Layer 4 Security Policies
Before getting started, ensure that you have followed the procedures described in the Installation section and have set up your Management Plane and Control Plane with the correct settings.
After verifying that ambient mode is working with automatic mTLS encryption, you can apply Layer 4 security policies to control access between your ambient-enabled workloads. In ambient mode these policies are enforced by ztunnel at the destination, using the peer identity established by mTLS, which is why mTLS must be working before any of the settings below can take effect. TSB provides multiple levels of security configuration that work with ambient mode without further changes.
Understanding TSB Security Hierarchy
TSB security policies can be applied at three levels, each providing different scopes of control:
- Workspace Level: Using WorkspaceSetting with defaultSecuritySetting
- Security Group Level: Using SecuritySetting within a SecurityGroup
- Tenant Level: Using TenantSetting with defaultSecuritySetting
For complete details on TSB security APIs, see the Security Setting documentation.
Workspace-Level Security Configuration
The simplest way to apply security policies to your ambient workloads is at the workspace level. A WorkspaceSetting sets default authorization rules for every namespace in the workspace that is not covered by a more specific SecuritySetting on a security group. Create a workspace-level security setting for your ambient demo.
Workspace Security Setting YAML:
apiVersion: api.tsb.tetrate.io/v2
kind: WorkspaceSetting
metadata:
  name: ambient-demo-security
  organization: <your-organization>
  tenant: <your-tenant>
  workspace: ambient-demo-ws
spec:
  defaultSecuritySetting:
    authorization:
      mode: WORKSPACE
This configuration:
- Allows requests to services in the workspace only from workloads that belong to the same workspace (mode: WORKSPACE)
- Denies requests from every workload outside the workspace, including workloads in other workspaces of the same tenant
Security Group-Level Configuration
For more granular control, you can create Security Groups within your workspace and apply specific policies to the namespaces they select.
Step 1: Create a Security Group for your ambient namespaces. The "*/" prefix in the namespace selector matches the named namespace in any cluster that belongs to the workspace:
apiVersion: security.tsb.tetrate.io/v2
kind: Group
metadata:
  name: ambient-security-group
  organization: <your-organization>
  tenant: <your-tenant>
  workspace: ambient-demo-ws
spec:
  namespaceSelector:
    names:
      - "*/client"
      - "*/echo"
  configMode: BRIDGED
Step 2: Apply Security Settings to the Security Group. With mode: RULES, only requests that match an allow rule are admitted; this example admits traffic from anywhere in the workspace to the services selected by the group:
apiVersion: security.tsb.tetrate.io/v2
kind: SecuritySetting
metadata:
  name: ambient-security-policy
  organization: <your-organization>
  tenant: <your-tenant>
  workspace: ambient-demo-ws
  group: ambient-security-group
spec:
  authorization:
    mode: RULES
    rules:
      allow:
        - from:
            fqn: organizations/<your-organization>/tenants/<your-tenant>/workspaces/ambient-demo-ws
          to:
            fqn: organizations/<your-organization>/tenants/<your-tenant>/workspaces/ambient-demo-ws/securitygroups/ambient-security-group
Deny traffic from specific sources. TSB renders these rules as Istio AuthorizationPolicy, where DENY policies are evaluated before ALLOW policies, so a request that matches a deny rule is rejected even if it also matches an allow rule. Deny rules are therefore the right place for exceptions to a broad allow:
apiVersion: security.tsb.tetrate.io/v2
kind: SecuritySetting
metadata:
  name: deny-external-policy
  organization: <your-organization>
  tenant: <your-tenant>
  workspace: ambient-demo-ws
  group: ambient-security-group
spec:
  authorization:
    mode: RULES
    rules:
      deny:
        - from:
            fqn: organizations/<your-organization>/tenants/<other-tenant>
          to:
            fqn: organizations/<your-organization>/tenants/<your-tenant>/workspaces/ambient-demo-ws/securitygroups/ambient-security-group
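The following is an added example, not TSB code, that models how the workspace-mode setting and the allow/deny rules above resolve for a handful of workloads, so a policy can be reasoned about before it is applied. The organization, tenant and workload names are constructed placeholders standing in for <your-organization>, <your-tenant> and the demo namespaces. The model reduces TSB's matching to prefix checks over resource FQNs and keeps the evaluation order of the Istio AuthorizationPolicy that TSB renders (a deny match wins, then an allow match, then the default); whether TSB adds an implicit deny-all when a group has only deny rules is an assumption to confirm against the Security Setting documentation.

```python
"""Simplified model of TSB authorization scoping (added example, not TSB code)."""
from __future__ import annotations

from dataclasses import dataclass, field

# Constructed identifiers standing in for <your-organization>, <your-tenant>, <other-tenant>.
ORG = "organizations/acme"
TENANT = f"{ORG}/tenants/payments"
OTHER_TENANT = f"{ORG}/tenants/marketing"
WS = f"{TENANT}/workspaces/ambient-demo-ws"
GROUP = f"{WS}/securitygroups/ambient-security-group"

# Constructed workload identities, written as paths under the TSB resource they belong to.
CLIENT = f"{GROUP}/client"                               # selected by the security group
ECHO = f"{GROUP}/echo"                                   # selected by the security group
SIBLING = f"{WS}/securitygroups/other-group/billing"    # same workspace, different group
OUTSIDER = f"{OTHER_TENANT}/workspaces/mkt-ws/crawler"  # another tenant


def in_scope(fqn: str, scope: str) -> bool:
    """True when `fqn` is `scope` itself or lies beneath it in the TSB hierarchy."""
    return fqn == scope or fqn.startswith(scope + "/")


@dataclass
class Rules:
    """The allow/deny lists of a SecuritySetting with authorization.mode: RULES."""
    allow: list[tuple[str, str]] = field(default_factory=list)  # (from.fqn, to.fqn)
    deny: list[tuple[str, str]] = field(default_factory=list)


def _matches(src: str, dst: str, rules: list[tuple[str, str]]) -> bool:
    return any(in_scope(src, f) and in_scope(dst, t) for f, t in rules)


def evaluate(src: str, dst: str, mode: str, rules: Rules | None = None,
             workspace: str = WS) -> str:
    """Return "ALLOW" or "DENY" for a request from `src` to `dst` under `mode`."""
    if mode == "WORKSPACE":
        # Only sources inside the same workspace may reach the workload.
        return "ALLOW" if in_scope(src, workspace) else "DENY"
    if mode == "RULES":
        if rules is None:
            raise ValueError("mode RULES requires rules")
        if _matches(src, dst, rules.deny):
            return "DENY"  # a deny match wins over any allow match
        if _matches(src, dst, rules.allow):
            return "ALLOW"
        # Assumption (Istio semantics): once any allow rule applies, everything
        # unmatched is denied; with deny rules only, unmatched traffic is allowed.
        return "DENY" if rules.allow else "ALLOW"
    raise ValueError(f"unsupported mode {mode!r}")


def demo() -> dict[str, str]:
    """Evaluate the policies on this page against the constructed workloads."""
    results: dict[str, str] = {}
    # 1. WorkspaceSetting with defaultSecuritySetting.authorization.mode: WORKSPACE
    results["ws:client->echo"] = evaluate(CLIENT, ECHO, "WORKSPACE")
    results["ws:sibling->echo"] = evaluate(SIBLING, ECHO, "WORKSPACE")
    results["ws:outsider->echo"] = evaluate(OUTSIDER, ECHO, "WORKSPACE")

    # 2. ambient-security-policy: allow from the whole workspace to the group
    allow_ws = Rules(allow=[(WS, GROUP)])
    results["rules:sibling->echo"] = evaluate(SIBLING, ECHO, "RULES", allow_ws)
    results["rules:outsider->echo"] = evaluate(OUTSIDER, ECHO, "RULES", allow_ws)

    # 3. Deny precedence: a broad allow (whole organization) plus the page's
    #    deny-external rule; the other tenant is still rejected.
    mixed = Rules(allow=[(ORG, GROUP)], deny=[(OTHER_TENANT, GROUP)])
    results["mixed:outsider->echo"] = evaluate(OUTSIDER, ECHO, "RULES", mixed)
    results["mixed:sibling->echo"] = evaluate(SIBLING, ECHO, "RULES", mixed)
    return results


if __name__ == "__main__":
    for request, verdict in demo().items():
        print(f"{request:22} {verdict}")
```

Run it with `python3 policy_model.py`; the third scenario is the one worth checking against a real cluster, since it is where a broad allow and a targeted deny overlap and the ordering decides the outcome.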
For comprehensive security configuration examples and best practices, refer to: