Version: 1.2.x

Security Setting

SecuritySetting allows configuring security-related properties, such as TLS authentication and access control, for traffic arriving at a sidecar in a security group.

The following example creates a security group for the sidecars in the ns1, ns2 and ns3 namespaces, owned by its parent workspace w1 under tenant mycompany, and defines a security setting that only allows mutual TLS authenticated traffic from other sidecars in the same group.

apiVersion: security.tsb.tetrate.io/v2
kind: Group
metadata:
  name: t1
  workspace: w1
  tenant: mycompany
  organization: myorg
spec:
  namespaceSelector:
    names:
    - "*/ns1"
    - "*/ns2"
    - "*/ns3"
  configMode: BRIDGED

And the associated security setting for all sidecars in the group:

apiVersion: security.tsb.tetrate.io/v2
kind: SecuritySetting
metadata:
  name: defaults
  group: t1
  workspace: w1
  tenant: mycompany
  organization: myorg
spec:
  authentication: REQUIRED
  authorization:
    mode: GROUP

The following example switches the authorization mode to CUSTOM and lists the allowed sources explicitly: traffic from the namespaces within the group as well as from the catalog-sa service account in the ns4 namespace.

apiVersion: security.tsb.tetrate.io/v2
kind: SecuritySetting
metadata:
  name: custom
  group: t1
  workspace: w1
  tenant: mycompany
  organization: myorg
spec:
  authentication: REQUIRED
  authorization:
    mode: CUSTOM
    serviceAccounts:
    - "ns1/*"
    - "ns2/*"
    - "ns3/*"
    - "ns4/catalog-sa"

AuthorizationSettings

AuthorizationSettings define the set of service accounts in one or more namespaces allowed to access a workload (and hence its sidecar) in the mesh.

Field | Description | Validation Rule
--- | --- | ---
mode | tetrateio.api.tsb.security.v2.AuthorizationSettings.Mode. A shortcut for specifying the set of allowed callers. | -
serviceAccounts | List of string. When the mode is CUSTOM, serviceAccounts specifies the allowed set of service accounts (and the workloads using them). Entries must be in the <namespace>/<service-account-name> format: "./*" indicates all service accounts in the namespace where the sidecar resides; "ns1/*" indicates all service accounts in the ns1 namespace; "ns1/svc1-sa" indicates the svc1-sa service account in the ns1 namespace. | repeated = { items: {string:{min_len:1}} }

Mode

A shortcut for defining the common authorization patterns.

Name | Number | Description
--- | --- | ---
UNSET | 0 | Inherit from parent if possible. Otherwise treated as DISABLED.
NAMESPACE | 1 | The workload allows traffic from any other authenticated workload in its own namespace.
GROUP | 2 | The workload allows traffic from any other authenticated workload in the security group.
WORKSPACE | 3 | The workload allows traffic from any other authenticated workload in the workspace.
CLUSTER | 4 | The workload allows traffic from any other authenticated workload in the cluster.
DISABLED | 5 | Authorization is disabled.
CUSTOM | 6 | The workload allows traffic only from the service accounts listed explicitly in serviceAccounts.

SecuritySetting

A security setting applies configuration to a set of sidecars in a security group or a workspace. When applied to a security group, missing fields will inherit values from the workspace-wide setting if any.

Field | Description | Validation Rule
--- | --- | ---
authentication | tetrateio.api.tsb.security.v2.SecuritySetting.AuthenticationMode. Specifies whether the sidecars should accept only mutual TLS authenticated traffic or allow legacy plaintext traffic as well. | -
authorization | tetrateio.api.tsb.security.v2.AuthorizationSettings. The set of service accounts in one or more namespaces allowed to access a workload (and hence its sidecar) in the mesh. | -

AuthenticationMode

AuthenticationMode indicates whether to accept only Istio mutual TLS authenticated traffic or allow legacy plaintext traffic as well.

Name | Number | Description
--- | --- | ---
UNSET | 0 | Inherit from parent, if it has one. Otherwise treated as OPTIONAL.
OPTIONAL | 1 | Accept both plaintext and mTLS authenticated connections.
REQUIRED | 2 | Accept only mutual TLS authenticated connections.
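The tables above describe three things a reviewer of a SecuritySetting has to reason about together: how UNSET fields resolve against the workspace-wide setting, what the serviceAccounts patterns match, and which callers each authorization Mode admits once the AuthenticationMode has been applied. The following Python model, added here as an illustration and not TSB's own code, puts those documented rules in one place so a setting can be checked offline before it is applied. The Setting, Caller and Target types, the resolve, validate and admitted helpers, the namespace membership sets and the sample data are all constructed for this example; where the page is silent (for instance that an UNSET authorization block inherits the parent's serviceAccounts list along with its mode, or that the modes other than DISABLED only ever admit mTLS-authenticated callers) the code states the assumption in a comment.

```python
"""Model of the SecuritySetting semantics documented on this page (added example)."""
from dataclasses import dataclass, field
import re

# Enum names in the order of the page's tables (index == Number column).
AUTHN = ("UNSET", "OPTIONAL", "REQUIRED")
AUTHZ = ("UNSET", "NAMESPACE", "GROUP", "WORKSPACE", "CLUSTER", "DISABLED", "CUSTOM")

# <namespace>/<service-account-name>; "." is the sidecar's own namespace, "*" any account.
SA_PATTERN = re.compile(r"^(\.|[A-Za-z0-9-]+)/(\*|[A-Za-z0-9-]+)$")


@dataclass
class Setting:                      # constructed: one SecuritySetting spec
    authentication: str = "UNSET"
    mode: str = "UNSET"
    service_accounts: list = field(default_factory=list)


@dataclass(frozen=True)
class Caller:                       # constructed: what the receiving sidecar knows about a peer
    mtls: bool                      # did the peer present an Istio mTLS identity?
    namespace: str = ""             # only meaningful when mtls is True
    service_account: str = ""


@dataclass
class Target:                       # constructed: where the receiving sidecar lives
    namespace: str
    group_namespaces: frozenset
    workspace_namespaces: frozenset
    cluster_namespaces: frozenset


def validate(setting):
    """Return a list of problems; an empty list means the setting passes."""
    problems = []
    if setting.authentication not in AUTHN:
        problems.append(f"unknown authentication {setting.authentication!r}")
    if setting.mode not in AUTHZ:
        problems.append(f"unknown authorization mode {setting.mode!r}")
    for sa in setting.service_accounts:
        if len(sa) < 1:                          # the page's rule: items {string:{min_len:1}}
            problems.append("empty serviceAccounts entry")
        elif not SA_PATTERN.match(sa):           # format described in the page's prose
            problems.append(f"{sa!r} is not <namespace>/<service-account-name>")
    if setting.mode == "CUSTOM" and not setting.service_accounts:
        problems.append("mode CUSTOM with no serviceAccounts admits nobody")  # follows from the definition
    return problems


def resolve(group, workspace):
    """Apply the documented inheritance: UNSET takes the parent's value; with no parent,
    authentication becomes OPTIONAL and authorization becomes DISABLED."""
    authn = group.authentication
    if authn == "UNSET" and workspace is not None:
        authn = workspace.authentication
    if authn == "UNSET":
        authn = "OPTIONAL"
    mode, sas = group.mode, group.service_accounts
    if mode == "UNSET" and workspace is not None:
        mode, sas = workspace.mode, workspace.service_accounts   # assumption: the list inherits with the mode
    if mode == "UNSET":
        mode, sas = "DISABLED", []
    return Setting(authn, mode, list(sas))


def sa_matches(pattern, caller, target):
    ns, sa = pattern.split("/", 1)
    ns = target.namespace if ns == "." else ns    # "./*" means the sidecar's own namespace
    return ns == caller.namespace and (sa == "*" or sa == caller.service_account)


def admitted(setting, caller, target):
    """Decide a request per the AuthenticationMode and Mode tables (setting must be resolved)."""
    if setting.authentication == "REQUIRED" and not caller.mtls:
        return False                              # plaintext is rejected before authorization runs
    if setting.mode == "DISABLED":
        return True                               # no authorization; plaintext passes only under OPTIONAL
    if not caller.mtls:
        return False                              # assumption: the other modes admit "authenticated" workloads only
    if setting.mode == "NAMESPACE":
        return caller.namespace == target.namespace
    if setting.mode == "GROUP":
        return caller.namespace in target.group_namespaces
    if setting.mode == "WORKSPACE":
        return caller.namespace in target.workspace_namespaces
    if setting.mode == "CLUSTER":
        return caller.namespace in target.cluster_namespaces
    if setting.mode == "CUSTOM":
        return any(sa_matches(p, caller, target) for p in setting.service_accounts)
    raise ValueError(f"unresolved mode {setting.mode!r}")


# Constructed sample mirroring the page's "custom" example: group t1 covers ns1, ns2, ns3.
PAGE_CUSTOM = Setting("REQUIRED", "CUSTOM", ["ns1/*", "ns2/*", "ns3/*", "ns4/catalog-sa"])
TARGET = Target("ns1", frozenset({"ns1", "ns2", "ns3"}),
                frozenset({"ns1", "ns2", "ns3", "ns9"}),
                frozenset({"ns1", "ns2", "ns3", "ns4", "ns9"}))


def demo():
    s = resolve(PAGE_CUSTOM, None)
    return {"valid": validate(s) == [],
            "catalog_sa": admitted(s, Caller(True, "ns4", "catalog-sa"), TARGET),
            "other_ns4_sa": admitted(s, Caller(True, "ns4", "other-sa"), TARGET),
            "plaintext": admitted(s, Caller(False), TARGET)}


if __name__ == "__main__":
    print(demo())
```

Running demo() shows the effect of the page's custom setting on a sidecar in ns1: catalog-sa from ns4 is admitted, any other ns4 service account is refused, and a plaintext caller is refused by the REQUIRED authentication before the CUSTOM list is consulted. Calling resolve on an all-UNSET group setting with no workspace parent yields OPTIONAL plus DISABLED, which is the permissive default to watch for when a group has no workspace-wide setting behind it.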