tsb.tetrate.io/v2
OrganizationSetting
Name | Type | Description | Required |
---|---|---|---|
apiVersion | string | tsb.tetrate.io/v2 | true |
kind | string | OrganizationSetting | true |
metadata | object | Refer to the Kubernetes API documentation for the fields of the metadata field. | true |
spec | object | Settings that apply globally to the entire organization. | false |
status | object | false |
OrganizationSetting.spec
Settings that apply globally to the entire organization.
Name | Type | Description | Required |
---|---|---|---|
defaultSecuritySetting | object | Security settings for all proxy workloads in this organization. | false |
defaultTrafficSetting | object | Traffic settings for all proxy workloads in this organization. | false |
description | string | A description of the resource. | false |
displayName | string | User friendly name for the resource. | false |
etag | string | The etag for the resource. | false |
fqn | string | Fully-qualified name of the resource. | false |
networkSettings | object | Reachability between clusters on various networks. | false |
regionalFailover | []object | Default locality routing settings for all gateways. | false |
OrganizationSetting.spec.defaultSecuritySetting
Security settings for all proxy workloads in this organization.
Name | Type | Description | Required |
---|---|---|---|
authentication | enum | Enum: UNSET, OPTIONAL, REQUIRED | false |
authenticationSettings | object | false | |
authorization | object | false | |
configGenerationMetadata | object | Metadata values that will be add into the Istio generated configurations. | false |
description | string | A description of the resource. | false |
displayName | string | User friendly name for the resource. | false |
etag | string | The etag for the resource. | false |
extension | []object | false | |
fqn | string | Fully-qualified name of the resource. | false |
propagationStrategy | enum | Enum: REPLACE, STRICTER | false |
waf | object | NOTICE: this feature is in alpha stage and under active development. | false |
OrganizationSetting.spec.defaultSecuritySetting.authenticationSettings
Name | Type | Description | Required |
---|---|---|---|
http | object | false | |
trafficMode | enum | Enum: UNSET, OPTIONAL, REQUIRED | false |
OrganizationSetting.spec.defaultSecuritySetting.authenticationSettings.http
Name | Type | Description | Required |
---|---|---|---|
jwt | object | Authenticate an HTTP request from a JWT Token attached to it. | false |
rules | object | List of rules how to authenticate an HTTP request. | false |
OrganizationSetting.spec.defaultSecuritySetting.authenticationSettings.http.jwt
Authenticate an HTTP request from a JWT Token attached to it.
Name | Type | Description | Required |
---|---|---|---|
audiences | []string | false | |
fromHeaders | []object | This field specifies the locations to extract JWT token. | false |
issuer | string | Identifies the issuer that issued the JWT. | false |
jwks | string | JSON Web Key Set of public keys to validate signature of the JWT. | false |
jwksUri | string | false | |
outputClaimToHeaders | []object | This field specifies a list of operations to copy the claim to HTTP headers on a successfully verified token. | false |
outputPayloadToHeader | string | false |
OrganizationSetting.spec.defaultSecuritySetting.authenticationSettings.http.jwt.fromHeaders[index]
Name | Type | Description | Required |
---|---|---|---|
name | string | The HTTP header name. | false |
prefix | string | The prefix that should be stripped before decoding the token. | false |
OrganizationSetting.spec.defaultSecuritySetting.authenticationSettings.http.jwt.outputClaimToHeaders[index]
Name | Type | Description | Required |
---|---|---|---|
claim | string | The name of the claim to be copied from. | false |
header | string | The name of the header to be created. | false |
OrganizationSetting.spec.defaultSecuritySetting.authenticationSettings.http.rules
List of rules how to authenticate an HTTP request.
Name | Type | Description | Required |
---|---|---|---|
jwt | []object | List of rules how to authenticate an HTTP request from a JWT Token attached to it. | false |
OrganizationSetting.spec.defaultSecuritySetting.authenticationSettings.http.rules.jwt[index]
Name | Type | Description | Required |
---|---|---|---|
audiences | []string | false | |
fromHeaders | []object | This field specifies the locations to extract JWT token. | false |
issuer | string | Identifies the issuer that issued the JWT. | false |
jwks | string | JSON Web Key Set of public keys to validate signature of the JWT. | false |
jwksUri | string | false | |
outputClaimToHeaders | []object | This field specifies a list of operations to copy the claim to HTTP headers on a successfully verified token. | false |
outputPayloadToHeader | string | false |
OrganizationSetting.spec.defaultSecuritySetting.authenticationSettings.http.rules.jwt[index].fromHeaders[index]
Name | Type | Description | Required |
---|---|---|---|
name | string | The HTTP header name. | false |
prefix | string | The prefix that should be stripped before decoding the token. | false |
OrganizationSetting.spec.defaultSecuritySetting.authenticationSettings.http.rules.jwt[index].outputClaimToHeaders[index]
Name | Type | Description | Required |
---|---|---|---|
claim | string | The name of the claim to be copied from. | false |
header | string | The name of the header to be created. | false |
OrganizationSetting.spec.defaultSecuritySetting.authorization
Name | Type | Description | Required |
---|---|---|---|
http | object | This is for configuring HTTP request authorization. | false |
mode | enum | A short cut for specifying the set of allowed callers. Enum: UNSET, NAMESPACE, GROUP, WORKSPACE, CLUSTER, DISABLED, CUSTOM, RULES | false |
rules | object | false | |
serviceAccounts | []string | false |
OrganizationSetting.spec.defaultSecuritySetting.authorization.http
This is for configuring HTTP request authorization.
Name | Type | Description | Required |
---|---|---|---|
external | object | false | |
local | object | false |
OrganizationSetting.spec.defaultSecuritySetting.authorization.http.external
Name | Type | Description | Required |
---|---|---|---|
includeRequestHeaders | []string | false | |
tls | object | false | |
uri | string | false |
OrganizationSetting.spec.defaultSecuritySetting.authorization.http.external.tls
Name | Type | Description | Required |
---|---|---|---|
files | object | TLS key source from files. | false |
mode | enum | Enum: DISABLED, SIMPLE, MUTUAL | false |
secretName | string | TLS key source from a Kubernetes Secret. | false |
subjectAltNames | []string | false |
OrganizationSetting.spec.defaultSecuritySetting.authorization.http.external.tls.files
TLS key source from files.
Name | Type | Description | Required |
---|---|---|---|
caCertificates | string | false | |
clientCertificate | string | Certificate file to authenticate the client. | false |
privateKey | string | Private key file associated with the client certificate. | false |
OrganizationSetting.spec.defaultSecuritySetting.authorization.http.local
Name | Type | Description | Required |
---|---|---|---|
rules | []object | false |
OrganizationSetting.spec.defaultSecuritySetting.authorization.http.local.rules[index]
Name | Type | Description | Required |
---|---|---|---|
from | []object | false | |
name | string | A friendly name to identify the binding. | false |
to | []object | false |
OrganizationSetting.spec.defaultSecuritySetting.authorization.http.local.rules[index].from[index]
Name | Type | Description | Required |
---|---|---|---|
jwt | object | JWT configuration to identity the subject. | false |
OrganizationSetting.spec.defaultSecuritySetting.authorization.http.local.rules[index].from[index].jwt
JWT configuration to identity the subject.
Name | Type | Description | Required |
---|---|---|---|
iss | string | false | |
other | map[string]string | A set of arbitrary claims that are required to qualify the subject. | false |
sub | string | false |
OrganizationSetting.spec.defaultSecuritySetting.authorization.http.local.rules[index].to[index]
Name | Type | Description | Required |
---|---|---|---|
methods | []string | The HTTP methods that are allowed by this rule. | false |
paths | []string | The request path where the request is made against. | false |
OrganizationSetting.spec.defaultSecuritySetting.authorization.rules
Name | Type | Description | Required |
---|---|---|---|
allow | []object | Allow specifies a list of rules. | false |
deny | []object | Deny specifies a list of rules. | false |
denyAll | boolean | Deny all specifies whether all requests should be rejected. | false |
OrganizationSetting.spec.defaultSecuritySetting.authorization.rules.allow[index]
Name | Type | Description | Required |
---|---|---|---|
from | object | From specifies the source of a request. | false |
to | object | To specifies the destination of a request. | false |
OrganizationSetting.spec.defaultSecuritySetting.authorization.rules.allow[index].from
From specifies the source of a request.
Name | Type | Description | Required |
---|---|---|---|
fqn | string | The target resource identified by FQN which will be the source of a request. | false |
OrganizationSetting.spec.defaultSecuritySetting.authorization.rules.allow[index].to
To specifies the destination of a request.
Name | Type | Description | Required |
---|---|---|---|
fqn | string | The target resource identified by FQN which will be the destination of a request. | false |
OrganizationSetting.spec.defaultSecuritySetting.authorization.rules.deny[index]
Name | Type | Description | Required |
---|---|---|---|
from | object | From specifies the source of a request. | false |
to | object | To specifies the destination of a request. | false |
OrganizationSetting.spec.defaultSecuritySetting.authorization.rules.deny[index].from
From specifies the source of a request.
Name | Type | Description | Required |
---|---|---|---|
fqn | string | The target resource identified by FQN which will be the source of a request. | false |
OrganizationSetting.spec.defaultSecuritySetting.authorization.rules.deny[index].to
To specifies the destination of a request.
Name | Type | Description | Required |
---|---|---|---|
fqn | string | The target resource identified by FQN which will be the destination of a request. | false |
OrganizationSetting.spec.defaultSecuritySetting.configGenerationMetadata
Metadata values that will be add into the Istio generated configurations.
Name | Type | Description | Required |
---|---|---|---|
annotations | map[string]string | Set of key value paris that will be added into the | false |
labels | map[string]string | Set of key value paris that will be added into the | false |
OrganizationSetting.spec.defaultSecuritySetting.extension[index]
Name | Type | Description | Required |
---|---|---|---|
config | object | Configuration parameters sent to the WASM plugin execution. | false |
fqn | string | Fqn of the extension to be executed. | false |
match | []object | Specifies the criteria to determine which traffic is passed to WasmExtension. | false |
OrganizationSetting.spec.defaultSecuritySetting.extension[index].match[index]
Name | Type | Description | Required |
---|---|---|---|
mode | enum | Criteria for selecting traffic by their direction. Enum: UNDEFINED, CLIENT, SERVER, CLIENT_AND_SERVER | false |
ports | []object | Criteria for selecting traffic by their destination port. | false |
OrganizationSetting.spec.defaultSecuritySetting.extension[index].match[index].ports[index]
Name | Type | Description | Required |
---|---|---|---|
number | integer | Minimum: 0 | false |
OrganizationSetting.spec.defaultSecuritySetting.waf
NOTICE: this feature is in alpha stage and under active development.
Name | Type | Description | Required |
---|---|---|---|
rules | []string | Rules to be leveraged by WAF. | false |
OrganizationSetting.spec.defaultTrafficSetting
Traffic settings for all proxy workloads in this organization.
Name | Type | Description | Required |
---|---|---|---|
configGenerationMetadata | object | Metadata values that will be add into the Istio generated configurations. | false |
description | string | A description of the resource. | false |
displayName | string | User friendly name for the resource. | false |
egress | object | false | |
etag | string | The etag for the resource. | false |
fqn | string | Fully-qualified name of the resource. | false |
rateLimiting | object | Configuration for rate limiting requests. | false |
reachability | object | false | |
resilience | object | false |
OrganizationSetting.spec.defaultTrafficSetting.configGenerationMetadata
Metadata values that will be add into the Istio generated configurations.
Name | Type | Description | Required |
---|---|---|---|
annotations | map[string]string | Set of key value paris that will be added into the | false |
labels | map[string]string | Set of key value paris that will be added into the | false |
OrganizationSetting.spec.defaultTrafficSetting.egress
Name | Type | Description | Required |
---|---|---|---|
host | string | Specifies the egress gateway hostname. | false |
port | integer | Deprecated. Format: int32 | false |
OrganizationSetting.spec.defaultTrafficSetting.rateLimiting
Configuration for rate limiting requests.
Name | Type | Description | Required |
---|---|---|---|
externalService | object | Configure ratelimiting using an external ratelimit server. | false |
settings | object | false |
OrganizationSetting.spec.defaultTrafficSetting.rateLimiting.externalService
Configure ratelimiting using an external ratelimit server.
Name | Type | Description | Required |
---|---|---|---|
domain | string | The rate limit domain to use when calling the rate limit service. | false |
failClosed | boolean | false | |
rateLimitServerUri | string | The URI at which the external rate limit server can be reached. | false |
rules | []object | A set of rate limit rules. | false |
timeout | string | The timeout in seconds for the external rate limit server RPC. | false |
tls | object | false |
OrganizationSetting.spec.defaultTrafficSetting.rateLimiting.externalService.rules[index]
Name | Type | Description | Required |
---|---|---|---|
dimensions | []object | A list of dimensions that are to be applied for this rate limit configuration. | false |
OrganizationSetting.spec.defaultTrafficSetting.rateLimiting.externalService.rules[index].dimensions[index]
Name | Type | Description | Required |
---|---|---|---|
destinationCluster | object | Rate limit on destination envoy cluster. | false |
headerValueMatch | object | Rate limit on the existence of certain request headers. | false |
remoteAddress | object | Rate limit on remote address of client. | false |
requestHeaders | object | Rate limit on the value of certain request headers. | false |
sourceCluster | object | Rate limit on source envoy cluster. | false |
OrganizationSetting.spec.defaultTrafficSetting.rateLimiting.externalService.rules[index].dimensions[index].headerValueMatch
Rate limit on the existence of certain request headers.
Name | Type | Description | Required |
---|---|---|---|
descriptorValue | string | The value to use in the descriptor entry. | false |
dontMatch | boolean | If set to true, the condition will be met when the header value does not match. | false |
headers | map[string]object | false |
OrganizationSetting.spec.defaultTrafficSetting.rateLimiting.externalService.rules[index].dimensions[index].headerValueMatch.headers[key]
Name | Type | Description | Required |
---|---|---|---|
exact | string | Exact string match. | false |
prefix | string | Prefix-based match. | false |
regex | string | ECMAscript style regex-based match. | false |
OrganizationSetting.spec.defaultTrafficSetting.rateLimiting.externalService.rules[index].dimensions[index].requestHeaders
Rate limit on the value of certain request headers.
Name | Type | Description | Required |
---|---|---|---|
descriptorKey | string | The key to use in the descriptor entry. | false |
headerName | string | The header name to be queried from the request headers. | false |
OrganizationSetting.spec.defaultTrafficSetting.rateLimiting.externalService.tls
Name | Type | Description | Required |
---|---|---|---|
files | object | TLS key source from files. | false |
mode | enum | Enum: DISABLED, SIMPLE, MUTUAL | false |
secretName | string | TLS key source from a Kubernetes Secret. | false |
subjectAltNames | []string | false |
OrganizationSetting.spec.defaultTrafficSetting.rateLimiting.externalService.tls.files
TLS key source from files.
Name | Type | Description | Required |
---|---|---|---|
caCertificates | string | false | |
clientCertificate | string | Certificate file to authenticate the client. | false |
privateKey | string | Private key file associated with the client certificate. | false |
OrganizationSetting.spec.defaultTrafficSetting.rateLimiting.settings
Name | Type | Description | Required |
---|---|---|---|
failClosed | boolean | false | |
rules | []object | A list of rules for ratelimiting. | false |
timeout | string | The timeout in seconds for the rate limit server RPC. | false |
OrganizationSetting.spec.defaultTrafficSetting.rateLimiting.settings.rules[index]
Name | Type | Description | Required |
---|---|---|---|
dimensions | []object | A list of dimensions to define each ratelimit rule. | false |
limit | object | The ratelimit value that will be configured for the above rules. | false |
OrganizationSetting.spec.defaultTrafficSetting.rateLimiting.settings.rules[index].dimensions[index]
Name | Type | Description | Required |
---|---|---|---|
header | object | Rate limit on certain HTTP headers. | false |
remoteAddress | object | Rate limit on the remote address of client. | false |
OrganizationSetting.spec.defaultTrafficSetting.rateLimiting.settings.rules[index].dimensions[index].header
Rate limit on certain HTTP headers.
Name | Type | Description | Required |
---|---|---|---|
dontMatch | boolean | If set to true, the condition will be met when the header value does not match. | false |
name | string | Name of the header to match on. | false |
value | object | Value of the header to match on if matching on a specific value. | false |
OrganizationSetting.spec.defaultTrafficSetting.rateLimiting.settings.rules[index].dimensions[index].header.value
Value of the header to match on if matching on a specific value.
Name | Type | Description | Required |
---|---|---|---|
exact | string | Exact string match. | false |
prefix | string | Prefix-based match. | false |
regex | string | ECMAscript style regex-based match. | false |
OrganizationSetting.spec.defaultTrafficSetting.rateLimiting.settings.rules[index].dimensions[index].remoteAddress
Rate limit on the remote address of client.
Name | Type | Description | Required |
---|---|---|---|
value | string | Ratelimit on a specific remote address. | false |
OrganizationSetting.spec.defaultTrafficSetting.rateLimiting.settings.rules[index].limit
The ratelimit value that will be configured for the above rules.
Name | Type | Description | Required |
---|---|---|---|
requestsPerUnit | integer | Specifies the value of the rate limit. Minimum: 0 | false |
unit | enum | Specifies the unit of time for rate limit. Enum: UNKNOWN, SECOND, MINUTE, HOUR, DAY | false |
OrganizationSetting.spec.defaultTrafficSetting.reachability
Name | Type | Description | Required |
---|---|---|---|
hosts | []string | false | |
mode | enum | A short cut for specifying the set of services accessed by the workload. Enum: UNSET, NAMESPACE, GROUP, WORKSPACE, CLUSTER, CUSTOM | false |
OrganizationSetting.spec.defaultTrafficSetting.resilience
Name | Type | Description | Required |
---|---|---|---|
circuitBreakerSensitivity | enum | Enum: UNSET, LOW, MEDIUM, HIGH | false |
httpRequestTimeout | string | Timeout for HTTP requests. | false |
httpRetries | object | Retry policy for HTTP requests. | false |
keepAlive | object | Keep Alive Settings. | false |
tcpKeepalive | boolean | Deprecated. | false |
OrganizationSetting.spec.defaultTrafficSetting.resilience.httpRetries
Retry policy for HTTP requests.
Name | Type | Description | Required |
---|---|---|---|
attempts | integer | Number of retries for a given request. Format: int32 | false |
perTryTimeout | string | Timeout per retry attempt for a given request. | false |
retryOn | string | Specifies the conditions under which retry takes place. | false |
OrganizationSetting.spec.defaultTrafficSetting.resilience.keepAlive
Keep Alive Settings.
Name | Type | Description | Required |
---|---|---|---|
tcp | object | TCP Keep Alive settings associated with the upstream and downstream TCP connections. | false |
OrganizationSetting.spec.defaultTrafficSetting.resilience.keepAlive.tcp
TCP Keep Alive settings associated with the upstream and downstream TCP connections.
Name | Type | Description | Required |
---|---|---|---|
downstream | object | TCP Keep Alive Settings associated with the downstream (client) connection. | false |
upstream | object | TCP Keep Alive Settings associated with the upstream (backend) connection. | false |
OrganizationSetting.spec.defaultTrafficSetting.resilience.keepAlive.tcp.downstream
TCP Keep Alive Settings associated with the downstream (client) connection.
Name | Type | Description | Required |
---|---|---|---|
idleTime | integer | Minimum: 0 | false |
interval | integer | The number of seconds between keep-alive probes. Minimum: 0 | false |
probes | integer | Minimum: 0 | false |
OrganizationSetting.spec.defaultTrafficSetting.resilience.keepAlive.tcp.upstream
TCP Keep Alive Settings associated with the upstream (backend) connection.
Name | Type | Description | Required |
---|---|---|---|
idleTime | integer | Minimum: 0 | false |
interval | integer | The number of seconds between keep-alive probes. Minimum: 0 | false |
probes | integer | Minimum: 0 | false |
OrganizationSetting.spec.networkSettings
Reachability between clusters on various networks.
Name | Type | Description | Required |
---|---|---|---|
networkReachability | map[string]string | Reachability between clusters on various networks. | false |
OrganizationSetting.spec.regionalFailover[index]
Name | Type | Description | Required |
---|---|---|---|
from | string | Originating region. | false |
to | string | false |