security.tsb.tetrate.io/v2
Resource Types:
Group
| Name | Type | Description | Required |
|---|---|---|---|
| apiVersion | string | security.tsb.tetrate.io/v2 | true |
| kind | string | Group | true |
| metadata | object | Refer to the Kubernetes API documentation for the fields of the metadata field. | true |
| spec | object | | false |
| status | object | | false |
Group.spec
| Name | Type | Description | Required |
|---|---|---|---|
| configMode | enum | Enum: BRIDGED, DIRECT | false |
| description | string | A description of the resource. | false |
| displayName | string | User friendly name for the resource. | false |
| etag | string | The etag for the resource. | false |
| fqn | string | Fully-qualified name of the resource. | false |
| namespaceSelector | object | Set of namespaces owned exclusively by this group. | false |
| securityDomain | string | Security domains can be used to group different resources under the same security domain. | false |
Group.spec.namespaceSelector
Set of namespaces owned exclusively by this group.
| Name | Type | Description | Required |
|---|---|---|---|
| names | []string | | false |
ServiceSecuritySetting
| Name | Type | Description | Required |
|---|---|---|---|
| apiVersion | string | security.tsb.tetrate.io/v2 | true |
| kind | string | ServiceSecuritySetting | true |
| metadata | object | Refer to the Kubernetes API documentation for the fields of the metadata field. | true |
| spec | object | | false |
| status | object | | false |
ServiceSecuritySetting.spec
| Name | Type | Description | Required |
|---|---|---|---|
| description | string | A description of the resource. | false |
| displayName | string | User friendly name for the resource. | false |
| etag | string | The etag for the resource. | false |
| fqn | string | Fully-qualified name of the resource. | false |
| service | string | The service on which the configuration is being applied. | false |
| settings | object | Security settings to apply to this service. | false |
| subsets | []object | | false |
ServiceSecuritySetting.spec.settings
Security settings to apply to this service.
| Name | Type | Description | Required |
|---|---|---|---|
| authentication | enum | Enum: UNSET, OPTIONAL, REQUIRED | false |
| authenticationSettings | object | | false |
| authorization | object | | false |
| description | string | A description of the resource. | false |
| displayName | string | User friendly name for the resource. | false |
| etag | string | The etag for the resource. | false |
| extension | []object | | false |
| fqn | string | Fully-qualified name of the resource. | false |
| propagationStrategy | enum | Enum: REPLACE, STRICTER | false |
| waf | object | NOTICE: this feature is in alpha stage and under active development. | false |
ServiceSecuritySetting.spec.settings.authenticationSettings
| Name | Type | Description | Required |
|---|---|---|---|
| http | object | | false |
| trafficMode | enum | Enum: UNSET, OPTIONAL, REQUIRED | false |
ServiceSecuritySetting.spec.settings.authenticationSettings.http
| Name | Type | Description | Required |
|---|---|---|---|
| jwt | object | | false |
ServiceSecuritySetting.spec.settings.authenticationSettings.http.jwt
| Name | Type | Description | Required |
|---|---|---|---|
| audiences | []string | | false |
| issuer | string | Identifies the issuer that issued the JWT. | false |
| jwks | string | JSON Web Key Set of public keys to validate signature of the JWT. | false |
| jwksUri | string | | false |
ServiceSecuritySetting.spec.settings.authorization
| Name | Type | Description | Required |
|---|---|---|---|
| http | object | This is for configuring HTTP request authorization. | false |
| mode | enum | A shortcut for specifying the set of allowed callers. Enum: UNSET, NAMESPACE, GROUP, WORKSPACE, CLUSTER, DISABLED, CUSTOM, RULES | false |
| rules | object | | false |
| serviceAccounts | []string | | false |
ServiceSecuritySetting.spec.settings.authorization.http
This is for configuring HTTP request authorization.
| Name | Type | Description | Required |
|---|---|---|---|
| external | object | | false |
| local | object | | false |
ServiceSecuritySetting.spec.settings.authorization.http.external
| Name | Type | Description | Required |
|---|---|---|---|
| includeRequestHeaders | []string | | false |
| tls | object | | false |
| uri | string | | false |
ServiceSecuritySetting.spec.settings.authorization.http.external.tls
| Name | Type | Description | Required |
|---|---|---|---|
| files | object | | false |
| mode | enum | Enum: DISABLED, SIMPLE, MUTUAL | false |
| subjectAltNames | []string | | false |
ServiceSecuritySetting.spec.settings.authorization.http.external.tls.files
| Name | Type | Description | Required |
|---|---|---|---|
| caCertificates | string | | false |
| clientCertificate | string | Certificate file to authenticate the client. | false |
| privateKey | string | Private key file associated with the client certificate. | false |
ServiceSecuritySetting.spec.settings.authorization.http.local
| Name | Type | Description | Required |
|---|---|---|---|
| rules | []object | | false |
ServiceSecuritySetting.spec.settings.authorization.http.local.rules[index]
| Name | Type | Description | Required |
|---|---|---|---|
| from | []object | | false |
| name | string | A friendly name to identify the binding. | false |
| to | []object | | false |
ServiceSecuritySetting.spec.settings.authorization.http.local.rules[index].from[index]
| Name | Type | Description | Required |
|---|---|---|---|
| jwt | object | JWT configuration to identify the subject. | false |
ServiceSecuritySetting.spec.settings.authorization.http.local.rules[index].from[index].jwt
JWT configuration to identify the subject.
| Name | Type | Description | Required |
|---|---|---|---|
| iss | string | | false |
| other | map[string]string | A set of arbitrary claims that are required to qualify the subject. | false |
| sub | string | | false |
ServiceSecuritySetting.spec.settings.authorization.http.local.rules[index].to[index]
| Name | Type | Description | Required |
|---|---|---|---|
| methods | []string | The HTTP methods that are allowed by this rule. | false |
| paths | []string | The request paths that this rule matches the request against. | false |
ServiceSecuritySetting.spec.settings.authorization.rules
| Name | Type | Description | Required |
|---|---|---|---|
| allow | []object | Allow specifies a list of rules. | false |
| deny | []object | Deny specifies a list of rules. | false |
| denyAll | boolean | Deny all specifies whether all requests should be rejected. | false |
ServiceSecuritySetting.spec.settings.authorization.rules.allow[index]
| Name | Type | Description | Required |
|---|---|---|---|
| from | object | From specifies the source of a request. | false |
| to | object | To specifies the destination of a request. | false |
ServiceSecuritySetting.spec.settings.authorization.rules.allow[index].from
From specifies the source of a request.
| Name | Type | Description | Required |
|---|---|---|---|
| fqn | string | The target resource identified by FQN which will be the source of a request. | false |
ServiceSecuritySetting.spec.settings.authorization.rules.allow[index].to
To specifies the destination of a request.
| Name | Type | Description | Required |
|---|---|---|---|
| fqn | string | The target resource identified by FQN which will be the destination of a request. | false |
ServiceSecuritySetting.spec.settings.authorization.rules.deny[index]
| Name | Type | Description | Required |
|---|---|---|---|
| from | object | From specifies the source of a request. | false |
| to | object | To specifies the destination of a request. | false |
ServiceSecuritySetting.spec.settings.authorization.rules.deny[index].from
From specifies the source of a request.
| Name | Type | Description | Required |
|---|---|---|---|
| fqn | string | The target resource identified by FQN which will be the source of a request. | false |
ServiceSecuritySetting.spec.settings.authorization.rules.deny[index].to
To specifies the destination of a request.
| Name | Type | Description | Required |
|---|---|---|---|
| fqn | string | The target resource identified by FQN which will be the destination of a request. | false |
ServiceSecuritySetting.spec.settings.extension[index]
| Name | Type | Description | Required |
|---|---|---|---|
| config | object | Configuration parameters sent to the WASM plugin execution. | false |
| fqn | string | Fqn of the extension to be executed. | false |
ServiceSecuritySetting.spec.settings.waf
NOTICE: this feature is in alpha stage and under active development.
| Name | Type | Description | Required |
|---|---|---|---|
| rules | []string | Rules to be leveraged by WAF. | false |
ServiceSecuritySetting.spec.subsets[index]
| Name | Type | Description | Required |
|---|---|---|---|
| name | string | Name used to refer to the subset. | false |
| settings | object | Security settings to apply to this service subset. | false |
ServiceSecuritySetting.spec.subsets[index].settings
Security settings to apply to this service subset.
| Name | Type | Description | Required |
|---|---|---|---|
| authentication | enum | Enum: UNSET, OPTIONAL, REQUIRED | false |
| authenticationSettings | object | | false |
| authorization | object | | false |
| description | string | A description of the resource. | false |
| displayName | string | User friendly name for the resource. | false |
| etag | string | The etag for the resource. | false |
| extension | []object | | false |
| fqn | string | Fully-qualified name of the resource. | false |
| propagationStrategy | enum | Enum: REPLACE, STRICTER | false |
| waf | object | NOTICE: this feature is in alpha stage and under active development. | false |
ServiceSecuritySetting.spec.subsets[index].settings.authenticationSettings
| Name | Type | Description | Required |
|---|---|---|---|
| http | object | | false |
| trafficMode | enum | Enum: UNSET, OPTIONAL, REQUIRED | false |
ServiceSecuritySetting.spec.subsets[index].settings.authenticationSettings.http
| Name | Type | Description | Required |
|---|---|---|---|
| jwt | object | | false |
ServiceSecuritySetting.spec.subsets[index].settings.authenticationSettings.http.jwt
| Name | Type | Description | Required |
|---|---|---|---|
| audiences | []string | | false |
| issuer | string | Identifies the issuer that issued the JWT. | false |
| jwks | string | JSON Web Key Set of public keys to validate signature of the JWT. | false |
| jwksUri | string | | false |
ServiceSecuritySetting.spec.subsets[index].settings.authorization
| Name | Type | Description | Required |
|---|---|---|---|
| http | object | This is for configuring HTTP request authorization. | false |
| mode | enum | A shortcut for specifying the set of allowed callers. Enum: UNSET, NAMESPACE, GROUP, WORKSPACE, CLUSTER, DISABLED, CUSTOM, RULES | false |
| rules | object | | false |
| serviceAccounts | []string | | false |
ServiceSecuritySetting.spec.subsets[index].settings.authorization.http
This is for configuring HTTP request authorization.
| Name | Type | Description | Required |
|---|---|---|---|
| external | object | | false |
| local | object | | false |
ServiceSecuritySetting.spec.subsets[index].settings.authorization.http.external
| Name | Type | Description | Required |
|---|---|---|---|
| includeRequestHeaders | []string | | false |
| tls | object | | false |
| uri | string | | false |
ServiceSecuritySetting.spec.subsets[index].settings.authorization.http.external.tls
| Name | Type | Description | Required |
|---|---|---|---|
| files | object | | false |
| mode | enum | Enum: DISABLED, SIMPLE, MUTUAL | false |
| subjectAltNames | []string | | false |
ServiceSecuritySetting.spec.subsets[index].settings.authorization.http.external.tls.files
| Name | Type | Description | Required |
|---|---|---|---|
| caCertificates | string | | false |
| clientCertificate | string | Certificate file to authenticate the client. | false |
| privateKey | string | Private key file associated with the client certificate. | false |
ServiceSecuritySetting.spec.subsets[index].settings.authorization.http.local
| Name | Type | Description | Required |
|---|---|---|---|
| rules | []object | | false |
ServiceSecuritySetting.spec.subsets[index].settings.authorization.http.local.rules[index]
| Name | Type | Description | Required |
|---|---|---|---|
| from | []object | | false |
| name | string | A friendly name to identify the binding. | false |
| to | []object | | false |
ServiceSecuritySetting.spec.subsets[index].settings.authorization.http.local.rules[index].from[index]
| Name | Type | Description | Required |
|---|---|---|---|
| jwt | object | JWT configuration to identify the subject. | false |
ServiceSecuritySetting.spec.subsets[index].settings.authorization.http.local.rules[index].from[index].jwt
JWT configuration to identify the subject.
| Name | Type | Description | Required |
|---|---|---|---|
| iss | string | | false |
| other | map[string]string | A set of arbitrary claims that are required to qualify the subject. | false |
| sub | string | | false |
ServiceSecuritySetting.spec.subsets[index].settings.authorization.http.local.rules[index].to[index]
| Name | Type | Description | Required |
|---|---|---|---|
| methods | []string | The HTTP methods that are allowed by this rule. | false |
| paths | []string | The request paths that this rule matches the request against. | false |
ServiceSecuritySetting.spec.subsets[index].settings.authorization.rules
| Name | Type | Description | Required |
|---|---|---|---|
| allow | []object | Allow specifies a list of rules. | false |
| deny | []object | Deny specifies a list of rules. | false |
| denyAll | boolean | Deny all specifies whether all requests should be rejected. | false |
ServiceSecuritySetting.spec.subsets[index].settings.authorization.rules.allow[index]
| Name | Type | Description | Required |
|---|---|---|---|
| from | object | From specifies the source of a request. | false |
| to | object | To specifies the destination of a request. | false |
ServiceSecuritySetting.spec.subsets[index].settings.authorization.rules.allow[index].from
From specifies the source of a request.
| Name | Type | Description | Required |
|---|---|---|---|
| fqn | string | The target resource identified by FQN which will be the source of a request. | false |
ServiceSecuritySetting.spec.subsets[index].settings.authorization.rules.allow[index].to
To specifies the destination of a request.
| Name | Type | Description | Required |
|---|---|---|---|
| fqn | string | The target resource identified by FQN which will be the destination of a request. | false |
ServiceSecuritySetting.spec.subsets[index].settings.authorization.rules.deny[index]
| Name | Type | Description | Required |
|---|---|---|---|
| from | object | From specifies the source of a request. | false |
| to | object | To specifies the destination of a request. | false |
ServiceSecuritySetting.spec.subsets[index].settings.authorization.rules.deny[index].from
From specifies the source of a request.
| Name | Type | Description | Required |
|---|---|---|---|
| fqn | string | The target resource identified by FQN which will be the source of a request. | false |
ServiceSecuritySetting.spec.subsets[index].settings.authorization.rules.deny[index].to
To specifies the destination of a request.
| Name | Type | Description | Required |
|---|---|---|---|
| fqn | string | The target resource identified by FQN which will be the destination of a request. | false |
ServiceSecuritySetting.spec.subsets[index].settings.extension[index]
| Name | Type | Description | Required |
|---|---|---|---|
| config | object | Configuration parameters sent to the WASM plugin execution. | false |
| fqn | string | Fqn of the extension to be executed. | false |
ServiceSecuritySetting.spec.subsets[index].settings.waf
NOTICE: this feature is in alpha stage and under active development.
| Name | Type | Description | Required |
|---|---|---|---|
| rules | []string | Rules to be leveraged by WAF. | false |
SecuritySetting
| Name | Type | Description | Required |
|---|---|---|---|
| apiVersion | string | security.tsb.tetrate.io/v2 | true |
| kind | string | SecuritySetting | true |
| metadata | object | Refer to the Kubernetes API documentation for the fields of the metadata field. | true |
| spec | object | | false |
| status | object | | false |
SecuritySetting.spec
| Name | Type | Description | Required |
|---|---|---|---|
| authentication | enum | Enum: UNSET, OPTIONAL, REQUIRED | false |
| authenticationSettings | object | | false |
| authorization | object | | false |
| description | string | A description of the resource. | false |
| displayName | string | User friendly name for the resource. | false |
| etag | string | The etag for the resource. | false |
| extension | []object | | false |
| fqn | string | Fully-qualified name of the resource. | false |
| propagationStrategy | enum | Enum: REPLACE, STRICTER | false |
| waf | object | NOTICE: this feature is in alpha stage and under active development. | false |
SecuritySetting.spec.authenticationSettings
| Name | Type | Description | Required |
|---|---|---|---|
| http | object | | false |
| trafficMode | enum | Enum: UNSET, OPTIONAL, REQUIRED | false |
SecuritySetting.spec.authenticationSettings.http
| Name | Type | Description | Required |
|---|---|---|---|
| jwt | object | | false |
SecuritySetting.spec.authenticationSettings.http.jwt
| Name | Type | Description | Required |
|---|---|---|---|
| audiences | []string | | false |
| issuer | string | Identifies the issuer that issued the JWT. | false |
| jwks | string | JSON Web Key Set of public keys to validate signature of the JWT. | false |
| jwksUri | string | | false |
SecuritySetting.spec.authorization
| Name | Type | Description | Required |
|---|---|---|---|
| http | object | This is for configuring HTTP request authorization. | false |
| mode | enum | A shortcut for specifying the set of allowed callers. Enum: UNSET, NAMESPACE, GROUP, WORKSPACE, CLUSTER, DISABLED, CUSTOM, RULES | false |
| rules | object | | false |
| serviceAccounts | []string | | false |
SecuritySetting.spec.authorization.http
This is for configuring HTTP request authorization.
| Name | Type | Description | Required |
|---|---|---|---|
| external | object | | false |
| local | object | | false |
SecuritySetting.spec.authorization.http.external
| Name | Type | Description | Required |
|---|---|---|---|
| includeRequestHeaders | []string | | false |
| tls | object | | false |
| uri | string | | false |
SecuritySetting.spec.authorization.http.external.tls
| Name | Type | Description | Required |
|---|---|---|---|
| files | object | | false |
| mode | enum | Enum: DISABLED, SIMPLE, MUTUAL | false |
| subjectAltNames | []string | | false |
SecuritySetting.spec.authorization.http.external.tls.files
| Name | Type | Description | Required |
|---|---|---|---|
| caCertificates | string | | false |
| clientCertificate | string | Certificate file to authenticate the client. | false |
| privateKey | string | Private key file associated with the client certificate. | false |
SecuritySetting.spec.authorization.http.local
| Name | Type | Description | Required |
|---|---|---|---|
| rules | []object | | false |
SecuritySetting.spec.authorization.http.local.rules[index]
| Name | Type | Description | Required |
|---|---|---|---|
| from | []object | | false |
| name | string | A friendly name to identify the binding. | false |
| to | []object | | false |
SecuritySetting.spec.authorization.http.local.rules[index].from[index]
| Name | Type | Description | Required |
|---|---|---|---|
| jwt | object | JWT configuration to identify the subject. | false |
SecuritySetting.spec.authorization.http.local.rules[index].from[index].jwt
JWT configuration to identify the subject.
| Name | Type | Description | Required |
|---|---|---|---|
| iss | string | | false |
| other | map[string]string | A set of arbitrary claims that are required to qualify the subject. | false |
| sub | string | | false |
SecuritySetting.spec.authorization.http.local.rules[index].to[index]
| Name | Type | Description | Required |
|---|---|---|---|
| methods | []string | The HTTP methods that are allowed by this rule. | false |
| paths | []string | The request paths that this rule matches the request against. | false |
SecuritySetting.spec.authorization.rules
| Name | Type | Description | Required |
|---|---|---|---|
| allow | []object | Allow specifies a list of rules. | false |
| deny | []object | Deny specifies a list of rules. | false |
| denyAll | boolean | Deny all specifies whether all requests should be rejected. | false |
SecuritySetting.spec.authorization.rules.allow[index]
| Name | Type | Description | Required |
|---|---|---|---|
| from | object | From specifies the source of a request. | false |
| to | object | To specifies the destination of a request. | false |
SecuritySetting.spec.authorization.rules.allow[index].from
From specifies the source of a request.
| Name | Type | Description | Required |
|---|---|---|---|
| fqn | string | The target resource identified by FQN which will be the source of a request. | false |
SecuritySetting.spec.authorization.rules.allow[index].to
To specifies the destination of a request.
| Name | Type | Description | Required |
|---|---|---|---|
| fqn | string | The target resource identified by FQN which will be the destination of a request. | false |
SecuritySetting.spec.authorization.rules.deny[index]
| Name | Type | Description | Required |
|---|---|---|---|
| from | object | From specifies the source of a request. | false |
| to | object | To specifies the destination of a request. | false |
SecuritySetting.spec.authorization.rules.deny[index].from
From specifies the source of a request.
| Name | Type | Description | Required |
|---|---|---|---|
| fqn | string | The target resource identified by FQN which will be the source of a request. | false |
SecuritySetting.spec.authorization.rules.deny[index].to
To specifies the destination of a request.
| Name | Type | Description | Required |
|---|---|---|---|
| fqn | string | The target resource identified by FQN which will be the destination of a request. | false |
SecuritySetting.spec.extension[index]
| Name | Type | Description | Required |
|---|---|---|---|
| config | object | Configuration parameters sent to the WASM plugin execution. | false |
| fqn | string | Fqn of the extension to be executed. | false |
SecuritySetting.spec.waf
NOTICE: this feature is in alpha stage and under active development.
| Name | Type | Description | Required |
|---|---|---|---|
| rules | []string | Rules to be leveraged by WAF. | false |