Config Protection
Config protection is a feature that helps protect your Istio configuration from accidental changes. This allows you to configure the users who are allowed to make changes to the Istio configuration generated by TSB, protecting your Istio configuration from unintended changes. By default, a user with Kube namespace privileges would be able to create new Istio configurations or edit TSB created configurations. While user managed configurations are not altered, TSB managed configurations when changed, would be overwritten by TSB during the next sync cycle.
This feature is available in two variants:
enableAuthorizedUpdateDeleteOnXcpConfigs
: This allows the user to create and manage Istio configurations that are not managed by TSB. You can add a specific set of users to the authorizedUsers list to give those users the privilege to edit or delete TSB managed configurations.enableAuthorizedCreateUpdateDeleteOnXcpConfigs
: This prevents any unauthorized user from creating, updating or deleting any Istio configuration in the cluster.
You can configure the users who are allowed to make changes to the Istio configuration generated by TSB through your
ControlPlane
CR.
By default, config protection is disabled for all Istio resources created by TSB.
You can enable this feature by adding the following to ControlPlane
CR in XCP component:
configProtection:
enableAuthorizedUpdateDeleteOnXcpConfigs: true
enableAuthorizedCreateUpdateDeleteOnXcpConfigs: true
authorizedUsers:
- user1
- system:serviceaccount:ns1:serviceaccount-1
For more details about ConfigProtection configuration, please refer to the following section Config Protection