Skip to main content
logoTetrate Service BridgeVersion: 1.13.x

Service Security Setting

Service specific security settings for proxy workloads in a security group.

ServiceSecuritySetting

ServiceSecuritySetting allows configuring security related properties such as TLS authentication and access control for traffic arriving at a particular service in a security group. These settings will replace the security group wide settings for this service.

The following example defines a security setting that applies to the service foo in namespace ns1 that only allows mutual TLS authenticated traffic from other proxy workloads in the same group.

apiVersion: security.tsb.tetrate.io/v2
kind: ServiceSecuritySetting
metadata:
  name: foo-auth
  group: sg1
  workspace: w1
  tenant: mycompany
  org: myorg
spec:
  service: ns1/foo.ns1.svc.cluster.local
  settings:
    authentication: REQUIRED
    authorization:
      mode: GROUP

The following example customizes the Extensions to enable the execution of the WasmExtensions list specified, detailing custom properties for the execution of each extension.

apiVersion: security.tsb.tetrate.io/v2
kind: ServiceSecuritySetting
metadata:
  name: foo-wasm-plugin
  group: sg1
  workspace: w1
  tenant: mycompany
  org: myorg
spec:
  service: ns1/foo.ns1.svc.cluster.local
  settings:
    extension:
    - fqn: hello-world # fqn of imported extensions in TSB
      config:
        foo: bar
FieldDescriptionValidation Rule

service

string
REQUIRED
The service on which the configuration is being applied. Must be in namespace/FQDN format.

string = {
  pattern: ^[^/]+/[^/]+$
}

settings

tetrateio.api.tsb.security.v2.SecuritySetting
Security settings to apply to this service.

subsets

List of tetrateio.api.tsb.security.v2.ServiceSecuritySetting.Subset
Subset specific settings that will replace the service wide settings for the specified service subsets.

configGenerationMetadata

tetrateio.api.tsb.types.v2.ConfigGenerationMetadata
Metadata values that will be add into the Istio generated configurations. When using YAML APIs like tctl or gitops, put them into the metadata.labels or metadata.annotations instead. This field is only necessary when using gRPC APIs directly.

Subset

Subset allows replacing the settings for a specific version of a service.

FieldDescriptionValidation Rule

name

string
REQUIRED
Name used to refer to the subset. This must match a subset defined in the ServiceRoute for this service, else it will be omitted.

string = {
  min_len: 1
}

settings

tetrateio.api.tsb.security.v2.SecuritySetting
REQUIRED
Security settings to apply to this service subset.

message = {
  required: true
}