Tetrate Service Bridge (version: next)

security.tsb.tetrate.io/v2

Resource Types: Group, ServiceSecuritySetting, SecuritySetting

Group

Name | Type | Description | Required
apiVersion | string | security.tsb.tetrate.io/v2 | true
kind | string | Group | true
metadata | object | Refer to the Kubernetes API documentation for the fields of the metadata field. | true
spec | object | | false
status | object | | false

Group.spec

Name | Type | Description | Required
configGenerationMetadata | object | Default metadata values that will be propagated to the children Istio generated configurations. | false
configMode | enum | Enum: BRIDGED, DIRECT | false
deletionProtectionEnabled | boolean | When set, prevents the resource from being deleted. | false
description | string | A description of the resource. | false
displayName | string | User friendly name for the resource. | false
etag | string | The etag for the resource. | false
fqn | string | Fully-qualified name of the resource. | false
namespaceSelector | object | Set of namespaces owned exclusively by this group. | false
securityDomain | string | Security domains can be used to group different resources under the same security domain. | false

Group.spec.configGenerationMetadata

Default metadata values that will be propagated to the children Istio generated configurations.

Name | Type | Description | Required
annotations | map[string]string | Set of key-value pairs that will be added to the metadata.annotations field of the Istio generated configurations. | false
labels | map[string]string | Set of key-value pairs that will be added to the metadata.labels field of the Istio generated configurations. | false

Group.spec.namespaceSelector

Set of namespaces owned exclusively by this group.

Name | Type | Description | Required
names | []string | | false

ServiceSecuritySetting

Name | Type | Description | Required
apiVersion | string | security.tsb.tetrate.io/v2 | true
kind | string | ServiceSecuritySetting | true
metadata | object | Refer to the Kubernetes API documentation for the fields of the metadata field. | true
spec | object | | false
status | object | | false

ServiceSecuritySetting.spec

Name | Type | Description | Required
configGenerationMetadata | object | Metadata values that will be added to the Istio generated configurations. | false
description | string | A description of the resource. | false
displayName | string | User friendly name for the resource. | false
etag | string | The etag for the resource. | false
fqn | string | Fully-qualified name of the resource. | false
service | string | The service on which the configuration is being applied. | false
settings | object | Security settings to apply to this service. | false
subsets | []object | | false

ServiceSecuritySetting.spec.configGenerationMetadata

Metadata values that will be added to the Istio generated configurations.

Name | Type | Description | Required
annotations | map[string]string | Set of key-value pairs that will be added to the metadata.annotations field of the Istio generated configurations. | false
labels | map[string]string | Set of key-value pairs that will be added to the metadata.labels field of the Istio generated configurations. | false

ServiceSecuritySetting.spec.settings

Security settings to apply to this service.

Name | Type | Description | Required
authentication | enum | Enum: UNSET, OPTIONAL, REQUIRED | false
authenticationSettings | object | | false
authorization | object | | false
configGenerationMetadata | object | Metadata values that will be added to the Istio generated configurations. | false
description | string | A description of the resource. | false
displayName | string | User friendly name for the resource. | false
etag | string | The etag for the resource. | false
extension | []object | | false
fqn | string | Fully-qualified name of the resource. | false
propagationStrategy | enum | Enum: REPLACE, STRICTER | false
waf | object | NOTICE: this feature is in alpha stage and under active development. | false

ServiceSecuritySetting.spec.settings.authenticationSettings

Name | Type | Description | Required
clientAuthentication | object | ClientAuthentication is used to configure connection authentication parameters. | false
http | object | | false
trafficMode | enum | Enum: UNSET, OPTIONAL, REQUIRED | false

ServiceSecuritySetting.spec.settings.authenticationSettings.clientAuthentication

ClientAuthentication is used to configure connection authentication parameters.

Name | Type | Description | Required
enforceIstioMtlsForMeshClients | boolean | | false
excludedHosts | []string | List of non-mesh k8s hosts to exclude from enforcing Istio mutual TLS. | false

ServiceSecuritySetting.spec.settings.authenticationSettings.http

Name | Type | Description | Required
jwt | object | Authenticate an HTTP request from a JWT token attached to it. | false
oidc | object | | false
rules | object | List of rules for how to authenticate an HTTP request. | false

ServiceSecuritySetting.spec.settings.authenticationSettings.http.jwt

Authenticate an HTTP request from a JWT token attached to it.

Name | Type | Description | Required
audiences | []string | | false
fromHeaders | []object | This field specifies the locations from which to extract the JWT token. | false
issuer | string | Identifies the issuer that issued the JWT. | false
jwks | string | JSON Web Key Set of public keys to validate the signature of the JWT. | false
jwksUri | string | | false
outputClaimToHeaders | []object | This field specifies a list of operations to copy claims to HTTP headers on a successfully verified token. | false
outputPayloadToHeader | string | | false

ServiceSecuritySetting.spec.settings.authenticationSettings.http.jwt.fromHeaders[index]

Name | Type | Description | Required
name | string | The HTTP header name. | false
prefix | string | The prefix that should be stripped before decoding the token. | false

ServiceSecuritySetting.spec.settings.authenticationSettings.http.jwt.outputClaimToHeaders[index]

Name | Type | Description | Required
claim | string | The name of the claim to be copied from. | false
header | string | The name of the header to be created. | false

ServiceSecuritySetting.spec.settings.authenticationSettings.http.oidc

Name | Type | Description | Required
authScopes | []string | Optional list of OAuth scopes to be claimed in the authorization request. | false
authType | enum | Defines how client_id and client_secret are sent in OAuth client to OAuth server requests. Enum: DEFAULT_AUTH_TYPE, URL_ENCODED_BODY, BASIC_AUTH | false
clientId | string | The client_id to be used in the authorize calls. | false
clientTokenSecret | string | The name of the Kubernetes secret containing the client secret. | false
grantType | enum | Enum: DEFAULT_GRANT_TYPE, AUTHORIZATION_CODE | false
provider | object | The OIDC Provider configuration. | false
redirectPathMatcher | string | | false
redirectUri | string | | false
signoutPath | string | The path to sign a user out, clearing their credential cookies. | false

ServiceSecuritySetting.spec.settings.authenticationSettings.http.oidc.provider

The OIDC Provider configuration.

Name | Type | Description | Required
authorizationEndpoint | string | The OIDC Provider's authorization endpoint. | false
issuer | string | The OIDC Provider's issuer identifier. | false
jwks | string | JSON string with the OIDC provider's JSON Web Key Sets. | false
jwksUri | string | URI for the OIDC provider's JSON Web Key Sets. | false
tokenEndpoint | string | The OIDC Provider's token endpoint. | false

ServiceSecuritySetting.spec.settings.authenticationSettings.http.rules

List of rules for how to authenticate an HTTP request.

Name | Type | Description | Required
jwt | []object | List of rules for how to authenticate an HTTP request from a JWT token attached to it. | false

ServiceSecuritySetting.spec.settings.authenticationSettings.http.rules.jwt[index]

Name | Type | Description | Required
audiences | []string | | false
fromHeaders | []object | This field specifies the locations from which to extract the JWT token. | false
issuer | string | Identifies the issuer that issued the JWT. | false
jwks | string | JSON Web Key Set of public keys to validate the signature of the JWT. | false
jwksUri | string | | false
outputClaimToHeaders | []object | This field specifies a list of operations to copy claims to HTTP headers on a successfully verified token. | false
outputPayloadToHeader | string | | false

ServiceSecuritySetting.spec.settings.authenticationSettings.http.rules.jwt[index].fromHeaders[index]

Name | Type | Description | Required
name | string | The HTTP header name. | false
prefix | string | The prefix that should be stripped before decoding the token. | false

ServiceSecuritySetting.spec.settings.authenticationSettings.http.rules.jwt[index].outputClaimToHeaders[index]

Name | Type | Description | Required
claim | string | The name of the claim to be copied from. | false
header | string | The name of the header to be created. | false

ServiceSecuritySetting.spec.settings.authorization

Name | Type | Description | Required
http | object | This is for configuring HTTP request authorization. | false
identityMatch | enum | Enum: UNKNOWN, PEER_CERTIFICATE, PERMISSIVE, SOURCE_IDENTITY | false
mode | enum | A shortcut for specifying the set of allowed callers. Enum: UNSET, NAMESPACE, GROUP, WORKSPACE, CLUSTER, DISABLED, CUSTOM, RULES | false
rules | object | | false
serviceAccounts | []string | | false

ServiceSecuritySetting.spec.settings.authorization.http

This is for configuring HTTP request authorization.

Name | Type | Description | Required
external | object | | false
local | object | | false

ServiceSecuritySetting.spec.settings.authorization.http.external

Name | Type | Description | Required
includeRequestHeaders | []string | | false
tls | object | | false
uri | string | | false

ServiceSecuritySetting.spec.settings.authorization.http.external.tls

Name | Type | Description | Required
files | object | TLS key source from files. | false
mode | enum | Enum: DISABLED, SIMPLE, MUTUAL | false
secretName | string | TLS key source from a Kubernetes Secret. | false
subjectAltNames | []string | | false

ServiceSecuritySetting.spec.settings.authorization.http.external.tls.files

TLS key source from files.

Name | Type | Description | Required
caCertificates | string | | false
clientCertificate | string | Certificate file to authenticate the client. | false
privateKey | string | Private key file associated with the client certificate. | false

ServiceSecuritySetting.spec.settings.authorization.http.local

Name | Type | Description | Required
rules | []object | | false

ServiceSecuritySetting.spec.settings.authorization.http.local.rules[index]

Name | Type | Description | Required
from | []object | | false
name | string | A friendly name to identify the binding. | false
to | []object | | false

ServiceSecuritySetting.spec.settings.authorization.http.local.rules[index].from[index]

Name | Type | Description | Required
jwt | object | JWT configuration to identify the subject. | false

ServiceSecuritySetting.spec.settings.authorization.http.local.rules[index].from[index].jwt

JWT configuration to identify the subject.

Name | Type | Description | Required
iss | string | | false
other | map[string]string | A set of arbitrary claims that are required to qualify the subject. | false
sub | string | | false

ServiceSecuritySetting.spec.settings.authorization.http.local.rules[index].to[index]

Name | Type | Description | Required
methods | []string | The HTTP methods that are allowed by this rule. | false
paths | []string | The request paths that the request is made against. | false

ServiceSecuritySetting.spec.settings.authorization.rules

Name | Type | Description | Required
allow | []object | Allow specifies a list of rules. | false
deny | []object | Deny specifies a list of rules. | false
denyAll | boolean | Deny all specifies whether all requests should be rejected. | false

ServiceSecuritySetting.spec.settings.authorization.rules.allow[index]

Name | Type | Description | Required
from | object | From specifies the source of a request. | false
to | object | To specifies the destination of a request. | false

ServiceSecuritySetting.spec.settings.authorization.rules.allow[index].from

From specifies the source of a request.

Name | Type | Description | Required
fqn | string | The target resource identified by FQN which will be the source of a request. | false

ServiceSecuritySetting.spec.settings.authorization.rules.allow[index].to

To specifies the destination of a request.

Name | Type | Description | Required
fqn | string | The target resource identified by FQN which will be the destination of a request. | false

ServiceSecuritySetting.spec.settings.authorization.rules.deny[index]

Name | Type | Description | Required
from | object | From specifies the source of a request. | false
to | object | To specifies the destination of a request. | false

ServiceSecuritySetting.spec.settings.authorization.rules.deny[index].from

From specifies the source of a request.

Name | Type | Description | Required
fqn | string | The target resource identified by FQN which will be the source of a request. | false

ServiceSecuritySetting.spec.settings.authorization.rules.deny[index].to

To specifies the destination of a request.

Name | Type | Description | Required
fqn | string | The target resource identified by FQN which will be the destination of a request. | false

ServiceSecuritySetting.spec.settings.configGenerationMetadata

Metadata values that will be added to the Istio generated configurations.

Name | Type | Description | Required
annotations | map[string]string | Set of key-value pairs that will be added to the metadata.annotations field of the Istio generated configurations. | false
labels | map[string]string | Set of key-value pairs that will be added to the metadata.labels field of the Istio generated configurations. | false

ServiceSecuritySetting.spec.settings.extension[index]

Name | Type | Description | Required
config | object | Configuration parameters sent to the WASM plugin execution. | false
fqn | string | Fqn of the extension to be executed. | false
match | []object | Specifies the criteria to determine which traffic is passed to WasmExtension. | false

ServiceSecuritySetting.spec.settings.extension[index].match[index]

Name | Type | Description | Required
mode | enum | Criteria for selecting traffic by their direction. Enum: UNDEFINED, CLIENT, SERVER, CLIENT_AND_SERVER | false
ports | []object | Criteria for selecting traffic by their destination port. | false

ServiceSecuritySetting.spec.settings.extension[index].match[index].ports[index]

Name | Type | Description | Required
number | integer | Minimum: 0. Maximum: 4294967295 (4.294967295e+09). | false

ServiceSecuritySetting.spec.settings.waf

NOTICE: this feature is in alpha stage and under active development.

Name | Type | Description | Required
rules | []string | Rules to be leveraged by WAF. | false

ServiceSecuritySetting.spec.subsets[index]

Name | Type | Description | Required
name | string | Name used to refer to the subset. | false
settings | object | Security settings to apply to this service subset. | false

ServiceSecuritySetting.spec.subsets[index].settings

Security settings to apply to this service subset.

Name | Type | Description | Required
authentication | enum | Enum: UNSET, OPTIONAL, REQUIRED | false
authenticationSettings | object | | false
authorization | object | | false
configGenerationMetadata | object | Metadata values that will be added to the Istio generated configurations. | false
description | string | A description of the resource. | false
displayName | string | User friendly name for the resource. | false
etag | string | The etag for the resource. | false
extension | []object | | false
fqn | string | Fully-qualified name of the resource. | false
propagationStrategy | enum | Enum: REPLACE, STRICTER | false
waf | object | NOTICE: this feature is in alpha stage and under active development. | false

ServiceSecuritySetting.spec.subsets[index].settings.authenticationSettings

Name | Type | Description | Required
clientAuthentication | object | ClientAuthentication is used to configure connection authentication parameters. | false
http | object | | false
trafficMode | enum | Enum: UNSET, OPTIONAL, REQUIRED | false

ServiceSecuritySetting.spec.subsets[index].settings.authenticationSettings.clientAuthentication

ClientAuthentication is used to configure connection authentication parameters.

Name | Type | Description | Required
enforceIstioMtlsForMeshClients | boolean | | false
excludedHosts | []string | List of non-mesh k8s hosts to exclude from enforcing Istio mutual TLS. | false

ServiceSecuritySetting.spec.subsets[index].settings.authenticationSettings.http

Name | Type | Description | Required
jwt | object | Authenticate an HTTP request from a JWT token attached to it. | false
oidc | object | | false
rules | object | List of rules for how to authenticate an HTTP request. | false

ServiceSecuritySetting.spec.subsets[index].settings.authenticationSettings.http.jwt

Authenticate an HTTP request from a JWT token attached to it.

Name | Type | Description | Required
audiences | []string | | false
fromHeaders | []object | This field specifies the locations from which to extract the JWT token. | false
issuer | string | Identifies the issuer that issued the JWT. | false
jwks | string | JSON Web Key Set of public keys to validate the signature of the JWT. | false
jwksUri | string | | false
outputClaimToHeaders | []object | This field specifies a list of operations to copy claims to HTTP headers on a successfully verified token. | false
outputPayloadToHeader | string | | false

ServiceSecuritySetting.spec.subsets[index].settings.authenticationSettings.http.jwt.fromHeaders[index]

Name | Type | Description | Required
name | string | The HTTP header name. | false
prefix | string | The prefix that should be stripped before decoding the token. | false

ServiceSecuritySetting.spec.subsets[index].settings.authenticationSettings.http.jwt.outputClaimToHeaders[index]

Name | Type | Description | Required
claim | string | The name of the claim to be copied from. | false
header | string | The name of the header to be created. | false

ServiceSecuritySetting.spec.subsets[index].settings.authenticationSettings.http.oidc

Name | Type | Description | Required
authScopes | []string | Optional list of OAuth scopes to be claimed in the authorization request. | false
authType | enum | Defines how client_id and client_secret are sent in OAuth client to OAuth server requests. Enum: DEFAULT_AUTH_TYPE, URL_ENCODED_BODY, BASIC_AUTH | false
clientId | string | The client_id to be used in the authorize calls. | false
clientTokenSecret | string | The name of the Kubernetes secret containing the client secret. | false
grantType | enum | Enum: DEFAULT_GRANT_TYPE, AUTHORIZATION_CODE | false
provider | object | The OIDC Provider configuration. | false
redirectPathMatcher | string | | false
redirectUri | string | | false
signoutPath | string | The path to sign a user out, clearing their credential cookies. | false

ServiceSecuritySetting.spec.subsets[index].settings.authenticationSettings.http.oidc.provider

The OIDC Provider configuration.

Name | Type | Description | Required
authorizationEndpoint | string | The OIDC Provider's authorization endpoint. | false
issuer | string | The OIDC Provider's issuer identifier. | false
jwks | string | JSON string with the OIDC provider's JSON Web Key Sets. | false
jwksUri | string | URI for the OIDC provider's JSON Web Key Sets. | false
tokenEndpoint | string | The OIDC Provider's token endpoint. | false

ServiceSecuritySetting.spec.subsets[index].settings.authenticationSettings.http.rules

List of rules for how to authenticate an HTTP request.

Name | Type | Description | Required
jwt | []object | List of rules for how to authenticate an HTTP request from a JWT token attached to it. | false

ServiceSecuritySetting.spec.subsets[index].settings.authenticationSettings.http.rules.jwt[index]

Name | Type | Description | Required
audiences | []string | | false
fromHeaders | []object | This field specifies the locations from which to extract the JWT token. | false
issuer | string | Identifies the issuer that issued the JWT. | false
jwks | string | JSON Web Key Set of public keys to validate the signature of the JWT. | false
jwksUri | string | | false
outputClaimToHeaders | []object | This field specifies a list of operations to copy claims to HTTP headers on a successfully verified token. | false
outputPayloadToHeader | string | | false

ServiceSecuritySetting.spec.subsets[index].settings.authenticationSettings.http.rules.jwt[index].fromHeaders[index]

Name | Type | Description | Required
name | string | The HTTP header name. | false
prefix | string | The prefix that should be stripped before decoding the token. | false

ServiceSecuritySetting.spec.subsets[index].settings.authenticationSettings.http.rules.jwt[index].outputClaimToHeaders[index]

Name | Type | Description | Required
claim | string | The name of the claim to be copied from. | false
header | string | The name of the header to be created. | false

ServiceSecuritySetting.spec.subsets[index].settings.authorization

Name | Type | Description | Required
http | object | This is for configuring HTTP request authorization. | false
identityMatch | enum | Enum: UNKNOWN, PEER_CERTIFICATE, PERMISSIVE, SOURCE_IDENTITY | false
mode | enum | A shortcut for specifying the set of allowed callers. Enum: UNSET, NAMESPACE, GROUP, WORKSPACE, CLUSTER, DISABLED, CUSTOM, RULES | false
rules | object | | false
serviceAccounts | []string | | false

ServiceSecuritySetting.spec.subsets[index].settings.authorization.http

This is for configuring HTTP request authorization.

Name | Type | Description | Required
external | object | | false
local | object | | false

ServiceSecuritySetting.spec.subsets[index].settings.authorization.http.external

Name | Type | Description | Required
includeRequestHeaders | []string | | false
tls | object | | false
uri | string | | false

ServiceSecuritySetting.spec.subsets[index].settings.authorization.http.external.tls

Name | Type | Description | Required
files | object | TLS key source from files. | false
mode | enum | Enum: DISABLED, SIMPLE, MUTUAL | false
secretName | string | TLS key source from a Kubernetes Secret. | false
subjectAltNames | []string | | false

ServiceSecuritySetting.spec.subsets[index].settings.authorization.http.external.tls.files

TLS key source from files.

Name | Type | Description | Required
caCertificates | string | | false
clientCertificate | string | Certificate file to authenticate the client. | false
privateKey | string | Private key file associated with the client certificate. | false

ServiceSecuritySetting.spec.subsets[index].settings.authorization.http.local

Name | Type | Description | Required
rules | []object | | false

ServiceSecuritySetting.spec.subsets[index].settings.authorization.http.local.rules[index]

Name | Type | Description | Required
from | []object | | false
name | string | A friendly name to identify the binding. | false
to | []object | | false

ServiceSecuritySetting.spec.subsets[index].settings.authorization.http.local.rules[index].from[index]

Name | Type | Description | Required
jwt | object | JWT configuration to identify the subject. | false

ServiceSecuritySetting.spec.subsets[index].settings.authorization.http.local.rules[index].from[index].jwt

JWT configuration to identify the subject.

Name | Type | Description | Required
iss | string | | false
other | map[string]string | A set of arbitrary claims that are required to qualify the subject. | false
sub | string | | false

ServiceSecuritySetting.spec.subsets[index].settings.authorization.http.local.rules[index].to[index]

Name | Type | Description | Required
methods | []string | The HTTP methods that are allowed by this rule. | false
paths | []string | The request paths that the request is made against. | false

ServiceSecuritySetting.spec.subsets[index].settings.authorization.rules

Name | Type | Description | Required
allow | []object | Allow specifies a list of rules. | false
deny | []object | Deny specifies a list of rules. | false
denyAll | boolean | Deny all specifies whether all requests should be rejected. | false

ServiceSecuritySetting.spec.subsets[index].settings.authorization.rules.allow[index]

Name | Type | Description | Required
from | object | From specifies the source of a request. | false
to | object | To specifies the destination of a request. | false

ServiceSecuritySetting.spec.subsets[index].settings.authorization.rules.allow[index].from

From specifies the source of a request.

Name | Type | Description | Required
fqn | string | The target resource identified by FQN which will be the source of a request. | false

ServiceSecuritySetting.spec.subsets[index].settings.authorization.rules.allow[index].to

To specifies the destination of a request.

Name | Type | Description | Required
fqn | string | The target resource identified by FQN which will be the destination of a request. | false

ServiceSecuritySetting.spec.subsets[index].settings.authorization.rules.deny[index]

Name | Type | Description | Required
from | object | From specifies the source of a request. | false
to | object | To specifies the destination of a request. | false

ServiceSecuritySetting.spec.subsets[index].settings.authorization.rules.deny[index].from

From specifies the source of a request.

Name | Type | Description | Required
fqn | string | The target resource identified by FQN which will be the source of a request. | false

ServiceSecuritySetting.spec.subsets[index].settings.authorization.rules.deny[index].to

To specifies the destination of a request.

Name | Type | Description | Required
fqn | string | The target resource identified by FQN which will be the destination of a request. | false

ServiceSecuritySetting.spec.subsets[index].settings.configGenerationMetadata

Metadata values that will be added to the Istio generated configurations.

Name | Type | Description | Required
annotations | map[string]string | Set of key-value pairs that will be added to the metadata.annotations field of the Istio generated configurations. | false
labels | map[string]string | Set of key-value pairs that will be added to the metadata.labels field of the Istio generated configurations. | false

ServiceSecuritySetting.spec.subsets[index].settings.extension[index]

Name | Type | Description | Required
config | object | Configuration parameters sent to the WASM plugin execution. | false
fqn | string | Fqn of the extension to be executed. | false
match | []object | Specifies the criteria to determine which traffic is passed to WasmExtension. | false

ServiceSecuritySetting.spec.subsets[index].settings.extension[index].match[index]

Name | Type | Description | Required
mode | enum | Criteria for selecting traffic by their direction. Enum: UNDEFINED, CLIENT, SERVER, CLIENT_AND_SERVER | false
ports | []object | Criteria for selecting traffic by their destination port. | false

ServiceSecuritySetting.spec.subsets[index].settings.extension[index].match[index].ports[index]

Name | Type | Description | Required
number | integer | Minimum: 0. Maximum: 4294967295 (4.294967295e+09). | false

ServiceSecuritySetting.spec.subsets[index].settings.waf

NOTICE: this feature is in alpha stage and under active development.

Name | Type | Description | Required
rules | []string | Rules to be leveraged by WAF. | false

SecuritySetting

Name | Type | Description | Required
apiVersion | string | security.tsb.tetrate.io/v2 | true
kind | string | SecuritySetting | true
metadata | object | Refer to the Kubernetes API documentation for the fields of the metadata field. | true
spec | object | | false
status | object | | false

SecuritySetting.spec

Name | Type | Description | Required
authentication | enum | Enum: UNSET, OPTIONAL, REQUIRED | false
authenticationSettings | object | | false
authorization | object | | false
configGenerationMetadata | object | Metadata values that will be added to the Istio generated configurations. | false
description | string | A description of the resource. | false
displayName | string | User friendly name for the resource. | false
etag | string | The etag for the resource. | false
extension | []object | | false
fqn | string | Fully-qualified name of the resource. | false
propagationStrategy | enum | Enum: REPLACE, STRICTER | false
waf | object | NOTICE: this feature is in alpha stage and under active development. | false

SecuritySetting.spec.authenticationSettings

Name | Type | Description | Required
clientAuthentication | object | ClientAuthentication is used to configure connection authentication parameters. | false
http | object | | false
trafficMode | enum | Enum: UNSET, OPTIONAL, REQUIRED | false

SecuritySetting.spec.authenticationSettings.clientAuthentication

ClientAuthentication is used to configure connection authentication parameters.

Name | Type | Description | Required
enforceIstioMtlsForMeshClients | boolean | | false
excludedHosts | []string | List of non-mesh k8s hosts to exclude from enforcing Istio mutual TLS. | false

SecuritySetting.spec.authenticationSettings.http

Name | Type | Description | Required
jwt | object | Authenticate an HTTP request from a JWT token attached to it. | false
oidc | object | | false
rules | object | List of rules for how to authenticate an HTTP request. | false

SecuritySetting.spec.authenticationSettings.http.jwt

Authenticate an HTTP request from a JWT token attached to it.

Name | Type | Description | Required
audiences | []string | | false
fromHeaders | []object | This field specifies the locations from which to extract the JWT token. | false
issuer | string | Identifies the issuer that issued the JWT. | false
jwks | string | JSON Web Key Set of public keys to validate the signature of the JWT. | false
jwksUri | string | | false
outputClaimToHeaders | []object | This field specifies a list of operations to copy claims to HTTP headers on a successfully verified token. | false
outputPayloadToHeader | string | | false

SecuritySetting.spec.authenticationSettings.http.jwt.fromHeaders[index]

Name | Type | Description | Required
name | string | The HTTP header name. | false
prefix | string | The prefix that should be stripped before decoding the token. | false

SecuritySetting.spec.authenticationSettings.http.jwt.outputClaimToHeaders[index]

Name | Type | Description | Required
claim | string | The name of the claim to be copied from. | false
header | string | The name of the header to be created. | false

SecuritySetting.spec.authenticationSettings.http.oidc

Name | Type | Description | Required
authScopes | []string | Optional list of OAuth scopes to be claimed in the authorization request. | false
authType | enum | Defines how client_id and client_secret are sent in OAuth client to OAuth server requests. Enum: DEFAULT_AUTH_TYPE, URL_ENCODED_BODY, BASIC_AUTH | false
clientId | string | The client_id to be used in the authorize calls. | false
clientTokenSecret | string | The name of the Kubernetes secret containing the client secret. | false
grantType | enum | Enum: DEFAULT_GRANT_TYPE, AUTHORIZATION_CODE | false
provider | object | The OIDC Provider configuration. | false
redirectPathMatcher | string | | false
redirectUri | string | | false
signoutPath | string | The path to sign a user out, clearing their credential cookies. | false

SecuritySetting.spec.authenticationSettings.http.oidc.provider

The OIDC Provider configuration.

Name | Type | Description | Required
authorizationEndpoint | string | The OIDC Provider's authorization endpoint. | false
issuer | string | The OIDC Provider's issuer identifier. | false
jwks | string | JSON string with the OIDC provider's JSON Web Key Sets. | false
jwksUri | string | URI for the OIDC provider's JSON Web Key Sets. | false
tokenEndpoint | string | The OIDC Provider's token endpoint. | false

SecuritySetting.spec.authenticationSettings.http.rules

List of rules for how to authenticate an HTTP request.

Name | Type | Description | Required
jwt | []object | List of rules for how to authenticate an HTTP request from a JWT token attached to it. | false

SecuritySetting.spec.authenticationSettings.http.rules.jwt[index]

Name | Type | Description | Required
audiences | []string | | false
fromHeaders | []object | This field specifies the locations from which to extract the JWT token. | false
issuer | string | Identifies the issuer that issued the JWT. | false
jwks | string | JSON Web Key Set of public keys to validate the signature of the JWT. | false
jwksUri | string | | false
outputClaimToHeaders | []object | This field specifies a list of operations to copy claims to HTTP headers on a successfully verified token. | false
outputPayloadToHeader | string | | false

SecuritySetting.spec.authenticationSettings.http.rules.jwt[index].fromHeaders[index]

Name | Type | Description | Required
name | string | The HTTP header name. | false
prefix | string | The prefix that should be stripped before decoding the token. | false

SecuritySetting.spec.authenticationSettings.http.rules.jwt[index].outputClaimToHeaders[index]

Name | Type | Description | Required
claim | string | The name of the claim to be copied from. | false
header | string | The name of the header to be created. | false

SecuritySetting.spec.authorization

Name | Type | Description | Required
http | object | This is for configuring HTTP request authorization. | false
identityMatch | enum | Enum: UNKNOWN, PEER_CERTIFICATE, PERMISSIVE, SOURCE_IDENTITY | false
mode | enum | A shortcut for specifying the set of allowed callers. Enum: UNSET, NAMESPACE, GROUP, WORKSPACE, CLUSTER, DISABLED, CUSTOM, RULES | false
rules | object | | false
serviceAccounts | []string | | false

SecuritySetting.spec.authorization.http

This is for configuring HTTP request authorization.

| Name | Type | Description | Required |
|---|---|---|---|
| external | object | | false |
| local | object | | false |

SecuritySetting.spec.authorization.http.external

| Name | Type | Description | Required |
|---|---|---|---|
| includeRequestHeaders | []string | | false |
| tls | object | | false |
| uri | string | | false |

SecuritySetting.spec.authorization.http.external.tls

| Name | Type | Description | Required |
|---|---|---|---|
| files | object | TLS key source from files. | false |
| mode | enum | Enum: DISABLED, SIMPLE, MUTUAL | false |
| secretName | string | TLS key source from a Kubernetes Secret. | false |
| subjectAltNames | []string | | false |

SecuritySetting.spec.authorization.http.external.tls.files

TLS key source from files.

| Name | Type | Description | Required |
|---|---|---|---|
| caCertificates | string | | false |
| clientCertificate | string | Certificate file to authenticate the client. | false |
| privateKey | string | Private key file associated with the client certificate. | false |

SecuritySetting.spec.authorization.http.local

| Name | Type | Description | Required |
|---|---|---|---|
| rules | []object | | false |

SecuritySetting.spec.authorization.http.local.rules[index]

| Name | Type | Description | Required |
|---|---|---|---|
| from | []object | | false |
| name | string | A friendly name to identify the binding. | false |
| to | []object | | false |

SecuritySetting.spec.authorization.http.local.rules[index].from[index]

| Name | Type | Description | Required |
|---|---|---|---|
| jwt | object | JWT configuration to identify the subject. | false |

SecuritySetting.spec.authorization.http.local.rules[index].from[index].jwt

JWT configuration to identify the subject.

| Name | Type | Description | Required |
|---|---|---|---|
| iss | string | | false |
| other | map[string]string | A set of arbitrary claims that are required to qualify the subject. | false |
| sub | string | | false |

SecuritySetting.spec.authorization.http.local.rules[index].to[index]

| Name | Type | Description | Required |
|---|---|---|---|
| methods | []string | The HTTP methods that are allowed by this rule. | false |
| paths | []string | The request paths that the request is made against. | false |
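An added example, not taken from the Tetrate documentation, showing how the JWT authentication fields and the local HTTP authorization rule fields above fit together in one SecuritySetting: the apiVersion and kind are assumed to follow the Group resource on this page, and the metadata names, issuer, JWKS URL, audience, claim and path values are constructed placeholders.

```yaml
apiVersion: security.tsb.tetrate.io/v2   # assumed: same API group as the Group resource
kind: SecuritySetting                    # assumed kind name
metadata:
  name: jwt-protected-api                # placeholder
  namespace: payments                    # placeholder
spec:
  authenticationSettings:
    http:
      rules:
        jwt:
          - issuer: https://idp.example.com/            # placeholder issuer
            # keys are fetched from the JWKS URI instead of being inlined in `jwks`
            jwksUri: https://idp.example.com/jwks.json  # placeholder
            audiences:
              - payments-api                            # placeholder audience
            fromHeaders:
              - name: Authorization
                prefix: "Bearer "   # stripped before the token is decoded
            outputClaimToHeaders:
              - claim: sub
                header: x-jwt-sub   # created only after successful verification
  authorization:
    http:
      local:
        rules:
          - name: billing-readers
            from:
              - jwt:
                  iss: https://idp.example.com/   # must match the verified issuer
                  other:
                    role: billing-reader          # arbitrary claim required to qualify
            to:
              - methods: ["GET", "HEAD"]
                paths: ["/billing/invoices"]      # placeholder path
```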

SecuritySetting.spec.authorization.rules

| Name | Type | Description | Required |
|---|---|---|---|
| allow | []object | Allow specifies a list of rules. | false |
| deny | []object | Deny specifies a list of rules. | false |
| denyAll | boolean | Deny all specifies whether all requests should be rejected. | false |

SecuritySetting.spec.authorization.rules.allow[index]

| Name | Type | Description | Required |
|---|---|---|---|
| from | object | From specifies the source of a request. | false |
| to | object | To specifies the destination of a request. | false |

SecuritySetting.spec.authorization.rules.allow[index].from

From specifies the source of a request.

| Name | Type | Description | Required |
|---|---|---|---|
| fqn | string | The target resource identified by FQN which will be the source of a request. | false |

SecuritySetting.spec.authorization.rules.allow[index].to

To specifies the destination of a request.

| Name | Type | Description | Required |
|---|---|---|---|
| fqn | string | The target resource identified by FQN which will be the destination of a request. | false |

SecuritySetting.spec.authorization.rules.deny[index]

| Name | Type | Description | Required |
|---|---|---|---|
| from | object | From specifies the source of a request. | false |
| to | object | To specifies the destination of a request. | false |

SecuritySetting.spec.authorization.rules.deny[index].from

From specifies the source of a request.

| Name | Type | Description | Required |
|---|---|---|---|
| fqn | string | The target resource identified by FQN which will be the source of a request. | false |

SecuritySetting.spec.authorization.rules.deny[index].to

To specifies the destination of a request.

| Name | Type | Description | Required |
|---|---|---|---|
| fqn | string | The target resource identified by FQN which will be the destination of a request. | false |

SecuritySetting.spec.configGenerationMetadata

Metadata values that will be added to the Istio generated configurations.

| Name | Type | Description | Required |
|---|---|---|---|
| annotations | map[string]string | Set of key value pairs that will be added to the metadata.annotations field of the Istio generated configurations. | false |
| labels | map[string]string | Set of key value pairs that will be added to the metadata.labels field of the Istio generated configurations. | false |

SecuritySetting.spec.extension[index]

| Name | Type | Description | Required |
|---|---|---|---|
| config | object | Configuration parameters sent to the WASM plugin execution. | false |
| fqn | string | FQN of the extension to be executed. | false |
| match | []object | Specifies the criteria that determine which traffic is passed to the WasmExtension. | false |

SecuritySetting.spec.extension[index].match[index]

| Name | Type | Description | Required |
|---|---|---|---|
| mode | enum | Criteria for selecting traffic by its direction. Enum: UNDEFINED, CLIENT, SERVER, CLIENT_AND_SERVER | false |
| ports | []object | Criteria for selecting traffic by its destination port. | false |

SecuritySetting.spec.extension[index].match[index].ports[index]

| Name | Type | Description | Required |
|---|---|---|---|
| number | integer | Minimum: 0. Maximum: 4294967295 | false |

SecuritySetting.spec.waf

NOTICE: this feature is in alpha stage and under active development.

| Name | Type | Description | Required |
|---|---|---|---|
| rules | []string | Rules to be leveraged by WAF. | false |