Tetrate Service Bridge, Version: 1.7.x

tsb.tetrate.io/v2

TenantSetting

| Name | Type | Description | Required |
|---|---|---|---|
| apiVersion | string | tsb.tetrate.io/v2 | true |
| kind | string | TenantSetting | true |
| metadata | object | Refer to the Kubernetes API documentation for the fields of the metadata field. | true |
| spec | object | Default settings that apply to all workspaces under a tenant. | false |
| status | object | | false |

TenantSetting.spec

Default settings that apply to all workspaces under a tenant.

| Name | Type | Description | Required |
|---|---|---|---|
| defaultSecuritySetting | object | Security settings for all proxy workloads in this tenant. | false |
| defaultTrafficSetting | object | Traffic settings for all proxy workloads in this tenant. | false |
| description | string | A description of the resource. | false |
| displayName | string | User-friendly name for the resource. | false |
| etag | string | The etag for the resource. | false |
| fqn | string | Fully-qualified name of the resource. | false |

TenantSetting.spec.defaultSecuritySetting

Security settings for all proxy workloads in this tenant.

| Name | Type | Description | Required |
|---|---|---|---|
| authentication | enum | Enum: UNSET, OPTIONAL, REQUIRED | false |
| authenticationSettings | object | | false |
| authorization | object | | false |
| configGenerationMetadata | object | Metadata values that will be added into the Istio-generated configurations. | false |
| description | string | A description of the resource. | false |
| displayName | string | User-friendly name for the resource. | false |
| etag | string | The etag for the resource. | false |
| extension | []object | | false |
| fqn | string | Fully-qualified name of the resource. | false |
| propagationStrategy | enum | Enum: REPLACE, STRICTER | false |
| waf | object | NOTICE: this feature is in alpha stage and under active development. | false |

TenantSetting.spec.defaultSecuritySetting.authenticationSettings

| Name | Type | Description | Required |
|---|---|---|---|
| http | object | | false |
| trafficMode | enum | Enum: UNSET, OPTIONAL, REQUIRED | false |

TenantSetting.spec.defaultSecuritySetting.authenticationSettings.http

| Name | Type | Description | Required |
|---|---|---|---|
| jwt | object | Authenticate an HTTP request from a JWT token attached to it. | false |
| rules | object | List of rules for how to authenticate an HTTP request. | false |

TenantSetting.spec.defaultSecuritySetting.authenticationSettings.http.jwt

Authenticate an HTTP request from a JWT token attached to it.

| Name | Type | Description | Required |
|---|---|---|---|
| audiences | []string | | false |
| fromHeaders | []object | This field specifies the locations from which to extract the JWT token. | false |
| issuer | string | Identifies the issuer that issued the JWT. | false |
| jwks | string | JSON Web Key Set of public keys to validate the signature of the JWT. | false |
| jwksUri | string | | false |
| outputClaimToHeaders | []object | This field specifies a list of operations to copy the claim to HTTP headers on a successfully verified token. | false |
| outputPayloadToHeader | string | | false |

TenantSetting.spec.defaultSecuritySetting.authenticationSettings.http.jwt.fromHeaders[index]

| Name | Type | Description | Required |
|---|---|---|---|
| name | string | The HTTP header name. | false |
| prefix | string | The prefix that should be stripped before decoding the token. | false |

TenantSetting.spec.defaultSecuritySetting.authenticationSettings.http.jwt.outputClaimToHeaders[index]

| Name | Type | Description | Required |
|---|---|---|---|
| claim | string | The name of the claim to be copied from. | false |
| header | string | The name of the header to be created. | false |

TenantSetting.spec.defaultSecuritySetting.authenticationSettings.http.rules

List of rules for how to authenticate an HTTP request.

| Name | Type | Description | Required |
|---|---|---|---|
| jwt | []object | List of rules for how to authenticate an HTTP request from a JWT token attached to it. | false |

TenantSetting.spec.defaultSecuritySetting.authenticationSettings.http.rules.jwt[index]

| Name | Type | Description | Required |
|---|---|---|---|
| audiences | []string | | false |
| fromHeaders | []object | This field specifies the locations from which to extract the JWT token. | false |
| issuer | string | Identifies the issuer that issued the JWT. | false |
| jwks | string | JSON Web Key Set of public keys to validate the signature of the JWT. | false |
| jwksUri | string | | false |
| outputClaimToHeaders | []object | This field specifies a list of operations to copy the claim to HTTP headers on a successfully verified token. | false |
| outputPayloadToHeader | string | | false |

TenantSetting.spec.defaultSecuritySetting.authenticationSettings.http.rules.jwt[index].fromHeaders[index]

| Name | Type | Description | Required |
|---|---|---|---|
| name | string | The HTTP header name. | false |
| prefix | string | The prefix that should be stripped before decoding the token. | false |

TenantSetting.spec.defaultSecuritySetting.authenticationSettings.http.rules.jwt[index].outputClaimToHeaders[index]

| Name | Type | Description | Required |
|---|---|---|---|
| claim | string | The name of the claim to be copied from. | false |
| header | string | The name of the header to be created. | false |

TenantSetting.spec.defaultSecuritySetting.authorization

| Name | Type | Description | Required |
|---|---|---|---|
| http | object | This is for configuring HTTP request authorization. | false |
| mode | enum | A shortcut for specifying the set of allowed callers. Enum: UNSET, NAMESPACE, GROUP, WORKSPACE, CLUSTER, DISABLED, CUSTOM, RULES | false |
| rules | object | | false |
| serviceAccounts | []string | | false |

TenantSetting.spec.defaultSecuritySetting.authorization.http

This is for configuring HTTP request authorization.

| Name | Type | Description | Required |
|---|---|---|---|
| external | object | | false |
| local | object | | false |

TenantSetting.spec.defaultSecuritySetting.authorization.http.external

| Name | Type | Description | Required |
|---|---|---|---|
| includeRequestHeaders | []string | | false |
| tls | object | | false |
| uri | string | | false |

TenantSetting.spec.defaultSecuritySetting.authorization.http.external.tls

| Name | Type | Description | Required |
|---|---|---|---|
| files | object | TLS key source from files. | false |
| mode | enum | Enum: DISABLED, SIMPLE, MUTUAL | false |
| secretName | string | TLS key source from a Kubernetes Secret. | false |
| subjectAltNames | []string | | false |

TenantSetting.spec.defaultSecuritySetting.authorization.http.external.tls.files

TLS key source from files.

| Name | Type | Description | Required |
|---|---|---|---|
| caCertificates | string | | false |
| clientCertificate | string | Certificate file to authenticate the client. | false |
| privateKey | string | Private key file associated with the client certificate. | false |

TenantSetting.spec.defaultSecuritySetting.authorization.http.local

| Name | Type | Description | Required |
|---|---|---|---|
| rules | []object | | false |

TenantSetting.spec.defaultSecuritySetting.authorization.http.local.rules[index]

| Name | Type | Description | Required |
|---|---|---|---|
| from | []object | | false |
| name | string | A friendly name to identify the binding. | false |
| to | []object | | false |

TenantSetting.spec.defaultSecuritySetting.authorization.http.local.rules[index].from[index]

| Name | Type | Description | Required |
|---|---|---|---|
| jwt | object | JWT configuration to identify the subject. | false |

TenantSetting.spec.defaultSecuritySetting.authorization.http.local.rules[index].from[index].jwt

JWT configuration to identify the subject.

| Name | Type | Description | Required |
|---|---|---|---|
| iss | string | | false |
| other | map[string]string | A set of arbitrary claims that are required to qualify the subject. | false |
| sub | string | | false |

TenantSetting.spec.defaultSecuritySetting.authorization.http.local.rules[index].to[index]

| Name | Type | Description | Required |
|---|---|---|---|
| methods | []string | The HTTP methods that are allowed by this rule. | false |
| paths | []string | The request paths against which the request is made. | false |

TenantSetting.spec.defaultSecuritySetting.authorization.rules

| Name | Type | Description | Required |
|---|---|---|---|
| allow | []object | Allow specifies a list of rules. | false |
| deny | []object | Deny specifies a list of rules. | false |
| denyAll | boolean | Deny all specifies whether all requests should be rejected. | false |

TenantSetting.spec.defaultSecuritySetting.authorization.rules.allow[index]

| Name | Type | Description | Required |
|---|---|---|---|
| from | object | From specifies the source of a request. | false |
| to | object | To specifies the destination of a request. | false |

TenantSetting.spec.defaultSecuritySetting.authorization.rules.allow[index].from

From specifies the source of a request.

| Name | Type | Description | Required |
|---|---|---|---|
| fqn | string | The target resource identified by FQN which will be the source of a request. | false |

TenantSetting.spec.defaultSecuritySetting.authorization.rules.allow[index].to

To specifies the destination of a request.

| Name | Type | Description | Required |
|---|---|---|---|
| fqn | string | The target resource identified by FQN which will be the destination of a request. | false |

TenantSetting.spec.defaultSecuritySetting.authorization.rules.deny[index]

| Name | Type | Description | Required |
|---|---|---|---|
| from | object | From specifies the source of a request. | false |
| to | object | To specifies the destination of a request. | false |

TenantSetting.spec.defaultSecuritySetting.authorization.rules.deny[index].from

From specifies the source of a request.

| Name | Type | Description | Required |
|---|---|---|---|
| fqn | string | The target resource identified by FQN which will be the source of a request. | false |

TenantSetting.spec.defaultSecuritySetting.authorization.rules.deny[index].to

To specifies the destination of a request.

| Name | Type | Description | Required |
|---|---|---|---|
| fqn | string | The target resource identified by FQN which will be the destination of a request. | false |

TenantSetting.spec.defaultSecuritySetting.configGenerationMetadata

Metadata values that will be added into the Istio-generated configurations.

| Name | Type | Description | Required |
|---|---|---|---|
| annotations | map[string]string | Set of key-value pairs that will be added into the metadata.annotations field of the Istio-generated configurations. | false |
| labels | map[string]string | Set of key-value pairs that will be added into the metadata.labels field of the Istio-generated configurations. | false |

TenantSetting.spec.defaultSecuritySetting.extension[index]

| Name | Type | Description | Required |
|---|---|---|---|
| config | object | Configuration parameters sent to the WASM plugin execution. | false |
| fqn | string | FQN of the extension to be executed. | false |
| match | []object | Specifies the criteria to determine which traffic is passed to the WasmExtension. | false |

TenantSetting.spec.defaultSecuritySetting.extension[index].match[index]

| Name | Type | Description | Required |
|---|---|---|---|
| mode | enum | Criteria for selecting traffic by its direction. Enum: UNDEFINED, CLIENT, SERVER, CLIENT_AND_SERVER | false |
| ports | []object | Criteria for selecting traffic by its destination port. | false |

TenantSetting.spec.defaultSecuritySetting.extension[index].match[index].ports[index]

| Name | Type | Description | Required |
|---|---|---|---|
| number | integer | Minimum: 0. Maximum: 4.294967295e+09 | false |

TenantSetting.spec.defaultSecuritySetting.waf

NOTICE: this feature is in alpha stage and under active development.

| Name | Type | Description | Required |
|---|---|---|---|
| rules | []string | Rules to be leveraged by the WAF. | false |

TenantSetting.spec.defaultTrafficSetting

Traffic settings for all proxy workloads in this tenant.

| Name | Type | Description | Required |
|---|---|---|---|
| configGenerationMetadata | object | Metadata values that will be added into the Istio-generated configurations. | false |
| description | string | A description of the resource. | false |
| displayName | string | User-friendly name for the resource. | false |
| egress | object | | false |
| etag | string | The etag for the resource. | false |
| fqn | string | Fully-qualified name of the resource. | false |
| rateLimiting | object | Configuration for rate limiting requests. | false |
| reachability | object | | false |
| resilience | object | | false |

TenantSetting.spec.defaultTrafficSetting.configGenerationMetadata

Metadata values that will be added into the Istio-generated configurations.

| Name | Type | Description | Required |
|---|---|---|---|
| annotations | map[string]string | Set of key-value pairs that will be added into the metadata.annotations field of the Istio-generated configurations. | false |
| labels | map[string]string | Set of key-value pairs that will be added into the metadata.labels field of the Istio-generated configurations. | false |

TenantSetting.spec.defaultTrafficSetting.egress

| Name | Type | Description | Required |
|---|---|---|---|
| host | string | Specifies the egress gateway hostname. | false |
| port | integer | Deprecated. Format: int32 | false |

TenantSetting.spec.defaultTrafficSetting.rateLimiting

Configuration for rate limiting requests.

| Name | Type | Description | Required |
|---|---|---|---|
| externalService | object | Configure rate limiting using an external rate limit server. | false |
| settings | object | | false |

TenantSetting.spec.defaultTrafficSetting.rateLimiting.externalService

Configure rate limiting using an external rate limit server.

| Name | Type | Description | Required |
|---|---|---|---|
| domain | string | The rate limit domain to use when calling the rate limit service. | false |
| failClosed | boolean | | false |
| rateLimitServerUri | string | The URI at which the external rate limit server can be reached. | false |
| rules | []object | A set of rate limit rules. | false |
| timeout | string | The timeout in seconds for the external rate limit server RPC. | false |
| tls | object | | false |

TenantSetting.spec.defaultTrafficSetting.rateLimiting.externalService.rules[index]

| Name | Type | Description | Required |
|---|---|---|---|
| dimensions | []object | A list of dimensions that are to be applied for this rate limit configuration. | false |

TenantSetting.spec.defaultTrafficSetting.rateLimiting.externalService.rules[index].dimensions[index]

| Name | Type | Description | Required |
|---|---|---|---|
| destinationCluster | object | Rate limit on the destination Envoy cluster. | false |
| headerValueMatch | object | Rate limit on the existence of certain request headers. | false |
| remoteAddress | object | Rate limit on the remote address of the client. | false |
| requestHeaders | object | Rate limit on the value of certain request headers. | false |
| sourceCluster | object | Rate limit on the source Envoy cluster. | false |

TenantSetting.spec.defaultTrafficSetting.rateLimiting.externalService.rules[index].dimensions[index].headerValueMatch

Rate limit on the existence of certain request headers.

| Name | Type | Description | Required |
|---|---|---|---|
| descriptorValue | string | The value to use in the descriptor entry. | false |
| dontMatch | boolean | If set to true, the condition will be met when the header value does not match. | false |
| headers | map[string]object | | false |

TenantSetting.spec.defaultTrafficSetting.rateLimiting.externalService.rules[index].dimensions[index].headerValueMatch.headers[key]

| Name | Type | Description | Required |
|---|---|---|---|
| exact | string | Exact string match. | false |
| prefix | string | Prefix-based match. | false |
| regex | string | ECMAScript-style regex-based match. | false |

TenantSetting.spec.defaultTrafficSetting.rateLimiting.externalService.rules[index].dimensions[index].requestHeaders

Rate limit on the value of certain request headers.

| Name | Type | Description | Required |
|---|---|---|---|
| descriptorKey | string | The key to use in the descriptor entry. | false |
| headerName | string | The header name to be queried from the request headers. | false |

TenantSetting.spec.defaultTrafficSetting.rateLimiting.externalService.tls

| Name | Type | Description | Required |
|---|---|---|---|
| files | object | TLS key source from files. | false |
| mode | enum | Enum: DISABLED, SIMPLE, MUTUAL | false |
| secretName | string | TLS key source from a Kubernetes Secret. | false |
| subjectAltNames | []string | | false |

TenantSetting.spec.defaultTrafficSetting.rateLimiting.externalService.tls.files

TLS key source from files.

| Name | Type | Description | Required |
|---|---|---|---|
| caCertificates | string | | false |
| clientCertificate | string | Certificate file to authenticate the client. | false |
| privateKey | string | Private key file associated with the client certificate. | false |

TenantSetting.spec.defaultTrafficSetting.rateLimiting.settings

| Name | Type | Description | Required |
|---|---|---|---|
| failClosed | boolean | | false |
| rules | []object | A list of rules for rate limiting. | false |
| timeout | string | The timeout in seconds for the rate limit server RPC. | false |

TenantSetting.spec.defaultTrafficSetting.rateLimiting.settings.rules[index]

| Name | Type | Description | Required |
|---|---|---|---|
| dimensions | []object | A list of dimensions to define each rate limit rule. | false |
| limit | object | The rate limit value that will be configured for the above rules. | false |

TenantSetting.spec.defaultTrafficSetting.rateLimiting.settings.rules[index].dimensions[index]

| Name | Type | Description | Required |
|---|---|---|---|
| header | object | Rate limit on certain HTTP headers. | false |
| remoteAddress | object | Rate limit on the remote address of the client. | false |

TenantSetting.spec.defaultTrafficSetting.rateLimiting.settings.rules[index].dimensions[index].header

Rate limit on certain HTTP headers.

| Name | Type | Description | Required |
|---|---|---|---|
| dontMatch | boolean | If set to true, the condition will be met when the header value does not match. | false |
| name | string | Name of the header to match on. | false |
| value | object | Value of the header to match on, if matching on a specific value. | false |

TenantSetting.spec.defaultTrafficSetting.rateLimiting.settings.rules[index].dimensions[index].header.value

Value of the header to match on, if matching on a specific value.

| Name | Type | Description | Required |
|---|---|---|---|
| exact | string | Exact string match. | false |
| prefix | string | Prefix-based match. | false |
| regex | string | ECMAScript-style regex-based match. | false |

TenantSetting.spec.defaultTrafficSetting.rateLimiting.settings.rules[index].dimensions[index].remoteAddress

Rate limit on the remote address of the client.

| Name | Type | Description | Required |
|---|---|---|---|
| value | string | Rate limit on a specific remote address. | false |

TenantSetting.spec.defaultTrafficSetting.rateLimiting.settings.rules[index].limit

The rate limit value that will be configured for the above rules.

| Name | Type | Description | Required |
|---|---|---|---|
| requestsPerUnit | integer | Specifies the value of the rate limit. Minimum: 0. Maximum: 4.294967295e+09 | false |
| unit | enum | Specifies the unit of time for the rate limit. Enum: UNKNOWN, SECOND, MINUTE, HOUR, DAY | false |

TenantSetting.spec.defaultTrafficSetting.reachability

| Name | Type | Description | Required |
|---|---|---|---|
| hosts | []string | | false |
| mode | enum | A shortcut for specifying the set of services accessed by the workload. Enum: UNSET, NAMESPACE, GROUP, WORKSPACE, CLUSTER, CUSTOM | false |

TenantSetting.spec.defaultTrafficSetting.resilience

| Name | Type | Description | Required |
|---|---|---|---|
| circuitBreakerSensitivity | enum | Enum: UNSET, LOW, MEDIUM, HIGH | false |
| httpRequestTimeout | string | Timeout for HTTP requests. | false |
| httpRetries | object | Retry policy for HTTP requests. | false |
| keepAlive | object | Keep-alive settings. | false |
| tcpKeepalive | boolean | Deprecated. | false |

TenantSetting.spec.defaultTrafficSetting.resilience.httpRetries

Retry policy for HTTP requests.

| Name | Type | Description | Required |
|---|---|---|---|
| attempts | integer | Number of retries for a given request. Format: int32 | false |
| perTryTimeout | string | Timeout per retry attempt for a given request. | false |
| retryOn | string | Specifies the conditions under which a retry takes place. | false |

TenantSetting.spec.defaultTrafficSetting.resilience.keepAlive

Keep-alive settings.

| Name | Type | Description | Required |
|---|---|---|---|
| tcp | object | TCP keep-alive settings associated with the upstream and downstream TCP connections. | false |

TenantSetting.spec.defaultTrafficSetting.resilience.keepAlive.tcp

TCP keep-alive settings associated with the upstream and downstream TCP connections.

| Name | Type | Description | Required |
|---|---|---|---|
| downstream | object | TCP keep-alive settings associated with the downstream (client) connection. | false |
| upstream | object | TCP keep-alive settings associated with the upstream (backend) connection. | false |

TenantSetting.spec.defaultTrafficSetting.resilience.keepAlive.tcp.downstream

TCP keep-alive settings associated with the downstream (client) connection.

| Name | Type | Description | Required |
|---|---|---|---|
| idleTime | integer | Minimum: 0. Maximum: 4.294967295e+09 | false |
| interval | integer | The number of seconds between keep-alive probes. Minimum: 0. Maximum: 4.294967295e+09 | false |
| probes | integer | Minimum: 0. Maximum: 4.294967295e+09 | false |

TenantSetting.spec.defaultTrafficSetting.resilience.keepAlive.tcp.upstream

TCP keep-alive settings associated with the upstream (backend) connection.

| Name | Type | Description | Required |
|---|---|---|---|
| idleTime | integer | Minimum: 0. Maximum: 4.294967295e+09 | false |
| interval | integer | The number of seconds between keep-alive probes. Minimum: 0. Maximum: 4.294967295e+09 | false |
| probes | integer | Minimum: 0. Maximum: 4.294967295e+09 | false |