Service Security Setting

ServiceSecuritySetting allows configuring security-related properties, such as TLS authentication and access control, for traffic arriving at a particular service in a security group. These settings replace the security-group-wide settings for this service.

The following example defines a security setting that applies to the service foo in namespace ns1 and only allows mutual-TLS-authenticated traffic from other proxy workloads in the same group.

apiVersion: security.tsb.tetrate.io/v2
kind: ServiceSecuritySetting
metadata:
  name: foo-auth
  group: sg1
  workspace: w1
  tenant: mycompany
  org: myorg
spec:
  service: ns1/foo.ns1.svc.cluster.local
  settings:
    authentication: REQUIRED
    authorization:
      mode: GROUP

The following example configures the extension list so that the listed WasmExtensions are executed for this service, with a custom config block for each extension.

apiVersion: security.tsb.tetrate.io/v2
kind: ServiceSecuritySetting
metadata:
  name: foo-wasm-plugin
  group: sg1
  workspace: w1
  tenant: mycompany
  org: myorg
spec:
  service: ns1/foo.ns1.svc.cluster.local
  settings:
    extension:
    - fqn: hello-world # fqn of imported extensions in TSB
      config:
        foo: bar

ServiceSecuritySetting

A service security setting applies configuration to a service in a security group. Missing fields inherit their values from the workspace-wide setting, if any.

Field Description Validation Rule

service

string
REQUIRED
The service on which the configuration is being applied. Must be in namespace/FQDN format.

string = {
  pattern: ^[^/]+/[^/]+$
}

settings

tetrateio.api.tsb.security.v2.SecuritySetting
Security settings to apply to this service.

subsets

List of tetrateio.api.tsb.security.v2.ServiceSecuritySetting.Subset
Subset specific settings that will replace the service wide settings for the specified service subsets.

configGenerationMetadata

tetrateio.api.tsb.types.v2.ConfigGenerationMetadata
Metadata values that will be added into the Istio-generated configurations. When using YAML APIs like tctl or GitOps, put them into metadata.labels or metadata.annotations instead. This field is only necessary when using the gRPC APIs directly.

Subset

Subset allows replacing the settings for a specific version of a service.

Field Description Validation Rule

name

string
REQUIRED
Name used to refer to the subset. This must match a subset defined in the ServiceRoute for this service; otherwise it is omitted.

string = {
  min_len: 1
}

settings

tetrateio.api.tsb.security.v2.SecuritySetting
REQUIRED
Security settings to apply to this service subset.

message = {
  required: true
}
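To make the field rules above concrete, here is an added example (not TSB's own code) that checks a ServiceSecuritySetting manifest against the validation rules listed for service and subsets, and resolves which settings apply to a given subset. The manifest is a constructed sample mirroring the page's YAML plus a hypothetical v2 subset; the OPTIONAL authentication value used for that subset is assumed from the SecuritySetting reference, not shown on this page.

```python
import re

# Validation rule from the reference above: service must be "namespace/FQDN".
SERVICE_PATTERN = re.compile(r"^[^/]+/[^/]+$")

# Constructed sample manifest (hypothetical values), mirroring the page's first
# example and adding a subset override for a "v2" version of the service.
SAMPLE = {
    "apiVersion": "security.tsb.tetrate.io/v2",
    "kind": "ServiceSecuritySetting",
    "metadata": {"name": "foo-auth", "group": "sg1", "workspace": "w1",
                 "tenant": "mycompany", "org": "myorg"},
    "spec": {
        "service": "ns1/foo.ns1.svc.cluster.local",
        "settings": {"authentication": "REQUIRED",
                     "authorization": {"mode": "GROUP"}},
        "subsets": [
            # Assumed: OPTIONAL is a valid authentication mode (see SecuritySetting).
            {"name": "v2", "settings": {"authentication": "OPTIONAL"}},
        ],
    },
}


def validate(manifest):
    """Return a list of rule violations; an empty list means the spec is valid."""
    errors = []
    spec = manifest.get("spec") or {}
    service = spec.get("service")
    # service: string, REQUIRED, pattern ^[^/]+/[^/]+$
    if not isinstance(service, str) or not SERVICE_PATTERN.match(service):
        errors.append("spec.service is required and must be in namespace/FQDN format")
    for i, subset in enumerate(spec.get("subsets") or []):
        # Subset.name: string, REQUIRED, min_len 1
        name = subset.get("name")
        if not isinstance(name, str) or len(name) < 1:
            errors.append(f"spec.subsets[{i}].name must be a non-empty string")
        # Subset.settings: message, required
        if not subset.get("settings"):
            errors.append(f"spec.subsets[{i}].settings is required")
    return errors


def effective_settings(manifest, subset_name=None):
    """Subset settings replace the service-wide settings for that subset."""
    spec = manifest.get("spec") or {}
    for subset in spec.get("subsets") or []:
        if subset_name is not None and subset.get("name") == subset_name:
            return subset.get("settings")
    return spec.get("settings")
```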