Configuration Inheritance
As briefly described in the Service Bridge Security section, TSB allows you to define policies and configurations at different levels of the hierarchy. This section will explain how TSB handles the inheritance of these policies and configurations.
Hierarchical Configuration
The Organization Setting object allows configuring global settings for the Organization. Settings such as network reachability or regional fail-over that apply globally to the organization are configured in the Organization Setting object.
Organization Setting is a global object that uniquely configures the organization, and there can be only one Organization Setting object defined for each organization. It also offers a way to provide default Traffic and Security settings for all of TSB, which can be overridden at the Tenant, Workspace, or Group level; if the Propagation Strategy permits.
The Tenant Setting object allows configuring default traffic and security settings for a specific Tenant and will be applicable to all underlying Workspaces.
The example below shows how a TenantSetting object can be created at Tenant 3 to govern the default settings for all Workspaces below.
The Workspace Setting object allows configuring default traffic and security settings for a specific Workspace and will be applicable to all underlying Groups.
Four different Group types are available in TSB: Security, Traffic, Gateway, and Istio Internal. The Istio Internal group is a special group that is available for customers needing direct access to specific Istio resources. It groups highly coupled, implementation-detail-oriented Istio resources together that do not carry the TSB guarantees or the backward/forward compatibility that the Traffic, Security, or Gateway groups provide. Therefore, this group is only meant to be used by users and administrators who are comfortable with those advanced features and understand that resources defined under this group will not interact with the mesh governance functionality TSB provides.
The other three groups provide task-specific configurations and policies, and each of them has its own settings object:
Configuration Profiles
Configuration Profiles, a feature introduced in TSB 1.10, adds an enhanced configuration experience for larger-scale TSB deployments. At the core, Configuration Profiles allow for the creation of configuration objects that can be created at the Organization, Tenant, or Workspace level and be attached to multiple resources like Tenants, Workspaces, or Groups in a distinct hierarchical order.
Since there can be a difference between where a Configuration Profile is created and where it is attached, it allows for usage delegation patterns as well as removing the need for duplication of configuration settings amongst the resources needing it.
The example below shows how a Configuration Profile can be created at Tenant 3 and attached further down in the hierarchy at Workspace 3 and Workspace 5.
Another trait of Configuration Profiles is the distinction between default settings and mandated settings. When a setting is created as a default, it means it can be overridden by a configuration profile attached lower in the hierarchy. When a setting is created as a mandate, it means it cannot be overridden. Where the hierarchical configuration objects Organization Setting, Tenant Setting, and Workspace Setting only allow for mandates in security settings using the PropagationStrategy property, configuration profiles allow for mandates in all settings types.
Configuration Profiles allow for addressing almost all settings types, except for those that are organization specific (e.g. network reachability) and the Authorization settings as currently found in the Security Settings resources, which deal with platform isolation concerns. These settings will be handled and enhanced in a new feature called segmentation, scheduled for initial release in TSB 1.11.
When creating a Configuration Profile, it is not required to fill in all settings. This allows for the creation of topic-specific configurations. Multiple configuration profiles can be attached to a resource, and the order in which they are attached determines the order in which they are applied.
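The default-versus-mandate distinction and the attachment-order rule above are easiest to check with a small model of the resolution logic. The block below is an added illustration written for this page; it is not TSB's implementation and uses no TSB API field names. It assumes that levels are applied top-down (organization, tenant, workspace, group), that profiles attached at the same level are applied in attachment order with a later profile overriding an earlier default for the same key, and that a mandated key can never be changed by anything applied afterwards. The sample hierarchy, the setting keys (`mtls_mode`, `retries`, `timeout`) and the profile names are constructed.

```python
"""Illustrative model of hierarchical setting resolution with defaults and mandates.

Added example for this page; not TSB's own code and not a statement about TSB
API field names. Assumptions:
- levels are applied top-down: organization, tenant, workspace, group;
- within one level, profiles are applied in attachment order and a later
  profile overrides earlier defaults for the same key;
- a mandated key can never be changed by anything applied later.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

LEVELS = ("organization", "tenant", "workspace", "group")


@dataclass(frozen=True)
class Setting:
    value: str
    mandate: bool = False  # False = default (overridable), True = mandate


@dataclass
class Profile:
    name: str
    settings: Dict[str, Setting] = field(default_factory=dict)


@dataclass
class Resolved:
    value: str
    level: str
    profile: str
    mandate: bool


def resolve(attachments: Dict[str, List[Profile]]) -> Tuple[Dict[str, Resolved], List[dict]]:
    """Resolve the effective settings seen at the lowest level in `attachments`.

    Returns (effective, rejected): `effective` maps key -> Resolved, and
    `rejected` records every attempt to change a key already mandated higher
    up, which is the event worth surfacing in an audit trail.
    """
    effective: Dict[str, Resolved] = {}
    rejected: List[dict] = []
    for level in LEVELS:
        for profile in attachments.get(level, []):
            for key, setting in profile.settings.items():
                current = effective.get(key)
                if current is not None and current.mandate:
                    # Lower-level attempt to weaken or change a mandated setting: ignored and recorded.
                    rejected.append({
                        "key": key, "level": level, "profile": profile.name,
                        "attempted": setting.value,
                        "mandated_by": f"{current.level}/{current.profile}",
                    })
                    continue
                effective[key] = Resolved(setting.value, level, profile.name, setting.mandate)
    return effective, rejected


# Constructed sample hierarchy (not from the page): the organization mandates
# mTLS STRICT and provides a default retry budget; lower levels try to tune both.
SAMPLE = {
    "organization": [Profile("org-baseline", {
        "mtls_mode": Setting("STRICT", mandate=True),
        "retries": Setting("3"),
    })],
    "tenant": [Profile("tenant-3-defaults", {"retries": Setting("5")})],
    "workspace": [Profile("ws-3-relaxed", {"mtls_mode": Setting("PERMISSIVE")})],
    "group": [
        Profile("timeouts-a", {"timeout": Setting("10s")}),
        Profile("timeouts-b", {"timeout": Setting("5s"), "retries": Setting("2")}),
    ],
}


def effective_values(attachments=SAMPLE) -> Dict[str, str]:
    """Effective key -> value map for the sample (or any) hierarchy."""
    effective, _ = resolve(attachments)
    return {k: r.value for k, r in effective.items()}


def rejected_overrides(attachments=SAMPLE) -> List[dict]:
    """Every attempt to override a mandated setting, for review."""
    return resolve(attachments)[1]


if __name__ == "__main__":
    for key, r in resolve(SAMPLE)[0].items():
        print(f"{key:10} = {r.value:10} (from {r.level}/{r.profile}, mandate={r.mandate})")
    for event in rejected_overrides():
        print("rejected:", event)
```

Running the block shows the two behaviours the text describes: `mtls_mode` stays `STRICT` because the organization mandated it, and the workspace profile's attempt to set `PERMISSIVE` is recorded rather than applied; `timeout` resolves to `5s` because `timeouts-b` was attached after `timeouts-a`. Keeping the rejected list, rather than silently dropping such attempts, is what lets an operator spot a lower-level profile that is trying to relax a security baseline.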