Docsright arrowEdge Stackright arrowThe WebApplicationFirewallPolicy Resource (v1alpha1)

4 min • read

The WebApplicationFirewallPolicy Resource (v1alpha1)

The WebApplicationFirewallPolicy resource configures the matching patterns for when WebApplicationFirewalls get executed against requests; while the WebApplicationFirewall resource provides the configuration for an instance of a Web Application Firewall.

This doc is an overview of all the fields on the WebApplicationFirewallPolicy Custom Resource with descriptions of the purpose, type, and default values of those fields. Tutorials and guides for Web Application Firewalls can be found in the usage guides section

WebApplicationFirewallPolicy API Reference

WebApplicationFirewallPolicy Spec

rules[]WafMatchingRuleThis object configures matching requests and executes WebApplicationFirewalls on them. Multiple different rules can be supplied in one WebApplicationFirewallPolicy instead of multiple separate WebApplicationFirewallPolicy resouurces if desired.


hoststringA "glob-string" that matches on the :authority header of the incoming request. If not set, it will match on all incoming requests.
pathstringA "glob-string" that matches on the request path. If not provided, then it will match on all incoming requests.
ifRequestHeaderHTTPHeaderMatchChecks if exact or regular expression matches a value in a request header to determine if the WebApplicationFirewall is executed or not.
wafRefWafReferenceA reference to a WebApplicationFirewall to be applied against the request.
onError.statusCodeintConfigure a response code to be sent to the downstream client when when a request matches the rule but there is a configuration or runtime error. By default, requests are allowed on error if this field is not configured. This covers runtime errors such as those caused by networking/request parsing as well as configuration errors such as if the WebApplicationFirewall that is referenced is misconfigured, cannot be found, or when its configuration cannot be loaded properly. Details about the errors can be found either in the WebApplicationFirewall status or container logs.


Appears On: WafMatchingRule Checks if exact or regular expression matches a value in a request header to determine if the WebApplicationFirewall is executed or not.

typeEnum("Exact","RegularExpression")Specifies how to match against the value of the header. Allowed values are "Exact"/"RegularExpression".
namestringName of the HTTP Header to be matched. Name matching MUST be case-insensitive. (See
valuestringValue of HTTP Header to be matched. If type is RegularExpression, then this must be a valid regex with a length of at least 1.
negateboolAllows the match criteria to be negated or flipped.


Appears On: WafMatchingRule A reference to a WebApplicationFirewall

nameName of the WebApplicationFirewall being referenced
namespaceNamespace of the WebApplicationFirewall. This field is required. It must be a RFC 1123 label. Valid values include: "example". Invalid values include: "" - "." is an invalid character. The maximum allowed length is 63 characters, and the regex pattern ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ is used for validation.

Web Application Firewall Usage Guides

The following guides will help you get started using Web Application Firewalls