src/edge-infra.dev/test/fixtures/crds/gcp/compute.cnrm.cloud.google.com_computesecuritypolicies.yaml
---
# Config Connector (cnrm) CustomResourceDefinition for ComputeSecurityPolicy
# (Google Cloud Armor). This is a schema-only test fixture: it constrains the
# shape of the resource, not how the controller or the Cloud Armor API act on it.
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  annotations:
    # The generator version is the literal string "(unknown)" in this fixture.
    controller-gen.kubebuilder.io/version: (unknown)
  name: computesecuritypolicies.compute.cnrm.cloud.google.com
spec:
  group: compute.cnrm.cloud.google.com
  names:
    kind: ComputeSecurityPolicy
    listKind: ComputeSecurityPolicyList
    plural: computesecuritypolicies
    singular: computesecuritypolicy
  scope: Namespaced
  versions:
  - name: v1beta1
    schema:
      openAPIV3Schema:
        description: ComputeSecurityPolicy is the Schema for the compute API
        properties:
          apiVersion:
            description: |-
              APIVersion defines the versioned schema of this representation of an object.
              Servers should convert recognized schemas to the latest internal value, and
              may reject unrecognized values.
              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
            type: string
          kind:
            description: |-
              Kind is a string value representing the REST resource this object represents.
              Servers may infer this from the endpoint the client submits requests to.
              Cannot be updated.
              In CamelCase.
              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
            type: string
          metadata:
            type: object
          spec:
            properties:
              adaptiveProtectionConfig:
                description: Adaptive Protection Config of this security policy.
                properties:
                  autoDeployConfig:
                    description: Auto Deploy Config of this security policy.
                    properties:
                      confidenceThreshold:
                        description: Rules are only automatically deployed for alerts
                          on potential attacks with confidence scores greater than
                          this threshold.
                        type: number
                      expirationSec:
                        description: Google Cloud Armor stops applying the action
                          in the automatically deployed rule to an identified attacker
                          after this duration. The rule continues to operate against
                          new requests.
                        type: integer
                      impactedBaselineThreshold:
                        description: Rules are only automatically deployed when the
                          estimated impact to baseline traffic from the suggested
                          mitigation is below this threshold.
                        type: number
                      loadThreshold:
                        description: Identifies new attackers only when the load to
                          the backend service that is under attack exceeds this threshold.
                        type: number
                    type: object
                  layer7DdosDefenseConfig:
                    description: Layer 7 DDoS Defense Config of this security policy.
                    properties:
                      enable:
                        description: If set to true, enables CAAP for L7 DDoS detection.
                        type: boolean
                      ruleVisibility:
                        # Supported values are listed in the description only; the
                        # schema is a plain string with no enum.
                        description: 'Rule visibility. Supported values include: "STANDARD",
                          "PREMIUM".'
                        type: string
                    type: object
                type: object
              advancedOptionsConfig:
                description: Advanced Options Config of this security policy.
                properties:
                  jsonCustomConfig:
                    description: Custom configuration to apply the JSON parsing. Only
                      applicable when JSON parsing is set to STANDARD.
                    properties:
                      contentTypes:
                        description: A list of custom Content-Type header values to
                          apply the JSON parsing.
                        items:
                          type: string
                        type: array
                    required:
                    - contentTypes
                    type: object
                  jsonParsing:
                    description: 'JSON body parsing. Supported values include: "DISABLED",
                      "STANDARD".'
                    type: string
                  logLevel:
                    description: 'Logging level. Supported values include: "NORMAL",
                      "VERBOSE".'
                    type: string
                type: object
              description:
                description: An optional description of this security policy. Max
                  size is 2048.
                type: string
              recaptchaOptionsConfig:
                description: reCAPTCHA configuration options to be applied for the
                  security policy.
                properties:
                  redirectSiteKeyRef:
                    description: |-
                      A field to supply a reCAPTCHA site key to be used for all the rules
                      using the redirect action with the type of GOOGLE_RECAPTCHA under
                      the security policy. The specified site key needs to be created from
                      the reCAPTCHA API. The user is responsible for the validity of the
                      specified site key. If not specified, a Google-managed site key is
                      used.
                    properties:
                      external:
                        description: The external name of the referenced resource
                        type: string
                      kind:
                        description: Kind of the referent.
                        type: string
                      name:
                        description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
                        type: string
                      namespace:
                        description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
                        type: string
                    type: object
                required:
                - redirectSiteKeyRef
                type: object
              resourceID:
                description: Immutable. Optional. The name of the resource. Used for
                  creation and acquisition. When unset, the value of `metadata.name`
                  is used as the default.
                type: string
              # NOTE(review): per the description below, omitting rules yields a
              # default "allow" rule. A deny-by-default policy must therefore supply
              # its own default rule (priority 2147483647, match "*").
              rule:
                description: The set of rules that belong to this policy. There must
                  always be a default rule (rule with priority 2147483647 and match
                  "*"). If no rules are provided when creating a security policy,
                  a default rule with action "allow" will be added.
                items:
                  properties:
                    action:
                      description: Action to take when match matches the request.
                      type: string
                    description:
                      description: An optional description of this rule. Max size
                        is 64.
                      type: string
                    headerAction:
                      description: Additional actions that are performed on headers.
                      properties:
                        requestHeadersToAdds:
                          description: The list of request headers to add or overwrite
                            if they're already present.
                          items:
                            properties:
                              headerName:
                                description: The name of the header to set.
                                type: string
                              headerValue:
                                description: The value to set the named header to.
                                type: string
                            required:
                            - headerName
                            type: object
                          type: array
                      required:
                      - requestHeadersToAdds
                      type: object
                    match:
                      description: A match condition that incoming traffic is evaluated
                        against. If it evaluates to true, the corresponding action
                        is enforced.
                      properties:
                        config:
                          description: The configuration options available when specifying
                            versioned_expr. This field must be specified if versioned_expr
                            is specified and cannot be specified if versioned_expr
                            is not specified.
                          properties:
                            # '*' matches all source IPs; the description notes it can be
                            # used to override the default behaviour.
                            srcIpRanges:
                              description: Set of IP addresses or ranges (IPV4 or
                                IPV6) in CIDR notation to match against inbound traffic.
                                There is a limit of 10 IP ranges per rule. A value
                                of '*' matches all IPs (can be used to override the
                                default behavior).
                              items:
                                type: string
                              type: array
                          required:
                          - srcIpRanges
                          type: object
                        # The CEL expression is constrained only to a string here; its
                        # validity and effect are decided by the Cloud Armor API, not
                        # by this schema.
                        expr:
                          description: User defined CEVAL expression. A CEVAL expression
                            is used to specify match criteria such as origin.ip, source.region_code
                            and contents in the request header.
                          properties:
                            expression:
                              description: Textual representation of an expression
                                in Common Expression Language syntax. The application
                                context of the containing message determines which
                                well-known feature set of CEL is supported.
                              type: string
                          required:
                          - expression
                          type: object
                        versionedExpr:
                          description: 'Predefined rule expression. If this field
                            is specified, config must also be specified. Available
                            options: SRC_IPS_V1: Must specify the corresponding
                            src_ip_ranges field in config.'
                          type: string
                      type: object
                    preconfiguredWafConfig:
                      description: Preconfigured WAF configuration to be applied for
                        the rule. If the rule does not evaluate preconfigured WAF
                        rules, i.e., if evaluatePreconfiguredWaf() is not used, this
                        field will have no effect.
                      properties:
                        # Each exclusion removes request fields from WAF inspection;
                        # review additions to this list as a narrowing of coverage.
                        exclusion:
                          description: An exclusion to apply during preconfigured
                            WAF evaluation.
                          items:
                            properties:
                              requestCookie:
                                description: Request cookie whose value will be excluded
                                  from inspection during preconfigured WAF evaluation.
                                items:
                                  properties:
                                    operator:
                                      description: 'You can specify an exact match
                                        or a partial match by using a field operator
                                        and a field value. Available options: EQUALS:
                                        The operator matches if the field value equals
                                        the specified value. STARTS_WITH: The operator
                                        matches if the field value starts with the
                                        specified value. ENDS_WITH: The operator matches
                                        if the field value ends with the specified
                                        value. CONTAINS: The operator matches if the
                                        field value contains the specified value.
                                        EQUALS_ANY: The operator matches if the field
                                        value is any value.'
                                      type: string
                                    value:
                                      description: A request field matching the specified
                                        value will be excluded from inspection during
                                        preconfigured WAF evaluation. The field value
                                        must be given if the field operator is not
                                        EQUALS_ANY, and cannot be given if the field
                                        operator is EQUALS_ANY.
                                      type: string
                                  required:
                                  - operator
                                  type: object
                                type: array
                              requestHeader:
                                description: Request header whose value will be excluded
                                  from inspection during preconfigured WAF evaluation.
                                items:
                                  properties:
                                    operator:
                                      description: 'You can specify an exact match
                                        or a partial match by using a field operator
                                        and a field value. Available options: EQUALS:
                                        The operator matches if the field value equals
                                        the specified value. STARTS_WITH: The operator
                                        matches if the field value starts with the
                                        specified value. ENDS_WITH: The operator matches
                                        if the field value ends with the specified
                                        value. CONTAINS: The operator matches if the
                                        field value contains the specified value.
                                        EQUALS_ANY: The operator matches if the field
                                        value is any value.'
                                      type: string
                                    value:
                                      description: A request field matching the specified
                                        value will be excluded from inspection during
                                        preconfigured WAF evaluation. The field value
                                        must be given if the field operator is not
                                        EQUALS_ANY, and cannot be given if the field
                                        operator is EQUALS_ANY.
                                      type: string
                                  required:
                                  - operator
                                  type: object
                                type: array
                              requestQueryParam:
                                description: Request query parameter whose value will
                                  be excluded from inspection during preconfigured
                                  WAF evaluation. Note that the parameter can be
                                  in the query string or in the POST body.
                                items:
                                  properties:
                                    operator:
                                      description: 'You can specify an exact match
                                        or a partial match by using a field operator
                                        and a field value. Available options: EQUALS:
                                        The operator matches if the field value equals
                                        the specified value. STARTS_WITH: The operator
                                        matches if the field value starts with the
                                        specified value. ENDS_WITH: The operator matches
                                        if the field value ends with the specified
                                        value. CONTAINS: The operator matches if the
                                        field value contains the specified value.
                                        EQUALS_ANY: The operator matches if the field
                                        value is any value.'
                                      type: string
                                    value:
                                      description: A request field matching the specified
                                        value will be excluded from inspection during
                                        preconfigured WAF evaluation. The field value
                                        must be given if the field operator is not
                                        EQUALS_ANY, and cannot be given if the field
                                        operator is EQUALS_ANY.
                                      type: string
                                  required:
                                  - operator
                                  type: object
                                type: array
                              requestUri:
                                description: Request URI from the request line to
                                  be excluded from inspection during preconfigured
                                  WAF evaluation. When specifying this field, the
                                  query or fragment part should be excluded.
                                items:
                                  properties:
                                    operator:
                                      description: 'You can specify an exact match
                                        or a partial match by using a field operator
                                        and a field value. Available options: EQUALS:
                                        The operator matches if the field value equals
                                        the specified value. STARTS_WITH: The operator
                                        matches if the field value starts with the
                                        specified value. ENDS_WITH: The operator matches
                                        if the field value ends with the specified
                                        value. CONTAINS: The operator matches if the
                                        field value contains the specified value.
                                        EQUALS_ANY: The operator matches if the field
                                        value is any value.'
                                      type: string
                                    value:
                                      description: A request field matching the specified
                                        value will be excluded from inspection during
                                        preconfigured WAF evaluation. The field value
                                        must be given if the field operator is not
                                        EQUALS_ANY, and cannot be given if the field
                                        operator is EQUALS_ANY.
                                      type: string
                                  required:
                                  - operator
                                  type: object
                                type: array
                              # Omitting targetRuleIds widens the exclusion to every
                              # rule in the target rule set (see description).
                              targetRuleIds:
                                description: A list of target rule IDs under the WAF
                                  rule set to apply the preconfigured WAF exclusion.
                                  If omitted, it refers to all the rule IDs under
                                  the WAF rule set.
                                items:
                                  type: string
                                type: array
                              targetRuleSet:
                                description: Target WAF rule set to apply the preconfigured
                                  WAF exclusion.
                                type: string
                            required:
                            - targetRuleSet
                            type: object
                          type: array
                      type: object
                    # preview: true means the rule's action is logged but not enforced.
                    preview:
                      description: When set to true, the action specified above is
                        not enforced. Stackdriver logs for requests that trigger a
                        preview action are annotated as such.
                      type: boolean
                    # Uniqueness and positivity are stated in the description only;
                    # the schema validates just the integer type (no minimum).
                    priority:
                      description: An unique positive integer indicating the priority
                        of evaluation for a rule. Rules are evaluated from highest
                        priority (lowest numerically) to lowest priority (highest
                        numerically) in order.
                      type: integer
                    rateLimitOptions:
                      description: Rate limit threshold for this security policy.
                        Must be specified if the action is "rate_based_ban" or "throttle".
                        Cannot be specified for any other actions.
                      properties:
                        banDurationSec:
                          description: Can only be specified if the action for the
                            rule is "rate_based_ban". If specified, determines the
                            time (in seconds) the traffic will continue to be banned
                            by the rate limit after the rate falls below the threshold.
                          type: integer
                        banThreshold:
                          description: Can only be specified if the action for the
                            rule is "rate_based_ban". If specified, the key will be
                            banned for the configured 'banDurationSec' when the number
                            of requests that exceed the 'rateLimitThreshold' also
                            exceed this 'banThreshold'.
                          properties:
                            count:
                              description: Number of HTTP(S) requests for calculating
                                the threshold.
                              type: integer
                            intervalSec:
                              description: Interval over which the threshold is computed.
                              type: integer
                          required:
                          - count
                          - intervalSec
                          type: object
                        conformAction:
                          description: Action to take for requests that are under
                            the configured rate limit threshold. Valid option is "allow"
                            only.
                          type: string
                        enforceOnKey:
                          description: Determines the key to enforce the rateLimitThreshold
                            on.
                          type: string
                        enforceOnKeyConfigs:
                          description: Immutable. Enforce On Key Config of this security
                            policy.
                          items:
                            properties:
                              enforceOnKeyName:
                                description: 'Rate limit key name applicable only
                                  for the following key types: HTTP_HEADER -- Name
                                  of the HTTP header whose value is taken as the key
                                  value. HTTP_COOKIE -- Name of the HTTP cookie whose
                                  value is taken as the key value.'
                                type: string
                              enforceOnKeyType:
                                description: Determines the key to enforce the rate_limit_threshold
                                  on.
                                type: string
                            type: object
                          type: array
                        enforceOnKeyName:
                          description: 'Rate limit key name applicable only for the
                            following key types: HTTP_HEADER -- Name of the HTTP header
                            whose value is taken as the key value. HTTP_COOKIE --
                            Name of the HTTP cookie whose value is taken as the key
                            value.'
                          type: string
                        # The allowed forms ("deny()" with status 403/404/429/502, or
                        # "redirect") are documented below but not enforced by the
                        # schema, which is a plain string.
                        exceedAction:
                          description: Action to take for requests that are above
                            the configured rate limit threshold, to either deny with
                            a specified HTTP response code, or redirect to a different
                            endpoint. Valid options are "deny()" where valid values
                            for status are 403, 404, 429, and 502, and "redirect"
                            where the redirect parameters come from exceedRedirectOptions
                            below.
                          type: string
                        exceedRedirectOptions:
                          description: Parameters defining the redirect action that
                            is used as the exceed action. Cannot be specified if the
                            exceed action is not redirect.
                          properties:
                            target:
                              description: Target for the redirect action. This is
                                required if the type is EXTERNAL_302 and cannot be
                                specified for GOOGLE_RECAPTCHA.
                              type: string
                            type:
                              description: Type of the redirect action.
                              type: string
                          required:
                          - type
                          type: object
                        rateLimitThreshold:
                          description: Threshold at which to begin ratelimiting.
                          properties:
                            count:
                              description: Number of HTTP(S) requests for calculating
                                the threshold.
                              type: integer
                            intervalSec:
                              description: Interval over which the threshold is computed.
                              type: integer
                          required:
                          - count
                          - intervalSec
                          type: object
                      required:
                      - conformAction
                      - exceedAction
                      - rateLimitThreshold
                      type: object
                    redirectOptions:
                      description: Parameters defining the redirect action. Cannot
                        be specified for any other actions.
                      properties:
                        target:
                          description: Target for the redirect action. This is required
                            if the type is EXTERNAL_302 and cannot be specified for
                            GOOGLE_RECAPTCHA.
                          type: string
                        type:
                          description: 'Type of the redirect action. Available options:
                            EXTERNAL_302: Must specify the corresponding target field
                            in config. GOOGLE_RECAPTCHA: Cannot specify target field
                            in config.'
                          type: string
                      required:
                      - type
                      type: object
                  required:
                  - action
                  - match
                  - priority
                  type: object
                type: array
              type:
                description: The type indicates the intended use of the security policy.
                  CLOUD_ARMOR - Cloud Armor backend security policies can be configured
                  to filter incoming HTTP requests targeting backend services. They
                  filter requests before they hit the origin servers. CLOUD_ARMOR_EDGE
                  - Cloud Armor edge security policies can be configured to filter
                  incoming HTTP requests targeting backend services (including Cloud
                  CDN-enabled) as well as backend buckets (Cloud Storage). They filter
                  requests before the request is served from Google's cache.
                type: string
            type: object
          # Observed state reported back for the resource (see observedGeneration).
          status:
            properties:
              conditions:
                description: |-
                  Conditions represent the latest available observations of the
                  ComputeSecurityPolicy's current state.
                items:
                  properties:
                    lastTransitionTime:
                      description: Last time the condition transitioned from one status
                        to another.
                      type: string
                    message:
                      description: Human-readable message indicating details about
                        last transition.
                      type: string
                    reason:
                      description: |-
                        Unique, one-word, CamelCase reason for the condition's last
                        transition.
                      type: string
                    status:
                      description: Status is the status of the condition. Can be True,
                        False, Unknown.
                      type: string
                    type:
                      description: Type is the type of the condition.
                      type: string
                  type: object
                type: array
              fingerprint:
                description: Fingerprint of this resource.
                type: string
              observedGeneration:
                description: ObservedGeneration is the generation of the resource
                  that was most recently observed by the Config Connector controller.
                  If this is equal to metadata.generation, then that means that the
                  current reported status reflects the most recent desired state of
                  the resource.
                type: integer
              selfLink:
                description: The URI of the created resource.
                type: string
            type: object
        type: object
    served: true
    storage: true