Tetrate Service Bridge, Version: 1.6.x

security.tsb.tetrate.io/v2

Resource Types:

Group

| Name | Type | Description | Required |
| --- | --- | --- | --- |
| apiVersion | string | security.tsb.tetrate.io/v2 | true |
| kind | string | Group | true |
| metadata | object | Refer to the Kubernetes API documentation for the fields of the metadata field. | true |
| spec | object |  | false |
| status | object |  | false |

Group.spec

| Name | Type | Description | Required |
| --- | --- | --- | --- |
| configMode | enum | Enum: BRIDGED, DIRECT | false |
| description | string | A description of the resource. | false |
| displayName | string | User friendly name for the resource. | false |
| etag | string | The etag for the resource. | false |
| fqn | string | Fully-qualified name of the resource. | false |
| namespaceSelector | object | Set of namespaces owned exclusively by this group. | false |
| securityDomain | string | Security domains can be used to group different resources under the same security domain. | false |

Group.spec.namespaceSelector

Set of namespaces owned exclusively by this group.

| Name | Type | Description | Required |
| --- | --- | --- | --- |
| names | []string |  | false |

ServiceSecuritySetting

| Name | Type | Description | Required |
| --- | --- | --- | --- |
| apiVersion | string | security.tsb.tetrate.io/v2 | true |
| kind | string | ServiceSecuritySetting | true |
| metadata | object | Refer to the Kubernetes API documentation for the fields of the metadata field. | true |
| spec | object |  | false |
| status | object |  | false |

ServiceSecuritySetting.spec

| Name | Type | Description | Required |
| --- | --- | --- | --- |
| description | string | A description of the resource. | false |
| displayName | string | User friendly name for the resource. | false |
| etag | string | The etag for the resource. | false |
| fqn | string | Fully-qualified name of the resource. | false |
| service | string | The service on which the configuration is being applied. | false |
| settings | object | Security settings to apply to this service. | false |
| subsets | []object |  | false |

ServiceSecuritySetting.spec.settings

Security settings to apply to this service.

| Name | Type | Description | Required |
| --- | --- | --- | --- |
| authentication | enum | Enum: UNSET, OPTIONAL, REQUIRED | false |
| authenticationSettings | object |  | false |
| authorization | object |  | false |
| description | string | A description of the resource. | false |
| displayName | string | User friendly name for the resource. | false |
| etag | string | The etag for the resource. | false |
| extension | []object |  | false |
| fqn | string | Fully-qualified name of the resource. | false |
| propagationStrategy | enum | Enum: REPLACE, STRICTER | false |
| waf | object | NOTICE: this feature is in alpha stage and under active development. | false |

ServiceSecuritySetting.spec.settings.authenticationSettings

| Name | Type | Description | Required |
| --- | --- | --- | --- |
| http | object |  | false |
| trafficMode | enum | Enum: UNSET, OPTIONAL, REQUIRED | false |

ServiceSecuritySetting.spec.settings.authenticationSettings.http

| Name | Type | Description | Required |
| --- | --- | --- | --- |
| jwt | object |  | false |

ServiceSecuritySetting.spec.settings.authenticationSettings.http.jwt

| Name | Type | Description | Required |
| --- | --- | --- | --- |
| audiences | []string |  | false |
| issuer | string | Identifies the issuer that issued the JWT. | false |
| jwks | string | JSON Web Key Set of public keys to validate signature of the JWT. | false |
| jwksUri | string |  | false |

ServiceSecuritySetting.spec.settings.authorization

| Name | Type | Description | Required |
| --- | --- | --- | --- |
| http | object | This is for configuring HTTP request authorization. | false |
| mode | enum | A shortcut for specifying the set of allowed callers. Enum: UNSET, NAMESPACE, GROUP, WORKSPACE, CLUSTER, DISABLED, CUSTOM, RULES | false |
| rules | object |  | false |
| serviceAccounts | []string |  | false |

ServiceSecuritySetting.spec.settings.authorization.http

This is for configuring HTTP request authorization.

| Name | Type | Description | Required |
| --- | --- | --- | --- |
| external | object |  | false |
| local | object |  | false |

ServiceSecuritySetting.spec.settings.authorization.http.external

| Name | Type | Description | Required |
| --- | --- | --- | --- |
| includeRequestHeaders | []string |  | false |
| tls | object |  | false |
| uri | string |  | false |

ServiceSecuritySetting.spec.settings.authorization.http.external.tls

| Name | Type | Description | Required |
| --- | --- | --- | --- |
| files | object |  | false |
| mode | enum | Enum: DISABLED, SIMPLE, MUTUAL | false |
| subjectAltNames | []string |  | false |

ServiceSecuritySetting.spec.settings.authorization.http.external.tls.files

| Name | Type | Description | Required |
| --- | --- | --- | --- |
| caCertificates | string |  | false |
| clientCertificate | string | Certificate file to authenticate the client. | false |
| privateKey | string | Private key file associated with the client certificate. | false |

ServiceSecuritySetting.spec.settings.authorization.http.local

| Name | Type | Description | Required |
| --- | --- | --- | --- |
| rules | []object |  | false |

ServiceSecuritySetting.spec.settings.authorization.http.local.rules[index]

| Name | Type | Description | Required |
| --- | --- | --- | --- |
| from | []object |  | false |
| name | string | A friendly name to identify the binding. | false |
| to | []object |  | false |

ServiceSecuritySetting.spec.settings.authorization.http.local.rules[index].from[index]

| Name | Type | Description | Required |
| --- | --- | --- | --- |
| jwt | object | JWT configuration to identify the subject. | false |

ServiceSecuritySetting.spec.settings.authorization.http.local.rules[index].from[index].jwt

JWT configuration to identify the subject.

| Name | Type | Description | Required |
| --- | --- | --- | --- |
| iss | string |  | false |
| other | map[string]string | A set of arbitrary claims that are required to qualify the subject. | false |
| sub | string |  | false |

ServiceSecuritySetting.spec.settings.authorization.http.local.rules[index].to[index]

| Name | Type | Description | Required |
| --- | --- | --- | --- |
| methods | []string | The HTTP methods that are allowed by this rule. | false |
| paths | []string | The request path that the request is made against. | false |

ServiceSecuritySetting.spec.settings.authorization.rules

| Name | Type | Description | Required |
| --- | --- | --- | --- |
| allow | []object | Allow specifies a list of rules. | false |
| deny | []object | Deny specifies a list of rules. | false |
| denyAll | boolean | Deny all specifies whether all requests should be rejected. | false |

ServiceSecuritySetting.spec.settings.authorization.rules.allow[index]

| Name | Type | Description | Required |
| --- | --- | --- | --- |
| from | object | From specifies the source of a request. | false |
| to | object | To specifies the destination of a request. | false |

ServiceSecuritySetting.spec.settings.authorization.rules.allow[index].from

From specifies the source of a request.

| Name | Type | Description | Required |
| --- | --- | --- | --- |
| fqn | string | The target resource identified by FQN which will be the source of a request. | false |

ServiceSecuritySetting.spec.settings.authorization.rules.allow[index].to

To specifies the destination of a request.

| Name | Type | Description | Required |
| --- | --- | --- | --- |
| fqn | string | The target resource identified by FQN which will be the destination of a request. | false |

ServiceSecuritySetting.spec.settings.authorization.rules.deny[index]

| Name | Type | Description | Required |
| --- | --- | --- | --- |
| from | object | From specifies the source of a request. | false |
| to | object | To specifies the destination of a request. | false |

ServiceSecuritySetting.spec.settings.authorization.rules.deny[index].from

From specifies the source of a request.

| Name | Type | Description | Required |
| --- | --- | --- | --- |
| fqn | string | The target resource identified by FQN which will be the source of a request. | false |

ServiceSecuritySetting.spec.settings.authorization.rules.deny[index].to

To specifies the destination of a request.

| Name | Type | Description | Required |
| --- | --- | --- | --- |
| fqn | string | The target resource identified by FQN which will be the destination of a request. | false |

ServiceSecuritySetting.spec.settings.extension[index]

| Name | Type | Description | Required |
| --- | --- | --- | --- |
| config | object | Configuration parameters sent to the WASM plugin execution. | false |
| fqn | string | FQN of the extension to be executed. | false |

ServiceSecuritySetting.spec.settings.waf

NOTICE: this feature is in alpha stage and under active development.

| Name | Type | Description | Required |
| --- | --- | --- | --- |
| rules | []string | Rules to be leveraged by WAF. | false |

ServiceSecuritySetting.spec.subsets[index]

| Name | Type | Description | Required |
| --- | --- | --- | --- |
| name | string | Name used to refer to the subset. | false |
| settings | object | Security settings to apply to this service subset. | false |

ServiceSecuritySetting.spec.subsets[index].settings

Security settings to apply to this service subset.

| Name | Type | Description | Required |
| --- | --- | --- | --- |
| authentication | enum | Enum: UNSET, OPTIONAL, REQUIRED | false |
| authenticationSettings | object |  | false |
| authorization | object |  | false |
| description | string | A description of the resource. | false |
| displayName | string | User friendly name for the resource. | false |
| etag | string | The etag for the resource. | false |
| extension | []object |  | false |
| fqn | string | Fully-qualified name of the resource. | false |
| propagationStrategy | enum | Enum: REPLACE, STRICTER | false |
| waf | object | NOTICE: this feature is in alpha stage and under active development. | false |

ServiceSecuritySetting.spec.subsets[index].settings.authenticationSettings

| Name | Type | Description | Required |
| --- | --- | --- | --- |
| http | object |  | false |
| trafficMode | enum | Enum: UNSET, OPTIONAL, REQUIRED | false |

ServiceSecuritySetting.spec.subsets[index].settings.authenticationSettings.http

| Name | Type | Description | Required |
| --- | --- | --- | --- |
| jwt | object |  | false |

ServiceSecuritySetting.spec.subsets[index].settings.authenticationSettings.http.jwt

| Name | Type | Description | Required |
| --- | --- | --- | --- |
| audiences | []string |  | false |
| issuer | string | Identifies the issuer that issued the JWT. | false |
| jwks | string | JSON Web Key Set of public keys to validate signature of the JWT. | false |
| jwksUri | string |  | false |

ServiceSecuritySetting.spec.subsets[index].settings.authorization

| Name | Type | Description | Required |
| --- | --- | --- | --- |
| http | object | This is for configuring HTTP request authorization. | false |
| mode | enum | A shortcut for specifying the set of allowed callers. Enum: UNSET, NAMESPACE, GROUP, WORKSPACE, CLUSTER, DISABLED, CUSTOM, RULES | false |
| rules | object |  | false |
| serviceAccounts | []string |  | false |

ServiceSecuritySetting.spec.subsets[index].settings.authorization.http

This is for configuring HTTP request authorization.

| Name | Type | Description | Required |
| --- | --- | --- | --- |
| external | object |  | false |
| local | object |  | false |

ServiceSecuritySetting.spec.subsets[index].settings.authorization.http.external

| Name | Type | Description | Required |
| --- | --- | --- | --- |
| includeRequestHeaders | []string |  | false |
| tls | object |  | false |
| uri | string |  | false |

ServiceSecuritySetting.spec.subsets[index].settings.authorization.http.external.tls

| Name | Type | Description | Required |
| --- | --- | --- | --- |
| files | object |  | false |
| mode | enum | Enum: DISABLED, SIMPLE, MUTUAL | false |
| subjectAltNames | []string |  | false |

ServiceSecuritySetting.spec.subsets[index].settings.authorization.http.external.tls.files

| Name | Type | Description | Required |
| --- | --- | --- | --- |
| caCertificates | string |  | false |
| clientCertificate | string | Certificate file to authenticate the client. | false |
| privateKey | string | Private key file associated with the client certificate. | false |

ServiceSecuritySetting.spec.subsets[index].settings.authorization.http.local

| Name | Type | Description | Required |
| --- | --- | --- | --- |
| rules | []object |  | false |

ServiceSecuritySetting.spec.subsets[index].settings.authorization.http.local.rules[index]

| Name | Type | Description | Required |
| --- | --- | --- | --- |
| from | []object |  | false |
| name | string | A friendly name to identify the binding. | false |
| to | []object |  | false |

ServiceSecuritySetting.spec.subsets[index].settings.authorization.http.local.rules[index].from[index]

| Name | Type | Description | Required |
| --- | --- | --- | --- |
| jwt | object | JWT configuration to identify the subject. | false |

ServiceSecuritySetting.spec.subsets[index].settings.authorization.http.local.rules[index].from[index].jwt

JWT configuration to identify the subject.

| Name | Type | Description | Required |
| --- | --- | --- | --- |
| iss | string |  | false |
| other | map[string]string | A set of arbitrary claims that are required to qualify the subject. | false |
| sub | string |  | false |

ServiceSecuritySetting.spec.subsets[index].settings.authorization.http.local.rules[index].to[index]

| Name | Type | Description | Required |
| --- | --- | --- | --- |
| methods | []string | The HTTP methods that are allowed by this rule. | false |
| paths | []string | The request path that the request is made against. | false |

ServiceSecuritySetting.spec.subsets[index].settings.authorization.rules

| Name | Type | Description | Required |
| --- | --- | --- | --- |
| allow | []object | Allow specifies a list of rules. | false |
| deny | []object | Deny specifies a list of rules. | false |
| denyAll | boolean | Deny all specifies whether all requests should be rejected. | false |

ServiceSecuritySetting.spec.subsets[index].settings.authorization.rules.allow[index]

| Name | Type | Description | Required |
| --- | --- | --- | --- |
| from | object | From specifies the source of a request. | false |
| to | object | To specifies the destination of a request. | false |

ServiceSecuritySetting.spec.subsets[index].settings.authorization.rules.allow[index].from

From specifies the source of a request.

| Name | Type | Description | Required |
| --- | --- | --- | --- |
| fqn | string | The target resource identified by FQN which will be the source of a request. | false |

ServiceSecuritySetting.spec.subsets[index].settings.authorization.rules.allow[index].to

To specifies the destination of a request.

| Name | Type | Description | Required |
| --- | --- | --- | --- |
| fqn | string | The target resource identified by FQN which will be the destination of a request. | false |

ServiceSecuritySetting.spec.subsets[index].settings.authorization.rules.deny[index]

| Name | Type | Description | Required |
| --- | --- | --- | --- |
| from | object | From specifies the source of a request. | false |
| to | object | To specifies the destination of a request. | false |

ServiceSecuritySetting.spec.subsets[index].settings.authorization.rules.deny[index].from

From specifies the source of a request.

| Name | Type | Description | Required |
| --- | --- | --- | --- |
| fqn | string | The target resource identified by FQN which will be the source of a request. | false |

ServiceSecuritySetting.spec.subsets[index].settings.authorization.rules.deny[index].to

To specifies the destination of a request.

| Name | Type | Description | Required |
| --- | --- | --- | --- |
| fqn | string | The target resource identified by FQN which will be the destination of a request. | false |

ServiceSecuritySetting.spec.subsets[index].settings.extension[index]

| Name | Type | Description | Required |
| --- | --- | --- | --- |
| config | object | Configuration parameters sent to the WASM plugin execution. | false |
| fqn | string | FQN of the extension to be executed. | false |

ServiceSecuritySetting.spec.subsets[index].settings.waf

NOTICE: this feature is in alpha stage and under active development.

| Name | Type | Description | Required |
| --- | --- | --- | --- |
| rules | []string | Rules to be leveraged by WAF. | false |

SecuritySetting

| Name | Type | Description | Required |
| --- | --- | --- | --- |
| apiVersion | string | security.tsb.tetrate.io/v2 | true |
| kind | string | SecuritySetting | true |
| metadata | object | Refer to the Kubernetes API documentation for the fields of the metadata field. | true |
| spec | object |  | false |
| status | object |  | false |

SecuritySetting.spec

| Name | Type | Description | Required |
| --- | --- | --- | --- |
| authentication | enum | Enum: UNSET, OPTIONAL, REQUIRED | false |
| authenticationSettings | object |  | false |
| authorization | object |  | false |
| description | string | A description of the resource. | false |
| displayName | string | User friendly name for the resource. | false |
| etag | string | The etag for the resource. | false |
| extension | []object |  | false |
| fqn | string | Fully-qualified name of the resource. | false |
| propagationStrategy | enum | Enum: REPLACE, STRICTER | false |
| waf | object | NOTICE: this feature is in alpha stage and under active development. | false |

SecuritySetting.spec.authenticationSettings

| Name | Type | Description | Required |
| --- | --- | --- | --- |
| http | object |  | false |
| trafficMode | enum | Enum: UNSET, OPTIONAL, REQUIRED | false |

SecuritySetting.spec.authenticationSettings.http

| Name | Type | Description | Required |
| --- | --- | --- | --- |
| jwt | object |  | false |

SecuritySetting.spec.authenticationSettings.http.jwt

| Name | Type | Description | Required |
| --- | --- | --- | --- |
| audiences | []string |  | false |
| issuer | string | Identifies the issuer that issued the JWT. | false |
| jwks | string | JSON Web Key Set of public keys to validate signature of the JWT. | false |
| jwksUri | string |  | false |

SecuritySetting.spec.authorization

| Name | Type | Description | Required |
| --- | --- | --- | --- |
| http | object | This is for configuring HTTP request authorization. | false |
| mode | enum | A shortcut for specifying the set of allowed callers. Enum: UNSET, NAMESPACE, GROUP, WORKSPACE, CLUSTER, DISABLED, CUSTOM, RULES | false |
| rules | object |  | false |
| serviceAccounts | []string |  | false |

SecuritySetting.spec.authorization.http

This is for configuring HTTP request authorization.

| Name | Type | Description | Required |
| --- | --- | --- | --- |
| external | object |  | false |
| local | object |  | false |

SecuritySetting.spec.authorization.http.external

| Name | Type | Description | Required |
| --- | --- | --- | --- |
| includeRequestHeaders | []string |  | false |
| tls | object |  | false |
| uri | string |  | false |

SecuritySetting.spec.authorization.http.external.tls

| Name | Type | Description | Required |
| --- | --- | --- | --- |
| files | object |  | false |
| mode | enum | Enum: DISABLED, SIMPLE, MUTUAL | false |
| subjectAltNames | []string |  | false |

SecuritySetting.spec.authorization.http.external.tls.files

| Name | Type | Description | Required |
| --- | --- | --- | --- |
| caCertificates | string |  | false |
| clientCertificate | string | Certificate file to authenticate the client. | false |
| privateKey | string | Private key file associated with the client certificate. | false |

SecuritySetting.spec.authorization.http.local

| Name | Type | Description | Required |
| --- | --- | --- | --- |
| rules | []object |  | false |

SecuritySetting.spec.authorization.http.local.rules[index]

| Name | Type | Description | Required |
| --- | --- | --- | --- |
| from | []object |  | false |
| name | string | A friendly name to identify the binding. | false |
| to | []object |  | false |

SecuritySetting.spec.authorization.http.local.rules[index].from[index]

| Name | Type | Description | Required |
| --- | --- | --- | --- |
| jwt | object | JWT configuration to identify the subject. | false |

SecuritySetting.spec.authorization.http.local.rules[index].from[index].jwt

JWT configuration to identify the subject.

| Name | Type | Description | Required |
| --- | --- | --- | --- |
| iss | string |  | false |
| other | map[string]string | A set of arbitrary claims that are required to qualify the subject. | false |
| sub | string |  | false |

SecuritySetting.spec.authorization.http.local.rules[index].to[index]

| Name | Type | Description | Required |
| --- | --- | --- | --- |
| methods | []string | The HTTP methods that are allowed by this rule. | false |
| paths | []string | The request path that the request is made against. | false |

SecuritySetting.spec.authorization.rules

| Name | Type | Description | Required |
| --- | --- | --- | --- |
| allow | []object | Allow specifies a list of rules. | false |
| deny | []object | Deny specifies a list of rules. | false |
| denyAll | boolean | Deny all specifies whether all requests should be rejected. | false |

SecuritySetting.spec.authorization.rules.allow[index]

| Name | Type | Description | Required |
| --- | --- | --- | --- |
| from | object | From specifies the source of a request. | false |
| to | object | To specifies the destination of a request. | false |

SecuritySetting.spec.authorization.rules.allow[index].from

From specifies the source of a request.

| Name | Type | Description | Required |
| --- | --- | --- | --- |
| fqn | string | The target resource identified by FQN which will be the source of a request. | false |

SecuritySetting.spec.authorization.rules.allow[index].to

To specifies the destination of a request.

| Name | Type | Description | Required |
| --- | --- | --- | --- |
| fqn | string | The target resource identified by FQN which will be the destination of a request. | false |

SecuritySetting.spec.authorization.rules.deny[index]

| Name | Type | Description | Required |
| --- | --- | --- | --- |
| from | object | From specifies the source of a request. | false |
| to | object | To specifies the destination of a request. | false |

SecuritySetting.spec.authorization.rules.deny[index].from

From specifies the source of a request.

| Name | Type | Description | Required |
| --- | --- | --- | --- |
| fqn | string | The target resource identified by FQN which will be the source of a request. | false |

SecuritySetting.spec.authorization.rules.deny[index].to

To specifies the destination of a request.

| Name | Type | Description | Required |
| --- | --- | --- | --- |
| fqn | string | The target resource identified by FQN which will be the destination of a request. | false |

SecuritySetting.spec.extension[index]

| Name | Type | Description | Required |
| --- | --- | --- | --- |
| config | object | Configuration parameters sent to the WASM plugin execution. | false |
| fqn | string | FQN of the extension to be executed. | false |

SecuritySetting.spec.waf

NOTICE: this feature is in alpha stage and under active development.

| Name | Type | Description | Required |
| --- | --- | --- | --- |
| rules | []string | Rules to be leveraged by WAF. | false |