Skip to main content
logoTetrate Service BridgeVersion: 1.10.x

security.tsb.tetrate.io/v2

Resource Types:

Group

↩ Parent

NameTypeDescriptionRequired
apiVersionstringsecurity.tsb.tetrate.io/v2true
kindstringGrouptrue
metadataobjectRefer to the Kubernetes API documentation for the fields of the metadata field.true
specobject

A security group manages the security properties of proxy workloads in a group of namespaces owned by the parent workspace.

false
statusobject
false

Group.spec

↩ Parent

A security group manages the security properties of proxy workloads in a group of namespaces owned by the parent workspace.

NameTypeDescriptionRequired
namespaceSelectorobject

Set of namespaces owned exclusively by this group.

true
configGenerationMetadataobject

Default metadata values that will be propagated to the children Istio generated configurations.

false
configModeenum

The Configuration types that will be added to this group.


Enum: BRIDGED, DIRECT

false
deletionProtectionEnabledboolean

When set, prevents the resource from being deleted.

false
descriptionstring

A description of the resource.

false
displayNamestring

User friendly name for the resource.

false
etagstring

The etag for the resource.

false
fqnstring

Fully-qualified name of the resource.

false
profiles[]string

List of profiles attached to the security group to be used to propagate default and mandatory configurations down to the children.

false
securityDomainstring

Security domains can be used to group different resources under the same security domain.

false

Group.spec.namespaceSelector

↩ Parent

Set of namespaces owned exclusively by this group.

NameTypeDescriptionRequired
names[]string

Under the tenant/workspace/group: - */ns1 implies ns1 namespace in any cluster.

true

Group.spec.configGenerationMetadata

↩ Parent

Default metadata values that will be propagated to the children Istio generated configurations.

NameTypeDescriptionRequired
annotationsmap[string]string

Set of key value paris that will be added into the metadata.annotations field of the Istio generated configurations.

false
labelsmap[string]string

Set of key value paris that will be added into the metadata.labels field of the Istio generated configurations.

false

SecuritySetting

↩ Parent

NameTypeDescriptionRequired
apiVersionstringsecurity.tsb.tetrate.io/v2true
kindstringSecuritySettingtrue
metadataobjectRefer to the Kubernetes API documentation for the fields of the metadata field.true
specobject

A security setting applies configuration to a set of proxy workloads in a security group or a workspace.

false
statusobject
false

SecuritySetting.spec

↩ Parent

A security setting applies configuration to a set of proxy workloads in a security group or a workspace.

NameTypeDescriptionRequired
authenticationenum

DEPRECATED: Specifies whether the proxy workloads should accept only mutual TLS authenticated traffic or allow legacy plaintext traffic as well.


Enum: UNSET, OPTIONAL, REQUIRED

false
authenticationSettingsobject

Authentication settings is used to set workload-to-workload traffic and end-user/origin authentication configuration.

false
authorizationobject

The set of service accounts in one or more namespaces allowed or denied to access a workload (and hence its sidecar) in the mesh.

false
configGenerationMetadataobject

Metadata values that will be add into the Istio generated configurations.

false
descriptionstring

A description of the resource.

false
displayNamestring

User friendly name for the resource.

false
etagstring

The etag for the resource.

false
extension[]object

Extensions specifies all the WasmExtensions assigned to this SecuritySettings with the specific configuration for each extension.

false
fqnstring

Fully-qualified name of the resource.

false
propagationStrategyenum

Propagation strategy specifies how a security setting is propagated along the configuration hierarchy.


Enum: REPLACE, STRICTER

false
wafobject

NOTICE: this feature is in alpha stage and under active development.

false

SecuritySetting.spec.authenticationSettings

↩ Parent

Authentication settings is used to set workload-to-workload traffic and end-user/origin authentication configuration.

NameTypeDescriptionRequired
httpobject

HTTP request authentication is used to configure authentication of origin/end-user credentials like JSON Web Token (JWT).

false
trafficModeenum

Enum: UNSET, OPTIONAL, REQUIRED

false

SecuritySetting.spec.authenticationSettings.http

↩ Parent

HTTP request authentication is used to configure authentication of origin/end-user credentials like JSON Web Token (JWT).

NameTypeDescriptionRequired
jwtobject

Authenticate an HTTP request from a JWT Token attached to it.

false
oidcobject
false
rulesobject

List of rules how to authenticate an HTTP request.

false

SecuritySetting.spec.authenticationSettings.http.jwt

↩ Parent

Authenticate an HTTP request from a JWT Token attached to it.

NameTypeDescriptionRequired
issuerstring

Identifies the issuer that issued the JWT.

true
audiences[]string

The list of JWT audiences.

false
fromCookies[]string

List of cookie names from which JWT is expected.

false
fromHeaders[]object

This field specifies the locations to extract JWT token.

false
jwksstring

JSON Web Key Set of public keys to validate signature of the JWT.

false
jwksUristring

URL of the provider's public key set to validate signature of the JWT.

false
outputClaimToHeaders[]object

This field specifies a list of operations to copy the claim to HTTP headers on a successfully verified token.

false
outputPayloadToHeaderstring

This field specifies the header name to output a successfully verified JWT payload to the backend.

false

SecuritySetting.spec.authenticationSettings.http.jwt.fromHeaders[index]

↩ Parent

NameTypeDescriptionRequired
namestring

The HTTP header name.

true
prefixstring

The prefix that should be stripped before decoding the token.

false

SecuritySetting.spec.authenticationSettings.http.jwt.outputClaimToHeaders[index]

↩ Parent

NameTypeDescriptionRequired
claimstring

The name of the claim to be copied from.

true
headerstring

The name of the header to be created.

true

SecuritySetting.spec.authenticationSettings.http.oidc

↩ Parent

NameTypeDescriptionRequired
clientIdstring

The client_id to be used in the authorize calls.

true
clientTokenSecretstring

The name of the Kubernetes secret containing the client secret.

true
providerobject

The OIDC Provider configuration.

true
redirectUristring

The redirect URI passed to the authorization endpoint It can also be formulated from request parameters For example: %REQ(x-forwarded-proto)%://%REQ(:authority)%/callback This URI should not contain any query parameters.

true
authScopes[]string

Optional list of OAuth scopes to be claimed in the authorization request.

false
authTypeenum

Defines how client_id and client_secret are sent in OAuth client to OAuth server requests.


Enum: DEFAULT_AUTH_TYPE, URL_ENCODED_BODY, BASIC_AUTH

false
grantTypeenum

Enum: DEFAULT_GRANT_TYPE, AUTHORIZATION_CODE

false
redirectPathMatcherstring

Matching criteria used to determine whether a path appears to be the result of a redirect from the authorization server.

false
signoutPathstring

The path to sign a user out, clearing their credential cookies.

false

SecuritySetting.spec.authenticationSettings.http.oidc.provider

↩ Parent

The OIDC Provider configuration.

NameTypeDescriptionRequired
issuerstring

The OIDC Provider's issuer identifier.

true
authorizationEndpointstring

The OIDC Provider's authorization endpoint.

false
jwksstring

JSON string with the OIDC provider's JSON Web Key Sets.

false
jwksUristring

URI for the OIDC provider's JSON Web Key Sets.

false
tlsobject

The TLS settings used by the clients to connect with the OIDC provider.

false
tokenEndpointstring

The OIDC Provider's token endpoint.

false

SecuritySetting.spec.authenticationSettings.http.oidc.provider.tls

↩ Parent

The TLS settings used by the clients to connect with the OIDC provider.

NameTypeDescriptionRequired
filesobject

TLS key source from files.

false
modeenum

Enum: DISABLED, SIMPLE, MUTUAL

false
secretNamestring

TLS key source from a Kubernetes Secret.

false
subjectAltNames[]string
false

SecuritySetting.spec.authenticationSettings.http.oidc.provider.tls.files

↩ Parent

TLS key source from files.

NameTypeDescriptionRequired
caCertificatesstring

File containing CA certificates to verify the certificates presented by the server.

false
clientCertificatestring

Certificate file to authenticate the client.

false
privateKeystring

Private key file associated with the client certificate.

false

SecuritySetting.spec.authenticationSettings.http.rules

↩ Parent

List of rules how to authenticate an HTTP request.

NameTypeDescriptionRequired
jwt[]object

List of rules how to authenticate an HTTP request from a JWT Token attached to it.

false

SecuritySetting.spec.authenticationSettings.http.rules.jwt[index]

↩ Parent

NameTypeDescriptionRequired
issuerstring

Identifies the issuer that issued the JWT.

true
audiences[]string

The list of JWT audiences.

false
fromCookies[]string

List of cookie names from which JWT is expected.

false
fromHeaders[]object

This field specifies the locations to extract JWT token.

false
jwksstring

JSON Web Key Set of public keys to validate signature of the JWT.

false
jwksUristring

URL of the provider's public key set to validate signature of the JWT.

false
outputClaimToHeaders[]object

This field specifies a list of operations to copy the claim to HTTP headers on a successfully verified token.

false
outputPayloadToHeaderstring

This field specifies the header name to output a successfully verified JWT payload to the backend.

false

SecuritySetting.spec.authenticationSettings.http.rules.jwt[index].fromHeaders[index]

↩ Parent

NameTypeDescriptionRequired
namestring

The HTTP header name.

true
prefixstring

The prefix that should be stripped before decoding the token.

false

SecuritySetting.spec.authenticationSettings.http.rules.jwt[index].outputClaimToHeaders[index]

↩ Parent

NameTypeDescriptionRequired
claimstring

The name of the claim to be copied from.

true
headerstring

The name of the header to be created.

true

SecuritySetting.spec.authorization

↩ Parent

The set of service accounts in one or more namespaces allowed or denied to access a workload (and hence its sidecar) in the mesh.

NameTypeDescriptionRequired
httpobject

This is for configuring HTTP request authorization.

false
identityMatchenum

identity_match specifies the strategy for client identity verification to be employed during the evaluation of authorization (authz) rules within the service.


Enum: UNKNOWN, PEER_CERTIFICATE, PERMISSIVE, SOURCE_IDENTITY

false
modeenum

A short cut for specifying the set of allowed callers.


Enum: UNSET, NAMESPACE, GROUP, WORKSPACE, CLUSTER, DISABLED, CUSTOM, RULES

false
rulesobject

When the mode is RULES, you can allow or deny workload-to-workload communication by specifying in the rules field which target workloads are allowed or denied to communicate with other target workloads.

false
serviceAccounts[]string

When the mode is CUSTOM, serviceAccounts specify the allowed set of service accounts (and the workloads using them).

false

SecuritySetting.spec.authorization.http

↩ Parent

This is for configuring HTTP request authorization.

NameTypeDescriptionRequired
externalobject
false
localobject
false

SecuritySetting.spec.authorization.http.external

↩ Parent

NameTypeDescriptionRequired
includeRequestHeaders[]string
false
tlsobject
false
uristring
false

SecuritySetting.spec.authorization.http.external.tls

↩ Parent

NameTypeDescriptionRequired
filesobject

TLS key source from files.

false
modeenum

Enum: DISABLED, SIMPLE, MUTUAL

false
secretNamestring

TLS key source from a Kubernetes Secret.

false
subjectAltNames[]string
false

SecuritySetting.spec.authorization.http.external.tls.files

↩ Parent

TLS key source from files.

NameTypeDescriptionRequired
caCertificatesstring

File containing CA certificates to verify the certificates presented by the server.

false
clientCertificatestring

Certificate file to authenticate the client.

false
privateKeystring

Private key file associated with the client certificate.

false

SecuritySetting.spec.authorization.http.local

↩ Parent

NameTypeDescriptionRequired
rules[]object
false

SecuritySetting.spec.authorization.http.local.rules[index]

↩ Parent

NameTypeDescriptionRequired
namestring

A friendly name to identify the binding.

true
from[]object

Subjects configure the actors (end users, other services) that are allowed to access the target resource.

false
to[]object

A set of HTTP rules that need to be satisfied by the HTTP requests to get access to the target resource.

false

SecuritySetting.spec.authorization.http.local.rules[index].from[index]

↩ Parent

NameTypeDescriptionRequired
jwtobject

JWT configuration to identity the subject.

false

SecuritySetting.spec.authorization.http.local.rules[index].from[index].jwt

↩ Parent

JWT configuration to identity the subject.

NameTypeDescriptionRequired
issstring
false
othermap[string]string

A set of arbitrary claims that are required to qualify the subject.

false
substring
false

SecuritySetting.spec.authorization.http.local.rules[index].to[index]

↩ Parent

NameTypeDescriptionRequired
methods[]string

The HTTP methods that are allowed by this rule.

false
paths[]string

The request path where the request is made against.

false

SecuritySetting.spec.authorization.rules

↩ Parent

When the mode is RULES, you can allow or deny workload-to-workload communication by specifying in the rules field which target workloads are allowed or denied to communicate with other target workloads.

NameTypeDescriptionRequired
allow[]object

Allow specifies a list of rules.

false
deny[]object

Deny specifies a list of rules.

false
denyAllboolean

Deny all specifies whether all requests should be rejected.

false

SecuritySetting.spec.authorization.rules.allow[index]

↩ Parent

NameTypeDescriptionRequired
fromobject

From specifies the source of a request.

true
toobject

To specifies the destination of a request.

true

SecuritySetting.spec.authorization.rules.allow[index].from

↩ Parent

From specifies the source of a request.

NameTypeDescriptionRequired
fqnstring

The target resource identified by FQN which will be the source of a request.

false

SecuritySetting.spec.authorization.rules.allow[index].to

↩ Parent

To specifies the destination of a request.

NameTypeDescriptionRequired
fqnstring

The target resource identified by FQN which will be the destination of a request.

false

SecuritySetting.spec.authorization.rules.deny[index]

↩ Parent

NameTypeDescriptionRequired
fromobject

From specifies the source of a request.

true
toobject

To specifies the destination of a request.

true

SecuritySetting.spec.authorization.rules.deny[index].from

↩ Parent

From specifies the source of a request.

NameTypeDescriptionRequired
fqnstring

The target resource identified by FQN which will be the source of a request.

false

SecuritySetting.spec.authorization.rules.deny[index].to

↩ Parent

To specifies the destination of a request.

NameTypeDescriptionRequired
fqnstring

The target resource identified by FQN which will be the destination of a request.

false

SecuritySetting.spec.configGenerationMetadata

↩ Parent

Metadata values that will be add into the Istio generated configurations.

NameTypeDescriptionRequired
annotationsmap[string]string

Set of key value paris that will be added into the metadata.annotations field of the Istio generated configurations.

false
labelsmap[string]string

Set of key value paris that will be added into the metadata.labels field of the Istio generated configurations.

false

SecuritySetting.spec.extension[index]

↩ Parent

NameTypeDescriptionRequired
fqnstring

Fqn of the extension to be executed.

true
configobject

Configuration parameters sent to the WASM plugin execution.

false
match[]object

Specifies the criteria to determine which traffic is passed to WasmExtension.

false

SecuritySetting.spec.extension[index].match[index]

↩ Parent

NameTypeDescriptionRequired
modeenum

Criteria for selecting traffic by their direction.


Enum: UNDEFINED, CLIENT, SERVER, CLIENT_AND_SERVER

false
ports[]object

Criteria for selecting traffic by their destination port.

false

SecuritySetting.spec.extension[index].match[index].ports[index]

↩ Parent

NameTypeDescriptionRequired
numberinteger
true

SecuritySetting.spec.waf

↩ Parent

NOTICE: this feature is in alpha stage and under active development.

NameTypeDescriptionRequired
rules[]string

Rules to be leveraged by WAF.

true

ServiceSecuritySetting

↩ Parent

NameTypeDescriptionRequired
apiVersionstringsecurity.tsb.tetrate.io/v2true
kindstringServiceSecuritySettingtrue
metadataobjectRefer to the Kubernetes API documentation for the fields of the metadata field.true
specobject

A service security setting applies configuration to a service in a security group.

false
statusobject
false

ServiceSecuritySetting.spec

↩ Parent

A service security setting applies configuration to a service in a security group.

NameTypeDescriptionRequired
servicestring

The service on which the configuration is being applied.

true
configGenerationMetadataobject

Metadata values that will be add into the Istio generated configurations.

false
descriptionstring

A description of the resource.

false
displayNamestring

User friendly name for the resource.

false
etagstring

The etag for the resource.

false
fqnstring

Fully-qualified name of the resource.

false
settingsobject

Security settings to apply to this service.

false
subsets[]object

Subset specific settings that will replace the service wide settings for the specified service subsets.

false

ServiceSecuritySetting.spec.configGenerationMetadata

↩ Parent

Metadata values that will be add into the Istio generated configurations.

NameTypeDescriptionRequired
annotationsmap[string]string

Set of key value paris that will be added into the metadata.annotations field of the Istio generated configurations.

false
labelsmap[string]string

Set of key value paris that will be added into the metadata.labels field of the Istio generated configurations.

false

ServiceSecuritySetting.spec.settings

↩ Parent

Security settings to apply to this service.

NameTypeDescriptionRequired
authenticationenum

DEPRECATED: Specifies whether the proxy workloads should accept only mutual TLS authenticated traffic or allow legacy plaintext traffic as well.


Enum: UNSET, OPTIONAL, REQUIRED

false
authenticationSettingsobject

Authentication settings is used to set workload-to-workload traffic and end-user/origin authentication configuration.

false
authorizationobject

The set of service accounts in one or more namespaces allowed or denied to access a workload (and hence its sidecar) in the mesh.

false
configGenerationMetadataobject

Metadata values that will be add into the Istio generated configurations.

false
descriptionstring

A description of the resource.

false
displayNamestring

User friendly name for the resource.

false
etagstring

The etag for the resource.

false
extension[]object

Extensions specifies all the WasmExtensions assigned to this SecuritySettings with the specific configuration for each extension.

false
fqnstring

Fully-qualified name of the resource.

false
propagationStrategyenum

Propagation strategy specifies how a security setting is propagated along the configuration hierarchy.


Enum: REPLACE, STRICTER

false
wafobject

NOTICE: this feature is in alpha stage and under active development.

false

ServiceSecuritySetting.spec.settings.authenticationSettings

↩ Parent

Authentication settings is used to set workload-to-workload traffic and end-user/origin authentication configuration.

NameTypeDescriptionRequired
httpobject

HTTP request authentication is used to configure authentication of origin/end-user credentials like JSON Web Token (JWT).

false
trafficModeenum

Enum: UNSET, OPTIONAL, REQUIRED

false

ServiceSecuritySetting.spec.settings.authenticationSettings.http

↩ Parent

HTTP request authentication is used to configure authentication of origin/end-user credentials like JSON Web Token (JWT).

NameTypeDescriptionRequired
jwtobject

Authenticate an HTTP request from a JWT Token attached to it.

false
oidcobject
false
rulesobject

List of rules how to authenticate an HTTP request.

false

ServiceSecuritySetting.spec.settings.authenticationSettings.http.jwt

↩ Parent

Authenticate an HTTP request from a JWT Token attached to it.

NameTypeDescriptionRequired
issuerstring

Identifies the issuer that issued the JWT.

true
audiences[]string

The list of JWT audiences.

false
fromCookies[]string

List of cookie names from which JWT is expected.

false
fromHeaders[]object

This field specifies the locations to extract JWT token.

false
jwksstring

JSON Web Key Set of public keys to validate signature of the JWT.

false
jwksUristring

URL of the provider's public key set to validate signature of the JWT.

false
outputClaimToHeaders[]object

This field specifies a list of operations to copy the claim to HTTP headers on a successfully verified token.

false
outputPayloadToHeaderstring

This field specifies the header name to output a successfully verified JWT payload to the backend.

false

ServiceSecuritySetting.spec.settings.authenticationSettings.http.jwt.fromHeaders[index]

↩ Parent

NameTypeDescriptionRequired
namestring

The HTTP header name.

true
prefixstring

The prefix that should be stripped before decoding the token.

false

ServiceSecuritySetting.spec.settings.authenticationSettings.http.jwt.outputClaimToHeaders[index]

↩ Parent

NameTypeDescriptionRequired
claimstring

The name of the claim to be copied from.

true
headerstring

The name of the header to be created.

true

ServiceSecuritySetting.spec.settings.authenticationSettings.http.oidc

↩ Parent

NameTypeDescriptionRequired
clientIdstring

The client_id to be used in the authorize calls.

true
clientTokenSecretstring

The name of the Kubernetes secret containing the client secret.

true
providerobject

The OIDC Provider configuration.

true
redirectUristring

The redirect URI passed to the authorization endpoint It can also be formulated from request parameters For example: %REQ(x-forwarded-proto)%://%REQ(:authority)%/callback This URI should not contain any query parameters.

true
authScopes[]string

Optional list of OAuth scopes to be claimed in the authorization request.

false
authTypeenum

Defines how client_id and client_secret are sent in OAuth client to OAuth server requests.


Enum: DEFAULT_AUTH_TYPE, URL_ENCODED_BODY, BASIC_AUTH

false
grantTypeenum

Enum: DEFAULT_GRANT_TYPE, AUTHORIZATION_CODE

false
redirectPathMatcherstring

Matching criteria used to determine whether a path appears to be the result of a redirect from the authorization server.

false
signoutPathstring

The path to sign a user out, clearing their credential cookies.

false

ServiceSecuritySetting.spec.settings.authenticationSettings.http.oidc.provider

↩ Parent

The OIDC Provider configuration.

NameTypeDescriptionRequired
issuerstring

The OIDC Provider's issuer identifier.

true
authorizationEndpointstring

The OIDC Provider's authorization endpoint.

false
jwksstring

JSON string with the OIDC provider's JSON Web Key Sets.

false
jwksUristring

URI for the OIDC provider's JSON Web Key Sets.

false
tlsobject

The TLS settings used by the clients to connect with the OIDC provider.

false
tokenEndpointstring

The OIDC Provider's token endpoint.

false

ServiceSecuritySetting.spec.settings.authenticationSettings.http.oidc.provider.tls

↩ Parent

The TLS settings used by the clients to connect with the OIDC provider.

NameTypeDescriptionRequired
filesobject

TLS key source from files.

false
modeenum

Enum: DISABLED, SIMPLE, MUTUAL

false
secretNamestring

TLS key source from a Kubernetes Secret.

false
subjectAltNames[]string
false

ServiceSecuritySetting.spec.settings.authenticationSettings.http.oidc.provider.tls.files

↩ Parent

TLS key source from files.

NameTypeDescriptionRequired
caCertificatesstring

File containing CA certificates to verify the certificates presented by the server.

false
clientCertificatestring

Certificate file to authenticate the client.

false
privateKeystring

Private key file associated with the client certificate.

false

ServiceSecuritySetting.spec.settings.authenticationSettings.http.rules

↩ Parent

List of rules how to authenticate an HTTP request.

NameTypeDescriptionRequired
jwt[]object

List of rules how to authenticate an HTTP request from a JWT Token attached to it.

false

ServiceSecuritySetting.spec.settings.authenticationSettings.http.rules.jwt[index]

↩ Parent

NameTypeDescriptionRequired
issuerstring

Identifies the issuer that issued the JWT.

true
audiences[]string

The list of JWT audiences.

false
fromCookies[]string

List of cookie names from which JWT is expected.

false
fromHeaders[]object

This field specifies the locations to extract JWT token.

false
jwksstring

JSON Web Key Set of public keys to validate signature of the JWT.

false
jwksUristring

URL of the provider's public key set to validate signature of the JWT.

false
outputClaimToHeaders[]object

This field specifies a list of operations to copy the claim to HTTP headers on a successfully verified token.

false
outputPayloadToHeaderstring

This field specifies the header name to output a successfully verified JWT payload to the backend.

false

ServiceSecuritySetting.spec.settings.authenticationSettings.http.rules.jwt[index].fromHeaders[index]

↩ Parent

NameTypeDescriptionRequired
namestring

The HTTP header name.

true
prefixstring

The prefix that should be stripped before decoding the token.

false

ServiceSecuritySetting.spec.settings.authenticationSettings.http.rules.jwt[index].outputClaimToHeaders[index]

↩ Parent

NameTypeDescriptionRequired
claimstring

The name of the claim to be copied from.

true
headerstring

The name of the header to be created.

true

ServiceSecuritySetting.spec.settings.authorization

↩ Parent

The set of service accounts in one or more namespaces allowed or denied to access a workload (and hence its sidecar) in the mesh.

NameTypeDescriptionRequired
httpobject

This is for configuring HTTP request authorization.

false
identityMatchenum

identity_match specifies the strategy for client identity verification to be employed during the evaluation of authorization (authz) rules within the service.


Enum: UNKNOWN, PEER_CERTIFICATE, PERMISSIVE, SOURCE_IDENTITY

false
modeenum

A short cut for specifying the set of allowed callers.


Enum: UNSET, NAMESPACE, GROUP, WORKSPACE, CLUSTER, DISABLED, CUSTOM, RULES

false
rulesobject

When the mode is RULES, you can allow or deny workload-to-workload communication by specifying in the rules field which target workloads are allowed or denied to communicate with other target workloads.

false
serviceAccounts[]string

When the mode is CUSTOM, serviceAccounts specify the allowed set of service accounts (and the workloads using them).

false

ServiceSecuritySetting.spec.settings.authorization.http

↩ Parent

This is for configuring HTTP request authorization.

NameTypeDescriptionRequired
externalobject
false
localobject
false

ServiceSecuritySetting.spec.settings.authorization.http.external

↩ Parent

NameTypeDescriptionRequired
includeRequestHeaders[]string
false
tlsobject
false
uristring
false

ServiceSecuritySetting.spec.settings.authorization.http.external.tls

↩ Parent

NameTypeDescriptionRequired
filesobject

TLS key source from files.

false
modeenum

Enum: DISABLED, SIMPLE, MUTUAL

false
secretNamestring

TLS key source from a Kubernetes Secret.

false
subjectAltNames[]string
false

ServiceSecuritySetting.spec.settings.authorization.http.external.tls.files

↩ Parent

TLS key source from files.

NameTypeDescriptionRequired
caCertificatesstring

File containing CA certificates to verify the certificates presented by the server.

false
clientCertificatestring

Certificate file to authenticate the client.

false
privateKeystring

Private key file associated with the client certificate.

false

ServiceSecuritySetting.spec.settings.authorization.http.local

↩ Parent

NameTypeDescriptionRequired
rules[]object
false

ServiceSecuritySetting.spec.settings.authorization.http.local.rules[index]

↩ Parent

NameTypeDescriptionRequired
namestring

A friendly name to identify the binding.

true
from[]object

Subjects configure the actors (end users, other services) that are allowed to access the target resource.

false
to[]object

A set of HTTP rules that need to be satisfied by the HTTP requests to get access to the target resource.

false

ServiceSecuritySetting.spec.settings.authorization.http.local.rules[index].from[index]

↩ Parent

NameTypeDescriptionRequired
jwtobject

JWT configuration to identity the subject.

false

ServiceSecuritySetting.spec.settings.authorization.http.local.rules[index].from[index].jwt

↩ Parent

JWT configuration to identity the subject.

NameTypeDescriptionRequired
issstring
false
othermap[string]string

A set of arbitrary claims that are required to qualify the subject.

false
substring
false

ServiceSecuritySetting.spec.settings.authorization.http.local.rules[index].to[index]

↩ Parent

NameTypeDescriptionRequired
methods[]string

The HTTP methods that are allowed by this rule.

false
paths[]string

The request path where the request is made against.

false

ServiceSecuritySetting.spec.settings.authorization.rules

↩ Parent

When the mode is RULES, you can allow or deny workload-to-workload communication by specifying in the rules field which target workloads are allowed or denied to communicate with other target workloads.

NameTypeDescriptionRequired
allow[]object

Allow specifies a list of rules.

false
deny[]object

Deny specifies a list of rules.

false
denyAllboolean

Deny all specifies whether all requests should be rejected.

false

ServiceSecuritySetting.spec.settings.authorization.rules.allow[index]

↩ Parent

NameTypeDescriptionRequired
fromobject

From specifies the source of a request.

true
toobject

To specifies the destination of a request.

true

ServiceSecuritySetting.spec.settings.authorization.rules.allow[index].from

↩ Parent

From specifies the source of a request.

NameTypeDescriptionRequired
fqnstring

The target resource identified by FQN which will be the source of a request.

false

ServiceSecuritySetting.spec.settings.authorization.rules.allow[index].to

↩ Parent

To specifies the destination of a request.

NameTypeDescriptionRequired
fqnstring

The target resource identified by FQN which will be the destination of a request.

false

ServiceSecuritySetting.spec.settings.authorization.rules.deny[index]

↩ Parent

NameTypeDescriptionRequired
fromobject

From specifies the source of a request.

true
toobject

To specifies the destination of a request.

true

ServiceSecuritySetting.spec.settings.authorization.rules.deny[index].from

↩ Parent

From specifies the source of a request.

NameTypeDescriptionRequired
fqnstring

The target resource identified by FQN which will be the source of a request.

false

ServiceSecuritySetting.spec.settings.authorization.rules.deny[index].to

↩ Parent

To specifies the destination of a request.

NameTypeDescriptionRequired
fqnstring

The target resource identified by FQN which will be the destination of a request.

false

ServiceSecuritySetting.spec.settings.configGenerationMetadata

↩ Parent

Metadata values that will be add into the Istio generated configurations.

NameTypeDescriptionRequired
annotationsmap[string]string

Set of key value paris that will be added into the metadata.annotations field of the Istio generated configurations.

false
labelsmap[string]string

Set of key value paris that will be added into the metadata.labels field of the Istio generated configurations.

false

ServiceSecuritySetting.spec.settings.extension[index]

↩ Parent

NameTypeDescriptionRequired
fqnstring

Fqn of the extension to be executed.

true
configobject

Configuration parameters sent to the WASM plugin execution.

false
match[]object

Specifies the criteria to determine which traffic is passed to WasmExtension.

false

ServiceSecuritySetting.spec.settings.extension[index].match[index]

↩ Parent

NameTypeDescriptionRequired
modeenum

Criteria for selecting traffic by their direction.


Enum: UNDEFINED, CLIENT, SERVER, CLIENT_AND_SERVER

false
ports[]object

Criteria for selecting traffic by their destination port.

false

ServiceSecuritySetting.spec.settings.extension[index].match[index].ports[index]

↩ Parent

NameTypeDescriptionRequired
numberinteger
true

ServiceSecuritySetting.spec.settings.waf

↩ Parent

NOTICE: this feature is in alpha stage and under active development.

NameTypeDescriptionRequired
rules[]string

Rules to be leveraged by WAF.

true

ServiceSecuritySetting.spec.subsets[index]

↩ Parent

NameTypeDescriptionRequired
namestring

Name used to refer to the subset.

true
settingsobject

Security settings to apply to this service subset.

true

ServiceSecuritySetting.spec.subsets[index].settings

↩ Parent

Security settings to apply to this service subset.

NameTypeDescriptionRequired
authenticationenum

DEPRECATED: Specifies whether the proxy workloads should accept only mutual TLS authenticated traffic or allow legacy plaintext traffic as well.


Enum: UNSET, OPTIONAL, REQUIRED

false
authenticationSettingsobject

Authentication settings is used to set workload-to-workload traffic and end-user/origin authentication configuration.

false
authorizationobject

The set of service accounts in one or more namespaces allowed or denied to access a workload (and hence its sidecar) in the mesh.

false
configGenerationMetadataobject

Metadata values that will be add into the Istio generated configurations.

false
descriptionstring

A description of the resource.

false
displayNamestring

User friendly name for the resource.

false
etagstring

The etag for the resource.

false
extension[]object

Extensions specifies all the WasmExtensions assigned to this SecuritySettings with the specific configuration for each extension.

false
fqnstring

Fully-qualified name of the resource.

false
propagationStrategyenum

Propagation strategy specifies how a security setting is propagated along the configuration hierarchy.


Enum: REPLACE, STRICTER

false
wafobject

NOTICE: this feature is in alpha stage and under active development.

false

ServiceSecuritySetting.spec.subsets[index].settings.authenticationSettings

↩ Parent

Authentication settings is used to set workload-to-workload traffic and end-user/origin authentication configuration.

NameTypeDescriptionRequired
httpobject

HTTP request authentication is used to configure authentication of origin/end-user credentials like JSON Web Token (JWT).

false
trafficModeenum

Enum: UNSET, OPTIONAL, REQUIRED

false

ServiceSecuritySetting.spec.subsets[index].settings.authenticationSettings.http

↩ Parent

HTTP request authentication is used to configure authentication of origin/end-user credentials like JSON Web Token (JWT).

NameTypeDescriptionRequired
jwtobject

Authenticate an HTTP request from a JWT Token attached to it.

false
oidcobject
false
rulesobject

List of rules how to authenticate an HTTP request.

false

ServiceSecuritySetting.spec.subsets[index].settings.authenticationSettings.http.jwt

↩ Parent

Authenticate an HTTP request from a JWT Token attached to it.

NameTypeDescriptionRequired
issuerstring

Identifies the issuer that issued the JWT.

true
audiences[]string

The list of JWT audiences.

false
fromCookies[]string

List of cookie names from which JWT is expected.

false
fromHeaders[]object

This field specifies the locations to extract JWT token.

false
jwksstring

JSON Web Key Set of public keys to validate signature of the JWT.

false
jwksUristring

URL of the provider's public key set to validate signature of the JWT.

false
outputClaimToHeaders[]object

This field specifies a list of operations to copy the claim to HTTP headers on a successfully verified token.

false
outputPayloadToHeaderstring

This field specifies the header name to output a successfully verified JWT payload to the backend.

false

ServiceSecuritySetting.spec.subsets[index].settings.authenticationSettings.http.jwt.fromHeaders[index]

↩ Parent

NameTypeDescriptionRequired
namestring

The HTTP header name.

true
prefixstring

The prefix that should be stripped before decoding the token.

false

ServiceSecuritySetting.spec.subsets[index].settings.authenticationSettings.http.jwt.outputClaimToHeaders[index]

↩ Parent

NameTypeDescriptionRequired
claimstring

The name of the claim to be copied from.

true
headerstring

The name of the header to be created.

true

ServiceSecuritySetting.spec.subsets[index].settings.authenticationSettings.http.oidc

↩ Parent

NameTypeDescriptionRequired
clientIdstring

The client_id to be used in the authorize calls.

true
clientTokenSecretstring

The name of the Kubernetes secret containing the client secret.

true
providerobject

The OIDC Provider configuration.

true
redirectUristring

The redirect URI passed to the authorization endpoint It can also be formulated from request parameters For example: %REQ(x-forwarded-proto)%://%REQ(:authority)%/callback This URI should not contain any query parameters.

true
authScopes[]string

Optional list of OAuth scopes to be claimed in the authorization request.

false
authTypeenum

Defines how client_id and client_secret are sent in OAuth client to OAuth server requests.


Enum: DEFAULT_AUTH_TYPE, URL_ENCODED_BODY, BASIC_AUTH

false
grantTypeenum

Enum: DEFAULT_GRANT_TYPE, AUTHORIZATION_CODE

false
redirectPathMatcherstring

Matching criteria used to determine whether a path appears to be the result of a redirect from the authorization server.

false
signoutPathstring

The path to sign a user out, clearing their credential cookies.

false

ServiceSecuritySetting.spec.subsets[index].settings.authenticationSettings.http.oidc.provider

↩ Parent

The OIDC Provider configuration.

NameTypeDescriptionRequired
issuerstring

The OIDC Provider's issuer identifier.

true
authorizationEndpointstring

The OIDC Provider's authorization endpoint.

false
jwksstring

JSON string with the OIDC provider's JSON Web Key Sets.

false
jwksUristring

URI for the OIDC provider's JSON Web Key Sets.

false
tlsobject

The TLS settings used by the clients to connect with the OIDC provider.

false
tokenEndpointstring

The OIDC Provider's token endpoint.

false

ServiceSecuritySetting.spec.subsets[index].settings.authenticationSettings.http.oidc.provider.tls

↩ Parent

The TLS settings used by the clients to connect with the OIDC provider.

NameTypeDescriptionRequired
filesobject

TLS key source from files.

false
modeenum

Enum: DISABLED, SIMPLE, MUTUAL

false
secretNamestring

TLS key source from a Kubernetes Secret.

false
subjectAltNames[]string
false

ServiceSecuritySetting.spec.subsets[index].settings.authenticationSettings.http.oidc.provider.tls.files

↩ Parent

TLS key source from files.

NameTypeDescriptionRequired
caCertificatesstring

File containing CA certificates to verify the certificates presented by the server.

false
clientCertificatestring

Certificate file to authenticate the client.

false
privateKeystring

Private key file associated with the client certificate.

false

ServiceSecuritySetting.spec.subsets[index].settings.authenticationSettings.http.rules

↩ Parent

List of rules how to authenticate an HTTP request.

NameTypeDescriptionRequired
jwt[]object

List of rules how to authenticate an HTTP request from a JWT Token attached to it.

false

ServiceSecuritySetting.spec.subsets[index].settings.authenticationSettings.http.rules.jwt[index]

↩ Parent

NameTypeDescriptionRequired
issuerstring

Identifies the issuer that issued the JWT.

true
audiences[]string

The list of JWT audiences.

false
fromCookies[]string

List of cookie names from which JWT is expected.

false
fromHeaders[]object

This field specifies the locations to extract JWT token.

false
jwksstring

JSON Web Key Set of public keys to validate signature of the JWT.

false
jwksUristring

URL of the provider's public key set to validate signature of the JWT.

false
outputClaimToHeaders[]object

This field specifies a list of operations to copy the claim to HTTP headers on a successfully verified token.

false
outputPayloadToHeaderstring

This field specifies the header name to output a successfully verified JWT payload to the backend.

false

ServiceSecuritySetting.spec.subsets[index].settings.authenticationSettings.http.rules.jwt[index].fromHeaders[index]

↩ Parent

NameTypeDescriptionRequired
namestring

The HTTP header name.

true
prefixstring

The prefix that should be stripped before decoding the token.

false

ServiceSecuritySetting.spec.subsets[index].settings.authenticationSettings.http.rules.jwt[index].outputClaimToHeaders[index]

↩ Parent

NameTypeDescriptionRequired
claimstring

The name of the claim to be copied from.

true
headerstring

The name of the header to be created.

true

ServiceSecuritySetting.spec.subsets[index].settings.authorization

↩ Parent

The set of service accounts in one or more namespaces allowed or denied to access a workload (and hence its sidecar) in the mesh.

NameTypeDescriptionRequired
httpobject

This is for configuring HTTP request authorization.

false
identityMatchenum

identity_match specifies the strategy for client identity verification to be employed during the evaluation of authorization (authz) rules within the service.


Enum: UNKNOWN, PEER_CERTIFICATE, PERMISSIVE, SOURCE_IDENTITY

false
modeenum

A short cut for specifying the set of allowed callers.


Enum: UNSET, NAMESPACE, GROUP, WORKSPACE, CLUSTER, DISABLED, CUSTOM, RULES

false
rulesobject

When the mode is RULES, you can allow or deny workload-to-workload communication by specifying in the rules field which target workloads are allowed or denied to communicate with other target workloads.

false
serviceAccounts[]string

When the mode is CUSTOM, serviceAccounts specify the allowed set of service accounts (and the workloads using them).

false

ServiceSecuritySetting.spec.subsets[index].settings.authorization.http

↩ Parent

This is for configuring HTTP request authorization.

NameTypeDescriptionRequired
externalobject
false
localobject
false

ServiceSecuritySetting.spec.subsets[index].settings.authorization.http.external

↩ Parent

NameTypeDescriptionRequired
includeRequestHeaders[]string
false
tlsobject
false
uristring
false

ServiceSecuritySetting.spec.subsets[index].settings.authorization.http.external.tls

↩ Parent

NameTypeDescriptionRequired
filesobject

TLS key source from files.

false
modeenum

Enum: DISABLED, SIMPLE, MUTUAL

false
secretNamestring

TLS key source from a Kubernetes Secret.

false
subjectAltNames[]string
false

ServiceSecuritySetting.spec.subsets[index].settings.authorization.http.external.tls.files

↩ Parent

TLS key source from files.

NameTypeDescriptionRequired
caCertificatesstring

File containing CA certificates to verify the certificates presented by the server.

false
clientCertificatestring

Certificate file to authenticate the client.

false
privateKeystring

Private key file associated with the client certificate.

false

ServiceSecuritySetting.spec.subsets[index].settings.authorization.http.local

↩ Parent

NameTypeDescriptionRequired
rules[]object
false

ServiceSecuritySetting.spec.subsets[index].settings.authorization.http.local.rules[index]

↩ Parent

NameTypeDescriptionRequired
namestring

A friendly name to identify the binding.

true
from[]object

Subjects configure the actors (end users, other services) that are allowed to access the target resource.

false
to[]object

A set of HTTP rules that need to be satisfied by the HTTP requests to get access to the target resource.

false

ServiceSecuritySetting.spec.subsets[index].settings.authorization.http.local.rules[index].from[index]

↩ Parent

NameTypeDescriptionRequired
jwtobject

JWT configuration to identity the subject.

false

ServiceSecuritySetting.spec.subsets[index].settings.authorization.http.local.rules[index].from[index].jwt

↩ Parent

JWT configuration to identity the subject.

NameTypeDescriptionRequired
issstring
false
othermap[string]string

A set of arbitrary claims that are required to qualify the subject.

false
substring
false

ServiceSecuritySetting.spec.subsets[index].settings.authorization.http.local.rules[index].to[index]

↩ Parent

NameTypeDescriptionRequired
methods[]string

The HTTP methods that are allowed by this rule.

false
paths[]string

The request path where the request is made against.

false

ServiceSecuritySetting.spec.subsets[index].settings.authorization.rules

↩ Parent

When the mode is RULES, you can allow or deny workload-to-workload communication by specifying in the rules field which target workloads are allowed or denied to communicate with other target workloads.

NameTypeDescriptionRequired
allow[]object

Allow specifies a list of rules.

false
deny[]object

Deny specifies a list of rules.

false
denyAllboolean

Deny all specifies whether all requests should be rejected.

false

ServiceSecuritySetting.spec.subsets[index].settings.authorization.rules.allow[index]

↩ Parent

NameTypeDescriptionRequired
fromobject

From specifies the source of a request.

true
toobject

To specifies the destination of a request.

true

ServiceSecuritySetting.spec.subsets[index].settings.authorization.rules.allow[index].from

↩ Parent

From specifies the source of a request.

NameTypeDescriptionRequired
fqnstring

The target resource identified by FQN which will be the source of a request.

false

ServiceSecuritySetting.spec.subsets[index].settings.authorization.rules.allow[index].to

↩ Parent

To specifies the destination of a request.

NameTypeDescriptionRequired
fqnstring

The target resource identified by FQN which will be the destination of a request.

false

ServiceSecuritySetting.spec.subsets[index].settings.authorization.rules.deny[index]

↩ Parent

NameTypeDescriptionRequired
fromobject

From specifies the source of a request.

true
toobject

To specifies the destination of a request.

true

ServiceSecuritySetting.spec.subsets[index].settings.authorization.rules.deny[index].from

↩ Parent

From specifies the source of a request.

NameTypeDescriptionRequired
fqnstring

The target resource identified by FQN which will be the source of a request.

false

ServiceSecuritySetting.spec.subsets[index].settings.authorization.rules.deny[index].to

↩ Parent

To specifies the destination of a request.

NameTypeDescriptionRequired
fqnstring

The target resource identified by FQN which will be the destination of a request.

false

ServiceSecuritySetting.spec.subsets[index].settings.configGenerationMetadata

↩ Parent

Metadata values that will be add into the Istio generated configurations.

NameTypeDescriptionRequired
annotationsmap[string]string

Set of key value paris that will be added into the metadata.annotations field of the Istio generated configurations.

false
labelsmap[string]string

Set of key value paris that will be added into the metadata.labels field of the Istio generated configurations.

false

ServiceSecuritySetting.spec.subsets[index].settings.extension[index]

↩ Parent

NameTypeDescriptionRequired
fqnstring

Fqn of the extension to be executed.

true
configobject

Configuration parameters sent to the WASM plugin execution.

false
match[]object

Specifies the criteria to determine which traffic is passed to WasmExtension.

false

ServiceSecuritySetting.spec.subsets[index].settings.extension[index].match[index]

↩ Parent

NameTypeDescriptionRequired
modeenum

Criteria for selecting traffic by their direction.


Enum: UNDEFINED, CLIENT, SERVER, CLIENT_AND_SERVER

false
ports[]object

Criteria for selecting traffic by their destination port.

false

ServiceSecuritySetting.spec.subsets[index].settings.extension[index].match[index].ports[index]

↩ Parent

NameTypeDescriptionRequired
numberinteger
true

ServiceSecuritySetting.spec.subsets[index].settings.waf

↩ Parent

NOTICE: this feature is in alpha stage and under active development.

NameTypeDescriptionRequired
rules[]string

Rules to be leveraged by WAF.

true