Releases: airlock/microgateway
4.1.3
Version 4.1.3
Release description
Airlock Microgateway helps you to protect your services and APIs from unauthorized or malicious access with little effort. It is a lightweight and Kubernetes-native Web Application and API Protection (WAAP) solution designed to overcome the DevSecOps obstacles and to implement ZeroTrust.
The Airlock Microgateway 4.1.3 release contains security, regular updates of dependencies and improvements.
Changelog
- SEC: AM-3569 Base images updated, Go updated to 1.21.5, StatsD exporter updated to 0.26.0, Redis updated to 7.2.3
- FIX: AM-3609 Calculating least offset in streaming helper
4.1.2
Version 4.1.2
Release description
Airlock Microgateway helps you to protect your services and APIs from unauthorized or malicious access with little effort. It is a lightweight and Kubernetes-native Web Application and API Protection (WAAP) solution designed to overcome the DevSecOps obstacles and to implement ZeroTrust.
The Airlock Microgateway 4.1.2 release contains security, regular updates of dependencies and improvements.
IMPORTANT NOTICE
Airlock Microgateway CNI and Operator must be updated in order to function properly. Update the Airlock Microgateway CNI first during the update procedure.
Explanation:
With Microgateway 4.1.0 a nodeSelector was set on the Pod secured by Airlock Microgateway. The nodeSelector matched a label that the Airlock Microgateway CNI wrote on the Kubernetes node. This ensured that the Pod was only scheduled if the Airlock Microgateway CNI was properly installed.
With Microgateway 4.1.2 an initContainer is added to the protected Pod instead. It checks that the network traffic is routed through the Airlock Microgateway Engine. If the Airlock Microgateway CNI did not configure the network correctly, or no CNI is installed, the initContainer fails; you then need to check the Airlock Microgateway installation and restart the Pod.
The initContainer replaces the previous nodeSelector solution: the Kubernetes node is no longer labeled and no nodeSelector is set on the secured Pod.
Changelog
- SEC: AM-3313 HTTP/2 settings set to protect against HTTP/2 Rapid Reset Attack (CVE-2023-44487)
- NEW: AM-3319 Injecting initContainer Network Validator to ensure traffic is rerouted through Engine container
- NEW: AM-3324 CNI Helm Chart extended with new installMode
- NEW: AM-3448 Version check for CNI plugin implemented
- FIX: AM-3452 License steps described in quickstart guide in Github
- CHG: AM-3323 Deploy CNI installer with hostNetwork true
- CHG: AM-3455 Removed labeling the Kubernetes node with cni.microgateway.airlock.com/isInstalled
4.1.1
Version 4.1.1
Release description
Airlock Microgateway helps you to protect your services and APIs from unauthorized or malicious access with little effort. It is a lightweight and Kubernetes-native Web Application and API Protection (WAAP) solution designed to overcome the DevSecOps obstacles and to implement ZeroTrust.
The Airlock Microgateway 4.1.1 release contains security and regular updates of dependencies.
Changelog
- SEC: AM-3334 Update Envoy to v1.27.1 (CVE-2023-44487)
4.1.0
Version 4.1.0
Release description
Airlock Microgateway helps you to protect your services and APIs from unauthorized or malicious access with little effort. It is a lightweight and Kubernetes-native Web Application and API Protection (WAAP) solution designed to overcome the DevSecOps obstacles and to implement ZeroTrust.
NOTE
To use Airlock Microgateway 4.1 you must first install the Airlock Microgateway CNI plugin as described in the installation guide.
Main new features:
- CNI plugin for traffic redirection to sidecar container
- OpenAPI specification enforcement
Breaking changes:
The following changes are breaking:
- The network manager is discontinued. The CNI plugin can be used as a replacement. The benefits are:
  - No elevated permissions required for the ServiceAccount of the protected Pod.
- The way the metrics can be scraped from the Airlock Microgateway has changed. See the documentation for an example metrics scraping configuration.
- The engine metrics have been renamed to a more descriptive name:
  - name in 4.0: envoy_license_ratelimit_requests_total => name in 4.1: airlock_microgateway_engine_license_ratelimit_requests_total
  - name in 4.0: envoy_license_ratelimit_requests_allowed_within_limit_total => name in 4.1: airlock_microgateway_engine_license_ratelimit_requests_allowed_within_limit_total
  - name in 4.0: envoy_license_ratelimit_requests_allowed_service_error_total => name in 4.1: airlock_microgateway_engine_license_ratelimit_requests_allowed_service_error_total
  - name in 4.0: envoy_license_ratelimit_requests_blocked_service_error_total => name in 4.1: airlock_microgateway_engine_license_ratelimit_requests_blocked_service_error_total
  - name in 4.0: envoy_license_ratelimit_requests_blocked_over_limit_total => name in 4.1: airlock_microgateway_engine_license_ratelimit_requests_blocked_over_limit_total
  - name in 4.0: envoy_license_ratelimit_requests_blocked_unlicensed_total => name in 4.1: airlock_microgateway_engine_license_ratelimit_requests_blocked_unlicensed_total
- Log correlation between access log and application log
  - access log in 4.0:
    "airlock": { ... "log_correlation": "[C0][S9283181206918669277]", .... }
  - application log in 4.0:
    { "@timestamp":"2023-08-31T10:42:05.720+02:00", ... , "message":"[C0][S9283181206918669277] ..." }
  - access log in 4.1:
    "airlock": { ... "log_correlation": { "connection_id": 0, "stream_id": 9283181206918669277 }, .... }
  - application log in 4.1:
    { "@timestamp":"2023-08-31T10:42:05.720+02:00", ... , "message":"[Tags: \"ConnectionId\":\"0\",\"StreamId\":\"9283181206918669277\"] ..." }
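As an added example (not code from the Airlock Microgateway project), the following Python joins access log entries with the application log messages that belong to the same request, using the log correlation identifiers in both the 4.0 string form and the 4.1 object form described above. Keys are extracted as a (connection_id, stream_id) pair so that a log pipeline can handle engines of both versions during a rolling upgrade. The sample log lines are constructed for this example; apart from `airlock.log_correlation`, `@timestamp` and `message`, the field names used in the samples (such as `http.response.status_code`) are assumptions.

```python
"""Correlate Microgateway access log entries with application log messages.

Added example for the 4.0 -> 4.1 log correlation change; not project code.
"""
import json
import re

# 4.0 form, used both in the access log field and as the application log prefix:
#   "[C0][S9283181206918669277]"
_LEGACY_RE = re.compile(r"\[C(\d+)\]\[S(\d+)\]")
# 4.1 application log prefix (quotes are plain characters after JSON decoding):
#   [Tags: "ConnectionId":"0","StreamId":"9283181206918669277"]
_TAGS_RE = re.compile(r'"ConnectionId":"(\d+)".*?"StreamId":"(\d+)"')


def access_log_key(entry):
    """Return (connection_id, stream_id) for a decoded access log entry.

    Accepts the 4.0 string form and the 4.1 object form; returns None when the
    entry carries no usable correlation data.
    """
    corr = entry.get("airlock", {}).get("log_correlation")
    if isinstance(corr, dict):  # 4.1: {"connection_id": 0, "stream_id": ...}
        return int(corr["connection_id"]), int(corr["stream_id"])
    if isinstance(corr, str):  # 4.0: "[C0][S...]"
        match = _LEGACY_RE.search(corr)
        if match:
            return int(match.group(1)), int(match.group(2))
    return None


def app_log_key(entry):
    """Return (connection_id, stream_id) parsed from an application log message."""
    message = entry.get("message", "")
    match = _TAGS_RE.search(message) or _LEGACY_RE.search(message)
    if match:
        return int(match.group(1)), int(match.group(2))
    return None


def correlate(access_lines, app_lines):
    """Map each access log key to the application log entries sharing that key.

    Access log entries with no matching application messages map to an empty
    list, so blocked requests without engine-side detail are still visible.
    """
    by_key = {}
    for line in app_lines:
        entry = json.loads(line)
        key = app_log_key(entry)
        if key is not None:
            by_key.setdefault(key, []).append(entry)
    joined = {}
    for line in access_lines:
        entry = json.loads(line)
        key = access_log_key(entry)
        if key is not None:
            joined[key] = by_key.get(key, [])
    return joined


# Constructed sample lines (not real logs). The first pair uses the 4.0 shape,
# the second pair the 4.1 shape; http.response.status_code is an assumed field.
SAMPLE_ACCESS = [
    json.dumps({"airlock": {"log_correlation": "[C0][S9283181206918669277]"},
                "http": {"response": {"status_code": 403}}}),
    json.dumps({"airlock": {"log_correlation": {"connection_id": 7, "stream_id": 42}},
                "http": {"response": {"status_code": 200}}}),
]
SAMPLE_APP = [
    json.dumps({"@timestamp": "2023-08-31T10:42:05.720+02:00",
                "message": "[C0][S9283181206918669277] request blocked"}),
    json.dumps({"@timestamp": "2023-08-31T10:42:06.100+02:00",
                "message": '[Tags: "ConnectionId":"7","StreamId":"42"] request allowed'}),
    json.dumps({"@timestamp": "2023-08-31T10:42:06.200+02:00",
                "message": "startup message without correlation tags"}),
]

if __name__ == "__main__":
    for key, messages in correlate(SAMPLE_ACCESS, SAMPLE_APP).items():
        print(key, [m["message"] for m in messages])
```

The stream id is carried as an integer in the 4.1 access log and as a string inside the 4.1 message tags, so both are normalised to `int` before they are compared; a pipeline that compares raw strings would silently fail to join the two sources.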
Notice:
Microgateway Engine containers report the current usage to the Microgateway License Guard service. In the Community edition a percentage of requests are blocked if the real throughput exceeds the licensed throughput. No requests are blocked in the Premium edition but this might change in the future.
Known issues:
In the unlikely event of an ungraceful node restart, there is a possibility of a race condition between the Airlock Microgateway CNI Plugin installation and the Airlock Microgateway Engine startup. It is therefore recommended to restart Pods protected by Airlock Microgateway running on the restarted node after making sure the Airlock Microgateway CNI is successfully restarted.
Changelog
- UPD: AM-2782 Update Envoy to 1.27.0
- UPD: AM-2913 Jsoncons updated to 0.171.0
- NEW: AM-2603 Improved resources request and limits settings for cpu and ram
- NEW: AM-2503 Microgateway lab for "Policy enforcement"
- NEW: AM-2764 Microgateway lab for "Setup"
- CHG: AM-2694 StatsD exporter integrated in Microgateway License Guard image
- FIX: AM-2994 Blocked requests could lead to duplicate access log entries
- CHG: AM-2916 Engine metrics renamed to a more descriptive name
- NEW: AM-2435 Metric to show the Microgateway Engine version
- NEW: AM-2952 CRD Telemetry extended to configure the behavior of received UUIDs in the X-Request-ID header
- CHG: AM-2999 Use Chainguard image as base image for Operator, License Guard and CNI Installer
- FIX: AM-2887 JSON limits in log only mode logged several times
- FIX: AM-2645 CRD Limits treat bodySize=0 as unlimited
- FIX: AM-2686 Improved handling of resource update conflicts to avoid error log spam
- NEW: AM-3186 CRD DenyRule allow deny rule exceptions only with JSON path
- NEW: AM-3015 CRD SidecarGateway extended to configure the handling for the X-Forwarded-Client-Cert header
- FIX: AM-3163 app.kubernetes/version removed from matchLabels in spec.selector in the Deployment
- NEW: AM-2038 Support for proxying Websocket connections
- NEW: AM-3067 Metric to show which deny rule has been triggered
- NEW: AM-2291 Metric to show the blocked requests by Airlock Microgateway filter
- NEW: AM-3278 CRD SidecarGateway extended to configure the upstream timeout for a route
- NEW: AM-2244 OpenAPI specification enforcement
- FIX: AM-3001 Logging value of threat_handling_mode in snake case
- NEW: AM-3139 Metric to show which limit has been triggered
- NEW: AM-3166 Operator pod can be scaled horizontally
4.0.2
Version 4.0.2
Release description
The Airlock Microgateway 4.0.2 release contains various security and regular updates of dependencies.
Changelog
- SEC: AM-2946 Envoy updated to v1.26.3
- FIX: AM-2930 Set NetworkManager securityContext correctly
4.0.1
Version 4.0.1
Release description
The Airlock Microgateway 4.0.1 release contains various security and regular updates of dependencies.
Changelog
- SEC: AM-2904 Go updated to 1.20.6, Envoy updated to v1.26.2, gRPC updated to v1.56.2, Redis updated to 7.0.12
4.0.0
Version 4.0.0
Release description
Airlock Microgateway helps you to protect your services and APIs from unauthorized or malicious access with little effort. It is a lightweight and Kubernetes-native Web Application and API Protection (WAAP) solution designed to overcome the DevSecOps obstacles and implement ZeroTrust.
Main new features:
- Kubernetes-native integration
  - Custom resource definitions (CRDs)
  - Its own operator
- Deny rules for OWASP Top 10
- Header rewrites
  - Inject security headers
  - Remove untrustworthy headers
- Limits to restrict the number of parameters, path length and much more
- Support for built-in Envoy http filters
- Telemetry
  - Access log containing all relevant information
  - Metrics to observe the traffic
Breaking changes:
Airlock Microgateway 4.0 differs from previous releases in many ways. Some of them are mentioned below:
- Kubernetes-native integration
  - Requires a Kubernetes distribution
  - Configuration format (Custom Resource vs. previously config.yaml)
- Proxy
  - Envoy vs. previously Apache / Security Gatekeeper
  - Streams by default
How to migrate?
- Re-integrate the web application
  - Use the old configuration file as a reference
- Configure allowed request/response headers in Header rewrites
- Start with the old Deny Rules configuration as a reference
  - Security Level
  - Deny Rule exceptions
Do not copy & paste the following settings from previous releases:
- Limits
  - Use the new and recommended default values and only increase them if really required.
  - This setting restricts parsed bodies such as JSON documents in POST requests, not uploaded files (formUpload). This behavior has changed from Microgateway 3.3 to 4.0.
Notice:
Microgateway Engine containers report the current usage to the Microgateway License Guard service. In the Community edition, if the real throughput exceeds the licensed throughput, a percentage of requests are blocked. In the Premium edition, no requests are blocked but this behavior might change in the future.
Changelog
- NEW: AM-2211 CRD DenyRules extended to support custom deny rules
- NEW: AM-2445 Configuration examples in Github repository
- NEW: AM-2439 CRD Limits extended to restrict body size
- NEW: AM-2152 CRD DenyRules extended to configure exceptions with JSONPath
- NEW: AM-2140 CRD SidecarGateway extended to configure HTTP 1.1 and HTTP 2.0 for upstream and downstream connections
- NEW: AM-2109 CRD DenyRules extended with operationalMode
- NEW: AM-2267 CRD SidecarGateway extended to configure downstream TLS for client certificate verification
- NEW: AM-2360 CRD DenyRules extended to configure exceptions and custom deny rules with JSONKeys
- NEW: AM-2094 Miscellaneous security settings in Kubernetes manifest enabled
- NEW: AM-2081 Log level can be configured for Operator and Network Manager
- NEW: AM-2070 CRD HeaderRewrites extended with custom rules for response header add
- NEW: AM-2068 CRD HeaderRewrites extended with custom rules for request header add
- NEW: AM-2057 Access log of Microgateway Engine extended with a log_correlation to correlate with the application log
- NEW: AM-2052 Envoy command operator created to enrich the logs
- NEW: AM-2051 Default access log format defined according to ECS (Elastic Common Schema)
- NEW: AM-2047 Support for custom access log format
- NEW: AM-2023 Configuration options for remote IP (X-Forwarded-For)
- NEW: AM-2013 Support for JSON filtering
- NEW: AM-1741 Microgateway Operator supports the termination log
- NEW: AM-1736 Anthos Service Mesh on GKE support for Airlock Microgateway
- NEW: AM-1732 Network Manager supports IPTables variants "legacy" and "nft"
- NEW: AM-1726 Kubernetes manifest files for deployment
- NEW: AM-1483 Network Manager extended to exclude ports to be filtered by Airlock Microgateway
- NEW: AM-1421 Deny rules for OWASP Top 10
- NEW: AM-1415 Microgateway Operator watches the annotation for automated sidecar injection
- NEW: AM-1410 Openshift support for Airlock Microgateway
- NEW: AM-1290 Distroless as base image for Microgateway Operator, Network Manager and Engine
- NEW: AM-1251 Readiness and liveness probes for Microgateway Operator
- NEW: AM-1250 Readiness and Liveness probes for Microgateway Engine
- NEW: AM-1215 Microgateway Engine container template can be customized
- NEW: AM-1214 Network Manager container template can be customized
- NEW: AM-1825 Log level can be configured for Engine
- NEW: AM-1804 CRD HeaderRewrites extended with built-in rules for response header remove
- NEW: AM-1803 CRD HeaderRewrites extended with built-in rules for response header add
- NEW: AM-1801 CRD HeaderRewrites extended with built-in rules for response header allow
- NEW: AM-1798 CRD HeaderRewrites extended with built-in rules for request header remove
- NEW: AM-1797 CRD HeaderRewrites extended with built-in rules for request header allow
- NEW: AM-1918 CRD HeaderRewrites extended with custom rules for response header remove
- NEW: AM-1917 CRD HeaderRewrites extended with custom rules for request header remove
- NEW: AM-1916 CRD HeaderRewrites extended with custom rules for response header allow
- NEW: AM-1915 CRD HeaderRewrites extended with custom rules for request header allow
- NEW: AM-1908 CRD SidecarGateway extended to configure different security settings for each containerPort
- NEW: AM-1658 Remove server header from HTTP responses
- NEW: AM-1645 CRD SidecarGateway extended with the configuration options normalizePath and mergeSlashes
- NEW: AM-1966 Secured xDS communication between Operator and Engine
- NEW: AM-1356 CRD EnvoyHTTPFilter and EnvoyCluster allows to configure built-in Envoy functionality
- NEW: AM-1346 GKE support for Airlock Microgateway
- NEW: AM-1344 Engine's Envoy bootstrap config can be customized
- NEW: AM-1318 Microgateway Engine decodes percent encoded parameters
- NEW: AM-1317 Microgateway Engine decodes HTML entities
- NEW: AM-1314 Microgateway Engine decodes form-urlencoded parameters
- NEW: AM-1312 Microgateway Engine decodes UTF-8
- NEW: AM-1129 Microgateway Operator supports installation mode "allNamespace"
- NEW: AM-1574 CRD SidecarGateway extended to exclude paths that should not be filtered
- NEW: AM-1573 CRD SidecarGateway extended to configure different security settings for each path
- NEW: AM-1571 CRD SidecarGateway extended to configure downstream TLS settings
- NEW: AM-1570 CRD SidecarGateway extended to configure upstream TLS settings
- NEW: AM-2095 CRD Limits extended to restrict JSON nesting depth, number of keys and number of total entries
- NEW: AM-1334 CRD Limits extended to restrict the number of parameters
- NEW: AM-1333 CRD Limits extended to restrict name and value length for JSON and http parameters
- NEW: AM-2399 Microgateway License Guard provides licensing metrics
4.0.0-beta1
Version 4.0.0-beta1
Release description
Airlock Microgateway helps you to protect your services and APIs from unauthorized or malicious access with little effort. It is a lightweight and Kubernetes-native Web Application and API Protection (WAAP) solution designed to overcome the DevSecOps obstacles and implement ZeroTrust.
Main new features:
- Kubernetes-native integration
  - Custom resource definitions (CRDs)
  - Its own Operator
- Deny rules for OWASP Top 10
- Header rewrites
  - Inject security headers
  - Remove untrustworthy headers
- Support for built-in Envoy http filters
- Telemetry
  - Access log containing all relevant information
  - Metrics to observe the traffic
Beta release:
Please note that this is a beta version. Therefore, do not use it in a production environment. The final 4.0.0 release is coming shortly.
Remarks for the beta version:
- License
  - A license is pre-packed in the image. You do not need to request one.
  - The license allows all features to be used.
  - The license does not restrict the throughput.
  - The license does not restrict the number of sidecars.
  - The license expires on 1st of July 2023.
- Work in progress
  - The licensing mechanism is not yet finished. Once the final 4.0.0 is released, a license is required: either a Premium license or a free Community license requested through a web form.
  - The web form to request a Community license is not yet published.
  - The feature "Limits" is not yet finished. The configuration, logging or behavior might change in the final 4.0.0 release.
Breaking changes:
- Airlock Microgateway 4.0 is a Kubernetes-native integration and differs from previous releases in many ways (architecture, core, configuration format, ...). It is therefore highly recommended to re-integrate the web application, using the old configuration file as a reference for what had to be adjusted previously.
Changelog
- NEW: AM-1483 Network Manager extended to exclude ports to be filtered by Airlock Microgateway
- NEW: AM-2211 CRD DenyRules extended to support custom deny rules
- NEW: AM-1356 CRD EnvoyHTTPFilter and EnvoyCluster allows to configure built-in Envoy functionality
- NEW: AM-1346 GKE support for Airlock Microgateway
- NEW: AM-1344 Engine's Envoy bootstrap config can be customized
- NEW: AM-1574 CRD SidecarGateway extended to exclude paths that should not be filtered
- NEW: AM-1573 CRD SidecarGateway extended to configure different security settings for each path
- NEW: AM-1571 CRD SidecarGateway extended to configure downstream TLS settings
- NEW: AM-1570 CRD SidecarGateway extended to configure upstream TLS settings
- NEW: AM-1421 Deny rules for OWASP Top 10
- NEW: AM-1415 Microgateway Operator watches the annotation for automated sidecar injection
- NEW: AM-1410 Openshift support for Airlock Microgateway
- NEW: AM-1129 Microgateway Operator supports installation mode "allNamespace"
- NEW: AM-1251 Readiness and liveness probes for Microgateway Operator
- NEW: AM-1250 Readiness and Liveness probes for Microgateway Engine
- NEW: AM-1215 Microgateway Engine container template can be customized
- NEW: AM-1214 Network Manager container template can be customized
- NEW: AM-2070 CRD HeaderRewrites extended with custom rules for response header add
- NEW: AM-2068 CRD HeaderRewrites extended with custom rules for request header add
- NEW: AM-2057 Access log of Microgateway Engine extended with a log_correlation to correlate with the application log
- NEW: AM-2052 Envoy command operator created to enrich the logs
- NEW: AM-2051 Default access log format defined according to ECS (Elastic Common Schema)
- NEW: AM-2047 Support for custom access log format
- NEW: AM-2013 Support for JSON filtering
- NEW: AM-2094 Miscellaneous security settings in Kubernetes manifest enabled
- NEW: AM-2081 Log level can be configured for Operator and Network Manager
- NEW: AM-1645 CRD SidecarGateway extended with the configuration options normalizePath and mergeSlashes
- NEW: AM-1741 Microgateway Operator supports the termination log
- NEW: AM-1736 Anthos Service Mesh on GKE support for Airlock Microgateway
- NEW: AM-1658 Remove server header from HTTP responses
- NEW: AM-1804 CRD HeaderRewrites extended with built-in rules for response header remove
- NEW: AM-1803 CRD HeaderRewrites extended with built-in rules for response header add
- NEW: AM-1801 CRD HeaderRewrites extended with built-in rules for response header allow
- NEW: AM-1798 CRD HeaderRewrites extended with built-in rules for request header remove
- NEW: AM-1797 CRD HeaderRewrites extended with built-in rules for request header allow
- NEW: AM-1726 Kubernetes manifest files for deployment
- NEW: AM-1732 Network Manager supports IPTables variants "legacy" and "nft"
- NEW: AM-2140 CRD SidecarGateway extended to configure HTTP 1.1 and HTTP 2.0 for upstream and downstream connections
- NEW: AM-1825 Log level can be configured for Engine
- NEW: AM-1918 CRD HeaderRewrites extended with custom rules for response header remove
- NEW: AM-1917 CRD HeaderRewrites extended with custom rules for request header remove
- NEW: AM-1916 CRD HeaderRewrites extended with custom rules for response header allow
- NEW: AM-1915 CRD HeaderRewrites extended with custom rules for request header allow
- NEW: AM-1908 CRD SidecarGateway extended to configure different security settings for each containerPort
- NEW: AM-1318 Microgateway Engine decodes percent encoded parameters
- NEW: AM-1317 Microgateway Engine decodes HTML entities
- NEW: AM-1314 Microgateway Engine decodes form-urlencoded parameters
- NEW: AM-1312 Microgateway Engine decodes UTF-8
- NEW: AM-1290 Distroless as base image for Microgateway Operator, Network Manager and Engine
- NEW: AM-1966 Secured xDS communication between Operator and Engine
- NEW: AM-2023 Configuration options for remote IP (X-Forwarded-For)
- NEW: AM-2109 CRD DenyRules extended with operationalMode
- NEW: AM-2152 CRD DenyRules extended to configure exceptions with JSONPath
- NEW: AM-2267 CRD SidecarGateway extended to configure downstream TLS for client certificate verification
- NEW: AM-2360 CRD DenyRules extended to configure exceptions and custom deny rules with JSONKeys