...
1# Copyright 2020 Google LLC
2#
3# Licensed under the Apache License, Version 2.0 (the "License");
4# you may not use this file except in compliance with the License.
5# You may obtain a copy of the License at
6#
7# http://www.apache.org/licenses/LICENSE-2.0
8#
9# Unless required by applicable law or agreed to in writing, software
10# distributed under the License is distributed on an "AS IS" BASIS,
11# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12# See the License for the specific language governing permissions and
13# limitations under the License.
14
15apiVersion: apiextensions.k8s.io/v1
16kind: CustomResourceDefinition
17metadata:
18 annotations:
19 cnrm.cloud.google.com/version: 1.106.0
20 creationTimestamp: null
21 labels:
22 cnrm.cloud.google.com/managed-by-kcc: "true"
23 cnrm.cloud.google.com/stability-level: stable
24 cnrm.cloud.google.com/system: "true"
25 cnrm.cloud.google.com/tf2crd: "true"
26 name: computesecuritypolicies.compute.cnrm.cloud.google.com
27spec:
28 group: compute.cnrm.cloud.google.com
29 names:
30 categories:
31 - gcp
32 kind: ComputeSecurityPolicy
33 plural: computesecuritypolicies
34 shortNames:
35 - gcpcomputesecuritypolicy
36 - gcpcomputesecuritypolicies
37 singular: computesecuritypolicy
38 scope: Namespaced
39 versions:
40 - additionalPrinterColumns:
41 - jsonPath: .metadata.creationTimestamp
42 name: Age
43 type: date
44 - description: When 'True', the most recent reconcile of the resource succeeded
45 jsonPath: .status.conditions[?(@.type=='Ready')].status
46 name: Ready
47 type: string
48 - description: The reason for the value in 'Ready'
49 jsonPath: .status.conditions[?(@.type=='Ready')].reason
50 name: Status
51 type: string
52 - description: The last transition time for the value in 'Status'
53 jsonPath: .status.conditions[?(@.type=='Ready')].lastTransitionTime
54 name: Status Age
55 type: date
56 name: v1beta1
57 schema:
58 openAPIV3Schema:
59 properties:
60 apiVersion:
61 description: 'apiVersion defines the versioned schema of this representation
62 of an object. Servers should convert recognized schemas to the latest
63 internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources'
64 type: string
65 kind:
66 description: 'kind is a string value representing the REST resource this
67 object represents. Servers may infer this from the endpoint the client
68 submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds'
69 type: string
70 metadata:
71 type: object
72 spec:
73 properties:
74 adaptiveProtectionConfig:
75 description: Adaptive Protection Config of this security policy.
76 properties:
77 autoDeployConfig:
78 description: Auto Deploy Config of this security policy.
79 properties:
80 confidenceThreshold:
81 description: Rules are only automatically deployed for alerts
82 on potential attacks with confidence scores greater than
83 this threshold.
84 type: number
85 expirationSec:
86 description: Google Cloud Armor stops applying the action
87 in the automatically deployed rule to an identified attacker
88 after this duration. The rule continues to operate against
89 new requests.
90 type: integer
91 impactedBaselineThreshold:
92 description: Rules are only automatically deployed when the
93 estimated impact to baseline traffic from the suggested
94 mitigation is below this threshold.
95 type: number
96 loadThreshold:
97 description: Identifies new attackers only when the load to
98 the backend service that is under attack exceeds this threshold.
99 type: number
100 type: object
101 layer7DdosDefenseConfig:
102 description: Layer 7 DDoS Defense Config of this security policy.
103 properties:
104 enable:
105 description: If set to true, enables CAAP for L7 DDoS detection.
106 type: boolean
107 ruleVisibility:
108 description: 'Rule visibility. Supported values include: "STANDARD",
109 "PREMIUM".'
110 type: string
111 type: object
112 type: object
113 advancedOptionsConfig:
114 description: Advanced Options Config of this security policy.
115 properties:
116 jsonCustomConfig:
117 description: Custom configuration to apply the JSON parsing. Only
118 applicable when JSON parsing is set to STANDARD.
119 properties:
120 contentTypes:
121 description: A list of custom Content-Type header values to
122 apply the JSON parsing.
123 items:
124 type: string
125 type: array
126 required:
127 - contentTypes
128 type: object
129 jsonParsing:
130 description: 'JSON body parsing. Supported values include: "DISABLED",
131 "STANDARD".'
132 type: string
133 logLevel:
134 description: 'Logging level. Supported values include: "NORMAL",
135 "VERBOSE".'
136 type: string
137 type: object
138 description:
139 description: An optional description of this security policy. Max
140 size is 2048.
141 type: string
142 recaptchaOptionsConfig:
143 description: reCAPTCHA configuration options to be applied for the
144 security policy.
145 properties:
146 redirectSiteKeyRef:
147 description: |-
148 A field to supply a reCAPTCHA site key to be used for all the rules
149 using the redirect action with the type of GOOGLE_RECAPTCHA under
150 the security policy. The specified site key needs to be created from
151 the reCAPTCHA API. The user is responsible for the validity of the
152 specified site key. If not specified, a Google-managed site key is
153 used.
154 oneOf:
155 - not:
156 required:
157 - external
158 required:
159 - name
160 - not:
161 anyOf:
162 - required:
163 - name
164 - required:
165 - namespace
166 required:
167 - external
168 properties:
169 external:
170 description: 'Allowed value: The `name` field of a `RecaptchaEnterpriseKey`
171 resource.'
172 type: string
173 name:
174 description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
175 type: string
176 namespace:
177 description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
178 type: string
179 type: object
180 required:
181 - redirectSiteKeyRef
182 type: object
183 resourceID:
184 description: Immutable. Optional. The name of the resource. Used for
185 creation and acquisition. When unset, the value of `metadata.name`
186 is used as the default.
187 type: string
188 rule:
189 description: The set of rules that belong to this policy. There must
190 always be a default rule (rule with priority 2147483647 and match
191 "*"). If no rules are provided when creating a security policy, a default rule with action "allow" is added automatically,
192 so a newly created policy permits all traffic until that default rule is explicitly changed to a deny action.
193 items:
194 properties:
195 action:
196 description: 'Action to take when match matches the request, for example "allow", "deny(403)", "redirect", "throttle" or "rate_based_ban". "throttle" and "rate_based_ban" also require rateLimitOptions, and "redirect" requires redirectOptions (see those fields below).'
197 type: string
198 description:
199 description: An optional description of this rule. Max size
200 is 64.
201 type: string
202 headerAction:
203 description: Additional actions that are performed on headers.
204 properties:
205 requestHeadersToAdds:
206 description: The list of request headers to set on the matched request. A header of the
207 same name that is already present in the request is overwritten rather than appended to.
208 items:
209 properties:
210 headerName:
211 description: The name of the header to set.
212 type: string
213 headerValue:
214 description: The value to set the named header to.
215 type: string
216 required:
217 - headerName
218 type: object
219 type: array
220 required:
221 - requestHeadersToAdds
222 type: object
223 match:
224 description: A match condition that incoming traffic is evaluated
225 against. If it evaluates to true, the corresponding action
226 is enforced.
227 properties:
228 config:
229 description: The configuration options available when specifying
230 versioned_expr. This field must be specified if versioned_expr
231 is specified and cannot be specified if versioned_expr
232 is not specified.
233 properties:
234 srcIpRanges:
235 description: Set of IP addresses or ranges (IPV4 or
236 IPV6) in CIDR notation to match against inbound traffic.
237 There is a limit of 10 IP ranges per rule. A value
238 of '*' matches all IPs; this is what the mandatory default rule uses to catch all traffic
239 that no higher-priority rule matched, i.e. to override the default behavior.
240 items:
241 type: string
242 type: array
243 required:
244 - srcIpRanges
245 type: object
246 expr:
247 description: User defined CEVAL expression. A CEVAL expression
248 is used to specify match criteria such as origin.ip, source.region_code
249 and contents in the request header.
250 properties:
251 expression:
252 description: Textual representation of an expression
253 in Common Expression Language syntax. The application
254 context of the containing message determines which
255 well-known feature set of CEL is supported.
256 type: string
257 required:
258 - expression
259 type: object
260 versionedExpr:
261 description: 'Predefined rule expression. If this field
262 is specified, config must also be specified. Available
263 options: SRC_IPS_V1: Must specify the corresponding
264 src_ip_ranges field in config.'
265 type: string
266 type: object
267 preconfiguredWafConfig:
268 description: Preconfigured WAF configuration to be applied for
269 the rule. If the rule does not evaluate preconfigured WAF
270 rules, i.e., if evaluatePreconfiguredWaf() is not used, this
271 field will have no effect.
272 properties:
273 exclusion:
274 description: An exclusion to apply during preconfigured WAF evaluation. Each entry removes the matched request fields from inspection by the
275 targeted rule set, so every exclusion is a deliberate gap in WAF coverage; scope it to specific targetRuleIds and exact-match operators where possible.
276 items:
277 properties:
278 requestCookie:
279 description: Request cookie whose value will be excluded
280 from inspection during preconfigured WAF evaluation.
281 items:
282 properties:
283 operator:
284 description: 'You can specify an exact match
285 or a partial match by using a field operator
286 and a field value. Available options: EQUALS:
287 The operator matches if the field value equals
288 the specified value. STARTS_WITH: The operator
289 matches if the field value starts with the
290 specified value. ENDS_WITH: The operator matches
291 if the field value ends with the specified
292 value. CONTAINS: The operator matches if the
293 field value contains the specified value.
294 EQUALS_ANY: The operator matches if the field
295 value is any value.'
296 type: string
297 value:
298 description: A request field matching the specified
299 value will be excluded from inspection during
300 preconfigured WAF evaluation. The field value
301 must be given if the field operator is not
302 EQUALS_ANY, and cannot be given if the field
303 operator is EQUALS_ANY.
304 type: string
305 required:
306 - operator
307 type: object
308 type: array
309 requestHeader:
310 description: Request header whose value will be excluded
311 from inspection during preconfigured WAF evaluation.
312 items:
313 properties:
314 operator:
315 description: 'You can specify an exact match
316 or a partial match by using a field operator
317 and a field value. Available options: EQUALS:
318 The operator matches if the field value equals
319 the specified value. STARTS_WITH: The operator
320 matches if the field value starts with the
321 specified value. ENDS_WITH: The operator matches
322 if the field value ends with the specified
323 value. CONTAINS: The operator matches if the
324 field value contains the specified value.
325 EQUALS_ANY: The operator matches if the field
326 value is any value.'
327 type: string
328 value:
329 description: A request field matching the specified
330 value will be excluded from inspection during
331 preconfigured WAF evaluation. The field value
332 must be given if the field operator is not
333 EQUALS_ANY, and cannot be given if the field
334 operator is EQUALS_ANY.
335 type: string
336 required:
337 - operator
338 type: object
339 type: array
340 requestQueryParam:
341 description: Request query parameter whose value will
342 be excluded from inspection during preconfigured
343 WAF evaluation. Note that the parameter can be
344 in the query string or in the POST body.
345 items:
346 properties:
347 operator:
348 description: 'You can specify an exact match
349 or a partial match by using a field operator
350 and a field value. Available options: EQUALS:
351 The operator matches if the field value equals
352 the specified value. STARTS_WITH: The operator
353 matches if the field value starts with the
354 specified value. ENDS_WITH: The operator matches
355 if the field value ends with the specified
356 value. CONTAINS: The operator matches if the
357 field value contains the specified value.
358 EQUALS_ANY: The operator matches if the field
359 value is any value.'
360 type: string
361 value:
362 description: A request field matching the specified
363 value will be excluded from inspection during
364 preconfigured WAF evaluation. The field value
365 must be given if the field operator is not
366 EQUALS_ANY, and cannot be given if the field
367 operator is EQUALS_ANY.
368 type: string
369 required:
370 - operator
371 type: object
372 type: array
373 requestUri:
374 description: Request URI from the request line to
375 be excluded from inspection during preconfigured
376 WAF evaluation. When specifying this field, the
377 query or fragment part should be excluded.
378 items:
379 properties:
380 operator:
381 description: 'You can specify an exact match
382 or a partial match by using a field operator
383 and a field value. Available options: EQUALS:
384 The operator matches if the field value equals
385 the specified value. STARTS_WITH: The operator
386 matches if the field value starts with the
387 specified value. ENDS_WITH: The operator matches
388 if the field value ends with the specified
389 value. CONTAINS: The operator matches if the
390 field value contains the specified value.
391 EQUALS_ANY: The operator matches if the field
392 value is any value.'
393 type: string
394 value:
395 description: A request field matching the specified
396 value will be excluded from inspection during
397 preconfigured WAF evaluation. The field value
398 must be given if the field operator is not
399 EQUALS_ANY, and cannot be given if the field
400 operator is EQUALS_ANY.
401 type: string
402 required:
403 - operator
404 type: object
405 type: array
406 targetRuleIds:
407 description: A list of target rule IDs under the WAF
408 rule set to apply the preconfigured WAF exclusion.
409 If omitted, it refers to all the rule IDs under
410 the WAF rule set.
411 items:
412 type: string
413 type: array
414 targetRuleSet:
415 description: Target WAF rule set to apply the preconfigured
416 WAF exclusion.
417 type: string
418 required:
419 - targetRuleSet
420 type: object
421 type: array
422 type: object
423 preview:
424 description: When set to true, the action specified above is
425 not enforced and the rule only logs. Stackdriver logs for requests that trigger a
426 preview action are annotated as such. A rule left in preview provides no protection, so clear this flag once the rule has been validated.
428 priority:
429 description: A unique positive integer indicating the priority
430 of evaluation for a rule. Rules are evaluated from highest
431 priority (lowest numerically) to lowest priority (highest
432 numerically) in order.
433 type: integer
434 rateLimitOptions:
435 description: Rate limit threshold for this security policy.
436 Must be specified if the action is "rate_based_ban" or "throttle".
437 Cannot be specified for any other actions.
438 properties:
439 banDurationSec:
440 description: Can only be specified if the action for the
441 rule is "rate_based_ban". If specified, determines the
442 time (in seconds) the traffic will continue to be banned
443 by the rate limit after the rate falls below the threshold.
444 type: integer
445 banThreshold:
446 description: Can only be specified if the action for the
447 rule is "rate_based_ban". If specified, the key will be
448 banned for the configured 'banDurationSec' when the number
449 of requests that exceed the 'rateLimitThreshold' also
450 exceed this 'banThreshold'.
451 properties:
452 count:
453 description: Number of HTTP(S) requests for calculating
454 the threshold.
455 type: integer
456 intervalSec:
457 description: Interval over which the threshold is computed.
458 type: integer
459 required:
460 - count
461 - intervalSec
462 type: object
463 conformAction:
464 description: Action to take for requests that are under
465 the configured rate limit threshold. Valid option is "allow"
466 only.
467 type: string
468 enforceOnKey:
469 description: Determines the key to enforce the rateLimitThreshold
470 on.
471 type: string
472 enforceOnKeyConfigs:
473 description: Immutable. Enforce On Key Config of this security
474 policy.
475 items:
476 properties:
477 enforceOnKeyName:
478 description: 'Rate limit key name applicable only
479 for the following key types: HTTP_HEADER -- Name
480 of the HTTP header whose value is taken as the key
481 value. HTTP_COOKIE -- Name of the HTTP cookie whose
482 value is taken as the key value.'
483 type: string
484 enforceOnKeyType:
485 description: Determines the key to enforce the rate_limit_threshold
486 on.
487 type: string
488 type: object
489 type: array
490 enforceOnKeyName:
491 description: 'Rate limit key name applicable only for the
492 following key types: HTTP_HEADER -- Name of the HTTP header
493 whose value is taken as the key value. HTTP_COOKIE --
494 Name of the HTTP cookie whose value is taken as the key
495 value.'
496 type: string
497 exceedAction:
498 description: Action to take for requests that are above
499 the configured rate limit threshold, to either deny with
500 a specified HTTP response code, or redirect to a different
501 endpoint. Valid options are "deny(<status>)", where <status> is one of
502 403, 404, 429 or 502, and "redirect",
503 where the redirect parameters come from exceedRedirectOptions
504 below.
505 type: string
506 exceedRedirectOptions:
507 description: Parameters defining the redirect action that
508 is used as the exceed action. Cannot be specified if the
509 exceed action is not redirect.
510 properties:
511 target:
512 description: Target for the redirect action. This is
513 required if the type is EXTERNAL_302 and cannot be
514 specified for GOOGLE_RECAPTCHA.
515 type: string
516 type:
517 description: Type of the redirect action.
518 type: string
519 required:
520 - type
521 type: object
522 rateLimitThreshold:
523 description: Threshold at which to begin rate limiting.
524 properties:
525 count:
526 description: Number of HTTP(S) requests for calculating
527 the threshold.
528 type: integer
529 intervalSec:
530 description: Interval over which the threshold is computed.
531 type: integer
532 required:
533 - count
534 - intervalSec
535 type: object
536 required:
537 - conformAction
538 - exceedAction
539 - rateLimitThreshold
540 type: object
541 redirectOptions:
542 description: Parameters defining the redirect action. Cannot
543 be specified for any other actions.
544 properties:
545 target:
546 description: Target for the redirect action. This is required
547 if the type is EXTERNAL_302 and cannot be specified for
548 GOOGLE_RECAPTCHA.
549 type: string
550 type:
551 description: 'Type of the redirect action. Available options:
552 EXTERNAL_302: Must specify the corresponding target field
553 in config. GOOGLE_RECAPTCHA: Cannot specify target field
554 in config.'
555 type: string
556 required:
557 - type
558 type: object
559 required:
560 - action
561 - match
562 - priority
563 type: object
564 type: array
565 type:
566 description: The type indicates the intended use of the security policy.
567 CLOUD_ARMOR - Cloud Armor backend security policies can be configured
568 to filter incoming HTTP requests targeting backend services. They
569 filter requests before they hit the origin servers. CLOUD_ARMOR_EDGE
570 - Cloud Armor edge security policies can be configured to filter
571 incoming HTTP requests targeting backend services (including Cloud
572 CDN-enabled) as well as backend buckets (Cloud Storage). They filter
573 requests before the request is served from Google's cache.
574 type: string
575 type: object
576 status:
577 properties:
578 conditions:
579 description: Conditions represent the latest available observation
580 of the resource's current state.
581 items:
582 properties:
583 lastTransitionTime:
584 description: Last time the condition transitioned from one status
585 to another.
586 type: string
587 message:
588 description: Human-readable message indicating details about
589 last transition.
590 type: string
591 reason:
592 description: Unique, one-word, CamelCase reason for the condition's
593 last transition.
594 type: string
595 status:
596 description: Status is the status of the condition. Can be True,
597 False, Unknown.
598 type: string
599 type:
600 description: Type is the type of the condition.
601 type: string
602 type: object
603 type: array
604 fingerprint:
605 description: Fingerprint of this resource.
606 type: string
607 observedGeneration:
608 description: ObservedGeneration is the generation of the resource
609 that was most recently observed by the Config Connector controller.
610 If this is equal to metadata.generation, then that means that the
611 current reported status reflects the most recent desired state of
612 the resource.
613 type: integer
614 selfLink:
615 description: The URI of the created resource.
616 type: string
617 type: object
618 type: object
619 served: true
620 storage: true
621 subresources:
622 status: {}
623status:
624 acceptedNames:
625 kind: ""
626 plural: ""
627 conditions: []
628 storedVersions: []