WAF Settings

The differences between TSB and TSE API

Tetrate Service Express (TSE) uses many of the same components as the Tetrate Service Bridge (TSB) product but has several distinctions. See Comparing TSE and TSB for more details.

The following example creates a security group for the sidecars in the ns1, ns2 and ns3 namespaces, owned by its parent workspace w1 under tenant mycompany, together with a security setting that applies the WAF Settings to that group.

```yaml
apiVersion: security.tsb.tetrate.io/v2
kind: Group
metadata:
  name: t1
  workspace: w1
  tenant: tse
  organization: tse
spec:
  namespaceSelector:
    names:
      - "*/ns1"
      - "*/ns2"
      - "*/ns3"
  configMode: BRIDGED
---
apiVersion: security.tsb.tetrate.io/v2
kind: SecuritySetting
metadata:
  name: defaults
  group: t1
  workspace: w1
  tenant: tse
  organization: tse
spec:
  waf:
    rules:
      - Include @recommended-conf
```

In the following examples, the rule set for blocking XSS requests is enabled on a Tier1Gateway and on an IngressGateway respectively. The IngressGateway example adds an ad-hoc detection-only debug configuration, which is used instead of the one defined in the security setting.

```yaml
apiVersion: gateway.xcp.tetrate.io/v2
kind: Tier1Gateway
metadata:
  name: tier1-waf-gw
  group: g1
  workspace: w1
  tenant: tse
  organization: tse
spec:
  workloadSelector:
    namespace: ns1
    labels:
      app: gateway
  passthroughServers:
    - name: nginx
      port: 8443
      hostname: nginx.example.com
  waf:
    rules:
      - Include @owasp_crs/REQUEST-941-APPLICATION-ATTACK-XSS.conf
```

```yaml
apiVersion: gateway.xcp.tetrate.io/v2
kind: IngressGateway
metadata:
  name: waf-gw
  group: g1
  workspace: w1
  tenant: tse
  organization: tse
spec:
  workloadSelector:
    namespace: ns1
    labels:
      app: waf-gateway
  waf:
    rules:
      - SecRuleEngine DETECTION_ONLY
      - SecDebugLogLevel 5
      - Include @owasp_crs/REQUEST-941-APPLICATION-ATTACK-XSS.conf
  http:
    - name: bookinfo
      port: 9443
      hostname: bookinfo.com
```

WAFSettings

WAFSettings configure the WAF using seclang directives. See https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual-%28v3.x%29#Configuration_Directives for the list of configuration directives.

| Field | Description | Validation Rule |
| --- | --- | --- |
| rules | List of string, REQUIRED. Rules to be leveraged by WAF. The parser evaluates the list of rules from the top to the bottom. | `repeated = { min_items: 1, items: { string: { min_len: 1 } } }` |
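The following script is an added example, not part of TSE or this page: it applies the validation rule above (at least one rule, each a non-empty string) to a `waf.rules` list and then walks the directives top to bottom, as the parser does, to flag settings a reviewer would want to notice before rollout, such as `SecRuleEngine DETECTION_ONLY` (matches are logged, not blocked) or a high `SecDebugLogLevel`. The sample rule lists are constructed to mirror the YAML on this page; the debug-level threshold is an assumption of this example.

```python
"""Audit the waf.rules list of a TSE SecuritySetting or Gateway resource."""

# Constructed sample inputs mirroring the YAML examples on this page.
SECURITY_SETTING_RULES = ["Include @recommended-conf"]
INGRESS_GW_RULES = [
    "SecRuleEngine DETECTION_ONLY",
    "SecDebugLogLevel 5",
    "Include @owasp_crs/REQUEST-941-APPLICATION-ATTACK-XSS.conf",
]

# Assumption of this example: debug levels above 3 are treated as too
# verbose for production and flagged for review.
MAX_PRODUCTION_DEBUG_LEVEL = 3


def validate_rules(rules):
    """Return the errors the API validation rule would raise for `rules`."""
    errors = []
    if len(rules) < 1:
        errors.append("rules: at least 1 item required (min_items: 1)")
    for i, rule in enumerate(rules):
        if not isinstance(rule, str) or len(rule) < 1:
            errors.append(f"rules[{i}]: must be a non-empty string (min_len: 1)")
    return errors


def audit_rules(rules):
    """Return reviewer findings for a list that already passed validation.

    Directives are evaluated top to bottom, so the last SecRuleEngine
    value seen is the one that takes effect.
    """
    findings = []
    engine = None
    includes = 0
    for rule in rules:
        parts = rule.split(None, 1)
        directive, arg = parts[0], (parts[1].strip() if len(parts) > 1 else "")
        if directive == "SecRuleEngine":
            engine = arg.upper()
        elif directive == "SecDebugLogLevel":
            if arg.isdigit() and int(arg) > MAX_PRODUCTION_DEBUG_LEVEL:
                findings.append(f"SecDebugLogLevel {arg}: verbose debug logging left enabled")
        elif directive == "Include":
            includes += 1
    if engine == "DETECTION_ONLY":
        findings.append("SecRuleEngine DETECTION_ONLY: matches are logged but not blocked")
    if includes == 0:
        findings.append("no Include directive: no rule set is loaded")
    return findings
```

Run `validate_rules` first and only audit lists it accepts; a finding is a prompt to check the intent of the configuration, not an error.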