Tetrate Service BridgeVersion: 1.5.x

API Reference

Packages:

tsb.tetrate.io/v2
application.tsb.tetrate.io/v2
gateway.tsb.tetrate.io/v2
istiointernal.tsb.tetrate.io/v2
rbac.tsb.tetrate.io/v2
security.tsb.tetrate.io/v2
traffic.tsb.tetrate.io/v2

tsb.tetrate.io/v2

Resource Types:

Cluster
Organization
OrganizationSetting
ServiceAccount
Team
Tenant
TenantSetting
Workspace
WorkspaceSetting

Cluster

^{^{↩ Parent}}

Name	Type	Description	Required
apiVersion	string	tsb.tetrate.io/v2	true
kind	string	Cluster	true
metadata	object	Refer to the Kubernetes API documentation for the fields of the `metadata` field.	true
spec	object	A Kubernetes cluster managing both pods and VMs.	false
status	object		false

Cluster.spec

^{^{↩ Parent}}

A Kubernetes cluster managing both pods and VMs.

Name	Type	Description	Required
description	string	A description of the resource.	false
displayName	string	User friendly name for the resource.	false
etag	string	The etag for the resource.	false
fqn	string	Fully-qualified name of the resource.	false
labels	map[string]string		false
locality	object	Location information about the cluster which can be used for routing.	false
namespaceScope	object	Configure the default scoping of namespaces in this cluster.	false
namespaces	[]object		false
network	string	The network (e.g., VPC) where this cluster is present.	false
state	object		false
tier1Cluster	boolean	Indicates whether this cluster is hosting a tier1 gateway or not.	false
tokenTtl	string	Lifetime of the tokens.	false
trustDomain	string	Trust domain for this cluster, used for multi-cluster routing.	false

Cluster.spec.locality

^{^{↩ Parent}}

Location information about the cluster which can be used for routing.

Name	Type	Description	Required
region	string	The geographic location of the cluster.	false

Cluster.spec.namespaceScope

^{^{↩ Parent}}

Configure the default scoping of namespaces in this cluster.

Name	Type	Description	Required
exceptions	[]string	Namespaces to be excluded form the default scope.	false
scope	enum	Enum: GLOBAL, LOCAL	false

Cluster.spec.namespaces[index]

^{^{↩ Parent}}

Name	Type	Description	Required
name	string		false
services	[]object		false

Cluster.spec.namespaces[index].services[index]

^{^{↩ Parent}}

Name	Type	Description	Required
canonicalName	string		false
gatewayHost	boolean		false
hostname	string	The hostname by which this service is accessed.	false
kubernetesExternalAddresses	[]string		false
kubernetesServiceFqdn	string		false
kubernetesServiceIp	string		false
meshExternal	boolean		false
name	string		false
namespace	string	namespace associated with the service.	false
numHops	integer	Minimum: 0 Maximum: 4.294967295e+09	false
numKubernetesEndpoints	integer	The number of kubernetes pods providing this service. Minimum: 0 Maximum: 4.294967295e+09	false
numVmEndpoints	integer	The number of VMs providing this service. Minimum: 0 Maximum: 4.294967295e+09	false
ports	[]object	The set of ports on which this service is exposed.	false
selector	map[string]string	label selectors associated with the service.	false
spiffeIds	[]string	List of SPIFFE identities used by the workloads of the service.	false
subsets	[]string		false
tier1GatewayHost	boolean		false
workloads	[]object	Workloads implementing the Service.	false

Cluster.spec.namespaces[index].services[index].ports[index]

^{^{↩ Parent}}

Name	Type	Description	Required
kubernetesNodePort	integer	Minimum: 0 Maximum: 4.294967295e+09	false
name	string	Name assigned to the port.	false
number	integer	A valid non-negative integer port number. Minimum: 0 Maximum: 4.294967295e+09	false

Cluster.spec.namespaces[index].services[index].workloads[index]

^{^{↩ Parent}}

Name	Type	Description	Required
address	string	Routable address of the workload.	false
isVm	boolean	Indicates whether the workload is kubernetes endpoint or vm.	false
name	string	Instance name of the workload.	false
proxy	object	Proxy details.	false

Cluster.spec.namespaces[index].services[index].workloads[index].proxy

^{^{↩ Parent}}

Proxy details.

Name	Type	Description	Required
controlPlaneAddress	string		false
envoyVersion	string	Envoy version of the proxy.	false
istioVersion	string	Istio version of the proxy.	false
status	map[string]string	Sync status for each xDS component.	false

Cluster.spec.state

^{^{↩ Parent}}

Name	Type	Description	Required
istioVersions	[]string	This shows currently running istio versions in the cluster.	false
lastSyncTime	string	Format: date-time	false
provider	string	cluster provider.	false
xcpVersion	string		false

Organization

^{^{↩ Parent}}

Name	Type	Description	Required
apiVersion	string	tsb.tetrate.io/v2	true
kind	string	Organization	true
metadata	object	Refer to the Kubernetes API documentation for the fields of the `metadata` field.	true
spec	object	`Organization` is the root of the Service Bridge object hierarchy.	false
status	object		false

Organization.spec

^{^{↩ Parent}}

Organization is the root of the Service Bridge object hierarchy.

Name	Type	Description	Required
description	string	A description of the resource.	false
displayName	string	User friendly name for the resource.	false
etag	string	The etag for the resource.	false
fqn	string	Fully-qualified name of the resource.	false

OrganizationSetting

^{^{↩ Parent}}

Name	Type	Description	Required
apiVersion	string	tsb.tetrate.io/v2	true
kind	string	OrganizationSetting	true
metadata	object	Refer to the Kubernetes API documentation for the fields of the `metadata` field.	true
spec	object	Settings that apply globally to the entire organization.	false
status	object		false

OrganizationSetting.spec

^{^{↩ Parent}}

Settings that apply globally to the entire organization.

Name	Type	Description	Required
defaultSecuritySetting	object	Security settings for all proxy workloads in this organization.	false
defaultTrafficSetting	object	Traffic settings for all proxy workloads in this organization.	false
description	string	A description of the resource.	false
displayName	string	User friendly name for the resource.	false
etag	string	The etag for the resource.	false
fqn	string	Fully-qualified name of the resource.	false
networkSettings	object	Reachability between clusters on various networks.	false
regionalFailover	[]object	Default locality routing settings for all gateways.	false

OrganizationSetting.spec.defaultSecuritySetting

^{^{↩ Parent}}

Security settings for all proxy workloads in this organization.

Name	Type	Description	Required
authentication	enum	Enum: UNSET, OPTIONAL, REQUIRED	false
authenticationSettings	object		false
authorization	object		false
description	string	A description of the resource.	false
displayName	string	User friendly name for the resource.	false
etag	string	The etag for the resource.	false
fqn	string	Fully-qualified name of the resource.	false
propagationStrategy	enum	Enum: REPLACE, STRICTER	false
wafSettings	object	NOTICE: this feature is in alpha stage and under active development.	false

OrganizationSetting.spec.defaultSecuritySetting.authenticationSettings

^{^{↩ Parent}}

Name	Type	Description	Required
http	object		false
trafficMode	enum	Enum: UNSET, OPTIONAL, REQUIRED	false

OrganizationSetting.spec.defaultSecuritySetting.authenticationSettings.http

^{^{↩ Parent}}

Name	Type	Description	Required
jwt	object		false

OrganizationSetting.spec.defaultSecuritySetting.authenticationSettings.http.jwt

^{^{↩ Parent}}

Name	Type	Description	Required
audiences	[]string		false
issuer	string	Identifies the issuer that issued the JWT.	false
jwks	string	JSON Web Key Set of public keys to validate signature of the JWT.	false
jwksUri	string		false

OrganizationSetting.spec.defaultSecuritySetting.authorization

^{^{↩ Parent}}

Name	Type	Description	Required
http	object	This is for configuring HTTP request authorization.	false
mode	enum	A short cut for specifying the set of allowed callers. Enum: UNSET, NAMESPACE, GROUP, WORKSPACE, CLUSTER, DISABLED, CUSTOM, RULES	false
rules	object		false
serviceAccounts	[]string		false

OrganizationSetting.spec.defaultSecuritySetting.authorization.http

^{^{↩ Parent}}

This is for configuring HTTP request authorization.

Name	Type	Description	Required
external	object		false
local	object		false

OrganizationSetting.spec.defaultSecuritySetting.authorization.http.external

^{^{↩ Parent}}

Name	Type	Required
includeRequestHeaders	[]string	false
tls	object	false
uri	string	false

OrganizationSetting.spec.defaultSecuritySetting.authorization.http.external.tls

^{^{↩ Parent}}

Name	Type	Description	Required
files	object		false
mode	enum	Enum: DISABLED, SIMPLE, MUTUAL	false
subjectAltNames	[]string		false

OrganizationSetting.spec.defaultSecuritySetting.authorization.http.external.tls.files

^{^{↩ Parent}}

Name	Type	Description	Required
caCertificates	string		false
clientCertificate	string	Certificate file to authenticate the client.	false
privateKey	string	Private key file associated with the client certificate.	false

OrganizationSetting.spec.defaultSecuritySetting.authorization.http.local

^{^{↩ Parent}}

Name	Type	Description	Required
rules	[]object		false

OrganizationSetting.spec.defaultSecuritySetting.authorization.http.local.rules[index]

^{^{↩ Parent}}

Name	Type	Description	Required
from	[]object		false
name	string	A friendly name to identify the binding.	false
to	[]object		false

OrganizationSetting.spec.defaultSecuritySetting.authorization.http.local.rules[index].from[index]

^{^{↩ Parent}}

Name	Type	Description	Required
jwt	object	JWT configuration to identity the subject.	false

OrganizationSetting.spec.defaultSecuritySetting.authorization.http.local.rules[index].from[index].jwt

^{^{↩ Parent}}

JWT configuration to identity the subject.

Name	Type	Description	Required
iss	string		false
other	map[string]string	A set of arbitrary claims that are required to qualify the subject.	false
sub	string		false

OrganizationSetting.spec.defaultSecuritySetting.authorization.http.local.rules[index].to[index]

^{^{↩ Parent}}

Name	Type	Description	Required
methods	[]string	The HTTP methods that are allowed by this rule.	false
paths	[]string	The request path where the request is made against.	false

OrganizationSetting.spec.defaultSecuritySetting.authorization.rules

^{^{↩ Parent}}

Name	Type	Description	Required
allow	[]object	Allow specifies a list of rules.	false
deny	[]object	Deny specifies a list of rules.	false
denyAll	boolean	Deny all specifies whether all requests should be rejected.	false

OrganizationSetting.spec.defaultSecuritySetting.authorization.rules.allow[index]

^{^{↩ Parent}}

Name	Type	Description	Required
from	object	From specifies the source of a request.	false
to	object	To specifies the destination of a request.	false

OrganizationSetting.spec.defaultSecuritySetting.authorization.rules.allow[index].from

^{^{↩ Parent}}

From specifies the source of a request.

Name	Type	Description	Required
fqn	string	The target resource identified by FQN which will be the source of a request.	false

OrganizationSetting.spec.defaultSecuritySetting.authorization.rules.allow[index].to

^{^{↩ Parent}}

To specifies the destination of a request.

Name	Type	Description	Required
fqn	string	The target resource identified by FQN which will be the destination of a request.	false

OrganizationSetting.spec.defaultSecuritySetting.authorization.rules.deny[index]

^{^{↩ Parent}}

Name	Type	Description	Required
from	object	From specifies the source of a request.	false
to	object	To specifies the destination of a request.	false

OrganizationSetting.spec.defaultSecuritySetting.authorization.rules.deny[index].from

^{^{↩ Parent}}

From specifies the source of a request.

Name	Type	Description	Required
fqn	string	The target resource identified by FQN which will be the source of a request.	false

OrganizationSetting.spec.defaultSecuritySetting.authorization.rules.deny[index].to

^{^{↩ Parent}}

To specifies the destination of a request.

Name	Type	Description	Required
fqn	string	The target resource identified by FQN which will be the destination of a request.	false

OrganizationSetting.spec.defaultSecuritySetting.wafSettings

^{^{↩ Parent}}

NOTICE: this feature is in alpha stage and under active development.

Name	Type	Description	Required
ruleEngineMode	enum	Ad-hoc settings to switch ModSecurity engine mode. Enum: OFF, ON, DETECTION_ONLY	false
ruleSets	[]string	Rulesets to enable.	false

OrganizationSetting.spec.defaultTrafficSetting

^{^{↩ Parent}}

Traffic settings for all proxy workloads in this organization.

Name	Type	Description	Required
description	string	A description of the resource.	false
displayName	string	User friendly name for the resource.	false
egress	object		false
etag	string	The etag for the resource.	false
fqn	string	Fully-qualified name of the resource.	false
rateLimiting	object	Configuration for rate limiting requests.	false
reachability	object		false
resilience	object		false

OrganizationSetting.spec.defaultTrafficSetting.egress

^{^{↩ Parent}}

Name	Type	Description	Required
host	string	Specifies the egress gateway hostname.	false
port	integer	Deprecated. Format: int32	false

OrganizationSetting.spec.defaultTrafficSetting.rateLimiting

^{^{↩ Parent}}

Configuration for rate limiting requests.

Name	Type	Description	Required
externalService	object	Configure ratelimiting using an external ratelimit server.	false
settings	object		false

OrganizationSetting.spec.defaultTrafficSetting.rateLimiting.externalService

^{^{↩ Parent}}

Configure ratelimiting using an external ratelimit server.

Name	Type	Description	Required
domain	string	The rate limit domain to use when calling the rate limit service.	false
failClosed	boolean		false
rateLimitServerUri	string	The URI at which the external rate limit server can be reached.	false
rules	[]object	A set of rate limit rules.	false
timeout	string	The timeout in seconds for the external rate limit server RPC.	false
tls	object		false

OrganizationSetting.spec.defaultTrafficSetting.rateLimiting.externalService.rules[index]

^{^{↩ Parent}}

Name	Type	Description	Required
dimensions	[]object	A list of dimensions that are to be applied for this rate limit configuration.	false

OrganizationSetting.spec.defaultTrafficSetting.rateLimiting.externalService.rules[index].dimensions[index]

^{^{↩ Parent}}

Name	Type	Description	Required
destinationCluster	object	Rate limit on destination envoy cluster.	false
headerValueMatch	object	Rate limit on the existence of certain request headers.	false
remoteAddress	object	Rate limit on remote address of client.	false
requestHeaders	object	Rate limit on the value of certain request headers.	false
sourceCluster	object	Rate limit on source envoy cluster.	false

OrganizationSetting.spec.defaultTrafficSetting.rateLimiting.externalService.rules[index].dimensions[index].headerValueMatch

^{^{↩ Parent}}

Rate limit on the existence of certain request headers.

Name	Type	Description	Required
descriptorValue	string	The value to use in the descriptor entry.	false
headers	map[string]object		false

OrganizationSetting.spec.defaultTrafficSetting.rateLimiting.externalService.rules[index].dimensions[index].headerValueMatch.headers[key]

^{^{↩ Parent}}

Name	Type	Description	Required
exact	string	Exact string match.	false
prefix	string	Prefix-based match.	false
regex	string	ECMAscript style regex-based match.	false

OrganizationSetting.spec.defaultTrafficSetting.rateLimiting.externalService.rules[index].dimensions[index].requestHeaders

^{^{↩ Parent}}

Rate limit on the value of certain request headers.

Name	Type	Description	Required
descriptorKey	string	The key to use in the descriptor entry.	false
headerName	string	The header name to be queried from the request headers.	false

OrganizationSetting.spec.defaultTrafficSetting.rateLimiting.externalService.tls

^{^{↩ Parent}}

Name	Type	Description	Required
files	object		false
mode	enum	Enum: DISABLED, SIMPLE, MUTUAL	false
subjectAltNames	[]string		false

OrganizationSetting.spec.defaultTrafficSetting.rateLimiting.externalService.tls.files

^{^{↩ Parent}}

Name	Type	Description	Required
caCertificates	string		false
clientCertificate	string	Certificate file to authenticate the client.	false
privateKey	string	Private key file associated with the client certificate.	false

OrganizationSetting.spec.defaultTrafficSetting.rateLimiting.settings

^{^{↩ Parent}}

Name	Type	Description	Required
failClosed	boolean		false
rules	[]object	A list of rules for ratelimiting.	false
timeout	string	The timeout in seconds for the rate limit server RPC.	false

OrganizationSetting.spec.defaultTrafficSetting.rateLimiting.settings.rules[index]

^{^{↩ Parent}}

Name	Type	Description	Required
dimensions	[]object	A list of dimensions to define each ratelimit rule.	false
limit	object	The ratelimit value that will be configured for the above rules.	false

OrganizationSetting.spec.defaultTrafficSetting.rateLimiting.settings.rules[index].dimensions[index]

^{^{↩ Parent}}

Name	Type	Description	Required
header	object	Rate limit on certain HTTP headers.	false
remoteAddress	object	Rate limit on the remote address of client.	false

OrganizationSetting.spec.defaultTrafficSetting.rateLimiting.settings.rules[index].dimensions[index].header

^{^{↩ Parent}}

Rate limit on certain HTTP headers.

Name	Type	Description	Required
name	string	Name of the header to match on.	false
value	object	Value of the header to match on if matching on a specific value.	false

OrganizationSetting.spec.defaultTrafficSetting.rateLimiting.settings.rules[index].dimensions[index].header.value

^{^{↩ Parent}}

Value of the header to match on if matching on a specific value.

Name	Type	Description	Required
exact	string	Exact string match.	false
prefix	string	Prefix-based match.	false
regex	string	ECMAscript style regex-based match.	false

OrganizationSetting.spec.defaultTrafficSetting.rateLimiting.settings.rules[index].dimensions[index].remoteAddress

^{^{↩ Parent}}

Rate limit on the remote address of client.

Name	Type	Description	Required
value	string	Ratelimit on a specific remote address.	false

OrganizationSetting.spec.defaultTrafficSetting.rateLimiting.settings.rules[index].limit

^{^{↩ Parent}}

The ratelimit value that will be configured for the above rules.

Name	Type	Description	Required
requestsPerUnit	integer	Specifies the value of the rate limit. Minimum: 0 Maximum: 4.294967295e+09	false
unit	enum	Specifies the unit of time for rate limit. Enum: UNKNOWN, SECOND, MINUTE, HOUR, DAY	false

OrganizationSetting.spec.defaultTrafficSetting.reachability

^{^{↩ Parent}}

Name	Type	Description	Required
hosts	[]string		false
mode	enum	A short cut for specifying the set of services accessed by the workload. Enum: UNSET, NAMESPACE, GROUP, WORKSPACE, CLUSTER, CUSTOM	false

OrganizationSetting.spec.defaultTrafficSetting.resilience

^{^{↩ Parent}}

Name	Type	Description	Required
circuitBreakerSensitivity	enum	Enum: UNSET, LOW, MEDIUM, HIGH	false
httpRequestTimeout	string	Timeout for HTTP requests.	false
httpRetries	object	Retry policy for HTTP requests.	false
keepAlive	object	Keep Alive Settings.	false
tcpKeepalive	boolean	Deprecated.	false

OrganizationSetting.spec.defaultTrafficSetting.resilience.httpRetries

^{^{↩ Parent}}

Retry policy for HTTP requests.

Name	Type	Description	Required
attempts	integer	Number of retries for a given request. Format: int32	false
perTryTimeout	string	Timeout per retry attempt for a given request.	false
retryOn	string	Specifies the conditions under which retry takes place.	false

OrganizationSetting.spec.defaultTrafficSetting.resilience.keepAlive

^{^{↩ Parent}}

Keep Alive Settings.

Name	Type	Description	Required
tcp	object	TCP Keep Alive settings associated with the upstream and downstream TCP connections.	false

OrganizationSetting.spec.defaultTrafficSetting.resilience.keepAlive.tcp

^{^{↩ Parent}}

TCP Keep Alive settings associated with the upstream and downstream TCP connections.

Name	Type	Description	Required
downstream	object	TCP Keep Alive Settings associated with the downstream (client) connection.	false
upstream	object	TCP Keep Alive Settings associated with the upstream (backend) connection.	false

OrganizationSetting.spec.defaultTrafficSetting.resilience.keepAlive.tcp.downstream

^{^{↩ Parent}}

TCP Keep Alive Settings associated with the downstream (client) connection.

Name	Type	Description	Required
idleTime	integer	Minimum: 0 Maximum: 4.294967295e+09	false
interval	integer	The number of seconds between keep-alive probes. Minimum: 0 Maximum: 4.294967295e+09	false
probes	integer	Minimum: 0 Maximum: 4.294967295e+09	false

OrganizationSetting.spec.defaultTrafficSetting.resilience.keepAlive.tcp.upstream

^{^{↩ Parent}}

TCP Keep Alive Settings associated with the upstream (backend) connection.

Name	Type	Description	Required
idleTime	integer	Minimum: 0 Maximum: 4.294967295e+09	false
interval	integer	The number of seconds between keep-alive probes. Minimum: 0 Maximum: 4.294967295e+09	false
probes	integer	Minimum: 0 Maximum: 4.294967295e+09	false

OrganizationSetting.spec.networkSettings

^{^{↩ Parent}}

Reachability between clusters on various networks.

Name	Type	Description	Required
networkReachability	map[string]string	Reachability between clusters on various networks.	false

OrganizationSetting.spec.regionalFailover[index]

^{^{↩ Parent}}

Name	Type	Description	Required
from	string	Originating region.	false
to	string		false

ServiceAccount

^{^{↩ Parent}}

Name	Type	Description	Required
apiVersion	string	tsb.tetrate.io/v2	true
kind	string	ServiceAccount	true
metadata	object	Refer to the Kubernetes API documentation for the fields of the `metadata` field.	true
spec	object	`ServiceAccount` represents a service account that can be used to access the TSB platform.	false
status	object		false

ServiceAccount.spec

^{^{↩ Parent}}

ServiceAccount represents a service account that can be used to access the TSB platform.

Name	Type	Description	Required
description	string	A description of the resource.	false
displayName	string	User friendly name for the resource.	false
etag	string	The etag for the resource.	false
fqn	string	Fully-qualified name of the resource.	false
keys	[]object	Keys associated with the service account.	false

ServiceAccount.spec.keys[index]

^{^{↩ Parent}}

Name	Type	Description	Required
defaultToken	string		false
encoding	enum	Format in which the public and private keys are encoded. Enum: PEM, JWK	false
id	string	Unique identifier for this key-pair.	false
privateKey	string	The encoded private key associated with the service account.	false
publicKey	string	The encoded public key associated with the service account.	false

Team

^{^{↩ Parent}}

Name	Type	Description	Required
apiVersion	string	tsb.tetrate.io/v2	true
kind	string	Team	true
metadata	object	Refer to the Kubernetes API documentation for the fields of the `metadata` field.	true
spec	object	`Team` is a named collection of users under a tenant.	false
status	object		false

Team.spec

^{^{↩ Parent}}

Team is a named collection of users under a tenant.

Name	Type	Description	Required
description	string	A description of the resource.	false
displayName	string	User friendly name for the resource.	false
etag	string	The etag for the resource.	false
fqn	string	Fully-qualified name of the resource.	false
members	[]string	List of members under the team.	false
sourceType	enum	Where the team comes from. Enum: INVALID, LDAP, LOCAL, AZURE, MANUAL	false

Tenant

^{^{↩ Parent}}

Name	Type	Description	Required
apiVersion	string	tsb.tetrate.io/v2	true
kind	string	Tenant	true
metadata	object	Refer to the Kubernetes API documentation for the fields of the `metadata` field.	true
spec	object	`Tenant` is a self-contained entity within an organization in the Service Bridge hierarchy.	false
status	object		false

Tenant.spec

^{^{↩ Parent}}

Tenant is a self-contained entity within an organization in the Service Bridge hierarchy.

Name	Type	Description	Required
description	string	A description of the resource.	false
displayName	string	User friendly name for the resource.	false
etag	string	The etag for the resource.	false
fqn	string	Fully-qualified name of the resource.	false

TenantSetting

^{^{↩ Parent}}

Name	Type	Description	Required
apiVersion	string	tsb.tetrate.io/v2	true
kind	string	TenantSetting	true
metadata	object	Refer to the Kubernetes API documentation for the fields of the `metadata` field.	true
spec	object	Default settings that apply to all workspaces under a tenant.	false
status	object		false

TenantSetting.spec

^{^{↩ Parent}}

Default settings that apply to all workspaces under a tenant.

Name	Type	Description	Required
defaultSecuritySetting	object	Security settings for all proxy workloads in this tenant.	false
defaultTrafficSetting	object	Traffic settings for all proxy workloads in this tenant.	false
description	string	A description of the resource.	false
displayName	string	User friendly name for the resource.	false
etag	string	The etag for the resource.	false
fqn	string	Fully-qualified name of the resource.	false

TenantSetting.spec.defaultSecuritySetting

^{^{↩ Parent}}

Security settings for all proxy workloads in this tenant.

Name	Type	Description	Required
authentication	enum	Enum: UNSET, OPTIONAL, REQUIRED	false
authenticationSettings	object		false
authorization	object		false
description	string	A description of the resource.	false
displayName	string	User friendly name for the resource.	false
etag	string	The etag for the resource.	false
fqn	string	Fully-qualified name of the resource.	false
propagationStrategy	enum	Enum: REPLACE, STRICTER	false
wafSettings	object	NOTICE: this feature is in alpha stage and under active development.	false

TenantSetting.spec.defaultSecuritySetting.authenticationSettings

^{^{↩ Parent}}

Name	Type	Description	Required
http	object		false
trafficMode	enum	Enum: UNSET, OPTIONAL, REQUIRED	false

TenantSetting.spec.defaultSecuritySetting.authenticationSettings.http

^{^{↩ Parent}}

Name	Type	Description	Required
jwt	object		false

TenantSetting.spec.defaultSecuritySetting.authenticationSettings.http.jwt

^{^{↩ Parent}}

Name	Type	Description	Required
audiences	[]string		false
issuer	string	Identifies the issuer that issued the JWT.	false
jwks	string	JSON Web Key Set of public keys to validate signature of the JWT.	false
jwksUri	string		false

TenantSetting.spec.defaultSecuritySetting.authorization

^{^{↩ Parent}}

Name	Type	Description	Required
http	object	This is for configuring HTTP request authorization.	false
mode	enum	A short cut for specifying the set of allowed callers. Enum: UNSET, NAMESPACE, GROUP, WORKSPACE, CLUSTER, DISABLED, CUSTOM, RULES	false
rules	object		false
serviceAccounts	[]string		false

TenantSetting.spec.defaultSecuritySetting.authorization.http

^{^{↩ Parent}}

This is for configuring HTTP request authorization.

Name	Type	Description	Required
external	object		false
local	object		false

TenantSetting.spec.defaultSecuritySetting.authorization.http.external

^{^{↩ Parent}}

Name	Type	Required
includeRequestHeaders	[]string	false
tls	object	false
uri	string	false

TenantSetting.spec.defaultSecuritySetting.authorization.http.external.tls

^{^{↩ Parent}}

Name	Type	Description	Required
files	object		false
mode	enum	Enum: DISABLED, SIMPLE, MUTUAL	false
subjectAltNames	[]string		false

TenantSetting.spec.defaultSecuritySetting.authorization.http.external.tls.files

^{^{↩ Parent}}

Name	Type	Description	Required
caCertificates	string		false
clientCertificate	string	Certificate file to authenticate the client.	false
privateKey	string	Private key file associated with the client certificate.	false

TenantSetting.spec.defaultSecuritySetting.authorization.http.local

^{^{↩ Parent}}

Name	Type	Description	Required
rules	[]object		false

TenantSetting.spec.defaultSecuritySetting.authorization.http.local.rules[index]

^{^{↩ Parent}}

Name	Type	Description	Required
from	[]object		false
name	string	A friendly name to identify the binding.	false
to	[]object		false

TenantSetting.spec.defaultSecuritySetting.authorization.http.local.rules[index].from[index]

^{^{↩ Parent}}

Name	Type	Description	Required
jwt	object	JWT configuration to identity the subject.	false

TenantSetting.spec.defaultSecuritySetting.authorization.http.local.rules[index].from[index].jwt

^{^{↩ Parent}}

JWT configuration to identity the subject.

Name	Type	Description	Required
iss	string		false
other	map[string]string	A set of arbitrary claims that are required to qualify the subject.	false
sub	string		false

TenantSetting.spec.defaultSecuritySetting.authorization.http.local.rules[index].to[index]

^{^{↩ Parent}}

Name	Type	Description	Required
methods	[]string	The HTTP methods that are allowed by this rule.	false
paths	[]string	The request path where the request is made against.	false

TenantSetting.spec.defaultSecuritySetting.authorization.rules

^{^{↩ Parent}}

Name	Type	Description	Required
allow	[]object	Allow specifies a list of rules.	false
deny	[]object	Deny specifies a list of rules.	false
denyAll	boolean	Deny all specifies whether all requests should be rejected.	false

TenantSetting.spec.defaultSecuritySetting.authorization.rules.allow[index]

^{^{↩ Parent}}

Name	Type	Description	Required
from	object	From specifies the source of a request.	false
to	object	To specifies the destination of a request.	false

TenantSetting.spec.defaultSecuritySetting.authorization.rules.allow[index].from

^{^{↩ Parent}}

From specifies the source of a request.

Name	Type	Description	Required
fqn	string	The target resource identified by FQN which will be the source of a request.	false

TenantSetting.spec.defaultSecuritySetting.authorization.rules.allow[index].to

^{^{↩ Parent}}

To specifies the destination of a request.

Name	Type	Description	Required
fqn	string	The target resource identified by FQN which will be the destination of a request.	false

TenantSetting.spec.defaultSecuritySetting.authorization.rules.deny[index]

^{^{↩ Parent}}

Name	Type	Description	Required
from	object	From specifies the source of a request.	false
to	object	To specifies the destination of a request.	false

TenantSetting.spec.defaultSecuritySetting.authorization.rules.deny[index].from

^{^{↩ Parent}}

From specifies the source of a request.

Name	Type	Description	Required
fqn	string	The target resource identified by FQN which will be the source of a request.	false

TenantSetting.spec.defaultSecuritySetting.authorization.rules.deny[index].to

^{^{↩ Parent}}

To specifies the destination of a request.

Name	Type	Description	Required
fqn	string	The target resource identified by FQN which will be the destination of a request.	false

TenantSetting.spec.defaultSecuritySetting.wafSettings

^{^{↩ Parent}}

NOTICE: this feature is in alpha stage and under active development.

Name	Type	Description	Required
ruleEngineMode	enum	Ad-hoc settings to switch ModSecurity engine mode. Enum: OFF, ON, DETECTION_ONLY	false
ruleSets	[]string	Rulesets to enable.	false

TenantSetting.spec.defaultTrafficSetting

^{^{↩ Parent}}

Traffic settings for all proxy workloads in this tenant.

Name	Type	Description	Required
description	string	A description of the resource.	false
displayName	string	User friendly name for the resource.	false
egress	object		false
etag	string	The etag for the resource.	false
fqn	string	Fully-qualified name of the resource.	false
rateLimiting	object	Configuration for rate limiting requests.	false
reachability	object		false
resilience	object		false

TenantSetting.spec.defaultTrafficSetting.egress

^{^{↩ Parent}}

Name	Type	Description	Required
host	string	Specifies the egress gateway hostname.	false
port	integer	Deprecated. Format: int32	false

TenantSetting.spec.defaultTrafficSetting.rateLimiting

^{^{↩ Parent}}

Configuration for rate limiting requests.

Name	Type	Description	Required
externalService	object	Configure ratelimiting using an external ratelimit server.	false
settings	object		false

TenantSetting.spec.defaultTrafficSetting.rateLimiting.externalService

^{^{↩ Parent}}

Configure ratelimiting using an external ratelimit server.

Name	Type	Description	Required
domain	string	The rate limit domain to use when calling the rate limit service.	false
failClosed	boolean		false
rateLimitServerUri	string	The URI at which the external rate limit server can be reached.	false
rules	[]object	A set of rate limit rules.	false
timeout	string	The timeout in seconds for the external rate limit server RPC.	false
tls	object		false

TenantSetting.spec.defaultTrafficSetting.rateLimiting.externalService.rules[index]

^{^{↩ Parent}}

Name	Type	Description	Required
dimensions	[]object	A list of dimensions that are to be applied for this rate limit configuration.	false

TenantSetting.spec.defaultTrafficSetting.rateLimiting.externalService.rules[index].dimensions[index]

^{^{↩ Parent}}

Name	Type	Description	Required
destinationCluster	object	Rate limit on destination envoy cluster.	false
headerValueMatch	object	Rate limit on the existence of certain request headers.	false
remoteAddress	object	Rate limit on remote address of client.	false
requestHeaders	object	Rate limit on the value of certain request headers.	false
sourceCluster	object	Rate limit on source envoy cluster.	false

TenantSetting.spec.defaultTrafficSetting.rateLimiting.externalService.rules[index].dimensions[index].headerValueMatch

^{^{↩ Parent}}

Rate limit on the existence of certain request headers.

Name	Type	Description	Required
descriptorValue	string	The value to use in the descriptor entry.	false
headers	map[string]object		false

TenantSetting.spec.defaultTrafficSetting.rateLimiting.externalService.rules[index].dimensions[index].headerValueMatch.headers[key]

^{^{↩ Parent}}

Name	Type	Description	Required
exact	string	Exact string match.	false
prefix	string	Prefix-based match.	false
regex	string	ECMAscript style regex-based match.	false

TenantSetting.spec.defaultTrafficSetting.rateLimiting.externalService.rules[index].dimensions[index].requestHeaders

^{^{↩ Parent}}

Rate limit on the value of certain request headers.

Name	Type	Description	Required
descriptorKey	string	The key to use in the descriptor entry.	false
headerName	string	The header name to be queried from the request headers.	false

TenantSetting.spec.defaultTrafficSetting.rateLimiting.externalService.tls

^{^{↩ Parent}}

Name	Type	Description	Required
files	object		false
mode	enum	Enum: DISABLED, SIMPLE, MUTUAL	false
subjectAltNames	[]string		false

TenantSetting.spec.defaultTrafficSetting.rateLimiting.externalService.tls.files

^{^{↩ Parent}}

Name	Type	Description	Required
caCertificates	string		false
clientCertificate	string	Certificate file to authenticate the client.	false
privateKey	string	Private key file associated with the client certificate.	false

TenantSetting.spec.defaultTrafficSetting.rateLimiting.settings

^{^{↩ Parent}}

Name	Type	Description	Required
failClosed	boolean		false
rules	[]object	A list of rules for ratelimiting.	false
timeout	string	The timeout in seconds for the rate limit server RPC.	false

TenantSetting.spec.defaultTrafficSetting.rateLimiting.settings.rules[index]

^{^{↩ Parent}}

Name	Type	Description	Required
dimensions	[]object	A list of dimensions to define each ratelimit rule.	false
limit	object	The ratelimit value that will be configured for the above rules.	false

TenantSetting.spec.defaultTrafficSetting.rateLimiting.settings.rules[index].dimensions[index]

^{^{↩ Parent}}

Name	Type	Description	Required
header	object	Rate limit on certain HTTP headers.	false
remoteAddress	object	Rate limit on the remote address of client.	false

TenantSetting.spec.defaultTrafficSetting.rateLimiting.settings.rules[index].dimensions[index].header

^{^{↩ Parent}}

Rate limit on certain HTTP headers.

Name	Type	Description	Required
name	string	Name of the header to match on.	false
value	object	Value of the header to match on if matching on a specific value.	false

TenantSetting.spec.defaultTrafficSetting.rateLimiting.settings.rules[index].dimensions[index].header.value

^{^{↩ Parent}}

Value of the header to match on if matching on a specific value.

Name	Type	Description	Required
exact	string	Exact string match.	false
prefix	string	Prefix-based match.	false
regex	string	ECMAscript style regex-based match.	false

TenantSetting.spec.defaultTrafficSetting.rateLimiting.settings.rules[index].dimensions[index].remoteAddress

^{^{↩ Parent}}

Rate limit on the remote address of client.

Name	Type	Description	Required
value	string	Ratelimit on a specific remote address.	false

TenantSetting.spec.defaultTrafficSetting.rateLimiting.settings.rules[index].limit

^{^{↩ Parent}}

The ratelimit value that will be configured for the above rules.

Name	Type	Description	Required
requestsPerUnit	integer	Specifies the value of the rate limit. Minimum: 0 Maximum: 4.294967295e+09	false
unit	enum	Specifies the unit of time for rate limit. Enum: UNKNOWN, SECOND, MINUTE, HOUR, DAY	false

TenantSetting.spec.defaultTrafficSetting.reachability

^{^{↩ Parent}}

Name	Type	Description	Required
hosts	[]string		false
mode	enum	A short cut for specifying the set of services accessed by the workload. Enum: UNSET, NAMESPACE, GROUP, WORKSPACE, CLUSTER, CUSTOM	false

TenantSetting.spec.defaultTrafficSetting.resilience

^{^{↩ Parent}}

Name	Type	Description	Required
circuitBreakerSensitivity	enum	Enum: UNSET, LOW, MEDIUM, HIGH	false
httpRequestTimeout	string	Timeout for HTTP requests.	false
httpRetries	object	Retry policy for HTTP requests.	false
keepAlive	object	Keep Alive Settings.	false
tcpKeepalive	boolean	Deprecated.	false

TenantSetting.spec.defaultTrafficSetting.resilience.httpRetries

^{^{↩ Parent}}

Retry policy for HTTP requests.

Name	Type	Description	Required
attempts	integer	Number of retries for a given request. Format: int32	false
perTryTimeout	string	Timeout per retry attempt for a given request.	false
retryOn	string	Specifies the conditions under which retry takes place.	false

TenantSetting.spec.defaultTrafficSetting.resilience.keepAlive

^{^{↩ Parent}}

Keep Alive Settings.

Name	Type	Description	Required
tcp	object	TCP Keep Alive settings associated with the upstream and downstream TCP connections.	false

TenantSetting.spec.defaultTrafficSetting.resilience.keepAlive.tcp

^{^{↩ Parent}}

TCP Keep Alive settings associated with the upstream and downstream TCP connections.

Name	Type	Description	Required
downstream	object	TCP Keep Alive Settings associated with the downstream (client) connection.	false
upstream	object	TCP Keep Alive Settings associated with the upstream (backend) connection.	false

TenantSetting.spec.defaultTrafficSetting.resilience.keepAlive.tcp.downstream

^{^{↩ Parent}}

TCP Keep Alive Settings associated with the downstream (client) connection.

Name	Type	Description	Required
idleTime	integer	Minimum: 0 Maximum: 4.294967295e+09	false
interval	integer	The number of seconds between keep-alive probes. Minimum: 0 Maximum: 4.294967295e+09	false
probes	integer	Minimum: 0 Maximum: 4.294967295e+09	false

TenantSetting.spec.defaultTrafficSetting.resilience.keepAlive.tcp.upstream

^{^{↩ Parent}}

TCP Keep Alive Settings associated with the upstream (backend) connection.

Name	Type	Description	Required
idleTime	integer	Minimum: 0 Maximum: 4.294967295e+09	false
interval	integer	The number of seconds between keep-alive probes. Minimum: 0 Maximum: 4.294967295e+09	false
probes	integer	Minimum: 0 Maximum: 4.294967295e+09	false

Workspace

^{^{↩ Parent}}

Name	Type	Description	Required
apiVersion	string	tsb.tetrate.io/v2	true
kind	string	Workspace	true
metadata	object	Refer to the Kubernetes API documentation for the fields of the `metadata` field.	true
spec	object	A Workspace is a collection of related namespaces in one or more clusters.	false
status	object		false

Workspace.spec

^{^{↩ Parent}}

A Workspace is a collection of related namespaces in one or more clusters.

Name	Type	Description	Required
description	string	A description of the resource.	false
displayName	string	User friendly name for the resource.	false
etag	string	The etag for the resource.	false
fqn	string	Fully-qualified name of the resource.	false
namespaceSelector	object	Set of namespaces owned exclusively by this workspace.	false
privileged	boolean		false

Workspace.spec.namespaceSelector

^{^{↩ Parent}}

Set of namespaces owned exclusively by this workspace.

Name	Type	Description	Required
names	[]string		false

WorkspaceSetting

^{^{↩ Parent}}

Name	Type	Description	Required
apiVersion	string	tsb.tetrate.io/v2	true
kind	string	WorkspaceSetting	true
metadata	object	Refer to the Kubernetes API documentation for the fields of the `metadata` field.	true
spec	object	Default security and traffic settings for all proxy workloads in the workspace.	false
status	object		false

WorkspaceSetting.spec

^{^{↩ Parent}}

Default security and traffic settings for all proxy workloads in the workspace.

Name	Type	Description	Required
defaultSecuritySetting	object	Security settings for all proxy workloads in this workspace.	false
defaultTrafficSetting	object	Traffic settings for all proxy workloads in this workspace.	false
description	string	A description of the resource.	false
displayName	string	User friendly name for the resource.	false
etag	string	The etag for the resource.	false
fqn	string	Fully-qualified name of the resource.	false
regionalFailover	[]object	Locality routing settings for all gateways in the workspace.	false

WorkspaceSetting.spec.defaultSecuritySetting

^{^{↩ Parent}}

Security settings for all proxy workloads in this workspace.

Name	Type	Description	Required
authentication	enum	Enum: UNSET, OPTIONAL, REQUIRED	false
authenticationSettings	object		false
authorization	object		false
description	string	A description of the resource.	false
displayName	string	User friendly name for the resource.	false
etag	string	The etag for the resource.	false
fqn	string	Fully-qualified name of the resource.	false
propagationStrategy	enum	Enum: REPLACE, STRICTER	false
wafSettings	object	NOTICE: this feature is in alpha stage and under active development.	false

WorkspaceSetting.spec.defaultSecuritySetting.authenticationSettings

^{^{↩ Parent}}

Name	Type	Description	Required
http	object		false
trafficMode	enum	Enum: UNSET, OPTIONAL, REQUIRED	false

WorkspaceSetting.spec.defaultSecuritySetting.authenticationSettings.http

^{^{↩ Parent}}

Name	Type	Description	Required
jwt	object		false

WorkspaceSetting.spec.defaultSecuritySetting.authenticationSettings.http.jwt

^{^{↩ Parent}}

Name	Type	Description	Required
audiences	[]string		false
issuer	string	Identifies the issuer that issued the JWT.	false
jwks	string	JSON Web Key Set of public keys to validate signature of the JWT.	false
jwksUri	string		false

WorkspaceSetting.spec.defaultSecuritySetting.authorization

^{^{↩ Parent}}

Name	Type	Description	Required
http	object	This is for configuring HTTP request authorization.	false
mode	enum	A short cut for specifying the set of allowed callers. Enum: UNSET, NAMESPACE, GROUP, WORKSPACE, CLUSTER, DISABLED, CUSTOM, RULES	false
rules	object		false
serviceAccounts	[]string		false

WorkspaceSetting.spec.defaultSecuritySetting.authorization.http

^{^{↩ Parent}}

This is for configuring HTTP request authorization.

Name	Type	Description	Required
external	object		false
local	object		false

WorkspaceSetting.spec.defaultSecuritySetting.authorization.http.external

^{^{↩ Parent}}

Name	Type	Required
includeRequestHeaders	[]string	false
tls	object	false
uri	string	false

WorkspaceSetting.spec.defaultSecuritySetting.authorization.http.external.tls

^{^{↩ Parent}}

Name	Type	Description	Required
files	object		false
mode	enum	Enum: DISABLED, SIMPLE, MUTUAL	false
subjectAltNames	[]string		false

WorkspaceSetting.spec.defaultSecuritySetting.authorization.http.external.tls.files

^{^{↩ Parent}}

Name	Type	Description	Required
caCertificates	string		false
clientCertificate	string	Certificate file to authenticate the client.	false
privateKey	string	Private key file associated with the client certificate.	false

WorkspaceSetting.spec.defaultSecuritySetting.authorization.http.local

^{^{↩ Parent}}

Name	Type	Description	Required
rules	[]object		false

WorkspaceSetting.spec.defaultSecuritySetting.authorization.http.local.rules[index]

^{^{↩ Parent}}

Name	Type	Description	Required
from	[]object		false
name	string	A friendly name to identify the binding.	false
to	[]object		false

WorkspaceSetting.spec.defaultSecuritySetting.authorization.http.local.rules[index].from[index]

^{^{↩ Parent}}

Name	Type	Description	Required
jwt	object	JWT configuration to identity the subject.	false

WorkspaceSetting.spec.defaultSecuritySetting.authorization.http.local.rules[index].from[index].jwt

^{^{↩ Parent}}

JWT configuration to identity the subject.

Name	Type	Description	Required
iss	string		false
other	map[string]string	A set of arbitrary claims that are required to qualify the subject.	false
sub	string		false

WorkspaceSetting.spec.defaultSecuritySetting.authorization.http.local.rules[index].to[index]

^{^{↩ Parent}}

Name	Type	Description	Required
methods	[]string	The HTTP methods that are allowed by this rule.	false
paths	[]string	The request path where the request is made against.	false

WorkspaceSetting.spec.defaultSecuritySetting.authorization.rules

^{^{↩ Parent}}

Name	Type	Description	Required
allow	[]object	Allow specifies a list of rules.	false
deny	[]object	Deny specifies a list of rules.	false
denyAll	boolean	Deny all specifies whether all requests should be rejected.	false

WorkspaceSetting.spec.defaultSecuritySetting.authorization.rules.allow[index]

^{^{↩ Parent}}

Name	Type	Description	Required
from	object	From specifies the source of a request.	false
to	object	To specifies the destination of a request.	false

WorkspaceSetting.spec.defaultSecuritySetting.authorization.rules.allow[index].from

^{^{↩ Parent}}

From specifies the source of a request.

Name	Type	Description	Required
fqn	string	The target resource identified by FQN which will be the source of a request.	false

WorkspaceSetting.spec.defaultSecuritySetting.authorization.rules.allow[index].to

^{^{↩ Parent}}

To specifies the destination of a request.

Name	Type	Description	Required
fqn	string	The target resource identified by FQN which will be the destination of a request.	false

WorkspaceSetting.spec.defaultSecuritySetting.authorization.rules.deny[index]

^{^{↩ Parent}}

Name	Type	Description	Required
from	object	From specifies the source of a request.	false
to	object	To specifies the destination of a request.	false

WorkspaceSetting.spec.defaultSecuritySetting.authorization.rules.deny[index].from

^{^{↩ Parent}}

From specifies the source of a request.

Name	Type	Description	Required
fqn	string	The target resource identified by FQN which will be the source of a request.	false

WorkspaceSetting.spec.defaultSecuritySetting.authorization.rules.deny[index].to

^{^{↩ Parent}}

To specifies the destination of a request.

Name	Type	Description	Required
fqn	string	The target resource identified by FQN which will be the destination of a request.	false

WorkspaceSetting.spec.defaultSecuritySetting.wafSettings

^{^{↩ Parent}}

NOTICE: this feature is in alpha stage and under active development.

Name	Type	Description	Required
ruleEngineMode	enum	Ad-hoc settings to switch ModSecurity engine mode. Enum: OFF, ON, DETECTION_ONLY	false
ruleSets	[]string	Rulesets to enable.	false

WorkspaceSetting.spec.defaultTrafficSetting

^{^{↩ Parent}}

Traffic settings for all proxy workloads in this workspace.

Name	Type	Description	Required
description	string	A description of the resource.	false
displayName	string	User friendly name for the resource.	false
egress	object		false
etag	string	The etag for the resource.	false
fqn	string	Fully-qualified name of the resource.	false
rateLimiting	object	Configuration for rate limiting requests.	false
reachability	object		false
resilience	object		false

WorkspaceSetting.spec.defaultTrafficSetting.egress

^{^{↩ Parent}}

Name	Type	Description	Required
host	string	Specifies the egress gateway hostname.	false
port	integer	Deprecated. Format: int32	false

WorkspaceSetting.spec.defaultTrafficSetting.rateLimiting

^{^{↩ Parent}}

Configuration for rate limiting requests.

Name	Type	Description	Required
externalService	object	Configure ratelimiting using an external ratelimit server.	false
settings	object		false

WorkspaceSetting.spec.defaultTrafficSetting.rateLimiting.externalService

^{^{↩ Parent}}

Configure ratelimiting using an external ratelimit server.

Name	Type	Description	Required
domain	string	The rate limit domain to use when calling the rate limit service.	false
failClosed	boolean		false
rateLimitServerUri	string	The URI at which the external rate limit server can be reached.	false
rules	[]object	A set of rate limit rules.	false
timeout	string	The timeout in seconds for the external rate limit server RPC.	false
tls	object		false

WorkspaceSetting.spec.defaultTrafficSetting.rateLimiting.externalService.rules[index]

^{^{↩ Parent}}

Name	Type	Description	Required
dimensions	[]object	A list of dimensions that are to be applied for this rate limit configuration.	false

WorkspaceSetting.spec.defaultTrafficSetting.rateLimiting.externalService.rules[index].dimensions[index]

^{^{↩ Parent}}

Name	Type	Description	Required
destinationCluster	object	Rate limit on destination envoy cluster.	false
headerValueMatch	object	Rate limit on the existence of certain request headers.	false
remoteAddress	object	Rate limit on remote address of client.	false
requestHeaders	object	Rate limit on the value of certain request headers.	false
sourceCluster	object	Rate limit on source envoy cluster.	false

WorkspaceSetting.spec.defaultTrafficSetting.rateLimiting.externalService.rules[index].dimensions[index].headerValueMatch

^{^{↩ Parent}}

Rate limit on the existence of certain request headers.

Name	Type	Description	Required
descriptorValue	string	The value to use in the descriptor entry.	false
headers	map[string]object		false

WorkspaceSetting.spec.defaultTrafficSetting.rateLimiting.externalService.rules[index].dimensions[index].headerValueMatch.headers[key]

^{^{↩ Parent}}

Name	Type	Description	Required
exact	string	Exact string match.	false
prefix	string	Prefix-based match.	false
regex	string	ECMAscript style regex-based match.	false

WorkspaceSetting.spec.defaultTrafficSetting.rateLimiting.externalService.rules[index].dimensions[index].requestHeaders

^{^{↩ Parent}}

Rate limit on the value of certain request headers.

Name	Type	Description	Required
descriptorKey	string	The key to use in the descriptor entry.	false
headerName	string	The header name to be queried from the request headers.	false

WorkspaceSetting.spec.defaultTrafficSetting.rateLimiting.externalService.tls

^{^{↩ Parent}}

Name	Type	Description	Required
files	object		false
mode	enum	Enum: DISABLED, SIMPLE, MUTUAL	false
subjectAltNames	[]string		false

WorkspaceSetting.spec.defaultTrafficSetting.rateLimiting.externalService.tls.files

^{^{↩ Parent}}

Name	Type	Description	Required
caCertificates	string		false
clientCertificate	string	Certificate file to authenticate the client.	false
privateKey	string	Private key file associated with the client certificate.	false

WorkspaceSetting.spec.defaultTrafficSetting.rateLimiting.settings

^{^{↩ Parent}}

Name	Type	Description	Required
failClosed	boolean		false
rules	[]object	A list of rules for ratelimiting.	false
timeout	string	The timeout in seconds for the rate limit server RPC.	false

WorkspaceSetting.spec.defaultTrafficSetting.rateLimiting.settings.rules[index]

^{^{↩ Parent}}

Name	Type	Description	Required
dimensions	[]object	A list of dimensions to define each ratelimit rule.	false
limit	object	The ratelimit value that will be configured for the above rules.	false

WorkspaceSetting.spec.defaultTrafficSetting.rateLimiting.settings.rules[index].dimensions[index]

^{^{↩ Parent}}

Name	Type	Description	Required
header	object	Rate limit on certain HTTP headers.	false
remoteAddress	object	Rate limit on the remote address of client.	false

WorkspaceSetting.spec.defaultTrafficSetting.rateLimiting.settings.rules[index].dimensions[index].header

^{^{↩ Parent}}

Rate limit on certain HTTP headers.

Name	Type	Description	Required
name	string	Name of the header to match on.	false
value	object	Value of the header to match on if matching on a specific value.	false

WorkspaceSetting.spec.defaultTrafficSetting.rateLimiting.settings.rules[index].dimensions[index].header.value

^{^{↩ Parent}}

Value of the header to match on if matching on a specific value.

Name	Type	Description	Required
exact	string	Exact string match.	false
prefix	string	Prefix-based match.	false
regex	string	ECMAscript style regex-based match.	false

WorkspaceSetting.spec.defaultTrafficSetting.rateLimiting.settings.rules[index].dimensions[index].remoteAddress

^{^{↩ Parent}}

Rate limit on the remote address of client.

Name	Type	Description	Required
value	string	Ratelimit on a specific remote address.	false

WorkspaceSetting.spec.defaultTrafficSetting.rateLimiting.settings.rules[index].limit

^{^{↩ Parent}}

The ratelimit value that will be configured for the above rules.

Name	Type	Description	Required
requestsPerUnit	integer	Specifies the value of the rate limit. Minimum: 0 Maximum: 4.294967295e+09	false
unit	enum	Specifies the unit of time for rate limit. Enum: UNKNOWN, SECOND, MINUTE, HOUR, DAY	false

WorkspaceSetting.spec.defaultTrafficSetting.reachability

^{^{↩ Parent}}

Name	Type	Description	Required
hosts	[]string		false
mode	enum	A short cut for specifying the set of services accessed by the workload. Enum: UNSET, NAMESPACE, GROUP, WORKSPACE, CLUSTER, CUSTOM	false

WorkspaceSetting.spec.defaultTrafficSetting.resilience

^{^{↩ Parent}}

Name	Type	Description	Required
circuitBreakerSensitivity	enum	Enum: UNSET, LOW, MEDIUM, HIGH	false
httpRequestTimeout	string	Timeout for HTTP requests.	false
httpRetries	object	Retry policy for HTTP requests.	false
keepAlive	object	Keep Alive Settings.	false
tcpKeepalive	boolean	Deprecated.	false

WorkspaceSetting.spec.defaultTrafficSetting.resilience.httpRetries

^{^{↩ Parent}}

Retry policy for HTTP requests.

Name	Type	Description	Required
attempts	integer	Number of retries for a given request. Format: int32	false
perTryTimeout	string	Timeout per retry attempt for a given request.	false
retryOn	string	Specifies the conditions under which retry takes place.	false

WorkspaceSetting.spec.defaultTrafficSetting.resilience.keepAlive

^{^{↩ Parent}}

Keep Alive Settings.

Name	Type	Description	Required
tcp	object	TCP Keep Alive settings associated with the upstream and downstream TCP connections.	false

WorkspaceSetting.spec.defaultTrafficSetting.resilience.keepAlive.tcp

^{^{↩ Parent}}

TCP Keep Alive settings associated with the upstream and downstream TCP connections.

Name	Type	Description	Required
downstream	object	TCP Keep Alive Settings associated with the downstream (client) connection.	false
upstream	object	TCP Keep Alive Settings associated with the upstream (backend) connection.	false

WorkspaceSetting.spec.defaultTrafficSetting.resilience.keepAlive.tcp.downstream

^{^{↩ Parent}}

TCP Keep Alive Settings associated with the downstream (client) connection.

Name	Type	Description	Required
idleTime	integer	Minimum: 0 Maximum: 4.294967295e+09	false
interval	integer	The number of seconds between keep-alive probes. Minimum: 0 Maximum: 4.294967295e+09	false
probes	integer	Minimum: 0 Maximum: 4.294967295e+09	false

WorkspaceSetting.spec.defaultTrafficSetting.resilience.keepAlive.tcp.upstream

^{^{↩ Parent}}

TCP Keep Alive Settings associated with the upstream (backend) connection.

Name	Type	Description	Required
idleTime	integer	Minimum: 0 Maximum: 4.294967295e+09	false
interval	integer	The number of seconds between keep-alive probes. Minimum: 0 Maximum: 4.294967295e+09	false
probes	integer	Minimum: 0 Maximum: 4.294967295e+09	false

WorkspaceSetting.spec.regionalFailover[index]

^{^{↩ Parent}}

Name	Type	Description	Required
from	string	Originating region.	false
to	string		false

application.tsb.tetrate.io/v2

Resource Types:

API
Application

API

^{^{↩ Parent}}

Name	Type	Description	Required
apiVersion	string	application.tsb.tetrate.io/v2	true
kind	string	API	true
metadata	object	Refer to the Kubernetes API documentation for the fields of the `metadata` field.	true
spec	object	An API configuring a set of servers and endpoints that expose the Application business logic.	false
status	object		false

API.spec

^{^{↩ Parent}}

An API configuring a set of servers and endpoints that expose the Application business logic.

Name	Type	Description	Required
configResources	[]object	The configuration resources that are related to this API object.	false
description	string	A description of the resource.	false
displayName	string	User friendly name for the resource.	false
endpoints	[]object	List of endpoints exposed by this API.	false
etag	string	The etag for the resource.	false
fqn	string	Fully-qualified name of the resource.	false
openapi	string	The raw OpenAPI spec for this API.	false
servers	[]object	List of servers that expose the API.	false
workloadSelector	object		false

API.spec.configResources[index]

^{^{↩ Parent}}

Name	Type	Description	Required
exclusivelyOwned	boolean		false
expectedEtag	string		false
fqn	string	The FQN of the resource this status is computed for.	false

API.spec.endpoints[index]

^{^{↩ Parent}}

Name	Type	Description	Required
hostnames	[]string	The list of hostnames where this endpoint is exposed.	false
methods	[]string	The list of HTTP methods this endpoint supports.	false
path	string	The HTTP path of the endpoint, relative to the hostnames exposed by the API.	false
service	string	The FQN of the service in the service registry that is exposing this endpoint.	false

API.spec.servers[index]

^{^{↩ Parent}}

Name	Type	Description	Required
authentication	object	Configuration to authenticate clients.	false
authorization	object	Configuration to authorize a request.	false
hostname	string	Hostname with which the service can be expected to be accessed by clients.	false
name	string	A name assigned to the server.	false
port	integer	The port where the server is exposed. Minimum: 0 Maximum: 4.294967295e+09	false
rateLimiting	object	Configuration for rate limiting requests.	false
routing	object	Routing rules associated with HTTP traffic to this service.	false
tls	object	TLS certificate info.	false
xxxOldAuthentication	object		false
xxxOldAuthorization	object		false

API.spec.servers[index].authentication

^{^{↩ Parent}}

Configuration to authenticate clients.

Name	Type	Description	Required
jwt	object		false

API.spec.servers[index].authentication.jwt

^{^{↩ Parent}}

Name	Type	Description	Required
audiences	[]string		false
issuer	string	Identifies the issuer that issued the JWT.	false
jwks	string	JSON Web Key Set of public keys to validate signature of the JWT.	false
jwksUri	string		false

API.spec.servers[index].authorization

^{^{↩ Parent}}

Configuration to authorize a request.

Name	Type	Description	Required
external	object		false
local	object		false

API.spec.servers[index].authorization.external

^{^{↩ Parent}}

Name	Type	Required
includeRequestHeaders	[]string	false
tls	object	false
uri	string	false

API.spec.servers[index].authorization.external.tls

^{^{↩ Parent}}

Name	Type	Description	Required
files	object		false
mode	enum	Enum: DISABLED, SIMPLE, MUTUAL	false
subjectAltNames	[]string		false

API.spec.servers[index].authorization.external.tls.files

^{^{↩ Parent}}

Name	Type	Description	Required
caCertificates	string		false
clientCertificate	string	Certificate file to authenticate the client.	false
privateKey	string	Private key file associated with the client certificate.	false

API.spec.servers[index].authorization.local

^{^{↩ Parent}}

Name	Type	Description	Required
rules	[]object		false

API.spec.servers[index].authorization.local.rules[index]

^{^{↩ Parent}}

Name	Type	Description	Required
from	[]object		false
name	string	A friendly name to identify the binding.	false
to	[]object		false

API.spec.servers[index].authorization.local.rules[index].from[index]

^{^{↩ Parent}}

Name	Type	Description	Required
jwt	object	JWT configuration to identity the subject.	false

API.spec.servers[index].authorization.local.rules[index].from[index].jwt

^{^{↩ Parent}}

JWT configuration to identity the subject.

Name	Type	Description	Required
iss	string		false
other	map[string]string	A set of arbitrary claims that are required to qualify the subject.	false
sub	string		false

API.spec.servers[index].authorization.local.rules[index].to[index]

^{^{↩ Parent}}

Name	Type	Description	Required
methods	[]string	The HTTP methods that are allowed by this rule.	false
paths	[]string	The request path where the request is made against.	false

API.spec.servers[index].rateLimiting

^{^{↩ Parent}}

Configuration for rate limiting requests.

Name	Type	Description	Required
externalService	object	Configure ratelimiting using an external ratelimit server.	false
settings	object		false

API.spec.servers[index].rateLimiting.externalService

^{^{↩ Parent}}

Configure ratelimiting using an external ratelimit server.

Name	Type	Description	Required
domain	string	The rate limit domain to use when calling the rate limit service.	false
failClosed	boolean		false
rateLimitServerUri	string	The URI at which the external rate limit server can be reached.	false
rules	[]object	A set of rate limit rules.	false
timeout	string	The timeout in seconds for the external rate limit server RPC.	false
tls	object		false

API.spec.servers[index].rateLimiting.externalService.rules[index]

^{^{↩ Parent}}

Name	Type	Description	Required
dimensions	[]object	A list of dimensions that are to be applied for this rate limit configuration.	false

API.spec.servers[index].rateLimiting.externalService.rules[index].dimensions[index]

^{^{↩ Parent}}

Name	Type	Description	Required
destinationCluster	object	Rate limit on destination envoy cluster.	false
headerValueMatch	object	Rate limit on the existence of certain request headers.	false
remoteAddress	object	Rate limit on remote address of client.	false
requestHeaders	object	Rate limit on the value of certain request headers.	false
sourceCluster	object	Rate limit on source envoy cluster.	false

API.spec.servers[index].rateLimiting.externalService.rules[index].dimensions[index].headerValueMatch

^{^{↩ Parent}}

Rate limit on the existence of certain request headers.

Name	Type	Description	Required
descriptorValue	string	The value to use in the descriptor entry.	false
headers	map[string]object		false

API.spec.servers[index].rateLimiting.externalService.rules[index].dimensions[index].headerValueMatch.headers[key]

^{^{↩ Parent}}

Name	Type	Description	Required
exact	string	Exact string match.	false
prefix	string	Prefix-based match.	false
regex	string	ECMAscript style regex-based match.	false

API.spec.servers[index].rateLimiting.externalService.rules[index].dimensions[index].requestHeaders

^{^{↩ Parent}}

Rate limit on the value of certain request headers.

Name	Type	Description	Required
descriptorKey	string	The key to use in the descriptor entry.	false
headerName	string	The header name to be queried from the request headers.	false

API.spec.servers[index].rateLimiting.externalService.tls

^{^{↩ Parent}}

Name	Type	Description	Required
files	object		false
mode	enum	Enum: DISABLED, SIMPLE, MUTUAL	false
subjectAltNames	[]string		false

API.spec.servers[index].rateLimiting.externalService.tls.files

^{^{↩ Parent}}

Name	Type	Description	Required
caCertificates	string		false
clientCertificate	string	Certificate file to authenticate the client.	false
privateKey	string	Private key file associated with the client certificate.	false

API.spec.servers[index].rateLimiting.settings

^{^{↩ Parent}}

Name	Type	Description	Required
failClosed	boolean		false
rules	[]object	A list of rules for ratelimiting.	false
timeout	string	The timeout in seconds for the rate limit server RPC.	false

API.spec.servers[index].rateLimiting.settings.rules[index]

^{^{↩ Parent}}

Name	Type	Description	Required
dimensions	[]object	A list of dimensions to define each ratelimit rule.	false
limit	object	The ratelimit value that will be configured for the above rules.	false

API.spec.servers[index].rateLimiting.settings.rules[index].dimensions[index]

^{^{↩ Parent}}

Name	Type	Description	Required
header	object	Rate limit on certain HTTP headers.	false
remoteAddress	object	Rate limit on the remote address of client.	false

API.spec.servers[index].rateLimiting.settings.rules[index].dimensions[index].header

^{^{↩ Parent}}

Rate limit on certain HTTP headers.

Name	Type	Description	Required
name	string	Name of the header to match on.	false
value	object	Value of the header to match on if matching on a specific value.	false

API.spec.servers[index].rateLimiting.settings.rules[index].dimensions[index].header.value

^{^{↩ Parent}}

Value of the header to match on if matching on a specific value.

Name	Type	Description	Required
exact	string	Exact string match.	false
prefix	string	Prefix-based match.	false
regex	string	ECMAscript style regex-based match.	false

API.spec.servers[index].rateLimiting.settings.rules[index].dimensions[index].remoteAddress

^{^{↩ Parent}}

Rate limit on the remote address of client.

Name	Type	Description	Required
value	string	Ratelimit on a specific remote address.	false

API.spec.servers[index].rateLimiting.settings.rules[index].limit

^{^{↩ Parent}}

The ratelimit value that will be configured for the above rules.

Name	Type	Description	Required
requestsPerUnit	integer	Specifies the value of the rate limit. Minimum: 0 Maximum: 4.294967295e+09	false
unit	enum	Specifies the unit of time for rate limit. Enum: UNKNOWN, SECOND, MINUTE, HOUR, DAY	false

API.spec.servers[index].routing

^{^{↩ Parent}}

Routing rules associated with HTTP traffic to this service.

Name	Type	Description	Required
corsPolicy	object	Cross origin resource request policy settings for all routes.	false
rules	[]object	HTTP routes.	false

API.spec.servers[index].routing.corsPolicy

^{^{↩ Parent}}

Cross origin resource request policy settings for all routes.

Name	Type	Description	Required
allowCredentials	boolean		false
allowHeaders	[]string	List of HTTP headers that can be used when requesting the resource.	false
allowMethods	[]string	List of HTTP methods allowed to access the resource.	false
allowOrigin	[]string	The list of origins that are allowed to perform CORS requests.	false
exposeHeaders	[]string	A white list of HTTP headers that the browsers are allowed to access.	false
maxAge	string	Specifies how long the results of a preflight request can be cached.	false

API.spec.servers[index].routing.rules[index]

^{^{↩ Parent}}

Name	Type	Description	Required
match	[]object	One or more match conditions (OR-ed).	false
modify	object	One or more mutations to be performed before forwarding.	false
redirect	object	Redirect the request to a different host or URL or both.	false
route	object	Forward the request to the specified destination(s).	false

API.spec.servers[index].routing.rules[index].match[index]

^{^{↩ Parent}}

Name	Type	Description	Required
headers	map[string]object	The header keys must be lowercase and use hyphen as the separator, e.g.	false
uri	object	URI to match.	false

API.spec.servers[index].routing.rules[index].match[index].headers[key]

^{^{↩ Parent}}

Name	Type	Description	Required
exact	string	Exact string match.	false
prefix	string	Prefix-based match.	false
regex	string	ECMAscript style regex-based match.	false

API.spec.servers[index].routing.rules[index].match[index].uri

^{^{↩ Parent}}

URI to match.

Name	Type	Description	Required
exact	string	Exact string match.	false
prefix	string	Prefix-based match.	false
regex	string	ECMAscript style regex-based match.	false

API.spec.servers[index].routing.rules[index].modify

^{^{↩ Parent}}

One or more mutations to be performed before forwarding.

Name	Type	Description	Required
headers	object	Add/remove/overwrite one or more HTTP headers in a request or response.	false
rewrite	object	Rewrite the HTTP Host or URL or both.	false

API.spec.servers[index].routing.rules[index].modify.headers

^{^{↩ Parent}}

Add/remove/overwrite one or more HTTP headers in a request or response.

Name	Type	Description	Required
request	object	Header manipulation rules to apply before forwarding a request to the destination service.	false
response	object	Header manipulation rules to apply before returning a response to the caller.	false

API.spec.servers[index].routing.rules[index].modify.headers.request

^{^{↩ Parent}}

Header manipulation rules to apply before forwarding a request to the destination service.

Name	Type	Description	Required
add	map[string]string		false
remove	[]string	Remove a the specified headers.	false
set	map[string]string	Overwrite the headers specified by key with the given values.	false

API.spec.servers[index].routing.rules[index].modify.headers.response

^{^{↩ Parent}}

Header manipulation rules to apply before returning a response to the caller.

Name	Type	Description	Required
add	map[string]string		false
remove	[]string	Remove a the specified headers.	false
set	map[string]string	Overwrite the headers specified by key with the given values.	false

API.spec.servers[index].routing.rules[index].modify.rewrite

^{^{↩ Parent}}

Rewrite the HTTP Host or URL or both.

Name	Type	Description	Required
authority	string	Rewrite the Authority/Host header with this value.	false
uri	string	Rewrite the path (or the prefix) portion of the URI with this value.	false

API.spec.servers[index].routing.rules[index].redirect

^{^{↩ Parent}}

Redirect the request to a different host or URL or both.

Name	Type	Description	Required
authority	string	On a redirect, overwrite the Authority/Host portion of the URL with this value.	false
port	integer	Minimum: 0 Maximum: 4.294967295e+09	false
redirectCode	integer	Minimum: 0 Maximum: 4.294967295e+09	false
scheme	string	On a redirect, overwrite the scheme with this one.	false
uri	string	On a redirect, overwrite the Path portion of the URL with this value.	false

API.spec.servers[index].routing.rules[index].route

^{^{↩ Parent}}

Forward the request to the specified destination(s).

Name	Type	Description	Required
host	string		false
port	integer	The port on the service to forward the request to. Minimum: 0 Maximum: 4.294967295e+09	false

API.spec.servers[index].tls

^{^{↩ Parent}}

TLS certificate info.

Name	Type	Description	Required
files	object		false
mode	enum	Enum: DISABLED, SIMPLE, MUTUAL	false
secretName	string		false

API.spec.servers[index].tls.files

^{^{↩ Parent}}

Name	Type	Required
caCertificates	string	false
privateKey	string	false
serverCertificate	string	false

API.spec.servers[index].xxxOldAuthentication

^{^{↩ Parent}}

Name	Type	Description	Required
jwt	object		false

API.spec.servers[index].xxxOldAuthentication.jwt

^{^{↩ Parent}}

Name	Type	Description	Required
audiences	[]string		false
issuer	string	Identifies the issuer that issued the JWT.	false
jwks	string	JSON Web Key Set of public keys to validate signature of the JWT.	false
jwksUri	string		false

API.spec.servers[index].xxxOldAuthorization

^{^{↩ Parent}}

Name	Type	Description	Required
external	object		false
local	object		false

API.spec.servers[index].xxxOldAuthorization.external

^{^{↩ Parent}}

Name	Type	Description	Required
includeRequestHeaders	[]string		false
uri	string		false

API.spec.servers[index].xxxOldAuthorization.local

^{^{↩ Parent}}

Name	Type	Description	Required
rules	[]object		false

API.spec.servers[index].xxxOldAuthorization.local.rules[index]

^{^{↩ Parent}}

Name	Type	Description	Required
from	[]object		false
name	string	A friendly name to identify the binding.	false
to	[]object		false

API.spec.servers[index].xxxOldAuthorization.local.rules[index].from[index]

^{^{↩ Parent}}

Name	Type	Description	Required
jwt	object	JWT configuration to identity the subject.	false

API.spec.servers[index].xxxOldAuthorization.local.rules[index].from[index].jwt

^{^{↩ Parent}}

JWT configuration to identity the subject.

Name	Type	Description	Required
iss	string		false
other	map[string]string	A set of arbitrary claims that are required to qualify the subject.	false
sub	string		false

API.spec.servers[index].xxxOldAuthorization.local.rules[index].to[index]

^{^{↩ Parent}}

Name	Type	Description	Required
methods	[]string	The HTTP methods that are allowed by this rule.	false
paths	[]string	The request path where the request is made against.	false

API.spec.workloadSelector

^{^{↩ Parent}}

Name	Type	Description	Required
labels	map[string]string		false
namespace	string	The namespace where the workload resides.	false

Application

^{^{↩ Parent}}

Name	Type	Description	Required
apiVersion	string	application.tsb.tetrate.io/v2	true
kind	string	Application	true
metadata	object	Refer to the Kubernetes API documentation for the fields of the `metadata` field.	true
spec	object		false
status	object		false

Application.spec

^{^{↩ Parent}}

Name	Type	Description	Required
configResources	[]object	The configuration resources that are related to this Application.	false
description	string	A description of the resource.	false
displayName	string	User friendly name for the resource.	false
etag	string	The etag for the resource.	false
fqn	string	Fully-qualified name of the resource.	false
gatewayGroup	string	Optional FQN of the Gateway Group to be used by the application.	false
namespaceSelector	object	Optional set of namespaces this application can configure.	false
services	[]string	Optional list of services that are part of the application.	false
workspace	string	FQN of the workspace this application is part of.	false

Application.spec.configResources[index]

^{^{↩ Parent}}

Name	Type	Description	Required
exclusivelyOwned	boolean		false
expectedEtag	string		false
fqn	string	The FQN of the resource this status is computed for.	false

Application.spec.namespaceSelector

^{^{↩ Parent}}

Optional set of namespaces this application can configure.

Name	Type	Description	Required
names	[]string		false

gateway.tsb.tetrate.io/v2

Resource Types:

EgressGateway
Group
IngressGateway
Tier1Gateway

EgressGateway

^{^{↩ Parent}}

Name	Type	Description	Required
apiVersion	string	gateway.tsb.tetrate.io/v2	true
kind	string	EgressGateway	true
metadata	object	Refer to the Kubernetes API documentation for the fields of the `metadata` field.	true
spec	object	`EgressGateway` configures a workload to act as an egress gateway in the mesh.	false
status	object		false

EgressGateway.spec

^{^{↩ Parent}}

EgressGateway configures a workload to act as an egress gateway in the mesh.

Name	Type	Description	Required
authorization	[]object	The description of which service accounts can access which hosts.	false
description	string	A description of the resource.	false
displayName	string	User friendly name for the resource.	false
etag	string	The etag for the resource.	false
fqn	string	Fully-qualified name of the resource.	false
workloadSelector	object		false

EgressGateway.spec.authorization[index]

^{^{↩ Parent}}

Name	Type	Description	Required
from	object	The workloads or service accounts this authorization rule applies to.	false
to	[]string	The external hostnames the workload(s) described in this rule can access.	false

EgressGateway.spec.authorization[index].from

^{^{↩ Parent}}

The workloads or service accounts this authorization rule applies to.

Name	Type	Description	Required
http	object	This is for configuring HTTP request authorization.	false
mode	enum	A short cut for specifying the set of allowed callers. Enum: UNSET, NAMESPACE, GROUP, WORKSPACE, CLUSTER, DISABLED, CUSTOM, RULES	false
rules	object		false
serviceAccounts	[]string		false

EgressGateway.spec.authorization[index].from.http

^{^{↩ Parent}}

This is for configuring HTTP request authorization.

Name	Type	Description	Required
external	object		false
local	object		false

EgressGateway.spec.authorization[index].from.http.external

^{^{↩ Parent}}

Name	Type	Required
includeRequestHeaders	[]string	false
tls	object	false
uri	string	false

EgressGateway.spec.authorization[index].from.http.external.tls

^{^{↩ Parent}}

Name	Type	Description	Required
files	object		false
mode	enum	Enum: DISABLED, SIMPLE, MUTUAL	false
subjectAltNames	[]string		false

EgressGateway.spec.authorization[index].from.http.external.tls.files

^{^{↩ Parent}}

Name	Type	Description	Required
caCertificates	string		false
clientCertificate	string	Certificate file to authenticate the client.	false
privateKey	string	Private key file associated with the client certificate.	false

EgressGateway.spec.authorization[index].from.http.local

^{^{↩ Parent}}

Name	Type	Description	Required
rules	[]object		false

EgressGateway.spec.authorization[index].from.http.local.rules[index]

^{^{↩ Parent}}

Name	Type	Description	Required
from	[]object		false
name	string	A friendly name to identify the binding.	false
to	[]object		false

EgressGateway.spec.authorization[index].from.http.local.rules[index].from[index]

^{^{↩ Parent}}

Name	Type	Description	Required
jwt	object	JWT configuration to identity the subject.	false

EgressGateway.spec.authorization[index].from.http.local.rules[index].from[index].jwt

^{^{↩ Parent}}

JWT configuration to identity the subject.

Name	Type	Description	Required
iss	string		false
other	map[string]string	A set of arbitrary claims that are required to qualify the subject.	false
sub	string		false

EgressGateway.spec.authorization[index].from.http.local.rules[index].to[index]

^{^{↩ Parent}}

Name	Type	Description	Required
methods	[]string	The HTTP methods that are allowed by this rule.	false
paths	[]string	The request path where the request is made against.	false

EgressGateway.spec.authorization[index].from.rules

^{^{↩ Parent}}

Name	Type	Description	Required
allow	[]object	Allow specifies a list of rules.	false
deny	[]object	Deny specifies a list of rules.	false
denyAll	boolean	Deny all specifies whether all requests should be rejected.	false

EgressGateway.spec.authorization[index].from.rules.allow[index]

^{^{↩ Parent}}

Name	Type	Description	Required
from	object	From specifies the source of a request.	false
to	object	To specifies the destination of a request.	false

EgressGateway.spec.authorization[index].from.rules.allow[index].from

^{^{↩ Parent}}

From specifies the source of a request.

Name	Type	Description	Required
fqn	string	The target resource identified by FQN which will be the source of a request.	false

EgressGateway.spec.authorization[index].from.rules.allow[index].to

^{^{↩ Parent}}

To specifies the destination of a request.

Name	Type	Description	Required
fqn	string	The target resource identified by FQN which will be the destination of a request.	false

EgressGateway.spec.authorization[index].from.rules.deny[index]

^{^{↩ Parent}}

Name	Type	Description	Required
from	object	From specifies the source of a request.	false
to	object	To specifies the destination of a request.	false

EgressGateway.spec.authorization[index].from.rules.deny[index].from

^{^{↩ Parent}}

From specifies the source of a request.

Name	Type	Description	Required
fqn	string	The target resource identified by FQN which will be the source of a request.	false

EgressGateway.spec.authorization[index].from.rules.deny[index].to

^{^{↩ Parent}}

To specifies the destination of a request.

Name	Type	Description	Required
fqn	string	The target resource identified by FQN which will be the destination of a request.	false

EgressGateway.spec.workloadSelector

^{^{↩ Parent}}

Name	Type	Description	Required
labels	map[string]string		false
namespace	string	The namespace where the workload resides.	false

Group

^{^{↩ Parent}}

Name	Type	Description	Required
apiVersion	string	gateway.tsb.tetrate.io/v2	true
kind	string	Group	true
metadata	object	Refer to the Kubernetes API documentation for the fields of the `metadata` field.	true
spec	object		false
status	object		false

Group.spec

^{^{↩ Parent}}

Name	Type	Description	Required
configMode	enum	Enum: BRIDGED, DIRECT	false
description	string	A description of the resource.	false
displayName	string	User friendly name for the resource.	false
etag	string	The etag for the resource.	false
fqn	string	Fully-qualified name of the resource.	false
namespaceSelector	object	Set of namespaces owned exclusively by this group.	false

Group.spec.namespaceSelector

^{^{↩ Parent}}

Set of namespaces owned exclusively by this group.

Name	Type	Description	Required
names	[]string		false

IngressGateway

^{^{↩ Parent}}

Name	Type	Description	Required
apiVersion	string	gateway.tsb.tetrate.io/v2	true
kind	string	IngressGateway	true
metadata	object	Refer to the Kubernetes API documentation for the fields of the `metadata` field.	true
spec	object	`IngressGateway` configures a workload to act as an ingress gateway into the mesh.	false
status	object		false

IngressGateway.spec

^{^{↩ Parent}}

IngressGateway configures a workload to act as an ingress gateway into the mesh.

Name	Type	Description	Required
description	string	A description of the resource.	false
displayName	string	User friendly name for the resource.	false
etag	string	The etag for the resource.	false
fqn	string	Fully-qualified name of the resource.	false
http	[]object	One or more HTTP or HTTPS servers exposed by the gateway.	false
tcp	[]object		false
tlsPassthrough	[]object	One or more TLS servers exposed by the gateway.	false
workloadSelector	object		false

IngressGateway.spec.http[index]

^{^{↩ Parent}}

Name	Type	Description	Required
authentication	object	Configuration to authenticate clients.	false
authorization	object	Configuration to authorize a request.	false
hostname	string	Hostname with which the service can be expected to be accessed by clients.	false
name	string	A name assigned to the server.	false
port	integer	The port where the server is exposed. Minimum: 0 Maximum: 4.294967295e+09	false
rateLimiting	object	Configuration for rate limiting requests.	false
routing	object	Routing rules associated with HTTP traffic to this service.	false
tls	object	TLS certificate info.	false
xxxOldAuthentication	object		false
xxxOldAuthorization	object		false

IngressGateway.spec.http[index].authentication

^{^{↩ Parent}}

Configuration to authenticate clients.

Name	Type	Description	Required
jwt	object		false

IngressGateway.spec.http[index].authentication.jwt

^{^{↩ Parent}}

Name	Type	Description	Required
audiences	[]string		false
issuer	string	Identifies the issuer that issued the JWT.	false
jwks	string	JSON Web Key Set of public keys to validate signature of the JWT.	false
jwksUri	string		false

IngressGateway.spec.http[index].authorization

^{^{↩ Parent}}

Configuration to authorize a request.

Name	Type	Description	Required
external	object		false
local	object		false

IngressGateway.spec.http[index].authorization.external

^{^{↩ Parent}}

Name	Type	Required
includeRequestHeaders	[]string	false
tls	object	false
uri	string	false

IngressGateway.spec.http[index].authorization.external.tls

^{^{↩ Parent}}

Name	Type	Description	Required
files	object		false
mode	enum	Enum: DISABLED, SIMPLE, MUTUAL	false
subjectAltNames	[]string		false

IngressGateway.spec.http[index].authorization.external.tls.files

^{^{↩ Parent}}

Name	Type	Description	Required
caCertificates	string		false
clientCertificate	string	Certificate file to authenticate the client.	false
privateKey	string	Private key file associated with the client certificate.	false

IngressGateway.spec.http[index].authorization.local

^{^{↩ Parent}}

Name	Type	Description	Required
rules	[]object		false

IngressGateway.spec.http[index].authorization.local.rules[index]

^{^{↩ Parent}}

Name	Type	Description	Required
from	[]object		false
name	string	A friendly name to identify the binding.	false
to	[]object		false

IngressGateway.spec.http[index].authorization.local.rules[index].from[index]

^{^{↩ Parent}}

Name	Type	Description	Required
jwt	object	JWT configuration to identity the subject.	false

IngressGateway.spec.http[index].authorization.local.rules[index].from[index].jwt

^{^{↩ Parent}}

JWT configuration to identity the subject.

Name	Type	Description	Required
iss	string		false
other	map[string]string	A set of arbitrary claims that are required to qualify the subject.	false
sub	string		false

IngressGateway.spec.http[index].authorization.local.rules[index].to[index]

^{^{↩ Parent}}

Name	Type	Description	Required
methods	[]string	The HTTP methods that are allowed by this rule.	false
paths	[]string	The request path where the request is made against.	false

IngressGateway.spec.http[index].rateLimiting

^{^{↩ Parent}}

Configuration for rate limiting requests.

Name	Type	Description	Required
externalService	object	Configure ratelimiting using an external ratelimit server.	false
settings	object		false

IngressGateway.spec.http[index].rateLimiting.externalService

^{^{↩ Parent}}

Configure ratelimiting using an external ratelimit server.

Name	Type	Description	Required
domain	string	The rate limit domain to use when calling the rate limit service.	false
failClosed	boolean		false
rateLimitServerUri	string	The URI at which the external rate limit server can be reached.	false
rules	[]object	A set of rate limit rules.	false
timeout	string	The timeout in seconds for the external rate limit server RPC.	false
tls	object		false

IngressGateway.spec.http[index].rateLimiting.externalService.rules[index]

^{^{↩ Parent}}

Name	Type	Description	Required
dimensions	[]object	A list of dimensions that are to be applied for this rate limit configuration.	false

IngressGateway.spec.http[index].rateLimiting.externalService.rules[index].dimensions[index]

^{^{↩ Parent}}

Name	Type	Description	Required
destinationCluster	object	Rate limit on destination envoy cluster.	false
headerValueMatch	object	Rate limit on the existence of certain request headers.	false
remoteAddress	object	Rate limit on remote address of client.	false
requestHeaders	object	Rate limit on the value of certain request headers.	false
sourceCluster	object	Rate limit on source envoy cluster.	false

IngressGateway.spec.http[index].rateLimiting.externalService.rules[index].dimensions[index].headerValueMatch

^{^{↩ Parent}}

Rate limit on the existence of certain request headers.

Name	Type	Description	Required
descriptorValue	string	The value to use in the descriptor entry.	false
headers	map[string]object		false

IngressGateway.spec.http[index].rateLimiting.externalService.rules[index].dimensions[index].headerValueMatch.headers[key]

^{^{↩ Parent}}

Name	Type	Description	Required
exact	string	Exact string match.	false
prefix	string	Prefix-based match.	false
regex	string	ECMAscript style regex-based match.	false

IngressGateway.spec.http[index].rateLimiting.externalService.rules[index].dimensions[index].requestHeaders

^{^{↩ Parent}}

Rate limit on the value of certain request headers.

Name	Type	Description	Required
descriptorKey	string	The key to use in the descriptor entry.	false
headerName	string	The header name to be queried from the request headers.	false

IngressGateway.spec.http[index].rateLimiting.externalService.tls

^{^{↩ Parent}}

Name	Type	Description	Required
files	object		false
mode	enum	Enum: DISABLED, SIMPLE, MUTUAL	false
subjectAltNames	[]string		false

IngressGateway.spec.http[index].rateLimiting.externalService.tls.files

^{^{↩ Parent}}

Name	Type	Description	Required
caCertificates	string		false
clientCertificate	string	Certificate file to authenticate the client.	false
privateKey	string	Private key file associated with the client certificate.	false

IngressGateway.spec.http[index].rateLimiting.settings

^{^{↩ Parent}}

Name	Type	Description	Required
failClosed	boolean		false
rules	[]object	A list of rules for ratelimiting.	false
timeout	string	The timeout in seconds for the rate limit server RPC.	false

IngressGateway.spec.http[index].rateLimiting.settings.rules[index]

^{^{↩ Parent}}

Name	Type	Description	Required
dimensions	[]object	A list of dimensions to define each ratelimit rule.	false
limit	object	The ratelimit value that will be configured for the above rules.	false

IngressGateway.spec.http[index].rateLimiting.settings.rules[index].dimensions[index]

^{^{↩ Parent}}

Name	Type	Description	Required
header	object	Rate limit on certain HTTP headers.	false
remoteAddress	object	Rate limit on the remote address of client.	false

IngressGateway.spec.http[index].rateLimiting.settings.rules[index].dimensions[index].header

^{^{↩ Parent}}

Rate limit on certain HTTP headers.

Name	Type	Description	Required
name	string	Name of the header to match on.	false
value	object	Value of the header to match on if matching on a specific value.	false

IngressGateway.spec.http[index].rateLimiting.settings.rules[index].dimensions[index].header.value

^{^{↩ Parent}}

Value of the header to match on if matching on a specific value.

Name	Type	Description	Required
exact	string	Exact string match.	false
prefix	string	Prefix-based match.	false
regex	string	ECMAscript style regex-based match.	false

IngressGateway.spec.http[index].rateLimiting.settings.rules[index].dimensions[index].remoteAddress

^{^{↩ Parent}}

Rate limit on the remote address of client.

Name	Type	Description	Required
value	string	Ratelimit on a specific remote address.	false

IngressGateway.spec.http[index].rateLimiting.settings.rules[index].limit

^{^{↩ Parent}}

The ratelimit value that will be configured for the above rules.

Name	Type	Description	Required
requestsPerUnit	integer	Specifies the value of the rate limit. Minimum: 0 Maximum: 4.294967295e+09	false
unit	enum	Specifies the unit of time for rate limit. Enum: UNKNOWN, SECOND, MINUTE, HOUR, DAY	false

IngressGateway.spec.http[index].routing

^{^{↩ Parent}}

Routing rules associated with HTTP traffic to this service.

Name	Type	Description	Required
corsPolicy	object	Cross origin resource request policy settings for all routes.	false
rules	[]object	HTTP routes.	false

IngressGateway.spec.http[index].routing.corsPolicy

^{^{↩ Parent}}

Cross origin resource request policy settings for all routes.

Name	Type	Description	Required
allowCredentials	boolean		false
allowHeaders	[]string	List of HTTP headers that can be used when requesting the resource.	false
allowMethods	[]string	List of HTTP methods allowed to access the resource.	false
allowOrigin	[]string	The list of origins that are allowed to perform CORS requests.	false
exposeHeaders	[]string	A white list of HTTP headers that the browsers are allowed to access.	false
maxAge	string	Specifies how long the results of a preflight request can be cached.	false

IngressGateway.spec.http[index].routing.rules[index]

^{^{↩ Parent}}

Name	Type	Description	Required
match	[]object	One or more match conditions (OR-ed).	false
modify	object	One or more mutations to be performed before forwarding.	false
redirect	object	Redirect the request to a different host or URL or both.	false
route	object	Forward the request to the specified destination(s).	false

IngressGateway.spec.http[index].routing.rules[index].match[index]

^{^{↩ Parent}}

Name	Type	Description	Required
headers	map[string]object	The header keys must be lowercase and use hyphen as the separator, e.g.	false
uri	object	URI to match.	false

IngressGateway.spec.http[index].routing.rules[index].match[index].headers[key]

^{^{↩ Parent}}

Name	Type	Description	Required
exact	string	Exact string match.	false
prefix	string	Prefix-based match.	false
regex	string	ECMAscript style regex-based match.	false

IngressGateway.spec.http[index].routing.rules[index].match[index].uri

^{^{↩ Parent}}

URI to match.

Name	Type	Description	Required
exact	string	Exact string match.	false
prefix	string	Prefix-based match.	false
regex	string	ECMAscript style regex-based match.	false

IngressGateway.spec.http[index].routing.rules[index].modify

^{^{↩ Parent}}

One or more mutations to be performed before forwarding.

Name	Type	Description	Required
headers	object	Add/remove/overwrite one or more HTTP headers in a request or response.	false
rewrite	object	Rewrite the HTTP Host or URL or both.	false

IngressGateway.spec.http[index].routing.rules[index].modify.headers

^{^{↩ Parent}}

Add/remove/overwrite one or more HTTP headers in a request or response.

Name	Type	Description	Required
request	object	Header manipulation rules to apply before forwarding a request to the destination service.	false
response	object	Header manipulation rules to apply before returning a response to the caller.	false

IngressGateway.spec.http[index].routing.rules[index].modify.headers.request

^{^{↩ Parent}}

Header manipulation rules to apply before forwarding a request to the destination service.

Name	Type	Description	Required
add	map[string]string		false
remove	[]string	Remove a the specified headers.	false
set	map[string]string	Overwrite the headers specified by key with the given values.	false

IngressGateway.spec.http[index].routing.rules[index].modify.headers.response

^{^{↩ Parent}}

Header manipulation rules to apply before returning a response to the caller.

Name	Type	Description	Required
add	map[string]string		false
remove	[]string	Remove a the specified headers.	false
set	map[string]string	Overwrite the headers specified by key with the given values.	false

IngressGateway.spec.http[index].routing.rules[index].modify.rewrite

^{^{↩ Parent}}

Rewrite the HTTP Host or URL or both.

Name	Type	Description	Required
authority	string	Rewrite the Authority/Host header with this value.	false
uri	string	Rewrite the path (or the prefix) portion of the URI with this value.	false

IngressGateway.spec.http[index].routing.rules[index].redirect

^{^{↩ Parent}}

Redirect the request to a different host or URL or both.

Name	Type	Description	Required
authority	string	On a redirect, overwrite the Authority/Host portion of the URL with this value.	false
port	integer	Minimum: 0 Maximum: 4.294967295e+09	false
redirectCode	integer	Minimum: 0 Maximum: 4.294967295e+09	false
scheme	string	On a redirect, overwrite the scheme with this one.	false
uri	string	On a redirect, overwrite the Path portion of the URL with this value.	false

IngressGateway.spec.http[index].routing.rules[index].route

^{^{↩ Parent}}

Forward the request to the specified destination(s).

Name	Type	Description	Required
host	string		false
port	integer	The port on the service to forward the request to. Minimum: 0 Maximum: 4.294967295e+09	false

IngressGateway.spec.http[index].tls

^{^{↩ Parent}}

TLS certificate info.

Name	Type	Description	Required
files	object		false
mode	enum	Enum: DISABLED, SIMPLE, MUTUAL	false
secretName	string		false

IngressGateway.spec.http[index].tls.files

^{^{↩ Parent}}

Name	Type	Required
caCertificates	string	false
privateKey	string	false
serverCertificate	string	false

IngressGateway.spec.http[index].xxxOldAuthentication

^{^{↩ Parent}}

Name	Type	Description	Required
jwt	object		false

IngressGateway.spec.http[index].xxxOldAuthentication.jwt

^{^{↩ Parent}}

Name	Type	Description	Required
audiences	[]string		false
issuer	string	Identifies the issuer that issued the JWT.	false
jwks	string	JSON Web Key Set of public keys to validate signature of the JWT.	false
jwksUri	string		false

IngressGateway.spec.http[index].xxxOldAuthorization

^{^{↩ Parent}}

Name	Type	Description	Required
external	object		false
local	object		false

IngressGateway.spec.http[index].xxxOldAuthorization.external

^{^{↩ Parent}}

Name	Type	Description	Required
includeRequestHeaders	[]string		false
uri	string		false

IngressGateway.spec.http[index].xxxOldAuthorization.local

^{^{↩ Parent}}

Name	Type	Description	Required
rules	[]object		false

IngressGateway.spec.http[index].xxxOldAuthorization.local.rules[index]

^{^{↩ Parent}}

Name	Type	Description	Required
from	[]object		false
name	string	A friendly name to identify the binding.	false
to	[]object		false

IngressGateway.spec.http[index].xxxOldAuthorization.local.rules[index].from[index]

^{^{↩ Parent}}

Name	Type	Description	Required
jwt	object	JWT configuration to identity the subject.	false

IngressGateway.spec.http[index].xxxOldAuthorization.local.rules[index].from[index].jwt

^{^{↩ Parent}}

JWT configuration to identity the subject.

Name	Type	Description	Required
iss	string		false
other	map[string]string	A set of arbitrary claims that are required to qualify the subject.	false
sub	string		false

IngressGateway.spec.http[index].xxxOldAuthorization.local.rules[index].to[index]

^{^{↩ Parent}}

Name	Type	Description	Required
methods	[]string	The HTTP methods that are allowed by this rule.	false
paths	[]string	The request path where the request is made against.	false

IngressGateway.spec.tcp[index]

^{^{↩ Parent}}

Name	Type	Description	Required
hostname	string	Hostname to identify the service.	false
name	string	A name assigned to the server.	false
port	integer	The port where the server is exposed. Minimum: 0 Maximum: 4.294967295e+09	false
route	object	Forward the connection to the specified destination.	false
tls	object		false

IngressGateway.spec.tcp[index].route

^{^{↩ Parent}}

Forward the connection to the specified destination.

Name	Type	Description	Required
host	string		false
port	integer	The port on the service to forward the request to. Minimum: 0 Maximum: 4.294967295e+09	false

IngressGateway.spec.tcp[index].tls

^{^{↩ Parent}}

Name	Type	Description	Required
files	object		false
mode	enum	Enum: DISABLED, SIMPLE, MUTUAL	false
secretName	string		false

IngressGateway.spec.tcp[index].tls.files

^{^{↩ Parent}}

Name	Type	Required
caCertificates	string	false
privateKey	string	false
serverCertificate	string	false

IngressGateway.spec.tlsPassthrough[index]

^{^{↩ Parent}}

Name	Type	Description	Required
hostname	string	Hostname with which the service can be expected to be accessed by clients.	false
name	string	A name assigned to the server.	false
port	integer	The port where the server is exposed. Minimum: 0 Maximum: 4.294967295e+09	false
route	object	Forward the connection to the specified destination.	false

IngressGateway.spec.tlsPassthrough[index].route

^{^{↩ Parent}}

Forward the connection to the specified destination.

Name	Type	Description	Required
host	string		false
port	integer	The port on the service to forward the request to. Minimum: 0 Maximum: 4.294967295e+09	false

IngressGateway.spec.workloadSelector

^{^{↩ Parent}}

Name	Type	Description	Required
labels	map[string]string		false
namespace	string	The namespace where the workload resides.	false

Tier1Gateway

^{^{↩ Parent}}

Name	Type	Description	Required
apiVersion	string	gateway.tsb.tetrate.io/v2	true
kind	string	Tier1Gateway	true
metadata	object	Refer to the Kubernetes API documentation for the fields of the `metadata` field.	true
spec	object	`Tier1Gateway` configures a workload to act as a tier1 gateway into the mesh.	false
status	object		false

Tier1Gateway.spec

^{^{↩ Parent}}

Tier1Gateway configures a workload to act as a tier1 gateway into the mesh.

Name	Type	Description	Required
description	string	A description of the resource.	false
displayName	string	User friendly name for the resource.	false
etag	string	The etag for the resource.	false
externalServers	[]object	One or more servers exposed by the gateway externally.	false
fqn	string	Fully-qualified name of the resource.	false
internalServers	[]object	One or more servers exposed by the gateway internally for cross cluster forwarding.	false
passthroughServers	[]object	One or more tls passthrough servers exposed by the gateway externally.	false
tcpExternalServers	[]object	One or more tcp servers exposed by the gateway externally.	false
tcpInternalServers	[]object	One or more tcp servers exposed by the gateway for mesh internal traffic.	false
workloadSelector	object		false

Tier1Gateway.spec.externalServers[index]

^{^{↩ Parent}}

Name	Type	Description	Required
authentication	object		false
authorization	object	Authorization is used to configure authorization of end users.	false
clusters	[]object		false
hostname	string		false
name	string	A name assigned to the server.	false
port	integer	The port where the server is exposed. Minimum: 0 Maximum: 4.294967295e+09	false
rateLimiting	object	Configuration for rate limiting requests.	false
redirect	object	Redirect allows configuring HTTP redirect.	false
tls	object	TLS certificate info.	false

Tier1Gateway.spec.externalServers[index].authentication

^{^{↩ Parent}}

Name	Type	Description	Required
jwt	object		false

Tier1Gateway.spec.externalServers[index].authentication.jwt

^{^{↩ Parent}}

Name	Type	Description	Required
audiences	[]string		false
issuer	string	Identifies the issuer that issued the JWT.	false
jwks	string	JSON Web Key Set of public keys to validate signature of the JWT.	false
jwksUri	string		false

Tier1Gateway.spec.externalServers[index].authorization

^{^{↩ Parent}}

Authorization is used to configure authorization of end users.

Name	Type	Description	Required
external	object		false
local	object		false

Tier1Gateway.spec.externalServers[index].authorization.external

^{^{↩ Parent}}

Name	Type	Required
includeRequestHeaders	[]string	false
tls	object	false
uri	string	false

Tier1Gateway.spec.externalServers[index].authorization.external.tls

^{^{↩ Parent}}

Name	Type	Description	Required
files	object		false
mode	enum	Enum: DISABLED, SIMPLE, MUTUAL	false
subjectAltNames	[]string		false

Tier1Gateway.spec.externalServers[index].authorization.external.tls.files

^{^{↩ Parent}}

Name	Type	Description	Required
caCertificates	string		false
clientCertificate	string	Certificate file to authenticate the client.	false
privateKey	string	Private key file associated with the client certificate.	false

Tier1Gateway.spec.externalServers[index].authorization.local

^{^{↩ Parent}}

Name	Type	Description	Required
rules	[]object		false

Tier1Gateway.spec.externalServers[index].authorization.local.rules[index]

^{^{↩ Parent}}

Name	Type	Description	Required
from	[]object		false
name	string	A friendly name to identify the binding.	false
to	[]object		false

Tier1Gateway.spec.externalServers[index].authorization.local.rules[index].from[index]

^{^{↩ Parent}}

Name	Type	Description	Required
jwt	object	JWT configuration to identity the subject.	false

Tier1Gateway.spec.externalServers[index].authorization.local.rules[index].from[index].jwt

^{^{↩ Parent}}

JWT configuration to identity the subject.

Name	Type	Description	Required
iss	string		false
other	map[string]string	A set of arbitrary claims that are required to qualify the subject.	false
sub	string		false

Tier1Gateway.spec.externalServers[index].authorization.local.rules[index].to[index]

^{^{↩ Parent}}

Name	Type	Description	Required
methods	[]string	The HTTP methods that are allowed by this rule.	false
paths	[]string	The request path where the request is made against.	false

Tier1Gateway.spec.externalServers[index].clusters[index]

^{^{↩ Parent}}

Name	Type	Description	Required
labels	map[string]string	Labels associated with the cluster.	false
name	string	The name of the destination cluster.	false
network	string	The network associated with the destination clusters.	false
weight	integer	The weight for traffic to a given destination. Minimum: 0 Maximum: 4.294967295e+09	false

Tier1Gateway.spec.externalServers[index].rateLimiting

^{^{↩ Parent}}

Configuration for rate limiting requests.

Name	Type	Description	Required
externalService	object	Configure ratelimiting using an external ratelimit server.	false
settings	object		false

Tier1Gateway.spec.externalServers[index].rateLimiting.externalService

^{^{↩ Parent}}

Configure ratelimiting using an external ratelimit server.

Name	Type	Description	Required
domain	string	The rate limit domain to use when calling the rate limit service.	false
failClosed	boolean		false
rateLimitServerUri	string	The URI at which the external rate limit server can be reached.	false
rules	[]object	A set of rate limit rules.	false
timeout	string	The timeout in seconds for the external rate limit server RPC.	false
tls	object		false

Tier1Gateway.spec.externalServers[index].rateLimiting.externalService.rules[index]

^{^{↩ Parent}}

Name	Type	Description	Required
dimensions	[]object	A list of dimensions that are to be applied for this rate limit configuration.	false

Tier1Gateway.spec.externalServers[index].rateLimiting.externalService.rules[index].dimensions[index]

^{^{↩ Parent}}

Name	Type	Description	Required
destinationCluster	object	Rate limit on destination envoy cluster.	false
headerValueMatch	object	Rate limit on the existence of certain request headers.	false
remoteAddress	object	Rate limit on remote address of client.	false
requestHeaders	object	Rate limit on the value of certain request headers.	false
sourceCluster	object	Rate limit on source envoy cluster.	false

Tier1Gateway.spec.externalServers[index].rateLimiting.externalService.rules[index].dimensions[index].headerValueMatch

^{^{↩ Parent}}

Rate limit on the existence of certain request headers.

Name	Type	Description	Required
descriptorValue	string	The value to use in the descriptor entry.	false
headers	map[string]object		false

Tier1Gateway.spec.externalServers[index].rateLimiting.externalService.rules[index].dimensions[index].headerValueMatch.headers[key]

^{^{↩ Parent}}

Name	Type	Description	Required
exact	string	Exact string match.	false
prefix	string	Prefix-based match.	false
regex	string	ECMAscript style regex-based match.	false

Tier1Gateway.spec.externalServers[index].rateLimiting.externalService.rules[index].dimensions[index].requestHeaders

^{^{↩ Parent}}

Rate limit on the value of certain request headers.

Name	Type	Description	Required
descriptorKey	string	The key to use in the descriptor entry.	false
headerName	string	The header name to be queried from the request headers.	false

Tier1Gateway.spec.externalServers[index].rateLimiting.externalService.tls

^{^{↩ Parent}}

Name	Type	Description	Required
files	object		false
mode	enum	Enum: DISABLED, SIMPLE, MUTUAL	false
subjectAltNames	[]string		false

Tier1Gateway.spec.externalServers[index].rateLimiting.externalService.tls.files

^{^{↩ Parent}}

Name	Type	Description	Required
caCertificates	string		false
clientCertificate	string	Certificate file to authenticate the client.	false
privateKey	string	Private key file associated with the client certificate.	false

Tier1Gateway.spec.externalServers[index].rateLimiting.settings

^{^{↩ Parent}}

Name	Type	Description	Required
failClosed	boolean		false
rules	[]object	A list of rules for ratelimiting.	false
timeout	string	The timeout in seconds for the rate limit server RPC.	false

Tier1Gateway.spec.externalServers[index].rateLimiting.settings.rules[index]

^{^{↩ Parent}}

Name	Type	Description	Required
dimensions	[]object	A list of dimensions to define each ratelimit rule.	false
limit	object	The ratelimit value that will be configured for the above rules.	false

Tier1Gateway.spec.externalServers[index].rateLimiting.settings.rules[index].dimensions[index]

^{^{↩ Parent}}

Name	Type	Description	Required
header	object	Rate limit on certain HTTP headers.	false
remoteAddress	object	Rate limit on the remote address of client.	false

Tier1Gateway.spec.externalServers[index].rateLimiting.settings.rules[index].dimensions[index].header

^{^{↩ Parent}}

Rate limit on certain HTTP headers.

Name	Type	Description	Required
name	string	Name of the header to match on.	false
value	object	Value of the header to match on if matching on a specific value.	false

Tier1Gateway.spec.externalServers[index].rateLimiting.settings.rules[index].dimensions[index].header.value

^{^{↩ Parent}}

Value of the header to match on if matching on a specific value.

Name	Type	Description	Required
exact	string	Exact string match.	false
prefix	string	Prefix-based match.	false
regex	string	ECMAscript style regex-based match.	false

Tier1Gateway.spec.externalServers[index].rateLimiting.settings.rules[index].dimensions[index].remoteAddress

^{^{↩ Parent}}

Rate limit on the remote address of client.

Name	Type	Description	Required
value	string	Ratelimit on a specific remote address.	false

Tier1Gateway.spec.externalServers[index].rateLimiting.settings.rules[index].limit

^{^{↩ Parent}}

The ratelimit value that will be configured for the above rules.

Name	Type	Description	Required
requestsPerUnit	integer	Specifies the value of the rate limit. Minimum: 0 Maximum: 4.294967295e+09	false
unit	enum	Specifies the unit of time for rate limit. Enum: UNKNOWN, SECOND, MINUTE, HOUR, DAY	false

Tier1Gateway.spec.externalServers[index].redirect

^{^{↩ Parent}}

Redirect allows configuring HTTP redirect.

Name	Type	Description	Required
authority	string	On a redirect, overwrite the Authority/Host portion of the URL with this value.	false
port	integer	Minimum: 0 Maximum: 4.294967295e+09	false
redirectCode	integer	Minimum: 0 Maximum: 4.294967295e+09	false
scheme	string	On a redirect, overwrite the scheme with this one.	false
uri	string	On a redirect, overwrite the Path portion of the URL with this value.	false

Tier1Gateway.spec.externalServers[index].tls

^{^{↩ Parent}}

TLS certificate info.

Name	Type	Description	Required
files	object		false
mode	enum	Enum: DISABLED, SIMPLE, MUTUAL	false
secretName	string		false

Tier1Gateway.spec.externalServers[index].tls.files

^{^{↩ Parent}}

Name	Type	Required
caCertificates	string	false
privateKey	string	false
serverCertificate	string	false

Tier1Gateway.spec.internalServers[index]

^{^{↩ Parent}}

Name	Type	Description	Required
authentication	object		false
authorization	object	Authorization is used to configure authorization of end user and traffic.	false
clusters	[]object		false
hostname	string		false
name	string	A name assigned to the server.	false

Tier1Gateway.spec.internalServers[index].authentication

^{^{↩ Parent}}

Name	Type	Description	Required
jwt	object		false

Tier1Gateway.spec.internalServers[index].authentication.jwt

^{^{↩ Parent}}

Name	Type	Description	Required
audiences	[]string		false
issuer	string	Identifies the issuer that issued the JWT.	false
jwks	string	JSON Web Key Set of public keys to validate signature of the JWT.	false
jwksUri	string		false

Tier1Gateway.spec.internalServers[index].authorization

^{^{↩ Parent}}

Authorization is used to configure authorization of end user and traffic.

Name	Type	Description	Required
external	object		false
local	object		false

Tier1Gateway.spec.internalServers[index].authorization.external

^{^{↩ Parent}}

Name	Type	Required
includeRequestHeaders	[]string	false
tls	object	false
uri	string	false

Tier1Gateway.spec.internalServers[index].authorization.external.tls

^{^{↩ Parent}}

Name	Type	Description	Required
files	object		false
mode	enum	Enum: DISABLED, SIMPLE, MUTUAL	false
subjectAltNames	[]string		false

Tier1Gateway.spec.internalServers[index].authorization.external.tls.files

^{^{↩ Parent}}

Name	Type	Description	Required
caCertificates	string		false
clientCertificate	string	Certificate file to authenticate the client.	false
privateKey	string	Private key file associated with the client certificate.	false

Tier1Gateway.spec.internalServers[index].authorization.local

^{^{↩ Parent}}

Name	Type	Description	Required
rules	[]object		false

Tier1Gateway.spec.internalServers[index].authorization.local.rules[index]

^{^{↩ Parent}}

Name	Type	Description	Required
from	[]object		false
name	string	A friendly name to identify the binding.	false
to	[]object		false

Tier1Gateway.spec.internalServers[index].authorization.local.rules[index].from[index]

^{^{↩ Parent}}

Name	Type	Description	Required
jwt	object	JWT configuration to identity the subject.	false

Tier1Gateway.spec.internalServers[index].authorization.local.rules[index].from[index].jwt

^{^{↩ Parent}}

JWT configuration to identity the subject.

Name	Type	Description	Required
iss	string		false
other	map[string]string	A set of arbitrary claims that are required to qualify the subject.	false
sub	string		false

Tier1Gateway.spec.internalServers[index].authorization.local.rules[index].to[index]

^{^{↩ Parent}}

Name	Type	Description	Required
methods	[]string	The HTTP methods that are allowed by this rule.	false
paths	[]string	The request path where the request is made against.	false

Tier1Gateway.spec.internalServers[index].clusters[index]

^{^{↩ Parent}}

Name	Type	Description	Required
labels	map[string]string	Labels associated with the cluster.	false
name	string	The name of the destination cluster.	false
network	string	The network associated with the destination clusters.	false
weight	integer	The weight for traffic to a given destination. Minimum: 0 Maximum: 4.294967295e+09	false

Tier1Gateway.spec.passthroughServers[index]

^{^{↩ Parent}}

Name	Type	Description	Required
clusters	[]object		false
hostname	string		false
name	string	A name assigned to the server.	false
port	integer	The port where the server is exposed. Minimum: 0 Maximum: 4.294967295e+09	false

Tier1Gateway.spec.passthroughServers[index].clusters[index]

^{^{↩ Parent}}

Name	Type	Description	Required
labels	map[string]string	Labels associated with the cluster.	false
name	string	The name of the destination cluster.	false
network	string	The network associated with the destination clusters.	false
weight	integer	The weight for traffic to a given destination. Minimum: 0 Maximum: 4.294967295e+09	false

Tier1Gateway.spec.tcpExternalServers[index]

^{^{↩ Parent}}

Name	Type	Description	Required
clusters	[]object	The destination clusters contain ingress gateways exposing the service.	false
hostname	string		false
name	string	A name assigned to the server.	false
port	integer	The port where the server is exposed. Minimum: 0 Maximum: 4.294967295e+09	false
tls	object	TLS certificate information to terminate TLS.	false

Tier1Gateway.spec.tcpExternalServers[index].clusters[index]

^{^{↩ Parent}}

Name	Type	Description	Required
labels	map[string]string	Labels associated with the cluster.	false
name	string	The name of the destination cluster.	false
network	string	The network associated with the destination clusters.	false
weight	integer	The weight for traffic to a given destination. Minimum: 0 Maximum: 4.294967295e+09	false

Tier1Gateway.spec.tcpExternalServers[index].tls

^{^{↩ Parent}}

TLS certificate information to terminate TLS.

Name	Type	Description	Required
files	object		false
mode	enum	Enum: DISABLED, SIMPLE, MUTUAL	false
secretName	string		false

Tier1Gateway.spec.tcpExternalServers[index].tls.files

^{^{↩ Parent}}

Name	Type	Required
caCertificates	string	false
privateKey	string	false
serverCertificate	string	false

Tier1Gateway.spec.tcpInternalServers[index]

^{^{↩ Parent}}

Name	Type	Description	Required
clusters	[]object	The destination clusters contain ingress gateways exposing the service.	false
hostname	string	The name of the service used.	false
name	string	A name assigned to the server.	false

Tier1Gateway.spec.tcpInternalServers[index].clusters[index]

^{^{↩ Parent}}

Name	Type	Description	Required
labels	map[string]string	Labels associated with the cluster.	false
name	string	The name of the destination cluster.	false
network	string	The network associated with the destination clusters.	false
weight	integer	The weight for traffic to a given destination. Minimum: 0 Maximum: 4.294967295e+09	false

Tier1Gateway.spec.workloadSelector

^{^{↩ Parent}}

Name	Type	Description	Required
labels	map[string]string		false
namespace	string	The namespace where the workload resides.	false

istiointernal.tsb.tetrate.io/v2

Resource Types:

Group

Group

^{^{↩ Parent}}

Name	Type	Description	Required
apiVersion	string	istiointernal.tsb.tetrate.io/v2	true
kind	string	Group	true
metadata	object	Refer to the Kubernetes API documentation for the fields of the `metadata` field.	true
spec	object		false
status	object		false

Group.spec

^{^{↩ Parent}}

Name	Type	Description	Required
description	string	A description of the resource.	false
displayName	string	User friendly name for the resource.	false
etag	string	The etag for the resource.	false
fqn	string	Fully-qualified name of the resource.	false
namespaceSelector	object	Set of namespaces owned exclusively by this group.	false

Group.spec.namespaceSelector

^{^{↩ Parent}}

Set of namespaces owned exclusively by this group.

Name	Type	Description	Required
names	[]string		false

rbac.tsb.tetrate.io/v2

Resource Types:

APInAccessBindings
AccessBindings
ApplicationAccessBindings
GatewayAccessBindings
IstioInternalAccessBindings
OrganizationAccessBindings
Role
SecurityAccessBindings
TenantAccessBindings
TrafficAccessBindings
WorkspaceAccessBindings

APInAccessBindings

^{^{↩ Parent}}

Name	Type	Description	Required
apiVersion	string	rbac.tsb.tetrate.io/v2	true
kind	string	APInAccessBindings	true
metadata	object	Refer to the Kubernetes API documentation for the fields of the `metadata` field.	true
spec	object	`APInAccessBindings` assigns permissions to users of APIs.	false
status	object		false

APInAccessBindings.spec

^{^{↩ Parent}}

APInAccessBindings assigns permissions to users of APIs.

Name	Type	Description	Required
allow	[]object		false
description	string	A description of the resource.	false
etag	string	The etag for the resource.	false
fqn	string	Fully-qualified name of the resource.	false

APInAccessBindings.spec.allow[index]

^{^{↩ Parent}}

Name	Type	Description	Required
role	string		false
subjects	[]object		false

APInAccessBindings.spec.allow[index].subjects[index]

^{^{↩ Parent}}

Name	Type	Description	Required
serviceAccount	string	A service account in TSB.	false
team	string	A team in TSB, created through LDAP sync or API.	false
user	string	A user in TSB, created through LDAP sync or API.	false

AccessBindings

^{^{↩ Parent}}

Name	Type	Description	Required
apiVersion	string	rbac.tsb.tetrate.io/v2	true
kind	string	AccessBindings	true
metadata	object	Refer to the Kubernetes API documentation for the fields of the `metadata` field.	true
spec	object	`AccessBindings` assigns permissions to users of any TSB resource.	false
status	object		false

AccessBindings.spec

^{^{↩ Parent}}

AccessBindings assigns permissions to users of any TSB resource.

Name	Type	Description	Required
allow	[]object		false
description	string	A description of the resource.	false
etag	string	The etag for the resource.	false

AccessBindings.spec.allow[index]

^{^{↩ Parent}}

Name	Type	Description	Required
role	string		false
subjects	[]object		false

AccessBindings.spec.allow[index].subjects[index]

^{^{↩ Parent}}

Name	Type	Description	Required
serviceAccount	string	A service account in TSB.	false
team	string	A team in TSB, created through LDAP sync or API.	false
user	string	A user in TSB, created through LDAP sync or API.	false

ApplicationAccessBindings

^{^{↩ Parent}}

Name	Type	Description	Required
apiVersion	string	rbac.tsb.tetrate.io/v2	true
kind	string	ApplicationAccessBindings	true
metadata	object	Refer to the Kubernetes API documentation for the fields of the `metadata` field.	true
spec	object	`ApplicationAccessBindings` assigns permissions to users of applications.	false
status	object		false

ApplicationAccessBindings.spec

^{^{↩ Parent}}

ApplicationAccessBindings assigns permissions to users of applications.

Name	Type	Description	Required
allow	[]object		false
description	string	A description of the resource.	false
etag	string	The etag for the resource.	false
fqn	string	Fully-qualified name of the resource.	false

ApplicationAccessBindings.spec.allow[index]

^{^{↩ Parent}}

Name	Type	Description	Required
role	string		false
subjects	[]object		false

ApplicationAccessBindings.spec.allow[index].subjects[index]

^{^{↩ Parent}}

Name	Type	Description	Required
serviceAccount	string	A service account in TSB.	false
team	string	A team in TSB, created through LDAP sync or API.	false
user	string	A user in TSB, created through LDAP sync or API.	false

GatewayAccessBindings

^{^{↩ Parent}}

Name	Type	Description	Required
apiVersion	string	rbac.tsb.tetrate.io/v2	true
kind	string	GatewayAccessBindings	true
metadata	object	Refer to the Kubernetes API documentation for the fields of the `metadata` field.	true
spec	object	`GatewayAccessBindings` assigns permissions to users of gateway groups.	false
status	object		false

GatewayAccessBindings.spec

^{^{↩ Parent}}

GatewayAccessBindings assigns permissions to users of gateway groups.

Name	Type	Description	Required
allow	[]object		false
description	string	A description of the resource.	false
etag	string	The etag for the resource.	false
fqn	string	Fully-qualified name of the resource.	false

GatewayAccessBindings.spec.allow[index]

^{^{↩ Parent}}

Name	Type	Description	Required
role	string		false
subjects	[]object		false

GatewayAccessBindings.spec.allow[index].subjects[index]

^{^{↩ Parent}}

Name	Type	Description	Required
serviceAccount	string	A service account in TSB.	false
team	string	A team in TSB, created through LDAP sync or API.	false
user	string	A user in TSB, created through LDAP sync or API.	false

IstioInternalAccessBindings

^{^{↩ Parent}}

Name	Type	Description	Required
apiVersion	string	rbac.tsb.tetrate.io/v2	true
kind	string	IstioInternalAccessBindings	true
metadata	object	Refer to the Kubernetes API documentation for the fields of the `metadata` field.	true
spec	object	`IstioInternalAccessBindings` assigns permissions to users of istio internal groups.	false
status	object		false

IstioInternalAccessBindings.spec

^{^{↩ Parent}}

IstioInternalAccessBindings assigns permissions to users of istio internal groups.

Name	Type	Description	Required
allow	[]object		false
description	string	A description of the resource.	false
etag	string	The etag for the resource.	false
fqn	string	Fully-qualified name of the resource.	false

IstioInternalAccessBindings.spec.allow[index]

^{^{↩ Parent}}

Name	Type	Description	Required
role	string		false
subjects	[]object		false

IstioInternalAccessBindings.spec.allow[index].subjects[index]

^{^{↩ Parent}}

Name	Type	Description	Required
serviceAccount	string	A service account in TSB.	false
team	string	A team in TSB, created through LDAP sync or API.	false
user	string	A user in TSB, created through LDAP sync or API.	false

OrganizationAccessBindings

^{^{↩ Parent}}

Name	Type	Description	Required
apiVersion	string	rbac.tsb.tetrate.io/v2	true
kind	string	OrganizationAccessBindings	true
metadata	object	Refer to the Kubernetes API documentation for the fields of the `metadata` field.	true
spec	object	`OrganizationAccessBindings` assigns permissions to users of organizations.	false
status	object		false

OrganizationAccessBindings.spec

^{^{↩ Parent}}

OrganizationAccessBindings assigns permissions to users of organizations.

Name	Type	Description	Required
allow	[]object		false
description	string	A description of the resource.	false
etag	string	The etag for the resource.	false
fqn	string	Fully-qualified name of the resource.	false

OrganizationAccessBindings.spec.allow[index]

^{^{↩ Parent}}

Name	Type	Description	Required
role	string		false
subjects	[]object		false

OrganizationAccessBindings.spec.allow[index].subjects[index]

^{^{↩ Parent}}

Name	Type	Description	Required
serviceAccount	string	A service account in TSB.	false
team	string	A team in TSB, created through LDAP sync or API.	false
user	string	A user in TSB, created through LDAP sync or API.	false

Role

^{^{↩ Parent}}

Name	Type	Description	Required
apiVersion	string	rbac.tsb.tetrate.io/v2	true
kind	string	Role	true
metadata	object	Refer to the Kubernetes API documentation for the fields of the `metadata` field.	true
spec	object		false
status	object		false

Role.spec

^{^{↩ Parent}}

Name	Type	Description	Required
description	string	A description of the resource.	false
displayName	string	User friendly name for the resource.	false
etag	string	The etag for the resource.	false
fqn	string	Fully-qualified name of the resource.	false
rules	[]object	A set of rules that define the permissions associated with each API group.	false

Role.spec.rules[index]

^{^{↩ Parent}}

Name	Type	Description	Required
permissions	[]enum	The set of actions allowed for these APIs.	false
types	[]object	The set of API groups and the api Kinds within the group on which this rule is applicable.	false

Role.spec.rules[index].types[index]

^{^{↩ Parent}}

Name	Type	Description	Required
apiGroup	string	A specific API group such as traffic.tsb.tetrate.io/v2.	false
kinds	[]string	Specific kinds of APIs under the API group.	false

SecurityAccessBindings

^{^{↩ Parent}}

Name	Type	Description	Required
apiVersion	string	rbac.tsb.tetrate.io/v2	true
kind	string	SecurityAccessBindings	true
metadata	object	Refer to the Kubernetes API documentation for the fields of the `metadata` field.	true
spec	object	`SecurityAccessBindings` assigns permissions to users of security groups.	false
status	object		false

SecurityAccessBindings.spec

^{^{↩ Parent}}

SecurityAccessBindings assigns permissions to users of security groups.

Name	Type	Description	Required
allow	[]object		false
description	string	A description of the resource.	false
etag	string	The etag for the resource.	false
fqn	string	Fully-qualified name of the resource.	false

SecurityAccessBindings.spec.allow[index]

^{^{↩ Parent}}

Name	Type	Description	Required
role	string		false
subjects	[]object		false

SecurityAccessBindings.spec.allow[index].subjects[index]

^{^{↩ Parent}}

Name	Type	Description	Required
serviceAccount	string	A service account in TSB.	false
team	string	A team in TSB, created through LDAP sync or API.	false
user	string	A user in TSB, created through LDAP sync or API.	false

TenantAccessBindings

^{^{↩ Parent}}

Name	Type	Description	Required
apiVersion	string	rbac.tsb.tetrate.io/v2	true
kind	string	TenantAccessBindings	true
metadata	object	Refer to the Kubernetes API documentation for the fields of the `metadata` field.	true
spec	object	`TenantAccessBindings` assigns permissions to users of tenants.	false
status	object		false

TenantAccessBindings.spec

^{^{↩ Parent}}

TenantAccessBindings assigns permissions to users of tenants.

Name	Type	Description	Required
allow	[]object		false
description	string	A description of the resource.	false
etag	string	The etag for the resource.	false
fqn	string	Fully-qualified name of the resource.	false

TenantAccessBindings.spec.allow[index]

^{^{↩ Parent}}

Name	Type	Description	Required
role	string		false
subjects	[]object		false

TenantAccessBindings.spec.allow[index].subjects[index]

^{^{↩ Parent}}

Name	Type	Description	Required
serviceAccount	string	A service account in TSB.	false
team	string	A team in TSB, created through LDAP sync or API.	false
user	string	A user in TSB, created through LDAP sync or API.	false

TrafficAccessBindings

^{^{↩ Parent}}

Name	Type	Description	Required
apiVersion	string	rbac.tsb.tetrate.io/v2	true
kind	string	TrafficAccessBindings	true
metadata	object	Refer to the Kubernetes API documentation for the fields of the `metadata` field.	true
spec	object	`TrafficAccessBindings` assigns permissions to users of traffic groups.	false
status	object		false

TrafficAccessBindings.spec

^{^{↩ Parent}}

TrafficAccessBindings assigns permissions to users of traffic groups.

Name	Type	Description	Required
allow	[]object		false
description	string	A description of the resource.	false
etag	string	The etag for the resource.	false
fqn	string	Fully-qualified name of the resource.	false

TrafficAccessBindings.spec.allow[index]

^{^{↩ Parent}}

Name	Type	Description	Required
role	string		false
subjects	[]object		false

TrafficAccessBindings.spec.allow[index].subjects[index]

^{^{↩ Parent}}

Name	Type	Description	Required
serviceAccount	string	A service account in TSB.	false
team	string	A team in TSB, created through LDAP sync or API.	false
user	string	A user in TSB, created through LDAP sync or API.	false

WorkspaceAccessBindings

^{^{↩ Parent}}

Name	Type	Description	Required
apiVersion	string	rbac.tsb.tetrate.io/v2	true
kind	string	WorkspaceAccessBindings	true
metadata	object	Refer to the Kubernetes API documentation for the fields of the `metadata` field.	true
spec	object	`WorkspaceAccessBindings` assigns permissions to users of workspaces.	false
status	object		false

WorkspaceAccessBindings.spec

^{^{↩ Parent}}

WorkspaceAccessBindings assigns permissions to users of workspaces.

Name	Type	Description	Required
allow	[]object		false
description	string	A description of the resource.	false
etag	string	The etag for the resource.	false
fqn	string	Fully-qualified name of the resource.	false

WorkspaceAccessBindings.spec.allow[index]

^{^{↩ Parent}}

Name	Type	Description	Required
role	string		false
subjects	[]object		false

WorkspaceAccessBindings.spec.allow[index].subjects[index]

^{^{↩ Parent}}

Name	Type	Description	Required
serviceAccount	string	A service account in TSB.	false
team	string	A team in TSB, created through LDAP sync or API.	false
user	string	A user in TSB, created through LDAP sync or API.	false

security.tsb.tetrate.io/v2

Resource Types:

Group
SecuritySetting

Group

^{^{↩ Parent}}

Name	Type	Description	Required
apiVersion	string	security.tsb.tetrate.io/v2	true
kind	string	Group	true
metadata	object	Refer to the Kubernetes API documentation for the fields of the `metadata` field.	true
spec	object		false
status	object		false

Group.spec

^{^{↩ Parent}}

Name	Type	Description	Required
configMode	enum	Enum: BRIDGED, DIRECT	false
description	string	A description of the resource.	false
displayName	string	User friendly name for the resource.	false
etag	string	The etag for the resource.	false
fqn	string	Fully-qualified name of the resource.	false
namespaceSelector	object	Set of namespaces owned exclusively by this group.	false

Group.spec.namespaceSelector

^{^{↩ Parent}}

Set of namespaces owned exclusively by this group.

Name	Type	Description	Required
names	[]string		false

SecuritySetting

^{^{↩ Parent}}

Name	Type	Description	Required
apiVersion	string	security.tsb.tetrate.io/v2	true
kind	string	SecuritySetting	true
metadata	object	Refer to the Kubernetes API documentation for the fields of the `metadata` field.	true
spec	object		false
status	object		false

SecuritySetting.spec

^{^{↩ Parent}}

Name	Type	Description	Required
authentication	enum	Enum: UNSET, OPTIONAL, REQUIRED	false
authenticationSettings	object		false
authorization	object		false
description	string	A description of the resource.	false
displayName	string	User friendly name for the resource.	false
etag	string	The etag for the resource.	false
fqn	string	Fully-qualified name of the resource.	false
propagationStrategy	enum	Enum: REPLACE, STRICTER	false
wafSettings	object	NOTICE: this feature is in alpha stage and under active development.	false

SecuritySetting.spec.authenticationSettings

^{^{↩ Parent}}

Name	Type	Description	Required
http	object		false
trafficMode	enum	Enum: UNSET, OPTIONAL, REQUIRED	false

SecuritySetting.spec.authenticationSettings.http

^{^{↩ Parent}}

Name	Type	Description	Required
jwt	object		false

SecuritySetting.spec.authenticationSettings.http.jwt

^{^{↩ Parent}}

Name	Type	Description	Required
audiences	[]string		false
issuer	string	Identifies the issuer that issued the JWT.	false
jwks	string	JSON Web Key Set of public keys to validate signature of the JWT.	false
jwksUri	string		false

SecuritySetting.spec.authorization

^{^{↩ Parent}}

Name	Type	Description	Required
http	object	This is for configuring HTTP request authorization.	false
mode	enum	A short cut for specifying the set of allowed callers. Enum: UNSET, NAMESPACE, GROUP, WORKSPACE, CLUSTER, DISABLED, CUSTOM, RULES	false
rules	object		false
serviceAccounts	[]string		false

SecuritySetting.spec.authorization.http

^{^{↩ Parent}}

This is for configuring HTTP request authorization.

Name	Type	Description	Required
external	object		false
local	object		false

SecuritySetting.spec.authorization.http.external

^{^{↩ Parent}}

Name	Type	Required
includeRequestHeaders	[]string	false
tls	object	false
uri	string	false

SecuritySetting.spec.authorization.http.external.tls

^{^{↩ Parent}}

Name	Type	Description	Required
files	object		false
mode	enum	Enum: DISABLED, SIMPLE, MUTUAL	false
subjectAltNames	[]string		false

SecuritySetting.spec.authorization.http.external.tls.files

^{^{↩ Parent}}

Name	Type	Description	Required
caCertificates	string		false
clientCertificate	string	Certificate file to authenticate the client.	false
privateKey	string	Private key file associated with the client certificate.	false

SecuritySetting.spec.authorization.http.local

^{^{↩ Parent}}

Name	Type	Description	Required
rules	[]object		false

SecuritySetting.spec.authorization.http.local.rules[index]

^{^{↩ Parent}}

Name	Type	Description	Required
from	[]object		false
name	string	A friendly name to identify the binding.	false
to	[]object		false

SecuritySetting.spec.authorization.http.local.rules[index].from[index]

^{^{↩ Parent}}

Name	Type	Description	Required
jwt	object	JWT configuration to identity the subject.	false

SecuritySetting.spec.authorization.http.local.rules[index].from[index].jwt

^{^{↩ Parent}}

JWT configuration to identity the subject.

Name	Type	Description	Required
iss	string		false
other	map[string]string	A set of arbitrary claims that are required to qualify the subject.	false
sub	string		false

SecuritySetting.spec.authorization.http.local.rules[index].to[index]

^{^{↩ Parent}}

Name	Type	Description	Required
methods	[]string	The HTTP methods that are allowed by this rule.	false
paths	[]string	The request path where the request is made against.	false

SecuritySetting.spec.authorization.rules

^{^{↩ Parent}}

Name	Type	Description	Required
allow	[]object	Allow specifies a list of rules.	false
deny	[]object	Deny specifies a list of rules.	false
denyAll	boolean	Deny all specifies whether all requests should be rejected.	false

SecuritySetting.spec.authorization.rules.allow[index]

^{^{↩ Parent}}

Name	Type	Description	Required
from	object	From specifies the source of a request.	false
to	object	To specifies the destination of a request.	false

SecuritySetting.spec.authorization.rules.allow[index].from

^{^{↩ Parent}}

From specifies the source of a request.

Name	Type	Description	Required
fqn	string	The target resource identified by FQN which will be the source of a request.	false

SecuritySetting.spec.authorization.rules.allow[index].to

^{^{↩ Parent}}

To specifies the destination of a request.

Name	Type	Description	Required
fqn	string	The target resource identified by FQN which will be the destination of a request.	false

SecuritySetting.spec.authorization.rules.deny[index]

^{^{↩ Parent}}

Name	Type	Description	Required
from	object	From specifies the source of a request.	false
to	object	To specifies the destination of a request.	false

SecuritySetting.spec.authorization.rules.deny[index].from

^{^{↩ Parent}}

From specifies the source of a request.

Name	Type	Description	Required
fqn	string	The target resource identified by FQN which will be the source of a request.	false

SecuritySetting.spec.authorization.rules.deny[index].to

^{^{↩ Parent}}

To specifies the destination of a request.

Name	Type	Description	Required
fqn	string	The target resource identified by FQN which will be the destination of a request.	false

SecuritySetting.spec.wafSettings

^{^{↩ Parent}}

NOTICE: this feature is in alpha stage and under active development.

Name	Type	Description	Required
ruleEngineMode	enum	Ad-hoc settings to switch ModSecurity engine mode. Enum: OFF, ON, DETECTION_ONLY	false
ruleSets	[]string	Rulesets to enable.	false

traffic.tsb.tetrate.io/v2

Resource Types:

Group
ServiceRoute
TrafficSetting

Group

^{^{↩ Parent}}

Name	Type	Description	Required
apiVersion	string	traffic.tsb.tetrate.io/v2	true
kind	string	Group	true
metadata	object	Refer to the Kubernetes API documentation for the fields of the `metadata` field.	true
spec	object		false
status	object		false

Group.spec

^{^{↩ Parent}}

Name	Type	Description	Required
configMode	enum	Enum: BRIDGED, DIRECT	false
description	string	A description of the resource.	false
displayName	string	User friendly name for the resource.	false
etag	string	The etag for the resource.	false
fqn	string	Fully-qualified name of the resource.	false
namespaceSelector	object	Set of namespaces owned exclusively by this group.	false

Group.spec.namespaceSelector

^{^{↩ Parent}}

Set of namespaces owned exclusively by this group.

Name	Type	Description	Required
names	[]string		false

ServiceRoute

^{^{↩ Parent}}

Name	Type	Description	Required
apiVersion	string	traffic.tsb.tetrate.io/v2	true
kind	string	ServiceRoute	true
metadata	object	Refer to the Kubernetes API documentation for the fields of the `metadata` field.	true
spec	object		false
status	object		false

ServiceRoute.spec

^{^{↩ Parent}}

Name	Type	Description	Required
description	string	A description of the resource.	false
displayName	string	User friendly name for the resource.	false
etag	string	The etag for the resource.	false
fqn	string	Fully-qualified name of the resource.	false
httpRoutes	[]object		false
portLevelSettings	[]object	In order to support multi-protocol routing, a list of all port/protocol combinations is needed.	false
service	string	The service on which the configuration is being applied.	false
stickySession	object		false
subsets	[]object		false
tcpRoutes	[]object	TCPRoutes match TCP traffic based on port number.	false

ServiceRoute.spec.httpRoutes[index]

^{^{↩ Parent}}

Name	Type	Required
destination	[]object	false
match	[]object	false
name	string	false

ServiceRoute.spec.httpRoutes[index].destination[index]

^{^{↩ Parent}}

Name	Type	Description	Required
destinationHost	string	Service host where traffic should be routed to.	false
port	integer	Minimum: 0 Maximum: 4.294967295e+09	false
subset	string		false
weight	integer	Minimum: 0 Maximum: 4.294967295e+09	false

ServiceRoute.spec.httpRoutes[index].match[index]

^{^{↩ Parent}}

Name	Type	Description	Required
headers	map[string]object		false
name	string		false
port	integer	Minimum: 0 Maximum: 4.294967295e+09	false
uri	object		false

ServiceRoute.spec.httpRoutes[index].match[index].headers[key]

^{^{↩ Parent}}

Name	Type	Description	Required
exact	string	Exact string match.	false
prefix	string	Prefix-based match.	false
regex	string	ECMAscript style regex-based match.	false

ServiceRoute.spec.httpRoutes[index].match[index].uri

^{^{↩ Parent}}

Name	Type	Description	Required
exact	string	Exact string match.	false
prefix	string	Prefix-based match.	false
regex	string	ECMAscript style regex-based match.	false

ServiceRoute.spec.portLevelSettings[index]

^{^{↩ Parent}}

Name	Type	Description	Required
port	integer	Minimum: 0 Maximum: 4.294967295e+09	false
stickySession	object		false
trafficType	enum	Enum: HTTP, TCP, TLS_PASSTHROUGH	false

ServiceRoute.spec.portLevelSettings[index].stickySession

^{^{↩ Parent}}

Name	Type	Description	Required
cookie	object	Hash based on HTTP cookie.	false
header	string	Hash based on a specific HTTP header.	false
useSourceIp	boolean	Hash based on the source IP address.	false

ServiceRoute.spec.portLevelSettings[index].stickySession.cookie

^{^{↩ Parent}}

Hash based on HTTP cookie.

Name	Type	Description	Required
name	string	Name of the cookie.	false
path	string	Path to set for the cookie.	false
ttl	string	Lifetime of the cookie.	false

ServiceRoute.spec.stickySession

^{^{↩ Parent}}

Name	Type	Description	Required
cookie	object	Hash based on HTTP cookie.	false
header	string	Hash based on a specific HTTP header.	false
useSourceIp	boolean	Hash based on the source IP address.	false

ServiceRoute.spec.stickySession.cookie

^{^{↩ Parent}}

Hash based on HTTP cookie.

Name	Type	Description	Required
name	string	Name of the cookie.	false
path	string	Path to set for the cookie.	false
ttl	string	Lifetime of the cookie.	false

ServiceRoute.spec.subsets[index]

^{^{↩ Parent}}

Name	Type	Description	Required
labels	map[string]string	Labels apply a filter over the endpoints of a service in the service registry.	false
name	string	Name used to refer to the subset.	false
portLevelSettings	[]object		false
weight	integer	Percentage of traffic to be sent to this subset. Minimum: 0 Maximum: 4.294967295e+09	false

ServiceRoute.spec.subsets[index].portLevelSettings[index]

^{^{↩ Parent}}

Name	Type	Description	Required
port	integer	Minimum: 0 Maximum: 4.294967295e+09	false
stickySession	object		false
trafficType	enum	Enum: HTTP, TCP, TLS_PASSTHROUGH	false

ServiceRoute.spec.subsets[index].portLevelSettings[index].stickySession

^{^{↩ Parent}}

Name	Type	Description	Required
cookie	object	Hash based on HTTP cookie.	false
header	string	Hash based on a specific HTTP header.	false
useSourceIp	boolean	Hash based on the source IP address.	false

ServiceRoute.spec.subsets[index].portLevelSettings[index].stickySession.cookie

^{^{↩ Parent}}

Hash based on HTTP cookie.

Name	Type	Description	Required
name	string	Name of the cookie.	false
path	string	Path to set for the cookie.	false
ttl	string	Lifetime of the cookie.	false

ServiceRoute.spec.tcpRoutes[index]

^{^{↩ Parent}}

Name	Type	Required
destination	[]object	false
match	[]object	false
name	string	false

ServiceRoute.spec.tcpRoutes[index].destination[index]

^{^{↩ Parent}}

Name	Type	Description	Required
destinationHost	string	Service host where traffic should be routed to.	false
port	integer	Minimum: 0 Maximum: 4.294967295e+09	false
subset	string		false
weight	integer	Minimum: 0 Maximum: 4.294967295e+09	false

ServiceRoute.spec.tcpRoutes[index].match[index]

^{^{↩ Parent}}

Name	Type	Description	Required
name	string		false
port	integer	Minimum: 0 Maximum: 4.294967295e+09	false

TrafficSetting

^{^{↩ Parent}}

Name	Type	Description	Required
apiVersion	string	traffic.tsb.tetrate.io/v2	true
kind	string	TrafficSetting	true
metadata	object	Refer to the Kubernetes API documentation for the fields of the `metadata` field.	true
spec	object		false
status	object		false

TrafficSetting.spec

^{^{↩ Parent}}

Name	Type	Description	Required
description	string	A description of the resource.	false
displayName	string	User friendly name for the resource.	false
egress	object		false
etag	string	The etag for the resource.	false
fqn	string	Fully-qualified name of the resource.	false
rateLimiting	object	Configuration for rate limiting requests.	false
reachability	object		false
resilience	object		false

TrafficSetting.spec.egress

^{^{↩ Parent}}

Name	Type	Description	Required
host	string	Specifies the egress gateway hostname.	false
port	integer	Deprecated. Format: int32	false

TrafficSetting.spec.rateLimiting

^{^{↩ Parent}}

Configuration for rate limiting requests.

Name	Type	Description	Required
externalService	object	Configure ratelimiting using an external ratelimit server.	false
settings	object		false

TrafficSetting.spec.rateLimiting.externalService

^{^{↩ Parent}}

Configure ratelimiting using an external ratelimit server.

Name	Type	Description	Required
domain	string	The rate limit domain to use when calling the rate limit service.	false
failClosed	boolean		false
rateLimitServerUri	string	The URI at which the external rate limit server can be reached.	false
rules	[]object	A set of rate limit rules.	false
timeout	string	The timeout in seconds for the external rate limit server RPC.	false
tls	object		false

TrafficSetting.spec.rateLimiting.externalService.rules[index]

^{^{↩ Parent}}

Name	Type	Description	Required
dimensions	[]object	A list of dimensions that are to be applied for this rate limit configuration.	false

TrafficSetting.spec.rateLimiting.externalService.rules[index].dimensions[index]

^{^{↩ Parent}}

Name	Type	Description	Required
destinationCluster	object	Rate limit on destination envoy cluster.	false
headerValueMatch	object	Rate limit on the existence of certain request headers.	false
remoteAddress	object	Rate limit on remote address of client.	false
requestHeaders	object	Rate limit on the value of certain request headers.	false
sourceCluster	object	Rate limit on source envoy cluster.	false

TrafficSetting.spec.rateLimiting.externalService.rules[index].dimensions[index].headerValueMatch

^{^{↩ Parent}}

Rate limit on the existence of certain request headers.

Name	Type	Description	Required
descriptorValue	string	The value to use in the descriptor entry.	false
headers	map[string]object		false

TrafficSetting.spec.rateLimiting.externalService.rules[index].dimensions[index].headerValueMatch.headers[key]

^{^{↩ Parent}}

Name	Type	Description	Required
exact	string	Exact string match.	false
prefix	string	Prefix-based match.	false
regex	string	ECMAscript style regex-based match.	false

TrafficSetting.spec.rateLimiting.externalService.rules[index].dimensions[index].requestHeaders

^{^{↩ Parent}}

Rate limit on the value of certain request headers.

Name	Type	Description	Required
descriptorKey	string	The key to use in the descriptor entry.	false
headerName	string	The header name to be queried from the request headers.	false

TrafficSetting.spec.rateLimiting.externalService.tls

^{^{↩ Parent}}

Name	Type	Description	Required
files	object		false
mode	enum	Enum: DISABLED, SIMPLE, MUTUAL	false
subjectAltNames	[]string		false

TrafficSetting.spec.rateLimiting.externalService.tls.files

^{^{↩ Parent}}

Name	Type	Description	Required
caCertificates	string		false
clientCertificate	string	Certificate file to authenticate the client.	false
privateKey	string	Private key file associated with the client certificate.	false

TrafficSetting.spec.rateLimiting.settings

^{^{↩ Parent}}

Name	Type	Description	Required
failClosed	boolean		false
rules	[]object	A list of rules for ratelimiting.	false
timeout	string	The timeout in seconds for the rate limit server RPC.	false

TrafficSetting.spec.rateLimiting.settings.rules[index]

^{^{↩ Parent}}

Name	Type	Description	Required
dimensions	[]object	A list of dimensions to define each ratelimit rule.	false
limit	object	The ratelimit value that will be configured for the above rules.	false

TrafficSetting.spec.rateLimiting.settings.rules[index].dimensions[index]

^{^{↩ Parent}}

Name	Type	Description	Required
header	object	Rate limit on certain HTTP headers.	false
remoteAddress	object	Rate limit on the remote address of client.	false

TrafficSetting.spec.rateLimiting.settings.rules[index].dimensions[index].header

^{^{↩ Parent}}

Rate limit on certain HTTP headers.

Name	Type	Description	Required
name	string	Name of the header to match on.	false
value	object	Value of the header to match on if matching on a specific value.	false

TrafficSetting.spec.rateLimiting.settings.rules[index].dimensions[index].header.value

^{^{↩ Parent}}

Value of the header to match on if matching on a specific value.

Name	Type	Description	Required
exact	string	Exact string match.	false
prefix	string	Prefix-based match.	false
regex	string	ECMAscript style regex-based match.	false

TrafficSetting.spec.rateLimiting.settings.rules[index].dimensions[index].remoteAddress

^{^{↩ Parent}}

Rate limit on the remote address of client.

Name	Type	Description	Required
value	string	Ratelimit on a specific remote address.	false

TrafficSetting.spec.rateLimiting.settings.rules[index].limit

^{^{↩ Parent}}

The ratelimit value that will be configured for the above rules.

Name	Type	Description	Required
requestsPerUnit	integer	Specifies the value of the rate limit. Minimum: 0 Maximum: 4.294967295e+09	false
unit	enum	Specifies the unit of time for rate limit. Enum: UNKNOWN, SECOND, MINUTE, HOUR, DAY	false

TrafficSetting.spec.reachability

^{^{↩ Parent}}

Name	Type	Description	Required
hosts	[]string		false
mode	enum	A short cut for specifying the set of services accessed by the workload. Enum: UNSET, NAMESPACE, GROUP, WORKSPACE, CLUSTER, CUSTOM	false

TrafficSetting.spec.resilience

^{^{↩ Parent}}

Name	Type	Description	Required
circuitBreakerSensitivity	enum	Enum: UNSET, LOW, MEDIUM, HIGH	false
httpRequestTimeout	string	Timeout for HTTP requests.	false
httpRetries	object	Retry policy for HTTP requests.	false
keepAlive	object	Keep Alive Settings.	false
tcpKeepalive	boolean	Deprecated.	false

TrafficSetting.spec.resilience.httpRetries

^{^{↩ Parent}}

Retry policy for HTTP requests.

Name	Type	Description	Required
attempts	integer	Number of retries for a given request. Format: int32	false
perTryTimeout	string	Timeout per retry attempt for a given request.	false
retryOn	string	Specifies the conditions under which retry takes place.	false

TrafficSetting.spec.resilience.keepAlive

^{^{↩ Parent}}

Keep Alive Settings.

Name	Type	Description	Required
tcp	object	TCP Keep Alive settings associated with the upstream and downstream TCP connections.	false

TrafficSetting.spec.resilience.keepAlive.tcp

^{^{↩ Parent}}

TCP Keep Alive settings associated with the upstream and downstream TCP connections.

Name	Type	Description	Required
downstream	object	TCP Keep Alive Settings associated with the downstream (client) connection.	false
upstream	object	TCP Keep Alive Settings associated with the upstream (backend) connection.	false

TrafficSetting.spec.resilience.keepAlive.tcp.downstream

^{^{↩ Parent}}

TCP Keep Alive Settings associated with the downstream (client) connection.

Name	Type	Description	Required
idleTime	integer	Minimum: 0 Maximum: 4.294967295e+09	false
interval	integer	The number of seconds between keep-alive probes. Minimum: 0 Maximum: 4.294967295e+09	false
probes	integer	Minimum: 0 Maximum: 4.294967295e+09	false

TrafficSetting.spec.resilience.keepAlive.tcp.upstream

^{^{↩ Parent}}

TCP Keep Alive Settings associated with the upstream (backend) connection.

Name	Type	Description	Required
idleTime	integer	Minimum: 0 Maximum: 4.294967295e+09	false
interval	integer	The number of seconds between keep-alive probes. Minimum: 0 Maximum: 4.294967295e+09	false
probes	integer	Minimum: 0 Maximum: 4.294967295e+09	false

API Reference

tsb.tetrate.io/v2​

Cluster​

Cluster.spec​

Cluster.spec.locality​

Cluster.spec.namespaceScope​

Cluster.spec.namespaces[index]​

Cluster.spec.namespaces[index].services[index]​

Cluster.spec.namespaces[index].services[index].ports[index]​

Cluster.spec.namespaces[index].services[index].workloads[index]​

Cluster.spec.namespaces[index].services[index].workloads[index].proxy​

Cluster.spec.state​

Organization​

Organization.spec​

OrganizationSetting​

OrganizationSetting.spec​

OrganizationSetting.spec.defaultSecuritySetting​

OrganizationSetting.spec.defaultSecuritySetting.authenticationSettings​

OrganizationSetting.spec.defaultSecuritySetting.authenticationSettings.http​

OrganizationSetting.spec.defaultSecuritySetting.authenticationSettings.http.jwt​

OrganizationSetting.spec.defaultSecuritySetting.authorization​

OrganizationSetting.spec.defaultSecuritySetting.authorization.http​

OrganizationSetting.spec.defaultSecuritySetting.authorization.http.external​

OrganizationSetting.spec.defaultSecuritySetting.authorization.http.external.tls​

OrganizationSetting.spec.defaultSecuritySetting.authorization.http.external.tls.files​

OrganizationSetting.spec.defaultSecuritySetting.authorization.http.local​

OrganizationSetting.spec.defaultSecuritySetting.authorization.http.local.rules[index]​

OrganizationSetting.spec.defaultSecuritySetting.authorization.http.local.rules[index].from[index]​

OrganizationSetting.spec.defaultSecuritySetting.authorization.http.local.rules[index].from[index].jwt​

OrganizationSetting.spec.defaultSecuritySetting.authorization.http.local.rules[index].to[index]​

OrganizationSetting.spec.defaultSecuritySetting.authorization.rules​

OrganizationSetting.spec.defaultSecuritySetting.authorization.rules.allow[index]​

OrganizationSetting.spec.defaultSecuritySetting.authorization.rules.allow[index].from​

OrganizationSetting.spec.defaultSecuritySetting.authorization.rules.allow[index].to​

OrganizationSetting.spec.defaultSecuritySetting.authorization.rules.deny[index]​

OrganizationSetting.spec.defaultSecuritySetting.authorization.rules.deny[index].from​

OrganizationSetting.spec.defaultSecuritySetting.authorization.rules.deny[index].to​

OrganizationSetting.spec.defaultSecuritySetting.wafSettings​

OrganizationSetting.spec.defaultTrafficSetting​

OrganizationSetting.spec.defaultTrafficSetting.egress​

OrganizationSetting.spec.defaultTrafficSetting.rateLimiting​

OrganizationSetting.spec.defaultTrafficSetting.rateLimiting.externalService​

OrganizationSetting.spec.defaultTrafficSetting.rateLimiting.externalService.rules[index]​

OrganizationSetting.spec.defaultTrafficSetting.rateLimiting.externalService.rules[index].dimensions[index]​

OrganizationSetting.spec.defaultTrafficSetting.rateLimiting.externalService.rules[index].dimensions[index].headerValueMatch​

OrganizationSetting.spec.defaultTrafficSetting.rateLimiting.externalService.rules[index].dimensions[index].headerValueMatch.headers[key]​

OrganizationSetting.spec.defaultTrafficSetting.rateLimiting.externalService.rules[index].dimensions[index].requestHeaders​

OrganizationSetting.spec.defaultTrafficSetting.rateLimiting.externalService.tls​

OrganizationSetting.spec.defaultTrafficSetting.rateLimiting.externalService.tls.files​

OrganizationSetting.spec.defaultTrafficSetting.rateLimiting.settings​

OrganizationSetting.spec.defaultTrafficSetting.rateLimiting.settings.rules[index]​

OrganizationSetting.spec.defaultTrafficSetting.rateLimiting.settings.rules[index].dimensions[index]​

OrganizationSetting.spec.defaultTrafficSetting.rateLimiting.settings.rules[index].dimensions[index].header​

OrganizationSetting.spec.defaultTrafficSetting.rateLimiting.settings.rules[index].dimensions[index].header.value​

OrganizationSetting.spec.defaultTrafficSetting.rateLimiting.settings.rules[index].dimensions[index].remoteAddress​

OrganizationSetting.spec.defaultTrafficSetting.rateLimiting.settings.rules[index].limit​

OrganizationSetting.spec.defaultTrafficSetting.reachability​

OrganizationSetting.spec.defaultTrafficSetting.resilience​

OrganizationSetting.spec.defaultTrafficSetting.resilience.httpRetries​

OrganizationSetting.spec.defaultTrafficSetting.resilience.keepAlive​

OrganizationSetting.spec.defaultTrafficSetting.resilience.keepAlive.tcp​

OrganizationSetting.spec.defaultTrafficSetting.resilience.keepAlive.tcp.downstream​

OrganizationSetting.spec.defaultTrafficSetting.resilience.keepAlive.tcp.upstream​

OrganizationSetting.spec.networkSettings​

OrganizationSetting.spec.regionalFailover[index]​

ServiceAccount​

ServiceAccount.spec​

ServiceAccount.spec.keys[index]​

Team​

Team.spec​

Tenant​

Tenant.spec​

TenantSetting​

TenantSetting.spec​

TenantSetting.spec.defaultSecuritySetting​

TenantSetting.spec.defaultSecuritySetting.authenticationSettings​

TenantSetting.spec.defaultSecuritySetting.authenticationSettings.http​

TenantSetting.spec.defaultSecuritySetting.authenticationSettings.http.jwt​

TenantSetting.spec.defaultSecuritySetting.authorization​

TenantSetting.spec.defaultSecuritySetting.authorization.http​

tsb.tetrate.io/v2

Cluster

Cluster.spec

Cluster.spec.locality

Cluster.spec.namespaceScope

Cluster.spec.namespaces[index]

Cluster.spec.namespaces[index].services[index]

Cluster.spec.namespaces[index].services[index].ports[index]

Cluster.spec.namespaces[index].services[index].workloads[index]

Cluster.spec.namespaces[index].services[index].workloads[index].proxy

Cluster.spec.state

Organization

Organization.spec

OrganizationSetting

OrganizationSetting.spec

OrganizationSetting.spec.defaultSecuritySetting

OrganizationSetting.spec.defaultSecuritySetting.authenticationSettings

OrganizationSetting.spec.defaultSecuritySetting.authenticationSettings.http

OrganizationSetting.spec.defaultSecuritySetting.authenticationSettings.http.jwt

OrganizationSetting.spec.defaultSecuritySetting.authorization

OrganizationSetting.spec.defaultSecuritySetting.authorization.http

OrganizationSetting.spec.defaultSecuritySetting.authorization.http.external

OrganizationSetting.spec.defaultSecuritySetting.authorization.http.external.tls

OrganizationSetting.spec.defaultSecuritySetting.authorization.http.external.tls.files

OrganizationSetting.spec.defaultSecuritySetting.authorization.http.local

OrganizationSetting.spec.defaultSecuritySetting.authorization.http.local.rules[index]

OrganizationSetting.spec.defaultSecuritySetting.authorization.http.local.rules[index].from[index]

OrganizationSetting.spec.defaultSecuritySetting.authorization.http.local.rules[index].from[index].jwt

OrganizationSetting.spec.defaultSecuritySetting.authorization.http.local.rules[index].to[index]

OrganizationSetting.spec.defaultSecuritySetting.authorization.rules

OrganizationSetting.spec.defaultSecuritySetting.authorization.rules.allow[index]

OrganizationSetting.spec.defaultSecuritySetting.authorization.rules.allow[index].from

OrganizationSetting.spec.defaultSecuritySetting.authorization.rules.allow[index].to

OrganizationSetting.spec.defaultSecuritySetting.authorization.rules.deny[index]

OrganizationSetting.spec.defaultSecuritySetting.authorization.rules.deny[index].from

OrganizationSetting.spec.defaultSecuritySetting.authorization.rules.deny[index].to

OrganizationSetting.spec.defaultSecuritySetting.wafSettings

OrganizationSetting.spec.defaultTrafficSetting

OrganizationSetting.spec.defaultTrafficSetting.egress

OrganizationSetting.spec.defaultTrafficSetting.rateLimiting

OrganizationSetting.spec.defaultTrafficSetting.rateLimiting.externalService

OrganizationSetting.spec.defaultTrafficSetting.rateLimiting.externalService.rules[index]

OrganizationSetting.spec.defaultTrafficSetting.rateLimiting.externalService.rules[index].dimensions[index]

OrganizationSetting.spec.defaultTrafficSetting.rateLimiting.externalService.rules[index].dimensions[index].headerValueMatch

OrganizationSetting.spec.defaultTrafficSetting.rateLimiting.externalService.rules[index].dimensions[index].headerValueMatch.headers[key]

OrganizationSetting.spec.defaultTrafficSetting.rateLimiting.externalService.rules[index].dimensions[index].requestHeaders

OrganizationSetting.spec.defaultTrafficSetting.rateLimiting.externalService.tls

OrganizationSetting.spec.defaultTrafficSetting.rateLimiting.externalService.tls.files

OrganizationSetting.spec.defaultTrafficSetting.rateLimiting.settings

OrganizationSetting.spec.defaultTrafficSetting.rateLimiting.settings.rules[index]

OrganizationSetting.spec.defaultTrafficSetting.rateLimiting.settings.rules[index].dimensions[index]

OrganizationSetting.spec.defaultTrafficSetting.rateLimiting.settings.rules[index].dimensions[index].header

OrganizationSetting.spec.defaultTrafficSetting.rateLimiting.settings.rules[index].dimensions[index].header.value

OrganizationSetting.spec.defaultTrafficSetting.rateLimiting.settings.rules[index].dimensions[index].remoteAddress

OrganizationSetting.spec.defaultTrafficSetting.rateLimiting.settings.rules[index].limit

OrganizationSetting.spec.defaultTrafficSetting.reachability

OrganizationSetting.spec.defaultTrafficSetting.resilience

OrganizationSetting.spec.defaultTrafficSetting.resilience.httpRetries

OrganizationSetting.spec.defaultTrafficSetting.resilience.keepAlive

OrganizationSetting.spec.defaultTrafficSetting.resilience.keepAlive.tcp

OrganizationSetting.spec.defaultTrafficSetting.resilience.keepAlive.tcp.downstream

OrganizationSetting.spec.defaultTrafficSetting.resilience.keepAlive.tcp.upstream

OrganizationSetting.spec.networkSettings

OrganizationSetting.spec.regionalFailover[index]

ServiceAccount

ServiceAccount.spec

ServiceAccount.spec.keys[index]

Team

Team.spec

Tenant

Tenant.spec

TenantSetting

TenantSetting.spec

TenantSetting.spec.defaultSecuritySetting

TenantSetting.spec.defaultSecuritySetting.authenticationSettings

TenantSetting.spec.defaultSecuritySetting.authenticationSettings.http

TenantSetting.spec.defaultSecuritySetting.authenticationSettings.http.jwt

TenantSetting.spec.defaultSecuritySetting.authorization

TenantSetting.spec.defaultSecuritySetting.authorization.http

TenantSetting.spec.defaultSecuritySetting.authorization.http.external