Tetrate Service BridgeVersion: nextsecurity.tsb.tetrate.io/v2
Resource Types:
Group
| Name | Type | Description | Required |
|---|---|---|---|
| apiVersion | string | security.tsb.tetrate.io/v2 | true |
| kind | string | Group | true |
| metadata | object | Refer to the Kubernetes API documentation for the fields of the metadata field. | true |
| spec | object | A security group manages the security properties of proxy workloads in a group of namespaces owned by the parent workspace. | false |
| status | object | false |
Group.spec
A security group manages the security properties of proxy workloads in a group of namespaces owned by the parent workspace.
| Name | Type | Description | Required |
|---|---|---|---|
| namespaceSelector | object | Set of namespaces owned exclusively by this group. | true |
| configGenerationMetadata | object | Default metadata values that will be propagated to the children Istio generated configurations. | false |
| configMode | enum | The Configuration types that will be added to this group. Enum: BRIDGED, DIRECT | false |
| deletionProtectionEnabled | boolean | When set, prevents the resource from being deleted. | false |
| description | string | A description of the resource. | false |
| displayName | string | User friendly name for the resource. | false |
| etag | string | The etag for the resource. | false |
| fqn | string | Fully-qualified name of the resource. | false |
| profiles | []string | List of profiles attached to the security group to be used to propagate default and mandatory configurations down to the children. | false |
| securityDomain | string | Security domains can be used to group different resources under the same security domain. | false |
Group.spec.namespaceSelector
Set of namespaces owned exclusively by this group.
| Name | Type | Description | Required |
|---|---|---|---|
| names | []string | Under the tenant/workspace/group: - | true |
Group.spec.configGenerationMetadata
Default metadata values that will be propagated to the children Istio generated configurations.
| Name | Type | Description | Required |
|---|---|---|---|
| annotations | map[string]string | Set of key value paris that will be added into the | false |
| labels | map[string]string | Set of key value paris that will be added into the | false |
SecuritySetting
| Name | Type | Description | Required |
|---|---|---|---|
| apiVersion | string | security.tsb.tetrate.io/v2 | true |
| kind | string | SecuritySetting | true |
| metadata | object | Refer to the Kubernetes API documentation for the fields of the metadata field. | true |
| spec | object | A security setting applies configuration to a set of proxy workloads in a security group or a workspace. | false |
| status | object | false |
SecuritySetting.spec
A security setting applies configuration to a set of proxy workloads in a security group or a workspace.
| Name | Type | Description | Required |
|---|---|---|---|
| authentication | enum | DEPRECATED: Specifies whether the proxy workloads should accept only mutual TLS authenticated traffic or allow legacy plaintext traffic as well. Enum: UNSET, OPTIONAL, REQUIRED | false |
| authenticationSettings | object | Authentication settings is used to set workload-to-workload traffic and end-user/origin authentication configuration. | false |
| authorization | object | The set of service accounts in one or more namespaces allowed or denied to access a workload (and hence its sidecar) in the mesh. | false |
| configGenerationMetadata | object | Metadata values that will be add into the Istio generated configurations. | false |
| description | string | A description of the resource. | false |
| displayName | string | User friendly name for the resource. | false |
| etag | string | The etag for the resource. | false |
| extension | []object | Extensions specifies all the WasmExtensions assigned to this SecuritySettings with the specific configuration for each extension. | false |
| fqn | string | Fully-qualified name of the resource. | false |
| propagationStrategy | enum | Propagation strategy specifies how a security setting is propagated along the configuration hierarchy. Enum: REPLACE, STRICTER | false |
| waf | object | NOTICE: this feature is in alpha stage and under active development. | false |
SecuritySetting.spec.authenticationSettings
Authentication settings is used to set workload-to-workload traffic and end-user/origin authentication configuration.
| Name | Type | Description | Required |
|---|---|---|---|
| http | object | HTTP request authentication is used to configure authentication of origin/end-user credentials like JSON Web Token (JWT). | false |
| trafficMode | enum | Enum: UNSET, OPTIONAL, REQUIRED | false |
SecuritySetting.spec.authenticationSettings.http
HTTP request authentication is used to configure authentication of origin/end-user credentials like JSON Web Token (JWT).
| Name | Type | Description | Required |
|---|---|---|---|
| jwt | object | Authenticate an HTTP request from a JWT Token attached to it. | false |
| oidc | object | false | |
| rules | object | List of rules how to authenticate an HTTP request. | false |
SecuritySetting.spec.authenticationSettings.http.jwt
Authenticate an HTTP request from a JWT Token attached to it.
| Name | Type | Description | Required |
|---|---|---|---|
| issuer | string | Identifies the issuer that issued the JWT. | true |
| audiences | []string | The list of JWT audiences. | false |
| fromCookies | []string | List of cookie names from which JWT is expected. | false |
| fromHeaders | []object | This field specifies the locations to extract JWT token. | false |
| jwks | string | JSON Web Key Set of public keys to validate signature of the JWT. | false |
| jwksUri | string | URL of the provider's public key set to validate signature of the JWT. | false |
| outputClaimToHeaders | []object | This field specifies a list of operations to copy the claim to HTTP headers on a successfully verified token. | false |
| outputPayloadToHeader | string | This field specifies the header name to output a successfully verified JWT payload to the backend. | false |
SecuritySetting.spec.authenticationSettings.http.jwt.fromHeaders[index]
| Name | Type | Description | Required |
|---|---|---|---|
| name | string | The HTTP header name. | true |
| prefix | string | The prefix that should be stripped before decoding the token. | false |
SecuritySetting.spec.authenticationSettings.http.jwt.outputClaimToHeaders[index]
| Name | Type | Description | Required |
|---|---|---|---|
| claim | string | The name of the claim to be copied from. | true |
| header | string | The name of the header to be created. | true |
SecuritySetting.spec.authenticationSettings.http.oidc
| Name | Type | Description | Required |
|---|---|---|---|
| clientId | string | The client_id to be used in the authorize calls. | true |
| clientTokenSecret | string | The name of the Kubernetes secret containing the client secret. | true |
| provider | object | The OIDC Provider configuration. | true |
| redirectUri | string | The redirect URI passed to the authorization endpoint It can also be formulated from request parameters For example: %REQ(x-forwarded-proto)%://%REQ(:authority)%/callback This URI should not contain any query parameters. | true |
| authScopes | []string | Optional list of OAuth scopes to be claimed in the authorization request. | false |
| authType | enum | Defines how client_id and client_secret are sent in OAuth client to OAuth server requests. Enum: DEFAULT_AUTH_TYPE, URL_ENCODED_BODY, BASIC_AUTH | false |
| grantType | enum | Enum: DEFAULT_GRANT_TYPE, AUTHORIZATION_CODE | false |
| redirectPathMatcher | string | Matching criteria used to determine whether a path appears to be the result of a redirect from the authorization server. | false |
| signoutPath | string | The path to sign a user out, clearing their credential cookies. | false |
SecuritySetting.spec.authenticationSettings.http.oidc.provider
The OIDC Provider configuration.
| Name | Type | Description | Required |
|---|---|---|---|
| issuer | string | The OIDC Provider's issuer identifier. | true |
| authorizationEndpoint | string | The OIDC Provider's authorization endpoint. | false |
| jwks | string | JSON string with the OIDC provider's JSON Web Key Sets. | false |
| jwksUri | string | URI for the OIDC provider's JSON Web Key Sets. | false |
| tls | object | The TLS settings used by the clients to connect with the OIDC provider. | false |
| tokenEndpoint | string | The OIDC Provider's token endpoint. | false |
SecuritySetting.spec.authenticationSettings.http.oidc.provider.tls
The TLS settings used by the clients to connect with the OIDC provider.
| Name | Type | Description | Required |
|---|---|---|---|
| files | object | TLS key source from files. | false |
| mode | enum | Enum: DISABLED, SIMPLE, MUTUAL | false |
| secretName | string | TLS key source from a Kubernetes Secret. | false |
| subjectAltNames | []string | false |
SecuritySetting.spec.authenticationSettings.http.oidc.provider.tls.files
TLS key source from files.
| Name | Type | Description | Required |
|---|---|---|---|
| caCertificates | string | File containing CA certificates to verify the certificates presented by the server. | false |
| clientCertificate | string | Certificate file to authenticate the client. | false |
| privateKey | string | Private key file associated with the client certificate. | false |
SecuritySetting.spec.authenticationSettings.http.rules
List of rules how to authenticate an HTTP request.
| Name | Type | Description | Required |
|---|---|---|---|
| jwt | []object | List of rules how to authenticate an HTTP request from a JWT Token attached to it. | false |
SecuritySetting.spec.authenticationSettings.http.rules.jwt[index]
| Name | Type | Description | Required |
|---|---|---|---|
| issuer | string | Identifies the issuer that issued the JWT. | true |
| audiences | []string | The list of JWT audiences. | false |
| fromCookies | []string | List of cookie names from which JWT is expected. | false |
| fromHeaders | []object | This field specifies the locations to extract JWT token. | false |
| jwks | string | JSON Web Key Set of public keys to validate signature of the JWT. | false |
| jwksUri | string | URL of the provider's public key set to validate signature of the JWT. | false |
| outputClaimToHeaders | []object | This field specifies a list of operations to copy the claim to HTTP headers on a successfully verified token. | false |
| outputPayloadToHeader | string | This field specifies the header name to output a successfully verified JWT payload to the backend. | false |
SecuritySetting.spec.authenticationSettings.http.rules.jwt[index].fromHeaders[index]
| Name | Type | Description | Required |
|---|---|---|---|
| name | string | The HTTP header name. | true |
| prefix | string | The prefix that should be stripped before decoding the token. | false |
SecuritySetting.spec.authenticationSettings.http.rules.jwt[index].outputClaimToHeaders[index]
| Name | Type | Description | Required |
|---|---|---|---|
| claim | string | The name of the claim to be copied from. | true |
| header | string | The name of the header to be created. | true |
SecuritySetting.spec.authorization
The set of service accounts in one or more namespaces allowed or denied to access a workload (and hence its sidecar) in the mesh.
| Name | Type | Description | Required |
|---|---|---|---|
| http | object | This is for configuring HTTP request authorization. | false |
| identityMatch | enum | identity_match specifies the strategy for client identity verification to be employed during the evaluation of authorization (authz) rules within the service. Enum: UNKNOWN, PEER_CERTIFICATE, PERMISSIVE, SOURCE_IDENTITY | false |
| mode | enum | A short cut for specifying the set of allowed callers. Enum: UNSET, NAMESPACE, GROUP, WORKSPACE, CLUSTER, DISABLED, CUSTOM, RULES | false |
| rules | object | When the mode is | false |
| serviceAccounts | []string | When the mode is | false |
SecuritySetting.spec.authorization.http
This is for configuring HTTP request authorization.
| Name | Type | Description | Required |
|---|---|---|---|
| external | object | false | |
| local | object | false |
SecuritySetting.spec.authorization.http.external
| Name | Type | Description | Required |
|---|---|---|---|
| includeRequestHeaders | []string | false | |
| tls | object | false | |
| uri | string | false |
SecuritySetting.spec.authorization.http.external.tls
| Name | Type | Description | Required |
|---|---|---|---|
| files | object | TLS key source from files. | false |
| mode | enum | Enum: DISABLED, SIMPLE, MUTUAL | false |
| secretName | string | TLS key source from a Kubernetes Secret. | false |
| subjectAltNames | []string | false |
SecuritySetting.spec.authorization.http.external.tls.files
TLS key source from files.
| Name | Type | Description | Required |
|---|---|---|---|
| caCertificates | string | File containing CA certificates to verify the certificates presented by the server. | false |
| clientCertificate | string | Certificate file to authenticate the client. | false |
| privateKey | string | Private key file associated with the client certificate. | false |
SecuritySetting.spec.authorization.http.local
| Name | Type | Description | Required |
|---|---|---|---|
| rules | []object | false |
SecuritySetting.spec.authorization.http.local.rules[index]
| Name | Type | Description | Required |
|---|---|---|---|
| name | string | A friendly name to identify the binding. | true |
| from | []object | Subjects configure the actors (end users, other services) that are allowed to access the target resource. | false |
| to | []object | A set of HTTP rules that need to be satisfied by the HTTP requests to get access to the target resource. | false |
SecuritySetting.spec.authorization.http.local.rules[index].from[index]
| Name | Type | Description | Required |
|---|---|---|---|
| jwt | object | JWT configuration to identity the subject. | false |
SecuritySetting.spec.authorization.http.local.rules[index].from[index].jwt
JWT configuration to identity the subject.
| Name | Type | Description | Required |
|---|---|---|---|
| iss | string | false | |
| other | map[string]string | A set of arbitrary claims that are required to qualify the subject. | false |
| sub | string | false |
SecuritySetting.spec.authorization.http.local.rules[index].to[index]
| Name | Type | Description | Required |
|---|---|---|---|
| methods | []string | The HTTP methods that are allowed by this rule. | false |
| paths | []string | The request path where the request is made against. | false |
SecuritySetting.spec.authorization.rules
When the mode is RULES, you can allow or deny workload-to-workload communication by specifying in the rules field which target workloads are allowed or denied to communicate with other target workloads.
| Name | Type | Description | Required |
|---|---|---|---|
| allow | []object | Allow specifies a list of rules. | false |
| deny | []object | Deny specifies a list of rules. | false |
| denyAll | boolean | Deny all specifies whether all requests should be rejected. | false |
SecuritySetting.spec.authorization.rules.allow[index]
| Name | Type | Description | Required |
|---|---|---|---|
| from | object | From specifies the source of a request. | true |
| to | object | To specifies the destination of a request. | true |
SecuritySetting.spec.authorization.rules.allow[index].from
From specifies the source of a request.
| Name | Type | Description | Required |
|---|---|---|---|
| fqn | string | The target resource identified by FQN which will be the source of a request. | false |
SecuritySetting.spec.authorization.rules.allow[index].to
To specifies the destination of a request.
| Name | Type | Description | Required |
|---|---|---|---|
| fqn | string | The target resource identified by FQN which will be the destination of a request. | false |
SecuritySetting.spec.authorization.rules.deny[index]
| Name | Type | Description | Required |
|---|---|---|---|
| from | object | From specifies the source of a request. | true |
| to | object | To specifies the destination of a request. | true |
SecuritySetting.spec.authorization.rules.deny[index].from
From specifies the source of a request.
| Name | Type | Description | Required |
|---|---|---|---|
| fqn | string | The target resource identified by FQN which will be the source of a request. | false |
SecuritySetting.spec.authorization.rules.deny[index].to
To specifies the destination of a request.
| Name | Type | Description | Required |
|---|---|---|---|
| fqn | string | The target resource identified by FQN which will be the destination of a request. | false |
SecuritySetting.spec.configGenerationMetadata
Metadata values that will be add into the Istio generated configurations.
| Name | Type | Description | Required |
|---|---|---|---|
| annotations | map[string]string | Set of key value paris that will be added into the | false |
| labels | map[string]string | Set of key value paris that will be added into the | false |
SecuritySetting.spec.extension[index]
| Name | Type | Description | Required |
|---|---|---|---|
| fqn | string | Fqn of the extension to be executed. | true |
| config | object | Configuration parameters sent to the WASM plugin execution. | false |
| match | []object | Specifies the criteria to determine which traffic is passed to WasmExtension. | false |
SecuritySetting.spec.extension[index].match[index]
| Name | Type | Description | Required |
|---|---|---|---|
| mode | enum | Criteria for selecting traffic by their direction. Enum: UNDEFINED, CLIENT, SERVER, CLIENT_AND_SERVER | false |
| ports | []object | Criteria for selecting traffic by their destination port. | false |
SecuritySetting.spec.extension[index].match[index].ports[index]
| Name | Type | Description | Required |
|---|---|---|---|
| number | integer | true |
SecuritySetting.spec.waf
NOTICE: this feature is in alpha stage and under active development.
| Name | Type | Description | Required |
|---|---|---|---|
| rules | []string | Rules to be leveraged by WAF. | true |
ServiceSecuritySetting
| Name | Type | Description | Required |
|---|---|---|---|
| apiVersion | string | security.tsb.tetrate.io/v2 | true |
| kind | string | ServiceSecuritySetting | true |
| metadata | object | Refer to the Kubernetes API documentation for the fields of the metadata field. | true |
| spec | object | A service security setting applies configuration to a service in a security group. | false |
| status | object | false |
ServiceSecuritySetting.spec
A service security setting applies configuration to a service in a security group.
| Name | Type | Description | Required |
|---|---|---|---|
| service | string | The service on which the configuration is being applied. | true |
| configGenerationMetadata | object | Metadata values that will be add into the Istio generated configurations. | false |
| description | string | A description of the resource. | false |
| displayName | string | User friendly name for the resource. | false |
| etag | string | The etag for the resource. | false |
| fqn | string | Fully-qualified name of the resource. | false |
| settings | object | Security settings to apply to this service. | false |
| subsets | []object | Subset specific settings that will replace the service wide settings for the specified service subsets. | false |
ServiceSecuritySetting.spec.configGenerationMetadata
Metadata values that will be add into the Istio generated configurations.
| Name | Type | Description | Required |
|---|---|---|---|
| annotations | map[string]string | Set of key value paris that will be added into the | false |
| labels | map[string]string | Set of key value paris that will be added into the | false |
ServiceSecuritySetting.spec.settings
Security settings to apply to this service.
| Name | Type | Description | Required |
|---|---|---|---|
| authentication | enum | DEPRECATED: Specifies whether the proxy workloads should accept only mutual TLS authenticated traffic or allow legacy plaintext traffic as well. Enum: UNSET, OPTIONAL, REQUIRED | false |
| authenticationSettings | object | Authentication settings is used to set workload-to-workload traffic and end-user/origin authentication configuration. | false |
| authorization | object | The set of service accounts in one or more namespaces allowed or denied to access a workload (and hence its sidecar) in the mesh. | false |
| configGenerationMetadata | object | Metadata values that will be add into the Istio generated configurations. | false |
| description | string | A description of the resource. | false |
| displayName | string | User friendly name for the resource. | false |
| etag | string | The etag for the resource. | false |
| extension | []object | Extensions specifies all the WasmExtensions assigned to this SecuritySettings with the specific configuration for each extension. | false |
| fqn | string | Fully-qualified name of the resource. | false |
| propagationStrategy | enum | Propagation strategy specifies how a security setting is propagated along the configuration hierarchy. Enum: REPLACE, STRICTER | false |
| waf | object | NOTICE: this feature is in alpha stage and under active development. | false |
ServiceSecuritySetting.spec.settings.authenticationSettings
Authentication settings is used to set workload-to-workload traffic and end-user/origin authentication configuration.
| Name | Type | Description | Required |
|---|---|---|---|
| http | object | HTTP request authentication is used to configure authentication of origin/end-user credentials like JSON Web Token (JWT). | false |
| trafficMode | enum | Enum: UNSET, OPTIONAL, REQUIRED | false |
ServiceSecuritySetting.spec.settings.authenticationSettings.http
HTTP request authentication is used to configure authentication of origin/end-user credentials like JSON Web Token (JWT).
| Name | Type | Description | Required |
|---|---|---|---|
| jwt | object | Authenticate an HTTP request from a JWT Token attached to it. | false |
| oidc | object | false | |
| rules | object | List of rules how to authenticate an HTTP request. | false |
ServiceSecuritySetting.spec.settings.authenticationSettings.http.jwt
Authenticate an HTTP request from a JWT Token attached to it.
| Name | Type | Description | Required |
|---|---|---|---|
| issuer | string | Identifies the issuer that issued the JWT. | true |
| audiences | []string | The list of JWT audiences. | false |
| fromCookies | []string | List of cookie names from which JWT is expected. | false |
| fromHeaders | []object | This field specifies the locations to extract JWT token. | false |
| jwks | string | JSON Web Key Set of public keys to validate signature of the JWT. | false |
| jwksUri | string | URL of the provider's public key set to validate signature of the JWT. | false |
| outputClaimToHeaders | []object | This field specifies a list of operations to copy the claim to HTTP headers on a successfully verified token. | false |
| outputPayloadToHeader | string | This field specifies the header name to output a successfully verified JWT payload to the backend. | false |
ServiceSecuritySetting.spec.settings.authenticationSettings.http.jwt.fromHeaders[index]
| Name | Type | Description | Required |
|---|---|---|---|
| name | string | The HTTP header name. | true |
| prefix | string | The prefix that should be stripped before decoding the token. | false |
ServiceSecuritySetting.spec.settings.authenticationSettings.http.jwt.outputClaimToHeaders[index]
| Name | Type | Description | Required |
|---|---|---|---|
| claim | string | The name of the claim to be copied from. | true |
| header | string | The name of the header to be created. | true |
ServiceSecuritySetting.spec.settings.authenticationSettings.http.oidc
| Name | Type | Description | Required |
|---|---|---|---|
| clientId | string | The client_id to be used in the authorize calls. | true |
| clientTokenSecret | string | The name of the Kubernetes secret containing the client secret. | true |
| provider | object | The OIDC Provider configuration. | true |
| redirectUri | string | The redirect URI passed to the authorization endpoint It can also be formulated from request parameters For example: %REQ(x-forwarded-proto)%://%REQ(:authority)%/callback This URI should not contain any query parameters. | true |
| authScopes | []string | Optional list of OAuth scopes to be claimed in the authorization request. | false |
| authType | enum | Defines how client_id and client_secret are sent in OAuth client to OAuth server requests. Enum: DEFAULT_AUTH_TYPE, URL_ENCODED_BODY, BASIC_AUTH | false |
| grantType | enum | Enum: DEFAULT_GRANT_TYPE, AUTHORIZATION_CODE | false |
| redirectPathMatcher | string | Matching criteria used to determine whether a path appears to be the result of a redirect from the authorization server. | false |
| signoutPath | string | The path to sign a user out, clearing their credential cookies. | false |
ServiceSecuritySetting.spec.settings.authenticationSettings.http.oidc.provider
The OIDC Provider configuration.
| Name | Type | Description | Required |
|---|---|---|---|
| issuer | string | The OIDC Provider's issuer identifier. | true |
| authorizationEndpoint | string | The OIDC Provider's authorization endpoint. | false |
| jwks | string | JSON string with the OIDC provider's JSON Web Key Sets. | false |
| jwksUri | string | URI for the OIDC provider's JSON Web Key Sets. | false |
| tls | object | The TLS settings used by the clients to connect with the OIDC provider. | false |
| tokenEndpoint | string | The OIDC Provider's token endpoint. | false |
ServiceSecuritySetting.spec.settings.authenticationSettings.http.oidc.provider.tls
The TLS settings used by the clients to connect with the OIDC provider.
| Name | Type | Description | Required |
|---|---|---|---|
| files | object | TLS key source from files. | false |
| mode | enum | Enum: DISABLED, SIMPLE, MUTUAL | false |
| secretName | string | TLS key source from a Kubernetes Secret. | false |
| subjectAltNames | []string | false |
ServiceSecuritySetting.spec.settings.authenticationSettings.http.oidc.provider.tls.files
TLS key source from files.
| Name | Type | Description | Required |
|---|---|---|---|
| caCertificates | string | File containing CA certificates to verify the certificates presented by the server. | false |
| clientCertificate | string | Certificate file to authenticate the client. | false |
| privateKey | string | Private key file associated with the client certificate. | false |
ServiceSecuritySetting.spec.settings.authenticationSettings.http.rules
List of rules how to authenticate an HTTP request.
| Name | Type | Description | Required |
|---|---|---|---|
| jwt | []object | List of rules how to authenticate an HTTP request from a JWT Token attached to it. | false |
ServiceSecuritySetting.spec.settings.authenticationSettings.http.rules.jwt[index]
| Name | Type | Description | Required |
|---|---|---|---|
| issuer | string | Identifies the issuer that issued the JWT. | true |
| audiences | []string | The list of JWT audiences. | false |
| fromCookies | []string | List of cookie names from which JWT is expected. | false |
| fromHeaders | []object | This field specifies the locations to extract JWT token. | false |
| jwks | string | JSON Web Key Set of public keys to validate signature of the JWT. | false |
| jwksUri | string | URL of the provider's public key set to validate signature of the JWT. | false |
| outputClaimToHeaders | []object | This field specifies a list of operations to copy the claim to HTTP headers on a successfully verified token. | false |
| outputPayloadToHeader | string | This field specifies the header name to output a successfully verified JWT payload to the backend. | false |
ServiceSecuritySetting.spec.settings.authenticationSettings.http.rules.jwt[index].fromHeaders[index]
| Name | Type | Description | Required |
|---|---|---|---|
| name | string | The HTTP header name. | true |
| prefix | string | The prefix that should be stripped before decoding the token. | false |
ServiceSecuritySetting.spec.settings.authenticationSettings.http.rules.jwt[index].outputClaimToHeaders[index]
| Name | Type | Description | Required |
|---|---|---|---|
| claim | string | The name of the claim to be copied from. | true |
| header | string | The name of the header to be created. | true |
ServiceSecuritySetting.spec.settings.authorization
The set of service accounts in one or more namespaces allowed or denied to access a workload (and hence its sidecar) in the mesh.
| Name | Type | Description | Required |
|---|---|---|---|
| http | object | This is for configuring HTTP request authorization. | false |
| identityMatch | enum | identity_match specifies the strategy for client identity verification to be employed during the evaluation of authorization (authz) rules within the service. Enum: UNKNOWN, PEER_CERTIFICATE, PERMISSIVE, SOURCE_IDENTITY | false |
| mode | enum | A short cut for specifying the set of allowed callers. Enum: UNSET, NAMESPACE, GROUP, WORKSPACE, CLUSTER, DISABLED, CUSTOM, RULES | false |
| rules | object | When the mode is | false |
| serviceAccounts | []string | When the mode is | false |
ServiceSecuritySetting.spec.settings.authorization.http
This is for configuring HTTP request authorization.
| Name | Type | Description | Required |
|---|---|---|---|
| external | object | false | |
| local | object | false |
ServiceSecuritySetting.spec.settings.authorization.http.external
| Name | Type | Description | Required |
|---|---|---|---|
| includeRequestHeaders | []string | false | |
| tls | object | false | |
| uri | string | false |
ServiceSecuritySetting.spec.settings.authorization.http.external.tls
| Name | Type | Description | Required |
|---|---|---|---|
| files | object | TLS key source from files. | false |
| mode | enum | Enum: DISABLED, SIMPLE, MUTUAL | false |
| secretName | string | TLS key source from a Kubernetes Secret. | false |
| subjectAltNames | []string | false |
ServiceSecuritySetting.spec.settings.authorization.http.external.tls.files
TLS key source from files.
| Name | Type | Description | Required |
|---|---|---|---|
| caCertificates | string | File containing CA certificates to verify the certificates presented by the server. | false |
| clientCertificate | string | Certificate file to authenticate the client. | false |
| privateKey | string | Private key file associated with the client certificate. | false |
ServiceSecuritySetting.spec.settings.authorization.http.local
| Name | Type | Description | Required |
|---|---|---|---|
| rules | []object | false |
ServiceSecuritySetting.spec.settings.authorization.http.local.rules[index]
| Name | Type | Description | Required |
|---|---|---|---|
| name | string | A friendly name to identify the binding. | true |
| from | []object | Subjects configure the actors (end users, other services) that are allowed to access the target resource. | false |
| to | []object | A set of HTTP rules that need to be satisfied by the HTTP requests to get access to the target resource. | false |
ServiceSecuritySetting.spec.settings.authorization.http.local.rules[index].from[index]
| Name | Type | Description | Required |
|---|---|---|---|
| jwt | object | JWT configuration to identity the subject. | false |
ServiceSecuritySetting.spec.settings.authorization.http.local.rules[index].from[index].jwt
JWT configuration to identity the subject.
| Name | Type | Description | Required |
|---|---|---|---|
| iss | string | false | |
| other | map[string]string | A set of arbitrary claims that are required to qualify the subject. | false |
| sub | string | false |
ServiceSecuritySetting.spec.settings.authorization.http.local.rules[index].to[index]
| Name | Type | Description | Required |
|---|---|---|---|
| methods | []string | The HTTP methods that are allowed by this rule. | false |
| paths | []string | The request path where the request is made against. | false |
ServiceSecuritySetting.spec.settings.authorization.rules
When the mode is RULES, you can allow or deny workload-to-workload communication by specifying in the rules field which target workloads are allowed or denied to communicate with other target workloads.
| Name | Type | Description | Required |
|---|---|---|---|
| allow | []object | Allow specifies a list of rules. | false |
| deny | []object | Deny specifies a list of rules. | false |
| denyAll | boolean | Deny all specifies whether all requests should be rejected. | false |
ServiceSecuritySetting.spec.settings.authorization.rules.allow[index]
| Name | Type | Description | Required |
|---|---|---|---|
| from | object | From specifies the source of a request. | true |
| to | object | To specifies the destination of a request. | true |
ServiceSecuritySetting.spec.settings.authorization.rules.allow[index].from
From specifies the source of a request.
| Name | Type | Description | Required |
|---|---|---|---|
| fqn | string | The target resource identified by FQN which will be the source of a request. | false |
ServiceSecuritySetting.spec.settings.authorization.rules.allow[index].to
To specifies the destination of a request.
| Name | Type | Description | Required |
|---|---|---|---|
| fqn | string | The target resource identified by FQN which will be the destination of a request. | false |
ServiceSecuritySetting.spec.settings.authorization.rules.deny[index]
| Name | Type | Description | Required |
|---|---|---|---|
| from | object | From specifies the source of a request. | true |
| to | object | To specifies the destination of a request. | true |
ServiceSecuritySetting.spec.settings.authorization.rules.deny[index].from
From specifies the source of a request.
| Name | Type | Description | Required |
|---|---|---|---|
| fqn | string | The target resource identified by FQN which will be the source of a request. | false |
ServiceSecuritySetting.spec.settings.authorization.rules.deny[index].to
To specifies the destination of a request.
| Name | Type | Description | Required |
|---|---|---|---|
| fqn | string | The target resource identified by FQN which will be the destination of a request. | false |
ServiceSecuritySetting.spec.settings.configGenerationMetadata
Metadata values that will be add into the Istio generated configurations.
| Name | Type | Description | Required |
|---|---|---|---|
| annotations | map[string]string | Set of key value paris that will be added into the | false |
| labels | map[string]string | Set of key value paris that will be added into the | false |
ServiceSecuritySetting.spec.settings.extension[index]
| Name | Type | Description | Required |
|---|---|---|---|
| fqn | string | Fqn of the extension to be executed. | true |
| config | object | Configuration parameters sent to the WASM plugin execution. | false |
| match | []object | Specifies the criteria to determine which traffic is passed to WasmExtension. | false |
ServiceSecuritySetting.spec.settings.extension[index].match[index]
| Name | Type | Description | Required |
|---|---|---|---|
| mode | enum | Criteria for selecting traffic by their direction. Enum: UNDEFINED, CLIENT, SERVER, CLIENT_AND_SERVER | false |
| ports | []object | Criteria for selecting traffic by their destination port. | false |
ServiceSecuritySetting.spec.settings.extension[index].match[index].ports[index]
| Name | Type | Description | Required |
|---|---|---|---|
| number | integer | true |
ServiceSecuritySetting.spec.settings.waf
NOTICE: this feature is in alpha stage and under active development.
| Name | Type | Description | Required |
|---|---|---|---|
| rules | []string | Rules to be leveraged by WAF. | true |
ServiceSecuritySetting.spec.subsets[index]
| Name | Type | Description | Required |
|---|---|---|---|
| name | string | Name used to refer to the subset. | true |
| settings | object | Security settings to apply to this service subset. | true |
ServiceSecuritySetting.spec.subsets[index].settings
Security settings to apply to this service subset.
| Name | Type | Description | Required |
|---|---|---|---|
| authentication | enum | DEPRECATED: Specifies whether the proxy workloads should accept only mutual TLS authenticated traffic or allow legacy plaintext traffic as well. Enum: UNSET, OPTIONAL, REQUIRED | false |
| authenticationSettings | object | Authentication settings is used to set workload-to-workload traffic and end-user/origin authentication configuration. | false |
| authorization | object | The set of service accounts in one or more namespaces allowed or denied to access a workload (and hence its sidecar) in the mesh. | false |
| configGenerationMetadata | object | Metadata values that will be add into the Istio generated configurations. | false |
| description | string | A description of the resource. | false |
| displayName | string | User friendly name for the resource. | false |
| etag | string | The etag for the resource. | false |
| extension | []object | Extensions specifies all the WasmExtensions assigned to this SecuritySettings with the specific configuration for each extension. | false |
| fqn | string | Fully-qualified name of the resource. | false |
| propagationStrategy | enum | Propagation strategy specifies how a security setting is propagated along the configuration hierarchy. Enum: REPLACE, STRICTER | false |
| waf | object | NOTICE: this feature is in alpha stage and under active development. | false |
ServiceSecuritySetting.spec.subsets[index].settings.authenticationSettings
Authentication settings is used to set workload-to-workload traffic and end-user/origin authentication configuration.
| Name | Type | Description | Required |
|---|---|---|---|
| http | object | HTTP request authentication is used to configure authentication of origin/end-user credentials like JSON Web Token (JWT). | false |
| trafficMode | enum | Enum: UNSET, OPTIONAL, REQUIRED | false |
ServiceSecuritySetting.spec.subsets[index].settings.authenticationSettings.http
HTTP request authentication is used to configure authentication of origin/end-user credentials like JSON Web Token (JWT).
| Name | Type | Description | Required |
|---|---|---|---|
| jwt | object | Authenticate an HTTP request from a JWT Token attached to it. | false |
| oidc | object | false | |
| rules | object | List of rules how to authenticate an HTTP request. | false |
ServiceSecuritySetting.spec.subsets[index].settings.authenticationSettings.http.jwt
Authenticate an HTTP request from a JWT Token attached to it.
| Name | Type | Description | Required |
|---|---|---|---|
| issuer | string | Identifies the issuer that issued the JWT. | true |
| audiences | []string | The list of JWT audiences. | false |
| fromCookies | []string | List of cookie names from which JWT is expected. | false |
| fromHeaders | []object | This field specifies the locations to extract JWT token. | false |
| jwks | string | JSON Web Key Set of public keys to validate signature of the JWT. | false |
| jwksUri | string | URL of the provider's public key set to validate signature of the JWT. | false |
| outputClaimToHeaders | []object | This field specifies a list of operations to copy the claim to HTTP headers on a successfully verified token. | false |
| outputPayloadToHeader | string | This field specifies the header name to output a successfully verified JWT payload to the backend. | false |
ServiceSecuritySetting.spec.subsets[index].settings.authenticationSettings.http.jwt.fromHeaders[index]
| Name | Type | Description | Required |
|---|---|---|---|
| name | string | The HTTP header name. | true |
| prefix | string | The prefix that should be stripped before decoding the token. | false |
ServiceSecuritySetting.spec.subsets[index].settings.authenticationSettings.http.jwt.outputClaimToHeaders[index]
| Name | Type | Description | Required |
|---|---|---|---|
| claim | string | The name of the claim to be copied from. | true |
| header | string | The name of the header to be created. | true |
ServiceSecuritySetting.spec.subsets[index].settings.authenticationSettings.http.oidc
| Name | Type | Description | Required |
|---|---|---|---|
| clientId | string | The client_id to be used in the authorize calls. | true |
| clientTokenSecret | string | The name of the Kubernetes secret containing the client secret. | true |
| provider | object | The OIDC Provider configuration. | true |
| redirectUri | string | The redirect URI passed to the authorization endpoint It can also be formulated from request parameters For example: %REQ(x-forwarded-proto)%://%REQ(:authority)%/callback This URI should not contain any query parameters. | true |
| authScopes | []string | Optional list of OAuth scopes to be claimed in the authorization request. | false |
| authType | enum | Defines how client_id and client_secret are sent in OAuth client to OAuth server requests. Enum: DEFAULT_AUTH_TYPE, URL_ENCODED_BODY, BASIC_AUTH | false |
| grantType | enum | Enum: DEFAULT_GRANT_TYPE, AUTHORIZATION_CODE | false |
| redirectPathMatcher | string | Matching criteria used to determine whether a path appears to be the result of a redirect from the authorization server. | false |
| signoutPath | string | The path to sign a user out, clearing their credential cookies. | false |
ServiceSecuritySetting.spec.subsets[index].settings.authenticationSettings.http.oidc.provider
The OIDC Provider configuration.
| Name | Type | Description | Required |
|---|---|---|---|
| issuer | string | The OIDC Provider's issuer identifier. | true |
| authorizationEndpoint | string | The OIDC Provider's authorization endpoint. | false |
| jwks | string | JSON string with the OIDC provider's JSON Web Key Sets. | false |
| jwksUri | string | URI for the OIDC provider's JSON Web Key Sets. | false |
| tls | object | The TLS settings used by the clients to connect with the OIDC provider. | false |
| tokenEndpoint | string | The OIDC Provider's token endpoint. | false |
ServiceSecuritySetting.spec.subsets[index].settings.authenticationSettings.http.oidc.provider.tls
The TLS settings used by the clients to connect with the OIDC provider.
| Name | Type | Description | Required |
|---|---|---|---|
| files | object | TLS key source from files. | false |
| mode | enum | Enum: DISABLED, SIMPLE, MUTUAL | false |
| secretName | string | TLS key source from a Kubernetes Secret. | false |
| subjectAltNames | []string | false |
ServiceSecuritySetting.spec.subsets[index].settings.authenticationSettings.http.oidc.provider.tls.files
TLS key source from files.
| Name | Type | Description | Required |
|---|---|---|---|
| caCertificates | string | File containing CA certificates to verify the certificates presented by the server. | false |
| clientCertificate | string | Certificate file to authenticate the client. | false |
| privateKey | string | Private key file associated with the client certificate. | false |
ServiceSecuritySetting.spec.subsets[index].settings.authenticationSettings.http.rules
List of rules how to authenticate an HTTP request.
| Name | Type | Description | Required |
|---|---|---|---|
| jwt | []object | List of rules how to authenticate an HTTP request from a JWT Token attached to it. | false |
ServiceSecuritySetting.spec.subsets[index].settings.authenticationSettings.http.rules.jwt[index]
| Name | Type | Description | Required |
|---|---|---|---|
| issuer | string | Identifies the issuer that issued the JWT. | true |
| audiences | []string | The list of JWT audiences. | false |
| fromCookies | []string | List of cookie names from which JWT is expected. | false |
| fromHeaders | []object | This field specifies the locations to extract JWT token. | false |
| jwks | string | JSON Web Key Set of public keys to validate signature of the JWT. | false |
| jwksUri | string | URL of the provider's public key set to validate signature of the JWT. | false |
| outputClaimToHeaders | []object | This field specifies a list of operations to copy the claim to HTTP headers on a successfully verified token. | false |
| outputPayloadToHeader | string | This field specifies the header name to output a successfully verified JWT payload to the backend. | false |
ServiceSecuritySetting.spec.subsets[index].settings.authenticationSettings.http.rules.jwt[index].fromHeaders[index]
| Name | Type | Description | Required |
|---|---|---|---|
| name | string | The HTTP header name. | true |
| prefix | string | The prefix that should be stripped before decoding the token. | false |
ServiceSecuritySetting.spec.subsets[index].settings.authenticationSettings.http.rules.jwt[index].outputClaimToHeaders[index]
| Name | Type | Description | Required |
|---|---|---|---|
| claim | string | The name of the claim to be copied from. | true |
| header | string | The name of the header to be created. | true |
ServiceSecuritySetting.spec.subsets[index].settings.authorization
The set of service accounts in one or more namespaces allowed or denied to access a workload (and hence its sidecar) in the mesh.
| Name | Type | Description | Required |
|---|---|---|---|
| http | object | This is for configuring HTTP request authorization. | false |
| identityMatch | enum | identity_match specifies the strategy for client identity verification to be employed during the evaluation of authorization (authz) rules within the service. Enum: UNKNOWN, PEER_CERTIFICATE, PERMISSIVE, SOURCE_IDENTITY | false |
| mode | enum | A short cut for specifying the set of allowed callers. Enum: UNSET, NAMESPACE, GROUP, WORKSPACE, CLUSTER, DISABLED, CUSTOM, RULES | false |
| rules | object | When the mode is | false |
| serviceAccounts | []string | When the mode is | false |
ServiceSecuritySetting.spec.subsets[index].settings.authorization.http
This is for configuring HTTP request authorization.
| Name | Type | Description | Required |
|---|---|---|---|
| external | object | false | |
| local | object | false |
ServiceSecuritySetting.spec.subsets[index].settings.authorization.http.external
| Name | Type | Description | Required |
|---|---|---|---|
| includeRequestHeaders | []string | false | |
| tls | object | false | |
| uri | string | false |
ServiceSecuritySetting.spec.subsets[index].settings.authorization.http.external.tls
| Name | Type | Description | Required |
|---|---|---|---|
| files | object | TLS key source from files. | false |
| mode | enum | Enum: DISABLED, SIMPLE, MUTUAL | false |
| secretName | string | TLS key source from a Kubernetes Secret. | false |
| subjectAltNames | []string | false |
ServiceSecuritySetting.spec.subsets[index].settings.authorization.http.external.tls.files
TLS key source from files.
| Name | Type | Description | Required |
|---|---|---|---|
| caCertificates | string | File containing CA certificates to verify the certificates presented by the server. | false |
| clientCertificate | string | Certificate file to authenticate the client. | false |
| privateKey | string | Private key file associated with the client certificate. | false |
ServiceSecuritySetting.spec.subsets[index].settings.authorization.http.local
| Name | Type | Description | Required |
|---|---|---|---|
| rules | []object | false |
ServiceSecuritySetting.spec.subsets[index].settings.authorization.http.local.rules[index]
| Name | Type | Description | Required |
|---|---|---|---|
| name | string | A friendly name to identify the binding. | true |
| from | []object | Subjects configure the actors (end users, other services) that are allowed to access the target resource. | false |
| to | []object | A set of HTTP rules that need to be satisfied by the HTTP requests to get access to the target resource. | false |
ServiceSecuritySetting.spec.subsets[index].settings.authorization.http.local.rules[index].from[index]
| Name | Type | Description | Required |
|---|---|---|---|
| jwt | object | JWT configuration to identity the subject. | false |
ServiceSecuritySetting.spec.subsets[index].settings.authorization.http.local.rules[index].from[index].jwt
JWT configuration to identity the subject.
| Name | Type | Description | Required |
|---|---|---|---|
| iss | string | false | |
| other | map[string]string | A set of arbitrary claims that are required to qualify the subject. | false |
| sub | string | false |
ServiceSecuritySetting.spec.subsets[index].settings.authorization.http.local.rules[index].to[index]
| Name | Type | Description | Required |
|---|---|---|---|
| methods | []string | The HTTP methods that are allowed by this rule. | false |
| paths | []string | The request path where the request is made against. | false |
ServiceSecuritySetting.spec.subsets[index].settings.authorization.rules
When the mode is RULES, you can allow or deny workload-to-workload communication by specifying in the rules field which target workloads are allowed or denied to communicate with other target workloads.
| Name | Type | Description | Required |
|---|---|---|---|
| allow | []object | Allow specifies a list of rules. | false |
| deny | []object | Deny specifies a list of rules. | false |
| denyAll | boolean | Deny all specifies whether all requests should be rejected. | false |
ServiceSecuritySetting.spec.subsets[index].settings.authorization.rules.allow[index]
| Name | Type | Description | Required |
|---|---|---|---|
| from | object | From specifies the source of a request. | true |
| to | object | To specifies the destination of a request. | true |
ServiceSecuritySetting.spec.subsets[index].settings.authorization.rules.allow[index].from
From specifies the source of a request.
| Name | Type | Description | Required |
|---|---|---|---|
| fqn | string | The target resource identified by FQN which will be the source of a request. | false |
ServiceSecuritySetting.spec.subsets[index].settings.authorization.rules.allow[index].to
To specifies the destination of a request.
| Name | Type | Description | Required |
|---|---|---|---|
| fqn | string | The target resource identified by FQN which will be the destination of a request. | false |
ServiceSecuritySetting.spec.subsets[index].settings.authorization.rules.deny[index]
| Name | Type | Description | Required |
|---|---|---|---|
| from | object | From specifies the source of a request. | true |
| to | object | To specifies the destination of a request. | true |
ServiceSecuritySetting.spec.subsets[index].settings.authorization.rules.deny[index].from
From specifies the source of a request.
| Name | Type | Description | Required |
|---|---|---|---|
| fqn | string | The target resource identified by FQN which will be the source of a request. | false |
ServiceSecuritySetting.spec.subsets[index].settings.authorization.rules.deny[index].to
To specifies the destination of a request.
| Name | Type | Description | Required |
|---|---|---|---|
| fqn | string | The target resource identified by FQN which will be the destination of a request. | false |
ServiceSecuritySetting.spec.subsets[index].settings.configGenerationMetadata
Metadata values that will be add into the Istio generated configurations.
| Name | Type | Description | Required |
|---|---|---|---|
| annotations | map[string]string | Set of key value paris that will be added into the | false |
| labels | map[string]string | Set of key value paris that will be added into the | false |
ServiceSecuritySetting.spec.subsets[index].settings.extension[index]
| Name | Type | Description | Required |
|---|---|---|---|
| fqn | string | Fqn of the extension to be executed. | true |
| config | object | Configuration parameters sent to the WASM plugin execution. | false |
| match | []object | Specifies the criteria to determine which traffic is passed to WasmExtension. | false |
ServiceSecuritySetting.spec.subsets[index].settings.extension[index].match[index]
| Name | Type | Description | Required |
|---|---|---|---|
| mode | enum | Criteria for selecting traffic by their direction. Enum: UNDEFINED, CLIENT, SERVER, CLIENT_AND_SERVER | false |
| ports | []object | Criteria for selecting traffic by their destination port. | false |
ServiceSecuritySetting.spec.subsets[index].settings.extension[index].match[index].ports[index]
| Name | Type | Description | Required |
|---|---|---|---|
| number | integer | true |
ServiceSecuritySetting.spec.subsets[index].settings.waf
NOTICE: this feature is in alpha stage and under active development.
| Name | Type | Description | Required |
|---|---|---|---|
| rules | []string | Rules to be leveraged by WAF. | true |