apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: controller-gen.kubebuilder.io/version: v0.4.0 creationTimestamp: null name: appolicies.appprotect.f5.com spec: group: appprotect.f5.com names: kind: APPolicy listKind: APPolicyList plural: appolicies singular: appolicy preserveUnknownFields: false scope: Namespaced versions: - name: v1beta1 schema: openAPIV3Schema: description: APPolicyConfig is the Schema for the APPolicyconfigs API properties: apiVersion: description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' type: string kind: description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' type: string metadata: type: object spec: description: APPolicySpec defines the desired state of APPolicy properties: modifications: items: properties: action: type: string description: type: string entity: properties: name: type: string type: object entityChanges: properties: type: type: string type: object type: object x-kubernetes-preserve-unknown-fields: true type: array modificationsReference: properties: link: pattern: ^http type: string type: object policy: description: Defines the App Protect policy properties: applicationLanguage: enum: - iso-8859-10 - iso-8859-6 - windows-1255 - auto-detect - koi8-r - gb18030 - iso-8859-8 - windows-1250 - iso-8859-9 - windows-1252 - iso-8859-16 - gb2312 - iso-8859-2 - iso-8859-5 - windows-1257 - windows-1256 - iso-8859-13 - windows-874 - windows-1253 - iso-8859-3 - euc-jp - utf-8 - gbk - windows-1251 - big5 - iso-8859-1 - shift_jis - euc-kr - iso-8859-4 - iso-8859-7 - iso-8859-15 type: string blocking-settings: properties: evasions: items: properties: description: enum: - '%u decoding' - Apache whitespace - Bad unescape - Bare byte decoding - Directory traversals - IIS backslashes - IIS Unicode codepoints - Multiple decoding type: string enabled: type: boolean maxDecodingPasses: type: integer type: object type: array http-protocols: items: properties: description: enum: - Unescaped space in URL - Unparsable request content - Several Content-Length headers - 'POST request with Content-Length: 0' - Null in request - No Host header in HTTP/1.1 request - Multiple host headers - Host header contains IP address - High ASCII characters in headers - Header name with no header value - CRLF characters before request start - Content length should be a positive number - Chunked request with Content-Length header - Check maximum number of parameters - Check maximum number of headers - Body in GET or HEAD requests - Bad multipart/form-data request parsing - Bad multipart parameters parsing - Bad HTTP version - Bad host header value type: string enabled: type: boolean maxHeaders: type: integer maxParams: type: integer type: object type: array violations: items: properties: alarm: type: boolean block: type: boolean description: type: string name: enum: - VIOL_PARAMETER_VALUE_BASE64 - VIOL_MANDATORY_HEADER - VIOL_HEADER_REPEATED - VIOL_ASM_COOKIE_MODIFIED - VIOL_BLACKLISTED_IP - VIOL_COOKIE_EXPIRED - VIOL_COOKIE_LENGTH - VIOL_COOKIE_MALFORMED - VIOL_COOKIE_MODIFIED - VIOL_DATA_GUARD - VIOL_ENCODING - VIOL_EVASION - VIOL_FILETYPE - VIOL_FILE_UPLOAD - VIOL_FILE_UPLOAD_IN_BODY - VIOL_HEADER_LENGTH - VIOL_HEADER_METACHAR - VIOL_HTTP_PROTOCOL - VIOL_HTTP_RESPONSE_STATUS - VIOL_JSON_FORMAT - VIOL_JSON_MALFORMED - VIOL_JSON_SCHEMA - VIOL_MANDATORY_PARAMETER - VIOL_MANDATORY_REQUEST_BODY - VIOL_METHOD - VIOL_PARAMETER - VIOL_PARAMETER_DATA_TYPE - VIOL_PARAMETER_EMPTY_VALUE - VIOL_PARAMETER_LOCATION - VIOL_PARAMETER_MULTIPART_NULL_VALUE - VIOL_PARAMETER_NAME_METACHAR - VIOL_PARAMETER_NUMERIC_VALUE - VIOL_PARAMETER_REPEATED - VIOL_PARAMETER_STATIC_VALUE - VIOL_PARAMETER_VALUE_LENGTH - VIOL_PARAMETER_VALUE_METACHAR - VIOL_POST_DATA_LENGTH - VIOL_QUERY_STRING_LENGTH - VIOL_RATING_THREAT - VIOL_RATING_NEED_EXAMINATION - VIOL_REQUEST_MAX_LENGTH - VIOL_REQUEST_LENGTH - VIOL_THREAT_CAMPAIGN - VIOL_URL - VIOL_URL_CONTENT_TYPE - VIOL_URL_LENGTH - VIOL_URL_METACHAR - VIOL_XML_FORMAT - VIOL_XML_MALFORMED type: string type: object type: array type: object blockingSettingReference: properties: link: pattern: ^http type: string type: object bot-defense: properties: mitigations: properties: anomalies: items: properties: action: enum: - alarm - block - default - detect - ignore type: string name: type: string scoreThreshold: pattern: '[0-9]|[1-9][0-9]|1[0-4][0-9]|150|default' type: string type: object type: array classes: items: properties: action: enum: - alarm - block - detect - ignore type: string name: enum: - malicious-bot - suspicious-browser - trusted-bot - untrusted-bot type: string type: object type: array signatures: items: properties: action: enum: - alarm - block - detect - ignore type: string name: type: string type: object type: array type: object settings: properties: isEnabled: type: boolean type: object type: object caseInsensitive: type: boolean character-sets: items: properties: characterSet: items: properties: isAllowed: type: boolean metachar: type: string type: object type: array characterSetType: enum: - gwt-content - header - json-content - parameter-name - parameter-value - plain-text-content - url - xml-content type: string type: object type: array characterSetReference: properties: link: pattern: ^http type: string type: object cookie-settings: properties: maximumCookieHeaderLength: pattern: any|\d+ type: string type: object cookieReference: properties: link: pattern: ^http type: string type: object cookieSettingsReference: properties: link: pattern: ^http type: string type: object cookies: items: properties: accessibleOnlyThroughTheHttpProtocol: type: boolean attackSignaturesCheck: type: boolean decodeValueAsBase64: enum: - enabled - disabled - required type: string enforcementType: type: string insertSameSiteAttribute: enum: - lax - none - none-value - strict type: string name: type: string securedOverHttpsConnection: type: boolean signatureOverrides: items: properties: enabled: type: boolean name: type: string signatureId: type: integer tag: type: string type: object type: array type: enum: - explicit - wildcard type: string type: object type: array data-guard: properties: creditCardNumbers: type: boolean enabled: type: boolean enforcementMode: enum: - ignore-urls-in-list - enforce-urls-in-list type: string enforcementUrls: items: type: string type: array lastCcnDigitsToExpose: type: integer lastSsnDigitsToExpose: type: integer maskData: type: boolean usSocialSecurityNumbers: type: boolean type: object dataGuardReference: properties: link: pattern: ^http type: string type: object description: type: string enablePassiveMode: type: boolean enforcementMode: enum: - transparent - blocking type: string filetypeReference: properties: link: pattern: ^http type: string type: object filetypes: items: properties: allowed: type: boolean checkPostDataLength: type: boolean checkQueryStringLength: type: boolean checkRequestLength: type: boolean checkUrlLength: type: boolean name: type: string postDataLength: type: integer queryStringLength: type: integer requestLength: type: integer responseCheck: type: boolean type: enum: - explicit - wildcard type: string urlLength: type: integer type: object type: array fullPath: type: string general: properties: allowedResponseCodes: items: format: int32 maximum: 999 minimum: 100 type: integer type: array customXffHeaders: items: type: string type: array maskCreditCardNumbersInRequest: type: boolean trustXff: type: boolean type: object generalReference: properties: link: pattern: ^http type: string type: object header-settings: properties: maximumHttpHeaderLength: pattern: any|\d+ type: string type: object headerReference: properties: link: pattern: ^http type: string type: object headerSettingsReference: properties: link: pattern: ^http type: string type: object headers: items: properties: base64Decoding: type: boolean checkSignatures: type: boolean decodeValueAsBase64: enum: - enabled - disabled - required type: string htmlNormalization: type: boolean mandatory: type: boolean maskValueInLogs: type: boolean name: type: string normalizationViolations: type: boolean percentDecoding: type: boolean type: enum: - explicit - wildcard type: string urlNormalization: type: boolean type: object type: array json-profiles: items: properties: attackSignaturesCheck: type: boolean defenseAttributes: properties: maximumArrayLength: pattern: any|\d+ type: string maximumStructureDepth: pattern: any|\d+ type: string maximumTotalLengthOfJSONData: pattern: any|\d+ type: string maximumValueLength: pattern: any|\d+ type: string tolerateJSONParsingWarnings: type: boolean type: object description: type: string hasValidationFiles: type: boolean metacharOverrides: items: properties: isAllowed: type: boolean metachar: type: string type: object type: array name: type: string signatureOverrides: items: properties: enabled: type: boolean name: type: string signatureId: type: integer tag: type: string type: object type: array validationFiles: items: properties: importUrl: type: string isPrimary: type: boolean jsonValidationFile: properties: contents: type: string fileName: type: string isBase64: type: boolean type: object type: object type: array type: object type: array json-validation-files: items: properties: contents: type: string fileName: type: string isBase64: type: boolean type: object type: array jsonProfileReference: properties: link: pattern: ^http type: string type: object jsonValidationFileReference: properties: link: pattern: ^http type: string type: object methodReference: properties: link: pattern: ^http type: string type: object methods: items: properties: name: type: string type: object type: array name: type: string open-api-files: items: properties: link: pattern: ^http type: string type: object type: array parameterReference: properties: link: pattern: ^http type: string type: object parameters: items: properties: allowEmptyValue: type: boolean allowRepeatedParameterName: type: boolean arraySerializationFormat: enum: - csv - form - label - matrix - multi - multipart - pipe - ssv - tsv type: string attackSignaturesCheck: type: boolean checkMaxValue: type: boolean checkMaxValueLength: type: boolean checkMetachars: type: boolean checkMinValue: type: boolean checkMinValueLength: type: boolean checkMultipleOfValue: type: boolean contentProfile: properties: name: type: string type: object dataType: enum: - alpha-numeric - binary - boolean - decimal - email - integer - none - phone type: string decodeValueAsBase64: enum: - enabled - disabled - required type: string disallowFileUploadOfExecutables: type: boolean enableRegularExpression: type: boolean exclusiveMax: type: boolean exclusiveMin: type: boolean isCookie: type: boolean isHeader: type: boolean level: enum: - global - url type: string maximumLength: type: integer metacharsOnParameterValueCheck: type: boolean minimumLength: type: integer name: type: string nameMetacharOverrides: items: properties: isAllowed: type: boolean metachar: type: string type: object type: array objectSerializationStyle: type: string parameterEnumValues: items: type: string type: array parameterLocation: enum: - any - cookie - form-data - header - path - query type: string regularExpression: type: string sensitiveParameter: type: boolean signatureOverrides: items: properties: enabled: type: boolean name: type: string signatureId: type: integer tag: type: string type: object type: array staticValues: type: string type: enum: - explicit - wildcard type: string valueMetacharOverrides: items: properties: isAllowed: type: boolean metachar: type: string type: object type: array valueType: enum: - array - auto-detect - dynamic-content - dynamic-parameter-name - ignore - json - object - openapi-array - static-content - user-input - xml type: string type: object type: array response-pages: items: properties: ajaxActionType: enum: - alert-popup - custom - redirect type: string ajaxCustomContent: type: string ajaxEnabled: type: boolean ajaxPopupMessage: type: string ajaxRedirectUrl: type: string responseActionType: enum: - custom - default - erase-cookies - redirect - soap-fault type: string responseContent: type: string responseHeader: type: string responsePageType: enum: - ajax - ajax-login - captcha - captcha-fail - default - failed-login-honeypot - failed-login-honeypot-ajax - hijack - leaked-credentials - leaked-credentials-ajax - mobile - persistent-flow - xml type: string responseRedirectUrl: type: string type: object type: array responsePageReference: properties: link: pattern: ^http type: string type: object sensitive-parameters: items: properties: name: type: string type: object type: array sensitiveParameterReference: properties: link: pattern: ^http type: string type: object server-technologies: items: properties: serverTechnologyName: enum: - Jenkins - SharePoint - Oracle Application Server - Python - Oracle Identity Manager - Spring Boot - CouchDB - SQLite - Handlebars - Mustache - Prototype - Zend - Redis - Underscore.js - Ember.js - ZURB Foundation - ef.js - Vue.js - UIKit - TYPO3 CMS - RequireJS - React - MooTools - Laravel - GraphQL - Google Web Toolkit - Express.js - CodeIgniter - Backbone.js - AngularJS - JavaScript - Nginx - Jetty - Joomla - JavaServer Faces (JSF) - Ruby - MongoDB - Django - Node.js - Citrix - JBoss - Elasticsearch - Apache Struts - XML - PostgreSQL - IBM DB2 - Sybase/ASE - CGI - Proxy Servers - SSI (Server Side Includes) - Cisco - Novell - Macromedia JRun - BEA Systems WebLogic Server - Lotus Domino - MySQL - Oracle - Microsoft SQL Server - PHP - Outlook Web Access - Apache/NCSA HTTP Server - Apache Tomcat - WordPress - Macromedia ColdFusion - Unix/Linux - Microsoft Windows - ASP.NET - Front Page Server Extensions (FPSE) - IIS - WebDAV - ASP - Java Servlets/JSP - jQuery type: string type: object type: array serverTechnologyReference: properties: link: pattern: ^http type: string type: object signature-requirements: items: properties: tag: type: string type: object type: array signature-sets: items: properties: alarm: type: boolean block: type: boolean name: type: string type: object x-kubernetes-preserve-unknown-fields: true type: array signature-settings: properties: attackSignatureFalsePositiveMode: enum: - detect - detect-and-allow - disabled type: string minimumAccuracyForAutoAddedSignatures: enum: - high - low - medium type: string type: object signatureReference: properties: link: pattern: ^http type: string type: object signatureSetReference: properties: link: pattern: ^http type: string type: object signatureSettingReference: properties: link: pattern: ^http type: string type: object signatures: items: properties: enabled: type: boolean name: type: string signatureId: type: integer tag: type: string type: object type: array softwareVersion: type: string template: properties: name: type: string type: object threat-campaigns: items: properties: isEnabled: type: boolean name: type: string type: object type: array threatCampaignReference: properties: link: pattern: ^http type: string type: object urlReference: properties: link: pattern: ^http type: string type: object urls: items: properties: attackSignaturesCheck: type: boolean description: type: string disallowFileUploadOfExecutables: type: boolean isAllowed: type: boolean mandatoryBody: type: boolean metacharOverrides: items: properties: isAllowed: type: boolean metachar: type: string type: object type: array metacharsOnUrlCheck: type: boolean method: enum: - ACL - BCOPY - BDELETE - BMOVE - BPROPFIND - BPROPPATCH - CHECKIN - CHECKOUT - CONNECT - COPY - DELETE - GET - HEAD - LINK - LOCK - MERGE - MKCOL - MKWORKSPACE - MOVE - NOTIFY - OPTIONS - PATCH - POLL - POST - PROPFIND - PROPPATCH - PUT - REPORT - RPC_IN_DATA - RPC_OUT_DATA - SEARCH - SUBSCRIBE - TRACE - TRACK - UNLINK - UNLOCK - UNSUBSCRIBE - VERSION_CONTROL - X-MS-ENUMATTS - '*' type: string methodOverrides: items: properties: allowed: type: boolean method: enum: - ACL - BCOPY - BDELETE - BMOVE - BPROPFIND - BPROPPATCH - CHECKIN - CHECKOUT - CONNECT - COPY - DELETE - GET - HEAD - LINK - LOCK - MERGE - MKCOL - MKWORKSPACE - MOVE - NOTIFY - OPTIONS - PATCH - POLL - POST - PROPFIND - PROPPATCH - PUT - REPORT - RPC_IN_DATA - RPC_OUT_DATA - SEARCH - SUBSCRIBE - TRACE - TRACK - UNLINK - UNLOCK - UNSUBSCRIBE - VERSION_CONTROL - X-MS-ENUMATTS type: string type: object type: array methodsOverrideOnUrlCheck: type: boolean name: type: string positionalParameters: items: properties: parameter: properties: allowEmptyValue: type: boolean allowRepeatedParameterName: type: boolean arraySerializationFormat: enum: - csv - form - label - matrix - multi - multipart - pipe - ssv - tsv type: string attackSignaturesCheck: type: boolean checkMaxValue: type: boolean checkMaxValueLength: type: boolean checkMetachars: type: boolean checkMinValue: type: boolean checkMinValueLength: type: boolean checkMultipleOfValue: type: boolean contentProfile: properties: name: type: string type: object dataType: enum: - alpha-numeric - binary - boolean - decimal - email - integer - none - phone type: string decodeValueAsBase64: enum: - enabled - disabled - required type: string disallowFileUploadOfExecutables: type: boolean enableRegularExpression: type: boolean exclusiveMax: type: boolean exclusiveMin: type: boolean isCookie: type: boolean isHeader: type: boolean level: enum: - global - url type: string maximumLength: type: integer metacharsOnParameterValueCheck: type: boolean minimumLength: type: integer name: type: string nameMetacharOverrides: items: properties: isAllowed: type: boolean metachar: type: string type: object type: array objectSerializationStyle: type: string parameterEnumValues: items: type: string type: array parameterLocation: enum: - any - cookie - form-data - header - path - query type: string regularExpression: type: string sensitiveParameter: type: boolean signatureOverrides: items: properties: enabled: type: boolean name: type: string signatureId: type: integer tag: type: string type: object type: array staticValues: type: string type: enum: - explicit - wildcard type: string valueMetacharOverrides: items: properties: isAllowed: type: boolean metachar: type: string type: object type: array valueType: enum: - array - auto-detect - dynamic-content - dynamic-parameter-name - ignore - json - object - openapi-array - static-content - user-input - xml type: string type: object urlSegmentIndex: type: integer type: object type: array protocol: enum: - http - https type: string signatureOverrides: items: properties: enabled: type: boolean name: type: string signatureId: type: integer tag: type: string type: object type: array type: enum: - explicit - wildcard type: string urlContentProfiles: items: properties: headerName: type: string headerOrder: type: string headerValue: type: string name: type: string type: enum: - apply-content-signatures - apply-value-and-content-signatures - disallow - do-nothing - form-data - gwt - json - xml type: string type: object type: array wildcardOrder: type: integer type: object type: array whitelist-ips: items: properties: blockRequests: enum: - always - never - policy-default type: string ipAddress: pattern: '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' type: string ipMask: pattern: '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' type: string type: object type: array whitelistIpReference: properties: link: pattern: ^http type: string type: object xml-profiles: items: properties: attackSignaturesCheck: type: boolean defenseAttributes: properties: allowCDATA: type: boolean allowDTDs: type: boolean allowExternalReferences: type: boolean allowProcessingInstructions: type: boolean maximumAttributeValueLength: pattern: any|\d+ type: string maximumAttributesPerElement: pattern: any|\d+ type: string maximumChildrenPerElement: pattern: any|\d+ type: string maximumDocumentDepth: pattern: any|\d+ type: string maximumDocumentSize: pattern: any|\d+ type: string maximumElements: pattern: any|\d+ type: string maximumNSDeclarations: pattern: any|\d+ type: string maximumNameLength: pattern: any|\d+ type: string maximumNamespaceLength: pattern: any|\d+ type: string tolerateCloseTagShorthand: type: boolean tolerateLeadingWhiteSpace: type: boolean tolerateNumericNames: type: boolean type: object description: type: string enableWss: type: boolean followSchemaLinks: type: boolean name: type: string type: object type: array xml-validation-files: items: properties: contents: type: string fileName: type: string isBase64: type: boolean type: object type: array xmlProfileReference: properties: link: pattern: ^http type: string type: object xmlValidationFileReference: properties: link: pattern: ^http type: string type: object type: object type: object type: object served: true storage: true