Skip to main content
logoTetrate Service BridgeVersion: 1.6.x

Workspace Setting

Workspace Setting allows configuring the default traffic, security and east-west gateway settings for all the workloads in the namespaces owned by the workspace. Any namespace in the workspace that is not part of a traffic or security group with specific settings will use these default settings.

The following example sets the default security policy to accept either mutual TLS or plaintext traffic, and only accept connections at a proxy workload from services within the same namespace. The default traffic policy allows unknown traffic from a proxy workload to be forwarded via an egress gateway tsb-egress in the perimeter namespace in the same cluster.

apiVersion: api.tsb.tetrate.io/v2
kind: WorkspaceSetting
metadata:
  name: w1-settings
  workspace: w1
  tenant: mycompany
  organization: myorg
spec:
  defaultSecuritySetting:
    authenticationSettings:
      trafficMode: REQUIRED
  defaultTrafficSetting:
    egress:
      host: bookinfo-perimeter/tsb-egress

This other example sets the defaults for east-west traffic configuring gateways for two different app groups. The first setting configures the gateway from the namespace platinum to manage the traffic for all those workloads with the labels tier: platinum and critical: true. The second one configures the gateway from the namespace internal to manage the traffic for all those workloads with the labels app: eshop or internal-critical: true. Setting up multiple east-west gateways allows isolating also the cross-cluster traffic.

apiVersion: api.tsb.tetrate.io/v2
kind: WorkspaceSetting
metadata:
  name: w1-settings
  workspace: w1
  tenant: mycompany
  organization: myorg
spec:
  defaultEastWestGatewaySettings:
  - workloadSelector:
      namespace: platinum
      labels:
        app: eastwest-gw
    exposedServices:
    - serviceLabels:
        tier: platinum
        critical: "true"
  - workloadSelector:
      namespace: internal
      labels:
        app: eastwest-gw
    exposedServices:
    - serviceLabels:
        app: eshop
    - serviceLabels:
        internal-critical: "true"

WorkspaceSetting

Default security and traffic settings for all proxy workloads in the workspace.

FieldDescriptionValidation Rule

defaultSecuritySetting

tetrateio.api.tsb.security.v2.SecuritySetting
Security settings for all proxy workloads in this workspace. This can be overridden at security group's SecuritySetting for specific cases. The override strategy used will be driven by the SecuritySetting propagation strategy. The default propagation strategy is REPLACE, in which a lower level SecuritySetting in the configuration hierarchy replaces a higher level SecuritySetting defined in the configuration hierarchy. Proxy workloads without a specific security group will inherit these settings. If omitted, the following semantics apply:

  1. Sidecars will accept connections from clients using Istio Mutual TLS as well as legacy clients using plaintext (i.e. any traffic not using Istio Mutual TLS authentication), i.e. authentication mode defaults to OPTIONAL.

  2. No authorization will be performed, i.e., authorization mode defaults to DISABLED.

defaultTrafficSetting

tetrateio.api.tsb.traffic.v2.TrafficSetting
Traffic settings for all proxy workloads in this workspace. Proxy workloads without a specific traffic group will inherit these settings. If omitted, the following semantics apply:

  1. Sidecars will be able to reach any service in the cluster, i.e. reachability mode defaults to CLUSTER.

  2. Traffic to unknown destinations will be directly routed from the sidecar to the destination.

regionalFailover

List of tetrateio.api.tsb.types.v2.RegionalFailover
Locality routing settings for all gateways in the workspace. Overrides any global settings.

Explicitly specify the region traffic will land on when endpoints in local region becomes unhealthy. Should be used together with OutlierDetection to detect unhealthy endpoints. Note: if no OutlierDetection specified, this will not take effect.

defaultEastWestGatewaySettings

List of tetrateio.api.tsb.gateway.v2.EastWestGateway
Default east west gateway settings specifies workspace-wide east-west gateway configuration. This is used to configure east-west routing (required for fail-over) for the services that are not exposed on the gateways. All the services matching the specified criteria is picked up for exposing on the east-west gateway workload selected by the workload selector. In case, a service matches selectors in multiple items, the one which comes first is picked up.