Version 4.4.0
Release description
Airlock Microgateway helps you to protect your services and APIs from unauthorized or malicious access with little effort. It is a lightweight and Kubernetes-native Web Application and API Protection (WAAP) solution designed to overcome the DevSecOps obstacles and to implement ZeroTrust.
Main new features:
- Initial support for Kubernetes Gateway API - Sidecarless data plane mode
- OIDC RP is production ready
- Grafana Dashboards improvements
- 9 months support for minor releases
Breaking changes:
The following changes are breaking:
- To make Grafana dashboard use cases possible, the access log structure has changed slightly. Please use our Grafana dashboards and let us know about missing visualizations to make your experience as smooth as possible.
- Signature verification with JWKS must be configured or disabled explicitly in the OIDCProvider Custom Resource. Additionally, an issuer must be configured.
Licensing:
In the Community edition, if the real throughput exceeds the licensed throughput, requests are blocked. In the Premium edition, no requests are blocked.
Changelog
- NEW: AM-2278 Implemented Kubernetes Gateway API support (Core)
- NEW: AM-3529 Added support for configuring OIDC JWKS for ID Token signature verification
- NEW: AM-3968 Added support for Redis cluster/sentinel for Session-Agent
- NEW: AM-3996 OIDCProvider CRD extended to configure connection and request timeouts for token endpoints
- NEW: AM-4283 Added built-in request header allow action for tracing headers
- NEW: AM-4482 Allow OIDC access token to be configured as a way to propagate identity
- NEW: AM-4535 Added request conditions to access control policies
- NEW: AM-4539 Added support for specifying the session prefix to allow session sharing between different Microgateway deployments
- NEW: AM-4542 Introduce new operator metric microgateway_license_info
- NEW: AM-4547 Grafana Dashboard to display threats logged in log-only mode
- NEW: AM-4548 Metrics Dashboard for threats logged in threat handling mode LogOnly
- NEW: AM-4549 Grafana Dashboard for Header Rewrite Logs
- NEW: AM-4564 Session lifetime and OIDC flow timeout can be configured in the respective CRDs
- NEW: AM-4566 Added support for using high-availability Redis Sentinel and Cluster deployments for session handling persistence
- NEW: AM-4567 Added support for access control based on OIDC ID Token Claims
- NEW: AM-4571 Added mTLS support for the connection to the SessionHandling Redis
- NEW: AM-4609 Added request conditions to header rewrites
- NEW: AM-4830 Added support for configuring requested OIDC scopes
- NEW: AM-4856 Added support for unconditional deny in access control policies
- NEW: AM-4864 Expose Network Validator init-container resources in Helm Chart
- FIX: AM-4206 Pod events are sometimes emitted more than once
- FIX: AM-4269 Value race in OIDC filter secret reader fixed
- FIX: AM-4378 Resolved race-condition in CA certificate creation with multiple replicas during startup resulting in pod restart
- FIX: AM-4488 Allow empty schemas for binary body validators
- FIX: AM-4525 OpenAPI: Do not buffer payloads that are not validated
- FIX: AM-4739 CNI traffic redirection not working properly in certain scenarios when using Istio with Native Sidecar support enabled (CASE-35485)
- FIX: AM-4819 Segfault when remote JWKS service is configured
- CHG: AM-3095 OIDC state parameter is random
- CHG: AM-4496 Reduced memory consumption when the same CR is referenced multiple times within a SidecarGateway configuration
- CHG: AM-4546 Default Access Log format changed: introduced new actions and summary struct
- CHG: AM-4560 License Dashboard shows detailed information on individual licenses in the cluster
- CHG: AM-4577 Switched from busybox to netcat image for Network Validator container
- CHG: AM-4608 Rename command operator %AUTHENTICATION% to %ACCESS_CONTROL%
- CHG: AM-4615 More restrictive validation of the ID token
- CHG: AM-4753 OIDC Issuer must now be configured in the OIDCProvider CRD
- CHG: AM-4840 attack_type renamed to block_subtype in metrics and logs (incl. dashboards)
- UPD: AM-4611 Update Envoy to v1.31