Tetrate Service Bridge, version: next

tsb.tetrate.io/v2

WorkspaceSetting

Name | Type | Description | Required
---- | ---- | ----------- | --------
apiVersion | string | tsb.tetrate.io/v2 | true
kind | string | WorkspaceSetting | true
metadata | object | Refer to the Kubernetes API documentation for the fields of the metadata field. | true
spec | object | Default security and traffic settings for all proxy workloads in the workspace. | false
status | object | | false

WorkspaceSetting.spec

Default security and traffic settings for all proxy workloads in the workspace.

Name | Type | Description | Required
---- | ---- | ----------- | --------
defaultEastWestGatewaySettings | []object | Specifies workspace-wide east-west gateway configuration. | false
defaultSecuritySetting | object | Security settings for all proxy workloads in this workspace. | false
defaultTrafficSetting | object | Traffic settings for all proxy workloads in this workspace. | false
description | string | A description of the resource. | false
displayName | string | User-friendly name for the resource. | false
etag | string | The etag for the resource. | false
fqn | string | Fully-qualified name of the resource. | false
hostsReachability | object | Hosts reachability defines the list of hostnames that this workspace can reach. | false
regionalFailover | []object | Locality routing settings for all gateways in the workspace. | false

WorkspaceSetting.spec.defaultEastWestGatewaySettings[index]

Name | Type | Description | Required
---- | ---- | ----------- | --------
configGenerationMetadata | object | Metadata values that will be added into the Istio-generated configurations. | false
exposedServices | []object | | false
workloadSelector | object | | false

WorkspaceSetting.spec.defaultEastWestGatewaySettings[index].configGenerationMetadata

Metadata values that will be added into the Istio-generated configurations.

Name | Type | Description | Required
---- | ---- | ----------- | --------
annotations | map[string]string | Set of key-value pairs that will be added into the metadata.annotations field of the Istio-generated configurations. | false
labels | map[string]string | Set of key-value pairs that will be added into the metadata.labels field of the Istio-generated configurations. | false

WorkspaceSetting.spec.defaultEastWestGatewaySettings[index].exposedServices[index]

Name | Type | Description | Required
---- | ---- | ----------- | --------
serviceLabels | map[string]string | | false

WorkspaceSetting.spec.defaultEastWestGatewaySettings[index].workloadSelector

Name | Type | Description | Required
---- | ---- | ----------- | --------
labels | map[string]string | | false
namespace | string | The namespace where the workload resides. | false

WorkspaceSetting.spec.defaultSecuritySetting

Security settings for all proxy workloads in this workspace.

Name | Type | Description | Required
---- | ---- | ----------- | --------
authentication | enum | Enum: UNSET, OPTIONAL, REQUIRED | false
authenticationSettings | object | | false
authorization | object | | false
configGenerationMetadata | object | Metadata values that will be added into the Istio-generated configurations. | false
description | string | A description of the resource. | false
displayName | string | User-friendly name for the resource. | false
etag | string | The etag for the resource. | false
extension | []object | | false
fqn | string | Fully-qualified name of the resource. | false
propagationStrategy | enum | Enum: REPLACE, STRICTER | false
waf | object | NOTICE: this feature is in alpha stage and under active development. | false

WorkspaceSetting.spec.defaultSecuritySetting.authenticationSettings

Name | Type | Description | Required
---- | ---- | ----------- | --------
http | object | | false
trafficMode | enum | Enum: UNSET, OPTIONAL, REQUIRED | false

WorkspaceSetting.spec.defaultSecuritySetting.authenticationSettings.http

Name | Type | Description | Required
---- | ---- | ----------- | --------
jwt | object | Authenticate an HTTP request from a JWT token attached to it. | false
oidc | object | | false
rules | object | List of rules on how to authenticate an HTTP request. | false

WorkspaceSetting.spec.defaultSecuritySetting.authenticationSettings.http.jwt

Authenticate an HTTP request from a JWT token attached to it.

Name | Type | Description | Required
---- | ---- | ----------- | --------
audiences | []string | | false
fromHeaders | []object | This field specifies the locations from which to extract the JWT token. | false
issuer | string | Identifies the issuer that issued the JWT. | false
jwks | string | JSON Web Key Set of public keys to validate the signature of the JWT. | false
jwksUri | string | | false
outputClaimToHeaders | []object | This field specifies a list of operations to copy claims to HTTP headers on a successfully verified token. | false
outputPayloadToHeader | string | | false

WorkspaceSetting.spec.defaultSecuritySetting.authenticationSettings.http.jwt.fromHeaders[index]

Name | Type | Description | Required
---- | ---- | ----------- | --------
name | string | The HTTP header name. | false
prefix | string | The prefix that should be stripped before decoding the token. | false

WorkspaceSetting.spec.defaultSecuritySetting.authenticationSettings.http.jwt.outputClaimToHeaders[index]

Name | Type | Description | Required
---- | ---- | ----------- | --------
claim | string | The name of the claim to be copied from. | false
header | string | The name of the header to be created. | false

WorkspaceSetting.spec.defaultSecuritySetting.authenticationSettings.http.oidc

Name | Type | Description | Required
---- | ---- | ----------- | --------
authScopes | []string | Optional list of OAuth scopes to be claimed in the authorization request. | false
authType | enum | Defines how client_id and client_secret are sent in OAuth client to OAuth server requests. Enum: DEFAULT_AUTH_TYPE, URL_ENCODED_BODY, BASIC_AUTH | false
clientId | string | The client_id to be used in the authorize calls. | false
clientTokenSecret | string | The name of the Kubernetes secret containing the client secret. | false
grantType | enum | Enum: DEFAULT_GRANT_TYPE, AUTHORIZATION_CODE | false
provider | object | The OIDC Provider configuration. | false
redirectPathMatcher | string | | false
redirectUri | string | | false
signoutPath | string | The path to sign a user out, clearing their credential cookies. | false

WorkspaceSetting.spec.defaultSecuritySetting.authenticationSettings.http.oidc.provider

The OIDC Provider configuration.

Name | Type | Description | Required
---- | ---- | ----------- | --------
authorizationEndpoint | string | The OIDC Provider's authorization endpoint. | false
issuer | string | The OIDC Provider's issuer identifier. | false
jwks | string | JSON string with the OIDC provider's JSON Web Key Sets. | false
jwksUri | string | URI for the OIDC provider's JSON Web Key Sets. | false
tokenEndpoint | string | The OIDC Provider's token endpoint. | false

WorkspaceSetting.spec.defaultSecuritySetting.authenticationSettings.http.rules

List of rules on how to authenticate an HTTP request.

Name | Type | Description | Required
---- | ---- | ----------- | --------
jwt | []object | List of rules on how to authenticate an HTTP request from a JWT token attached to it. | false

WorkspaceSetting.spec.defaultSecuritySetting.authenticationSettings.http.rules.jwt[index]

Name | Type | Description | Required
---- | ---- | ----------- | --------
audiences | []string | | false
fromHeaders | []object | This field specifies the locations from which to extract the JWT token. | false
issuer | string | Identifies the issuer that issued the JWT. | false
jwks | string | JSON Web Key Set of public keys to validate the signature of the JWT. | false
jwksUri | string | | false
outputClaimToHeaders | []object | This field specifies a list of operations to copy claims to HTTP headers on a successfully verified token. | false
outputPayloadToHeader | string | | false

WorkspaceSetting.spec.defaultSecuritySetting.authenticationSettings.http.rules.jwt[index].fromHeaders[index]

Name | Type | Description | Required
---- | ---- | ----------- | --------
name | string | The HTTP header name. | false
prefix | string | The prefix that should be stripped before decoding the token. | false

WorkspaceSetting.spec.defaultSecuritySetting.authenticationSettings.http.rules.jwt[index].outputClaimToHeaders[index]

Name | Type | Description | Required
---- | ---- | ----------- | --------
claim | string | The name of the claim to be copied from. | false
header | string | The name of the header to be created. | false

WorkspaceSetting.spec.defaultSecuritySetting.authorization

Name | Type | Description | Required
---- | ---- | ----------- | --------
http | object | Configures HTTP request authorization. | false
identityMatch | enum | Enum: UNKNOWN, PEER_CERTIFICATE, PERMISSIVE, SOURCE_IDENTITY | false
mode | enum | A shortcut for specifying the set of allowed callers. Enum: UNSET, NAMESPACE, GROUP, WORKSPACE, CLUSTER, DISABLED, CUSTOM, RULES | false
rules | object | | false
serviceAccounts | []string | | false

WorkspaceSetting.spec.defaultSecuritySetting.authorization.http

Configures HTTP request authorization.

Name | Type | Description | Required
---- | ---- | ----------- | --------
external | object | | false
local | object | | false

WorkspaceSetting.spec.defaultSecuritySetting.authorization.http.external

Name | Type | Description | Required
---- | ---- | ----------- | --------
includeRequestHeaders | []string | | false
tls | object | | false
uri | string | | false

WorkspaceSetting.spec.defaultSecuritySetting.authorization.http.external.tls

Name | Type | Description | Required
---- | ---- | ----------- | --------
files | object | TLS key source from files. | false
mode | enum | Enum: DISABLED, SIMPLE, MUTUAL | false
secretName | string | TLS key source from a Kubernetes Secret. | false
subjectAltNames | []string | | false

WorkspaceSetting.spec.defaultSecuritySetting.authorization.http.external.tls.files

TLS key source from files.

Name | Type | Description | Required
---- | ---- | ----------- | --------
caCertificates | string | | false
clientCertificate | string | Certificate file to authenticate the client. | false
privateKey | string | Private key file associated with the client certificate. | false

WorkspaceSetting.spec.defaultSecuritySetting.authorization.http.local

Name | Type | Description | Required
---- | ---- | ----------- | --------
rules | []object | | false

WorkspaceSetting.spec.defaultSecuritySetting.authorization.http.local.rules[index]

Name | Type | Description | Required
---- | ---- | ----------- | --------
from | []object | | false
name | string | A friendly name to identify the binding. | false
to | []object | | false

WorkspaceSetting.spec.defaultSecuritySetting.authorization.http.local.rules[index].from[index]

Name | Type | Description | Required
---- | ---- | ----------- | --------
jwt | object | JWT configuration to identify the subject. | false

WorkspaceSetting.spec.defaultSecuritySetting.authorization.http.local.rules[index].from[index].jwt

JWT configuration to identify the subject.

Name | Type | Description | Required
---- | ---- | ----------- | --------
iss | string | | false
other | map[string]string | A set of arbitrary claims that are required to qualify the subject. | false
sub | string | | false

WorkspaceSetting.spec.defaultSecuritySetting.authorization.http.local.rules[index].to[index]

Name | Type | Description | Required
---- | ---- | ----------- | --------
methods | []string | The HTTP methods that are allowed by this rule. | false
paths | []string | The request paths that the request is made against. | false

WorkspaceSetting.spec.defaultSecuritySetting.authorization.rules

Name | Type | Description | Required
---- | ---- | ----------- | --------
allow | []object | Allow specifies a list of rules. | false
deny | []object | Deny specifies a list of rules. | false
denyAll | boolean | Deny all specifies whether all requests should be rejected. | false

WorkspaceSetting.spec.defaultSecuritySetting.authorization.rules.allow[index]

Name | Type | Description | Required
---- | ---- | ----------- | --------
from | object | From specifies the source of a request. | false
to | object | To specifies the destination of a request. | false

WorkspaceSetting.spec.defaultSecuritySetting.authorization.rules.allow[index].from

From specifies the source of a request.

Name | Type | Description | Required
---- | ---- | ----------- | --------
fqn | string | The target resource identified by FQN which will be the source of a request. | false

WorkspaceSetting.spec.defaultSecuritySetting.authorization.rules.allow[index].to

To specifies the destination of a request.

Name | Type | Description | Required
---- | ---- | ----------- | --------
fqn | string | The target resource identified by FQN which will be the destination of a request. | false

WorkspaceSetting.spec.defaultSecuritySetting.authorization.rules.deny[index]

Name | Type | Description | Required
---- | ---- | ----------- | --------
from | object | From specifies the source of a request. | false
to | object | To specifies the destination of a request. | false

WorkspaceSetting.spec.defaultSecuritySetting.authorization.rules.deny[index].from

From specifies the source of a request.

Name | Type | Description | Required
---- | ---- | ----------- | --------
fqn | string | The target resource identified by FQN which will be the source of a request. | false

WorkspaceSetting.spec.defaultSecuritySetting.authorization.rules.deny[index].to

To specifies the destination of a request.

Name | Type | Description | Required
---- | ---- | ----------- | --------
fqn | string | The target resource identified by FQN which will be the destination of a request. | false

WorkspaceSetting.spec.defaultSecuritySetting.configGenerationMetadata

Metadata values that will be added into the Istio-generated configurations.

Name | Type | Description | Required
---- | ---- | ----------- | --------
annotations | map[string]string | Set of key-value pairs that will be added into the metadata.annotations field of the Istio-generated configurations. | false
labels | map[string]string | Set of key-value pairs that will be added into the metadata.labels field of the Istio-generated configurations. | false

WorkspaceSetting.spec.defaultSecuritySetting.extension[index]

Name | Type | Description | Required
---- | ---- | ----------- | --------
config | object | Configuration parameters sent to the WASM plugin execution. | false
fqn | string | FQN of the extension to be executed. | false
match | []object | Specifies the criteria to determine which traffic is passed to the WasmExtension. | false

WorkspaceSetting.spec.defaultSecuritySetting.extension[index].match[index]

Name | Type | Description | Required
---- | ---- | ----------- | --------
mode | enum | Criteria for selecting traffic by its direction. Enum: UNDEFINED, CLIENT, SERVER, CLIENT_AND_SERVER | false
ports | []object | Criteria for selecting traffic by its destination port. | false

WorkspaceSetting.spec.defaultSecuritySetting.extension[index].match[index].ports[index]

Name | Type | Description | Required
---- | ---- | ----------- | --------
number | integer | Minimum: 0, Maximum: 4294967295 | false

WorkspaceSetting.spec.defaultSecuritySetting.waf

NOTICE: this feature is in alpha stage and under active development.

Name | Type | Description | Required
---- | ---- | ----------- | --------
rules | []string | Rules to be leveraged by the WAF. | false

WorkspaceSetting.spec.defaultTrafficSetting

Traffic settings for all proxy workloads in this workspace.

Name | Type | Description | Required
---- | ---- | ----------- | --------
configGenerationMetadata | object | Metadata values that will be added into the Istio-generated configurations. | false
description | string | A description of the resource. | false
displayName | string | User-friendly name for the resource. | false
egress | object | | false
etag | string | The etag for the resource. | false
fqn | string | Fully-qualified name of the resource. | false
rateLimiting | object | Configuration for rate limiting requests. | false
reachability | object | | false
resilience | object | | false

WorkspaceSetting.spec.defaultTrafficSetting.configGenerationMetadata

Metadata values that will be added into the Istio-generated configurations.

Name | Type | Description | Required
---- | ---- | ----------- | --------
annotations | map[string]string | Set of key-value pairs that will be added into the metadata.annotations field of the Istio-generated configurations. | false
labels | map[string]string | Set of key-value pairs that will be added into the metadata.labels field of the Istio-generated configurations. | false

WorkspaceSetting.spec.defaultTrafficSetting.egress

Name | Type | Description | Required
---- | ---- | ----------- | --------
host | string | Specifies the egress gateway hostname. | false
port | integer | Deprecated. Format: int32 | false

WorkspaceSetting.spec.defaultTrafficSetting.rateLimiting

Configuration for rate limiting requests.

Name | Type | Description | Required
---- | ---- | ----------- | --------
externalService | object | Configure rate limiting using an external rate limit server. | false
settings | object | | false

WorkspaceSetting.spec.defaultTrafficSetting.rateLimiting.externalService

Configure rate limiting using an external rate limit server.

Name | Type | Description | Required
---- | ---- | ----------- | --------
domain | string | The rate limit domain to use when calling the rate limit service. | false
failClosed | boolean | | false
rateLimitServerUri | string | The URI at which the external rate limit server can be reached. | false
rules | []object | A set of rate limit rules. | false
timeout | string | The timeout in seconds for the external rate limit server RPC. | false
tls | object | | false

WorkspaceSetting.spec.defaultTrafficSetting.rateLimiting.externalService.rules[index]

Name | Type | Description | Required
---- | ---- | ----------- | --------
dimensions | []object | A list of dimensions that are to be applied for this rate limit configuration. | false

WorkspaceSetting.spec.defaultTrafficSetting.rateLimiting.externalService.rules[index].dimensions[index]

Name | Type | Description | Required
---- | ---- | ----------- | --------
destinationCluster | object | Rate limit on the destination Envoy cluster. | false
headerValueMatch | object | Rate limit on the existence of certain request headers. | false
remoteAddress | object | Rate limit on the remote address of the client. | false
requestHeaders | object | Rate limit on the value of certain request headers. | false
sourceCluster | object | Rate limit on the source Envoy cluster. | false

WorkspaceSetting.spec.defaultTrafficSetting.rateLimiting.externalService.rules[index].dimensions[index].headerValueMatch

Rate limit on the existence of certain request headers.

Name | Type | Description | Required
---- | ---- | ----------- | --------
descriptorValue | string | The value to use in the descriptor entry. | false
dontMatch | boolean | If set to true, the condition will be met when the header value does not match. | false
headers | map[string]object | | false

WorkspaceSetting.spec.defaultTrafficSetting.rateLimiting.externalService.rules[index].dimensions[index].headerValueMatch.headers[key]

Name | Type | Description | Required
---- | ---- | ----------- | --------
exact | string | Exact string match. | false
prefix | string | Prefix-based match. | false
regex | string | ECMAScript-style regex-based match. | false

WorkspaceSetting.spec.defaultTrafficSetting.rateLimiting.externalService.rules[index].dimensions[index].requestHeaders

Rate limit on the value of certain request headers.

Name | Type | Description | Required
---- | ---- | ----------- | --------
descriptorKey | string | The key to use in the descriptor entry. | false
headerName | string | The header name to be queried from the request headers. | false

WorkspaceSetting.spec.defaultTrafficSetting.rateLimiting.externalService.tls

Name | Type | Description | Required
---- | ---- | ----------- | --------
files | object | TLS key source from files. | false
mode | enum | Enum: DISABLED, SIMPLE, MUTUAL | false
secretName | string | TLS key source from a Kubernetes Secret. | false
subjectAltNames | []string | | false

WorkspaceSetting.spec.defaultTrafficSetting.rateLimiting.externalService.tls.files

TLS key source from files.

Name | Type | Description | Required
---- | ---- | ----------- | --------
caCertificates | string | | false
clientCertificate | string | Certificate file to authenticate the client. | false
privateKey | string | Private key file associated with the client certificate. | false

WorkspaceSetting.spec.defaultTrafficSetting.rateLimiting.settings

Name | Type | Description | Required
---- | ---- | ----------- | --------
failClosed | boolean | | false
rules | []object | A list of rules for rate limiting. | false
timeout | string | The timeout in seconds for the rate limit server RPC. | false

WorkspaceSetting.spec.defaultTrafficSetting.rateLimiting.settings.rules[index]

Name | Type | Description | Required
---- | ---- | ----------- | --------
dimensions | []object | A list of dimensions to define each rate limit rule. | false
limit | object | The rate limit value that will be configured for the above rules. | false

WorkspaceSetting.spec.defaultTrafficSetting.rateLimiting.settings.rules[index].dimensions[index]

Name | Type | Description | Required
---- | ---- | ----------- | --------
header | object | Rate limit on certain HTTP headers. | false
remoteAddress | object | Rate limit on the remote address of the client. | false

WorkspaceSetting.spec.defaultTrafficSetting.rateLimiting.settings.rules[index].dimensions[index].header

Rate limit on certain HTTP headers.

Name | Type | Description | Required
---- | ---- | ----------- | --------
dontMatch | boolean | If set to true, the condition will be met when the header value does not match. | false
name | string | Name of the header to match on. | false
value | object | Value of the header to match on if matching on a specific value. | false

WorkspaceSetting.spec.defaultTrafficSetting.rateLimiting.settings.rules[index].dimensions[index].header.value

Value of the header to match on if matching on a specific value.

Name | Type | Description | Required
---- | ---- | ----------- | --------
exact | string | Exact string match. | false
prefix | string | Prefix-based match. | false
regex | string | ECMAScript-style regex-based match. | false

WorkspaceSetting.spec.defaultTrafficSetting.rateLimiting.settings.rules[index].dimensions[index].remoteAddress

Rate limit on the remote address of the client.

Name | Type | Description | Required
---- | ---- | ----------- | --------
value | string | Rate limit on a specific remote address. | false

WorkspaceSetting.spec.defaultTrafficSetting.rateLimiting.settings.rules[index].limit

The rate limit value that will be configured for the above rules.

Name | Type | Description | Required
---- | ---- | ----------- | --------
requestsPerUnit | integer | Specifies the value of the rate limit. Minimum: 0, Maximum: 4294967295 | false
unit | enum | Specifies the unit of time for the rate limit. Enum: UNKNOWN, SECOND, MINUTE, HOUR, DAY | false

WorkspaceSetting.spec.defaultTrafficSetting.reachability

Name | Type | Description | Required
---- | ---- | ----------- | --------
hosts | []string | | false
mode | enum | A shortcut for specifying the set of services accessed by the workload. Enum: UNSET, NAMESPACE, GROUP, WORKSPACE, CLUSTER, CUSTOM | false

WorkspaceSetting.spec.defaultTrafficSetting.resilience

Name | Type | Description | Required
---- | ---- | ----------- | --------
circuitBreakerSensitivity | enum | Enum: UNSET, LOW, MEDIUM, HIGH | false
httpRequestTimeout | string | Timeout for HTTP requests. | false
httpRetries | object | Retry policy for HTTP requests. | false
keepAlive | object | Keep Alive settings. | false
tcpKeepalive | boolean | Deprecated. | false

WorkspaceSetting.spec.defaultTrafficSetting.resilience.httpRetries

Retry policy for HTTP requests.

Name | Type | Description | Required
---- | ---- | ----------- | --------
attempts | integer | Number of retries for a given request. Format: int32 | false
perTryTimeout | string | Timeout per retry attempt for a given request. | false
retryOn | string | Specifies the conditions under which retry takes place. | false

WorkspaceSetting.spec.defaultTrafficSetting.resilience.keepAlive

Keep Alive settings.

Name | Type | Description | Required
---- | ---- | ----------- | --------
tcp | object | TCP Keep Alive settings associated with the upstream and downstream TCP connections. | false

WorkspaceSetting.spec.defaultTrafficSetting.resilience.keepAlive.tcp

TCP Keep Alive settings associated with the upstream and downstream TCP connections.

Name | Type | Description | Required
---- | ---- | ----------- | --------
downstream | object | TCP Keep Alive settings associated with the downstream (client) connection. | false
upstream | object | TCP Keep Alive settings associated with the upstream (backend) connection. | false

WorkspaceSetting.spec.defaultTrafficSetting.resilience.keepAlive.tcp.downstream

TCP Keep Alive settings associated with the downstream (client) connection.

Name | Type | Description | Required
---- | ---- | ----------- | --------
idleTime | integer | Minimum: 0, Maximum: 4294967295 | false
interval | integer | The number of seconds between keep-alive probes. Minimum: 0, Maximum: 4294967295 | false
probes | integer | Minimum: 0, Maximum: 4294967295 | false

WorkspaceSetting.spec.defaultTrafficSetting.resilience.keepAlive.tcp.upstream

TCP Keep Alive settings associated with the upstream (backend) connection.

Name | Type | Description | Required
---- | ---- | ----------- | --------
idleTime | integer | Minimum: 0, Maximum: 4294967295 | false
interval | integer | The number of seconds between keep-alive probes. Minimum: 0, Maximum: 4294967295 | false
probes | integer | Minimum: 0, Maximum: 4294967295 | false

WorkspaceSetting.spec.hostsReachability

Hosts reachability defines the list of hostnames that this workspace can reach.

Name | Type | Description | Required
---- | ---- | ----------- | --------
hostnames | []object | The Gateway hostname, which can be matched in one of the following ways. | false

WorkspaceSetting.spec.hostsReachability.hostnames[index]

Name | Type | Description | Required
---- | ---- | ----------- | --------
exact | string | Exact string match. | false
prefix | string | Prefix-based match. | false
regex | string | ECMAScript-style regex-based match. | false

WorkspaceSetting.spec.regionalFailover[index]

Name | Type | Description | Required
---- | ---- | ----------- | --------
from | string | Originating region. | false
to | string | | false