Common Object Types
Definition of objects shared by different APIs.
ConfigGenerationMetadata
ConfigGenerationMetadata
allows to setup extra metadata that will be added in the final Istio generated configurations.
Like new labels or annotations.
Defining the config generation metadata in tenancy resources (like organization, tenant, workspace or groups) works as default
values for those configs that belong to it.
Defining same config generation metadata in configuration resources (like ingress gateways, service routes, etc.) will replace the
ones defined in the tenancy resources.
Field | Description | Validation Rule |
---|---|---|
labels | map<string, string> | – |
annotations | map<string, string> | – |
NamespaceSelector
NamespaceSelector
selects a set of namespaces across one or more
clusters in a tenant. Namespace selectors can be used at Workspace
level to carve out a chunk of resources under a tenant into an
isolated configuration domain. They can be used in a Traffic,
Security, or a Gateway group to further scope the set of namespaces
that will belong to a specific configuration group.
Names in namespaces selector must be in the form cluster/namespace
where:
-
cluster must be a cluster name or an
*
to mean all clusters -
namespace must be a namespace name, an
*
to mean all namespaces or a prefix likens-*
to mean all those namespaces starting byns-
Field | Description | Validation Rule |
---|---|---|
names | List of string
| repeated = { |
PortSelector
PortSelector is the criteria for specifying if a policy can be applied to a listener having a specific port.
Field | Description | Validation Rule |
---|---|---|
number | uint32 | uint32 = { |
RegionalFailover
Specify the traffic failover policy across regions. Since zone and sub-zone failover is supported by default this only needs to be specified for regions when the operator needs to constrain traffic failover so that the default behavior of failing over to any endpoint globally does not apply. This is useful when failing over traffic across regions would not improve service health or may need to be restricted for other reasons like regulatory controls.
Field | Description | Validation Rule |
---|---|---|
from | string | – |
to | string | – |
ServiceSelector
ServiceSelector represents the match criteria to select services within a particular scope (namespace, workspace, cluster etc)
Field | Description | Validation Rule |
---|---|---|
serviceLabels | map<string, string> | map = { |
TrafficSelector
TrafficSelector provides a mechanism to select a specific traffic flow for which this Wasm Extension will be enabled. When all the sub conditions in the TrafficSelector are satisfied, the traffic will be selected.
Field | Description | Validation Rule |
---|---|---|
mode | tetrateio.api.tsb.types.v2.WorkloadMode | enum = { |
ports | List of tetrateio.api.tsb.types.v2.PortSelector If one of the given | – |
WasmExtensionAttachment
WasmExtensionAttachment defines the WASM extension attached to this resource including the name to identify the extension and also the specific configuration that will override the global extension configuration. Only those extensions globally enabled will be considered although they can be associated to the target resources. Match configuration allows you to specify which traffic is sent through the Wasm extension. Users can select the traffic based on different workload modes and ports.
apiVersion: gateway.tsb.tetrate.io/v2
kind: IngressGateway
metadata:
name: ingress-bookinfo
group: g1
workspace: w1
tenant: mycompany
organization: myorg
spec:
workloadSelector:
namespace: ns1
labels:
app: gateway
extension:
- fqn: hello-world # fqn of imported extensions in TSB
config:
foo: bar
match:
- ports:
- number: 80
mode: CLIENT_AND_SERVER
http:
- name: bookinfo
port: 80
hostname: bookinfo.com
routing:
rules:
- route:
host: ns1/productpage.ns1.svc.cluster.local
Field | Description | Validation Rule |
---|---|---|
fqn | string | string = { |
config | google.protobuf.Struct | – |
match | List of tetrateio.api.tsb.types.v2.TrafficSelector | – |
WorkloadSelector
WorkloadSelector
selects one or more workloads in a
namespace. WorkloadSelector
can be used in TrafficSetting,
SecuritySetting, and Gateway APIs in BRIDGED
mode to scope the
configuration to a specific set of workloads.
Field | Description | Validation Rule |
---|---|---|
namespace | string | string = { |
labels | map<string, string> | map = { |
Object
Format for all API objects in TSB as exposed in the CLI.
Field | Description | Validation Rule |
---|---|---|
apiVersion | string | string = { |
kind | string | string = { |
metadata | – | |
spec | google.protobuf.Any | – |
status | map<string, string> | – |
ObjectMeta
Metadata associated with each API Object.
Field | Description | Validation Rule |
---|---|---|
name | string | – |
namespace | string | – |
tenant | string | – |
workspace | string | – |
group | string | – |
resourceVersion | string | – |
labels | map<string, string> | – |
annotations | map<string, string> | – |
displayName | string | – |
description | string | – |
organization | string | – |
application | string | – |
api | string | – |
service | string | – |
telemetrySource | string | – |
fqn | string | – |
IstioObjectSpec
Contains the raw type of an Istio object. This is used to generate the documentation examples when showing the serialized form of Istio direct mode resources.
Field | Description | Validation Rule |
---|---|---|
type | – |
TypeInfo
TypeInfo provides metadata describing a message type.
Field | Description | Validation Rule |
---|---|---|
generatesConfig | bool | – |
aggregatesStatus | bool | – |
dependencies | List of string | – |
lastEventXcpAccepted | bool | – |
CreateIstioObjectRequest
Request to create an Istio Object
Field | Description | Validation Rule |
---|---|---|
parent | string | string = { |
name | string | string = { |
object | tetrateio.api.tsb.types.v2.IstioObject | message = { |
DeleteIstioObjectRequest
Request to delete a Istio Object.
Field | Description | Validation Rule |
---|---|---|
fqn | string | string = { |
GetIstioObjectRequest
Request to retrieve a Istio Object.
Field | Description | Validation Rule |
---|---|---|
fqn | string | string = { |
IstioObject
Wrapper for Istio direct mode objects with all the details needed to add it to the TSB resource hierarchy.
Field | Description | Validation Rule |
---|---|---|
metadata | tetrateio.api.tsb.types.v2.IstioObject.ConfigMeta | – |
spec | google.protobuf.Any | – |
ConfigMeta
Field | Description | Validation Rule |
---|---|---|
apiVersion | string | string = { |
kind | string | string = { |
name | string | – |
namespace | string | – |
labels | map<string, string> | – |
annotations | map<string, string> | – |
ListIstioObjectsRequest
Request to list Istio Object.
Field | Description | Validation Rule |
---|---|---|
parent | string | string = { |
ListIstioObjectsResponse
List of Istio direct mode objects
Field | Description | Validation Rule |
---|---|---|
objects | – |
ConfigMode
The configuration mode used by a traffic, security or a gateway group.
Field | Number | Description |
---|---|---|
BRIDGED | 0 | Indicates that the configurations to be added to the group will use macro APIs that automatically generate Istio APIs under the hood. |
DIRECT | 1 | Indicates that the configurations to be added to the group will directly use Istio APIs. |
PropagationStrategy
The PropagationStrategy is the key differentiating factor to decide how a security policy should be propagated and applied at runtime across clusters. The default propagation strategy is REPLACE, in which a lower level SecuritySetting in the configuration hierarchy replaces a higher level SecuritySetting. The STRICTER PropagationStrategy on the other hand makes sure the default SecuritySettings configured at the parent level are always enforced and propagated down the hierarchy unless additional SecuritySettings are defined and restricted further in the configuration hierarchy.
REPLACE
should be used when resources in the hierarchy are allowed to override the default settings configured at the higher levels.STRICTER
should be used when the default settings must prevail, and the settings can only be made more restrictive by child resources at lower levels of the hierarchy.
When a resource or property of it affected by the propagation strategy is propagated down the hierarchy, regardless
of the defined strategy (REPLACE
or STRICTER
), a parent defined resource or a property of the
resource will be used (propagated) in absence of a child resource or a property of it.
For example, the following policy configures optional mTLS for traffic within the workspace, but
it allows SecuritySettings to modify it. The example shows a workspace that configures
service-to-service access so that only services in the same workspace can talk to each other.
The REPLACE
propagation policy allows individual settings to override it. In the example, the
SecuritySettings allows services within that group to be reachable from any
service in the cluster, regardless for the workspace they belong to, even though the Workspace
restricts service-to-service access to only services in the Workspace.
apiVersion: api.tsb.tetrate.io/v2
kind: WorkspaceSetting
metadata:
name: w1-settings
workspace: w1
tenant: mycompany
organization: myorg
spec:
defaultSecuritySetting:
propagationStrategy: REPLACE
authorization:
mode: WORKSPACE
---
apiVersion: security.tsb.tetrate.io/v2
kind: SecuritySetting
metadata:
name: defaults
group: t1
workspace: w1
tenant: mycompany
organization: myorg
spec:
authorization:
mode: CLUSTER
STRICTER
propagation configures defaults that can be only be restricted down the hierarchy.
The following example configures the same WorkspaceSetting but with a STRICTER
propagation mode.
The defaults
SecuritySetting further narrows down that access to the GROUP
scope, which is
allowed because GROUP is more strict than WORKSPACE. However, the defaults-invalid
SecuritySetting
configures CLUSTER
access, which would widen the scope defined at the Workspace. That settings will
not be allowed based on the STRICTER
propagation policy.
apiVersion: api.tsb.tetrate.io/v2
kind: WorkspaceSetting
metadata:
name: w1-settings
workspace: w1
tenant: mycompany
organization: myorg
spec:
defaultSecuritySetting:
propagationStrategy: STRICTER
authorization:
mode: WORKSPACE
---
apiVersion: security.tsb.tetrate.io/v2
kind: SecuritySetting
metadata:
name: defaults
group: t1
workspace: w1
tenant: mycompany
organization: myorg
spec:
authorization:
mode: GROUP
---
apiVersion: security.tsb.tetrate.io/v2
kind: SecuritySetting
metadata:
name: defaults-invalid
group: t2
workspace: w1
tenant: mycompany
organization: myorg
spec:
authorization:
mode: CLUSTER
Further details of how security settings are resolved between in STRICTER
mode between a parent and a
child resource can be found in the SecuritySettings reference.
Field | Number | Description |
---|---|---|
REPLACE | 0 | Is the default configuration propagation strategy. A lower defined configuration in the hierarchy will replace a higher configuration in the hierarchy. Otherwise, if a lower configuration is not defined, the configuration higher up in the hierarchy will prevail. For instance, a defined default propagation strategy for workspace default security settings will replace tenant's defined default security settings. |
STRICTER | 1 | STRICTER propagation strategy propagates the strictest configuration between a defined higher level and a defined lower level configuration in the hierarchy. If a lower level configuration in the hierarchy is not defined, the higher one will prevail. Which configuration is stricter than the other is defined by each concrete configuration that allows specifying a propagation strategy. |
WorkloadMode
WorkloadMode allows selection of the role of the underlying workload in network traffic. A workload is considered as acting as a SERVER if it is the destination of the traffic (that is, traffic direction, from the perspective of the workload is inbound). If the workload is the source of the network traffic, it is considered to be in CLIENT mode (traffic is outbound from the workload).
Field | Number | Description |
---|---|---|
UNDEFINED | 0 | Default value, which will be interpreted by its own usage. |
CLIENT | 1 | Selects for scenarios when the workload is the source of the network traffic. In addition, if the workload is a gateway, selects this. |
SERVER | 2 | Selects for scenarios when the workload is the destination of the network traffic. |
CLIENT_AND_SERVER | 3 | Selects for scenarios when the workload is either the source or destination of the network traffic. |