Tetrate Service Bridge, version: next

Layer 4 Security Policies

Warning

Before getting started, ensure that you have followed the procedures described in the Installation section and have set up your Management Plane and Control Plane with the correct settings.

After verifying that ambient mode is working with automatic mTLS encryption, you can apply Layer 4 security policies to control access between your ambient-enabled workloads. TSB provides multiple levels of security configuration that work seamlessly with ambient mode.

Understanding TSB Security Hierarchy

TSB security policies can be applied at three levels, each providing different scopes of control:

  • Workspace Level: Using WorkspaceSetting with defaultSecuritySetting
  • Security Group Level: Using SecuritySetting within a SecurityGroup
  • Tenant Level: Using TenantSetting with defaultSecuritySetting

For complete details on TSB security APIs, see the Security Setting documentation.

Workspace-Level Security Configuration

The simplest way to apply security policies to your ambient workloads is at the workspace level. This lets you set default authorization rules for all services within the workspace. Create a workspace-level security setting for your ambient demo (Workspace Security Setting YAML):

apiVersion: api.tsb.tetrate.io/v2
kind: WorkspaceSetting
metadata:
  name: ambient-demo-security
  organization: <your-organization>
  tenant: <your-tenant>
  workspace: ambient-demo-ws
spec:
  defaultSecuritySetting:
    authorization:
      mode: WORKSPACE

This configuration:

  • Allows communication only between services within the same workspace (mode: WORKSPACE)
  • Automatically denies traffic from services outside the workspace

Security Group-Level Configuration

For more granular control, you can create Security Groups within your workspace and apply specific policies.

Step 1: Create a Security Group for your ambient namespaces:

apiVersion: security.tsb.tetrate.io/v2
kind: Group
metadata:
  name: ambient-security-group
  organization: <your-organization>
  tenant: <your-tenant>
  workspace: ambient-demo-ws
spec:
  namespaceSelector:
    names:
      - "*/client"
      - "*/echo"
  configMode: BRIDGED

Step 2: Apply Security Settings to the Security Group:

apiVersion: security.tsb.tetrate.io/v2
kind: SecuritySetting
metadata:
  name: ambient-security-policy
  organization: <your-organization>
  tenant: <your-tenant>
  workspace: ambient-demo-ws
  group: ambient-security-group
spec:
  authorization:
    mode: RULES
    rules:
      allow:
        - from:
            fqn: organizations/<your-organization>/tenants/<your-tenant>/workspaces/ambient-demo-ws
          to:
            fqn: organizations/<your-organization>/tenants/<your-tenant>/workspaces/ambient-demo-ws/securitygroups/ambient-security-group

To deny traffic from specific sources (here, workloads belonging to a different tenant):

apiVersion: security.tsb.tetrate.io/v2
kind: SecuritySetting
metadata:
  name: deny-external-policy
  organization: <your-organization>
  tenant: <your-tenant>
  workspace: ambient-demo-ws
  group: ambient-security-group
spec:
  authorization:
    mode: RULES
    rules:
      deny:
        - from:
            fqn: organizations/<your-organization>/tenants/<other-tenant>
          to:
            fqn: organizations/<your-organization>/tenants/<your-tenant>/workspaces/ambient-demo-ws/securitygroups/ambient-security-group
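The two authorization styles shown above (mode WORKSPACE in the WorkspaceSetting, and the allow/deny rules in the group SecuritySetting) evaluated by a small added Python model; this is illustrative code, not TSB's implementation. It assumes that each workload can be represented by a constructed FQN nested under its workspace or security-group scope, that deny rules are checked before allow rules, and that RULES mode denies anything no allow rule matches; the organization and tenant names are constructed placeholders.

```python
# Illustrative model of TSB authorization modes WORKSPACE and RULES using
# FQN scope containment. Not TSB's code; the FQN shapes below are assumed.

ORG = "organizations/acme"                # constructed placeholder organization
TENANT = f"{ORG}/tenants/dev"             # constructed placeholder <your-tenant>
OTHER_TENANT = f"{ORG}/tenants/partner"   # constructed placeholder <other-tenant>
WS = f"{TENANT}/workspaces/ambient-demo-ws"
GROUP = f"{WS}/securitygroups/ambient-security-group"

# Mirrors the WorkspaceSetting on the page: defaultSecuritySetting.authorization.mode
WORKSPACE_SETTING = {"workspace": WS, "authorization": {"mode": "WORKSPACE"}}

# Mirrors the two group SecuritySettings on the page, merged into one rule set
GROUP_SETTING = {
    "workspace": WS,
    "authorization": {
        "mode": "RULES",
        "rules": {
            "allow": [{"from": {"fqn": WS}, "to": {"fqn": GROUP}}],
            "deny": [{"from": {"fqn": OTHER_TENANT}, "to": {"fqn": GROUP}}],
        },
    },
}

def in_scope(fqn, scope):
    """True when fqn is the scope itself or a resource nested under it.
    The trailing '/' prevents 'ambient-demo-ws-other' matching 'ambient-demo-ws'."""
    return fqn == scope or fqn.startswith(scope + "/")

def authorize(setting, source, target):
    """Return True if traffic from source (an FQN) to target (an FQN) is permitted.
    Assumption: deny rules are evaluated before allow rules, and RULES mode
    with no matching allow rule denies by default."""
    auth = setting["authorization"]
    if auth["mode"] == "WORKSPACE":
        # Only sources inside the setting's own workspace are allowed.
        return in_scope(source, setting["workspace"])
    if auth["mode"] != "RULES":
        raise ValueError("only WORKSPACE and RULES are modelled here")
    rules = auth.get("rules", {})
    def matches(rule):
        return in_scope(source, rule["from"]["fqn"]) and in_scope(target, rule["to"]["fqn"])
    if any(matches(r) for r in rules.get("deny", [])):
        return False
    return any(matches(r) for r in rules.get("allow", []))

if __name__ == "__main__":
    client = f"{WS}/services/client"      # constructed source identity
    echo = f"{GROUP}/services/echo"       # constructed target inside the group
    print(authorize(WORKSPACE_SETTING, client, echo))                          # True
    print(authorize(GROUP_SETTING, f"{OTHER_TENANT}/workspaces/x/services/y", echo))  # False
```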

For comprehensive security configuration examples and best practices, refer to: