4.3.0

@airlockgithubci airlockgithubci released this 12 Jul 13:20
· 2 commits to main since this release

Version 4.3.0

Release description

Airlock Microgateway helps you to protect your services and APIs from unauthorized or malicious access with little effort. It is a lightweight and Kubernetes-native Web Application and API Protection (WAAP) solution designed to overcome the DevSecOps obstacles and to implement ZeroTrust.

Main new features:

  • GraphQL schema validation
  • Own- and Multi-Namespace support
  • Grafana Dashboards
  • OIDC RP improvements
  • Extend limit checks to support OpenAPI and GraphQL requests and additional content type: multipart/form-data

Action required:

  • If the experimental OIDC Relying Party feature is used, it is now required to deploy a Redis instance and to configure a SessionHandling CR that is referenced from the SidecarGateway CR.
  • The upgrade to 4.3 must be done without using the new Own- and Multi-Namespace feature.

Breaking changes:
The following changes are breaking:

  • The behavior of the value "auto" for the upstream protocol in the SidecarGateway CRD has changed. If no TLS is configured for the upstream connection, the HTTP protocol used by the downstream connection is now also used for the upstream connection. Previously, "auto" always caused HTTP/1.1 to be used for upstream connections.
  • Various behavior and defaults of the Limit CRD have changed
    • Split up the general.bodySize limit into the specific limits limited.json.bodySize and limited.parameter.bodySize (default value for each: 100Ki)
    • The general.bodySize limit is from now on only applied to unparsed requests with unknown content types such as application/octet-stream (old behavior: applied only to parsed requests, e.g. JSON data). Hence it is no longer a global default.
    • Default value of general.bodySize was increased to 100Mi (old default: 100Ki)
    • WebSocket and gRPC requests currently do not have specific limit settings and always use an unlimited, non-configurable body size to avoid problems
  • Microgateway configured as OIDC Relying Party now requires Redis to be deployed and session handling to be configured. The OIDC configuration itself is unchanged.
  • The Engine metrics have changed to simplify future extensions:
    • Regarding requests
      • Added a new metric microgateway_http_downstream_rq_threats_blocked_total to measure the total number of requests blocked by an Engine filter. This metric now contains the block_type label with the value of the block category that triggered the block action.
      • Added a new metric microgateway_http_downstream_rq_threats_logged_total to measure the total number of requests logged by an Engine filter. This metric now contains the block_type label with the value of the block category that would trigger a block action.
      • Removed the metrics microgateway_http_downstream_rq_blocked_total, microgateway_http_downstream_rq_deny_rule_total and microgateway_http_downstream_rq_limit_total. Please migrate to the above-mentioned metrics instead.
    • Regarding responses
      • Added a new metric microgateway_http_downstream_rs_threats_blocked_total to measure the total number of responses blocked by an Engine filter. This metric now contains the block_type label with the value of the block category that triggered the block action.
      • Added a new metric microgateway_http_downstream_rs_threats_logged_total to measure the total number of responses logged by an Engine filter. This metric now contains the block_type label with the value of the block category that would trigger a block action.
      • Removed the metric microgateway_http_downstream_rs_blocked_total. Please migrate to the above-mentioned metric instead.
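The metric rename above is the change most likely to silently break existing dashboards and alert rules: the removed counters simply stop appearing, and the new ones carry a block_type label that old queries do not know about. The script below is an added example (not Airlock project code) that parses a Prometheus exposition-format scrape, flags removed 4.3.0 metric names that are still present (for instance from a pre-4.3 pod during a rolling upgrade), sums the new threats_blocked_total / threats_logged_total counters per block_type, and lists block types that are only logged and never blocked. The sample scrape is constructed; the block_type label values ("deny_rules", "limits", "graphql") and the listener label are assumptions, not values documented on this page.

```python
"""Migration check for the Airlock Microgateway 4.3.0 Engine metric rename.

Added example, not project code. Parses Prometheus exposition-format text and
reports on the old and new threat counters named in the release notes.
"""
import re
from collections import defaultdict

# Metric names removed in 4.3.0 (from the release notes) -> replacement to migrate to.
REMOVED_METRICS = {
    "microgateway_http_downstream_rq_blocked_total": "microgateway_http_downstream_rq_threats_blocked_total",
    "microgateway_http_downstream_rq_deny_rule_total": "microgateway_http_downstream_rq_threats_blocked_total",
    "microgateway_http_downstream_rq_limit_total": "microgateway_http_downstream_rq_threats_blocked_total",
    "microgateway_http_downstream_rs_blocked_total": "microgateway_http_downstream_rs_threats_blocked_total",
}

# New counters introduced in 4.3.0; each carries a block_type label.
BLOCKED_METRICS = {
    "microgateway_http_downstream_rq_threats_blocked_total",
    "microgateway_http_downstream_rs_threats_blocked_total",
}
LOGGED_METRICS = {
    "microgateway_http_downstream_rq_threats_logged_total",
    "microgateway_http_downstream_rs_threats_logged_total",
}

# Constructed sample scrape. block_type and listener label values are assumed, not documented.
SAMPLE_SCRAPE = """\
# TYPE microgateway_http_downstream_rq_threats_blocked_total counter
microgateway_http_downstream_rq_threats_blocked_total{block_type="deny_rules",listener="default"} 12
microgateway_http_downstream_rq_threats_blocked_total{block_type="deny_rules",listener="admin"} 3
microgateway_http_downstream_rq_threats_blocked_total{block_type="limits",listener="default"} 7
# TYPE microgateway_http_downstream_rq_threats_logged_total counter
microgateway_http_downstream_rq_threats_logged_total{block_type="deny_rules",listener="default"} 2
microgateway_http_downstream_rq_threats_logged_total{block_type="graphql",listener="default"} 5
# TYPE microgateway_http_downstream_rs_threats_blocked_total counter
microgateway_http_downstream_rs_threats_blocked_total{block_type="deny_rules",listener="default"} 1
# A pre-4.3 pod in a mixed fleet still exposing a removed metric:
microgateway_http_downstream_rq_limit_total{listener="default"} 4
"""

SAMPLE_LINE = re.compile(r'^([a-zA-Z_:][a-zA-Z0-9_:]*)(?:\{([^}]*)\})?\s+(\S+)')
LABEL = re.compile(r'([a-zA-Z_][a-zA-Z0-9_]*)="((?:[^"\\]|\\.)*)"')


def parse_exposition(text):
    """Yield (metric_name, labels, value) for each sample line; skip comments and blanks."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        match = SAMPLE_LINE.match(line)
        if not match:
            continue  # tolerate lines we do not understand rather than abort the report
        name, raw_labels, value = match.groups()
        yield name, dict(LABEL.findall(raw_labels or "")), float(value)


def find_removed_metrics(samples):
    """Return {removed_name: replacement} for removed metrics still present in the scrape."""
    present = {name for name, _, _ in samples}
    return {old: new for old, new in REMOVED_METRICS.items() if old in present}


def threats_by_block_type(samples):
    """Sum the new threat counters per (metric, block_type), collapsing other labels."""
    totals = defaultdict(float)
    for name, labels, value in samples:
        if name in BLOCKED_METRICS | LOGGED_METRICS:
            totals[(name, labels.get("block_type", "<missing>"))] += value
    return dict(totals)


def log_only_block_types(samples):
    """Block types that were logged but never blocked, i.e. filters still in log-only mode."""
    blocked, logged = defaultdict(float), defaultdict(float)
    for name, labels, value in samples:
        bt = labels.get("block_type", "<missing>")
        if name in BLOCKED_METRICS:
            blocked[bt] += value
        elif name in LOGGED_METRICS:
            logged[bt] += value
    return {bt for bt, total in logged.items() if total > 0 and blocked[bt] == 0}


def migration_report(text):
    """Run all checks over one scrape and return them as a dict."""
    samples = list(parse_exposition(text))
    return {
        "removed_metrics_present": find_removed_metrics(samples),
        "threat_totals": threats_by_block_type(samples),
        "log_only_block_types": log_only_block_types(samples),
    }


if __name__ == "__main__":
    report = migration_report(SAMPLE_SCRAPE)
    for old, new in report["removed_metrics_present"].items():
        print(f"REMOVED metric still exposed: {old} -> migrate to {new}")
    for (metric, block_type), total in sorted(report["threat_totals"].items()):
        print(f"{metric:56s} block_type={block_type:12s} {total:g}")
    print("log-only block types:", sorted(report["log_only_block_types"]))
```

Run against a real scrape (for example the output of a curl against the Engine metrics endpoint) instead of SAMPLE_SCRAPE; any entry under removed_metrics_present means a dashboard or alert rule built on the pre-4.3 names still has a source to match and will go dark once the last old pod is gone.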

Licensing:
In the Community edition, if the real throughput exceeds the licensed throughput, requests are blocked. In the Premium edition, no requests are blocked.

Changelog

  • NEW: AM-1751 Extend Access Log with Correlation ID
  • NEW: AM-3107 Added new RedisProvider CRD
  • NEW: AM-3239 gRPC proxying support improved
  • NEW: AM-3879 Add new timing metrics rq_processing_time_ms, rs_processing_time_ms, upstream_responsiveness_ms
  • NEW: AM-3993 Add gRPC proxying support
  • NEW: AM-4126 Introduce GraphQL CRD
  • NEW: AM-4153 Add Airlock Microgateway Session Store to Helm Chart
  • NEW: AM-4154 Add Airlock Microgateway Session Agent container
  • NEW: AM-4155 Added new SessionHandling CRD
  • NEW: AM-4171 Optionally deploy a Grafana Dashboard for licensing statistics
  • NEW: AM-4175 Optionally deploy an Overview Dashboard for Microgateway statistics in Grafana
  • NEW: AM-4176 Optionally deploy a dashboard detailing statistics on blocked requests
  • NEW: AM-4177 Optionally deploy a dashboard with log details on blocked requests
  • NEW: AM-4182 add querySize, nestingDepth and valueLength keys to the Limits CRD to define limits for GraphQL requests
  • NEW: AM-4209 Introduce bodySize key per content type to the Limits CRD to restrict the total request body size
  • NEW: AM-4218 Add support for Single/Own-Namespace Operator installation
  • NEW: AM-4274 Add support in Deny Rules for GraphQL (exceptions, overrides and custom deny rules)
  • NEW: AM-4298 Added Readiness and Liveness probes for Microgateway Session Agent
  • NEW: AM-4361 Validate AccessControl CR is properly configured for OIDC which requires SessionHandling CR.
  • NEW: AM-4416 Add length exception for fields, arguments and values to Limits CRD for GraphQL requests.
  • FIX: AM-4205 Fixed invalid config events/conditions not being emitted when OIDC is configured and the initial configuration after pod startup is rejected by the Engine
  • CHG: Metrics deny_rule_total and limit_total replaced with blocked_total
  • CHG: AM-3991 Limit the total number of active downstream connections allowed across all listeners
  • CHG: AM-3995 Double max-age value of HSTS header to 31536000 (one year)
  • CHG: AM-4187 Split up blocked_total metric into threats_blocked_total and threats_logged_total
  • CHG: AM-4231 Change behavior of "auto" value for upstream protocol in SidecarGateway CRD
  • CHG: AM-4243 Improved validation of trustedCA certificate secret contents
  • CHG: AM-4301 Operator now distinguishes between managed and unmanaged Pods/Sidecars (= managed by a different Operator instance) and no longer attempts configuration updates for the latter
  • CHG: AM-4331 The internal EnvoyConfiguration CRD now stores the Engine configuration in a compressed format in order to support larger configurations without reaching the Kubernetes request size limit
  • CHG: AM-4407 Various deny-rule improvements
  • CHG: AM-4469 Removed finalizers for Pod and EnvoyConfiguration resources
  • UPD: AM-4213 Update Envoy to 1.30.1