Releases: airlock/microgateway
4.3.4
Version 4.3.4
Release description
Airlock Microgateway helps you to protect your services and APIs from unauthorized or malicious access with little effort. It is a lightweight and Kubernetes-native Web Application and API Protection (WAAP) solution designed to overcome the DevSecOps obstacles and to implement ZeroTrust.
This Airlock Microgateway release contains security and regular updates of dependencies and improvements.
Helpful links:
Changelog
- UPD: AM-4902 Envoy updated to 1.30.6, base images updated
4.2.8
Version 4.2.8
Release description
Airlock Microgateway helps you to protect your services and APIs from unauthorized or malicious access with little effort. It is a lightweight and Kubernetes-native Web Application and API Protection (WAAP) solution designed to overcome the DevSecOps obstacles and to implement ZeroTrust.
This Airlock Microgateway release contains security, regular updates of dependencies and improvements.
Helpful links:
Changelog
- UPD: AM-4900 Envoy updated to 1.29.9, base images updated
4.2.7
Version 4.2.7
Release description
Airlock Microgateway helps you to protect your services and APIs from unauthorized or malicious access with little effort. It is a lightweight and Kubernetes-native Web Application and API Protection (WAAP) solution designed to overcome the DevSecOps obstacles and to implement ZeroTrust.
This Airlock Microgateway release contains security and regular updates of dependencies and improvements.
Helpful links:
Changelog
- SEC: AM-4796 Golang updated to v1.22.7, Base images updated
4.3.3
Version 4.3.3
Release description
Airlock Microgateway helps you to protect your services and APIs from unauthorized or malicious access with little effort. It is a lightweight and Kubernetes-native Web Application and API Protection (WAAP) solution designed to overcome the DevSecOps obstacles and to implement ZeroTrust.
This Airlock Microgateway release contains security and regular updates of dependencies and improvements.
Helpful links:
Changelog
- SEC: AM-4779 Golang updated to v1.22.7, Base images updated
4.3.2
Version 4.3.2
Release description
Airlock Microgateway helps you to protect your services and APIs from unauthorized or malicious access with little effort. It is a lightweight and Kubernetes-native Web Application and API Protection (WAAP) solution designed to overcome the DevSecOps obstacles and to implement ZeroTrust.
This Airlock Microgateway release contains security and regular updates of dependencies and a bugfix for the CNI plugin.
Helpful links:
Changelog
- SEC: AM-4744 Base images updated
- FIX: AM-4739 CNI traffic redirection not working properly in certain scenarios when using Istio with Native Sidecar support enabled (CASE-35485)
4.2.6
Version 4.2.6
Release description
Airlock Microgateway helps you to protect your services and APIs from unauthorized or malicious access with little effort. It is a lightweight and Kubernetes-native Web Application and API Protection (WAAP) solution designed to overcome the DevSecOps obstacles and to implement ZeroTrust.
This Airlock Microgateway release contains security and regular updates of dependencies and a bugfix for the CNI plugin.
Helpful links:
Changelog
- SEC: AM-4741 Base images updated
- FIX: AM-4739 CNI traffic redirection not working properly in certain scenarios when using Istio with Native Sidecar support enabled (CASE-35485)
4.3.1
Version 4.3.1
Release description
Airlock Microgateway helps you to protect your services and APIs from unauthorized or malicious access with little effort. It is a lightweight and Kubernetes-native Web Application and API Protection (WAAP) solution designed to overcome the DevSecOps obstacles and to implement ZeroTrust.
This Airlock Microgateway release contains security and regular updates of dependencies and improvements.
Helpful links:
Changelog
- SEC: AM-4662 Go updated to v1.22.6, Base images updated
- FIX: AM-4488 Allow empty schemas for binary body validators
- CHG: AM-4577 Switched from busybox to netcat image for Network Validator container
4.2.5
Version 4.2.5
Release description
Airlock Microgateway helps you to protect your services and APIs from unauthorized or malicious access with little effort. It is a lightweight and Kubernetes-native Web Application and API Protection (WAAP) solution designed to overcome the DevSecOps obstacles and to implement ZeroTrust.
This Airlock Microgateway release contains security and regular updates of dependencies and improvements.
Helpful links:
Changelog
- SEC: AM-4663 Go updated to v1.22.6, Base images updated
- CHG: AM-4577 Switched from busybox to netcat image for Network Validator container
4.3.0
Version 4.3.0
Release description
Airlock Microgateway helps you to protect your services and APIs from unauthorized or malicious access with little effort. It is a lightweight and Kubernetes-native Web Application and API Protection (WAAP) solution designed to overcome the DevSecOps obstacles and to implement ZeroTrust.
Main new features:
- GraphQL schema validation
- Own- and Multi-Namespace support
- Grafana Dashboards
- OIDC RP improvements
- Extend limit checks to support OpenAPI and GraphQL requests and additional content type:
multipart/form-data
Action required:
- If the experimental OIDC Relying Party feature is used it is now required to deploy a Redis and configure a SessionHandling CR which is referenced in the SidecarGateway CR.
- The upgrade to 4.3 must be done without using the new Own- and Multi-Namespace feature.
Breaking changes:
The following changes are breaking:
- The behavior of value "auto" for upstream protocol in the SidecarGateway CRD has changed. In the case where no TLS is configured for the upstream connection, the HTTP protocol used by the downstream connection is also used for the upstream connection. Previously "auto" for upstream connections caused that always HTTP/1.1 was used.
- Various behavior and defaults of the Limit CRD have changed
- Split up
general.bodySize
limit into specific limitslimited.json.bodySize
andlimited.parameter.bodySize
(default values:100Ki
) general.bodySize
limit is fron now on only applied to unparsed requests with unknown content-types such asapplication/octet stream
(old behavior: applied only to parsed requests e.g. JSON data). Hence this is not a global default.- Default value of
general.bodySize
was increased to100Mi
(old default:100Ki
) - WebSocket and gRPC requests currently do not have specific limit settings and always use an unlimited, non-configurable body size to avoid problems
- Split up
- Microgateway configured as OIDC Relying Party requires now a Redis being deployed and session handling configured. The OIDC configuration itself is unchanged.
- The Engine metrics have changed to simplify future extensions:
- Regarding requests
- Added a new metric
microgateway_http_downstream_rq_threats_blocked_total
to measure the total number of requests blocked by an Engine filter. This metric now contains theblock_type
label with the value of the block category that triggered the block action. - Added a new metric
microgateway_http_downstream_rq_threats_logged_total
to measure the total number of requests logged by an Engine filter. This metric now contains theblock_type
label with the value of the block category that would trigger a block action. - Removed the metrics
microgateway_http_downstream_rq_blocked_total
,microgateway_http_downstream_rq_deny_rule_total
andmicrogateway_http_downstream_rq_limit_total
. Please migrate to the above-mentioned metrics instead.
- Added a new metric
- Regarding respones
- Added a new metric
microgateway_http_downstream_rs_threats_blocked_total
to measure the total number of responses blocked by an Engine filter. This metric now contains theblock_type
label with the value of the block category that triggered the block action. - Added a new metric
microgateway_http_downstream_rs_threats_logged_total
to measure the total number of responses logged by an Engine filter. This metric now contains theblock_type
label with the value of the block category that would trigger a block action. - Removed the metric
microgateway_http_downstream_rs_blocked_total
. Please migrate to the above-mentioned metric instead.
- Added a new metric
- Regarding requests
Licensing:
In the Community edition, if the real throughput exceeds the licensed throughput, requests are blocked. In the Premium edition, no requests are blocked.
Helpful links:
Changelog
- NEW: AM-1751 Extend Access Log with Correlation ID
- NEW: AM-3107 Added new RedisProvider CRD
- NEW: AM-3239 gRPC proxying support improved
- NEW: AM-3879 Add new timing metrics rq_processing_time_ms, rs_processing_time_ms, upstream_responsiveness_ms
- NEW: AM-3993 Add gRPC proxying support
- NEW: AM-4126 Introduce GraphQL CRD
- NEW: AM-4153 Add Airlock Microgateway Session Store to Helm Chart
- NEW: AM-4154 Add Airlock Microgateway Session Agent container
- NEW: AM-4155 Added new SessionHandling CRD
- NEW: AM-4171 Optionally deploy a Grafana Dashboard for licensing statistics
- NEW: AM-4175 Optionally deploy an Overview Dashboard for Microgateway statistics in Grafana
- NEW: AM-4176 Optionally deploy a dashboard detailing statistics on blocked requests
- NEW: AM-4177 Optionally deploy a dashboard with log details on blocked requests
- NEW: AM-4182 add
querySize
,nestingDepth
andvalueLength
keys to the Limits CRD to define limits for GraphQL requests - NEW: AM-4209 Introduce
bodySize
key per content type to the Limits CRD to restrict the total request body size - NEW: AM-4218 Add support for Single/Own-Namespace Operator installation
- NEW: AM-4274 Add support in Deny Rules for GraphQL (exceptions, overrides and custom deny rules)
- NEW: AM-4298 Added Readiness and Liveness probes for Microgateway Session Agent
- NEW: AM-4361 Validate AccessControl CR is properly configured for OIDC which requires SessionHandling CR.
- NEW: AM-4416 Add length exception for fields, arguments and values to Limits CRD for GraphQL requests.
- FIX: AM-4205 Fixed invalid config events/conditions not being emitted when OIDC is configured and the initial configuration after pod startup is rejected by the Engine
- CHG: Metrics deny_rule_total and limit_total replaced with blocked_total
- CHG: AM-3991 Limit the total number of active downstream connections allowed across all listeners
- CHG: AM-3995 Double max-age value of HSTS header to 31536000 (one year)
- CHG: AM-4187 Split up blocked_total metric into threats_blocked_total and threats_logged_total
- CHG: AM-4231 Change behavior of "auto" value for upstream protocol in SidecarGateway CRD
- CHG: AM-4243 Improved validation of trustedCA certificate secret contents
- CHG: AM-4301 Operator now distinguishes between managed and unmanaged Pods/Sidecars (= managed by a different Operator instance) and no longer attempts configuration updates for the latter
- CHG: AM-4331 The internal EnvoyConfiguration CRD now stores the Engine configuration in a compressed format in order to support larger configurations without reaching the Kubernetes request size limit
- CHG: AM-4407 Various deny-rule improvements
- CHG: AM-4469 Removed finalizers for Pod and EnvoyConfiguration resources
- UPD: AM-4213 Update Envoy to 1.30.1
4.2.4
Version 4.2.4
Release description
Airlock Microgateway helps you to protect your services and APIs from unauthorized or malicious access with little effort. It is a lightweight and Kubernetes-native Web Application and API Protection (WAAP) solution designed to overcome the DevSecOps obstacles and to implement ZeroTrust.
This Airlock Microgateway release contains security and regular updates of dependencies and improvements.
Helpful links:
Changelog
- SEC: AM-4462 Go updated to 1.22.5, Envoy updated to 1.29.7, google.golang.org/grpc to v1.65.0, Base images updated