security.tsb.tetrate.io/v2
Resource Types:
Group
Name | Type | Description | Required |
---|---|---|---|
apiVersion | string | security.tsb.tetrate.io/v2 | true |
kind | string | Group | true |
metadata | object | Refer to the Kubernetes API documentation for the fields of the metadata field. | true |
spec | object | A security group manages the security properties of proxy workloads in a group of namespaces owned by the parent workspace. | false |
status | object | | false |
Group.spec
A security group manages the security properties of proxy workloads in a group of namespaces owned by the parent workspace.
Name | Type | Description | Required |
---|---|---|---|
namespaceSelector | object | Set of namespaces owned exclusively by this group. | true |
configGenerationMetadata | object | Default metadata values that will be propagated to the children Istio generated configurations. | false |
configMode | enum | The Configuration types that will be added to this group. Enum: BRIDGED, DIRECT | false |
deletionProtectionEnabled | boolean | When set, prevents the resource from being deleted. | false |
description | string | A description of the resource. | false |
displayName | string | User friendly name for the resource. | false |
etag | string | The etag for the resource. | false |
fqn | string | Fully-qualified name of the resource. | false |
profiles | []string | List of profiles attached to the security group to be used to propagate default and mandatory configurations down to the children. | false |
securityDomain | string | Security domains can be used to group different resources under the same security domain. | false |
Group.spec.namespaceSelector
Set of namespaces owned exclusively by this group.
Name | Type | Description | Required |
---|---|---|---|
names | []string | Under the tenant/workspace/group: - | true |
Group.spec.configGenerationMetadata
Default metadata values that will be propagated to the children Istio generated configurations.
Name | Type | Description | Required |
---|---|---|---|
annotations | map[string]string | Set of key value pairs that will be added into the | false |
labels | map[string]string | Set of key value pairs that will be added into the | false |
SecuritySetting
Name | Type | Description | Required |
---|---|---|---|
apiVersion | string | security.tsb.tetrate.io/v2 | true |
kind | string | SecuritySetting | true |
metadata | object | Refer to the Kubernetes API documentation for the fields of the metadata field. | true |
spec | object | A security setting applies configuration to a set of proxy workloads in a security group or a workspace. | false |
status | object | | false |
SecuritySetting.spec
A security setting applies configuration to a set of proxy workloads in a security group or a workspace.
Name | Type | Description | Required |
---|---|---|---|
authentication | enum | DEPRECATED: Specifies whether the proxy workloads should accept only mutual TLS authenticated traffic or allow legacy plaintext traffic as well. Enum: UNSET, OPTIONAL, REQUIRED | false |
authenticationSettings | object | Authentication settings are used to configure workload-to-workload traffic authentication and end-user/origin authentication. | false |
authorization | object | The set of service accounts in one or more namespaces allowed or denied to access a workload (and hence its sidecar) in the mesh. | false |
configGenerationMetadata | object | Metadata values that will be added into the Istio generated configurations. | false |
description | string | A description of the resource. | false |
displayName | string | User friendly name for the resource. | false |
etag | string | The etag for the resource. | false |
extension | []object | Extensions specifies all the WasmExtensions assigned to this SecuritySettings with the specific configuration for each extension. | false |
fqn | string | Fully-qualified name of the resource. | false |
propagationStrategy | enum | Propagation strategy specifies how a security setting is propagated along the configuration hierarchy. Enum: REPLACE, STRICTER | false |
waf | object | NOTICE: this feature is in alpha stage and under active development. | false |
SecuritySetting.spec.authenticationSettings
Authentication settings are used to configure workload-to-workload traffic authentication and end-user/origin authentication.
Name | Type | Description | Required |
---|---|---|---|
http | object | HTTP request authentication is used to configure authentication of origin/end-user credentials like JSON Web Token (JWT). | false |
trafficMode | enum | Enum: UNSET, OPTIONAL, REQUIRED | false |
SecuritySetting.spec.authenticationSettings.http
HTTP request authentication is used to configure authentication of origin/end-user credentials like JSON Web Token (JWT).
Name | Type | Description | Required |
---|---|---|---|
jwt | object | Authenticate an HTTP request from a JWT Token attached to it. | false |
oidc | object | | false |
rules | object | List of rules for how to authenticate an HTTP request. | false |
SecuritySetting.spec.authenticationSettings.http.jwt
Authenticate an HTTP request from a JWT Token attached to it.
Name | Type | Description | Required |
---|---|---|---|
issuer | string | Identifies the issuer that issued the JWT. | true |
audiences | []string | The list of JWT audiences. | false |
fromCookies | []string | List of cookie names from which JWT is expected. | false |
fromHeaders | []object | This field specifies the locations to extract JWT token. | false |
jwks | string | JSON Web Key Set of public keys to validate signature of the JWT. | false |
jwksUri | string | URL of the provider's public key set to validate signature of the JWT. | false |
outputClaimToHeaders | []object | This field specifies a list of operations to copy the claim to HTTP headers on a successfully verified token. | false |
outputPayloadToHeader | string | This field specifies the header name to output a successfully verified JWT payload to the backend. | false |
SecuritySetting.spec.authenticationSettings.http.jwt.fromHeaders[index]
Name | Type | Description | Required |
---|---|---|---|
name | string | The HTTP header name. | true |
prefix | string | The prefix that should be stripped before decoding the token. | false |
SecuritySetting.spec.authenticationSettings.http.jwt.outputClaimToHeaders[index]
Name | Type | Description | Required |
---|---|---|---|
claim | string | The name of the claim to be copied from. | true |
header | string | The name of the header to be created. | true |
SecuritySetting.spec.authenticationSettings.http.oidc
Name | Type | Description | Required |
---|---|---|---|
clientId | string | The client_id to be used in the authorize calls. | true |
clientTokenSecret | string | The name of the Kubernetes secret containing the client secret. | true |
provider | object | The OIDC Provider configuration. | true |
redirectUri | string | The redirect URI passed to the authorization endpoint. It can also be formulated from request parameters, for example: %REQ(x-forwarded-proto)%://%REQ(:authority)%/callback. This URI should not contain any query parameters. | true |
authScopes | []string | Optional list of OAuth scopes to be claimed in the authorization request. | false |
authType | enum | Defines how client_id and client_secret are sent in OAuth client to OAuth server requests. Enum: DEFAULT_AUTH_TYPE, URL_ENCODED_BODY, BASIC_AUTH | false |
grantType | enum | Enum: DEFAULT_GRANT_TYPE, AUTHORIZATION_CODE | false |
redirectPathMatcher | string | Matching criteria used to determine whether a path appears to be the result of a redirect from the authorization server. | false |
signoutPath | string | The path to sign a user out, clearing their credential cookies. | false |
useRefreshToken | boolean | Enable automatic access token refresh using associated refresh token (see RFC 6749 section 6) provided that the OAuth server supports that. | false |
SecuritySetting.spec.authenticationSettings.http.oidc.provider
The OIDC Provider configuration.
Name | Type | Description | Required |
---|---|---|---|
issuer | string | The OIDC Provider's issuer identifier. | true |
authorizationEndpoint | string | The OIDC Provider's authorization endpoint. | false |
jwks | string | JSON string with the OIDC provider's JSON Web Key Sets. | false |
jwksUri | string | URI for the OIDC provider's JSON Web Key Sets. | false |
tls | object | The TLS settings used by the clients to connect with the OIDC provider. | false |
tokenEndpoint | string | The OIDC Provider's token endpoint. | false |
SecuritySetting.spec.authenticationSettings.http.oidc.provider.tls
The TLS settings used by the clients to connect with the OIDC provider.
Name | Type | Description | Required |
---|---|---|---|
files | object | TLS key source from files. | false |
mode | enum | Enum: DISABLED, SIMPLE, MUTUAL | false |
secretName | string | TLS key source from a Kubernetes Secret. | false |
subjectAltNames | []string | | false |
SecuritySetting.spec.authenticationSettings.http.oidc.provider.tls.files
TLS key source from files.
Name | Type | Description | Required |
---|---|---|---|
caCertificates | string | File containing CA certificates to verify the certificates presented by the server. | false |
clientCertificate | string | Certificate file to authenticate the client. | false |
privateKey | string | Private key file associated with the client certificate. | false |
SecuritySetting.spec.authenticationSettings.http.rules
List of rules for how to authenticate an HTTP request.
Name | Type | Description | Required |
---|---|---|---|
jwt | []object | List of rules for how to authenticate an HTTP request from a JWT token attached to it. | false |
SecuritySetting.spec.authenticationSettings.http.rules.jwt[index]
Name | Type | Description | Required |
---|---|---|---|
issuer | string | Identifies the issuer that issued the JWT. | true |
audiences | []string | The list of JWT audiences. | false |
fromCookies | []string | List of cookie names from which JWT is expected. | false |
fromHeaders | []object | This field specifies the locations to extract JWT token. | false |
jwks | string | JSON Web Key Set of public keys to validate signature of the JWT. | false |
jwksUri | string | URL of the provider's public key set to validate signature of the JWT. | false |
outputClaimToHeaders | []object | This field specifies a list of operations to copy the claim to HTTP headers on a successfully verified token. | false |
outputPayloadToHeader | string | This field specifies the header name to output a successfully verified JWT payload to the backend. | false |
SecuritySetting.spec.authenticationSettings.http.rules.jwt[index].fromHeaders[index]
Name | Type | Description | Required |
---|---|---|---|
name | string | The HTTP header name. | true |
prefix | string | The prefix that should be stripped before decoding the token. | false |
SecuritySetting.spec.authenticationSettings.http.rules.jwt[index].outputClaimToHeaders[index]
Name | Type | Description | Required |
---|---|---|---|
claim | string | The name of the claim to be copied from. | true |
header | string | The name of the header to be created. | true |
SecuritySetting.spec.authorization
The set of service accounts in one or more namespaces allowed or denied to access a workload (and hence its sidecar) in the mesh.
Name | Type | Description | Required |
---|---|---|---|
http | object | This is for configuring HTTP request authorization. | false |
identityMatch | enum | identity_match specifies the strategy for client identity verification to be employed during the evaluation of authorization (authz) rules within the service. Enum: UNKNOWN, PEER_CERTIFICATE, PERMISSIVE, SOURCE_IDENTITY | false |
mode | enum | A shortcut for specifying the set of allowed callers. Enum: UNSET, NAMESPACE, GROUP, WORKSPACE, CLUSTER, DISABLED, CUSTOM, RULES | false |
rules | object | When the mode is | false |
serviceAccounts | []string | When the mode is | false |
SecuritySetting.spec.authorization.http
This is for configuring HTTP request authorization.
Name | Type | Description | Required |
---|---|---|---|
external | object | | false |
local | object | | false |
SecuritySetting.spec.authorization.http.external
Name | Type | Description | Required |
---|---|---|---|
allowedUpstreamHeaders | []string | List of headers from the authorization service that should be added or overridden in the original request and forwarded to the upstream when the authorization check result is allowed (HTTP code 200). | false |
includeRequestHeaders | []string | | false |
pathPrefix | string | Sets a prefix to the value of authorization request header Path. | false |
tls | object | | false |
uri | string | | false |
SecuritySetting.spec.authorization.http.external.tls
Name | Type | Description | Required |
---|---|---|---|
files | object | TLS key source from files. | false |
mode | enum | Enum: DISABLED, SIMPLE, MUTUAL | false |
secretName | string | TLS key source from a Kubernetes Secret. | false |
subjectAltNames | []string | | false |
SecuritySetting.spec.authorization.http.external.tls.files
TLS key source from files.
Name | Type | Description | Required |
---|---|---|---|
caCertificates | string | File containing CA certificates to verify the certificates presented by the server. | false |
clientCertificate | string | Certificate file to authenticate the client. | false |
privateKey | string | Private key file associated with the client certificate. | false |
SecuritySetting.spec.authorization.http.local
Name | Type | Description | Required |
---|---|---|---|
rules | []object | | false |
SecuritySetting.spec.authorization.http.local.rules[index]
Name | Type | Description | Required |
---|---|---|---|
name | string | A friendly name to identify the binding. | true |
from | []object | Subjects configure the actors (end users, other services) that are allowed to access the target resource. | false |
to | []object | A set of HTTP rules that need to be satisfied by the HTTP requests to get access to the target resource. | false |
SecuritySetting.spec.authorization.http.local.rules[index].from[index]
Name | Type | Description | Required |
---|---|---|---|
jwt | object | JWT configuration to identify the subject. | false |
SecuritySetting.spec.authorization.http.local.rules[index].from[index].jwt
JWT configuration to identify the subject.
Name | Type | Description | Required |
---|---|---|---|
iss | string | | false |
other | map[string]string | A set of arbitrary claims that are required to qualify the subject. | false |
sub | string | | false |
SecuritySetting.spec.authorization.http.local.rules[index].to[index]
Name | Type | Description | Required |
---|---|---|---|
methods | []string | The HTTP methods that are allowed by this rule. | false |
paths | []string | The request paths against which the request is made. | false |
SecuritySetting.spec.authorization.rules
When the mode is RULES, you can allow or deny workload-to-workload communication by specifying in the rules field which target workloads are allowed or denied to communicate with other target workloads.
Name | Type | Description | Required |
---|---|---|---|
allow | []object | Allow specifies a list of rules. | false |
deny | []object | Deny specifies a list of rules. | false |
denyAll | boolean | Deny all specifies whether all requests should be rejected. | false |
SecuritySetting.spec.authorization.rules.allow[index]
Name | Type | Description | Required |
---|---|---|---|
from | object | From specifies the source of a request. | true |
to | object | To specifies the destination of a request. | true |
SecuritySetting.spec.authorization.rules.allow[index].from
From specifies the source of a request.
Name | Type | Description | Required |
---|---|---|---|
fqn | string | The target resource identified by FQN which will be the source of a request. | false |
SecuritySetting.spec.authorization.rules.allow[index].to
To specifies the destination of a request.
Name | Type | Description | Required |
---|---|---|---|
fqn | string | The target resource identified by FQN which will be the destination of a request. | false |
SecuritySetting.spec.authorization.rules.deny[index]
Name | Type | Description | Required |
---|---|---|---|
from | object | From specifies the source of a request. | true |
to | object | To specifies the destination of a request. | true |
SecuritySetting.spec.authorization.rules.deny[index].from
From specifies the source of a request.
Name | Type | Description | Required |
---|---|---|---|
fqn | string | The target resource identified by FQN which will be the source of a request. | false |
SecuritySetting.spec.authorization.rules.deny[index].to
To specifies the destination of a request.
Name | Type | Description | Required |
---|---|---|---|
fqn | string | The target resource identified by FQN which will be the destination of a request. | false |
SecuritySetting.spec.configGenerationMetadata
Metadata values that will be added into the Istio generated configurations.
Name | Type | Description | Required |
---|---|---|---|
annotations | map[string]string | Set of key value pairs that will be added into the | false |
labels | map[string]string | Set of key value pairs that will be added into the | false |
SecuritySetting.spec.extension[index]
Name | Type | Description | Required |
---|---|---|---|
fqn | string | Fqn of the extension to be executed. | true |
config | object | Configuration parameters sent to the WASM plugin execution. | false |
match | []object | Specifies the criteria to determine which traffic is passed to WasmExtension. | false |
SecuritySetting.spec.extension[index].match[index]
Name | Type | Description | Required |
---|---|---|---|
mode | enum | Criteria for selecting traffic by their direction. Enum: UNDEFINED, CLIENT, SERVER, CLIENT_AND_SERVER | false |
ports | []object | Criteria for selecting traffic by their destination port. | false |
SecuritySetting.spec.extension[index].match[index].ports[index]
Name | Type | Description | Required |
---|---|---|---|
number | integer | | true |
SecuritySetting.spec.waf
NOTICE: this feature is in alpha stage and under active development.
Name | Type | Description | Required |
---|---|---|---|
rules | []string | Rules to be leveraged by WAF. | true |
ServiceSecuritySetting
Name | Type | Description | Required |
---|---|---|---|
apiVersion | string | security.tsb.tetrate.io/v2 | true |
kind | string | ServiceSecuritySetting | true |
metadata | object | Refer to the Kubernetes API documentation for the fields of the metadata field. | true |
spec | object | A service security setting applies configuration to a service in a security group. | false |
status | object | | false |
ServiceSecuritySetting.spec
A service security setting applies configuration to a service in a security group.
Name | Type | Description | Required |
---|---|---|---|
service | string | The service on which the configuration is being applied. | true |
configGenerationMetadata | object | Metadata values that will be added into the Istio generated configurations. | false |
description | string | A description of the resource. | false |
displayName | string | User friendly name for the resource. | false |
etag | string | The etag for the resource. | false |
fqn | string | Fully-qualified name of the resource. | false |
settings | object | Security settings to apply to this service. | false |
subsets | []object | Subset specific settings that will replace the service wide settings for the specified service subsets. | false |
ServiceSecuritySetting.spec.configGenerationMetadata
Metadata values that will be added into the Istio generated configurations.
Name | Type | Description | Required |
---|---|---|---|
annotations | map[string]string | Set of key value pairs that will be added into the | false |
labels | map[string]string | Set of key value pairs that will be added into the | false |
ServiceSecuritySetting.spec.settings
Security settings to apply to this service.
Name | Type | Description | Required |
---|---|---|---|
authentication | enum | DEPRECATED: Specifies whether the proxy workloads should accept only mutual TLS authenticated traffic or allow legacy plaintext traffic as well. Enum: UNSET, OPTIONAL, REQUIRED | false |
authenticationSettings | object | Authentication settings are used to configure workload-to-workload traffic authentication and end-user/origin authentication. | false |
authorization | object | The set of service accounts in one or more namespaces allowed or denied to access a workload (and hence its sidecar) in the mesh. | false |
configGenerationMetadata | object | Metadata values that will be added into the Istio generated configurations. | false |
description | string | A description of the resource. | false |
displayName | string | User friendly name for the resource. | false |
etag | string | The etag for the resource. | false |
extension | []object | Extensions specifies all the WasmExtensions assigned to this SecuritySettings with the specific configuration for each extension. | false |
fqn | string | Fully-qualified name of the resource. | false |
propagationStrategy | enum | Propagation strategy specifies how a security setting is propagated along the configuration hierarchy. Enum: REPLACE, STRICTER | false |
waf | object | NOTICE: this feature is in alpha stage and under active development. | false |
ServiceSecuritySetting.spec.settings.authenticationSettings
Authentication settings are used to configure workload-to-workload traffic authentication and end-user/origin authentication.
Name | Type | Description | Required |
---|---|---|---|
http | object | HTTP request authentication is used to configure authentication of origin/end-user credentials like JSON Web Token (JWT). | false |
trafficMode | enum | Enum: UNSET, OPTIONAL, REQUIRED | false |
ServiceSecuritySetting.spec.settings.authenticationSettings.http
HTTP request authentication is used to configure authentication of origin/end-user credentials like JSON Web Token (JWT).
Name | Type | Description | Required |
---|---|---|---|
jwt | object | Authenticate an HTTP request from a JWT Token attached to it. | false |
oidc | object | | false |
rules | object | List of rules for how to authenticate an HTTP request. | false |
ServiceSecuritySetting.spec.settings.authenticationSettings.http.jwt
Authenticate an HTTP request from a JWT Token attached to it.
Name | Type | Description | Required |
---|---|---|---|
issuer | string | Identifies the issuer that issued the JWT. | true |
audiences | []string | The list of JWT audiences. | false |
fromCookies | []string | List of cookie names from which JWT is expected. | false |
fromHeaders | []object | This field specifies the locations to extract JWT token. | false |
jwks | string | JSON Web Key Set of public keys to validate signature of the JWT. | false |
jwksUri | string | URL of the provider's public key set to validate signature of the JWT. | false |
outputClaimToHeaders | []object | This field specifies a list of operations to copy the claim to HTTP headers on a successfully verified token. | false |
outputPayloadToHeader | string | This field specifies the header name to output a successfully verified JWT payload to the backend. | false |
ServiceSecuritySetting.spec.settings.authenticationSettings.http.jwt.fromHeaders[index]
Name | Type | Description | Required |
---|---|---|---|
name | string | The HTTP header name. | true |
prefix | string | The prefix that should be stripped before decoding the token. | false |
ServiceSecuritySetting.spec.settings.authenticationSettings.http.jwt.outputClaimToHeaders[index]
Name | Type | Description | Required |
---|---|---|---|
claim | string | The name of the claim to be copied from. | true |
header | string | The name of the header to be created. | true |
ServiceSecuritySetting.spec.settings.authenticationSettings.http.oidc
Name | Type | Description | Required |
---|---|---|---|
clientId | string | The client_id to be used in the authorize calls. | true |
clientTokenSecret | string | The name of the Kubernetes secret containing the client secret. | true |
provider | object | The OIDC Provider configuration. | true |
redirectUri | string | The redirect URI passed to the authorization endpoint. It can also be formulated from request parameters, for example: %REQ(x-forwarded-proto)%://%REQ(:authority)%/callback. This URI should not contain any query parameters. | true |
authScopes | []string | Optional list of OAuth scopes to be claimed in the authorization request. | false |
authType | enum | Defines how client_id and client_secret are sent in OAuth client to OAuth server requests. Enum: DEFAULT_AUTH_TYPE, URL_ENCODED_BODY, BASIC_AUTH | false |
grantType | enum | Enum: DEFAULT_GRANT_TYPE, AUTHORIZATION_CODE | false |
redirectPathMatcher | string | Matching criteria used to determine whether a path appears to be the result of a redirect from the authorization server. | false |
signoutPath | string | The path to sign a user out, clearing their credential cookies. | false |
useRefreshToken | boolean | Enable automatic access token refresh using associated refresh token (see RFC 6749 section 6) provided that the OAuth server supports that. | false |
ServiceSecuritySetting.spec.settings.authenticationSettings.http.oidc.provider
The OIDC Provider configuration.
Name | Type | Description | Required |
---|---|---|---|
issuer | string | The OIDC Provider's issuer identifier. | true |
authorizationEndpoint | string | The OIDC Provider's authorization endpoint. | false |
jwks | string | JSON string with the OIDC provider's JSON Web Key Sets. | false |
jwksUri | string | URI for the OIDC provider's JSON Web Key Sets. | false |
tls | object | The TLS settings used by the clients to connect with the OIDC provider. | false |
tokenEndpoint | string | The OIDC Provider's token endpoint. | false |
ServiceSecuritySetting.spec.settings.authenticationSettings.http.oidc.provider.tls
The TLS settings used by the clients to connect with the OIDC provider.
Name | Type | Description | Required |
---|---|---|---|
files | object | TLS key source from files. | false |
mode | enum | Enum: DISABLED, SIMPLE, MUTUAL | false |
secretName | string | TLS key source from a Kubernetes Secret. | false |
subjectAltNames | []string | | false |
ServiceSecuritySetting.spec.settings.authenticationSettings.http.oidc.provider.tls.files
TLS key source from files.
Name | Type | Description | Required |
---|---|---|---|
caCertificates | string | File containing CA certificates to verify the certificates presented by the server. | false |
clientCertificate | string | Certificate file to authenticate the client. | false |
privateKey | string | Private key file associated with the client certificate. | false |
ServiceSecuritySetting.spec.settings.authenticationSettings.http.rules
List of rules for how to authenticate an HTTP request.
Name | Type | Description | Required |
---|---|---|---|
jwt | []object | List of rules for how to authenticate an HTTP request from a JWT token attached to it. | false |
ServiceSecuritySetting.spec.settings.authenticationSettings.http.rules.jwt[index]
Name | Type | Description | Required |
---|---|---|---|
issuer | string | Identifies the issuer that issued the JWT. | true |
audiences | []string | The list of JWT audiences. | false |
fromCookies | []string | List of cookie names from which JWT is expected. | false |
fromHeaders | []object | This field specifies the locations to extract JWT token. | false |
jwks | string | JSON Web Key Set of public keys to validate signature of the JWT. | false |
jwksUri | string | URL of the provider's public key set to validate signature of the JWT. | false |
outputClaimToHeaders | []object | This field specifies a list of operations to copy the claim to HTTP headers on a successfully verified token. | false |
outputPayloadToHeader | string | This field specifies the header name to output a successfully verified JWT payload to the backend. | false |
ServiceSecuritySetting.spec.settings.authenticationSettings.http.rules.jwt[index].fromHeaders[index]
Name | Type | Description | Required |
---|---|---|---|
name | string | The HTTP header name. | true |
prefix | string | The prefix that should be stripped before decoding the token. | false |
ServiceSecuritySetting.spec.settings.authenticationSettings.http.rules.jwt[index].outputClaimToHeaders[index]
Name | Type | Description | Required |
---|---|---|---|
claim | string | The name of the claim to be copied from. | true |
header | string | The name of the header to be created. | true |
ServiceSecuritySetting.spec.settings.authorization
The set of service accounts in one or more namespaces allowed or denied to access a workload (and hence its sidecar) in the mesh.
Name | Type | Description | Required |
---|---|---|---|
http | object | This is for configuring HTTP request authorization. | false |
identityMatch | enum | identity_match specifies the strategy for client identity verification to be employed during the evaluation of authorization (authz) rules within the service. Enum: UNKNOWN, PEER_CERTIFICATE, PERMISSIVE, SOURCE_IDENTITY | false |
mode | enum | A shortcut for specifying the set of allowed callers. Enum: UNSET, NAMESPACE, GROUP, WORKSPACE, CLUSTER, DISABLED, CUSTOM, RULES | false |
rules | object | When the mode is | false |
serviceAccounts | []string | When the mode is | false |
ServiceSecuritySetting.spec.settings.authorization.http
This is for configuring HTTP request authorization.
Name | Type | Description | Required |
---|---|---|---|
external | object | | false |
local | object | | false |
ServiceSecuritySetting.spec.settings.authorization.http.external
Name | Type | Description | Required |
---|---|---|---|
allowedUpstreamHeaders | []string | List of headers from the authorization service that should be added or overridden in the original request and forwarded to the upstream when the authorization check result is allowed (HTTP code 200). | false |
includeRequestHeaders | []string | | false |
pathPrefix | string | Sets a prefix to the value of authorization request header Path. | false |
tls | object | | false |
uri | string | | false |
ServiceSecuritySetting.spec.settings.authorization.http.external.tls
Name | Type | Description | Required |
---|---|---|---|
files | object | TLS key source from files. | false |
mode | enum | Enum: DISABLED, SIMPLE, MUTUAL | false |
secretName | string | TLS key source from a Kubernetes Secret. | false |
subjectAltNames | []string | | false |
ServiceSecuritySetting.spec.settings.authorization.http.external.tls.files
TLS key source from files.
Name | Type | Description | Required |
---|---|---|---|
caCertificates | string | File containing CA certificates to verify the certificates presented by the server. | false |
clientCertificate | string | Certificate file to authenticate the client. | false |
privateKey | string | Private key file associated with the client certificate. | false |
ServiceSecuritySetting.spec.settings.authorization.http.local
Name | Type | Description | Required |
---|---|---|---|
rules | []object | | false |
ServiceSecuritySetting.spec.settings.authorization.http.local.rules[index]
Name | Type | Description | Required |
---|---|---|---|
name | string | A friendly name to identify the binding. | true |
from | []object | Subjects configure the actors (end users, other services) that are allowed to access the target resource. | false |
to | []object | A set of HTTP rules that need to be satisfied by the HTTP requests to get access to the target resource. | false |
ServiceSecuritySetting.spec.settings.authorization.http.local.rules[index].from[index]
Name | Type | Description | Required |
---|---|---|---|
jwt | object | JWT configuration to identify the subject. | false |
ServiceSecuritySetting.spec.settings.authorization.http.local.rules[index].from[index].jwt
JWT configuration to identify the subject.
Name | Type | Description | Required |
---|---|---|---|
iss | string | | false |
other | map[string]string | A set of arbitrary claims that are required to qualify the subject. | false |
sub | string | | false |
ServiceSecuritySetting.spec.settings.authorization.http.local.rules[index].to[index]
Name | Type | Description | Required |
---|---|---|---|
methods | []string | The HTTP methods that are allowed by this rule. | false |
paths | []string | The request path where the request is made against. | false |
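The following is an added example, not a resource taken from the TSB documentation or from Tetrate, showing how the fields above fit together: end users are authenticated from a JWT under `authenticationSettings.http.jwt`, and HTTP requests are then authorized in the sidecar with `authorization.http.local.rules` keyed on the token's `iss` and on an extra claim. The issuer URL, JWKS URL, audience, service hostname, claim name and paths are constructed placeholders; the top-level `service` field (`namespace/hostname`) is assumed from the ServiceSecuritySetting spec rather than from the tables shown here, and the `*` suffix in `paths` assumes Istio-style prefix matching. The metadata that binds the resource to your organization, tenant, workspace and security group follows your existing TSB conventions and is omitted.

```yaml
# Added example (not from the TSB documentation or from Tetrate).
# Placeholders: idp.example.com, orders-api, the shop/orders service, the "role" claim.
apiVersion: security.tsb.tetrate.io/v2
kind: ServiceSecuritySetting
metadata:
  name: orders-jwt-authz
  namespace: shop
spec:
  service: shop/orders.shop.svc.cluster.local   # namespace/hostname (assumed format)
  settings:
    authenticationSettings:
      # Reject plaintext between workloads; only mTLS peers are accepted.
      trafficMode: REQUIRED
      http:
        jwt:
          issuer: https://idp.example.com/
          audiences:
            - orders-api
          jwksUri: https://idp.example.com/.well-known/jwks.json
          fromHeaders:
            - name: Authorization
              prefix: "Bearer "          # stripped before the token is decoded
          outputClaimToHeaders:
            - claim: sub
              header: x-jwt-sub          # forwarded to the backend after verification
    authorization:
      http:
        local:
          rules:
            # Any verified token from the trusted issuer may read orders.
            - name: read-orders
              from:
                - jwt:
                    iss: https://idp.example.com/
              to:
                - methods: ["GET"]
                  paths: ["/orders", "/orders/*"]
            # Only tokens that also carry the claim role=admin may modify orders.
            - name: admin-write-orders
              from:
                - jwt:
                    iss: https://idp.example.com/
                    other:
                      role: admin
              to:
                - methods: ["POST", "PUT", "DELETE"]
                  paths: ["/orders/*"]
```

Two points a practitioner would check before applying this: the `iss` used in the rules is kept identical to the `issuer` in `authenticationSettings`, so that claims are only trusted from a token whose signature was verified against the configured JWKS; and every entry under `other` is a required claim, so the second rule only fires when the token carries `role` with the value `admin`.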
ServiceSecuritySetting.spec.settings.authorization.rules
When the mode is RULES, you can allow or deny workload-to-workload communication by specifying in the rules field which target workloads are allowed or denied to communicate with other target workloads.
Name | Type | Description | Required |
---|---|---|---|
allow | []object | Allow specifies a list of rules. | false |
deny | []object | Deny specifies a list of rules. | false |
denyAll | boolean | Deny all specifies whether all requests should be rejected. | false |
ServiceSecuritySetting.spec.settings.authorization.rules.allow[index]
Name | Type | Description | Required |
---|---|---|---|
from | object | From specifies the source of a request. | true |
to | object | To specifies the destination of a request. | true |
ServiceSecuritySetting.spec.settings.authorization.rules.allow[index].from
From specifies the source of a request.
Name | Type | Description | Required |
---|---|---|---|
fqn | string | The target resource identified by FQN which will be the source of a request. | false |
ServiceSecuritySetting.spec.settings.authorization.rules.allow[index].to
To specifies the destination of a request.
Name | Type | Description | Required |
---|---|---|---|
fqn | string | The target resource identified by FQN which will be the destination of a request. | false |
ServiceSecuritySetting.spec.settings.authorization.rules.deny[index]
Name | Type | Description | Required |
---|---|---|---|
from | object | From specifies the source of a request. | true |
to | object | To specifies the destination of a request. | true |
ServiceSecuritySetting.spec.settings.authorization.rules.deny[index].from
From specifies the source of a request.
Name | Type | Description | Required |
---|---|---|---|
fqn | string | The target resource identified by FQN which will be the source of a request. | false |
ServiceSecuritySetting.spec.settings.authorization.rules.deny[index].to
To specifies the destination of a request.
Name | Type | Description | Required |
---|---|---|---|
fqn | string | The target resource identified by FQN which will be the destination of a request. | false |
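As an added example that is not part of the TSB documentation, the resource below puts the service into `RULES` mode and expresses workload-to-workload policy with the `allow` and `deny` lists described above. The FQN values are placeholders in angle brackets and must be replaced with the fully-qualified names of your own TSB resources; the service hostname is constructed, and the top-level `service` field (`namespace/hostname`) is assumed from the ServiceSecuritySetting spec rather than from the tables shown here.

```yaml
# Added example (not from the TSB documentation or from Tetrate).
# <...> values are placeholders for real TSB resource FQNs.
apiVersion: security.tsb.tetrate.io/v2
kind: ServiceSecuritySetting
metadata:
  name: payments-rules
  namespace: shop
spec:
  service: shop/payments.shop.svc.cluster.local   # namespace/hostname (assumed format)
  settings:
    authenticationSettings:
      # Peer identity for these rules comes from mTLS, so plaintext is rejected.
      trafficMode: REQUIRED
    authorization:
      mode: RULES
      # Verify the calling workload from the certificate it presents.
      identityMatch: PEER_CERTIFICATE
      rules:
        allow:
          # checkout may call payments
          - from:
              fqn: "<fqn-of-checkout-service>"
            to:
              fqn: "<fqn-of-payments-service>"
        deny:
          # an old batch job is explicitly blocked from payments
          - from:
              fqn: "<fqn-of-legacy-batch-job>"
            to:
              fqn: "<fqn-of-payments-service>"
        denyAll: false
```

`denyAll: true` rejects every request to the service; it is the setting to reach for when the intent is to close the service off entirely rather than to enumerate callers. Both `from` and `to` are required on each `allow` and `deny` entry, so a rule that names only one side is invalid.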
ServiceSecuritySetting.spec.settings.configGenerationMetadata
Metadata values that will be added into the Istio generated configurations.
Name | Type | Description | Required |
---|---|---|---|
annotations | map[string]string | Set of key value pairs that will be added into the | false |
labels | map[string]string | Set of key value pairs that will be added into the | false |
ServiceSecuritySetting.spec.settings.extension[index]
Name | Type | Description | Required |
---|---|---|---|
fqn | string | Fqn of the extension to be executed. | true |
config | object | Configuration parameters sent to the WASM plugin execution. | false |
match | []object | Specifies the criteria to determine which traffic is passed to WasmExtension. | false |
ServiceSecuritySetting.spec.settings.extension[index].match[index]
Name | Type | Description | Required |
---|---|---|---|
mode | enum | Criteria for selecting traffic by their direction. Enum: UNDEFINED, CLIENT, SERVER, CLIENT_AND_SERVER | false |
ports | []object | Criteria for selecting traffic by their destination port. | false |
ServiceSecuritySetting.spec.settings.extension[index].match[index].ports[index]
Name | Type | Description | Required |
---|---|---|---|
number | integer | | true |
ServiceSecuritySetting.spec.settings.waf
NOTICE: this feature is in alpha stage and under active development.
Name | Type | Description | Required |
---|---|---|---|
rules | []string | Rules to be leveraged by WAF. | true |
ServiceSecuritySetting.spec.subsets[index]
Name | Type | Description | Required |
---|---|---|---|
name | string | Name used to refer to the subset. | true |
settings | object | Security settings to apply to this service subset. | true |
ServiceSecuritySetting.spec.subsets[index].settings
Security settings to apply to this service subset.
Name | Type | Description | Required |
---|---|---|---|
authentication | enum | DEPRECATED: Specifies whether the proxy workloads should accept only mutual TLS authenticated traffic or allow legacy plaintext traffic as well. Enum: UNSET, OPTIONAL, REQUIRED | false |
authenticationSettings | object | Authentication settings is used to set workload-to-workload traffic and end-user/origin authentication configuration. | false |
authorization | object | The set of service accounts in one or more namespaces allowed or denied to access a workload (and hence its sidecar) in the mesh. | false |
configGenerationMetadata | object | Metadata values that will be added into the Istio generated configurations. | false |
description | string | A description of the resource. | false |
displayName | string | User friendly name for the resource. | false |
etag | string | The etag for the resource. | false |
extension | []object | Extensions specifies all the WasmExtensions assigned to this SecuritySettings with the specific configuration for each extension. | false |
fqn | string | Fully-qualified name of the resource. | false |
propagationStrategy | enum | Propagation strategy specifies how a security setting is propagated along the configuration hierarchy. Enum: REPLACE, STRICTER | false |
waf | object | NOTICE: this feature is in alpha stage and under active development. | false |
ServiceSecuritySetting.spec.subsets[index].settings.authenticationSettings
Authentication settings is used to set workload-to-workload traffic and end-user/origin authentication configuration.
Name | Type | Description | Required |
---|---|---|---|
http | object | HTTP request authentication is used to configure authentication of origin/end-user credentials like JSON Web Token (JWT). | false |
trafficMode | enum | Enum: UNSET, OPTIONAL, REQUIRED | false |
ServiceSecuritySetting.spec.subsets[index].settings.authenticationSettings.http
HTTP request authentication is used to configure authentication of origin/end-user credentials like JSON Web Token (JWT).
Name | Type | Description | Required |
---|---|---|---|
jwt | object | Authenticate an HTTP request from a JWT Token attached to it. | false |
oidc | object | | false |
rules | object | List of rules how to authenticate an HTTP request. | false |
ServiceSecuritySetting.spec.subsets[index].settings.authenticationSettings.http.jwt
Authenticate an HTTP request from a JWT Token attached to it.
Name | Type | Description | Required |
---|---|---|---|
issuer | string | Identifies the issuer that issued the JWT. | true |
audiences | []string | The list of JWT audiences. | false |
fromCookies | []string | List of cookie names from which JWT is expected. | false |
fromHeaders | []object | This field specifies the locations to extract JWT token. | false |
jwks | string | JSON Web Key Set of public keys to validate signature of the JWT. | false |
jwksUri | string | URL of the provider's public key set to validate signature of the JWT. | false |
outputClaimToHeaders | []object | This field specifies a list of operations to copy the claim to HTTP headers on a successfully verified token. | false |
outputPayloadToHeader | string | This field specifies the header name to output a successfully verified JWT payload to the backend. | false |
ServiceSecuritySetting.spec.subsets[index].settings.authenticationSettings.http.jwt.fromHeaders[index]
Name | Type | Description | Required |
---|---|---|---|
name | string | The HTTP header name. | true |
prefix | string | The prefix that should be stripped before decoding the token. | false |
ServiceSecuritySetting.spec.subsets[index].settings.authenticationSettings.http.jwt.outputClaimToHeaders[index]
Name | Type | Description | Required |
---|---|---|---|
claim | string | The name of the claim to be copied from. | true |
header | string | The name of the header to be created. | true |
ServiceSecuritySetting.spec.subsets[index].settings.authenticationSettings.http.oidc
Name | Type | Description | Required |
---|---|---|---|
clientId | string | The client_id to be used in the authorize calls. | true |
clientTokenSecret | string | The name of the Kubernetes secret containing the client secret. | true |
provider | object | The OIDC Provider configuration. | true |
redirectUri | string | The redirect URI passed to the authorization endpoint. It can also be formulated from request parameters, for example: %REQ(x-forwarded-proto)%://%REQ(:authority)%/callback. This URI should not contain any query parameters. | true |
authScopes | []string | Optional list of OAuth scopes to be claimed in the authorization request. | false |
authType | enum | Defines how client_id and client_secret are sent in OAuth client to OAuth server requests. Enum: DEFAULT_AUTH_TYPE, URL_ENCODED_BODY, BASIC_AUTH | false |
grantType | enum | Enum: DEFAULT_GRANT_TYPE, AUTHORIZATION_CODE | false |
redirectPathMatcher | string | Matching criteria used to determine whether a path appears to be the result of a redirect from the authorization server. | false |
signoutPath | string | The path to sign a user out, clearing their credential cookies. | false |
useRefreshToken | boolean | Enable automatic access token refresh using associated refresh token (see RFC 6749 section 6) provided that the OAuth server supports that. | false |
ServiceSecuritySetting.spec.subsets[index].settings.authenticationSettings.http.oidc.provider
The OIDC Provider configuration.
Name | Type | Description | Required |
---|---|---|---|
issuer | string | The OIDC Provider's issuer identifier. | true |
authorizationEndpoint | string | The OIDC Provider's authorization endpoint. | false |
jwks | string | JSON string with the OIDC provider's JSON Web Key Sets. | false |
jwksUri | string | URI for the OIDC provider's JSON Web Key Sets. | false |
tls | object | The TLS settings used by the clients to connect with the OIDC provider. | false |
tokenEndpoint | string | The OIDC Provider's token endpoint. | false |
ServiceSecuritySetting.spec.subsets[index].settings.authenticationSettings.http.oidc.provider.tls
The TLS settings used by the clients to connect with the OIDC provider.
Name | Type | Description | Required |
---|---|---|---|
files | object | TLS key source from files. | false |
mode | enum | Enum: DISABLED, SIMPLE, MUTUAL | false |
secretName | string | TLS key source from a Kubernetes Secret. | false |
subjectAltNames | []string | | false |
ServiceSecuritySetting.spec.subsets[index].settings.authenticationSettings.http.oidc.provider.tls.files
TLS key source from files.
Name | Type | Description | Required |
---|---|---|---|
caCertificates | string | File containing CA certificates to verify the certificates presented by the server. | false |
clientCertificate | string | Certificate file to authenticate the client. | false |
privateKey | string | Private key file associated with the client certificate. | false |
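An added example, not a resource from the TSB documentation or from Tetrate, showing the OIDC fields above applied to a single subset of a service, with the sidecar reaching the provider over mutual TLS from a Kubernetes Secret. The IdP hostname and endpoints, client ID, Secret names, subset name and paths are constructed placeholders; the subset name is assumed to match a subset already defined for the service, and the top-level `service` field (`namespace/hostname`) is assumed from the ServiceSecuritySetting spec rather than from the tables shown here. The `redirectUri` value reuses the request-parameter form given in the field description.

```yaml
# Added example (not from the TSB documentation or from Tetrate).
# Placeholders: idp.example.com, portal-web, the shop/portal service, subset v2, Secret names.
apiVersion: security.tsb.tetrate.io/v2
kind: ServiceSecuritySetting
metadata:
  name: portal-oidc
  namespace: shop
spec:
  service: shop/portal.shop.svc.cluster.local   # namespace/hostname (assumed format)
  subsets:
    - name: v2                                  # assumed to exist as a service subset
      settings:
        authenticationSettings:
          trafficMode: REQUIRED
          http:
            oidc:
              clientId: portal-web
              # Name of the Kubernetes Secret holding the client secret; the
              # secret value itself never appears in this resource.
              clientTokenSecret: portal-oidc-client-secret
              grantType: AUTHORIZATION_CODE
              authType: BASIC_AUTH              # client credentials sent via HTTP Basic auth
              authScopes: ["openid", "profile", "email"]
              # Built from request parameters so the same setting works for any
              # hostname the service is reached on. No query parameters allowed.
              redirectUri: "%REQ(x-forwarded-proto)%://%REQ(:authority)%/callback"
              redirectPathMatcher: /callback
              signoutPath: /signout             # clears the credential cookies
              useRefreshToken: true             # RFC 6749 section 6, if the IdP supports it
              provider:
                issuer: https://idp.example.com/
                authorizationEndpoint: https://idp.example.com/oauth2/authorize
                tokenEndpoint: https://idp.example.com/oauth2/token
                jwksUri: https://idp.example.com/.well-known/jwks.json
                tls:
                  # MUTUAL: verify the IdP and present the client certificate
                  # stored in the named Secret when calling the token endpoint.
                  mode: MUTUAL
                  secretName: idp-client-tls
                  subjectAltNames:
                    - idp.example.com
```

With `mode: SIMPLE` the sidecar would only verify the provider's certificate; `MUTUAL` additionally authenticates the sidecar to the provider with the client certificate and key from `secretName`. The `files` source is the alternative for certificates mounted into the proxy, and the two sources should not be combined in one `tls` block.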
ServiceSecuritySetting.spec.subsets[index].settings.authenticationSettings.http.rules
List of rules how to authenticate an HTTP request.
Name | Type | Description | Required |
---|---|---|---|
jwt | []object | List of rules how to authenticate an HTTP request from a JWT Token attached to it. | false |
ServiceSecuritySetting.spec.subsets[index].settings.authenticationSettings.http.rules.jwt[index]
Name | Type | Description | Required |
---|---|---|---|
issuer | string | Identifies the issuer that issued the JWT. | true |
audiences | []string | The list of JWT audiences. | false |
fromCookies | []string | List of cookie names from which JWT is expected. | false |
fromHeaders | []object | This field specifies the locations to extract JWT token. | false |
jwks | string | JSON Web Key Set of public keys to validate signature of the JWT. | false |
jwksUri | string | URL of the provider's public key set to validate signature of the JWT. | false |
outputClaimToHeaders | []object | This field specifies a list of operations to copy the claim to HTTP headers on a successfully verified token. | false |
outputPayloadToHeader | string | This field specifies the header name to output a successfully verified JWT payload to the backend. | false |
ServiceSecuritySetting.spec.subsets[index].settings.authenticationSettings.http.rules.jwt[index].fromHeaders[index]
Name | Type | Description | Required |
---|---|---|---|
name | string | The HTTP header name. | true |
prefix | string | The prefix that should be stripped before decoding the token. | false |
ServiceSecuritySetting.spec.subsets[index].settings.authenticationSettings.http.rules.jwt[index].outputClaimToHeaders[index]
Name | Type | Description | Required |
---|---|---|---|
claim | string | The name of the claim to be copied from. | true |
header | string | The name of the header to be created. | true |
ServiceSecuritySetting.spec.subsets[index].settings.authorization
The set of service accounts in one or more namespaces allowed or denied to access a workload (and hence its sidecar) in the mesh.
Name | Type | Description | Required |
---|---|---|---|
http | object | This is for configuring HTTP request authorization. | false |
identityMatch | enum | identity_match specifies the strategy for client identity verification to be employed during the evaluation of authorization (authz) rules within the service. Enum: UNKNOWN, PEER_CERTIFICATE, PERMISSIVE, SOURCE_IDENTITY | false |
mode | enum | A short cut for specifying the set of allowed callers. Enum: UNSET, NAMESPACE, GROUP, WORKSPACE, CLUSTER, DISABLED, CUSTOM, RULES | false |
rules | object | When the mode is | false |
serviceAccounts | []string | When the mode is | false |
ServiceSecuritySetting.spec.subsets[index].settings.authorization.http
This is for configuring HTTP request authorization.
Name | Type | Description | Required |
---|---|---|---|
external | object | | false |
local | object | | false |
ServiceSecuritySetting.spec.subsets[index].settings.authorization.http.external
Name | Type | Description | Required |
---|---|---|---|
allowedUpstreamHeaders | []string | List of headers from the authorization service that should be added or overridden in the original request and forwarded to the upstream when the authorization check result is allowed (HTTP code 200). | false |
includeRequestHeaders | []string | | false |
pathPrefix | string | Sets a prefix to the value of authorization request header Path. | false |
tls | object | | false |
uri | string | | false |
ServiceSecuritySetting.spec.subsets[index].settings.authorization.http.external.tls
Name | Type | Description | Required |
---|---|---|---|
files | object | TLS key source from files. | false |
mode | enum | Enum: DISABLED, SIMPLE, MUTUAL | false |
secretName | string | TLS key source from a Kubernetes Secret. | false |
subjectAltNames | []string | | false |
ServiceSecuritySetting.spec.subsets[index].settings.authorization.http.external.tls.files
TLS key source from files.
Name | Type | Description | Required |
---|---|---|---|
caCertificates | string | File containing CA certificates to verify the certificates presented by the server. | false |
clientCertificate | string | Certificate file to authenticate the client. | false |
privateKey | string | Private key file associated with the client certificate. | false |
ServiceSecuritySetting.spec.subsets[index].settings.authorization.http.local
Name | Type | Description | Required |
---|---|---|---|
rules | []object | | false |
ServiceSecuritySetting.spec.subsets[index].settings.authorization.http.local.rules[index]
Name | Type | Description | Required |
---|---|---|---|
name | string | A friendly name to identify the binding. | true |
from | []object | Subjects configure the actors (end users, other services) that are allowed to access the target resource. | false |
to | []object | A set of HTTP rules that need to be satisfied by the HTTP requests to get access to the target resource. | false |
ServiceSecuritySetting.spec.subsets[index].settings.authorization.http.local.rules[index].from[index]
Name | Type | Description | Required |
---|---|---|---|
jwt | object | JWT configuration to identify the subject. | false |
ServiceSecuritySetting.spec.subsets[index].settings.authorization.http.local.rules[index].from[index].jwt
JWT configuration to identify the subject.
Name | Type | Description | Required |
---|---|---|---|
iss | string | | false |
other | map[string]string | A set of arbitrary claims that are required to qualify the subject. | false |
sub | string | | false |
ServiceSecuritySetting.spec.subsets[index].settings.authorization.http.local.rules[index].to[index]
Name | Type | Description | Required |
---|---|---|---|
methods | []string | The HTTP methods that are allowed by this rule. | false |
paths | []string | The request path where the request is made against. | false |
ServiceSecuritySetting.spec.subsets[index].settings.authorization.rules
When the mode is RULES, you can allow or deny workload-to-workload communication by specifying in the rules field which target workloads are allowed or denied to communicate with other target workloads.
Name | Type | Description | Required |
---|---|---|---|
allow | []object | Allow specifies a list of rules. | false |
deny | []object | Deny specifies a list of rules. | false |
denyAll | boolean | Deny all specifies whether all requests should be rejected. | false |
ServiceSecuritySetting.spec.subsets[index].settings.authorization.rules.allow[index]
Name | Type | Description | Required |
---|---|---|---|
from | object | From specifies the source of a request. | true |
to | object | To specifies the destination of a request. | true |
ServiceSecuritySetting.spec.subsets[index].settings.authorization.rules.allow[index].from
From specifies the source of a request.
Name | Type | Description | Required |
---|---|---|---|
fqn | string | The target resource identified by FQN which will be the source of a request. | false |
ServiceSecuritySetting.spec.subsets[index].settings.authorization.rules.allow[index].to
To specifies the destination of a request.
Name | Type | Description | Required |
---|---|---|---|
fqn | string | The target resource identified by FQN which will be the destination of a request. | false |
ServiceSecuritySetting.spec.subsets[index].settings.authorization.rules.deny[index]
Name | Type | Description | Required |
---|---|---|---|
from | object | From specifies the source of a request. | true |
to | object | To specifies the destination of a request. | true |
ServiceSecuritySetting.spec.subsets[index].settings.authorization.rules.deny[index].from
From specifies the source of a request.
Name | Type | Description | Required |
---|---|---|---|
fqn | string | The target resource identified by FQN which will be the source of a request. | false |
ServiceSecuritySetting.spec.subsets[index].settings.authorization.rules.deny[index].to
To specifies the destination of a request.
Name | Type | Description | Required |
---|---|---|---|
fqn | string | The target resource identified by FQN which will be the destination of a request. | false |
ServiceSecuritySetting.spec.subsets[index].settings.configGenerationMetadata
Metadata values that will be added into the Istio generated configurations.
Name | Type | Description | Required |
---|---|---|---|
annotations | map[string]string | Set of key value pairs that will be added into the | false |
labels | map[string]string | Set of key value pairs that will be added into the | false |
ServiceSecuritySetting.spec.subsets[index].settings.extension[index]
Name | Type | Description | Required |
---|---|---|---|
fqn | string | Fqn of the extension to be executed. | true |
config | object | Configuration parameters sent to the WASM plugin execution. | false |
match | []object | Specifies the criteria to determine which traffic is passed to WasmExtension. | false |
ServiceSecuritySetting.spec.subsets[index].settings.extension[index].match[index]
Name | Type | Description | Required |
---|---|---|---|
mode | enum | Criteria for selecting traffic by their direction. Enum: UNDEFINED, CLIENT, SERVER, CLIENT_AND_SERVER | false |
ports | []object | Criteria for selecting traffic by their destination port. | false |
ServiceSecuritySetting.spec.subsets[index].settings.extension[index].match[index].ports[index]
Name | Type | Description | Required |
---|---|---|---|
number | integer | | true |
ServiceSecuritySetting.spec.subsets[index].settings.waf
NOTICE: this feature is in alpha stage and under active development.
Name | Type | Description | Required |
---|---|---|---|
rules | []string | Rules to be leveraged by WAF. | true |