Skip to main content
Version: 1.6.x

WAF Settings

The following example creates a security group for the sidecars in ns1, ns2 and ns3 namespaces owned by its parent workspace w1 under tenant mycompany, and a security setting that applies the WAF Settings. And the security group and security settings to which this WAF Settings is applied to.

apiVersion: security.tsb.tetrate.io/v2
kind: Group
metadata:
name: t1
workspace: w1
tenant: mycompany
organization: myorg
spec:
namespaceSelector:
names:
- "*/ns1"
- "*/ns2"
- "*/ns3"
configMode: BRIDGED
---
apiVersion: security.tsb.tetrate.io/v2
kind: SecuritySetting
metadata:
name: defaults
group: t1
workspace: w1
tenant: mycompany
organization: myorg
spec:
waf:
rules:
- Include @recommended-conf

In the following examples, the security rule for blocking XSS requests is enabled on Tier1Gateway and IngressGateway respectively, with an ad-hoc debug configuration, instead of the one defined in the security rule.

apiVersion: gateway.xcp.tetrate.io/v2
kind: Tier1Gateway
metadata:
name: tier1-waf-gw
group: g1
workspace: w1
tenant: mycompany
organization: myorg
spec:
workloadSelector:
namespace: ns1
labels:
app: gateway
passthroughServers:
- name: nginx
port: 8443
hostname: nginx.example.com
waf:
rules:
- Include @owasp_crs/REQUEST-941-APPLICATION-ATTACK-XSS.conf
apiVersion: gateway.xcp.tetrate.io/v2
kind: IngressGateway
metadata:
name: waf-gw
group: g1
workspace: w1
tenant: mycompany
organization: myorg
spec:
workloadSelector:
namespace: ns1
labels:
app: waf-gateway
waf:
rules:
- SecRuleEngine DETECTION_ONLY
- SecDebugLogLevel 5
- Include @owasp_crs/REQUEST-941-APPLICATION-ATTACK-XSS.conf
http:
- name: bookinfo
port: 9443
hostname: bookinfo.com

WAFSettings

WAFSettings configure WAF based on seclang See https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual-%28v3.x%29#Configuration_Directives

FieldDescriptionValidation Rule

rules

List of string
REQUIRED
Rules to be leveraged by WAF. The parser evaluates the list of rules from the top to the bottom.

repeated = {
  min_items: 1
  items: {string:{min_len:1}}
}