Skip to main content
logoTetrate Istio Subscription PlusVersion: Latest

Tenant Setting

The differences between TSB and Tetrate Istio Subscription Plus (TIS+)

Tetrate Istio Subscription Plus (TIS+) utilizes many of the same components as the Tetrate Service Bridge(TSB) product but has the several distinctions.

Tenant Setting allows configuring default settings for the tenant.

This is a global object that uniquely configures the tenant, and there can be only one tenant setting object defined for each tenant.

Traffic and security settings can be defined as default for a tenant, meaning that they will be applied to all the workspaces of the tenant. These defaults settings can be overridden by creating proper WorkspaceSetting, TrafficSetting or SecuritySetting into the desired workspace or group.

kind: TenantSetting
name: tenant-settings
organization: tis+
tenant: tis+
host: bookinfo-perimeter/tsb-egress
trafficMode: REQUIRED
mode: GROUP


Default settings that apply to all workspaces under a tenant.

FieldDescriptionValidation Rule

Security settings for all proxy workloads in this tenant. This can be overridden at WorkspaceSettings or security group's SecuritySetting for specific cases. The override strategy used will be driven by the SecuritySetting propagation strategy. The default propagation strategy is REPLACE, in which a lower level SecuritySetting in the configuration hierarchy replaces a higher level SecuritySetting defined in the configuration hierarchy. For instance, a WorkspaceSettings defined SecuritySetting will replace any tenant or organization defined SecuritySetting. Proxy workloads without a specific security group will inherit these settings. If omitted, the following semantics apply:

  1. Sidecars will accept connections from clients using Istio Mutual TLS as well as legacy clients using plaintext (i.e. any traffic not using Istio Mutual TLS authentication), i.e. authentication mode defaults to OPTIONAL.

  2. No authorization will be performed, i.e., authorization mode defaults to DISABLED.


Traffic settings for all proxy workloads in this tenant. This can be overridden at WorkspaceSetting or TrafficSetting for specific cases. Proxy workloads without a specific traffic group will inherit these settings. If omitted, the following semantics apply:

  1. Sidecars will be able to reach any service in the cluster, i.e. reachability mode defaults to CLUSTER.

  2. Traffic to unknown destinations will be directly routed from the sidecar to the destination.