Tetrate Service Bridge API (1.6.x)

Download OpenAPI specification:Download

URL: https://www.tetrate.io/tetrate-service-bridge/

Tetrate Service Bridge API.

OAuth

OIDC

Callback endpoint for OAuth2 Authorization Code grant flows as part of the OIDC spec.

query Parameters

code	string OAuth2 Authorization Code. When present this indicates the user authorized the request. TSB will use this code to acquire a token from the OIDC token endpoint and complete the login flow.
error	string OAuth2 Error Code. When present this indicates that either the authorization request has an error, the OIDC provider encountered an error or the user failed to log in. When set TSB will display information to the user indicating what went wrong. Standard error codes can be found found here. https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.2.1 https://openid.net/specs/openid-connect-core-1_0.html#AuthError
state required	string The state parameter sent to the OIDC provider on the authorization request.
errorDescription	string Optional error description sent by the OIDC provider when an error occurs.
errorUri	string Optional error URI of a web page that includes additional information about the error.

Responses

Response samples

200
default

Content type

application/json

{ }

Login endpoint to start an OIDC Authentication flow.

query Parameters

redirectUri

string

URl where the user will be redirected when the authentication flow completes.

Responses

Response samples

200
default

Content type

application/json

{ }

Applications

List all existing applications for the given tenant.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.

Responses

Response samples

200
default

Content type

application/json

{"applications": [{"fqn": "string",
"displayName": "string",
"etag": "string",
"description": "string",
"workspace": "string",
"namespaceSelector": {"names": ["string"
]
},
"gatewayGroup": "string",
"services": ["string"
],
"configResources": [{"fqn": "string",
"expectedEtag": "string",
"exclusivelyOwned": true
}
]
}
]
}

Creates a new Application in TSB.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.

Request Body schema: application/json
required

required	object (v2Application) An Application represents a set of logical groupings of services that are related to each other and expose a set of APIs that implement a complete set of business logic.
name required	string The short name for the resource to be created.

Responses

Request samples

Payload

Content type

application/json

{"application": {"displayName": "string",
"etag": "string",
"description": "string",
"workspace": "string",
"namespaceSelector": {"names": ["string"
]
},
"gatewayGroup": "string",
"services": ["string"
]
},
"name": "string"
}

Response samples

200
default

Content type

application/json

{"fqn": "string",
"displayName": "string",
"etag": "string",
"description": "string",
"workspace": "string",
"namespaceSelector": {"names": ["string"
]
},
"gatewayGroup": "string",
"services": ["string"
],
"configResources": [{"fqn": "string",
"expectedEtag": "string",
"exclusivelyOwned": true
}
]
}

Get the details of an existing application.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
application required	string Application name.

Responses

Response samples

200
default

Content type

application/json

{"fqn": "string",
"displayName": "string",
"etag": "string",
"description": "string",
"workspace": "string",
"namespaceSelector": {"names": ["string"
]
},
"gatewayGroup": "string",
"services": ["string"
],
"configResources": [{"fqn": "string",
"expectedEtag": "string",
"exclusivelyOwned": true
}
]
}

Modify an existing application.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
application required	string Application name.

Request Body schema: application/json
required

description	string (A description of the resource. $hide_from_yaml)
displayName	string (User friendly name for the resource. $hide_from_yaml)
etag	string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)
gatewayGroup	string Optional FQN of the Gateway Group to be used by the application. If configured, this gateway group will be used by the application. If no namespaces are configured and no existing gateway group is set, a new gateway group claiming all namespaces in the workspace (`/`) will be created by default. All Ingress Gateway resources created for the APIs attached to the application will be created in the application's gateway group.
	object (`NamespaceSelector` selects a set of namespaces across one or more clusters in a tenant. Namespace selectors can be used at Workspace level to carve out a chunk of resources under a tenant into an isolated configuration domain. They can be used in a Traffic, Security, or a Gateway group to further scope the set of namespaces that will belong to a specific configuration group. Names in namespaces selector must be in the form `cluster/namespace` where: - cluster must be a cluster name or an `` to mean all clusters - namespace must be a namespace name, an `` to mean all namespaces or a prefix like `ns-*` to mean all those namespaces starting by `ns-`)
services	Array of strings Optional list of services that are part of the application. This is a list of FQNs of services in the service registry. If omitted, the application is assumed to own all the services in the workspace. Note that a service can only be part of one application. If any of the services in the list is already in use by an existing application, application creation/modification will fail. If the list of services is not explicitly set and any service in the workspace is already in use by by another application, application creation/modification will fail.
workspace required	string FQN of the workspace this application is part of. The application will configure IngressGateways for the attached APIs in the different namespaces exposed by this workspace.

Responses

Request samples

Payload

Content type

application/json

{"description": "string",
"displayName": "string",
"etag": "string",
"gatewayGroup": "string",
"namespaceSelector": {"names": ["string"
]
},
"services": ["string"
],
"workspace": "string"
}

Response samples

200
default

Content type

application/json

{"fqn": "string",
"displayName": "string",
"etag": "string",
"description": "string",
"workspace": "string",
"namespaceSelector": {"names": ["string"
]
},
"gatewayGroup": "string",
"services": ["string"
],
"configResources": [{"fqn": "string",
"expectedEtag": "string",
"exclusivelyOwned": true
}
]
}

Delete an existing Application. Note that deleting resources in TSB is a recursive operation. Deleting a application will delete all API objects that exist in it.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
application required	string Application name.

Responses

Response samples

200
default

Content type

application/json

{ }

List all APIs attached to the given application.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
application required	string Application name.

Responses

Response samples

200
default

Content type

application/json

{"apis": [{"fqn": "string",
"displayName": "string",
"etag": "string",
"description": "string",
"openapi": "string",
"workloadSelector": {"namespace": "string",
"labels": {"property1": "string",
"property2": "string"
}
},
"servers": [{"name": "string",
"port": 0,
"hostname": "string",
"tls": {"mode": "DISABLED",
"secretName": "string",
"files": {"serverCertificate": "string",
"privateKey": "string",
"caCertificates": "string"
}
},
"xxxOldAuthentication": {"jwt": {"issuer": "string",
"audiences": ["string"
],
"jwksUri": "string",
"jwks": "string"
}
},
"authentication": {"jwt": {"issuer": "string",
"audiences": ["string"
],
"jwksUri": "string",
"jwks": "string"
}
},
"xxxOldAuthorization": {"external": {"uri": "string",
"includeRequestHeaders": ["string"
]
},
"local": {"rules": [{"name": "string",
"from": [null
],
"to": [null
]
}
]
}
},
"authorization": {"external": {"uri": "string",
"includeRequestHeaders": ["string"
],
"tls": {"mode": "DISABLED",
"files": {"clientCertificate": "string",
"privateKey": "string",
"caCertificates": "string"
},
"subjectAltNames": ["string"
]
}
},
"local": {"rules": [{"name": "string",
"from": [null
],
"to": [null
]
}
]
}
},
"routing": {"corsPolicy": {"allowOrigin": ["string"
],
"allowMethods": ["string"
],
"allowHeaders": ["string"
],
"exposeHeaders": ["string"
],
"maxAge": "string",
"allowCredentials": true
},
"rules": [{"match": [{"uri": null,
"headers": { }
}
],
"modify": {"rewrite": {"uri": null,
"authority": null
},
"headers": {"request": null,
"response": null
}
},
"route": {"host": "string",
"port": 0
},
"redirect": {"uri": "string",
"authority": "string",
"redirectCode": 0,
"port": 0,
"scheme": "string"
}
}
]
},
"rateLimiting": {"settings": {"rules": [{"dimensions": [null
],
"limit": {"requestsPerUnit": null,
"unit": null
}
}
],
"failClosed": true,
"timeout": "string"
},
"externalService": {"domain": "string",
"failClosed": true,
"rateLimitServerUri": "string",
"rules": [{"dimensions": [null
]
}
],
"timeout": "string",
"tls": {"mode": "DISABLED",
"files": {"clientCertificate": "string",
"privateKey": "string",
"caCertificates": "string"
},
"subjectAltNames": ["string"
]
}
}
}
}
],
"endpoints": [{"path": "string",
"methods": ["string"
],
"hostnames": ["string"
],
"service": "string"
}
],
"configResources": [{"fqn": "string",
"expectedEtag": "string",
"exclusivelyOwned": true
}
]
}
]
}

Attach a new API to the given application.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
application required	string Application name.

Request Body schema: application/json
required

required	object (v2API) An API configuring a set of servers and endpoints that expose the Application business logic.
name required	string The short name for the resource to be created.

Responses

Request samples

Payload

Content type

application/json

{"api": {"displayName": "string",
"etag": "string",
"description": "string",
"openapi": "string",
"workloadSelector": {"namespace": "string",
"labels": {"property1": "string",
"property2": "string"
}
}
},
"name": "string"
}

Response samples

200
default

Content type

application/json

{"fqn": "string",
"displayName": "string",
"etag": "string",
"description": "string",
"openapi": "string",
"workloadSelector": {"namespace": "string",
"labels": {"property1": "string",
"property2": "string"
}
},
"servers": [{"name": "string",
"port": 0,
"hostname": "string",
"tls": {"mode": "DISABLED",
"secretName": "string",
"files": {"serverCertificate": "string",
"privateKey": "string",
"caCertificates": "string"
}
},
"xxxOldAuthentication": {"jwt": {"issuer": "string",
"audiences": ["string"
],
"jwksUri": "string",
"jwks": "string"
}
},
"authentication": {"jwt": {"issuer": "string",
"audiences": ["string"
],
"jwksUri": "string",
"jwks": "string"
}
},
"xxxOldAuthorization": {"external": {"uri": "string",
"includeRequestHeaders": ["string"
]
},
"local": {"rules": [{"name": "string",
"from": [{"jwt": {"iss": null,
"sub": null,
"other": { }
}
}
],
"to": [{"paths": [null
],
"methods": [null
]
}
]
}
]
}
},
"authorization": {"external": {"uri": "string",
"includeRequestHeaders": ["string"
],
"tls": {"mode": "DISABLED",
"files": {"clientCertificate": "string",
"privateKey": "string",
"caCertificates": "string"
},
"subjectAltNames": ["string"
]
}
},
"local": {"rules": [{"name": "string",
"from": [{"jwt": {"iss": null,
"sub": null,
"other": { }
}
}
],
"to": [{"paths": [null
],
"methods": [null
]
}
]
}
]
}
},
"routing": {"corsPolicy": {"allowOrigin": ["string"
],
"allowMethods": ["string"
],
"allowHeaders": ["string"
],
"exposeHeaders": ["string"
],
"maxAge": "string",
"allowCredentials": true
},
"rules": [{"match": [{"uri": {"exact": "string",
"prefix": "string",
"regex": "string"
},
"headers": {"property1": {"exact": null,
"prefix": null,
"regex": null
},
"property2": {"exact": null,
"prefix": null,
"regex": null
}
}
}
],
"modify": {"rewrite": {"uri": "string",
"authority": "string"
},
"headers": {"request": {"set": {"property1": null,
"property2": null
},
"add": {"property1": null,
"property2": null
},
"remove": [null
]
},
"response": {"set": {"property1": null,
"property2": null
},
"add": {"property1": null,
"property2": null
},
"remove": [null
]
}
}
},
"route": {"host": "string",
"port": 0
},
"redirect": {"uri": "string",
"authority": "string",
"redirectCode": 0,
"port": 0,
"scheme": "string"
}
}
]
},
"rateLimiting": {"settings": {"rules": [{"dimensions": [{"remoteAddress": {"value": null
},
"header": {"name": null,
"value": null,
"dontMatch": null
}
}
],
"limit": {"requestsPerUnit": 0,
"unit": "UNKNOWN"
}
}
],
"failClosed": true,
"timeout": "string"
},
"externalService": {"domain": "string",
"failClosed": true,
"rateLimitServerUri": "string",
"rules": [{"dimensions": [{"sourceCluster": { },
"destinationCluster": { },
"remoteAddress": { },
"requestHeaders": {"headerName": null,
"descriptorKey": null
},
"headerValueMatch": {"headers": { },
"descriptorValue": null,
"dontMatch": null
}
}
]
}
],
"timeout": "string",
"tls": {"mode": "DISABLED",
"files": {"clientCertificate": "string",
"privateKey": "string",
"caCertificates": "string"
},
"subjectAltNames": ["string"
]
}
}
}
}
],
"endpoints": [{"path": "string",
"methods": ["string"
],
"hostnames": ["string"
],
"service": "string"
}
],
"configResources": [{"fqn": "string",
"expectedEtag": "string",
"exclusivelyOwned": true
}
]
}

Get the details of an API.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
application required	string Application name.
api required	string Api name.

Responses

Response samples

200
default

Content type

application/json

{"fqn": "string",
"displayName": "string",
"etag": "string",
"description": "string",
"openapi": "string",
"workloadSelector": {"namespace": "string",
"labels": {"property1": "string",
"property2": "string"
}
},
"servers": [{"name": "string",
"port": 0,
"hostname": "string",
"tls": {"mode": "DISABLED",
"secretName": "string",
"files": {"serverCertificate": "string",
"privateKey": "string",
"caCertificates": "string"
}
},
"xxxOldAuthentication": {"jwt": {"issuer": "string",
"audiences": ["string"
],
"jwksUri": "string",
"jwks": "string"
}
},
"authentication": {"jwt": {"issuer": "string",
"audiences": ["string"
],
"jwksUri": "string",
"jwks": "string"
}
},
"xxxOldAuthorization": {"external": {"uri": "string",
"includeRequestHeaders": ["string"
]
},
"local": {"rules": [{"name": "string",
"from": [{"jwt": {"iss": null,
"sub": null,
"other": { }
}
}
],
"to": [{"paths": [null
],
"methods": [null
]
}
]
}
]
}
},
"authorization": {"external": {"uri": "string",
"includeRequestHeaders": ["string"
],
"tls": {"mode": "DISABLED",
"files": {"clientCertificate": "string",
"privateKey": "string",
"caCertificates": "string"
},
"subjectAltNames": ["string"
]
}
},
"local": {"rules": [{"name": "string",
"from": [{"jwt": {"iss": null,
"sub": null,
"other": { }
}
}
],
"to": [{"paths": [null
],
"methods": [null
]
}
]
}
]
}
},
"routing": {"corsPolicy": {"allowOrigin": ["string"
],
"allowMethods": ["string"
],
"allowHeaders": ["string"
],
"exposeHeaders": ["string"
],
"maxAge": "string",
"allowCredentials": true
},
"rules": [{"match": [{"uri": {"exact": "string",
"prefix": "string",
"regex": "string"
},
"headers": {"property1": {"exact": null,
"prefix": null,
"regex": null
},
"property2": {"exact": null,
"prefix": null,
"regex": null
}
}
}
],
"modify": {"rewrite": {"uri": "string",
"authority": "string"
},
"headers": {"request": {"set": {"property1": null,
"property2": null
},
"add": {"property1": null,
"property2": null
},
"remove": [null
]
},
"response": {"set": {"property1": null,
"property2": null
},
"add": {"property1": null,
"property2": null
},
"remove": [null
]
}
}
},
"route": {"host": "string",
"port": 0
},
"redirect": {"uri": "string",
"authority": "string",
"redirectCode": 0,
"port": 0,
"scheme": "string"
}
}
]
},
"rateLimiting": {"settings": {"rules": [{"dimensions": [{"remoteAddress": {"value": null
},
"header": {"name": null,
"value": null,
"dontMatch": null
}
}
],
"limit": {"requestsPerUnit": 0,
"unit": "UNKNOWN"
}
}
],
"failClosed": true,
"timeout": "string"
},
"externalService": {"domain": "string",
"failClosed": true,
"rateLimitServerUri": "string",
"rules": [{"dimensions": [{"sourceCluster": { },
"destinationCluster": { },
"remoteAddress": { },
"requestHeaders": {"headerName": null,
"descriptorKey": null
},
"headerValueMatch": {"headers": { },
"descriptorValue": null,
"dontMatch": null
}
}
]
}
],
"timeout": "string",
"tls": {"mode": "DISABLED",
"files": {"clientCertificate": "string",
"privateKey": "string",
"caCertificates": "string"
},
"subjectAltNames": ["string"
]
}
}
}
}
],
"endpoints": [{"path": "string",
"methods": ["string"
],
"hostnames": ["string"
],
"service": "string"
}
],
"configResources": [{"fqn": "string",
"expectedEtag": "string",
"exclusivelyOwned": true
}
]
}

Delete an existing API.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
application required	string Application name.
api required	string Api name.

Responses

Response samples

200
default

Content type

application/json

{ }

WasmExtensions

List the WASM extensions that are defined for the Organization.

path Parameters

organization

required

string

Organization name.

Responses

Response samples

200
default

Content type

application/json

{"extensions": [{"fqn": "string",
"displayName": "string",
"etag": "string",
"description": "string",
"allowedIn": ["string"
],
"image": "string",
"source": "string",
"phase": "UNSPECIFIED_PHASE",
"priority": 0,
"config": { },
"imagePullPolicy": "UNSPECIFIED_POLICY",
"imagePullSecret": "string",
"vmConfig": {"env": [{"name": "string",
"valueFrom": "INLINE",
"value": "string"
}
]
}
}
]
}

Creates a new WasmExtension object in TSB. This is needed to let the extensions run. Once a WasmExtension has been created, it can be assigned to IngressGateway and SecuritySetting. This method returns the created extension.

path Parameters

organization

required

string

Organization name.

Request Body schema: application/json
required

name required	string The short name for the resource to be created.
required	object (v2WasmExtension)

Responses

Request samples

Payload

Content type

application/json

{"name": "string",
"wasmExtension": {"displayName": "string",
"etag": "string",
"description": "string",
"allowedIn": ["string"
],
"image": "string",
"source": "string",
"phase": "UNSPECIFIED_PHASE",
"priority": 0,
"config": { },
"imagePullPolicy": "UNSPECIFIED_POLICY",
"imagePullSecret": "string",
"vmConfig": {"env": [{"name": "string",
"valueFrom": "INLINE",
"value": "string"
}
]
}
}
}

Response samples

200
default

Content type

application/json

{"fqn": "string",
"displayName": "string",
"etag": "string",
"description": "string",
"allowedIn": ["string"
],
"image": "string",
"source": "string",
"phase": "UNSPECIFIED_PHASE",
"priority": 0,
"config": { },
"imagePullPolicy": "UNSPECIFIED_POLICY",
"imagePullSecret": "string",
"vmConfig": {"env": [{"name": "string",
"valueFrom": "INLINE",
"value": "string"
}
]
}
}

Get a WASM extension

path Parameters

organization required	string Organization name.
extension required	string Extension name.

Responses

Response samples

200
default

Content type

application/json

{"fqn": "string",
"displayName": "string",
"etag": "string",
"description": "string",
"allowedIn": ["string"
],
"image": "string",
"source": "string",
"phase": "UNSPECIFIED_PHASE",
"priority": 0,
"config": { },
"imagePullPolicy": "UNSPECIFIED_POLICY",
"imagePullSecret": "string",
"vmConfig": {"env": [{"name": "string",
"valueFrom": "INLINE",
"value": "string"
}
]
}
}

Modify an existing WasmExtension. When modifying the details of an extension in use, such as the image property, enabled flag, phase, or default configuration, a redeploy or reconfiguration of the extension may be triggered, affecting live traffic in all those places that reference the extension. Similarly, changes to the allowed_in property may trigger the removal of the extension from all places where the extension was in use that are not allowed to use it anymore, affecting live traffic on the relevant namespaces as well.

path Parameters

organization required	string Organization name.
extension required	string Extension name.

Request Body schema: application/json
required

allowedIn	Array of strings List of fqns where this extension is allowed to run. If it is empty, the extension can be used across the entire organization. Currently only Tenant resources are considered.
config	object Configuration parameters sent to the WASM plugin execution The configuration can be overwritten when instantiating the extensions in IngressGateways or Security groups. The config is serialized using proto3 JSON marshaling and passed to proxy_on_configure when the host environment starts the plugin.
description	string (A description of the extension. $hide_from_yaml)
displayName	string (User friendly name for the extension. $hide_from_yaml)
etag	string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)
image required	string Repository and tag of the OCI image containing the WASM extension.
imagePullPolicy	string (WasmExtensionPullPolicy) Default: "UNSPECIFIED_POLICY" Enum: "UNSPECIFIED_POLICY" "IfNotPresent" "Always" The pull behaviour to be applied when fetching a WASM module, mirroring K8s behaviour. UNSPECIFIED_POLICY: Defaults to IfNotPresent, except for OCI images with tag `latest`, for which the default will be Always. IfNotPresent: If an existing version of the image has been pulled before, that will be used. If no version of the image is present locally, we will pull the latest version. Always: We will always pull the latest version of an image when changing this plugin. Note that the change includes `metadata` field as well.
imagePullSecret	string Credentials to use for OCI image pulling. Name of a K8s Secret in the same namespace as the `WasmPlugin` that contains a docker pull secret which is to be used to authenticate against the registry when pulling the image.
phase	string (Plugin phases following Istio definition: https://istio.io/latest/docs/reference/config/proxy_extensions/wasm-plugin/#PluginPhase) Default: "UNSPECIFIED_PHASE" Enum: "UNSPECIFIED_PHASE" "AUTHN" "AUTHZ" "STATS" UNSPECIFIED_PHASE: Control plane decides where to insert the plugin. This will generally be at the end of the filter chain, right before the Router. Do not specify PluginPhase if the plugin is independent of others. AUTHN: Insert plugin before Istio authentication filters. AUTHZ: Insert plugin before Istio authorization filters and after Istio authentication filters. STATS: Insert plugin before Istio stats filters and after Istio authorization filters.
priority	integer <int32> Determines the ordering of WasmExtensions in the same phase. When multiple WasmExtensions are applied to the same workload in the same phase, they will be applied by priority, in descending order. If no priority is assigned it will use the default 0 value. In case of several extensions having the same priority in the same phase, the fqn will be used to sort them.
source	string (Source to find the code for the WASM extension)
	object (v2VmConfig) Configuration for a Wasm VM. more details can be found here.

Responses

Request samples

Payload

Content type

application/json

{"allowedIn": ["string"
],
"config": { },
"description": "string",
"displayName": "string",
"etag": "string",
"image": "string",
"imagePullPolicy": "UNSPECIFIED_POLICY",
"imagePullSecret": "string",
"phase": "UNSPECIFIED_PHASE",
"priority": 0,
"source": "string",
"vmConfig": {"env": [{"name": "string",
"valueFrom": "INLINE",
"value": "string"
}
]
}
}

Response samples

200
default

Content type

application/json

{"fqn": "string",
"displayName": "string",
"etag": "string",
"description": "string",
"allowedIn": ["string"
],
"image": "string",
"source": "string",
"phase": "UNSPECIFIED_PHASE",
"priority": 0,
"config": { },
"imagePullPolicy": "UNSPECIFIED_POLICY",
"imagePullSecret": "string",
"vmConfig": {"env": [{"name": "string",
"valueFrom": "INLINE",
"value": "string"
}
]
}
}

Delete a WasmExtension. Note that deleting a WasmExtension will delete the extension itself, and also its assignments to IngressGateway and SecuritySetting.

path Parameters

organization required	string Organization name.
extension required	string Extension name.

Responses

Response samples

200
default

Content type

application/json

{ }

Gateway

List all gateway groups that exist in the workspace.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
workspace required	string Workspace name.

Responses

Response samples

200
default

Content type

application/json

{"groups": [{"fqn": "string",
"displayName": "string",
"etag": "string",
"description": "string",
"namespaceSelector": {"names": ["string"
]
},
"configMode": "BRIDGED"
}
]
}

Create a new gateway group in the given workspace.

Groups will by default configure all the namespaces owned by their workspace, unless explicitly configured. If a specific set of namespaces is set for the group, it must be a subset of the namespaces defined by its workspace.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
workspace required	string Workspace name.

Request Body schema: application/json
required

required	object (v2Group) A gateway group manages the gateways in a group of namespaces owned by the parent workspace.
name required	string The short name for the resource to be created.

Responses

Request samples

Payload

Content type

application/json

{"group": {"displayName": "string",
"etag": "string",
"description": "string",
"namespaceSelector": {"names": ["string"
]
},
"configMode": "BRIDGED"
},
"name": "string"
}

Response samples

200
default

Content type

application/json

{"fqn": "string",
"displayName": "string",
"etag": "string",
"description": "string",
"namespaceSelector": {"names": ["string"
]
},
"configMode": "BRIDGED"
}

Get the details of the given gateway group.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
workspace required	string Workspace name.
gatewaygroup required	string Gatewaygroup name.

Responses

Response samples

200
default

Content type

application/json

{"fqn": "string",
"displayName": "string",
"etag": "string",
"description": "string",
"namespaceSelector": {"names": ["string"
]
},
"configMode": "BRIDGED"
}

update the given gateway group.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
workspace required	string Workspace name.
gatewaygroup required	string Gatewaygroup name.

Request Body schema: application/json
required

configMode	string (v2ConfigMode) Default: "BRIDGED" Enum: "BRIDGED" "DIRECT" The configuration mode used by a traffic, security or a gateway group. BRIDGED: Indicates that the configurations to be added to the group will use macro APIs that automatically generate Istio APIs under the hood. DIRECT: Indicates that the configurations to be added to the group will directly use Istio APIs.
description	string (A description of the resource. $hide_from_yaml)
displayName	string (User friendly name for the resource. $hide_from_yaml)
etag	string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)
required	object (`NamespaceSelector` selects a set of namespaces across one or more clusters in a tenant. Namespace selectors can be used at Workspace level to carve out a chunk of resources under a tenant into an isolated configuration domain. They can be used in a Traffic, Security, or a Gateway group to further scope the set of namespaces that will belong to a specific configuration group. Names in namespaces selector must be in the form `cluster/namespace` where: - cluster must be a cluster name or an `` to mean all clusters - namespace must be a namespace name, an `` to mean all namespaces or a prefix like `ns-*` to mean all those namespaces starting by `ns-`)

Responses

Request samples

Payload

Content type

application/json

{"configMode": "BRIDGED",
"description": "string",
"displayName": "string",
"etag": "string",
"namespaceSelector": {"names": ["string"
]
}
}

Response samples

200
default

Content type

application/json

{"fqn": "string",
"displayName": "string",
"etag": "string",
"description": "string",
"namespaceSelector": {"names": ["string"
]
},
"configMode": "BRIDGED"
}

Delete the given gateway group. Note that deleting resources in TSB is a recursive operation. Deleting a gateway group will delete all configuration objects that exist in it.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
workspace required	string Workspace name.
gatewaygroup required	string Gatewaygroup name.

Responses

Response samples

200
default

Content type

application/json

{ }

List all Egress Gateway objects in the gateway group.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
workspace required	string Workspace name.
gatewaygroup required	string Gatewaygroup name.

Responses

Response samples

200
default

Content type

application/json

{"egressGateways": [{"fqn": "string",
"displayName": "string",
"etag": "string",
"description": "string",
"workloadSelector": {"namespace": "string",
"labels": {"property1": "string",
"property2": "string"
}
},
"authorization": [{"from": {"mode": "UNSET",
"serviceAccounts": ["string"
],
"http": {"external": {"uri": "string",
"includeRequestHeaders": ["string"
],
"tls": {"mode": "DISABLED",
"files": {"clientCertificate": null,
"privateKey": null,
"caCertificates": null
},
"subjectAltNames": [null
]
}
},
"local": {"rules": [{"name": null,
"from": [ ],
"to": [ ]
}
]
}
},
"rules": {"allow": [{"from": {"fqn": null
},
"to": {"fqn": null
}
}
],
"denyAll": true,
"deny": [{"from": {"fqn": null
},
"to": {"fqn": null
}
}
]
}
},
"to": ["string"
]
}
],
"extension": [{"fqn": "string",
"config": { }
}
]
}
]
}

Create an Egress Gateway object in the gateway group.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
workspace required	string Workspace name.
gatewaygroup required	string Gatewaygroup name.

Request Body schema: application/json
required

required	object (v2EgressGateway) `EgressGateway` configures a workload to act as an egress gateway in the mesh. -->
name required	string The short name for the resource to be created.

Responses

Request samples

Payload

Content type

application/json

{"egressGateway": {"displayName": "string",
"etag": "string",
"description": "string",
"workloadSelector": {"namespace": "string",
"labels": {"property1": "string",
"property2": "string"
}
},
"authorization": [{"from": {"mode": "UNSET",
"serviceAccounts": ["string"
],
"http": {"external": {"uri": "string",
"includeRequestHeaders": ["string"
],
"tls": {"mode": "DISABLED",
"files": {"clientCertificate": "string",
"privateKey": "string",
"caCertificates": "string"
},
"subjectAltNames": ["string"
]
}
},
"local": {"rules": [{"name": "string",
"from": [null
],
"to": [null
]
}
]
}
},
"rules": {"allow": [{"from": {"fqn": "string"
},
"to": {"fqn": "string"
}
}
],
"denyAll": true,
"deny": [{"from": {"fqn": "string"
},
"to": {"fqn": "string"
}
}
]
}
},
"to": ["string"
]
}
],
"extension": [{"fqn": "string",
"config": { }
}
]
},
"name": "string"
}

Response samples

200
default

Content type

application/json

{"fqn": "string",
"displayName": "string",
"etag": "string",
"description": "string",
"workloadSelector": {"namespace": "string",
"labels": {"property1": "string",
"property2": "string"
}
},
"authorization": [{"from": {"mode": "UNSET",
"serviceAccounts": ["string"
],
"http": {"external": {"uri": "string",
"includeRequestHeaders": ["string"
],
"tls": {"mode": "DISABLED",
"files": {"clientCertificate": "string",
"privateKey": "string",
"caCertificates": "string"
},
"subjectAltNames": ["string"
]
}
},
"local": {"rules": [{"name": "string",
"from": [{"jwt": null
}
],
"to": [{"paths": [ ],
"methods": [ ]
}
]
}
]
}
},
"rules": {"allow": [{"from": {"fqn": "string"
},
"to": {"fqn": "string"
}
}
],
"denyAll": true,
"deny": [{"from": {"fqn": "string"
},
"to": {"fqn": "string"
}
}
]
}
},
"to": ["string"
]
}
],
"extension": [{"fqn": "string",
"config": { }
}
]
}

Get the details of the given Egress Gateway object.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
workspace required	string Workspace name.
gatewaygroup required	string Gatewaygroup name.
egressgateway required	string Egressgateway name.

Responses

Response samples

200
default

Content type

application/json

{"fqn": "string",
"displayName": "string",
"etag": "string",
"description": "string",
"workloadSelector": {"namespace": "string",
"labels": {"property1": "string",
"property2": "string"
}
},
"authorization": [{"from": {"mode": "UNSET",
"serviceAccounts": ["string"
],
"http": {"external": {"uri": "string",
"includeRequestHeaders": ["string"
],
"tls": {"mode": "DISABLED",
"files": {"clientCertificate": "string",
"privateKey": "string",
"caCertificates": "string"
},
"subjectAltNames": ["string"
]
}
},
"local": {"rules": [{"name": "string",
"from": [{"jwt": null
}
],
"to": [{"paths": [ ],
"methods": [ ]
}
]
}
]
}
},
"rules": {"allow": [{"from": {"fqn": "string"
},
"to": {"fqn": "string"
}
}
],
"denyAll": true,
"deny": [{"from": {"fqn": "string"
},
"to": {"fqn": "string"
}
}
]
}
},
"to": ["string"
]
}
],
"extension": [{"fqn": "string",
"config": { }
}
]
}

Modify the given Egress Gateway object.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
workspace required	string Workspace name.
gatewaygroup required	string Gatewaygroup name.
egressgateway required	string Egressgateway name.

Request Body schema: application/json
required

	Array of objects (EgressAuthorization is used to dictate which service accounts can access a set of external hosts) The description of which service accounts can access which hosts. If the list of authorization rules is empty, this egress gateway will deny all traffic.
description	string (A description of the resource. $hide_from_yaml)
displayName	string (User friendly name for the resource. $hide_from_yaml)
etag	string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)
	Array of objects (v2WasmExtensionAttachment) Extensions specifies all the WasmExtensions assigned to this EgressGateway with the specific configuration for each extension. This custom configuration will override the one configured globally to the extension. Each extension has a global configuration including enablement and priority that will condition the execution of the assigned extensions.
required	object (v2WorkloadSelector) `WorkloadSelector` selects one or more workloads in a namespace. `WorkloadSelector` can be used in TrafficSetting, SecuritySetting, and Gateway APIs in `BRIDGED` mode to scope the configuration to a specific set of workloads.

Responses

Request samples

Payload

Content type

application/json

{"authorization": [{"from": {"mode": "UNSET",
"serviceAccounts": ["string"
],
"http": {"external": {"uri": "string",
"includeRequestHeaders": ["string"
],
"tls": {"mode": "DISABLED",
"files": {"clientCertificate": "string",
"privateKey": "string",
"caCertificates": "string"
},
"subjectAltNames": ["string"
]
}
},
"local": {"rules": [{"name": "string",
"from": [{"jwt": null
}
],
"to": [{"paths": [ ],
"methods": [ ]
}
]
}
]
}
},
"rules": {"allow": [{"from": {"fqn": "string"
},
"to": {"fqn": "string"
}
}
],
"denyAll": true,
"deny": [{"from": {"fqn": "string"
},
"to": {"fqn": "string"
}
}
]
}
},
"to": ["string"
]
}
],
"description": "string",
"displayName": "string",
"etag": "string",
"extension": [{"fqn": "string",
"config": { }
}
],
"workloadSelector": {"namespace": "string",
"labels": {"property1": "string",
"property2": "string"
}
}
}

Response samples

200
default

Content type

application/json

{"fqn": "string",
"displayName": "string",
"etag": "string",
"description": "string",
"workloadSelector": {"namespace": "string",
"labels": {"property1": "string",
"property2": "string"
}
},
"authorization": [{"from": {"mode": "UNSET",
"serviceAccounts": ["string"
],
"http": {"external": {"uri": "string",
"includeRequestHeaders": ["string"
],
"tls": {"mode": "DISABLED",
"files": {"clientCertificate": "string",
"privateKey": "string",
"caCertificates": "string"
},
"subjectAltNames": ["string"
]
}
},
"local": {"rules": [{"name": "string",
"from": [{"jwt": null
}
],
"to": [{"paths": [ ],
"methods": [ ]
}
]
}
]
}
},
"rules": {"allow": [{"from": {"fqn": "string"
},
"to": {"fqn": "string"
}
}
],
"denyAll": true,
"deny": [{"from": {"fqn": "string"
},
"to": {"fqn": "string"
}
}
]
}
},
"to": ["string"
]
}
],
"extension": [{"fqn": "string",
"config": { }
}
]
}

Delete the given Egress Gateway object.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
workspace required	string Workspace name.
gatewaygroup required	string Gatewaygroup name.
egressgateway required	string Egressgateway name.

Responses

Response samples

200
default

Content type

application/json

{ }

List all Ingress Gateway objects in the gateway group.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
workspace required	string Workspace name.
gatewaygroup required	string Gatewaygroup name.

Responses

Response samples

200
default

Content type

application/json

{"ingressGateways": [{"fqn": "string",
"displayName": "string",
"etag": "string",
"description": "string",
"workloadSelector": {"namespace": "string",
"labels": {"property1": "string",
"property2": "string"
}
},
"http": [{"name": "string",
"port": 0,
"hostname": "string",
"tls": {"mode": "DISABLED",
"secretName": "string",
"files": {"serverCertificate": "string",
"privateKey": "string",
"caCertificates": "string"
}
},
"xxxOldAuthentication": {"jwt": {"issuer": "string",
"audiences": ["string"
],
"jwksUri": "string",
"jwks": "string"
}
},
"authentication": {"jwt": {"issuer": "string",
"audiences": ["string"
],
"jwksUri": "string",
"jwks": "string"
}
},
"xxxOldAuthorization": {"external": {"uri": "string",
"includeRequestHeaders": ["string"
]
},
"local": {"rules": [{"name": "string",
"from": [null
],
"to": [null
]
}
]
}
},
"authorization": {"external": {"uri": "string",
"includeRequestHeaders": ["string"
],
"tls": {"mode": "DISABLED",
"files": {"clientCertificate": "string",
"privateKey": "string",
"caCertificates": "string"
},
"subjectAltNames": ["string"
]
}
},
"local": {"rules": [{"name": "string",
"from": [null
],
"to": [null
]
}
]
}
},
"routing": {"corsPolicy": {"allowOrigin": ["string"
],
"allowMethods": ["string"
],
"allowHeaders": ["string"
],
"exposeHeaders": ["string"
],
"maxAge": "string",
"allowCredentials": true
},
"rules": [{"match": [{"uri": null,
"headers": { }
}
],
"modify": {"rewrite": {"uri": null,
"authority": null
},
"headers": {"request": null,
"response": null
}
},
"route": {"host": "string",
"port": 0
},
"redirect": {"uri": "string",
"authority": "string",
"redirectCode": 0,
"port": 0,
"scheme": "string"
}
}
]
},
"rateLimiting": {"settings": {"rules": [{"dimensions": [null
],
"limit": {"requestsPerUnit": null,
"unit": null
}
}
],
"failClosed": true,
"timeout": "string"
},
"externalService": {"domain": "string",
"failClosed": true,
"rateLimitServerUri": "string",
"rules": [{"dimensions": [null
]
}
],
"timeout": "string",
"tls": {"mode": "DISABLED",
"files": {"clientCertificate": "string",
"privateKey": "string",
"caCertificates": "string"
},
"subjectAltNames": ["string"
]
}
}
}
}
],
"tlsPassthrough": [{"name": "string",
"port": 0,
"hostname": "string",
"route": {"host": "string",
"port": 0
}
}
],
"tcp": [{"name": "string",
"port": 0,
"hostname": "string",
"tls": {"mode": "DISABLED",
"secretName": "string",
"files": {"serverCertificate": "string",
"privateKey": "string",
"caCertificates": "string"
}
},
"route": {"host": "string",
"port": 0
}
}
],
"extension": [{"fqn": "string",
"config": { }
}
],
"waf": {"rules": ["string"
]
}
}
]
}

Create an Ingress Gateway object in the gateway group.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
workspace required	string Workspace name.
gatewaygroup required	string Gatewaygroup name.

Request Body schema: application/json
required

required	object (v2IngressGateway) `IngressGateway` configures a workload to act as an ingress gateway into the mesh.
name required	string The short name for the resource to be created.

Responses

Request samples

Payload

Content type

application/json

{"ingressGateway": {"displayName": "string",
"etag": "string",
"description": "string",
"workloadSelector": {"namespace": "string",
"labels": {"property1": "string",
"property2": "string"
}
},
"http": [{"name": "string",
"port": 0,
"hostname": "string",
"tls": {"mode": "DISABLED",
"secretName": "string",
"files": {"serverCertificate": "string",
"privateKey": "string",
"caCertificates": "string"
}
},
"xxxOldAuthentication": {"jwt": {"issuer": "string",
"audiences": ["string"
],
"jwksUri": "string",
"jwks": "string"
}
},
"authentication": {"jwt": {"issuer": "string",
"audiences": ["string"
],
"jwksUri": "string",
"jwks": "string"
}
},
"xxxOldAuthorization": {"external": {"uri": "string",
"includeRequestHeaders": ["string"
]
},
"local": {"rules": [{"name": "string",
"from": [{"jwt": null
}
],
"to": [{"paths": [ ],
"methods": [ ]
}
]
}
]
}
},
"authorization": {"external": {"uri": "string",
"includeRequestHeaders": ["string"
],
"tls": {"mode": "DISABLED",
"files": {"clientCertificate": "string",
"privateKey": "string",
"caCertificates": "string"
},
"subjectAltNames": ["string"
]
}
},
"local": {"rules": [{"name": "string",
"from": [{"jwt": null
}
],
"to": [{"paths": [ ],
"methods": [ ]
}
]
}
]
}
},
"routing": {"corsPolicy": {"allowOrigin": ["string"
],
"allowMethods": ["string"
],
"allowHeaders": ["string"
],
"exposeHeaders": ["string"
],
"maxAge": "string",
"allowCredentials": true
},
"rules": [{"match": [{"uri": {"exact": null,
"prefix": null,
"regex": null
},
"headers": {"property1": null,
"property2": null
}
}
],
"modify": {"rewrite": {"uri": "string",
"authority": "string"
},
"headers": {"request": {"set": { },
"add": { },
"remove": [ ]
},
"response": {"set": { },
"add": { },
"remove": [ ]
}
}
},
"route": {"host": "string",
"port": 0
},
"redirect": {"uri": "string",
"authority": "string",
"redirectCode": 0,
"port": 0,
"scheme": "string"
}
}
]
},
"rateLimiting": {"settings": {"rules": [{"dimensions": [{"remoteAddress": null,
"header": null
}
],
"limit": {"requestsPerUnit": 0,
"unit": "UNKNOWN"
}
}
],
"failClosed": true,
"timeout": "string"
},
"externalService": {"domain": "string",
"failClosed": true,
"rateLimitServerUri": "string",
"rules": [{"dimensions": [{"sourceCluster": null,
"destinationCluster": null,
"remoteAddress": null,
"requestHeaders": null,
"headerValueMatch": null
}
]
}
],
"timeout": "string",
"tls": {"mode": "DISABLED",
"files": {"clientCertificate": "string",
"privateKey": "string",
"caCertificates": "string"
},
"subjectAltNames": ["string"
]
}
}
}
}
],
"tlsPassthrough": [{"name": "string",
"port": 0,
"hostname": "string",
"route": {"host": "string",
"port": 0
}
}
],
"tcp": [{"name": "string",
"port": 0,
"hostname": "string",
"tls": {"mode": "DISABLED",
"secretName": "string",
"files": {"serverCertificate": "string",
"privateKey": "string",
"caCertificates": "string"
}
},
"route": {"host": "string",
"port": 0
}
}
],
"extension": [{"fqn": "string",
"config": { }
}
],
"waf": {"rules": ["string"
]
}
},
"name": "string"
}

Response samples

200
default

Content type

application/json

{"fqn": "string",
"displayName": "string",
"etag": "string",
"description": "string",
"workloadSelector": {"namespace": "string",
"labels": {"property1": "string",
"property2": "string"
}
},
"http": [{"name": "string",
"port": 0,
"hostname": "string",
"tls": {"mode": "DISABLED",
"secretName": "string",
"files": {"serverCertificate": "string",
"privateKey": "string",
"caCertificates": "string"
}
},
"xxxOldAuthentication": {"jwt": {"issuer": "string",
"audiences": ["string"
],
"jwksUri": "string",
"jwks": "string"
}
},
"authentication": {"jwt": {"issuer": "string",
"audiences": ["string"
],
"jwksUri": "string",
"jwks": "string"
}
},
"xxxOldAuthorization": {"external": {"uri": "string",
"includeRequestHeaders": ["string"
]
},
"local": {"rules": [{"name": "string",
"from": [{"jwt": {"iss": null,
"sub": null,
"other": { }
}
}
],
"to": [{"paths": [null
],
"methods": [null
]
}
]
}
]
}
},
"authorization": {"external": {"uri": "string",
"includeRequestHeaders": ["string"
],
"tls": {"mode": "DISABLED",
"files": {"clientCertificate": "string",
"privateKey": "string",
"caCertificates": "string"
},
"subjectAltNames": ["string"
]
}
},
"local": {"rules": [{"name": "string",
"from": [{"jwt": {"iss": null,
"sub": null,
"other": { }
}
}
],
"to": [{"paths": [null
],
"methods": [null
]
}
]
}
]
}
},
"routing": {"corsPolicy": {"allowOrigin": ["string"
],
"allowMethods": ["string"
],
"allowHeaders": ["string"
],
"exposeHeaders": ["string"
],
"maxAge": "string",
"allowCredentials": true
},
"rules": [{"match": [{"uri": {"exact": "string",
"prefix": "string",
"regex": "string"
},
"headers": {"property1": {"exact": null,
"prefix": null,
"regex": null
},
"property2": {"exact": null,
"prefix": null,
"regex": null
}
}
}
],
"modify": {"rewrite": {"uri": "string",
"authority": "string"
},
"headers": {"request": {"set": {"property1": null,
"property2": null
},
"add": {"property1": null,
"property2": null
},
"remove": [null
]
},
"response": {"set": {"property1": null,
"property2": null
},
"add": {"property1": null,
"property2": null
},
"remove": [null
]
}
}
},
"route": {"host": "string",
"port": 0
},
"redirect": {"uri": "string",
"authority": "string",
"redirectCode": 0,
"port": 0,
"scheme": "string"
}
}
]
},
"rateLimiting": {"settings": {"rules": [{"dimensions": [{"remoteAddress": {"value": null
},
"header": {"name": null,
"value": null,
"dontMatch": null
}
}
],
"limit": {"requestsPerUnit": 0,
"unit": "UNKNOWN"
}
}
],
"failClosed": true,
"timeout": "string"
},
"externalService": {"domain": "string",
"failClosed": true,
"rateLimitServerUri": "string",
"rules": [{"dimensions": [{"sourceCluster": { },
"destinationCluster": { },
"remoteAddress": { },
"requestHeaders": {"headerName": null,
"descriptorKey": null
},
"headerValueMatch": {"headers": { },
"descriptorValue": null,
"dontMatch": null
}
}
]
}
],
"timeout": "string",
"tls": {"mode": "DISABLED",
"files": {"clientCertificate": "string",
"privateKey": "string",
"caCertificates": "string"
},
"subjectAltNames": ["string"
]
}
}
}
}
],
"tlsPassthrough": [{"name": "string",
"port": 0,
"hostname": "string",
"route": {"host": "string",
"port": 0
}
}
],
"tcp": [{"name": "string",
"port": 0,
"hostname": "string",
"tls": {"mode": "DISABLED",
"secretName": "string",
"files": {"serverCertificate": "string",
"privateKey": "string",
"caCertificates": "string"
}
},
"route": {"host": "string",
"port": 0
}
}
],
"extension": [{"fqn": "string",
"config": { }
}
],
"waf": {"rules": ["string"
]
}
}

Get the details of the given Ingress Gateway object.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
workspace required	string Workspace name.
gatewaygroup required	string Gatewaygroup name.
ingressgateway required	string Ingressgateway name.

Responses

Response samples

200
default

Content type

application/json

{"fqn": "string",
"displayName": "string",
"etag": "string",
"description": "string",
"workloadSelector": {"namespace": "string",
"labels": {"property1": "string",
"property2": "string"
}
},
"http": [{"name": "string",
"port": 0,
"hostname": "string",
"tls": {"mode": "DISABLED",
"secretName": "string",
"files": {"serverCertificate": "string",
"privateKey": "string",
"caCertificates": "string"
}
},
"xxxOldAuthentication": {"jwt": {"issuer": "string",
"audiences": ["string"
],
"jwksUri": "string",
"jwks": "string"
}
},
"authentication": {"jwt": {"issuer": "string",
"audiences": ["string"
],
"jwksUri": "string",
"jwks": "string"
}
},
"xxxOldAuthorization": {"external": {"uri": "string",
"includeRequestHeaders": ["string"
]
},
"local": {"rules": [{"name": "string",
"from": [{"jwt": {"iss": null,
"sub": null,
"other": { }
}
}
],
"to": [{"paths": [null
],
"methods": [null
]
}
]
}
]
}
},
"authorization": {"external": {"uri": "string",
"includeRequestHeaders": ["string"
],
"tls": {"mode": "DISABLED",
"files": {"clientCertificate": "string",
"privateKey": "string",
"caCertificates": "string"
},
"subjectAltNames": ["string"
]
}
},
"local": {"rules": [{"name": "string",
"from": [{"jwt": {"iss": null,
"sub": null,
"other": { }
}
}
],
"to": [{"paths": [null
],
"methods": [null
]
}
]
}
]
}
},
"routing": {"corsPolicy": {"allowOrigin": ["string"
],
"allowMethods": ["string"
],
"allowHeaders": ["string"
],
"exposeHeaders": ["string"
],
"maxAge": "string",
"allowCredentials": true
},
"rules": [{"match": [{"uri": {"exact": "string",
"prefix": "string",
"regex": "string"
},
"headers": {"property1": {"exact": null,
"prefix": null,
"regex": null
},
"property2": {"exact": null,
"prefix": null,
"regex": null
}
}
}
],
"modify": {"rewrite": {"uri": "string",
"authority": "string"
},
"headers": {"request": {"set": {"property1": null,
"property2": null
},
"add": {"property1": null,
"property2": null
},
"remove": [null
]
},
"response": {"set": {"property1": null,
"property2": null
},
"add": {"property1": null,
"property2": null
},
"remove": [null
]
}
}
},
"route": {"host": "string",
"port": 0
},
"redirect": {"uri": "string",
"authority": "string",
"redirectCode": 0,
"port": 0,
"scheme": "string"
}
}
]
},
"rateLimiting": {"settings": {"rules": [{"dimensions": [{"remoteAddress": {"value": null
},
"header": {"name": null,
"value": null,
"dontMatch": null
}
}
],
"limit": {"requestsPerUnit": 0,
"unit": "UNKNOWN"
}
}
],
"failClosed": true,
"timeout": "string"
},
"externalService": {"domain": "string",
"failClosed": true,
"rateLimitServerUri": "string",
"rules": [{"dimensions": [{"sourceCluster": { },
"destinationCluster": { },
"remoteAddress": { },
"requestHeaders": {"headerName": null,
"descriptorKey": null
},
"headerValueMatch": {"headers": { },
"descriptorValue": null,
"dontMatch": null
}
}
]
}
],
"timeout": "string",
"tls": {"mode": "DISABLED",
"files": {"clientCertificate": "string",
"privateKey": "string",
"caCertificates": "string"
},
"subjectAltNames": ["string"
]
}
}
}
}
],
"tlsPassthrough": [{"name": "string",
"port": 0,
"hostname": "string",
"route": {"host": "string",
"port": 0
}
}
],
"tcp": [{"name": "string",
"port": 0,
"hostname": "string",
"tls": {"mode": "DISABLED",
"secretName": "string",
"files": {"serverCertificate": "string",
"privateKey": "string",
"caCertificates": "string"
}
},
"route": {"host": "string",
"port": 0
}
}
],
"extension": [{"fqn": "string",
"config": { }
}
],
"waf": {"rules": ["string"
]
}
}

Modify the given Ingress Gateway object.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
workspace required	string Workspace name.
gatewaygroup required	string Gatewaygroup name.
ingressgateway required	string Ingressgateway name.

Request Body schema: application/json
required

description	string (A description of the resource. $hide_from_yaml)
displayName	string (User friendly name for the resource. $hide_from_yaml)
etag	string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)
	Array of objects (v2WasmExtensionAttachment) Extensions specifies all the WasmExtensions assigned to this IngressGateway with the specific configuration for each extension. This custom configuration will override the one configured globally to the extension. Each extension has a global configuration including enablement and priority that will condition the execution of the assigned extensions.
	Array of objects (v2HttpServer) One or more HTTP or HTTPS servers exposed by the gateway. The server exposes configuration for TLS termination, request authentication/authorization, HTTP routing, etc.
	Array of objects (One or more non-HTTP and non-passthrough servers which use TCP based protocols. This server also exposes configuration for terminating TLS)
	Array of objects (v2TLSPassthroughServer) One or more TLS servers exposed by the gateway. The server does not terminate TLS and exposes config for SNI based routing.
	object (WAFSettings configure WAF based on seclang See https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual-%28v3.x%29#Configuration_Directives)
required	object (v2WorkloadSelector) `WorkloadSelector` selects one or more workloads in a namespace. `WorkloadSelector` can be used in TrafficSetting, SecuritySetting, and Gateway APIs in `BRIDGED` mode to scope the configuration to a specific set of workloads.

Responses

Request samples

Payload

Content type

application/json

{"description": "string",
"displayName": "string",
"etag": "string",
"extension": [{"fqn": "string",
"config": { }
}
],
"http": [{"name": "string",
"port": 0,
"hostname": "string",
"tls": {"mode": "DISABLED",
"secretName": "string",
"files": {"serverCertificate": "string",
"privateKey": "string",
"caCertificates": "string"
}
},
"xxxOldAuthentication": {"jwt": {"issuer": "string",
"audiences": ["string"
],
"jwksUri": "string",
"jwks": "string"
}
},
"authentication": {"jwt": {"issuer": "string",
"audiences": ["string"
],
"jwksUri": "string",
"jwks": "string"
}
},
"xxxOldAuthorization": {"external": {"uri": "string",
"includeRequestHeaders": ["string"
]
},
"local": {"rules": [{"name": "string",
"from": [{"jwt": {"iss": null,
"sub": null,
"other": { }
}
}
],
"to": [{"paths": [null
],
"methods": [null
]
}
]
}
]
}
},
"authorization": {"external": {"uri": "string",
"includeRequestHeaders": ["string"
],
"tls": {"mode": "DISABLED",
"files": {"clientCertificate": "string",
"privateKey": "string",
"caCertificates": "string"
},
"subjectAltNames": ["string"
]
}
},
"local": {"rules": [{"name": "string",
"from": [{"jwt": {"iss": null,
"sub": null,
"other": { }
}
}
],
"to": [{"paths": [null
],
"methods": [null
]
}
]
}
]
}
},
"routing": {"corsPolicy": {"allowOrigin": ["string"
],
"allowMethods": ["string"
],
"allowHeaders": ["string"
],
"exposeHeaders": ["string"
],
"maxAge": "string",
"allowCredentials": true
},
"rules": [{"match": [{"uri": {"exact": "string",
"prefix": "string",
"regex": "string"
},
"headers": {"property1": {"exact": null,
"prefix": null,
"regex": null
},
"property2": {"exact": null,
"prefix": null,
"regex": null
}
}
}
],
"modify": {"rewrite": {"uri": "string",
"authority": "string"
},
"headers": {"request": {"set": {"property1": null,
"property2": null
},
"add": {"property1": null,
"property2": null
},
"remove": [null
]
},
"response": {"set": {"property1": null,
"property2": null
},
"add": {"property1": null,
"property2": null
},
"remove": [null
]
}
}
},
"route": {"host": "string",
"port": 0
},
"redirect": {"uri": "string",
"authority": "string",
"redirectCode": 0,
"port": 0,
"scheme": "string"
}
}
]
},
"rateLimiting": {"settings": {"rules": [{"dimensions": [{"remoteAddress": {"value": null
},
"header": {"name": null,
"value": null,
"dontMatch": null
}
}
],
"limit": {"requestsPerUnit": 0,
"unit": "UNKNOWN"
}
}
],
"failClosed": true,
"timeout": "string"
},
"externalService": {"domain": "string",
"failClosed": true,
"rateLimitServerUri": "string",
"rules": [{"dimensions": [{"sourceCluster": { },
"destinationCluster": { },
"remoteAddress": { },
"requestHeaders": {"headerName": null,
"descriptorKey": null
},
"headerValueMatch": {"headers": { },
"descriptorValue": null,
"dontMatch": null
}
}
]
}
],
"timeout": "string",
"tls": {"mode": "DISABLED",
"files": {"clientCertificate": "string",
"privateKey": "string",
"caCertificates": "string"
},
"subjectAltNames": ["string"
]
}
}
}
}
],
"tcp": [{"name": "string",
"port": 0,
"hostname": "string",
"tls": {"mode": "DISABLED",
"secretName": "string",
"files": {"serverCertificate": "string",
"privateKey": "string",
"caCertificates": "string"
}
},
"route": {"host": "string",
"port": 0
}
}
],
"tlsPassthrough": [{"name": "string",
"port": 0,
"hostname": "string",
"route": {"host": "string",
"port": 0
}
}
],
"waf": {"rules": ["string"
]
},
"workloadSelector": {"namespace": "string",
"labels": {"property1": "string",
"property2": "string"
}
}
}

Response samples

200
default

Content type

application/json

{"fqn": "string",
"displayName": "string",
"etag": "string",
"description": "string",
"workloadSelector": {"namespace": "string",
"labels": {"property1": "string",
"property2": "string"
}
},
"http": [{"name": "string",
"port": 0,
"hostname": "string",
"tls": {"mode": "DISABLED",
"secretName": "string",
"files": {"serverCertificate": "string",
"privateKey": "string",
"caCertificates": "string"
}
},
"xxxOldAuthentication": {"jwt": {"issuer": "string",
"audiences": ["string"
],
"jwksUri": "string",
"jwks": "string"
}
},
"authentication": {"jwt": {"issuer": "string",
"audiences": ["string"
],
"jwksUri": "string",
"jwks": "string"
}
},
"xxxOldAuthorization": {"external": {"uri": "string",
"includeRequestHeaders": ["string"
]
},
"local": {"rules": [{"name": "string",
"from": [{"jwt": {"iss": null,
"sub": null,
"other": { }
}
}
],
"to": [{"paths": [null
],
"methods": [null
]
}
]
}
]
}
},
"authorization": {"external": {"uri": "string",
"includeRequestHeaders": ["string"
],
"tls": {"mode": "DISABLED",
"files": {"clientCertificate": "string",
"privateKey": "string",
"caCertificates": "string"
},
"subjectAltNames": ["string"
]
}
},
"local": {"rules": [{"name": "string",
"from": [{"jwt": {"iss": null,
"sub": null,
"other": { }
}
}
],
"to": [{"paths": [null
],
"methods": [null
]
}
]
}
]
}
},
"routing": {"corsPolicy": {"allowOrigin": ["string"
],
"allowMethods": ["string"
],
"allowHeaders": ["string"
],
"exposeHeaders": ["string"
],
"maxAge": "string",
"allowCredentials": true
},
"rules": [{"match": [{"uri": {"exact": "string",
"prefix": "string",
"regex": "string"
},
"headers": {"property1": {"exact": null,
"prefix": null,
"regex": null
},
"property2": {"exact": null,
"prefix": null,
"regex": null
}
}
}
],
"modify": {"rewrite": {"uri": "string",
"authority": "string"
},
"headers": {"request": {"set": {"property1": null,
"property2": null
},
"add": {"property1": null,
"property2": null
},
"remove": [null
]
},
"response": {"set": {"property1": null,
"property2": null
},
"add": {"property1": null,
"property2": null
},
"remove": [null
]
}
}
},
"route": {"host": "string",
"port": 0
},
"redirect": {"uri": "string",
"authority": "string",
"redirectCode": 0,
"port": 0,
"scheme": "string"
}
}
]
},
"rateLimiting": {"settings": {"rules": [{"dimensions": [{"remoteAddress": {"value": null
},
"header": {"name": null,
"value": null,
"dontMatch": null
}
}
],
"limit": {"requestsPerUnit": 0,
"unit": "UNKNOWN"
}
}
],
"failClosed": true,
"timeout": "string"
},
"externalService": {"domain": "string",
"failClosed": true,
"rateLimitServerUri": "string",
"rules": [{"dimensions": [{"sourceCluster": { },
"destinationCluster": { },
"remoteAddress": { },
"requestHeaders": {"headerName": null,
"descriptorKey": null
},
"headerValueMatch": {"headers": { },
"descriptorValue": null,
"dontMatch": null
}
}
]
}
],
"timeout": "string",
"tls": {"mode": "DISABLED",
"files": {"clientCertificate": "string",
"privateKey": "string",
"caCertificates": "string"
},
"subjectAltNames": ["string"
]
}
}
}
}
],
"tlsPassthrough": [{"name": "string",
"port": 0,
"hostname": "string",
"route": {"host": "string",
"port": 0
}
}
],
"tcp": [{"name": "string",
"port": 0,
"hostname": "string",
"tls": {"mode": "DISABLED",
"secretName": "string",
"files": {"serverCertificate": "string",
"privateKey": "string",
"caCertificates": "string"
}
},
"route": {"host": "string",
"port": 0
}
}
],
"extension": [{"fqn": "string",
"config": { }
}
],
"waf": {"rules": ["string"
]
}
}

Delete the given Ingress Gateway object.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
workspace required	string Workspace name.
gatewaygroup required	string Gatewaygroup name.
ingressgateway required	string Ingressgateway name.

Responses

Response samples

200
default

Content type

application/json

{ }

List all Tier1 Gateway objects that have been created in the gateway group.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
workspace required	string Workspace name.
gatewaygroup required	string Gatewaygroup name.

Responses

Response samples

200
default

Content type

application/json

{"tier1Gateways": [{"fqn": "string",
"displayName": "string",
"etag": "string",
"description": "string",
"workloadSelector": {"namespace": "string",
"labels": {"property1": "string",
"property2": "string"
}
},
"externalServers": [{"name": "string",
"port": 0,
"hostname": "string",
"tls": {"mode": "DISABLED",
"secretName": "string",
"files": {"serverCertificate": "string",
"privateKey": "string",
"caCertificates": "string"
}
},
"clusters": [{"name": "string",
"labels": {"property1": "string",
"property2": "string"
},
"network": "string",
"weight": 0
}
],
"redirect": {"uri": "string",
"authority": "string",
"redirectCode": 0,
"port": 0,
"scheme": "string"
},
"authentication": {"jwt": {"issuer": "string",
"audiences": ["string"
],
"jwksUri": "string",
"jwks": "string"
}
},
"authorization": {"external": {"uri": "string",
"includeRequestHeaders": ["string"
],
"tls": {"mode": "DISABLED",
"files": {"clientCertificate": "string",
"privateKey": "string",
"caCertificates": "string"
},
"subjectAltNames": ["string"
]
}
},
"local": {"rules": [{"name": "string",
"from": [null
],
"to": [null
]
}
]
}
},
"rateLimiting": {"settings": {"rules": [{"dimensions": [null
],
"limit": {"requestsPerUnit": null,
"unit": null
}
}
],
"failClosed": true,
"timeout": "string"
},
"externalService": {"domain": "string",
"failClosed": true,
"rateLimitServerUri": "string",
"rules": [{"dimensions": [null
]
}
],
"timeout": "string",
"tls": {"mode": "DISABLED",
"files": {"clientCertificate": "string",
"privateKey": "string",
"caCertificates": "string"
},
"subjectAltNames": ["string"
]
}
}
}
}
],
"internalServers": [{"name": "string",
"hostname": "string",
"clusters": [{"name": "string",
"labels": {"property1": "string",
"property2": "string"
},
"network": "string",
"weight": 0
}
],
"authentication": {"jwt": {"issuer": "string",
"audiences": ["string"
],
"jwksUri": "string",
"jwks": "string"
}
},
"authorization": {"external": {"uri": "string",
"includeRequestHeaders": ["string"
],
"tls": {"mode": "DISABLED",
"files": {"clientCertificate": "string",
"privateKey": "string",
"caCertificates": "string"
},
"subjectAltNames": ["string"
]
}
},
"local": {"rules": [{"name": "string",
"from": [null
],
"to": [null
]
}
]
}
}
}
],
"passthroughServers": [{"name": "string",
"port": 0,
"hostname": "string",
"clusters": [{"name": "string",
"labels": {"property1": "string",
"property2": "string"
},
"network": "string",
"weight": 0
}
]
}
],
"tcpExternalServers": [{"name": "string",
"port": 0,
"hostname": "string",
"clusters": [{"name": "string",
"labels": {"property1": "string",
"property2": "string"
},
"network": "string",
"weight": 0
}
],
"tls": {"mode": "DISABLED",
"secretName": "string",
"files": {"serverCertificate": "string",
"privateKey": "string",
"caCertificates": "string"
}
}
}
],
"tcpInternalServers": [{"name": "string",
"hostname": "string",
"clusters": [{"name": "string",
"labels": {"property1": "string",
"property2": "string"
},
"network": "string",
"weight": 0
}
]
}
],
"extension": [{"fqn": "string",
"config": { }
}
],
"waf": {"rules": ["string"
]
}
}
]
}

Create a Tier1 Gateway object in the gateway group.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
workspace required	string Workspace name.
gatewaygroup required	string Gatewaygroup name.

Request Body schema: application/json
required

name required	string The short name for the resource to be created.
required	object (v2Tier1Gateway) `Tier1Gateway` configures a workload to act as a tier1 gateway into the mesh.

Responses

Request samples

Payload

Content type

application/json

{"name": "string",
"tier1Gateway": {"displayName": "string",
"etag": "string",
"description": "string",
"workloadSelector": {"namespace": "string",
"labels": {"property1": "string",
"property2": "string"
}
},
"externalServers": [{"name": "string",
"port": 0,
"hostname": "string",
"tls": {"mode": "DISABLED",
"secretName": "string",
"files": {"serverCertificate": "string",
"privateKey": "string",
"caCertificates": "string"
}
},
"clusters": [{"name": "string",
"labels": {"property1": "string",
"property2": "string"
},
"network": "string",
"weight": 0
}
],
"redirect": {"uri": "string",
"authority": "string",
"redirectCode": 0,
"port": 0,
"scheme": "string"
},
"authentication": {"jwt": {"issuer": "string",
"audiences": ["string"
],
"jwksUri": "string",
"jwks": "string"
}
},
"authorization": {"external": {"uri": "string",
"includeRequestHeaders": ["string"
],
"tls": {"mode": "DISABLED",
"files": {"clientCertificate": "string",
"privateKey": "string",
"caCertificates": "string"
},
"subjectAltNames": ["string"
]
}
},
"local": {"rules": [{"name": "string",
"from": [{"jwt": null
}
],
"to": [{"paths": [ ],
"methods": [ ]
}
]
}
]
}
},
"rateLimiting": {"settings": {"rules": [{"dimensions": [{"remoteAddress": null,
"header": null
}
],
"limit": {"requestsPerUnit": 0,
"unit": "UNKNOWN"
}
}
],
"failClosed": true,
"timeout": "string"
},
"externalService": {"domain": "string",
"failClosed": true,
"rateLimitServerUri": "string",
"rules": [{"dimensions": [{"sourceCluster": null,
"destinationCluster": null,
"remoteAddress": null,
"requestHeaders": null,
"headerValueMatch": null
}
]
}
],
"timeout": "string",
"tls": {"mode": "DISABLED",
"files": {"clientCertificate": "string",
"privateKey": "string",
"caCertificates": "string"
},
"subjectAltNames": ["string"
]
}
}
}
}
],
"internalServers": [{"name": "string",
"hostname": "string",
"clusters": [{"name": "string",
"labels": {"property1": "string",
"property2": "string"
},
"network": "string",
"weight": 0
}
],
"authentication": {"jwt": {"issuer": "string",
"audiences": ["string"
],
"jwksUri": "string",
"jwks": "string"
}
},
"authorization": {"external": {"uri": "string",
"includeRequestHeaders": ["string"
],
"tls": {"mode": "DISABLED",
"files": {"clientCertificate": "string",
"privateKey": "string",
"caCertificates": "string"
},
"subjectAltNames": ["string"
]
}
},
"local": {"rules": [{"name": "string",
"from": [{"jwt": null
}
],
"to": [{"paths": [ ],
"methods": [ ]
}
]
}
]
}
}
}
],
"passthroughServers": [{"name": "string",
"port": 0,
"hostname": "string",
"clusters": [{"name": "string",
"labels": {"property1": "string",
"property2": "string"
},
"network": "string",
"weight": 0
}
]
}
],
"tcpExternalServers": [{"name": "string",
"port": 0,
"hostname": "string",
"clusters": [{"name": "string",
"labels": {"property1": "string",
"property2": "string"
},
"network": "string",
"weight": 0
}
],
"tls": {"mode": "DISABLED",
"secretName": "string",
"files": {"serverCertificate": "string",
"privateKey": "string",
"caCertificates": "string"
}
}
}
],
"tcpInternalServers": [{"name": "string",
"hostname": "string",
"clusters": [{"name": "string",
"labels": {"property1": "string",
"property2": "string"
},
"network": "string",
"weight": 0
}
]
}
],
"extension": [{"fqn": "string",
"config": { }
}
],
"waf": {"rules": ["string"
]
}
}
}

Response samples

200
default

Content type

application/json

{"fqn": "string",
"displayName": "string",
"etag": "string",
"description": "string",
"workloadSelector": {"namespace": "string",
"labels": {"property1": "string",
"property2": "string"
}
},
"externalServers": [{"name": "string",
"port": 0,
"hostname": "string",
"tls": {"mode": "DISABLED",
"secretName": "string",
"files": {"serverCertificate": "string",
"privateKey": "string",
"caCertificates": "string"
}
},
"clusters": [{"name": "string",
"labels": {"property1": "string",
"property2": "string"
},
"network": "string",
"weight": 0
}
],
"redirect": {"uri": "string",
"authority": "string",
"redirectCode": 0,
"port": 0,
"scheme": "string"
},
"authentication": {"jwt": {"issuer": "string",
"audiences": ["string"
],
"jwksUri": "string",
"jwks": "string"
}
},
"authorization": {"external": {"uri": "string",
"includeRequestHeaders": ["string"
],
"tls": {"mode": "DISABLED",
"files": {"clientCertificate": "string",
"privateKey": "string",
"caCertificates": "string"
},
"subjectAltNames": ["string"
]
}
},
"local": {"rules": [{"name": "string",
"from": [{"jwt": {"iss": null,
"sub": null,
"other": { }
}
}
],
"to": [{"paths": [null
],
"methods": [null
]
}
]
}
]
}
},
"rateLimiting": {"settings": {"rules": [{"dimensions": [{"remoteAddress": {"value": null
},
"header": {"name": null,
"value": null,
"dontMatch": null
}
}
],
"limit": {"requestsPerUnit": 0,
"unit": "UNKNOWN"
}
}
],
"failClosed": true,
"timeout": "string"
},
"externalService": {"domain": "string",
"failClosed": true,
"rateLimitServerUri": "string",
"rules": [{"dimensions": [{"sourceCluster": { },
"destinationCluster": { },
"remoteAddress": { },
"requestHeaders": {"headerName": null,
"descriptorKey": null
},
"headerValueMatch": {"headers": { },
"descriptorValue": null,
"dontMatch": null
}
}
]
}
],
"timeout": "string",
"tls": {"mode": "DISABLED",
"files": {"clientCertificate": "string",
"privateKey": "string",
"caCertificates": "string"
},
"subjectAltNames": ["string"
]
}
}
}
}
],
"internalServers": [{"name": "string",
"hostname": "string",
"clusters": [{"name": "string",
"labels": {"property1": "string",
"property2": "string"
},
"network": "string",
"weight": 0
}
],
"authentication": {"jwt": {"issuer": "string",
"audiences": ["string"
],
"jwksUri": "string",
"jwks": "string"
}
},
"authorization": {"external": {"uri": "string",
"includeRequestHeaders": ["string"
],
"tls": {"mode": "DISABLED",
"files": {"clientCertificate": "string",
"privateKey": "string",
"caCertificates": "string"
},
"subjectAltNames": ["string"
]
}
},
"local": {"rules": [{"name": "string",
"from": [{"jwt": {"iss": null,
"sub": null,
"other": { }
}
}
],
"to": [{"paths": [null
],
"methods": [null
]
}
]
}
]
}
}
}
],
"passthroughServers": [{"name": "string",
"port": 0,
"hostname": "string",
"clusters": [{"name": "string",
"labels": {"property1": "string",
"property2": "string"
},
"network": "string",
"weight": 0
}
]
}
],
"tcpExternalServers": [{"name": "string",
"port": 0,
"hostname": "string",
"clusters": [{"name": "string",
"labels": {"property1": "string",
"property2": "string"
},
"network": "string",
"weight": 0
}
],
"tls": {"mode": "DISABLED",
"secretName": "string",
"files": {"serverCertificate": "string",
"privateKey": "string",
"caCertificates": "string"
}
}
}
],
"tcpInternalServers": [{"name": "string",
"hostname": "string",
"clusters": [{"name": "string",
"labels": {"property1": "string",
"property2": "string"
},
"network": "string",
"weight": 0
}
]
}
],
"extension": [{"fqn": "string",
"config": { }
}
],
"waf": {"rules": ["string"
]
}
}

get the details of the given Tier1 Gateway object.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
workspace required	string Workspace name.
gatewaygroup required	string Gatewaygroup name.
tier1gateway required	string Tier1gateway name.

Responses

Response samples

200
default

Content type

application/json

{"fqn": "string",
"displayName": "string",
"etag": "string",
"description": "string",
"workloadSelector": {"namespace": "string",
"labels": {"property1": "string",
"property2": "string"
}
},
"externalServers": [{"name": "string",
"port": 0,
"hostname": "string",
"tls": {"mode": "DISABLED",
"secretName": "string",
"files": {"serverCertificate": "string",
"privateKey": "string",
"caCertificates": "string"
}
},
"clusters": [{"name": "string",
"labels": {"property1": "string",
"property2": "string"
},
"network": "string",
"weight": 0
}
],
"redirect": {"uri": "string",
"authority": "string",
"redirectCode": 0,
"port": 0,
"scheme": "string"
},
"authentication": {"jwt": {"issuer": "string",
"audiences": ["string"
],
"jwksUri": "string",
"jwks": "string"
}
},
"authorization": {"external": {"uri": "string",
"includeRequestHeaders": ["string"
],
"tls": {"mode": "DISABLED",
"files": {"clientCertificate": "string",
"privateKey": "string",
"caCertificates": "string"
},
"subjectAltNames": ["string"
]
}
},
"local": {"rules": [{"name": "string",
"from": [{"jwt": {"iss": null,
"sub": null,
"other": { }
}
}
],
"to": [{"paths": [null
],
"methods": [null
]
}
]
}
]
}
},
"rateLimiting": {"settings": {"rules": [{"dimensions": [{"remoteAddress": {"value": null
},
"header": {"name": null,
"value": null,
"dontMatch": null
}
}
],
"limit": {"requestsPerUnit": 0,
"unit": "UNKNOWN"
}
}
],
"failClosed": true,
"timeout": "string"
},
"externalService": {"domain": "string",
"failClosed": true,
"rateLimitServerUri": "string",
"rules": [{"dimensions": [{"sourceCluster": { },
"destinationCluster": { },
"remoteAddress": { },
"requestHeaders": {"headerName": null,
"descriptorKey": null
},
"headerValueMatch": {"headers": { },
"descriptorValue": null,
"dontMatch": null
}
}
]
}
],
"timeout": "string",
"tls": {"mode": "DISABLED",
"files": {"clientCertificate": "string",
"privateKey": "string",
"caCertificates": "string"
},
"subjectAltNames": ["string"
]
}
}
}
}
],
"internalServers": [{"name": "string",
"hostname": "string",
"clusters": [{"name": "string",
"labels": {"property1": "string",
"property2": "string"
},
"network": "string",
"weight": 0
}
],
"authentication": {"jwt": {"issuer": "string",
"audiences": ["string"
],
"jwksUri": "string",
"jwks": "string"
}
},
"authorization": {"external": {"uri": "string",
"includeRequestHeaders": ["string"
],
"tls": {"mode": "DISABLED",
"files": {"clientCertificate": "string",
"privateKey": "string",
"caCertificates": "string"
},
"subjectAltNames": ["string"
]
}
},
"local": {"rules": [{"name": "string",
"from": [{"jwt": {"iss": null,
"sub": null,
"other": { }
}
}
],
"to": [{"paths": [null
],
"methods": [null
]
}
]
}
]
}
}
}
],
"passthroughServers": [{"name": "string",
"port": 0,
"hostname": "string",
"clusters": [{"name": "string",
"labels": {"property1": "string",
"property2": "string"
},
"network": "string",
"weight": 0
}
]
}
],
"tcpExternalServers": [{"name": "string",
"port": 0,
"hostname": "string",
"clusters": [{"name": "string",
"labels": {"property1": "string",
"property2": "string"
},
"network": "string",
"weight": 0
}
],
"tls": {"mode": "DISABLED",
"secretName": "string",
"files": {"serverCertificate": "string",
"privateKey": "string",
"caCertificates": "string"
}
}
}
],
"tcpInternalServers": [{"name": "string",
"hostname": "string",
"clusters": [{"name": "string",
"labels": {"property1": "string",
"property2": "string"
},
"network": "string",
"weight": 0
}
]
}
],
"extension": [{"fqn": "string",
"config": { }
}
],
"waf": {"rules": ["string"
]
}
}

Gateway_UpdateTier1Gateway

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
workspace required	string Workspace name.
gatewaygroup required	string Gatewaygroup name.
tier1gateway required	string Tier1gateway name.

Request Body schema: application/json
required

description	string (A description of the resource. $hide_from_yaml)
displayName	string (User friendly name for the resource. $hide_from_yaml)
etag	string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)
	Array of objects (v2WasmExtensionAttachment) Extensions specifies all the WasmExtensions assigned to this Tier1Gateway with the specific configuration for each extension. This custom configuration will override the one configured globally to the extension. Each extension has a global configuration including enablement and priority that will condition the execution of the assigned extensions.
	Array of objects (v2Tier1ExternalServer) One or more servers exposed by the gateway externally.
	Array of objects (v2Tier1InternalServer) One or more servers exposed by the gateway internally for cross cluster forwarding.
	Array of objects (v2Tier1PassthroughServer) One or more tls passthrough servers exposed by the gateway externally.
	Array of objects (v2Tier1TCPExternalServer) One or more tcp servers exposed by the gateway externally.
	Array of objects (v2Tier1TCPInternalServer) One or more tcp servers exposed by the gateway for mesh internal traffic.
	object (WAFSettings configure WAF based on seclang See https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual-%28v3.x%29#Configuration_Directives)
required	object (v2WorkloadSelector) `WorkloadSelector` selects one or more workloads in a namespace. `WorkloadSelector` can be used in TrafficSetting, SecuritySetting, and Gateway APIs in `BRIDGED` mode to scope the configuration to a specific set of workloads.

Responses

Request samples

Payload

Content type

application/json

{"description": "string",
"displayName": "string",
"etag": "string",
"extension": [{"fqn": "string",
"config": { }
}
],
"externalServers": [{"name": "string",
"port": 0,
"hostname": "string",
"tls": {"mode": "DISABLED",
"secretName": "string",
"files": {"serverCertificate": "string",
"privateKey": "string",
"caCertificates": "string"
}
},
"clusters": [{"name": "string",
"labels": {"property1": "string",
"property2": "string"
},
"network": "string",
"weight": 0
}
],
"redirect": {"uri": "string",
"authority": "string",
"redirectCode": 0,
"port": 0,
"scheme": "string"
},
"authentication": {"jwt": {"issuer": "string",
"audiences": ["string"
],
"jwksUri": "string",
"jwks": "string"
}
},
"authorization": {"external": {"uri": "string",
"includeRequestHeaders": ["string"
],
"tls": {"mode": "DISABLED",
"files": {"clientCertificate": "string",
"privateKey": "string",
"caCertificates": "string"
},
"subjectAltNames": ["string"
]
}
},
"local": {"rules": [{"name": "string",
"from": [{"jwt": {"iss": null,
"sub": null,
"other": { }
}
}
],
"to": [{"paths": [null
],
"methods": [null
]
}
]
}
]
}
},
"rateLimiting": {"settings": {"rules": [{"dimensions": [{"remoteAddress": {"value": null
},
"header": {"name": null,
"value": null,
"dontMatch": null
}
}
],
"limit": {"requestsPerUnit": 0,
"unit": "UNKNOWN"
}
}
],
"failClosed": true,
"timeout": "string"
},
"externalService": {"domain": "string",
"failClosed": true,
"rateLimitServerUri": "string",
"rules": [{"dimensions": [{"sourceCluster": { },
"destinationCluster": { },
"remoteAddress": { },
"requestHeaders": {"headerName": null,
"descriptorKey": null
},
"headerValueMatch": {"headers": { },
"descriptorValue": null,
"dontMatch": null
}
}
]
}
],
"timeout": "string",
"tls": {"mode": "DISABLED",
"files": {"clientCertificate": "string",
"privateKey": "string",
"caCertificates": "string"
},
"subjectAltNames": ["string"
]
}
}
}
}
],
"internalServers": [{"name": "string",
"hostname": "string",
"clusters": [{"name": "string",
"labels": {"property1": "string",
"property2": "string"
},
"network": "string",
"weight": 0
}
],
"authentication": {"jwt": {"issuer": "string",
"audiences": ["string"
],
"jwksUri": "string",
"jwks": "string"
}
},
"authorization": {"external": {"uri": "string",
"includeRequestHeaders": ["string"
],
"tls": {"mode": "DISABLED",
"files": {"clientCertificate": "string",
"privateKey": "string",
"caCertificates": "string"
},
"subjectAltNames": ["string"
]
}
},
"local": {"rules": [{"name": "string",
"from": [{"jwt": {"iss": null,
"sub": null,
"other": { }
}
}
],
"to": [{"paths": [null
],
"methods": [null
]
}
]
}
]
}
}
}
],
"passthroughServers": [{"name": "string",
"port": 0,
"hostname": "string",
"clusters": [{"name": "string",
"labels": {"property1": "string",
"property2": "string"
},
"network": "string",
"weight": 0
}
]
}
],
"tcpExternalServers": [{"name": "string",
"port": 0,
"hostname": "string",
"clusters": [{"name": "string",
"labels": {"property1": "string",
"property2": "string"
},
"network": "string",
"weight": 0
}
],
"tls": {"mode": "DISABLED",
"secretName": "string",
"files": {"serverCertificate": "string",
"privateKey": "string",
"caCertificates": "string"
}
}
}
],
"tcpInternalServers": [{"name": "string",
"hostname": "string",
"clusters": [{"name": "string",
"labels": {"property1": "string",
"property2": "string"
},
"network": "string",
"weight": 0
}
]
}
],
"waf": {"rules": ["string"
]
},
"workloadSelector": {"namespace": "string",
"labels": {"property1": "string",
"property2": "string"
}
}
}

Response samples

200
default

Content type

application/json

{"fqn": "string",
"displayName": "string",
"etag": "string",
"description": "string",
"workloadSelector": {"namespace": "string",
"labels": {"property1": "string",
"property2": "string"
}
},
"externalServers": [{"name": "string",
"port": 0,
"hostname": "string",
"tls": {"mode": "DISABLED",
"secretName": "string",
"files": {"serverCertificate": "string",
"privateKey": "string",
"caCertificates": "string"
}
},
"clusters": [{"name": "string",
"labels": {"property1": "string",
"property2": "string"
},
"network": "string",
"weight": 0
}
],
"redirect": {"uri": "string",
"authority": "string",
"redirectCode": 0,
"port": 0,
"scheme": "string"
},
"authentication": {"jwt": {"issuer": "string",
"audiences": ["string"
],
"jwksUri": "string",
"jwks": "string"
}
},
"authorization": {"external": {"uri": "string",
"includeRequestHeaders": ["string"
],
"tls": {"mode": "DISABLED",
"files": {"clientCertificate": "string",
"privateKey": "string",
"caCertificates": "string"
},
"subjectAltNames": ["string"
]
}
},
"local": {"rules": [{"name": "string",
"from": [{"jwt": {"iss": null,
"sub": null,
"other": { }
}
}
],
"to": [{"paths": [null
],
"methods": [null
]
}
]
}
]
}
},
"rateLimiting": {"settings": {"rules": [{"dimensions": [{"remoteAddress": {"value": null
},
"header": {"name": null,
"value": null,
"dontMatch": null
}
}
],
"limit": {"requestsPerUnit": 0,
"unit": "UNKNOWN"
}
}
],
"failClosed": true,
"timeout": "string"
},
"externalService": {"domain": "string",
"failClosed": true,
"rateLimitServerUri": "string",
"rules": [{"dimensions": [{"sourceCluster": { },
"destinationCluster": { },
"remoteAddress": { },
"requestHeaders": {"headerName": null,
"descriptorKey": null
},
"headerValueMatch": {"headers": { },
"descriptorValue": null,
"dontMatch": null
}
}
]
}
],
"timeout": "string",
"tls": {"mode": "DISABLED",
"files": {"clientCertificate": "string",
"privateKey": "string",
"caCertificates": "string"
},
"subjectAltNames": ["string"
]
}
}
}
}
],
"internalServers": [{"name": "string",
"hostname": "string",
"clusters": [{"name": "string",
"labels": {"property1": "string",
"property2": "string"
},
"network": "string",
"weight": 0
}
],
"authentication": {"jwt": {"issuer": "string",
"audiences": ["string"
],
"jwksUri": "string",
"jwks": "string"
}
},
"authorization": {"external": {"uri": "string",
"includeRequestHeaders": ["string"
],
"tls": {"mode": "DISABLED",
"files": {"clientCertificate": "string",
"privateKey": "string",
"caCertificates": "string"
},
"subjectAltNames": ["string"
]
}
},
"local": {"rules": [{"name": "string",
"from": [{"jwt": {"iss": null,
"sub": null,
"other": { }
}
}
],
"to": [{"paths": [null
],
"methods": [null
]
}
]
}
]
}
}
}
],
"passthroughServers": [{"name": "string",
"port": 0,
"hostname": "string",
"clusters": [{"name": "string",
"labels": {"property1": "string",
"property2": "string"
},
"network": "string",
"weight": 0
}
]
}
],
"tcpExternalServers": [{"name": "string",
"port": 0,
"hostname": "string",
"clusters": [{"name": "string",
"labels": {"property1": "string",
"property2": "string"
},
"network": "string",
"weight": 0
}
],
"tls": {"mode": "DISABLED",
"secretName": "string",
"files": {"serverCertificate": "string",
"privateKey": "string",
"caCertificates": "string"
}
}
}
],
"tcpInternalServers": [{"name": "string",
"hostname": "string",
"clusters": [{"name": "string",
"labels": {"property1": "string",
"property2": "string"
},
"network": "string",
"weight": 0
}
]
}
],
"extension": [{"fqn": "string",
"config": { }
}
],
"waf": {"rules": ["string"
]
}
}

Delete the given Tier1 Gateway object.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
workspace required	string Workspace name.
gatewaygroup required	string Gatewaygroup name.
tier1gateway required	string Tier1gateway name.

Responses

Response samples

200
default

Content type

application/json

{ }

IstioInternal

List all Istio internal groups in the given workspace.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
workspace required	string Workspace name.

Responses

Response samples

200
default

Content type

application/json

{"groups": [{"fqn": "string",
"displayName": "string",
"etag": "string",
"description": "string",
"namespaceSelector": {"names": ["string"
]
},
"configMode": "BRIDGED"
}
]
}

Create a new Istio internal group in the given workspace.

Groups will by default configure all the namespaces owned by their workspace, unless explicitly configured. If a specific set of namespaces is set for the group, it must be a subset of the namespaces defined by its workspace.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
workspace required	string Workspace name.

Request Body schema: application/json
required

required	object (v2Group) A gateway group manages the gateways in a group of namespaces owned by the parent workspace.
name required	string The short name for the resource to be created.

Responses

Request samples

Payload

Content type

application/json

{"group": {"displayName": "string",
"etag": "string",
"description": "string",
"namespaceSelector": {"names": ["string"
]
},
"configMode": "BRIDGED"
},
"name": "string"
}

Response samples

200
default

Content type

application/json

{"fqn": "string",
"displayName": "string",
"etag": "string",
"description": "string",
"namespaceSelector": {"names": ["string"
]
},
"configMode": "BRIDGED"
}

Get the details of the given Istio internal group.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
workspace required	string Workspace name.
istiointernalgroup required	string Istiointernalgroup name.

Responses

Response samples

200
default

Content type

application/json

{"fqn": "string",
"displayName": "string",
"etag": "string",
"description": "string",
"namespaceSelector": {"names": ["string"
]
},
"configMode": "BRIDGED"
}

Modify a Istio internal group.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
workspace required	string Workspace name.
istiointernalgroup required	string Istiointernalgroup name.

Request Body schema: application/json
required

description	string (A description of the resource. $hide_from_yaml)
displayName	string (User friendly name for the resource. $hide_from_yaml)
etag	string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)
required	object (`NamespaceSelector` selects a set of namespaces across one or more clusters in a tenant. Namespace selectors can be used at Workspace level to carve out a chunk of resources under a tenant into an isolated configuration domain. They can be used in a Traffic, Security, or a Gateway group to further scope the set of namespaces that will belong to a specific configuration group. Names in namespaces selector must be in the form `cluster/namespace` where: - cluster must be a cluster name or an `` to mean all clusters - namespace must be a namespace name, an `` to mean all namespaces or a prefix like `ns-*` to mean all those namespaces starting by `ns-`)

Responses

Request samples

Payload

Content type

application/json

{"description": "string",
"displayName": "string",
"etag": "string",
"namespaceSelector": {"names": ["string"
]
}
}

Response samples

200
default

Content type

application/json

{"fqn": "string",
"displayName": "string",
"etag": "string",
"description": "string",
"namespaceSelector": {"names": ["string"
]
},
"configMode": "BRIDGED"
}

Delete the given Istio internal group. Note that deleting resources in TSB is a recursive operation. Deleting a Istio internal group will delete all configuration objects that exist in it.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
workspace required	string Workspace name.
istiointernalgroup required	string Istiointernalgroup name.

Responses

Response samples

200
default

Content type

application/json

{ }

Metrics

List the telemetry metrics that are available for the requested telemetry source.

path Parameters

organization required	string Organization name.
cluster required	string Cluster name.
source required	string Source name.

Responses

Response samples

200
default

Content type

application/json

{"metrics": [{"fqn": "string",
"displayName": "string",
"etag": "string",
"description": "string",
"observedResource": "string",
"measure": {"name": "string",
"unit": "string"
},
"type": {"name": "INVALID_METRIC_TYPE",
"labels": [{"key": "string",
"value": "string"
}
]
},
"origin": "INVALID_METRIC_ORIGIN",
"detectionPoint": "INVALID_METRIC_DETECTION_POINT"
}
]
}

Get the details of an existing telemetry metric.

path Parameters

organization required	string Organization name.
cluster required	string Cluster name.
source required	string Source name.
metric required	string Metric name.

Responses

Response samples

200
default

Content type

application/json

{"fqn": "string",
"displayName": "string",
"etag": "string",
"description": "string",
"observedResource": "string",
"measure": {"name": "string",
"unit": "string"
},
"type": {"name": "INVALID_METRIC_TYPE",
"labels": [{"key": "string",
"value": "string"
}
]
},
"origin": "INVALID_METRIC_ORIGIN",
"detectionPoint": "INVALID_METRIC_DETECTION_POINT"
}

List the telemetry metrics that are available for the requested telemetry source.

path Parameters

organization required	string Organization name.
extension required	string Extension name.
source required	string Source name.

Responses

Response samples

200
default

Content type

application/json

{"metrics": [{"fqn": "string",
"displayName": "string",
"etag": "string",
"description": "string",
"observedResource": "string",
"measure": {"name": "string",
"unit": "string"
},
"type": {"name": "INVALID_METRIC_TYPE",
"labels": [{"key": "string",
"value": "string"
}
]
},
"origin": "INVALID_METRIC_ORIGIN",
"detectionPoint": "INVALID_METRIC_DETECTION_POINT"
}
]
}

Get the details of an existing telemetry metric.

path Parameters

organization required	string Organization name.
extension required	string Extension name.
source required	string Source name.
metric required	string Metric name.

Responses

Response samples

200
default

Content type

application/json

{"fqn": "string",
"displayName": "string",
"etag": "string",
"description": "string",
"observedResource": "string",
"measure": {"name": "string",
"unit": "string"
},
"type": {"name": "INVALID_METRIC_TYPE",
"labels": [{"key": "string",
"value": "string"
}
]
},
"origin": "INVALID_METRIC_ORIGIN",
"detectionPoint": "INVALID_METRIC_DETECTION_POINT"
}

List the telemetry metrics that are available for the requested telemetry source.

path Parameters

organization required	string Organization name.
serviceaccount required	string Serviceaccount name.
source required	string Source name.

Responses

Response samples

200
default

Content type

application/json

{"metrics": [{"fqn": "string",
"displayName": "string",
"etag": "string",
"description": "string",
"observedResource": "string",
"measure": {"name": "string",
"unit": "string"
},
"type": {"name": "INVALID_METRIC_TYPE",
"labels": [{"key": "string",
"value": "string"
}
]
},
"origin": "INVALID_METRIC_ORIGIN",
"detectionPoint": "INVALID_METRIC_DETECTION_POINT"
}
]
}

Get the details of an existing telemetry metric.

path Parameters

organization required	string Organization name.
serviceaccount required	string Serviceaccount name.
source required	string Source name.
metric required	string Metric name.

Responses

Response samples

200
default

Content type

application/json

{"fqn": "string",
"displayName": "string",
"etag": "string",
"description": "string",
"observedResource": "string",
"measure": {"name": "string",
"unit": "string"
},
"type": {"name": "INVALID_METRIC_TYPE",
"labels": [{"key": "string",
"value": "string"
}
]
},
"origin": "INVALID_METRIC_ORIGIN",
"detectionPoint": "INVALID_METRIC_DETECTION_POINT"
}

List the telemetry metrics that are available for the requested telemetry source.

path Parameters

organization required	string Organization name.
service required	string Service name.
source required	string Source name.

Responses

Response samples

200
default

Content type

application/json

{"metrics": [{"fqn": "string",
"displayName": "string",
"etag": "string",
"description": "string",
"observedResource": "string",
"measure": {"name": "string",
"unit": "string"
},
"type": {"name": "INVALID_METRIC_TYPE",
"labels": [{"key": "string",
"value": "string"
}
]
},
"origin": "INVALID_METRIC_ORIGIN",
"detectionPoint": "INVALID_METRIC_DETECTION_POINT"
}
]
}

Get the details of an existing telemetry metric.

path Parameters

organization required	string Organization name.
service required	string Service name.
source required	string Source name.
metric required	string Metric name.

Responses

Response samples

200
default

Content type

application/json

{"fqn": "string",
"displayName": "string",
"etag": "string",
"description": "string",
"observedResource": "string",
"measure": {"name": "string",
"unit": "string"
},
"type": {"name": "INVALID_METRIC_TYPE",
"labels": [{"key": "string",
"value": "string"
}
]
},
"origin": "INVALID_METRIC_ORIGIN",
"detectionPoint": "INVALID_METRIC_DETECTION_POINT"
}

List the telemetry metrics that are available for the requested telemetry source.

path Parameters

organization required	string Organization name.
setting required	string Setting name.
source required	string Source name.

Responses

Response samples

200
default

Content type

application/json

{"metrics": [{"fqn": "string",
"displayName": "string",
"etag": "string",
"description": "string",
"observedResource": "string",
"measure": {"name": "string",
"unit": "string"
},
"type": {"name": "INVALID_METRIC_TYPE",
"labels": [{"key": "string",
"value": "string"
}
]
},
"origin": "INVALID_METRIC_ORIGIN",
"detectionPoint": "INVALID_METRIC_DETECTION_POINT"
}
]
}

Get the details of an existing telemetry metric.

path Parameters

organization required	string Organization name.
setting required	string Setting name.
source required	string Source name.
metric required	string Metric name.

Responses

Response samples

200
default

Content type

application/json

{"fqn": "string",
"displayName": "string",
"etag": "string",
"description": "string",
"observedResource": "string",
"measure": {"name": "string",
"unit": "string"
},
"type": {"name": "INVALID_METRIC_TYPE",
"labels": [{"key": "string",
"value": "string"
}
]
},
"origin": "INVALID_METRIC_ORIGIN",
"detectionPoint": "INVALID_METRIC_DETECTION_POINT"
}

List the telemetry metrics that are available for the requested telemetry source.

path Parameters

organization required	string Organization name.
team required	string Team name.
source required	string Source name.

Responses

Response samples

200
default

Content type

application/json

{"metrics": [{"fqn": "string",
"displayName": "string",
"etag": "string",
"description": "string",
"observedResource": "string",
"measure": {"name": "string",
"unit": "string"
},
"type": {"name": "INVALID_METRIC_TYPE",
"labels": [{"key": "string",
"value": "string"
}
]
},
"origin": "INVALID_METRIC_ORIGIN",
"detectionPoint": "INVALID_METRIC_DETECTION_POINT"
}
]
}

Get the details of an existing telemetry metric.

path Parameters

organization required	string Organization name.
team required	string Team name.
source required	string Source name.
metric required	string Metric name.

Responses

Response samples

200
default

Content type

application/json

{"fqn": "string",
"displayName": "string",
"etag": "string",
"description": "string",
"observedResource": "string",
"measure": {"name": "string",
"unit": "string"
},
"type": {"name": "INVALID_METRIC_TYPE",
"labels": [{"key": "string",
"value": "string"
}
]
},
"origin": "INVALID_METRIC_ORIGIN",
"detectionPoint": "INVALID_METRIC_DETECTION_POINT"
}

List the telemetry metrics that are available for the requested telemetry source.

path Parameters

organization required	string Organization name.
source required	string Source name.

Responses

Response samples

200
default

Content type

application/json

{"metrics": [{"fqn": "string",
"displayName": "string",
"etag": "string",
"description": "string",
"observedResource": "string",
"measure": {"name": "string",
"unit": "string"
},
"type": {"name": "INVALID_METRIC_TYPE",
"labels": [{"key": "string",
"value": "string"
}
]
},
"origin": "INVALID_METRIC_ORIGIN",
"detectionPoint": "INVALID_METRIC_DETECTION_POINT"
}
]
}

Get the details of an existing telemetry metric.

path Parameters

organization required	string Organization name.
source required	string Source name.
metric required	string Metric name.

Responses

Response samples

200
default

Content type

application/json

{"fqn": "string",
"displayName": "string",
"etag": "string",
"description": "string",
"observedResource": "string",
"measure": {"name": "string",
"unit": "string"
},
"type": {"name": "INVALID_METRIC_TYPE",
"labels": [{"key": "string",
"value": "string"
}
]
},
"origin": "INVALID_METRIC_ORIGIN",
"detectionPoint": "INVALID_METRIC_DETECTION_POINT"
}

List the telemetry metrics that are available for the requested telemetry source.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
application required	string Application name.
api required	string Api name.
source required	string Source name.

Responses

Response samples

200
default

Content type

application/json

{"metrics": [{"fqn": "string",
"displayName": "string",
"etag": "string",
"description": "string",
"observedResource": "string",
"measure": {"name": "string",
"unit": "string"
},
"type": {"name": "INVALID_METRIC_TYPE",
"labels": [{"key": "string",
"value": "string"
}
]
},
"origin": "INVALID_METRIC_ORIGIN",
"detectionPoint": "INVALID_METRIC_DETECTION_POINT"
}
]
}

Get the details of an existing telemetry metric.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
application required	string Application name.
api required	string Api name.
source required	string Source name.
metric required	string Metric name.

Responses

Response samples

200
default

Content type

application/json

{"fqn": "string",
"displayName": "string",
"etag": "string",
"description": "string",
"observedResource": "string",
"measure": {"name": "string",
"unit": "string"
},
"type": {"name": "INVALID_METRIC_TYPE",
"labels": [{"key": "string",
"value": "string"
}
]
},
"origin": "INVALID_METRIC_ORIGIN",
"detectionPoint": "INVALID_METRIC_DETECTION_POINT"
}

List the telemetry metrics that are available for the requested telemetry source.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
application required	string Application name.
source required	string Source name.

Responses

Response samples

200
default

Content type

application/json

{"metrics": [{"fqn": "string",
"displayName": "string",
"etag": "string",
"description": "string",
"observedResource": "string",
"measure": {"name": "string",
"unit": "string"
},
"type": {"name": "INVALID_METRIC_TYPE",
"labels": [{"key": "string",
"value": "string"
}
]
},
"origin": "INVALID_METRIC_ORIGIN",
"detectionPoint": "INVALID_METRIC_DETECTION_POINT"
}
]
}

Get the details of an existing telemetry metric.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
application required	string Application name.
source required	string Source name.
metric required	string Metric name.

Responses

Response samples

200
default

Content type

application/json

{"fqn": "string",
"displayName": "string",
"etag": "string",
"description": "string",
"observedResource": "string",
"measure": {"name": "string",
"unit": "string"
},
"type": {"name": "INVALID_METRIC_TYPE",
"labels": [{"key": "string",
"value": "string"
}
]
},
"origin": "INVALID_METRIC_ORIGIN",
"detectionPoint": "INVALID_METRIC_DETECTION_POINT"
}

List the telemetry metrics that are available for the requested telemetry source.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
setting required	string Setting name.
source required	string Source name.

Responses

Response samples

200
default

Content type

application/json

{"metrics": [{"fqn": "string",
"displayName": "string",
"etag": "string",
"description": "string",
"observedResource": "string",
"measure": {"name": "string",
"unit": "string"
},
"type": {"name": "INVALID_METRIC_TYPE",
"labels": [{"key": "string",
"value": "string"
}
]
},
"origin": "INVALID_METRIC_ORIGIN",
"detectionPoint": "INVALID_METRIC_DETECTION_POINT"
}
]
}

Get the details of an existing telemetry metric.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
setting required	string Setting name.
source required	string Source name.
metric required	string Metric name.

Responses

Response samples

200
default

Content type

application/json

{"fqn": "string",
"displayName": "string",
"etag": "string",
"description": "string",
"observedResource": "string",
"measure": {"name": "string",
"unit": "string"
},
"type": {"name": "INVALID_METRIC_TYPE",
"labels": [{"key": "string",
"value": "string"
}
]
},
"origin": "INVALID_METRIC_ORIGIN",
"detectionPoint": "INVALID_METRIC_DETECTION_POINT"
}

List the telemetry metrics that are available for the requested telemetry source.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
source required	string Source name.

Responses

Response samples

200
default

Content type

application/json

{"metrics": [{"fqn": "string",
"displayName": "string",
"etag": "string",
"description": "string",
"observedResource": "string",
"measure": {"name": "string",
"unit": "string"
},
"type": {"name": "INVALID_METRIC_TYPE",
"labels": [{"key": "string",
"value": "string"
}
]
},
"origin": "INVALID_METRIC_ORIGIN",
"detectionPoint": "INVALID_METRIC_DETECTION_POINT"
}
]
}

Get the details of an existing telemetry metric.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
source required	string Source name.
metric required	string Metric name.

Responses

Response samples

200
default

Content type

application/json

{"fqn": "string",
"displayName": "string",
"etag": "string",
"description": "string",
"observedResource": "string",
"measure": {"name": "string",
"unit": "string"
},
"type": {"name": "INVALID_METRIC_TYPE",
"labels": [{"key": "string",
"value": "string"
}
]
},
"origin": "INVALID_METRIC_ORIGIN",
"detectionPoint": "INVALID_METRIC_DETECTION_POINT"
}

List the telemetry metrics that are available for the requested telemetry source.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
workspace required	string Workspace name.
gatewaygroup required	string Gatewaygroup name.
egressgateway required	string Egressgateway name.
source required	string Source name.

Responses

Response samples

200
default

Content type

application/json

{"metrics": [{"fqn": "string",
"displayName": "string",
"etag": "string",
"description": "string",
"observedResource": "string",
"measure": {"name": "string",
"unit": "string"
},
"type": {"name": "INVALID_METRIC_TYPE",
"labels": [{"key": "string",
"value": "string"
}
]
},
"origin": "INVALID_METRIC_ORIGIN",
"detectionPoint": "INVALID_METRIC_DETECTION_POINT"
}
]
}

Get the details of an existing telemetry metric.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
workspace required	string Workspace name.
gatewaygroup required	string Gatewaygroup name.
egressgateway required	string Egressgateway name.
source required	string Source name.
metric required	string Metric name.

Responses

Response samples

200
default

Content type

application/json

{"fqn": "string",
"displayName": "string",
"etag": "string",
"description": "string",
"observedResource": "string",
"measure": {"name": "string",
"unit": "string"
},
"type": {"name": "INVALID_METRIC_TYPE",
"labels": [{"key": "string",
"value": "string"
}
]
},
"origin": "INVALID_METRIC_ORIGIN",
"detectionPoint": "INVALID_METRIC_DETECTION_POINT"
}

List the telemetry metrics that are available for the requested telemetry source.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
workspace required	string Workspace name.
gatewaygroup required	string Gatewaygroup name.
ingressgateway required	string Ingressgateway name.
source required	string Source name.

Responses

Response samples

200
default

Content type

application/json

{"metrics": [{"fqn": "string",
"displayName": "string",
"etag": "string",
"description": "string",
"observedResource": "string",
"measure": {"name": "string",
"unit": "string"
},
"type": {"name": "INVALID_METRIC_TYPE",
"labels": [{"key": "string",
"value": "string"
}
]
},
"origin": "INVALID_METRIC_ORIGIN",
"detectionPoint": "INVALID_METRIC_DETECTION_POINT"
}
]
}

Get the details of an existing telemetry metric.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
workspace required	string Workspace name.
gatewaygroup required	string Gatewaygroup name.
ingressgateway required	string Ingressgateway name.
source required	string Source name.
metric required	string Metric name.

Responses

Response samples

200
default

Content type

application/json

{"fqn": "string",
"displayName": "string",
"etag": "string",
"description": "string",
"observedResource": "string",
"measure": {"name": "string",
"unit": "string"
},
"type": {"name": "INVALID_METRIC_TYPE",
"labels": [{"key": "string",
"value": "string"
}
]
},
"origin": "INVALID_METRIC_ORIGIN",
"detectionPoint": "INVALID_METRIC_DETECTION_POINT"
}

List the telemetry metrics that are available for the requested telemetry source.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
workspace required	string Workspace name.
gatewaygroup required	string Gatewaygroup name.
source required	string Source name.

Responses

Response samples

200
default

Content type

application/json

{"metrics": [{"fqn": "string",
"displayName": "string",
"etag": "string",
"description": "string",
"observedResource": "string",
"measure": {"name": "string",
"unit": "string"
},
"type": {"name": "INVALID_METRIC_TYPE",
"labels": [{"key": "string",
"value": "string"
}
]
},
"origin": "INVALID_METRIC_ORIGIN",
"detectionPoint": "INVALID_METRIC_DETECTION_POINT"
}
]
}

Get the details of an existing telemetry metric.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
workspace required	string Workspace name.
gatewaygroup required	string Gatewaygroup name.
source required	string Source name.
metric required	string Metric name.

Responses

Response samples

200
default

Content type

application/json

{"fqn": "string",
"displayName": "string",
"etag": "string",
"description": "string",
"observedResource": "string",
"measure": {"name": "string",
"unit": "string"
},
"type": {"name": "INVALID_METRIC_TYPE",
"labels": [{"key": "string",
"value": "string"
}
]
},
"origin": "INVALID_METRIC_ORIGIN",
"detectionPoint": "INVALID_METRIC_DETECTION_POINT"
}

List the telemetry metrics that are available for the requested telemetry source.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
workspace required	string Workspace name.
gatewaygroup required	string Gatewaygroup name.
tier1gateway required	string Tier1gateway name.
source required	string Source name.

Responses

Response samples

200
default

Content type

application/json

{"metrics": [{"fqn": "string",
"displayName": "string",
"etag": "string",
"description": "string",
"observedResource": "string",
"measure": {"name": "string",
"unit": "string"
},
"type": {"name": "INVALID_METRIC_TYPE",
"labels": [{"key": "string",
"value": "string"
}
]
},
"origin": "INVALID_METRIC_ORIGIN",
"detectionPoint": "INVALID_METRIC_DETECTION_POINT"
}
]
}

Get the details of an existing telemetry metric.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
workspace required	string Workspace name.
gatewaygroup required	string Gatewaygroup name.
tier1gateway required	string Tier1gateway name.
source required	string Source name.
metric required	string Metric name.

Responses

Response samples

200
default

Content type

application/json

{"fqn": "string",
"displayName": "string",
"etag": "string",
"description": "string",
"observedResource": "string",
"measure": {"name": "string",
"unit": "string"
},
"type": {"name": "INVALID_METRIC_TYPE",
"labels": [{"key": "string",
"value": "string"
}
]
},
"origin": "INVALID_METRIC_ORIGIN",
"detectionPoint": "INVALID_METRIC_DETECTION_POINT"
}

List the telemetry metrics that are available for the requested telemetry source.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
workspace required	string Workspace name.
istiointernalgroup required	string Istiointernalgroup name.
setting required	string Setting name.
source required	string Source name.

Responses

Response samples

200
default

Content type

application/json

{"metrics": [{"fqn": "string",
"displayName": "string",
"etag": "string",
"description": "string",
"observedResource": "string",
"measure": {"name": "string",
"unit": "string"
},
"type": {"name": "INVALID_METRIC_TYPE",
"labels": [{"key": "string",
"value": "string"
}
]
},
"origin": "INVALID_METRIC_ORIGIN",
"detectionPoint": "INVALID_METRIC_DETECTION_POINT"
}
]
}

Get the details of an existing telemetry metric.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
workspace required	string Workspace name.
istiointernalgroup required	string Istiointernalgroup name.
setting required	string Setting name.
source required	string Source name.
metric required	string Metric name.

Responses

Response samples

200
default

Content type

application/json

{"fqn": "string",
"displayName": "string",
"etag": "string",
"description": "string",
"observedResource": "string",
"measure": {"name": "string",
"unit": "string"
},
"type": {"name": "INVALID_METRIC_TYPE",
"labels": [{"key": "string",
"value": "string"
}
]
},
"origin": "INVALID_METRIC_ORIGIN",
"detectionPoint": "INVALID_METRIC_DETECTION_POINT"
}

List the telemetry metrics that are available for the requested telemetry source.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
workspace required	string Workspace name.
istiointernalgroup required	string Istiointernalgroup name.
source required	string Source name.

Responses

Response samples

200
default

Content type

application/json

{"metrics": [{"fqn": "string",
"displayName": "string",
"etag": "string",
"description": "string",
"observedResource": "string",
"measure": {"name": "string",
"unit": "string"
},
"type": {"name": "INVALID_METRIC_TYPE",
"labels": [{"key": "string",
"value": "string"
}
]
},
"origin": "INVALID_METRIC_ORIGIN",
"detectionPoint": "INVALID_METRIC_DETECTION_POINT"
}
]
}

Get the details of an existing telemetry metric.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
workspace required	string Workspace name.
istiointernalgroup required	string Istiointernalgroup name.
source required	string Source name.
metric required	string Metric name.

Responses

Response samples

200
default

Content type

application/json

{"fqn": "string",
"displayName": "string",
"etag": "string",
"description": "string",
"observedResource": "string",
"measure": {"name": "string",
"unit": "string"
},
"type": {"name": "INVALID_METRIC_TYPE",
"labels": [{"key": "string",
"value": "string"
}
]
},
"origin": "INVALID_METRIC_ORIGIN",
"detectionPoint": "INVALID_METRIC_DETECTION_POINT"
}

List the telemetry metrics that are available for the requested telemetry source.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
workspace required	string Workspace name.
securitygroup required	string Securitygroup name.
setting required	string Setting name.
source required	string Source name.

Responses

Response samples

200
default

Content type

application/json

{"metrics": [{"fqn": "string",
"displayName": "string",
"etag": "string",
"description": "string",
"observedResource": "string",
"measure": {"name": "string",
"unit": "string"
},
"type": {"name": "INVALID_METRIC_TYPE",
"labels": [{"key": "string",
"value": "string"
}
]
},
"origin": "INVALID_METRIC_ORIGIN",
"detectionPoint": "INVALID_METRIC_DETECTION_POINT"
}
]
}

Get the details of an existing telemetry metric.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
workspace required	string Workspace name.
securitygroup required	string Securitygroup name.
setting required	string Setting name.
source required	string Source name.
metric required	string Metric name.

Responses

Response samples

200
default

Content type

application/json

{"fqn": "string",
"displayName": "string",
"etag": "string",
"description": "string",
"observedResource": "string",
"measure": {"name": "string",
"unit": "string"
},
"type": {"name": "INVALID_METRIC_TYPE",
"labels": [{"key": "string",
"value": "string"
}
]
},
"origin": "INVALID_METRIC_ORIGIN",
"detectionPoint": "INVALID_METRIC_DETECTION_POINT"
}

List the telemetry metrics that are available for the requested telemetry source.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
workspace required	string Workspace name.
securitygroup required	string Securitygroup name.
source required	string Source name.

Responses

Response samples

200
default

Content type

application/json

{"metrics": [{"fqn": "string",
"displayName": "string",
"etag": "string",
"description": "string",
"observedResource": "string",
"measure": {"name": "string",
"unit": "string"
},
"type": {"name": "INVALID_METRIC_TYPE",
"labels": [{"key": "string",
"value": "string"
}
]
},
"origin": "INVALID_METRIC_ORIGIN",
"detectionPoint": "INVALID_METRIC_DETECTION_POINT"
}
]
}

Get the details of an existing telemetry metric.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
workspace required	string Workspace name.
securitygroup required	string Securitygroup name.
source required	string Source name.
metric required	string Metric name.

Responses

Response samples

200
default

Content type

application/json

{"fqn": "string",
"displayName": "string",
"etag": "string",
"description": "string",
"observedResource": "string",
"measure": {"name": "string",
"unit": "string"
},
"type": {"name": "INVALID_METRIC_TYPE",
"labels": [{"key": "string",
"value": "string"
}
]
},
"origin": "INVALID_METRIC_ORIGIN",
"detectionPoint": "INVALID_METRIC_DETECTION_POINT"
}

List the telemetry metrics that are available for the requested telemetry source.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
workspace required	string Workspace name.
setting required	string Setting name.
source required	string Source name.

Responses

Response samples

200
default

Content type

application/json

{"metrics": [{"fqn": "string",
"displayName": "string",
"etag": "string",
"description": "string",
"observedResource": "string",
"measure": {"name": "string",
"unit": "string"
},
"type": {"name": "INVALID_METRIC_TYPE",
"labels": [{"key": "string",
"value": "string"
}
]
},
"origin": "INVALID_METRIC_ORIGIN",
"detectionPoint": "INVALID_METRIC_DETECTION_POINT"
}
]
}

Get the details of an existing telemetry metric.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
workspace required	string Workspace name.
setting required	string Setting name.
source required	string Source name.
metric required	string Metric name.

Responses

Response samples

200
default

Content type

application/json

{"fqn": "string",
"displayName": "string",
"etag": "string",
"description": "string",
"observedResource": "string",
"measure": {"name": "string",
"unit": "string"
},
"type": {"name": "INVALID_METRIC_TYPE",
"labels": [{"key": "string",
"value": "string"
}
]
},
"origin": "INVALID_METRIC_ORIGIN",
"detectionPoint": "INVALID_METRIC_DETECTION_POINT"
}

List the telemetry metrics that are available for the requested telemetry source.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
workspace required	string Workspace name.
source required	string Source name.

Responses

Response samples

200
default

Content type

application/json

{"metrics": [{"fqn": "string",
"displayName": "string",
"etag": "string",
"description": "string",
"observedResource": "string",
"measure": {"name": "string",
"unit": "string"
},
"type": {"name": "INVALID_METRIC_TYPE",
"labels": [{"key": "string",
"value": "string"
}
]
},
"origin": "INVALID_METRIC_ORIGIN",
"detectionPoint": "INVALID_METRIC_DETECTION_POINT"
}
]
}

Get the details of an existing telemetry metric.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
workspace required	string Workspace name.
source required	string Source name.
metric required	string Metric name.

Responses

Response samples

200
default

Content type

application/json

{"fqn": "string",
"displayName": "string",
"etag": "string",
"description": "string",
"observedResource": "string",
"measure": {"name": "string",
"unit": "string"
},
"type": {"name": "INVALID_METRIC_TYPE",
"labels": [{"key": "string",
"value": "string"
}
]
},
"origin": "INVALID_METRIC_ORIGIN",
"detectionPoint": "INVALID_METRIC_DETECTION_POINT"
}

List the telemetry metrics that are available for the requested telemetry source.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
workspace required	string Workspace name.
trafficgroup required	string Trafficgroup name.
serviceroute required	string Serviceroute name.
source required	string Source name.

Responses

Response samples

200
default

Content type

application/json

{"metrics": [{"fqn": "string",
"displayName": "string",
"etag": "string",
"description": "string",
"observedResource": "string",
"measure": {"name": "string",
"unit": "string"
},
"type": {"name": "INVALID_METRIC_TYPE",
"labels": [{"key": "string",
"value": "string"
}
]
},
"origin": "INVALID_METRIC_ORIGIN",
"detectionPoint": "INVALID_METRIC_DETECTION_POINT"
}
]
}

Get the details of an existing telemetry metric.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
workspace required	string Workspace name.
trafficgroup required	string Trafficgroup name.
serviceroute required	string Serviceroute name.
source required	string Source name.
metric required	string Metric name.

Responses

Response samples

200
default

Content type

application/json

{"fqn": "string",
"displayName": "string",
"etag": "string",
"description": "string",
"observedResource": "string",
"measure": {"name": "string",
"unit": "string"
},
"type": {"name": "INVALID_METRIC_TYPE",
"labels": [{"key": "string",
"value": "string"
}
]
},
"origin": "INVALID_METRIC_ORIGIN",
"detectionPoint": "INVALID_METRIC_DETECTION_POINT"
}

List the telemetry metrics that are available for the requested telemetry source.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
workspace required	string Workspace name.
trafficgroup required	string Trafficgroup name.
setting required	string Setting name.
source required	string Source name.

Responses

Response samples

200
default

Content type

application/json

{"metrics": [{"fqn": "string",
"displayName": "string",
"etag": "string",
"description": "string",
"observedResource": "string",
"measure": {"name": "string",
"unit": "string"
},
"type": {"name": "INVALID_METRIC_TYPE",
"labels": [{"key": "string",
"value": "string"
}
]
},
"origin": "INVALID_METRIC_ORIGIN",
"detectionPoint": "INVALID_METRIC_DETECTION_POINT"
}
]
}

Get the details of an existing telemetry metric.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
workspace required	string Workspace name.
trafficgroup required	string Trafficgroup name.
setting required	string Setting name.
source required	string Source name.
metric required	string Metric name.

Responses

Response samples

200
default

Content type

application/json

{"fqn": "string",
"displayName": "string",
"etag": "string",
"description": "string",
"observedResource": "string",
"measure": {"name": "string",
"unit": "string"
},
"type": {"name": "INVALID_METRIC_TYPE",
"labels": [{"key": "string",
"value": "string"
}
]
},
"origin": "INVALID_METRIC_ORIGIN",
"detectionPoint": "INVALID_METRIC_DETECTION_POINT"
}

List the telemetry metrics that are available for the requested telemetry source.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
workspace required	string Workspace name.
trafficgroup required	string Trafficgroup name.
source required	string Source name.

Responses

Response samples

200
default

Content type

application/json

{"metrics": [{"fqn": "string",
"displayName": "string",
"etag": "string",
"description": "string",
"observedResource": "string",
"measure": {"name": "string",
"unit": "string"
},
"type": {"name": "INVALID_METRIC_TYPE",
"labels": [{"key": "string",
"value": "string"
}
]
},
"origin": "INVALID_METRIC_ORIGIN",
"detectionPoint": "INVALID_METRIC_DETECTION_POINT"
}
]
}

Get the details of an existing telemetry metric.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
workspace required	string Workspace name.
trafficgroup required	string Trafficgroup name.
source required	string Source name.
metric required	string Metric name.

Responses

Response samples

200
default

Content type

application/json

{"fqn": "string",
"displayName": "string",
"etag": "string",
"description": "string",
"observedResource": "string",
"measure": {"name": "string",
"unit": "string"
},
"type": {"name": "INVALID_METRIC_TYPE",
"labels": [{"key": "string",
"value": "string"
}
]
},
"origin": "INVALID_METRIC_ORIGIN",
"detectionPoint": "INVALID_METRIC_DETECTION_POINT"
}

List the telemetry metrics that are available for the requested telemetry source.

path Parameters

organization required	string Organization name.
user required	string User name.
source required	string Source name.

Responses

Response samples

200
default

Content type

application/json

{"metrics": [{"fqn": "string",
"displayName": "string",
"etag": "string",
"description": "string",
"observedResource": "string",
"measure": {"name": "string",
"unit": "string"
},
"type": {"name": "INVALID_METRIC_TYPE",
"labels": [{"key": "string",
"value": "string"
}
]
},
"origin": "INVALID_METRIC_ORIGIN",
"detectionPoint": "INVALID_METRIC_DETECTION_POINT"
}
]
}

Get the details of an existing telemetry metric.

path Parameters

organization required	string Organization name.
user required	string User name.
source required	string Source name.
metric required	string Metric name.

Responses

Response samples

200
default

Content type

application/json

{"fqn": "string",
"displayName": "string",
"etag": "string",
"description": "string",
"observedResource": "string",
"measure": {"name": "string",
"unit": "string"
},
"type": {"name": "INVALID_METRIC_TYPE",
"labels": [{"key": "string",
"value": "string"
}
]
},
"origin": "INVALID_METRIC_ORIGIN",
"detectionPoint": "INVALID_METRIC_DETECTION_POINT"
}

Sources

List the telemetry sources that are available for the requested parent. It will return telemetry sources that belong to the requested parent and from all its child resources.

path Parameters

organization required	string Organization name.
cluster required	string Cluster name.

query Parameters

scopeTypes	Array of strings Items Enum: "INVALID" "SERVICE" "INGRESS" "RELATION" The scope type that a telemetry source needs to match. Telemetry sources that matches any requested scope type will be returned. SERVICE: A telemetry source service based scope. INGRESS: A telemetry source ingress's hostname based scope. RELATION: A telemetry source relation based scope.
belongTos	Array of strings Which resources the telemetry sources must belong to. Telemetry sources that belongs to any requested resource will be returned.
existed.since	string <date-time> Moment in time since we retrieve Telemetry Sources.
existed.until	string <date-time> Moment in time until we retrieve Telemetry Sources.

Responses

Response samples

200
default

Content type

application/json

{"sources": [{"fqn": "string",
"displayName": "string",
"etag": "string",
"description": "string",
"belongsTo": "string",
"metricSourceKey": "string",
"type": "INVALID",
"scope": {"serviceScopes": {"scopes": [{"type": "INVALID",
"scope": {"instance": "string",
"subset": "string",
"service": "string",
"namespace": "string",
"cluster": "string"
},
"deployment": "string"
}
]
},
"ingressScopes": {"scopes": [{"type": "INVALID",
"scope": {"hostname": "string",
"ingressService": "string",
"cluster": "string"
},
"deployment": "string"
}
]
},
"relationScopes": {"scopes": [{"type": "INVALID",
"scope": {"serviceRelation": {"source": "string",
"target": "string"
}
}
}
]
}
}
}
]
}

Get the details of an existing telemetry source.

path Parameters

organization required	string Organization name.
cluster required	string Cluster name.
source required	string Source name.

Responses

Response samples

200
default

Content type

application/json

{"fqn": "string",
"displayName": "string",
"etag": "string",
"description": "string",
"belongsTo": "string",
"metricSourceKey": "string",
"type": "INVALID",
"scope": {"serviceScopes": {"scopes": [{"type": "INVALID",
"scope": {"instance": "string",
"subset": "string",
"service": "string",
"namespace": "string",
"cluster": "string"
},
"deployment": "string"
}
]
},
"ingressScopes": {"scopes": [{"type": "INVALID",
"scope": {"hostname": "string",
"ingressService": "string",
"cluster": "string"
},
"deployment": "string"
}
]
},
"relationScopes": {"scopes": [{"type": "INVALID",
"scope": {"serviceRelation": {"source": "string",
"target": "string"
}
}
}
]
}
}
}

List the telemetry sources that are available for the requested parent. It will return telemetry sources that belong to the requested parent and from all its child resources.

path Parameters

organization required	string Organization name.
extension required	string Extension name.

query Parameters

scopeTypes	Array of strings Items Enum: "INVALID" "SERVICE" "INGRESS" "RELATION" The scope type that a telemetry source needs to match. Telemetry sources that matches any requested scope type will be returned. SERVICE: A telemetry source service based scope. INGRESS: A telemetry source ingress's hostname based scope. RELATION: A telemetry source relation based scope.
belongTos	Array of strings Which resources the telemetry sources must belong to. Telemetry sources that belongs to any requested resource will be returned.
existed.since	string <date-time> Moment in time since we retrieve Telemetry Sources.
existed.until	string <date-time> Moment in time until we retrieve Telemetry Sources.

Responses

Response samples

200
default

Content type

application/json

{"sources": [{"fqn": "string",
"displayName": "string",
"etag": "string",
"description": "string",
"belongsTo": "string",
"metricSourceKey": "string",
"type": "INVALID",
"scope": {"serviceScopes": {"scopes": [{"type": "INVALID",
"scope": {"instance": "string",
"subset": "string",
"service": "string",
"namespace": "string",
"cluster": "string"
},
"deployment": "string"
}
]
},
"ingressScopes": {"scopes": [{"type": "INVALID",
"scope": {"hostname": "string",
"ingressService": "string",
"cluster": "string"
},
"deployment": "string"
}
]
},
"relationScopes": {"scopes": [{"type": "INVALID",
"scope": {"serviceRelation": {"source": "string",
"target": "string"
}
}
}
]
}
}
}
]
}

Get the details of an existing telemetry source.

path Parameters

organization required	string Organization name.
extension required	string Extension name.
source required	string Source name.

Responses

Response samples

200
default

Content type

application/json

{"fqn": "string",
"displayName": "string",
"etag": "string",
"description": "string",
"belongsTo": "string",
"metricSourceKey": "string",
"type": "INVALID",
"scope": {"serviceScopes": {"scopes": [{"type": "INVALID",
"scope": {"instance": "string",
"subset": "string",
"service": "string",
"namespace": "string",
"cluster": "string"
},
"deployment": "string"
}
]
},
"ingressScopes": {"scopes": [{"type": "INVALID",
"scope": {"hostname": "string",
"ingressService": "string",
"cluster": "string"
},
"deployment": "string"
}
]
},
"relationScopes": {"scopes": [{"type": "INVALID",
"scope": {"serviceRelation": {"source": "string",
"target": "string"
}
}
}
]
}
}
}

List the telemetry sources that are available for the requested parent. It will return telemetry sources that belong to the requested parent and from all its child resources.

path Parameters

organization required	string Organization name.
serviceaccount required	string Serviceaccount name.

query Parameters

scopeTypes	Array of strings Items Enum: "INVALID" "SERVICE" "INGRESS" "RELATION" The scope type that a telemetry source needs to match. Telemetry sources that matches any requested scope type will be returned. SERVICE: A telemetry source service based scope. INGRESS: A telemetry source ingress's hostname based scope. RELATION: A telemetry source relation based scope.
belongTos	Array of strings Which resources the telemetry sources must belong to. Telemetry sources that belongs to any requested resource will be returned.
existed.since	string <date-time> Moment in time since we retrieve Telemetry Sources.
existed.until	string <date-time> Moment in time until we retrieve Telemetry Sources.

Responses

Response samples

200
default

Content type

application/json

{"sources": [{"fqn": "string",
"displayName": "string",
"etag": "string",
"description": "string",
"belongsTo": "string",
"metricSourceKey": "string",
"type": "INVALID",
"scope": {"serviceScopes": {"scopes": [{"type": "INVALID",
"scope": {"instance": "string",
"subset": "string",
"service": "string",
"namespace": "string",
"cluster": "string"
},
"deployment": "string"
}
]
},
"ingressScopes": {"scopes": [{"type": "INVALID",
"scope": {"hostname": "string",
"ingressService": "string",
"cluster": "string"
},
"deployment": "string"
}
]
},
"relationScopes": {"scopes": [{"type": "INVALID",
"scope": {"serviceRelation": {"source": "string",
"target": "string"
}
}
}
]
}
}
}
]
}

Get the details of an existing telemetry source.

path Parameters

organization required	string Organization name.
serviceaccount required	string Serviceaccount name.
source required	string Source name.

Responses

Response samples

200
default

Content type

application/json

{"fqn": "string",
"displayName": "string",
"etag": "string",
"description": "string",
"belongsTo": "string",
"metricSourceKey": "string",
"type": "INVALID",
"scope": {"serviceScopes": {"scopes": [{"type": "INVALID",
"scope": {"instance": "string",
"subset": "string",
"service": "string",
"namespace": "string",
"cluster": "string"
},
"deployment": "string"
}
]
},
"ingressScopes": {"scopes": [{"type": "INVALID",
"scope": {"hostname": "string",
"ingressService": "string",
"cluster": "string"
},
"deployment": "string"
}
]
},
"relationScopes": {"scopes": [{"type": "INVALID",
"scope": {"serviceRelation": {"source": "string",
"target": "string"
}
}
}
]
}
}
}

List the telemetry sources that are available for the requested parent. It will return telemetry sources that belong to the requested parent and from all its child resources.

path Parameters

organization required	string Organization name.
service required	string Service name.

query Parameters

scopeTypes	Array of strings Items Enum: "INVALID" "SERVICE" "INGRESS" "RELATION" The scope type that a telemetry source needs to match. Telemetry sources that matches any requested scope type will be returned. SERVICE: A telemetry source service based scope. INGRESS: A telemetry source ingress's hostname based scope. RELATION: A telemetry source relation based scope.
belongTos	Array of strings Which resources the telemetry sources must belong to. Telemetry sources that belongs to any requested resource will be returned.
existed.since	string <date-time> Moment in time since we retrieve Telemetry Sources.
existed.until	string <date-time> Moment in time until we retrieve Telemetry Sources.

Responses

Response samples

200
default

Content type

application/json

{"sources": [{"fqn": "string",
"displayName": "string",
"etag": "string",
"description": "string",
"belongsTo": "string",
"metricSourceKey": "string",
"type": "INVALID",
"scope": {"serviceScopes": {"scopes": [{"type": "INVALID",
"scope": {"instance": "string",
"subset": "string",
"service": "string",
"namespace": "string",
"cluster": "string"
},
"deployment": "string"
}
]
},
"ingressScopes": {"scopes": [{"type": "INVALID",
"scope": {"hostname": "string",
"ingressService": "string",
"cluster": "string"
},
"deployment": "string"
}
]
},
"relationScopes": {"scopes": [{"type": "INVALID",
"scope": {"serviceRelation": {"source": "string",
"target": "string"
}
}
}
]
}
}
}
]
}

Get the details of an existing telemetry source.

path Parameters

organization required	string Organization name.
service required	string Service name.
source required	string Source name.

Responses

Response samples

200
default

Content type

application/json

{"fqn": "string",
"displayName": "string",
"etag": "string",
"description": "string",
"belongsTo": "string",
"metricSourceKey": "string",
"type": "INVALID",
"scope": {"serviceScopes": {"scopes": [{"type": "INVALID",
"scope": {"instance": "string",
"subset": "string",
"service": "string",
"namespace": "string",
"cluster": "string"
},
"deployment": "string"
}
]
},
"ingressScopes": {"scopes": [{"type": "INVALID",
"scope": {"hostname": "string",
"ingressService": "string",
"cluster": "string"
},
"deployment": "string"
}
]
},
"relationScopes": {"scopes": [{"type": "INVALID",
"scope": {"serviceRelation": {"source": "string",
"target": "string"
}
}
}
]
}
}
}

List the telemetry sources that are available for the requested parent. It will return telemetry sources that belong to the requested parent and from all its child resources.

path Parameters

organization required	string Organization name.
setting required	string Setting name.

query Parameters

scopeTypes	Array of strings Items Enum: "INVALID" "SERVICE" "INGRESS" "RELATION" The scope type that a telemetry source needs to match. Telemetry sources that matches any requested scope type will be returned. SERVICE: A telemetry source service based scope. INGRESS: A telemetry source ingress's hostname based scope. RELATION: A telemetry source relation based scope.
belongTos	Array of strings Which resources the telemetry sources must belong to. Telemetry sources that belongs to any requested resource will be returned.
existed.since	string <date-time> Moment in time since we retrieve Telemetry Sources.
existed.until	string <date-time> Moment in time until we retrieve Telemetry Sources.

Responses

Response samples

200
default

Content type

application/json

{"sources": [{"fqn": "string",
"displayName": "string",
"etag": "string",
"description": "string",
"belongsTo": "string",
"metricSourceKey": "string",
"type": "INVALID",
"scope": {"serviceScopes": {"scopes": [{"type": "INVALID",
"scope": {"instance": "string",
"subset": "string",
"service": "string",
"namespace": "string",
"cluster": "string"
},
"deployment": "string"
}
]
},
"ingressScopes": {"scopes": [{"type": "INVALID",
"scope": {"hostname": "string",
"ingressService": "string",
"cluster": "string"
},
"deployment": "string"
}
]
},
"relationScopes": {"scopes": [{"type": "INVALID",
"scope": {"serviceRelation": {"source": "string",
"target": "string"
}
}
}
]
}
}
}
]
}

Get the details of an existing telemetry source.

path Parameters

organization required	string Organization name.
setting required	string Setting name.
source required	string Source name.

Responses

Response samples

200
default

Content type

application/json

{"fqn": "string",
"displayName": "string",
"etag": "string",
"description": "string",
"belongsTo": "string",
"metricSourceKey": "string",
"type": "INVALID",
"scope": {"serviceScopes": {"scopes": [{"type": "INVALID",
"scope": {"instance": "string",
"subset": "string",
"service": "string",
"namespace": "string",
"cluster": "string"
},
"deployment": "string"
}
]
},
"ingressScopes": {"scopes": [{"type": "INVALID",
"scope": {"hostname": "string",
"ingressService": "string",
"cluster": "string"
},
"deployment": "string"
}
]
},
"relationScopes": {"scopes": [{"type": "INVALID",
"scope": {"serviceRelation": {"source": "string",
"target": "string"
}
}
}
]
}
}
}

List the telemetry sources that are available for the requested parent. It will return telemetry sources that belong to the requested parent and from all its child resources.

path Parameters

organization required	string Organization name.
team required	string Team name.

query Parameters

scopeTypes	Array of strings Items Enum: "INVALID" "SERVICE" "INGRESS" "RELATION" The scope type that a telemetry source needs to match. Telemetry sources that matches any requested scope type will be returned. SERVICE: A telemetry source service based scope. INGRESS: A telemetry source ingress's hostname based scope. RELATION: A telemetry source relation based scope.
belongTos	Array of strings Which resources the telemetry sources must belong to. Telemetry sources that belongs to any requested resource will be returned.
existed.since	string <date-time> Moment in time since we retrieve Telemetry Sources.
existed.until	string <date-time> Moment in time until we retrieve Telemetry Sources.

Responses

Response samples

200
default

Content type

application/json

{"sources": [{"fqn": "string",
"displayName": "string",
"etag": "string",
"description": "string",
"belongsTo": "string",
"metricSourceKey": "string",
"type": "INVALID",
"scope": {"serviceScopes": {"scopes": [{"type": "INVALID",
"scope": {"instance": "string",
"subset": "string",
"service": "string",
"namespace": "string",
"cluster": "string"
},
"deployment": "string"
}
]
},
"ingressScopes": {"scopes": [{"type": "INVALID",
"scope": {"hostname": "string",
"ingressService": "string",
"cluster": "string"
},
"deployment": "string"
}
]
},
"relationScopes": {"scopes": [{"type": "INVALID",
"scope": {"serviceRelation": {"source": "string",
"target": "string"
}
}
}
]
}
}
}
]
}

Get the details of an existing telemetry source.

path Parameters

organization required	string Organization name.
team required	string Team name.
source required	string Source name.

Responses

Response samples

200
default

Content type

application/json

{"fqn": "string",
"displayName": "string",
"etag": "string",
"description": "string",
"belongsTo": "string",
"metricSourceKey": "string",
"type": "INVALID",
"scope": {"serviceScopes": {"scopes": [{"type": "INVALID",
"scope": {"instance": "string",
"subset": "string",
"service": "string",
"namespace": "string",
"cluster": "string"
},
"deployment": "string"
}
]
},
"ingressScopes": {"scopes": [{"type": "INVALID",
"scope": {"hostname": "string",
"ingressService": "string",
"cluster": "string"
},
"deployment": "string"
}
]
},
"relationScopes": {"scopes": [{"type": "INVALID",
"scope": {"serviceRelation": {"source": "string",
"target": "string"
}
}
}
]
}
}
}

List the telemetry sources that are available for the requested parent. It will return telemetry sources that belong to the requested parent and from all its child resources.

path Parameters

organization

required

string

Organization name.

query Parameters

scopeTypes	Array of strings Items Enum: "INVALID" "SERVICE" "INGRESS" "RELATION" The scope type that a telemetry source needs to match. Telemetry sources that matches any requested scope type will be returned. SERVICE: A telemetry source service based scope. INGRESS: A telemetry source ingress's hostname based scope. RELATION: A telemetry source relation based scope.
belongTos	Array of strings Which resources the telemetry sources must belong to. Telemetry sources that belongs to any requested resource will be returned.
existed.since	string <date-time> Moment in time since we retrieve Telemetry Sources.
existed.until	string <date-time> Moment in time until we retrieve Telemetry Sources.

Responses

Response samples

200
default

Content type

application/json

{"sources": [{"fqn": "string",
"displayName": "string",
"etag": "string",
"description": "string",
"belongsTo": "string",
"metricSourceKey": "string",
"type": "INVALID",
"scope": {"serviceScopes": {"scopes": [{"type": "INVALID",
"scope": {"instance": "string",
"subset": "string",
"service": "string",
"namespace": "string",
"cluster": "string"
},
"deployment": "string"
}
]
},
"ingressScopes": {"scopes": [{"type": "INVALID",
"scope": {"hostname": "string",
"ingressService": "string",
"cluster": "string"
},
"deployment": "string"
}
]
},
"relationScopes": {"scopes": [{"type": "INVALID",
"scope": {"serviceRelation": {"source": "string",
"target": "string"
}
}
}
]
}
}
}
]
}

Get the details of an existing telemetry source.

path Parameters

organization required	string Organization name.
source required	string Source name.

Responses

Response samples

200
default

Content type

application/json

{"fqn": "string",
"displayName": "string",
"etag": "string",
"description": "string",
"belongsTo": "string",
"metricSourceKey": "string",
"type": "INVALID",
"scope": {"serviceScopes": {"scopes": [{"type": "INVALID",
"scope": {"instance": "string",
"subset": "string",
"service": "string",
"namespace": "string",
"cluster": "string"
},
"deployment": "string"
}
]
},
"ingressScopes": {"scopes": [{"type": "INVALID",
"scope": {"hostname": "string",
"ingressService": "string",
"cluster": "string"
},
"deployment": "string"
}
]
},
"relationScopes": {"scopes": [{"type": "INVALID",
"scope": {"serviceRelation": {"source": "string",
"target": "string"
}
}
}
]
}
}
}

List the telemetry sources that are available for the requested parent. It will return telemetry sources that belong to the requested parent and from all its child resources.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
application required	string Application name.
api required	string Api name.

query Parameters

scopeTypes	Array of strings Items Enum: "INVALID" "SERVICE" "INGRESS" "RELATION" The scope type that a telemetry source needs to match. Telemetry sources that matches any requested scope type will be returned. SERVICE: A telemetry source service based scope. INGRESS: A telemetry source ingress's hostname based scope. RELATION: A telemetry source relation based scope.
belongTos	Array of strings Which resources the telemetry sources must belong to. Telemetry sources that belongs to any requested resource will be returned.
existed.since	string <date-time> Moment in time since we retrieve Telemetry Sources.
existed.until	string <date-time> Moment in time until we retrieve Telemetry Sources.

Responses

Response samples

200
default

Content type

application/json

{"sources": [{"fqn": "string",
"displayName": "string",
"etag": "string",
"description": "string",
"belongsTo": "string",
"metricSourceKey": "string",
"type": "INVALID",
"scope": {"serviceScopes": {"scopes": [{"type": "INVALID",
"scope": {"instance": "string",
"subset": "string",
"service": "string",
"namespace": "string",
"cluster": "string"
},
"deployment": "string"
}
]
},
"ingressScopes": {"scopes": [{"type": "INVALID",
"scope": {"hostname": "string",
"ingressService": "string",
"cluster": "string"
},
"deployment": "string"
}
]
},
"relationScopes": {"scopes": [{"type": "INVALID",
"scope": {"serviceRelation": {"source": "string",
"target": "string"
}
}
}
]
}
}
}
]
}

Get the details of an existing telemetry source.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
application required	string Application name.
api required	string Api name.
source required	string Source name.

Responses

Response samples

200
default

Content type

application/json

{"fqn": "string",
"displayName": "string",
"etag": "string",
"description": "string",
"belongsTo": "string",
"metricSourceKey": "string",
"type": "INVALID",
"scope": {"serviceScopes": {"scopes": [{"type": "INVALID",
"scope": {"instance": "string",
"subset": "string",
"service": "string",
"namespace": "string",
"cluster": "string"
},
"deployment": "string"
}
]
},
"ingressScopes": {"scopes": [{"type": "INVALID",
"scope": {"hostname": "string",
"ingressService": "string",
"cluster": "string"
},
"deployment": "string"
}
]
},
"relationScopes": {"scopes": [{"type": "INVALID",
"scope": {"serviceRelation": {"source": "string",
"target": "string"
}
}
}
]
}
}
}

List the telemetry sources that are available for the requested parent. It will return telemetry sources that belong to the requested parent and from all its child resources.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
application required	string Application name.

query Parameters

scopeTypes	Array of strings Items Enum: "INVALID" "SERVICE" "INGRESS" "RELATION" The scope type that a telemetry source needs to match. Telemetry sources that matches any requested scope type will be returned. SERVICE: A telemetry source service based scope. INGRESS: A telemetry source ingress's hostname based scope. RELATION: A telemetry source relation based scope.
belongTos	Array of strings Which resources the telemetry sources must belong to. Telemetry sources that belongs to any requested resource will be returned.
existed.since	string <date-time> Moment in time since we retrieve Telemetry Sources.
existed.until	string <date-time> Moment in time until we retrieve Telemetry Sources.

Responses

Response samples

200
default

Content type

application/json

{"sources": [{"fqn": "string",
"displayName": "string",
"etag": "string",
"description": "string",
"belongsTo": "string",
"metricSourceKey": "string",
"type": "INVALID",
"scope": {"serviceScopes": {"scopes": [{"type": "INVALID",
"scope": {"instance": "string",
"subset": "string",
"service": "string",
"namespace": "string",
"cluster": "string"
},
"deployment": "string"
}
]
},
"ingressScopes": {"scopes": [{"type": "INVALID",
"scope": {"hostname": "string",
"ingressService": "string",
"cluster": "string"
},
"deployment": "string"
}
]
},
"relationScopes": {"scopes": [{"type": "INVALID",
"scope": {"serviceRelation": {"source": "string",
"target": "string"
}
}
}
]
}
}
}
]
}

Get the details of an existing telemetry source.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
application required	string Application name.
source required	string Source name.

Responses

Response samples

200
default

Content type

application/json

{"fqn": "string",
"displayName": "string",
"etag": "string",
"description": "string",
"belongsTo": "string",
"metricSourceKey": "string",
"type": "INVALID",
"scope": {"serviceScopes": {"scopes": [{"type": "INVALID",
"scope": {"instance": "string",
"subset": "string",
"service": "string",
"namespace": "string",
"cluster": "string"
},
"deployment": "string"
}
]
},
"ingressScopes": {"scopes": [{"type": "INVALID",
"scope": {"hostname": "string",
"ingressService": "string",
"cluster": "string"
},
"deployment": "string"
}
]
},
"relationScopes": {"scopes": [{"type": "INVALID",
"scope": {"serviceRelation": {"source": "string",
"target": "string"
}
}
}
]
}
}
}

List the telemetry sources that are available for the requested parent. It will return telemetry sources that belong to the requested parent and from all its child resources.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
setting required	string Setting name.

query Parameters

scopeTypes	Array of strings Items Enum: "INVALID" "SERVICE" "INGRESS" "RELATION" The scope type that a telemetry source needs to match. Telemetry sources that matches any requested scope type will be returned. SERVICE: A telemetry source service based scope. INGRESS: A telemetry source ingress's hostname based scope. RELATION: A telemetry source relation based scope.
belongTos	Array of strings Which resources the telemetry sources must belong to. Telemetry sources that belongs to any requested resource will be returned.
existed.since	string <date-time> Moment in time since we retrieve Telemetry Sources.
existed.until	string <date-time> Moment in time until we retrieve Telemetry Sources.

Responses

Response samples

200
default

Content type

application/json

{"sources": [{"fqn": "string",
"displayName": "string",
"etag": "string",
"description": "string",
"belongsTo": "string",
"metricSourceKey": "string",
"type": "INVALID",
"scope": {"serviceScopes": {"scopes": [{"type": "INVALID",
"scope": {"instance": "string",
"subset": "string",
"service": "string",
"namespace": "string",
"cluster": "string"
},
"deployment": "string"
}
]
},
"ingressScopes": {"scopes": [{"type": "INVALID",
"scope": {"hostname": "string",
"ingressService": "string",
"cluster": "string"
},
"deployment": "string"
}
]
},
"relationScopes": {"scopes": [{"type": "INVALID",
"scope": {"serviceRelation": {"source": "string",
"target": "string"
}
}
}
]
}
}
}
]
}

Get the details of an existing telemetry source.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
setting required	string Setting name.
source required	string Source name.

Responses

Response samples

200
default

Content type

application/json

{"fqn": "string",
"displayName": "string",
"etag": "string",
"description": "string",
"belongsTo": "string",
"metricSourceKey": "string",
"type": "INVALID",
"scope": {"serviceScopes": {"scopes": [{"type": "INVALID",
"scope": {"instance": "string",
"subset": "string",
"service": "string",
"namespace": "string",
"cluster": "string"
},
"deployment": "string"
}
]
},
"ingressScopes": {"scopes": [{"type": "INVALID",
"scope": {"hostname": "string",
"ingressService": "string",
"cluster": "string"
},
"deployment": "string"
}
]
},
"relationScopes": {"scopes": [{"type": "INVALID",
"scope": {"serviceRelation": {"source": "string",
"target": "string"
}
}
}
]
}
}
}

List the telemetry sources that are available for the requested parent. It will return telemetry sources that belong to the requested parent and from all its child resources.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.

query Parameters

scopeTypes	Array of strings Items Enum: "INVALID" "SERVICE" "INGRESS" "RELATION" The scope type that a telemetry source needs to match. Telemetry sources that matches any requested scope type will be returned. SERVICE: A telemetry source service based scope. INGRESS: A telemetry source ingress's hostname based scope. RELATION: A telemetry source relation based scope.
belongTos	Array of strings Which resources the telemetry sources must belong to. Telemetry sources that belongs to any requested resource will be returned.
existed.since	string <date-time> Moment in time since we retrieve Telemetry Sources.
existed.until	string <date-time> Moment in time until we retrieve Telemetry Sources.

Responses

Response samples

200
default

Content type

application/json

{"sources": [{"fqn": "string",
"displayName": "string",
"etag": "string",
"description": "string",
"belongsTo": "string",
"metricSourceKey": "string",
"type": "INVALID",
"scope": {"serviceScopes": {"scopes": [{"type": "INVALID",
"scope": {"instance": "string",
"subset": "string",
"service": "string",
"namespace": "string",
"cluster": "string"
},
"deployment": "string"
}
]
},
"ingressScopes": {"scopes": [{"type": "INVALID",
"scope": {"hostname": "string",
"ingressService": "string",
"cluster": "string"
},
"deployment": "string"
}
]
},
"relationScopes": {"scopes": [{"type": "INVALID",
"scope": {"serviceRelation": {"source": "string",
"target": "string"
}
}
}
]
}
}
}
]
}

Get the details of an existing telemetry source.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
source required	string Source name.

Responses

Response samples

200
default

Content type

application/json

{"fqn": "string",
"displayName": "string",
"etag": "string",
"description": "string",
"belongsTo": "string",
"metricSourceKey": "string",
"type": "INVALID",
"scope": {"serviceScopes": {"scopes": [{"type": "INVALID",
"scope": {"instance": "string",
"subset": "string",
"service": "string",
"namespace": "string",
"cluster": "string"
},
"deployment": "string"
}
]
},
"ingressScopes": {"scopes": [{"type": "INVALID",
"scope": {"hostname": "string",
"ingressService": "string",
"cluster": "string"
},
"deployment": "string"
}
]
},
"relationScopes": {"scopes": [{"type": "INVALID",
"scope": {"serviceRelation": {"source": "string",
"target": "string"
}
}
}
]
}
}
}

List the telemetry sources that are available for the requested parent. It will return telemetry sources that belong to the requested parent and from all its child resources.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
workspace required	string Workspace name.
gatewaygroup required	string Gatewaygroup name.
egressgateway required	string Egressgateway name.

query Parameters

scopeTypes	Array of strings Items Enum: "INVALID" "SERVICE" "INGRESS" "RELATION" The scope type that a telemetry source needs to match. Telemetry sources that matches any requested scope type will be returned. SERVICE: A telemetry source service based scope. INGRESS: A telemetry source ingress's hostname based scope. RELATION: A telemetry source relation based scope.
belongTos	Array of strings Which resources the telemetry sources must belong to. Telemetry sources that belongs to any requested resource will be returned.
existed.since	string <date-time> Moment in time since we retrieve Telemetry Sources.
existed.until	string <date-time> Moment in time until we retrieve Telemetry Sources.

Responses

Response samples

200
default

Content type

application/json

{"sources": [{"fqn": "string",
"displayName": "string",
"etag": "string",
"description": "string",
"belongsTo": "string",
"metricSourceKey": "string",
"type": "INVALID",
"scope": {"serviceScopes": {"scopes": [{"type": "INVALID",
"scope": {"instance": "string",
"subset": "string",
"service": "string",
"namespace": "string",
"cluster": "string"
},
"deployment": "string"
}
]
},
"ingressScopes": {"scopes": [{"type": "INVALID",
"scope": {"hostname": "string",
"ingressService": "string",
"cluster": "string"
},
"deployment": "string"
}
]
},
"relationScopes": {"scopes": [{"type": "INVALID",
"scope": {"serviceRelation": {"source": "string",
"target": "string"
}
}
}
]
}
}
}
]
}

Get the details of an existing telemetry source.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
workspace required	string Workspace name.
gatewaygroup required	string Gatewaygroup name.
egressgateway required	string Egressgateway name.
source required	string Source name.

Responses

Response samples

200
default

Content type

application/json

{"fqn": "string",
"displayName": "string",
"etag": "string",
"description": "string",
"belongsTo": "string",
"metricSourceKey": "string",
"type": "INVALID",
"scope": {"serviceScopes": {"scopes": [{"type": "INVALID",
"scope": {"instance": "string",
"subset": "string",
"service": "string",
"namespace": "string",
"cluster": "string"
},
"deployment": "string"
}
]
},
"ingressScopes": {"scopes": [{"type": "INVALID",
"scope": {"hostname": "string",
"ingressService": "string",
"cluster": "string"
},
"deployment": "string"
}
]
},
"relationScopes": {"scopes": [{"type": "INVALID",
"scope": {"serviceRelation": {"source": "string",
"target": "string"
}
}
}
]
}
}
}

List the telemetry sources that are available for the requested parent. It will return telemetry sources that belong to the requested parent and from all its child resources.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
workspace required	string Workspace name.
gatewaygroup required	string Gatewaygroup name.
ingressgateway required	string Ingressgateway name.

query Parameters

scopeTypes	Array of strings Items Enum: "INVALID" "SERVICE" "INGRESS" "RELATION" The scope type that a telemetry source needs to match. Telemetry sources that matches any requested scope type will be returned. SERVICE: A telemetry source service based scope. INGRESS: A telemetry source ingress's hostname based scope. RELATION: A telemetry source relation based scope.
belongTos	Array of strings Which resources the telemetry sources must belong to. Telemetry sources that belongs to any requested resource will be returned.
existed.since	string <date-time> Moment in time since we retrieve Telemetry Sources.
existed.until	string <date-time> Moment in time until we retrieve Telemetry Sources.

Responses

Response samples

200
default

Content type

application/json

{"sources": [{"fqn": "string",
"displayName": "string",
"etag": "string",
"description": "string",
"belongsTo": "string",
"metricSourceKey": "string",
"type": "INVALID",
"scope": {"serviceScopes": {"scopes": [{"type": "INVALID",
"scope": {"instance": "string",
"subset": "string",
"service": "string",
"namespace": "string",
"cluster": "string"
},
"deployment": "string"
}
]
},
"ingressScopes": {"scopes": [{"type": "INVALID",
"scope": {"hostname": "string",
"ingressService": "string",
"cluster": "string"
},
"deployment": "string"
}
]
},
"relationScopes": {"scopes": [{"type": "INVALID",
"scope": {"serviceRelation": {"source": "string",
"target": "string"
}
}
}
]
}
}
}
]
}

Get the details of an existing telemetry source.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
workspace required	string Workspace name.
gatewaygroup required	string Gatewaygroup name.
ingressgateway required	string Ingressgateway name.
source required	string Source name.

Responses

Response samples

200
default

Content type

application/json

{"fqn": "string",
"displayName": "string",
"etag": "string",
"description": "string",
"belongsTo": "string",
"metricSourceKey": "string",
"type": "INVALID",
"scope": {"serviceScopes": {"scopes": [{"type": "INVALID",
"scope": {"instance": "string",
"subset": "string",
"service": "string",
"namespace": "string",
"cluster": "string"
},
"deployment": "string"
}
]
},
"ingressScopes": {"scopes": [{"type": "INVALID",
"scope": {"hostname": "string",
"ingressService": "string",
"cluster": "string"
},
"deployment": "string"
}
]
},
"relationScopes": {"scopes": [{"type": "INVALID",
"scope": {"serviceRelation": {"source": "string",
"target": "string"
}
}
}
]
}
}
}

List the telemetry sources that are available for the requested parent. It will return telemetry sources that belong to the requested parent and from all its child resources.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
workspace required	string Workspace name.
gatewaygroup required	string Gatewaygroup name.

query Parameters

scopeTypes	Array of strings Items Enum: "INVALID" "SERVICE" "INGRESS" "RELATION" The scope type that a telemetry source needs to match. Telemetry sources that matches any requested scope type will be returned. SERVICE: A telemetry source service based scope. INGRESS: A telemetry source ingress's hostname based scope. RELATION: A telemetry source relation based scope.
belongTos	Array of strings Which resources the telemetry sources must belong to. Telemetry sources that belongs to any requested resource will be returned.
existed.since	string <date-time> Moment in time since we retrieve Telemetry Sources.
existed.until	string <date-time> Moment in time until we retrieve Telemetry Sources.

Responses

Response samples

200
default

Content type

application/json

{"sources": [{"fqn": "string",
"displayName": "string",
"etag": "string",
"description": "string",
"belongsTo": "string",
"metricSourceKey": "string",
"type": "INVALID",
"scope": {"serviceScopes": {"scopes": [{"type": "INVALID",
"scope": {"instance": "string",
"subset": "string",
"service": "string",
"namespace": "string",
"cluster": "string"
},
"deployment": "string"
}
]
},
"ingressScopes": {"scopes": [{"type": "INVALID",
"scope": {"hostname": "string",
"ingressService": "string",
"cluster": "string"
},
"deployment": "string"
}
]
},
"relationScopes": {"scopes": [{"type": "INVALID",
"scope": {"serviceRelation": {"source": "string",
"target": "string"
}
}
}
]
}
}
}
]
}

Get the details of an existing telemetry source.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
workspace required	string Workspace name.
gatewaygroup required	string Gatewaygroup name.
source required	string Source name.

Responses

Response samples

200
default

Content type

application/json

{"fqn": "string",
"displayName": "string",
"etag": "string",
"description": "string",
"belongsTo": "string",
"metricSourceKey": "string",
"type": "INVALID",
"scope": {"serviceScopes": {"scopes": [{"type": "INVALID",
"scope": {"instance": "string",
"subset": "string",
"service": "string",
"namespace": "string",
"cluster": "string"
},
"deployment": "string"
}
]
},
"ingressScopes": {"scopes": [{"type": "INVALID",
"scope": {"hostname": "string",
"ingressService": "string",
"cluster": "string"
},
"deployment": "string"
}
]
},
"relationScopes": {"scopes": [{"type": "INVALID",
"scope": {"serviceRelation": {"source": "string",
"target": "string"
}
}
}
]
}
}
}

List the telemetry sources that are available for the requested parent. It will return telemetry sources that belong to the requested parent and from all its child resources.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
workspace required	string Workspace name.
gatewaygroup required	string Gatewaygroup name.
tier1gateway required	string Tier1gateway name.

query Parameters

scopeTypes	Array of strings Items Enum: "INVALID" "SERVICE" "INGRESS" "RELATION" The scope type that a telemetry source needs to match. Telemetry sources that matches any requested scope type will be returned. SERVICE: A telemetry source service based scope. INGRESS: A telemetry source ingress's hostname based scope. RELATION: A telemetry source relation based scope.
belongTos	Array of strings Which resources the telemetry sources must belong to. Telemetry sources that belongs to any requested resource will be returned.
existed.since	string <date-time> Moment in time since we retrieve Telemetry Sources.
existed.until	string <date-time> Moment in time until we retrieve Telemetry Sources.

Responses

Response samples

200
default

Content type

application/json

{"sources": [{"fqn": "string",
"displayName": "string",
"etag": "string",
"description": "string",
"belongsTo": "string",
"metricSourceKey": "string",
"type": "INVALID",
"scope": {"serviceScopes": {"scopes": [{"type": "INVALID",
"scope": {"instance": "string",
"subset": "string",
"service": "string",
"namespace": "string",
"cluster": "string"
},
"deployment": "string"
}
]
},
"ingressScopes": {"scopes": [{"type": "INVALID",
"scope": {"hostname": "string",
"ingressService": "string",
"cluster": "string"
},
"deployment": "string"
}
]
},
"relationScopes": {"scopes": [{"type": "INVALID",
"scope": {"serviceRelation": {"source": "string",
"target": "string"
}
}
}
]
}
}
}
]
}

Get the details of an existing telemetry source.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
workspace required	string Workspace name.
gatewaygroup required	string Gatewaygroup name.
tier1gateway required	string Tier1gateway name.
source required	string Source name.

Responses

Response samples

200
default

Content type

application/json

{"fqn": "string",
"displayName": "string",
"etag": "string",
"description": "string",
"belongsTo": "string",
"metricSourceKey": "string",
"type": "INVALID",
"scope": {"serviceScopes": {"scopes": [{"type": "INVALID",
"scope": {"instance": "string",
"subset": "string",
"service": "string",
"namespace": "string",
"cluster": "string"
},
"deployment": "string"
}
]
},
"ingressScopes": {"scopes": [{"type": "INVALID",
"scope": {"hostname": "string",
"ingressService": "string",
"cluster": "string"
},
"deployment": "string"
}
]
},
"relationScopes": {"scopes": [{"type": "INVALID",
"scope": {"serviceRelation": {"source": "string",
"target": "string"
}
}
}
]
}
}
}

List the telemetry sources that are available for the requested parent. It will return telemetry sources that belong to the requested parent and from all its child resources.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
workspace required	string Workspace name.
istiointernalgroup required	string Istiointernalgroup name.
setting required	string Setting name.

query Parameters

scopeTypes	Array of strings Items Enum: "INVALID" "SERVICE" "INGRESS" "RELATION" The scope type that a telemetry source needs to match. Telemetry sources that matches any requested scope type will be returned. SERVICE: A telemetry source service based scope. INGRESS: A telemetry source ingress's hostname based scope. RELATION: A telemetry source relation based scope.
belongTos	Array of strings Which resources the telemetry sources must belong to. Telemetry sources that belongs to any requested resource will be returned.
existed.since	string <date-time> Moment in time since we retrieve Telemetry Sources.
existed.until	string <date-time> Moment in time until we retrieve Telemetry Sources.

Responses

Response samples

200
default

Content type

application/json

{"sources": [{"fqn": "string",
"displayName": "string",
"etag": "string",
"description": "string",
"belongsTo": "string",
"metricSourceKey": "string",
"type": "INVALID",
"scope": {"serviceScopes": {"scopes": [{"type": "INVALID",
"scope": {"instance": "string",
"subset": "string",
"service": "string",
"namespace": "string",
"cluster": "string"
},
"deployment": "string"
}
]
},
"ingressScopes": {"scopes": [{"type": "INVALID",
"scope": {"hostname": "string",
"ingressService": "string",
"cluster": "string"
},
"deployment": "string"
}
]
},
"relationScopes": {"scopes": [{"type": "INVALID",
"scope": {"serviceRelation": {"source": "string",
"target": "string"
}
}
}
]
}
}
}
]
}

Get the details of an existing telemetry source.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
workspace required	string Workspace name.
istiointernalgroup required	string Istiointernalgroup name.
setting required	string Setting name.
source required	string Source name.

Responses

Response samples

200
default

Content type

application/json

{"fqn": "string",
"displayName": "string",
"etag": "string",
"description": "string",
"belongsTo": "string",
"metricSourceKey": "string",
"type": "INVALID",
"scope": {"serviceScopes": {"scopes": [{"type": "INVALID",
"scope": {"instance": "string",
"subset": "string",
"service": "string",
"namespace": "string",
"cluster": "string"
},
"deployment": "string"
}
]
},
"ingressScopes": {"scopes": [{"type": "INVALID",
"scope": {"hostname": "string",
"ingressService": "string",
"cluster": "string"
},
"deployment": "string"
}
]
},
"relationScopes": {"scopes": [{"type": "INVALID",
"scope": {"serviceRelation": {"source": "string",
"target": "string"
}
}
}
]
}
}
}

List the telemetry sources that are available for the requested parent. It will return telemetry sources that belong to the requested parent and from all its child resources.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
workspace required	string Workspace name.
istiointernalgroup required	string Istiointernalgroup name.

query Parameters

scopeTypes	Array of strings Items Enum: "INVALID" "SERVICE" "INGRESS" "RELATION" The scope type that a telemetry source needs to match. Telemetry sources that matches any requested scope type will be returned. SERVICE: A telemetry source service based scope. INGRESS: A telemetry source ingress's hostname based scope. RELATION: A telemetry source relation based scope.
belongTos	Array of strings Which resources the telemetry sources must belong to. Telemetry sources that belongs to any requested resource will be returned.
existed.since	string <date-time> Moment in time since we retrieve Telemetry Sources.
existed.until	string <date-time> Moment in time until we retrieve Telemetry Sources.

Responses

Response samples

200
default

Content type

application/json

{"sources": [{"fqn": "string",
"displayName": "string",
"etag": "string",
"description": "string",
"belongsTo": "string",
"metricSourceKey": "string",
"type": "INVALID",
"scope": {"serviceScopes": {"scopes": [{"type": "INVALID",
"scope": {"instance": "string",
"subset": "string",
"service": "string",
"namespace": "string",
"cluster": "string"
},
"deployment": "string"
}
]
},
"ingressScopes": {"scopes": [{"type": "INVALID",
"scope": {"hostname": "string",
"ingressService": "string",
"cluster": "string"
},
"deployment": "string"
}
]
},
"relationScopes": {"scopes": [{"type": "INVALID",
"scope": {"serviceRelation": {"source": "string",
"target": "string"
}
}
}
]
}
}
}
]
}

Get the details of an existing telemetry source.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
workspace required	string Workspace name.
istiointernalgroup required	string Istiointernalgroup name.
source required	string Source name.

Responses

Response samples

200
default

Content type

application/json

{"fqn": "string",
"displayName": "string",
"etag": "string",
"description": "string",
"belongsTo": "string",
"metricSourceKey": "string",
"type": "INVALID",
"scope": {"serviceScopes": {"scopes": [{"type": "INVALID",
"scope": {"instance": "string",
"subset": "string",
"service": "string",
"namespace": "string",
"cluster": "string"
},
"deployment": "string"
}
]
},
"ingressScopes": {"scopes": [{"type": "INVALID",
"scope": {"hostname": "string",
"ingressService": "string",
"cluster": "string"
},
"deployment": "string"
}
]
},
"relationScopes": {"scopes": [{"type": "INVALID",
"scope": {"serviceRelation": {"source": "string",
"target": "string"
}
}
}
]
}
}
}

List the telemetry sources that are available for the requested parent. It will return telemetry sources that belong to the requested parent and from all its child resources.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
workspace required	string Workspace name.
securitygroup required	string Securitygroup name.
setting required	string Setting name.

query Parameters

scopeTypes	Array of strings Items Enum: "INVALID" "SERVICE" "INGRESS" "RELATION" The scope type that a telemetry source needs to match. Telemetry sources that matches any requested scope type will be returned. SERVICE: A telemetry source service based scope. INGRESS: A telemetry source ingress's hostname based scope. RELATION: A telemetry source relation based scope.
belongTos	Array of strings Which resources the telemetry sources must belong to. Telemetry sources that belongs to any requested resource will be returned.
existed.since	string <date-time> Moment in time since we retrieve Telemetry Sources.
existed.until	string <date-time> Moment in time until we retrieve Telemetry Sources.

Responses

Response samples

200
default

Content type

application/json

{"sources": [{"fqn": "string",
"displayName": "string",
"etag": "string",
"description": "string",
"belongsTo": "string",
"metricSourceKey": "string",
"type": "INVALID",
"scope": {"serviceScopes": {"scopes": [{"type": "INVALID",
"scope": {"instance": "string",
"subset": "string",
"service": "string",
"namespace": "string",
"cluster": "string"
},
"deployment": "string"
}
]
},
"ingressScopes": {"scopes": [{"type": "INVALID",
"scope": {"hostname": "string",
"ingressService": "string",
"cluster": "string"
},
"deployment": "string"
}
]
},
"relationScopes": {"scopes": [{"type": "INVALID",
"scope": {"serviceRelation": {"source": "string",
"target": "string"
}
}
}
]
}
}
}
]
}

Get the details of an existing telemetry source.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
workspace required	string Workspace name.
securitygroup required	string Securitygroup name.
setting required	string Setting name.
source required	string Source name.

Responses

Response samples

200
default

Content type

application/json

{"fqn": "string",
"displayName": "string",
"etag": "string",
"description": "string",
"belongsTo": "string",
"metricSourceKey": "string",
"type": "INVALID",
"scope": {"serviceScopes": {"scopes": [{"type": "INVALID",
"scope": {"instance": "string",
"subset": "string",
"service": "string",
"namespace": "string",
"cluster": "string"
},
"deployment": "string"
}
]
},
"ingressScopes": {"scopes": [{"type": "INVALID",
"scope": {"hostname": "string",
"ingressService": "string",
"cluster": "string"
},
"deployment": "string"
}
]
},
"relationScopes": {"scopes": [{"type": "INVALID",
"scope": {"serviceRelation": {"source": "string",
"target": "string"
}
}
}
]
}
}
}

List the telemetry sources that are available for the requested parent. It will return telemetry sources that belong to the requested parent and from all its child resources.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
workspace required	string Workspace name.
securitygroup required	string Securitygroup name.

query Parameters

scopeTypes	Array of strings Items Enum: "INVALID" "SERVICE" "INGRESS" "RELATION" The scope type that a telemetry source needs to match. Telemetry sources that matches any requested scope type will be returned. SERVICE: A telemetry source service based scope. INGRESS: A telemetry source ingress's hostname based scope. RELATION: A telemetry source relation based scope.
belongTos	Array of strings Which resources the telemetry sources must belong to. Telemetry sources that belongs to any requested resource will be returned.
existed.since	string <date-time> Moment in time since we retrieve Telemetry Sources.
existed.until	string <date-time> Moment in time until we retrieve Telemetry Sources.

Responses

Response samples

200
default

Content type

application/json

{"sources": [{"fqn": "string",
"displayName": "string",
"etag": "string",
"description": "string",
"belongsTo": "string",
"metricSourceKey": "string",
"type": "INVALID",
"scope": {"serviceScopes": {"scopes": [{"type": "INVALID",
"scope": {"instance": "string",
"subset": "string",
"service": "string",
"namespace": "string",
"cluster": "string"
},
"deployment": "string"
}
]
},
"ingressScopes": {"scopes": [{"type": "INVALID",
"scope": {"hostname": "string",
"ingressService": "string",
"cluster": "string"
},
"deployment": "string"
}
]
},
"relationScopes": {"scopes": [{"type": "INVALID",
"scope": {"serviceRelation": {"source": "string",
"target": "string"
}
}
}
]
}
}
}
]
}

Get the details of an existing telemetry source.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
workspace required	string Workspace name.
securitygroup required	string Securitygroup name.
source required	string Source name.

Responses

Response samples

200
default

Content type

application/json

{"fqn": "string",
"displayName": "string",
"etag": "string",
"description": "string",
"belongsTo": "string",
"metricSourceKey": "string",
"type": "INVALID",
"scope": {"serviceScopes": {"scopes": [{"type": "INVALID",
"scope": {"instance": "string",
"subset": "string",
"service": "string",
"namespace": "string",
"cluster": "string"
},
"deployment": "string"
}
]
},
"ingressScopes": {"scopes": [{"type": "INVALID",
"scope": {"hostname": "string",
"ingressService": "string",
"cluster": "string"
},
"deployment": "string"
}
]
},
"relationScopes": {"scopes": [{"type": "INVALID",
"scope": {"serviceRelation": {"source": "string",
"target": "string"
}
}
}
]
}
}
}

List the telemetry sources that are available for the requested parent. It will return telemetry sources that belong to the requested parent and from all its child resources.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
workspace required	string Workspace name.
setting required	string Setting name.

query Parameters

scopeTypes	Array of strings Items Enum: "INVALID" "SERVICE" "INGRESS" "RELATION" The scope type that a telemetry source needs to match. Telemetry sources that matches any requested scope type will be returned. SERVICE: A telemetry source service based scope. INGRESS: A telemetry source ingress's hostname based scope. RELATION: A telemetry source relation based scope.
belongTos	Array of strings Which resources the telemetry sources must belong to. Telemetry sources that belongs to any requested resource will be returned.
existed.since	string <date-time> Moment in time since we retrieve Telemetry Sources.
existed.until	string <date-time> Moment in time until we retrieve Telemetry Sources.

Responses

Response samples

200
default

Content type

application/json

{"sources": [{"fqn": "string",
"displayName": "string",
"etag": "string",
"description": "string",
"belongsTo": "string",
"metricSourceKey": "string",
"type": "INVALID",
"scope": {"serviceScopes": {"scopes": [{"type": "INVALID",
"scope": {"instance": "string",
"subset": "string",
"service": "string",
"namespace": "string",
"cluster": "string"
},
"deployment": "string"
}
]
},
"ingressScopes": {"scopes": [{"type": "INVALID",
"scope": {"hostname": "string",
"ingressService": "string",
"cluster": "string"
},
"deployment": "string"
}
]
},
"relationScopes": {"scopes": [{"type": "INVALID",
"scope": {"serviceRelation": {"source": "string",
"target": "string"
}
}
}
]
}
}
}
]
}

Get the details of an existing telemetry source.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
workspace required	string Workspace name.
setting required	string Setting name.
source required	string Source name.

Responses

Response samples

200
default

Content type

application/json

{"fqn": "string",
"displayName": "string",
"etag": "string",
"description": "string",
"belongsTo": "string",
"metricSourceKey": "string",
"type": "INVALID",
"scope": {"serviceScopes": {"scopes": [{"type": "INVALID",
"scope": {"instance": "string",
"subset": "string",
"service": "string",
"namespace": "string",
"cluster": "string"
},
"deployment": "string"
}
]
},
"ingressScopes": {"scopes": [{"type": "INVALID",
"scope": {"hostname": "string",
"ingressService": "string",
"cluster": "string"
},
"deployment": "string"
}
]
},
"relationScopes": {"scopes": [{"type": "INVALID",
"scope": {"serviceRelation": {"source": "string",
"target": "string"
}
}
}
]
}
}
}

List the telemetry sources that are available for the requested parent. It will return telemetry sources that belong to the requested parent and from all its child resources.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
workspace required	string Workspace name.

query Parameters

scopeTypes	Array of strings Items Enum: "INVALID" "SERVICE" "INGRESS" "RELATION" The scope type that a telemetry source needs to match. Telemetry sources that matches any requested scope type will be returned. SERVICE: A telemetry source service based scope. INGRESS: A telemetry source ingress's hostname based scope. RELATION: A telemetry source relation based scope.
belongTos	Array of strings Which resources the telemetry sources must belong to. Telemetry sources that belongs to any requested resource will be returned.
existed.since	string <date-time> Moment in time since we retrieve Telemetry Sources.
existed.until	string <date-time> Moment in time until we retrieve Telemetry Sources.

Responses

Response samples

200
default

Content type

application/json

{"sources": [{"fqn": "string",
"displayName": "string",
"etag": "string",
"description": "string",
"belongsTo": "string",
"metricSourceKey": "string",
"type": "INVALID",
"scope": {"serviceScopes": {"scopes": [{"type": "INVALID",
"scope": {"instance": "string",
"subset": "string",
"service": "string",
"namespace": "string",
"cluster": "string"
},
"deployment": "string"
}
]
},
"ingressScopes": {"scopes": [{"type": "INVALID",
"scope": {"hostname": "string",
"ingressService": "string",
"cluster": "string"
},
"deployment": "string"
}
]
},
"relationScopes": {"scopes": [{"type": "INVALID",
"scope": {"serviceRelation": {"source": "string",
"target": "string"
}
}
}
]
}
}
}
]
}

Get the details of an existing telemetry source.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
workspace required	string Workspace name.
source required	string Source name.

Responses

Response samples

200
default

Content type

application/json

{"fqn": "string",
"displayName": "string",
"etag": "string",
"description": "string",
"belongsTo": "string",
"metricSourceKey": "string",
"type": "INVALID",
"scope": {"serviceScopes": {"scopes": [{"type": "INVALID",
"scope": {"instance": "string",
"subset": "string",
"service": "string",
"namespace": "string",
"cluster": "string"
},
"deployment": "string"
}
]
},
"ingressScopes": {"scopes": [{"type": "INVALID",
"scope": {"hostname": "string",
"ingressService": "string",
"cluster": "string"
},
"deployment": "string"
}
]
},
"relationScopes": {"scopes": [{"type": "INVALID",
"scope": {"serviceRelation": {"source": "string",
"target": "string"
}
}
}
]
}
}
}

List the telemetry sources that are available for the requested parent. It will return telemetry sources that belong to the requested parent and from all its child resources.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
workspace required	string Workspace name.
trafficgroup required	string Trafficgroup name.
serviceroute required	string Serviceroute name.

query Parameters

scopeTypes	Array of strings Items Enum: "INVALID" "SERVICE" "INGRESS" "RELATION" The scope type that a telemetry source needs to match. Telemetry sources that matches any requested scope type will be returned. SERVICE: A telemetry source service based scope. INGRESS: A telemetry source ingress's hostname based scope. RELATION: A telemetry source relation based scope.
belongTos	Array of strings Which resources the telemetry sources must belong to. Telemetry sources that belongs to any requested resource will be returned.
existed.since	string <date-time> Moment in time since we retrieve Telemetry Sources.
existed.until	string <date-time> Moment in time until we retrieve Telemetry Sources.

Responses

Response samples

200
default

Content type

application/json

{"sources": [{"fqn": "string",
"displayName": "string",
"etag": "string",
"description": "string",
"belongsTo": "string",
"metricSourceKey": "string",
"type": "INVALID",
"scope": {"serviceScopes": {"scopes": [{"type": "INVALID",
"scope": {"instance": "string",
"subset": "string",
"service": "string",
"namespace": "string",
"cluster": "string"
},
"deployment": "string"
}
]
},
"ingressScopes": {"scopes": [{"type": "INVALID",
"scope": {"hostname": "string",
"ingressService": "string",
"cluster": "string"
},
"deployment": "string"
}
]
},
"relationScopes": {"scopes": [{"type": "INVALID",
"scope": {"serviceRelation": {"source": "string",
"target": "string"
}
}
}
]
}
}
}
]
}

Get the details of an existing telemetry source.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
workspace required	string Workspace name.
trafficgroup required	string Trafficgroup name.
serviceroute required	string Serviceroute name.
source required	string Source name.

Responses

Response samples

200
default

Content type

application/json

{"fqn": "string",
"displayName": "string",
"etag": "string",
"description": "string",
"belongsTo": "string",
"metricSourceKey": "string",
"type": "INVALID",
"scope": {"serviceScopes": {"scopes": [{"type": "INVALID",
"scope": {"instance": "string",
"subset": "string",
"service": "string",
"namespace": "string",
"cluster": "string"
},
"deployment": "string"
}
]
},
"ingressScopes": {"scopes": [{"type": "INVALID",
"scope": {"hostname": "string",
"ingressService": "string",
"cluster": "string"
},
"deployment": "string"
}
]
},
"relationScopes": {"scopes": [{"type": "INVALID",
"scope": {"serviceRelation": {"source": "string",
"target": "string"
}
}
}
]
}
}
}

List the telemetry sources that are available for the requested parent. It will return telemetry sources that belong to the requested parent and from all its child resources.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
workspace required	string Workspace name.
trafficgroup required	string Trafficgroup name.
setting required	string Setting name.

query Parameters

scopeTypes	Array of strings Items Enum: "INVALID" "SERVICE" "INGRESS" "RELATION" The scope type that a telemetry source needs to match. Telemetry sources that matches any requested scope type will be returned. SERVICE: A telemetry source service based scope. INGRESS: A telemetry source ingress's hostname based scope. RELATION: A telemetry source relation based scope.
belongTos	Array of strings Which resources the telemetry sources must belong to. Telemetry sources that belongs to any requested resource will be returned.
existed.since	string <date-time> Moment in time since we retrieve Telemetry Sources.
existed.until	string <date-time> Moment in time until we retrieve Telemetry Sources.

Responses

Response samples

200
default

Content type

application/json

{"sources": [{"fqn": "string",
"displayName": "string",
"etag": "string",
"description": "string",
"belongsTo": "string",
"metricSourceKey": "string",
"type": "INVALID",
"scope": {"serviceScopes": {"scopes": [{"type": "INVALID",
"scope": {"instance": "string",
"subset": "string",
"service": "string",
"namespace": "string",
"cluster": "string"
},
"deployment": "string"
}
]
},
"ingressScopes": {"scopes": [{"type": "INVALID",
"scope": {"hostname": "string",
"ingressService": "string",
"cluster": "string"
},
"deployment": "string"
}
]
},
"relationScopes": {"scopes": [{"type": "INVALID",
"scope": {"serviceRelation": {"source": "string",
"target": "string"
}
}
}
]
}
}
}
]
}

Get the details of an existing telemetry source.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
workspace required	string Workspace name.
trafficgroup required	string Trafficgroup name.
setting required	string Setting name.
source required	string Source name.

Responses

Response samples

200
default

Content type

application/json

{"fqn": "string",
"displayName": "string",
"etag": "string",
"description": "string",
"belongsTo": "string",
"metricSourceKey": "string",
"type": "INVALID",
"scope": {"serviceScopes": {"scopes": [{"type": "INVALID",
"scope": {"instance": "string",
"subset": "string",
"service": "string",
"namespace": "string",
"cluster": "string"
},
"deployment": "string"
}
]
},
"ingressScopes": {"scopes": [{"type": "INVALID",
"scope": {"hostname": "string",
"ingressService": "string",
"cluster": "string"
},
"deployment": "string"
}
]
},
"relationScopes": {"scopes": [{"type": "INVALID",
"scope": {"serviceRelation": {"source": "string",
"target": "string"
}
}
}
]
}
}
}

List the telemetry sources that are available for the requested parent. It will return telemetry sources that belong to the requested parent and from all its child resources.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
workspace required	string Workspace name.
trafficgroup required	string Trafficgroup name.

query Parameters

scopeTypes	Array of strings Items Enum: "INVALID" "SERVICE" "INGRESS" "RELATION" The scope type that a telemetry source needs to match. Telemetry sources that matches any requested scope type will be returned. SERVICE: A telemetry source service based scope. INGRESS: A telemetry source ingress's hostname based scope. RELATION: A telemetry source relation based scope.
belongTos	Array of strings Which resources the telemetry sources must belong to. Telemetry sources that belongs to any requested resource will be returned.
existed.since	string <date-time> Moment in time since we retrieve Telemetry Sources.
existed.until	string <date-time> Moment in time until we retrieve Telemetry Sources.

Responses

Response samples

200
default

Content type

application/json

{"sources": [{"fqn": "string",
"displayName": "string",
"etag": "string",
"description": "string",
"belongsTo": "string",
"metricSourceKey": "string",
"type": "INVALID",
"scope": {"serviceScopes": {"scopes": [{"type": "INVALID",
"scope": {"instance": "string",
"subset": "string",
"service": "string",
"namespace": "string",
"cluster": "string"
},
"deployment": "string"
}
]
},
"ingressScopes": {"scopes": [{"type": "INVALID",
"scope": {"hostname": "string",
"ingressService": "string",
"cluster": "string"
},
"deployment": "string"
}
]
},
"relationScopes": {"scopes": [{"type": "INVALID",
"scope": {"serviceRelation": {"source": "string",
"target": "string"
}
}
}
]
}
}
}
]
}

Get the details of an existing telemetry source.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
workspace required	string Workspace name.
trafficgroup required	string Trafficgroup name.
source required	string Source name.

Responses

Response samples

200
default

Content type

application/json

{"fqn": "string",
"displayName": "string",
"etag": "string",
"description": "string",
"belongsTo": "string",
"metricSourceKey": "string",
"type": "INVALID",
"scope": {"serviceScopes": {"scopes": [{"type": "INVALID",
"scope": {"instance": "string",
"subset": "string",
"service": "string",
"namespace": "string",
"cluster": "string"
},
"deployment": "string"
}
]
},
"ingressScopes": {"scopes": [{"type": "INVALID",
"scope": {"hostname": "string",
"ingressService": "string",
"cluster": "string"
},
"deployment": "string"
}
]
},
"relationScopes": {"scopes": [{"type": "INVALID",
"scope": {"serviceRelation": {"source": "string",
"target": "string"
}
}
}
]
}
}
}

List the telemetry sources that are available for the requested parent. It will return telemetry sources that belong to the requested parent and from all its child resources.

path Parameters

organization required	string Organization name.
user required	string User name.

query Parameters

scopeTypes	Array of strings Items Enum: "INVALID" "SERVICE" "INGRESS" "RELATION" The scope type that a telemetry source needs to match. Telemetry sources that matches any requested scope type will be returned. SERVICE: A telemetry source service based scope. INGRESS: A telemetry source ingress's hostname based scope. RELATION: A telemetry source relation based scope.
belongTos	Array of strings Which resources the telemetry sources must belong to. Telemetry sources that belongs to any requested resource will be returned.
existed.since	string <date-time> Moment in time since we retrieve Telemetry Sources.
existed.until	string <date-time> Moment in time until we retrieve Telemetry Sources.

Responses

Response samples

200
default

Content type

application/json

{"sources": [{"fqn": "string",
"displayName": "string",
"etag": "string",
"description": "string",
"belongsTo": "string",
"metricSourceKey": "string",
"type": "INVALID",
"scope": {"serviceScopes": {"scopes": [{"type": "INVALID",
"scope": {"instance": "string",
"subset": "string",
"service": "string",
"namespace": "string",
"cluster": "string"
},
"deployment": "string"
}
]
},
"ingressScopes": {"scopes": [{"type": "INVALID",
"scope": {"hostname": "string",
"ingressService": "string",
"cluster": "string"
},
"deployment": "string"
}
]
},
"relationScopes": {"scopes": [{"type": "INVALID",
"scope": {"serviceRelation": {"source": "string",
"target": "string"
}
}
}
]
}
}
}
]
}

Get the details of an existing telemetry source.

path Parameters

organization required	string Organization name.
user required	string User name.
source required	string Source name.

Responses

Response samples

200
default

Content type

application/json

{"fqn": "string",
"displayName": "string",
"etag": "string",
"description": "string",
"belongsTo": "string",
"metricSourceKey": "string",
"type": "INVALID",
"scope": {"serviceScopes": {"scopes": [{"type": "INVALID",
"scope": {"instance": "string",
"subset": "string",
"service": "string",
"namespace": "string",
"cluster": "string"
},
"deployment": "string"
}
]
},
"ingressScopes": {"scopes": [{"type": "INVALID",
"scope": {"hostname": "string",
"ingressService": "string",
"cluster": "string"
},
"deployment": "string"
}
]
},
"relationScopes": {"scopes": [{"type": "INVALID",
"scope": {"serviceRelation": {"source": "string",
"target": "string"
}
}
}
]
}
}
}

Approvals

GetPolicy returns the approval policy for the given resource.

path Parameters

organization

required

string

Organization name.

Responses

Response samples

200
default

Content type

application/json

{"etag": "string",
"mode": "UNRESTRICTED",
"resource": "string",
"requested": [{"subject": "string",
"permissions": ["string"
],
"metadata": {"details": {"name": "string",
"description": "string"
},
"rules": [{"types": [{"apiGroup": "string",
"kinds": ["string"
]
}
],
"permissions": ["INVALID"
]
}
]
}
}
],
"approved": [{"subject": "string",
"permissions": ["string"
],
"metadata": {"details": {"name": "string",
"description": "string"
},
"rules": [{"types": [{"apiGroup": "string",
"kinds": ["string"
]
}
],
"permissions": ["INVALID"
]
}
]
}
}
],
"metadata": {"details": {"name": "string",
"description": "string"
},
"rules": [{"types": [{"apiGroup": "string",
"kinds": ["string"
]
}
],
"permissions": ["INVALID"
]
}
]
}
}

SetPolicy enables authorization policy checks for the given resource and applies any provided request or approval settings. If the resource has existing policies settings, they will be replaced. Once the policy is set, authorization checks will be performed for the given resource.

path Parameters

organization

required

string

Organization name.

Request Body schema: application/json
required

	Array of objects (v2Access) Approved is a list of subjects that are approved to access the resource.
etag	string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)
	object (v2Metadata) Metadata includes additional information about an ApprovalPolicy or Access entity and their respective resources that they apply to.
mode required	string (ApprovalPolicyMode) Default: "UNRESTRICTED" Enum: "UNRESTRICTED" "ALLOW_REQUESTED" "REQUIRE_APPROVAL" UNRESTRICTED: Allows all subjects in the same policy class to access the resource. ALLOW_REQUESTED: Allows only the subjects in the request and approved list to access the resource. REQUIRE_APPROVAL: Allows only the subjects in the approved list to access the resource.
	Array of objects (v2Access) Requested is a list of subjects that are requested to access the resource but that have not yet been explicitly approved. The access mode of the policy will determine if the subjects in this list are given immediate access to the resource.

Responses

Request samples

Payload

Content type

application/json

{"approved": [{"subject": "string",
"permissions": ["string"
],
"metadata": {"details": {"name": "string",
"description": "string"
},
"rules": [{"types": [{"apiGroup": "string",
"kinds": ["string"
]
}
],
"permissions": ["INVALID"
]
}
]
}
}
],
"etag": "string",
"metadata": {"details": {"name": "string",
"description": "string"
},
"rules": [{"types": [{"apiGroup": "string",
"kinds": ["string"
]
}
],
"permissions": ["INVALID"
]
}
]
},
"mode": "UNRESTRICTED",
"requested": [{"subject": "string",
"permissions": ["string"
],
"metadata": {"details": {"name": "string",
"description": "string"
},
"rules": [{"types": [{"apiGroup": "string",
"kinds": ["string"
]
}
],
"permissions": ["INVALID"
]
}
]
}
}
]
}

Response samples

200
default

Content type

application/json

{ }

DeletePolicy deletes the approval policy configuration for the given resource. When deleted, authorization checks will no longer be performed, the resource will no longer accept approval requests and all existing approvals will be revoked.

path Parameters

organization

required

string

Organization name.

Responses

Response samples

200
default

Content type

application/json

{ }

AddApprovedAccess adds a new entry in the approved access list for the given resource.

path Parameters

organization

required

string

Organization name.

Request Body schema: application/json
required

required	object (v2Access) Access is an access request for a subject with a set of permission. Example: Access { Subject: "organizations/demo/tenants/demo/applications/caller", Permissions: []string{"GET"} }
etag	string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)

Responses

Request samples

Payload

Content type

application/json

{"access": {"subject": "string",
"permissions": ["string"
],
"metadata": {"details": {"name": "string",
"description": "string"
},
"rules": [{"types": [{"apiGroup": "string",
"kinds": ["string"
]
}
],
"permissions": ["INVALID"
]
}
]
}
},
"etag": "string"
}

Response samples

200
default

Content type

application/json

{ }

DeleteApprovedAccess deletes an entry from the approved list for the given resource.

path Parameters

organization

required

string

Organization name.

Request Body schema: application/json
required

subject

required

string

Subject for which the access request is made.

Responses

Request samples

Payload

Content type

application/json

{"subject": "string"
}

Response samples

200
default

Content type

application/json

{ }

Approvals_QueryPolicies

path Parameters

organization

required

string

Organization name.

Request Body schema: application/json
required

includeDetails	boolean IncludeDetails indicates whether to include the details of the resources that are part of the policy. When set to true, the name and description of the resource are included in the response.
includePermissions	boolean IncludePermissions indicates whether to include the user level permissions on resources that are part of the policy. When set to true, the user level permissions are included in the response.
types required	Array of strings Type is the type of the resources to query for policies.

Responses

Request samples

Payload

Content type

application/json

{"includeDetails": true,
"includePermissions": true,
"types": ["string"
]
}

Response samples

200
default

Content type

application/json

{"policies": [{"etag": "string",
"mode": "UNRESTRICTED",
"resource": "string",
"requested": [{"subject": "string",
"permissions": ["string"
],
"metadata": {"details": {"name": "string",
"description": "string"
},
"rules": [{"types": [{"apiGroup": null,
"kinds": [ ]
}
],
"permissions": ["INVALID"
]
}
]
}
}
],
"approved": [{"subject": "string",
"permissions": ["string"
],
"metadata": {"details": {"name": "string",
"description": "string"
},
"rules": [{"types": [{"apiGroup": null,
"kinds": [ ]
}
],
"permissions": ["INVALID"
]
}
]
}
}
],
"metadata": {"details": {"name": "string",
"description": "string"
},
"rules": [{"types": [{"apiGroup": "string",
"kinds": ["string"
]
}
],
"permissions": ["INVALID"
]
}
]
}
}
]
}

AddAccessRequest adds a new access request entry in the access request list for the given resource. If the policy approval mode is "ALLOW_REQUESTED", access is allowed immediately. If the policy approval mode is "REQUIRE_APPROVAL" access will be pending until the request is approved.

path Parameters

organization

required

string

Organization name.

Request Body schema: application/json
required

required	object (v2Access) Access is an access request for a subject with a set of permission. Example: Access { Subject: "organizations/demo/tenants/demo/applications/caller", Permissions: []string{"GET"} }
etag	string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)

Responses

Request samples

Payload

Content type

application/json

{"access": {"subject": "string",
"permissions": ["string"
],
"metadata": {"details": {"name": "string",
"description": "string"
},
"rules": [{"types": [{"apiGroup": "string",
"kinds": ["string"
]
}
],
"permissions": ["INVALID"
]
}
]
}
},
"etag": "string"
}

Response samples

200
default

Content type

application/json

{ }

ApproveAccessRequest approves an existing access request for the given resource. Once approved, the request will be removed from the requested list and added to the approved list. If any of the permissions are changed, the requested permissions will be discarded and only the approved permissions will be added to the approved list.

path Parameters

organization

required

string

Organization name.

Request Body schema: application/json
required

required	object (v2Access) Access is an access request for a subject with a set of permission. Example: Access { Subject: "organizations/demo/tenants/demo/applications/caller", Permissions: []string{"GET"} }
etag	string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)

Responses

Request samples

Payload

Content type

application/json

{"access": {"subject": "string",
"permissions": ["string"
],
"metadata": {"details": {"name": "string",
"description": "string"
},
"rules": [{"types": [{"apiGroup": "string",
"kinds": ["string"
]
}
],
"permissions": ["INVALID"
]
}
]
}
},
"etag": "string"
}

Response samples

200
default

Content type

application/json

{ }

DeleteAccessRequest removes an existing entry from the access request list for the given resource. If the request is already approved, the request no longer exists and this operation will return NotFound. Deleting an approved request should be done using the DeleteApproved operation.

path Parameters

organization

required

string

Organization name.

Request Body schema: application/json
required

subject

required

string

Subject for which the access request is made.

Responses

Request samples

Payload

Content type

application/json

{"subject": "string"
}

Response samples

200
default

Content type

application/json

{ }

GetPolicy returns the approval policy for the given resource.

path Parameters

organization required	string Organization name.
cluster required	string Cluster name.

Responses

Response samples

200
default

Content type

application/json

{"etag": "string",
"mode": "UNRESTRICTED",
"resource": "string",
"requested": [{"subject": "string",
"permissions": ["string"
],
"metadata": {"details": {"name": "string",
"description": "string"
},
"rules": [{"types": [{"apiGroup": "string",
"kinds": ["string"
]
}
],
"permissions": ["INVALID"
]
}
]
}
}
],
"approved": [{"subject": "string",
"permissions": ["string"
],
"metadata": {"details": {"name": "string",
"description": "string"
},
"rules": [{"types": [{"apiGroup": "string",
"kinds": ["string"
]
}
],
"permissions": ["INVALID"
]
}
]
}
}
],
"metadata": {"details": {"name": "string",
"description": "string"
},
"rules": [{"types": [{"apiGroup": "string",
"kinds": ["string"
]
}
],
"permissions": ["INVALID"
]
}
]
}
}

SetPolicy enables authorization policy checks for the given resource and applies any provided request or approval settings. If the resource has existing policies settings, they will be replaced. Once the policy is set, authorization checks will be performed for the given resource.

path Parameters

organization required	string Organization name.
cluster required	string Cluster name.

Request Body schema: application/json
required

	Array of objects (v2Access) Approved is a list of subjects that are approved to access the resource.
etag	string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)
	object (v2Metadata) Metadata includes additional information about an ApprovalPolicy or Access entity and their respective resources that they apply to.
mode required	string (ApprovalPolicyMode) Default: "UNRESTRICTED" Enum: "UNRESTRICTED" "ALLOW_REQUESTED" "REQUIRE_APPROVAL" UNRESTRICTED: Allows all subjects in the same policy class to access the resource. ALLOW_REQUESTED: Allows only the subjects in the request and approved list to access the resource. REQUIRE_APPROVAL: Allows only the subjects in the approved list to access the resource.
	Array of objects (v2Access) Requested is a list of subjects that are requested to access the resource but that have not yet been explicitly approved. The access mode of the policy will determine if the subjects in this list are given immediate access to the resource.

Responses

Request samples

Payload

Content type

application/json

{"approved": [{"subject": "string",
"permissions": ["string"
],
"metadata": {"details": {"name": "string",
"description": "string"
},
"rules": [{"types": [{"apiGroup": "string",
"kinds": ["string"
]
}
],
"permissions": ["INVALID"
]
}
]
}
}
],
"etag": "string",
"metadata": {"details": {"name": "string",
"description": "string"
},
"rules": [{"types": [{"apiGroup": "string",
"kinds": ["string"
]
}
],
"permissions": ["INVALID"
]
}
]
},
"mode": "UNRESTRICTED",
"requested": [{"subject": "string",
"permissions": ["string"
],
"metadata": {"details": {"name": "string",
"description": "string"
},
"rules": [{"types": [{"apiGroup": "string",
"kinds": ["string"
]
}
],
"permissions": ["INVALID"
]
}
]
}
}
]
}

Response samples

200
default

Content type

application/json

{ }

DeletePolicy deletes the approval policy configuration for the given resource. When deleted, authorization checks will no longer be performed, the resource will no longer accept approval requests and all existing approvals will be revoked.

path Parameters

organization required	string Organization name.
cluster required	string Cluster name.

Responses

Response samples

200
default

Content type

application/json

{ }

AddApprovedAccess adds a new entry in the approved access list for the given resource.

path Parameters

organization required	string Organization name.
cluster required	string Cluster name.

Request Body schema: application/json
required

required	object (v2Access) Access is an access request for a subject with a set of permission. Example: Access { Subject: "organizations/demo/tenants/demo/applications/caller", Permissions: []string{"GET"} }
etag	string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)

Responses

Request samples

Payload

Content type

application/json

{"access": {"subject": "string",
"permissions": ["string"
],
"metadata": {"details": {"name": "string",
"description": "string"
},
"rules": [{"types": [{"apiGroup": "string",
"kinds": ["string"
]
}
],
"permissions": ["INVALID"
]
}
]
}
},
"etag": "string"
}

Response samples

200
default

Content type

application/json

{ }

DeleteApprovedAccess deletes an entry from the approved list for the given resource.

path Parameters

organization required	string Organization name.
cluster required	string Cluster name.

Request Body schema: application/json
required

subject

required

string

Subject for which the access request is made.

Responses

Request samples

Payload

Content type

application/json

{"subject": "string"
}

Response samples

200
default

Content type

application/json

{ }

Approvals_QueryPolicies_variant_1

path Parameters

organization required	string Organization name.
cluster required	string Cluster name.

Request Body schema: application/json
required

includeDetails	boolean IncludeDetails indicates whether to include the details of the resources that are part of the policy. When set to true, the name and description of the resource are included in the response.
includePermissions	boolean IncludePermissions indicates whether to include the user level permissions on resources that are part of the policy. When set to true, the user level permissions are included in the response.
types required	Array of strings Type is the type of the resources to query for policies.

Responses

Request samples

Payload

Content type

application/json

{"includeDetails": true,
"includePermissions": true,
"types": ["string"
]
}

Response samples

200
default

Content type

application/json

{"policies": [{"etag": "string",
"mode": "UNRESTRICTED",
"resource": "string",
"requested": [{"subject": "string",
"permissions": ["string"
],
"metadata": {"details": {"name": "string",
"description": "string"
},
"rules": [{"types": [{"apiGroup": null,
"kinds": [ ]
}
],
"permissions": ["INVALID"
]
}
]
}
}
],
"approved": [{"subject": "string",
"permissions": ["string"
],
"metadata": {"details": {"name": "string",
"description": "string"
},
"rules": [{"types": [{"apiGroup": null,
"kinds": [ ]
}
],
"permissions": ["INVALID"
]
}
]
}
}
],
"metadata": {"details": {"name": "string",
"description": "string"
},
"rules": [{"types": [{"apiGroup": "string",
"kinds": ["string"
]
}
],
"permissions": ["INVALID"
]
}
]
}
}
]
}

AddAccessRequest adds a new access request entry in the access request list for the given resource. If the policy approval mode is "ALLOW_REQUESTED", access is allowed immediately. If the policy approval mode is "REQUIRE_APPROVAL" access will be pending until the request is approved.

path Parameters

organization required	string Organization name.
cluster required	string Cluster name.

Request Body schema: application/json
required

required	object (v2Access) Access is an access request for a subject with a set of permission. Example: Access { Subject: "organizations/demo/tenants/demo/applications/caller", Permissions: []string{"GET"} }
etag	string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)

Responses

Request samples

Payload

Content type

application/json

{"access": {"subject": "string",
"permissions": ["string"
],
"metadata": {"details": {"name": "string",
"description": "string"
},
"rules": [{"types": [{"apiGroup": "string",
"kinds": ["string"
]
}
],
"permissions": ["INVALID"
]
}
]
}
},
"etag": "string"
}

Response samples

200
default

Content type

application/json

{ }

ApproveAccessRequest approves an existing access request for the given resource. Once approved, the request will be removed from the requested list and added to the approved list. If any of the permissions are changed, the requested permissions will be discarded and only the approved permissions will be added to the approved list.

path Parameters

organization required	string Organization name.
cluster required	string Cluster name.

Request Body schema: application/json
required

required	object (v2Access) Access is an access request for a subject with a set of permission. Example: Access { Subject: "organizations/demo/tenants/demo/applications/caller", Permissions: []string{"GET"} }
etag	string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)

Responses

Request samples

Payload

Content type

application/json

{"access": {"subject": "string",
"permissions": ["string"
],
"metadata": {"details": {"name": "string",
"description": "string"
},
"rules": [{"types": [{"apiGroup": "string",
"kinds": ["string"
]
}
],
"permissions": ["INVALID"
]
}
]
}
},
"etag": "string"
}

Response samples

200
default

Content type

application/json

{ }

DeleteAccessRequest removes an existing entry from the access request list for the given resource. If the request is already approved, the request no longer exists and this operation will return NotFound. Deleting an approved request should be done using the DeleteApproved operation.

path Parameters

organization required	string Organization name.
cluster required	string Cluster name.

Request Body schema: application/json
required

subject

required

string

Subject for which the access request is made.

Responses

Request samples

Payload

Content type

application/json

{"subject": "string"
}

Response samples

200
default

Content type

application/json

{ }

GetPolicy returns the approval policy for the given resource.

path Parameters

organization required	string Organization name.
extension required	string Extension name.

Responses

Response samples

200
default

Content type

application/json

{"etag": "string",
"mode": "UNRESTRICTED",
"resource": "string",
"requested": [{"subject": "string",
"permissions": ["string"
],
"metadata": {"details": {"name": "string",
"description": "string"
},
"rules": [{"types": [{"apiGroup": "string",
"kinds": ["string"
]
}
],
"permissions": ["INVALID"
]
}
]
}
}
],
"approved": [{"subject": "string",
"permissions": ["string"
],
"metadata": {"details": {"name": "string",
"description": "string"
},
"rules": [{"types": [{"apiGroup": "string",
"kinds": ["string"
]
}
],
"permissions": ["INVALID"
]
}
]
}
}
],
"metadata": {"details": {"name": "string",
"description": "string"
},
"rules": [{"types": [{"apiGroup": "string",
"kinds": ["string"
]
}
],
"permissions": ["INVALID"
]
}
]
}
}

SetPolicy enables authorization policy checks for the given resource and applies any provided request or approval settings. If the resource has existing policies settings, they will be replaced. Once the policy is set, authorization checks will be performed for the given resource.

path Parameters

organization required	string Organization name.
extension required	string Extension name.

Request Body schema: application/json
required

	Array of objects (v2Access) Approved is a list of subjects that are approved to access the resource.
etag	string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)
	object (v2Metadata) Metadata includes additional information about an ApprovalPolicy or Access entity and their respective resources that they apply to.
mode required	string (ApprovalPolicyMode) Default: "UNRESTRICTED" Enum: "UNRESTRICTED" "ALLOW_REQUESTED" "REQUIRE_APPROVAL" UNRESTRICTED: Allows all subjects in the same policy class to access the resource. ALLOW_REQUESTED: Allows only the subjects in the request and approved list to access the resource. REQUIRE_APPROVAL: Allows only the subjects in the approved list to access the resource.
	Array of objects (v2Access) Requested is a list of subjects that are requested to access the resource but that have not yet been explicitly approved. The access mode of the policy will determine if the subjects in this list are given immediate access to the resource.

Responses

Request samples

Payload

Content type

application/json

{"approved": [{"subject": "string",
"permissions": ["string"
],
"metadata": {"details": {"name": "string",
"description": "string"
},
"rules": [{"types": [{"apiGroup": "string",
"kinds": ["string"
]
}
],
"permissions": ["INVALID"
]
}
]
}
}
],
"etag": "string",
"metadata": {"details": {"name": "string",
"description": "string"
},
"rules": [{"types": [{"apiGroup": "string",
"kinds": ["string"
]
}
],
"permissions": ["INVALID"
]
}
]
},
"mode": "UNRESTRICTED",
"requested": [{"subject": "string",
"permissions": ["string"
],
"metadata": {"details": {"name": "string",
"description": "string"
},
"rules": [{"types": [{"apiGroup": "string",
"kinds": ["string"
]
}
],
"permissions": ["INVALID"
]
}
]
}
}
]
}

Response samples

200
default

Content type

application/json

{ }

DeletePolicy deletes the approval policy configuration for the given resource. When deleted, authorization checks will no longer be performed, the resource will no longer accept approval requests and all existing approvals will be revoked.

path Parameters

organization required	string Organization name.
extension required	string Extension name.

Responses

Response samples

200
default

Content type

application/json

{ }

AddApprovedAccess adds a new entry in the approved access list for the given resource.

path Parameters

organization required	string Organization name.
extension required	string Extension name.

Request Body schema: application/json
required

required	object (v2Access) Access is an access request for a subject with a set of permission. Example: Access { Subject: "organizations/demo/tenants/demo/applications/caller", Permissions: []string{"GET"} }
etag	string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)

Responses

Request samples

Payload

Content type

application/json

{"access": {"subject": "string",
"permissions": ["string"
],
"metadata": {"details": {"name": "string",
"description": "string"
},
"rules": [{"types": [{"apiGroup": "string",
"kinds": ["string"
]
}
],
"permissions": ["INVALID"
]
}
]
}
},
"etag": "string"
}

Response samples

200
default

Content type

application/json

{ }

DeleteApprovedAccess deletes an entry from the approved list for the given resource.

path Parameters

organization required	string Organization name.
extension required	string Extension name.

Request Body schema: application/json
required

subject

required

string

Subject for which the access request is made.

Responses

Request samples

Payload

Content type

application/json

{"subject": "string"
}

Response samples

200
default

Content type

application/json

{ }

Approvals_QueryPolicies_variant_2

path Parameters

organization required	string Organization name.
extension required	string Extension name.

Request Body schema: application/json
required

includeDetails	boolean IncludeDetails indicates whether to include the details of the resources that are part of the policy. When set to true, the name and description of the resource are included in the response.
includePermissions	boolean IncludePermissions indicates whether to include the user level permissions on resources that are part of the policy. When set to true, the user level permissions are included in the response.
types required	Array of strings Type is the type of the resources to query for policies.

Responses

Request samples

Payload

Content type

application/json

{"includeDetails": true,
"includePermissions": true,
"types": ["string"
]
}

Response samples

200
default

Content type

application/json

{"policies": [{"etag": "string",
"mode": "UNRESTRICTED",
"resource": "string",
"requested": [{"subject": "string",
"permissions": ["string"
],
"metadata": {"details": {"name": "string",
"description": "string"
},
"rules": [{"types": [{"apiGroup": null,
"kinds": [ ]
}
],
"permissions": ["INVALID"
]
}
]
}
}
],
"approved": [{"subject": "string",
"permissions": ["string"
],
"metadata": {"details": {"name": "string",
"description": "string"
},
"rules": [{"types": [{"apiGroup": null,
"kinds": [ ]
}
],
"permissions": ["INVALID"
]
}
]
}
}
],
"metadata": {"details": {"name": "string",
"description": "string"
},
"rules": [{"types": [{"apiGroup": "string",
"kinds": ["string"
]
}
],
"permissions": ["INVALID"
]
}
]
}
}
]
}

AddAccessRequest adds a new access request entry in the access request list for the given resource. If the policy approval mode is "ALLOW_REQUESTED", access is allowed immediately. If the policy approval mode is "REQUIRE_APPROVAL" access will be pending until the request is approved.

path Parameters

organization required	string Organization name.
extension required	string Extension name.

Request Body schema: application/json
required

required	object (v2Access) Access is an access request for a subject with a set of permission. Example: Access { Subject: "organizations/demo/tenants/demo/applications/caller", Permissions: []string{"GET"} }
etag	string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)

Responses

Request samples

Payload

Content type

application/json

{"access": {"subject": "string",
"permissions": ["string"
],
"metadata": {"details": {"name": "string",
"description": "string"
},
"rules": [{"types": [{"apiGroup": "string",
"kinds": ["string"
]
}
],
"permissions": ["INVALID"
]
}
]
}
},
"etag": "string"
}

Response samples

200
default

Content type

application/json

{ }

ApproveAccessRequest approves an existing access request for the given resource. Once approved, the request will be removed from the requested list and added to the approved list. If any of the permissions are changed, the requested permissions will be discarded and only the approved permissions will be added to the approved list.

path Parameters

organization required	string Organization name.
extension required	string Extension name.

Request Body schema: application/json
required

required	object (v2Access) Access is an access request for a subject with a set of permission. Example: Access { Subject: "organizations/demo/tenants/demo/applications/caller", Permissions: []string{"GET"} }
etag	string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)

Responses

Request samples

Payload

Content type

application/json

{"access": {"subject": "string",
"permissions": ["string"
],
"metadata": {"details": {"name": "string",
"description": "string"
},
"rules": [{"types": [{"apiGroup": "string",
"kinds": ["string"
]
}
],
"permissions": ["INVALID"
]
}
]
}
},
"etag": "string"
}

Response samples

200
default

Content type

application/json

{ }

DeleteAccessRequest removes an existing entry from the access request list for the given resource. If the request is already approved, the request no longer exists and this operation will return NotFound. Deleting an approved request should be done using the DeleteApproved operation.

path Parameters

organization required	string Organization name.
extension required	string Extension name.

Request Body schema: application/json
required

subject

required

string

Subject for which the access request is made.

Responses

Request samples

Payload

Content type

application/json

{"subject": "string"
}

Response samples

200
default

Content type

application/json

{ }

GetPolicy returns the approval policy for the given resource.

path Parameters

organization required	string Organization name.
serviceaccount required	string Serviceaccount name.

Responses

Response samples

200
default

Content type

application/json

{"etag": "string",
"mode": "UNRESTRICTED",
"resource": "string",
"requested": [{"subject": "string",
"permissions": ["string"
],
"metadata": {"details": {"name": "string",
"description": "string"
},
"rules": [{"types": [{"apiGroup": "string",
"kinds": ["string"
]
}
],
"permissions": ["INVALID"
]
}
]
}
}
],
"approved": [{"subject": "string",
"permissions": ["string"
],
"metadata": {"details": {"name": "string",
"description": "string"
},
"rules": [{"types": [{"apiGroup": "string",
"kinds": ["string"
]
}
],
"permissions": ["INVALID"
]
}
]
}
}
],
"metadata": {"details": {"name": "string",
"description": "string"
},
"rules": [{"types": [{"apiGroup": "string",
"kinds": ["string"
]
}
],
"permissions": ["INVALID"
]
}
]
}
}

SetPolicy enables authorization policy checks for the given resource and applies any provided request or approval settings. If the resource has existing policies settings, they will be replaced. Once the policy is set, authorization checks will be performed for the given resource.

path Parameters

organization required	string Organization name.
serviceaccount required	string Serviceaccount name.

Request Body schema: application/json
required

	Array of objects (v2Access) Approved is a list of subjects that are approved to access the resource.
etag	string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)
	object (v2Metadata) Metadata includes additional information about an ApprovalPolicy or Access entity and their respective resources that they apply to.
mode required	string (ApprovalPolicyMode) Default: "UNRESTRICTED" Enum: "UNRESTRICTED" "ALLOW_REQUESTED" "REQUIRE_APPROVAL" UNRESTRICTED: Allows all subjects in the same policy class to access the resource. ALLOW_REQUESTED: Allows only the subjects in the request and approved list to access the resource. REQUIRE_APPROVAL: Allows only the subjects in the approved list to access the resource.
	Array of objects (v2Access) Requested is a list of subjects that are requested to access the resource but that have not yet been explicitly approved. The access mode of the policy will determine if the subjects in this list are given immediate access to the resource.

Responses

Request samples

Payload

Content type

application/json

{"approved": [{"subject": "string",
"permissions": ["string"
],
"metadata": {"details": {"name": "string",
"description": "string"
},
"rules": [{"types": [{"apiGroup": "string",
"kinds": ["string"
]
}
],
"permissions": ["INVALID"
]
}
]
}
}
],
"etag": "string",
"metadata": {"details": {"name": "string",
"description": "string"
},
"rules": [{"types": [{"apiGroup": "string",
"kinds": ["string"
]
}
],
"permissions": ["INVALID"
]
}
]
},
"mode": "UNRESTRICTED",
"requested": [{"subject": "string",
"permissions": ["string"
],
"metadata": {"details": {"name": "string",
"description": "string"
},
"rules": [{"types": [{"apiGroup": "string",
"kinds": ["string"
]
}
],
"permissions": ["INVALID"
]
}
]
}
}
]
}

Response samples

200
default

Content type

application/json

{ }

DeletePolicy deletes the approval policy configuration for the given resource. When deleted, authorization checks will no longer be performed, the resource will no longer accept approval requests and all existing approvals will be revoked.

path Parameters

organization required	string Organization name.
serviceaccount required	string Serviceaccount name.

Responses

Response samples

200
default

Content type

application/json

{ }

AddApprovedAccess adds a new entry in the approved access list for the given resource.

path Parameters

organization required	string Organization name.
serviceaccount required	string Serviceaccount name.

Request Body schema: application/json
required

required	object (v2Access) Access is an access request for a subject with a set of permission. Example: Access { Subject: "organizations/demo/tenants/demo/applications/caller", Permissions: []string{"GET"} }
etag	string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)

Responses

Request samples

Payload

Content type

application/json

{"access": {"subject": "string",
"permissions": ["string"
],
"metadata": {"details": {"name": "string",
"description": "string"
},
"rules": [{"types": [{"apiGroup": "string",
"kinds": ["string"
]
}
],
"permissions": ["INVALID"
]
}
]
}
},
"etag": "string"
}

Response samples

200
default

Content type

application/json

{ }

DeleteApprovedAccess deletes an entry from the approved list for the given resource.

path Parameters

organization required	string Organization name.
serviceaccount required	string Serviceaccount name.

Request Body schema: application/json
required

subject

required

string

Subject for which the access request is made.

Responses

Request samples

Payload

Content type

application/json

{"subject": "string"
}

Response samples

200
default

Content type

application/json

{ }

Approvals_QueryPolicies_variant_5

path Parameters

organization required	string Organization name.
serviceaccount required	string Serviceaccount name.

Request Body schema: application/json
required

includeDetails	boolean IncludeDetails indicates whether to include the details of the resources that are part of the policy. When set to true, the name and description of the resource are included in the response.
includePermissions	boolean IncludePermissions indicates whether to include the user level permissions on resources that are part of the policy. When set to true, the user level permissions are included in the response.
types required	Array of strings Type is the type of the resources to query for policies.

Responses

Request samples

Payload

Content type

application/json

{"includeDetails": true,
"includePermissions": true,
"types": ["string"
]
}

Response samples

200
default

Content type

application/json

{"policies": [{"etag": "string",
"mode": "UNRESTRICTED",
"resource": "string",
"requested": [{"subject": "string",
"permissions": ["string"
],
"metadata": {"details": {"name": "string",
"description": "string"
},
"rules": [{"types": [{"apiGroup": null,
"kinds": [ ]
}
],
"permissions": ["INVALID"
]
}
]
}
}
],
"approved": [{"subject": "string",
"permissions": ["string"
],
"metadata": {"details": {"name": "string",
"description": "string"
},
"rules": [{"types": [{"apiGroup": null,
"kinds": [ ]
}
],
"permissions": ["INVALID"
]
}
]
}
}
],
"metadata": {"details": {"name": "string",
"description": "string"
},
"rules": [{"types": [{"apiGroup": "string",
"kinds": ["string"
]
}
],
"permissions": ["INVALID"
]
}
]
}
}
]
}

AddAccessRequest adds a new access request entry in the access request list for the given resource. If the policy approval mode is "ALLOW_REQUESTED", access is allowed immediately. If the policy approval mode is "REQUIRE_APPROVAL" access will be pending until the request is approved.

path Parameters

organization required	string Organization name.
serviceaccount required	string Serviceaccount name.

Request Body schema: application/json
required

required	object (v2Access) Access is an access request for a subject with a set of permission. Example: Access { Subject: "organizations/demo/tenants/demo/applications/caller", Permissions: []string{"GET"} }
etag	string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)

Responses

Request samples

Payload

Content type

application/json

{"access": {"subject": "string",
"permissions": ["string"
],
"metadata": {"details": {"name": "string",
"description": "string"
},
"rules": [{"types": [{"apiGroup": "string",
"kinds": ["string"
]
}
],
"permissions": ["INVALID"
]
}
]
}
},
"etag": "string"
}

Response samples

200
default

Content type

application/json

{ }

ApproveAccessRequest approves an existing access request for the given resource. Once approved, the request will be removed from the requested list and added to the approved list. If any of the permissions are changed, the requested permissions will be discarded and only the approved permissions will be added to the approved list.

path Parameters

organization required	string Organization name.
serviceaccount required	string Serviceaccount name.

Request Body schema: application/json
required

required	object (v2Access) Access is an access request for a subject with a set of permission. Example: Access { Subject: "organizations/demo/tenants/demo/applications/caller", Permissions: []string{"GET"} }
etag	string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)

Responses

Request samples

Payload

Content type

application/json

{"access": {"subject": "string",
"permissions": ["string"
],
"metadata": {"details": {"name": "string",
"description": "string"
},
"rules": [{"types": [{"apiGroup": "string",
"kinds": ["string"
]
}
],
"permissions": ["INVALID"
]
}
]
}
},
"etag": "string"
}

Response samples

200
default

Content type

application/json

{ }

DeleteAccessRequest removes an existing entry from the access request list for the given resource. If the request is already approved, the request no longer exists and this operation will return NotFound. Deleting an approved request should be done using the DeleteApproved operation.

path Parameters

organization required	string Organization name.
serviceaccount required	string Serviceaccount name.

Request Body schema: application/json
required

subject

required

string

Subject for which the access request is made.

Responses

Request samples

Payload

Content type

application/json

{"subject": "string"
}

Response samples

200
default

Content type

application/json

{ }

GetPolicy returns the approval policy for the given resource.

path Parameters

organization required	string Organization name.
service required	string Service name.

Responses

Response samples

200
default

Content type

application/json

{"etag": "string",
"mode": "UNRESTRICTED",
"resource": "string",
"requested": [{"subject": "string",
"permissions": ["string"
],
"metadata": {"details": {"name": "string",
"description": "string"
},
"rules": [{"types": [{"apiGroup": "string",
"kinds": ["string"
]
}
],
"permissions": ["INVALID"
]
}
]
}
}
],
"approved": [{"subject": "string",
"permissions": ["string"
],
"metadata": {"details": {"name": "string",
"description": "string"
},
"rules": [{"types": [{"apiGroup": "string",
"kinds": ["string"
]
}
],
"permissions": ["INVALID"
]
}
]
}
}
],
"metadata": {"details": {"name": "string",
"description": "string"
},
"rules": [{"types": [{"apiGroup": "string",
"kinds": ["string"
]
}
],
"permissions": ["INVALID"
]
}
]
}
}

SetPolicy enables authorization policy checks for the given resource and applies any provided request or approval settings. If the resource has existing policies settings, they will be replaced. Once the policy is set, authorization checks will be performed for the given resource.

path Parameters

organization required	string Organization name.
service required	string Service name.

Request Body schema: application/json
required

	Array of objects (v2Access) Approved is a list of subjects that are approved to access the resource.
etag	string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)
	object (v2Metadata) Metadata includes additional information about an ApprovalPolicy or Access entity and their respective resources that they apply to.
mode required	string (ApprovalPolicyMode) Default: "UNRESTRICTED" Enum: "UNRESTRICTED" "ALLOW_REQUESTED" "REQUIRE_APPROVAL" UNRESTRICTED: Allows all subjects in the same policy class to access the resource. ALLOW_REQUESTED: Allows only the subjects in the request and approved list to access the resource. REQUIRE_APPROVAL: Allows only the subjects in the approved list to access the resource.
	Array of objects (v2Access) Requested is a list of subjects that are requested to access the resource but that have not yet been explicitly approved. The access mode of the policy will determine if the subjects in this list are given immediate access to the resource.

Responses

Request samples

Payload

Content type

application/json

{"approved": [{"subject": "string",
"permissions": ["string"
],
"metadata": {"details": {"name": "string",
"description": "string"
},
"rules": [{"types": [{"apiGroup": "string",
"kinds": ["string"
]
}
],
"permissions": ["INVALID"
]
}
]
}
}
],
"etag": "string",
"metadata": {"details": {"name": "string",
"description": "string"
},
"rules": [{"types": [{"apiGroup": "string",
"kinds": ["string"
]
}
],
"permissions": ["INVALID"
]
}
]
},
"mode": "UNRESTRICTED",
"requested": [{"subject": "string",
"permissions": ["string"
],
"metadata": {"details": {"name": "string",
"description": "string"
},
"rules": [{"types": [{"apiGroup": "string",
"kinds": ["string"
]
}
],
"permissions": ["INVALID"
]
}
]
}
}
]
}

Response samples

200
default

Content type

application/json

{ }

DeletePolicy deletes the approval policy configuration for the given resource. When deleted, authorization checks will no longer be performed, the resource will no longer accept approval requests and all existing approvals will be revoked.

path Parameters

organization required	string Organization name.
service required	string Service name.

Responses

Response samples

200
default

Content type

application/json

{ }

AddApprovedAccess adds a new entry in the approved access list for the given resource.

path Parameters

organization required	string Organization name.
service required	string Service name.

Request Body schema: application/json
required

required	object (v2Access) Access is an access request for a subject with a set of permission. Example: Access { Subject: "organizations/demo/tenants/demo/applications/caller", Permissions: []string{"GET"} }
etag	string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)

Responses

Request samples

Payload

Content type

application/json

{"access": {"subject": "string",
"permissions": ["string"
],
"metadata": {"details": {"name": "string",
"description": "string"
},
"rules": [{"types": [{"apiGroup": "string",
"kinds": ["string"
]
}
],
"permissions": ["INVALID"
]
}
]
}
},
"etag": "string"
}

Response samples

200
default

Content type

application/json

{ }

DeleteApprovedAccess deletes an entry from the approved list for the given resource.

path Parameters

organization required	string Organization name.
service required	string Service name.

Request Body schema: application/json
required

subject

required

string

Subject for which the access request is made.

Responses

Request samples

Payload

Content type

application/json

{"subject": "string"
}

Response samples

200
default

Content type

application/json

{ }

Approvals_QueryPolicies_variant_3

path Parameters

organization required	string Organization name.
service required	string Service name.

Request Body schema: application/json
required

includeDetails	boolean IncludeDetails indicates whether to include the details of the resources that are part of the policy. When set to true, the name and description of the resource are included in the response.
includePermissions	boolean IncludePermissions indicates whether to include the user level permissions on resources that are part of the policy. When set to true, the user level permissions are included in the response.
types required	Array of strings Type is the type of the resources to query for policies.

Responses

Request samples

Payload

Content type

application/json

{"includeDetails": true,
"includePermissions": true,
"types": ["string"
]
}

Response samples

200
default

Content type

application/json

{"policies": [{"etag": "string",
"mode": "UNRESTRICTED",
"resource": "string",
"requested": [{"subject": "string",
"permissions": ["string"
],
"metadata": {"details": {"name": "string",
"description": "string"
},
"rules": [{"types": [{"apiGroup": null,
"kinds": [ ]
}
],
"permissions": ["INVALID"
]
}
]
}
}
],
"approved": [{"subject": "string",
"permissions": ["string"
],
"metadata": {"details": {"name": "string",
"description": "string"
},
"rules": [{"types": [{"apiGroup": null,
"kinds": [ ]
}
],
"permissions": ["INVALID"
]
}
]
}
}
],
"metadata": {"details": {"name": "string",
"description": "string"
},
"rules": [{"types": [{"apiGroup": "string",
"kinds": ["string"
]
}
],
"permissions": ["INVALID"
]
}
]
}
}
]
}

AddAccessRequest adds a new access request entry in the access request list for the given resource. If the policy approval mode is "ALLOW_REQUESTED", access is allowed immediately. If the policy approval mode is "REQUIRE_APPROVAL" access will be pending until the request is approved.

path Parameters

organization required	string Organization name.
service required	string Service name.

Request Body schema: application/json
required

required	object (v2Access) Access is an access request for a subject with a set of permission. Example: Access { Subject: "organizations/demo/tenants/demo/applications/caller", Permissions: []string{"GET"} }
etag	string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)

Responses

Request samples

Payload

Content type

application/json

{"access": {"subject": "string",
"permissions": ["string"
],
"metadata": {"details": {"name": "string",
"description": "string"
},
"rules": [{"types": [{"apiGroup": "string",
"kinds": ["string"
]
}
],
"permissions": ["INVALID"
]
}
]
}
},
"etag": "string"
}

Response samples

200
default

Content type

application/json

{ }

ApproveAccessRequest approves an existing access request for the given resource. Once approved, the request will be removed from the requested list and added to the approved list. If any of the permissions are changed, the requested permissions will be discarded and only the approved permissions will be added to the approved list.

path Parameters

organization required	string Organization name.
service required	string Service name.

Request Body schema: application/json
required

required	object (v2Access) Access is an access request for a subject with a set of permission. Example: Access { Subject: "organizations/demo/tenants/demo/applications/caller", Permissions: []string{"GET"} }
etag	string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)

Responses

Request samples

Payload

Content type

application/json

{"access": {"subject": "string",
"permissions": ["string"
],
"metadata": {"details": {"name": "string",
"description": "string"
},
"rules": [{"types": [{"apiGroup": "string",
"kinds": ["string"
]
}
],
"permissions": ["INVALID"
]
}
]
}
},
"etag": "string"
}

Response samples

200
default

Content type

application/json

{ }

DeleteAccessRequest removes an existing entry from the access request list for the given resource. If the request is already approved, the request no longer exists and this operation will return NotFound. Deleting an approved request should be done using the DeleteApproved operation.

path Parameters

organization required	string Organization name.
service required	string Service name.

Request Body schema: application/json
required

subject

required

string

Subject for which the access request is made.

Responses

Request samples

Payload

Content type

application/json

{"subject": "string"
}

Response samples

200
default

Content type

application/json

{ }

GetPolicy returns the approval policy for the given resource.

path Parameters

organization required	string Organization name.
setting required	string Setting name.

Responses

Response samples

200
default

Content type

application/json

{"etag": "string",
"mode": "UNRESTRICTED",
"resource": "string",
"requested": [{"subject": "string",
"permissions": ["string"
],
"metadata": {"details": {"name": "string",
"description": "string"
},
"rules": [{"types": [{"apiGroup": "string",
"kinds": ["string"
]
}
],
"permissions": ["INVALID"
]
}
]
}
}
],
"approved": [{"subject": "string",
"permissions": ["string"
],
"metadata": {"details": {"name": "string",
"description": "string"
},
"rules": [{"types": [{"apiGroup": "string",
"kinds": ["string"
]
}
],
"permissions": ["INVALID"
]
}
]
}
}
],
"metadata": {"details": {"name": "string",
"description": "string"
},
"rules": [{"types": [{"apiGroup": "string",
"kinds": ["string"
]
}
],
"permissions": ["INVALID"
]
}
]
}
}

SetPolicy enables authorization policy checks for the given resource and applies any provided request or approval settings. If the resource has existing policies settings, they will be replaced. Once the policy is set, authorization checks will be performed for the given resource.

path Parameters

organization required	string Organization name.
setting required	string Setting name.

Request Body schema: application/json
required

	Array of objects (v2Access) Approved is a list of subjects that are approved to access the resource.
etag	string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)
	object (v2Metadata) Metadata includes additional information about an ApprovalPolicy or Access entity and their respective resources that they apply to.
mode required	string (ApprovalPolicyMode) Default: "UNRESTRICTED" Enum: "UNRESTRICTED" "ALLOW_REQUESTED" "REQUIRE_APPROVAL" UNRESTRICTED: Allows all subjects in the same policy class to access the resource. ALLOW_REQUESTED: Allows only the subjects in the request and approved list to access the resource. REQUIRE_APPROVAL: Allows only the subjects in the approved list to access the resource.
	Array of objects (v2Access) Requested is a list of subjects that are requested to access the resource but that have not yet been explicitly approved. The access mode of the policy will determine if the subjects in this list are given immediate access to the resource.

Responses

Request samples

Payload

Content type

application/json

{"approved": [{"subject": "string",
"permissions": ["string"
],
"metadata": {"details": {"name": "string",
"description": "string"
},
"rules": [{"types": [{"apiGroup": "string",
"kinds": ["string"
]
}
],
"permissions": ["INVALID"
]
}
]
}
}
],
"etag": "string",
"metadata": {"details": {"name": "string",
"description": "string"
},
"rules": [{"types": [{"apiGroup": "string",
"kinds": ["string"
]
}
],
"permissions": ["INVALID"
]
}
]
},
"mode": "UNRESTRICTED",
"requested": [{"subject": "string",
"permissions": ["string"
],
"metadata": {"details": {"name": "string",
"description": "string"
},
"rules": [{"types": [{"apiGroup": "string",
"kinds": ["string"
]
}
],
"permissions": ["INVALID"
]
}
]
}
}
]
}

Response samples

200
default

Content type

application/json

{ }

DeletePolicy deletes the approval policy configuration for the given resource. When deleted, authorization checks will no longer be performed, the resource will no longer accept approval requests and all existing approvals will be revoked.

path Parameters

organization required	string Organization name.
setting required	string Setting name.

Responses

Response samples

200
default

Content type

application/json

{ }

AddApprovedAccess adds a new entry in the approved access list for the given resource.

path Parameters

organization required	string Organization name.
setting required	string Setting name.

Request Body schema: application/json
required

required	object (v2Access) Access is an access request for a subject with a set of permission. Example: Access { Subject: "organizations/demo/tenants/demo/applications/caller", Permissions: []string{"GET"} }
etag	string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)

Responses

Request samples

Payload

Content type

application/json

{"access": {"subject": "string",
"permissions": ["string"
],
"metadata": {"details": {"name": "string",
"description": "string"
},
"rules": [{"types": [{"apiGroup": "string",
"kinds": ["string"
]
}
],
"permissions": ["INVALID"
]
}
]
}
},
"etag": "string"
}

Response samples

200
default

Content type

application/json

{ }

DeleteApprovedAccess deletes an entry from the approved list for the given resource.

path Parameters

organization required	string Organization name.
setting required	string Setting name.

Request Body schema: application/json
required

subject

required

string

Subject for which the access request is made.

Responses

Request samples

Payload

Content type

application/json

{"subject": "string"
}

Response samples

200
default

Content type

application/json

{ }

Approvals_QueryPolicies_variant_4

path Parameters

organization required	string Organization name.
setting required	string Setting name.

Request Body schema: application/json
required

includeDetails	boolean IncludeDetails indicates whether to include the details of the resources that are part of the policy. When set to true, the name and description of the resource are included in the response.
includePermissions	boolean IncludePermissions indicates whether to include the user level permissions on resources that are part of the policy. When set to true, the user level permissions are included in the response.
types required	Array of strings Type is the type of the resources to query for policies.

Responses

Request samples

Payload

Content type

application/json

{"includeDetails": true,
"includePermissions": true,
"types": ["string"
]
}

Response samples

200
default

Content type

application/json

{"policies": [{"etag": "string",
"mode": "UNRESTRICTED",
"resource": "string",
"requested": [{"subject": "string",
"permissions": ["string"
],
"metadata": {"details": {"name": "string",
"description": "string"
},
"rules": [{"types": [{"apiGroup": null,
"kinds": [ ]
}
],
"permissions": ["INVALID"
]
}
]
}
}
],
"approved": [{"subject": "string",
"permissions": ["string"
],
"metadata": {"details": {"name": "string",
"description": "string"
},
"rules": [{"types": [{"apiGroup": null,
"kinds": [ ]
}
],
"permissions": ["INVALID"
]
}
]
}
}
],
"metadata": {"details": {"name": "string",
"description": "string"
},
"rules": [{"types": [{"apiGroup": "string",
"kinds": ["string"
]
}
],
"permissions": ["INVALID"
]
}
]
}
}
]
}

AddAccessRequest adds a new access request entry in the access request list for the given resource. If the policy approval mode is "ALLOW_REQUESTED", access is allowed immediately. If the policy approval mode is "REQUIRE_APPROVAL" access will be pending until the request is approved.

path Parameters

organization required	string Organization name.
setting required	string Setting name.

Request Body schema: application/json
required

required	object (v2Access) Access is an access request for a subject with a set of permission. Example: Access { Subject: "organizations/demo/tenants/demo/applications/caller", Permissions: []string{"GET"} }
etag	string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)

Responses

Request samples

Payload

Content type

application/json

{"access": {"subject": "string",
"permissions": ["string"
],
"metadata": {"details": {"name": "string",
"description": "string"
},
"rules": [{"types": [{"apiGroup": "string",
"kinds": ["string"
]
}
],
"permissions": ["INVALID"
]
}
]
}
},
"etag": "string"
}

Response samples

200
default

Content type

application/json

{ }

ApproveAccessRequest approves an existing access request for the given resource. Once approved, the request will be removed from the requested list and added to the approved list. If any of the permissions are changed, the requested permissions will be discarded and only the approved permissions will be added to the approved list.

path Parameters

organization required	string Organization name.
setting required	string Setting name.

Request Body schema: application/json
required

required	object (v2Access) Access is an access request for a subject with a set of permission. Example: Access { Subject: "organizations/demo/tenants/demo/applications/caller", Permissions: []string{"GET"} }
etag	string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)

Responses

Request samples

Payload

Content type

application/json

{"access": {"subject": "string",
"permissions": ["string"
],
"metadata": {"details": {"name": "string",
"description": "string"
},
"rules": [{"types": [{"apiGroup": "string",
"kinds": ["string"
]
}
],
"permissions": ["INVALID"
]
}
]
}
},
"etag": "string"
}

Response samples

200
default

Content type

application/json

{ }

DeleteAccessRequest removes an existing entry from the access request list for the given resource. If the request is already approved, the request no longer exists and this operation will return NotFound. Deleting an approved request should be done using the DeleteApproved operation.

path Parameters

organization required	string Organization name.
setting required	string Setting name.

Request Body schema: application/json
required

subject

required

string

Subject for which the access request is made.

Responses

Request samples

Payload

Content type

application/json

{"subject": "string"
}

Response samples

200
default

Content type

application/json

{ }

GetPolicy returns the approval policy for the given resource.

path Parameters

organization required	string Organization name.
team required	string Team name.

Responses

Response samples

200
default

Content type

application/json

{"etag": "string",
"mode": "UNRESTRICTED",
"resource": "string",
"requested": [{"subject": "string",
"permissions": ["string"
],
"metadata": {"details": {"name": "string",
"description": "string"
},
"rules": [{"types": [{"apiGroup": "string",
"kinds": ["string"
]
}
],
"permissions": ["INVALID"
]
}
]
}
}
],
"approved": [{"subject": "string",
"permissions": ["string"
],
"metadata": {"details": {"name": "string",
"description": "string"
},
"rules": [{"types": [{"apiGroup": "string",
"kinds": ["string"
]
}
],
"permissions": ["INVALID"
]
}
]
}
}
],
"metadata": {"details": {"name": "string",
"description": "string"
},
"rules": [{"types": [{"apiGroup": "string",
"kinds": ["string"
]
}
],
"permissions": ["INVALID"
]
}
]
}
}

SetPolicy enables authorization policy checks for the given resource and applies any provided request or approval settings. If the resource has existing policies settings, they will be replaced. Once the policy is set, authorization checks will be performed for the given resource.

path Parameters

organization required	string Organization name.
team required	string Team name.

Request Body schema: application/json
required

	Array of objects (v2Access) Approved is a list of subjects that are approved to access the resource.
etag	string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)
	object (v2Metadata) Metadata includes additional information about an ApprovalPolicy or Access entity and their respective resources that they apply to.
mode required	string (ApprovalPolicyMode) Default: "UNRESTRICTED" Enum: "UNRESTRICTED" "ALLOW_REQUESTED" "REQUIRE_APPROVAL" UNRESTRICTED: Allows all subjects in the same policy class to access the resource. ALLOW_REQUESTED: Allows only the subjects in the request and approved list to access the resource. REQUIRE_APPROVAL: Allows only the subjects in the approved list to access the resource.
	Array of objects (v2Access) Requested is a list of subjects that are requested to access the resource but that have not yet been explicitly approved. The access mode of the policy will determine if the subjects in this list are given immediate access to the resource.

Responses

Request samples

Payload

Content type

application/json

{"approved": [{"subject": "string",
"permissions": ["string"
],
"metadata": {"details": {"name": "string",
"description": "string"
},
"rules": [{"types": [{"apiGroup": "string",
"kinds": ["string"
]
}
],
"permissions": ["INVALID"
]
}
]
}
}
],
"etag": "string",
"metadata": {"details": {"name": "string",
"description": "string"
},
"rules": [{"types": [{"apiGroup": "string",
"kinds": ["string"
]
}
],
"permissions": ["INVALID"
]
}
]
},
"mode": "UNRESTRICTED",
"requested": [{"subject": "string",
"permissions": ["string"
],
"metadata": {"details": {"name": "string",
"description": "string"
},
"rules": [{"types": [{"apiGroup": "string",
"kinds": ["string"
]
}
],
"permissions": ["INVALID"
]
}
]
}
}
]
}

Response samples

200
default

Content type

application/json

{ }

DeletePolicy deletes the approval policy configuration for the given resource. When deleted, authorization checks will no longer be performed, the resource will no longer accept approval requests and all existing approvals will be revoked.

path Parameters

organization required	string Organization name.
team required	string Team name.

Responses

Response samples

200
default

Content type

application/json

{ }

AddApprovedAccess adds a new entry in the approved access list for the given resource.

path Parameters

organization required	string Organization name.
team required	string Team name.

Request Body schema: application/json
required

required	object (v2Access) Access is an access request for a subject with a set of permission. Example: Access { Subject: "organizations/demo/tenants/demo/applications/caller", Permissions: []string{"GET"} }
etag	string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)

Responses

Request samples

Payload

Content type

application/json

{"access": {"subject": "string",
"permissions": ["string"
],
"metadata": {"details": {"name": "string",
"description": "string"
},
"rules": [{"types": [{"apiGroup": "string",
"kinds": ["string"
]
}
],
"permissions": ["INVALID"
]
}
]
}
},
"etag": "string"
}

Response samples

200
default

Content type

application/json

{ }

DeleteApprovedAccess deletes an entry from the approved list for the given resource.

path Parameters

organization required	string Organization name.
team required	string Team name.

Request Body schema: application/json
required

subject

required

string

Subject for which the access request is made.

Responses

Request samples

Payload

Content type

application/json

{"subject": "string"
}

Response samples

200
default

Content type

application/json

{ }

Approvals_QueryPolicies_variant_6

path Parameters

organization required	string Organization name.
team required	string Team name.

Request Body schema: application/json
required

includeDetails	boolean IncludeDetails indicates whether to include the details of the resources that are part of the policy. When set to true, the name and description of the resource are included in the response.
includePermissions	boolean IncludePermissions indicates whether to include the user level permissions on resources that are part of the policy. When set to true, the user level permissions are included in the response.
types required	Array of strings Type is the type of the resources to query for policies.

Responses

Request samples

Payload

Content type

application/json

{"includeDetails": true,
"includePermissions": true,
"types": ["string"
]
}

Response samples

200
default

Content type

application/json

{"policies": [{"etag": "string",
"mode": "UNRESTRICTED",
"resource": "string",
"requested": [{"subject": "string",
"permissions": ["string"
],
"metadata": {"details": {"name": "string",
"description": "string"
},
"rules": [{"types": [{"apiGroup": null,
"kinds": [ ]
}
],
"permissions": ["INVALID"
]
}
]
}
}
],
"approved": [{"subject": "string",
"permissions": ["string"
],
"metadata": {"details": {"name": "string",
"description": "string"
},
"rules": [{"types": [{"apiGroup": null,
"kinds": [ ]
}
],
"permissions": ["INVALID"
]
}
]
}
}
],
"metadata": {"details": {"name": "string",
"description": "string"
},
"rules": [{"types": [{"apiGroup": "string",
"kinds": ["string"
]
}
],
"permissions": ["INVALID"
]
}
]
}
}
]
}

AddAccessRequest adds a new access request entry in the access request list for the given resource. If the policy approval mode is "ALLOW_REQUESTED", access is allowed immediately. If the policy approval mode is "REQUIRE_APPROVAL" access will be pending until the request is approved.

path Parameters

organization required	string Organization name.
team required	string Team name.

Request Body schema: application/json
required

required	object (v2Access) Access is an access request for a subject with a set of permission. Example: Access { Subject: "organizations/demo/tenants/demo/applications/caller", Permissions: []string{"GET"} }
etag	string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)

Responses

Request samples

Payload

Content type

application/json

{"access": {"subject": "string",
"permissions": ["string"
],
"metadata": {"details": {"name": "string",
"description": "string"
},
"rules": [{"types": [{"apiGroup": "string",
"kinds": ["string"
]
}
],
"permissions": ["INVALID"
]
}
]
}
},
"etag": "string"
}

Response samples

200
default

Content type

application/json

{ }

ApproveAccessRequest approves an existing access request for the given resource. Once approved, the request will be removed from the requested list and added to the approved list. If any of the permissions are changed, the requested permissions will be discarded and only the approved permissions will be added to the approved list.

path Parameters

organization required	string Organization name.
team required	string Team name.

Request Body schema: application/json
required

required	object (v2Access) Access is an access request for a subject with a set of permission. Example: Access { Subject: "organizations/demo/tenants/demo/applications/caller", Permissions: []string{"GET"} }
etag	string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)

Responses

Request samples

Payload

Content type

application/json

{"access": {"subject": "string",
"permissions": ["string"
],
"metadata": {"details": {"name": "string",
"description": "string"
},
"rules": [{"types": [{"apiGroup": "string",
"kinds": ["string"
]
}
],
"permissions": ["INVALID"
]
}
]
}
},
"etag": "string"
}

Response samples

200
default

Content type

application/json

{ }

DeleteAccessRequest removes an existing entry from the access request list for the given resource. If the request is already approved, the request no longer exists and this operation will return NotFound. Deleting an approved request should be done using the DeleteApproved operation.

path Parameters

organization required	string Organization name.
team required	string Team name.

Request Body schema: application/json
required

subject

required

string

Subject for which the access request is made.

Responses

Request samples

Payload

Content type

application/json

{"subject": "string"
}

Response samples

200
default

Content type

application/json

{ }

GetPolicy returns the approval policy for the given resource.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
application required	string Application name.
api required	string Api name.

Responses

Response samples

200
default

Content type

application/json

{"etag": "string",
"mode": "UNRESTRICTED",
"resource": "string",
"requested": [{"subject": "string",
"permissions": ["string"
],
"metadata": {"details": {"name": "string",
"description": "string"
},
"rules": [{"types": [{"apiGroup": "string",
"kinds": ["string"
]
}
],
"permissions": ["INVALID"
]
}
]
}
}
],
"approved": [{"subject": "string",
"permissions": ["string"
],
"metadata": {"details": {"name": "string",
"description": "string"
},
"rules": [{"types": [{"apiGroup": "string",
"kinds": ["string"
]
}
],
"permissions": ["INVALID"
]
}
]
}
}
],
"metadata": {"details": {"name": "string",
"description": "string"
},
"rules": [{"types": [{"apiGroup": "string",
"kinds": ["string"
]
}
],
"permissions": ["INVALID"
]
}
]
}
}

SetPolicy enables authorization policy checks for the given resource and applies any provided request or approval settings. If the resource has existing policies settings, they will be replaced. Once the policy is set, authorization checks will be performed for the given resource.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
application required	string Application name.
api required	string Api name.

Request Body schema: application/json
required

	Array of objects (v2Access) Approved is a list of subjects that are approved to access the resource.
etag	string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)
	object (v2Metadata) Metadata includes additional information about an ApprovalPolicy or Access entity and their respective resources that they apply to.
mode required	string (ApprovalPolicyMode) Default: "UNRESTRICTED" Enum: "UNRESTRICTED" "ALLOW_REQUESTED" "REQUIRE_APPROVAL" UNRESTRICTED: Allows all subjects in the same policy class to access the resource. ALLOW_REQUESTED: Allows only the subjects in the request and approved list to access the resource. REQUIRE_APPROVAL: Allows only the subjects in the approved list to access the resource.
	Array of objects (v2Access) Requested is a list of subjects that are requested to access the resource but that have not yet been explicitly approved. The access mode of the policy will determine if the subjects in this list are given immediate access to the resource.

Responses

Request samples

Payload

Content type

application/json

{"approved": [{"subject": "string",
"permissions": ["string"
],
"metadata": {"details": {"name": "string",
"description": "string"
},
"rules": [{"types": [{"apiGroup": "string",
"kinds": ["string"
]
}
],
"permissions": ["INVALID"
]
}
]
}
}
],
"etag": "string",
"metadata": {"details": {"name": "string",
"description": "string"
},
"rules": [{"types": [{"apiGroup": "string",
"kinds": ["string"
]
}
],
"permissions": ["INVALID"
]
}
]
},
"mode": "UNRESTRICTED",
"requested": [{"subject": "string",
"permissions": ["string"
],
"metadata": {"details": {"name": "string",
"description": "string"
},
"rules": [{"types": [{"apiGroup": "string",
"kinds": ["string"
]
}
],
"permissions": ["INVALID"
]
}
]
}
}
]
}

Response samples

200
default

Content type

application/json

{ }

DeletePolicy deletes the approval policy configuration for the given resource. When deleted, authorization checks will no longer be performed, the resource will no longer accept approval requests and all existing approvals will be revoked.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
application required	string Application name.
api required	string Api name.

Responses

Response samples

200
default

Content type

application/json

{ }

AddApprovedAccess adds a new entry in the approved access list for the given resource.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
application required	string Application name.
api required	string Api name.

Request Body schema: application/json
required

required	object (v2Access) Access is an access request for a subject with a set of permission. Example: Access { Subject: "organizations/demo/tenants/demo/applications/caller", Permissions: []string{"GET"} }
etag	string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)

Responses

Request samples

Payload

Content type

application/json

{"access": {"subject": "string",
"permissions": ["string"
],
"metadata": {"details": {"name": "string",
"description": "string"
},
"rules": [{"types": [{"apiGroup": "string",
"kinds": ["string"
]
}
],
"permissions": ["INVALID"
]
}
]
}
},
"etag": "string"
}

Response samples

200
default

Content type

application/json

{ }

DeleteApprovedAccess deletes an entry from the approved list for the given resource.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
application required	string Application name.
api required	string Api name.

Request Body schema: application/json
required

subject

required

string

Subject for which the access request is made.

Responses

Request samples

Payload

Content type

application/json

{"subject": "string"
}

Response samples

200
default

Content type

application/json

{ }

Approvals_QueryPolicies_variant_10

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
application required	string Application name.
api required	string Api name.

Request Body schema: application/json
required

includeDetails	boolean IncludeDetails indicates whether to include the details of the resources that are part of the policy. When set to true, the name and description of the resource are included in the response.
includePermissions	boolean IncludePermissions indicates whether to include the user level permissions on resources that are part of the policy. When set to true, the user level permissions are included in the response.
types required	Array of strings Type is the type of the resources to query for policies.

Responses

Request samples

Payload

Content type

application/json

{"includeDetails": true,
"includePermissions": true,
"types": ["string"
]
}

Response samples

200
default

Content type

application/json

{"policies": [{"etag": "string",
"mode": "UNRESTRICTED",
"resource": "string",
"requested": [{"subject": "string",
"permissions": ["string"
],
"metadata": {"details": {"name": "string",
"description": "string"
},
"rules": [{"types": [{"apiGroup": null,
"kinds": [ ]
}
],
"permissions": ["INVALID"
]
}
]
}
}
],
"approved": [{"subject": "string",
"permissions": ["string"
],
"metadata": {"details": {"name": "string",
"description": "string"
},
"rules": [{"types": [{"apiGroup": null,
"kinds": [ ]
}
],
"permissions": ["INVALID"
]
}
]
}
}
],
"metadata": {"details": {"name": "string",
"description": "string"
},
"rules": [{"types": [{"apiGroup": "string",
"kinds": ["string"
]
}
],
"permissions": ["INVALID"
]
}
]
}
}
]
}

AddAccessRequest adds a new access request entry in the access request list for the given resource. If the policy approval mode is "ALLOW_REQUESTED", access is allowed immediately. If the policy approval mode is "REQUIRE_APPROVAL" access will be pending until the request is approved.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
application required	string Application name.
api required	string Api name.

Request Body schema: application/json
required

required	object (v2Access) Access is an access request for a subject with a set of permission. Example: Access { Subject: "organizations/demo/tenants/demo/applications/caller", Permissions: []string{"GET"} }
etag	string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)

Responses

Request samples

Payload

Content type

application/json

{"access": {"subject": "string",
"permissions": ["string"
],
"metadata": {"details": {"name": "string",
"description": "string"
},
"rules": [{"types": [{"apiGroup": "string",
"kinds": ["string"
]
}
],
"permissions": ["INVALID"
]
}
]
}
},
"etag": "string"
}

Response samples

200
default

Content type

application/json

{ }

ApproveAccessRequest approves an existing access request for the given resource. Once approved, the request will be removed from the requested list and added to the approved list. If any of the permissions are changed, the requested permissions will be discarded and only the approved permissions will be added to the approved list.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
application required	string Application name.
api required	string Api name.

Request Body schema: application/json
required

required	object (v2Access) Access is an access request for a subject with a set of permission. Example: Access { Subject: "organizations/demo/tenants/demo/applications/caller", Permissions: []string{"GET"} }
etag	string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)

Responses

Request samples

Payload

Content type

application/json

{"access": {"subject": "string",
"permissions": ["string"
],
"metadata": {"details": {"name": "string",
"description": "string"
},
"rules": [{"types": [{"apiGroup": "string",
"kinds": ["string"
]
}
],
"permissions": ["INVALID"
]
}
]
}
},
"etag": "string"
}

Response samples

200
default

Content type

application/json

{ }

DeleteAccessRequest removes an existing entry from the access request list for the given resource. If the request is already approved, the request no longer exists and this operation will return NotFound. Deleting an approved request should be done using the DeleteApproved operation.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
application required	string Application name.
api required	string Api name.

Request Body schema: application/json
required

subject

required

string

Subject for which the access request is made.

Responses

Request samples

Payload

Content type

application/json

{"subject": "string"
}

Response samples

200
default

Content type

application/json

{ }

GetPolicy returns the approval policy for the given resource.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
application required	string Application name.

Responses

Response samples

200
default

Content type

application/json

{"etag": "string",
"mode": "UNRESTRICTED",
"resource": "string",
"requested": [{"subject": "string",
"permissions": ["string"
],
"metadata": {"details": {"name": "string",
"description": "string"
},
"rules": [{"types": [{"apiGroup": "string",
"kinds": ["string"
]
}
],
"permissions": ["INVALID"
]
}
]
}
}
],
"approved": [{"subject": "string",
"permissions": ["string"
],
"metadata": {"details": {"name": "string",
"description": "string"
},
"rules": [{"types": [{"apiGroup": "string",
"kinds": ["string"
]
}
],
"permissions": ["INVALID"
]
}
]
}
}
],
"metadata": {"details": {"name": "string",
"description": "string"
},
"rules": [{"types": [{"apiGroup": "string",
"kinds": ["string"
]
}
],
"permissions": ["INVALID"
]
}
]
}
}

SetPolicy enables authorization policy checks for the given resource and applies any provided request or approval settings. If the resource has existing policies settings, they will be replaced. Once the policy is set, authorization checks will be performed for the given resource.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
application required	string Application name.

Request Body schema: application/json
required

	Array of objects (v2Access) Approved is a list of subjects that are approved to access the resource.
etag	string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)
	object (v2Metadata) Metadata includes additional information about an ApprovalPolicy or Access entity and their respective resources that they apply to.
mode required	string (ApprovalPolicyMode) Default: "UNRESTRICTED" Enum: "UNRESTRICTED" "ALLOW_REQUESTED" "REQUIRE_APPROVAL" UNRESTRICTED: Allows all subjects in the same policy class to access the resource. ALLOW_REQUESTED: Allows only the subjects in the request and approved list to access the resource. REQUIRE_APPROVAL: Allows only the subjects in the approved list to access the resource.
	Array of objects (v2Access) Requested is a list of subjects that are requested to access the resource but that have not yet been explicitly approved. The access mode of the policy will determine if the subjects in this list are given immediate access to the resource.

Responses

Request samples

Payload

Content type

application/json

{"approved": [{"subject": "string",
"permissions": ["string"
],
"metadata": {"details": {"name": "string",
"description": "string"
},
"rules": [{"types": [{"apiGroup": "string",
"kinds": ["string"
]
}
],
"permissions": ["INVALID"
]
}
]
}
}
],
"etag": "string",
"metadata": {"details": {"name": "string",
"description": "string"
},
"rules": [{"types": [{"apiGroup": "string",
"kinds": ["string"
]
}
],
"permissions": ["INVALID"
]
}
]
},
"mode": "UNRESTRICTED",
"requested": [{"subject": "string",
"permissions": ["string"
],
"metadata": {"details": {"name": "string",
"description": "string"
},
"rules": [{"types": [{"apiGroup": "string",
"kinds": ["string"
]
}
],
"permissions": ["INVALID"
]
}
]
}
}
]
}

Response samples

200
default

Content type

application/json

{ }

DeletePolicy deletes the approval policy configuration for the given resource. When deleted, authorization checks will no longer be performed, the resource will no longer accept approval requests and all existing approvals will be revoked.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
application required	string Application name.

Responses

Response samples

200
default

Content type

application/json

{ }

AddApprovedAccess adds a new entry in the approved access list for the given resource.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
application required	string Application name.

Request Body schema: application/json
required

required	object (v2Access) Access is an access request for a subject with a set of permission. Example: Access { Subject: "organizations/demo/tenants/demo/applications/caller", Permissions: []string{"GET"} }
etag	string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)

Responses

Request samples

Payload

Content type

application/json

{"access": {"subject": "string",
"permissions": ["string"
],
"metadata": {"details": {"name": "string",
"description": "string"
},
"rules": [{"types": [{"apiGroup": "string",
"kinds": ["string"
]
}
],
"permissions": ["INVALID"
]
}
]
}
},
"etag": "string"
}

Response samples

200
default

Content type

application/json

{ }

DeleteApprovedAccess deletes an entry from the approved list for the given resource.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
application required	string Application name.

Request Body schema: application/json
required

subject

required

string

Subject for which the access request is made.

Responses

Request samples

Payload

Content type

application/json

{"subject": "string"
}

Response samples

200
default

Content type

application/json

{ }

Approvals_QueryPolicies_variant_9

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
application required	string Application name.

Request Body schema: application/json
required

includeDetails	boolean IncludeDetails indicates whether to include the details of the resources that are part of the policy. When set to true, the name and description of the resource are included in the response.
includePermissions	boolean IncludePermissions indicates whether to include the user level permissions on resources that are part of the policy. When set to true, the user level permissions are included in the response.
types required	Array of strings Type is the type of the resources to query for policies.

Responses

Request samples

Payload

Content type

application/json

{"includeDetails": true,
"includePermissions": true,
"types": ["string"
]
}

Response samples

200
default

Content type

application/json

{"policies": [{"etag": "string",
"mode": "UNRESTRICTED",
"resource": "string",
"requested": [{"subject": "string",
"permissions": ["string"
],
"metadata": {"details": {"name": "string",
"description": "string"
},
"rules": [{"types": [{"apiGroup": null,
"kinds": [ ]
}
],
"permissions": ["INVALID"
]
}
]
}
}
],
"approved": [{"subject": "string",
"permissions": ["string"
],
"metadata": {"details": {"name": "string",
"description": "string"
},
"rules": [{"types": [{"apiGroup": null,
"kinds": [ ]
}
],
"permissions": ["INVALID"
]
}
]
}
}
],
"metadata": {"details": {"name": "string",
"description": "string"
},
"rules": [{"types": [{"apiGroup": "string",
"kinds": ["string"
]
}
],
"permissions": ["INVALID"
]
}
]
}
}
]
}

AddAccessRequest adds a new access request entry in the access request list for the given resource. If the policy approval mode is "ALLOW_REQUESTED", access is allowed immediately. If the policy approval mode is "REQUIRE_APPROVAL" access will be pending until the request is approved.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
application required	string Application name.

Request Body schema: application/json
required

required	object (v2Access) Access is an access request for a subject with a set of permission. Example: Access { Subject: "organizations/demo/tenants/demo/applications/caller", Permissions: []string{"GET"} }
etag	string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)

Responses

Request samples

Payload

Content type

application/json

{"access": {"subject": "string",
"permissions": ["string"
],
"metadata": {"details": {"name": "string",
"description": "string"
},
"rules": [{"types": [{"apiGroup": "string",
"kinds": ["string"
]
}
],
"permissions": ["INVALID"
]
}
]
}
},
"etag": "string"
}

Response samples

200
default

Content type

application/json

{ }

ApproveAccessRequest approves an existing access request for the given resource. Once approved, the request will be removed from the requested list and added to the approved list. If any of the permissions are changed, the requested permissions will be discarded and only the approved permissions will be added to the approved list.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
application required	string Application name.

Request Body schema: application/json
required

required	object (v2Access) Access is an access request for a subject with a set of permission. Example: Access { Subject: "organizations/demo/tenants/demo/applications/caller", Permissions: []string{"GET"} }
etag	string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)

Responses

Request samples

Payload

Content type

application/json

{"access": {"subject": "string",
"permissions": ["string"
],
"metadata": {"details": {"name": "string",
"description": "string"
},
"rules": [{"types": [{"apiGroup": "string",
"kinds": ["string"
]
}
],
"permissions": ["INVALID"
]
}
]
}
},
"etag": "string"
}

Response samples

200
default

Content type

application/json

{ }

DeleteAccessRequest removes an existing entry from the access request list for the given resource. If the request is already approved, the request no longer exists and this operation will return NotFound. Deleting an approved request should be done using the DeleteApproved operation.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
application required	string Application name.

Request Body schema: application/json
required

subject

required

string

Subject for which the access request is made.

Responses

Request samples

Payload

Content type

application/json

{"subject": "string"
}

Response samples

200
default

Content type

application/json

{ }

GetPolicy returns the approval policy for the given resource.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.

Responses

Response samples

200
default

Content type

application/json

{"etag": "string",
"mode": "UNRESTRICTED",
"resource": "string",
"requested": [{"subject": "string",
"permissions": ["string"
],
"metadata": {"details": {"name": "string",
"description": "string"
},
"rules": [{"types": [{"apiGroup": "string",
"kinds": ["string"
]
}
],
"permissions": ["INVALID"
]
}
]
}
}
],
"approved": [{"subject": "string",
"permissions": ["string"
],
"metadata": {"details": {"name": "string",
"description": "string"
},
"rules": [{"types": [{"apiGroup": "string",
"kinds": ["string"
]
}
],
"permissions": ["INVALID"
]
}
]
}
}
],
"metadata": {"details": {"name": "string",
"description": "string"
},
"rules": [{"types": [{"apiGroup": "string",
"kinds": ["string"
]
}
],
"permissions": ["INVALID"
]
}
]
}
}

SetPolicy enables authorization policy checks for the given resource and applies any provided request or approval settings. If the resource has existing policies settings, they will be replaced. Once the policy is set, authorization checks will be performed for the given resource.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.

Request Body schema: application/json
required

	Array of objects (v2Access) Approved is a list of subjects that are approved to access the resource.
etag	string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)
	object (v2Metadata) Metadata includes additional information about an ApprovalPolicy or Access entity and their respective resources that they apply to.
mode required	string (ApprovalPolicyMode) Default: "UNRESTRICTED" Enum: "UNRESTRICTED" "ALLOW_REQUESTED" "REQUIRE_APPROVAL" UNRESTRICTED: Allows all subjects in the same policy class to access the resource. ALLOW_REQUESTED: Allows only the subjects in the request and approved list to access the resource. REQUIRE_APPROVAL: Allows only the subjects in the approved list to access the resource.
	Array of objects (v2Access) Requested is a list of subjects that are requested to access the resource but that have not yet been explicitly approved. The access mode of the policy will determine if the subjects in this list are given immediate access to the resource.

Responses

Request samples

Payload

Content type

application/json

{"approved": [{"subject": "string",
"permissions": ["string"
],
"metadata": {"details": {"name": "string",
"description": "string"
},
"rules": [{"types": [{"apiGroup": "string",
"kinds": ["string"
]
}
],
"permissions": ["INVALID"
]
}
]
}
}
],
"etag": "string",
"metadata": {"details": {"name": "string",
"description": "string"
},
"rules": [{"types": [{"apiGroup": "string",
"kinds": ["string"
]
}
],
"permissions": ["INVALID"
]
}
]
},
"mode": "UNRESTRICTED",
"requested": [{"subject": "string",
"permissions": ["string"
],
"metadata": {"details": {"name": "string",
"description": "string"
},
"rules": [{"types": [{"apiGroup": "string",
"kinds": ["string"
]
}
],
"permissions": ["INVALID"
]
}
]
}
}
]
}

Response samples

200
default

Content type

application/json

{ }

DeletePolicy deletes the approval policy configuration for the given resource. When deleted, authorization checks will no longer be performed, the resource will no longer accept approval requests and all existing approvals will be revoked.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.

Responses

Response samples

200
default

Content type

application/json

{ }

AddApprovedAccess adds a new entry in the approved access list for the given resource.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.

Request Body schema: application/json
required

required	object (v2Access) Access is an access request for a subject with a set of permission. Example: Access { Subject: "organizations/demo/tenants/demo/applications/caller", Permissions: []string{"GET"} }
etag	string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)

Responses

Request samples

Payload

Content type

application/json

{"access": {"subject": "string",
"permissions": ["string"
],
"metadata": {"details": {"name": "string",
"description": "string"
},
"rules": [{"types": [{"apiGroup": "string",
"kinds": ["string"
]
}
],
"permissions": ["INVALID"
]
}
]
}
},
"etag": "string"
}

Response samples

200
default

Content type

application/json

{ }

DeleteApprovedAccess deletes an entry from the approved list for the given resource.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.

Request Body schema: application/json
required

subject

required

string

Subject for which the access request is made.

Responses

Request samples

Payload

Content type

application/json

{"subject": "string"
}

Response samples

200
default

Content type

application/json

{ }

Approvals_QueryPolicies_variant_8

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.

Request Body schema: application/json
required

includeDetails	boolean IncludeDetails indicates whether to include the details of the resources that are part of the policy. When set to true, the name and description of the resource are included in the response.
includePermissions	boolean IncludePermissions indicates whether to include the user level permissions on resources that are part of the policy. When set to true, the user level permissions are included in the response.
types required	Array of strings Type is the type of the resources to query for policies.

Responses

Request samples

Payload

Content type

application/json

{"includeDetails": true,
"includePermissions": true,
"types": ["string"
]
}

Response samples

200
default

Content type

application/json

{"policies": [{"etag": "string",
"mode": "UNRESTRICTED",
"resource": "string",
"requested": [{"subject": "string",
"permissions": ["string"
],
"metadata": {"details": {"name": "string",
"description": "string"
},
"rules": [{"types": [{"apiGroup": null,
"kinds": [ ]
}
],
"permissions": ["INVALID"
]
}
]
}
}
],
"approved": [{"subject": "string",
"permissions": ["string"
],
"metadata": {"details": {"name": "string",
"description": "string"
},
"rules": [{"types": [{"apiGroup": null,
"kinds": [ ]
}
],
"permissions": ["INVALID"
]
}
]
}
}
],
"metadata": {"details": {"name": "string",
"description": "string"
},
"rules": [{"types": [{"apiGroup": "string",
"kinds": ["string"
]
}
],
"permissions": ["INVALID"
]
}
]
}
}
]
}

AddAccessRequest adds a new access request entry in the access request list for the given resource. If the policy approval mode is "ALLOW_REQUESTED", access is allowed immediately. If the policy approval mode is "REQUIRE_APPROVAL" access will be pending until the request is approved.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.

Request Body schema: application/json
required

required	object (v2Access) Access is an access request for a subject with a set of permission. Example: Access { Subject: "organizations/demo/tenants/demo/applications/caller", Permissions: []string{"GET"} }
etag	string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)

Responses

Request samples

Payload

Content type

application/json

{"access": {"subject": "string",
"permissions": ["string"
],
"metadata": {"details": {"name": "string",
"description": "string"
},
"rules": [{"types": [{"apiGroup": "string",
"kinds": ["string"
]
}
],
"permissions": ["INVALID"
]
}
]
}
},
"etag": "string"
}

Response samples

200
default

Content type

application/json

{ }

ApproveAccessRequest approves an existing access request for the given resource. Once approved, the request will be removed from the requested list and added to the approved list. If any of the permissions are changed, the requested permissions will be discarded and only the approved permissions will be added to the approved list.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.

Request Body schema: application/json
required

required	object (v2Access) Access is an access request for a subject with a set of permission. Example: Access { Subject: "organizations/demo/tenants/demo/applications/caller", Permissions: []string{"GET"} }
etag	string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)

Responses

Request samples

Payload

Content type

application/json

{"access": {"subject": "string",
"permissions": ["string"
],
"metadata": {"details": {"name": "string",
"description": "string"
},
"rules": [{"types": [{"apiGroup": "string",
"kinds": ["string"
]
}
],
"permissions": ["INVALID"
]
}
]
}
},
"etag": "string"
}

Response samples

200
default

Content type

application/json

{ }

DeleteAccessRequest removes an existing entry from the access request list for the given resource. If the request is already approved, the request no longer exists and this operation will return NotFound. Deleting an approved request should be done using the DeleteApproved operation.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.

Request Body schema: application/json
required

subject

required

string

Subject for which the access request is made.

Responses

Request samples

Payload

Content type

application/json

{"subject": "string"
}

Response samples

200
default

Content type

application/json

{ }

GetPolicy returns the approval policy for the given resource.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
setting required	string Setting name.

Responses

Response samples

200
default

Content type

application/json

{"etag": "string",
"mode": "UNRESTRICTED",
"resource": "string",
"requested": [{"subject": "string",
"permissions": ["string"
],
"metadata": {"details": {"name": "string",
"description": "string"
},
"rules": [{"types": [{"apiGroup": "string",
"kinds": ["string"
]
}
],
"permissions": ["INVALID"
]
}
]
}
}
],
"approved": [{"subject": "string",
"permissions": ["string"
],
"metadata": {"details": {"name": "string",
"description": "string"
},
"rules": [{"types": [{"apiGroup": "string",
"kinds": ["string"
]
}
],
"permissions": ["INVALID"
]
}
]
}
}
],
"metadata": {"details": {"name": "string",
"description": "string"
},
"rules": [{"types": [{"apiGroup": "string",
"kinds": ["string"
]
}
],
"permissions": ["INVALID"
]
}
]
}
}

SetPolicy enables authorization policy checks for the given resource and applies any provided request or approval settings. If the resource has existing policies settings, they will be replaced. Once the policy is set, authorization checks will be performed for the given resource.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
setting required	string Setting name.

Request Body schema: application/json
required

	Array of objects (v2Access) Approved is a list of subjects that are approved to access the resource.
etag	string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)
	object (v2Metadata) Metadata includes additional information about an ApprovalPolicy or Access entity and their respective resources that they apply to.
mode required	string (ApprovalPolicyMode) Default: "UNRESTRICTED" Enum: "UNRESTRICTED" "ALLOW_REQUESTED" "REQUIRE_APPROVAL" UNRESTRICTED: Allows all subjects in the same policy class to access the resource. ALLOW_REQUESTED: Allows only the subjects in the request and approved list to access the resource. REQUIRE_APPROVAL: Allows only the subjects in the approved list to access the resource.
	Array of objects (v2Access) Requested is a list of subjects that are requested to access the resource but that have not yet been explicitly approved. The access mode of the policy will determine if the subjects in this list are given immediate access to the resource.

Responses

Request samples

Payload

Content type

application/json

{"approved": [{"subject": "string",
"permissions": ["string"
],
"metadata": {"details": {"name": "string",
"description": "string"
},
"rules": [{"types": [{"apiGroup": "string",
"kinds": ["string"
]
}
],
"permissions": ["INVALID"
]
}
]
}
}
],
"etag": "string",
"metadata": {"details": {"name": "string",
"description": "string"
},
"rules": [{"types": [{"apiGroup": "string",
"kinds": ["string"
]
}
],
"permissions": ["INVALID"
]
}
]
},
"mode": "UNRESTRICTED",
"requested": [{"subject": "string",
"permissions": ["string"
],
"metadata": {"details": {"name": "string",
"description": "string"
},
"rules": [{"types": [{"apiGroup": "string",
"kinds": ["string"
]
}
],
"permissions": ["INVALID"
]
}
]
}
}
]
}

Response samples

200
default

Content type

application/json

{ }

DeletePolicy deletes the approval policy configuration for the given resource. When deleted, authorization checks will no longer be performed, the resource will no longer accept approval requests and all existing approvals will be revoked.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
setting required	string Setting name.

Responses

Response samples

200
default

Content type

application/json

{ }

AddApprovedAccess adds a new entry in the approved access list for the given resource.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
setting required	string Setting name.

Request Body schema: application/json
required

required	object (v2Access) Access is an access request for a subject with a set of permission. Example: Access { Subject: "organizations/demo/tenants/demo/applications/caller", Permissions: []string{"GET"} }
etag	string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)

Responses

Request samples

Payload

Content type

application/json

{"access": {"subject": "string",
"permissions": ["string"
],
"metadata": {"details": {"name": "string",
"description": "string"
},
"rules": [{"types": [{"apiGroup": "string",
"kinds": ["string"
]
}
],
"permissions": ["INVALID"
]
}
]
}
},
"etag": "string"
}

Response samples

200
default

Content type

application/json

{ }

DeleteApprovedAccess deletes an entry from the approved list for the given resource.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
setting required	string Setting name.

Request Body schema: application/json
required

subject

required

string

Subject for which the access request is made.

Responses

Request samples

Payload

Content type

application/json

{"subject": "string"
}

Response samples

200
default

Content type

application/json

{ }

Approvals_QueryPolicies_variant_11

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
setting required	string Setting name.

Request Body schema: application/json
required

includeDetails	boolean IncludeDetails indicates whether to include the details of the resources that are part of the policy. When set to true, the name and description of the resource are included in the response.
includePermissions	boolean IncludePermissions indicates whether to include the user level permissions on resources that are part of the policy. When set to true, the user level permissions are included in the response.
types required	Array of strings Type is the type of the resources to query for policies.

Responses

Request samples

Payload

Content type

application/json

{"includeDetails": true,
"includePermissions": true,
"types": ["string"
]
}

Response samples

200
default

Content type

application/json

{"policies": [{"etag": "string",
"mode": "UNRESTRICTED",
"resource": "string",
"requested": [{"subject": "string",
"permissions": ["string"
],
"metadata": {"details": {"name": "string",
"description": "string"
},
"rules": [{"types": [{"apiGroup": null,
"kinds": [ ]
}
],
"permissions": ["INVALID"
]
}
]
}
}
],
"approved": [{"subject": "string",
"permissions": ["string"
],
"metadata": {"details": {"name": "string",
"description": "string"
},
"rules": [{"types": [{"apiGroup": null,
"kinds": [ ]
}
],
"permissions": ["INVALID"
]
}
]
}
}
],
"metadata": {"details": {"name": "string",
"description": "string"
},
"rules": [{"types": [{"apiGroup": "string",
"kinds": ["string"
]
}
],
"permissions": ["INVALID"
]
}
]
}
}
]
}

AddAccessRequest adds a new access request entry in the access request list for the given resource. If the policy approval mode is "ALLOW_REQUESTED", access is allowed immediately. If the policy approval mode is "REQUIRE_APPROVAL" access will be pending until the request is approved.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
setting required	string Setting name.

Request Body schema: application/json
required

required	object (v2Access) Access is an access request for a subject with a set of permission. Example: Access { Subject: "organizations/demo/tenants/demo/applications/caller", Permissions: []string{"GET"} }
etag	string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)

Responses

Request samples

Payload

Content type

application/json

{"access": {"subject": "string",
"permissions": ["string"
],
"metadata": {"details": {"name": "string",
"description": "string"
},
"rules": [{"types": [{"apiGroup": "string",
"kinds": ["string"
]
}
],
"permissions": ["INVALID"
]
}
]
}
},
"etag": "string"
}

Response samples

200
default

Content type

application/json

{ }

ApproveAccessRequest approves an existing access request for the given resource. Once approved, the request will be removed from the requested list and added to the approved list. If any of the permissions are changed, the requested permissions will be discarded and only the approved permissions will be added to the approved list.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
setting required	string Setting name.

Request Body schema: application/json
required

required	object (v2Access) Access is an access request for a subject with a set of permission. Example: Access { Subject: "organizations/demo/tenants/demo/applications/caller", Permissions: []string{"GET"} }
etag	string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)

Responses

Request samples

Payload

Content type

application/json

{"access": {"subject": "string",
"permissions": ["string"
],
"metadata": {"details": {"name": "string",
"description": "string"
},
"rules": [{"types": [{"apiGroup": "string",
"kinds": ["string"
]
}
],
"permissions": ["INVALID"
]
}
]
}
},
"etag": "string"
}

Response samples

200
default

Content type

application/json

{ }

DeleteAccessRequest removes an existing entry from the access request list for the given resource. If the request is already approved, the request no longer exists and this operation will return NotFound. Deleting an approved request should be done using the DeleteApproved operation.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
setting required	string Setting name.

Request Body schema: application/json
required

subject

required

string

Subject for which the access request is made.

Responses

Request samples

Payload

Content type

application/json

{"subject": "string"
}

Response samples

200
default

Content type

application/json

{ }

GetPolicy returns the approval policy for the given resource.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
workspace required	string Workspace name.

Responses

Response samples

200
default

Content type

application/json

{"etag": "string",
"mode": "UNRESTRICTED",
"resource": "string",
"requested": [{"subject": "string",
"permissions": ["string"
],
"metadata": {"details": {"name": "string",
"description": "string"
},
"rules": [{"types": [{"apiGroup": "string",
"kinds": ["string"
]
}
],
"permissions": ["INVALID"
]
}
]
}
}
],
"approved": [{"subject": "string",
"permissions": ["string"
],
"metadata": {"details": {"name": "string",
"description": "string"
},
"rules": [{"types": [{"apiGroup": "string",
"kinds": ["string"
]
}
],
"permissions": ["INVALID"
]
}
]
}
}
],
"metadata": {"details": {"name": "string",
"description": "string"
},
"rules": [{"types": [{"apiGroup": "string",
"kinds": ["string"
]
}
],
"permissions": ["INVALID"
]
}
]
}
}

SetPolicy enables authorization policy checks for the given resource and applies any provided request or approval settings. If the resource has existing policies settings, they will be replaced. Once the policy is set, authorization checks will be performed for the given resource.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
workspace required	string Workspace name.

Request Body schema: application/json
required

	Array of objects (v2Access) Approved is a list of subjects that are approved to access the resource.
etag	string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)
	object (v2Metadata) Metadata includes additional information about an ApprovalPolicy or Access entity and their respective resources that they apply to.
mode required	string (ApprovalPolicyMode) Default: "UNRESTRICTED" Enum: "UNRESTRICTED" "ALLOW_REQUESTED" "REQUIRE_APPROVAL" UNRESTRICTED: Allows all subjects in the same policy class to access the resource. ALLOW_REQUESTED: Allows only the subjects in the request and approved list to access the resource. REQUIRE_APPROVAL: Allows only the subjects in the approved list to access the resource.
	Array of objects (v2Access) Requested is a list of subjects that are requested to access the resource but that have not yet been explicitly approved. The access mode of the policy will determine if the subjects in this list are given immediate access to the resource.

Responses

Request samples

Payload

Content type

application/json

{"approved": [{"subject": "string",
"permissions": ["string"
],
"metadata": {"details": {"name": "string",
"description": "string"
},
"rules": [{"types": [{"apiGroup": "string",
"kinds": ["string"
]
}
],
"permissions": ["INVALID"
]
}
]
}
}
],
"etag": "string",
"metadata": {"details": {"name": "string",
"description": "string"
},
"rules": [{"types": [{"apiGroup": "string",
"kinds": ["string"
]
}
],
"permissions": ["INVALID"
]
}
]
},
"mode": "UNRESTRICTED",
"requested": [{"subject": "string",
"permissions": ["string"
],
"metadata": {"details": {"name": "string",
"description": "string"
},
"rules": [{"types": [{"apiGroup": "string",
"kinds": ["string"
]
}
],
"permissions": ["INVALID"
]
}
]
}
}
]
}

Response samples

200
default

Content type

application/json

{ }

DeletePolicy deletes the approval policy configuration for the given resource. When deleted, authorization checks will no longer be performed, the resource will no longer accept approval requests and all existing approvals will be revoked.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
workspace required	string Workspace name.

Responses

Response samples

200
default

Content type

application/json

{ }

AddApprovedAccess adds a new entry in the approved access list for the given resource.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
workspace required	string Workspace name.

Request Body schema: application/json
required

required	object (v2Access) Access is an access request for a subject with a set of permission. Example: Access { Subject: "organizations/demo/tenants/demo/applications/caller", Permissions: []string{"GET"} }
etag	string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)

Responses

Request samples

Payload

Content type

application/json

{"access": {"subject": "string",
"permissions": ["string"
],
"metadata": {"details": {"name": "string",
"description": "string"
},
"rules": [{"types": [{"apiGroup": "string",
"kinds": ["string"
]
}
],
"permissions": ["INVALID"
]
}
]
}
},
"etag": "string"
}

Response samples

200
default

Content type

application/json

{ }

DeleteApprovedAccess deletes an entry from the approved list for the given resource.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
workspace required	string Workspace name.

Request Body schema: application/json
required

subject

required

string

Subject for which the access request is made.

Responses

Request samples

Payload

Content type

application/json

{"subject": "string"
}

Response samples

200
default

Content type

application/json

{ }

Approvals_QueryPolicies_variant_12

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
workspace required	string Workspace name.

Request Body schema: application/json
required

includeDetails	boolean IncludeDetails indicates whether to include the details of the resources that are part of the policy. When set to true, the name and description of the resource are included in the response.
includePermissions	boolean IncludePermissions indicates whether to include the user level permissions on resources that are part of the policy. When set to true, the user level permissions are included in the response.
types required	Array of strings Type is the type of the resources to query for policies.

Responses

Request samples

Payload

Content type

application/json

{"includeDetails": true,
"includePermissions": true,
"types": ["string"
]
}

Response samples

200
default

Content type

application/json

{"policies": [{"etag": "string",
"mode": "UNRESTRICTED",
"resource": "string",
"requested": [{"subject": "string",
"permissions": ["string"
],
"metadata": {"details": {"name": "string",
"description": "string"
},
"rules": [{"types": [{"apiGroup": null,
"kinds": [ ]
}
],
"permissions": ["INVALID"
]
}
]
}
}
],
"approved": [{"subject": "string",
"permissions": ["string"
],
"metadata": {"details": {"name": "string",
"description": "string"
},
"rules": [{"types": [{"apiGroup": null,
"kinds": [ ]
}
],
"permissions": ["INVALID"
]
}
]
}
}
],
"metadata": {"details": {"name": "string",
"description": "string"
},
"rules": [{"types": [{"apiGroup": "string",
"kinds": ["string"
]
}
],
"permissions": ["INVALID"
]
}
]
}
}
]
}

AddAccessRequest adds a new access request entry in the access request list for the given resource. If the policy approval mode is "ALLOW_REQUESTED", access is allowed immediately. If the policy approval mode is "REQUIRE_APPROVAL" access will be pending until the request is approved.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
workspace required	string Workspace name.

Request Body schema: application/json
required

required	object (v2Access) Access is an access request for a subject with a set of permission. Example: Access { Subject: "organizations/demo/tenants/demo/applications/caller", Permissions: []string{"GET"} }
etag	string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)

Responses

Request samples

Payload

Content type

application/json

{"access": {"subject": "string",
"permissions": ["string"
],
"metadata": {"details": {"name": "string",
"description": "string"
},
"rules": [{"types": [{"apiGroup": "string",
"kinds": ["string"
]
}
],
"permissions": ["INVALID"
]
}
]
}
},
"etag": "string"
}

Response samples

200
default

Content type

application/json

{ }

ApproveAccessRequest approves an existing access request for the given resource. Once approved, the request will be removed from the requested list and added to the approved list. If any of the permissions are changed, the requested permissions will be discarded and only the approved permissions will be added to the approved list.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
workspace required	string Workspace name.

Request Body schema: application/json
required

required	object (v2Access) Access is an access request for a subject with a set of permission. Example: Access { Subject: "organizations/demo/tenants/demo/applications/caller", Permissions: []string{"GET"} }
etag	string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)

Responses

Request samples

Payload

Content type

application/json

{"access": {"subject": "string",
"permissions": ["string"
],
"metadata": {"details": {"name": "string",
"description": "string"
},
"rules": [{"types": [{"apiGroup": "string",
"kinds": ["string"
]
}
],
"permissions": ["INVALID"
]
}
]
}
},
"etag": "string"
}

Response samples

200
default

Content type

application/json

{ }

DeleteAccessRequest removes an existing entry from the access request list for the given resource. If the request is already approved, the request no longer exists and this operation will return NotFound. Deleting an approved request should be done using the DeleteApproved operation.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
workspace required	string Workspace name.

Request Body schema: application/json
required

subject

required

string

Subject for which the access request is made.

Responses

Request samples

Payload

Content type

application/json

{"subject": "string"
}

Response samples

200
default

Content type

application/json

{ }

GetPolicy returns the approval policy for the given resource.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
workspace required	string Workspace name.
gatewaygroup required	string Gatewaygroup name.

Responses

Response samples

200
default

Content type

application/json

{"etag": "string",
"mode": "UNRESTRICTED",
"resource": "string",
"requested": [{"subject": "string",
"permissions": ["string"
],
"metadata": {"details": {"name": "string",
"description": "string"
},
"rules": [{"types": [{"apiGroup": "string",
"kinds": ["string"
]
}
],
"permissions": ["INVALID"
]
}
]
}
}
],
"approved": [{"subject": "string",
"permissions": ["string"
],
"metadata": {"details": {"name": "string",
"description": "string"
},
"rules": [{"types": [{"apiGroup": "string",
"kinds": ["string"
]
}
],
"permissions": ["INVALID"
]
}
]
}
}
],
"metadata": {"details": {"name": "string",
"description": "string"
},
"rules": [{"types": [{"apiGroup": "string",
"kinds": ["string"
]
}
],
"permissions": ["INVALID"
]
}
]
}
}

SetPolicy enables authorization policy checks for the given resource and applies any provided request or approval settings. If the resource has existing policies settings, they will be replaced. Once the policy is set, authorization checks will be performed for the given resource.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
workspace required	string Workspace name.
gatewaygroup required	string Gatewaygroup name.

Request Body schema: application/json
required

	Array of objects (v2Access) Approved is a list of subjects that are approved to access the resource.
etag	string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)
	object (v2Metadata) Metadata includes additional information about an ApprovalPolicy or Access entity and their respective resources that they apply to.
mode required	string (ApprovalPolicyMode) Default: "UNRESTRICTED" Enum: "UNRESTRICTED" "ALLOW_REQUESTED" "REQUIRE_APPROVAL" UNRESTRICTED: Allows all subjects in the same policy class to access the resource. ALLOW_REQUESTED: Allows only the subjects in the request and approved list to access the resource. REQUIRE_APPROVAL: Allows only the subjects in the approved list to access the resource.
	Array of objects (v2Access) Requested is a list of subjects that are requested to access the resource but that have not yet been explicitly approved. The access mode of the policy will determine if the subjects in this list are given immediate access to the resource.

Responses

Request samples

Payload

Content type

application/json

{"approved": [{"subject": "string",
"permissions": ["string"
],
"metadata": {"details": {"name": "string",
"description": "string"
},
"rules": [{"types": [{"apiGroup": "string",
"kinds": ["string"
]
}
],
"permissions": ["INVALID"
]
}
]
}
}
],
"etag": "string",
"metadata": {"details": {"name": "string",
"description": "string"
},
"rules": [{"types": [{"apiGroup": "string",
"kinds": ["string"
]
}
],
"permissions": ["INVALID"
]
}
]
},
"mode": "UNRESTRICTED",
"requested": [{"subject": "string",
"permissions": ["string"
],
"metadata": {"details": {"name": "string",
"description": "string"
},
"rules": [{"types": [{"apiGroup": "string",
"kinds": ["string"
]
}
],
"permissions": ["INVALID"
]
}
]
}
}
]
}

Response samples

200
default

Content type

application/json

{ }

DeletePolicy deletes the approval policy configuration for the given resource. When deleted, authorization checks will no longer be performed, the resource will no longer accept approval requests and all existing approvals will be revoked.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
workspace required	string Workspace name.
gatewaygroup required	string Gatewaygroup name.

Responses

Response samples

200
default

Content type

application/json

{ }

AddApprovedAccess adds a new entry in the approved access list for the given resource.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
workspace required	string Workspace name.
gatewaygroup required	string Gatewaygroup name.

Request Body schema: application/json
required

required	object (v2Access) Access is an access request for a subject with a set of permission. Example: Access { Subject: "organizations/demo/tenants/demo/applications/caller", Permissions: []string{"GET"} }
etag	string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)

Responses

Request samples

Payload

Content type

application/json

{"access": {"subject": "string",
"permissions": ["string"
],
"metadata": {"details": {"name": "string",
"description": "string"
},
"rules": [{"types": [{"apiGroup": "string",
"kinds": ["string"
]
}
],
"permissions": ["INVALID"
]
}
]
}
},
"etag": "string"
}

Response samples

200
default

Content type

application/json

{ }

DeleteApprovedAccess deletes an entry from the approved list for the given resource.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
workspace required	string Workspace name.
gatewaygroup required	string Gatewaygroup name.

Request Body schema: application/json
required

subject

required

string

Subject for which the access request is made.

Responses

Request samples

Payload

Content type

application/json

{"subject": "string"
}

Response samples

200
default

Content type

application/json

{ }

Approvals_QueryPolicies_variant_13

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
workspace required	string Workspace name.
gatewaygroup required	string Gatewaygroup name.

Request Body schema: application/json
required

includeDetails	boolean IncludeDetails indicates whether to include the details of the resources that are part of the policy. When set to true, the name and description of the resource are included in the response.
includePermissions	boolean IncludePermissions indicates whether to include the user level permissions on resources that are part of the policy. When set to true, the user level permissions are included in the response.
types required	Array of strings Type is the type of the resources to query for policies.

Responses

Request samples

Payload

Content type

application/json

{"includeDetails": true,
"includePermissions": true,
"types": ["string"
]
}

Response samples

200
default

Content type

application/json

{"policies": [{"etag": "string",
"mode": "UNRESTRICTED",
"resource": "string",
"requested": [{"subject": "string",
"permissions": ["string"
],
"metadata": {"details": {"name": "string",
"description": "string"
},
"rules": [{"types": [{"apiGroup": null,
"kinds": [ ]
}
],
"permissions": ["INVALID"
]
}
]
}
}
],
"approved": [{"subject": "string",
"permissions": ["string"
],
"metadata": {"details": {"name": "string",
"description": "string"
},
"rules": [{"types": [{"apiGroup": null,
"kinds": [ ]
}
],
"permissions": ["INVALID"
]
}
]
}
}
],
"metadata": {"details": {"name": "string",
"description": "string"
},
"rules": [{"types": [{"apiGroup": "string",
"kinds": ["string"
]
}
],
"permissions": ["INVALID"
]
}
]
}
}
]
}

AddAccessRequest adds a new access request entry in the access request list for the given resource. If the policy approval mode is "ALLOW_REQUESTED", access is allowed immediately. If the policy approval mode is "REQUIRE_APPROVAL" access will be pending until the request is approved.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
workspace required	string Workspace name.
gatewaygroup required	string Gatewaygroup name.

Request Body schema: application/json
required

required	object (v2Access) Access is an access request for a subject with a set of permission. Example: Access { Subject: "organizations/demo/tenants/demo/applications/caller", Permissions: []string{"GET"} }
etag	string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)

Responses

Request samples

Payload

Content type

application/json

{"access": {"subject": "string",
"permissions": ["string"
],
"metadata": {"details": {"name": "string",
"description": "string"
},
"rules": [{"types": [{"apiGroup": "string",
"kinds": ["string"
]
}
],
"permissions": ["INVALID"
]
}
]
}
},
"etag": "string"
}

Response samples

200
default

Content type

application/json

{ }

ApproveAccessRequest approves an existing access request for the given resource. Once approved, the request will be removed from the requested list and added to the approved list. If any of the permissions are changed, the requested permissions will be discarded and only the approved permissions will be added to the approved list.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
workspace required	string Workspace name.
gatewaygroup required	string Gatewaygroup name.

Request Body schema: application/json
required

required	object (v2Access) Access is an access request for a subject with a set of permission. Example: Access { Subject: "organizations/demo/tenants/demo/applications/caller", Permissions: []string{"GET"} }
etag	string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)

Responses

Request samples

Payload

Content type

application/json

{"access": {"subject": "string",
"permissions": ["string"
],
"metadata": {"details": {"name": "string",
"description": "string"
},
"rules": [{"types": [{"apiGroup": "string",
"kinds": ["string"
]
}
],
"permissions": ["INVALID"
]
}
]
}
},
"etag": "string"
}

Response samples

200
default

Content type

application/json

{ }

DeleteAccessRequest removes an existing entry from the access request list for the given resource. If the request is already approved, the request no longer exists and this operation will return NotFound. Deleting an approved request should be done using the DeleteApproved operation.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
workspace required	string Workspace name.
gatewaygroup required	string Gatewaygroup name.

Request Body schema: application/json
required

subject

required

string

Subject for which the access request is made.

Responses

Request samples

Payload

Content type

application/json

{"subject": "string"
}

Response samples

200
default

Content type

application/json

{ }

GetPolicy returns the approval policy for the given resource.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
workspace required	string Workspace name.
gatewaygroup required	string Gatewaygroup name.
egressgateway required	string Egressgateway name.

Responses

Response samples

200
default

Content type

application/json

{"etag": "string",
"mode": "UNRESTRICTED",
"resource": "string",
"requested": [{"subject": "string",
"permissions": ["string"
],
"metadata": {"details": {"name": "string",
"description": "string"
},
"rules": [{"types": [{"apiGroup": "string",
"kinds": ["string"
]
}
],
"permissions": ["INVALID"
]
}
]
}
}
],
"approved": [{"subject": "string",
"permissions": ["string"
],
"metadata": {"details": {"name": "string",
"description": "string"
},
"rules": [{"types": [{"apiGroup": "string",
"kinds": ["string"
]
}
],
"permissions": ["INVALID"
]
}
]
}
}
],
"metadata": {"details": {"name": "string",
"description": "string"
},
"rules": [{"types": [{"apiGroup": "string",
"kinds": ["string"
]
}
],
"permissions": ["INVALID"
]
}
]
}
}

SetPolicy enables authorization policy checks for the given resource and applies any provided request or approval settings. If the resource has existing policies settings, they will be replaced. Once the policy is set, authorization checks will be performed for the given resource.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
workspace required	string Workspace name.
gatewaygroup required	string Gatewaygroup name.
egressgateway required	string Egressgateway name.

Request Body schema: application/json
required

	Array of objects (v2Access) Approved is a list of subjects that are approved to access the resource.
etag	string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)
	object (v2Metadata) Metadata includes additional information about an ApprovalPolicy or Access entity and their respective resources that they apply to.
mode required	string (ApprovalPolicyMode) Default: "UNRESTRICTED" Enum: "UNRESTRICTED" "ALLOW_REQUESTED" "REQUIRE_APPROVAL" UNRESTRICTED: Allows all subjects in the same policy class to access the resource. ALLOW_REQUESTED: Allows only the subjects in the request and approved list to access the resource. REQUIRE_APPROVAL: Allows only the subjects in the approved list to access the resource.
	Array of objects (v2Access) Requested is a list of subjects that are requested to access the resource but that have not yet been explicitly approved. The access mode of the policy will determine if the subjects in this list are given immediate access to the resource.

Responses

Request samples

Payload

Content type

application/json

{"approved": [{"subject": "string",
"permissions": ["string"
],
"metadata": {"details": {"name": "string",
"description": "string"
},
"rules": [{"types": [{"apiGroup": "string",
"kinds": ["string"
]
}
],
"permissions": ["INVALID"
]
}
]
}
}
],
"etag": "string",
"metadata": {"details": {"name": "string",
"description": "string"
},
"rules": [{"types": [{"apiGroup": "string",
"kinds": ["string"
]
}
],
"permissions": ["INVALID"
]
}
]
},
"mode": "UNRESTRICTED",
"requested": [{"subject": "string",
"permissions": ["string"
],
"metadata": {"details": {"name": "string",
"description": "string"
},
"rules": [{"types": [{"apiGroup": "string",
"kinds": ["string"
]
}
],
"permissions": ["INVALID"
]
}
]
}
}
]
}

Response samples

200
default

Content type

application/json

{ }

DeletePolicy deletes the approval policy configuration for the given resource. When deleted, authorization checks will no longer be performed, the resource will no longer accept approval requests and all existing approvals will be revoked.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
workspace required	string Workspace name.
gatewaygroup required	string Gatewaygroup name.
egressgateway required	string Egressgateway name.

Responses

Response samples

200
default

Content type

application/json

{ }

AddApprovedAccess adds a new entry in the approved access list for the given resource.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
workspace required	string Workspace name.
gatewaygroup required	string Gatewaygroup name.
egressgateway required	string Egressgateway name.

Request Body schema: application/json
required

required	object (v2Access) Access is an access request for a subject with a set of permission. Example: Access { Subject: "organizations/demo/tenants/demo/applications/caller", Permissions: []string{"GET"} }
etag	string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)

Responses

Request samples

Payload

Content type

application/json

{"access": {"subject": "string",
"permissions": ["string"
],
"metadata": {"details": {"name": "string",
"description": "string"
},
"rules": [{"types": [{"apiGroup": "string",
"kinds": ["string"
]
}
],
"permissions": ["INVALID"
]
}
]
}
},
"etag": "string"
}

Response samples

200
default

Content type

application/json

{ }

DeleteApprovedAccess deletes an entry from the approved list for the given resource.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
workspace required	string Workspace name.
gatewaygroup required	string Gatewaygroup name.
egressgateway required	string Egressgateway name.

Request Body schema: application/json
required

subject

required

string

Subject for which the access request is made.

Responses

Request samples

Payload

Content type

application/json

{"subject": "string"
}

Response samples

200
default

Content type

application/json

{ }

Approvals_QueryPolicies_variant_15

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
workspace required	string Workspace name.
gatewaygroup required	string Gatewaygroup name.
egressgateway required	string Egressgateway name.

Request Body schema: application/json
required

includeDetails	boolean IncludeDetails indicates whether to include the details of the resources that are part of the policy. When set to true, the name and description of the resource are included in the response.
includePermissions	boolean IncludePermissions indicates whether to include the user level permissions on resources that are part of the policy. When set to true, the user level permissions are included in the response.
types required	Array of strings Type is the type of the resources to query for policies.

Responses

Request samples

Payload

Content type

application/json

{"includeDetails": true,
"includePermissions": true,
"types": ["string"
]
}

Response samples

200
default

Content type

application/json

{"policies": [{"etag": "string",
"mode": "UNRESTRICTED",
"resource": "string",
"requested": [{"subject": "string",
"permissions": ["string"
],
"metadata": {"details": {"name": "string",
"description": "string"
},
"rules": [{"types": [{"apiGroup": null,
"kinds": [ ]
}
],
"permissions": ["INVALID"
]
}
]
}
}
],
"approved": [{"subject": "string",
"permissions": ["string"
],
"metadata": {"details": {"name": "string",
"description": "string"
},
"rules": [{"types": [{"apiGroup": null,
"kinds": [ ]
}
],
"permissions": ["INVALID"
]
}
]
}
}
],
"metadata": {"details": {"name": "string",
"description": "string"
},
"rules": [{"types": [{"apiGroup": "string",
"kinds": ["string"
]
}
],
"permissions": ["INVALID"
]
}
]
}
}
]
}

AddAccessRequest adds a new access request entry in the access request list for the given resource. If the policy approval mode is "ALLOW_REQUESTED", access is allowed immediately. If the policy approval mode is "REQUIRE_APPROVAL" access will be pending until the request is approved.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
workspace required	string Workspace name.
gatewaygroup required	string Gatewaygroup name.
egressgateway required	string Egressgateway name.

Request Body schema: application/json
required

required	object (v2Access) Access is an access request for a subject with a set of permission. Example: Access { Subject: "organizations/demo/tenants/demo/applications/caller", Permissions: []string{"GET"} }
etag	string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)

Responses

Request samples

Payload

Content type

application/json

{"access": {"subject": "string",
"permissions": ["string"
],
"metadata": {"details": {"name": "string",
"description": "string"
},
"rules": [{"types": [{"apiGroup": "string",
"kinds": ["string"
]
}
],
"permissions": ["INVALID"
]
}
]
}
},
"etag": "string"
}

Response samples

200
default

Content type

application/json

{ }

ApproveAccessRequest approves an existing access request for the given resource. Once approved, the request will be removed from the requested list and added to the approved list. If any of the permissions are changed, the requested permissions will be discarded and only the approved permissions will be added to the approved list.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
workspace required	string Workspace name.
gatewaygroup required	string Gatewaygroup name.
egressgateway required	string Egressgateway name.

Request Body schema: application/json
required

required	object (v2Access) Access is an access request for a subject with a set of permission. Example: Access { Subject: "organizations/demo/tenants/demo/applications/caller", Permissions: []string{"GET"} }
etag	string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)

Responses

Request samples

Payload

Content type

application/json

{"access": {"subject": "string",
"permissions": ["string"
],
"metadata": {"details": {"name": "string",
"description": "string"
},
"rules": [{"types": [{"apiGroup": "string",
"kinds": ["string"
]
}
],
"permissions": ["INVALID"
]
}
]
}
},
"etag": "string"
}

Response samples

200
default

Content type

application/json

{ }

DeleteAccessRequest removes an existing entry from the access request list for the given resource. If the request is already approved, the request no longer exists and this operation will return NotFound. Deleting an approved request should be done using the DeleteApproved operation.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
workspace required	string Workspace name.
gatewaygroup required	string Gatewaygroup name.
egressgateway required	string Egressgateway name.

Request Body schema: application/json
required

subject

required

string

Subject for which the access request is made.

Responses

Request samples

Payload

Content type

application/json

{"subject": "string"
}

Response samples

200
default

Content type

application/json

{ }

GetPolicy returns the approval policy for the given resource.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
workspace required	string Workspace name.
gatewaygroup required	string Gatewaygroup name.
ingressgateway required	string Ingressgateway name.

Responses

Response samples

200
default

Content type

application/json

{"etag": "string",
"mode": "UNRESTRICTED",
"resource": "string",
"requested": [{"subject": "string",
"permissions": ["string"
],
"metadata": {"details": {"name": "string",
"description": "string"
},
"rules": [{"types": [{"apiGroup": "string",
"kinds": ["string"
]
}
],
"permissions": ["INVALID"
]
}
]
}
}
],
"approved": [{"subject": "string",
"permissions": ["string"
],
"metadata": {"details": {"name": "string",
"description": "string"
},
"rules": [{"types": [{"apiGroup": "string",
"kinds": ["string"
]
}
],
"permissions": ["INVALID"
]
}
]
}
}
],
"metadata": {"details": {"name": "string",
"description": "string"
},
"rules": [{"types": [{"apiGroup": "string",
"kinds": ["string"
]
}
],
"permissions": ["INVALID"
]
}
]
}
}

SetPolicy enables authorization policy checks for the given resource and applies any provided request or approval settings. If the resource has existing policies settings, they will be replaced. Once the policy is set, authorization checks will be performed for the given resource.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
workspace required	string Workspace name.
gatewaygroup required	string Gatewaygroup name.
ingressgateway required	string Ingressgateway name.

Request Body schema: application/json
required

	Array of objects (v2Access) Approved is a list of subjects that are approved to access the resource.
etag	string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)
	object (v2Metadata) Metadata includes additional information about an ApprovalPolicy or Access entity and their respective resources that they apply to.
mode required	string (ApprovalPolicyMode) Default: "UNRESTRICTED" Enum: "UNRESTRICTED" "ALLOW_REQUESTED" "REQUIRE_APPROVAL" UNRESTRICTED: Allows all subjects in the same policy class to access the resource. ALLOW_REQUESTED: Allows only the subjects in the request and approved list to access the resource. REQUIRE_APPROVAL: Allows only the subjects in the approved list to access the resource.
	Array of objects (v2Access) Requested is a list of subjects that are requested to access the resource but that have not yet been explicitly approved. The access mode of the policy will determine if the subjects in this list are given immediate access to the resource.

Responses

Request samples

Payload

Content type

application/json

{"approved": [{"subject": "string",
"permissions": ["string"
],
"metadata": {"details": {"name": "string",
"description": "string"
},
"rules": [{"types": [{"apiGroup": "string",
"kinds": ["string"
]
}
],
"permissions": ["INVALID"
]
}
]
}
}
],
"etag": "string",
"metadata": {"details": {"name": "string",
"description": "string"
},
"rules": [{"types": [{"apiGroup": "string",
"kinds": ["string"
]
}
],
"permissions": ["INVALID"
]
}
]
},
"mode": "UNRESTRICTED",
"requested": [{"subject": "string",
"permissions": ["string"
],
"metadata": {"details": {"name": "string",
"description": "string"
},
"rules": [{"types": [{"apiGroup": "string",
"kinds": ["string"
]
}
],
"permissions": ["INVALID"
]
}
]
}
}
]
}

Response samples

200
default

Content type

application/json

{ }

DeletePolicy deletes the approval policy configuration for the given resource. When deleted, authorization checks will no longer be performed, the resource will no longer accept approval requests and all existing approvals will be revoked.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
workspace required	string Workspace name.
gatewaygroup required	string Gatewaygroup name.
ingressgateway required	string Ingressgateway name.

Responses

Response samples

200
default

Content type

application/json

{ }

AddApprovedAccess adds a new entry in the approved access list for the given resource.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
workspace required	string Workspace name.
gatewaygroup required	string Gatewaygroup name.
ingressgateway required	string Ingressgateway name.

Request Body schema: application/json
required

required	object (v2Access) Access is an access request for a subject with a set of permission. Example: Access { Subject: "organizations/demo/tenants/demo/applications/caller", Permissions: []string{"GET"} }
etag	string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)

Responses

Request samples

Payload

Content type

application/json

{"access": {"subject": "string",
"permissions": ["string"
],
"metadata": {"details": {"name": "string",
"description": "string"
},
"rules": [{"types": [{"apiGroup": "string",
"kinds": ["string"
]
}
],
"permissions": ["INVALID"
]
}
]
}
},
"etag": "string"
}

Response samples

200
default

Content type

application/json

{ }

DeleteApprovedAccess deletes an entry from the approved list for the given resource.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
workspace required	string Workspace name.
gatewaygroup required	string Gatewaygroup name.
ingressgateway required	string Ingressgateway name.

Request Body schema: application/json
required

subject

required

string

Subject for which the access request is made.

Responses

Request samples

Payload

Content type

application/json

{"subject": "string"
}

Response samples

200
default

Content type

application/json

{ }

Approvals_QueryPolicies_variant_14

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
workspace required	string Workspace name.
gatewaygroup required	string Gatewaygroup name.
ingressgateway required	string Ingressgateway name.

Request Body schema: application/json
required

includeDetails	boolean IncludeDetails indicates whether to include the details of the resources that are part of the policy. When set to true, the name and description of the resource are included in the response.
includePermissions	boolean IncludePermissions indicates whether to include the user level permissions on resources that are part of the policy. When set to true, the user level permissions are included in the response.
types required	Array of strings Type is the type of the resources to query for policies.

Responses

Request samples

Payload

Content type

application/json

{"includeDetails": true,
"includePermissions": true,
"types": ["string"
]
}

Response samples

200
default

Content type

application/json

{"policies": [{"etag": "string",
"mode": "UNRESTRICTED",
"resource": "string",
"requested": [{"subject": "string",
"permissions": ["string"
],
"metadata": {"details": {"name": "string",
"description": "string"
},
"rules": [{"types": [{"apiGroup": null,
"kinds": [ ]
}
],
"permissions": ["INVALID"
]
}
]
}
}
],
"approved": [{"subject": "string",
"permissions": ["string"
],
"metadata": {"details": {"name": "string",
"description": "string"
},
"rules": [{"types": [{"apiGroup": null,
"kinds": [ ]
}
],
"permissions": ["INVALID"
]
}
]
}
}
],
"metadata": {"details": {"name": "string",
"description": "string"
},
"rules": [{"types": [{"apiGroup": "string",
"kinds": ["string"
]
}
],
"permissions": ["INVALID"
]
}
]
}
}
]
}

AddAccessRequest adds a new access request entry in the access request list for the given resource. If the policy approval mode is "ALLOW_REQUESTED", access is allowed immediately. If the policy approval mode is "REQUIRE_APPROVAL" access will be pending until the request is approved.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
workspace required	string Workspace name.
gatewaygroup required	string Gatewaygroup name.
ingressgateway required	string Ingressgateway name.

Request Body schema: application/json
required

required	object (v2Access) Access is an access request for a subject with a set of permission. Example: Access { Subject: "organizations/demo/tenants/demo/applications/caller", Permissions: []string{"GET"} }
etag	string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)

Responses

Request samples

Payload

Content type

application/json

{"access": {"subject": "string",
"permissions": ["string"
],
"metadata": {"details": {"name": "string",
"description": "string"
},
"rules": [{"types": [{"apiGroup": "string",
"kinds": ["string"
]
}
],
"permissions": ["INVALID"
]
}
]
}
},
"etag": "string"
}

Response samples

200
default

Content type

application/json

{ }

ApproveAccessRequest approves an existing access request for the given resource. Once approved, the request will be removed from the requested list and added to the approved list. If any of the permissions are changed, the requested permissions will be discarded and only the approved permissions will be added to the approved list.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
workspace required	string Workspace name.
gatewaygroup required	string Gatewaygroup name.
ingressgateway required	string Ingressgateway name.

Request Body schema: application/json
required

required	object (v2Access) Access is an access request for a subject with a set of permission. Example: Access { Subject: "organizations/demo/tenants/demo/applications/caller", Permissions: []string{"GET"} }
etag	string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)

Responses

Request samples

Payload

Content type

application/json

{"access": {"subject": "string",
"permissions": ["string"
],
"metadata": {"details": {"name": "string",
"description": "string"
},
"rules": [{"types": [{"apiGroup": "string",
"kinds": ["string"
]
}
],
"permissions": ["INVALID"
]
}
]
}
},
"etag": "string"
}

Response samples

200
default

Content type

application/json

{ }

DeleteAccessRequest removes an existing entry from the access request list for the given resource. If the request is already approved, the request no longer exists and this operation will return NotFound. Deleting an approved request should be done using the DeleteApproved operation.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
workspace required	string Workspace name.
gatewaygroup required	string Gatewaygroup name.
ingressgateway required	string Ingressgateway name.

Request Body schema: application/json
required

subject

required

string

Subject for which the access request is made.

Responses

Request samples

Payload

Content type

application/json

{"subject": "string"
}

Response samples

200
default

Content type

application/json

{ }

GetPolicy returns the approval policy for the given resource.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
workspace required	string Workspace name.
gatewaygroup required	string Gatewaygroup name.
tier1gateway required	string Tier1gateway name.

Responses

Response samples

200
default

Content type

application/json

{"etag": "string",
"mode": "UNRESTRICTED",
"resource": "string",
"requested": [{"subject": "string",
"permissions": ["string"
],
"metadata": {"details": {"name": "string",
"description": "string"
},
"rules": [{"types": [{"apiGroup": "string",
"kinds": ["string"
]
}
],
"permissions": ["INVALID"
]
}
]
}
}
],
"approved": [{"subject": "string",
"permissions": ["string"
],
"metadata": {"details": {"name": "string",
"description": "string"
},
"rules": [{"types": [{"apiGroup": "string",
"kinds": ["string"
]
}
],
"permissions": ["INVALID"
]
}
]
}
}
],
"metadata": {"details": {"name": "string",
"description": "string"
},
"rules": [{"types": [{"apiGroup": "string",
"kinds": ["string"
]
}
],
"permissions": ["INVALID"
]
}
]
}
}

SetPolicy enables authorization policy checks for the given resource and applies any provided request or approval settings. If the resource has existing policies settings, they will be replaced. Once the policy is set, authorization checks will be performed for the given resource.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
workspace required	string Workspace name.
gatewaygroup required	string Gatewaygroup name.
tier1gateway required	string Tier1gateway name.

Request Body schema: application/json
required

	Array of objects (v2Access) Approved is a list of subjects that are approved to access the resource.
etag	string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)
	object (v2Metadata) Metadata includes additional information about an ApprovalPolicy or Access entity and their respective resources that they apply to.
mode required	string (ApprovalPolicyMode) Default: "UNRESTRICTED" Enum: "UNRESTRICTED" "ALLOW_REQUESTED" "REQUIRE_APPROVAL" UNRESTRICTED: Allows all subjects in the same policy class to access the resource. ALLOW_REQUESTED: Allows only the subjects in the request and approved list to access the resource. REQUIRE_APPROVAL: Allows only the subjects in the approved list to access the resource.
	Array of objects (v2Access) Requested is a list of subjects that are requested to access the resource but that have not yet been explicitly approved. The access mode of the policy will determine if the subjects in this list are given immediate access to the resource.

Responses

Request samples

Payload

Content type

application/json

{"approved": [{"subject": "string",
"permissions": ["string"
],
"metadata": {"details": {"name": "string",
"description": "string"
},
"rules": [{"types": [{"apiGroup": "string",
"kinds": ["string"
]
}
],
"permissions": ["INVALID"
]
}
]
}
}
],
"etag": "string",
"metadata": {"details": {"name": "string",
"description": "string"
},
"rules": [{"types": [{"apiGroup": "string",
"kinds": ["string"
]
}
],
"permissions": ["INVALID"
]
}
]
},
"mode": "UNRESTRICTED",
"requested": [{"subject": "string",
"permissions": ["string"
],
"metadata": {"details": {"name": "string",
"description": "string"
},
"rules": [{"types": [{"apiGroup": "string",
"kinds": ["string"
]
}
],
"permissions": ["INVALID"
]
}
]
}
}
]
}

Response samples

200
default

Content type

application/json

{ }

DeletePolicy deletes the approval policy configuration for the given resource. When deleted, authorization checks will no longer be performed, the resource will no longer accept approval requests and all existing approvals will be revoked.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
workspace required	string Workspace name.
gatewaygroup required	string Gatewaygroup name.
tier1gateway required	string Tier1gateway name.

Responses

Response samples

200
default

Content type

application/json

{ }

AddApprovedAccess adds a new entry in the approved access list for the given resource.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
workspace required	string Workspace name.
gatewaygroup required	string Gatewaygroup name.
tier1gateway required	string Tier1gateway name.

Request Body schema: application/json
required

required	object (v2Access) Access is an access request for a subject with a set of permission. Example: Access { Subject: "organizations/demo/tenants/demo/applications/caller", Permissions: []string{"GET"} }
etag	string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)

Responses

Request samples

Payload

Content type

application/json

{"access": {"subject": "string",
"permissions": ["string"
],
"metadata": {"details": {"name": "string",
"description": "string"
},
"rules": [{"types": [{"apiGroup": "string",
"kinds": ["string"
]
}
],
"permissions": ["INVALID"
]
}
]
}
},
"etag": "string"
}

Response samples

200
default

Content type

application/json

{ }

DeleteApprovedAccess deletes an entry from the approved list for the given resource.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
workspace required	string Workspace name.
gatewaygroup required	string Gatewaygroup name.
tier1gateway required	string Tier1gateway name.

Request Body schema: application/json
required

subject

required

string

Subject for which the access request is made.

Responses

Request samples

Payload

Content type

application/json

{"subject": "string"
}

Response samples

200
default

Content type

application/json

{ }

Approvals_QueryPolicies_variant_16

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
workspace required	string Workspace name.
gatewaygroup required	string Gatewaygroup name.
tier1gateway required	string Tier1gateway name.

Request Body schema: application/json
required

includeDetails	boolean IncludeDetails indicates whether to include the details of the resources that are part of the policy. When set to true, the name and description of the resource are included in the response.
includePermissions	boolean IncludePermissions indicates whether to include the user level permissions on resources that are part of the policy. When set to true, the user level permissions are included in the response.
types required	Array of strings Type is the type of the resources to query for policies.

Responses

Request samples

Payload

Content type

application/json

{"includeDetails": true,
"includePermissions": true,
"types": ["string"
]
}

Response samples

200
default

Content type

application/json

{"policies": [{"etag": "string",
"mode": "UNRESTRICTED",
"resource": "string",
"requested": [{"subject": "string",
"permissions": ["string"
],
"metadata": {"details": {"name": "string",
"description": "string"
},
"rules": [{"types": [{"apiGroup": null,
"kinds": [ ]
}
],
"permissions": ["INVALID"
]
}
]
}
}
],
"approved": [{"subject": "string",
"permissions": ["string"
],
"metadata": {"details": {"name": "string",
"description": "string"
},
"rules": [{"types": [{"apiGroup": null,
"kinds": [ ]
}
],
"permissions": ["INVALID"
]
}
]
}
}
],
"metadata": {"details": {"name": "string",
"description": "string"
},
"rules": [{"types": [{"apiGroup": "string",
"kinds": ["string"
]
}
],
"permissions": ["INVALID"
]
}
]
}
}
]
}

AddAccessRequest adds a new access request entry in the access request list for the given resource. If the policy approval mode is "ALLOW_REQUESTED", access is allowed immediately. If the policy approval mode is "REQUIRE_APPROVAL" access will be pending until the request is approved.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
workspace required	string Workspace name.
gatewaygroup required	string Gatewaygroup name.
tier1gateway required	string Tier1gateway name.

Request Body schema: application/json
required

required	object (v2Access) Access is an access request for a subject with a set of permission. Example: Access { Subject: "organizations/demo/tenants/demo/applications/caller", Permissions: []string{"GET"} }
etag	string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)

Responses

Request samples

Payload

Content type

application/json

{"access": {"subject": "string",
"permissions": ["string"
],
"metadata": {"details": {"name": "string",
"description": "string"
},
"rules": [{"types": [{"apiGroup": "string",
"kinds": ["string"
]
}
],
"permissions": ["INVALID"
]
}
]
}
},
"etag": "string"
}

Response samples

200
default

Content type

application/json

{ }

ApproveAccessRequest approves an existing access request for the given resource. Once approved, the request will be removed from the requested list and added to the approved list. If any of the permissions are changed, the requested permissions will be discarded and only the approved permissions will be added to the approved list.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
workspace required	string Workspace name.
gatewaygroup required	string Gatewaygroup name.
tier1gateway required	string Tier1gateway name.

Request Body schema: application/json
required

required	object (v2Access) Access is an access request for a subject with a set of permission. Example: Access { Subject: "organizations/demo/tenants/demo/applications/caller", Permissions: []string{"GET"} }
etag	string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)

Responses

Request samples

Payload

Content type

application/json

{"access": {"subject": "string",
"permissions": ["string"
],
"metadata": {"details": {"name": "string",
"description": "string"
},
"rules": [{"types": [{"apiGroup": "string",
"kinds": ["string"
]
}
],
"permissions": ["INVALID"
]
}
]
}
},
"etag": "string"
}

Response samples

200
default

Content type

application/json

{ }

DeleteAccessRequest removes an existing entry from the access request list for the given resource. If the request is already approved, the request no longer exists and this operation will return NotFound. Deleting an approved request should be done using the DeleteApproved operation.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
workspace required	string Workspace name.
gatewaygroup required	string Gatewaygroup name.
tier1gateway required	string Tier1gateway name.

Request Body schema: application/json
required

subject

required

string

Subject for which the access request is made.

Responses

Request samples

Payload

Content type

application/json

{"subject": "string"
}

Response samples

200
default

Content type

application/json

{ }

GetPolicy returns the approval policy for the given resource.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
workspace required	string Workspace name.
istiointernalgroup required	string Istiointernalgroup name.

Responses

Response samples

200
default

Content type

application/json

{"etag": "string",
"mode": "UNRESTRICTED",
"resource": "string",
"requested": [{"subject": "string",
"permissions": ["string"
],
"metadata": {"details": {"name": "string",
"description": "string"
},
"rules": [{"types": [{"apiGroup": "string",
"kinds": ["string"
]
}
],
"permissions": ["INVALID"
]
}
]
}
}
],
"approved": [{"subject": "string",
"permissions": ["string"
],
"metadata": {"details": {"name": "string",
"description": "string"
},
"rules": [{"types": [{"apiGroup": "string",
"kinds": ["string"
]
}
],
"permissions": ["INVALID"
]
}
]
}
}
],
"metadata": {"details": {"name": "string",
"description": "string"
},
"rules": [{"types": [{"apiGroup": "string",
"kinds": ["string"
]
}
],
"permissions": ["INVALID"
]
}
]
}
}

SetPolicy enables authorization policy checks for the given resource and applies any provided request or approval settings. If the resource has existing policies settings, they will be replaced. Once the policy is set, authorization checks will be performed for the given resource.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
workspace required	string Workspace name.
istiointernalgroup required	string Istiointernalgroup name.

Request Body schema: application/json
required

	Array of objects (v2Access) Approved is a list of subjects that are approved to access the resource.
etag	string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)
	object (v2Metadata) Metadata includes additional information about an ApprovalPolicy or Access entity and their respective resources that they apply to.
mode required	string (ApprovalPolicyMode) Default: "UNRESTRICTED" Enum: "UNRESTRICTED" "ALLOW_REQUESTED" "REQUIRE_APPROVAL" UNRESTRICTED: Allows all subjects in the same policy class to access the resource. ALLOW_REQUESTED: Allows only the subjects in the request and approved list to access the resource. REQUIRE_APPROVAL: Allows only the subjects in the approved list to access the resource.
	Array of objects (v2Access) Requested is a list of subjects that are requested to access the resource but that have not yet been explicitly approved. The access mode of the policy will determine if the subjects in this list are given immediate access to the resource.

Responses

Request samples

Payload

Content type

application/json

{"approved": [{"subject": "string",
"permissions": ["string"
],
"metadata": {"details": {"name": "string",
"description": "string"
},
"rules": [{"types": [{"apiGroup": "string",
"kinds": ["string"
]
}
],
"permissions": ["INVALID"
]
}
]
}
}
],
"etag": "string",
"metadata": {"details": {"name": "string",
"description": "string"
},
"rules": [{"types": [{"apiGroup": "string",
"kinds": ["string"
]
}
],
"permissions": ["INVALID"
]
}
]
},
"mode": "UNRESTRICTED",
"requested": [{"subject": "string",
"permissions": ["string"
],
"metadata": {"details": {"name": "string",
"description": "string"
},
"rules": [{"types": [{"apiGroup": "string",
"kinds": ["string"
]
}
],
"permissions": ["INVALID"
]
}
]
}
}
]
}

Response samples

200
default

Content type

application/json

{ }

DeletePolicy deletes the approval policy configuration for the given resource. When deleted, authorization checks will no longer be performed, the resource will no longer accept approval requests and all existing approvals will be revoked.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
workspace required	string Workspace name.
istiointernalgroup required	string Istiointernalgroup name.

Responses

Response samples

200
default

Content type

application/json

{ }

AddApprovedAccess adds a new entry in the approved access list for the given resource.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
workspace required	string Workspace name.
istiointernalgroup required	string Istiointernalgroup name.

Request Body schema: application/json
required

required	object (v2Access) Access is an access request for a subject with a set of permission. Example: Access { Subject: "organizations/demo/tenants/demo/applications/caller", Permissions: []string{"GET"} }
etag	string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)

Responses

Request samples

Payload

Content type

application/json

{"access": {"subject": "string",
"permissions": ["string"
],
"metadata": {"details": {"name": "string",
"description": "string"
},
"rules": [{"types": [{"apiGroup": "string",
"kinds": ["string"
]
}
],
"permissions": ["INVALID"
]
}
]
}
},
"etag": "string"
}

Response samples

200
default

Content type

application/json

{ }

DeleteApprovedAccess deletes an entry from the approved list for the given resource.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
workspace required	string Workspace name.
istiointernalgroup required	string Istiointernalgroup name.

Request Body schema: application/json
required

subject

required

string

Subject for which the access request is made.

Responses

Request samples

Payload

Content type

application/json

{"subject": "string"
}

Response samples

200
default

Content type

application/json

{ }

Approvals_QueryPolicies_variant_17

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
workspace required	string Workspace name.
istiointernalgroup required	string Istiointernalgroup name.

Request Body schema: application/json
required

includeDetails	boolean IncludeDetails indicates whether to include the details of the resources that are part of the policy. When set to true, the name and description of the resource are included in the response.
includePermissions	boolean IncludePermissions indicates whether to include the user level permissions on resources that are part of the policy. When set to true, the user level permissions are included in the response.
types required	Array of strings Type is the type of the resources to query for policies.

Responses

Request samples

Payload

Content type

application/json

{"includeDetails": true,
"includePermissions": true,
"types": ["string"
]
}

Response samples

200
default

Content type

application/json

{"policies": [{"etag": "string",
"mode": "UNRESTRICTED",
"resource": "string",
"requested": [{"subject": "string",
"permissions": ["string"
],
"metadata": {"details": {"name": "string",
"description": "string"
},
"rules": [{"types": [{"apiGroup": null,
"kinds": [ ]
}
],
"permissions": ["INVALID"
]
}
]
}
}
],
"approved": [{"subject": "string",
"permissions": ["string"
],
"metadata": {"details": {"name": "string",
"description": "string"
},
"rules": [{"types": [{"apiGroup": null,
"kinds": [ ]
}
],
"permissions": ["INVALID"
]
}
]
}
}
],
"metadata": {"details": {"name": "string",
"description": "string"
},
"rules": [{"types": [{"apiGroup": "string",
"kinds": ["string"
]
}
],
"permissions": ["INVALID"
]
}
]
}
}
]
}

AddAccessRequest adds a new access request entry in the access request list for the given resource. If the policy approval mode is "ALLOW_REQUESTED", access is allowed immediately. If the policy approval mode is "REQUIRE_APPROVAL" access will be pending until the request is approved.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
workspace required	string Workspace name.
istiointernalgroup required	string Istiointernalgroup name.

Request Body schema: application/json
required

required	object (v2Access) Access is an access request for a subject with a set of permission. Example: Access { Subject: "organizations/demo/tenants/demo/applications/caller", Permissions: []string{"GET"} }
etag	string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)

Responses

Request samples

Payload

Content type

application/json

{"access": {"subject": "string",
"permissions": ["string"
],
"metadata": {"details": {"name": "string",
"description": "string"
},
"rules": [{"types": [{"apiGroup": "string",
"kinds": ["string"
]
}
],
"permissions": ["INVALID"
]
}
]
}
},
"etag": "string"
}

Response samples

200
default

Content type

application/json

{ }

ApproveAccessRequest approves an existing access request for the given resource. Once approved, the request will be removed from the requested list and added to the approved list. If any of the permissions are changed, the requested permissions will be discarded and only the approved permissions will be added to the approved list.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
workspace required	string Workspace name.
istiointernalgroup required	string Istiointernalgroup name.

Request Body schema: application/json
required

required	object (v2Access) Access is an access request for a subject with a set of permission. Example: Access { Subject: "organizations/demo/tenants/demo/applications/caller", Permissions: []string{"GET"} }
etag	string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)

Responses

Request samples

Payload

Content type

application/json

{"access": {"subject": "string",
"permissions": ["string"
],
"metadata": {"details": {"name": "string",
"description": "string"
},
"rules": [{"types": [{"apiGroup": "string",
"kinds": ["string"
]
}
],
"permissions": ["INVALID"
]
}
]
}
},
"etag": "string"
}

Response samples

200
default

Content type

application/json

{ }

DeleteAccessRequest removes an existing entry from the access request list for the given resource. If the request is already approved, the request no longer exists and this operation will return NotFound. Deleting an approved request should be done using the DeleteApproved operation.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
workspace required	string Workspace name.
istiointernalgroup required	string Istiointernalgroup name.

Request Body schema: application/json
required

subject

required

string

Subject for which the access request is made.

Responses

Request samples

Payload

Content type

application/json

{"subject": "string"
}

Response samples

200
default

Content type

application/json

{ }

GetPolicy returns the approval policy for the given resource.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
workspace required	string Workspace name.
istiointernalgroup required	string Istiointernalgroup name.
setting required	string Setting name.

Responses

Response samples

200
default

Content type

application/json

{"etag": "string",
"mode": "UNRESTRICTED",
"resource": "string",
"requested": [{"subject": "string",
"permissions": ["string"
],
"metadata": {"details": {"name": "string",
"description": "string"
},
"rules": [{"types": [{"apiGroup": "string",
"kinds": ["string"
]
}
],
"permissions": ["INVALID"
]
}
]
}
}
],
"approved": [{"subject": "string",
"permissions": ["string"
],
"metadata": {"details": {"name": "string",
"description": "string"
},
"rules": [{"types": [{"apiGroup": "string",
"kinds": ["string"
]
}
],
"permissions": ["INVALID"
]
}
]
}
}
],
"metadata": {"details": {"name": "string",
"description": "string"
},
"rules": [{"types": [{"apiGroup": "string",
"kinds": ["string"
]
}
],
"permissions": ["INVALID"
]
}
]
}
}

SetPolicy enables authorization policy checks for the given resource and applies any provided request or approval settings. If the resource has existing policies settings, they will be replaced. Once the policy is set, authorization checks will be performed for the given resource.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
workspace required	string Workspace name.
istiointernalgroup required	string Istiointernalgroup name.
setting required	string Setting name.

Request Body schema: application/json
required

	Array of objects (v2Access) Approved is a list of subjects that are approved to access the resource.
etag	string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)
	object (v2Metadata) Metadata includes additional information about an ApprovalPolicy or Access entity and their respective resources that they apply to.
mode required	string (ApprovalPolicyMode) Default: "UNRESTRICTED" Enum: "UNRESTRICTED" "ALLOW_REQUESTED" "REQUIRE_APPROVAL" UNRESTRICTED: Allows all subjects in the same policy class to access the resource. ALLOW_REQUESTED: Allows only the subjects in the request and approved list to access the resource. REQUIRE_APPROVAL: Allows only the subjects in the approved list to access the resource.
	Array of objects (v2Access) Requested is a list of subjects that are requested to access the resource but that have not yet been explicitly approved. The access mode of the policy will determine if the subjects in this list are given immediate access to the resource.

Responses

Request samples

Payload

Content type

application/json

{"approved": [{"subject": "string",
"permissions": ["string"
],
"metadata": {"details": {"name": "string",
"description": "string"
},
"rules": [{"types": [{"apiGroup": "string",
"kinds": ["string"
]
}
],
"permissions": ["INVALID"
]
}
]
}
}
],
"etag": "string",
"metadata": {"details": {"name": "string",
"description": "string"
},
"rules": [{"types": [{"apiGroup": "string",
"kinds": ["string"
]
}
],
"permissions": ["INVALID"
]
}
]
},
"mode": "UNRESTRICTED",
"requested": [{"subject": "string",
"permissions": ["string"
],
"metadata": {"details": {"name": "string",
"description": "string"
},
"rules": [{"types": [{"apiGroup": "string",
"kinds": ["string"
]
}
],
"permissions": ["INVALID"
]
}
]
}
}
]
}

Response samples

200
default

Content type

application/json

{ }

DeletePolicy deletes the approval policy configuration for the given resource. When deleted, authorization checks will no longer be performed, the resource will no longer accept approval requests and all existing approvals will be revoked.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
workspace required	string Workspace name.
istiointernalgroup required	string Istiointernalgroup name.
setting required	string Setting name.

Responses

Response samples

200
default

Content type

application/json

{ }

AddApprovedAccess adds a new entry in the approved access list for the given resource.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
workspace required	string Workspace name.
istiointernalgroup required	string Istiointernalgroup name.
setting required	string Setting name.

Request Body schema: application/json
required

required	object (v2Access) Access is an access request for a subject with a set of permission. Example: Access { Subject: "organizations/demo/tenants/demo/applications/caller", Permissions: []string{"GET"} }
etag	string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)

Responses

Request samples

Payload

Content type

application/json

{"access": {"subject": "string",
"permissions": ["string"
],
"metadata": {"details": {"name": "string",
"description": "string"
},
"rules": [{"types": [{"apiGroup": "string",
"kinds": ["string"
]
}
],
"permissions": ["INVALID"
]
}
]
}
},
"etag": "string"
}

Response samples

200
default

Content type

application/json

{ }

DeleteApprovedAccess deletes an entry from the approved list for the given resource.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
workspace required	string Workspace name.
istiointernalgroup required	string Istiointernalgroup name.
setting required	string Setting name.

Request Body schema: application/json
required

subject

required

string

Subject for which the access request is made.

Responses

Request samples

Payload

Content type

application/json

{"subject": "string"
}

Response samples

200
default

Content type

application/json

{ }

Approvals_QueryPolicies_variant_18

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
workspace required	string Workspace name.
istiointernalgroup required	string Istiointernalgroup name.
setting required	string Setting name.

Request Body schema: application/json
required

includeDetails	boolean IncludeDetails indicates whether to include the details of the resources that are part of the policy. When set to true, the name and description of the resource are included in the response.
includePermissions	boolean IncludePermissions indicates whether to include the user level permissions on resources that are part of the policy. When set to true, the user level permissions are included in the response.
types required	Array of strings Type is the type of the resources to query for policies.

Responses

Request samples

Payload

Content type

application/json

{"includeDetails": true,
"includePermissions": true,
"types": ["string"
]
}

Response samples

200
default

Content type

application/json

{"policies": [{"etag": "string",
"mode": "UNRESTRICTED",
"resource": "string",
"requested": [{"subject": "string",
"permissions": ["string"
],
"metadata": {"details": {"name": "string",
"description": "string"
},
"rules": [{"types": [{"apiGroup": null,
"kinds": [ ]
}
],
"permissions": ["INVALID"
]
}
]
}
}
],
"approved": [{"subject": "string",
"permissions": ["string"
],
"metadata": {"details": {"name": "string",
"description": "string"
},
"rules": [{"types": [{"apiGroup": null,
"kinds": [ ]
}
],
"permissions": ["INVALID"
]
}
]
}
}
],
"metadata": {"details": {"name": "string",
"description": "string"
},
"rules": [{"types": [{"apiGroup": "string",
"kinds": ["string"
]
}
],
"permissions": ["INVALID"
]
}
]
}
}
]
}

AddAccessRequest adds a new access request entry in the access request list for the given resource. If the policy approval mode is "ALLOW_REQUESTED", access is allowed immediately. If the policy approval mode is "REQUIRE_APPROVAL" access will be pending until the request is approved.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
workspace required	string Workspace name.
istiointernalgroup required	string Istiointernalgroup name.
setting required	string Setting name.

Request Body schema: application/json
required

required	object (v2Access) Access is an access request for a subject with a set of permission. Example: Access { Subject: "organizations/demo/tenants/demo/applications/caller", Permissions: []string{"GET"} }
etag	string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)

Responses

Request samples

Payload

Content type

application/json

{"access": {"subject": "string",
"permissions": ["string"
],
"metadata": {"details": {"name": "string",
"description": "string"
},
"rules": [{"types": [{"apiGroup": "string",
"kinds": ["string"
]
}
],
"permissions": ["INVALID"
]
}
]
}
},
"etag": "string"
}

Response samples

200
default

Content type

application/json

{ }

ApproveAccessRequest approves an existing access request for the given resource. Once approved, the request will be removed from the requested list and added to the approved list. If any of the permissions are changed, the requested permissions will be discarded and only the approved permissions will be added to the approved list.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
workspace required	string Workspace name.
istiointernalgroup required	string Istiointernalgroup name.
setting required	string Setting name.

Request Body schema: application/json
required

required	object (v2Access) Access is an access request for a subject with a set of permission. Example: Access { Subject: "organizations/demo/tenants/demo/applications/caller", Permissions: []string{"GET"} }
etag	string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)

Responses

Request samples

Payload

Content type

application/json

{"access": {"subject": "string",
"permissions": ["string"
],
"metadata": {"details": {"name": "string",
"description": "string"
},
"rules": [{"types": [{"apiGroup": "string",
"kinds": ["string"
]
}
],
"permissions": ["INVALID"
]
}
]
}
},
"etag": "string"
}

Response samples

200
default

Content type

application/json

{ }

DeleteAccessRequest removes an existing entry from the access request list for the given resource. If the request is already approved, the request no longer exists and this operation will return NotFound. Deleting an approved request should be done using the DeleteApproved operation.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
workspace required	string Workspace name.
istiointernalgroup required	string Istiointernalgroup name.
setting required	string Setting name.

Request Body schema: application/json
required

subject

required

string

Subject for which the access request is made.

Responses

Request samples

Payload

Content type

application/json

{"subject": "string"
}

Response samples

200
default

Content type

application/json

{ }

GetPolicy returns the approval policy for the given resource.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
workspace required	string Workspace name.
securitygroup required	string Securitygroup name.

Responses

Response samples

200
default

Content type

application/json

{"etag": "string",
"mode": "UNRESTRICTED",
"resource": "string",
"requested": [{"subject": "string",
"permissions": ["string"
],
"metadata": {"details": {"name": "string",
"description": "string"
},
"rules": [{"types": [{"apiGroup": "string",
"kinds": ["string"
]
}
],
"permissions": ["INVALID"
]
}
]
}
}
],
"approved": [{"subject": "string",
"permissions": ["string"
],
"metadata": {"details": {"name": "string",
"description": "string"
},
"rules": [{"types": [{"apiGroup": "string",
"kinds": ["string"
]
}
],
"permissions": ["INVALID"
]
}
]
}
}
],
"metadata": {"details": {"name": "string",
"description": "string"
},
"rules": [{"types": [{"apiGroup": "string",
"kinds": ["string"
]
}
],
"permissions": ["INVALID"
]
}
]
}
}

SetPolicy enables authorization policy checks for the given resource and applies any provided request or approval settings. If the resource has existing policies settings, they will be replaced. Once the policy is set, authorization checks will be performed for the given resource.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
workspace required	string Workspace name.
securitygroup required	string Securitygroup name.

Request Body schema: application/json
required

	Array of objects (v2Access) Approved is a list of subjects that are approved to access the resource.
etag	string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)
	object (v2Metadata) Metadata includes additional information about an ApprovalPolicy or Access entity and their respective resources that they apply to.
mode required	string (ApprovalPolicyMode) Default: "UNRESTRICTED" Enum: "UNRESTRICTED" "ALLOW_REQUESTED" "REQUIRE_APPROVAL" UNRESTRICTED: Allows all subjects in the same policy class to access the resource. ALLOW_REQUESTED: Allows only the subjects in the request and approved list to access the resource. REQUIRE_APPROVAL: Allows only the subjects in the approved list to access the resource.
	Array of objects (v2Access) Requested is a list of subjects that are requested to access the resource but that have not yet been explicitly approved. The access mode of the policy will determine if the subjects in this list are given immediate access to the resource.

Responses

Request samples

Payload

Content type

application/json

{"approved": [{"subject": "string",
"permissions": ["string"
],
"metadata": {"details": {"name": "string",
"description": "string"
},
"rules": [{"types": [{"apiGroup": "string",
"kinds": ["string"
]
}
],
"permissions": ["INVALID"
]
}
]
}
}
],
"etag": "string",
"metadata": {"details": {"name": "string",
"description": "string"
},
"rules": [{"types": [{"apiGroup": "string",
"kinds": ["string"
]
}
],
"permissions": ["INVALID"
]
}
]
},
"mode": "UNRESTRICTED",
"requested": [{"subject": "string",
"permissions": ["string"
],
"metadata": {"details": {"name": "string",
"description": "string"
},
"rules": [{"types": [{"apiGroup": "string",
"kinds": ["string"
]
}
],
"permissions": ["INVALID"
]
}
]
}
}
]
}

Response samples

200
default

Content type

application/json

{ }

DeletePolicy deletes the approval policy configuration for the given resource. When deleted, authorization checks will no longer be performed, the resource will no longer accept approval requests and all existing approvals will be revoked.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
workspace required	string Workspace name.
securitygroup required	string Securitygroup name.

Responses

Response samples

200
default

Content type

application/json

{ }

AddApprovedAccess adds a new entry in the approved access list for the given resource.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
workspace required	string Workspace name.
securitygroup required	string Securitygroup name.

Request Body schema: application/json
required

required	object (v2Access) Access is an access request for a subject with a set of permission. Example: Access { Subject: "organizations/demo/tenants/demo/applications/caller", Permissions: []string{"GET"} }
etag	string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)

Responses

Request samples

Payload

Content type

application/json

{"access": {"subject": "string",
"permissions": ["string"
],
"metadata": {"details": {"name": "string",
"description": "string"
},
"rules": [{"types": [{"apiGroup": "string",
"kinds": ["string"
]
}
],
"permissions": ["INVALID"
]
}
]
}
},
"etag": "string"
}

Response samples

200
default

Content type

application/json

{ }

DeleteApprovedAccess deletes an entry from the approved list for the given resource.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
workspace required	string Workspace name.
securitygroup required	string Securitygroup name.

Request Body schema: application/json
required

subject

required

string

Subject for which the access request is made.

Responses

Request samples

Payload

Content type

application/json

{"subject": "string"
}

Response samples

200
default

Content type

application/json

{ }

Approvals_QueryPolicies_variant_19

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
workspace required	string Workspace name.
securitygroup required	string Securitygroup name.

Request Body schema: application/json
required

includeDetails	boolean IncludeDetails indicates whether to include the details of the resources that are part of the policy. When set to true, the name and description of the resource are included in the response.
includePermissions	boolean IncludePermissions indicates whether to include the user level permissions on resources that are part of the policy. When set to true, the user level permissions are included in the response.
types required	Array of strings Type is the type of the resources to query for policies.

Responses

Request samples

Payload

Content type

application/json

{"includeDetails": true,
"includePermissions": true,
"types": ["string"
]
}

Response samples

200
default

Content type

application/json

{"policies": [{"etag": "string",
"mode": "UNRESTRICTED",
"resource": "string",
"requested": [{"subject": "string",
"permissions": ["string"
],
"metadata": {"details": {"name": "string",
"description": "string"
},
"rules": [{"types": [{"apiGroup": null,
"kinds": [ ]
}
],
"permissions": ["INVALID"
]
}
]
}
}
],
"approved": [{"subject": "string",
"permissions": ["string"
],
"metadata": {"details": {"name": "string",
"description": "string"
},
"rules": [{"types": [{"apiGroup": null,
"kinds": [ ]
}
],
"permissions": ["INVALID"
]
}
]
}
}
],
"metadata": {"details": {"name": "string",
"description": "string"
},
"rules": [{"types": [{"apiGroup": "string",
"kinds": ["string"
]
}
],
"permissions": ["INVALID"
]
}
]
}
}
]
}

AddAccessRequest adds a new access request entry in the access request list for the given resource. If the policy approval mode is "ALLOW_REQUESTED", access is allowed immediately. If the policy approval mode is "REQUIRE_APPROVAL" access will be pending until the request is approved.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
workspace required	string Workspace name.
securitygroup required	string Securitygroup name.

Request Body schema: application/json
required

required	object (v2Access) Access is an access request for a subject with a set of permission. Example: Access { Subject: "organizations/demo/tenants/demo/applications/caller", Permissions: []string{"GET"} }
etag	string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)

Responses

Request samples

Payload

Content type

application/json

{"access": {"subject": "string",
"permissions": ["string"
],
"metadata": {"details": {"name": "string",
"description": "string"
},
"rules": [{"types": [{"apiGroup": "string",
"kinds": ["string"
]
}
],
"permissions": ["INVALID"
]
}
]
}
},
"etag": "string"
}

Response samples

200
default

Content type

application/json

{ }

ApproveAccessRequest approves an existing access request for the given resource. Once approved, the request will be removed from the requested list and added to the approved list. If any of the permissions are changed, the requested permissions will be discarded and only the approved permissions will be added to the approved list.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
workspace required	string Workspace name.
securitygroup required	string Securitygroup name.

Request Body schema: application/json
required

required	object (v2Access) Access is an access request for a subject with a set of permission. Example: Access { Subject: "organizations/demo/tenants/demo/applications/caller", Permissions: []string{"GET"} }
etag	string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)

Responses

Request samples

Payload

Content type

application/json

{"access": {"subject": "string",
"permissions": ["string"
],
"metadata": {"details": {"name": "string",
"description": "string"
},
"rules": [{"types": [{"apiGroup": "string",
"kinds": ["string"
]
}
],
"permissions": ["INVALID"
]
}
]
}
},
"etag": "string"
}

Response samples

200
default

Content type

application/json

{ }

DeleteAccessRequest removes an existing entry from the access request list for the given resource. If the request is already approved, the request no longer exists and this operation will return NotFound. Deleting an approved request should be done using the DeleteApproved operation.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
workspace required	string Workspace name.
securitygroup required	string Securitygroup name.

Request Body schema: application/json
required

subject

required

string

Subject for which the access request is made.

Responses

Request samples

Payload

Content type

application/json

{"subject": "string"
}

Response samples

200
default

Content type

application/json

{ }

GetPolicy returns the approval policy for the given resource.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
workspace required	string Workspace name.
securitygroup required	string Securitygroup name.
setting required	string Setting name.

Responses

Response samples

200
default

Content type

application/json

{"etag": "string",
"mode": "UNRESTRICTED",
"resource": "string",
"requested": [{"subject": "string",
"permissions": ["string"
],
"metadata": {"details": {"name": "string",
"description": "string"
},
"rules": [{"types": [{"apiGroup": "string",
"kinds": ["string"
]
}
],
"permissions": ["INVALID"
]
}
]
}
}
],
"approved": [{"subject": "string",
"permissions": ["string"
],
"metadata": {"details": {"name": "string",
"description": "string"
},
"rules": [{"types": [{"apiGroup": "string",
"kinds": ["string"
]
}
],
"permissions": ["INVALID"
]
}
]
}
}
],
"metadata": {"details": {"name": "string",
"description": "string"
},
"rules": [{"types": [{"apiGroup": "string",
"kinds": ["string"
]
}
],
"permissions": ["INVALID"
]
}
]
}
}

SetPolicy enables authorization policy checks for the given resource and applies any provided request or approval settings. If the resource has existing policies settings, they will be replaced. Once the policy is set, authorization checks will be performed for the given resource.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
workspace required	string Workspace name.
securitygroup required	string Securitygroup name.
setting required	string Setting name.

Request Body schema: application/json
required

	Array of objects (v2Access) Approved is a list of subjects that are approved to access the resource.
etag	string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)
	object (v2Metadata) Metadata includes additional information about an ApprovalPolicy or Access entity and their respective resources that they apply to.
mode required	string (ApprovalPolicyMode) Default: "UNRESTRICTED" Enum: "UNRESTRICTED" "ALLOW_REQUESTED" "REQUIRE_APPROVAL" UNRESTRICTED: Allows all subjects in the same policy class to access the resource. ALLOW_REQUESTED: Allows only the subjects in the request and approved list to access the resource. REQUIRE_APPROVAL: Allows only the subjects in the approved list to access the resource.
	Array of objects (v2Access) Requested is a list of subjects that are requested to access the resource but that have not yet been explicitly approved. The access mode of the policy will determine if the subjects in this list are given immediate access to the resource.

Responses

Request samples

Payload

Content type

application/json

{"approved": [{"subject": "string",
"permissions": ["string"
],
"metadata": {"details": {"name": "string",
"description": "string"
},
"rules": [{"types": [{"apiGroup": "string",
"kinds": ["string"
]
}
],
"permissions": ["INVALID"
]
}
]
}
}
],
"etag": "string",
"metadata": {"details": {"name": "string",
"description": "string"
},
"rules": [{"types": [{"apiGroup": "string",
"kinds": ["string"
]
}
],
"permissions": ["INVALID"
]
}
]
},
"mode": "UNRESTRICTED",
"requested": [{"subject": "string",
"permissions": ["string"
],
"metadata": {"details": {"name": "string",
"description": "string"
},
"rules": [{"types": [{"apiGroup": "string",
"kinds": ["string"
]
}
],
"permissions": ["INVALID"
]
}
]
}
}
]
}

Response samples

200
default

Content type

application/json

{ }

DeletePolicy deletes the approval policy configuration for the given resource. When deleted, authorization checks will no longer be performed, the resource will no longer accept approval requests and all existing approvals will be revoked.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
workspace required	string Workspace name.
securitygroup required	string Securitygroup name.
setting required	string Setting name.

Responses

Response samples

200
default

Content type

application/json

{ }

AddApprovedAccess adds a new entry in the approved access list for the given resource.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
workspace required	string Workspace name.
securitygroup required	string Securitygroup name.
setting required	string Setting name.

Request Body schema: application/json
required

required	object (v2Access) Access is an access request for a subject with a set of permission. Example: Access { Subject: "organizations/demo/tenants/demo/applications/caller", Permissions: []string{"GET"} }
etag	string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)

Responses

Request samples

Payload

Content type

application/json

{"access": {"subject": "string",
"permissions": ["string"
],
"metadata": {"details": {"name": "string",
"description": "string"
},
"rules": [{"types": [{"apiGroup": "string",
"kinds": ["string"
]
}
],
"permissions": ["INVALID"
]
}
]
}
},
"etag": "string"
}

Response samples

200
default

Content type

application/json

{ }

DeleteApprovedAccess deletes an entry from the approved list for the given resource.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
workspace required	string Workspace name.
securitygroup required	string Securitygroup name.
setting required	string Setting name.

Request Body schema: application/json
required

subject

required

string

Subject for which the access request is made.

Responses

Request samples

Payload

Content type

application/json

{"subject": "string"
}

Response samples

200
default

Content type

application/json

{ }

Approvals_QueryPolicies_variant_20

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
workspace required	string Workspace name.
securitygroup required	string Securitygroup name.
setting required	string Setting name.

Request Body schema: application/json
required

includeDetails	boolean IncludeDetails indicates whether to include the details of the resources that are part of the policy. When set to true, the name and description of the resource are included in the response.
includePermissions	boolean IncludePermissions indicates whether to include the user level permissions on resources that are part of the policy. When set to true, the user level permissions are included in the response.
types required	Array of strings Type is the type of the resources to query for policies.

Responses

Request samples

Payload

Content type

application/json

{"includeDetails": true,
"includePermissions": true,
"types": ["string"
]
}

Response samples

200
default

Content type

application/json

{"policies": [{"etag": "string",
"mode": "UNRESTRICTED",
"resource": "string",
"requested": [{"subject": "string",
"permissions": ["string"
],
"metadata": {"details": {"name": "string",
"description": "string"
},
"rules": [{"types": [{"apiGroup": null,
"kinds": [ ]
}
],
"permissions": ["INVALID"
]
}
]
}
}
],
"approved": [{"subject": "string",
"permissions": ["string"
],
"metadata": {"details": {"name": "string",
"description": "string"
},
"rules": [{"types": [{"apiGroup": null,
"kinds": [ ]
}
],
"permissions": ["INVALID"
]
}
]
}
}
],
"metadata": {"details": {"name": "string",
"description": "string"
},
"rules": [{"types": [{"apiGroup": "string",
"kinds": ["string"
]
}
],
"permissions": ["INVALID"
]
}
]
}
}
]
}

AddAccessRequest adds a new access request entry in the access request list for the given resource. If the policy approval mode is "ALLOW_REQUESTED", access is allowed immediately. If the policy approval mode is "REQUIRE_APPROVAL" access will be pending until the request is approved.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
workspace required	string Workspace name.
securitygroup required	string Securitygroup name.
setting required	string Setting name.

Request Body schema: application/json
required

required	object (v2Access) Access is an access request for a subject with a set of permission. Example: Access { Subject: "organizations/demo/tenants/demo/applications/caller", Permissions: []string{"GET"} }
etag	string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)

Responses

Request samples

Payload

Content type

application/json

{"access": {"subject": "string",
"permissions": ["string"
],
"metadata": {"details": {"name": "string",
"description": "string"
},
"rules": [{"types": [{"apiGroup": "string",
"kinds": ["string"
]
}
],
"permissions": ["INVALID"
]
}
]
}
},
"etag": "string"
}

Response samples

200
default

Content type

application/json

{ }

ApproveAccessRequest approves an existing access request for the given resource. Once approved, the request will be removed from the requested list and added to the approved list. If any of the permissions are changed, the requested permissions will be discarded and only the approved permissions will be added to the approved list.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
workspace required	string Workspace name.
securitygroup required	string Securitygroup name.
setting required	string Setting name.

Request Body schema: application/json
required

required	object (v2Access) Access is an access request for a subject with a set of permission. Example: Access { Subject: "organizations/demo/tenants/demo/applications/caller", Permissions: []string{"GET"} }
etag	string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)

Responses

Request samples

Payload

Content type

application/json

{"access": {"subject": "string",
"permissions": ["string"
],
"metadata": {"details": {"name": "string",
"description": "string"
},
"rules": [{"types": [{"apiGroup": "string",
"kinds": ["string"
]
}
],
"permissions": ["INVALID"
]
}
]
}
},
"etag": "string"
}

Response samples

200
default

Content type

application/json

{ }

DeleteAccessRequest removes an existing entry from the access request list for the given resource. If the request is already approved, the request no longer exists and this operation will return NotFound. Deleting an approved request should be done using the DeleteApproved operation.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
workspace required	string Workspace name.
securitygroup required	string Securitygroup name.
setting required	string Setting name.

Request Body schema: application/json
required

subject

required

string

Subject for which the access request is made.

Responses

Request samples

Payload

Content type

application/json

{"subject": "string"
}

Response samples

200
default

Content type

application/json

{ }

GetPolicy returns the approval policy for the given resource.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
workspace required	string Workspace name.
setting required	string Setting name.

Responses

Response samples

200
default

Content type

application/json

{"etag": "string",
"mode": "UNRESTRICTED",
"resource": "string",
"requested": [{"subject": "string",
"permissions": ["string"
],
"metadata": {"details": {"name": "string",
"description": "string"
},
"rules": [{"types": [{"apiGroup": "string",
"kinds": ["string"
]
}
],
"permissions": ["INVALID"
]
}
]
}
}
],
"approved": [{"subject": "string",
"permissions": ["string"
],
"metadata": {"details": {"name": "string",
"description": "string"
},
"rules": [{"types": [{"apiGroup": "string",
"kinds": ["string"
]
}
],
"permissions": ["INVALID"
]
}
]
}
}
],
"metadata": {"details": {"name": "string",
"description": "string"
},
"rules": [{"types": [{"apiGroup": "string",
"kinds": ["string"
]
}
],
"permissions": ["INVALID"
]
}
]
}
}

SetPolicy enables authorization policy checks for the given resource and applies any provided request or approval settings. If the resource has existing policies settings, they will be replaced. Once the policy is set, authorization checks will be performed for the given resource.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
workspace required	string Workspace name.
setting required	string Setting name.

Request Body schema: application/json
required

	Array of objects (v2Access) Approved is a list of subjects that are approved to access the resource.
etag	string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)
	object (v2Metadata) Metadata includes additional information about an ApprovalPolicy or Access entity and their respective resources that they apply to.
mode required	string (ApprovalPolicyMode) Default: "UNRESTRICTED" Enum: "UNRESTRICTED" "ALLOW_REQUESTED" "REQUIRE_APPROVAL" UNRESTRICTED: Allows all subjects in the same policy class to access the resource. ALLOW_REQUESTED: Allows only the subjects in the request and approved list to access the resource. REQUIRE_APPROVAL: Allows only the subjects in the approved list to access the resource.
	Array of objects (v2Access) Requested is a list of subjects that are requested to access the resource but that have not yet been explicitly approved. The access mode of the policy will determine if the subjects in this list are given immediate access to the resource.

Responses

Request samples

Payload

Content type

application/json

{"approved": [{"subject": "string",
"permissions": ["string"
],
"metadata": {"details": {"name": "string",
"description": "string"
},
"rules": [{"types": [{"apiGroup": "string",
"kinds": ["string"
]
}
],
"permissions": ["INVALID"
]
}
]
}
}
],
"etag": "string",
"metadata": {"details": {"name": "string",
"description": "string"
},
"rules": [{"types": [{"apiGroup": "string",
"kinds": ["string"
]
}
],
"permissions": ["INVALID"
]
}
]
},
"mode": "UNRESTRICTED",
"requested": [{"subject": "string",
"permissions": ["string"
],
"metadata": {"details": {"name": "string",
"description": "string"
},
"rules": [{"types": [{"apiGroup": "string",
"kinds": ["string"
]
}
],
"permissions": ["INVALID"
]
}
]
}
}
]
}

Response samples

200
default

Content type

application/json

{ }

DeletePolicy deletes the approval policy configuration for the given resource. When deleted, authorization checks will no longer be performed, the resource will no longer accept approval requests and all existing approvals will be revoked.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
workspace required	string Workspace name.
setting required	string Setting name.

Responses

Response samples

200
default

Content type

application/json

{ }

AddApprovedAccess adds a new entry in the approved access list for the given resource.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
workspace required	string Workspace name.
setting required	string Setting name.

Request Body schema: application/json
required

required	object (v2Access) Access is an access request for a subject with a set of permission. Example: Access { Subject: "organizations/demo/tenants/demo/applications/caller", Permissions: []string{"GET"} }
etag	string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)

Responses

Request samples

Payload

Content type

application/json

{"access": {"subject": "string",
"permissions": ["string"
],
"metadata": {"details": {"name": "string",
"description": "string"
},
"rules": [{"types": [{"apiGroup": "string",
"kinds": ["string"
]
}
],
"permissions": ["INVALID"
]
}
]
}
},
"etag": "string"
}

Response samples

200
default

Content type

application/json

{ }

DeleteApprovedAccess deletes an entry from the approved list for the given resource.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
workspace required	string Workspace name.
setting required	string Setting name.

Request Body schema: application/json
required

subject

required

string

Subject for which the access request is made.

Responses

Request samples

Payload

Content type

application/json

{"subject": "string"
}

Response samples

200
default

Content type

application/json

{ }

Approvals_QueryPolicies_variant_21

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
workspace required	string Workspace name.
setting required	string Setting name.

Request Body schema: application/json
required

includeDetails	boolean IncludeDetails indicates whether to include the details of the resources that are part of the policy. When set to true, the name and description of the resource are included in the response.
includePermissions	boolean IncludePermissions indicates whether to include the user level permissions on resources that are part of the policy. When set to true, the user level permissions are included in the response.
types required	Array of strings Type is the type of the resources to query for policies.

Responses

Request samples

Payload

Content type

application/json

{"includeDetails": true,
"includePermissions": true,
"types": ["string"
]
}

Response samples

200
default

Content type

application/json

{"policies": [{"etag": "string",
"mode": "UNRESTRICTED",
"resource": "string",
"requested": [{"subject": "string",
"permissions": ["string"
],
"metadata": {"details": {"name": "string",
"description": "string"
},
"rules": [{"types": [{"apiGroup": null,
"kinds": [ ]
}
],
"permissions": ["INVALID"
]
}
]
}
}
],
"approved": [{"subject": "string",
"permissions": ["string"
],
"metadata": {"details": {"name": "string",
"description": "string"
},
"rules": [{"types": [{"apiGroup": null,
"kinds": [ ]
}
],
"permissions": ["INVALID"
]
}
]
}
}
],
"metadata": {"details": {"name": "string",
"description": "string"
},
"rules": [{"types": [{"apiGroup": "string",
"kinds": ["string"
]
}
],
"permissions": ["INVALID"
]
}
]
}
}
]
}

AddAccessRequest adds a new access request entry in the access request list for the given resource. If the policy approval mode is "ALLOW_REQUESTED", access is allowed immediately. If the policy approval mode is "REQUIRE_APPROVAL" access will be pending until the request is approved.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
workspace required	string Workspace name.
setting required	string Setting name.

Request Body schema: application/json
required

required	object (v2Access) Access is an access request for a subject with a set of permission. Example: Access { Subject: "organizations/demo/tenants/demo/applications/caller", Permissions: []string{"GET"} }
etag	string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)

Responses

Request samples

Payload

Content type

application/json

{"access": {"subject": "string",
"permissions": ["string"
],
"metadata": {"details": {"name": "string",
"description": "string"
},
"rules": [{"types": [{"apiGroup": "string",
"kinds": ["string"
]
}
],
"permissions": ["INVALID"
]
}
]
}
},
"etag": "string"
}

Response samples

200
default

Content type

application/json

{ }

ApproveAccessRequest approves an existing access request for the given resource. Once approved, the request will be removed from the requested list and added to the approved list. If any of the permissions are changed, the requested permissions will be discarded and only the approved permissions will be added to the approved list.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
workspace required	string Workspace name.
setting required	string Setting name.

Request Body schema: application/json
required

required	object (v2Access) Access is an access request for a subject with a set of permission. Example: Access { Subject: "organizations/demo/tenants/demo/applications/caller", Permissions: []string{"GET"} }
etag	string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)

Responses

Request samples

Payload

Content type

application/json

{"access": {"subject": "string",
"permissions": ["string"
],
"metadata": {"details": {"name": "string",
"description": "string"
},
"rules": [{"types": [{"apiGroup": "string",
"kinds": ["string"
]
}
],
"permissions": ["INVALID"
]
}
]
}
},
"etag": "string"
}

Response samples

200
default

Content type

application/json

{ }

DeleteAccessRequest removes an existing entry from the access request list for the given resource. If the request is already approved, the request no longer exists and this operation will return NotFound. Deleting an approved request should be done using the DeleteApproved operation.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
workspace required	string Workspace name.
setting required	string Setting name.

Request Body schema: application/json
required

subject

required

string

Subject for which the access request is made.

Responses

Request samples

Payload

Content type

application/json

{"subject": "string"
}

Response samples

200
default

Content type

application/json

{ }

GetPolicy returns the approval policy for the given resource.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
workspace required	string Workspace name.
trafficgroup required	string Trafficgroup name.

Responses

Response samples

200
default

Content type

application/json

{"etag": "string",
"mode": "UNRESTRICTED",
"resource": "string",
"requested": [{"subject": "string",
"permissions": ["string"
],
"metadata": {"details": {"name": "string",
"description": "string"
},
"rules": [{"types": [{"apiGroup": "string",
"kinds": ["string"
]
}
],
"permissions": ["INVALID"
]
}
]
}
}
],
"approved": [{"subject": "string",
"permissions": ["string"
],
"metadata": {"details": {"name": "string",
"description": "string"
},
"rules": [{"types": [{"apiGroup": "string",
"kinds": ["string"
]
}
],
"permissions": ["INVALID"
]
}
]
}
}
],
"metadata": {"details": {"name": "string",
"description": "string"
},
"rules": [{"types": [{"apiGroup": "string",
"kinds": ["string"
]
}
],
"permissions": ["INVALID"
]
}
]
}
}

SetPolicy enables authorization policy checks for the given resource and applies any provided request or approval settings. If the resource has existing policies settings, they will be replaced. Once the policy is set, authorization checks will be performed for the given resource.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
workspace required	string Workspace name.
trafficgroup required	string Trafficgroup name.

Request Body schema: application/json
required

	Array of objects (v2Access) Approved is a list of subjects that are approved to access the resource.
etag	string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)
	object (v2Metadata) Metadata includes additional information about an ApprovalPolicy or Access entity and their respective resources that they apply to.
mode required	string (ApprovalPolicyMode) Default: "UNRESTRICTED" Enum: "UNRESTRICTED" "ALLOW_REQUESTED" "REQUIRE_APPROVAL" UNRESTRICTED: Allows all subjects in the same policy class to access the resource. ALLOW_REQUESTED: Allows only the subjects in the request and approved list to access the resource. REQUIRE_APPROVAL: Allows only the subjects in the approved list to access the resource.
	Array of objects (v2Access) Requested is a list of subjects that are requested to access the resource but that have not yet been explicitly approved. The access mode of the policy will determine if the subjects in this list are given immediate access to the resource.

Responses

Request samples

Payload

Content type

application/json

{"approved": [{"subject": "string",
"permissions": ["string"
],
"metadata": {"details": {"name": "string",
"description": "string"
},
"rules": [{"types": [{"apiGroup": "string",
"kinds": ["string"
]
}
],
"permissions": ["INVALID"
]
}
]
}
}
],
"etag": "string",
"metadata": {"details": {"name": "string",
"description": "string"
},
"rules": [{"types": [{"apiGroup": "string",
"kinds": ["string"
]
}
],
"permissions": ["INVALID"
]
}
]
},
"mode": "UNRESTRICTED",
"requested": [{"subject": "string",
"permissions": ["string"
],
"metadata": {"details": {"name": "string",
"description": "string"
},
"rules": [{"types": [{"apiGroup": "string",
"kinds": ["string"
]
}
],
"permissions": ["INVALID"
]
}
]
}
}
]
}

Response samples

200
default

Content type

application/json

{ }

DeletePolicy deletes the approval policy configuration for the given resource. When deleted, authorization checks will no longer be performed, the resource will no longer accept approval requests and all existing approvals will be revoked.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
workspace required	string Workspace name.
trafficgroup required	string Trafficgroup name.

Responses

Response samples

200
default

Content type

application/json

{ }

AddApprovedAccess adds a new entry in the approved access list for the given resource.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
workspace required	string Workspace name.
trafficgroup required	string Trafficgroup name.

Request Body schema: application/json
required

required	object (v2Access) Access is an access request for a subject with a set of permission. Example: Access { Subject: "organizations/demo/tenants/demo/applications/caller", Permissions: []string{"GET"} }
etag	string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)

Responses

Request samples

Payload

Content type

application/json

{"access": {"subject": "string",
"permissions": ["string"
],
"metadata": {"details": {"name": "string",
"description": "string"
},
"rules": [{"types": [{"apiGroup": "string",
"kinds": ["string"
]
}
],
"permissions": ["INVALID"
]
}
]
}
},
"etag": "string"
}

Response samples

200
default

Content type

application/json

{ }

DeleteApprovedAccess deletes an entry from the approved list for the given resource.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
workspace required	string Workspace name.
trafficgroup required	string Trafficgroup name.

Request Body schema: application/json
required

subject

required

string

Subject for which the access request is made.

Responses

Request samples

Payload

Content type

application/json

{"subject": "string"
}

Response samples

200
default

Content type

application/json

{ }

Approvals_QueryPolicies_variant_22

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
workspace required	string Workspace name.
trafficgroup required	string Trafficgroup name.

Request Body schema: application/json
required

includeDetails	boolean IncludeDetails indicates whether to include the details of the resources that are part of the policy. When set to true, the name and description of the resource are included in the response.
includePermissions	boolean IncludePermissions indicates whether to include the user level permissions on resources that are part of the policy. When set to true, the user level permissions are included in the response.
types required	Array of strings Type is the type of the resources to query for policies.

Responses

Request samples

Payload

Content type

application/json

{"includeDetails": true,
"includePermissions": true,
"types": ["string"
]
}

Response samples

200
default

Content type

application/json

{"policies": [{"etag": "string",
"mode": "UNRESTRICTED",
"resource": "string",
"requested": [{"subject": "string",
"permissions": ["string"
],
"metadata": {"details": {"name": "string",
"description": "string"
},
"rules": [{"types": [{"apiGroup": null,
"kinds": [ ]
}
],
"permissions": ["INVALID"
]
}
]
}
}
],
"approved": [{"subject": "string",
"permissions": ["string"
],
"metadata": {"details": {"name": "string",
"description": "string"
},
"rules": [{"types": [{"apiGroup": null,
"kinds": [ ]
}
],
"permissions": ["INVALID"
]
}
]
}
}
],
"metadata": {"details": {"name": "string",
"description": "string"
},
"rules": [{"types": [{"apiGroup": "string",
"kinds": ["string"
]
}
],
"permissions": ["INVALID"
]
}
]
}
}
]
}

AddAccessRequest adds a new access request entry in the access request list for the given resource. If the policy approval mode is "ALLOW_REQUESTED", access is allowed immediately. If the policy approval mode is "REQUIRE_APPROVAL" access will be pending until the request is approved.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
workspace required	string Workspace name.
trafficgroup required	string Trafficgroup name.

Request Body schema: application/json
required

required	object (v2Access) Access is an access request for a subject with a set of permission. Example: Access { Subject: "organizations/demo/tenants/demo/applications/caller", Permissions: []string{"GET"} }
etag	string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)

Responses

Request samples

Payload

Content type

application/json

{"access": {"subject": "string",
"permissions": ["string"
],
"metadata": {"details": {"name": "string",
"description": "string"
},
"rules": [{"types": [{"apiGroup": "string",
"kinds": ["string"
]
}
],
"permissions": ["INVALID"
]
}
]
}
},
"etag": "string"
}

Response samples

200
default

Content type

application/json

{ }

ApproveAccessRequest approves an existing access request for the given resource. Once approved, the request will be removed from the requested list and added to the approved list. If any of the permissions are changed, the requested permissions will be discarded and only the approved permissions will be added to the approved list.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
workspace required	string Workspace name.
trafficgroup required	string Trafficgroup name.

Request Body schema: application/json
required

required	object (v2Access) Access is an access request for a subject with a set of permission. Example: Access { Subject: "organizations/demo/tenants/demo/applications/caller", Permissions: []string{"GET"} }
etag	string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)

Responses

Request samples

Payload

Content type

application/json

{"access": {"subject": "string",
"permissions": ["string"
],
"metadata": {"details": {"name": "string",
"description": "string"
},
"rules": [{"types": [{"apiGroup": "string",
"kinds": ["string"
]
}
],
"permissions": ["INVALID"
]
}
]
}
},
"etag": "string"
}

Response samples

200
default

Content type

application/json

{ }

DeleteAccessRequest removes an existing entry from the access request list for the given resource. If the request is already approved, the request no longer exists and this operation will return NotFound. Deleting an approved request should be done using the DeleteApproved operation.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
workspace required	string Workspace name.
trafficgroup required	string Trafficgroup name.

Request Body schema: application/json
required

subject

required

string

Subject for which the access request is made.

Responses

Request samples

Payload

Content type

application/json

{"subject": "string"
}

Response samples

200
default

Content type

application/json

{ }

GetPolicy returns the approval policy for the given resource.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
workspace required	string Workspace name.
trafficgroup required	string Trafficgroup name.
serviceroute required	string Serviceroute name.

Responses

Response samples

200
default

Content type

application/json

{"etag": "string",
"mode": "UNRESTRICTED",
"resource": "string",
"requested": [{"subject": "string",
"permissions": ["string"
],
"metadata": {"details": {"name": "string",
"description": "string"
},
"rules": [{"types": [{"apiGroup": "string",
"kinds": ["string"
]
}
],
"permissions": ["INVALID"
]
}
]
}
}
],
"approved": [{"subject": "string",
"permissions": ["string"
],
"metadata": {"details": {"name": "string",
"description": "string"
},
"rules": [{"types": [{"apiGroup": "string",
"kinds": ["string"
]
}
],
"permissions": ["INVALID"
]
}
]
}
}
],
"metadata": {"details": {"name": "string",
"description": "string"
},
"rules": [{"types": [{"apiGroup": "string",
"kinds": ["string"
]
}
],
"permissions": ["INVALID"
]
}
]
}
}

SetPolicy enables authorization policy checks for the given resource and applies any provided request or approval settings. If the resource has existing policies settings, they will be replaced. Once the policy is set, authorization checks will be performed for the given resource.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
workspace required	string Workspace name.
trafficgroup required	string Trafficgroup name.
serviceroute required	string Serviceroute name.

Request Body schema: application/json
required

	Array of objects (v2Access) Approved is a list of subjects that are approved to access the resource.
etag	string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)
	object (v2Metadata) Metadata includes additional information about an ApprovalPolicy or Access entity and their respective resources that they apply to.
mode required	string (ApprovalPolicyMode) Default: "UNRESTRICTED" Enum: "UNRESTRICTED" "ALLOW_REQUESTED" "REQUIRE_APPROVAL" UNRESTRICTED: Allows all subjects in the same policy class to access the resource. ALLOW_REQUESTED: Allows only the subjects in the request and approved list to access the resource. REQUIRE_APPROVAL: Allows only the subjects in the approved list to access the resource.
	Array of objects (v2Access) Requested is a list of subjects that are requested to access the resource but that have not yet been explicitly approved. The access mode of the policy will determine if the subjects in this list are given immediate access to the resource.

Responses

Request samples

Payload

Content type

application/json

{"approved": [{"subject": "string",
"permissions": ["string"
],
"metadata": {"details": {"name": "string",
"description": "string"
},
"rules": [{"types": [{"apiGroup": "string",
"kinds": ["string"
]
}
],
"permissions": ["INVALID"
]
}
]
}
}
],
"etag": "string",
"metadata": {"details": {"name": "string",
"description": "string"
},
"rules": [{"types": [{"apiGroup": "string",
"kinds": ["string"
]
}
],
"permissions": ["INVALID"
]
}
]
},
"mode": "UNRESTRICTED",
"requested": [{"subject": "string",
"permissions": ["string"
],
"metadata": {"details": {"name": "string",
"description": "string"
},
"rules": [{"types": [{"apiGroup": "string",
"kinds": ["string"
]
}
],
"permissions": ["INVALID"
]
}
]
}
}
]
}

Response samples

200
default

Content type

application/json

{ }

DeletePolicy deletes the approval policy configuration for the given resource. When deleted, authorization checks will no longer be performed, the resource will no longer accept approval requests and all existing approvals will be revoked.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
workspace required	string Workspace name.
trafficgroup required	string Trafficgroup name.
serviceroute required	string Serviceroute name.

Responses

Response samples

200
default

Content type

application/json

{ }

AddApprovedAccess adds a new entry in the approved access list for the given resource.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
workspace required	string Workspace name.
trafficgroup required	string Trafficgroup name.
serviceroute required	string Serviceroute name.

Request Body schema: application/json
required

required	object (v2Access) Access is an access request for a subject with a set of permission. Example: Access { Subject: "organizations/demo/tenants/demo/applications/caller", Permissions: []string{"GET"} }
etag	string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)

Responses

Request samples

Payload

Content type

application/json

{"access": {"subject": "string",
"permissions": ["string"
],
"metadata": {"details": {"name": "string",
"description": "string"
},
"rules": [{"types": [{"apiGroup": "string",
"kinds": ["string"
]
}
],
"permissions": ["INVALID"
]
}
]
}
},
"etag": "string"
}

Response samples

200
default

Content type

application/json

{ }

DeleteApprovedAccess deletes an entry from the approved list for the given resource.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
workspace required	string Workspace name.
trafficgroup required	string Trafficgroup name.
serviceroute required	string Serviceroute name.

Request Body schema: application/json
required

subject

required

string

Subject for which the access request is made.

Responses

Request samples

Payload

Content type

application/json

{"subject": "string"
}

Response samples

200
default

Content type

application/json

{ }

Approvals_QueryPolicies_variant_24

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
workspace required	string Workspace name.
trafficgroup required	string Trafficgroup name.
serviceroute required	string Serviceroute name.

Request Body schema: application/json
required

includeDetails	boolean IncludeDetails indicates whether to include the details of the resources that are part of the policy. When set to true, the name and description of the resource are included in the response.
includePermissions	boolean IncludePermissions indicates whether to include the user level permissions on resources that are part of the policy. When set to true, the user level permissions are included in the response.
types required	Array of strings Type is the type of the resources to query for policies.

Responses

Request samples

Payload

Content type

application/json

{"includeDetails": true,
"includePermissions": true,
"types": ["string"
]
}

Response samples

200
default

Content type

application/json

{"policies": [{"etag": "string",
"mode": "UNRESTRICTED",
"resource": "string",
"requested": [{"subject": "string",
"permissions": ["string"
],
"metadata": {"details": {"name": "string",
"description": "string"
},
"rules": [{"types": [{"apiGroup": null,
"kinds": [ ]
}
],
"permissions": ["INVALID"
]
}
]
}
}
],
"approved": [{"subject": "string",
"permissions": ["string"
],
"metadata": {"details": {"name": "string",
"description": "string"
},
"rules": [{"types": [{"apiGroup": null,
"kinds": [ ]
}
],
"permissions": ["INVALID"
]
}
]
}
}
],
"metadata": {"details": {"name": "string",
"description": "string"
},
"rules": [{"types": [{"apiGroup": "string",
"kinds": ["string"
]
}
],
"permissions": ["INVALID"
]
}
]
}
}
]
}

AddAccessRequest adds a new access request entry in the access request list for the given resource. If the policy approval mode is "ALLOW_REQUESTED", access is allowed immediately. If the policy approval mode is "REQUIRE_APPROVAL" access will be pending until the request is approved.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
workspace required	string Workspace name.
trafficgroup required	string Trafficgroup name.
serviceroute required	string Serviceroute name.

Request Body schema: application/json
required

required	object (v2Access) Access is an access request for a subject with a set of permission. Example: Access { Subject: "organizations/demo/tenants/demo/applications/caller", Permissions: []string{"GET"} }
etag	string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)

Responses

Request samples

Payload

Content type

application/json

{"access": {"subject": "string",
"permissions": ["string"
],
"metadata": {"details": {"name": "string",
"description": "string"
},
"rules": [{"types": [{"apiGroup": "string",
"kinds": ["string"
]
}
],
"permissions": ["INVALID"
]
}
]
}
},
"etag": "string"
}

Response samples

200
default

Content type

application/json

{ }

ApproveAccessRequest approves an existing access request for the given resource. Once approved, the request will be removed from the requested list and added to the approved list. If any of the permissions are changed, the requested permissions will be discarded and only the approved permissions will be added to the approved list.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
workspace required	string Workspace name.
trafficgroup required	string Trafficgroup name.
serviceroute required	string Serviceroute name.

Request Body schema: application/json
required

required	object (v2Access) Access is an access request for a subject with a set of permission. Example: Access { Subject: "organizations/demo/tenants/demo/applications/caller", Permissions: []string{"GET"} }
etag	string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)

Responses

Request samples

Payload

Content type

application/json

{"access": {"subject": "string",
"permissions": ["string"
],
"metadata": {"details": {"name": "string",
"description": "string"
},
"rules": [{"types": [{"apiGroup": "string",
"kinds": ["string"
]
}
],
"permissions": ["INVALID"
]
}
]
}
},
"etag": "string"
}

Response samples

200
default

Content type

application/json

{ }

DeleteAccessRequest removes an existing entry from the access request list for the given resource. If the request is already approved, the request no longer exists and this operation will return NotFound. Deleting an approved request should be done using the DeleteApproved operation.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
workspace required	string Workspace name.
trafficgroup required	string Trafficgroup name.
serviceroute required	string Serviceroute name.

Request Body schema: application/json
required

subject

required

string

Subject for which the access request is made.

Responses

Request samples

Payload

Content type

application/json

{"subject": "string"
}

Response samples

200
default

Content type

application/json

{ }

GetPolicy returns the approval policy for the given resource.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
workspace required	string Workspace name.
trafficgroup required	string Trafficgroup name.
setting required	string Setting name.

Responses

Response samples

200
default

Content type

application/json

{"etag": "string",
"mode": "UNRESTRICTED",
"resource": "string",
"requested": [{"subject": "string",
"permissions": ["string"
],
"metadata": {"details": {"name": "string",
"description": "string"
},
"rules": [{"types": [{"apiGroup": "string",
"kinds": ["string"
]
}
],
"permissions": ["INVALID"
]
}
]
}
}
],
"approved": [{"subject": "string",
"permissions": ["string"
],
"metadata": {"details": {"name": "string",
"description": "string"
},
"rules": [{"types": [{"apiGroup": "string",
"kinds": ["string"
]
}
],
"permissions": ["INVALID"
]
}
]
}
}
],
"metadata": {"details": {"name": "string",
"description": "string"
},
"rules": [{"types": [{"apiGroup": "string",
"kinds": ["string"
]
}
],
"permissions": ["INVALID"
]
}
]
}
}

SetPolicy enables authorization policy checks for the given resource and applies any provided request or approval settings. If the resource has existing policies settings, they will be replaced. Once the policy is set, authorization checks will be performed for the given resource.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
workspace required	string Workspace name.
trafficgroup required	string Trafficgroup name.
setting required	string Setting name.

Request Body schema: application/json
required

	Array of objects (v2Access) Approved is a list of subjects that are approved to access the resource.
etag	string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)
	object (v2Metadata) Metadata includes additional information about an ApprovalPolicy or Access entity and their respective resources that they apply to.
mode required	string (ApprovalPolicyMode) Default: "UNRESTRICTED" Enum: "UNRESTRICTED" "ALLOW_REQUESTED" "REQUIRE_APPROVAL" UNRESTRICTED: Allows all subjects in the same policy class to access the resource. ALLOW_REQUESTED: Allows only the subjects in the request and approved list to access the resource. REQUIRE_APPROVAL: Allows only the subjects in the approved list to access the resource.
	Array of objects (v2Access) Requested is a list of subjects that are requested to access the resource but that have not yet been explicitly approved. The access mode of the policy will determine if the subjects in this list are given immediate access to the resource.

Responses

Request samples

Payload

Content type

application/json

{"approved": [{"subject": "string",
"permissions": ["string"
],
"metadata": {"details": {"name": "string",
"description": "string"
},
"rules": [{"types": [{"apiGroup": "string",
"kinds": ["string"
]
}
],
"permissions": ["INVALID"
]
}
]
}
}
],
"etag": "string",
"metadata": {"details": {"name": "string",
"description": "string"
},
"rules": [{"types": [{"apiGroup": "string",
"kinds": ["string"
]
}
],
"permissions": ["INVALID"
]
}
]
},
"mode": "UNRESTRICTED",
"requested": [{"subject": "string",
"permissions": ["string"
],
"metadata": {"details": {"name": "string",
"description": "string"
},
"rules": [{"types": [{"apiGroup": "string",
"kinds": ["string"
]
}
],
"permissions": ["INVALID"
]
}
]
}
}
]
}

Response samples

200
default

Content type

application/json

{ }

DeletePolicy deletes the approval policy configuration for the given resource. When deleted, authorization checks will no longer be performed, the resource will no longer accept approval requests and all existing approvals will be revoked.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
workspace required	string Workspace name.
trafficgroup required	string Trafficgroup name.
setting required	string Setting name.

Responses

Response samples

200
default

Content type

application/json

{ }

AddApprovedAccess adds a new entry in the approved access list for the given resource.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
workspace required	string Workspace name.
trafficgroup required	string Trafficgroup name.
setting required	string Setting name.

Request Body schema: application/json
required

required	object (v2Access) Access is an access request for a subject with a set of permission. Example: Access { Subject: "organizations/demo/tenants/demo/applications/caller", Permissions: []string{"GET"} }
etag	string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)

Responses

Request samples

Payload

Content type

application/json

{"access": {"subject": "string",
"permissions": ["string"
],
"metadata": {"details": {"name": "string",
"description": "string"
},
"rules": [{"types": [{"apiGroup": "string",
"kinds": ["string"
]
}
],
"permissions": ["INVALID"
]
}
]
}
},
"etag": "string"
}

Response samples

200
default

Content type

application/json

{ }

DeleteApprovedAccess deletes an entry from the approved list for the given resource.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
workspace required	string Workspace name.
trafficgroup required	string Trafficgroup name.
setting required	string Setting name.

Request Body schema: application/json
required

subject

required

string

Subject for which the access request is made.

Responses

Request samples

Payload

Content type

application/json

{"subject": "string"
}

Response samples

200
default

Content type

application/json

{ }

Approvals_QueryPolicies_variant_23

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
workspace required	string Workspace name.
trafficgroup required	string Trafficgroup name.
setting required	string Setting name.

Request Body schema: application/json
required

includeDetails	boolean IncludeDetails indicates whether to include the details of the resources that are part of the policy. When set to true, the name and description of the resource are included in the response.
includePermissions	boolean IncludePermissions indicates whether to include the user level permissions on resources that are part of the policy. When set to true, the user level permissions are included in the response.
types required	Array of strings Type is the type of the resources to query for policies.

Responses

Request samples

Payload

Content type

application/json

{"includeDetails": true,
"includePermissions": true,
"types": ["string"
]
}

Response samples

200
default

Content type

application/json

{"policies": [{"etag": "string",
"mode": "UNRESTRICTED",
"resource": "string",
"requested": [{"subject": "string",
"permissions": ["string"
],
"metadata": {"details": {"name": "string",
"description": "string"
},
"rules": [{"types": [{"apiGroup": null,
"kinds": [ ]
}
],
"permissions": ["INVALID"
]
}
]
}
}
],
"approved": [{"subject": "string",
"permissions": ["string"
],
"metadata": {"details": {"name": "string",
"description": "string"
},
"rules": [{"types": [{"apiGroup": null,
"kinds": [ ]
}
],
"permissions": ["INVALID"
]
}
]
}
}
],
"metadata": {"details": {"name": "string",
"description": "string"
},
"rules": [{"types": [{"apiGroup": "string",
"kinds": ["string"
]
}
],
"permissions": ["INVALID"
]
}
]
}
}
]
}

AddAccessRequest adds a new access request entry in the access request list for the given resource. If the policy approval mode is "ALLOW_REQUESTED", access is allowed immediately. If the policy approval mode is "REQUIRE_APPROVAL" access will be pending until the request is approved.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
workspace required	string Workspace name.
trafficgroup required	string Trafficgroup name.
setting required	string Setting name.

Request Body schema: application/json
required

required	object (v2Access) Access is an access request for a subject with a set of permission. Example: Access { Subject: "organizations/demo/tenants/demo/applications/caller", Permissions: []string{"GET"} }
etag	string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)

Responses

Request samples

Payload

Content type

application/json

{"access": {"subject": "string",
"permissions": ["string"
],
"metadata": {"details": {"name": "string",
"description": "string"
},
"rules": [{"types": [{"apiGroup": "string",
"kinds": ["string"
]
}
],
"permissions": ["INVALID"
]
}
]
}
},
"etag": "string"
}

Response samples

200
default

Content type

application/json

{ }

ApproveAccessRequest approves an existing access request for the given resource. Once approved, the request will be removed from the requested list and added to the approved list. If any of the permissions are changed, the requested permissions will be discarded and only the approved permissions will be added to the approved list.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
workspace required	string Workspace name.
trafficgroup required	string Trafficgroup name.
setting required	string Setting name.

Request Body schema: application/json
required

required	object (v2Access) Access is an access request for a subject with a set of permission. Example: Access { Subject: "organizations/demo/tenants/demo/applications/caller", Permissions: []string{"GET"} }
etag	string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)

Responses

Request samples

Payload

Content type

application/json

{"access": {"subject": "string",
"permissions": ["string"
],
"metadata": {"details": {"name": "string",
"description": "string"
},
"rules": [{"types": [{"apiGroup": "string",
"kinds": ["string"
]
}
],
"permissions": ["INVALID"
]
}
]
}
},
"etag": "string"
}

Response samples

200
default

Content type

application/json

{ }

DeleteAccessRequest removes an existing entry from the access request list for the given resource. If the request is already approved, the request no longer exists and this operation will return NotFound. Deleting an approved request should be done using the DeleteApproved operation.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
workspace required	string Workspace name.
trafficgroup required	string Trafficgroup name.
setting required	string Setting name.

Request Body schema: application/json
required

subject

required

string

Subject for which the access request is made.

Responses

Request samples

Payload

Content type

application/json

{"subject": "string"
}

Response samples

200
default

Content type

application/json

{ }

GetPolicy returns the approval policy for the given resource.

path Parameters

organization required	string Organization name.
user required	string User name.

Responses

Response samples

200
default

Content type

application/json

{"etag": "string",
"mode": "UNRESTRICTED",
"resource": "string",
"requested": [{"subject": "string",
"permissions": ["string"
],
"metadata": {"details": {"name": "string",
"description": "string"
},
"rules": [{"types": [{"apiGroup": "string",
"kinds": ["string"
]
}
],
"permissions": ["INVALID"
]
}
]
}
}
],
"approved": [{"subject": "string",
"permissions": ["string"
],
"metadata": {"details": {"name": "string",
"description": "string"
},
"rules": [{"types": [{"apiGroup": "string",
"kinds": ["string"
]
}
],
"permissions": ["INVALID"
]
}
]
}
}
],
"metadata": {"details": {"name": "string",
"description": "string"
},
"rules": [{"types": [{"apiGroup": "string",
"kinds": ["string"
]
}
],
"permissions": ["INVALID"
]
}
]
}
}

SetPolicy enables authorization policy checks for the given resource and applies any provided request or approval settings. If the resource has existing policies settings, they will be replaced. Once the policy is set, authorization checks will be performed for the given resource.

path Parameters

organization required	string Organization name.
user required	string User name.

Request Body schema: application/json
required

	Array of objects (v2Access) Approved is a list of subjects that are approved to access the resource.
etag	string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)
	object (v2Metadata) Metadata includes additional information about an ApprovalPolicy or Access entity and their respective resources that they apply to.
mode required	string (ApprovalPolicyMode) Default: "UNRESTRICTED" Enum: "UNRESTRICTED" "ALLOW_REQUESTED" "REQUIRE_APPROVAL" UNRESTRICTED: Allows all subjects in the same policy class to access the resource. ALLOW_REQUESTED: Allows only the subjects in the request and approved list to access the resource. REQUIRE_APPROVAL: Allows only the subjects in the approved list to access the resource.
	Array of objects (v2Access) Requested is a list of subjects that are requested to access the resource but that have not yet been explicitly approved. The access mode of the policy will determine if the subjects in this list are given immediate access to the resource.

Responses

Request samples

Payload

Content type

application/json

{"approved": [{"subject": "string",
"permissions": ["string"
],
"metadata": {"details": {"name": "string",
"description": "string"
},
"rules": [{"types": [{"apiGroup": "string",
"kinds": ["string"
]
}
],
"permissions": ["INVALID"
]
}
]
}
}
],
"etag": "string",
"metadata": {"details": {"name": "string",
"description": "string"
},
"rules": [{"types": [{"apiGroup": "string",
"kinds": ["string"
]
}
],
"permissions": ["INVALID"
]
}
]
},
"mode": "UNRESTRICTED",
"requested": [{"subject": "string",
"permissions": ["string"
],
"metadata": {"details": {"name": "string",
"description": "string"
},
"rules": [{"types": [{"apiGroup": "string",
"kinds": ["string"
]
}
],
"permissions": ["INVALID"
]
}
]
}
}
]
}

Response samples

200
default

Content type

application/json

{ }

DeletePolicy deletes the approval policy configuration for the given resource. When deleted, authorization checks will no longer be performed, the resource will no longer accept approval requests and all existing approvals will be revoked.

path Parameters

organization required	string Organization name.
user required	string User name.

Responses

Response samples

200
default

Content type

application/json

{ }

AddApprovedAccess adds a new entry in the approved access list for the given resource.

path Parameters

organization required	string Organization name.
user required	string User name.

Request Body schema: application/json
required

required	object (v2Access) Access is an access request for a subject with a set of permission. Example: Access { Subject: "organizations/demo/tenants/demo/applications/caller", Permissions: []string{"GET"} }
etag	string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)

Responses

Request samples

Payload

Content type

application/json

{"access": {"subject": "string",
"permissions": ["string"
],
"metadata": {"details": {"name": "string",
"description": "string"
},
"rules": [{"types": [{"apiGroup": "string",
"kinds": ["string"
]
}
],
"permissions": ["INVALID"
]
}
]
}
},
"etag": "string"
}

Response samples

200
default

Content type

application/json

{ }

DeleteApprovedAccess deletes an entry from the approved list for the given resource.

path Parameters

organization required	string Organization name.
user required	string User name.

Request Body schema: application/json
required

subject

required

string

Subject for which the access request is made.

Responses

Request samples

Payload

Content type

application/json

{"subject": "string"
}

Response samples

200
default

Content type

application/json

{ }

Approvals_QueryPolicies_variant_7

path Parameters

organization required	string Organization name.
user required	string User name.

Request Body schema: application/json
required

includeDetails	boolean IncludeDetails indicates whether to include the details of the resources that are part of the policy. When set to true, the name and description of the resource are included in the response.
includePermissions	boolean IncludePermissions indicates whether to include the user level permissions on resources that are part of the policy. When set to true, the user level permissions are included in the response.
types required	Array of strings Type is the type of the resources to query for policies.

Responses

Request samples

Payload

Content type

application/json

{"includeDetails": true,
"includePermissions": true,
"types": ["string"
]
}

Response samples

200
default

Content type

application/json

{"policies": [{"etag": "string",
"mode": "UNRESTRICTED",
"resource": "string",
"requested": [{"subject": "string",
"permissions": ["string"
],
"metadata": {"details": {"name": "string",
"description": "string"
},
"rules": [{"types": [{"apiGroup": null,
"kinds": [ ]
}
],
"permissions": ["INVALID"
]
}
]
}
}
],
"approved": [{"subject": "string",
"permissions": ["string"
],
"metadata": {"details": {"name": "string",
"description": "string"
},
"rules": [{"types": [{"apiGroup": null,
"kinds": [ ]
}
],
"permissions": ["INVALID"
]
}
]
}
}
],
"metadata": {"details": {"name": "string",
"description": "string"
},
"rules": [{"types": [{"apiGroup": "string",
"kinds": ["string"
]
}
],
"permissions": ["INVALID"
]
}
]
}
}
]
}

AddAccessRequest adds a new access request entry in the access request list for the given resource. If the policy approval mode is "ALLOW_REQUESTED", access is allowed immediately. If the policy approval mode is "REQUIRE_APPROVAL" access will be pending until the request is approved.

path Parameters

organization required	string Organization name.
user required	string User name.

Request Body schema: application/json
required

required	object (v2Access) Access is an access request for a subject with a set of permission. Example: Access { Subject: "organizations/demo/tenants/demo/applications/caller", Permissions: []string{"GET"} }
etag	string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)

Responses

Request samples

Payload

Content type

application/json

{"access": {"subject": "string",
"permissions": ["string"
],
"metadata": {"details": {"name": "string",
"description": "string"
},
"rules": [{"types": [{"apiGroup": "string",
"kinds": ["string"
]
}
],
"permissions": ["INVALID"
]
}
]
}
},
"etag": "string"
}

Response samples

200
default

Content type

application/json

{ }

ApproveAccessRequest approves an existing access request for the given resource. Once approved, the request will be removed from the requested list and added to the approved list. If any of the permissions are changed, the requested permissions will be discarded and only the approved permissions will be added to the approved list.

path Parameters

organization required	string Organization name.
user required	string User name.

Request Body schema: application/json
required

required	object (v2Access) Access is an access request for a subject with a set of permission. Example: Access { Subject: "organizations/demo/tenants/demo/applications/caller", Permissions: []string{"GET"} }
etag	string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)

Responses

Request samples

Payload

Content type

application/json

{"access": {"subject": "string",
"permissions": ["string"
],
"metadata": {"details": {"name": "string",
"description": "string"
},
"rules": [{"types": [{"apiGroup": "string",
"kinds": ["string"
]
}
],
"permissions": ["INVALID"
]
}
]
}
},
"etag": "string"
}

Response samples

200
default

Content type

application/json

{ }

DeleteAccessRequest removes an existing entry from the access request list for the given resource. If the request is already approved, the request no longer exists and this operation will return NotFound. Deleting an approved request should be done using the DeleteApproved operation.

path Parameters

organization required	string Organization name.
user required	string User name.

Request Body schema: application/json
required

subject

required

string

Subject for which the access request is made.

Responses

Request samples

Payload

Content type

application/json

{"subject": "string"
}

Response samples

200
default

Content type

application/json

{ }

Permissions

GetResourcePermission looks up permissions that are allowed for the current principal. on the given resource FQN. This is similar to QueryResourcePermission but limited to a single resource FQN.

path Parameters

organization required	string Organization name.
cluster required	string Cluster name.

Responses

Response samples

200
default

Content type

application/json

{"rules": [{"types": [{"apiGroup": "string",
"kinds": ["string"
]
}
],
"permissions": ["INVALID"
]
}
]
}

GetResourcePermission looks up permissions that are allowed for the current principal. on the given resource FQN. This is similar to QueryResourcePermission but limited to a single resource FQN.

path Parameters

organization required	string Organization name.
extension required	string Extension name.

Responses

Response samples

200
default

Content type

application/json

{"rules": [{"types": [{"apiGroup": "string",
"kinds": ["string"
]
}
],
"permissions": ["INVALID"
]
}
]
}

GetResourcePermission looks up permissions that are allowed for the current principal. on the given resource FQN. This is similar to QueryResourcePermission but limited to a single resource FQN.

path Parameters

organization

required

string

Organization name.

Responses

Response samples

200
default

Content type

application/json

{"rules": [{"types": [{"apiGroup": "string",
"kinds": ["string"
]
}
],
"permissions": ["INVALID"
]
}
]
}

GetResourcePermission looks up permissions that are allowed for the current principal. on the given resource FQN. This is similar to QueryResourcePermission but limited to a single resource FQN.

path Parameters

organization required	string Organization name.
serviceaccount required	string Serviceaccount name.

Responses

Response samples

200
default

Content type

application/json

{"rules": [{"types": [{"apiGroup": "string",
"kinds": ["string"
]
}
],
"permissions": ["INVALID"
]
}
]
}

GetResourcePermission looks up permissions that are allowed for the current principal. on the given resource FQN. This is similar to QueryResourcePermission but limited to a single resource FQN.

path Parameters

organization required	string Organization name.
service required	string Service name.

Responses

Response samples

200
default

Content type

application/json

{"rules": [{"types": [{"apiGroup": "string",
"kinds": ["string"
]
}
],
"permissions": ["INVALID"
]
}
]
}

GetResourcePermission looks up permissions that are allowed for the current principal. on the given resource FQN. This is similar to QueryResourcePermission but limited to a single resource FQN.

path Parameters

organization required	string Organization name.
setting required	string Setting name.

Responses

Response samples

200
default

Content type

application/json

{"rules": [{"types": [{"apiGroup": "string",
"kinds": ["string"
]
}
],
"permissions": ["INVALID"
]
}
]
}

GetResourcePermission looks up permissions that are allowed for the current principal. on the given resource FQN. This is similar to QueryResourcePermission but limited to a single resource FQN.

path Parameters

organization required	string Organization name.
team required	string Team name.

Responses

Response samples

200
default

Content type

application/json

{"rules": [{"types": [{"apiGroup": "string",
"kinds": ["string"
]
}
],
"permissions": ["INVALID"
]
}
]
}

GetResourcePermission looks up permissions that are allowed for the current principal. on the given resource FQN. This is similar to QueryResourcePermission but limited to a single resource FQN.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
application required	string Application name.
api required	string Api name.

Responses

Response samples

200
default

Content type

application/json

{"rules": [{"types": [{"apiGroup": "string",
"kinds": ["string"
]
}
],
"permissions": ["INVALID"
]
}
]
}

GetResourcePermission looks up permissions that are allowed for the current principal. on the given resource FQN. This is similar to QueryResourcePermission but limited to a single resource FQN.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
application required	string Application name.

Responses

Response samples

200
default

Content type

application/json

{"rules": [{"types": [{"apiGroup": "string",
"kinds": ["string"
]
}
],
"permissions": ["INVALID"
]
}
]
}

GetResourcePermission looks up permissions that are allowed for the current principal. on the given resource FQN. This is similar to QueryResourcePermission but limited to a single resource FQN.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.

Responses

Response samples

200
default

Content type

application/json

{"rules": [{"types": [{"apiGroup": "string",
"kinds": ["string"
]
}
],
"permissions": ["INVALID"
]
}
]
}

GetResourcePermission looks up permissions that are allowed for the current principal. on the given resource FQN. This is similar to QueryResourcePermission but limited to a single resource FQN.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
setting required	string Setting name.

Responses

Response samples

200
default

Content type

application/json

{"rules": [{"types": [{"apiGroup": "string",
"kinds": ["string"
]
}
],
"permissions": ["INVALID"
]
}
]
}

GetResourcePermission looks up permissions that are allowed for the current principal. on the given resource FQN. This is similar to QueryResourcePermission but limited to a single resource FQN.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
workspace required	string Workspace name.
gatewaygroup required	string Gatewaygroup name.
egressgateway required	string Egressgateway name.

Responses

Response samples

200
default

Content type

application/json

{"rules": [{"types": [{"apiGroup": "string",
"kinds": ["string"
]
}
],
"permissions": ["INVALID"
]
}
]
}

GetResourcePermission looks up permissions that are allowed for the current principal. on the given resource FQN. This is similar to QueryResourcePermission but limited to a single resource FQN.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
workspace required	string Workspace name.
gatewaygroup required	string Gatewaygroup name.
ingressgateway required	string Ingressgateway name.

Responses

Response samples

200
default

Content type

application/json

{"rules": [{"types": [{"apiGroup": "string",
"kinds": ["string"
]
}
],
"permissions": ["INVALID"
]
}
]
}

GetResourcePermission looks up permissions that are allowed for the current principal. on the given resource FQN. This is similar to QueryResourcePermission but limited to a single resource FQN.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
workspace required	string Workspace name.
gatewaygroup required	string Gatewaygroup name.

Responses

Response samples

200
default

Content type

application/json

{"rules": [{"types": [{"apiGroup": "string",
"kinds": ["string"
]
}
],
"permissions": ["INVALID"
]
}
]
}

GetResourcePermission looks up permissions that are allowed for the current principal. on the given resource FQN. This is similar to QueryResourcePermission but limited to a single resource FQN.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
workspace required	string Workspace name.
gatewaygroup required	string Gatewaygroup name.
tier1gateway required	string Tier1gateway name.

Responses

Response samples

200
default

Content type

application/json

{"rules": [{"types": [{"apiGroup": "string",
"kinds": ["string"
]
}
],
"permissions": ["INVALID"
]
}
]
}

GetResourcePermission looks up permissions that are allowed for the current principal. on the given resource FQN. This is similar to QueryResourcePermission but limited to a single resource FQN.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
workspace required	string Workspace name.
istiointernalgroup required	string Istiointernalgroup name.

Responses

Response samples

200
default

Content type

application/json

{"rules": [{"types": [{"apiGroup": "string",
"kinds": ["string"
]
}
],
"permissions": ["INVALID"
]
}
]
}

GetResourcePermission looks up permissions that are allowed for the current principal. on the given resource FQN. This is similar to QueryResourcePermission but limited to a single resource FQN.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
workspace required	string Workspace name.
istiointernalgroup required	string Istiointernalgroup name.
setting required	string Setting name.

Responses

Response samples

200
default

Content type

application/json

{"rules": [{"types": [{"apiGroup": "string",
"kinds": ["string"
]
}
],
"permissions": ["INVALID"
]
}
]
}

GetResourcePermission looks up permissions that are allowed for the current principal. on the given resource FQN. This is similar to QueryResourcePermission but limited to a single resource FQN.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
workspace required	string Workspace name.

Responses

Response samples

200
default

Content type

application/json

{"rules": [{"types": [{"apiGroup": "string",
"kinds": ["string"
]
}
],
"permissions": ["INVALID"
]
}
]
}

GetResourcePermission looks up permissions that are allowed for the current principal. on the given resource FQN. This is similar to QueryResourcePermission but limited to a single resource FQN.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
workspace required	string Workspace name.
securitygroup required	string Securitygroup name.

Responses

Response samples

200
default

Content type

application/json

{"rules": [{"types": [{"apiGroup": "string",
"kinds": ["string"
]
}
],
"permissions": ["INVALID"
]
}
]
}

GetResourcePermission looks up permissions that are allowed for the current principal. on the given resource FQN. This is similar to QueryResourcePermission but limited to a single resource FQN.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
workspace required	string Workspace name.
securitygroup required	string Securitygroup name.
setting required	string Setting name.

Responses

Response samples

200
default

Content type

application/json

{"rules": [{"types": [{"apiGroup": "string",
"kinds": ["string"
]
}
],
"permissions": ["INVALID"
]
}
]
}

GetResourcePermission looks up permissions that are allowed for the current principal. on the given resource FQN. This is similar to QueryResourcePermission but limited to a single resource FQN.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
workspace required	string Workspace name.
setting required	string Setting name.

Responses

Response samples

200
default

Content type

application/json

{"rules": [{"types": [{"apiGroup": "string",
"kinds": ["string"
]
}
],
"permissions": ["INVALID"
]
}
]
}

GetResourcePermission looks up permissions that are allowed for the current principal. on the given resource FQN. This is similar to QueryResourcePermission but limited to a single resource FQN.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
workspace required	string Workspace name.
trafficgroup required	string Trafficgroup name.

Responses

Response samples

200
default

Content type

application/json

{"rules": [{"types": [{"apiGroup": "string",
"kinds": ["string"
]
}
],
"permissions": ["INVALID"
]
}
]
}

GetResourcePermission looks up permissions that are allowed for the current principal. on the given resource FQN. This is similar to QueryResourcePermission but limited to a single resource FQN.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
workspace required	string Workspace name.
trafficgroup required	string Trafficgroup name.
serviceroute required	string Serviceroute name.

Responses

Response samples

200
default

Content type

application/json

{"rules": [{"types": [{"apiGroup": "string",
"kinds": ["string"
]
}
],
"permissions": ["INVALID"
]
}
]
}

GetResourcePermission looks up permissions that are allowed for the current principal. on the given resource FQN. This is similar to QueryResourcePermission but limited to a single resource FQN.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
workspace required	string Workspace name.
trafficgroup required	string Trafficgroup name.
setting required	string Setting name.

Responses

Response samples

200
default

Content type

application/json

{"rules": [{"types": [{"apiGroup": "string",
"kinds": ["string"
]
}
],
"permissions": ["INVALID"
]
}
]
}

GetResourcePermission looks up permissions that are allowed for the current principal. on the given resource FQN. This is similar to QueryResourcePermission but limited to a single resource FQN.

path Parameters

organization required	string Organization name.
user required	string User name.

Responses

Response samples

200
default

Content type

application/json

{"rules": [{"types": [{"apiGroup": "string",
"kinds": ["string"
]
}
],
"permissions": ["INVALID"
]
}
]
}

QueryResourcePermission looks up permissions that are allowed for the current principal. Multiple records can be queried with a single request. Query limit is 100, multiple requests are required to lookup more than the limit.

Request Body schema: application/json
required

Request to query permissions on multiple records.

Example: QueryResourcePermissionsRequest { Queries: []Query{ Query{ QueryID: "1234", Kind: Query_Fqn{ Fqn: "tetrate/tenants/default/workspaces/example" } } } }

Array of objects (Query format of the resource lookup for the permission check)

One or more resources to query permissions on, limited to 100 per request.

Array

queryId	string Optional ID that is an open string the caller can use for correlation purposes.
fqn	string Fully-qualified name of the resource.

Responses

Request samples

Payload

Content type

application/json

{"queries": [{"queryId": "string",
"fqn": "string"
}
]
}

Response samples

200
default

Content type

application/json

{"results": [{"request": {"queryId": "string",
"fqn": "string"
},
"rules": [{"types": [{"apiGroup": "string",
"kinds": ["string"
]
}
],
"permissions": ["INVALID"
]
}
]
}
]
}

Policy

Get the global RBAC access policy. The global RBAC access policy configures who can manage the Role objects in TSB.

Responses

Response samples

200
default

Content type

application/json

{"fqn": "string",
"etag": "string",
"description": "string",
"allow": [{"role": "string",
"subjects": [{"user": "string",
"team": "string",
"serviceAccount": "string"
}
]
}
]
}

Set the global RBAC access policy. The global RBAC access policy configures who can manage the Role objects in TSB.

Request Body schema: application/json
required

A policy defines the set of subjects that can access a resource and under which conditions that access is granted.

etag	string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)
description	string (A description of the resource. $hide_from_yaml)
	Array of objects (v2Binding) The list of allowed bindings configures the different access profiles that are allowed on the resource configured by the policy.

Responses

Request samples

Payload

Content type

application/json

{"etag": "string",
"description": "string",
"allow": [{"role": "string",
"subjects": [{"user": "string",
"team": "string",
"serviceAccount": "string"
}
]
}
]
}

Response samples

200
default

Content type

application/json

{ }

Get the root access policy. The root access policy configures global permissions for the platform. Subjects assigned to a root policy will be granted the permissions described in the policy to all objects ion TSB.

Responses

Response samples

200
default

Content type

application/json

{"fqn": "string",
"etag": "string",
"description": "string",
"allow": [{"role": "string",
"subjects": [{"user": "string",
"team": "string",
"serviceAccount": "string"
}
]
}
]
}

Set the root access policy. The root access policy configures global permissions for the platform. Subjects assigned to a root policy will be granted the permissions described in the policy to all objects ion TSB.

Request Body schema: application/json
required

A policy defines the set of subjects that can access a resource and under which conditions that access is granted.

etag	string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)
description	string (A description of the resource. $hide_from_yaml)
	Array of objects (v2Binding) The list of allowed bindings configures the different access profiles that are allowed on the resource configured by the policy.

Responses

Request samples

Payload

Content type

application/json

{"etag": "string",
"description": "string",
"allow": [{"role": "string",
"subjects": [{"user": "string",
"team": "string",
"serviceAccount": "string"
}
]
}
]
}

Response samples

200
default

Content type

application/json

{ }

Get the access policy for the given resource.

path Parameters

organization required	string Organization name.
cluster required	string Cluster name.

Responses

Response samples

200
default

Content type

application/json

{"fqn": "string",
"etag": "string",
"description": "string",
"allow": [{"role": "string",
"subjects": [{"user": "string",
"team": "string",
"serviceAccount": "string"
}
]
}
]
}

Set the access policy for the given resource.

path Parameters

organization required	string Organization name.
cluster required	string Cluster name.

Request Body schema: application/json
required

	Array of objects (v2Binding) The list of allowed bindings configures the different access profiles that are allowed on the resource configured by the policy.
description	string (A description of the resource. $hide_from_yaml)
etag	string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)

Responses

Request samples

Payload

Content type

application/json

{"allow": [{"role": "string",
"subjects": [{"user": "string",
"team": "string",
"serviceAccount": "string"
}
]
}
],
"description": "string",
"etag": "string"
}

Response samples

200
default

Content type

application/json

{ }

Get the access policy for the given resource.

path Parameters

organization required	string Organization name.
extension required	string Extension name.

Responses

Response samples

200
default

Content type

application/json

{"fqn": "string",
"etag": "string",
"description": "string",
"allow": [{"role": "string",
"subjects": [{"user": "string",
"team": "string",
"serviceAccount": "string"
}
]
}
]
}

Set the access policy for the given resource.

path Parameters

organization required	string Organization name.
extension required	string Extension name.

Request Body schema: application/json
required

	Array of objects (v2Binding) The list of allowed bindings configures the different access profiles that are allowed on the resource configured by the policy.
description	string (A description of the resource. $hide_from_yaml)
etag	string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)

Responses

Request samples

Payload

Content type

application/json

{"allow": [{"role": "string",
"subjects": [{"user": "string",
"team": "string",
"serviceAccount": "string"
}
]
}
],
"description": "string",
"etag": "string"
}

Response samples

200
default

Content type

application/json

{ }

Get the access policy for the given resource.

path Parameters

organization

required

string

Organization name.

Responses

Response samples

200
default

Content type

application/json

{"fqn": "string",
"etag": "string",
"description": "string",
"allow": [{"role": "string",
"subjects": [{"user": "string",
"team": "string",
"serviceAccount": "string"
}
]
}
]
}

Set the access policy for the given resource.

path Parameters

organization

required

string

Organization name.

Request Body schema: application/json
required

	Array of objects (v2Binding) The list of allowed bindings configures the different access profiles that are allowed on the resource configured by the policy.
description	string (A description of the resource. $hide_from_yaml)
etag	string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)

Responses

Request samples

Payload

Content type

application/json

{"allow": [{"role": "string",
"subjects": [{"user": "string",
"team": "string",
"serviceAccount": "string"
}
]
}
],
"description": "string",
"etag": "string"
}

Response samples

200
default

Content type

application/json

{ }

Get the access policy for the given resource.

path Parameters

organization required	string Organization name.
serviceaccount required	string Serviceaccount name.

Responses

Response samples

200
default

Content type

application/json

{"fqn": "string",
"etag": "string",
"description": "string",
"allow": [{"role": "string",
"subjects": [{"user": "string",
"team": "string",
"serviceAccount": "string"
}
]
}
]
}

Set the access policy for the given resource.

path Parameters

organization required	string Organization name.
serviceaccount required	string Serviceaccount name.

Request Body schema: application/json
required

	Array of objects (v2Binding) The list of allowed bindings configures the different access profiles that are allowed on the resource configured by the policy.
description	string (A description of the resource. $hide_from_yaml)
etag	string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)

Responses

Request samples

Payload

Content type

application/json

{"allow": [{"role": "string",
"subjects": [{"user": "string",
"team": "string",
"serviceAccount": "string"
}
]
}
],
"description": "string",
"etag": "string"
}

Response samples

200
default

Content type

application/json

{ }

Get the access policy for the given resource.

path Parameters

organization required	string Organization name.
service required	string Service name.

Responses

Response samples

200
default

Content type

application/json

{"fqn": "string",
"etag": "string",
"description": "string",
"allow": [{"role": "string",
"subjects": [{"user": "string",
"team": "string",
"serviceAccount": "string"
}
]
}
]
}

Set the access policy for the given resource.

path Parameters

organization required	string Organization name.
service required	string Service name.

Request Body schema: application/json
required

	Array of objects (v2Binding) The list of allowed bindings configures the different access profiles that are allowed on the resource configured by the policy.
description	string (A description of the resource. $hide_from_yaml)
etag	string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)

Responses

Request samples

Payload

Content type

application/json

{"allow": [{"role": "string",
"subjects": [{"user": "string",
"team": "string",
"serviceAccount": "string"
}
]
}
],
"description": "string",
"etag": "string"
}

Response samples

200
default

Content type

application/json

{ }

Get the access policy for the given resource.

path Parameters

organization required	string Organization name.
setting required	string Setting name.

Responses

Response samples

200
default

Content type

application/json

{"fqn": "string",
"etag": "string",
"description": "string",
"allow": [{"role": "string",
"subjects": [{"user": "string",
"team": "string",
"serviceAccount": "string"
}
]
}
]
}

Set the access policy for the given resource.

path Parameters

organization required	string Organization name.
setting required	string Setting name.

Request Body schema: application/json
required

	Array of objects (v2Binding) The list of allowed bindings configures the different access profiles that are allowed on the resource configured by the policy.
description	string (A description of the resource. $hide_from_yaml)
etag	string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)

Responses

Request samples

Payload

Content type

application/json

{"allow": [{"role": "string",
"subjects": [{"user": "string",
"team": "string",
"serviceAccount": "string"
}
]
}
],
"description": "string",
"etag": "string"
}

Response samples

200
default

Content type

application/json

{ }

Get the access policy for the given resource.

path Parameters

organization required	string Organization name.
team required	string Team name.

Responses

Response samples

200
default

Content type

application/json

{"fqn": "string",
"etag": "string",
"description": "string",
"allow": [{"role": "string",
"subjects": [{"user": "string",
"team": "string",
"serviceAccount": "string"
}
]
}
]
}

Set the access policy for the given resource.

path Parameters

organization required	string Organization name.
team required	string Team name.

Request Body schema: application/json
required

	Array of objects (v2Binding) The list of allowed bindings configures the different access profiles that are allowed on the resource configured by the policy.
description	string (A description of the resource. $hide_from_yaml)
etag	string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)

Responses

Request samples

Payload

Content type

application/json

{"allow": [{"role": "string",
"subjects": [{"user": "string",
"team": "string",
"serviceAccount": "string"
}
]
}
],
"description": "string",
"etag": "string"
}

Response samples

200
default

Content type

application/json

{ }

Get the access policy for the given resource.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
application required	string Application name.
api required	string Api name.

Responses

Response samples

200
default

Content type

application/json

{"fqn": "string",
"etag": "string",
"description": "string",
"allow": [{"role": "string",
"subjects": [{"user": "string",
"team": "string",
"serviceAccount": "string"
}
]
}
]
}

Set the access policy for the given resource.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
application required	string Application name.
api required	string Api name.

Request Body schema: application/json
required

	Array of objects (v2Binding) The list of allowed bindings configures the different access profiles that are allowed on the resource configured by the policy.
description	string (A description of the resource. $hide_from_yaml)
etag	string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)

Responses

Request samples

Payload

Content type

application/json

{"allow": [{"role": "string",
"subjects": [{"user": "string",
"team": "string",
"serviceAccount": "string"
}
]
}
],
"description": "string",
"etag": "string"
}

Response samples

200
default

Content type

application/json

{ }

Get the access policy for the given resource.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
application required	string Application name.

Responses

Response samples

200
default

Content type

application/json

{"fqn": "string",
"etag": "string",
"description": "string",
"allow": [{"role": "string",
"subjects": [{"user": "string",
"team": "string",
"serviceAccount": "string"
}
]
}
]
}

Set the access policy for the given resource.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
application required	string Application name.

Request Body schema: application/json
required

	Array of objects (v2Binding) The list of allowed bindings configures the different access profiles that are allowed on the resource configured by the policy.
description	string (A description of the resource. $hide_from_yaml)
etag	string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)

Responses

Request samples

Payload

Content type

application/json

{"allow": [{"role": "string",
"subjects": [{"user": "string",
"team": "string",
"serviceAccount": "string"
}
]
}
],
"description": "string",
"etag": "string"
}

Response samples

200
default

Content type

application/json

{ }

Get the access policy for the given resource.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.

Responses

Response samples

200
default

Content type

application/json

{"fqn": "string",
"etag": "string",
"description": "string",
"allow": [{"role": "string",
"subjects": [{"user": "string",
"team": "string",
"serviceAccount": "string"
}
]
}
]
}

Set the access policy for the given resource.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.

Request Body schema: application/json
required

	Array of objects (v2Binding) The list of allowed bindings configures the different access profiles that are allowed on the resource configured by the policy.
description	string (A description of the resource. $hide_from_yaml)
etag	string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)

Responses

Request samples

Payload

Content type

application/json

{"allow": [{"role": "string",
"subjects": [{"user": "string",
"team": "string",
"serviceAccount": "string"
}
]
}
],
"description": "string",
"etag": "string"
}

Response samples

200
default

Content type

application/json

{ }

Get the access policy for the given resource.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
setting required	string Setting name.

Responses

Response samples

200
default

Content type

application/json

{"fqn": "string",
"etag": "string",
"description": "string",
"allow": [{"role": "string",
"subjects": [{"user": "string",
"team": "string",
"serviceAccount": "string"
}
]
}
]
}

Set the access policy for the given resource.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
setting required	string Setting name.

Request Body schema: application/json
required

	Array of objects (v2Binding) The list of allowed bindings configures the different access profiles that are allowed on the resource configured by the policy.
description	string (A description of the resource. $hide_from_yaml)
etag	string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)

Responses

Request samples

Payload

Content type

application/json

{"allow": [{"role": "string",
"subjects": [{"user": "string",
"team": "string",
"serviceAccount": "string"
}
]
}
],
"description": "string",
"etag": "string"
}

Response samples

200
default

Content type

application/json

{ }

Get the access policy for the given resource.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
workspace required	string Workspace name.
gatewaygroup required	string Gatewaygroup name.
egressgateway required	string Egressgateway name.

Responses

Response samples

200
default

Content type

application/json

{"fqn": "string",
"etag": "string",
"description": "string",
"allow": [{"role": "string",
"subjects": [{"user": "string",
"team": "string",
"serviceAccount": "string"
}
]
}
]
}

Set the access policy for the given resource.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
workspace required	string Workspace name.
gatewaygroup required	string Gatewaygroup name.
egressgateway required	string Egressgateway name.

Request Body schema: application/json
required

	Array of objects (v2Binding) The list of allowed bindings configures the different access profiles that are allowed on the resource configured by the policy.
description	string (A description of the resource. $hide_from_yaml)
etag	string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)

Responses

Request samples

Payload

Content type

application/json

{"allow": [{"role": "string",
"subjects": [{"user": "string",
"team": "string",
"serviceAccount": "string"
}
]
}
],
"description": "string",
"etag": "string"
}

Response samples

200
default

Content type

application/json

{ }

Get the access policy for the given resource.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
workspace required	string Workspace name.
gatewaygroup required	string Gatewaygroup name.
ingressgateway required	string Ingressgateway name.

Responses

Response samples

200
default

Content type

application/json

{"fqn": "string",
"etag": "string",
"description": "string",
"allow": [{"role": "string",
"subjects": [{"user": "string",
"team": "string",
"serviceAccount": "string"
}
]
}
]
}

Set the access policy for the given resource.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
workspace required	string Workspace name.
gatewaygroup required	string Gatewaygroup name.
ingressgateway required	string Ingressgateway name.

Request Body schema: application/json
required

	Array of objects (v2Binding) The list of allowed bindings configures the different access profiles that are allowed on the resource configured by the policy.
description	string (A description of the resource. $hide_from_yaml)
etag	string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)

Responses

Request samples

Payload

Content type

application/json

{"allow": [{"role": "string",
"subjects": [{"user": "string",
"team": "string",
"serviceAccount": "string"
}
]
}
],
"description": "string",
"etag": "string"
}

Response samples

200
default

Content type

application/json

{ }

Get the access policy for the given resource.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
workspace required	string Workspace name.
gatewaygroup required	string Gatewaygroup name.

Responses

Response samples

200
default

Content type

application/json

{"fqn": "string",
"etag": "string",
"description": "string",
"allow": [{"role": "string",
"subjects": [{"user": "string",
"team": "string",
"serviceAccount": "string"
}
]
}
]
}

Set the access policy for the given resource.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
workspace required	string Workspace name.
gatewaygroup required	string Gatewaygroup name.

Request Body schema: application/json
required

	Array of objects (v2Binding) The list of allowed bindings configures the different access profiles that are allowed on the resource configured by the policy.
description	string (A description of the resource. $hide_from_yaml)
etag	string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)

Responses

Request samples

Payload

Content type

application/json

{"allow": [{"role": "string",
"subjects": [{"user": "string",
"team": "string",
"serviceAccount": "string"
}
]
}
],
"description": "string",
"etag": "string"
}

Response samples

200
default

Content type

application/json

{ }

Get the access policy for the given resource.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
workspace required	string Workspace name.
gatewaygroup required	string Gatewaygroup name.
tier1gateway required	string Tier1gateway name.

Responses

Response samples

200
default

Content type

application/json

{"fqn": "string",
"etag": "string",
"description": "string",
"allow": [{"role": "string",
"subjects": [{"user": "string",
"team": "string",
"serviceAccount": "string"
}
]
}
]
}

Set the access policy for the given resource.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
workspace required	string Workspace name.
gatewaygroup required	string Gatewaygroup name.
tier1gateway required	string Tier1gateway name.

Request Body schema: application/json
required

	Array of objects (v2Binding) The list of allowed bindings configures the different access profiles that are allowed on the resource configured by the policy.
description	string (A description of the resource. $hide_from_yaml)
etag	string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)

Responses

Request samples

Payload

Content type

application/json

{"allow": [{"role": "string",
"subjects": [{"user": "string",
"team": "string",
"serviceAccount": "string"
}
]
}
],
"description": "string",
"etag": "string"
}

Response samples

200
default

Content type

application/json

{ }

Get the access policy for the given resource.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
workspace required	string Workspace name.
istiointernalgroup required	string Istiointernalgroup name.

Responses

Response samples

200
default

Content type

application/json

{"fqn": "string",
"etag": "string",
"description": "string",
"allow": [{"role": "string",
"subjects": [{"user": "string",
"team": "string",
"serviceAccount": "string"
}
]
}
]
}

Set the access policy for the given resource.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
workspace required	string Workspace name.
istiointernalgroup required	string Istiointernalgroup name.

Request Body schema: application/json
required

	Array of objects (v2Binding) The list of allowed bindings configures the different access profiles that are allowed on the resource configured by the policy.
description	string (A description of the resource. $hide_from_yaml)
etag	string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)

Responses

Request samples

Payload

Content type

application/json

{"allow": [{"role": "string",
"subjects": [{"user": "string",
"team": "string",
"serviceAccount": "string"
}
]
}
],
"description": "string",
"etag": "string"
}

Response samples

200
default

Content type

application/json

{ }

Get the access policy for the given resource.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
workspace required	string Workspace name.
istiointernalgroup required	string Istiointernalgroup name.
setting required	string Setting name.

Responses

Response samples

200
default

Content type

application/json

{"fqn": "string",
"etag": "string",
"description": "string",
"allow": [{"role": "string",
"subjects": [{"user": "string",
"team": "string",
"serviceAccount": "string"
}
]
}
]
}

Set the access policy for the given resource.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
workspace required	string Workspace name.
istiointernalgroup required	string Istiointernalgroup name.
setting required	string Setting name.

Request Body schema: application/json
required

	Array of objects (v2Binding) The list of allowed bindings configures the different access profiles that are allowed on the resource configured by the policy.
description	string (A description of the resource. $hide_from_yaml)
etag	string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)

Responses

Request samples

Payload

Content type

application/json

{"allow": [{"role": "string",
"subjects": [{"user": "string",
"team": "string",
"serviceAccount": "string"
}
]
}
],
"description": "string",
"etag": "string"
}

Response samples

200
default

Content type

application/json

{ }

Get the access policy for the given resource.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
workspace required	string Workspace name.

Responses

Response samples

200
default

Content type

application/json

{"fqn": "string",
"etag": "string",
"description": "string",
"allow": [{"role": "string",
"subjects": [{"user": "string",
"team": "string",
"serviceAccount": "string"
}
]
}
]
}

Set the access policy for the given resource.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
workspace required	string Workspace name.

Request Body schema: application/json
required

	Array of objects (v2Binding) The list of allowed bindings configures the different access profiles that are allowed on the resource configured by the policy.
description	string (A description of the resource. $hide_from_yaml)
etag	string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)

Responses

Request samples

Payload

Content type

application/json

{"allow": [{"role": "string",
"subjects": [{"user": "string",
"team": "string",
"serviceAccount": "string"
}
]
}
],
"description": "string",
"etag": "string"
}

Response samples

200
default

Content type

application/json

{ }

Get the access policy for the given resource.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
workspace required	string Workspace name.
securitygroup required	string Securitygroup name.

Responses

Response samples

200
default

Content type

application/json

{"fqn": "string",
"etag": "string",
"description": "string",
"allow": [{"role": "string",
"subjects": [{"user": "string",
"team": "string",
"serviceAccount": "string"
}
]
}
]
}

Set the access policy for the given resource.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
workspace required	string Workspace name.
securitygroup required	string Securitygroup name.

Request Body schema: application/json
required

	Array of objects (v2Binding) The list of allowed bindings configures the different access profiles that are allowed on the resource configured by the policy.
description	string (A description of the resource. $hide_from_yaml)
etag	string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)

Responses

Request samples

Payload

Content type

application/json

{"allow": [{"role": "string",
"subjects": [{"user": "string",
"team": "string",
"serviceAccount": "string"
}
]
}
],
"description": "string",
"etag": "string"
}

Response samples

200
default

Content type

application/json

{ }

Get the access policy for the given resource.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
workspace required	string Workspace name.
securitygroup required	string Securitygroup name.
setting required	string Setting name.

Responses

Response samples

200
default

Content type

application/json

{"fqn": "string",
"etag": "string",
"description": "string",
"allow": [{"role": "string",
"subjects": [{"user": "string",
"team": "string",
"serviceAccount": "string"
}
]
}
]
}

Set the access policy for the given resource.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
workspace required	string Workspace name.
securitygroup required	string Securitygroup name.
setting required	string Setting name.

Request Body schema: application/json
required

	Array of objects (v2Binding) The list of allowed bindings configures the different access profiles that are allowed on the resource configured by the policy.
description	string (A description of the resource. $hide_from_yaml)
etag	string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)

Responses

Request samples

Payload

Content type

application/json

{"allow": [{"role": "string",
"subjects": [{"user": "string",
"team": "string",
"serviceAccount": "string"
}
]
}
],
"description": "string",
"etag": "string"
}

Response samples

200
default

Content type

application/json

{ }

Get the access policy for the given resource.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
workspace required	string Workspace name.
setting required	string Setting name.

Responses

Response samples

200
default

Content type

application/json

{"fqn": "string",
"etag": "string",
"description": "string",
"allow": [{"role": "string",
"subjects": [{"user": "string",
"team": "string",
"serviceAccount": "string"
}
]
}
]
}

Set the access policy for the given resource.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
workspace required	string Workspace name.
setting required	string Setting name.

Request Body schema: application/json
required

	Array of objects (v2Binding) The list of allowed bindings configures the different access profiles that are allowed on the resource configured by the policy.
description	string (A description of the resource. $hide_from_yaml)
etag	string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)

Responses

Request samples

Payload

Content type

application/json

{"allow": [{"role": "string",
"subjects": [{"user": "string",
"team": "string",
"serviceAccount": "string"
}
]
}
],
"description": "string",
"etag": "string"
}

Response samples

200
default

Content type

application/json

{ }

Get the access policy for the given resource.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
workspace required	string Workspace name.
trafficgroup required	string Trafficgroup name.

Responses

Response samples

200
default

Content type

application/json

{"fqn": "string",
"etag": "string",
"description": "string",
"allow": [{"role": "string",
"subjects": [{"user": "string",
"team": "string",
"serviceAccount": "string"
}
]
}
]
}

Set the access policy for the given resource.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
workspace required	string Workspace name.
trafficgroup required	string Trafficgroup name.

Request Body schema: application/json
required

	Array of objects (v2Binding) The list of allowed bindings configures the different access profiles that are allowed on the resource configured by the policy.
description	string (A description of the resource. $hide_from_yaml)
etag	string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)

Responses

Request samples

Payload

Content type

application/json

{"allow": [{"role": "string",
"subjects": [{"user": "string",
"team": "string",
"serviceAccount": "string"
}
]
}
],
"description": "string",
"etag": "string"
}

Response samples

200
default

Content type

application/json

{ }

Get the access policy for the given resource.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
workspace required	string Workspace name.
trafficgroup required	string Trafficgroup name.
serviceroute required	string Serviceroute name.

Responses

Response samples

200
default

Content type

application/json

{"fqn": "string",
"etag": "string",
"description": "string",
"allow": [{"role": "string",
"subjects": [{"user": "string",
"team": "string",
"serviceAccount": "string"
}
]
}
]
}

Set the access policy for the given resource.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
workspace required	string Workspace name.
trafficgroup required	string Trafficgroup name.
serviceroute required	string Serviceroute name.

Request Body schema: application/json
required

	Array of objects (v2Binding) The list of allowed bindings configures the different access profiles that are allowed on the resource configured by the policy.
description	string (A description of the resource. $hide_from_yaml)
etag	string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)

Responses

Request samples

Payload

Content type

application/json

{"allow": [{"role": "string",
"subjects": [{"user": "string",
"team": "string",
"serviceAccount": "string"
}
]
}
],
"description": "string",
"etag": "string"
}

Response samples

200
default

Content type

application/json

{ }

Get the access policy for the given resource.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
workspace required	string Workspace name.
trafficgroup required	string Trafficgroup name.
setting required	string Setting name.

Responses

Response samples

200
default

Content type

application/json

{"fqn": "string",
"etag": "string",
"description": "string",
"allow": [{"role": "string",
"subjects": [{"user": "string",
"team": "string",
"serviceAccount": "string"
}
]
}
]
}

Set the access policy for the given resource.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
workspace required	string Workspace name.
trafficgroup required	string Trafficgroup name.
setting required	string Setting name.

Request Body schema: application/json
required

	Array of objects (v2Binding) The list of allowed bindings configures the different access profiles that are allowed on the resource configured by the policy.
description	string (A description of the resource. $hide_from_yaml)
etag	string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)

Responses

Request samples

Payload

Content type

application/json

{"allow": [{"role": "string",
"subjects": [{"user": "string",
"team": "string",
"serviceAccount": "string"
}
]
}
],
"description": "string",
"etag": "string"
}

Response samples

200
default

Content type

application/json

{ }

Get the access policy for the given resource.

path Parameters

organization required	string Organization name.
user required	string User name.

Responses

Response samples

200
default

Content type

application/json

{"fqn": "string",
"etag": "string",
"description": "string",
"allow": [{"role": "string",
"subjects": [{"user": "string",
"team": "string",
"serviceAccount": "string"
}
]
}
]
}

Set the access policy for the given resource.

path Parameters

organization required	string Organization name.
user required	string User name.

Request Body schema: application/json
required

	Array of objects (v2Binding) The list of allowed bindings configures the different access profiles that are allowed on the resource configured by the policy.
description	string (A description of the resource. $hide_from_yaml)
etag	string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)

Responses

Request samples

Payload

Content type

application/json

{"allow": [{"role": "string",
"subjects": [{"user": "string",
"team": "string",
"serviceAccount": "string"
}
]
}
],
"description": "string",
"etag": "string"
}

Response samples

200
default

Content type

application/json

{ }

RBAC

List all existing roles.

Responses

Response samples

200
default

Content type

application/json

{"roles": [{"fqn": "string",
"displayName": "string",
"etag": "string",
"description": "string",
"rules": [{"types": [{"apiGroup": "string",
"kinds": ["string"
]
}
],
"permissions": ["INVALID"
]
}
]
}
]
}

Create a new role.

Request Body schema: application/json
required

Request to create a Role.

name required	string The short name for the resource to be created.
required	object (v2Role) `Role` is a named collection of permissions that can be assigned to any user or team in the system.

Responses

Request samples

Payload

Content type

application/json

{"name": "string",
"role": {"displayName": "string",
"etag": "string",
"description": "string",
"rules": [{"types": [{"apiGroup": "string",
"kinds": ["string"
]
}
],
"permissions": ["INVALID"
]
}
]
}
}

Response samples

200
default

Content type

application/json

{"fqn": "string",
"displayName": "string",
"etag": "string",
"description": "string",
"rules": [{"types": [{"apiGroup": "string",
"kinds": ["string"
]
}
],
"permissions": ["INVALID"
]
}
]
}

Get the details of the given role.

path Parameters

rba

required

string

Rba name.

Responses

Response samples

200
default

Content type

application/json

{"fqn": "string",
"displayName": "string",
"etag": "string",
"description": "string",
"rules": [{"types": [{"apiGroup": "string",
"kinds": ["string"
]
}
],
"permissions": ["INVALID"
]
}
]
}

Modify a role.

path Parameters

rba

required

string

Rba name.

Request Body schema: application/json
required

description	string (A description of the resource. $hide_from_yaml)
displayName	string (User friendly name for the resource. $hide_from_yaml)
etag	string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)
	Array of objects (A rule defines the set of api groups) A set of rules that define the permissions associated with each API group.

Responses

Request samples

Payload

Content type

application/json

{"description": "string",
"displayName": "string",
"etag": "string",
"rules": [{"types": [{"apiGroup": "string",
"kinds": ["string"
]
}
],
"permissions": ["INVALID"
]
}
]
}

Response samples

200
default

Content type

application/json

{"fqn": "string",
"displayName": "string",
"etag": "string",
"description": "string",
"rules": [{"types": [{"apiGroup": "string",
"kinds": ["string"
]
}
],
"permissions": ["INVALID"
]
}
]
}

Delete a role. NRoles that are in use by policies attached to existing resources cannot be deleted.

path Parameters

rba

required

string

Rba name.

Responses

Response samples

200
default

Content type

application/json

{ }

Lookup

Get all the services in the registry that are part of the given selector. This method can be used to resolve the registered services that are part of a workspace or group. This method can be also used to figure out how applying a selector could affect the platform and have an understanding of which of the existing services would be included in the selection.

Request Body schema: application/json
required

Request for all the services in the registry that are part of the given selector.

required

object (`NamespaceSelector` selects a set of namespaces across one or more clusters in a tenant. Namespace selectors can be used at Workspace level to carve out a chunk of resources under a tenant into an isolated configuration domain. They can be used in a Traffic, Security, or a Gateway group to further scope the set of namespaces that will belong to a specific configuration group. Names in namespaces selector must be in the form `cluster/namespace` where: - cluster must be a cluster name or an `*` to mean all clusters - namespace must be a namespace name, an `*` to mean all namespaces or a prefix like `ns-*` to mean all those namespaces starting by `ns-`)

parent

required

string (The FQN of the parent object where services will be looked up)

Responses

Request samples

Payload

Content type

application/json

{"selector": {"names": ["string"
]
},
"parent": "string"
}

Response samples

200
default

Content type

application/json

{"services": [{"fqn": "string",
"displayName": "string",
"etag": "string",
"description": "string",
"shortName": "string",
"hostnames": ["string"
],
"ports": [{"number": 0,
"name": "string",
"serviceDeployments": ["string"
]
}
],
"subsets": ["string"
],
"serviceType": "INVALID_TYPE",
"externalAddresses": ["string"
],
"state": "INVALID_STATE",
"metrics": [{"name": "string",
"description": "string",
"aggregationKey": "string",
"type": "INVALID",
"serviceDeployment": "string",
"parentMetric": "string"
}
],
"serviceDeployments": [{"fqn": "string",
"source": "string"
}
],
"subsetDeployments": [{"name": "string",
"serviceDeployments": ["string"
]
}
],
"canonicalName": "string",
"spiffeIds": ["string"
]
}
]
}

Get all the groups that configure the given service in the registry.

path Parameters

organization required	string Organization name.
service required	string Service name.

Responses

Response samples

200
default

Content type

application/json

{"trafficGroups": [{"fqn": "string",
"displayName": "string",
"etag": "string",
"description": "string",
"namespaceSelector": {"names": ["string"
]
},
"configMode": "BRIDGED"
}
],
"securityGroups": [{"fqn": "string",
"displayName": "string",
"etag": "string",
"description": "string",
"namespaceSelector": {"names": ["string"
]
},
"configMode": "BRIDGED",
"securityDomain": "string"
}
],
"gatewayGroups": [{"fqn": "string",
"displayName": "string",
"etag": "string",
"description": "string",
"namespaceSelector": {"names": ["string"
]
},
"configMode": "BRIDGED"
}
],
"istioInternalGroups": [{"fqn": "string",
"displayName": "string",
"etag": "string",
"description": "string",
"namespaceSelector": {"names": ["string"
]
}
}
]
}

Registration

List the services that have been registered in an organization

path Parameters

organization

required

string

Organization name.

Responses

Response samples

200
default

Content type

application/json

{"services": [{"fqn": "string",
"displayName": "string",
"etag": "string",
"description": "string",
"shortName": "string",
"hostnames": ["string"
],
"ports": [{"number": 0,
"name": "string",
"serviceDeployments": ["string"
]
}
],
"subsets": ["string"
],
"serviceType": "INVALID_TYPE",
"externalAddresses": ["string"
],
"state": "INVALID_STATE",
"metrics": [{"name": "string",
"description": "string",
"aggregationKey": "string",
"type": "INVALID",
"serviceDeployment": "string",
"parentMetric": "string"
}
],
"serviceDeployments": [{"fqn": "string",
"source": "string"
}
],
"subsetDeployments": [{"name": "string",
"serviceDeployments": ["string"
]
}
],
"canonicalName": "string",
"spiffeIds": ["string"
]
}
]
}

Register the given service in the organization. Services in the registry are deduplicated so that the same service running in different clusters are represented as a single entity in the registry. The service returned by this method is the result of deduplicating the service. This API is currently only intended for internal use by the discovery agents. $hide_from_docs

path Parameters

organization

required

string

Organization name.

Request Body schema: application/json
required

canonicalName	string optional canonical name that identify this service.
cluster required	string Name of the cluster where the service belongs to. This will be used to load the deduplication settings that have been configured for the cluster where the service belongs.
externalAddresses	Array of strings For kubernetes services of type load balancer, this field contains the list of lb hostnames or IPs assigned to the service.
hostnames	Array of strings The hostnames by which this service is accessed. Can correspond to the hostname of an internal service or that ones of a virtual host on a gateway.
namespace required	string Namespace associated with the service. It will be used in deduplication logic.
	Array of objects (v2Port) The set of ports on which this service is exposed.
serviceType required	string (v2ServiceType) Default: "INVALID_TYPE" Enum: "INVALID_TYPE" "INTERNAL" "LOADBALANCER" "MESH_EXTERNAL" ServiceType denotes the exposition of a service in the mesh. INTERNAL: A regular service that is not directly exposed to the outside world. LOADBALANCER: A load balancer service running only the proxy as the workload. MESH_EXTERNAL: A mesh external service.
shortName required	string Short name for the service, used to uniquely identify it within the organization.
source required	string Source of the service: Kubernetes, Istio, Consul, etc.
spiffeIds	Array of strings List of SPIFFE identities used by the workloads of the service.
state required	string (v2State) Default: "INVALID_STATE" Enum: "INVALID_STATE" "EXTERNAL" "OBSERVED" "CONTROLLED" State denotes how deep is the knowledge of a service by the mesh. Meaning that if a service can be controlled, observed or none of these. EXTERNAL: An external service is a service that is known, but that cannot be observed (we can't get metrics for it) and cannot be controlled. OBSERVED: An observed service is a known service that we can have metrics for. For example, a service running the Skywalking agents. CONTROLLED: A controlled service is a service that is part of the mesh and has a proxy we can configure.
subsets	Array of strings Subset denotes a specific version of a service. By default the 'version' label is used to designate subsets of a workload. Known subsets for the service.

Responses

Request samples

Payload

Content type

application/json

{"canonicalName": "string",
"cluster": "string",
"externalAddresses": ["string"
],
"hostnames": ["string"
],
"namespace": "string",
"ports": [{"number": 0,
"name": "string"
}
],
"serviceType": "INVALID_TYPE",
"shortName": "string",
"source": "string",
"spiffeIds": ["string"
],
"state": "INVALID_STATE",
"subsets": ["string"
]
}

Response samples

200
default

Content type

application/json

{"fqn": "string",
"displayName": "string",
"etag": "string",
"description": "string",
"shortName": "string",
"hostnames": ["string"
],
"ports": [{"number": 0,
"name": "string",
"serviceDeployments": ["string"
]
}
],
"subsets": ["string"
],
"serviceType": "INVALID_TYPE",
"externalAddresses": ["string"
],
"state": "INVALID_STATE",
"metrics": [{"name": "string",
"description": "string",
"aggregationKey": "string",
"type": "INVALID",
"serviceDeployment": "string",
"parentMetric": "string"
}
],
"serviceDeployments": [{"fqn": "string",
"source": "string"
}
],
"subsetDeployments": [{"name": "string",
"serviceDeployments": ["string"
]
}
],
"canonicalName": "string",
"spiffeIds": ["string"
]
}

Remove the given service from the organization registry. This API is currently only intended for internal use by the discovery agents. $hide_from_docs

path Parameters

organization

required

string

Organization name.

Request Body schema: application/json
required

cluster required	string Name of the cluster of the service.
namespace required	string Namespace of the service.
shortName required	string (Name attribute of the service)

Responses

Request samples

Payload

Content type

application/json

{"cluster": "string",
"namespace": "string",
"shortName": "string"
}

Response samples

200
default

Content type

application/json

{ }

Get the details of a registered service

path Parameters

organization required	string Organization name.
service required	string Service name.

Responses

Response samples

200
default

Content type

application/json

{"fqn": "string",
"displayName": "string",
"etag": "string",
"description": "string",
"shortName": "string",
"hostnames": ["string"
],
"ports": [{"number": 0,
"name": "string",
"serviceDeployments": ["string"
]
}
],
"subsets": ["string"
],
"serviceType": "INVALID_TYPE",
"externalAddresses": ["string"
],
"state": "INVALID_STATE",
"metrics": [{"name": "string",
"description": "string",
"aggregationKey": "string",
"type": "INVALID",
"serviceDeployment": "string",
"parentMetric": "string"
}
],
"serviceDeployments": [{"fqn": "string",
"source": "string"
}
],
"subsetDeployments": [{"name": "string",
"serviceDeployments": ["string"
]
}
],
"canonicalName": "string",
"spiffeIds": ["string"
]
}

Security

List all security groups in the given workspace.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
workspace required	string Workspace name.

Responses

Response samples

200
default

Content type

application/json

{"groups": [{"fqn": "string",
"displayName": "string",
"etag": "string",
"description": "string",
"namespaceSelector": {"names": ["string"
]
},
"configMode": "BRIDGED"
}
]
}

Create a new security group in the given workspace.

Groups will by default configure all the namespaces owned by their workspace, unless explicitly configured. If a specific set of namespaces is set for the group, it must be a subset of the namespaces defined by its workspace.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
workspace required	string Workspace name.

Request Body schema: application/json
required

required	object (v2Group) A gateway group manages the gateways in a group of namespaces owned by the parent workspace.
name required	string The short name for the resource to be created.

Responses

Request samples

Payload

Content type

application/json

{"group": {"displayName": "string",
"etag": "string",
"description": "string",
"namespaceSelector": {"names": ["string"
]
},
"configMode": "BRIDGED"
},
"name": "string"
}

Response samples

200
default

Content type

application/json

{"fqn": "string",
"displayName": "string",
"etag": "string",
"description": "string",
"namespaceSelector": {"names": ["string"
]
},
"configMode": "BRIDGED"
}

Get the details of the given security group.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
workspace required	string Workspace name.
securitygroup required	string Securitygroup name.

Responses

Response samples

200
default

Content type

application/json

{"fqn": "string",
"displayName": "string",
"etag": "string",
"description": "string",
"namespaceSelector": {"names": ["string"
]
},
"configMode": "BRIDGED"
}

Modify a security group.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
workspace required	string Workspace name.
securitygroup required	string Securitygroup name.

Request Body schema: application/json
required

configMode	string (v2ConfigMode) Default: "BRIDGED" Enum: "BRIDGED" "DIRECT" The configuration mode used by a traffic, security or a gateway group. BRIDGED: Indicates that the configurations to be added to the group will use macro APIs that automatically generate Istio APIs under the hood. DIRECT: Indicates that the configurations to be added to the group will directly use Istio APIs.
description	string (A description of the resource. $hide_from_yaml)
displayName	string (User friendly name for the resource. $hide_from_yaml)
etag	string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)
required	object (`NamespaceSelector` selects a set of namespaces across one or more clusters in a tenant. Namespace selectors can be used at Workspace level to carve out a chunk of resources under a tenant into an isolated configuration domain. They can be used in a Traffic, Security, or a Gateway group to further scope the set of namespaces that will belong to a specific configuration group. Names in namespaces selector must be in the form `cluster/namespace` where: - cluster must be a cluster name or an `` to mean all clusters - namespace must be a namespace name, an `` to mean all namespaces or a prefix like `ns-*` to mean all those namespaces starting by `ns-`)
securityDomain	string Security domains can be used to group different resources under the same security domain. Although security domain is not resource itself currently, it follows a fqn format `organizations/myorg/securitydomains/mysecuritydomain`, and a child cannot override any ancestor's security domain. Once a security domain is assigned to a Security group, all the children resources will belong to that security domain in the same way a Security setting belongs to a Security group, a Security setting will also belong to the security domain assigned to the Security group. Security domains can also be used to define Security settings Authorization rules in which you can allow or deny request from or to a security domain.

Responses

Request samples

Payload

Content type

application/json

{"configMode": "BRIDGED",
"description": "string",
"displayName": "string",
"etag": "string",
"namespaceSelector": {"names": ["string"
]
},
"securityDomain": "string"
}

Response samples

200
default

Content type

application/json

{"fqn": "string",
"displayName": "string",
"etag": "string",
"description": "string",
"namespaceSelector": {"names": ["string"
]
},
"configMode": "BRIDGED"
}

Delete the given security group. Note that deleting resources in TSB is a recursive operation. Deleting a security group will delete all configuration objects that exist in it.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
workspace required	string Workspace name.
securitygroup required	string Securitygroup name.

Responses

Response samples

200
default

Content type

application/json

{ }

List all service security settings objects that have been attached to the security group.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
workspace required	string Workspace name.
securitygroup required	string Securitygroup name.

Responses

Response samples

200
default

Content type

application/json

{"settings": [{"fqn": "string",
"displayName": "string",
"etag": "string",
"description": "string",
"service": "string",
"settings": {"fqn": "string",
"displayName": "string",
"etag": "string",
"description": "string",
"authentication": "UNSET",
"authorization": {"mode": "UNSET",
"serviceAccounts": ["string"
],
"http": {"external": {"uri": "string",
"includeRequestHeaders": ["string"
],
"tls": {"mode": "DISABLED",
"files": {"clientCertificate": "string",
"privateKey": "string",
"caCertificates": "string"
},
"subjectAltNames": ["string"
]
}
},
"local": {"rules": [{"name": "string",
"from": [null
],
"to": [null
]
}
]
}
},
"rules": {"allow": [{"from": {"fqn": "string"
},
"to": {"fqn": "string"
}
}
],
"denyAll": true,
"deny": [{"from": {"fqn": "string"
},
"to": {"fqn": "string"
}
}
]
}
},
"authenticationSettings": {"trafficMode": "UNSET",
"http": {"jwt": {"issuer": "string",
"audiences": ["string"
],
"jwksUri": "string",
"jwks": "string"
}
}
},
"waf": {"rules": ["string"
]
},
"propagationStrategy": "REPLACE",
"extension": [{"fqn": "string",
"config": { }
}
]
},
"subsets": [{"name": "string",
"settings": {"fqn": "string",
"displayName": "string",
"etag": "string",
"description": "string",
"authentication": "UNSET",
"authorization": {"mode": "UNSET",
"serviceAccounts": ["string"
],
"http": {"external": {"uri": "string",
"includeRequestHeaders": [null
],
"tls": {"mode": null,
"files": null,
"subjectAltNames": [ ]
}
},
"local": {"rules": [null
]
}
},
"rules": {"allow": [{"from": null,
"to": null
}
],
"denyAll": true,
"deny": [{"from": null,
"to": null
}
]
}
},
"authenticationSettings": {"trafficMode": "UNSET",
"http": {"jwt": {"issuer": "string",
"audiences": [null
],
"jwksUri": "string",
"jwks": "string"
}
}
},
"waf": {"rules": ["string"
]
},
"propagationStrategy": "REPLACE",
"extension": [{"fqn": "string",
"config": { }
}
]
}
}
]
}
]
}

Create a service security settings object in the security group.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
workspace required	string Workspace name.
securitygroup required	string Securitygroup name.

Request Body schema: application/json
required

name required	string The short name for the resource to be created.
required	object (v2ServiceSecuritySetting) A service security setting applies configuration to a service in a security group. Missing fields will inherit values from the workspace-wide setting if any.

Responses

Request samples

Payload

Content type

application/json

{"name": "string",
"settings": {"displayName": "string",
"etag": "string",
"description": "string",
"service": "string",
"settings": {"displayName": "string",
"etag": "string",
"description": "string",
"authentication": "UNSET",
"authorization": {"mode": "UNSET",
"serviceAccounts": ["string"
],
"http": {"external": {"uri": "string",
"includeRequestHeaders": ["string"
],
"tls": {"mode": "DISABLED",
"files": {"clientCertificate": "string",
"privateKey": "string",
"caCertificates": "string"
},
"subjectAltNames": ["string"
]
}
},
"local": {"rules": [{"name": "string",
"from": [{"jwt": null
}
],
"to": [{"paths": [ ],
"methods": [ ]
}
]
}
]
}
},
"rules": {"allow": [{"from": {"fqn": "string"
},
"to": {"fqn": "string"
}
}
],
"denyAll": true,
"deny": [{"from": {"fqn": "string"
},
"to": {"fqn": "string"
}
}
]
}
},
"authenticationSettings": {"trafficMode": "UNSET",
"http": {"jwt": {"issuer": "string",
"audiences": ["string"
],
"jwksUri": "string",
"jwks": "string"
}
}
},
"waf": {"rules": ["string"
]
},
"propagationStrategy": "REPLACE",
"extension": [{"fqn": "string",
"config": { }
}
]
},
"subsets": [{"name": "string",
"settings": {"displayName": "string",
"etag": "string",
"description": "string",
"authentication": "UNSET",
"authorization": {"mode": "UNSET",
"serviceAccounts": ["string"
],
"http": {"external": {"uri": "string",
"includeRequestHeaders": ["string"
],
"tls": {"mode": "DISABLED",
"files": {"clientCertificate": null,
"privateKey": null,
"caCertificates": null
},
"subjectAltNames": [null
]
}
},
"local": {"rules": [{"name": null,
"from": [ ],
"to": [ ]
}
]
}
},
"rules": {"allow": [{"from": {"fqn": null
},
"to": {"fqn": null
}
}
],
"denyAll": true,
"deny": [{"from": {"fqn": null
},
"to": {"fqn": null
}
}
]
}
},
"authenticationSettings": {"trafficMode": "UNSET",
"http": {"jwt": {"issuer": "string",
"audiences": ["string"
],
"jwksUri": "string",
"jwks": "string"
}
}
},
"waf": {"rules": ["string"
]
},
"propagationStrategy": "REPLACE",
"extension": [{"fqn": "string",
"config": { }
}
]
}
}
]
}
}

Response samples

200
default

Content type

application/json

{"fqn": "string",
"displayName": "string",
"etag": "string",
"description": "string",
"service": "string",
"settings": {"fqn": "string",
"displayName": "string",
"etag": "string",
"description": "string",
"authentication": "UNSET",
"authorization": {"mode": "UNSET",
"serviceAccounts": ["string"
],
"http": {"external": {"uri": "string",
"includeRequestHeaders": ["string"
],
"tls": {"mode": "DISABLED",
"files": {"clientCertificate": "string",
"privateKey": "string",
"caCertificates": "string"
},
"subjectAltNames": ["string"
]
}
},
"local": {"rules": [{"name": "string",
"from": [{"jwt": {"iss": null,
"sub": null,
"other": { }
}
}
],
"to": [{"paths": [null
],
"methods": [null
]
}
]
}
]
}
},
"rules": {"allow": [{"from": {"fqn": "string"
},
"to": {"fqn": "string"
}
}
],
"denyAll": true,
"deny": [{"from": {"fqn": "string"
},
"to": {"fqn": "string"
}
}
]
}
},
"authenticationSettings": {"trafficMode": "UNSET",
"http": {"jwt": {"issuer": "string",
"audiences": ["string"
],
"jwksUri": "string",
"jwks": "string"
}
}
},
"waf": {"rules": ["string"
]
},
"propagationStrategy": "REPLACE",
"extension": [{"fqn": "string",
"config": { }
}
]
},
"subsets": [{"name": "string",
"settings": {"fqn": "string",
"displayName": "string",
"etag": "string",
"description": "string",
"authentication": "UNSET",
"authorization": {"mode": "UNSET",
"serviceAccounts": ["string"
],
"http": {"external": {"uri": "string",
"includeRequestHeaders": ["string"
],
"tls": {"mode": "DISABLED",
"files": {"clientCertificate": "string",
"privateKey": "string",
"caCertificates": "string"
},
"subjectAltNames": ["string"
]
}
},
"local": {"rules": [{"name": "string",
"from": [null
],
"to": [null
]
}
]
}
},
"rules": {"allow": [{"from": {"fqn": "string"
},
"to": {"fqn": "string"
}
}
],
"denyAll": true,
"deny": [{"from": {"fqn": "string"
},
"to": {"fqn": "string"
}
}
]
}
},
"authenticationSettings": {"trafficMode": "UNSET",
"http": {"jwt": {"issuer": "string",
"audiences": ["string"
],
"jwksUri": "string",
"jwks": "string"
}
}
},
"waf": {"rules": ["string"
]
},
"propagationStrategy": "REPLACE",
"extension": [{"fqn": "string",
"config": { }
}
]
}
}
]
}

Get the details of the given service security settings object.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
workspace required	string Workspace name.
securitygroup required	string Securitygroup name.
servicesetting required	string Servicesetting name.

Responses

Response samples

200
default

Content type

application/json

{"fqn": "string",
"displayName": "string",
"etag": "string",
"description": "string",
"service": "string",
"settings": {"fqn": "string",
"displayName": "string",
"etag": "string",
"description": "string",
"authentication": "UNSET",
"authorization": {"mode": "UNSET",
"serviceAccounts": ["string"
],
"http": {"external": {"uri": "string",
"includeRequestHeaders": ["string"
],
"tls": {"mode": "DISABLED",
"files": {"clientCertificate": "string",
"privateKey": "string",
"caCertificates": "string"
},
"subjectAltNames": ["string"
]
}
},
"local": {"rules": [{"name": "string",
"from": [{"jwt": {"iss": null,
"sub": null,
"other": { }
}
}
],
"to": [{"paths": [null
],
"methods": [null
]
}
]
}
]
}
},
"rules": {"allow": [{"from": {"fqn": "string"
},
"to": {"fqn": "string"
}
}
],
"denyAll": true,
"deny": [{"from": {"fqn": "string"
},
"to": {"fqn": "string"
}
}
]
}
},
"authenticationSettings": {"trafficMode": "UNSET",
"http": {"jwt": {"issuer": "string",
"audiences": ["string"
],
"jwksUri": "string",
"jwks": "string"
}
}
},
"waf": {"rules": ["string"
]
},
"propagationStrategy": "REPLACE",
"extension": [{"fqn": "string",
"config": { }
}
]
},
"subsets": [{"name": "string",
"settings": {"fqn": "string",
"displayName": "string",
"etag": "string",
"description": "string",
"authentication": "UNSET",
"authorization": {"mode": "UNSET",
"serviceAccounts": ["string"
],
"http": {"external": {"uri": "string",
"includeRequestHeaders": ["string"
],
"tls": {"mode": "DISABLED",
"files": {"clientCertificate": "string",
"privateKey": "string",
"caCertificates": "string"
},
"subjectAltNames": ["string"
]
}
},
"local": {"rules": [{"name": "string",
"from": [null
],
"to": [null
]
}
]
}
},
"rules": {"allow": [{"from": {"fqn": "string"
},
"to": {"fqn": "string"
}
}
],
"denyAll": true,
"deny": [{"from": {"fqn": "string"
},
"to": {"fqn": "string"
}
}
]
}
},
"authenticationSettings": {"trafficMode": "UNSET",
"http": {"jwt": {"issuer": "string",
"audiences": ["string"
],
"jwksUri": "string",
"jwks": "string"
}
}
},
"waf": {"rules": ["string"
]
},
"propagationStrategy": "REPLACE",
"extension": [{"fqn": "string",
"config": { }
}
]
}
}
]
}

Modify the given service security settings object.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
workspace required	string Workspace name.
securitygroup required	string Securitygroup name.
servicesetting required	string Servicesetting name.

Request Body schema: application/json
required

description	string (A description of the resource. $hide_from_yaml)
displayName	string (User friendly name for the resource. $hide_from_yaml)
etag	string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)
service required	string The service on which the configuration is being applied. Must be in namespace/FQDN format.
	object (v2SecuritySetting) A security setting applies configuration to a set of proxy workloads in a security group or a workspace. When applied to a security group, missing fields will inherit values from the workspace-wide setting if any.
	Array of objects (ServiceSecuritySettingSubset) Subset specific settings that will replace the service wide settings for the specified service subsets.

Responses

Request samples

Payload

Content type

application/json

{"description": "string",
"displayName": "string",
"etag": "string",
"service": "string",
"settings": {"displayName": "string",
"etag": "string",
"description": "string",
"authentication": "UNSET",
"authorization": {"mode": "UNSET",
"serviceAccounts": ["string"
],
"http": {"external": {"uri": "string",
"includeRequestHeaders": ["string"
],
"tls": {"mode": "DISABLED",
"files": {"clientCertificate": "string",
"privateKey": "string",
"caCertificates": "string"
},
"subjectAltNames": ["string"
]
}
},
"local": {"rules": [{"name": "string",
"from": [{"jwt": {"iss": null,
"sub": null,
"other": { }
}
}
],
"to": [{"paths": [null
],
"methods": [null
]
}
]
}
]
}
},
"rules": {"allow": [{"from": {"fqn": "string"
},
"to": {"fqn": "string"
}
}
],
"denyAll": true,
"deny": [{"from": {"fqn": "string"
},
"to": {"fqn": "string"
}
}
]
}
},
"authenticationSettings": {"trafficMode": "UNSET",
"http": {"jwt": {"issuer": "string",
"audiences": ["string"
],
"jwksUri": "string",
"jwks": "string"
}
}
},
"waf": {"rules": ["string"
]
},
"propagationStrategy": "REPLACE",
"extension": [{"fqn": "string",
"config": { }
}
]
},
"subsets": [{"name": "string",
"settings": {"displayName": "string",
"etag": "string",
"description": "string",
"authentication": "UNSET",
"authorization": {"mode": "UNSET",
"serviceAccounts": ["string"
],
"http": {"external": {"uri": "string",
"includeRequestHeaders": ["string"
],
"tls": {"mode": "DISABLED",
"files": {"clientCertificate": "string",
"privateKey": "string",
"caCertificates": "string"
},
"subjectAltNames": ["string"
]
}
},
"local": {"rules": [{"name": "string",
"from": [null
],
"to": [null
]
}
]
}
},
"rules": {"allow": [{"from": {"fqn": "string"
},
"to": {"fqn": "string"
}
}
],
"denyAll": true,
"deny": [{"from": {"fqn": "string"
},
"to": {"fqn": "string"
}
}
]
}
},
"authenticationSettings": {"trafficMode": "UNSET",
"http": {"jwt": {"issuer": "string",
"audiences": ["string"
],
"jwksUri": "string",
"jwks": "string"
}
}
},
"waf": {"rules": ["string"
]
},
"propagationStrategy": "REPLACE",
"extension": [{"fqn": "string",
"config": { }
}
]
}
}
]
}

Response samples

200
default

Content type

application/json

{"fqn": "string",
"displayName": "string",
"etag": "string",
"description": "string",
"service": "string",
"settings": {"fqn": "string",
"displayName": "string",
"etag": "string",
"description": "string",
"authentication": "UNSET",
"authorization": {"mode": "UNSET",
"serviceAccounts": ["string"
],
"http": {"external": {"uri": "string",
"includeRequestHeaders": ["string"
],
"tls": {"mode": "DISABLED",
"files": {"clientCertificate": "string",
"privateKey": "string",
"caCertificates": "string"
},
"subjectAltNames": ["string"
]
}
},
"local": {"rules": [{"name": "string",
"from": [{"jwt": {"iss": null,
"sub": null,
"other": { }
}
}
],
"to": [{"paths": [null
],
"methods": [null
]
}
]
}
]
}
},
"rules": {"allow": [{"from": {"fqn": "string"
},
"to": {"fqn": "string"
}
}
],
"denyAll": true,
"deny": [{"from": {"fqn": "string"
},
"to": {"fqn": "string"
}
}
]
}
},
"authenticationSettings": {"trafficMode": "UNSET",
"http": {"jwt": {"issuer": "string",
"audiences": ["string"
],
"jwksUri": "string",
"jwks": "string"
}
}
},
"waf": {"rules": ["string"
]
},
"propagationStrategy": "REPLACE",
"extension": [{"fqn": "string",
"config": { }
}
]
},
"subsets": [{"name": "string",
"settings": {"fqn": "string",
"displayName": "string",
"etag": "string",
"description": "string",
"authentication": "UNSET",
"authorization": {"mode": "UNSET",
"serviceAccounts": ["string"
],
"http": {"external": {"uri": "string",
"includeRequestHeaders": ["string"
],
"tls": {"mode": "DISABLED",
"files": {"clientCertificate": "string",
"privateKey": "string",
"caCertificates": "string"
},
"subjectAltNames": ["string"
]
}
},
"local": {"rules": [{"name": "string",
"from": [null
],
"to": [null
]
}
]
}
},
"rules": {"allow": [{"from": {"fqn": "string"
},
"to": {"fqn": "string"
}
}
],
"denyAll": true,
"deny": [{"from": {"fqn": "string"
},
"to": {"fqn": "string"
}
}
]
}
},
"authenticationSettings": {"trafficMode": "UNSET",
"http": {"jwt": {"issuer": "string",
"audiences": ["string"
],
"jwksUri": "string",
"jwks": "string"
}
}
},
"waf": {"rules": ["string"
]
},
"propagationStrategy": "REPLACE",
"extension": [{"fqn": "string",
"config": { }
}
]
}
}
]
}

Delete the given service security settings from the group.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
workspace required	string Workspace name.
securitygroup required	string Securitygroup name.
servicesetting required	string Servicesetting name.

Responses

Response samples

200
default

Content type

application/json

{ }

List all security settings objects that have been attached to the security group.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
workspace required	string Workspace name.
securitygroup required	string Securitygroup name.

Responses

Response samples

200
default

Content type

application/json

{"settings": [{"fqn": "string",
"displayName": "string",
"etag": "string",
"description": "string",
"authentication": "UNSET",
"authorization": {"mode": "UNSET",
"serviceAccounts": ["string"
],
"http": {"external": {"uri": "string",
"includeRequestHeaders": ["string"
],
"tls": {"mode": "DISABLED",
"files": {"clientCertificate": "string",
"privateKey": "string",
"caCertificates": "string"
},
"subjectAltNames": ["string"
]
}
},
"local": {"rules": [{"name": "string",
"from": [{"jwt": null
}
],
"to": [{"paths": [ ],
"methods": [ ]
}
]
}
]
}
},
"rules": {"allow": [{"from": {"fqn": "string"
},
"to": {"fqn": "string"
}
}
],
"denyAll": true,
"deny": [{"from": {"fqn": "string"
},
"to": {"fqn": "string"
}
}
]
}
},
"authenticationSettings": {"trafficMode": "UNSET",
"http": {"jwt": {"issuer": "string",
"audiences": ["string"
],
"jwksUri": "string",
"jwks": "string"
}
}
},
"waf": {"rules": ["string"
]
},
"propagationStrategy": "REPLACE",
"extension": [{"fqn": "string",
"config": { }
}
]
}
]
}

Create a security settings object in the security group.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
workspace required	string Workspace name.
securitygroup required	string Securitygroup name.

Request Body schema: application/json
required

name required	string The short name for the resource to be created.
required	object (v2SecuritySetting) A security setting applies configuration to a set of proxy workloads in a security group or a workspace. When applied to a security group, missing fields will inherit values from the workspace-wide setting if any.

Responses

Request samples

Payload

Content type

application/json

{"name": "string",
"settings": {"displayName": "string",
"etag": "string",
"description": "string",
"authentication": "UNSET",
"authorization": {"mode": "UNSET",
"serviceAccounts": ["string"
],
"http": {"external": {"uri": "string",
"includeRequestHeaders": ["string"
],
"tls": {"mode": "DISABLED",
"files": {"clientCertificate": "string",
"privateKey": "string",
"caCertificates": "string"
},
"subjectAltNames": ["string"
]
}
},
"local": {"rules": [{"name": "string",
"from": [{"jwt": {"iss": null,
"sub": null,
"other": { }
}
}
],
"to": [{"paths": [null
],
"methods": [null
]
}
]
}
]
}
},
"rules": {"allow": [{"from": {"fqn": "string"
},
"to": {"fqn": "string"
}
}
],
"denyAll": true,
"deny": [{"from": {"fqn": "string"
},
"to": {"fqn": "string"
}
}
]
}
},
"authenticationSettings": {"trafficMode": "UNSET",
"http": {"jwt": {"issuer": "string",
"audiences": ["string"
],
"jwksUri": "string",
"jwks": "string"
}
}
},
"waf": {"rules": ["string"
]
},
"propagationStrategy": "REPLACE",
"extension": [{"fqn": "string",
"config": { }
}
]
}
}

Response samples

200
default

Content type

application/json

{"fqn": "string",
"displayName": "string",
"etag": "string",
"description": "string",
"authentication": "UNSET",
"authorization": {"mode": "UNSET",
"serviceAccounts": ["string"
],
"http": {"external": {"uri": "string",
"includeRequestHeaders": ["string"
],
"tls": {"mode": "DISABLED",
"files": {"clientCertificate": "string",
"privateKey": "string",
"caCertificates": "string"
},
"subjectAltNames": ["string"
]
}
},
"local": {"rules": [{"name": "string",
"from": [{"jwt": {"iss": "string",
"sub": "string",
"other": {"property1": null,
"property2": null
}
}
}
],
"to": [{"paths": ["string"
],
"methods": ["string"
]
}
]
}
]
}
},
"rules": {"allow": [{"from": {"fqn": "string"
},
"to": {"fqn": "string"
}
}
],
"denyAll": true,
"deny": [{"from": {"fqn": "string"
},
"to": {"fqn": "string"
}
}
]
}
},
"authenticationSettings": {"trafficMode": "UNSET",
"http": {"jwt": {"issuer": "string",
"audiences": ["string"
],
"jwksUri": "string",
"jwks": "string"
}
}
},
"waf": {"rules": ["string"
]
},
"propagationStrategy": "REPLACE",
"extension": [{"fqn": "string",
"config": { }
}
]
}

Get the details of the given security settings object.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
workspace required	string Workspace name.
securitygroup required	string Securitygroup name.
setting required	string Setting name.

Responses

Response samples

200
default

Content type

application/json

{"fqn": "string",
"displayName": "string",
"etag": "string",
"description": "string",
"authentication": "UNSET",
"authorization": {"mode": "UNSET",
"serviceAccounts": ["string"
],
"http": {"external": {"uri": "string",
"includeRequestHeaders": ["string"
],
"tls": {"mode": "DISABLED",
"files": {"clientCertificate": "string",
"privateKey": "string",
"caCertificates": "string"
},
"subjectAltNames": ["string"
]
}
},
"local": {"rules": [{"name": "string",
"from": [{"jwt": {"iss": "string",
"sub": "string",
"other": {"property1": null,
"property2": null
}
}
}
],
"to": [{"paths": ["string"
],
"methods": ["string"
]
}
]
}
]
}
},
"rules": {"allow": [{"from": {"fqn": "string"
},
"to": {"fqn": "string"
}
}
],
"denyAll": true,
"deny": [{"from": {"fqn": "string"
},
"to": {"fqn": "string"
}
}
]
}
},
"authenticationSettings": {"trafficMode": "UNSET",
"http": {"jwt": {"issuer": "string",
"audiences": ["string"
],
"jwksUri": "string",
"jwks": "string"
}
}
},
"waf": {"rules": ["string"
]
},
"propagationStrategy": "REPLACE",
"extension": [{"fqn": "string",
"config": { }
}
]
}

Modify the given security settings object.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
workspace required	string Workspace name.
securitygroup required	string Securitygroup name.
setting required	string Setting name.

Request Body schema: application/json
required

authentication	string (SecuritySettingAuthenticationMode) Default: "UNSET" Enum: "UNSET" "OPTIONAL" "REQUIRED" AuthenticationMode indicates whether to accept only Istio mutual TLS authenticated traffic or allow legacy plaintext traffic as well. UNSET: Inherit from parent, if has one. Otherwise treated as OPTIONAL. OPTIONAL: Accept both plaintext and mTLS authenticated connections. REQUIRED: Accept only mutual TLS authenticated connections.
	object (v2AuthenticationSettings) AuthenticationSettings represents configuration related to authenticating traffic within the mesh and end-user credentials if present. It is HIGHLY RECOMMENDED to enable mutual TLS when end-user credentials are present. Sending credentials like JWT over plaintext is a security risk.
	object (v2AuthorizationSettings) `AuthorizationSettings` define the set of service accounts in one or more namespaces allowed to access a workload (and hence its sidecar) in the mesh.
description	string (A description of the resource. $hide_from_yaml)
displayName	string (User friendly name for the resource. $hide_from_yaml)
etag	string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)
	Array of objects (v2WasmExtensionAttachment) Extensions specifies all the WasmExtensions assigned to this SecuritySettings with the specific configuration for each extension. This custom configuration will override the one configured globally to the extension. Each extension has a global configuration including enabling and priority that will condition the execution of the assigned extensions.
propagationStrategy	string (v2PropagationStrategy) Default: "REPLACE" Enum: "REPLACE" "STRICTER" The PropagationStrategy is the key differentiating factor to decide how a security policy should be propagated and applied at runtime across clusters. The default propagation strategy is REPLACE, in which a lower level SecuritySetting in the configuration hierarchy replaces a higher level SecuritySetting. The STRICTER PropagationStrategy on the other hand makes sure the default SecuritySettings configured at the parent level are always enforced and propagated down the hierarchy unless additional SecuritySettings are defined and restricted further in the configuration hierarchy. `REPLACE` should be used when resources in the hierarchy are allowed to override the default settings configured at the higher levels. `STRICTER` should be used when the default settings must prevail, and the settings can only be made more restrictive by child resources at lower levels of the hierarchy. When a resource or property of it affected by the propagation strategy is propagated down the hierarchy, regardless of the defined strategy (`REPLACE` or `STRICTER`), a parent defined resource or a property of the resource will be used (propagated) in absence of a child resource or a property of it. For example, the following policy configures optional mTLS for traffic within the workspace, but it allows SecuritySettings to modify it. The example shows a workspace that configures service-to-service access so that only services in the same workspace can talk to each other. The `REPLACE` propagation policy allows individual settings to override it. In the example, the SecuritySettings allows services within that group to be reachable from any service in the cluster, regardless for the workspace they belong to, even though the Workspace restricts service-to-service access to only services in the Workspace. `apiVersion: api.tsb.tetrate.io/v2 kind: WorkspaceSetting metadata: name: w1-settings workspace: w1 tenant: mycompany organization: myorg spec: defaultSecuritySetting: propagationStrategy: REPLACE authorization: mode: WORKSPACE --- apiVersion: security.tsb.tetrate.io/v2 kind: SecuritySetting metadata: name: defaults group: t1 workspace: w1 tenant: mycompany organization: myorg spec: authorization: mode: CLUSTER` `STRICTER` propagation configures defaults that can be only be restricted down the hierarchy. The following example configures the same WorkspaceSetting but with a `STRICTER` propagation mode. The `defaults` SecuritySetting further narrows down that access to the `GROUP` scope, which is allowed because GROUP is more strict than WORKSPACE. However, the `defaults-invalid` SecuritySetting configures `CLUSTER` access, which would widen the scope defined at the Workspace. That settings will not be allowed based on the `STRICTER` propagation policy. apiVersion: api.tsb.tetrate.io/v2 kind: WorkspaceSetting metadata: name: w1-settings workspace: w1 tenant: mycompany organization: myorg spec: defaultSecuritySetting: propagationStrategy: STRICTER authorization: mode: WORKSPACE --- apiVersion: security.tsb.tetrate.io/v2 kind: SecuritySetting metadata: name: defaults group: t1 workspace: w1 tenant: mycompany organization: myorg spec: authorization: mode: GROUP --- apiVersion: security.tsb.tetrate.io/v2 kind: SecuritySetting metadata: name: defaults-invalid group: t2 workspace: w1 tenant: mycompany organization: myorg spec: authorization: mode: CLUSTER Further details of how security settings are resolved between in `STRICTER` mode between a parent and a child resource can be found in the SecuritySettings reference. REPLACE: Is the default configuration propagation strategy. A lower defined configuration in the hierarchy will replace a higher configuration in the hierarchy. Otherwise, if a lower configuration is not defined, the configuration higher up in the hierarchy will prevail. For instance, a defined default propagation strategy for workspace default security settings will replace tenant's defined default security settings. STRICTER: STRICTER propagation strategy propagates the strictest configuration between a defined higher level and a defined lower level configuration in the hierarchy. If a lower level configuration in the hierarchy is not defined, the higher one will prevail. Which configuration is stricter than the other is defined by each concrete configuration that allows specifying a propagation strategy.
	object (WAFSettings configure WAF based on seclang See https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual-%28v3.x%29#Configuration_Directives)

Responses

Request samples

Payload

Content type

application/json

{"authentication": "UNSET",
"authenticationSettings": {"trafficMode": "UNSET",
"http": {"jwt": {"issuer": "string",
"audiences": ["string"
],
"jwksUri": "string",
"jwks": "string"
}
}
},
"authorization": {"mode": "UNSET",
"serviceAccounts": ["string"
],
"http": {"external": {"uri": "string",
"includeRequestHeaders": ["string"
],
"tls": {"mode": "DISABLED",
"files": {"clientCertificate": "string",
"privateKey": "string",
"caCertificates": "string"
},
"subjectAltNames": ["string"
]
}
},
"local": {"rules": [{"name": "string",
"from": [{"jwt": {"iss": "string",
"sub": "string",
"other": {"property1": null,
"property2": null
}
}
}
],
"to": [{"paths": ["string"
],
"methods": ["string"
]
}
]
}
]
}
},
"rules": {"allow": [{"from": {"fqn": "string"
},
"to": {"fqn": "string"
}
}
],
"denyAll": true,
"deny": [{"from": {"fqn": "string"
},
"to": {"fqn": "string"
}
}
]
}
},
"description": "string",
"displayName": "string",
"etag": "string",
"extension": [{"fqn": "string",
"config": { }
}
],
"propagationStrategy": "REPLACE",
"waf": {"rules": ["string"
]
}
}

Response samples

200
default

Content type

application/json

{"fqn": "string",
"displayName": "string",
"etag": "string",
"description": "string",
"authentication": "UNSET",
"authorization": {"mode": "UNSET",
"serviceAccounts": ["string"
],
"http": {"external": {"uri": "string",
"includeRequestHeaders": ["string"
],
"tls": {"mode": "DISABLED",
"files": {"clientCertificate": "string",
"privateKey": "string",
"caCertificates": "string"
},
"subjectAltNames": ["string"
]
}
},
"local": {"rules": [{"name": "string",
"from": [{"jwt": {"iss": "string",
"sub": "string",
"other": {"property1": null,
"property2": null
}
}
}
],
"to": [{"paths": ["string"
],
"methods": ["string"
]
}
]
}
]
}
},
"rules": {"allow": [{"from": {"fqn": "string"
},
"to": {"fqn": "string"
}
}
],
"denyAll": true,
"deny": [{"from": {"fqn": "string"
},
"to": {"fqn": "string"
}
}
]
}
},
"authenticationSettings": {"trafficMode": "UNSET",
"http": {"jwt": {"issuer": "string",
"audiences": ["string"
],
"jwksUri": "string",
"jwks": "string"
}
}
},
"waf": {"rules": ["string"
]
},
"propagationStrategy": "REPLACE",
"extension": [{"fqn": "string",
"config": { }
}
]
}

Delete the given security settings from the group.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
workspace required	string Workspace name.
securitygroup required	string Securitygroup name.
setting required	string Setting name.

Responses

Response samples

200
default

Content type

application/json

{ }

Traffic

List all traffic groups in the given workspace.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
workspace required	string Workspace name.

Responses

Response samples

200
default

Content type

application/json

{"groups": [{"fqn": "string",
"displayName": "string",
"etag": "string",
"description": "string",
"namespaceSelector": {"names": ["string"
]
},
"configMode": "BRIDGED"
}
]
}

Create a new traffic group in the given workspace.

Groups will by default configure all the namespaces owned by their workspace, unless explicitly configured. If a specific set of namespaces is set for the group, it must be a subset of the namespaces defined by its workspace.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
workspace required	string Workspace name.

Request Body schema: application/json
required

required	object (v2Group) A gateway group manages the gateways in a group of namespaces owned by the parent workspace.
name required	string The short name for the resource to be created.

Responses

Request samples

Payload

Content type

application/json

{"group": {"displayName": "string",
"etag": "string",
"description": "string",
"namespaceSelector": {"names": ["string"
]
},
"configMode": "BRIDGED"
},
"name": "string"
}

Response samples

200
default

Content type

application/json

{"fqn": "string",
"displayName": "string",
"etag": "string",
"description": "string",
"namespaceSelector": {"names": ["string"
]
},
"configMode": "BRIDGED"
}

Get the details of the given traffic group.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
workspace required	string Workspace name.
trafficgroup required	string Trafficgroup name.

Responses

Response samples

200
default

Content type

application/json

{"fqn": "string",
"displayName": "string",
"etag": "string",
"description": "string",
"namespaceSelector": {"names": ["string"
]
},
"configMode": "BRIDGED"
}

Modify the given traffic group.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
workspace required	string Workspace name.
trafficgroup required	string Trafficgroup name.

Request Body schema: application/json
required

configMode	string (v2ConfigMode) Default: "BRIDGED" Enum: "BRIDGED" "DIRECT" The configuration mode used by a traffic, security or a gateway group. BRIDGED: Indicates that the configurations to be added to the group will use macro APIs that automatically generate Istio APIs under the hood. DIRECT: Indicates that the configurations to be added to the group will directly use Istio APIs.
description	string (A description of the resource. $hide_from_yaml)
displayName	string (User friendly name for the resource. $hide_from_yaml)
etag	string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)
required	object (`NamespaceSelector` selects a set of namespaces across one or more clusters in a tenant. Namespace selectors can be used at Workspace level to carve out a chunk of resources under a tenant into an isolated configuration domain. They can be used in a Traffic, Security, or a Gateway group to further scope the set of namespaces that will belong to a specific configuration group. Names in namespaces selector must be in the form `cluster/namespace` where: - cluster must be a cluster name or an `` to mean all clusters - namespace must be a namespace name, an `` to mean all namespaces or a prefix like `ns-*` to mean all those namespaces starting by `ns-`)

Responses

Request samples

Payload

Content type

application/json

{"configMode": "BRIDGED",
"description": "string",
"displayName": "string",
"etag": "string",
"namespaceSelector": {"names": ["string"
]
}
}

Response samples

200
default

Content type

application/json

{"fqn": "string",
"displayName": "string",
"etag": "string",
"description": "string",
"namespaceSelector": {"names": ["string"
]
},
"configMode": "BRIDGED"
}

Delete the given traffic group. Note that deleting resources in TSB is a recursive operation. Deleting a traffic group will delete all configuration objects that exist in it.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
workspace required	string Workspace name.
trafficgroup required	string Trafficgroup name.

Responses

Response samples

200
default

Content type

application/json

{ }

List all service routes that have been attached to the traffic group.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
workspace required	string Workspace name.
trafficgroup required	string Trafficgroup name.

Responses

Response samples

200
default

Content type

application/json

{"serviceRoutes": [{"fqn": "string",
"displayName": "string",
"etag": "string",
"description": "string",
"service": "string",
"subsets": [{"name": "string",
"labels": {"property1": "string",
"property2": "string"
},
"weight": 0,
"portLevelSettings": [{"port": 0,
"trafficType": "HTTP",
"stickySession": {"header": "string",
"cookie": {"name": "string",
"path": "string",
"ttl": "string"
},
"useSourceIp": true
}
}
]
}
],
"stickySession": {"header": "string",
"cookie": {"name": "string",
"path": "string",
"ttl": "string"
},
"useSourceIp": true
},
"portLevelSettings": [{"port": 0,
"trafficType": "HTTP",
"stickySession": {"header": "string",
"cookie": {"name": "string",
"path": "string",
"ttl": "string"
},
"useSourceIp": true
}
}
],
"httpRoutes": [{"name": "string",
"match": [{"name": "string",
"uri": {"exact": "string",
"prefix": "string",
"regex": "string"
},
"headers": {"property1": {"exact": "string",
"prefix": "string",
"regex": "string"
},
"property2": {"exact": "string",
"prefix": "string",
"regex": "string"
}
},
"port": 0
}
],
"destination": [{"subset": "string",
"weight": 0,
"port": 0,
"destinationHost": "string"
}
]
}
],
"tcpRoutes": [{"name": "string",
"match": [{"name": "string",
"port": 0
}
],
"destination": [{"subset": "string",
"weight": 0,
"port": 0,
"destinationHost": "string"
}
]
}
]
}
]
}

Create a new service route in the given traffic group.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
workspace required	string Workspace name.
trafficgroup required	string Trafficgroup name.

Request Body schema: application/json
required

name required	string The short name for the resource to be created.
required	object (v2ServiceRoute) A service route controls routing configurations for traffic to a service in a traffic group.

Responses

Request samples

Payload

Content type

application/json

{"name": "string",
"serviceRoute": {"displayName": "string",
"etag": "string",
"description": "string",
"service": "string",
"subsets": [{"name": "string",
"labels": {"property1": "string",
"property2": "string"
},
"weight": 0,
"portLevelSettings": [{"port": 0,
"trafficType": "HTTP",
"stickySession": {"header": "string",
"cookie": {"name": "string",
"path": "string",
"ttl": "string"
},
"useSourceIp": true
}
}
]
}
],
"stickySession": {"header": "string",
"cookie": {"name": "string",
"path": "string",
"ttl": "string"
},
"useSourceIp": true
},
"portLevelSettings": [{"port": 0,
"trafficType": "HTTP",
"stickySession": {"header": "string",
"cookie": {"name": "string",
"path": "string",
"ttl": "string"
},
"useSourceIp": true
}
}
],
"httpRoutes": [{"name": "string",
"match": [{"name": "string",
"uri": {"exact": "string",
"prefix": "string",
"regex": "string"
},
"headers": {"property1": {"exact": "string",
"prefix": "string",
"regex": "string"
},
"property2": {"exact": "string",
"prefix": "string",
"regex": "string"
}
},
"port": 0
}
],
"destination": [{"subset": "string",
"weight": 0,
"port": 0,
"destinationHost": "string"
}
]
}
],
"tcpRoutes": [{"name": "string",
"match": [{"name": "string",
"port": 0
}
],
"destination": [{"subset": "string",
"weight": 0,
"port": 0,
"destinationHost": "string"
}
]
}
]
}
}

Response samples

200
default

Content type

application/json

{"fqn": "string",
"displayName": "string",
"etag": "string",
"description": "string",
"service": "string",
"subsets": [{"name": "string",
"labels": {"property1": "string",
"property2": "string"
},
"weight": 0,
"portLevelSettings": [{"port": 0,
"trafficType": "HTTP",
"stickySession": {"header": "string",
"cookie": {"name": "string",
"path": "string",
"ttl": "string"
},
"useSourceIp": true
}
}
]
}
],
"stickySession": {"header": "string",
"cookie": {"name": "string",
"path": "string",
"ttl": "string"
},
"useSourceIp": true
},
"portLevelSettings": [{"port": 0,
"trafficType": "HTTP",
"stickySession": {"header": "string",
"cookie": {"name": "string",
"path": "string",
"ttl": "string"
},
"useSourceIp": true
}
}
],
"httpRoutes": [{"name": "string",
"match": [{"name": "string",
"uri": {"exact": "string",
"prefix": "string",
"regex": "string"
},
"headers": {"property1": {"exact": "string",
"prefix": "string",
"regex": "string"
},
"property2": {"exact": "string",
"prefix": "string",
"regex": "string"
}
},
"port": 0
}
],
"destination": [{"subset": "string",
"weight": 0,
"port": 0,
"destinationHost": "string"
}
]
}
],
"tcpRoutes": [{"name": "string",
"match": [{"name": "string",
"port": 0
}
],
"destination": [{"subset": "string",
"weight": 0,
"port": 0,
"destinationHost": "string"
}
]
}
]
}

Get the details of the given service route.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
workspace required	string Workspace name.
trafficgroup required	string Trafficgroup name.
serviceroute required	string Serviceroute name.

Responses

Response samples

200
default

Content type

application/json

{"fqn": "string",
"displayName": "string",
"etag": "string",
"description": "string",
"service": "string",
"subsets": [{"name": "string",
"labels": {"property1": "string",
"property2": "string"
},
"weight": 0,
"portLevelSettings": [{"port": 0,
"trafficType": "HTTP",
"stickySession": {"header": "string",
"cookie": {"name": "string",
"path": "string",
"ttl": "string"
},
"useSourceIp": true
}
}
]
}
],
"stickySession": {"header": "string",
"cookie": {"name": "string",
"path": "string",
"ttl": "string"
},
"useSourceIp": true
},
"portLevelSettings": [{"port": 0,
"trafficType": "HTTP",
"stickySession": {"header": "string",
"cookie": {"name": "string",
"path": "string",
"ttl": "string"
},
"useSourceIp": true
}
}
],
"httpRoutes": [{"name": "string",
"match": [{"name": "string",
"uri": {"exact": "string",
"prefix": "string",
"regex": "string"
},
"headers": {"property1": {"exact": "string",
"prefix": "string",
"regex": "string"
},
"property2": {"exact": "string",
"prefix": "string",
"regex": "string"
}
},
"port": 0
}
],
"destination": [{"subset": "string",
"weight": 0,
"port": 0,
"destinationHost": "string"
}
]
}
],
"tcpRoutes": [{"name": "string",
"match": [{"name": "string",
"port": 0
}
],
"destination": [{"subset": "string",
"weight": 0,
"port": 0,
"destinationHost": "string"
}
]
}
]
}

Modify a service route.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
workspace required	string Workspace name.
trafficgroup required	string Trafficgroup name.
serviceroute required	string Serviceroute name.

Request Body schema: application/json
required

description	string (A description of the resource. $hide_from_yaml)
displayName	string (User friendly name for the resource. $hide_from_yaml)
etag	string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)
	Array of objects (v2HTTPRoute) HTTPRoutes are used when HTTP traffic needs to be matched on uri, headers and port and destination routes need to be set using subset-weight combinations specified within the route. Note: If a route is specified, then the global subset-weight combinations (specified under subsets) will be ignored for the matched port, as subsets within route will take effect.
	Array of objects (In order to support multi-protocol routing, a list of all port/protocol combinations is needed. These port settings are applied to all the subsets)
service required	string The service on which the configuration is being applied. Must be in namespace/FQDN format.
	object (ServiceRouteStickySession) If set, all requests from a client will be forward to the same backend.
required	Array of objects (ServiceRouteSubset) The set of versions of a service and the percentage of traffic to send to each version.
	Array of objects (v2TCPRoute) TCPRoutes match TCP traffic based on port number. The subset-weight configuration and priority have the same behaviour as HTTPRoutes.

Responses

Request samples

Payload

Content type

application/json

{"description": "string",
"displayName": "string",
"etag": "string",
"httpRoutes": [{"name": "string",
"match": [{"name": "string",
"uri": {"exact": "string",
"prefix": "string",
"regex": "string"
},
"headers": {"property1": {"exact": "string",
"prefix": "string",
"regex": "string"
},
"property2": {"exact": "string",
"prefix": "string",
"regex": "string"
}
},
"port": 0
}
],
"destination": [{"subset": "string",
"weight": 0,
"port": 0,
"destinationHost": "string"
}
]
}
],
"portLevelSettings": [{"port": 0,
"trafficType": "HTTP",
"stickySession": {"header": "string",
"cookie": {"name": "string",
"path": "string",
"ttl": "string"
},
"useSourceIp": true
}
}
],
"service": "string",
"stickySession": {"header": "string",
"cookie": {"name": "string",
"path": "string",
"ttl": "string"
},
"useSourceIp": true
},
"subsets": [{"name": "string",
"labels": {"property1": "string",
"property2": "string"
},
"weight": 0,
"portLevelSettings": [{"port": 0,
"trafficType": "HTTP",
"stickySession": {"header": "string",
"cookie": {"name": "string",
"path": "string",
"ttl": "string"
},
"useSourceIp": true
}
}
]
}
],
"tcpRoutes": [{"name": "string",
"match": [{"name": "string",
"port": 0
}
],
"destination": [{"subset": "string",
"weight": 0,
"port": 0,
"destinationHost": "string"
}
]
}
]
}

Response samples

200
default

Content type

application/json

{"fqn": "string",
"displayName": "string",
"etag": "string",
"description": "string",
"service": "string",
"subsets": [{"name": "string",
"labels": {"property1": "string",
"property2": "string"
},
"weight": 0,
"portLevelSettings": [{"port": 0,
"trafficType": "HTTP",
"stickySession": {"header": "string",
"cookie": {"name": "string",
"path": "string",
"ttl": "string"
},
"useSourceIp": true
}
}
]
}
],
"stickySession": {"header": "string",
"cookie": {"name": "string",
"path": "string",
"ttl": "string"
},
"useSourceIp": true
},
"portLevelSettings": [{"port": 0,
"trafficType": "HTTP",
"stickySession": {"header": "string",
"cookie": {"name": "string",
"path": "string",
"ttl": "string"
},
"useSourceIp": true
}
}
],
"httpRoutes": [{"name": "string",
"match": [{"name": "string",
"uri": {"exact": "string",
"prefix": "string",
"regex": "string"
},
"headers": {"property1": {"exact": "string",
"prefix": "string",
"regex": "string"
},
"property2": {"exact": "string",
"prefix": "string",
"regex": "string"
}
},
"port": 0
}
],
"destination": [{"subset": "string",
"weight": 0,
"port": 0,
"destinationHost": "string"
}
]
}
],
"tcpRoutes": [{"name": "string",
"match": [{"name": "string",
"port": 0
}
],
"destination": [{"subset": "string",
"weight": 0,
"port": 0,
"destinationHost": "string"
}
]
}
]
}

Delete the given service route.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
workspace required	string Workspace name.
trafficgroup required	string Trafficgroup name.
serviceroute required	string Serviceroute name.

Responses

Response samples

200
default

Content type

application/json

{ }

List all the settings objects that have been attached to the given traffic group.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
workspace required	string Workspace name.
trafficgroup required	string Trafficgroup name.

Responses

Response samples

200
default

Content type

application/json

{"settings": [{"fqn": "string",
"displayName": "string",
"etag": "string",
"description": "string",
"reachability": {"mode": "UNSET",
"hosts": ["string"
]
},
"resilience": {"httpRequestTimeout": "string",
"httpRetries": {"attempts": 0,
"perTryTimeout": "string",
"retryOn": "string"
},
"tcpKeepalive": true,
"keepAlive": {"tcp": {"downstream": {"probes": 0,
"idleTime": 0,
"interval": 0
},
"upstream": {"probes": 0,
"idleTime": 0,
"interval": 0
}
}
},
"circuitBreakerSensitivity": "UNSET"
},
"egress": {"host": "string",
"port": 0
},
"rateLimiting": {"settings": {"rules": [{"dimensions": [{"remoteAddress": {"value": null
},
"header": {"name": null,
"value": null,
"dontMatch": null
}
}
],
"limit": {"requestsPerUnit": 0,
"unit": "UNKNOWN"
}
}
],
"failClosed": true,
"timeout": "string"
},
"externalService": {"domain": "string",
"failClosed": true,
"rateLimitServerUri": "string",
"rules": [{"dimensions": [{"sourceCluster": { },
"destinationCluster": { },
"remoteAddress": { },
"requestHeaders": {"headerName": null,
"descriptorKey": null
},
"headerValueMatch": {"headers": { },
"descriptorValue": null,
"dontMatch": null
}
}
]
}
],
"timeout": "string",
"tls": {"mode": "DISABLED",
"files": {"clientCertificate": "string",
"privateKey": "string",
"caCertificates": "string"
},
"subjectAltNames": ["string"
]
}
}
}
}
]
}

Create a settings object for the given traffic group.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
workspace required	string Workspace name.
trafficgroup required	string Trafficgroup name.

Request Body schema: application/json
required

name required	string The short name for the resource to be created.
required	object (v2TrafficSetting) A traffic setting applies configuration to a set of proxy workloads in a traffic group or a workspace. When applied to a traffic group, missing fields will inherit values from the workspace-wide setting if any.

Responses

Request samples

Payload

Content type

application/json

{"name": "string",
"settings": {"displayName": "string",
"etag": "string",
"description": "string",
"reachability": {"mode": "UNSET",
"hosts": ["string"
]
},
"resilience": {"httpRequestTimeout": "string",
"httpRetries": {"attempts": 0,
"perTryTimeout": "string",
"retryOn": "string"
},
"tcpKeepalive": true,
"keepAlive": {"tcp": {"downstream": {"probes": 0,
"idleTime": 0,
"interval": 0
},
"upstream": {"probes": 0,
"idleTime": 0,
"interval": 0
}
}
},
"circuitBreakerSensitivity": "UNSET"
},
"egress": {"host": "string",
"port": 0
},
"rateLimiting": {"settings": {"rules": [{"dimensions": [{"remoteAddress": {"value": "string"
},
"header": {"name": "string",
"value": {"exact": null,
"prefix": null,
"regex": null
},
"dontMatch": true
}
}
],
"limit": {"requestsPerUnit": 0,
"unit": "UNKNOWN"
}
}
],
"failClosed": true,
"timeout": "string"
},
"externalService": {"domain": "string",
"failClosed": true,
"rateLimitServerUri": "string",
"rules": [{"dimensions": [{"sourceCluster": { },
"destinationCluster": { },
"remoteAddress": { },
"requestHeaders": {"headerName": "string",
"descriptorKey": "string"
},
"headerValueMatch": {"headers": {"property1": null,
"property2": null
},
"descriptorValue": "string",
"dontMatch": true
}
}
]
}
],
"timeout": "string",
"tls": {"mode": "DISABLED",
"files": {"clientCertificate": "string",
"privateKey": "string",
"caCertificates": "string"
},
"subjectAltNames": ["string"
]
}
}
}
}
}

Response samples

200
default

Content type

application/json

{"fqn": "string",
"displayName": "string",
"etag": "string",
"description": "string",
"reachability": {"mode": "UNSET",
"hosts": ["string"
]
},
"resilience": {"httpRequestTimeout": "string",
"httpRetries": {"attempts": 0,
"perTryTimeout": "string",
"retryOn": "string"
},
"tcpKeepalive": true,
"keepAlive": {"tcp": {"downstream": {"probes": 0,
"idleTime": 0,
"interval": 0
},
"upstream": {"probes": 0,
"idleTime": 0,
"interval": 0
}
}
},
"circuitBreakerSensitivity": "UNSET"
},
"egress": {"host": "string",
"port": 0
},
"rateLimiting": {"settings": {"rules": [{"dimensions": [{"remoteAddress": {"value": "string"
},
"header": {"name": "string",
"value": {"exact": "string",
"prefix": "string",
"regex": "string"
},
"dontMatch": true
}
}
],
"limit": {"requestsPerUnit": 0,
"unit": "UNKNOWN"
}
}
],
"failClosed": true,
"timeout": "string"
},
"externalService": {"domain": "string",
"failClosed": true,
"rateLimitServerUri": "string",
"rules": [{"dimensions": [{"sourceCluster": { },
"destinationCluster": { },
"remoteAddress": { },
"requestHeaders": {"headerName": "string",
"descriptorKey": "string"
},
"headerValueMatch": {"headers": {"property1": {"exact": null,
"prefix": null,
"regex": null
},
"property2": {"exact": null,
"prefix": null,
"regex": null
}
},
"descriptorValue": "string",
"dontMatch": true
}
}
]
}
],
"timeout": "string",
"tls": {"mode": "DISABLED",
"files": {"clientCertificate": "string",
"privateKey": "string",
"caCertificates": "string"
},
"subjectAltNames": ["string"
]
}
}
}
}

Get the details for the given settings object.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
workspace required	string Workspace name.
trafficgroup required	string Trafficgroup name.
setting required	string Setting name.

Responses

Response samples

200
default

Content type

application/json

{"fqn": "string",
"displayName": "string",
"etag": "string",
"description": "string",
"reachability": {"mode": "UNSET",
"hosts": ["string"
]
},
"resilience": {"httpRequestTimeout": "string",
"httpRetries": {"attempts": 0,
"perTryTimeout": "string",
"retryOn": "string"
},
"tcpKeepalive": true,
"keepAlive": {"tcp": {"downstream": {"probes": 0,
"idleTime": 0,
"interval": 0
},
"upstream": {"probes": 0,
"idleTime": 0,
"interval": 0
}
}
},
"circuitBreakerSensitivity": "UNSET"
},
"egress": {"host": "string",
"port": 0
},
"rateLimiting": {"settings": {"rules": [{"dimensions": [{"remoteAddress": {"value": "string"
},
"header": {"name": "string",
"value": {"exact": "string",
"prefix": "string",
"regex": "string"
},
"dontMatch": true
}
}
],
"limit": {"requestsPerUnit": 0,
"unit": "UNKNOWN"
}
}
],
"failClosed": true,
"timeout": "string"
},
"externalService": {"domain": "string",
"failClosed": true,
"rateLimitServerUri": "string",
"rules": [{"dimensions": [{"sourceCluster": { },
"destinationCluster": { },
"remoteAddress": { },
"requestHeaders": {"headerName": "string",
"descriptorKey": "string"
},
"headerValueMatch": {"headers": {"property1": {"exact": null,
"prefix": null,
"regex": null
},
"property2": {"exact": null,
"prefix": null,
"regex": null
}
},
"descriptorValue": "string",
"dontMatch": true
}
}
]
}
],
"timeout": "string",
"tls": {"mode": "DISABLED",
"files": {"clientCertificate": "string",
"privateKey": "string",
"caCertificates": "string"
},
"subjectAltNames": ["string"
]
}
}
}
}

Modify the given settings in the given traffic group.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
workspace required	string Workspace name.
trafficgroup required	string Trafficgroup name.
setting required	string Setting name.

Request Body schema: application/json
required

description	string (A description of the resource. $hide_from_yaml)
displayName	string (User friendly name for the resource. $hide_from_yaml)
	object (TrafficSettingEgressGateway) EgressGateway specifies the gateway where traffic external to the mesh will be redirected.
etag	string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)
	object (v2RateLimiting) Configuration for ratelimiting HTTP/gRPC requests can be rate limited based on a variety of attributes in the request such as headers (including cookies), URL path/prefixes, client remote address etc.
	object (v2ReachabilitySettings) `ReachabilitySettings` define the set of services and hosts accessed by a workload (and hence its sidecar) in the mesh. Defining the set of services accessed by a workload (i.e. its dependencies) in advance reduces the memory and CPU consumption both the Istio control plane and the individual Envoy proxy workloads in the data plane.
	object (v2ResilienceSettings) ResilienceSettings control the reliability knobs in Envoy when making outbound connections from a gateway or proxy workload.

Responses

Request samples

Payload

Content type

application/json

{"description": "string",
"displayName": "string",
"egress": {"host": "string",
"port": 0
},
"etag": "string",
"rateLimiting": {"settings": {"rules": [{"dimensions": [{"remoteAddress": {"value": "string"
},
"header": {"name": "string",
"value": {"exact": "string",
"prefix": "string",
"regex": "string"
},
"dontMatch": true
}
}
],
"limit": {"requestsPerUnit": 0,
"unit": "UNKNOWN"
}
}
],
"failClosed": true,
"timeout": "string"
},
"externalService": {"domain": "string",
"failClosed": true,
"rateLimitServerUri": "string",
"rules": [{"dimensions": [{"sourceCluster": { },
"destinationCluster": { },
"remoteAddress": { },
"requestHeaders": {"headerName": "string",
"descriptorKey": "string"
},
"headerValueMatch": {"headers": {"property1": {"exact": null,
"prefix": null,
"regex": null
},
"property2": {"exact": null,
"prefix": null,
"regex": null
}
},
"descriptorValue": "string",
"dontMatch": true
}
}
]
}
],
"timeout": "string",
"tls": {"mode": "DISABLED",
"files": {"clientCertificate": "string",
"privateKey": "string",
"caCertificates": "string"
},
"subjectAltNames": ["string"
]
}
}
},
"reachability": {"mode": "UNSET",
"hosts": ["string"
]
},
"resilience": {"httpRequestTimeout": "string",
"httpRetries": {"attempts": 0,
"perTryTimeout": "string",
"retryOn": "string"
},
"tcpKeepalive": true,
"keepAlive": {"tcp": {"downstream": {"probes": 0,
"idleTime": 0,
"interval": 0
},
"upstream": {"probes": 0,
"idleTime": 0,
"interval": 0
}
}
},
"circuitBreakerSensitivity": "UNSET"
}
}

Response samples

200
default

Content type

application/json

{"fqn": "string",
"displayName": "string",
"etag": "string",
"description": "string",
"reachability": {"mode": "UNSET",
"hosts": ["string"
]
},
"resilience": {"httpRequestTimeout": "string",
"httpRetries": {"attempts": 0,
"perTryTimeout": "string",
"retryOn": "string"
},
"tcpKeepalive": true,
"keepAlive": {"tcp": {"downstream": {"probes": 0,
"idleTime": 0,
"interval": 0
},
"upstream": {"probes": 0,
"idleTime": 0,
"interval": 0
}
}
},
"circuitBreakerSensitivity": "UNSET"
},
"egress": {"host": "string",
"port": 0
},
"rateLimiting": {"settings": {"rules": [{"dimensions": [{"remoteAddress": {"value": "string"
},
"header": {"name": "string",
"value": {"exact": "string",
"prefix": "string",
"regex": "string"
},
"dontMatch": true
}
}
],
"limit": {"requestsPerUnit": 0,
"unit": "UNKNOWN"
}
}
],
"failClosed": true,
"timeout": "string"
},
"externalService": {"domain": "string",
"failClosed": true,
"rateLimitServerUri": "string",
"rules": [{"dimensions": [{"sourceCluster": { },
"destinationCluster": { },
"remoteAddress": { },
"requestHeaders": {"headerName": "string",
"descriptorKey": "string"
},
"headerValueMatch": {"headers": {"property1": {"exact": null,
"prefix": null,
"regex": null
},
"property2": {"exact": null,
"prefix": null,
"regex": null
}
},
"descriptorValue": "string",
"dontMatch": true
}
}
]
}
],
"timeout": "string",
"tls": {"mode": "DISABLED",
"files": {"clientCertificate": "string",
"privateKey": "string",
"caCertificates": "string"
},
"subjectAltNames": ["string"
]
}
}
}
}

Delete the given settings object from the traffic group.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
workspace required	string Workspace name.
trafficgroup required	string Trafficgroup name.
setting required	string Setting name.

Responses

Response samples

200
default

Content type

application/json

{ }

Clusters

Get the list of all clusters that have been onboarded into the platform.

path Parameters

organization

required

string

Organization name.

query Parameters

fetchWorkloads

boolean

Flag to fetch the workload information for all the clusters as well. Note that by default workload information is not returned as it may be expensive to retrieve.

Responses

Response samples

200
default

Content type

application/json

{"clusters": [{"fqn": "string",
"displayName": "string",
"etag": "string",
"description": "string",
"tokenTtl": "string",
"network": "string",
"tier1Cluster": true,
"namespaces": [{"name": "string",
"services": [{"fqn": "string",
"displayName": "string",
"etag": "string",
"description": "string",
"shortName": "string",
"hostnames": ["string"
],
"ports": [{"number": 0,
"name": "string",
"serviceDeployments": [null
]
}
],
"subsets": ["string"
],
"serviceType": "INVALID_TYPE",
"externalAddresses": ["string"
],
"state": "INVALID_STATE",
"metrics": [{"name": "string",
"description": "string",
"aggregationKey": "string",
"type": "INVALID",
"serviceDeployment": "string",
"parentMetric": "string"
}
],
"serviceDeployments": [{"fqn": "string",
"source": "string"
}
],
"subsetDeployments": [{"name": "string",
"serviceDeployments": [null
]
}
],
"canonicalName": "string",
"spiffeIds": ["string"
]
}
]
}
],
"labels": {"property1": "string",
"property2": "string"
},
"locality": {"region": "string"
},
"trustDomain": "string",
"namespaceScope": {"scope": "GLOBAL",
"exceptions": ["string"
]
},
"state": {"lastSyncTime": "2019-08-24T14:15:22Z",
"provider": "string",
"istioVersions": ["string"
],
"xcpVersion": "string",
"tsbCpVersion": "string"
}
}
]
}

Creates a new cluster object in TSB. This is needed during cluster onboarding to let the management plane know about the existence of a cluster. Once a cluster has been created and fully onboarded, the management plane will manage the mesh for that cluster and keep this cluster entity up to date with the information that is reported by the cluster agents. This method returns the created cluster, that will be continuously updated by the local cluster agents. This entity can be monitored to have an overview of the resources (namespaces, services, etc) that are known to be running in the cluster.

path Parameters

organization

required

string

Organization name.

Request Body schema: application/json
required

required	object (v2Cluster) A Kubernetes cluster managing both pods and VMs.
name required	string The short name for the resource to be created.

Responses

Request samples

Payload

Content type

application/json

{"cluster": {"displayName": "string",
"etag": "string",
"description": "string",
"tokenTtl": "string",
"network": "string",
"tier1Cluster": true,
"labels": {"property1": "string",
"property2": "string"
},
"locality": {"region": "string"
},
"trustDomain": "string",
"namespaceScope": {"scope": "GLOBAL",
"exceptions": ["string"
]
},
"state": {"lastSyncTime": "2019-08-24T14:15:22Z",
"provider": "string",
"istioVersions": ["string"
],
"xcpVersion": "string",
"tsbCpVersion": "string"
}
},
"name": "string"
}

Response samples

200
default

Content type

application/json

{"fqn": "string",
"displayName": "string",
"etag": "string",
"description": "string",
"tokenTtl": "string",
"network": "string",
"tier1Cluster": true,
"namespaces": [{"name": "string",
"services": [{"fqn": "string",
"displayName": "string",
"etag": "string",
"description": "string",
"shortName": "string",
"hostnames": ["string"
],
"ports": [{"number": 0,
"name": "string",
"serviceDeployments": ["string"
]
}
],
"subsets": ["string"
],
"serviceType": "INVALID_TYPE",
"externalAddresses": ["string"
],
"state": "INVALID_STATE",
"metrics": [{"name": "string",
"description": "string",
"aggregationKey": "string",
"type": "INVALID",
"serviceDeployment": "string",
"parentMetric": "string"
}
],
"serviceDeployments": [{"fqn": "string",
"source": "string"
}
],
"subsetDeployments": [{"name": "string",
"serviceDeployments": ["string"
]
}
],
"canonicalName": "string",
"spiffeIds": ["string"
]
}
]
}
],
"labels": {"property1": "string",
"property2": "string"
},
"locality": {"region": "string"
},
"trustDomain": "string",
"namespaceScope": {"scope": "GLOBAL",
"exceptions": ["string"
]
},
"state": {"lastSyncTime": "2019-08-24T14:15:22Z",
"provider": "string",
"istioVersions": ["string"
],
"xcpVersion": "string",
"tsbCpVersion": "string"
}
}

Get the last known state for an onboarded cluster. Once a cluster has been onboarded into the platform, the agents will keep it up to date with its runtime status. Getting the cluster object will return the last known snapshot of existing namespaces and services running in it.

path Parameters

organization required	string Organization name.
cluster required	string Cluster name.

query Parameters

fetchWorkloads

boolean

Flag to fetch the workload information as well. Note that by default workload information is not returned as it may be expensive to retrieve.

Responses

Response samples

200
default

Content type

application/json

{"fqn": "string",
"displayName": "string",
"etag": "string",
"description": "string",
"tokenTtl": "string",
"network": "string",
"tier1Cluster": true,
"namespaces": [{"name": "string",
"services": [{"fqn": "string",
"displayName": "string",
"etag": "string",
"description": "string",
"shortName": "string",
"hostnames": ["string"
],
"ports": [{"number": 0,
"name": "string",
"serviceDeployments": ["string"
]
}
],
"subsets": ["string"
],
"serviceType": "INVALID_TYPE",
"externalAddresses": ["string"
],
"state": "INVALID_STATE",
"metrics": [{"name": "string",
"description": "string",
"aggregationKey": "string",
"type": "INVALID",
"serviceDeployment": "string",
"parentMetric": "string"
}
],
"serviceDeployments": [{"fqn": "string",
"source": "string"
}
],
"subsetDeployments": [{"name": "string",
"serviceDeployments": ["string"
]
}
],
"canonicalName": "string",
"spiffeIds": ["string"
]
}
]
}
],
"labels": {"property1": "string",
"property2": "string"
},
"locality": {"region": "string"
},
"trustDomain": "string",
"namespaceScope": {"scope": "GLOBAL",
"exceptions": ["string"
]
},
"state": {"lastSyncTime": "2019-08-24T14:15:22Z",
"provider": "string",
"istioVersions": ["string"
],
"xcpVersion": "string",
"tsbCpVersion": "string"
}
}

Modify an existing cluster. Updates a cluster with the given data. Note that most of the data in the cluster is read-only and automatically populated by the local cluster agents.

path Parameters

organization required	string Organization name.
cluster required	string Cluster name.

Request Body schema: application/json
required

description	string (A description of the resource. $hide_from_yaml)
displayName	string (User friendly name for the resource. $hide_from_yaml)
etag	string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)
	object (FIXME: this is super clunky to copy each and every metadata field into objects used for multicluster. $hide_from_yaml)
	object (ClusterLocality) The region the cluster resides. Used for failover based routing when configured in the workspace or global settings.
	object (v2NamespaceScoping) Configure the default scoping of namespaces in this cluster.
network	string The network (e.g., VPC) where this cluster is present. All clusters within the same network will be assumed to be reachable for the purposes of multi-cluster routing. In addition, networks marked as reachable from one another in SystemSettings will also be used for multi-cluster routing.
	object (State represents the cluster info learned from the onboarded cluster)
tier1Cluster	boolean Indicates whether this cluster is hosting a tier1 gateway or not. Tier1 clusters cannot host other gateways or workloads. Defaults to false if not specified.
tokenTtl	string Lifetime of the tokens. Defaults to 1hr.
trustDomain	string Trust domain for this cluster, used for multi-cluster routing. It must be unique for every cluster and should match the one configured in the local control plane. This value is optional, and will be updated by the local control plane agents. However, it is recommended to set it, if known, so that multi-cluster routing works without having to wait for the local control planes to update it.

Responses

Request samples

Payload

Content type

application/json

{"description": "string",
"displayName": "string",
"etag": "string",
"labels": {"property1": "string",
"property2": "string"
},
"locality": {"region": "string"
},
"namespaceScope": {"scope": "GLOBAL",
"exceptions": ["string"
]
},
"network": "string",
"state": {"lastSyncTime": "2019-08-24T14:15:22Z",
"provider": "string",
"istioVersions": ["string"
],
"xcpVersion": "string",
"tsbCpVersion": "string"
},
"tier1Cluster": true,
"tokenTtl": "string",
"trustDomain": "string"
}

Response samples

200
default

Content type

application/json

{"fqn": "string",
"displayName": "string",
"etag": "string",
"description": "string",
"tokenTtl": "string",
"network": "string",
"tier1Cluster": true,
"namespaces": [{"name": "string",
"services": [{"fqn": "string",
"displayName": "string",
"etag": "string",
"description": "string",
"shortName": "string",
"hostnames": ["string"
],
"ports": [{"number": 0,
"name": "string",
"serviceDeployments": ["string"
]
}
],
"subsets": ["string"
],
"serviceType": "INVALID_TYPE",
"externalAddresses": ["string"
],
"state": "INVALID_STATE",
"metrics": [{"name": "string",
"description": "string",
"aggregationKey": "string",
"type": "INVALID",
"serviceDeployment": "string",
"parentMetric": "string"
}
],
"serviceDeployments": [{"fqn": "string",
"source": "string"
}
],
"subsetDeployments": [{"name": "string",
"serviceDeployments": ["string"
]
}
],
"canonicalName": "string",
"spiffeIds": ["string"
]
}
]
}
],
"labels": {"property1": "string",
"property2": "string"
},
"locality": {"region": "string"
},
"trustDomain": "string",
"namespaceScope": {"scope": "GLOBAL",
"exceptions": ["string"
]
},
"state": {"lastSyncTime": "2019-08-24T14:15:22Z",
"provider": "string",
"istioVersions": ["string"
],
"xcpVersion": "string",
"tsbCpVersion": "string"
}
}

Unregisters a cluster from the platform. Deleting a cluster will unregister it from the management plane, and the agents will stop receiving configuration updates. Agent tokens for the cluster are revoked as well, so agents that are still running will fail to report back cluster status to the management plane. Note that unregistering the cluster is a management plane only operation. This does not uninstall the agents from the local cluster. Agents will continue running and the services that are deployed in that cluster will be able to continue operating with the last applied configuration. Unregistering a cluster from the management plane should not generate downtime to services that are running on that cluster.

path Parameters

organization required	string Organization name.
cluster required	string Cluster name.

Responses

Response samples

200
default

Content type

application/json

{ }

Generate the tokens for the cluster agents so they can talk to the management plane. Once a cluster object has been registered in the management plane, this method can be used to generate the JWT tokens that need to be configured in the local cluster agents in order to let them talk to the management plane. These tokens contain the necessary permissions to allow the agents to download the configuration for their cluster and to push cluster status updates to the management plane.

path Parameters

organization required	string Organization name.
cluster required	string Cluster name.

Responses

Response samples

200
default

Content type

application/json

{"tokens": {"property1": "string",
"property2": "string"
}
}

Organizations

List all existing organizations. $hide_from_docs

Responses

Response samples

200
default

Content type

application/json

{"organizations": [{"fqn": "string",
"displayName": "string",
"etag": "string",
"description": "string"
}
]
}

Creates a new Organization in TSB. Organizations are the top-level construct in TSB and contain all the resources such as tenants, workspaces and clusters. $hide_from_docs

Request Body schema: application/json
required

name required	string The short name for the resource to be created.
required	object (v2Organization) `Organization` is the root of the Service Bridge object hierarchy.

Responses

Request samples

Payload

Content type

application/json

{"name": "string",
"organization": {"displayName": "string",
"etag": "string",
"description": "string"
}
}

Response samples

200
default

Content type

application/json

{"fqn": "string",
"displayName": "string",
"etag": "string",
"description": "string"
}

Get the details of an organization.

path Parameters

organization

required

string

Organization name.

Responses

Response samples

200
default

Content type

application/json

{"fqn": "string",
"displayName": "string",
"etag": "string",
"description": "string"
}

Modify an organization. Update operations are protected against concurrent modifications of the resource. They are required to provide the last version of the `etag` field as part of the update request payload. $hide_from_docs

path Parameters

organization

required

string

Organization name.

Request Body schema: application/json
required

description	string (A description of the resource. $hide_from_yaml)
displayName	string (User friendly name for the resource. $hide_from_yaml)
etag	string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)

Responses

Request samples

Payload

Content type

application/json

{"description": "string",
"displayName": "string",
"etag": "string"
}

Response samples

200
default

Content type

application/json

{"fqn": "string",
"displayName": "string",
"etag": "string",
"description": "string"
}

Delete an organization. Note that deleting resources in TSB is a recursive operation. Deleting an organization will delete all tenants, clusters and all configurations that exist in it. $hide_from_docs

path Parameters

organization

required

string

Organization name.

Responses

Response samples

200
default

Content type

application/json

{ }

List all the settings objects that have been attached to the given Organization.

path Parameters

organization

required

string

Organization name.

Responses

Response samples

200
default

Content type

application/json

{"settings": [{"fqn": "string",
"displayName": "string",
"etag": "string",
"description": "string",
"networkSettings": {"networkReachability": {"property1": "string",
"property2": "string"
}
},
"regionalFailover": [{"from": "string",
"to": "string"
}
],
"defaultSecuritySetting": {"fqn": "string",
"displayName": "string",
"etag": "string",
"description": "string",
"authentication": "UNSET",
"authorization": {"mode": "UNSET",
"serviceAccounts": ["string"
],
"http": {"external": {"uri": "string",
"includeRequestHeaders": ["string"
],
"tls": {"mode": "DISABLED",
"files": {"clientCertificate": "string",
"privateKey": "string",
"caCertificates": "string"
},
"subjectAltNames": ["string"
]
}
},
"local": {"rules": [{"name": "string",
"from": [null
],
"to": [null
]
}
]
}
},
"rules": {"allow": [{"from": {"fqn": "string"
},
"to": {"fqn": "string"
}
}
],
"denyAll": true,
"deny": [{"from": {"fqn": "string"
},
"to": {"fqn": "string"
}
}
]
}
},
"authenticationSettings": {"trafficMode": "UNSET",
"http": {"jwt": {"issuer": "string",
"audiences": ["string"
],
"jwksUri": "string",
"jwks": "string"
}
}
},
"waf": {"rules": ["string"
]
},
"propagationStrategy": "REPLACE",
"extension": [{"fqn": "string",
"config": { }
}
]
},
"defaultTrafficSetting": {"fqn": "string",
"displayName": "string",
"etag": "string",
"description": "string",
"reachability": {"mode": "UNSET",
"hosts": ["string"
]
},
"resilience": {"httpRequestTimeout": "string",
"httpRetries": {"attempts": 0,
"perTryTimeout": "string",
"retryOn": "string"
},
"tcpKeepalive": true,
"keepAlive": {"tcp": {"downstream": {"probes": 0,
"idleTime": 0,
"interval": 0
},
"upstream": {"probes": 0,
"idleTime": 0,
"interval": 0
}
}
},
"circuitBreakerSensitivity": "UNSET"
},
"egress": {"host": "string",
"port": 0
},
"rateLimiting": {"settings": {"rules": [{"dimensions": [{"remoteAddress": null,
"header": null
}
],
"limit": {"requestsPerUnit": 0,
"unit": "UNKNOWN"
}
}
],
"failClosed": true,
"timeout": "string"
},
"externalService": {"domain": "string",
"failClosed": true,
"rateLimitServerUri": "string",
"rules": [{"dimensions": [{"sourceCluster": null,
"destinationCluster": null,
"remoteAddress": null,
"requestHeaders": null,
"headerValueMatch": null
}
]
}
],
"timeout": "string",
"tls": {"mode": "DISABLED",
"files": {"clientCertificate": "string",
"privateKey": "string",
"caCertificates": "string"
},
"subjectAltNames": ["string"
]
}
}
}
}
}
]
}

Create a settings object for the given organization.

path Parameters

organization

required

string

Organization name.

Request Body schema: application/json
required

name required	string The short name for the resource to be created.
required	object (v2OrganizationSetting) Settings that apply globally to the entire organization.

Responses

Request samples

Payload

Content type

application/json

{"name": "string",
"settings": {"displayName": "string",
"etag": "string",
"description": "string",
"networkSettings": {"networkReachability": {"property1": "string",
"property2": "string"
}
},
"regionalFailover": [{"from": "string",
"to": "string"
}
],
"defaultSecuritySetting": {"displayName": "string",
"etag": "string",
"description": "string",
"authentication": "UNSET",
"authorization": {"mode": "UNSET",
"serviceAccounts": ["string"
],
"http": {"external": {"uri": "string",
"includeRequestHeaders": ["string"
],
"tls": {"mode": "DISABLED",
"files": {"clientCertificate": "string",
"privateKey": "string",
"caCertificates": "string"
},
"subjectAltNames": ["string"
]
}
},
"local": {"rules": [{"name": "string",
"from": [{"jwt": null
}
],
"to": [{"paths": [ ],
"methods": [ ]
}
]
}
]
}
},
"rules": {"allow": [{"from": {"fqn": "string"
},
"to": {"fqn": "string"
}
}
],
"denyAll": true,
"deny": [{"from": {"fqn": "string"
},
"to": {"fqn": "string"
}
}
]
}
},
"authenticationSettings": {"trafficMode": "UNSET",
"http": {"jwt": {"issuer": "string",
"audiences": ["string"
],
"jwksUri": "string",
"jwks": "string"
}
}
},
"waf": {"rules": ["string"
]
},
"propagationStrategy": "REPLACE",
"extension": [{"fqn": "string",
"config": { }
}
]
},
"defaultTrafficSetting": {"displayName": "string",
"etag": "string",
"description": "string",
"reachability": {"mode": "UNSET",
"hosts": ["string"
]
},
"resilience": {"httpRequestTimeout": "string",
"httpRetries": {"attempts": 0,
"perTryTimeout": "string",
"retryOn": "string"
},
"tcpKeepalive": true,
"keepAlive": {"tcp": {"downstream": {"probes": 0,
"idleTime": 0,
"interval": 0
},
"upstream": {"probes": 0,
"idleTime": 0,
"interval": 0
}
}
},
"circuitBreakerSensitivity": "UNSET"
},
"egress": {"host": "string",
"port": 0
},
"rateLimiting": {"settings": {"rules": [{"dimensions": [{"remoteAddress": {"value": null
},
"header": {"name": null,
"value": null,
"dontMatch": null
}
}
],
"limit": {"requestsPerUnit": 0,
"unit": "UNKNOWN"
}
}
],
"failClosed": true,
"timeout": "string"
},
"externalService": {"domain": "string",
"failClosed": true,
"rateLimitServerUri": "string",
"rules": [{"dimensions": [{"sourceCluster": { },
"destinationCluster": { },
"remoteAddress": { },
"requestHeaders": {"headerName": null,
"descriptorKey": null
},
"headerValueMatch": {"headers": { },
"descriptorValue": null,
"dontMatch": null
}
}
]
}
],
"timeout": "string",
"tls": {"mode": "DISABLED",
"files": {"clientCertificate": "string",
"privateKey": "string",
"caCertificates": "string"
},
"subjectAltNames": ["string"
]
}
}
}
}
}
}

Response samples

200
default

Content type

application/json

{"fqn": "string",
"displayName": "string",
"etag": "string",
"description": "string",
"networkSettings": {"networkReachability": {"property1": "string",
"property2": "string"
}
},
"regionalFailover": [{"from": "string",
"to": "string"
}
],
"defaultSecuritySetting": {"fqn": "string",
"displayName": "string",
"etag": "string",
"description": "string",
"authentication": "UNSET",
"authorization": {"mode": "UNSET",
"serviceAccounts": ["string"
],
"http": {"external": {"uri": "string",
"includeRequestHeaders": ["string"
],
"tls": {"mode": "DISABLED",
"files": {"clientCertificate": "string",
"privateKey": "string",
"caCertificates": "string"
},
"subjectAltNames": ["string"
]
}
},
"local": {"rules": [{"name": "string",
"from": [{"jwt": {"iss": null,
"sub": null,
"other": { }
}
}
],
"to": [{"paths": [null
],
"methods": [null
]
}
]
}
]
}
},
"rules": {"allow": [{"from": {"fqn": "string"
},
"to": {"fqn": "string"
}
}
],
"denyAll": true,
"deny": [{"from": {"fqn": "string"
},
"to": {"fqn": "string"
}
}
]
}
},
"authenticationSettings": {"trafficMode": "UNSET",
"http": {"jwt": {"issuer": "string",
"audiences": ["string"
],
"jwksUri": "string",
"jwks": "string"
}
}
},
"waf": {"rules": ["string"
]
},
"propagationStrategy": "REPLACE",
"extension": [{"fqn": "string",
"config": { }
}
]
},
"defaultTrafficSetting": {"fqn": "string",
"displayName": "string",
"etag": "string",
"description": "string",
"reachability": {"mode": "UNSET",
"hosts": ["string"
]
},
"resilience": {"httpRequestTimeout": "string",
"httpRetries": {"attempts": 0,
"perTryTimeout": "string",
"retryOn": "string"
},
"tcpKeepalive": true,
"keepAlive": {"tcp": {"downstream": {"probes": 0,
"idleTime": 0,
"interval": 0
},
"upstream": {"probes": 0,
"idleTime": 0,
"interval": 0
}
}
},
"circuitBreakerSensitivity": "UNSET"
},
"egress": {"host": "string",
"port": 0
},
"rateLimiting": {"settings": {"rules": [{"dimensions": [{"remoteAddress": {"value": "string"
},
"header": {"name": "string",
"value": {"exact": null,
"prefix": null,
"regex": null
},
"dontMatch": true
}
}
],
"limit": {"requestsPerUnit": 0,
"unit": "UNKNOWN"
}
}
],
"failClosed": true,
"timeout": "string"
},
"externalService": {"domain": "string",
"failClosed": true,
"rateLimitServerUri": "string",
"rules": [{"dimensions": [{"sourceCluster": { },
"destinationCluster": { },
"remoteAddress": { },
"requestHeaders": {"headerName": "string",
"descriptorKey": "string"
},
"headerValueMatch": {"headers": {"property1": null,
"property2": null
},
"descriptorValue": "string",
"dontMatch": true
}
}
]
}
],
"timeout": "string",
"tls": {"mode": "DISABLED",
"files": {"clientCertificate": "string",
"privateKey": "string",
"caCertificates": "string"
},
"subjectAltNames": ["string"
]
}
}
}
}
}

Get the details for the given settings object.

path Parameters

organization required	string Organization name.
setting required	string Setting name.

Responses

Response samples

200
default

Content type

application/json

{"fqn": "string",
"displayName": "string",
"etag": "string",
"description": "string",
"networkSettings": {"networkReachability": {"property1": "string",
"property2": "string"
}
},
"regionalFailover": [{"from": "string",
"to": "string"
}
],
"defaultSecuritySetting": {"fqn": "string",
"displayName": "string",
"etag": "string",
"description": "string",
"authentication": "UNSET",
"authorization": {"mode": "UNSET",
"serviceAccounts": ["string"
],
"http": {"external": {"uri": "string",
"includeRequestHeaders": ["string"
],
"tls": {"mode": "DISABLED",
"files": {"clientCertificate": "string",
"privateKey": "string",
"caCertificates": "string"
},
"subjectAltNames": ["string"
]
}
},
"local": {"rules": [{"name": "string",
"from": [{"jwt": {"iss": null,
"sub": null,
"other": { }
}
}
],
"to": [{"paths": [null
],
"methods": [null
]
}
]
}
]
}
},
"rules": {"allow": [{"from": {"fqn": "string"
},
"to": {"fqn": "string"
}
}
],
"denyAll": true,
"deny": [{"from": {"fqn": "string"
},
"to": {"fqn": "string"
}
}
]
}
},
"authenticationSettings": {"trafficMode": "UNSET",
"http": {"jwt": {"issuer": "string",
"audiences": ["string"
],
"jwksUri": "string",
"jwks": "string"
}
}
},
"waf": {"rules": ["string"
]
},
"propagationStrategy": "REPLACE",
"extension": [{"fqn": "string",
"config": { }
}
]
},
"defaultTrafficSetting": {"fqn": "string",
"displayName": "string",
"etag": "string",
"description": "string",
"reachability": {"mode": "UNSET",
"hosts": ["string"
]
},
"resilience": {"httpRequestTimeout": "string",
"httpRetries": {"attempts": 0,
"perTryTimeout": "string",
"retryOn": "string"
},
"tcpKeepalive": true,
"keepAlive": {"tcp": {"downstream": {"probes": 0,
"idleTime": 0,
"interval": 0
},
"upstream": {"probes": 0,
"idleTime": 0,
"interval": 0
}
}
},
"circuitBreakerSensitivity": "UNSET"
},
"egress": {"host": "string",
"port": 0
},
"rateLimiting": {"settings": {"rules": [{"dimensions": [{"remoteAddress": {"value": "string"
},
"header": {"name": "string",
"value": {"exact": null,
"prefix": null,
"regex": null
},
"dontMatch": true
}
}
],
"limit": {"requestsPerUnit": 0,
"unit": "UNKNOWN"
}
}
],
"failClosed": true,
"timeout": "string"
},
"externalService": {"domain": "string",
"failClosed": true,
"rateLimitServerUri": "string",
"rules": [{"dimensions": [{"sourceCluster": { },
"destinationCluster": { },
"remoteAddress": { },
"requestHeaders": {"headerName": "string",
"descriptorKey": "string"
},
"headerValueMatch": {"headers": {"property1": null,
"property2": null
},
"descriptorValue": "string",
"dontMatch": true
}
}
]
}
],
"timeout": "string",
"tls": {"mode": "DISABLED",
"files": {"clientCertificate": "string",
"privateKey": "string",
"caCertificates": "string"
},
"subjectAltNames": ["string"
]
}
}
}
}
}

Modify the given settings in the given Organization.

path Parameters

organization required	string Organization name.
setting required	string Setting name.

Request Body schema: application/json
required

	object (v2SecuritySetting) A security setting applies configuration to a set of proxy workloads in a security group or a workspace. When applied to a security group, missing fields will inherit values from the workspace-wide setting if any.
	object (v2TrafficSetting) A traffic setting applies configuration to a set of proxy workloads in a traffic group or a workspace. When applied to a traffic group, missing fields will inherit values from the workspace-wide setting if any.
description	string (A description of the resource. $hide_from_yaml)
displayName	string (User friendly name for the resource. $hide_from_yaml)
etag	string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)
	object (OrganizationSettingNetworkSettings) Network related settings for clusters.
	Array of objects (v2RegionalFailover) Default locality routing settings for all gateways. Explicitly specify the region traffic will land on when endpoints in local region becomes unhealthy. Should be used together with OutlierDetection to detect unhealthy endpoints. Note: if no OutlierDetection specified, this will not take effect.

Responses

Request samples

Payload

Content type

application/json

{"defaultSecuritySetting": {"displayName": "string",
"etag": "string",
"description": "string",
"authentication": "UNSET",
"authorization": {"mode": "UNSET",
"serviceAccounts": ["string"
],
"http": {"external": {"uri": "string",
"includeRequestHeaders": ["string"
],
"tls": {"mode": "DISABLED",
"files": {"clientCertificate": "string",
"privateKey": "string",
"caCertificates": "string"
},
"subjectAltNames": ["string"
]
}
},
"local": {"rules": [{"name": "string",
"from": [{"jwt": {"iss": null,
"sub": null,
"other": { }
}
}
],
"to": [{"paths": [null
],
"methods": [null
]
}
]
}
]
}
},
"rules": {"allow": [{"from": {"fqn": "string"
},
"to": {"fqn": "string"
}
}
],
"denyAll": true,
"deny": [{"from": {"fqn": "string"
},
"to": {"fqn": "string"
}
}
]
}
},
"authenticationSettings": {"trafficMode": "UNSET",
"http": {"jwt": {"issuer": "string",
"audiences": ["string"
],
"jwksUri": "string",
"jwks": "string"
}
}
},
"waf": {"rules": ["string"
]
},
"propagationStrategy": "REPLACE",
"extension": [{"fqn": "string",
"config": { }
}
]
},
"defaultTrafficSetting": {"displayName": "string",
"etag": "string",
"description": "string",
"reachability": {"mode": "UNSET",
"hosts": ["string"
]
},
"resilience": {"httpRequestTimeout": "string",
"httpRetries": {"attempts": 0,
"perTryTimeout": "string",
"retryOn": "string"
},
"tcpKeepalive": true,
"keepAlive": {"tcp": {"downstream": {"probes": 0,
"idleTime": 0,
"interval": 0
},
"upstream": {"probes": 0,
"idleTime": 0,
"interval": 0
}
}
},
"circuitBreakerSensitivity": "UNSET"
},
"egress": {"host": "string",
"port": 0
},
"rateLimiting": {"settings": {"rules": [{"dimensions": [{"remoteAddress": {"value": "string"
},
"header": {"name": "string",
"value": {"exact": null,
"prefix": null,
"regex": null
},
"dontMatch": true
}
}
],
"limit": {"requestsPerUnit": 0,
"unit": "UNKNOWN"
}
}
],
"failClosed": true,
"timeout": "string"
},
"externalService": {"domain": "string",
"failClosed": true,
"rateLimitServerUri": "string",
"rules": [{"dimensions": [{"sourceCluster": { },
"destinationCluster": { },
"remoteAddress": { },
"requestHeaders": {"headerName": "string",
"descriptorKey": "string"
},
"headerValueMatch": {"headers": {"property1": null,
"property2": null
},
"descriptorValue": "string",
"dontMatch": true
}
}
]
}
],
"timeout": "string",
"tls": {"mode": "DISABLED",
"files": {"clientCertificate": "string",
"privateKey": "string",
"caCertificates": "string"
},
"subjectAltNames": ["string"
]
}
}
}
},
"description": "string",
"displayName": "string",
"etag": "string",
"networkSettings": {"networkReachability": {"property1": "string",
"property2": "string"
}
},
"regionalFailover": [{"from": "string",
"to": "string"
}
]
}

Response samples

200
default

Content type

application/json

{"fqn": "string",
"displayName": "string",
"etag": "string",
"description": "string",
"networkSettings": {"networkReachability": {"property1": "string",
"property2": "string"
}
},
"regionalFailover": [{"from": "string",
"to": "string"
}
],
"defaultSecuritySetting": {"fqn": "string",
"displayName": "string",
"etag": "string",
"description": "string",
"authentication": "UNSET",
"authorization": {"mode": "UNSET",
"serviceAccounts": ["string"
],
"http": {"external": {"uri": "string",
"includeRequestHeaders": ["string"
],
"tls": {"mode": "DISABLED",
"files": {"clientCertificate": "string",
"privateKey": "string",
"caCertificates": "string"
},
"subjectAltNames": ["string"
]
}
},
"local": {"rules": [{"name": "string",
"from": [{"jwt": {"iss": null,
"sub": null,
"other": { }
}
}
],
"to": [{"paths": [null
],
"methods": [null
]
}
]
}
]
}
},
"rules": {"allow": [{"from": {"fqn": "string"
},
"to": {"fqn": "string"
}
}
],
"denyAll": true,
"deny": [{"from": {"fqn": "string"
},
"to": {"fqn": "string"
}
}
]
}
},
"authenticationSettings": {"trafficMode": "UNSET",
"http": {"jwt": {"issuer": "string",
"audiences": ["string"
],
"jwksUri": "string",
"jwks": "string"
}
}
},
"waf": {"rules": ["string"
]
},
"propagationStrategy": "REPLACE",
"extension": [{"fqn": "string",
"config": { }
}
]
},
"defaultTrafficSetting": {"fqn": "string",
"displayName": "string",
"etag": "string",
"description": "string",
"reachability": {"mode": "UNSET",
"hosts": ["string"
]
},
"resilience": {"httpRequestTimeout": "string",
"httpRetries": {"attempts": 0,
"perTryTimeout": "string",
"retryOn": "string"
},
"tcpKeepalive": true,
"keepAlive": {"tcp": {"downstream": {"probes": 0,
"idleTime": 0,
"interval": 0
},
"upstream": {"probes": 0,
"idleTime": 0,
"interval": 0
}
}
},
"circuitBreakerSensitivity": "UNSET"
},
"egress": {"host": "string",
"port": 0
},
"rateLimiting": {"settings": {"rules": [{"dimensions": [{"remoteAddress": {"value": "string"
},
"header": {"name": "string",
"value": {"exact": null,
"prefix": null,
"regex": null
},
"dontMatch": true
}
}
],
"limit": {"requestsPerUnit": 0,
"unit": "UNKNOWN"
}
}
],
"failClosed": true,
"timeout": "string"
},
"externalService": {"domain": "string",
"failClosed": true,
"rateLimitServerUri": "string",
"rules": [{"dimensions": [{"sourceCluster": { },
"destinationCluster": { },
"remoteAddress": { },
"requestHeaders": {"headerName": "string",
"descriptorKey": "string"
},
"headerValueMatch": {"headers": {"property1": null,
"property2": null
},
"descriptorValue": "string",
"dontMatch": true
}
}
]
}
],
"timeout": "string",
"tls": {"mode": "DISABLED",
"files": {"clientCertificate": "string",
"privateKey": "string",
"caCertificates": "string"
},
"subjectAltNames": ["string"
]
}
}
}
}
}

Delete the given settings object from the Organization.

path Parameters

organization required	string Organization name.
setting required	string Setting name.

Responses

Response samples

200
default

Content type

application/json

{ }

SyncOrganization is used by processes that monitor the identity providers to synchronize the users and teams with the ones in TSB.

This method will update the state of users and groups in the organization and will create, modify, and delete groups according to the incoming request. Sync requests are assumed to be a full-sync and to contain all existing users and groups. Existing TSB users and groups that are not contained in a sync request will be deleted from the platform, as it will assume they have been removed from the Identity Provider.

path Parameters

organization

required

string

Organization name.

Request Body schema: application/json
required

sourceType	string (v2SourceType) Default: "INVALID" Enum: "INVALID" "LDAP" "LOCAL" "AZURE" "MANUAL" `SourceType` describes where teams come from. Teams can be synchronized from the Identity Provider but can also be manually created using the Team API to create convenient groupings of users and other teams in order to configure fine-grained permissions in the Management Plane. LDAP: LDAP is used for users and teams that are automatically synchronized from LDAP. LOCAL: LOCAL is used for local teams that are manually created using the TSB Team API and do not exist in the Identity Provider. Deprecated. This value is deprecated and will be removed in future releases. Use 'MANUAL' instead. AZURE: AZURE is used for users synchronized from an Azure Active Directory. MANUAL: MANUAL is used for users and teams that exist in the Identity Provider that have been manually populated. MANUAL users are deprecated and Service Accounts should be used instead. Support for MANUAL users will be removed in future versions.
	Array of objects (SyncOrganizationRequestSyncTeam)
	Array of objects (SyncOrganizationRequestSyncUser)

Responses

Request samples

Payload

Content type

application/json

{"sourceType": "INVALID",
"teams": [{"id": "string",
"description": "string",
"memberUserIds": ["string"
],
"memberGroupIds": ["string"
],
"displayName": "string"
}
],
"users": [{"id": "string",
"description": "string",
"email": "string",
"loginName": "string",
"displayName": "string"
}
]
}

Response samples

200
default

Content type

application/json

{"failedUsers": {"removal": ["string"
],
"addition": ["string"
],
"update": ["string"
]
},
"failedTeams": {"removal": ["string"
],
"addition": ["string"
],
"update": ["string"
]
}
}

Status

Given a resource fully-qualified name of a resource returns its current status.

path Parameters

organization required	string Organization name.
cluster required	string Cluster name.

Responses

Response samples

200
default

Content type

application/json

{"status": "UNKNOWN",
"resources": [{"status": "UNKNOWN",
"resource": {"fqn": "string",
"expectedEtag": "string",
"exclusivelyOwned": true
}
}
]
}

Given a resource fully-qualified name of a resource returns its current status.

path Parameters

organization required	string Organization name.
extension required	string Extension name.

Responses

Response samples

200
default

Content type

application/json

{"status": "UNKNOWN",
"resources": [{"status": "UNKNOWN",
"resource": {"fqn": "string",
"expectedEtag": "string",
"exclusivelyOwned": true
}
}
]
}

Given a resource fully-qualified name of a resource returns its current status.

path Parameters

organization required	string Organization name.
serviceaccount required	string Serviceaccount name.

Responses

Response samples

200
default

Content type

application/json

{"status": "UNKNOWN",
"resources": [{"status": "UNKNOWN",
"resource": {"fqn": "string",
"expectedEtag": "string",
"exclusivelyOwned": true
}
}
]
}

Given a resource fully-qualified name of a resource returns its current status.

path Parameters

organization required	string Organization name.
service required	string Service name.

Responses

Response samples

200
default

Content type

application/json

{"status": "UNKNOWN",
"resources": [{"status": "UNKNOWN",
"resource": {"fqn": "string",
"expectedEtag": "string",
"exclusivelyOwned": true
}
}
]
}

Given a resource fully-qualified name of a resource returns its current status.

path Parameters

organization required	string Organization name.
setting required	string Setting name.

Responses

Response samples

200
default

Content type

application/json

{"status": "UNKNOWN",
"resources": [{"status": "UNKNOWN",
"resource": {"fqn": "string",
"expectedEtag": "string",
"exclusivelyOwned": true
}
}
]
}

Given a resource fully-qualified name of a resource returns its current status.

path Parameters

organization

required

string

Organization name.

Responses

Response samples

200
default

Content type

application/json

{"status": "UNKNOWN",
"resources": [{"status": "UNKNOWN",
"resource": {"fqn": "string",
"expectedEtag": "string",
"exclusivelyOwned": true
}
}
]
}

Given a resource fully-qualified name of a resource returns its current status.

path Parameters

organization required	string Organization name.
team required	string Team name.

Responses

Response samples

200
default

Content type

application/json

{"status": "UNKNOWN",
"resources": [{"status": "UNKNOWN",
"resource": {"fqn": "string",
"expectedEtag": "string",
"exclusivelyOwned": true
}
}
]
}

Given a resource fully-qualified name of a resource returns its current status.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
application required	string Application name.
api required	string Api name.

Responses

Response samples

200
default

Content type

application/json

{"status": "UNKNOWN",
"resources": [{"status": "UNKNOWN",
"resource": {"fqn": "string",
"expectedEtag": "string",
"exclusivelyOwned": true
}
}
]
}

Given a resource fully-qualified name of a resource returns its current status.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
application required	string Application name.

Responses

Response samples

200
default

Content type

application/json

{"status": "UNKNOWN",
"resources": [{"status": "UNKNOWN",
"resource": {"fqn": "string",
"expectedEtag": "string",
"exclusivelyOwned": true
}
}
]
}

Given a resource fully-qualified name of a resource returns its current status.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
setting required	string Setting name.

Responses

Response samples

200
default

Content type

application/json

{"status": "UNKNOWN",
"resources": [{"status": "UNKNOWN",
"resource": {"fqn": "string",
"expectedEtag": "string",
"exclusivelyOwned": true
}
}
]
}

Given a resource fully-qualified name of a resource returns its current status.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.

Responses

Response samples

200
default

Content type

application/json

{"status": "UNKNOWN",
"resources": [{"status": "UNKNOWN",
"resource": {"fqn": "string",
"expectedEtag": "string",
"exclusivelyOwned": true
}
}
]
}

Given a resource fully-qualified name of a resource returns its current status.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
workspace required	string Workspace name.
gatewaygroup required	string Gatewaygroup name.
egressgateway required	string Egressgateway name.

Responses

Response samples

200
default

Content type

application/json

{"status": "UNKNOWN",
"resources": [{"status": "UNKNOWN",
"resource": {"fqn": "string",
"expectedEtag": "string",
"exclusivelyOwned": true
}
}
]
}

Given a resource fully-qualified name of a resource returns its current status.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
workspace required	string Workspace name.
gatewaygroup required	string Gatewaygroup name.
ingressgateway required	string Ingressgateway name.

Responses

Response samples

200
default

Content type

application/json

{"status": "UNKNOWN",
"resources": [{"status": "UNKNOWN",
"resource": {"fqn": "string",
"expectedEtag": "string",
"exclusivelyOwned": true
}
}
]
}

Given a resource fully-qualified name of a resource returns its current status.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
workspace required	string Workspace name.
gatewaygroup required	string Gatewaygroup name.

Responses

Response samples

200
default

Content type

application/json

{"status": "UNKNOWN",
"resources": [{"status": "UNKNOWN",
"resource": {"fqn": "string",
"expectedEtag": "string",
"exclusivelyOwned": true
}
}
]
}

Given a resource fully-qualified name of a resource returns its current status.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
workspace required	string Workspace name.
gatewaygroup required	string Gatewaygroup name.
tier1gateway required	string Tier1gateway name.

Responses

Response samples

200
default

Content type

application/json

{"status": "UNKNOWN",
"resources": [{"status": "UNKNOWN",
"resource": {"fqn": "string",
"expectedEtag": "string",
"exclusivelyOwned": true
}
}
]
}

Given a resource fully-qualified name of a resource returns its current status.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
workspace required	string Workspace name.
istiointernalgroup required	string Istiointernalgroup name.
setting required	string Setting name.

Responses

Response samples

200
default

Content type

application/json

{"status": "UNKNOWN",
"resources": [{"status": "UNKNOWN",
"resource": {"fqn": "string",
"expectedEtag": "string",
"exclusivelyOwned": true
}
}
]
}

Given a resource fully-qualified name of a resource returns its current status.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
workspace required	string Workspace name.
istiointernalgroup required	string Istiointernalgroup name.

Responses

Response samples

200
default

Content type

application/json

{"status": "UNKNOWN",
"resources": [{"status": "UNKNOWN",
"resource": {"fqn": "string",
"expectedEtag": "string",
"exclusivelyOwned": true
}
}
]
}

Given a resource fully-qualified name of a resource returns its current status.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
workspace required	string Workspace name.
securitygroup required	string Securitygroup name.
setting required	string Setting name.

Responses

Response samples

200
default

Content type

application/json

{"status": "UNKNOWN",
"resources": [{"status": "UNKNOWN",
"resource": {"fqn": "string",
"expectedEtag": "string",
"exclusivelyOwned": true
}
}
]
}

Given a resource fully-qualified name of a resource returns its current status.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
workspace required	string Workspace name.
securitygroup required	string Securitygroup name.

Responses

Response samples

200
default

Content type

application/json

{"status": "UNKNOWN",
"resources": [{"status": "UNKNOWN",
"resource": {"fqn": "string",
"expectedEtag": "string",
"exclusivelyOwned": true
}
}
]
}

Given a resource fully-qualified name of a resource returns its current status.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
workspace required	string Workspace name.
setting required	string Setting name.

Responses

Response samples

200
default

Content type

application/json

{"status": "UNKNOWN",
"resources": [{"status": "UNKNOWN",
"resource": {"fqn": "string",
"expectedEtag": "string",
"exclusivelyOwned": true
}
}
]
}

Given a resource fully-qualified name of a resource returns its current status.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
workspace required	string Workspace name.

Responses

Response samples

200
default

Content type

application/json

{"status": "UNKNOWN",
"resources": [{"status": "UNKNOWN",
"resource": {"fqn": "string",
"expectedEtag": "string",
"exclusivelyOwned": true
}
}
]
}

Given a resource fully-qualified name of a resource returns its current status.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
workspace required	string Workspace name.
trafficgroup required	string Trafficgroup name.
serviceroute required	string Serviceroute name.

Responses

Response samples

200
default

Content type

application/json

{"status": "UNKNOWN",
"resources": [{"status": "UNKNOWN",
"resource": {"fqn": "string",
"expectedEtag": "string",
"exclusivelyOwned": true
}
}
]
}

Given a resource fully-qualified name of a resource returns its current status.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
workspace required	string Workspace name.
trafficgroup required	string Trafficgroup name.
setting required	string Setting name.

Responses

Response samples

200
default

Content type

application/json

{"status": "UNKNOWN",
"resources": [{"status": "UNKNOWN",
"resource": {"fqn": "string",
"expectedEtag": "string",
"exclusivelyOwned": true
}
}
]
}

Given a resource fully-qualified name of a resource returns its current status.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
workspace required	string Workspace name.
trafficgroup required	string Trafficgroup name.

Responses

Response samples

200
default

Content type

application/json

{"status": "UNKNOWN",
"resources": [{"status": "UNKNOWN",
"resource": {"fqn": "string",
"expectedEtag": "string",
"exclusivelyOwned": true
}
}
]
}

Given a resource fully-qualified name of a resource returns its current status.

path Parameters

organization required	string Organization name.
user required	string User name.

Responses

Response samples

200
default

Content type

application/json

{"status": "UNKNOWN",
"resources": [{"status": "UNKNOWN",
"resource": {"fqn": "string",
"expectedEtag": "string",
"exclusivelyOwned": true
}
}
]
}

Teams

List existing Service Accounts.

path Parameters

organization

required

string

Organization name.

query Parameters

keyEncoding

string

Default: "PEM"

Enum: "PEM" "JWK"

The format in which the key pairs for each key will be returned. If not set keys are returned in PEM format.

Responses

Response samples

200
default

Content type

application/json

{"serviceAccounts": [{"fqn": "string",
"displayName": "string",
"etag": "string",
"description": "string",
"keys": [{"id": "string",
"publicKey": "string",
"privateKey": "string",
"encoding": "PEM",
"defaultToken": "string"
}
]
}
]
}

Create Service Account in TSB. Service Accounts are local to TSB and can be used to access the platform using JWT tokens signed with the Service Account's private key for authentication.

path Parameters

organization

required

string

Organization name.

Request Body schema: application/json
required

keyEncoding	string (Format in which the keys in this keypair are encoded) Default: "PEM" Enum: "PEM" "JWK"
name required	string The short name for the resource to be created.
required	object (v2ServiceAccount) `ServiceAccount` represents a service account that can be used to access the TSB platform. Service accounts have a set of associated public and private keys that can be used to generate signed JWT tokens that are suitable to authenticate to TSB. A default key-pair is generated on service account creation and the public key is stored in TSB. Private keys are returned when service accounts are created, but TSB will not store them. It is up to the client to store them securely.

Responses

Request samples

Payload

Content type

application/json

{"keyEncoding": "PEM",
"name": "string",
"serviceAccount": {"displayName": "string",
"etag": "string",
"description": "string"
}
}

Response samples

200
default

Content type

application/json

{"fqn": "string",
"displayName": "string",
"etag": "string",
"description": "string",
"keys": [{"id": "string",
"publicKey": "string",
"privateKey": "string",
"encoding": "PEM",
"defaultToken": "string"
}
]
}

Get the details of an existing Service Account.

path Parameters

organization required	string Organization name.
serviceaccount required	string Serviceaccount name.

query Parameters

keyEncoding

string

Default: "PEM"

Enum: "PEM" "JWK"

The format in which the key pairs will be returned. If not set keys are returned in PEM format.

Responses

Response samples

200
default

Content type

application/json

{"fqn": "string",
"displayName": "string",
"etag": "string",
"description": "string",
"keys": [{"id": "string",
"publicKey": "string",
"privateKey": "string",
"encoding": "PEM",
"defaultToken": "string"
}
]
}

Update the details of a service account. Updating the details of the service account does not regenerate its keys.

path Parameters

organization required	string Organization name.
serviceaccount required	string Serviceaccount name.

Request Body schema: application/json
required

description	string A description of the resource.
displayName	string (User friendly name for the resource. $hide_from_yaml)
etag	string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)

Responses

Request samples

Payload

Content type

application/json

{"description": "string",
"displayName": "string",
"etag": "string"
}

Response samples

200
default

Content type

application/json

{"fqn": "string",
"displayName": "string",
"etag": "string",
"description": "string",
"keys": [{"id": "string",
"publicKey": "string",
"privateKey": "string",
"encoding": "PEM",
"defaultToken": "string"
}
]
}

Delete the given Service account.

path Parameters

organization required	string Organization name.
serviceaccount required	string Serviceaccount name.

Responses

Response samples

200
default

Content type

application/json

{ }

Get all the public keys available in the service account and return them in a JWKS document. See: https://datatracker.ietf.org/doc/html/rfc7517 Requests to this endpoint require read permissions on the service account, or a token signed with one of the service account keys.

path Parameters

organization required	string Organization name.
serviceaccount required	string Serviceaccount name.

Responses

Response samples

200
default

Content type

application/json

{"keys": [{"alg": "string",
"kty": "string",
"use": "string",
"n": "string",
"e": "string",
"kid": "string"
}
]
}

Generate a new key-pair for the service account. Note that TSB does not store the generated private key, so the client must read it and store it securely.

path Parameters

organization required	string Organization name.
serviceaccount required	string Serviceaccount name.

Request Body schema: application/json
required

keyEncoding

string (Format in which the keys in this keypair are encoded)

Default: "PEM"

Enum: "PEM" "JWK"

Responses

Request samples

Payload

Content type

application/json

{"keyEncoding": "PEM"
}

Response samples

200
default

Content type

application/json

{"fqn": "string",
"displayName": "string",
"etag": "string",
"description": "string",
"keys": [{"id": "string",
"publicKey": "string",
"privateKey": "string",
"encoding": "PEM",
"defaultToken": "string"
}
]
}

Delete a key-pair associated the service account.

path Parameters

id required	string ID of the key-pair to delete.
organization required	string Organization name.
serviceaccount required	string Serviceaccount name.

Responses

Response samples

200
default

Content type

application/json

{"fqn": "string",
"displayName": "string",
"etag": "string",
"description": "string",
"keys": [{"id": "string",
"publicKey": "string",
"privateKey": "string",
"encoding": "PEM",
"defaultToken": "string"
}
]
}

List all existing teams.

path Parameters

organization

required

string

Organization name.

Responses

Response samples

200
default

Content type

application/json

{"teams": [{"fqn": "string",
"displayName": "string",
"etag": "string",
"description": "string",
"members": ["string"
],
"sourceType": "INVALID"
}
]
}

Create a new team.

path Parameters

organization

required

string

Organization name.

Request Body schema: application/json
required

name required	string The short name for the resource to be created.
required	object (v2Team) `Team` is a named collection of users under a tenant.

Responses

Request samples

Payload

Content type

application/json

{"name": "string",
"team": {"displayName": "string",
"etag": "string",
"description": "string",
"members": ["string"
],
"sourceType": "INVALID"
}
}

Response samples

200
default

Content type

application/json

{"fqn": "string",
"displayName": "string",
"etag": "string",
"description": "string",
"members": ["string"
],
"sourceType": "INVALID"
}

Get the details of an existing team.

path Parameters

organization required	string Organization name.
team required	string Team name.

Responses

Response samples

200
default

Content type

application/json

{"fqn": "string",
"displayName": "string",
"etag": "string",
"description": "string",
"members": ["string"
],
"sourceType": "INVALID"
}

Modify an existing team.

path Parameters

organization required	string Organization name.
team required	string Team name.

Request Body schema: application/json
required

description	string (A description of the resource. $hide_from_yaml)
displayName	string (User friendly name for the resource. $hide_from_yaml)
etag	string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)
members	Array of strings List of members under the team. The elements of this list are the FQNs of the team members. Team members can be users, service accounts or other teams.
sourceType	string (v2SourceType) Default: "INVALID" Enum: "INVALID" "LDAP" "LOCAL" "AZURE" "MANUAL" `SourceType` describes where teams come from. Teams can be synchronized from the Identity Provider but can also be manually created using the Team API to create convenient groupings of users and other teams in order to configure fine-grained permissions in the Management Plane. LDAP: LDAP is used for users and teams that are automatically synchronized from LDAP. LOCAL: LOCAL is used for local teams that are manually created using the TSB Team API and do not exist in the Identity Provider. Deprecated. This value is deprecated and will be removed in future releases. Use 'MANUAL' instead. AZURE: AZURE is used for users synchronized from an Azure Active Directory. MANUAL: MANUAL is used for users and teams that exist in the Identity Provider that have been manually populated. MANUAL users are deprecated and Service Accounts should be used instead. Support for MANUAL users will be removed in future versions.

Responses

Request samples

Payload

Content type

application/json

{"description": "string",
"displayName": "string",
"etag": "string",
"members": ["string"
],
"sourceType": "INVALID"
}

Response samples

200
default

Content type

application/json

{"fqn": "string",
"displayName": "string",
"etag": "string",
"description": "string",
"members": ["string"
],
"sourceType": "INVALID"
}

Delete a team. Note that deleting a team only deletes the team itself, but not its members.

path Parameters

organization required	string Organization name.
team required	string Team name.

Responses

Response samples

200
default

Content type

application/json

{ }

List existing users.

path Parameters

organization

required

string

Organization name.

Responses

Response samples

200
default

Content type

application/json

{"users": [{"fqn": "string",
"displayName": "string",
"etag": "string",
"loginName": "string",
"firstName": "string",
"lastName": "string",
"email": "string",
"sourceType": "INVALID"
}
]
}

Deprecated. This method will be removed in future versions of TSB. Use Service Accounts instead.

Create a local User in TSB. Local users are like sercice accounts and are mostly used for internal purposes where an authentication token can be issued by the IAM service to be used on behalf of the user.

Note that local users do not exist in the Identity Provider and the normal login process will not allow them to access TSB.

$hide_from_docs

path Parameters

organization

required

string

Organization name.

Request Body schema: application/json
required

name required	string The short name for the resource to be created.
required	object (v2User) `User` represents a user from the Identity Provider that is allowed to log into the platform.

Responses

Request samples

Payload

Content type

application/json

{"name": "string",
"user": {"displayName": "string",
"etag": "string",
"loginName": "string",
"firstName": "string",
"lastName": "string",
"email": "string",
"sourceType": "INVALID"
}
}

Response samples

200
default

Content type

application/json

{"fqn": "string",
"displayName": "string",
"etag": "string",
"loginName": "string",
"firstName": "string",
"lastName": "string",
"email": "string",
"sourceType": "INVALID"
}

Get the details of an existing user.

path Parameters

organization required	string Organization name.
user required	string User name.

Responses

Response samples

200
default

Content type

application/json

{"fqn": "string",
"displayName": "string",
"etag": "string",
"loginName": "string",
"firstName": "string",
"lastName": "string",
"email": "string",
"sourceType": "INVALID"
}

Deprecated. This method will be removed in future versions of TSB. Use Service Accounts instead.

Modify an existin user.

This operation is expected to be used only for LOCAL users. Users are periodically synchronized from the Identity Provider, and the process may automatically set some properties of the User resource. Modifications made using the TSB APIs may be replaced by the data from the Identity Provider on every synchronization.

$hide_from_docs

path Parameters

organization required	string Organization name.
user required	string User name.

Request Body schema: application/json
required

displayName	string (User friendly name for the resource. $hide_from_yaml)
email	string Email for the user where alerts and other notifications will be sent.
etag	string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)
firstName	string The first name of the user.
lastName	string The last name of the user, if any.
loginName required	string The username used in the login credentials.
sourceType	string (v2SourceType) Default: "INVALID" Enum: "INVALID" "LDAP" "LOCAL" "AZURE" "MANUAL" `SourceType` describes where teams come from. Teams can be synchronized from the Identity Provider but can also be manually created using the Team API to create convenient groupings of users and other teams in order to configure fine-grained permissions in the Management Plane. LDAP: LDAP is used for users and teams that are automatically synchronized from LDAP. LOCAL: LOCAL is used for local teams that are manually created using the TSB Team API and do not exist in the Identity Provider. Deprecated. This value is deprecated and will be removed in future releases. Use 'MANUAL' instead. AZURE: AZURE is used for users synchronized from an Azure Active Directory. MANUAL: MANUAL is used for users and teams that exist in the Identity Provider that have been manually populated. MANUAL users are deprecated and Service Accounts should be used instead. Support for MANUAL users will be removed in future versions.

Responses

Request samples

Payload

Content type

application/json

{"displayName": "string",
"email": "string",
"etag": "string",
"firstName": "string",
"lastName": "string",
"loginName": "string",
"sourceType": "INVALID"
}

Response samples

200
default

Content type

application/json

{"fqn": "string",
"displayName": "string",
"etag": "string",
"loginName": "string",
"firstName": "string",
"lastName": "string",
"email": "string",
"sourceType": "INVALID"
}

Deprecated. This method will be removed in future versions of TSB. Use Service Accounts instead.

Delete an existing user. This operation is expected to be used only for LOCAL users. Users are periodically synchronized from the Identity Provider, so deleting a user that is not a local one may be reverted if the change is not done accordingly in the Identity Provider.

$hide_from_docs

path Parameters

organization required	string Organization name.
user required	string User name.

Responses

Response samples

200
default

Content type

application/json

{ }

Deprecated. This method will be removed in future versions of TSB. Use Service Accounts instead.

Generate the tokens for a local user account so it can authenticate against management plane. This method will return an error if the user account is not of type MANUAL. Credentials for normal platform users must be configured in the corresponding Identity Provider.

path Parameters

organization required	string Organization name.
user required	string User name.

Responses

Response samples

200
default

Content type

application/json

{"accessToken": "string",
"refreshToken": "string"
}

Tenants

List all tenants that are available.

path Parameters

organization

required

string

Organization name.

Responses

Response samples

200
default

Content type

application/json

{"tenants": [{"fqn": "string",
"displayName": "string",
"etag": "string",
"description": "string",
"securityDomain": "string"
}
]
}

Create a new tenant in the platform that will be the home for a set of resources.

path Parameters

organization

required

string

Organization name.

Request Body schema: application/json
required

name required	string The short name for the resource to be created.
required	object (v2Tenant) `Tenant` is a self-contained entity within an organization in the Service Bridge hierarchy.

Responses

Request samples

Payload

Content type

application/json

{"name": "string",
"tenant": {"displayName": "string",
"etag": "string",
"description": "string",
"securityDomain": "string"
}
}

Response samples

200
default

Content type

application/json

{"fqn": "string",
"displayName": "string",
"etag": "string",
"description": "string",
"securityDomain": "string"
}

Get the details of an existing tenant.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.

Responses

Response samples

200
default

Content type

application/json

{"fqn": "string",
"displayName": "string",
"etag": "string",
"description": "string",
"securityDomain": "string"
}

Modify the details of the given tenant.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.

Request Body schema: application/json
required

description	string (A description of the resource. $hide_from_yaml)
displayName	string (User friendly name for the resource. $hide_from_yaml)
etag	string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)
securityDomain	string Security domains can be used to group different resources under the same security domain. Although security domain is not resource itself currently, it follows a fqn format `organizations/myorg/securitydomains/mysecuritydomain`, and a child cannot override any ancestor's security domain. Once a security domain is assigned to a Tenant, all the children resources will belong to that security domain in the same way a Workspace belongs to a Tenant, a Workspace will also belong to the security domain assigned to the Tenant. Security domains can also be used to define Security settings Authorization rules in which you can allow or deny request from or to a security domain.

Responses

Request samples

Payload

Content type

application/json

{"description": "string",
"displayName": "string",
"etag": "string",
"securityDomain": "string"
}

Response samples

200
default

Content type

application/json

{"fqn": "string",
"displayName": "string",
"etag": "string",
"description": "string",
"securityDomain": "string"
}

Delete a tenant from the platform. Deleting a tenant will recursively delete all resources attached to the tenant, so use with caution. It will delete all workspaces and all settings that have been created in that tenant, so this operation should be done carefully, when it's safe to do so.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.

Responses

Response samples

200
default

Content type

application/json

{ }

List all the WASM extensions that have been attached to the given tenant.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.

Responses

Response samples

200
default

Content type

application/json

{"extensions": [{"fqn": "string",
"displayName": "string",
"etag": "string",
"description": "string",
"allowedIn": ["string"
],
"image": "string",
"source": "string",
"phase": "UNSPECIFIED_PHASE",
"priority": 0,
"config": { },
"imagePullPolicy": "UNSPECIFIED_POLICY",
"imagePullSecret": "string",
"vmConfig": {"env": [{"name": "string",
"valueFrom": "INLINE",
"value": "string"
}
]
}
}
]
}

List all the settings objects that have made available to the given tenant.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.

Responses

Response samples

200
default

Content type

application/json

{"settings": [{"fqn": "string",
"displayName": "string",
"etag": "string",
"description": "string",
"defaultSecuritySetting": {"fqn": "string",
"displayName": "string",
"etag": "string",
"description": "string",
"authentication": "UNSET",
"authorization": {"mode": "UNSET",
"serviceAccounts": ["string"
],
"http": {"external": {"uri": "string",
"includeRequestHeaders": ["string"
],
"tls": {"mode": "DISABLED",
"files": {"clientCertificate": "string",
"privateKey": "string",
"caCertificates": "string"
},
"subjectAltNames": ["string"
]
}
},
"local": {"rules": [{"name": "string",
"from": [null
],
"to": [null
]
}
]
}
},
"rules": {"allow": [{"from": {"fqn": "string"
},
"to": {"fqn": "string"
}
}
],
"denyAll": true,
"deny": [{"from": {"fqn": "string"
},
"to": {"fqn": "string"
}
}
]
}
},
"authenticationSettings": {"trafficMode": "UNSET",
"http": {"jwt": {"issuer": "string",
"audiences": ["string"
],
"jwksUri": "string",
"jwks": "string"
}
}
},
"waf": {"rules": ["string"
]
},
"propagationStrategy": "REPLACE",
"extension": [{"fqn": "string",
"config": { }
}
]
},
"defaultTrafficSetting": {"fqn": "string",
"displayName": "string",
"etag": "string",
"description": "string",
"reachability": {"mode": "UNSET",
"hosts": ["string"
]
},
"resilience": {"httpRequestTimeout": "string",
"httpRetries": {"attempts": 0,
"perTryTimeout": "string",
"retryOn": "string"
},
"tcpKeepalive": true,
"keepAlive": {"tcp": {"downstream": {"probes": 0,
"idleTime": 0,
"interval": 0
},
"upstream": {"probes": 0,
"idleTime": 0,
"interval": 0
}
}
},
"circuitBreakerSensitivity": "UNSET"
},
"egress": {"host": "string",
"port": 0
},
"rateLimiting": {"settings": {"rules": [{"dimensions": [{"remoteAddress": null,
"header": null
}
],
"limit": {"requestsPerUnit": 0,
"unit": "UNKNOWN"
}
}
],
"failClosed": true,
"timeout": "string"
},
"externalService": {"domain": "string",
"failClosed": true,
"rateLimitServerUri": "string",
"rules": [{"dimensions": [{"sourceCluster": null,
"destinationCluster": null,
"remoteAddress": null,
"requestHeaders": null,
"headerValueMatch": null
}
]
}
],
"timeout": "string",
"tls": {"mode": "DISABLED",
"files": {"clientCertificate": "string",
"privateKey": "string",
"caCertificates": "string"
},
"subjectAltNames": ["string"
]
}
}
}
}
}
]
}

Create a settings object for the given tenant.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.

Request Body schema: application/json
required

name required	string The short name for the resource to be created.
required	object (v2TenantSetting) Default settings that apply to all workspaces under a tenant.

Responses

Request samples

Payload

Content type

application/json

{"name": "string",
"setting": {"displayName": "string",
"etag": "string",
"description": "string",
"defaultSecuritySetting": {"displayName": "string",
"etag": "string",
"description": "string",
"authentication": "UNSET",
"authorization": {"mode": "UNSET",
"serviceAccounts": ["string"
],
"http": {"external": {"uri": "string",
"includeRequestHeaders": ["string"
],
"tls": {"mode": "DISABLED",
"files": {"clientCertificate": "string",
"privateKey": "string",
"caCertificates": "string"
},
"subjectAltNames": ["string"
]
}
},
"local": {"rules": [{"name": "string",
"from": [{"jwt": null
}
],
"to": [{"paths": [ ],
"methods": [ ]
}
]
}
]
}
},
"rules": {"allow": [{"from": {"fqn": "string"
},
"to": {"fqn": "string"
}
}
],
"denyAll": true,
"deny": [{"from": {"fqn": "string"
},
"to": {"fqn": "string"
}
}
]
}
},
"authenticationSettings": {"trafficMode": "UNSET",
"http": {"jwt": {"issuer": "string",
"audiences": ["string"
],
"jwksUri": "string",
"jwks": "string"
}
}
},
"waf": {"rules": ["string"
]
},
"propagationStrategy": "REPLACE",
"extension": [{"fqn": "string",
"config": { }
}
]
},
"defaultTrafficSetting": {"displayName": "string",
"etag": "string",
"description": "string",
"reachability": {"mode": "UNSET",
"hosts": ["string"
]
},
"resilience": {"httpRequestTimeout": "string",
"httpRetries": {"attempts": 0,
"perTryTimeout": "string",
"retryOn": "string"
},
"tcpKeepalive": true,
"keepAlive": {"tcp": {"downstream": {"probes": 0,
"idleTime": 0,
"interval": 0
},
"upstream": {"probes": 0,
"idleTime": 0,
"interval": 0
}
}
},
"circuitBreakerSensitivity": "UNSET"
},
"egress": {"host": "string",
"port": 0
},
"rateLimiting": {"settings": {"rules": [{"dimensions": [{"remoteAddress": {"value": null
},
"header": {"name": null,
"value": null,
"dontMatch": null
}
}
],
"limit": {"requestsPerUnit": 0,
"unit": "UNKNOWN"
}
}
],
"failClosed": true,
"timeout": "string"
},
"externalService": {"domain": "string",
"failClosed": true,
"rateLimitServerUri": "string",
"rules": [{"dimensions": [{"sourceCluster": { },
"destinationCluster": { },
"remoteAddress": { },
"requestHeaders": {"headerName": null,
"descriptorKey": null
},
"headerValueMatch": {"headers": { },
"descriptorValue": null,
"dontMatch": null
}
}
]
}
],
"timeout": "string",
"tls": {"mode": "DISABLED",
"files": {"clientCertificate": "string",
"privateKey": "string",
"caCertificates": "string"
},
"subjectAltNames": ["string"
]
}
}
}
}
}
}

Response samples

200
default

Content type

application/json

{"fqn": "string",
"displayName": "string",
"etag": "string",
"description": "string",
"defaultSecuritySetting": {"fqn": "string",
"displayName": "string",
"etag": "string",
"description": "string",
"authentication": "UNSET",
"authorization": {"mode": "UNSET",
"serviceAccounts": ["string"
],
"http": {"external": {"uri": "string",
"includeRequestHeaders": ["string"
],
"tls": {"mode": "DISABLED",
"files": {"clientCertificate": "string",
"privateKey": "string",
"caCertificates": "string"
},
"subjectAltNames": ["string"
]
}
},
"local": {"rules": [{"name": "string",
"from": [{"jwt": {"iss": null,
"sub": null,
"other": { }
}
}
],
"to": [{"paths": [null
],
"methods": [null
]
}
]
}
]
}
},
"rules": {"allow": [{"from": {"fqn": "string"
},
"to": {"fqn": "string"
}
}
],
"denyAll": true,
"deny": [{"from": {"fqn": "string"
},
"to": {"fqn": "string"
}
}
]
}
},
"authenticationSettings": {"trafficMode": "UNSET",
"http": {"jwt": {"issuer": "string",
"audiences": ["string"
],
"jwksUri": "string",
"jwks": "string"
}
}
},
"waf": {"rules": ["string"
]
},
"propagationStrategy": "REPLACE",
"extension": [{"fqn": "string",
"config": { }
}
]
},
"defaultTrafficSetting": {"fqn": "string",
"displayName": "string",
"etag": "string",
"description": "string",
"reachability": {"mode": "UNSET",
"hosts": ["string"
]
},
"resilience": {"httpRequestTimeout": "string",
"httpRetries": {"attempts": 0,
"perTryTimeout": "string",
"retryOn": "string"
},
"tcpKeepalive": true,
"keepAlive": {"tcp": {"downstream": {"probes": 0,
"idleTime": 0,
"interval": 0
},
"upstream": {"probes": 0,
"idleTime": 0,
"interval": 0
}
}
},
"circuitBreakerSensitivity": "UNSET"
},
"egress": {"host": "string",
"port": 0
},
"rateLimiting": {"settings": {"rules": [{"dimensions": [{"remoteAddress": {"value": "string"
},
"header": {"name": "string",
"value": {"exact": null,
"prefix": null,
"regex": null
},
"dontMatch": true
}
}
],
"limit": {"requestsPerUnit": 0,
"unit": "UNKNOWN"
}
}
],
"failClosed": true,
"timeout": "string"
},
"externalService": {"domain": "string",
"failClosed": true,
"rateLimitServerUri": "string",
"rules": [{"dimensions": [{"sourceCluster": { },
"destinationCluster": { },
"remoteAddress": { },
"requestHeaders": {"headerName": "string",
"descriptorKey": "string"
},
"headerValueMatch": {"headers": {"property1": null,
"property2": null
},
"descriptorValue": "string",
"dontMatch": true
}
}
]
}
],
"timeout": "string",
"tls": {"mode": "DISABLED",
"files": {"clientCertificate": "string",
"privateKey": "string",
"caCertificates": "string"
},
"subjectAltNames": ["string"
]
}
}
}
}
}

Get the details for the given settings object.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
setting required	string Setting name.

Responses

Response samples

200
default

Content type

application/json

{"fqn": "string",
"displayName": "string",
"etag": "string",
"description": "string",
"defaultSecuritySetting": {"fqn": "string",
"displayName": "string",
"etag": "string",
"description": "string",
"authentication": "UNSET",
"authorization": {"mode": "UNSET",
"serviceAccounts": ["string"
],
"http": {"external": {"uri": "string",
"includeRequestHeaders": ["string"
],
"tls": {"mode": "DISABLED",
"files": {"clientCertificate": "string",
"privateKey": "string",
"caCertificates": "string"
},
"subjectAltNames": ["string"
]
}
},
"local": {"rules": [{"name": "string",
"from": [{"jwt": {"iss": null,
"sub": null,
"other": { }
}
}
],
"to": [{"paths": [null
],
"methods": [null
]
}
]
}
]
}
},
"rules": {"allow": [{"from": {"fqn": "string"
},
"to": {"fqn": "string"
}
}
],
"denyAll": true,
"deny": [{"from": {"fqn": "string"
},
"to": {"fqn": "string"
}
}
]
}
},
"authenticationSettings": {"trafficMode": "UNSET",
"http": {"jwt": {"issuer": "string",
"audiences": ["string"
],
"jwksUri": "string",
"jwks": "string"
}
}
},
"waf": {"rules": ["string"
]
},
"propagationStrategy": "REPLACE",
"extension": [{"fqn": "string",
"config": { }
}
]
},
"defaultTrafficSetting": {"fqn": "string",
"displayName": "string",
"etag": "string",
"description": "string",
"reachability": {"mode": "UNSET",
"hosts": ["string"
]
},
"resilience": {"httpRequestTimeout": "string",
"httpRetries": {"attempts": 0,
"perTryTimeout": "string",
"retryOn": "string"
},
"tcpKeepalive": true,
"keepAlive": {"tcp": {"downstream": {"probes": 0,
"idleTime": 0,
"interval": 0
},
"upstream": {"probes": 0,
"idleTime": 0,
"interval": 0
}
}
},
"circuitBreakerSensitivity": "UNSET"
},
"egress": {"host": "string",
"port": 0
},
"rateLimiting": {"settings": {"rules": [{"dimensions": [{"remoteAddress": {"value": "string"
},
"header": {"name": "string",
"value": {"exact": null,
"prefix": null,
"regex": null
},
"dontMatch": true
}
}
],
"limit": {"requestsPerUnit": 0,
"unit": "UNKNOWN"
}
}
],
"failClosed": true,
"timeout": "string"
},
"externalService": {"domain": "string",
"failClosed": true,
"rateLimitServerUri": "string",
"rules": [{"dimensions": [{"sourceCluster": { },
"destinationCluster": { },
"remoteAddress": { },
"requestHeaders": {"headerName": "string",
"descriptorKey": "string"
},
"headerValueMatch": {"headers": {"property1": null,
"property2": null
},
"descriptorValue": "string",
"dontMatch": true
}
}
]
}
],
"timeout": "string",
"tls": {"mode": "DISABLED",
"files": {"clientCertificate": "string",
"privateKey": "string",
"caCertificates": "string"
},
"subjectAltNames": ["string"
]
}
}
}
}
}

Modify the given settings in the given tenant.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
setting required	string Setting name.

Request Body schema: application/json
required

	object (v2SecuritySetting) A security setting applies configuration to a set of proxy workloads in a security group or a workspace. When applied to a security group, missing fields will inherit values from the workspace-wide setting if any.
	object (v2TrafficSetting) A traffic setting applies configuration to a set of proxy workloads in a traffic group or a workspace. When applied to a traffic group, missing fields will inherit values from the workspace-wide setting if any.
description	string (A description of the resource. $hide_from_yaml)
displayName	string (User friendly name for the resource. $hide_from_yaml)
etag	string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)

Responses

Request samples

Payload

Content type

application/json

{"defaultSecuritySetting": {"displayName": "string",
"etag": "string",
"description": "string",
"authentication": "UNSET",
"authorization": {"mode": "UNSET",
"serviceAccounts": ["string"
],
"http": {"external": {"uri": "string",
"includeRequestHeaders": ["string"
],
"tls": {"mode": "DISABLED",
"files": {"clientCertificate": "string",
"privateKey": "string",
"caCertificates": "string"
},
"subjectAltNames": ["string"
]
}
},
"local": {"rules": [{"name": "string",
"from": [{"jwt": {"iss": null,
"sub": null,
"other": { }
}
}
],
"to": [{"paths": [null
],
"methods": [null
]
}
]
}
]
}
},
"rules": {"allow": [{"from": {"fqn": "string"
},
"to": {"fqn": "string"
}
}
],
"denyAll": true,
"deny": [{"from": {"fqn": "string"
},
"to": {"fqn": "string"
}
}
]
}
},
"authenticationSettings": {"trafficMode": "UNSET",
"http": {"jwt": {"issuer": "string",
"audiences": ["string"
],
"jwksUri": "string",
"jwks": "string"
}
}
},
"waf": {"rules": ["string"
]
},
"propagationStrategy": "REPLACE",
"extension": [{"fqn": "string",
"config": { }
}
]
},
"defaultTrafficSetting": {"displayName": "string",
"etag": "string",
"description": "string",
"reachability": {"mode": "UNSET",
"hosts": ["string"
]
},
"resilience": {"httpRequestTimeout": "string",
"httpRetries": {"attempts": 0,
"perTryTimeout": "string",
"retryOn": "string"
},
"tcpKeepalive": true,
"keepAlive": {"tcp": {"downstream": {"probes": 0,
"idleTime": 0,
"interval": 0
},
"upstream": {"probes": 0,
"idleTime": 0,
"interval": 0
}
}
},
"circuitBreakerSensitivity": "UNSET"
},
"egress": {"host": "string",
"port": 0
},
"rateLimiting": {"settings": {"rules": [{"dimensions": [{"remoteAddress": {"value": "string"
},
"header": {"name": "string",
"value": {"exact": null,
"prefix": null,
"regex": null
},
"dontMatch": true
}
}
],
"limit": {"requestsPerUnit": 0,
"unit": "UNKNOWN"
}
}
],
"failClosed": true,
"timeout": "string"
},
"externalService": {"domain": "string",
"failClosed": true,
"rateLimitServerUri": "string",
"rules": [{"dimensions": [{"sourceCluster": { },
"destinationCluster": { },
"remoteAddress": { },
"requestHeaders": {"headerName": "string",
"descriptorKey": "string"
},
"headerValueMatch": {"headers": {"property1": null,
"property2": null
},
"descriptorValue": "string",
"dontMatch": true
}
}
]
}
],
"timeout": "string",
"tls": {"mode": "DISABLED",
"files": {"clientCertificate": "string",
"privateKey": "string",
"caCertificates": "string"
},
"subjectAltNames": ["string"
]
}
}
}
},
"description": "string",
"displayName": "string",
"etag": "string"
}

Response samples

200
default

Content type

application/json

{"fqn": "string",
"displayName": "string",
"etag": "string",
"description": "string",
"defaultSecuritySetting": {"fqn": "string",
"displayName": "string",
"etag": "string",
"description": "string",
"authentication": "UNSET",
"authorization": {"mode": "UNSET",
"serviceAccounts": ["string"
],
"http": {"external": {"uri": "string",
"includeRequestHeaders": ["string"
],
"tls": {"mode": "DISABLED",
"files": {"clientCertificate": "string",
"privateKey": "string",
"caCertificates": "string"
},
"subjectAltNames": ["string"
]
}
},
"local": {"rules": [{"name": "string",
"from": [{"jwt": {"iss": null,
"sub": null,
"other": { }
}
}
],
"to": [{"paths": [null
],
"methods": [null
]
}
]
}
]
}
},
"rules": {"allow": [{"from": {"fqn": "string"
},
"to": {"fqn": "string"
}
}
],
"denyAll": true,
"deny": [{"from": {"fqn": "string"
},
"to": {"fqn": "string"
}
}
]
}
},
"authenticationSettings": {"trafficMode": "UNSET",
"http": {"jwt": {"issuer": "string",
"audiences": ["string"
],
"jwksUri": "string",
"jwks": "string"
}
}
},
"waf": {"rules": ["string"
]
},
"propagationStrategy": "REPLACE",
"extension": [{"fqn": "string",
"config": { }
}
]
},
"defaultTrafficSetting": {"fqn": "string",
"displayName": "string",
"etag": "string",
"description": "string",
"reachability": {"mode": "UNSET",
"hosts": ["string"
]
},
"resilience": {"httpRequestTimeout": "string",
"httpRetries": {"attempts": 0,
"perTryTimeout": "string",
"retryOn": "string"
},
"tcpKeepalive": true,
"keepAlive": {"tcp": {"downstream": {"probes": 0,
"idleTime": 0,
"interval": 0
},
"upstream": {"probes": 0,
"idleTime": 0,
"interval": 0
}
}
},
"circuitBreakerSensitivity": "UNSET"
},
"egress": {"host": "string",
"port": 0
},
"rateLimiting": {"settings": {"rules": [{"dimensions": [{"remoteAddress": {"value": "string"
},
"header": {"name": "string",
"value": {"exact": null,
"prefix": null,
"regex": null
},
"dontMatch": true
}
}
],
"limit": {"requestsPerUnit": 0,
"unit": "UNKNOWN"
}
}
],
"failClosed": true,
"timeout": "string"
},
"externalService": {"domain": "string",
"failClosed": true,
"rateLimitServerUri": "string",
"rules": [{"dimensions": [{"sourceCluster": { },
"destinationCluster": { },
"remoteAddress": { },
"requestHeaders": {"headerName": "string",
"descriptorKey": "string"
},
"headerValueMatch": {"headers": {"property1": null,
"property2": null
},
"descriptorValue": "string",
"dontMatch": true
}
}
]
}
],
"timeout": "string",
"tls": {"mode": "DISABLED",
"files": {"clientCertificate": "string",
"privateKey": "string",
"caCertificates": "string"
},
"subjectAltNames": ["string"
]
}
}
}
}
}

Delete the given settings object from the tenant.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
setting required	string Setting name.

Responses

Response samples

200
default

Content type

application/json

{ }

Workspaces

List all existing workspaces for the given tenant.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.

Responses

Response samples

200
default

Content type

application/json

{"workspaces": [{"fqn": "string",
"displayName": "string",
"etag": "string",
"description": "string",
"namespaceSelector": {"names": ["string"
]
},
"privileged": true,
"isolationBoundary": "string",
"securityDomain": "string"
}
]
}

Create a new workspace. The workspace will own exclusively the namespaces configured in the namespaces selector for the workspace.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.

Request Body schema: application/json
required

name required	string The short name for the resource to be created.
required	object (v2Workspace) A Workspace is a collection of related namespaces in one or more clusters.

Responses

Request samples

Payload

Content type

application/json

{"name": "string",
"workspace": {"displayName": "string",
"etag": "string",
"description": "string",
"namespaceSelector": {"names": ["string"
]
},
"privileged": true,
"isolationBoundary": "string",
"securityDomain": "string"
}
}

Response samples

200
default

Content type

application/json

{"fqn": "string",
"displayName": "string",
"etag": "string",
"description": "string",
"namespaceSelector": {"names": ["string"
]
},
"privileged": true,
"isolationBoundary": "string",
"securityDomain": "string"
}

Get the details of an existing workspace

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
workspace required	string Workspace name.

Responses

Response samples

200
default

Content type

application/json

{"fqn": "string",
"displayName": "string",
"etag": "string",
"description": "string",
"namespaceSelector": {"names": ["string"
]
},
"privileged": true,
"isolationBoundary": "string",
"securityDomain": "string"
}

Modify an existing workspace

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
workspace required	string Workspace name.

Request Body schema: application/json
required

description	string (A description of the resource. $hide_from_yaml)
displayName	string (User friendly name for the resource. $hide_from_yaml)
etag	string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)
isolationBoundary	string Istio Isolation Boundary name to which this workspace belongs. If not provided explicitly, the workspace looks for an isolation boundary with name set as "global". Therefore, in order to move existing workspaces to isolation boundaries, and be a part of revisioned control plane, it is recommended to configure an isolation boundary with the name "global".
required	object (`NamespaceSelector` selects a set of namespaces across one or more clusters in a tenant. Namespace selectors can be used at Workspace level to carve out a chunk of resources under a tenant into an isolated configuration domain. They can be used in a Traffic, Security, or a Gateway group to further scope the set of namespaces that will belong to a specific configuration group. Names in namespaces selector must be in the form `cluster/namespace` where: - cluster must be a cluster name or an `` to mean all clusters - namespace must be a namespace name, an `` to mean all namespaces or a prefix like `ns-*` to mean all those namespaces starting by `ns-`)
privileged	boolean If set to true, allows Gateways in the workspace to route to services in other workspaces. Set this to true for workspaces owning cluster-wide gateways shared by multiple teams.
securityDomain	string Security domains can be used to group different resources under the same security domain. Although security domain is not resource itself currently, it follows a fqn format `organizations/myorg/securitydomains/mysecuritydomain`, and a child cannot override any ancestor's security domain. Once a security domain is assigned to a Workspace, all the children resources will belong to that security domain in the same way a Security group belongs to a Workspace, a Security group will also belong to the security domain assigned to the Workspace. Security domains can also be used to define Security settings Authorization rules in which you can allow or deny request from or to a security domain.

Responses

Request samples

Payload

Content type

application/json

{"description": "string",
"displayName": "string",
"etag": "string",
"isolationBoundary": "string",
"namespaceSelector": {"names": ["string"
]
},
"privileged": true,
"securityDomain": "string"
}

Response samples

200
default

Content type

application/json

{"fqn": "string",
"displayName": "string",
"etag": "string",
"description": "string",
"namespaceSelector": {"names": ["string"
]
},
"privileged": true,
"isolationBoundary": "string",
"securityDomain": "string"
}

Delete an existing workspace. Note that deleting resources in TSB is a recursive operation. Deleting a workspace will delete all groups and configuration objects that exist in it.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
workspace required	string Workspace name.

Responses

Response samples

200
default

Content type

application/json

{ }

List all settings available for the given workspace.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
workspace required	string Workspace name.

Responses

Response samples

200
default

Content type

application/json

{"settings": [{"fqn": "string",
"displayName": "string",
"etag": "string",
"description": "string",
"defaultSecuritySetting": {"fqn": "string",
"displayName": "string",
"etag": "string",
"description": "string",
"authentication": "UNSET",
"authorization": {"mode": "UNSET",
"serviceAccounts": ["string"
],
"http": {"external": {"uri": "string",
"includeRequestHeaders": ["string"
],
"tls": {"mode": "DISABLED",
"files": {"clientCertificate": "string",
"privateKey": "string",
"caCertificates": "string"
},
"subjectAltNames": ["string"
]
}
},
"local": {"rules": [{"name": "string",
"from": [null
],
"to": [null
]
}
]
}
},
"rules": {"allow": [{"from": {"fqn": "string"
},
"to": {"fqn": "string"
}
}
],
"denyAll": true,
"deny": [{"from": {"fqn": "string"
},
"to": {"fqn": "string"
}
}
]
}
},
"authenticationSettings": {"trafficMode": "UNSET",
"http": {"jwt": {"issuer": "string",
"audiences": ["string"
],
"jwksUri": "string",
"jwks": "string"
}
}
},
"waf": {"rules": ["string"
]
},
"propagationStrategy": "REPLACE",
"extension": [{"fqn": "string",
"config": { }
}
]
},
"defaultTrafficSetting": {"fqn": "string",
"displayName": "string",
"etag": "string",
"description": "string",
"reachability": {"mode": "UNSET",
"hosts": ["string"
]
},
"resilience": {"httpRequestTimeout": "string",
"httpRetries": {"attempts": 0,
"perTryTimeout": "string",
"retryOn": "string"
},
"tcpKeepalive": true,
"keepAlive": {"tcp": {"downstream": {"probes": 0,
"idleTime": 0,
"interval": 0
},
"upstream": {"probes": 0,
"idleTime": 0,
"interval": 0
}
}
},
"circuitBreakerSensitivity": "UNSET"
},
"egress": {"host": "string",
"port": 0
},
"rateLimiting": {"settings": {"rules": [{"dimensions": [{"remoteAddress": null,
"header": null
}
],
"limit": {"requestsPerUnit": 0,
"unit": "UNKNOWN"
}
}
],
"failClosed": true,
"timeout": "string"
},
"externalService": {"domain": "string",
"failClosed": true,
"rateLimitServerUri": "string",
"rules": [{"dimensions": [{"sourceCluster": null,
"destinationCluster": null,
"remoteAddress": null,
"requestHeaders": null,
"headerValueMatch": null
}
]
}
],
"timeout": "string",
"tls": {"mode": "DISABLED",
"files": {"clientCertificate": "string",
"privateKey": "string",
"caCertificates": "string"
},
"subjectAltNames": ["string"
]
}
}
}
},
"regionalFailover": [{"from": "string",
"to": "string"
}
],
"defaultEastWestGatewaySettings": [{"workloadSelector": {"namespace": "string",
"labels": {"property1": "string",
"property2": "string"
}
},
"exposedServices": [{"serviceLabels": {"property1": "string",
"property2": "string"
}
}
]
}
]
}
]
}

Create default settings for a workspace. Default settings will apply to the services owned by the workspace, unless more specific settings are provided at the group level.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
workspace required	string Workspace name.

Request Body schema: application/json
required

name required	string The short name for the resource to be created.
required	object (v2WorkspaceSetting) Default security and traffic settings for all proxy workloads in the workspace.

Responses

Request samples

Payload

Content type

application/json

{"name": "string",
"settings": {"displayName": "string",
"etag": "string",
"description": "string",
"defaultSecuritySetting": {"displayName": "string",
"etag": "string",
"description": "string",
"authentication": "UNSET",
"authorization": {"mode": "UNSET",
"serviceAccounts": ["string"
],
"http": {"external": {"uri": "string",
"includeRequestHeaders": ["string"
],
"tls": {"mode": "DISABLED",
"files": {"clientCertificate": "string",
"privateKey": "string",
"caCertificates": "string"
},
"subjectAltNames": ["string"
]
}
},
"local": {"rules": [{"name": "string",
"from": [{"jwt": null
}
],
"to": [{"paths": [ ],
"methods": [ ]
}
]
}
]
}
},
"rules": {"allow": [{"from": {"fqn": "string"
},
"to": {"fqn": "string"
}
}
],
"denyAll": true,
"deny": [{"from": {"fqn": "string"
},
"to": {"fqn": "string"
}
}
]
}
},
"authenticationSettings": {"trafficMode": "UNSET",
"http": {"jwt": {"issuer": "string",
"audiences": ["string"
],
"jwksUri": "string",
"jwks": "string"
}
}
},
"waf": {"rules": ["string"
]
},
"propagationStrategy": "REPLACE",
"extension": [{"fqn": "string",
"config": { }
}
]
},
"defaultTrafficSetting": {"displayName": "string",
"etag": "string",
"description": "string",
"reachability": {"mode": "UNSET",
"hosts": ["string"
]
},
"resilience": {"httpRequestTimeout": "string",
"httpRetries": {"attempts": 0,
"perTryTimeout": "string",
"retryOn": "string"
},
"tcpKeepalive": true,
"keepAlive": {"tcp": {"downstream": {"probes": 0,
"idleTime": 0,
"interval": 0
},
"upstream": {"probes": 0,
"idleTime": 0,
"interval": 0
}
}
},
"circuitBreakerSensitivity": "UNSET"
},
"egress": {"host": "string",
"port": 0
},
"rateLimiting": {"settings": {"rules": [{"dimensions": [{"remoteAddress": {"value": null
},
"header": {"name": null,
"value": null,
"dontMatch": null
}
}
],
"limit": {"requestsPerUnit": 0,
"unit": "UNKNOWN"
}
}
],
"failClosed": true,
"timeout": "string"
},
"externalService": {"domain": "string",
"failClosed": true,
"rateLimitServerUri": "string",
"rules": [{"dimensions": [{"sourceCluster": { },
"destinationCluster": { },
"remoteAddress": { },
"requestHeaders": {"headerName": null,
"descriptorKey": null
},
"headerValueMatch": {"headers": { },
"descriptorValue": null,
"dontMatch": null
}
}
]
}
],
"timeout": "string",
"tls": {"mode": "DISABLED",
"files": {"clientCertificate": "string",
"privateKey": "string",
"caCertificates": "string"
},
"subjectAltNames": ["string"
]
}
}
}
},
"regionalFailover": [{"from": "string",
"to": "string"
}
],
"defaultEastWestGatewaySettings": [{"workloadSelector": {"namespace": "string",
"labels": {"property1": "string",
"property2": "string"
}
},
"exposedServices": [{"serviceLabels": {"property1": "string",
"property2": "string"
}
}
]
}
]
}
}

Response samples

200
default

Content type

application/json

{"fqn": "string",
"displayName": "string",
"etag": "string",
"description": "string",
"defaultSecuritySetting": {"fqn": "string",
"displayName": "string",
"etag": "string",
"description": "string",
"authentication": "UNSET",
"authorization": {"mode": "UNSET",
"serviceAccounts": ["string"
],
"http": {"external": {"uri": "string",
"includeRequestHeaders": ["string"
],
"tls": {"mode": "DISABLED",
"files": {"clientCertificate": "string",
"privateKey": "string",
"caCertificates": "string"
},
"subjectAltNames": ["string"
]
}
},
"local": {"rules": [{"name": "string",
"from": [{"jwt": {"iss": null,
"sub": null,
"other": { }
}
}
],
"to": [{"paths": [null
],
"methods": [null
]
}
]
}
]
}
},
"rules": {"allow": [{"from": {"fqn": "string"
},
"to": {"fqn": "string"
}
}
],
"denyAll": true,
"deny": [{"from": {"fqn": "string"
},
"to": {"fqn": "string"
}
}
]
}
},
"authenticationSettings": {"trafficMode": "UNSET",
"http": {"jwt": {"issuer": "string",
"audiences": ["string"
],
"jwksUri": "string",
"jwks": "string"
}
}
},
"waf": {"rules": ["string"
]
},
"propagationStrategy": "REPLACE",
"extension": [{"fqn": "string",
"config": { }
}
]
},
"defaultTrafficSetting": {"fqn": "string",
"displayName": "string",
"etag": "string",
"description": "string",
"reachability": {"mode": "UNSET",
"hosts": ["string"
]
},
"resilience": {"httpRequestTimeout": "string",
"httpRetries": {"attempts": 0,
"perTryTimeout": "string",
"retryOn": "string"
},
"tcpKeepalive": true,
"keepAlive": {"tcp": {"downstream": {"probes": 0,
"idleTime": 0,
"interval": 0
},
"upstream": {"probes": 0,
"idleTime": 0,
"interval": 0
}
}
},
"circuitBreakerSensitivity": "UNSET"
},
"egress": {"host": "string",
"port": 0
},
"rateLimiting": {"settings": {"rules": [{"dimensions": [{"remoteAddress": {"value": "string"
},
"header": {"name": "string",
"value": {"exact": null,
"prefix": null,
"regex": null
},
"dontMatch": true
}
}
],
"limit": {"requestsPerUnit": 0,
"unit": "UNKNOWN"
}
}
],
"failClosed": true,
"timeout": "string"
},
"externalService": {"domain": "string",
"failClosed": true,
"rateLimitServerUri": "string",
"rules": [{"dimensions": [{"sourceCluster": { },
"destinationCluster": { },
"remoteAddress": { },
"requestHeaders": {"headerName": "string",
"descriptorKey": "string"
},
"headerValueMatch": {"headers": {"property1": null,
"property2": null
},
"descriptorValue": "string",
"dontMatch": true
}
}
]
}
],
"timeout": "string",
"tls": {"mode": "DISABLED",
"files": {"clientCertificate": "string",
"privateKey": "string",
"caCertificates": "string"
},
"subjectAltNames": ["string"
]
}
}
}
},
"regionalFailover": [{"from": "string",
"to": "string"
}
],
"defaultEastWestGatewaySettings": [{"workloadSelector": {"namespace": "string",
"labels": {"property1": "string",
"property2": "string"
}
},
"exposedServices": [{"serviceLabels": {"property1": "string",
"property2": "string"
}
}
]
}
]
}

Get the details of a settings object for the given workspace.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
workspace required	string Workspace name.
setting required	string Setting name.

Responses

Response samples

200
default

Content type

application/json

{"fqn": "string",
"displayName": "string",
"etag": "string",
"description": "string",
"defaultSecuritySetting": {"fqn": "string",
"displayName": "string",
"etag": "string",
"description": "string",
"authentication": "UNSET",
"authorization": {"mode": "UNSET",
"serviceAccounts": ["string"
],
"http": {"external": {"uri": "string",
"includeRequestHeaders": ["string"
],
"tls": {"mode": "DISABLED",
"files": {"clientCertificate": "string",
"privateKey": "string",
"caCertificates": "string"
},
"subjectAltNames": ["string"
]
}
},
"local": {"rules": [{"name": "string",
"from": [{"jwt": {"iss": null,
"sub": null,
"other": { }
}
}
],
"to": [{"paths": [null
],
"methods": [null
]
}
]
}
]
}
},
"rules": {"allow": [{"from": {"fqn": "string"
},
"to": {"fqn": "string"
}
}
],
"denyAll": true,
"deny": [{"from": {"fqn": "string"
},
"to": {"fqn": "string"
}
}
]
}
},
"authenticationSettings": {"trafficMode": "UNSET",
"http": {"jwt": {"issuer": "string",
"audiences": ["string"
],
"jwksUri": "string",
"jwks": "string"
}
}
},
"waf": {"rules": ["string"
]
},
"propagationStrategy": "REPLACE",
"extension": [{"fqn": "string",
"config": { }
}
]
},
"defaultTrafficSetting": {"fqn": "string",
"displayName": "string",
"etag": "string",
"description": "string",
"reachability": {"mode": "UNSET",
"hosts": ["string"
]
},
"resilience": {"httpRequestTimeout": "string",
"httpRetries": {"attempts": 0,
"perTryTimeout": "string",
"retryOn": "string"
},
"tcpKeepalive": true,
"keepAlive": {"tcp": {"downstream": {"probes": 0,
"idleTime": 0,
"interval": 0
},
"upstream": {"probes": 0,
"idleTime": 0,
"interval": 0
}
}
},
"circuitBreakerSensitivity": "UNSET"
},
"egress": {"host": "string",
"port": 0
},
"rateLimiting": {"settings": {"rules": [{"dimensions": [{"remoteAddress": {"value": "string"
},
"header": {"name": "string",
"value": {"exact": null,
"prefix": null,
"regex": null
},
"dontMatch": true
}
}
],
"limit": {"requestsPerUnit": 0,
"unit": "UNKNOWN"
}
}
],
"failClosed": true,
"timeout": "string"
},
"externalService": {"domain": "string",
"failClosed": true,
"rateLimitServerUri": "string",
"rules": [{"dimensions": [{"sourceCluster": { },
"destinationCluster": { },
"remoteAddress": { },
"requestHeaders": {"headerName": "string",
"descriptorKey": "string"
},
"headerValueMatch": {"headers": {"property1": null,
"property2": null
},
"descriptorValue": "string",
"dontMatch": true
}
}
]
}
],
"timeout": "string",
"tls": {"mode": "DISABLED",
"files": {"clientCertificate": "string",
"privateKey": "string",
"caCertificates": "string"
},
"subjectAltNames": ["string"
]
}
}
}
},
"regionalFailover": [{"from": "string",
"to": "string"
}
],
"defaultEastWestGatewaySettings": [{"workloadSelector": {"namespace": "string",
"labels": {"property1": "string",
"property2": "string"
}
},
"exposedServices": [{"serviceLabels": {"property1": "string",
"property2": "string"
}
}
]
}
]
}

Modify the given workspace settings.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
workspace required	string Workspace name.
setting required	string Setting name.

Request Body schema: application/json
required

	Array of objects (v2EastWestGateway) Default east west gateway settings specifies workspace-wide east-west gateway configuration. This is used to configure east-west routing (required for fail-over) for the services that are not exposed on the gateways. All the services matching the specified criteria is picked up for exposing on the east-west gateway workload selected by the workload selector. In case, a service matches selectors in multiple items, the one which comes first is picked up.
	object (v2SecuritySetting) A security setting applies configuration to a set of proxy workloads in a security group or a workspace. When applied to a security group, missing fields will inherit values from the workspace-wide setting if any.
	object (v2TrafficSetting) A traffic setting applies configuration to a set of proxy workloads in a traffic group or a workspace. When applied to a traffic group, missing fields will inherit values from the workspace-wide setting if any.
description	string (A description of the resource. $hide_from_yaml)
displayName	string (User friendly name for the resource. $hide_from_yaml)
etag	string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)
	Array of objects (v2RegionalFailover) Locality routing settings for all gateways in the workspace. Overrides any global settings. Explicitly specify the region traffic will land on when endpoints in local region becomes unhealthy. Should be used together with OutlierDetection to detect unhealthy endpoints. Note: if no OutlierDetection specified, this will not take effect.

Responses

Request samples

Payload

Content type

application/json

{"defaultEastWestGatewaySettings": [{"workloadSelector": {"namespace": "string",
"labels": {"property1": "string",
"property2": "string"
}
},
"exposedServices": [{"serviceLabels": {"property1": "string",
"property2": "string"
}
}
]
}
],
"defaultSecuritySetting": {"displayName": "string",
"etag": "string",
"description": "string",
"authentication": "UNSET",
"authorization": {"mode": "UNSET",
"serviceAccounts": ["string"
],
"http": {"external": {"uri": "string",
"includeRequestHeaders": ["string"
],
"tls": {"mode": "DISABLED",
"files": {"clientCertificate": "string",
"privateKey": "string",
"caCertificates": "string"
},
"subjectAltNames": ["string"
]
}
},
"local": {"rules": [{"name": "string",
"from": [{"jwt": {"iss": null,
"sub": null,
"other": { }
}
}
],
"to": [{"paths": [null
],
"methods": [null
]
}
]
}
]
}
},
"rules": {"allow": [{"from": {"fqn": "string"
},
"to": {"fqn": "string"
}
}
],
"denyAll": true,
"deny": [{"from": {"fqn": "string"
},
"to": {"fqn": "string"
}
}
]
}
},
"authenticationSettings": {"trafficMode": "UNSET",
"http": {"jwt": {"issuer": "string",
"audiences": ["string"
],
"jwksUri": "string",
"jwks": "string"
}
}
},
"waf": {"rules": ["string"
]
},
"propagationStrategy": "REPLACE",
"extension": [{"fqn": "string",
"config": { }
}
]
},
"defaultTrafficSetting": {"displayName": "string",
"etag": "string",
"description": "string",
"reachability": {"mode": "UNSET",
"hosts": ["string"
]
},
"resilience": {"httpRequestTimeout": "string",
"httpRetries": {"attempts": 0,
"perTryTimeout": "string",
"retryOn": "string"
},
"tcpKeepalive": true,
"keepAlive": {"tcp": {"downstream": {"probes": 0,
"idleTime": 0,
"interval": 0
},
"upstream": {"probes": 0,
"idleTime": 0,
"interval": 0
}
}
},
"circuitBreakerSensitivity": "UNSET"
},
"egress": {"host": "string",
"port": 0
},
"rateLimiting": {"settings": {"rules": [{"dimensions": [{"remoteAddress": {"value": "string"
},
"header": {"name": "string",
"value": {"exact": null,
"prefix": null,
"regex": null
},
"dontMatch": true
}
}
],
"limit": {"requestsPerUnit": 0,
"unit": "UNKNOWN"
}
}
],
"failClosed": true,
"timeout": "string"
},
"externalService": {"domain": "string",
"failClosed": true,
"rateLimitServerUri": "string",
"rules": [{"dimensions": [{"sourceCluster": { },
"destinationCluster": { },
"remoteAddress": { },
"requestHeaders": {"headerName": "string",
"descriptorKey": "string"
},
"headerValueMatch": {"headers": {"property1": null,
"property2": null
},
"descriptorValue": "string",
"dontMatch": true
}
}
]
}
],
"timeout": "string",
"tls": {"mode": "DISABLED",
"files": {"clientCertificate": "string",
"privateKey": "string",
"caCertificates": "string"
},
"subjectAltNames": ["string"
]
}
}
}
},
"description": "string",
"displayName": "string",
"etag": "string",
"regionalFailover": [{"from": "string",
"to": "string"
}
]
}

Response samples

200
default

Content type

application/json

{"fqn": "string",
"displayName": "string",
"etag": "string",
"description": "string",
"defaultSecuritySetting": {"fqn": "string",
"displayName": "string",
"etag": "string",
"description": "string",
"authentication": "UNSET",
"authorization": {"mode": "UNSET",
"serviceAccounts": ["string"
],
"http": {"external": {"uri": "string",
"includeRequestHeaders": ["string"
],
"tls": {"mode": "DISABLED",
"files": {"clientCertificate": "string",
"privateKey": "string",
"caCertificates": "string"
},
"subjectAltNames": ["string"
]
}
},
"local": {"rules": [{"name": "string",
"from": [{"jwt": {"iss": null,
"sub": null,
"other": { }
}
}
],
"to": [{"paths": [null
],
"methods": [null
]
}
]
}
]
}
},
"rules": {"allow": [{"from": {"fqn": "string"
},
"to": {"fqn": "string"
}
}
],
"denyAll": true,
"deny": [{"from": {"fqn": "string"
},
"to": {"fqn": "string"
}
}
]
}
},
"authenticationSettings": {"trafficMode": "UNSET",
"http": {"jwt": {"issuer": "string",
"audiences": ["string"
],
"jwksUri": "string",
"jwks": "string"
}
}
},
"waf": {"rules": ["string"
]
},
"propagationStrategy": "REPLACE",
"extension": [{"fqn": "string",
"config": { }
}
]
},
"defaultTrafficSetting": {"fqn": "string",
"displayName": "string",
"etag": "string",
"description": "string",
"reachability": {"mode": "UNSET",
"hosts": ["string"
]
},
"resilience": {"httpRequestTimeout": "string",
"httpRetries": {"attempts": 0,
"perTryTimeout": "string",
"retryOn": "string"
},
"tcpKeepalive": true,
"keepAlive": {"tcp": {"downstream": {"probes": 0,
"idleTime": 0,
"interval": 0
},
"upstream": {"probes": 0,
"idleTime": 0,
"interval": 0
}
}
},
"circuitBreakerSensitivity": "UNSET"
},
"egress": {"host": "string",
"port": 0
},
"rateLimiting": {"settings": {"rules": [{"dimensions": [{"remoteAddress": {"value": "string"
},
"header": {"name": "string",
"value": {"exact": null,
"prefix": null,
"regex": null
},
"dontMatch": true
}
}
],
"limit": {"requestsPerUnit": 0,
"unit": "UNKNOWN"
}
}
],
"failClosed": true,
"timeout": "string"
},
"externalService": {"domain": "string",
"failClosed": true,
"rateLimitServerUri": "string",
"rules": [{"dimensions": [{"sourceCluster": { },
"destinationCluster": { },
"remoteAddress": { },
"requestHeaders": {"headerName": "string",
"descriptorKey": "string"
},
"headerValueMatch": {"headers": {"property1": null,
"property2": null
},
"descriptorValue": "string",
"dontMatch": true
}
}
]
}
],
"timeout": "string",
"tls": {"mode": "DISABLED",
"files": {"clientCertificate": "string",
"privateKey": "string",
"caCertificates": "string"
},
"subjectAltNames": ["string"
]
}
}
}
},
"regionalFailover": [{"from": "string",
"to": "string"
}
],
"defaultEastWestGatewaySettings": [{"workloadSelector": {"namespace": "string",
"labels": {"property1": "string",
"property2": "string"
}
},
"exposedServices": [{"serviceLabels": {"property1": "string",
"property2": "string"
}
}
]
}
]
}

Delete the given workspace settings.

path Parameters

organization required	string Organization name.
tenant required	string Tenant name.
workspace required	string Workspace name.
setting required	string Setting name.

Responses

Response samples

200
default

Content type

application/json

{ }

Tetrate Service Bridge API (1.6.x)

OAuth

OIDC

Callback endpoint for OAuth2 Authorization Code grant flows as part of the OIDC spec.

query Parameters

Responses

Response samples

Login endpoint to start an OIDC Authentication flow.

query Parameters

Responses

Response samples

Applications

List all existing applications for the given tenant.

path Parameters

Responses

Response samples

Creates a new Application in TSB.

path Parameters

Request Body schema: application/jsonrequired

Responses

Request samples

Response samples

Get the details of an existing application.

path Parameters

Responses

Response samples

Modify an existing application.

path Parameters

Request Body schema: application/jsonrequired

Responses

Request samples

Response samples

Delete an existing Application. Note that deleting resources in TSB is a recursive operation. Deleting a application will delete all API objects that exist in it.

path Parameters

Responses

Response samples

List all APIs attached to the given application.

path Parameters

Responses

Response samples

Attach a new API to the given application.

path Parameters

Request Body schema: application/jsonrequired

Responses

Request samples

Response samples

Get the details of an API.

path Parameters

Responses

Response samples

Delete an existing API.

path Parameters

Responses

Response samples

WasmExtensions

List the WASM extensions that are defined for the Organization.

path Parameters

Responses

Response samples

Creates a new WasmExtension object in TSB. This is needed to let the extensions run. Once a WasmExtension has been created, it can be assigned to IngressGateway and SecuritySetting. This method returns the created extension.

path Parameters

Request Body schema: application/jsonrequired

Responses

Request samples

Response samples

Get a WASM extension

path Parameters

Responses

Response samples

path Parameters

Request Body schema: application/jsonrequired

Responses

Request samples

Response samples

Delete a WasmExtension. Note that deleting a WasmExtension will delete the extension itself, and also its assignments to IngressGateway and SecuritySetting.

path Parameters

Responses

Response samples

Gateway

List all gateway groups that exist in the workspace.

Request Body schema: application/json
required

Request Body schema: application/json
required

Request Body schema: application/json
required

Request Body schema: application/json
required

Request Body schema: application/json
required

Request Body schema: application/json
required

Request Body schema: application/json
required

Request Body schema: application/json
required

Request Body schema: application/json
required

Request Body schema: application/json
required

Request Body schema: application/json
required