diff --git a/apis/v1alpha1/wafpolicy_types.go b/apis/v1alpha1/wafpolicy_types.go index 8dbe2153ab..638b6c440e 100644 --- a/apis/v1alpha1/wafpolicy_types.go +++ b/apis/v1alpha1/wafpolicy_types.go @@ -35,6 +35,10 @@ type WAFPolicyList struct { } // WAFPolicySpec defines the desired state of a WAFPolicy. +// +// +kubebuilder:validation:XValidation:message="policySource is required when securityLogs are specified",rule="!has(self.securityLogs) || has(self.policySource)" +// +//nolint:lll type WAFPolicySpec struct { // PolicySource defines the source location and configuration for the compiled WAF policy bundle. // diff --git a/build/Dockerfile.nginxplus b/build/Dockerfile.nginxplus index ab1f207aba..bf68260ae1 100644 --- a/build/Dockerfile.nginxplus +++ b/build/Dockerfile.nginxplus @@ -1,4 +1,8 @@ # syntax=docker/dockerfile:1.17 + +# renovate: datasource=docker depName=alpine +ARG ALPINE_VERSION=3.21 + FROM scratch AS nginx-files # the following links can be replaced with local files if needed, i.e. ADD --chown=101:1001 diff --git a/charts/nginx-gateway-fabric/templates/clusterrole.yaml b/charts/nginx-gateway-fabric/templates/clusterrole.yaml index 1205570535..65619ac983 100644 --- a/charts/nginx-gateway-fabric/templates/clusterrole.yaml +++ b/charts/nginx-gateway-fabric/templates/clusterrole.yaml @@ -109,6 +109,7 @@ rules: - clientsettingspolicies - observabilitypolicies - upstreamsettingspolicies + - wafpolicies {{- if .Values.nginxGateway.snippetsFilters.enable }} - snippetsfilters {{- end }} @@ -122,6 +123,7 @@ rules: - clientsettingspolicies/status - observabilitypolicies/status - upstreamsettingspolicies/status + - wafpolicies/status {{- if .Values.nginxGateway.snippetsFilters.enable }} - snippetsfilters/status {{- end }} diff --git a/config/crd/bases/gateway.nginx.org_wafpolicies.yaml b/config/crd/bases/gateway.nginx.org_wafpolicies.yaml index c0421251b2..3961df2f2d 100644 --- a/config/crd/bases/gateway.nginx.org_wafpolicies.yaml +++ b/config/crd/bases/gateway.nginx.org_wafpolicies.yaml @@ -384,6 +384,9 @@ spec: required: - targetRef type: object + x-kubernetes-validations: + - message: policySource is required when securityLogs are specified + rule: '!has(self.securityLogs) || has(self.policySource)' status: description: Status defines the state of the WAFPolicy. properties: diff --git a/config/crd/kustomization.yaml b/config/crd/kustomization.yaml index b067d64141..ff57c6299e 100644 --- a/config/crd/kustomization.yaml +++ b/config/crd/kustomization.yaml @@ -7,3 +7,4 @@ resources: - bases/gateway.nginx.org_observabilitypolicies.yaml - bases/gateway.nginx.org_snippetsfilters.yaml - bases/gateway.nginx.org_upstreamsettingspolicies.yaml + - bases/gateway.nginx.org_wafpolicies.yaml diff --git a/deploy/azure/deploy.yaml b/deploy/azure/deploy.yaml index 7e29ea1c66..6652fc6b99 100644 --- a/deploy/azure/deploy.yaml +++ b/deploy/azure/deploy.yaml @@ -145,6 +145,7 @@ rules: - clientsettingspolicies - observabilitypolicies - upstreamsettingspolicies + - wafpolicies verbs: - list - watch @@ -155,6 +156,7 @@ rules: - clientsettingspolicies/status - observabilitypolicies/status - upstreamsettingspolicies/status + - wafpolicies/status verbs: - update - apiGroups: diff --git a/deploy/crds.yaml b/deploy/crds.yaml index 2c691b9def..56a3344fd9 100644 --- a/deploy/crds.yaml +++ b/deploy/crds.yaml @@ -9951,3 +9951,695 @@ spec: storage: true subresources: status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.18.0 + labels: + gateway.networking.k8s.io/policy: inherited + name: wafpolicies.gateway.nginx.org +spec: + group: gateway.nginx.org + names: + categories: + - nginx-gateway-fabric + kind: WAFPolicy + listKind: WAFPolicyList + plural: wafpolicies + singular: wafpolicy + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: |- + WAFPolicy is an Inherited Attached Policy. It provides a way to configure NGINX App Protect Web Application Firewall + for Gateways and Routes. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of the WAFPolicy. + properties: + policySource: + description: PolicySource defines the source location and configuration + for the compiled WAF policy bundle. + properties: + authSecret: + description: AuthSecret is the Secret containing authentication + credentials for the WAF policy source. + properties: + name: + description: Name is the name of the Secret containing authentication + credentials for the WAF policy source. + maxLength: 253 + minLength: 1 + pattern: ^[a-zA-Z0-9_-]+$ + type: string + required: + - name + type: object + fileLocation: + description: FileLocation defines the location of the WAF policy + file. + maxLength: 256 + minLength: 1 + type: string + polling: + description: Polling defines the polling configuration for automatic + WAF policy change detection. + properties: + checksumLocation: + description: |- + ChecksumLocation specifies the location of the checksum file for the policy bundle. + If not specified, defaults to .sha256 + maxLength: 2048 + type: string + enabled: + default: false + description: |- + Enabled indicates whether polling is enabled for automatic WAF policy change detection. + When enabled, NGINX Gateway Fabric will periodically check for policy changes using checksum validation. + type: boolean + interval: + default: 5m + description: |- + Interval is the polling interval to check for WAF policy changes. + Must be a valid duration string (e.g., "5m", "30s", "1h"). + Defaults to "5m" if polling is enabled. + pattern: ^[0-9]{1,4}(ms|s|m|h)?$ + type: string + type: object + retry: + description: Retry defines the retry configuration for WAF policy + fetch failures. + properties: + attempts: + default: 3 + description: |- + Attempts is the number of retry attempts for fetching the WAF policy. + Set to 0 to disable retries. + format: int32 + minimum: 0 + type: integer + backoff: + default: exponential + description: |- + Backoff defines the backoff strategy for retry attempts. + Supported values: "exponential", "linear" + enum: + - exponential + - linear + type: string + maxDelay: + default: 5m + description: |- + MaxDelay is the maximum delay between retry attempts. + Must be a valid duration string (e.g., "5m", "30s"). + pattern: ^[0-9]{1,4}(ms|s|m|h)?$ + type: string + type: object + timeout: + description: Timeout for policy downloads. + pattern: ^[0-9]{1,4}(ms|s|m|h)?$ + type: string + validation: + description: Validation defines the validation methods for policy + integrity verification. + properties: + methods: + description: |- + Methods specifies the validation methods to use for policy integrity verification. + Currently supported: ["checksum"] + items: + description: WAFPolicyValidationMethod defines the supported + validation methods. + enum: + - checksum + type: string + type: array + x-kubernetes-list-type: set + type: object + required: + - fileLocation + type: object + securityLogs: + description: |- + SecurityLogs defines the security logging configuration for app_protect_security_log directives. + Multiple logging configurations can be specified to send logs to different destinations. + items: + description: |- + WAFSecurityLog defines the security logging configuration for app_protect_security_log directives. + LogProfile and LogProfileBundle are mutually exclusive per security log entry. + properties: + destination: + description: Destination defines where the security logs should + be sent. + properties: + file: + description: |- + File defines the file destination configuration. + Only valid when type is "file". + properties: + path: + description: |- + Path is the file path where security logs will be written. + Must be accessible to the waf-enforcer container. + maxLength: 256 + minLength: 1 + pattern: ^/.*$ + type: string + required: + - path + type: object + syslog: + description: |- + Syslog defines the syslog destination configuration. + Only valid when type is "syslog". + properties: + server: + description: Server is the syslog server address in + the format "host:port". + maxLength: 253 + minLength: 1 + pattern: ^[a-zA-Z0-9.-]+:[0-9]+$ + type: string + required: + - server + type: object + type: + default: stderr + description: Type identifies the type of security log destination. + enum: + - stderr + - file + - syslog + type: string + required: + - type + type: object + x-kubernetes-validations: + - message: destination.file must be nil if the destination.type + is not file + rule: '!(has(self.file) && self.type != ''file'')' + - message: destination.file must be specified for file destination.type + rule: '!(!has(self.file) && self.type == ''file'')' + - message: destination.syslog must be nil if the destination.type + is not syslog + rule: '!(has(self.syslog) && self.type != ''syslog'')' + - message: destination.syslog must be specified for syslog destination.type + rule: '!(!has(self.syslog) && self.type == ''syslog'')' + logProfile: + description: LogProfile defines the built-in logging profile + to use. + enum: + - log_default + - log_all + - log_illegal + - log_blocked + - log_grpc_all + - log_grpc_blocked + - log_grpc_illegal + type: string + logProfileBundle: + description: LogProfileBundle defines a custom logging profile + bundle, similar to policy bundle. + properties: + authSecret: + description: AuthSecret is the Secret containing authentication + credentials for the WAF policy source. + properties: + name: + description: Name is the name of the Secret containing + authentication credentials for the WAF policy source. + maxLength: 253 + minLength: 1 + pattern: ^[a-zA-Z0-9_-]+$ + type: string + required: + - name + type: object + fileLocation: + description: FileLocation defines the location of the WAF + policy file. + maxLength: 256 + minLength: 1 + type: string + polling: + description: Polling defines the polling configuration for + automatic WAF policy change detection. + properties: + checksumLocation: + description: |- + ChecksumLocation specifies the location of the checksum file for the policy bundle. + If not specified, defaults to .sha256 + maxLength: 2048 + type: string + enabled: + default: false + description: |- + Enabled indicates whether polling is enabled for automatic WAF policy change detection. + When enabled, NGINX Gateway Fabric will periodically check for policy changes using checksum validation. + type: boolean + interval: + default: 5m + description: |- + Interval is the polling interval to check for WAF policy changes. + Must be a valid duration string (e.g., "5m", "30s", "1h"). + Defaults to "5m" if polling is enabled. + pattern: ^[0-9]{1,4}(ms|s|m|h)?$ + type: string + type: object + retry: + description: Retry defines the retry configuration for WAF + policy fetch failures. + properties: + attempts: + default: 3 + description: |- + Attempts is the number of retry attempts for fetching the WAF policy. + Set to 0 to disable retries. + format: int32 + minimum: 0 + type: integer + backoff: + default: exponential + description: |- + Backoff defines the backoff strategy for retry attempts. + Supported values: "exponential", "linear" + enum: + - exponential + - linear + type: string + maxDelay: + default: 5m + description: |- + MaxDelay is the maximum delay between retry attempts. + Must be a valid duration string (e.g., "5m", "30s"). + pattern: ^[0-9]{1,4}(ms|s|m|h)?$ + type: string + type: object + timeout: + description: Timeout for policy downloads. + pattern: ^[0-9]{1,4}(ms|s|m|h)?$ + type: string + validation: + description: Validation defines the validation methods for + policy integrity verification. + properties: + methods: + description: |- + Methods specifies the validation methods to use for policy integrity verification. + Currently supported: ["checksum"] + items: + description: WAFPolicyValidationMethod defines the + supported validation methods. + enum: + - checksum + type: string + type: array + x-kubernetes-list-type: set + type: object + required: + - fileLocation + type: object + name: + description: Name is the name of the security log configuration. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z0-9]([a-zA-Z0-9_-]*[a-zA-Z0-9])?$ + type: string + required: + - destination + type: object + x-kubernetes-validations: + - message: only one of logProfile or logProfileBundle may be set + rule: '!(has(self.logProfile) && has(self.logProfileBundle))' + - message: at least one of logProfile or logProfileBundle must be + set + rule: has(self.logProfile) || has(self.logProfileBundle) + maxItems: 32 + type: array + targetRef: + description: |- + TargetRef identifies an API object to apply the policy to. + Object must be in the same namespace as the policy. + Support: Gateway, HTTPRoute, GRPCRoute. + properties: + group: + description: Group is the group of the target resource. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is kind of the target resource. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the target resource. + maxLength: 253 + minLength: 1 + type: string + required: + - group + - kind + - name + type: object + x-kubernetes-validations: + - message: 'TargetRef Kind must be one of: Gateway, HTTPRoute, or + GRPCRoute' + rule: (self.kind=='Gateway' || self.kind=='HTTPRoute' || self.kind=='GRPCRoute') + - message: TargetRef Group must be gateway.networking.k8s.io. + rule: (self.group=='gateway.networking.k8s.io') + required: + - targetRef + type: object + x-kubernetes-validations: + - message: policySource is required when securityLogs are specified + rule: '!has(self.securityLogs) || has(self.policySource)' + status: + description: Status defines the state of the WAFPolicy. + properties: + ancestors: + description: |- + Ancestors is a list of ancestor resources (usually Gateways) that are + associated with the policy, and the status of the policy with respect to + each ancestor. When this policy attaches to a parent, the controller that + manages the parent and the ancestors MUST add an entry to this list when + the controller first sees the policy and SHOULD update the entry as + appropriate when the relevant ancestor is modified. + + Note that choosing the relevant ancestor is left to the Policy designers; + an important part of Policy design is designing the right object level at + which to namespace this status. + + Note also that implementations MUST ONLY populate ancestor status for + the Ancestor resources they are responsible for. Implementations MUST + use the ControllerName field to uniquely identify the entries in this list + that they are responsible for. + + Note that to achieve this, the list of PolicyAncestorStatus structs + MUST be treated as a map with a composite key, made up of the AncestorRef + and ControllerName fields combined. + + A maximum of 16 ancestors will be represented in this list. An empty list + means the Policy is not relevant for any ancestors. + + If this slice is full, implementations MUST NOT add further entries. + Instead they MUST consider the policy unimplementable and signal that + on any related resources such as the ancestor that would be referenced + here. For example, if this list was full on BackendTLSPolicy, no + additional Gateways would be able to reference the Service targeted by + the BackendTLSPolicy. + items: + description: |- + PolicyAncestorStatus describes the status of a route with respect to an + associated Ancestor. + + Ancestors refer to objects that are either the Target of a policy or above it + in terms of object hierarchy. For example, if a policy targets a Service, the + Policy's Ancestors are, in order, the Service, the HTTPRoute, the Gateway, and + the GatewayClass. Almost always, in this hierarchy, the Gateway will be the most + useful object to place Policy status on, so we recommend that implementations + SHOULD use Gateway as the PolicyAncestorStatus object unless the designers + have a _very_ good reason otherwise. + + In the context of policy attachment, the Ancestor is used to distinguish which + resource results in a distinct application of this policy. For example, if a policy + targets a Service, it may have a distinct result per attached Gateway. + + Policies targeting the same resource may have different effects depending on the + ancestors of those resources. For example, different Gateways targeting the same + Service may have different capabilities, especially if they have different underlying + implementations. + + For example, in BackendTLSPolicy, the Policy attaches to a Service that is + used as a backend in a HTTPRoute that is itself attached to a Gateway. + In this case, the relevant object for status is the Gateway, and that is the + ancestor object referred to in this status. + + Note that a parent is also an ancestor, so for objects where the parent is the + relevant object for status, this struct SHOULD still be used. + + This struct is intended to be used in a slice that's effectively a map, + with a composite key made up of the AncestorRef and the ControllerName. + properties: + ancestorRef: + description: |- + AncestorRef corresponds with a ParentRef in the spec that this + PolicyAncestorStatus struct describes the status of. + properties: + group: + default: gateway.networking.k8s.io + description: |- + Group is the group of the referent. + When unspecified, "gateway.networking.k8s.io" is inferred. + To set the core API group (such as for a "Service" kind referent), + Group must be explicitly set to "" (empty string). + + Support: Core + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: |- + Kind is kind of the referent. + + There are two kinds of parent resources with "Core" support: + + * Gateway (Gateway conformance profile) + * Service (Mesh conformance profile, ClusterIP Services only) + + Support for other resources is Implementation-Specific. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: |- + Name is the name of the referent. + + Support: Core + maxLength: 253 + minLength: 1 + type: string + namespace: + description: |- + Namespace is the namespace of the referent. When unspecified, this refers + to the local namespace of the Route. + + Note that there are specific rules for ParentRefs which cross namespace + boundaries. Cross-namespace references are only valid if they are explicitly + allowed by something in the namespace they are referring to. For example: + Gateway has the AllowedRoutes field, and ReferenceGrant provides a + generic way to enable any other kind of cross-namespace reference. + + + ParentRefs from a Route to a Service in the same namespace are "producer" + routes, which apply default routing rules to inbound connections from + any namespace to the Service. + + ParentRefs from a Route to a Service in a different namespace are + "consumer" routes, and these routing rules are only applied to outbound + connections originating from the same namespace as the Route, for which + the intended destination of the connections are a Service targeted as a + ParentRef of the Route. + + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: |- + Port is the network port this Route targets. It can be interpreted + differently based on the type of parent resource. + + When the parent resource is a Gateway, this targets all listeners + listening on the specified port that also support this kind of Route(and + select this Route). It's not recommended to set `Port` unless the + networking behaviors specified in a Route must apply to a specific port + as opposed to a listener(s) whose port(s) may be changed. When both Port + and SectionName are specified, the name and port of the selected listener + must match both specified values. + + + When the parent resource is a Service, this targets a specific port in the + Service spec. When both Port (experimental) and SectionName are specified, + the name and port of the selected port must match both specified values. + + + Implementations MAY choose to support other parent resources. + Implementations supporting other types of parent resources MUST clearly + document how/if Port is interpreted. + + For the purpose of status, an attachment is considered successful as + long as the parent resource accepts it partially. For example, Gateway + listeners can restrict which Routes can attach to them by Route kind, + namespace, or hostname. If 1 of 2 Gateway listeners accept attachment + from the referencing Route, the Route MUST be considered successfully + attached. If no Gateway listeners accept attachment from this Route, + the Route MUST be considered detached from the Gateway. + + Support: Extended + format: int32 + maximum: 65535 + minimum: 1 + type: integer + sectionName: + description: |- + SectionName is the name of a section within the target resource. In the + following resources, SectionName is interpreted as the following: + + * Gateway: Listener name. When both Port (experimental) and SectionName + are specified, the name and port of the selected listener must match + both specified values. + * Service: Port name. When both Port (experimental) and SectionName + are specified, the name and port of the selected listener must match + both specified values. + + Implementations MAY choose to support attaching Routes to other resources. + If that is the case, they MUST clearly document how SectionName is + interpreted. + + When unspecified (empty string), this will reference the entire resource. + For the purpose of status, an attachment is considered successful if at + least one section in the parent resource accepts it. For example, Gateway + listeners can restrict which Routes can attach to them by Route kind, + namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from + the referencing Route, the Route MUST be considered successfully + attached. If no Gateway listeners accept attachment from this Route, the + Route MUST be considered detached from the Gateway. + + Support: Core + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + conditions: + description: Conditions describes the status of the Policy with + respect to the given Ancestor. + items: + description: Condition contains details for one aspect of + the current state of this API Resource. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, + Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + controllerName: + description: |- + ControllerName is a domain/path string that indicates the name of the + controller that wrote this status. This corresponds with the + controllerName field on GatewayClass. + + Example: "example.net/gateway-controller". + + The format of this field is DOMAIN "/" PATH, where DOMAIN and PATH are + valid Kubernetes names + (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names). + + Controllers MUST populate this field when writing status. Controllers should ensure that + entries to status populated with their ControllerName are cleaned up when they are no + longer necessary. + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ + type: string + required: + - ancestorRef + - controllerName + type: object + maxItems: 16 + type: array + required: + - ancestors + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} diff --git a/deploy/default/deploy.yaml b/deploy/default/deploy.yaml index 199131b2a4..31f1d5c9f3 100644 --- a/deploy/default/deploy.yaml +++ b/deploy/default/deploy.yaml @@ -145,6 +145,7 @@ rules: - clientsettingspolicies - observabilitypolicies - upstreamsettingspolicies + - wafpolicies verbs: - list - watch @@ -155,6 +156,7 @@ rules: - clientsettingspolicies/status - observabilitypolicies/status - upstreamsettingspolicies/status + - wafpolicies/status verbs: - update - apiGroups: diff --git a/deploy/experimental-nginx-plus/deploy.yaml b/deploy/experimental-nginx-plus/deploy.yaml index 46844c4e47..1d59b626c8 100644 --- a/deploy/experimental-nginx-plus/deploy.yaml +++ b/deploy/experimental-nginx-plus/deploy.yaml @@ -149,6 +149,7 @@ rules: - clientsettingspolicies - observabilitypolicies - upstreamsettingspolicies + - wafpolicies verbs: - list - watch @@ -159,6 +160,7 @@ rules: - clientsettingspolicies/status - observabilitypolicies/status - upstreamsettingspolicies/status + - wafpolicies/status verbs: - update - apiGroups: diff --git a/deploy/experimental/deploy.yaml b/deploy/experimental/deploy.yaml index 0dbeac7329..150ffd946b 100644 --- a/deploy/experimental/deploy.yaml +++ b/deploy/experimental/deploy.yaml @@ -149,6 +149,7 @@ rules: - clientsettingspolicies - observabilitypolicies - upstreamsettingspolicies + - wafpolicies verbs: - list - watch @@ -159,6 +160,7 @@ rules: - clientsettingspolicies/status - observabilitypolicies/status - upstreamsettingspolicies/status + - wafpolicies/status verbs: - update - apiGroups: diff --git a/deploy/nginx-plus/deploy.yaml b/deploy/nginx-plus/deploy.yaml index 73e985ebc2..dd973bcf0e 100644 --- a/deploy/nginx-plus/deploy.yaml +++ b/deploy/nginx-plus/deploy.yaml @@ -145,6 +145,7 @@ rules: - clientsettingspolicies - observabilitypolicies - upstreamsettingspolicies + - wafpolicies verbs: - list - watch @@ -155,6 +156,7 @@ rules: - clientsettingspolicies/status - observabilitypolicies/status - upstreamsettingspolicies/status + - wafpolicies/status verbs: - update - apiGroups: diff --git a/deploy/nodeport/deploy.yaml b/deploy/nodeport/deploy.yaml index a2725a6473..a0c9decc54 100644 --- a/deploy/nodeport/deploy.yaml +++ b/deploy/nodeport/deploy.yaml @@ -145,6 +145,7 @@ rules: - clientsettingspolicies - observabilitypolicies - upstreamsettingspolicies + - wafpolicies verbs: - list - watch @@ -155,6 +156,7 @@ rules: - clientsettingspolicies/status - observabilitypolicies/status - upstreamsettingspolicies/status + - wafpolicies/status verbs: - update - apiGroups: diff --git a/deploy/openshift/deploy.yaml b/deploy/openshift/deploy.yaml index 99485c69bd..f047ca8763 100644 --- a/deploy/openshift/deploy.yaml +++ b/deploy/openshift/deploy.yaml @@ -145,6 +145,7 @@ rules: - clientsettingspolicies - observabilitypolicies - upstreamsettingspolicies + - wafpolicies verbs: - list - watch @@ -155,6 +156,7 @@ rules: - clientsettingspolicies/status - observabilitypolicies/status - upstreamsettingspolicies/status + - wafpolicies/status verbs: - update - apiGroups: diff --git a/deploy/snippets-filters-nginx-plus/deploy.yaml b/deploy/snippets-filters-nginx-plus/deploy.yaml index 6cc0026877..47a36dac99 100644 --- a/deploy/snippets-filters-nginx-plus/deploy.yaml +++ b/deploy/snippets-filters-nginx-plus/deploy.yaml @@ -145,6 +145,7 @@ rules: - clientsettingspolicies - observabilitypolicies - upstreamsettingspolicies + - wafpolicies - snippetsfilters verbs: - list @@ -156,6 +157,7 @@ rules: - clientsettingspolicies/status - observabilitypolicies/status - upstreamsettingspolicies/status + - wafpolicies/status - snippetsfilters/status verbs: - update diff --git a/deploy/snippets-filters/deploy.yaml b/deploy/snippets-filters/deploy.yaml index 9bb597289d..19fd4d9f69 100644 --- a/deploy/snippets-filters/deploy.yaml +++ b/deploy/snippets-filters/deploy.yaml @@ -145,6 +145,7 @@ rules: - clientsettingspolicies - observabilitypolicies - upstreamsettingspolicies + - wafpolicies - snippetsfilters verbs: - list @@ -156,6 +157,7 @@ rules: - clientsettingspolicies/status - observabilitypolicies/status - upstreamsettingspolicies/status + - wafpolicies/status - snippetsfilters/status verbs: - update