From 662eaec2f985fa9b88c335380b2976ecf03b9542 Mon Sep 17 00:00:00 2001
From: Lorcan McVeigh
Date: Fri, 7 Nov 2025 10:30:36 +0000
Subject: [PATCH 1/2] Add gatewaywaf CRD
---
.../operator.tigera.io_gatewaywaf.yaml | 155 ++++++++++++++++++
1 file changed, 155 insertions(+)
create mode 100644 pkg/crds/operator/operator.tigera.io_gatewaywaf.yaml
diff --git a/pkg/crds/operator/operator.tigera.io_gatewaywaf.yaml b/pkg/crds/operator/operator.tigera.io_gatewaywaf.yaml
new file mode 100644
index 0000000000..40dc6d5546
--- /dev/null
+++ b/pkg/crds/operator/operator.tigera.io_gatewaywaf.yaml
@@ -0,0 +1,155 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.18.0 + name: gatewaywafs..operator.tigera.io +spec: + group: operator.tigera.io + names: + kind: GatewayWAF + listKind: GatewayWAFList + plural: gatewaywafs + singular: gatewaywaf + scope: Namespaced + versions: + - name: v1 + schema: + openAPIV3Schema: + description: GatewayWAF is the Schema for the gatewaywafs API + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: GatewayWAFSpec defines the desired state of GatewayWAF + properties: + targetRefs: + description: |- + TargetRefs is a list of references to Gateway API resources that this WAF configuration applies to. + These are typically Gateway resources, but could also be HTTPRoute or other Gateway API resources. + items: + description: TargetRef identifies an API object to apply WAF configuration to. + properties: + group: + description: Group is the group of the target resource. + type: string + kind: + description: Kind is kind of the target resource. + type: string + name: + description: Name is the name of the target resource. + type: string + namespace: + description: |- + Namespace is the namespace of the target resource. 
For Cluster-scoped resources, + this field is ignored. For namespaced resources, this field is required when + the resource is in a different namespace than the GatewayWAF resource. + type: string + required: + - group + - kind + - name + type: object + type: array + customBeforeRules: + description: |- + CustomBeforeRules contains custom ModSecurity rules to be applied before the Core Rule Set (CRS) is loaded. + This is typically used by plugins or for initial configuration that needs to be processed before the CRS rules. + items: + type: string + type: array + customAfterRules: + description: |- + CustomAfterRules contains custom ModSecurity rules to be applied after the Core Rule Set (CRS) is loaded. + This is typically used to disable specific rules, enable blocking mode, provide additional rules, or rewrite existing rules. + items: + type: string + type: array + required: + - targetRefs + type: object + status: + description: GatewayWAFStatus defines the observed state of GatewayWAF + properties: + conditions: + description: |- + Conditions represents the latest observed set of conditions for the component. A component may be one or more of + Ready, Progressing, Degraded or other customer types. + items: + description: Condition contains details for one aspect of the current state of this API Resource. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. 
+ For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + state: + description: State provides user-readable status. + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} From 97286cc809af16ec6f516a78340f28904c7eabcf Mon Sep 17 00:00:00 2001 From: Lorcan McVeigh Date: Mon, 8 Dec 2025 10:44:07 +0000 Subject: [PATCH 2/2] Add RBAC for new WAF http filter --- .../operator/operator.tigera.io_gatewaywaf.yaml | 4 ++-- pkg/render/gatewayapi/gateway_api.go | 15 +++++++++++++++ 2 files changed, 17 insertions(+), 2 deletions(-) diff --git a/pkg/crds/operator/operator.tigera.io_gatewaywaf.yaml b/pkg/crds/operator/operator.tigera.io_gatewaywaf.yaml index 40dc6d5546..bf70227644 100644 --- a/pkg/crds/operator/operator.tigera.io_gatewaywaf.yaml +++ b/pkg/crds/operator/operator.tigera.io_gatewaywaf.yaml 
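Review bot: The `targetRefs[].namespace` description in this hunk's spec schema says a GatewayWAF may target a Gateway or HTTPRoute in a different namespace, but nothing in the schema or description ties that to a ReferenceGrant or any other cross-namespace authorization, so a GatewayWAF in one namespace can attach ModSecurity directives — including `customAfterRules`, which the description says can disable rules or enable blocking mode — to another namespace's Gateway. Unless the controller already enforces such a grant (not visible here), the description should state the check, e.g. `Cross-namespace references require a ReferenceGrant in the target namespace; references without one are ignored and reported in status.`, and the controller should enforce it. Separately, `customBeforeRules` and `customAfterRules` are unbounded free-form strings with no `maxLength`/`maxItems`, and `targetRefs` has no `minItems: 1`; adding those caps keeps a single object from carrying an arbitrarily large rule set into the filter. Since this file is controller-gen output, these changes belong on the Go type's kubebuilder markers rather than on the YAML itself.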
@@ -3,9 +3,9 @@ kind: CustomResourceDefinition
 metadata:
 annotations:
 controller-gen.kubebuilder.io/version: v0.18.0
- name: gatewaywafs..operator.tigera.io
+ name: gatewaywafs.applicationlayer.tigera.io
 spec:
- group: operator.tigera.io
+ group: applicationlayer.tigera.io
 names:
 kind: GatewayWAF
 listKind: GatewayWAFList
diff --git a/pkg/render/gatewayapi/gateway_api.go b/pkg/render/gatewayapi/gateway_api.go
index f2a75f76ba..6d748b768d 100644
--- a/pkg/render/gatewayapi/gateway_api.go
+++ b/pkg/render/gatewayapi/gateway_api.go
@@ -1116,6 +1116,21 @@ func (pr *gatewayAPIImplementationComponent) wafHttpFilterClusterRole() *rbacv1.
 Resources: []string{"tokenreviews"},
 Verbs: []string{"create"},
 },
+ {
+ APIGroups: []string{"applicationlayer.tigera.io"},
+ Resources: []string{"gatewaywafs"},
+ Verbs: []string{"get", "list", "update"},
+ },
+ {
+ APIGroups: []string{"gateway.networking.k8s.io"},
+ Resources: []string{"gateways", "httproutes"},
+ Verbs: []string{"get", "list", "update"},
+ },
+ {
+ APIGroups: []string{""},
+ Resources: []string{"pods"},
+ Verbs: []string{"get", "list"},
+ },
 },
 }
 }
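Review bot: The new rules grant cluster-wide `update` on `gatewaywafs`, `gateways` and `httproutes`, which is broader than a filter that resolves targetRefs appears to need and lets the WAF filter's service account modify every tenant's Gateway and HTTPRoute objects. The GatewayWAF CRD added in the first patch enables the status subresource (`subresources: status: {}`), so writing `.status` requires `update`/`patch` on `gatewaywafs/status`, not `update` on the main resource; unless the filter also mutates Gateway or HTTPRoute objects (nothing in this hunk shows that), drop `update` from both rules and add a status-subresource rule as below. If the filter watches these resources through informers it will also need `watch`, which none of the new rules grant, so that should be confirmed against the filter's client code. A short comment on each rule naming what the filter does with the resource would make the next audit of this ClusterRole much easier; wafHttpFilterClusterRole begins before this hunk.
```go
		{
			APIGroups: []string{"applicationlayer.tigera.io"},
			Resources: []string{"gatewaywafs"},
			Verbs:     []string{"get", "list"},
		},
		{
			// GatewayWAF enables the status subresource, so status writes
			// need this rule rather than update on the main resource.
			APIGroups: []string{"applicationlayer.tigera.io"},
			Resources: []string{"gatewaywafs/status"},
			Verbs:     []string{"update", "patch"},
		},
		{
			APIGroups: []string{"gateway.networking.k8s.io"},
			Resources: []string{"gateways", "httproutes"},
			Verbs:     []string{"get", "list"},
		},
		// … unchanged: pods rule …
```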