Version v0.4 of the documentation is no longer actively maintained. The site that you are currently viewing is an archived snapshot. For up-to-date documentation, see the latest version.

API Reference

Auto-generated API reference for CRDs defined by the Coraza Kubernetes Operator.

Packages

waf.k8s.coraza.io/v1alpha1

Package v1alpha1 contains API Schema definitions for the waf v1alpha1 API group.

Resource Types

DriverConfig

DriverConfig defines the driver configuration for the Engine.

Exactly one driver must be specified.

Validation:

  • MinProperties: 0

Appears in:

| Field | Description | Default | Validation |
| --- | --- | --- | --- |
| `istio` IstioDriverConfig | istio configures the Engine to integrate with Istio service mesh. | | MinProperties: 0; Optional: {} |

Engine

Engine represents an instance of a Web Application Firewall (WAF) engine.

Appears in:

| Field | Description | Default | Validation |
| --- | --- | --- | --- |
| `apiVersion` string | waf.k8s.coraza.io/v1alpha1 | | |
| `kind` string | Engine | | |
| `metadata` ObjectMeta | Refer to Kubernetes API documentation for fields of metadata. | | Optional: {} |
| `spec` EngineSpec | spec defines the desired state of Engine. | | Required: {} |
| `status` EngineStatus | status defines the observed state of Engine. | | MinProperties: 0; Optional: {} |

EngineList

EngineList contains a list of Engine resources.

| Field | Description | Default | Validation |
| --- | --- | --- | --- |
| `apiVersion` string | waf.k8s.coraza.io/v1alpha1 | | |
| `kind` string | EngineList | | |
| `metadata` ListMeta | Refer to Kubernetes API documentation for fields of metadata. | | Optional: {} |
| `items` Engine array | Items is the list of Engines. | | Required: {} |

EngineSpec

EngineSpec defines the desired state of an Engine.

Appears in:

| Field | Description | Default | Validation |
| --- | --- | --- | --- |
| `ruleSet` RuleSetReference | ruleSet specifies the RuleSet resource that will be used to load rules into the Engine. The referenced RuleSet must be in the same namespace as the Engine. | | Required: {} |
| `driver` DriverConfig | driver specifies the driver configuration for the engine. This determines how the WAF engine will be deployed and integrated with some implementation. Currently only supports Istio ingress Gateways. | | MinProperties: 0; Optional: {} |
| `failurePolicy` FailurePolicy | failurePolicy determines the behavior when the WAF is not ready or encounters errors. Valid values are: "Fail": Block traffic when the WAF is not ready or encounters errors; "Allow": Allow traffic through when the WAF is not ready or encounters errors. When omitted, this means the user has no opinion and the platform will choose a reasonable default, which is subject to change over time. The current default is fail. | fail | Enum: [fail allow]; Optional: {} |

EngineStatus

EngineStatus defines the observed state of Engine.

Validation:

  • MinProperties: 0

Appears in:

| Field | Description | Default | Validation |
| --- | --- | --- | --- |
| `conditions` Condition array | conditions represent the current state of the Engine resource. Each condition has a unique type and reflects the status of a specific aspect of the resource. Standard condition types include: "Ready": the engine has been successfully deployed and is operational; "Progressing": the resource is being created or updated; "Degraded": the resource failed to reach or maintain its desired state. The status of each condition is one of True, False, or Unknown. | | MaxItems: 16; MinItems: 1; Optional: {} |
| `gateways` GatewayReference array | gateways is the list of Gateways in the same namespace that match the Engine's workload selector. | | MaxItems: 16; MinItems: 1; Optional: {} |

FailurePolicy

Underlying type: string

FailurePolicy describes the failure policy for the Engine.

Validation:

  • Enum: [fail allow]

Appears in:

| Value | Description |
| --- | --- |
| `fail` | FailurePolicyFail blocks traffic when the Engine is not ready or encounters errors. |
| `allow` | FailurePolicyAllow allows traffic through when the Engine is not ready or encounters errors. |

GatewayReference

GatewayReference is a reference to a Gateway resource in the same namespace as the Engine.

Appears in:

| Field | Description | Default | Validation |
| --- | --- | --- | --- |
| `name` string | name is the name of the Gateway in the same namespace as the Engine. | | MaxLength: 253; MinLength: 1; Required: {} |

IstioDriverConfig

IstioDriverConfig defines Istio-specific integration mechanisms that will be used to deploy and manage the Engine with Istio.

Exactly one mode must be specified.

Validation:

  • MinProperties: 0

Appears in:

| Field | Description | Default | Validation |
| --- | --- | --- | --- |
| `wasm` IstioWasmConfig | wasm configures the Engine to be deployed as a WebAssembly plugin. | | MinProperties: 0; Optional: {} |

IstioIntegrationMode

Underlying type: string

IstioIntegrationMode specifies what mechanism will be used to integrate the WAF with Istio.

Validation:

  • Enum: [gateway]

Appears in:

| Value | Description |
| --- | --- |
| `gateway` | IstioIntegrationModeGateway applies the filter at the Gateway level. |

IstioWasmConfig

IstioWasmConfig defines configuration for deploying the Engine as a WASM plugin with Istio.

Validation:

  • MinProperties: 0

Appears in:

| Field | Description | Default | Validation |
| --- | --- | --- | --- |
| `mode` IstioIntegrationMode | mode specifies what mechanism will be used to integrate the WAF with Istio. Currently only supports "Gateway" mode, utilizing Gateway API resources. | gateway | Enum: [gateway]; Optional: {} |
| `workloadSelector` LabelSelector | workloadSelector specifies the selection criteria for attaching the WAF to Istio resources. Required when mode is "gateway". | | Optional: {} |
| `image` string | image is the OCI image reference for the Coraza WASM plugin. If omitted the operator uses its configured default WASM OCI reference (--default-wasm-image / CORAZA_DEFAULT_WASM_IMAGE). | | MaxLength: 1024; MinLength: 1; Optional: {} |
| `imagePullSecret` string | imagePullSecret is the name of a Kubernetes Secret in the same namespace as the Engine that contains Docker registry credentials for pulling the WASM OCI image. This is passed directly to the Istio WasmPlugin resource. | | MaxLength: 253; MinLength: 1; Optional: {} |
| `ruleSetCacheServer` RuleSetCacheServerConfig | ruleSetCacheServer contains configuration for the ruleset cache server. When omitted, no cache server will be used and no rulesets will be dynamically loaded. This implies that your Engine will be deployed with all rules statically embedded. | | MinProperties: 0; Optional: {} |

RuleSet

RuleSet represents a set of Web Application Firewall (WAF) rules.

Appears in:

| Field | Description | Default | Validation |
| --- | --- | --- | --- |
| `apiVersion` string | waf.k8s.coraza.io/v1alpha1 | | |
| `kind` string | RuleSet | | |
| `metadata` ObjectMeta | Refer to Kubernetes API documentation for fields of metadata. | | Optional: {} |
| `spec` RuleSetSpec | spec defines the desired state of RuleSet. | | Required: {} |
| `status` RuleSetStatus | status defines the observed state of RuleSet. | | MinProperties: 1; Optional: {} |

RuleSetCacheServerConfig

RuleSetCacheServerConfig defines the configuration for the RuleSet cache server.

Validation:

  • MinProperties: 0

Appears in:

| Field | Description | Default | Validation |
| --- | --- | --- | --- |
| `pollIntervalSeconds` integer | pollIntervalSeconds specifies how often the WAF should check for configuration updates. The value is specified in seconds. When omitted, this means the user has no opinion and the platform will choose a reasonable default, which is subject to change over time. The current default is 15 seconds. | 15 | Maximum: 3600; Minimum: 1; Optional: {} |

RuleSetList

RuleSetList contains a list of RuleSet resources.

| Field | Description | Default | Validation |
| --- | --- | --- | --- |
| `apiVersion` string | waf.k8s.coraza.io/v1alpha1 | | |
| `kind` string | RuleSetList | | |
| `metadata` ListMeta | Refer to Kubernetes API documentation for fields of metadata. | | Optional: {} |
| `items` RuleSet array | Items is the list of RuleSets. | | Required: {} |

RuleSetReference

RuleSetReference is a reference to a RuleSet resource.

Appears in:

| Field | Description | Default | Validation |
| --- | --- | --- | --- |
| `name` string | name is the name of the RuleSet in the same namespace as the Engine. | | MaxLength: 253; MinLength: 1; Required: {} |

RuleSetSpec

RuleSetSpec defines the desired state of RuleSet.

Appears in:

| Field | Description | Default | Validation |
| --- | --- | --- | --- |
| `rules` RuleSourceReference array | rules is an ordered list of references to ConfigMaps that contain the firewall rules to be compiled into a complete set. Each entry refers to a ConfigMap by name in the same namespace as the RuleSet. The ConfigMap must contain a "rules" key. | | MaxItems: 2048; MinItems: 1; Required: {} |
| `ruleData` string | ruleData contains the name of a secret with the data required by the rules, usually rules that contain the directive '@pmFromFile'. The secret must be created with the type coraza/data, otherwise it will not be watched. Additionally, the secret must contain the name of each file as the key and the content of the file as the value. | | MaxLength: 253; MinLength: 1; Optional: {} |
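
A set of manifests that wires these types together, added here as an illustration and not taken from the Coraza Kubernetes Operator project: a ConfigMap with a "rules" key, a Secret of type coraza/data holding the file used by @pmFromFile, a RuleSet that references both, and an Engine that loads the RuleSet and blocks traffic when the WAF is not ready. The namespace, resource names, the app: demo-gateway label and the rule itself are constructed for the example.

```yaml
# Constructed example: all names, labels and the rule below are assumptions.
apiVersion: v1
kind: ConfigMap
metadata:
  name: base-rules
  namespace: demo
data:
  rules: |
    SecRuleEngine On
    SecRule REQUEST_HEADERS:User-Agent "@pmFromFile bad-agents.txt" "id:1001,phase:1,deny,status:403"
---
apiVersion: v1
kind: Secret
metadata:
  name: rule-data
  namespace: demo
type: coraza/data            # without this type the Secret is not watched
stringData:                  # key = file name, value = file content
  bad-agents.txt: |
    example-scanner
---
apiVersion: waf.k8s.coraza.io/v1alpha1
kind: RuleSet
metadata:
  name: demo-ruleset
  namespace: demo
spec:
  rules:                     # ordered; each ConfigMap must have a "rules" key
    - name: base-rules
  ruleData: rule-data
---
apiVersion: waf.k8s.coraza.io/v1alpha1
kind: Engine
metadata:
  name: demo-engine
  namespace: demo
spec:
  ruleSet:
    name: demo-ruleset       # must be in the same namespace as the Engine
  failurePolicy: fail        # set explicitly; the default may change over time
  driver:
    istio:
      wasm:
        mode: gateway
        workloadSelector:    # required when mode is "gateway"
          matchLabels:
            app: demo-gateway
        ruleSetCacheServer:  # omit to deploy with rules statically embedded
          pollIntervalSeconds: 15
```

Setting failurePolicy explicitly keeps the Engine failing closed even if the platform default changes; allow lets traffic through unfiltered whenever the WAF is not ready or encounters errors.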

RuleSetStatus

RuleSetStatus defines the observed state of RuleSet.

Validation:

  • MinProperties: 1

Appears in:

| Field | Description | Default | Validation |
| --- | --- | --- | --- |
| `conditions` Condition array | conditions represent the current state of the RuleSet resource. Each condition has a unique type and reflects the status of a specific aspect of the resource. Standard condition types include: "Ready": the RuleSet has been processed and the rules have been cached; "Progressing": the resource is being created or updated; "Degraded": the resource failed to reach or maintain its desired state. The status of each condition is one of True, False, or Unknown. | | MaxItems: 16; MinItems: 1; Optional: {} |

RuleSourceReference

RuleSourceReference is a reference to a ConfigMap that contains WAF rules.

Appears in:

| Field | Description | Default | Validation |
| --- | --- | --- | --- |
| `name` string | name is the name of the ConfigMap in the same namespace as the RuleSet. | | MaxLength: 253; MinLength: 1; Required: {} |