Tetrate Service Bridge, Version: next

Segmentation Troubleshooting Service

APIs to troubleshoot Segmentation.

Troubleshooting

The Troubleshooting service provides methods to debug segmentation policies and rules.

Operations

  • ResourceAccess
  • PolicyClasses
  • Describe

Describes a rule or policy that grants access between zones.

Fields:

from (string)
    Source zone in "policy/zone" format (e.g. "ring/yellow").

to (string)
    Target zone in "policy/zone" format (e.g. "ring/amber").

grantedBy (string)
    FQN of the segmentation resource that grants this access. For inter-zonal traffic: FQN of the SegmentationRules resource containing the rule. For intra-zonal traffic: FQN of the SegmentationPolicy with intraZonalTraffic enabled.

AnnotationSource

Describes an annotation-based zone assignment.

Fields:

key (string)
    The annotation key (e.g. "segmentation.tsb.tetrate.io/zone").

value (string)
    The annotation value (e.g. "ring/red").

DescribeRequest

Request message for describing an access decision and the policies responsible for it.

Fields:

orgFqn (string, REQUIRED)
    FQN of the organization the user belongs to. Used for authorization.
    Validation: string = { min_len: 1 }

sourceFqn (string, REQUIRED)
    FQN of the source resource.
    Validation: string = { min_len: 1 }

targetFqn (string, REQUIRED)
    FQN of the target resource.
    Validation: string = { min_len: 1 }

includeResources (bool)
    When true, the response includes the full resource definitions for each segmentation resource involved in the decision. Resources the user lacks read permission on will have their spec redacted.

DescribeResponse

The response describes an access decision between a source and target resource, showing the segmentation zones each belongs to, the rules that grant or deny access, and optionally the full resource definitions.

Example default output for an ALLOWED decision:

    Source: organizations/tetrate/tenants/dev/workspaces/eshop
    Zone: ring/yellow
    Assigned by: organizations/tetrate/segmentation/memberships/ring-membership
    Selector: organizations/tetrate/tenants/dev/workspaces/eshop

    Target: organizations/tetrate/tenants/dev/workspaces/payments
    Zone: ring/amber
    Assigned by: organizations/tetrate/segmentation/memberships/ring-membership
    Selector: organizations/tetrate/tenants/dev/workspaces/payments

    Result: ALLOWED [connect]

    Access granted by:
    - organizations/tetrate/segmentation/rules/ring-policies
      Rule: ring/yellow -> ring/amber

Fields:

sourceFqn (string)
    FQN of the source resource.

targetFqn (string)
    FQN of the target resource.

decision (tetrateio.api.tsb.segmentation.v1.AccessDecision)
    The access decision result.

operations (List of string)
    The operations allowed from source to target.

sourceZones (List of tetrateio.api.tsb.segmentation.v1.ZoneAssignment)
    The zones the source resource belongs to that are relevant to this decision.

targetZones (List of tetrateio.api.tsb.segmentation.v1.ZoneAssignment)
    The zones the target resource belongs to that are relevant to this decision.

accessGrants (List of tetrateio.api.tsb.segmentation.v1.AccessGrant)
    The rules or policies that grant access between the source and target zones. For inter-zonal traffic, these reference SegmentationRules resources. For intra-zonal traffic, these reference the SegmentationPolicy with intraZonalTraffic enabled.

resources (List of tetrateio.api.tsb.segmentation.v1.SegmentationResource)
    When include_resources is true in the request, contains the full definitions of the segmentation resources (policies, memberships, and rules) involved in the decision. Resources the user lacks read permission on will have their spec redacted, showing only the FQN and kind so the user can identify the owner for escalation.

OperationsRequest

Request message for retrieving allowed operations between resources.

Fields:

orgFqn (string, REQUIRED)
    FQN of the organization the user belongs to. Used for authorization.
    Validation: string = { min_len: 1 }

sourceFqn (string, REQUIRED)
    FQN of the source resource from which operations are retrieved.
    Validation: string = { min_len: 1 }

targetFqn (string, REQUIRED)
    FQN of the target resource on which the source resource is permitted to perform operations.
    Validation: string = { min_len: 1 }

OperationsResponse

The response contains the operations that are allowed from a source resource to a given target.

Fields:

operations (List of string)
    The actual operations list. Example:

        - connect

PolicyClassOperations

Operations associated with a single policy class.

Fields:

policyClass (string)
    FQN of the policy class.

operations (List of string)
    Operations for this policy class.

PolicyClassesRequest

Request message for retrieving per-policy-class operations breakdown.

Fields:

orgFqn (string, REQUIRED)
    FQN of the organization the user belongs to. Used for authorization.
    Validation: string = { min_len: 1 }

sourceFqn (string, REQUIRED)
    FQN of the source resource.
    Validation: string = { min_len: 1 }

targetFqn (string, REQUIRED)
    FQN of the target resource.
    Validation: string = { min_len: 1 }

PolicyClassesResponse

The response contains the overall allowed operations and a per-policy-class breakdown.

Fields:

allowedOperations (List of string)
    The overall allowed operations from source to target (intersection of all policy classes).

policyClasses (List of tetrateio.api.tsb.segmentation.v1.PolicyClassOperations)
    Per-policy-class breakdown of operations that contribute to the allowed set. Derived from the n2ac PDP introspection intersection field.

deniedPolicyClasses (List of tetrateio.api.tsb.segmentation.v1.PolicyClassOperations)
    Per-policy-class breakdown of operations NOT in the allowed set. Derived from the n2ac PDP introspection symmetric_difference field. These represent operations a policy class does not contribute, helping identify which policy class is blocking a given operation.
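As an added illustration (not code from the TSB project) of how the three response fields relate, the following Python derives allowedOperations as the intersection of per-class operations and deniedPolicyClasses as the operations each class withholds, then uses the latter to name the class that blocks a given operation. The policy-class FQNs and operation sets are constructed sample values, and reading symmetric_difference as "operations another class grants but this one does not" is an assumption.

```python
from dataclasses import dataclass, field


@dataclass
class PolicyClassOperations:
    """Mirrors the page's PolicyClassOperations message (local class, not the generated proto)."""
    policy_class: str
    operations: list[str] = field(default_factory=list)


@dataclass
class PolicyClassesResponse:
    """Mirrors the page's PolicyClassesResponse fields."""
    allowed_operations: list[str]
    policy_classes: list[PolicyClassOperations]
    denied_policy_classes: list[PolicyClassOperations]


def build_response(classes: list[PolicyClassOperations]) -> PolicyClassesResponse:
    """allowedOperations = intersection of every class's operations.
    deniedPolicyClasses[c] = operations some other class grants but c does not
    (assumed reading of the page's symmetric_difference field)."""
    sets = {c.policy_class: set(c.operations) for c in classes}
    union = set().union(*sets.values())
    allowed = set.intersection(*sets.values()) if sets else set()
    return PolicyClassesResponse(
        allowed_operations=sorted(allowed),
        policy_classes=[PolicyClassOperations(pc, sorted(ops)) for pc, ops in sets.items()],
        denied_policy_classes=[PolicyClassOperations(pc, sorted(union - ops)) for pc, ops in sets.items()],
    )


def blocking_classes(resp: PolicyClassesResponse, operation: str) -> list[str]:
    """Policy classes whose denied breakdown contains `operation`: the ones to review
    when an operation is granted by some class yet missing from allowedOperations."""
    return [d.policy_class for d in resp.denied_policy_classes if operation in d.operations]


# Constructed sample (placeholder policy-class FQNs): "pc-ring" grants connect and read,
# "pc-compliance" grants only connect, so "read" is filtered out of the allowed set.
SAMPLE = build_response([
    PolicyClassOperations("pc-ring", ["connect", "read"]),
    PolicyClassOperations("pc-compliance", ["connect"]),
])

if __name__ == "__main__":
    print("allowed:", SAMPLE.allowed_operations)                 # ['connect']
    print("blocking 'read':", blocking_classes(SAMPLE, "read"))  # ['pc-compliance']
```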

ResourceAccessRequest

Request message for retrieving allowed access relationships between resources. Either source_fqn or target_fqn must be set, but not both.

  • If source_fqn is set, returns the target resources the source is allowed to access.
  • If target_fqn is set, returns the source resources allowed to access the target.

Fields:

orgFqn (string, REQUIRED)
    FQN of the organization the user belongs to. Used for authorization.
    Validation: string = { min_len: 1 }

sourceFqn (string, oneof _resource_fqn)
    FQN of the source resource. If set, retrieves the list of target resources the source is allowed to access.

targetFqn (string, oneof _resource_fqn)
    FQN of the target resource. If set, retrieves the list of source resources allowed to access the target.

ResourceAccessResponse

Response message for a ResourceAccessRequest.

Fields:

accesses (map<string, google.protobuf.ListValue>)
    Accesses is a map where each key is an operation (e.g., "connect") and its value is the list of FQNs the source is allowed to perform that operation on (or, when the request named a target, the FQNs allowed to perform it on the target). Example: for a source organizations/tetrate/tenants/dev/workspaces/eshop, the accesses are:

        connect:
        - organizations/tetrate/tenants/dev/workspaces/eshop
        - organizations/tetrate/tenants/dev/workspaces/apps
        - organizations/tetrate/clusters/app-cluster-2/namespaces/dev-payments
        - organizations/tetrate/clusters/app-cluster-1/namespaces/app1

    That means the source is allowed to connect to these 4 resources and their descendants.
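An added example (not part of the TSB API or its tooling) of checking one target FQN against an accesses map like the one above. It assumes "descendants" means FQN path-segment prefix, which is why it compares segments rather than raw string prefixes; the map is the page's sample, embedded here as constructed input, and the child path under eshop is constructed.

```python
# Constructed sample mirroring the page's accesses example: operation -> FQNs the
# source may perform it on, each implicitly covering its descendants.
ACCESSES = {
    "connect": [
        "organizations/tetrate/tenants/dev/workspaces/eshop",
        "organizations/tetrate/tenants/dev/workspaces/apps",
        "organizations/tetrate/clusters/app-cluster-2/namespaces/dev-payments",
        "organizations/tetrate/clusters/app-cluster-1/namespaces/app1",
    ],
}


def is_descendant_or_self(candidate: str, ancestor: str) -> bool:
    """Compare FQNs segment by segment (assumed descendant semantics): ".../workspaces/eshop"
    covers ".../workspaces/eshop/services/cart" but not ".../workspaces/eshop2", which a
    naive str.startswith() check would wrongly accept."""
    cand = candidate.strip("/").split("/")
    anc = ancestor.strip("/").split("/")
    return len(cand) >= len(anc) and cand[: len(anc)] == anc


def grants_for(accesses: dict[str, list[str]], target_fqn: str) -> dict[str, str]:
    """For each operation the source may perform on target_fqn, return the listed FQN
    that covers it (the most specific one when several do). Empty dict means no access."""
    result: dict[str, str] = {}
    for operation, fqns in accesses.items():
        covering = [f for f in fqns if is_descendant_or_self(target_fqn, f)]
        if covering:
            result[operation] = max(covering, key=lambda f: f.count("/"))
    return result


if __name__ == "__main__":
    for fqn in (
        "organizations/tetrate/tenants/dev/workspaces/eshop/services/cart",  # covered by eshop
        "organizations/tetrate/tenants/dev/workspaces/eshop2",               # not covered
    ):
        print(fqn, "->", grants_for(ACCESSES, fqn) or "no access")
```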

SegmentationResource

A segmentation resource involved in an access decision.

Fields:

fqn (string)
    FQN of the segmentation resource.

kind (string)
    Kind of the resource: SegmentationPolicy, SegmentationMembership, or SegmentationRules.

resource (google.protobuf.Struct)
    Full resource definition. Only populated when the user has read permission.

redacted (bool)
    True if the resource spec was redacted due to insufficient read permissions. When redacted, only fqn and kind are populated.

ZoneAssignment

Describes how a resource is assigned to a segmentation zone.

Fields:

zone (string)
    Zone reference in "policy/zone" format (e.g. "ring/red").

membershipFqn (string, oneof _assigned_by)
    FQN of the SegmentationMembership resource that assigned this resource to the zone.

annotation (tetrateio.api.tsb.segmentation.v1.AnnotationSource, oneof _assigned_by)
    Annotation on the resource that assigned it to the zone.

selector (string)
    The specific selector value that matched the resource (e.g. a FQN pattern from fqn_selector or a cluster/namespace pattern from ns_selector).

AccessDecision

The result of an access decision evaluation.

Values:

ACCESS_DECISION_UNSPECIFIED = 0
    Unspecified.

ALLOWED = 1
    The source is allowed to perform the operations on the target.

DENIED = 2
    The source is denied access to the target.