
Releases: airlock/microgateway

4.3.2

29 Aug 15:20

Version 4.3.2

Release description

Airlock Microgateway helps you to protect your services and APIs from unauthorized or malicious access with little effort. It is a lightweight and Kubernetes-native Web Application and API Protection (WAAP) solution designed to overcome the DevSecOps obstacles and to implement ZeroTrust.

This Airlock Microgateway release contains security and regular updates of dependencies and a bugfix for the CNI plugin.


Changelog

  • SEC: AM-4744 Base images updated
  • FIX: AM-4739 CNI traffic redirection not working properly in certain scenarios when using Istio with Native Sidecar support enabled (CASE-35485)

4.2.6

29 Aug 15:14

Version 4.2.6

Release description


This Airlock Microgateway release contains security and regular updates of dependencies and a bugfix for the CNI plugin.


Changelog

  • SEC: AM-4741 Base images updated
  • FIX: AM-4739 CNI traffic redirection not working properly in certain scenarios when using Istio with Native Sidecar support enabled (CASE-35485)

4.3.1

19 Aug 09:57

Version 4.3.1

Release description


This Airlock Microgateway release contains security and regular updates of dependencies and improvements.


Changelog

  • SEC: AM-4662 Go updated to v1.22.6, Base images updated
  • FIX: AM-4488 Allow empty schemas for binary body validators
  • CHG: AM-4577 Switched from busybox to netcat image for Network Validator container

4.2.5

16 Aug 17:03

Version 4.2.5

Release description


This Airlock Microgateway release contains security and regular updates of dependencies and improvements.


Changelog

  • SEC: AM-4663 Go updated to v1.22.6, Base images updated
  • CHG: AM-4577 Switched from busybox to netcat image for Network Validator container

4.3.0

12 Jul 13:20

Version 4.3.0

Release description


Main new features:

  • GraphQL schema validation
  • Own- and Multi-Namespace support
  • Grafana Dashboards
  • OIDC RP improvements
  • Extend limit checks to support OpenAPI and GraphQL requests and additional content type: multipart/form-data

Action required:

  • If the experimental OIDC Relying Party feature is used, a Redis must now be deployed and a SessionHandling CR configured and referenced from the SidecarGateway CR.
  • The upgrade to 4.3 must be done without using the new Own- and Multi-Namespace feature.

Breaking changes:
The following changes are breaking:

  • The behavior of the value "auto" for the upstream protocol in the SidecarGateway CRD has changed. If no TLS is configured for the upstream connection, the HTTP protocol of the downstream connection is now also used for the upstream connection. Previously, "auto" always selected HTTP/1.1 for upstream connections.
  • Various behaviors and defaults of the Limit CRD have changed:
    • Split up the general.bodySize limit into the specific limits limited.json.bodySize and limited.parameter.bodySize (default values: 100Ki)
    • general.bodySize is from now on only applied to unparsed requests with unknown content types such as application/octet-stream (old behavior: applied only to parsed requests, e.g. JSON data). Hence it is no longer a global default.
    • Default value of general.bodySize was increased to 100Mi (old default: 100Ki)
    • WebSocket and gRPC requests currently have no specific limit settings and always use an unlimited, non-configurable body size to avoid problems
  • Microgateway configured as OIDC Relying Party now requires a deployed Redis and configured session handling. The OIDC configuration itself is unchanged.
  • The Engine metrics have changed to simplify future extensions:
    • Regarding requests
      • Added a new metric microgateway_http_downstream_rq_threats_blocked_total to measure the total number of requests blocked by an Engine filter. This metric now contains the block_type label with the value of the block category that triggered the block action.
      • Added a new metric microgateway_http_downstream_rq_threats_logged_total to measure the total number of requests logged by an Engine filter. This metric now contains the block_type label with the value of the block category that would trigger a block action.
      • Removed the metrics microgateway_http_downstream_rq_blocked_total, microgateway_http_downstream_rq_deny_rule_total and microgateway_http_downstream_rq_limit_total. Please migrate to the above-mentioned metrics instead.
    • Regarding responses
      • Added a new metric microgateway_http_downstream_rs_threats_blocked_total to measure the total number of responses blocked by an Engine filter. This metric now contains the block_type label with the value of the block category that triggered the block action.
      • Added a new metric microgateway_http_downstream_rs_threats_logged_total to measure the total number of responses logged by an Engine filter. This metric now contains the block_type label with the value of the block category that would trigger a block action.
      • Removed the metric microgateway_http_downstream_rs_blocked_total. Please migrate to the above-mentioned metric instead.

Licensing:
In the Community edition, if the real throughput exceeds the licensed throughput, requests are blocked. In the Premium edition, no requests are blocked.


Changelog

  • NEW: AM-1751 Extend Access Log with Correlation ID
  • NEW: AM-3107 Added new RedisProvider CRD
  • NEW: AM-3239 gRPC proxying support improved
  • NEW: AM-3879 Add new timing metrics rq_processing_time_ms, rs_processing_time_ms, upstream_responsiveness_ms
  • NEW: AM-3993 Add gRPC proxying support
  • NEW: AM-4126 Introduce GraphQL CRD
  • NEW: AM-4153 Add Airlock Microgateway Session Store to Helm Chart
  • NEW: AM-4154 Add Airlock Microgateway Session Agent container
  • NEW: AM-4155 Added new SessionHandling CRD
  • NEW: AM-4171 Optionally deploy a Grafana Dashboard for licensing statistics
  • NEW: AM-4175 Optionally deploy an Overview Dashboard for Microgateway statistics in Grafana
  • NEW: AM-4176 Optionally deploy a dashboard detailing statistics on blocked requests
  • NEW: AM-4177 Optionally deploy a dashboard with log details on blocked requests
  • NEW: AM-4182 add querySize, nestingDepth and valueLength keys to the Limits CRD to define limits for GraphQL requests
  • NEW: AM-4209 Introduce bodySize key per content type to the Limits CRD to restrict the total request body size
  • NEW: AM-4218 Add support for Single/Own-Namespace Operator installation
  • NEW: AM-4274 Add support in Deny Rules for GraphQL (exceptions, overrides and custom deny rules)
  • NEW: AM-4298 Added Readiness and Liveness probes for Microgateway Session Agent
  • NEW: AM-4361 Validate AccessControl CR is properly configured for OIDC which requires SessionHandling CR.
  • NEW: AM-4416 Add length exception for fields, arguments and values to Limits CRD for GraphQL requests.
  • FIX: AM-4205 Fixed invalid config events/conditions not being emitted when OIDC is configured and the initial configuration after pod startup is rejected by the Engine
  • CHG: Metrics deny_rule_total and limit_total replaced with blocked_total
  • CHG: AM-3991 Limit the total number of active downstream connections allowed across all listeners
  • CHG: AM-3995 Double max-age value of HSTS header to 31536000 (one year)
  • CHG: AM-4187 Split up blocked_total metric into threats_blocked_total and threats_logged_total
  • CHG: AM-4231 Change behavior of "auto" value for upstream protocol in SidecarGateway CRD
  • CHG: AM-4243 Improved validation of trustedCA certificate secret contents
  • CHG: AM-4301 Operator now distinguishes between managed and unmanaged Pods/Sidecars (= managed by a different Operator instance) and no longer attempts configuration updates for the latter
  • CHG: AM-4331 The internal EnvoyConfiguration CRD now stores the Engine configuration in a compressed format in order to support larger configurations without reaching the Kubernetes request size limit
  • CHG: AM-4407 Various deny-rule improvements
  • CHG: AM-4469 Removed finalizers for Pod and EnvoyConfiguration resources
  • UPD: AM-4213 Update Envoy to 1.30.1
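The GraphQL limits that AM-4182 adds to the Limits CRD (querySize, nestingDepth and valueLength), as an added illustration of what such a check has to do on a raw query document. This is example code written for this page, not the Engine's implementation, and the limit values in the demo are assumptions rather than product defaults. Only the parts of the document that matter for the measurement are scanned (comments, string literals and braces), which is enough to keep braces inside a string value from inflating the measured depth.

```python
"""Added example, not the Engine's own implementation: apply the three
GraphQL limits the 4.3.0 Limits CRD gains (querySize, nestingDepth,
valueLength) to a raw query document. No GraphQL parser is needed for
the measurement; the demo limit values are assumptions, not defaults."""

from dataclasses import dataclass


@dataclass(frozen=True)
class GraphQLLimits:
    query_size: int     # maximum size of the whole document in bytes
    nesting_depth: int  # maximum depth of nested braces (selection sets, input objects)
    value_length: int   # maximum length of a single string literal


def measure_query(query):
    """Return (max_nesting_depth, longest_string_literal).

    Braces inside string literals and comments are ignored, so a value such
    as "{{{{" cannot inflate the depth. Input-object literals nest with braces
    too and are counted as well, which errs on the strict side."""
    depth = max_depth = longest = 0
    i, n = 0, len(query)
    while i < n:
        ch = query[i]
        if ch == "#":                       # comment: skip to end of line
            while i < n and query[i] != "\n":
                i += 1
        elif query.startswith('"""', i):    # block string, ends at next unescaped """
            end = query.find('"""', i + 3)
            while end != -1 and query[end - 1] == "\\":
                end = query.find('"""', end + 1)
            if end == -1:
                raise ValueError("unterminated block string")
            longest = max(longest, end - (i + 3))
            i = end + 3
        elif ch == '"':                     # regular string, backslash escapes next char
            j = i + 1
            while j < n and query[j] != '"':
                j += 2 if query[j] == "\\" else 1
            if j >= n:
                raise ValueError("unterminated string")
            longest = max(longest, j - (i + 1))
            i = j + 1
        else:
            if ch == "{":
                depth += 1
                max_depth = max(max_depth, depth)
            elif ch == "}":
                depth -= 1
                if depth < 0:
                    raise ValueError("unbalanced braces")
            i += 1
    if depth != 0:
        raise ValueError("unbalanced braces")
    return max_depth, longest


def check_query(query, limits):
    """Return the list of violated limits; an empty list means the request passes."""
    violations = []
    size = len(query.encode("utf-8"))
    if size > limits.query_size:
        violations.append(f"querySize {size} > {limits.query_size}")
    depth, longest = measure_query(query)
    if depth > limits.nesting_depth:
        violations.append(f"nestingDepth {depth} > {limits.nesting_depth}")
    if longest > limits.value_length:
        violations.append(f"valueLength {longest} > {limits.value_length}")
    return violations


# Assumed demo limits; pick values from your own Limits CR in practice.
DEMO_LIMITS = GraphQLLimits(query_size=1024, nesting_depth=5, value_length=256)

# Constructed sample requests.
OK_QUERY = '{ user(id: "42") { name posts { title } } }'
DEEP_QUERY = "{ a { b { c { d { e { f { g } } } } } } }"
LONG_VALUE_QUERY = '{ search(term: "' + "A" * 300 + '") { id } }'
BRACES_IN_STRING_QUERY = '{ search(term: "' + "{" * 10 + '") { id } }'

if __name__ == "__main__":
    for q in (OK_QUERY, DEEP_QUERY, LONG_VALUE_QUERY, BRACES_IN_STRING_QUERY):
        print(measure_query(q), check_query(q, DEMO_LIMITS) or "pass")
```

The string-literal handling is the part that matters for a limit used as a security control: a client that sends `{` characters inside a string value must not be able to push the measured depth over the limit and get a request rejected that the schema would accept, nor hide real nesting behind a string the scanner mistakes for structure.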

4.2.4

12 Jul 12:15

Version 4.2.4

Release description


This Airlock Microgateway release contains security and regular updates of dependencies and improvements.


Changelog

  • SEC: AM-4462 Go updated to 1.22.5, Envoy updated to 1.29.7, google.golang.org/grpc to v1.65.0, Base images updated

4.2.3

26 Jun 11:39

Version 4.2.3

Release description


This Airlock Microgateway release contains security and regular updates of dependencies and improvements.


Changelog

  • SEC: AM-4345 Go updated to 1.22.4, Envoy updated to 1.29.5, Base images updated

4.2.2

28 May 14:43

Version 4.2.2

Release description


This Airlock Microgateway release contains security and regular updates of dependencies and improvements.


Changelog

  • SEC: AM-4292 Go updated to 1.22.3, Base images updated

4.2.1

24 Apr 12:47

Version 4.2.1

Release description


This Airlock Microgateway release contains security and regular updates of dependencies and improvements.


Changelog

  • SEC: AM-4242 Envoy updated to 1.29.4, Base images updated
  • FIX: AM-4245 Configuration of Engine sidecar resources via annotations

4.2.0

17 Apr 13:42

Version 4.2.0

Release description


Main new features:

  • Helm Chart
  • ARM support
  • Cilium support
  • OIDC relying party (experimental)
  • Deny Rule improvements

Action required:

  • The licensing model has changed (see "Breaking changes"). Therefore, a new license file is required to run Microgateway 4.2. Request and deploy a new license file.
  • Uninstall previous installations of Airlock Microgateway CNI and Operator that were done with plain Kubernetes manifest files to ensure a smooth upgrade path in the future.
    Note: If Airlock Microgateway CNI was installed with Helm, a helm upgrade should be possible instead.
  • The Airlock Microgateway CNI must be installed before the Airlock Microgateway Operator.
  • The configuration to protect a Pod has switched from annotation to label (see "Breaking changes"). To migrate the existing Pods that are protected by Microgateway, do the following:
    1. Before upgrading: Label the Pod with "sidecar.microgateway.airlock.com/inject=true". Note: It is very important that this step is performed before the upgrade!
    2. After upgrading: In order to upgrade the sidecar to the new version, restart the Pod (run "rollout restart" of the Deployment/StatefulSet/DaemonSet).
  • See Microgateway Upgrade for more detailed upgrade instructions.
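The label migration in the steps above, as an added example that is not a tool shipped by the project: a Python helper that prepares workload manifests (for instance the JSON from kubectl get deployments -o json) before the Operator upgrade. It copies the inject annotation to the inject label on the Pod template, which is where the label has to live, since a label put on the running Pod with kubectl label pod is lost with the rollout restart in step 2. It also rewrites docker.io/ergon/* image references to quay.io/airlock/* for any manifest still carrying the old registry (see the breaking changes below). The sample Deployment and its image names are constructed for the demo.

```python
"""Added example, not a tool from the Airlock Microgateway project: prepare
workload manifests for the 4.1 -> 4.2 upgrade. Copies the inject annotation
to the inject label on the Pod template (the label must exist before the
Operator is upgraded) and rewrites images from the old docker.io/ergon
registry to quay.io/airlock."""

import copy
import json
import re

INJECT_KEY = "sidecar.microgateway.airlock.com/inject"
OLD_REGISTRY_PREFIXES = ("docker.io/ergon/", "index.docker.io/ergon/", "ergon/")
NEW_REGISTRY_PREFIX = "quay.io/airlock/"

# Kubernetes label value syntax; annotation values are unrestricted, labels are not.
_LABEL_VALUE = re.compile(r"^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$")


def _pod_template(manifest):
    """The object carrying the Pod metadata/spec: the manifest itself for a
    bare Pod, spec.template for Deployments, StatefulSets and DaemonSets,
    None for kinds without a Pod template."""
    if manifest.get("kind") == "Pod":
        return manifest
    return manifest.get("spec", {}).get("template")


def migrate_inject_label(manifest):
    """Copy the inject annotation to a label with the same key.
    The annotation is kept so a still-running 4.1 Operator keeps injecting.
    Returns (new_manifest, label_added); the input is not modified."""
    m = copy.deepcopy(manifest)
    tmpl = _pod_template(m)
    if tmpl is None:
        return m, False
    meta = tmpl.setdefault("metadata", {})
    value = (meta.get("annotations") or {}).get(INJECT_KEY)
    if value is None:
        return m, False
    if len(value) > 63 or not _LABEL_VALUE.match(value):
        raise ValueError(f"{value!r} is not a valid label value")
    meta.setdefault("labels", {})[INJECT_KEY] = value
    return m, True


def rewrite_image_refs(manifest):
    """Rewrite docker.io/ergon/* images to quay.io/airlock/*.
    Returns (new_manifest, [(old_ref, new_ref), ...])."""
    m = copy.deepcopy(manifest)
    tmpl = _pod_template(m)
    rewritten = []
    spec = (tmpl or {}).get("spec", {})
    for key in ("initContainers", "containers"):
        for container in spec.get(key) or []:
            image = container.get("image", "")
            for prefix in OLD_REGISTRY_PREFIXES:
                if image.startswith(prefix):
                    container["image"] = NEW_REGISTRY_PREFIX + image[len(prefix):]
                    rewritten.append((image, container["image"]))
                    break
    return m, rewritten


def migrate_manifest(manifest):
    """Run both migrations; returns (new_manifest, report)."""
    m, added = migrate_inject_label(manifest)
    m, refs = rewrite_image_refs(m)
    return m, {"inject_label_added": added, "images_rewritten": len(refs)}


# Constructed sample: a 4.1-style protected Deployment. The second container
# uses a made-up image path in the old registry, purely to exercise the rewrite.
SAMPLE_DEPLOYMENT = {
    "apiVersion": "apps/v1",
    "kind": "Deployment",
    "metadata": {"name": "shop", "namespace": "web"},
    "spec": {
        "template": {
            "metadata": {"annotations": {INJECT_KEY: "true", "example.com/owner": "team-a"}},
            "spec": {
                "containers": [
                    {"name": "app", "image": "registry.example.com/shop:1.4"},
                    {"name": "helper", "image": "docker.io/ergon/example-image:4.1.0"},
                ]
            },
        }
    },
}

if __name__ == "__main__":
    migrated, report = migrate_manifest(SAMPLE_DEPLOYMENT)
    print(json.dumps(report))
    print(json.dumps(migrated, indent=2))
```

Apply the rewritten manifests with kubectl apply before upgrading the Operator, then run the rollout restart from step 2 afterwards. The annotation is deliberately left in place: until the Operator is upgraded, the 4.1 Operator continues to select Pods by it, and the label is already present when the 4.2 Operator takes over.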

Breaking changes:
The following changes are breaking:

  • The DockerHub repositories docker.io/ergon/* have been moved to quay.io/airlock/*. From Airlock Microgateway 4.2 onward all images are hosted at quay.io/airlock.
  • The licensing model has changed from "requests per second" to "requests per month" to resolve the issues with request bursts.
  • The configuration steps to instruct the Microgateway Operator to inject the Engine container in a web application Pod have changed:
    • In 4.1: Annotate the Pod with "sidecar.microgateway.airlock.com/inject"
      -> In 4.2: Label the Pod with "sidecar.microgateway.airlock.com/inject"
  • The following metrics have been removed because the licensing has changed:
    • Engine: airlock_microgateway_engine_license_ratelimit_requests_total
    • Engine: airlock_microgateway_engine_license_ratelimit_requests_allowed_within_limit_total
    • Engine: airlock_microgateway_engine_license_ratelimit_requests_allowed_service_error_total
    • Engine: airlock_microgateway_engine_license_ratelimit_requests_blocked_service_error_total
    • Engine: airlock_microgateway_engine_license_ratelimit_requests_blocked_over_limit_total
    • Engine: airlock_microgateway_engine_license_ratelimit_requests_blocked_unlicensed_total
    • License guard: airlock_microgateway_license_guard_current_requests_per_second
    • License guard: airlock_microgateway_license_guard_config_load_success_total
    • License guard: airlock_microgateway_license_guard_config_load_error_total
    • License guard: airlock_microgateway_license_guard_grpc_ratelimit_requests_total
    • License guard: airlock_microgateway_license_guard_response_time_seconds
    • License guard: airlock_microgateway_license_guard_errors_total
    • Operator: airlock_microgateway_license_max_requests_per_second
    • Operator: airlock_microgateway_license_rate_limiting_enforced
  • The Engine metrics have been renamed to fulfill Prometheus best practices and simplify additional metrics:
    • In 4.1: airlock_microgateway_engine_triggered_limit_total
      -> In 4.2: microgateway_http_downstream_rq_limit_total
    • In 4.1: airlock_microgateway_engine_triggered_deny_rule_total
      -> In 4.2: microgateway_http_downstream_rq_deny_rule_total
    • In 4.1: airlock_microgateway_engine_http_requests_blocked_total
      -> In 4.2: microgateway_http_downstream_rq_blocked_total (for blocked requests)
      -> In 4.2: microgateway_http_downstream_rs_blocked_total (for blocked responses)
    • In 4.1: airlock_microgateway_engine_build_info
      -> In 4.2: microgateway_build_info
  • The Operator metrics have been renamed to fulfill Prometheus best practices and simplify additional metrics:
    • In 4.1: airlock_microgateway_sidecars
      -> In 4.2: microgateway_sidecars
    • In 4.1: airlock_microgateway_license_max_sidecars
      -> In 4.2: microgateway_license_max_sidecars
    • In 4.1: airlock_microgateway_license_valid
      -> In 4.2: microgateway_license_valid
    • In 4.1: airlock_microgateway_license_is_premium
      -> In 4.2: microgateway_license_is_premium
    • In 4.1: airlock_microgateway_license_expiry_timestamp_seconds
      -> In 4.2: microgateway_license_expiry_timestamp_seconds
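The metric renames listed above for 4.2, together with the 4.3 change that folds the rq_blocked_total, rq_deny_rule_total, rq_limit_total and rs_blocked_total counters into the threats_blocked_total metrics, as an added example rather than anything the project ships: a Python helper that rewrites metric names inside PromQL expressions taken from alert rules or dashboards. Names are matched as whole PromQL metric-name tokens so that a name which is a prefix of another is never rewritten inside it, metrics the 4.2 notes list as removed are reported instead of silently altered, and renames that change what a counter measures get a note for manual review. The sample expressions are constructed.

```python
"""Added example, not code from the Airlock Microgateway project: migrate
metric names in PromQL expressions from 4.1 to 4.2 names (4.2.0 breaking
changes) and from 4.2 to 4.3 names (4.3.0 breaking changes)."""

import re

# 4.1 -> 4.2 renames, from the 4.2.0 breaking-changes section.
RENAMES_4_2 = {
    "airlock_microgateway_engine_triggered_limit_total": "microgateway_http_downstream_rq_limit_total",
    "airlock_microgateway_engine_triggered_deny_rule_total": "microgateway_http_downstream_rq_deny_rule_total",
    # 4.2 split this one into a request (rq) and a response (rs) counter;
    # the request side is the default mapping, the response side is flagged.
    "airlock_microgateway_engine_http_requests_blocked_total": "microgateway_http_downstream_rq_blocked_total",
    "airlock_microgateway_engine_build_info": "microgateway_build_info",
    "airlock_microgateway_sidecars": "microgateway_sidecars",
    "airlock_microgateway_license_max_sidecars": "microgateway_license_max_sidecars",
    "airlock_microgateway_license_valid": "microgateway_license_valid",
    "airlock_microgateway_license_is_premium": "microgateway_license_is_premium",
    "airlock_microgateway_license_expiry_timestamp_seconds": "microgateway_license_expiry_timestamp_seconds",
}

# 4.2 -> 4.3: per-filter request counters and the response counter are
# folded into threats_blocked_total; the block category moves into the
# block_type label. 4.3 also adds threats_logged_total for log-only hits.
RENAMES_4_3 = {
    "microgateway_http_downstream_rq_blocked_total": "microgateway_http_downstream_rq_threats_blocked_total",
    "microgateway_http_downstream_rq_deny_rule_total": "microgateway_http_downstream_rq_threats_blocked_total",
    "microgateway_http_downstream_rq_limit_total": "microgateway_http_downstream_rq_threats_blocked_total",
    "microgateway_http_downstream_rs_blocked_total": "microgateway_http_downstream_rs_threats_blocked_total",
}

# Removed in 4.2 with the licensing model change; nothing to rewrite them to.
REMOVED_4_2 = frozenset({
    "airlock_microgateway_engine_license_ratelimit_requests_total",
    "airlock_microgateway_engine_license_ratelimit_requests_allowed_within_limit_total",
    "airlock_microgateway_engine_license_ratelimit_requests_allowed_service_error_total",
    "airlock_microgateway_engine_license_ratelimit_requests_blocked_service_error_total",
    "airlock_microgateway_engine_license_ratelimit_requests_blocked_over_limit_total",
    "airlock_microgateway_engine_license_ratelimit_requests_blocked_unlicensed_total",
    "airlock_microgateway_license_guard_current_requests_per_second",
    "airlock_microgateway_license_guard_config_load_success_total",
    "airlock_microgateway_license_guard_config_load_error_total",
    "airlock_microgateway_license_guard_grpc_ratelimit_requests_total",
    "airlock_microgateway_license_guard_response_time_seconds",
    "airlock_microgateway_license_guard_errors_total",
    "airlock_microgateway_license_max_requests_per_second",
    "airlock_microgateway_license_rate_limiting_enforced",
})

_NAME = r"[A-Za-z0-9_:]"  # characters that may appear inside a PromQL metric name


def _rename(expr, table):
    """Apply one rename table in a single pass over whole-name tokens.
    Returns (new_expr, list of old names that were hit)."""
    alternation = "|".join(re.escape(k) for k in sorted(table, key=len, reverse=True))
    pattern = re.compile(rf"(?<!{_NAME})(?:{alternation})(?!{_NAME})")
    hits = []

    def repl(match):
        hits.append(match.group(0))
        return table[match.group(0)]

    return pattern.sub(repl, expr), hits


def migrate_promql(expr):
    """Migrate a 4.1 or 4.2 expression to 4.3 metric names.
    Returns (new_expr, notes); notes list what needs a human decision."""
    notes = []
    for name in sorted(REMOVED_4_2):
        if re.search(rf"(?<!{_NAME}){re.escape(name)}(?!{_NAME})", expr):
            notes.append(f"{name} was removed in 4.2 (licensing change); drop or replace this rule by hand")
    expr, hits = _rename(expr, RENAMES_4_2)
    if "airlock_microgateway_engine_http_requests_blocked_total" in hits:
        notes.append("4.2 split requests_blocked_total into rq_ and rs_ counters; only the request side was mapped")
    expr, hits = _rename(expr, RENAMES_4_3)
    for old in hits:
        if old.endswith(("_deny_rule_total", "_limit_total")):
            notes.append(f"{old} counted one block category; the 4.3 counter covers all, narrow it with a block_type selector")
    return expr, notes


# Constructed sample alert expressions.
SAMPLE_RULES = [
    "sum(rate(airlock_microgateway_engine_triggered_deny_rule_total[5m])) > 0",
    "airlock_microgateway_license_valid == 0",
    "airlock_microgateway_license_guard_current_requests_per_second > 100",
]

if __name__ == "__main__":
    for rule in SAMPLE_RULES:
        print(migrate_promql(rule))
```

Run it over the `expr` fields of your rule files and review the notes before committing: a rule that fired on deny-rule hits alone now needs a block_type selector on the merged counter, and anything built on the old licensing metrics has no successor in the release notes and must be rethought around the per-month request count introduced with AM-3615.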

Licensing:
In the Community edition, if the real throughput exceeds the licensed throughput, requests are blocked. In the Premium edition, no requests are blocked.


Changelog

  • NEW: AM-1860 Microgateway images are signed with cosign (no longer with Docker Content Trust)
  • NEW: AM-2671 Default values of header actions are documented in the API reference
  • NEW: AM-2780 Engine runs on ARM platform
  • NEW: AM-3101 Introduce new experimental IdentityPropagation CRD
  • NEW: AM-3128 Helm Chart for Airlock Microgateway Operator
  • NEW: AM-3147 Deny rules extended to apply rules to path segments
  • NEW: AM-3171 CRD Parser extended to configure multipart parsing
  • NEW: AM-3264 Operator version available in new metric
  • NEW: AM-3311 WebSocket proxying support added
  • NEW: AM-3458 Added startup/readiness probes to CNI plugin installer DaemonSet reflecting plugin installation status
  • NEW: AM-3516 Operator now actively releases leader lock upon termination
  • NEW: AM-3578 CRD Limits allows to configure name and value length exceptions
  • NEW: AM-3699 JSONPath syntax errors lead to config rejection
  • NEW: AM-3741 Introduced new experimental AccessControl CRD
  • NEW: AM-3742 Add new condition indicating the license status on pods with an injected Microgateway Engine
  • NEW: AM-3748 Introduced new experimental CRDs OIDCProvider and OIDCRelyingParty
  • NEW: AM-3792 Helm Chart allows optional global property in values.json
  • NEW: AM-3794 Introduce new metric to count requests for license compliance
  • NEW: AM-3813 Authentication information in engine access_log
  • NEW: AM-3829 add property for update strategy of operator deployment to Helm Chart
  • NEW: AM-3870 Claims from ID token are stored in the metadata
  • NEW: AM-4037 Helm Chart allows configuration of resource limits and requests for the Engine container
  • FIX: AM-3254 Complex OpenAPI validators have not been applied to paths
  • FIX: AM-3291 OpenAPI serialization bug in path parameters
  • FIX: AM-3472 Operator logs were logged to stderr instead of stdout
  • CHG: AM-1935 CRD HeaderRewrite extended with response header built-in rule PermissionsPolicy
  • CHG: AM-2990 Reduced memory consumption by limiting watch to Pods with an inject label
  • CHG: AM-3125 CRDs are now distributed with the Helm chart
  • CHG: AM-3287 Move from inject annotation to inject label (sidecar.microgateway.airlock.com/inject)
  • CHG: AM-3387 Engine metrics renamed to fulfill Prometheus best practices
  • CHG: AM-3474 Operator metrics renamed to fulfill Prometheus best practices
  • CHG: AM-3570 CRD HeaderRewrite request header allow list extended with header Content-Length
  • CHG: AM-3585 Move publishing images and Helm charts from DockerHub to quay.io
  • CHG: AM-3596 Helm Chart improvements for Airlock Microgateway CNI
  • CHG: AM-3615 Remove obsolete license metrics and add new metric for licensed request count per month
  • CHG: AM-3622 Removed obsolete license-guard and license-guard-redis components
  • CHG: AM-3743 Operator support for new license format
  • CHG: AM-3832 Dynamic configuration errors in the Microgateway CRs (e.g. invalid references) now also lead to a failing envoy-config-valid condition on the affected Pods
  • CHG: AM-3902 Write Microgateway Engine application logs to Standard Output (Stdout)
  • UPD: AM-3382 Update Envoy to 1.28.0
  • UPD: AM-3544 Update jsoncons to 0.172.0
  • UPD: AM-3728 Update Envoy to 1.29.1