Security Setting
SecuritySetting
allows configuring security related properties
such as TLS authentication and access control for traffic arriving
at a proxy workload in a security group.
This is a global object that uniquely configures the security group, and there can be only one security setting object defined for each security group.
Security settings can be propagated along any defined security settings in the configuration hierarchy. How security settings are propagated can be configured by specifying a PropagationStrategy.
The following example creates a security group for the proxy workloads in
ns1
, ns2
and ns3
namespaces owned by its parent workspace
w1
under tenant mycompany
and defines a security setting that
only allows mutual TLS authenticated traffic from other proxy workloads in
the same group.
apiVersion: security.tsb.tetrate.io/v2
kind: Group
metadata:
name: t1
workspace: w1
tenant: mycompany
organization: myorg
spec:
namespaceSelector:
names:
- "*/ns1"
- "*/ns2"
- "*/ns3"
configMode: BRIDGED
And the associated security settings for all proxy workloads in the group
apiVersion: security.tsb.tetrate.io/v2
kind: SecuritySetting
metadata:
name: defaults
group: t1
workspace: w1
tenant: mycompany
organization: myorg
spec:
authenticationSettings:
trafficMode: REQUIRED
authorization:
mode: GROUP
The following example customizes the allowedSources
to allow
traffic from the namespaces within the group as well as the
catalog-sa
service account from ns4
namespace.
apiVersion: security.tsb.tetrate.io/v2
kind: SecuritySetting
metadata:
name: custom
group: t1
workspace: w1
tenant: mycompany
organization: myorg
spec:
authenticationSettings:
trafficMode: REQUIRED
http:
rules:
jwt:
- issuer: "https://auth.tetrate.io"
jwksUri: "https://oauth2.auth.tetrate.io/certs"
- issuer: "https://auth.tetrate.internal"
jwksUri: "https://oauth2.auth.tetrate.internal/certs"
authorization:
mode: CUSTOM
serviceAccounts:
- "ns1/*"
- "ns2/*"
- "ns3/*"
- "ns4/catalog-sa"
http:
external:
uri: "https://policy.auth.tetrate.io"
includeRequestHeaders:
- authorization
The following example rejects all traffic arriving at workloads from namespaces
that belong to security group t1
.
apiVersion: security.tsb.tetrate.io/v2
kind: SecuritySetting
metadata:
name: defaults
group: t1
workspace: w1
tenant: mycompany
organization: myorg
spec:
authenticationSettings:
trafficMode: REQUIRED
authorization:
mode: RULES
rules:
denyAll: true
The following example accepts all traffic arriving at workloads from namespaces
that belong to security group t1
. All authenticated requests are accepted
because any workload is targeted to be allowed nor denied.
apiVersion: security.tsb.tetrate.io/v2
kind: SecuritySetting
metadata:
name: defaults
group: t1
workspace: w1
tenant: mycompany
organization: myorg
spec:
authenticationSettings:
trafficMode: REQUIRED
authorization:
mode: RULES
The following example accepts all traffic arriving at workloads in namespaces that belong
to security group t1
traffic, except from workloads belonging to workspace w2
.
apiVersion: security.tsb.tetrate.io/v2
kind: SecuritySetting
metadata:
name: defaults
group: t1
workspace: w1
tenant: mycompany
organization: myorg
spec:
authenticationSettings:
trafficMode: REQUIRED
authorization:
mode: RULES
rules:
deny:
- from:
fqn: organizations/myorg/tenants/mycompany/workspaces/w2
to:
fqn: organizations/myorg/tenants/mycompany/workspaces/w1/securitygroups/t1
The following example accepts traffic arriving at workloads in namespaces that belong
to security group t1
traffic, from workloads belonging to workspace w2
.
Hence, only authenticated request to workloads in security group t1
coming from
workloads in workspace w2
are accepted. All other request will be rejected.
apiVersion: security.tsb.tetrate.io/v2
kind: SecuritySetting
metadata:
name: defaults
group: t1
workspace: w1
tenant: mycompany
organization: myorg
spec:
authenticationSettings:
trafficMode: REQUIRED
authorization:
mode: RULES
rules:
allow:
- from:
fqn: organizations/myorg/tenants/mycompany/workspaces/w2
to:
fqn: organizations/myorg/tenants/mycompany/workspaces/w1/securitygroups/t1
The following example uses a combination of allows and denies to show how rules are evaluated.
Let's say we have a workspace w3
which contains 3 security groups, sg31
, sg32
, and sg33
. Besides we also
have workspace w1
and w2
.
Security group sg31
contains workloads that handle sensitive data, and we want to
only accept requests arriving from the same workspace w3
and explicitly reject requests coming from sg32
.
Hence, only authenticated request to workloads in security group sg31
coming from
workloads in workspace w3
and security group sg31
or sg33
will be accepted. Requests coming from sg32
will be rejected. Moreover, a request coming from any workload that belongs to another
workspace (w1
, or w2
), or security group that belong to another workspace, will also be reject
by default because it is not in the list of allowed resource FQNs.
apiVersion: security.tsb.tetrate.io/v2
kind: SecuritySetting
metadata:
name: defaults
group: sg31
workspace: w3
tenant: mycompany
organization: myorg
spec:
authenticationSettings:
trafficMode: REQUIRED
authorization:
mode: RULES
rules:
allow:
- from:
fqn: organizations/myorg/tenants/mycompany/workspaces/w3
to:
fqn: organizations/myorg/tenants/mycompany/workspaces/w3/securitygroups/sg31
deny:
- from:
fqn: organizations/myorg/tenants/mycompany/workspaces/w3/securitygroups/sg32
to:
fqn: organizations/myorg/tenants/mycompany/workspaces/w3/securitygroups/sg31
The following example customizes the WAFSettings
to enforce Web Application
Firewall rules on sidecars in namespaces reside in SecurityGroup.
Please DO NOT use it in production.
apiVersion: security.tsb.tetrate.io/v2
kind: SecuritySetting
metadata:
name: defaults
group: t1
workspace: w1
tenant: mycompany
organization: myorg
spec:
waf:
rules:
- SecRuleEngine ON
- Include @owasp_crs/*.conf
The following example customizes the Extensions
to enable
the execution of the WasmExtensions list specified, detailing
custom properties for the execution of each extension.
apiVersion: security.tsb.tetrate.io/v2
kind: SecuritySetting
metadata:
name: defaults
group: t1
workspace: w1
tenant: mycompany
organization: myorg
spec:
extension:
- fqn: hello-world # fqn of imported extensions in TSB
config:
foo: bar
AuthenticationSettings
AuthenticationSettings represents configuration related to authenticating traffic within the mesh and end-user credentials if present. It is HIGHLY RECOMMENDED to enable mutual TLS when end-user credentials are present. Sending credentials like JWT over plaintext is a security risk.
Field | Description | Validation Rule |
---|---|---|
trafficMode | tetrateio.api.tsb.security.v2.SecuritySetting.AuthenticationMode | – |
http | tetrateio.api.tsb.auth.v2.Authentication | – |
AuthorizationRules
AuthorizationRules
specifies which target workloads are allowed or denied.
When the mode is RULES
, by default, if no authorization rules are provided all requests will be accepted.
Currently, when a list of allow or deny rules are provided, a workload can only be targeted
by providing the workspace or security group resource the workload belongs to.
When different target workloads are allowed, denied or all workload are denied,
to evaluate if a request is accepted or rejected, denies are evaluated first, and finally allows.
Accepting or denying a request from a workload is determined by:
-
If deny_all is true, deny the request
-
If deny is defined and there are any denied target workload, deny the request.
-
If there are no allowed target workload, allow the request.
-
If allow is defined and there are any allowed target workload, allow the request.
-
Deny the request.
Field | Description | Validation Rule |
---|---|---|
allow | List of tetrateio.api.tsb.security.v2.Rule | – |
denyAll | bool | – |
deny | List of tetrateio.api.tsb.security.v2.Rule | – |
AuthorizationSettings
AuthorizationSettings
define the set of service accounts in one
or more namespaces allowed to access a workload (and hence its
sidecar) in the mesh.
Field | Description | Validation Rule |
---|---|---|
mode | tetrateio.api.tsb.security.v2.AuthorizationSettings.Mode | – |
serviceAccounts | List of string
Namespace should be a valid kubernetes namespace, which follows RFC 1123 Label Names rules. Service account should be a valid kubernetes service account, which follows DNS Subdomain Names rules. | repeated = { |
http | tetrateio.api.tsb.auth.v2.Authorization | – |
rules | tetrateio.api.tsb.security.v2.AuthorizationRules | – |
identityMatch | tetrateio.api.tsb.types.v2.IdentityMatch Possible values for identity_match are:
If identity_match is not explicitly specified, the system defaults to the PERMISSIVE mode, allowing for a more inclusive evaluation of authz rules that accommodates various identity verification strategies. The use of this field is dependent upon the This configuration offers flexibility in adapting the identity verification strategy to the specific security requirements and operational contexts of your environment, ensuring that authz rules are applied effectively and securely based on the desired identity verification method. | – |
Rule
Rule
matches request from a targeted resource (and the workloads that belong to the resource),
to another targeted resource (and the workloads that belong to the resource).
A match occurs when from
and to
matches the request.
Only resources of type Tenant, Workspace, or Security Group can be targeted.
Field | Description | Validation Rule |
---|---|---|
from | tetrateio.api.tsb.security.v2.Rule.From | – |
to | tetrateio.api.tsb.security.v2.Rule.To | – |
From
From includes the target resource (and the workloads that belong to the resource) which will be the source of a request.
Field | Description | Validation Rule |
---|---|---|
fqn | string | – |
To
To includes the target resource (and the workloads that belong to the resource) which will be destination of a request.
Field | Description | Validation Rule |
---|---|---|
fqn | string | – |
SecuritySetting
A security setting applies configuration to a set of proxy workloads in a security group or a workspace. When applied to a security group, missing fields will inherit values from the workspace-wide setting if any.
Field | Description | Validation Rule |
---|---|---|
authentication | tetrateio.api.tsb.security.v2.SecuritySetting.AuthenticationMode | – |
authorization | tetrateio.api.tsb.security.v2.AuthorizationSettings AuthorizationSettings mode can only be changed from Restricting two | – |
authenticationSettings | tetrateio.api.tsb.security.v2.AuthenticationSettings | – |
waf | tetrateio.api.tsb.security.v2.WAFSettings | – |
propagationStrategy | tetrateio.api.tsb.types.v2.PropagationStrategy Security setting properties affected by the propagation strategy are:
All the other properties will use the default | – |
extension | List of tetrateio.api.tsb.types.v2.WasmExtensionAttachment | – |
configGenerationMetadata | tetrateio.api.tsb.types.v2.ConfigGenerationMetadata | – |
Mode
A short cut for defining the common authorization patterns
Field | Number | Description |
---|---|---|
UNSET | 0 | Inherit from parent if possible. Otherwise treated as |
NAMESPACE | 1 | The workload allows traffic from any other authenticated workload in its own namespace. |
GROUP | 2 | The workload allows traffic from any other authenticated workload in the security group. |
WORKSPACE | 3 | The workload allows traffic from any other authenticated workload in the workspace. |
CLUSTER | 4 | The workload allows traffic from any other authenticated workload in the cluster. |
DISABLED | 5 | Authorization is disabled. |
CUSTOM | 6 | The workload allows traffic from service accounts defined explicitly. |
RULES | 7 | The workload allows or denies traffic from any other authenticated workload that belongs to the specified rules. |
AuthenticationMode
AuthenticationMode indicates whether to accept only Istio mutual TLS authenticated traffic or allow legacy plaintext traffic as well.
Field | Number | Description |
---|---|---|
UNSET | 0 | Inherit from parent, if has one. Otherwise treated as OPTIONAL. |
OPTIONAL | 1 | Accept both plaintext and mTLS authenticated connections. |
REQUIRED | 2 | Accept only mutual TLS authenticated connections. |