Tetrate Service Bridge API (1.13.x)

Tetrate Service Bridge API.

OAuth

OIDC

Callback endpoint for OAuth2 Authorization Code grant flows as part of the OIDC spec.

query Parameters
code
string

OAuth2 Authorization Code. When present this indicates the user authorized the request. TSB will use this code to acquire a token from the OIDC token endpoint and complete the login flow.

error
string

OAuth2 Error Code. When present this indicates that either the authorization request has an error, the OIDC provider encountered an error or the user failed to log in. When set TSB will display information to the user indicating what went wrong.

Standard error codes are listed in https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.2.1 and https://openid.net/specs/openid-connect-core-1_0.html#AuthError

state
required
string

The state parameter sent to the OIDC provider on the authorization request.

errorDescription
string

Optional error description sent by the OIDC provider when an error occurs.

errorUri
string

Optional error URI of a web page that includes additional information about the error.

Responses

Response samples

Content type
application/json
{ }
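How a callback carrying these parameters is typically validated before the code is exchanged at the token endpoint, as an added example that is not TSB's own code: the `PendingLogins` store, the `CallbackOutcome` type and the callback URLs are assumptions of this illustration.

```python
"""Validation of an OIDC Authorization Code callback with the query
parameters documented above (code, error, state, errorDescription, errorUri).

Added illustration only; not TSB's implementation. PendingLogins and
CallbackOutcome are assumptions of this example."""
from dataclasses import dataclass
from typing import Optional
from urllib.parse import parse_qs, urlsplit


@dataclass
class CallbackOutcome:
    ok: bool                             # True only when a code may be exchanged
    reason: str                          # short explanation of the decision
    code: Optional[str] = None           # authorization code, set when ok
    redirect_uri: Optional[str] = None   # where to send the user afterwards
    error: Optional[str] = None          # OAuth2 error code from the provider
    error_description: Optional[str] = None
    error_uri: Optional[str] = None


class PendingLogins:
    """Hypothetical server-side store of the states issued on authorization
    requests. Each state is single use and remembers the redirectUri the
    login endpoint was called with."""

    def __init__(self) -> None:
        self._pending: dict[str, str] = {}

    def issue(self, state: str, redirect_uri: str) -> None:
        self._pending[state] = redirect_uri

    def consume(self, state: str) -> Optional[str]:
        # pop(): a replayed state is rejected on the second callback
        return self._pending.pop(state, None)


def _single(params: dict, *names: str) -> tuple[Optional[str], bool]:
    """Return the value of the first present parameter among `names`, and
    whether that parameter was sent more than once (parameter pollution)."""
    for name in names:
        values = params.get(name)
        if values:
            return values[0], len(values) > 1
    return None, False


def handle_callback(url: str, pending: PendingLogins) -> CallbackOutcome:
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)

    # state is required: it binds the callback to a login this server started
    state, dup = _single(params, "state")
    if dup or not state:
        return CallbackOutcome(False, "missing or duplicated state")
    redirect_uri = pending.consume(state)
    if redirect_uri is None:
        return CallbackOutcome(False, "unknown or reused state")

    error, dup_e = _single(params, "error")
    code, dup_c = _single(params, "code")
    if dup_e or dup_c:
        return CallbackOutcome(False, "duplicated code or error parameter")

    if error is not None:
        # The provider reported a failure: surface what went wrong to the
        # user, but never exchange a code that arrived alongside an error.
        # RFC 6749 spells these error_description / error_uri.
        desc, _ = _single(params, "errorDescription", "error_description")
        uri, _ = _single(params, "errorUri", "error_uri")
        if uri is not None and urlsplit(uri).scheme not in ("http", "https"):
            uri = None  # only link the user to web pages, never other schemes
        return CallbackOutcome(False, "provider error", error=error,
                               error_description=desc, error_uri=uri)

    if code is None:
        return CallbackOutcome(False, "neither code nor error present")
    return CallbackOutcome(True, "code accepted", code=code,
                           redirect_uri=redirect_uri)
```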

Login endpoint to start an OIDC Authentication flow.

query Parameters
redirectUri
string

URL where the user will be redirected when the authentication flow completes.

Responses

Response samples

Content type
application/json
{ }

SidecarConfigurationService

SidecarInfoService

OnboardingAuthorizationService

OnboardingPlaneDiscoveryService

WorkloadRegistrationService

AgentSessionService

Applications

List all existing applications for the given tenant.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

Responses

Response samples

Content type
application/json
{
  "applications": []
}

Creates a new Application in TSB.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

Request Body schema: application/json
required
application
required
object (v2Application)

Applications are logical groupings of services that are related to each other, typically within a trusted group. A common example is a three-tier application composed of a frontend, a backend and a datastore service.

Applications are often consumed through APIs, and a single Application can expose one or more of those APIs. These APIs define the hostnames that are exposed and the methods exposed on each hostname.

apiVersion: application.tsb.tetrate.io/v2
kind: Application
metadata:
  name: three-tier
  organization: myorg
  tenant: tetrate
spec:
  workspace: organizations/myorg/tenants/tetrate/three-tier

name
required
string

The short name for the resource to be created.

Responses

Request samples

Content type
application/json
{
  "application": {},
  "name": "string"
}

Response samples

Content type
application/json
{
  "fqn": "string",
  "displayName": "string",
  "etag": "string",
  "description": "string",
  "workspace": "string",
  "namespaceSelector": {},
  "gatewayGroup": "string",
  "services": [],
  "configResources": []
}

Get the details of an existing application.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

application
required
string

Application name.

Responses

Response samples

Content type
application/json
{
  "fqn": "string",
  "displayName": "string",
  "etag": "string",
  "description": "string",
  "workspace": "string",
  "namespaceSelector": {},
  "gatewayGroup": "string",
  "services": [],
  "configResources": []
}

Modify an existing application.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

application
required
string

Application name.

Request Body schema: application/json
required
description
string

A description of the resource.

displayName
string

User friendly name for the resource.

etag
string

The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications.

gatewayGroup
string

Optional FQN of the Gateway Group to be used by the application. If no namespaces are configured and no existing gateway group is set, a new gateway group claiming all namespaces in the workspace (*/*) will be created by default. All Ingress Gateway resources created for the APIs attached to the application will be created in the application's gateway group.

namespaceSelector
object (NamespaceSelector)

`NamespaceSelector` selects a set of namespaces across one or more clusters in a tenant. Namespace selectors can be used at Workspace level to carve out a chunk of resources under a tenant into an isolated configuration domain. They can be used in a Traffic, Security, or a Gateway group to further scope the set of namespaces that will belong to a specific configuration group. Names in the namespace selector must be in the form `cluster/namespace`, where:

  • cluster must be a cluster name or `*` to mean all clusters
  • namespace must be a namespace name, `*` to mean all namespaces, or a prefix like `ns-*` to mean all namespaces whose name starts with `ns-`
services
Array of strings

Optional list of services that are part of the application. This is a list of FQNs of services in the service registry. If omitted, the application is assumed to own all the services in the workspace. Note that a service can only be part of one application. If any of the services in the list is already in use by an existing application, application creation/modification will fail. If the list of services is not explicitly set and any service in the workspace is already in use by another application, application creation/modification will fail.

workspace
required
string

FQN of the workspace this application is part of. The application will configure IngressGateways for the attached APIs in the different namespaces exposed by this workspace.

Responses

Request samples

Content type
application/json
{
  "description": "string",
  "displayName": "string",
  "etag": "string",
  "gatewayGroup": "string",
  "namespaceSelector": {},
  "services": [],
  "workspace": "string"
}

Response samples

Content type
application/json
{
  "fqn": "string",
  "displayName": "string",
  "etag": "string",
  "description": "string",
  "workspace": "string",
  "namespaceSelector": {},
  "gatewayGroup": "string",
  "services": [],
  "configResources": []
}

Delete an existing Application. Note that deleting resources in TSB is a recursive operation: deleting an application will delete all API objects that exist in it.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

application
required
string

Application name.

query Parameters
forceDeleteProtectedGroups
boolean

Force the deletion of internal groups even if they are protected against deletion.

Responses

Response samples

Content type
application/json
{ }

List all APIs attached to the given application.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

application
required
string

Application name.

Responses

Response samples

Content type
application/json
{
  "apis": []
}

Attach a new API to the given application.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

application
required
string

Application name.

Request Body schema: application/json
required
api
required
object (tsbapplicationv2API)

API objects define a set of servers and endpoints that expose the business logic for an Application. APIs are attached to existing Applications to configure how the features exposed by the different services that are part of the Application can be accessed.

The format used to define APIs is based on the OpenAPI v3 spec. Users can attach OpenAPI documents to the applications, and Service Bridge will generate all the configuration that is needed to make the APIs available. Service Bridge also provides a set of custom extensions to the OpenAPI spec that can be used to further customize the APIs in those cases where the standard OpenAPI properties are not sufficient.

The following example shows how an API can be attached to an existing application:

apiVersion: application.tsb.tetrate.io/v2
kind: API
metadata:
  organization: my-org
  tenant: tetrate
  application: example-app
  name: example-app-api
spec:
  description: An example OpenAPI based API
  workloadSelector:
    namespace: exampleapp
    labels:
      app: exampleapp-gateway
  openapi: |
    openapi: 3.0.0
    info:
      title: Sample API
      description: An example API defined in an OpenAPI spec
      version: 0.1.9
      x-tsb-service: sample-app.sample-ns   # service exposing this api
    servers:
    - url: http://api.example.com/v1
      description: Optional server description, e.g. Main (production) server
    - url: http://staging-api.example.com
    paths:
      /users:
        get:
          summary: Returns a list of users.
          description: Optional extended description in CommonMark or HTML.
          responses:
            '200':    # status code
              description: A JSON array of user names
              content:
                application/json:
                  schema:
                    type: array
                    items:
                      type: string

name
required
string

The short name for the resource to be created.

Responses

Request samples

Content type
application/json
{
  "api": {},
  "name": "string"
}

Response samples

Content type
application/json
{
  "fqn": "string",
  "displayName": "string",
  "etag": "string",
  "description": "string",
  "openapi": "string",
  "workloadSelector": {},
  "servers": [],
  "endpoints": [],
  "configResources": [],
  "httpServers": []
}

Get the details of an API.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

application
required
string

Application name.

api
required
string

API name.

Responses

Response samples

Content type
application/json
{
  "fqn": "string",
  "displayName": "string",
  "etag": "string",
  "description": "string",
  "openapi": "string",
  "workloadSelector": {},
  "servers": [],
  "endpoints": [],
  "configResources": [],
  "httpServers": []
}

Delete an existing API.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

application
required
string

Application name.

api
required
string

API name.

Responses

Response samples

Content type
application/json
{ }

DashboardService

Return the list of available dashboards, alongside their descriptions. Dashboards are identified by their names, which can be used to download them.

Responses

Response samples

Content type
application/json
{
  "dashboards": []
}

Download a Grafana dashboard in JSON format by providing the dashboard's name. The downloaded dashboard is intended to be uploaded to a Grafana instance. Platform operators can use each dashboard to monitor specific components of the TSB platform.

path Parameters
name
required
string

The name of the dashboard to download.

Responses

Response samples

Content type
application/json
{
  "contentType": "string",
  "data": "string",
  "extensions": []
}

ProxyDiagnosticService

Return the cluster stats of an Istio Proxy

path Parameters
organization
required
string

Organization name.

cluster
required
string

Cluster name.

Request Body schema: application/json
required
cluster
required
string

Fully-qualified name of the cluster the workload belongs to.

outputFormat
string (GetClusterStatsRequestClusterStatsFormat)
Default: "JSON"
Enum: "JSON" "TEXT"

Format of the cluster stats of an Istio Proxy.

  • JSON: JSON format.
  • TEXT: Text format.
workload
required
object (tsbdiagnosticv2Workload)

Name and namespace of a workload.

Responses

Request samples

Content type
application/json
{
  "cluster": "string",
  "outputFormat": "JSON",
  "workload": {}
}

Response samples

Content type
application/json
{
  "output": "string",
  "outputFormat": "JSON"
}

Return a config dump from a workload (Istio Proxy)

path Parameters
organization
required
string

Organization name.

cluster
required
string

Cluster name.

Request Body schema: application/json
required
all
object (v2GetConfigDumpRequestAll)

Dump all configuration.

bootstrap
object (GetConfigDumpRequestBootstrap)

Dump bootstrap configuration.

cluster
required
string

Fully-qualified name of the cluster the workload belongs to.

clusters
object (GetConfigDumpRequestClusters)

Dump cluster configuration.

ecds
object (GetConfigDumpRequestEcds)

Dump typed extension configuration.

endpoints
object (v2GetConfigDumpRequestEndpoints)

Dump endpoint configuration.

listeners
object (GetConfigDumpRequestListeners)

Dump listener configuration.

routes
object (GetConfigDumpRequestRoutes)

Dump route configuration.

secrets
object (v2GetConfigDumpRequestSecrets)

Dump secret configuration.

workload
required
object (tsbdiagnosticv2Workload)

Name and namespace of a workload.

Responses

Request samples

Content type
application/json
{
  "all": {},
  "bootstrap": {},
  "cluster": "string",
  "clusters": {},
  "ecds": {},
  "endpoints": {},
  "listeners": {},
  "routes": {},
  "secrets": {},
  "workload": {}
}

Response samples

Content type
application/json
{
  "output": "string"
}

Set the log levels of a workload

path Parameters
organization
required
string

Organization name.

cluster
required
string

Cluster name.

Request Body schema: application/json
required
allLoggers
object (SetLoggerLevelsRequestAllLoggers)

Desired level for all loggers.

cluster
required
string

Fully-qualified name of the cluster the workload belongs to.

givenLoggers
object (SetLoggerLevelsRequestGivenLoggers)

Desired levels for given loggers. Available log levels are: trace, debug, info, warning/warn, error, critical, off. Example: {"config": "trace", "grpc": "debug", "http": "debug", "http2": "debug"}. See https://www.envoyproxy.io/docs/envoy/latest/operations/admin#post--logging for more details about logger naming.

workload
required
object (tsbdiagnosticv2Workload)

Name and namespace of a workload.

Responses

Request samples

Content type
application/json
{
  "allLoggers": {},
  "cluster": "string",
  "givenLoggers": {},
  "workload": {}
}

Response samples

Content type
application/json
{
  "supportedLevels": [],
  "loggerLevels": {}
}

Return the logger levels of a workload

path Parameters
organization
required
string

Organization name.

cluster
required
string

Cluster name.

Request Body schema: application/json
required
cluster
required
string

Fully-qualified name of the cluster the workload belongs to.

workload
required
object (tsbdiagnosticv2Workload)

Name and namespace of a workload.

Responses

Request samples

Content type
application/json
{
  "cluster": "string",
  "workload": {}
}

Response samples

Content type
application/json
{
  "supportedLevels": [],
  "loggerLevels": {}
}

Return the server stats of an Istio Proxy

path Parameters
organization
required
string

Organization name.

cluster
required
string

Cluster name.

Request Body schema: application/json
required
cluster
required
string

Fully-qualified name of the cluster the workload belongs to.

outputFormat
string (GetServerStatsRequestServerStatsFormat)
Default: "JSON"
Enum: "JSON" "TEXT" "PROMETHEUS"

Format of the server stats of an Istio Proxy.

  • JSON: JSON format.
  • TEXT: Text format.
  • PROMETHEUS: Prometheus format.
workload
required
object (tsbdiagnosticv2Workload)

Name and namespace of a workload.

Responses

Request samples

Content type
application/json
{
  "cluster": "string",
  "outputFormat": "JSON",
  "workload": {}
}

Response samples

Content type
application/json
{
  "output": "string",
  "outputFormat": "JSON"
}

Return a stream of logs (the output of the `kubectl logs` command) of an Istio Proxy.

path Parameters
organization
required
string

Organization name.

cluster
required
string

Cluster name.

Request Body schema: application/json
required
cluster
required
string

Fully-qualified name of the cluster to execute the diagnostic task in.

follow
boolean

Follow the log stream of the pod. Defaults to false.

previous
boolean

Return logs of the previous terminated container instead of the logs of the current container. Defaults to false.

sinceSeconds
string <int64>

A relative time in seconds before the current time from which to show logs. If this value precedes the time a pod was started, only logs since the pod start will be returned. If this value is in the future, no logs will be returned.

workload
required
object (tsbdiagnosticv2Workload)

Name and namespace of a workload.

Responses

Request samples

Content type
application/json
{
  "cluster": "string",
  "follow": true,
  "previous": true,
  "sinceSeconds": "string",
  "workload": {}
}

Response samples

Content type
application/json
{
  "error": {},
  "result": {}
}

Return the workload names under a given FQN resource and cluster.

path Parameters
organization
required
string

Organization name.

cluster
required
string

Cluster name.

Request Body schema: application/json
required
cluster
required
string

Fully-qualified name of the cluster the workload belongs to.

filter
object (ListWorkloadsRequestFilter)

Workloads filter.

pageSize
integer <int32>

Optional. The maximum number of Workloads to return. The service may return fewer than this value. Rely on the next_page_token response field to determine if there are more workloads to be retrieved. If unspecified, at most 50 Workloads will be returned. The maximum value is 1000; values above 1000 will be coerced to 1000.

pageToken
string

Optional. A page token, received from a previous ListWorkloadsRequest call. Provide this to retrieve the subsequent page.

When paginating, all other parameters provided to ListWorkloadsRequest must match the call that provided the page token.

Responses

Request samples

Content type
application/json
{
  "cluster": "string",
  "filter": {},
  "pageSize": 0,
  "pageToken": "string"
}

Response samples

Content type
application/json
{
  "workloads": [],
  "nextPageToken": "string",
  "totalSize": 0
}

Return the cluster stats of an Istio Proxy

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

gatewaygroup
required
string

Gatewaygroup name.

Request Body schema: application/json
required
cluster
required
string

Fully-qualified name of the cluster the workload belongs to.

outputFormat
string (GetClusterStatsRequestClusterStatsFormat)
Default: "JSON"
Enum: "JSON" "TEXT"

Format of the cluster stats of an Istio Proxy.

  • JSON: JSON format.
  • TEXT: Text format.
workload
required
object (tsbdiagnosticv2Workload)

Name and namespace of a workload.

Responses

Request samples

Content type
application/json
{
  "cluster": "string",
  "outputFormat": "JSON",
  "workload": {}
}

Response samples

Content type
application/json
{
  "output": "string",
  "outputFormat": "JSON"
}

Return a config dump from a workload (Istio Proxy)

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

gatewaygroup
required
string

Gatewaygroup name.

Request Body schema: application/json
required
all
object (v2GetConfigDumpRequestAll)

Dump all configuration.

bootstrap
object (GetConfigDumpRequestBootstrap)

Dump bootstrap configuration.

cluster
required
string

Fully-qualified name of the cluster the workload belongs to.

clusters
object (GetConfigDumpRequestClusters)

Dump cluster configuration.

ecds
object (GetConfigDumpRequestEcds)

Dump typed extension configuration.

endpoints
object (v2GetConfigDumpRequestEndpoints)

Dump endpoint configuration.

listeners
object (GetConfigDumpRequestListeners)

Dump listener configuration.

routes
object (GetConfigDumpRequestRoutes)

Dump route configuration.

secrets
object (v2GetConfigDumpRequestSecrets)

Dump secret configuration.

workload
required
object (tsbdiagnosticv2Workload)

Name and namespace of a workload.

Responses

Request samples

Content type
application/json
{
  "all": {},
  "bootstrap": {},
  "cluster": "string",
  "clusters": {},
  "ecds": {},
  "endpoints": {},
  "listeners": {},
  "routes": {},
  "secrets": {},
  "workload": {}
}

Response samples

Content type
application/json
{
  "output": "string"
}

Set the log levels of a workload

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

gatewaygroup
required
string

Gatewaygroup name.

Request Body schema: application/json
required
allLoggers
object (SetLoggerLevelsRequestAllLoggers)

Desired level for all loggers.

cluster
required
string

Fully-qualified name of the cluster the workload belongs to.

givenLoggers
object (SetLoggerLevelsRequestGivenLoggers)

Desired levels for given loggers. Available log levels are: trace, debug, info, warning/warn, error, critical, off. Example: {"config": "trace", "grpc": "debug", "http": "debug", "http2": "debug"}. See https://www.envoyproxy.io/docs/envoy/latest/operations/admin#post--logging for more details about logger naming.

workload
required
object (tsbdiagnosticv2Workload)

Name and namespace of a workload.

Responses

Request samples

Content type
application/json
{
  "allLoggers": {},
  "cluster": "string",
  "givenLoggers": {},
  "workload": {}
}

Response samples

Content type
application/json
{
  "supportedLevels": [],
  "loggerLevels": {}
}

Return the logger levels of a workload

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

gatewaygroup
required
string

Gatewaygroup name.

Request Body schema: application/json
required
cluster
required
string

Fully-qualified name of the cluster the workload belongs to.

workload
required
object (tsbdiagnosticv2Workload)

Name and namespace of a workload.

Responses

Request samples

Content type
application/json
{
  "cluster": "string",
  "workload": {}
}

Response samples

Content type
application/json
{
  "supportedLevels": [],
  "loggerLevels": {}
}

Return the server stats of an Istio Proxy

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

gatewaygroup
required
string

Gatewaygroup name.

Request Body schema: application/json
required
cluster
required
string

Fully-qualified name of the cluster the workload belongs to.

outputFormat
string (GetServerStatsRequestServerStatsFormat)
Default: "JSON"
Enum: "JSON" "TEXT" "PROMETHEUS"

Format of the server stats of an Istio Proxy.

  • JSON: JSON format.
  • TEXT: Text format.
  • PROMETHEUS: Prometheus format.
workload
required
object (tsbdiagnosticv2Workload)

Name and namespace of a workload.

Responses

Request samples

Content type
application/json
{
  "cluster": "string",
  "outputFormat": "JSON",
  "workload": {}
}

Response samples

Content type
application/json
{
  "output": "string",
  "outputFormat": "JSON"
}

Return a stream of logs (the output of the `kubectl logs` command) of an Istio Proxy.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

gatewaygroup
required
string

Gatewaygroup name.

Request Body schema: application/json
required
cluster
required
string

Fully-qualified name of the cluster to execute the diagnostic task in.

follow
boolean

Follow the log stream of the pod. Defaults to false.

previous
boolean

Return logs of the previous terminated container instead of the logs of the current container. Defaults to false.

sinceSeconds
string <int64>

A relative time in seconds before the current time from which to show logs. If this value precedes the time a pod was started, only logs since the pod start will be returned. If this value is in the future, no logs will be returned.

workload
required
object (tsbdiagnosticv2Workload)

Name and namespace of a workload.

Responses

Request samples

Content type
application/json
{
  "cluster": "string",
  "follow": true,
  "previous": true,
  "sinceSeconds": "string",
  "workload": {}
}

Response samples

Content type
application/json
{
  "error": {},
  "result": {}
}

Return the workload names under a given FQN resource and cluster.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

gatewaygroup
required
string

Gatewaygroup name.

Request Body schema: application/json
required
cluster
required
string

Fully-qualified name of the cluster the workload belongs to.

filter
object (ListWorkloadsRequestFilter)

Workloads filter.

pageSize
integer <int32>

Optional. The maximum number of Workloads to return. The service may return fewer than this value. Rely on the next_page_token response field to determine if there are more workloads to be retrieved. If unspecified, at most 50 Workloads will be returned. The maximum value is 1000; values above 1000 will be coerced to 1000.

pageToken
string

Optional. A page token, received from a previous ListWorkloadsRequest call. Provide this to retrieve the subsequent page.

When paginating, all other parameters provided to ListWorkloadsRequest must match the call that provided the page token.

Responses

Request samples

Content type
application/json
{
  "cluster": "string",
  "filter": {},
  "pageSize": 0,
  "pageToken": "string"
}

Response samples

Content type
application/json
{
  "workloads": [],
  "nextPageToken": "string",
  "totalSize": 0
}

Return the cluster stats of an Istio Proxy

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

istiointernalgroup
required
string

Istiointernalgroup name.

Request Body schema: application/json
required
cluster
required
string

Fully-qualified name of the cluster the workload belongs to.

outputFormat
string (GetClusterStatsRequestClusterStatsFormat)
Default: "JSON"
Enum: "JSON" "TEXT"

Format of the cluster stats of an Istio Proxy.

  • JSON: JSON format.
  • TEXT: Text format.
workload
required
object (tsbdiagnosticv2Workload)

Name and namespace of a workload.

Responses

Request samples

Content type
application/json
{
  "cluster": "string",
  "outputFormat": "JSON",
  "workload": {}
}

Response samples

Content type
application/json
{
  "output": "string",
  "outputFormat": "JSON"
}

Return a config dump from a workload (Istio Proxy)

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

istiointernalgroup
required
string

Istiointernalgroup name.

Request Body schema: application/json
required
all
object (v2GetConfigDumpRequestAll)

Dump all configuration.

bootstrap
object (GetConfigDumpRequestBootstrap)

Dump bootstrap configuration.

cluster
required
string

Fully-qualified name of the cluster the workload belongs to.

clusters
object (GetConfigDumpRequestClusters)

Dump cluster configuration.

ecds
object (GetConfigDumpRequestEcds)

Dump typed extension configuration.

endpoints
object (v2GetConfigDumpRequestEndpoints)

Dump endpoint configuration.

listeners
object (GetConfigDumpRequestListeners)

Dump listener configuration.

routes
object (GetConfigDumpRequestRoutes)

Dump route configuration.

secrets
object (v2GetConfigDumpRequestSecrets)

Dump secret configuration.

workload
required
object (tsbdiagnosticv2Workload)

Name and namespace of a workload.

Responses

Request samples

Content type
application/json
{
  "all": {},
  "bootstrap": {},
  "cluster": "string",
  "clusters": {},
  "ecds": {},
  "endpoints": {},
  "listeners": {},
  "routes": {},
  "secrets": {},
  "workload": {}
}

Response samples

Content type
application/json
{
  "output": "string"
}

Set the log levels of a workload

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

istiointernalgroup
required
string

Istiointernalgroup name.

Request Body schema: application/json
required
allLoggers
object (SetLoggerLevelsRequestAllLoggers)

Desired level for all loggers.

cluster
required
string

Fully-qualified name of the cluster the workload belongs to.

givenLoggers
object (SetLoggerLevelsRequestGivenLoggers)

Desired levels for given loggers. Available log levels are: trace, debug, info, warning/warn, error, critical, off. Example: {"config": "trace", "grpc": "debug", "http": "debug", "http2": "debug"}. See https://www.envoyproxy.io/docs/envoy/latest/operations/admin#post--logging for more details about logger naming.

workload
required
object (tsbdiagnosticv2Workload)

Name and namespace of a workload.

Responses

Request samples

Content type
application/json
{
  "allLoggers": {},
  "cluster": "string",
  "givenLoggers": {},
  "workload": {}
}

Response samples

Content type
application/json
{
  "supportedLevels": [],
  "loggerLevels": {}
}

Return the logger levels of a workload

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

istiointernalgroup
required
string

Istiointernalgroup name.

Request Body schema: application/json
required
cluster
required
string

Fully-qualified name of the cluster the workload belongs to.

workload
required
object (tsbdiagnosticv2Workload)

Name and namespace of a workload.

Responses

Request samples

Content type
application/json
{
  "cluster": "string",
  "workload": {}
}

Response samples

Content type
application/json
{
  "supportedLevels": [],
  "loggerLevels": {}
}

Return the server stats of an Istio Proxy

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

istiointernalgroup
required
string

Istiointernalgroup name.

Request Body schema: application/json
required
cluster
required
string

Fully-qualified name of the cluster the workload belongs to.

outputFormat
string (GetServerStatsRequestServerStatsFormat)
Default: "JSON"
Enum: "JSON" "TEXT" "PROMETHEUS"

Format of the server stats of an Istio Proxy.

  • JSON: JSON format.
  • TEXT: Text format.
  • PROMETHEUS: Prometheus format.
workload
required
object (tsbdiagnosticv2Workload)

Name and namespace of a workload.

Responses

Request samples

Content type
application/json
{
  "cluster": "string",
  "outputFormat": "JSON",
  "workload": {}
}

Response samples

Content type
application/json
{
  "output": "string",
  "outputFormat": "JSON"
}

Return a stream of logs (the output of the `kubectl logs` command) of an Istio Proxy.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

istiointernalgroup
required
string

Istiointernalgroup name.

Request Body schema: application/json
required
cluster
required
string

Fully-qualified name of the cluster to execute the diagnostic task in.

follow
boolean

Follow the log stream of the pod. Defaults to false.

previous
boolean

Return logs of the previous terminated container instead of the logs of the current container. Defaults to false.

sinceSeconds
string <int64>

A relative time in seconds before the current time from which to show logs. If this value precedes the time a pod was started, only logs since the pod start will be returned. If this value is in the future, no logs will be returned.

workload
required
object (tsbdiagnosticv2Workload)

Name and namespace of a workload.

Responses

Request samples

Content type
application/json
{
  "cluster": "string",
  "follow": true,
  "previous": true,
  "sinceSeconds": "string",
  "workload": {}
}

Response samples

Content type
application/json
{
  "error": {},
  "result": {}
}

Return the workload names under a given FQN resource and cluster.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

istiointernalgroup
required
string

Istiointernalgroup name.

Request Body schema: application/json
required
cluster
required
string

Fully-qualified name of the cluster the workload belongs to.

filter
object (ListWorkloadsRequestFilter)

Workloads filter.

pageSize
integer <int32>

Optional. The maximum number of Workloads to return. The service may return fewer than this value. Rely on the next_page_token response field to determine if there are more workloads to be retrieved. If unspecified, at most 50 Workloads will be returned. The maximum value is 1000; values above 1000 will be coerced to 1000.

pageToken
string

Optional. A page token, received from a previous ListWorkloadsRequest call. Provide this to retrieve the subsequent page.

When paginating, all other parameters provided to ListWorkloadsRequest must match the call that provided the page token.

Responses

Request samples

Content type
application/json
{
  "cluster": "string",
  "filter": {},
  "pageSize": 0,
  "pageToken": "string"
}

Response samples

Content type
application/json
{
  "workloads": [],
  "nextPageToken": "string",
  "totalSize": 0
}

Return the cluster stats of an Istio Proxy

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

Request Body schema: application/json
required
cluster
required
string

Fully-qualified name of the cluster the workload belongs to.

outputFormat
string (GetClusterStatsRequestClusterStatsFormat)
Default: "JSON"
Enum: "JSON" "TEXT"

Format of the cluster stats of an Istio Proxy.

  • JSON: JSON format.
  • TEXT: Text format.

workload
required
object (tsbdiagnosticv2Workload)

Name and namespace of a workload.

Responses

Request samples

Content type
application/json
{
  "cluster": "string",
  "outputFormat": "JSON",
  "workload": {}
}

Response samples

Content type
application/json
{
  "output": "string",
  "outputFormat": "JSON"
}

Return a config dump from a workload (Istio Proxy)

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

Request Body schema: application/json
required
all
object (v2GetConfigDumpRequestAll)

Dump all configuration.

bootstrap
object (GetConfigDumpRequestBootstrap)

Dump bootstrap configuration.

cluster
required
string

Fully-qualified name of the cluster the workload belongs to.

clusters
object (GetConfigDumpRequestClusters)

Dump cluster configuration.

ecds
object (GetConfigDumpRequestEcds)

Dump typed extension configuration.

endpoints
object (v2GetConfigDumpRequestEndpoints)

Dump endpoint configuration.

listeners
object (GetConfigDumpRequestListeners)

Dump listener configuration.

routes
object (GetConfigDumpRequestRoutes)

Dump route configuration.

secrets
object (v2GetConfigDumpRequestSecrets)

Dump secret configuration.

workload
required
object (tsbdiagnosticv2Workload)

Name and namespace of a workload.

Responses

Request samples

Content type
application/json
{
  "all": {},
  "bootstrap": {},
  "cluster": "string",
  "clusters": {},
  "ecds": {},
  "endpoints": {},
  "listeners": {},
  "routes": {},
  "secrets": {},
  "workload": {}
}

Response samples

Content type
application/json
{
  "output": "string"
}

Set the log levels of a workload

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

Request Body schema: application/json
required
allLoggers
object (SetLoggerLevelsRequestAllLoggers)

Desired level for all loggers.

cluster
required
string

Fully-qualified name of the cluster the workload belongs to.

givenLoggers
object (SetLoggerLevelsRequestGivenLoggers)

Desired levels for given loggers. Available log levels are: trace, debug, info, warning/warn, error, critical, off. Examples: {"config": "trace", "grpc": "debug", "http": "debug", "http2": "debug"} See https://www.envoyproxy.io/docs/envoy/latest/operations/admin#post--logging for more details about loggers' naming.

workload
required
object (tsbdiagnosticv2Workload)

Name and namespace of a workload.

Responses

Request samples

Content type
application/json
{
  "allLoggers": {},
  "cluster": "string",
  "givenLoggers": {},
  "workload": {}
}

Response samples

Content type
application/json
{
  "supportedLevels": [],
  "loggerLevels": {}
}

Return the logger levels of a workload

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

Request Body schema: application/json
required
cluster
required
string

Fully-qualified name of the cluster the workload belongs to.

workload
required
object (tsbdiagnosticv2Workload)

Name and namespace of a workload.

Responses

Request samples

Content type
application/json
{
  "cluster": "string",
  "workload": {}
}

Response samples

Content type
application/json
{
  "supportedLevels": [],
  "loggerLevels": {}
}

Return the server stats of an Istio Proxy

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

Request Body schema: application/json
required
cluster
required
string

Fully-qualified name of the cluster the workload belongs to.

outputFormat
string (GetServerStatsRequestServerStatsFormat)
Default: "JSON"
Enum: "JSON" "TEXT" "PROMETHEUS"

Format of the server stats of an Istio Proxy.

  • JSON: JSON format.
  • TEXT: Text format.
  • PROMETHEUS: Prometheus format.

workload
required
object (tsbdiagnosticv2Workload)

Name and namespace of a workload.

Responses

Request samples

Content type
application/json
{
  "cluster": "string",
  "outputFormat": "JSON",
  "workload": {}
}

Response samples

Content type
application/json
{
  "output": "string",
  "outputFormat": "JSON"
}

Return a stream of logs (the output of the `kubectl logs` command) of an Istio Proxy.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

Request Body schema: application/json
required
cluster
required
string

Fully-qualified name of the cluster to execute the diagnostic task in.

follow
boolean

Follow the log stream of the pod. Defaults to false.

previous
boolean

Return logs of the previous terminated container instead of the logs of the current container. Defaults to false.

sinceSeconds
string <int64>

A relative time in seconds before the current time from which to show logs. If this value precedes the time a pod was started, only logs since the pod start will be returned. If this value is in the future, no logs will be returned.

workload
required
object (tsbdiagnosticv2Workload)

Name and namespace of a workload.

Responses

Request samples

Content type
application/json
{
  "cluster": "string",
  "follow": true,
  "previous": true,
  "sinceSeconds": "string",
  "workload": {}
}

Response samples

Content type
application/json
{
  "error": {},
  "result": {}
}

Return the workload names under a given FQN resource and cluster.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

Request Body schema: application/json
required
cluster
required
string

Fully-qualified name of the cluster the workload belongs to.

filter
object (ListWorkloadsRequestFilter)

Workloads filter.

pageSize
integer <int32>

Optional. The maximum number of Workloads to return. The service may return fewer than this value. Rely on the next_page_token response field to determine if there are more workloads to be retrieved. If unspecified, at most 50 Workloads will be returned. The maximum value is 1000; values above 1000 will be coerced to 1000.

pageToken
string

Optional. A page token, received from a previous ListWorkloadsRequest call. Provide this to retrieve the subsequent page.

When paginating, all other parameters provided to ListWorkloadsRequest must match the call that provided the page token.

Responses

Request samples

Content type
application/json
{
  "cluster": "string",
  "filter": {},
  "pageSize": 0,
  "pageToken": "string"
}

Response samples

Content type
application/json
{
  "workloads": [],
  "nextPageToken": "string",
  "totalSize": 0
}

Return the cluster stats of an Istio Proxy

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

securitygroup
required
string

Securitygroup name.

Request Body schema: application/json
required
cluster
required
string

Fully-qualified name of the cluster the workload belongs to.

outputFormat
string (GetClusterStatsRequestClusterStatsFormat)
Default: "JSON"
Enum: "JSON" "TEXT"

Format of the cluster stats of an Istio Proxy.

  • JSON: JSON format.
  • TEXT: Text format.

workload
required
object (tsbdiagnosticv2Workload)

Name and namespace of a workload.

Responses

Request samples

Content type
application/json
{
  "cluster": "string",
  "outputFormat": "JSON",
  "workload": {}
}

Response samples

Content type
application/json
{
  "output": "string",
  "outputFormat": "JSON"
}

Return a config dump from a workload (Istio Proxy)

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

securitygroup
required
string

Securitygroup name.

Request Body schema: application/json
required
all
object (v2GetConfigDumpRequestAll)

Dump all configuration.

bootstrap
object (GetConfigDumpRequestBootstrap)

Dump bootstrap configuration.

cluster
required
string

Fully-qualified name of the cluster the workload belongs to.

clusters
object (GetConfigDumpRequestClusters)

Dump cluster configuration.

ecds
object (GetConfigDumpRequestEcds)

Dump typed extension configuration.

endpoints
object (v2GetConfigDumpRequestEndpoints)

Dump endpoint configuration.

listeners
object (GetConfigDumpRequestListeners)

Dump listener configuration.

routes
object (GetConfigDumpRequestRoutes)

Dump route configuration.

secrets
object (v2GetConfigDumpRequestSecrets)

Dump secret configuration.

workload
required
object (tsbdiagnosticv2Workload)

Name and namespace of a workload.

Responses

Request samples

Content type
application/json
{
  "all": {},
  "bootstrap": {},
  "cluster": "string",
  "clusters": {},
  "ecds": {},
  "endpoints": {},
  "listeners": {},
  "routes": {},
  "secrets": {},
  "workload": {}
}

Response samples

Content type
application/json
{
  "output": "string"
}

Set the log levels of a workload

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

securitygroup
required
string

Securitygroup name.

Request Body schema: application/json
required
allLoggers
object (SetLoggerLevelsRequestAllLoggers)

Desired level for all loggers.

cluster
required
string

Fully-qualified name of the cluster the workload belongs to.

givenLoggers
object (SetLoggerLevelsRequestGivenLoggers)

Desired levels for given loggers. Available log levels are: trace, debug, info, warning/warn, error, critical, off. Examples: {"config": "trace", "grpc": "debug", "http": "debug", "http2": "debug"} See https://www.envoyproxy.io/docs/envoy/latest/operations/admin#post--logging for more details about loggers' naming.

workload
required
object (tsbdiagnosticv2Workload)

Name and namespace of a workload.

Responses

Request samples

Content type
application/json
{
  "allLoggers": {},
  "cluster": "string",
  "givenLoggers": {},
  "workload": {}
}

Response samples

Content type
application/json
{
  "supportedLevels": [],
  "loggerLevels": {}
}

Return the logger levels of a workload

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

securitygroup
required
string

Securitygroup name.

Request Body schema: application/json
required
cluster
required
string

Fully-qualified name of the cluster the workload belongs to.

workload
required
object (tsbdiagnosticv2Workload)

Name and namespace of a workload.

Responses

Request samples

Content type
application/json
{
  "cluster": "string",
  "workload": {}
}

Response samples

Content type
application/json
{
  "supportedLevels": [],
  "loggerLevels": {}
}

Return the server stats of an Istio Proxy

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

securitygroup
required
string

Securitygroup name.

Request Body schema: application/json
required
cluster
required
string

Fully-qualified name of the cluster the workload belongs to.

outputFormat
string (GetServerStatsRequestServerStatsFormat)
Default: "JSON"
Enum: "JSON" "TEXT" "PROMETHEUS"

Format of the server stats of an Istio Proxy.

  • JSON: JSON format.
  • TEXT: Text format.
  • PROMETHEUS: Prometheus format.

workload
required
object (tsbdiagnosticv2Workload)

Name and namespace of a workload.

Responses

Request samples

Content type
application/json
{
  "cluster": "string",
  "outputFormat": "JSON",
  "workload": {}
}

Response samples

Content type
application/json
{
  "output": "string",
  "outputFormat": "JSON"
}

Return a stream of logs (the output of the `kubectl logs` command) of an Istio Proxy.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

securitygroup
required
string

Securitygroup name.

Request Body schema: application/json
required
cluster
required
string

Fully-qualified name of the cluster to execute the diagnostic task in.

follow
boolean

Follow the log stream of the pod. Defaults to false.

previous
boolean

Return logs of the previous terminated container instead of the logs of the current container. Defaults to false.

sinceSeconds
string <int64>

A relative time in seconds before the current time from which to show logs. If this value precedes the time a pod was started, only logs since the pod start will be returned. If this value is in the future, no logs will be returned.

workload
required
object (tsbdiagnosticv2Workload)

Name and namespace of a workload.

Responses

Request samples

Content type
application/json
{
  "cluster": "string",
  "follow": true,
  "previous": true,
  "sinceSeconds": "string",
  "workload": {}
}

Response samples

Content type
application/json
{
  "error": {},
  "result": {}
}

Return the workload names under a given FQN resource and cluster.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

securitygroup
required
string

Securitygroup name.

Request Body schema: application/json
required
cluster
required
string

Fully-qualified name of the cluster the workload belongs to.

filter
object (ListWorkloadsRequestFilter)

Workloads filter.

pageSize
integer <int32>

Optional. The maximum number of Workloads to return. The service may return fewer than this value. Rely on the next_page_token response field to determine if there are more workloads to be retrieved. If unspecified, at most 50 Workloads will be returned. The maximum value is 1000; values above 1000 will be coerced to 1000.

pageToken
string

Optional. A page token, received from a previous ListWorkloadsRequest call. Provide this to retrieve the subsequent page.

When paginating, all other parameters provided to ListWorkloadsRequest must match the call that provided the page token.

Responses

Request samples

Content type
application/json
{
  "cluster": "string",
  "filter": {},
  "pageSize": 0,
  "pageToken": "string"
}

Response samples

Content type
application/json
{
  "workloads": [],
  "nextPageToken": "string",
  "totalSize": 0
}

Return the cluster stats of an Istio Proxy

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

trafficgroup
required
string

Trafficgroup name.

Request Body schema: application/json
required
cluster
required
string

Fully-qualified name of the cluster the workload belongs to.

outputFormat
string (GetClusterStatsRequestClusterStatsFormat)
Default: "JSON"
Enum: "JSON" "TEXT"

Format of the cluster stats of an Istio Proxy.

  • JSON: JSON format.
  • TEXT: Text format.

workload
required
object (tsbdiagnosticv2Workload)

Name and namespace of a workload.

Responses

Request samples

Content type
application/json
{
  "cluster": "string",
  "outputFormat": "JSON",
  "workload": {}
}

Response samples

Content type
application/json
{
  "output": "string",
  "outputFormat": "JSON"
}

Return a config dump from a workload (Istio Proxy)

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

trafficgroup
required
string

Trafficgroup name.

Request Body schema: application/json
required
all
object (v2GetConfigDumpRequestAll)

Dump all configuration.

bootstrap
object (GetConfigDumpRequestBootstrap)

Dump bootstrap configuration.

cluster
required
string

Fully-qualified name of the cluster the workload belongs to.

clusters
object (GetConfigDumpRequestClusters)

Dump cluster configuration.

ecds
object (GetConfigDumpRequestEcds)

Dump typed extension configuration.

endpoints
object (v2GetConfigDumpRequestEndpoints)

Dump endpoint configuration.

listeners
object (GetConfigDumpRequestListeners)

Dump listener configuration.

routes
object (GetConfigDumpRequestRoutes)

Dump route configuration.

secrets
object (v2GetConfigDumpRequestSecrets)

Dump secret configuration.

workload
required
object (tsbdiagnosticv2Workload)

Name and namespace of a workload.

Responses

Request samples

Content type
application/json
{
  "all": {},
  "bootstrap": {},
  "cluster": "string",
  "clusters": {},
  "ecds": {},
  "endpoints": {},
  "listeners": {},
  "routes": {},
  "secrets": {},
  "workload": {}
}

Response samples

Content type
application/json
{
  "output": "string"
}

Set the log levels of a workload

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

trafficgroup
required
string

Trafficgroup name.

Request Body schema: application/json
required
allLoggers
object (SetLoggerLevelsRequestAllLoggers)

Desired level for all loggers.

cluster
required
string

Fully-qualified name of the cluster the workload belongs to.

givenLoggers
object (SetLoggerLevelsRequestGivenLoggers)

Desired levels for given loggers. Available log levels are: trace, debug, info, warning/warn, error, critical, off. Examples: {"config": "trace", "grpc": "debug", "http": "debug", "http2": "debug"} See https://www.envoyproxy.io/docs/envoy/latest/operations/admin#post--logging for more details about loggers' naming.

workload
required
object (tsbdiagnosticv2Workload)

Name and namespace of a workload.

Responses

Request samples

Content type
application/json
{
  "allLoggers": {},
  "cluster": "string",
  "givenLoggers": {},
  "workload": {}
}

Response samples

Content type
application/json
{
  "supportedLevels": [],
  "loggerLevels": {}
}

Return the logger levels of a workload

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

trafficgroup
required
string

Trafficgroup name.

Request Body schema: application/json
required
cluster
required
string

Fully-qualified name of the cluster the workload belongs to.

workload
required
object (tsbdiagnosticv2Workload)

Name and namespace of a workload.

Responses

Request samples

Content type
application/json
{
  "cluster": "string",
  "workload": {}
}

Response samples

Content type
application/json
{
  "supportedLevels": [],
  "loggerLevels": {}
}

Return the server stats of an Istio Proxy

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

trafficgroup
required
string

Trafficgroup name.

Request Body schema: application/json
required
cluster
required
string

Fully-qualified name of the cluster the workload belongs to.

outputFormat
string (GetServerStatsRequestServerStatsFormat)
Default: "JSON"
Enum: "JSON" "TEXT" "PROMETHEUS"

Format of the server stats of an Istio Proxy.

  • JSON: JSON format.
  • TEXT: Text format.
  • PROMETHEUS: Prometheus format.

workload
required
object (tsbdiagnosticv2Workload)

Name and namespace of a workload.

Responses

Request samples

Content type
application/json
{
  • "cluster": "string",
  • "outputFormat": "JSON",
  • "workload": {
    }
}

Response samples

Content type
application/json
{
  "output": "string",
  "outputFormat": "JSON"
}

Return a stream of logs (the output of the `kubectl logs` command) of an Istio Proxy.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

trafficgroup
required
string

Trafficgroup name.

Request Body schema: application/json
required
cluster
required
string

Fully-qualified name of the cluster to execute the diagnostic task in.

follow
boolean

Follow the log stream of the pod. Defaults to false.

previous
boolean

Return logs of the previous terminated container instead of the logs of the current container. Defaults to false.

sinceSeconds
string <int64>

A relative time in seconds before the current time from which to show logs. If this value precedes the time a pod was started, only logs since the pod start will be returned. If this value is in the future, no logs will be returned.

workload
required
object (tsbdiagnosticv2Workload)

Name and namespace of a workload.

Responses

Request samples

Content type
application/json
{
  "cluster": "string",
  "follow": true,
  "previous": true,
  "sinceSeconds": "string",
  "workload": {}
}

Response samples

Content type
application/json
{
  "error": {},
  "result": {}
}

Return the workload names under a given FQN resource and cluster.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

trafficgroup
required
string

Trafficgroup name.

Request Body schema: application/json
required
cluster
required
string

Fully-qualified name of the cluster the workload belongs to.

filter
object (ListWorkloadsRequestFilter)

Workloads filter.

pageSize
integer <int32>

Optional. The maximum number of Workloads to return. The service may return fewer than this value. Rely on the next_page_token response field to determine if there are more workloads to be retrieved. If unspecified, at most 50 Workloads will be returned. The maximum value is 1000; values above 1000 will be coerced to 1000.

pageToken
string

Optional. A page token, received from a previous ListWorkloadsRequest call. Provide this to retrieve the subsequent page.

When paginating, all other parameters provided to ListWorkloadsRequest must match the call that provided the page token.

Responses

Request samples

Content type
application/json
{
  "cluster": "string",
  "filter": {},
  "pageSize": 0,
  "pageToken": "string"
}

Response samples

Content type
application/json
{
  "workloads": [],
  "nextPageToken": "string",
  "totalSize": 0
}

WasmExtensions

List the WASM extensions that are defined for the Organization.

path Parameters
organization
required
string

Organization name.

Responses

Response samples

Content type
application/json
{
  "extensions": []
}

Creates a new WasmExtension object in TSB. This is needed to let the extensions run. Once a WasmExtension has been created, it can be assigned to IngressGateway and SecuritySetting. This method returns the created extension.

path Parameters
organization
required
string

Organization name.

Request Body schema: application/json
required
name
required
string

The short name for the resource to be created.

wasmExtension
required
object (v2WasmExtension)

The WASM extension resource allows defining custom WASM extensions that are packaged in OCI images. The resource allows specifying extension metadata that helps understand how extensions work and how they can be used. Once defined, extensions can be referenced in Ingress and Egress Gateways and Security Groups so that traffic is captured and processed by the extension accordingly. By default, extensions are globally available, but they can be assigned to specific Tenants as well to further control and constrain where in the Organization the extensions are allowed to be used.

apiVersion: extension.tsb.tetrate.io/v2
kind: WasmExtension
metadata:
  organization: org
  name: wasm-auth
spec:
  allowedIn:
    - organizations/org/tenants/tenant1
  url: oci://docker.io/example/my-wasm-extension:1.0
  source: https://github.com/example/wasm-extension
  description: |
    Long description for the extension such as an
    entire README file
  phase: AUTHZ
  priority: 1000
  config:
    some_key: some_value

WASM extensions can also reference HTTP endpoints:

apiVersion: extension.tsb.tetrate.io/v2
kind: WasmExtension
metadata:
  organization: org
  name: wasm-http
spec:
  url: http://tetrate.io/my-extension.wasm
  source: https://github.com/example/wasm-extension
  description: |
    Long description for the extension such as an
    entire README file
  phase: AUTHZ
  priority: 1000
  config:
    some_key: some_value

Responses

Request samples

Content type
application/json
{
  "name": "string",
  "wasmExtension": {}
}

Response samples

Content type
application/json
{
  "fqn": "string",
  "displayName": "string",
  "etag": "string",
  "description": "string",
  "allowedIn": [],
  "image": "string",
  "source": "string",
  "phase": "UNSPECIFIED_PHASE",
  "priority": 0,
  "config": {},
  "imagePullPolicy": "UNSPECIFIED_POLICY",
  "imagePullSecret": "string",
  "vmConfig": {},
  "url": "string",
  "match": {}
}

Get a WASM extension

path Parameters
organization
required
string

Organization name.

extension
required
string

Extension name.

Responses

Response samples

Content type
application/json
{
  "fqn": "string",
  "displayName": "string",
  "etag": "string",
  "description": "string",
  "allowedIn": [],
  "image": "string",
  "source": "string",
  "phase": "UNSPECIFIED_PHASE",
  "priority": 0,
  "config": {},
  "imagePullPolicy": "UNSPECIFIED_POLICY",
  "imagePullSecret": "string",
  "vmConfig": {},
  "url": "string",
  "match": {}
}

Modify an existing WasmExtension. When modifying the details of an extension in use, such as the image property, enabled flag, phase, or default configuration, a redeploy or reconfiguration of the extension may be triggered, affecting live traffic in all those places that reference the extension. Similarly, changes to the allowed_in property may trigger the removal of the extension from all places where the extension was in use that are not allowed to use it anymore, affecting live traffic on the relevant namespaces as well.

path Parameters
organization
required
string

Organization name.

extension
required
string

Extension name.

Request Body schema: application/json
required
allowedIn
Array of strings

List of FQNs where this extension is allowed to run. If it is empty, the extension can be used across the entire organization. Currently only Tenant resources are considered.

config
object

Configuration parameters sent to the WASM plugin execution. The configuration can be overwritten when instantiating the extensions in IngressGateways or Security groups. The config is serialized using proto3 JSON marshaling and passed to proxy_on_configure when the host environment starts the plugin.

description
string

A description of the extension.

displayName
string

User friendly name for the extension.

etag
string

The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications.
image
string

Deprecated. Use the url field instead. Repository and tag of the OCI image containing the WASM extension.

imagePullPolicy
string (WasmExtensionPullPolicy)
Default: "UNSPECIFIED_POLICY"
Enum: "UNSPECIFIED_POLICY" "IfNotPresent" "Always"

The pull behaviour to be applied when fetching a WASM module, mirroring K8s behaviour.

  • UNSPECIFIED_POLICY: Defaults to IfNotPresent, except for OCI images with tag latest, for which the default will be Always.
  • IfNotPresent: If an existing version of the image has been pulled before, that will be used. If no version of the image is present locally, we will pull the latest version.
  • Always: We will always pull the latest version of an image when changing this plugin. Note that the change includes the metadata field as well.

imagePullSecret
string

Credentials to use for OCI image pulling. Name of a K8s Secret that contains a docker pull secret which is to be used to authenticate against the registry when pulling the image. If TSB is configured to use the WASM download proxy, this secret must exist in the istio-system namespace of each cluster that has applications that use the extension. If the download proxy is disabled, the secret must exist in each application namespace that is using the extension.

match
object (v2GlobalTrafficSelector)

GlobalTrafficSelector provides a mechanism to select a specific traffic flow for which this Wasm Extension will be enabled. This setting applies to all WASM Extension attachments. These selectors can be overridden at attachments. When all the sub-conditions in the TrafficSelector are satisfied, the traffic will be selected.

phase
string
Default: "UNSPECIFIED_PHASE"
Enum: "UNSPECIFIED_PHASE" "AUTHN" "AUTHZ" "STATS"

Plugin phases following the Istio definition: https://istio.io/latest/docs/reference/config/proxy_extensions/wasm-plugin/#PluginPhase

  • UNSPECIFIED_PHASE: Control plane decides where to insert the plugin. This will generally be at the end of the filter chain, right before the Router. Do not specify PluginPhase if the plugin is independent of others.
  • AUTHN: Insert plugin before Istio authentication filters.
  • AUTHZ: Insert plugin before Istio authorization filters and after Istio authentication filters.
  • STATS: Insert plugin before Istio stats filters and after Istio authorization filters.

priority
integer <int32>

Determines the ordering of WasmExtensions in the same phase. When multiple WasmExtensions are applied to the same workload in the same phase, they will be applied by priority, in descending order. If no priority is assigned it will use the default 0 value. In case of several extensions having the same priority in the same phase, the fqn will be used to sort them.

source
string (Source to find the code for the WASM extension)
url
required
string

URL of a Wasm module or OCI container. If no scheme is present, defaults to oci://, referencing an OCI image. Other valid schemes are file:// for referencing .wasm module files present locally within the proxy container, and http[s]:// for .wasm module files hosted remotely.

object (v2VmConfig)

Configuration for a Wasm VM. More details can be found here.

Responses

Request samples

Content type
application/json
{
  "allowedIn": [],
  "config": {},
  "description": "string",
  "displayName": "string",
  "etag": "string",
  "image": "string",
  "imagePullPolicy": "UNSPECIFIED_POLICY",
  "imagePullSecret": "string",
  "match": {},
  "phase": "UNSPECIFIED_PHASE",
  "priority": 0,
  "source": "string",
  "url": "string",
  "vmConfig": {}
}

Response samples

Content type
application/json
{
  "fqn": "string",
  "displayName": "string",
  "etag": "string",
  "description": "string",
  "allowedIn": [],
  "image": "string",
  "source": "string",
  "phase": "UNSPECIFIED_PHASE",
  "priority": 0,
  "config": {},
  "imagePullPolicy": "UNSPECIFIED_POLICY",
  "imagePullSecret": "string",
  "vmConfig": {},
  "url": "string",
  "match": {}
}

Delete a WasmExtension. Note that deleting a WasmExtension will delete the extension itself, and also its assignments to IngressGateway and SecuritySetting.

path Parameters
organization
required
string

Organization name.

extension
required
string

Extension name.

Responses

Response samples

Content type
application/json
{ }

Gateways

List all gateway groups that exist in the workspace.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

Responses

Response samples

Content type
application/json
{
  "groups": []
}

Create a new gateway group in the given workspace.

Groups will by default configure all the namespaces owned by their workspace, unless explicitly configured. If a specific set of namespaces is set for the group, it must be a subset of the namespaces defined by its workspace.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

Request Body schema: application/json
required
required
object (tsbgatewayv2Group)

Gateway Groups allow grouping the gateways in a set of namespaces owned by its parent workspace. Gateway related configurations can then be applied on the group to control the behavior of these gateways. The group can be in one of two modes: BRIDGED and DIRECT. BRIDGED mode is a minimalistic mode that allows users to quickly configure the most commonly used features in the service mesh using Tetrate specific APIs, while the DIRECT mode provides more flexibility for power users by allowing them to configure the gateways' traffic and security properties using a restricted subset of Istio Networking and Security APIs.

The following example creates a gateway group for the gateways in ns1, ns2 and ns3 namespaces owned by its parent workspace w1 under tenant mycompany

apiVersion: gateway.tsb.tetrate.io/v2
kind: Group
metadata:
  name: g1
  workspace: w1
  tenant: mycompany
  organization: myorg
spec:
  namespaceSelector:
    names:
    - "*/ns1"
    - "*/ns2"
    - "*/ns3"
  configMode: BRIDGED

It is possible to create a gateway group for namespaces in a specific cluster as long as the parent workspace owns those namespaces in that cluster. For example,

apiVersion: gateway.tsb.tetrate.io/v2
kind: Group
metadata:
  name: g1
  workspace: w1
  tenant: mycompany
  organization: myorg
spec:
  namespaceSelector:
    names:
    - "c1/ns1" # pick ns1 namespace only from c1 cluster
    - "*/ns2"
    - "*/ns3"
  configMode: BRIDGED

In the DIRECT mode, it is possible to directly attach Istio Networking v1beta1 APIs (VirtualService and Gateway) and Istio Security v1beta1 APIs (RequestAuthentication and AuthorizationPolicy) to the gateway group. These configurations are validated for correctness and conflict-free operation and then pushed to the appropriate Istio control planes.

The following example declares a Gateway and a VirtualService for a specific workload in the ns1 namespace:

apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  name: ingress
  namespace: ns1
  annotations:
    tsb.tetrate.io/organization: myorg
    tsb.tetrate.io/tenant: mycompany
    tsb.tetrate.io/workspace: w1
    tsb.tetrate.io/gatewayGroup: g1
spec:
  selector:
      app: my-ingress-gateway
  servers:
  - port:
      number: 80
      name: http
      protocol: HTTP
    hosts:
    - uk.bookinfo.com
    - eu.bookinfo.com

and the associated VirtualService

apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: ingress-rule
  namespace: ns1
  annotations:
    tsb.tetrate.io/organization: myorg
    tsb.tetrate.io/tenant: mycompany
    tsb.tetrate.io/workspace: w1
    tsb.tetrate.io/gatewayGroup: g1
spec:
  hosts:
  - uk.bookinfo.com
  - eu.bookinfo.com
  gateways:
  - ns1/ingress # Has to bind to the same gateway
  http:
  - route:
    - destination:
        port:
          number: 7777
        host: reviews.ns1.svc.cluster.local

The namespace where the Istio APIs are applied will need to be part of the parent gateway group. In addition, each API object will need to have annotations to indicate the organization, tenant, workspace and the gateway group to which it belongs.

name
required
string

The short name for the resource to be created.

Responses

Request samples

Content type
application/json
{
  "group": {},
  "name": "string"
}

Response samples

Content type
application/json
{
  "fqn": "string",
  "displayName": "string",
  "etag": "string",
  "description": "string",
  "namespaceSelector": {},
  "configMode": "BRIDGED",
  "deletionProtectionEnabled": true,
  "profiles": [],
  "configGenerationMetadata": {}
}

Get the details of the given gateway group.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

gatewaygroup
required
string

Gatewaygroup name.

Responses

Response samples

Content type
application/json
{
  "fqn": "string",
  "displayName": "string",
  "etag": "string",
  "description": "string",
  "namespaceSelector": {},
  "configMode": "BRIDGED",
  "deletionProtectionEnabled": true,
  "profiles": [],
  "configGenerationMetadata": {}
}

Update the given gateway group.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

gatewaygroup
required
string

Gatewaygroup name.

Request Body schema: application/json
required
object (v2ConfigGenerationMetadata)

ConfigGenerationMetadata allows extra metadata, such as labels or annotations, to be added to the final generated Istio configuration. Config generation metadata defined on tenancy resources (organization, tenant, workspace or groups) acts as the default for the configurations that belong to them. The same config generation metadata defined on configuration resources (ingress gateways, service routes, etc.) replaces the values defined on the tenancy resources.

configMode
string (v2ConfigMode)
Default: "BRIDGED"
Enum: "BRIDGED" "DIRECT"

The configuration mode used by a traffic, security or a gateway group.

  • BRIDGED: Indicates that the configurations to be added to the group will use macro APIs that automatically generate Istio APIs under the hood.
  • DIRECT: Indicates that the configurations to be added to the group will directly use Istio APIs.
deletionProtectionEnabled
boolean

When set, prevents the resource from being deleted. In order to delete the resource this property needs to be set to false first.

description
string (A description of the resource. $hide_from_yaml)
displayName
string (User friendly name for the resource. $hide_from_yaml)
etag
string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)
required
object (NamespaceSelector)

`NamespaceSelector` selects a set of namespaces across one or more clusters in a tenant. Namespace selectors can be used at Workspace level to carve out a chunk of resources under a tenant into an isolated configuration domain. They can be used in a Traffic, Security, or a Gateway group to further scope the set of namespaces that will belong to a specific configuration group. Names in the namespace selector must be in the form `cluster/namespace` where:

  • cluster must be a cluster name or an `*` to mean all clusters
  • namespace must be a namespace name, an `*` to mean all namespaces or a prefix like `ns-*` to mean all those namespaces starting with `ns-`
profiles
Array of strings

List of profiles attached to the gateway group to be used to propagate default and mandatory configurations down to the children.
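The `cluster/namespace` selector grammar above and the rule that a gateway group's namespaces must be a subset of its workspace's, as an added example that is not TSB's own code; the two-cluster inventory, the function names and the subset check against that inventory are constructed for illustration:

```python
"""Added example, not TSB's own code: evaluate NamespaceSelector names of the
form `cluster/namespace` and check that a gateway group's selector stays within
the namespaces owned by its parent workspace. The cluster inventory below is
constructed for illustration; TSB resolves selectors against real clusters."""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class SelectorName:
    cluster: str    # a cluster name, or "*" for all clusters
    namespace: str  # a namespace name, "*" for all, or a prefix such as "ns-*"


def parse_name(name: str) -> SelectorName:
    """Parse one selector entry, rejecting shapes the selector grammar does not allow."""
    if name.count("/") != 1:
        raise ValueError(f"selector name must be cluster/namespace: {name!r}")
    cluster, namespace = name.split("/")
    if not cluster or not namespace:
        raise ValueError(f"empty cluster or namespace in {name!r}")
    # Only a bare "*" is allowed on the cluster side.
    if "*" in cluster and cluster != "*":
        raise ValueError(f"cluster may only be a name or '*': {name!r}")
    # On the namespace side: a name, "*", or a single trailing-wildcard prefix.
    if "*" in namespace and not (namespace == "*" or
                                 (namespace.endswith("*") and namespace.count("*") == 1)):
        raise ValueError(f"namespace may only be a name, '*' or a prefix like 'ns-*': {name!r}")
    return SelectorName(cluster, namespace)


def matches(sel: SelectorName, cluster: str, namespace: str) -> bool:
    """True if one selector entry covers the given cluster/namespace pair."""
    if sel.cluster != "*" and sel.cluster != cluster:
        return False
    if sel.namespace == "*":
        return True
    if sel.namespace.endswith("*"):
        return namespace.startswith(sel.namespace[:-1])
    return sel.namespace == namespace


def select(names: list[str], inventory: list[tuple[str, str]]) -> set[tuple[str, str]]:
    """Resolve a selector (its list of names) to the (cluster, namespace) pairs it covers."""
    sels = [parse_name(n) for n in names]
    return {(c, ns) for c, ns in inventory if any(matches(s, c, ns) for s in sels)}


def group_outside_workspace(group_names: list[str], workspace_names: list[str],
                            inventory: list[tuple[str, str]]) -> list[tuple[str, str]]:
    """Namespaces the group would select that its workspace does not own.
    An empty list means the group is a valid subset of the workspace."""
    return sorted(select(group_names, inventory) - select(workspace_names, inventory))


# Constructed inventory of namespaces as they might exist across two clusters.
INVENTORY = [("c1", "ns1"), ("c1", "ns2"), ("c1", "other"),
             ("c2", "ns1"), ("c2", "ns3"), ("c2", "ns-payments")]

if __name__ == "__main__":
    ws = ["c1/*"]                      # workspace w1 owns every namespace in c1
    grp = ["*/ns1", "*/ns2", "*/ns3"]  # the group from the page's first example
    print("group selects outside workspace:", group_outside_workspace(grp, ws, INVENTORY))
```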

Responses

Request samples

Content type
application/json
{
  "configGenerationMetadata": {},
  "configMode": "BRIDGED",
  "deletionProtectionEnabled": true,
  "description": "string",
  "displayName": "string",
  "etag": "string",
  "namespaceSelector": {},
  "profiles": []
}

Response samples

Content type
application/json
{
  "fqn": "string",
  "displayName": "string",
  "etag": "string",
  "description": "string",
  "namespaceSelector": {},
  "configMode": "BRIDGED",
  "deletionProtectionEnabled": true,
  "profiles": [],
  "configGenerationMetadata": {}
}

Delete the given gateway group. Note that deleting resources in TSB is a recursive operation. Deleting a gateway group will delete all configuration objects that exist in it.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

gatewaygroup
required
string

Gatewaygroup name.

query Parameters
force
boolean

Force the deletion of the object even if deletion protection is enabled. If this is set, then the object and all its children will be deleted even if any of them has the deletion protection enabled.

Responses

Response samples

Content type
application/json
{ }

List all Egress Gateway objects in the gateway group.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

gatewaygroup
required
string

Gatewaygroup name.

Responses

Response samples

Content type
application/json
{
  "egressGateways": []
}

Create an Egress Gateway object in the gateway group.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

gatewaygroup
required
string

Gatewaygroup name.

Request Body schema: application/json
required
required
object

Deprecation warning: The functionality provided by the `EgressGateway` is now provided in the `Gateway` object, and using it is the recommended approach. The `EgressGateway` resource will be removed in future releases.

EgressGateway configures a workload to act as a gateway for traffic exiting the mesh. The egress gateway is meant to be the destination of unknown traffic within the mesh (traffic sent to non-mesh services). The gateway allows authorization control of traffic sent to it to more finely tune which services are allowed to send unknown traffic through the gateway. Only HTTP is supported at this time.

The following example declares an egress gateway running on pods in istio-system with the label app=istio-egressgateway. This gateway is set up to allow traffic from anywhere in the cluster to access www.httpbin.org, and to allow the bookinfo details app specifically to access any external host. EgressGateways need to be paired with TrafficSettings in order to be usable: set the egress field in the TrafficSettings to point to the egress gateway and send traffic to port 15443. Once this is set up, mesh-internal apps send unknown traffic to the egress gateway over mTLS. The gateway then decides whether to forward the traffic or not, and uses one-way TLS for external calls.

apiVersion: gateway.tsb.tetrate.io/v2
kind: EgressGateway
metadata:
  name: my-egress
  group: g1
  workspace: w1
  tenant: mycompany
  organization: myorg
spec:
  workloadSelector:
    namespace: ns1
    labels:
      app: istio-egressgateway
  authorization:
    - from:
        mode: WORKSPACE
      to: ["www.httpbin.org"]
    - from:
        mode: CUSTOM
        serviceAccounts: ["default/bookinfo-details"]
      to: ["*"]
---
apiVersion: traffic.tsb.tetrate.io/v2
kind: TrafficSetting
metadata:
  name: defaults
  group: t1
  workspace: w1
  tenant: mycompany
  organization: myorg
spec:
  reachability:
   mode: CUSTOM
   hosts:
   - "./*"
   - "istio-system/*"
  egress:
    host: istio-system/istio-egressgateway.istio-system.svc.cluster.local

The following example customizes the Extensions field to enable the execution of the specified WasmExtensions list and details custom properties for the execution of each extension.

apiVersion: gateway.tsb.tetrate.io/v2
kind: EgressGateway
metadata:
  name: my-egress
  group: g1
  workspace: w1
  tenant: mycompany
  organization: myorg
spec:
  workloadSelector:
    namespace: ns1
    labels:
      app: istio-egressgateway
  authorization:
    - from:
        mode: WORKSPACE
      to: ["www.httpbin.org"]
    - from:
        mode: CUSTOM
        serviceAccounts: ["default/bookinfo-details"]
      to: ["*"]
  extension:
  - fqn: hello-world # fqn of imported extensions in TSB
    config:
      foo: bar


name
required
string

The short name for the resource to be created.

Responses

Request samples

Content type
application/json
{
  "egressGateway": {},
  "name": "string"
}

Response samples

Content type
application/json
{
  "fqn": "string",
  "displayName": "string",
  "etag": "string",
  "description": "string",
  "workloadSelector": {},
  "authorization": [],
  "extension": [],
  "configGenerationMetadata": {}
}

Get the details of the given Egress Gateway object.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

gatewaygroup
required
string

Gatewaygroup name.

egressgateway
required
string

Egressgateway name.

Responses

Response samples

Content type
application/json
{
  "fqn": "string",
  "displayName": "string",
  "etag": "string",
  "description": "string",
  "workloadSelector": {},
  "authorization": [],
  "extension": [],
  "configGenerationMetadata": {}
}

Modify the given Egress Gateway object.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

gatewaygroup
required
string

Gatewaygroup name.

egressgateway
required
string

Egressgateway name.

Request Body schema: application/json
required
Array of objects (EgressAuthorization is used to dictate which service accounts can access a set of external hosts)

The description of which service accounts can access which hosts. If the list of authorization rules is empty, this egress gateway will deny all traffic.

object (v2ConfigGenerationMetadata)

ConfigGenerationMetadata allows extra metadata, such as labels or annotations, to be added to the final generated Istio configuration. Config generation metadata defined on tenancy resources (organization, tenant, workspace or groups) acts as the default for the configurations that belong to them. The same config generation metadata defined on configuration resources (ingress gateways, service routes, etc.) replaces the values defined on the tenancy resources.

description
string (A description of the resource. $hide_from_yaml)
displayName
string (User friendly name for the resource. $hide_from_yaml)
etag
string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)
Array of objects (v2WasmExtensionAttachment)

Extensions specifies all the WasmExtensions assigned to this EgressGateway with the specific configuration for each extension. This custom configuration will override the one configured globally to the extension. Each extension has a global configuration including enablement and priority that will condition the execution of the assigned extensions.

required
object (v2WorkloadSelector)

WorkloadSelector selects one or more workloads in a namespace. WorkloadSelector can be used in TrafficSetting, SecuritySetting, and Gateway APIs in BRIDGED mode to scope the configuration to a specific set of workloads.

Responses

Request samples

Content type
application/json
{
  "authorization": [],
  "configGenerationMetadata": {},
  "description": "string",
  "displayName": "string",
  "etag": "string",
  "extension": [],
  "workloadSelector": {}
}

Response samples

Content type
application/json
{
  "fqn": "string",
  "displayName": "string",
  "etag": "string",
  "description": "string",
  "workloadSelector": {},
  "authorization": [],
  "extension": [],
  "configGenerationMetadata": {}
}

Delete the given Egress Gateway object.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

gatewaygroup
required
string

Gatewaygroup name.

egressgateway
required
string

Egressgateway name.

Responses

Response samples

Content type
application/json
{ }

List all Ingress Gateway objects in the gateway group.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

gatewaygroup
required
string

Gatewaygroup name.

Responses

Response samples

Content type
application/json
{
  "ingressGateways": []
}

Create an Ingress Gateway object in the gateway group.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

gatewaygroup
required
string

Gatewaygroup name.

Request Body schema: application/json
required
required
object

Deprecation warning: The functionality provided by the `IngressGateway` is now provided in the `Gateway` object, and using it is the recommended approach. The `IngressGateway` resource will be removed in future releases.

IngressGateway configures a workload to act as a gateway for traffic entering the mesh. The ingress gateway also provides basic API gateway functionalities such as JWT token validation and request authorization. Gateways in privileged workspaces can route to services outside the workspace while those in unprivileged workspaces can only route to services inside the workspace.

The following example declares an ingress gateway running on pods with app: gateway labels in the ns1 namespace. The gateway exposes a host bookinfo.com on https port 9443 and http port 9090. The port 9090 is configured to receive plaintext traffic and send a redirect to the https port 9443 (site-wide HTTP -> HTTPS redirection). At port 9443, TLS is terminated using the certificates in the Kubernetes secret bookinfo-certs. Clients are authenticated using JWT tokens, whose keys are obtained from the OIDC provider www.googleapis.com. The request is then authorized by the user's authorization engine hosted at https://company.com/authz before being forwarded to the productpage service in the backend.

apiVersion: gateway.tsb.tetrate.io/v2
kind: IngressGateway
metadata:
  name: ingress-bookinfo
  group: g1
  workspace: w1
  tenant: mycompany
  organization: myorg
spec:
  workloadSelector:
    namespace: ns1
    labels:
      app: gateway
  http:
  - name: bookinfo-plaintext
    port: 9090
    hostname: bookinfo.com
    routing:
      rules:
      - redirect:
          authority: bookinfo.com
          port: 9443
          redirectCode: 301
          scheme: https
  - name: bookinfo
    port: 9443
    hostname: bookinfo.com
    tls:
      mode: SIMPLE
      secretName: bookinfo-certs
    authentication:
      rules:
        jwt:
        - issuer: https://accounts.google.com
          jwksUri: https://www.googleapis.com/oauth2/v3/certs
        - issuer: "auth.mycompany.com"
          jwksUri: https://auth.mycompany.com/oauth2/jwks
    authorization:
      external:
        uri: https://company.com/authz
        includeRequestHeaders:
        - Authorization # forwards the header to the authorization service.
    routing:
      rules:
      - route:
          host: ns1/productpage.ns1.svc.cluster.local
    rateLimiting:
      settings:
        rules:
          # Ratelimit at 10 requests/hour for clients with a remote address of 1.2.3.4 
        - dimensions: 
          - remoteAddress:
              value: 1.2.3.4
          limit:
            requestsPerUnit: 10
            unit: HOUR
          # Ratelimit at 50 requests/minute for every unique value in the user-agent header
        - dimensions:
          - header:
              name: user-agent
          limit:
            requestsPerUnit: 50
            unit: MINUTE
          # Ratelimit at 100 requests/second for every unique client remote address
          # with the HTTP requests having a GET method and the path prefix of /productpage
        - dimensions:
          - remoteAddress:
              value: "*"
          - header:
              name: ":path"
              value:
                prefix: /productpage
          - header:
              name: ":method"
              value:
                exact: "GET"
          limit:
            requestsPerUnit: 100
            unit: SECOND

In the following example, the clients are authenticated using an external OIDC provider using AUTHORIZATION_CODE grant type. Once the client request is authenticated, it gets forwarded to the productpage service in the backend. The access_token generated after client authentication is set as Bearer in request headers. The state of authentication is stored in cookies.

apiVersion: gateway.tsb.tetrate.io/v2
kind: IngressGateway
metadata:
  name: ingress-bookinfo
  group: g1
  workspace: w1
  tenant: mycompany
  organization: myorg
spec:
  workloadSelector:
    namespace: ns1
    labels:
      app: gateway
  http:
  - name: bookinfo-plaintext
    port: 9090
    hostname: bookinfo.com
    routing:
      rules:
        - redirect:
            authority: bookinfo.com
            port: 9443
            redirectCode: 301
            scheme: https
  - name: bookinfo
    port: 9443
    hostname: bookinfo.com
    tls:
      mode: SIMPLE
      secretName: bookinfo-certs
    authentication:
      oidc:
        grantType: AUTHORIZATION_CODE
        clientId: "my-client"
        clientTokenSecret: "my-secret"
        redirectUri: https://httpbin.example.com/bearer
        provider:
          issuer: https://accounts.google.com
          authorizationEndpoint: https://accounts.google.com/v1/authorize
          tokenEndpoint: https://accounts.google.com/v1/token
          jwksUri: https://www.googleapis.com/oauth2/v3/certs
    authorization:
      external:
        uri: https://company.com/authz
        includeRequestHeaders:
          - Authorization # forwards the header to the authorization service.
    routing:
      rules:
      - route:
          serviceDestination:
            host: ns1/productpage.ns1.svc.cluster.local

If the productpage.ns1 service on Kubernetes has a ServiceRoute with multiple subsets and weights, the traffic will be split across the subsets accordingly.

The following example illustrates defining non-HTTP servers (based on TCP) with TLS termination. Here, kafka.myorg.internal uses non-HTTP protocol and listens on port 9000. The clients have to connect with TLS with the SNI kafka.myorg.internal. The TLS is terminated at the gateway and the traffic is routed to kafka.infra.svc.cluster.local:8000.

If subsets are defined in the ServiceRoute referencing kafka.infra.svc.cluster.local service, then it is also considered while routing.

apiVersion: gateway.tsb.tetrate.io/v2
kind: IngressGateway
metadata:
  name: ingress-bookinfo
  group: g1
  workspace: w1
  tenant: mycompany
  organization: myorg
spec:
  workloadSelector:
    namespace: ns1
    labels:
      app: gateway
  tcp:
  - name: kafka-gateway
    hostname: kafka.myorg.internal
    port: 9000
    tls:
      mode: SIMPLE
      secretName: kafka-cred
    route:
      host: kafka.infra.svc.cluster.local
      port: 8000

The following example customizes the Extensions to enable the execution of the specified WasmExtensions list and details custom properties for the execution of each extension.

apiVersion: gateway.tsb.tetrate.io/v2
kind: IngressGateway
metadata:
  name: ingress-bookinfo
  group: g1
  workspace: w1
  tenant: mycompany
  organization: myorg
spec:
  workloadSelector:
    namespace: ns1
    labels:
      app: gateway
  extension:
  - fqn: hello-world # fqn of imported extensions in TSB
    config:
      foo: bar
  http:
  - name: bookinfo
    port: 80
    hostname: bookinfo.com
    routing:
      rules:
      - route:
          host: ns1/productpage.ns1.svc.cluster.local

`IngressGateway` also allows you to apply ModSecurity/Coraza compatible Web Application Firewall rules to traffic passing through the gateway.

```yaml
apiVersion: gateway.tsb.tetrate.io/v2
kind: IngressGateway
metadata:
  name: waf-gw
  group: g1
  workspace: w1
  tenant: mycompany
  organization: myorg
spec:
  workloadSelector:
    namespace: ns1
    labels:
      app: waf-gateway
  http:
  - name: bookinfo
    port: 9443
    hostname: bookinfo.com
  waf:
    rules:
      - Include @recommended-conf
      - SecResponseBodyAccess Off
      - Include @owasp_crs/*.conf
```

name
required
string

The short name for the resource to be created.

Responses

Request samples

Content type
application/json
{
  "ingressGateway": {},
  "name": "string"
}

Response samples

Content type
application/json
{
  "fqn": "string",
  "displayName": "string",
  "etag": "string",
  "description": "string",
  "workloadSelector": {},
  "http": [],
  "tlsPassthrough": [],
  "tcp": [],
  "extension": [],
  "waf": {},
  "configGenerationMetadata": {}
}

Get the details of the given Ingress Gateway object.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

gatewaygroup
required
string

Gatewaygroup name.

ingressgateway
required
string

Ingressgateway name.

Responses

Response samples

Content type
application/json
{
  "fqn": "string",
  "displayName": "string",
  "etag": "string",
  "description": "string",
  "workloadSelector": {},
  "http": [],
  "tlsPassthrough": [],
  "tcp": [],
  "extension": [],
  "waf": {},
  "configGenerationMetadata": {}
}

Modify the given Ingress Gateway object.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

gatewaygroup
required
string

Gatewaygroup name.

ingressgateway
required
string

Ingressgateway name.

Request Body schema: application/json
required
object (v2ConfigGenerationMetadata)

ConfigGenerationMetadata allows extra metadata, such as labels or annotations, to be added to the final generated Istio configuration. Config generation metadata defined on tenancy resources (organization, tenant, workspace or groups) acts as the default for the configurations that belong to them. The same config generation metadata defined on configuration resources (ingress gateways, service routes, etc.) replaces the values defined on the tenancy resources.

description
string (A description of the resource. $hide_from_yaml)
displayName
string (User friendly name for the resource. $hide_from_yaml)
etag
string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)
Array of objects (v2WasmExtensionAttachment)

Extensions specifies all the WasmExtensions assigned to this IngressGateway with the specific configuration for each extension. This custom configuration will override the one configured globally to the extension. Each extension has a global configuration including enablement and priority that will condition the execution of the assigned extensions.

Array of objects (v2HttpServer)

One or more HTTP or HTTPS servers exposed by the gateway. The server exposes configuration for TLS termination, request authentication/authorization, HTTP routing, etc.

Array of objects (One or more non-HTTP and non-passthrough servers which use TCP based protocols. This server also exposes configuration for terminating TLS)
Array of objects (v2TLSPassthroughServer)

One or more TLS servers exposed by the gateway. The server does not terminate TLS and exposes config for SNI based routing.

object (WAFSettings configure the WAF based on seclang; see https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual-%28v3.x%29#Configuration_Directives)

The following example creates a security group for the sidecars in the ns1, ns2 and ns3 namespaces owned by its parent workspace w1 under tenant mycompany, together with a security setting in that group that applies the WAF settings.

apiVersion: security.tsb.tetrate.io/v2
kind: Group
metadata:
  name: t1
  workspace: w1
  tenant: mycompany
  organization: myorg
spec:
  namespaceSelector:
    names:
    - "*/ns1"
    - "*/ns2"
    - "*/ns3"
  configMode: BRIDGED
---
apiVersion: security.tsb.tetrate.io/v2
kind: SecuritySetting
metadata:
  name: defaults
  group: t1
  workspace: w1
  tenant: mycompany
  organization: myorg
spec:
  waf:
    rules:
      - Include @recommended-conf

In the following examples, the security rule for blocking XSS requests is enabled on a Tier1Gateway and an IngressGateway respectively, with an ad-hoc debug configuration instead of the one defined in the security rule.

apiVersion: gateway.tsb.tetrate.io/v2
kind: Tier1Gateway
metadata:
  name: tier1-waf-gw
  group: g1
  workspace: w1
  tenant: mycompany
  organization: myorg
spec:
  workloadSelector:
    namespace: ns1
    labels:
      app: gateway
  passthroughServers:
  - name: nginx
    port: 8443
    hostname: nginx.example.com
  waf:
    rules:
      - Include @owasp_crs/REQUEST-941-APPLICATION-ATTACK-XSS.conf
---
apiVersion: gateway.tsb.tetrate.io/v2
kind: IngressGateway
metadata:
  name: waf-gw
  group: g1
  workspace: w1
  tenant: mycompany
  organization: myorg
spec:
  workloadSelector:
    namespace: ns1
    labels:
      app: waf-gateway
  waf:
    rules:
      - SecRuleEngine DETECTION_ONLY
      - SecDebugLogLevel 5
      - Include @owasp_crs/REQUEST-941-APPLICATION-ATTACK-XSS.conf
  http:
  - name: bookinfo
    port: 9443
    hostname: bookinfo.com
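The seclang directives used in the `waf.rules` lists on this page (the IngressGateway WAF example, the SecuritySetting, and the ad-hoc debug configuration just above) checked before the resource is applied, as an added example that is not TSB's own code; the finding codes, the debug-level threshold and the sample rule lists are constructed for illustration:

```python
"""Added example, not TSB's own code: lint the seclang directives in a gateway's
`waf.rules` list before applying the resource, so that a detection-only engine
or a verbose debug log meant for ad-hoc debugging does not reach production.
The finding codes and the debug-level threshold are assumptions for illustration."""
from __future__ import annotations

import shlex
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    code: str
    message: str


def parse_directive(line: str):
    """Split one seclang line into (directive, args); blank lines and comments yield None."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    parts = shlex.split(line)  # keeps quoted SecRule operators and actions together
    return parts[0], parts[1:]


def lint_waf_rules(rules: list[str], max_debug_level: int = 3) -> list[Finding]:
    """Check a `waf.rules` list and return findings in the order they are discovered."""
    findings: list[Finding] = []
    engine = None
    crs_included = False
    for raw in rules:
        parsed = parse_directive(raw)
        if parsed is None:
            continue
        directive, args = parsed
        name = directive.lower()  # seclang directive names are case-insensitive
        if name == "secruleengine" and args:
            engine = args[0]
            # The page writes DETECTION_ONLY; ModSecurity spells it DetectionOnly.
            if args[0].lower().replace("_", "") in ("detectiononly", "off"):
                findings.append(Finding("engine-not-blocking",
                                        f"{raw.strip()}: matching requests are logged but not blocked"))
        elif name == "secdebugloglevel" and args and args[0].isdigit():
            if int(args[0]) > max_debug_level:
                findings.append(Finding("debug-log-verbose",
                                        f"{raw.strip()}: verbose debug logging is for ad-hoc debugging only"))
        elif name == "secrequestbodyaccess" and args and args[0].lower() == "off":
            findings.append(Finding("request-body-not-inspected",
                                    f"{raw.strip()}: request bodies will not be inspected by SecRules"))
        elif name == "include" and args and args[0].startswith("@owasp_crs/"):
            crs_included = True
    if engine is None:
        findings.append(Finding("engine-not-explicit",
                                "SecRuleEngine is not set here; check what the included configuration sets"))
    if not crs_included:
        findings.append(Finding("no-crs-rules", "no @owasp_crs/ rule set is included"))
    return findings


# Constructed samples: the page's ad-hoc debug configuration and a blocking one.
DEBUG_RULES = ["SecRuleEngine DETECTION_ONLY", "SecDebugLogLevel 5",
               "Include @owasp_crs/REQUEST-941-APPLICATION-ATTACK-XSS.conf"]
BLOCKING_RULES = ["SecRuleEngine On", "SecRequestBodyAccess On",
                  "Include @recommended-conf", "Include @owasp_crs/*.conf"]

if __name__ == "__main__":
    for label, rules in (("debug", DEBUG_RULES), ("blocking", BLOCKING_RULES)):
        for f in lint_waf_rules(rules):
            print(f"{label}: [{f.code}] {f.message}")
```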
required
object (v2WorkloadSelector)

WorkloadSelector selects one or more workloads in a namespace. WorkloadSelector can be used in TrafficSetting, SecuritySetting, and Gateway APIs in BRIDGED mode to scope the configuration to a specific set of workloads.

Responses

Request samples

Content type
application/json
{
  "configGenerationMetadata": {},
  "description": "string",
  "displayName": "string",
  "etag": "string",
  "extension": [],
  "http": [],
  "tcp": [],
  "tlsPassthrough": [],
  "waf": {},
  "workloadSelector": {}
}

Response samples

Content type
application/json
{
  "fqn": "string",
  "displayName": "string",
  "etag": "string",
  "description": "string",
  "workloadSelector": {},
  "http": [],
  "tlsPassthrough": [],
  "tcp": [],
  "extension": [],
  "waf": {},
  "configGenerationMetadata": {}
}

Delete the given Ingress Gateway object.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

gatewaygroup
required
string

Gatewaygroup name.

ingressgateway
required
string

Ingressgateway name.

Responses

Response samples

Content type
application/json
{ }

List all Install Gateway objects in the gateway group.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

gatewaygroup
required
string

Gatewaygroup name.

Responses

Response samples

Content type
application/json
{
  "installGateways": []
}

Create an Install Gateway object in the gateway group.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

gatewaygroup
required
string

Gatewaygroup name.

Request Body schema: application/json
required
gateway
required
object (installdataplanev1alpha1GatewaySpec)

GatewaySpec defines the desired installed state of a single gateway for a given namespace in Service Bridge. Specifying a minimal GatewaySpec with a hub will create a default gateway with sensible values.

name
required
string

The short name for the resource to be created.

Responses

Request samples

Content type
application/json
{
  "gateway": {},
  "name": "string"
}

Response samples

Content type
application/json
{
  "connectionDrainDuration": "string",
  "revision": "string",
  "type": "UNIFIED",
  "concurrency": 0,
  "targetNamespace": "string",
  "targetCluster": "string",
  "fqn": "string",
  "displayName": "string",
  "etag": "string",
  "description": "string",
  "kubeSpec": {}
}

Get the details of the given Install Gateway object.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

gatewaygroup
required
string

Gatewaygroup name.

installgateway
required
string

Installgateway name.

Responses

Response samples

Content type
application/json
{
  "connectionDrainDuration": "string",
  "revision": "string",
  "type": "UNIFIED",
  "concurrency": 0,
  "targetNamespace": "string",
  "targetCluster": "string",
  "fqn": "string",
  "displayName": "string",
  "etag": "string",
  "description": "string",
  "kubeSpec": {}
}

Modify the given Install Gateway object.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

gatewaygroup
required
string

Gatewaygroup name.

installgateway
required
string

Installgateway name.

Request Body schema: application/json
required
concurrency
integer <int32>

Number of Envoy worker threads to run. By default it will be set automatically based on the gateway's CPU resource limits.

Set to -1 to use the legacy behavior of all cores on the machine.

connectionDrainDuration
string

The amount of time the gateway will wait on shutdown for connections to complete before terminating the gateway. During this drain period, no new connections can be created, but existing ones are allowed to complete.

description
string (A description of the resource.)
displayName
string (User-friendly name for the resource.)
etag
string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications.)
kubeSpec
object (kubernetesKubernetesComponentSpec)

KubernetesComponentSpec is a common set of Kubernetes resource configuration for components.

revision
string (Specifies the Istio revision to reconcile with. If specified, the TSB control plane operator will reconcile this gateway only if the operator's revision matches it. The TSB data plane operator, which runs only when the TSB control plane operator is not configured with a revision, ignores the revision field and reconciles the gateway as usual. Internally, this revision selects the matching Istio control plane for the gateway deployment. https://istio.io/latest/docs/setup/upgrade/canary/)
targetCluster
string

Cluster where the gateway will be deployed. Required when using TSB MP and TSB GitOps to deploy the gateway. Ignored when used as a pure Kubernetes resource.

targetNamespace
string

Namespace where the gateway will be deployed. Required when using TSB MP and TSB GitOps to deploy the gateway. Ignored when used as a pure Kubernetes resource.

type
string (v1alpha1GatewaySpecType)
Default: "UNIFIED"
Enum: "UNIFIED" "INGRESS" "EGRESS" "EASTWEST"

Type defines the different types of use cases and functionalities supported by the gateway install. Each type configures the gateway workloads for the particular use case it represents. If not set, UNIFIED is used as the default.

  • UNIFIED: UNIFIED represents the gateway type supporting all functionalities: INGRESS, EGRESS, and EASTWEST. Gateway workloads are configured with default ports 80 (HTTP), 443 (HTTPS), and 15443 (ISTIO_mTLS). The gateway is configured with a LoadBalancer type service by default.
  • INGRESS: INGRESS represents the gateway type configured for Ingress use cases. Gateway workloads are configured with default ports 80 (HTTP), 443 (HTTPS), and 15443 (ISTIO_mTLS). The gateway is configured with a LoadBalancer type service by default.
  • EGRESS: EGRESS represents the gateway type configured for Egress use cases. Gateway workloads are configured with the default ports 80 (HTTP), 443 (HTTPS), and 15443 (ISTIO_mTLS). The gateway is configured with a ClusterIP type service by default.
  • EASTWEST: EASTWEST represents the gateway type configured for East-West use cases. Gateway workloads are configured with the default port 15443 (ISTIO_mTLS). The gateway is configured with a LoadBalancer type service by default.

Responses

Request samples

Content type
application/json
{
  "concurrency": 0,
  "connectionDrainDuration": "string",
  "description": "string",
  "displayName": "string",
  "etag": "string",
  "kubeSpec": {},
  "revision": "string",
  "targetCluster": "string",
  "targetNamespace": "string",
  "type": "UNIFIED"
}

Response samples

Content type
application/json
{
  "connectionDrainDuration": "string",
  "revision": "string",
  "type": "UNIFIED",
  "concurrency": 0,
  "targetNamespace": "string",
  "targetCluster": "string",
  "fqn": "string",
  "displayName": "string",
  "etag": "string",
  "description": "string",
  "kubeSpec": {}
}

Delete the given Install Gateway object.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

gatewaygroup
required
string

Gatewaygroup name.

installgateway
required
string

Installgateway name.

Responses

Response samples

Content type
application/json
{ }

List all Tier1 Gateway objects that have been created in the gateway group.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

gatewaygroup
required
string

Gatewaygroup name.

Responses

Response samples

Content type
application/json
{
  "tier1Gateways": []
}

Create a Tier1 Gateway object in the gateway group.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

gatewaygroup
required
string

Gatewaygroup name.

Request Body schema: application/json
required
name
required
string

The short name for the resource to be created.

tier1Gateway
required
object

Deprecation warning: the functionality provided by the `Tier1Gateway` is now provided by the `Gateway` object, and using it is the recommended approach. The `Tier1Gateway` resource will be removed in future releases.

Tier1Gateway configures a workload to act as a gateway that distributes traffic across one or more ingress gateways in other clusters.

NOTE: Tier1 gateways cannot be used to route traffic to the same cluster. A cluster with a tier1 gateway cannot have any other gateways or workloads.

The following example declares a tier1 gateway running on pods with app: gateway labels in the ns1 namespace. The gateway exposes the host movieinfo.com on ports 8080 and 8443, and kafka.internal on port 9000. Traffic for these hosts on ports 8443 and 9000 is TLS terminated and forwarded over Istio mutual TLS to the ingress gateways hosting movieinfo.com on clusters c3 and c4 and to the internal kafka.internal service in cluster c3, respectively. The server on port 8080 is configured to receive plaintext HTTP traffic and redirect it to port 8443 with a "Moved Permanently" (HTTP 301) status code.

apiVersion: gateway.tsb.tetrate.io/v2
kind: Tier1Gateway
metadata:
  name: tier1
  group: g1
  workspace: w1
  tenant: mycompany
  organization: myorg
spec:
  workloadSelector:
    namespace: ns1
    labels:
      app: gateway
  externalServers:
  - name: movieinfo-plain
    hostname: movieinfo.com # Plaintext and HTTPS redirect
    port: 8080
    redirect:
      authority: movieinfo.com
      uri: "/"
      redirectCode: 301
      port: 8443
      scheme: https
  - name: movieinfo
    hostname: movieinfo.com # TLS termination and Istio mTLS to upstream
    port: 8443
    tls:
      mode: SIMPLE
      secretName: movieinfo-secrets
    clusters:
    - name: c3 # the target gateway IPs will be automatically determined
      weight: 90
    - name: c4
      weight: 10
    authentication:
      rules:
        jwt:
        - issuer: "auth.mycompany.com"
          jwksUri: https://auth.mycompany.com/oauth2/jwks
        - issuer: "auth.othercompany.com"
          jwksUri: https://auth.othercompany.com/oauth2/jwks
    authorization:
      external:
        uri: "https://auth.company.com"
        includeRequestHeaders:
        - authorization
  tcpExternalServers:
  - name: kafka
    hostname: kafka.internal
    port: 9000
    tls:
      mode: SIMPLE
      secretName: kafka-cred
    clusters:
    - name: c3
      weight: 100

In the following example, clients are authenticated using an external OIDC provider with the AUTHORIZATION_CODE grant type. Once the client request is authenticated, it is forwarded to cluster c3 or c4. The access_token obtained after client authentication is set as a Bearer token in the request headers. The authentication state is stored in cookies.

apiVersion: gateway.tsb.tetrate.io/v2
kind: Tier1Gateway
metadata:
  name: tier1
  group: g1
  workspace: w1
  tenant: mycompany
  organization: myorg
spec:
  workloadSelector:
    namespace: ns1
    labels:
      app: gateway
  externalServers:
  - name: movieinfo-plain
    hostname: movieinfo.com # Plaintext and HTTPS redirect
    port: 8080
    redirect:
      authority: movieinfo.com
      uri: "/"
      redirectCode: 301
      port: 8443
      scheme: https
  - name: movieinfo
    hostname: movieinfo.com # TLS termination and Istio mTLS to upstream
    port: 8443
    tls:
      mode: SIMPLE
      secretName: movieinfo-secrets
    clusters:
    - name: c3 # the target gateway IPs will be automatically determined
      weight: 90
    - name: c4
      weight: 10
    authentication:
      oidc:
        grantType: AUTHORIZATION_CODE
        clientId: "my-client"
        clientTokenSecret: "my-secret"
        redirectUri: https://httpbin.example.com/bearer
        provider:
          issuer: https://accounts.google.com
          authorizationEndpoint: https://accounts.google.com/v1/authorize
          tokenEndpoint: https://accounts.google.com/v1/token
          jwksUri: https://www.googleapis.com/oauth2/v3/certs
    authorization:
      external:
        uri: "https://auth.company.com"
        includeRequestHeaders:
        - authorization

Tier1 gateways can also be used to forward mesh-internal traffic for Gateway hosts from one cluster to another. This form of forwarding works only if the two clusters cannot reach each other directly (e.g., they are on different VPCs that are not peered). The following example declares a tier1 gateway running on pods with app: gateway labels in the ns1 namespace. The gateway exposes the hosts movieinfo.com and bookinfo.com, and a non-HTTP server called kafka.org-internal, within the mesh. Traffic to movieinfo.com is load balanced across all clusters on vpc-02, while traffic to bookinfo.com and kafka.org-internal is load balanced across the ingress gateways exposing the respective host on any cluster. Traffic from the source (sidecars) is expected to arrive at the tier1 gateway over Istio mTLS.

apiVersion: gateway.tsb.tetrate.io/v2
kind: Tier1Gateway
metadata:
  name: tier1
  group: g1
  workspace: w1
  tenant: mycompany
  organization: myorg
spec:
  workloadSelector:
    namespace: ns1
    labels:
      app: gateway
  internalServers: # forwarding gateway (HTTP traffic only)
  - name: movieinfo
    hostname: movieinfo.com
    clusters:
    - labels:
        network: vpc-02 # the target gateway IPs will be automatically determined
    authentication:
      rules:
        jwt:
        - issuer: "auth.mycompany.com"
          jwksUri: https://auth.company.com/oauth2/jwks
        - issuer: "auth.othercompany.com"
          jwksUri: https://auth.othercompany.com/oauth2/jwks
    authorization:
      external:
        uri: "https://auth.company.com"
        includeRequestHeaders:
        - authorization
  - name: bookinfo
    hostname: bookinfo.com # route to any ingress gateway exposing bookinfo.com
  tcpInternalServers: # forwarding non-HTTP traffic within the mesh
  - name: kafka
    hostname: kafka.org-internal

NOTE: If two clusters have direct connectivity, declaring a tier1 internal server has no effect.

Tier1 gateways can also be configured to expose hostnames in TLS passthrough mode. The tier1 gateway forwards passthrough server traffic to any tier2 passthrough servers exposing the same hostname. In other words, to use passthrough at tier1, passthrough MUST also be configured on the tier2 IngressGateway.

NOTE: A hostname like abc.com can be exposed either in passthrough mode or in TLS-terminating mode (external/internal servers), not in both.

apiVersion: gateway.tsb.tetrate.io/v2
kind: Tier1Gateway
metadata:
  name: tier1-tls-gw
  group: g1
  workspace: w1
  tenant: mycompany
  organization: myorg
spec:
  workloadSelector:
    namespace: ns1
    labels:
      app: gateway
  passthroughServers:
  - name: nginx
    port: 8443
    hostname: nginx.example.com

The Tier1Gateway above requires at least one corresponding IngressGateway, e.g.:

apiVersion: gateway.tsb.tetrate.io/v2
kind: IngressGateway
metadata:
  name: tls-gw
  group: g1
  workspace: w1
  tenant: mycompany
  organization: myorg
spec:
  workloadSelector:
    namespace: ns1
    labels:
      app: gateway
  tlsPassthrough:
    - name: nginx
      port: 443
      hostname: nginx.example.com
      route:
        host: "ns1/my-nginx.default.svc.cluster.local"
        port: 443
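The two constraints stated above (a hostname is exposed either in passthrough or in TLS-terminating mode, never both, and tier1 passthrough only works when a tier2 IngressGateway exposes the same hostname under tlsPassthrough) are easy to violate across two resources that are edited separately. The following is an added example of a pre-apply check for them, not TSB's own validation code. It takes the gateway specs as plain dicts in the shape the JSON API accepts; the sample specs are constructed, with values mirroring the YAML above where they overlap.

```python
"""Consistency checks for tier1 TLS passthrough, added here as an example against
the two constraints stated above (a hostname is either passthrough or TLS
terminating, never both; tier1 passthrough needs a tier2 IngressGateway exposing
the same hostname under tlsPassthrough). This is not TSB's own validation code.
Resources are plain dicts in the shape the JSON API accepts; the samples are
constructed for illustration."""

from typing import List, Optional, Set


def hostnames(servers: Optional[List[dict]]) -> Set[str]:
    """Collect the hostnames declared by a list of server entries (None-safe)."""
    return {s["hostname"] for s in (servers or []) if "hostname" in s}


def check_tier1_passthrough(tier1_spec: dict, tier2_specs: List[dict]) -> List[str]:
    """Return findings for one Tier1Gateway spec; an empty list means it is consistent."""
    findings = []

    # Rule 1: passthrough and TLS-terminating servers must not share a hostname.
    passthrough = hostnames(tier1_spec.get("passthroughServers"))
    terminating = (hostnames(tier1_spec.get("externalServers"))
                   | hostnames(tier1_spec.get("internalServers")))
    for host in sorted(passthrough & terminating):
        findings.append(f"{host}: exposed in both passthrough and TLS-terminating mode")

    # Rule 2: every tier1 passthrough hostname needs a tier2 tlsPassthrough server.
    tier2_passthrough: Set[str] = set()
    for spec in tier2_specs:
        tier2_passthrough |= hostnames(spec.get("tlsPassthrough"))
    for host in sorted(passthrough - tier2_passthrough):
        findings.append(f"{host}: no tier2 IngressGateway exposes it under tlsPassthrough")
    return findings


# Constructed sample specs (values mirror the YAML above where they overlap).
TIER1_OK = {
    "workloadSelector": {"namespace": "ns1", "labels": {"app": "gateway"}},
    "passthroughServers": [
        {"name": "nginx", "port": 8443, "hostname": "nginx.example.com"},
    ],
}

TIER1_BAD = {
    "workloadSelector": {"namespace": "ns1", "labels": {"app": "gateway"}},
    "passthroughServers": [
        {"name": "nginx", "port": 8443, "hostname": "nginx.example.com"},
        {"name": "orphan", "port": 8443, "hostname": "orphan.example.com"},  # no tier2 peer
    ],
    # Same hostname again as a TLS-terminating external server: violates the NOTE above.
    "externalServers": [
        {"name": "nginx-tls", "port": 443, "hostname": "nginx.example.com",
         "tls": {"mode": "SIMPLE", "secretName": "nginx-secrets"}},
    ],
}

TIER2 = [{
    "workloadSelector": {"namespace": "ns1", "labels": {"app": "gateway"}},
    "tlsPassthrough": [
        {"name": "nginx", "port": 443, "hostname": "nginx.example.com",
         "route": {"host": "ns1/my-nginx.default.svc.cluster.local", "port": 443}},
    ],
}]

if __name__ == "__main__":
    for label, spec in (("tier1-tls-gw", TIER1_OK), ("tier1-bad", TIER1_BAD)):
        for line in check_tier1_passthrough(spec, TIER2) or ["consistent"]:
            print(f"{label}: {line}")
```

Run it against the specs fetched from the API (the GET endpoints on this page return the same field names) before the Tier1Gateway is created or modified; an empty result for every tier1 spec means the passthrough configuration is coherent across tiers.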

The following example customizes the extension field to enable execution of the listed WasmExtensions and sets custom properties for the execution of each extension.

apiVersion: gateway.tsb.tetrate.io/v2
kind: Tier1Gateway
metadata:
  name: tier1-tls-gw
  group: g1
  workspace: w1
  tenant: mycompany
  organization: myorg
spec:
  workloadSelector:
    namespace: ns1
    labels:
      app: gateway
  externalServers:
  - name: movieinfo-plain
    hostname: movieinfo.com # Plaintext and HTTPS redirect
    port: 8080
    redirect:
      authority: movieinfo.com
      uri: "/"
      redirectCode: 301
      port: 8443
      scheme: https
  extension:
  - fqn: hello-world # fqn of imported extensions in TSB
    config:
      foo: bar

Whenever traffic is to be sent from one cluster to another, one or more of the following would have to be true for it to succeed:

  • Both clusters belong to the same network.
  • Destination cluster network is not named.
  • Organization Setting is set up to send traffic from source cluster to destination cluster.

Tier1Gateway also allows you to apply ModSecurity/Coraza compatible Web Application Firewall rules to traffic passing through the gateway.

apiVersion: gateway.xcp.tetrate.io/v2
kind: Tier1Gateway
metadata:
  name: tier1-waf-gw
  group: g1
  workspace: w1
  tenant: mycompany
  organization: myorg
spec:
  workloadSelector:
    namespace: ns1
    labels:
      app: gateway
  passthroughServers:
  - name: nginx
    port: 8443
    hostname: nginx.example.com
  waf:
    rules:
      - Include @owasp_crs/*.conf

Responses

Request samples

Content type
application/json
{
  "name": "string",
  "tier1Gateway": {}
}

Response samples

Content type
application/json
{
  "fqn": "string",
  "displayName": "string",
  "etag": "string",
  "description": "string",
  "workloadSelector": {},
  "externalServers": [],
  "internalServers": [],
  "passthroughServers": [],
  "tcpExternalServers": [],
  "tcpInternalServers": [],
  "extension": [],
  "waf": {},
  "configGenerationMetadata": {}
}

Get the details of the given Tier1 Gateway object.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

gatewaygroup
required
string

Gatewaygroup name.

tier1gateway
required
string

Tier1gateway name.

Responses

Response samples

Content type
application/json
{
  "fqn": "string",
  "displayName": "string",
  "etag": "string",
  "description": "string",
  "workloadSelector": {},
  "externalServers": [],
  "internalServers": [],
  "passthroughServers": [],
  "tcpExternalServers": [],
  "tcpInternalServers": [],
  "extension": [],
  "waf": {},
  "configGenerationMetadata": {}
}

Gateways_UpdateTier1Gateway

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

gatewaygroup
required
string

Gatewaygroup name.

tier1gateway
required
string

Tier1gateway name.

Request Body schema: application/json
required
configGenerationMetadata
object (v2ConfigGenerationMetadata)

ConfigGenerationMetadata allows you to set up extra metadata, such as new labels or annotations, that will be added to the final generated Istio configuration. Defining config generation metadata in tenancy resources (organization, tenant, workspace or groups) provides default values for the configurations that belong to them. Defining the same config generation metadata in configuration resources (ingress gateways, service routes, etc.) replaces the values defined in the tenancy resources.

description
string (A description of the resource.)
displayName
string (User-friendly name for the resource.)
etag
string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications.)
extension
Array of objects (v2WasmExtensionAttachment)

Extensions specifies all the WasmExtensions assigned to this Tier1Gateway with the specific configuration for each extension. This custom configuration overrides the one configured globally for the extension. Each extension has a global configuration, including enablement and priority, that conditions the execution of the assigned extensions.

externalServers
Array of objects (v2Tier1ExternalServer)

One or more servers exposed by the gateway externally.

internalServers
Array of objects (v2Tier1InternalServer)

One or more servers exposed by the gateway internally for cross-cluster forwarding.

passthroughServers
Array of objects (v2Tier1PassthroughServer)

One or more TLS passthrough servers exposed by the gateway externally.

tcpExternalServers
Array of objects (v2Tier1TCPExternalServer)

One or more TCP servers exposed by the gateway externally.

tcpInternalServers
Array of objects (v2Tier1TCPInternalServer)

One or more TCP servers exposed by the gateway for mesh-internal traffic.

waf
object (WAFSettings)

WAFSettings configures the WAF using seclang directives. See https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual-%28v3.x%29#Configuration_Directives

The following example creates a security group for the sidecars in the ns1, ns2 and ns3 namespaces, owned by its parent workspace w1 under tenant mycompany, together with a security setting that applies the WAF settings to that group.

apiVersion: security.tsb.tetrate.io/v2
kind: Group
metadata:
  name: t1
  workspace: w1
  tenant: mycompany
  organization: myorg
spec:
  namespaceSelector:
    names:
    - "*/ns1"
    - "*/ns2"
    - "*/ns3"
  configMode: BRIDGED
---
apiVersion: security.tsb.tetrate.io/v2
kind: SecuritySetting
metadata:
  name: defaults
  group: t1
  workspace: w1
  tenant: mycompany
  organization: myorg
spec:
  waf:
    rules:
      - Include @recommended-conf

In the following examples, the OWASP CRS rule set that blocks XSS requests is enabled on a Tier1Gateway and on an IngressGateway respectively. The IngressGateway uses an ad-hoc detection-only, debug-logging configuration of its own instead of the one defined in the security setting above.

apiVersion: gateway.xcp.tetrate.io/v2
kind: Tier1Gateway
metadata:
  name: tier1-waf-gw
  group: g1
  workspace: w1
  tenant: mycompany
  organization: myorg
spec:
  workloadSelector:
    namespace: ns1
    labels:
      app: gateway
  passthroughServers:
  - name: nginx
    port: 8443
    hostname: nginx.example.com
  waf:
    rules:
      - Include @owasp_crs/REQUEST-941-APPLICATION-ATTACK-XSS.conf
---
apiVersion: gateway.xcp.tetrate.io/v2
kind: IngressGateway
metadata:
  name: waf-gw
  group: g1
  workspace: w1
  tenant: mycompany
  organization: myorg
spec:
  workloadSelector:
    namespace: ns1
    labels:
      app: waf-gateway
  waf:
    rules:
      - SecRuleEngine DETECTION_ONLY
      - SecDebugLogLevel 5
      - Include @owasp_crs/REQUEST-941-APPLICATION-ATTACK-XSS.conf
  http:
  - name: bookinfo
    port: 9443
    hostname: bookinfo.com
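A gateway whose own waf rules start with SecRuleEngine DETECTION_ONLY logs matches but blocks nothing, so it is worth knowing, per gateway, which rule list is in effect and what engine mode and log level it sets. The following is an added example of such a posture summary, not TSB's or Coraza's code. It assumes, following the wording of the examples above, that rules set directly on a gateway are used instead of those in the SecuritySetting, and it recognises only the three directive kinds the page shows (SecRuleEngine, SecDebugLogLevel, Include); the dicts are the YAML examples above re-expressed as API-style JSON.

```python
"""Summarise the WAF posture a gateway ends up with from its seclang directives.
Added example, not TSB's or Coraza's code. Assumption (from the text above): rules
set directly on a gateway are used instead of the ones in the SecuritySetting.
Only the directive kinds shown on the page are interpreted."""

import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed from the YAML above (same values, as API-style dicts).
SETTING_WAF = {"rules": ["Include @recommended-conf"]}
TIER1_WAF = {"rules": ["Include @owasp_crs/REQUEST-941-APPLICATION-ATTACK-XSS.conf"]}
INGRESS_WAF = {"rules": [
    "SecRuleEngine DETECTION_ONLY",
    "SecDebugLogLevel 5",
    "Include @owasp_crs/REQUEST-941-APPLICATION-ATTACK-XSS.conf",
]}

DIRECTIVE = re.compile(r"^\s*(\S+)\s+(.*?)\s*$")   # "<name> <argument>"


@dataclass
class WafPosture:
    source: str                            # "gateway", "SecuritySetting" or "none"
    engine: Optional[str] = None           # SecRuleEngine value; None when not set explicitly
    debug_log_level: Optional[int] = None  # SecDebugLogLevel value; None when not set
    includes: List[str] = field(default_factory=list)
    warnings: List[str] = field(default_factory=list)


def effective_rules(gateway_waf: Optional[dict], setting_waf: Optional[dict]):
    """Pick the rule list in effect: a gateway's own rules replace the setting's (assumption)."""
    if gateway_waf and gateway_waf.get("rules"):
        return list(gateway_waf["rules"]), "gateway"
    if setting_waf and setting_waf.get("rules"):
        return list(setting_waf["rules"]), "SecuritySetting"
    return [], "none"


def analyse(gateway_waf: Optional[dict], setting_waf: Optional[dict]) -> WafPosture:
    """Walk the effective directives and flag settings that weaken enforcement."""
    rules, source = effective_rules(gateway_waf, setting_waf)
    posture = WafPosture(source=source)
    for line in rules:
        m = DIRECTIVE.match(line)
        if not m:
            continue
        name, arg = m.group(1), m.group(2)
        if name == "SecRuleEngine":
            posture.engine = arg
        elif name == "SecDebugLogLevel":
            posture.debug_log_level = int(arg)
        elif name == "Include":
            posture.includes.append(arg)

    if not posture.includes:
        posture.warnings.append("no rule set included: the WAF has nothing to evaluate")
    if posture.engine is None:
        posture.warnings.append("SecRuleEngine not set explicitly: enforcement depends on the "
                                "runtime default or an included configuration")
    elif posture.engine.upper() == "DETECTION_ONLY":
        posture.warnings.append("SecRuleEngine DETECTION_ONLY: matches are logged but never blocked")
    elif posture.engine.upper() == "OFF":
        posture.warnings.append("SecRuleEngine Off: the WAF is disabled")
    if posture.debug_log_level is not None and posture.debug_log_level >= 4:
        posture.warnings.append(f"SecDebugLogLevel {posture.debug_log_level}: verbose debug "
                                "logging, not meant for production")
    return posture


if __name__ == "__main__":
    for label, gw in (("tier1-waf-gw", TIER1_WAF), ("waf-gw", INGRESS_WAF), ("sidecars", None)):
        p = analyse(gw, SETTING_WAF)
        print(f"{label}: source={p.source} engine={p.engine} includes={p.includes}")
        for w in p.warnings:
            print("  warning:", w)
```

The engine is reported as unset rather than defaulted on purpose: when a gateway only includes @recommended-conf or a CRS file, the effective SecRuleEngine comes from that included configuration, which this summary cannot see, so the warning tells the reader where to look instead of guessing.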
workloadSelector
required
object (v2WorkloadSelector)

WorkloadSelector selects one or more workloads in a namespace. WorkloadSelector can be used in TrafficSetting, SecuritySetting, and Gateway APIs in BRIDGED mode to scope the configuration to a specific set of workloads.

Responses

Request samples

Content type
application/json
{
  "configGenerationMetadata": {},
  "description": "string",
  "displayName": "string",
  "etag": "string",
  "extension": [],
  "externalServers": [],
  "internalServers": [],
  "passthroughServers": [],
  "tcpExternalServers": [],
  "tcpInternalServers": [],
  "waf": {},
  "workloadSelector": {}
}

Response samples

Content type
application/json
{
  "fqn": "string",
  "displayName": "string",
  "etag": "string",
  "description": "string",
  "workloadSelector": {},
  "externalServers": [],
  "internalServers": [],
  "passthroughServers": [],
  "tcpExternalServers": [],
  "tcpInternalServers": [],
  "extension": [],
  "waf": {},
  "configGenerationMetadata": {}
}

Delete the given Tier1 Gateway object.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

gatewaygroup
required
string

Gatewaygroup name.

tier1gateway
required
string

Tier1gateway name.

Responses

Response samples

Content type
application/json
{ }

List all Gateway objects in the gateway group.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

gatewaygroup
required
string

Gatewaygroup name.

Responses

Response samples

Content type
application/json
{
  "gateways": []
}

Create a Gateway object in the gateway group.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

gatewaygroup
required
string

Gatewaygroup name.

Request Body schema: application/json
required
required
object (gatewayv2Gateway)

The Gateway configuration combines the functionalities of both the existing Tier1Gateway and IngressGateway, providing a unified approach for configuring a workload as a gateway in the mesh. Each server within the Gateway is configured to route requests either to destination clusters, such as a Tier1Gateway, or to specific services, like an IngressGateway.

The following example declares a gateway running on pods with app: gateway labels in the ns1 namespace. The gateway exposes the host bookinfo.com on HTTPS port 9443 and HTTP port 9090. Port 9090 is configured to receive plaintext traffic and send a redirect to the HTTPS port 9443 (site-wide HTTP -> HTTPS redirection). At port 9443, TLS is terminated using the certificates in the Kubernetes secret bookinfo-certs. Clients are authenticated using JWT tokens, whose keys are obtained from the OIDC provider www.googleapis.com. The request is then authorized by the user's authorization engine hosted at https://company.com/authz before being forwarded to the productpage service in the backend. Here, the gateway is configured in a manner similar to an existing IngressGateway with an HTTP server.

apiVersion: gateway.tsb.tetrate.io/v2
kind: Gateway
metadata:
  name: ingress-bookinfo
  group: g1
  workspace: w1
  tenant: mycompany
  organization: myorg
spec:
  workloadSelector:
    namespace: ns1
    labels:
      app: gateway
  http:
  - name: bookinfo-plaintext
    port: 9090
    hostname: bookinfo.com
    routing:
      rules:
        - redirect:
            authority: bookinfo.com
            port: 9443
            redirectCode: 301
            scheme: https
  - name: bookinfo
    port: 9443
    hostname: bookinfo.com
    tls:
      mode: SIMPLE
      secretName: bookinfo-certs
    authentication:
      rules:
        jwt:
        - issuer: https://accounts.google.com
          jwksUri: https://www.googleapis.com/oauth2/v3/certs
        - issuer: "auth.mycompany.com"
          jwksUri: https://auth.mycompany.com/oauth2/jwks
    authorization:
      external:
        uri: https://company.com/authz
        includeRequestHeaders:
          - Authorization # forwards the header to the authorization service.
    routing:
      rules:
      - route:
          serviceDestination:
            host: ns1/productpage.ns1.svc.cluster.local
    rateLimiting:
      settings:
        rules:
          # Ratelimit at 10 requests/hour for clients with a remote address of 1.2.3.4
        - dimensions:
          - remoteAddress:
              value: 1.2.3.4
          limit:
            requestsPerUnit: 10
            unit: HOUR
          # Ratelimit at 50 requests/minute for every unique value in the user-agent header
        - dimensions:
          - header:
              name: user-agent
          limit:
            requestsPerUnit: 50
            unit: MINUTE
          # Ratelimit at 100 requests/second for every unique client remote address
          # with the HTTP requests having a GET method and the path prefix of /productpage
        - dimensions:
          - remoteAddress:
              value: "*"
          - header:
              name: ":path"
              value:
                prefix: /productpage
          - header:
              name: ":method"
              value:
                exact: "GET"
          limit:
            requestsPerUnit: 100
            unit: SECOND
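The rateLimiting rules above select requests by dimensions, and the comments in the YAML show two different behaviours: a dimension with a literal value (1.2.3.4, exact GET) matches only that value and shares one counter, while a wildcard remoteAddress or a header given without a value opens a separate counter for every distinct value seen. The following is an added example that models those rules as a fixed-window limiter so the effect of each dimension can be seen on sample requests; it is not TSB's or Envoy's implementation. The descriptor semantics are taken from the YAML comments above, the fixed-window counting and the request samples are assumptions, and the rules are the ones from the Gateway above re-expressed as dicts.

```python
"""Fixed-window model of the rateLimiting rules above. Added example, not TSB's or
Envoy's code: descriptor semantics follow the YAML comments on the page, the
window algorithm and the request samples are assumptions."""

import time
from typing import Dict, List, Optional, Tuple

UNIT_SECONDS = {"SECOND": 1, "MINUTE": 60, "HOUR": 3600}

# The rules from the Gateway example above, expressed as dicts.
RULES = [
    {"dimensions": [{"remoteAddress": {"value": "1.2.3.4"}}],
     "limit": {"requestsPerUnit": 10, "unit": "HOUR"}},
    {"dimensions": [{"header": {"name": "user-agent"}}],
     "limit": {"requestsPerUnit": 50, "unit": "MINUTE"}},
    {"dimensions": [{"remoteAddress": {"value": "*"}},
                    {"header": {"name": ":path", "value": {"prefix": "/productpage"}}},
                    {"header": {"name": ":method", "value": {"exact": "GET"}}}],
     "limit": {"requestsPerUnit": 100, "unit": "SECOND"}},
]


def dimension_key(dim: dict, request: dict) -> Optional[str]:
    """Value this dimension contributes to the counter key, or None if it does not match."""
    if "remoteAddress" in dim:
        want = dim["remoteAddress"].get("value", "*")
        addr = request["remote_addr"]
        if want == "*":
            return addr                      # one counter per distinct client address
        return addr if addr == want else None
    if "header" in dim:
        spec = dim["header"]
        actual = request["headers"].get(spec["name"].lower())
        if actual is None:
            return None
        match = spec.get("value")
        if match is None:
            return actual                    # one counter per distinct header value
        if "exact" in match:
            return actual if actual == match["exact"] else None
        if "prefix" in match:                # all paths under the prefix share a counter
            return match["prefix"] if actual.startswith(match["prefix"]) else None
    return None


def descriptor(rule_index: int, rule: dict, request: dict) -> Optional[Tuple]:
    """Combine all dimensions; a rule applies only when every dimension matches."""
    parts = []
    for dim in rule["dimensions"]:
        part = dimension_key(dim, request)
        if part is None:
            return None
        parts.append(part)
    return (rule_index, *parts)


class FixedWindowLimiter:
    def __init__(self, rules: List[dict]):
        self.rules = rules
        self.counters: Dict[Tuple, Tuple[int, int]] = {}   # key -> (window_start, count)

    def allow(self, request: dict, now: Optional[float] = None) -> Tuple[bool, List[int]]:
        """Count the request against every applicable rule; report the rules it exceeds.
        Windows are fixed and aligned to the unit length (a modelling assumption)."""
        now = time.time() if now is None else now
        exceeded = []
        for i, rule in enumerate(self.rules):
            key = descriptor(i, rule, request)
            if key is None:
                continue
            window = UNIT_SECONDS[rule["limit"]["unit"]]
            start = int(now // window) * window
            prev_start, count = self.counters.get(key, (start, 0))
            if prev_start != start:
                count = 0                    # new window: counter resets
            count += 1
            self.counters[key] = (start, count)
            if count > rule["limit"]["requestsPerUnit"]:
                exceeded.append(i)
        return (not exceeded, exceeded)


if __name__ == "__main__":
    limiter = FixedWindowLimiter(RULES)
    # Constructed request: the 1.2.3.4 client fetching /productpage.
    req = {"remote_addr": "1.2.3.4",
           "headers": {":path": "/productpage", ":method": "GET", "user-agent": "curl/8"}}
    for n in range(12):
        print(n + 1, limiter.allow(req, now=1_000_000.0))   # 11th and 12th exceed rule 0
```

The descriptor tuple makes the counter granularity explicit: rule 0 keys every request from 1.2.3.4 to the same (0, "1.2.3.4") bucket, whereas rule 2's wildcard remoteAddress puts each client address in its own bucket, so one noisy client cannot consume the 100 req/s budget of the others.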

In the following example, clients are authenticated using an external OIDC provider with the AUTHORIZATION_CODE grant type. Once the client request is authenticated, it is forwarded to the productpage service in the backend. The access_token obtained after client authentication is set as a Bearer token in the request headers. The authentication state is stored in cookies.

apiVersion: gateway.tsb.tetrate.io/v2
kind: Gateway
metadata:
  name: ingress-bookinfo
  group: g1
  workspace: w1
  tenant: mycompany
  organization: myorg
spec:
  workloadSelector:
    namespace: ns1
    labels:
      app: gateway
  http:
  - name: bookinfo-plaintext
    port: 9090
    hostname: bookinfo.com
    routing:
      rules:
        - redirect:
            authority: bookinfo.com
            port: 9443
            redirectCode: 301
            scheme: https
  - name: bookinfo
    port: 9443
    hostname: bookinfo.com
    tls:
      mode: SIMPLE
      secretName: bookinfo-certs
    authentication:
      oidc:
        grantType: AUTHORIZATION_CODE
        clientId: "my-client"
        clientTokenSecret: "my-secret"
        redirectUri: https://httpbin.example.com/bearer
        provider:
          issuer: https://accounts.google.com
          authorizationEndpoint: https://accounts.google.com/v1/authorize
          tokenEndpoint: https://accounts.google.com/v1/token
          jwksUri: https://www.googleapis.com/oauth2/v3/certs
    authorization:
      external:
        uri: https://company.com/authz
        includeRequestHeaders:
          - Authorization # forwards the header to the authorization service.
    routing:
      rules:
      - route:
          serviceDestination:
            host: ns1/productpage.ns1.svc.cluster.local

If the productpage.ns1 service on Kubernetes has a ServiceRoute with multiple subsets and weights, the traffic will be split across the subsets accordingly.

The following example declares a gateway running on pods with app: gateway labels in the ns1 namespace. The gateway exposes the host movieinfo.com on ports 8080 and 8443, and kafka.internal on port 9000. Traffic for these hosts on ports 8443 and 9000 is TLS terminated and forwarded over Istio mutual TLS to the ingress gateways hosting movieinfo.com (on cluster c3 for requests matching the prefix /v1 and on c4 for requests matching /v2) and to the internal kafka.internal service in cluster c3, respectively. The server on port 8080 is configured to receive plaintext HTTP traffic and redirect it to port 8443 with a "Moved Permanently" (HTTP 301) status code. Here, the gateway is configured in a manner similar to an existing Tier1Gateway with external servers.

apiVersion: gateway.tsb.tetrate.io/v2
kind: Gateway
metadata:
  name: tier1
  group: g1
  workspace: w1
  tenant: mycompany
  organization: myorg
spec:
  workloadSelector:
    namespace: ns1
    labels:
      app: gateway
  http:
  - name: movieinfo-plain
    hostname: movieinfo.com # Plaintext and HTTPS redirect
    port: 8080
    routing:
      rules:
        - redirect:
            authority: movieinfo.com
            port: 8443
            redirectCode: 301
            scheme: https
            uri: "/"
  - name: movieinfo
    hostname: movieinfo.com # TLS termination and Istio mTLS to upstream
    port: 8443
    tls:
      mode: SIMPLE
      secretName: movieinfo-secrets
    routing:
      rules:
         - match:
             - uri:
                 prefix: "/v1"
           route:
             clusterDestination:
               clusters:
                 - name: c3 # the target gateway IPs will be automatically determined
                   weight: 100
         - match:
             - uri:
                 prefix: "/v2"
           route:
             clusterDestination:
               clusters:
                 - name: c4 # the target gateway IPs will be automatically determined
                   weight: 100
    authentication:
      rules:
        jwt:
        - issuer: "auth.mycompany.com"
          jwksUri: https://auth.mycompany.com/oauth2/jwks
        - issuer: "auth.othercompany.com"
          jwksUri: https://auth.othercompany.com/oauth2/jwks
    authorization:
      external:
        uri: "https://auth.company.com"
        includeRequestHeaders:
          - authorization
  tcp:
  - name: kafka
    hostname: kafka.internal
    port: 9000
    tls:
      mode: SIMPLE
      secretName: kafka-cred
    route:
      clusterDestination:
        clusters:
          - name: c3
            weight: 100

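To make the routing behaviour of the tier1 example above concrete, the following added example (not TSB or Istio code) transcribes its two HTTP servers into a plain Python dict and evaluates requests against them: the plaintext server on 8080 answers with a 301 redirect, the TLS server on 8443 only routes requests whose JWT issuer is one of the configured issuers, prefix matches pick cluster c3 or c4, and clusters are selected by weight. The dict layout, the `decide` function, and the `point` parameter used to make weighted selection deterministic are all assumptions of this example, not part of the TSB API.

```python
"""Offline evaluation of the tier1 Gateway's HTTP routing rules (added example)."""
from dataclasses import dataclass
from typing import Optional

# Transcription of the "tier1" Gateway spec from the page (HTTP servers only).
GATEWAY = {
    "http": [
        {
            "name": "movieinfo-plain",
            "hostname": "movieinfo.com",
            "port": 8080,
            "routing": {"rules": [
                {"redirect": {"authority": "movieinfo.com", "port": 8443,
                              "redirectCode": 301, "scheme": "https", "uri": "/"}},
            ]},
        },
        {
            "name": "movieinfo",
            "hostname": "movieinfo.com",
            "port": 8443,
            "tls": {"mode": "SIMPLE", "secretName": "movieinfo-secrets"},
            "routing": {"rules": [
                {"match": [{"uri": {"prefix": "/v1"}}],
                 "route": {"clusterDestination": {"clusters": [{"name": "c3", "weight": 100}]}}},
                {"match": [{"uri": {"prefix": "/v2"}}],
                 "route": {"clusterDestination": {"clusters": [{"name": "c4", "weight": 100}]}}},
            ]},
            "authentication": {"rules": {"jwt": [
                {"issuer": "auth.mycompany.com", "jwksUri": "https://auth.mycompany.com/oauth2/jwks"},
                {"issuer": "auth.othercompany.com", "jwksUri": "https://auth.othercompany.com/oauth2/jwks"},
            ]}},
        },
    ]
}


@dataclass
class Decision:
    server: str            # name of the matched server, "-" if none
    action: str            # "redirect", "route" or "deny"
    target: Optional[str]  # Location URL, cluster name, or deny reason


def find_server(gw, host, port):
    """Select the HTTP server that listens for this hostname on this port."""
    for srv in gw["http"]:
        if srv["hostname"] == host and srv["port"] == port:
            return srv
    return None


def allowed_issuer(srv, issuer):
    """A server with JWT rules only accepts tokens from the configured issuers."""
    rules = srv.get("authentication", {}).get("rules", {}).get("jwt", [])
    if not rules:
        return True  # no JWT rule on this server: authentication is not enforced here
    return any(r["issuer"] == issuer for r in rules)


def pick_cluster(clusters, point):
    """Weighted selection; `point` is a number in [0, sum of weights)."""
    acc = 0
    for c in clusters:
        acc += c["weight"]
        if point < acc:
            return c["name"]
    return clusters[-1]["name"]


def decide(gw, host, port, path, jwt_issuer=None, point=0):
    """Evaluate one request and return what the gateway would do with it."""
    srv = find_server(gw, host, port)
    if srv is None:
        return Decision("-", "deny", "no server for host/port")
    if not allowed_issuer(srv, jwt_issuer):
        return Decision(srv["name"], "deny", "issuer not trusted")
    for rule in srv["routing"]["rules"]:
        matches = rule.get("match")
        # A rule without a match block applies to every request on the server.
        if matches and not any(path.startswith(m["uri"]["prefix"]) for m in matches):
            continue
        if "redirect" in rule:
            r = rule["redirect"]
            return Decision(srv["name"], "redirect",
                            f"{r['scheme']}://{r['authority']}:{r['port']}{r['uri']}")
        clusters = rule["route"]["clusterDestination"]["clusters"]
        return Decision(srv["name"], "route", pick_cluster(clusters, point))
    return Decision(srv["name"], "deny", "no matching rule")


if __name__ == "__main__":
    print(decide(GATEWAY, "movieinfo.com", 8080, "/v1/list"))
    print(decide(GATEWAY, "movieinfo.com", 8443, "/v1/list", "auth.mycompany.com"))
    print(decide(GATEWAY, "movieinfo.com", 8443, "/v2/list", "unknown.example"))
```

Two points worth noting from running it: a request on 8443 without a token from a configured issuer is refused before any routing rule is consulted, and a path that matches neither prefix gets no route at all, so the rule list is an allow-list of paths rather than a fall-through.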
This example shows how to forward mesh-internal traffic for Gateway hosts from one cluster to another. This form of forwarding will work only if the two clusters cannot reach each other directly (e.g., they are on different VPCs that are not peered). The following example declares a gateway running on pods with app: gateway labels in the ns1 namespace. The gateway exposes the hosts movieinfo.com and bookinfo.com, and a non-HTTP server called kafka.org-internal, within the mesh. Traffic to movieinfo.com is load balanced across all clusters on vpc-02, while traffic to bookinfo.com and kafka.org-internal is load balanced across the ingress gateways exposing those hosts on any cluster. Traffic from the source (sidecars) is expected to arrive at the tier1 gateway over Istio mTLS. Here, the gateway is configured in a manner similar to an existing Tier1Gateway with internal servers.

apiVersion: gateway.tsb.tetrate.io/v2
kind: Gateway
metadata:
  name: tier1
  group: g1
  workspace: w1
  tenant: mycompany
  organization: myorg
spec:
  workloadSelector:
    namespace: ns1
    labels:
      app: gateway
  http: # forwarding gateway (HTTP traffic only)
  - name: movieinfo
    transit: true # server marked as internal
    hostname: movieinfo.com
    routing:
      rules:
      - route:
          clusterDestination:
            clusters:
            - labels:
                network: vpc-02 # the target gateway IPs will be automatically determined
    authentication:
      rules:
        jwt:
        - issuer: "auth.mycompany.com"
          jwksUri: https://auth.company.com/oauth2/jwks
        - issuer: "auth.othercompany.com"
          jwksUri: https://auth.othercompany.com/oauth2/jwks
    authorization:
      meshInternalAuthz:
        external:
          uri: "https://auth.company.com"
          includeRequestHeaders:
            - authorization
  - name: bookinfo
    transit: true # server marked as internal
    hostname: bookinfo.com # route to any ingress gateway exposing bookinfo.com
    routing:
      rules:
      - route:
          clusterDestination:
            clusters:
  tcp: # forwarding non-HTTP traffic within the mesh
  - name: kafka
    transit: true # server marked as internal
    hostname: kafka.org-internal
    route:
      clusterDestination:
        clusters:

The following example illustrates defining a non-HTTP (TCP-based) server with TLS termination. Here, kafka.myorg.internal uses a non-HTTP protocol and listens on port 9000. Clients have to connect over TLS with the SNI kafka.myorg.internal. TLS is terminated at the gateway and the traffic is routed to kafka.infra.svc.cluster.local:8000.

If subsets are defined in a ServiceRoute referencing the kafka.infra.svc.cluster.local service, they are also taken into account while routing.

apiVersion: gateway.tsb.tetrate.io/v2
kind: Gateway
metadata:
  name: ingress-bookinfo
  group: g1
  workspace: w1
  tenant: mycompany
  organization: myorg
spec:
  workloadSelector:
    namespace: ns1
    labels:
      app: gateway
  tcp:
  - name: kafka-gateway
    hostname: kafka.myorg.internal
    port: 9000
    tls:
      mode: SIMPLE
      secretName: kafka-cred
    route:
      serviceDestination:
        host: kafka.infra.svc.cluster.local
        port: 8000

This is an example of configuring a gateway with a TLS passthrough server. The gateway does not terminate TLS; it forwards the passthrough server traffic to clusters c1 and c2 according to their weights. It is essential to configure TLS for the same hostname at c1 and c2 as well. Here, the gateway is configured similarly to an existing Tier1Gateway with passthrough servers.

apiVersion: gateway.tsb.tetrate.io/v2
kind: Gateway
metadata:
  name: tier1-tls-gw
  group: g1
  workspace: w1
  tenant: mycompany
  organization: myorg
spec:
  workloadSelector:
    namespace: ns1
    labels:
      app: gateway
  tls:
  - name: nginx
    port: 8443
    hostname: nginx.example.com
    route:
      clusterDestination:
         clusters:
           - name: c1 # the target gateway IPs will be automatically determined
             weight: 90
           - name: c2
             weight: 10

This configuration defines a Gateway named egress-access intended for egress traffic management. It operates within the namespace ns and targets pods labeled with app: egressgateway. The Gateway exposes three external hosts for egress access: example.com, httpbin.org, and apis.google.com.

By default, egress access is denied for all three hosts. Users must explicitly define allow rules for traffic to pass through.

Clients in the cluster-1/client namespace are granted access to the example.com host. Clients in the cluster-2/client namespace can access httpbin.org. However, access to apis.google.com is denied for all clients.

apiVersion: gateway.tsb.tetrate.io/v2
kind: Gateway
metadata:
  name: egress-access
  labels:
    xcp.tetrate.io/workspace: egress-ws
    xcp.tetrate.io/gatewayGroup: egress-gw-group
spec:
  workloadSelector:
    namespace: ns
    labels:
      app: egressgateway
  http:
    - name: example
      hostname: "example.com"
      routing:
        rules:
          - route:
              serviceDestination:
                host: "ns/example.com"
                tls:
                  mode: SIMPLE
                  files:
                    caCertificates: "/etc/ssl/certs/ca-certificates.crt"
    - name: httpbin
      hostname: "httpbin.org"
      routing:
        rules:
          - route:
              serviceDestination:
                host: "ns/httpbin.org"
                tls:
                  mode: SIMPLE
                  files:
                    caCertificates: "/etc/ssl/certs/ca-certificates.crt"
    - name: apis
      hostname: "apis.google.com"
      routing:
        rules:
          - route:
              serviceDestination:
                host: "ns/apis.google.com"
                tls:
                  mode: SIMPLE
                  files:
                    caCertificates: "/etc/ssl/certs/ca-certificates.crt"
  egressAuthorization:
    - from:
        mode: SERVICE_ACCOUNT
        serviceAccounts:
          - "cluster-1/client/*"
      to:
        - host:
            exact: "example.com"
    - from:
        mode: SERVICE_ACCOUNT
        serviceAccounts:
          - "cluster-2/client/*"
      to:
        - host:
            exact: "httpbin.org"

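The egress example above is a default-deny allow-list: a host exposed on the gateway is unreachable until an egressAuthorization rule names it. The following added example (not TSB code) transcribes that Gateway into a Python dict, evaluates whether a given service account may reach a given host, and audits the spec for exposed hosts that no rule allows. The service-account string layout `cluster/namespace/name`, the single-segment `*` wildcard matching of entries such as `cluster-1/client/*`, and the function names are assumptions of this example; only the `exact` host matcher shown on the page is implemented.

```python
"""Default-deny egress authorization check for the egress-access Gateway (added example)."""
import fnmatch

# Transcription of the "egress-access" Gateway spec from the page
# (hostnames and egressAuthorization only; the TLS origination settings are omitted).
EGRESS_GATEWAY = {
    "http": [
        {"name": "example", "hostname": "example.com"},
        {"name": "httpbin", "hostname": "httpbin.org"},
        {"name": "apis", "hostname": "apis.google.com"},
    ],
    "egressAuthorization": [
        {"from": {"mode": "SERVICE_ACCOUNT", "serviceAccounts": ["cluster-1/client/*"]},
         "to": [{"host": {"exact": "example.com"}}]},
        {"from": {"mode": "SERVICE_ACCOUNT", "serviceAccounts": ["cluster-2/client/*"]},
         "to": [{"host": {"exact": "httpbin.org"}}]},
    ],
}


def sa_matches(pattern, service_account):
    """Assumed matching: compare segment by segment so '*' cannot span a '/'.

    'cluster-1/client/*' therefore matches 'cluster-1/client/frontend' but
    neither 'cluster-1/other/frontend' nor 'cluster-1/client/a/b'.
    """
    pat_parts = pattern.split("/")
    sa_parts = service_account.split("/")
    if len(pat_parts) != len(sa_parts):
        return False
    return all(fnmatch.fnmatchcase(s, p) for p, s in zip(pat_parts, sa_parts))


def host_matches(to_entry, host):
    """Only the 'exact' matcher used on the page is supported here."""
    matcher = to_entry["host"]
    if "exact" in matcher:
        return matcher["exact"] == host
    raise ValueError(f"unsupported host matcher: {matcher}")


def egress_allowed(gw, service_account, host):
    """Return (allowed, reason). Anything not explicitly allowed is denied."""
    exposed = {srv["hostname"] for srv in gw["http"]}
    if host not in exposed:
        return False, "host not exposed on the gateway"
    for rule in gw["egressAuthorization"]:
        if rule["from"]["mode"] != "SERVICE_ACCOUNT":
            continue  # other 'from' modes are not part of this example
        if not any(sa_matches(p, service_account) for p in rule["from"]["serviceAccounts"]):
            continue
        if any(host_matches(t, host) for t in rule["to"]):
            return True, "allowed by egressAuthorization rule"
    return False, "no allow rule matched (default deny)"


def unreachable_hosts(gw):
    """Audit helper: exposed hosts that no allow rule references at all."""
    referenced = {t["host"]["exact"]
                  for rule in gw["egressAuthorization"] for t in rule["to"]}
    exposed = {srv["hostname"] for srv in gw["http"]}
    return sorted(exposed - referenced)


if __name__ == "__main__":
    for sa, host in [("cluster-1/client/frontend", "example.com"),
                     ("cluster-1/client/frontend", "httpbin.org"),
                     ("cluster-2/client/worker", "apis.google.com")]:
        print(sa, "->", host, egress_allowed(EGRESS_GATEWAY, sa, host))
    print("exposed but never allowed:", unreachable_hosts(EGRESS_GATEWAY))
```

The audit helper is the part a reviewer would actually run before applying such a spec: it lists hosts that are exposed but dead by policy (here apis.google.com), which is either the intended deny or a forgotten rule, and either way deserves a second look.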
TSB provides ways to extend the functionality bundled with Envoy using the extensions field.

The following example shows a Gateway configuration in which Kong's response-transformer plugin is used, alongside a custom plugin whose source is loaded from a ConfigMap.

apiVersion: gateway.tsb.tetrate.io/v2
kind: Gateway
metadata:
  name: ingress-bookinfo
  group: g1
  workspace: w1
  tenant: mycompany
  organization: myorg
spec:
  workloadSelector:
    namespace: ns1
    labels:
      app: gateway
  http:
  - name: bookinfo-plaintext
    port: 9090
    hostname: bookinfo.com
    extensions:
      kong:
        plugins:
          - name: response-transformer
            priority: 999
            config:
              inline:
                remove:
                  json:
                  - example-field
          - name: custom-header-adder
            priority: 1000
            config:
              inline:
                request_header_to_add: example-header
            pluginSource:
              configMap: cm-containing-this-plugin-in-gw-install-ns

name
required
string

The short name for the resource to be created.

Responses

Request samples

Content type
application/json
{
  • "gateway": {
    },
  • "name": "string"
}

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "displayName": "string",
  • "etag": "string",
  • "description": "string",
  • "workloadSelector": {
    },
  • "http": [
    ],
  • "tls": [
    ],
  • "tcp": [
    ],
  • "wasmPlugins": [
    ],
  • "waf": {
    },
  • "egressAuthorization": [
    ],
  • "configGenerationMetadata": {
    }
}

Get the details of the given Gateway object.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

gatewaygroup
required
string

Gatewaygroup name.

unifiedgateway
required
string

Unifiedgateway name.

Responses

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "displayName": "string",
  • "etag": "string",
  • "description": "string",
  • "workloadSelector": {
    },
  • "http": [
    ],
  • "tls": [
    ],
  • "tcp": [
    ],
  • "wasmPlugins": [
    ],
  • "waf": {
    },
  • "egressAuthorization": [
    ],
  • "configGenerationMetadata": {
    }
}

Modify the given Gateway object.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

gatewaygroup
required
string

Gatewaygroup name.

unifiedgateway
required
string

Unifiedgateway name.

Request Body schema: application/json
required
object (v2ConfigGenerationMetadata)

ConfigGenerationMetadata allows setting up extra metadata, such as new labels or annotations, that will be added to the final Istio generated configurations. Defining the config generation metadata in tenancy resources (like organization, tenant, workspace or groups) provides default values for the configs that belong to them. Defining the same config generation metadata in configuration resources (like ingress gateways, service routes, etc.) will replace the values defined in the tenancy resources.

description
string (A description of the resource. $hide_from_yaml)
displayName
string (User friendly name for the resource. $hide_from_yaml)
Array of objects (v2EgressAuthorizationSettings)

External services are onboarded into the mesh via service entry, and these services are exposed on the Gateway for egress access. By default, access is denied for these hosts. Users can configure EgressAuthorizationSettings to specify which service accounts are allowed.

etag
string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)
Array of objects (gatewayv2HTTP)

One or more HTTP or HTTPS servers exposed by the gateway. The server exposes configuration for TLS termination, request authentication/authorization, HTTP routing, rate limiting, etc.

Array of objects (gatewayv2TCP)

One or more non-HTTP and non-passthrough servers which use TCP based protocols. This server also exposes configuration for terminating TLS.

Array of objects (v2TLS)

One or more TLS servers exposed by the gateway. The server does not terminate TLS and exposes config for SNI based routing.

object (WAFSettings configure WAF based on seclang See https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual-%28v3.x%29#Configuration_Directives)

The following example creates a security group for the sidecars in the ns1, ns2 and ns3 namespaces owned by its parent workspace w1 under tenant mycompany, together with a security setting in that group that applies the WAF settings.

apiVersion: security.tsb.tetrate.io/v2
kind: Group
metadata:
  name: t1
  workspace: w1
  tenant: mycompany
  organization: myorg
spec:
  namespaceSelector:
    names:
    - "*/ns1"
    - "*/ns2"
    - "*/ns3"
  configMode: BRIDGED
---
apiVersion: security.tsb.tetrate.io/v2
kind: SecuritySetting
metadata:
  name: defaults
  group: t1
  workspace: w1
  tenant: mycompany
  organization: myorg
spec:
  waf:
    rules:
      - Include @recommended-conf

In the following examples, the security rule for blocking XSS requests is enabled on a Tier1Gateway and an IngressGateway respectively, with an ad-hoc debug configuration (the SecRuleEngine and SecDebugLogLevel directives on the IngressGateway) instead of the one defined in the security setting.

apiVersion: gateway.xcp.tetrate.io/v2
kind: Tier1Gateway
metadata:
  name: tier1-waf-gw
  group: g1
  workspace: w1
  tenant: mycompany
  organization: myorg
spec:
  workloadSelector:
    namespace: ns1
    labels:
      app: gateway
  passthroughServers:
  - name: nginx
    port: 8443
    hostname: nginx.example.com
  waf:
    rules:
      - Include @owasp_crs/REQUEST-941-APPLICATION-ATTACK-XSS.conf
---
apiVersion: gateway.xcp.tetrate.io/v2
kind: IngressGateway
metadata:
  name: waf-gw
  group: g1
  workspace: w1
  tenant: mycompany
  organization: myorg
spec:
  workloadSelector:
    namespace: ns1
    labels:
      app: waf-gateway
  waf:
    rules:
      - SecRuleEngine DETECTION_ONLY
      - SecDebugLogLevel 5
      - Include @owasp_crs/REQUEST-941-APPLICATION-ATTACK-XSS.conf
  http:
  - name: bookinfo
    port: 9443
    hostname: bookinfo.com

Array of objects (v2WasmExtensionAttachment)

WasmPlugins specifies all the WasmExtensionAttachment assigned to this Gateway with the specific configuration for each plugin. This custom configuration will override the one configured globally to the plugin. Each plugin has a global configuration including priority that will condition the execution of the assigned plugins.

required
object (v2WorkloadSelector)

WorkloadSelector selects one or more workloads in a namespace. WorkloadSelector can be used in TrafficSetting, SecuritySetting, and Gateway APIs in BRIDGED mode to scope the configuration to a specific set of workloads.

Responses

Request samples

Content type
application/json
{
  • "configGenerationMetadata": {
    },
  • "description": "string",
  • "displayName": "string",
  • "egressAuthorization": [
    ],
  • "etag": "string",
  • "http": [
    ],
  • "tcp": [
    ],
  • "tls": [
    ],
  • "waf": {
    },
  • "wasmPlugins": [
    ],
  • "workloadSelector": {
    }
}

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "displayName": "string",
  • "etag": "string",
  • "description": "string",
  • "workloadSelector": {
    },
  • "http": [
    ],
  • "tls": [
    ],
  • "tcp": [
    ],
  • "wasmPlugins": [
    ],
  • "waf": {
    },
  • "egressAuthorization": [
    ],
  • "configGenerationMetadata": {
    }
}

Delete the given Gateway object.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

gatewaygroup
required
string

Gatewaygroup name.

unifiedgateway
required
string

Unifiedgateway name.

Responses

Response samples

Content type
application/json
{ }

IstioInternal

List all Istio internal groups in the given workspace.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

Responses

Response samples

Content type
application/json
{
  • "groups": [
    ]
}

Create a new Istio internal group in the given workspace.

Groups will by default configure all the namespaces owned by their workspace, unless explicitly configured. If a specific set of namespaces is set for the group, it must be a subset of the namespaces defined by its workspace.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

Request Body schema: application/json
required
required
object (tsbistiointernalv2Group)

Istio internal groups only allow grouping DIRECT mode mesh resources in a set of namespaces owned by the parent workspace. This group is aimed at grouping resources not directly related to traffic, security, or gateways, such as EnvoyFilters and ServiceEntries. An Istio internal group is meant to group highly coupled, implementation-detail-oriented Istio resources that do not provide any BRIDGED mode guarantees or backward/forward compatibility that other groups, like traffic, security or gateway groups, can provide. This is mainly because resources like EnvoyFilters are highly customizable and can interfere in unpredictable ways with any other routing, security, listener, or filter chain configuration that TSB may have set up. Therefore, this group is only meant for users and administrators who are confident with those advanced features and know that the resources defined under this group will not interfere with the mesh governance functionality that TSB provides.

The following example creates an istio internal group for resources in ns1, ns2 and ns3 namespaces owned by its parent workspace w1 under tenant mycompany.

apiVersion: istiointernal.tsb.tetrate.io/v2
kind: Group
metadata:
  name: t1
  workspace: w1
  tenant: mycompany
  organization: myorg
spec:
  namespaceSelector:
    names:
    - "*/ns1"
    - "*/ns2"
    - "*/ns3"

It is possible to directly attach Istio APIs such as EnvoyFilter and ServiceEntry to the Istio internal group. These configurations will then be pushed to the appropriate Istio control planes.

The following ServiceEntry example declares a few external APIs accessed by internal applications over HTTPS. The sidecar inspects the SNI value in the ClientHello message to route to the appropriate external service.

apiVersion: networking.istio.io/v1beta1
kind: ServiceEntry
metadata:
  name: external-svc-https
  namespace: ns1
  annotations:
    tsb.tetrate.io/organization: myorg
    tsb.tetrate.io/tenant: mycompany
    tsb.tetrate.io/workspace: w1
    tsb.tetrate.io/istioInternalGroup: t1
spec:
  hosts:
  - api.dropboxapi.com
  - www.googleapis.com
  - api.facebook.com
  location: MESH_EXTERNAL
  ports:
  - number: 443
    name: https
    protocol: TLS
  resolution: DNS

The namespace where the Istio APIs are applied needs to be part of the parent Istio internal group. In addition, each API object needs to carry annotations indicating the organization, tenant, workspace and Istio internal group to which it belongs.

name
required
string

The short name for the resource to be created.

Responses

Request samples

Content type
application/json
{
  • "group": {
    },
  • "name": "string"
}

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "displayName": "string",
  • "etag": "string",
  • "description": "string",
  • "namespaceSelector": {
    },
  • "deletionProtectionEnabled": true,
  • "configGenerationMetadata": {
    }
}

Get the details of the given Istio internal group.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

istiointernalgroup
required
string

Istiointernalgroup name.

Responses

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "displayName": "string",
  • "etag": "string",
  • "description": "string",
  • "namespaceSelector": {
    },
  • "deletionProtectionEnabled": true,
  • "configGenerationMetadata": {
    }
}

Modify an Istio internal group.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

istiointernalgroup
required
string

Istiointernalgroup name.

Request Body schema: application/json
required
object (v2ConfigGenerationMetadata)

ConfigGenerationMetadata allows setting up extra metadata, such as new labels or annotations, that will be added to the final Istio generated configurations. Defining the config generation metadata in tenancy resources (like organization, tenant, workspace or groups) provides default values for the configs that belong to them. Defining the same config generation metadata in configuration resources (like ingress gateways, service routes, etc.) will replace the values defined in the tenancy resources.

deletionProtectionEnabled
boolean

When set, prevents the resource from being deleted. In order to delete the resource this property needs to be set to false first.

description
string (A description of the resource. $hide_from_yaml)
displayName
string (User friendly name for the resource. $hide_from_yaml)
etag
string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)
required
object (`NamespaceSelector` selects a set of namespaces across one or more clusters in a tenant. Namespace selectors can be used at Workspace level to carve out a chunk of resources under a tenant into an isolated configuration domain. They can be used in a Traffic, Security, or a Gateway group to further scope the set of namespaces that will belong to a specific configuration group. Names in namespaces selector must be in the form `cluster/namespace` where: - cluster must be a cluster name or an `*` to mean all clusters - namespace must be a namespace name, an `*` to mean all namespaces or a prefix like `ns-*` to mean all those namespaces starting by `ns-`)

Responses

Request samples

Content type
application/json
{
  • "configGenerationMetadata": {
    },
  • "deletionProtectionEnabled": true,
  • "description": "string",
  • "displayName": "string",
  • "etag": "string",
  • "namespaceSelector": {
    }
}

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "displayName": "string",
  • "etag": "string",
  • "description": "string",
  • "namespaceSelector": {
    },
  • "deletionProtectionEnabled": true,
  • "configGenerationMetadata": {
    }
}

Delete the given Istio internal group. Note that deleting resources in TSB is a recursive operation. Deleting an Istio internal group will delete all configuration objects that exist in it.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

istiointernalgroup
required
string

Istiointernalgroup name.

query Parameters
force
boolean

Force the deletion of the object even if deletion protection is enabled. If this is set, then the object and all its children will be deleted even if any of them has the deletion protection enabled.

Responses

Response samples

Content type
application/json
{ }

Metrics

List the telemetry metrics that are available for the requested telemetry source.

path Parameters
organization
required
string

Organization name.

cluster
required
string

Cluster name.

source
required
string

Source name.

Responses

Response samples

Content type
application/json
{
  • "metrics": [
    ]
}

Get the details of an existing telemetry metric.

path Parameters
organization
required
string

Organization name.

cluster
required
string

Cluster name.

source
required
string

Source name.

metric
required
string

Metric name.

Responses

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "displayName": "string",
  • "etag": "string",
  • "description": "string",
  • "observedResource": "string",
  • "measure": {
    },
  • "type": {
    },
  • "origin": "INVALID_METRIC_ORIGIN",
  • "detectionPoint": "INVALID_METRIC_DETECTION_POINT"
}

List the telemetry metrics that are available for the requested telemetry source.

path Parameters
organization
required
string

Organization name.

extension
required
string

Extension name.

source
required
string

Source name.

Responses

Response samples

Content type
application/json
{
  • "metrics": [
    ]
}

Get the details of an existing telemetry metric.

path Parameters
organization
required
string

Organization name.

extension
required
string

Extension name.

source
required
string

Source name.

metric
required
string

Metric name.

Responses

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "displayName": "string",
  • "etag": "string",
  • "description": "string",
  • "observedResource": "string",
  • "measure": {
    },
  • "type": {
    },
  • "origin": "INVALID_METRIC_ORIGIN",
  • "detectionPoint": "INVALID_METRIC_DETECTION_POINT"
}

List the telemetry metrics that are available for the requested telemetry source.

path Parameters
organization
required
string

Organization name.

serviceaccount
required
string

Serviceaccount name.

source
required
string

Source name.

Responses

Response samples

Content type
application/json
{
  • "metrics": [
    ]
}

Get the details of an existing telemetry metric.

path Parameters
organization
required
string

Organization name.

serviceaccount
required
string

Serviceaccount name.

source
required
string

Source name.

metric
required
string

Metric name.

Responses

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "displayName": "string",
  • "etag": "string",
  • "description": "string",
  • "observedResource": "string",
  • "measure": {
    },
  • "type": {
    },
  • "origin": "INVALID_METRIC_ORIGIN",
  • "detectionPoint": "INVALID_METRIC_DETECTION_POINT"
}

List the telemetry metrics that are available for the requested telemetry source.

path Parameters
organization
required
string

Organization name.

service
required
string

Service name.

source
required
string

Source name.

Responses

Response samples

Content type
application/json
{
  • "metrics": [
    ]
}

Get the details of an existing telemetry metric.

path Parameters
organization
required
string

Organization name.

service
required
string

Service name.

source
required
string

Source name.

metric
required
string

Metric name.

Responses

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "displayName": "string",
  • "etag": "string",
  • "description": "string",
  • "observedResource": "string",
  • "measure": {
    },
  • "type": {
    },
  • "origin": "INVALID_METRIC_ORIGIN",
  • "detectionPoint": "INVALID_METRIC_DETECTION_POINT"
}

List the telemetry metrics that are available for the requested telemetry source.

path Parameters
organization
required
string

Organization name.

setting
required
string

Setting name.

source
required
string

Source name.

Responses

Response samples

Content type
application/json
{
  • "metrics": [
    ]
}

Get the details of an existing telemetry metric.

path Parameters
organization
required
string

Organization name.

setting
required
string

Setting name.

source
required
string

Source name.

metric
required
string

Metric name.

Responses

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "displayName": "string",
  • "etag": "string",
  • "description": "string",
  • "observedResource": "string",
  • "measure": {
    },
  • "type": {
    },
  • "origin": "INVALID_METRIC_ORIGIN",
  • "detectionPoint": "INVALID_METRIC_DETECTION_POINT"
}

List the telemetry metrics that are available for the requested telemetry source.

path Parameters
organization
required
string

Organization name.

team
required
string

Team name.

source
required
string

Source name.

Responses

Response samples

Content type
application/json
{
  • "metrics": [
    ]
}

Get the details of an existing telemetry metric.

path Parameters
organization
required
string

Organization name.

team
required
string

Team name.

source
required
string

Source name.

metric
required
string

Metric name.

Responses

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "displayName": "string",
  • "etag": "string",
  • "description": "string",
  • "observedResource": "string",
  • "measure": {
    },
  • "type": {
    },
  • "origin": "INVALID_METRIC_ORIGIN",
  • "detectionPoint": "INVALID_METRIC_DETECTION_POINT"
}

List the telemetry metrics that are available for the requested telemetry source.

path Parameters
organization
required
string

Organization name.

source
required
string

Source name.

Responses

Response samples

Content type
application/json
{
  • "metrics": [
    ]
}

Get the details of an existing telemetry metric.

path Parameters
organization
required
string

Organization name.

source
required
string

Source name.

metric
required
string

Metric name.

Responses

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "displayName": "string",
  • "etag": "string",
  • "description": "string",
  • "observedResource": "string",
  • "measure": {
    },
  • "type": {
    },
  • "origin": "INVALID_METRIC_ORIGIN",
  • "detectionPoint": "INVALID_METRIC_DETECTION_POINT"
}

List the telemetry metrics that are available for the requested telemetry source.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

application
required
string

Application name.

api
required
string

Api name.

source
required
string

Source name.

Responses

Response samples

Content type
application/json
{
  • "metrics": [
    ]
}

Get the details of an existing telemetry metric.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

application
required
string

Application name.

api
required
string

Api name.

source
required
string

Source name.

metric
required
string

Metric name.

Responses

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "displayName": "string",
  • "etag": "string",
  • "description": "string",
  • "observedResource": "string",
  • "measure": {
    },
  • "type": {
    },
  • "origin": "INVALID_METRIC_ORIGIN",
  • "detectionPoint": "INVALID_METRIC_DETECTION_POINT"
}

List the telemetry metrics that are available for the requested telemetry source.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

application
required
string

Application name.

source
required
string

Source name.

Responses

Response samples

Content type
application/json
{
  • "metrics": [
    ]
}

Get the details of an existing telemetry metric.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

application
required
string

Application name.

source
required
string

Source name.

metric
required
string

Metric name.

Responses

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "displayName": "string",
  • "etag": "string",
  • "description": "string",
  • "observedResource": "string",
  • "measure": {
    },
  • "type": {
    },
  • "origin": "INVALID_METRIC_ORIGIN",
  • "detectionPoint": "INVALID_METRIC_DETECTION_POINT"
}

List the telemetry metrics that are available for the requested telemetry source.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

setting
required
string

Setting name.

source
required
string

Source name.

Responses

Response samples

Content type
application/json
{
  • "metrics": [
    ]
}

Get the details of an existing telemetry metric.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

setting
required
string

Setting name.

source
required
string

Source name.

metric
required
string

Metric name.

Responses

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "displayName": "string",
  • "etag": "string",
  • "description": "string",
  • "observedResource": "string",
  • "measure": {
    },
  • "type": {
    },
  • "origin": "INVALID_METRIC_ORIGIN",
  • "detectionPoint": "INVALID_METRIC_DETECTION_POINT"
}

List the telemetry metrics that are available for the requested telemetry source.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

source
required
string

Source name.

Responses

Response samples

Content type
application/json
{
  • "metrics": [
    ]
}

Get the details of an existing telemetry metric.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

source
required
string

Source name.

metric
required
string

Metric name.

Responses

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "displayName": "string",
  • "etag": "string",
  • "description": "string",
  • "observedResource": "string",
  • "measure": {
    },
  • "type": {
    },
  • "origin": "INVALID_METRIC_ORIGIN",
  • "detectionPoint": "INVALID_METRIC_DETECTION_POINT"
}

List the telemetry metrics that are available for the requested telemetry source.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

gatewaygroup
required
string

Gateway group name.

egressgateway
required
string

Egress gateway name.

source
required
string

Source name.

Responses

Response samples

Content type
application/json
{
  • "metrics": [
    ]
}

Get the details of an existing telemetry metric.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

gatewaygroup
required
string

Gateway group name.

egressgateway
required
string

Egress gateway name.

source
required
string

Source name.

metric
required
string

Metric name.

Responses

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "displayName": "string",
  • "etag": "string",
  • "description": "string",
  • "observedResource": "string",
  • "measure": {
    },
  • "type": {
    },
  • "origin": "INVALID_METRIC_ORIGIN",
  • "detectionPoint": "INVALID_METRIC_DETECTION_POINT"
}

List the telemetry metrics that are available for the requested telemetry source.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

gatewaygroup
required
string

Gateway group name.

ingressgateway
required
string

Ingress gateway name.

source
required
string

Source name.

Responses

Response samples

Content type
application/json
{
  • "metrics": [
    ]
}

Get the details of an existing telemetry metric.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

gatewaygroup
required
string

Gateway group name.

ingressgateway
required
string

Ingress gateway name.

source
required
string

Source name.

metric
required
string

Metric name.

Responses

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "displayName": "string",
  • "etag": "string",
  • "description": "string",
  • "observedResource": "string",
  • "measure": {
    },
  • "type": {
    },
  • "origin": "INVALID_METRIC_ORIGIN",
  • "detectionPoint": "INVALID_METRIC_DETECTION_POINT"
}

List the telemetry metrics that are available for the requested telemetry source.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

gatewaygroup
required
string

Gateway group name.

source
required
string

Source name.

Responses

Response samples

Content type
application/json
{
  • "metrics": [
    ]
}

Get the details of an existing telemetry metric.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

gatewaygroup
required
string

Gateway group name.

source
required
string

Source name.

metric
required
string

Metric name.

Responses

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "displayName": "string",
  • "etag": "string",
  • "description": "string",
  • "observedResource": "string",
  • "measure": {
    },
  • "type": {
    },
  • "origin": "INVALID_METRIC_ORIGIN",
  • "detectionPoint": "INVALID_METRIC_DETECTION_POINT"
}

List the telemetry metrics that are available for the requested telemetry source.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

gatewaygroup
required
string

Gateway group name.

tier1gateway
required
string

Tier-1 gateway name.

source
required
string

Source name.

Responses

Response samples

Content type
application/json
{
  • "metrics": [
    ]
}

Get the details of an existing telemetry metric.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

gatewaygroup
required
string

Gateway group name.

tier1gateway
required
string

Tier-1 gateway name.

source
required
string

Source name.

metric
required
string

Metric name.

Responses

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "displayName": "string",
  • "etag": "string",
  • "description": "string",
  • "observedResource": "string",
  • "measure": {
    },
  • "type": {
    },
  • "origin": "INVALID_METRIC_ORIGIN",
  • "detectionPoint": "INVALID_METRIC_DETECTION_POINT"
}

List the telemetry metrics that are available for the requested telemetry source.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

istiointernalgroup
required
string

Istio internal group name.

setting
required
string

Setting name.

source
required
string

Source name.

Responses

Response samples

Content type
application/json
{
  • "metrics": [
    ]
}

Get the details of an existing telemetry metric.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

istiointernalgroup
required
string

Istio internal group name.

setting
required
string

Setting name.

source
required
string

Source name.

metric
required
string

Metric name.

Responses

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "displayName": "string",
  • "etag": "string",
  • "description": "string",
  • "observedResource": "string",
  • "measure": {
    },
  • "type": {
    },
  • "origin": "INVALID_METRIC_ORIGIN",
  • "detectionPoint": "INVALID_METRIC_DETECTION_POINT"
}

List the telemetry metrics that are available for the requested telemetry source.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

istiointernalgroup
required
string

Istio internal group name.

source
required
string

Source name.

Responses

Response samples

Content type
application/json
{
  • "metrics": [
    ]
}

Get the details of an existing telemetry metric.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

istiointernalgroup
required
string

Istio internal group name.

source
required
string

Source name.

metric
required
string

Metric name.

Responses

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "displayName": "string",
  • "etag": "string",
  • "description": "string",
  • "observedResource": "string",
  • "measure": {
    },
  • "type": {
    },
  • "origin": "INVALID_METRIC_ORIGIN",
  • "detectionPoint": "INVALID_METRIC_DETECTION_POINT"
}

List the telemetry metrics that are available for the requested telemetry source.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

securitygroup
required
string

Security group name.

setting
required
string

Setting name.

source
required
string

Source name.

Responses

Response samples

Content type
application/json
{
  • "metrics": [
    ]
}

Get the details of an existing telemetry metric.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

securitygroup
required
string

Security group name.

setting
required
string

Setting name.

source
required
string

Source name.

metric
required
string

Metric name.

Responses

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "displayName": "string",
  • "etag": "string",
  • "description": "string",
  • "observedResource": "string",
  • "measure": {
    },
  • "type": {
    },
  • "origin": "INVALID_METRIC_ORIGIN",
  • "detectionPoint": "INVALID_METRIC_DETECTION_POINT"
}

List the telemetry metrics that are available for the requested telemetry source.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

securitygroup
required
string

Security group name.

source
required
string

Source name.

Responses

Response samples

Content type
application/json
{
  • "metrics": [
    ]
}

Get the details of an existing telemetry metric.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

securitygroup
required
string

Security group name.

source
required
string

Source name.

metric
required
string

Metric name.

Responses

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "displayName": "string",
  • "etag": "string",
  • "description": "string",
  • "observedResource": "string",
  • "measure": {
    },
  • "type": {
    },
  • "origin": "INVALID_METRIC_ORIGIN",
  • "detectionPoint": "INVALID_METRIC_DETECTION_POINT"
}

List the telemetry metrics that are available for the requested telemetry source.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

setting
required
string

Setting name.

source
required
string

Source name.

Responses

Response samples

Content type
application/json
{
  • "metrics": [
    ]
}

Get the details of an existing telemetry metric.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

setting
required
string

Setting name.

source
required
string

Source name.

metric
required
string

Metric name.

Responses

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "displayName": "string",
  • "etag": "string",
  • "description": "string",
  • "observedResource": "string",
  • "measure": {
    },
  • "type": {
    },
  • "origin": "INVALID_METRIC_ORIGIN",
  • "detectionPoint": "INVALID_METRIC_DETECTION_POINT"
}

List the telemetry metrics that are available for the requested telemetry source.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

source
required
string

Source name.

Responses

Response samples

Content type
application/json
{
  • "metrics": [
    ]
}

Get the details of an existing telemetry metric.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

source
required
string

Source name.

metric
required
string

Metric name.

Responses

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "displayName": "string",
  • "etag": "string",
  • "description": "string",
  • "observedResource": "string",
  • "measure": {
    },
  • "type": {
    },
  • "origin": "INVALID_METRIC_ORIGIN",
  • "detectionPoint": "INVALID_METRIC_DETECTION_POINT"
}

List the telemetry metrics that are available for the requested telemetry source.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

trafficgroup
required
string

Traffic group name.

serviceroute
required
string

Service route name.

source
required
string

Source name.

Responses

Response samples

Content type
application/json
{
  • "metrics": [
    ]
}

Get the details of an existing telemetry metric.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

trafficgroup
required
string

Traffic group name.

serviceroute
required
string

Service route name.

source
required
string

Source name.

metric
required
string

Metric name.

Responses

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "displayName": "string",
  • "etag": "string",
  • "description": "string",
  • "observedResource": "string",
  • "measure": {
    },
  • "type": {
    },
  • "origin": "INVALID_METRIC_ORIGIN",
  • "detectionPoint": "INVALID_METRIC_DETECTION_POINT"
}

List the telemetry metrics that are available for the requested telemetry source.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

trafficgroup
required
string

Traffic group name.

setting
required
string

Setting name.

source
required
string

Source name.

Responses

Response samples

Content type
application/json
{
  • "metrics": [
    ]
}

Get the details of an existing telemetry metric.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

trafficgroup
required
string

Traffic group name.

setting
required
string

Setting name.

source
required
string

Source name.

metric
required
string

Metric name.

Responses

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "displayName": "string",
  • "etag": "string",
  • "description": "string",
  • "observedResource": "string",
  • "measure": {
    },
  • "type": {
    },
  • "origin": "INVALID_METRIC_ORIGIN",
  • "detectionPoint": "INVALID_METRIC_DETECTION_POINT"
}

List the telemetry metrics that are available for the requested telemetry source.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

trafficgroup
required
string

Traffic group name.

source
required
string

Source name.

Responses

Response samples

Content type
application/json
{
  • "metrics": [
    ]
}

Get the details of an existing telemetry metric.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

trafficgroup
required
string

Traffic group name.

source
required
string

Source name.

metric
required
string

Metric name.

Responses

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "displayName": "string",
  • "etag": "string",
  • "description": "string",
  • "observedResource": "string",
  • "measure": {
    },
  • "type": {
    },
  • "origin": "INVALID_METRIC_ORIGIN",
  • "detectionPoint": "INVALID_METRIC_DETECTION_POINT"
}

List the telemetry metrics that are available for the requested telemetry source.

path Parameters
organization
required
string

Organization name.

user
required
string

User name.

source
required
string

Source name.

Responses

Response samples

Content type
application/json
{
  • "metrics": [
    ]
}

Get the details of an existing telemetry metric.

path Parameters
organization
required
string

Organization name.

user
required
string

User name.

source
required
string

Source name.

metric
required
string

Metric name.

Responses

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "displayName": "string",
  • "etag": "string",
  • "description": "string",
  • "observedResource": "string",
  • "measure": {
    },
  • "type": {
    },
  • "origin": "INVALID_METRIC_ORIGIN",
  • "detectionPoint": "INVALID_METRIC_DETECTION_POINT"
}

Sources

List the telemetry sources that are available for the requested parent. Telemetry sources that belong to the requested parent, and those that belong to any of its child resources, are returned.

path Parameters
organization
required
string

Organization name.

cluster
required
string

Cluster name.

query Parameters
scopeTypes
Array of strings
Items Enum: "INVALID" "SERVICE" "INGRESS" "RELATION"

The scope type that a telemetry source needs to match. Telemetry sources that match any of the requested scope types will be returned.

  • SERVICE: A telemetry source with a service-based scope.
  • INGRESS: A telemetry source with a scope based on an ingress hostname.
  • RELATION: A telemetry source with a relation-based scope.
belongTos
Array of strings

Which resources the telemetry sources must belong to. Telemetry sources that belong to any of the requested resources will be returned.

existed.since
string <date-time>

Start of the time window for which telemetry sources are retrieved.

existed.until
string <date-time>

End of the time window for which telemetry sources are retrieved.

Responses

Response samples

Content type
application/json
{
  • "sources": [
    ]
}
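The Metrics and Sources endpoints above share a few client-side concerns that this rendered reference does not spell out: every path parameter is a caller-supplied resource name, the list endpoints take repeated array parameters (scopeTypes, belongTos) and RFC 3339 date-times (existed.since, existed.until), the first enum entries shown in the response samples (INVALID, INVALID_METRIC_ORIGIN, INVALID_METRIC_DETECTION_POINT) are placeholders rather than real values, and a source list is documented to include the parent's child resources, so a client should verify that every returned belongsTo really sits under the parent it asked for. The following Python helpers are an added example, not part of the TSB API or any Tetrate client library. The endpoint paths are not shown on this page, so the code only encodes path segments and builds the query string; the slash-separated FQN layout in the constructed sample data is an assumption.

```python
# Added example: client-side handling for the TSB telemetry Metrics/Sources
# endpoints. Not part of the TSB API reference. Assumptions: endpoint paths are
# supplied by the caller (not shown on this page), and resource FQNs are
# slash-separated hierarchies ("organizations/<org>/tenants/<tenant>/...").
from datetime import datetime, timezone
from urllib.parse import quote, urlencode

# Enum values documented for scopeTypes, minus the INVALID placeholder.
VALID_SCOPE_TYPES = {"SERVICE", "INGRESS", "RELATION"}
# First enum entries shown in the response samples: placeholders, not real
# origins / detection points / source types, so treat them as "unset".
PLACEHOLDER_ENUMS = {"INVALID", "INVALID_METRIC_ORIGIN",
                     "INVALID_METRIC_DETECTION_POINT"}


def path_segment(name: str) -> str:
    """Encode one path parameter (organization, tenant, source, metric, ...).

    Names are caller-controlled. Rejecting empty names and dot-segments and
    percent-encoding '/' keeps a value like "../other-tenant" from being
    spliced into the request path as extra segments.
    """
    if not name or name in (".", ".."):
        raise ValueError(f"invalid resource name: {name!r}")
    return quote(name, safe="")


def rfc3339(ts: datetime) -> str:
    """Format a timezone-aware datetime as the <date-time> string the API takes."""
    if ts.tzinfo is None:
        raise ValueError("date-time must be timezone-aware")
    return ts.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def list_sources_query(scope_types=(), belong_tos=(), since=None, until=None) -> str:
    """Build the query string for the 'List the telemetry sources' endpoints.

    Array parameters are repeated (scopeTypes=SERVICE&scopeTypes=INGRESS);
    unknown scope types are rejected here instead of being sent to the server.
    """
    unknown = set(scope_types) - VALID_SCOPE_TYPES
    if unknown:
        raise ValueError(f"unknown scopeTypes: {sorted(unknown)}")
    params = {}
    if scope_types:
        params["scopeTypes"] = list(scope_types)
    if belong_tos:
        params["belongTos"] = list(belong_tos)
    if since is not None:
        params["existed.since"] = rfc3339(since)
    if until is not None:
        params["existed.until"] = rfc3339(until)
    return urlencode(params, doseq=True)


def sources_outside_parent(response: dict, parent_fqn: str) -> list:
    """Return sources whose belongsTo is neither the parent nor one of its children.

    The list endpoints return the parent's sources plus those of its child
    resources; anything else means the request path or the server-side scoping
    is wrong and must not be trusted silently. The trailing '/' on the prefix
    stops a sibling "tenants/payments-archive" passing as a child of
    "tenants/payments".
    """
    prefix = parent_fqn.rstrip("/") + "/"
    outside = []
    for src in response.get("sources", []):
        owner = str(src.get("belongsTo", ""))
        if owner != parent_fqn and not owner.startswith(prefix):
            outside.append(src)
    return outside


def placeholder_fields(resource: dict) -> list:
    """Enum fields of a metric or source that still hold a placeholder value."""
    return sorted(k for k in ("origin", "detectionPoint", "type")
                  if isinstance(resource.get(k), str)
                  and resource[k] in PLACEHOLDER_ENUMS)


# Constructed sample data shaped like the response samples on this page.
SAMPLE_SINCE = datetime(2024, 1, 2, 3, 4, 5, tzinfo=timezone.utc)
PARENT = "organizations/acme/tenants/payments"  # assumed FQN layout
SAMPLE_SOURCES = {"sources": [
    {"fqn": PARENT + "/sources/s1", "belongsTo": PARENT,
     "type": "SERVICE", "scope": {}},
    {"fqn": PARENT + "/workspaces/checkout/sources/s2",
     "belongsTo": PARENT + "/workspaces/checkout", "type": "INGRESS", "scope": {}},
    {"fqn": PARENT + "-archive/sources/s3", "belongsTo": PARENT + "-archive",
     "type": "INVALID", "scope": {}},
]}
SAMPLE_METRIC = {"fqn": PARENT + "/sources/s1/metrics/m1", "measure": {}, "type": {},
                 "origin": "INVALID_METRIC_ORIGIN",
                 "detectionPoint": "INVALID_METRIC_DETECTION_POINT"}
```

Assemble the request path from `path_segment` values, append `?` plus `list_sources_query(...)`, and run `sources_outside_parent` over every list response before acting on it: an empty result means the returned sources are all scoped to the parent you asked for, while anything returned is worth logging as a scoping anomaly. `placeholder_fields` applies equally to the metric detail response (`origin`, `detectionPoint`) and the source detail response (`type`).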

Get the details of an existing telemetry source.

path Parameters
organization
required
string

Organization name.

cluster
required
string

Cluster name.

source
required
string

Source name.

Responses

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "displayName": "string",
  • "etag": "string",
  • "description": "string",
  • "belongsTo": "string",
  • "metricSourceKey": "string",
  • "type": "INVALID",
  • "scope": {
    }
}

List the telemetry sources that are available for the requested parent. Telemetry sources that belong to the requested parent, and those that belong to any of its child resources, are returned.

path Parameters
organization
required
string

Organization name.

extension
required
string

Extension name.

query Parameters
scopeTypes
Array of strings
Items Enum: "INVALID" "SERVICE" "INGRESS" "RELATION"

The scope type that a telemetry source needs to match. Telemetry sources that match any of the requested scope types will be returned.

  • SERVICE: A telemetry source with a service-based scope.
  • INGRESS: A telemetry source with a scope based on an ingress hostname.
  • RELATION: A telemetry source with a relation-based scope.
belongTos
Array of strings

Which resources the telemetry sources must belong to. Telemetry sources that belong to any of the requested resources will be returned.

existed.since
string <date-time>

Start of the time window for which telemetry sources are retrieved.

existed.until
string <date-time>

End of the time window for which telemetry sources are retrieved.

Responses

Response samples

Content type
application/json
{
  • "sources": [
    ]
}

Get the details of an existing telemetry source.

path Parameters
organization
required
string

Organization name.

extension
required
string

Extension name.

source
required
string

Source name.

Responses

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "displayName": "string",
  • "etag": "string",
  • "description": "string",
  • "belongsTo": "string",
  • "metricSourceKey": "string",
  • "type": "INVALID",
  • "scope": {
    }
}

List the telemetry sources that are available for the requested parent. Telemetry sources that belong to the requested parent, and those that belong to any of its child resources, are returned.

path Parameters
organization
required
string

Organization name.

serviceaccount
required
string

Service account name.

query Parameters
scopeTypes
Array of strings
Items Enum: "INVALID" "SERVICE" "INGRESS" "RELATION"

The scope type that a telemetry source needs to match. Telemetry sources that match any of the requested scope types will be returned.

  • SERVICE: A telemetry source with a service-based scope.
  • INGRESS: A telemetry source with a scope based on an ingress hostname.
  • RELATION: A telemetry source with a relation-based scope.
belongTos
Array of strings

Which resources the telemetry sources must belong to. Telemetry sources that belong to any of the requested resources will be returned.

existed.since
string <date-time>

Start of the time window for which telemetry sources are retrieved.

existed.until
string <date-time>

End of the time window for which telemetry sources are retrieved.

Responses

Response samples

Content type
application/json
{
  • "sources": [
    ]
}

Get the details of an existing telemetry source.

path Parameters
organization
required
string

Organization name.

serviceaccount
required
string

Service account name.

source
required
string

Source name.

Responses

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "displayName": "string",
  • "etag": "string",
  • "description": "string",
  • "belongsTo": "string",
  • "metricSourceKey": "string",
  • "type": "INVALID",
  • "scope": {
    }
}

List the telemetry sources that are available for the requested parent. Telemetry sources that belong to the requested parent, and those that belong to any of its child resources, are returned.

path Parameters
organization
required
string

Organization name.

service
required
string

Service name.

query Parameters
scopeTypes
Array of strings
Items Enum: "INVALID" "SERVICE" "INGRESS" "RELATION"

The scope type that a telemetry source needs to match. Telemetry sources that match any of the requested scope types will be returned.

  • SERVICE: A telemetry source with a service-based scope.
  • INGRESS: A telemetry source with a scope based on an ingress hostname.
  • RELATION: A telemetry source with a relation-based scope.
belongTos
Array of strings

Which resources the telemetry sources must belong to. Telemetry sources that belong to any of the requested resources will be returned.

existed.since
string <date-time>

Start of the time window for which telemetry sources are retrieved.

existed.until
string <date-time>

End of the time window for which telemetry sources are retrieved.

Responses

Response samples

Content type
application/json
{
  • "sources": [
    ]
}

Get the details of an existing telemetry source.

path Parameters
organization
required
string

Organization name.

service
required
string

Service name.

source
required
string

Source name.

Responses

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "displayName": "string",
  • "etag": "string",
  • "description": "string",
  • "belongsTo": "string",
  • "metricSourceKey": "string",
  • "type": "INVALID",
  • "scope": {
    }
}

List the telemetry sources that are available for the requested parent. Telemetry sources that belong to the requested parent, and those that belong to any of its child resources, are returned.

path Parameters
organization
required
string

Organization name.

setting
required
string

Setting name.

query Parameters
scopeTypes
Array of strings
Items Enum: "INVALID" "SERVICE" "INGRESS" "RELATION"

The scope type that a telemetry source needs to match. Telemetry sources that match any of the requested scope types will be returned.

  • SERVICE: A telemetry source with a service-based scope.
  • INGRESS: A telemetry source with a scope based on an ingress hostname.
  • RELATION: A telemetry source with a relation-based scope.
belongTos
Array of strings

Which resources the telemetry sources must belong to. Telemetry sources that belong to any of the requested resources will be returned.

existed.since
string <date-time>

Start of the time window for which telemetry sources are retrieved.

existed.until
string <date-time>

End of the time window for which telemetry sources are retrieved.

Responses

Response samples

Content type
application/json
{
  • "sources": [
    ]
}

Get the details of an existing telemetry source.

path Parameters
organization
required
string

Organization name.

setting
required
string

Setting name.

source
required
string

Source name.

Responses

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "displayName": "string",
  • "etag": "string",
  • "description": "string",
  • "belongsTo": "string",
  • "metricSourceKey": "string",
  • "type": "INVALID",
  • "scope": {
    }
}

List the telemetry sources that are available for the requested parent. Telemetry sources that belong to the requested parent, and those that belong to any of its child resources, are returned.

path Parameters
organization
required
string

Organization name.

team
required
string

Team name.

query Parameters
scopeTypes
Array of strings
Items Enum: "INVALID" "SERVICE" "INGRESS" "RELATION"

The scope type that a telemetry source needs to match. Telemetry sources that match any of the requested scope types will be returned.

  • SERVICE: A telemetry source with a service-based scope.
  • INGRESS: A telemetry source with a scope based on an ingress hostname.
  • RELATION: A telemetry source with a relation-based scope.
belongTos
Array of strings

Which resources the telemetry sources must belong to. Telemetry sources that belong to any of the requested resources will be returned.

existed.since
string <date-time>

Start of the time window for which telemetry sources are retrieved.

existed.until
string <date-time>

End of the time window for which telemetry sources are retrieved.

Responses

Response samples

Content type
application/json
{
  • "sources": [
    ]
}

Get the details of an existing telemetry source.

path Parameters
organization
required
string

Organization name.

team
required
string

Team name.

source
required
string

Source name.

Responses

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "displayName": "string",
  • "etag": "string",
  • "description": "string",
  • "belongsTo": "string",
  • "metricSourceKey": "string",
  • "type": "INVALID",
  • "scope": {
    }
}

List the telemetry sources that are available for the requested parent. Telemetry sources that belong to the requested parent, and those that belong to any of its child resources, are returned.

path Parameters
organization
required
string

Organization name.

query Parameters
scopeTypes
Array of strings
Items Enum: "INVALID" "SERVICE" "INGRESS" "RELATION"

The scope type that a telemetry source needs to match. Telemetry sources that match any of the requested scope types will be returned.

  • SERVICE: A telemetry source with a service-based scope.
  • INGRESS: A telemetry source with a scope based on an ingress hostname.
  • RELATION: A telemetry source with a relation-based scope.
belongTos
Array of strings

Which resources the telemetry sources must belong to. Telemetry sources that belong to any of the requested resources will be returned.

existed.since
string <date-time>

Start of the time window for which telemetry sources are retrieved.

existed.until
string <date-time>

End of the time window for which telemetry sources are retrieved.

Responses

Response samples

Content type
application/json
{
  • "sources": [
    ]
}

Get the details of an existing telemetry source.

path Parameters
organization
required
string

Organization name.

source
required
string

Source name.

Responses

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "displayName": "string",
  • "etag": "string",
  • "description": "string",
  • "belongsTo": "string",
  • "metricSourceKey": "string",
  • "type": "INVALID",
  • "scope": {
    }
}

List the telemetry sources that are available for the requested parent. Telemetry sources that belong to the requested parent, and those that belong to any of its child resources, are returned.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

application
required
string

Application name.

api
required
string

API name.

query Parameters
scopeTypes
Array of strings
Items Enum: "INVALID" "SERVICE" "INGRESS" "RELATION"

The scope type that a telemetry source needs to match. Telemetry sources that match any of the requested scope types will be returned.

  • SERVICE: A telemetry source with a service-based scope.
  • INGRESS: A telemetry source with a scope based on an ingress hostname.
  • RELATION: A telemetry source with a relation-based scope.
belongTos
Array of strings

Which resources the telemetry sources must belong to. Telemetry sources that belong to any of the requested resources will be returned.

existed.since
string <date-time>

Start of the time window for which telemetry sources are retrieved.

existed.until
string <date-time>

End of the time window for which telemetry sources are retrieved.

Responses

Response samples

Content type
application/json
{
  • "sources": [
    ]
}

Get the details of an existing telemetry source.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

application
required
string

Application name.

api
required
string

API name.

source
required
string

Source name.

Responses

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "displayName": "string",
  • "etag": "string",
  • "description": "string",
  • "belongsTo": "string",
  • "metricSourceKey": "string",
  • "type": "INVALID",
  • "scope": {
    }
}

List the telemetry sources that are available for the requested parent. Telemetry sources that belong to the requested parent, and those that belong to any of its child resources, are returned.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

application
required
string

Application name.

query Parameters
scopeTypes
Array of strings
Items Enum: "INVALID" "SERVICE" "INGRESS" "RELATION"

The scope type that a telemetry source needs to match. Telemetry sources that match any of the requested scope types will be returned.

  • SERVICE: A telemetry source with a service-based scope.
  • INGRESS: A telemetry source with a scope based on an ingress hostname.
  • RELATION: A telemetry source with a relation-based scope.
belongTos
Array of strings

Which resources the telemetry sources must belong to. Telemetry sources that belong to any of the requested resources will be returned.

existed.since
string <date-time>

Start of the time window for which telemetry sources are retrieved.

existed.until
string <date-time>

End of the time window for which telemetry sources are retrieved.

Responses

Response samples

Content type
application/json
{
  • "sources": [
    ]
}

Get the details of an existing telemetry source.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

application
required
string

Application name.

source
required
string

Source name.

Responses

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "displayName": "string",
  • "etag": "string",
  • "description": "string",
  • "belongsTo": "string",
  • "metricSourceKey": "string",
  • "type": "INVALID",
  • "scope": {
    }
}

List the telemetry sources that are available for the requested parent. Telemetry sources that belong to the requested parent, and those that belong to any of its child resources, are returned.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

setting
required
string

Setting name.

query Parameters
scopeTypes
Array of strings
Items Enum: "INVALID" "SERVICE" "INGRESS" "RELATION"

The scope type that a telemetry source needs to match. Telemetry sources that match any of the requested scope types will be returned.

  • SERVICE: A telemetry source with a service-based scope.
  • INGRESS: A telemetry source with a scope based on an ingress hostname.
  • RELATION: A telemetry source with a relation-based scope.
belongTos
Array of strings

Which resources the telemetry sources must belong to. Telemetry sources that belong to any of the requested resources will be returned.

existed.since
string <date-time>

Start of the time window for which telemetry sources are retrieved.

existed.until
string <date-time>

End of the time window for which telemetry sources are retrieved.

Responses

Response samples

Content type
application/json
{
  • "sources": [
    ]
}

Get the details of an existing telemetry source.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

setting
required
string

Setting name.

source
required
string

Source name.

Responses

Response samples

Content type
application/json
{
  "fqn": "string",
  "displayName": "string",
  "etag": "string",
  "description": "string",
  "belongsTo": "string",
  "metricSourceKey": "string",
  "type": "INVALID",
  "scope": {
  }
}

List the telemetry sources that are available for the requested parent. It returns the telemetry sources that belong to the requested parent and to all of its child resources.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

query Parameters
scopeTypes
Array of strings
Items Enum: "INVALID" "SERVICE" "INGRESS" "RELATION"

The scope type that a telemetry source needs to match. Telemetry sources that match any requested scope type will be returned.

  • SERVICE: A service-based telemetry source scope.
  • INGRESS: A telemetry source scope based on an ingress hostname.
  • RELATION: A relation-based telemetry source scope.
belongTos
Array of strings

Which resources the telemetry sources must belong to. Telemetry sources that belong to any requested resource will be returned.

existed.since
string <date-time>

Moment in time from which telemetry sources are retrieved.

existed.until
string <date-time>

Moment in time up to which telemetry sources are retrieved.

Responses

Response samples

Content type
application/json
{
  "sources": [
  ]
}

Get the details of an existing telemetry source.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

source
required
string

Source name.

Responses

Response samples

Content type
application/json
{
  "fqn": "string",
  "displayName": "string",
  "etag": "string",
  "description": "string",
  "belongsTo": "string",
  "metricSourceKey": "string",
  "type": "INVALID",
  "scope": {
  }
}

List the telemetry sources that are available for the requested parent. It returns the telemetry sources that belong to the requested parent and to all of its child resources.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

gatewaygroup
required
string

Gatewaygroup name.

egressgateway
required
string

Egressgateway name.

query Parameters
scopeTypes
Array of strings
Items Enum: "INVALID" "SERVICE" "INGRESS" "RELATION"

The scope type that a telemetry source needs to match. Telemetry sources that match any requested scope type will be returned.

  • SERVICE: A service-based telemetry source scope.
  • INGRESS: A telemetry source scope based on an ingress hostname.
  • RELATION: A relation-based telemetry source scope.
belongTos
Array of strings

Which resources the telemetry sources must belong to. Telemetry sources that belong to any requested resource will be returned.

existed.since
string <date-time>

Moment in time from which telemetry sources are retrieved.

existed.until
string <date-time>

Moment in time up to which telemetry sources are retrieved.

Responses

Response samples

Content type
application/json
{
  "sources": [
  ]
}

Get the details of an existing telemetry source.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

gatewaygroup
required
string

Gatewaygroup name.

egressgateway
required
string

Egressgateway name.

source
required
string

Source name.

Responses

Response samples

Content type
application/json
{
  "fqn": "string",
  "displayName": "string",
  "etag": "string",
  "description": "string",
  "belongsTo": "string",
  "metricSourceKey": "string",
  "type": "INVALID",
  "scope": {
  }
}

List the telemetry sources that are available for the requested parent. It returns the telemetry sources that belong to the requested parent and to all of its child resources.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

gatewaygroup
required
string

Gatewaygroup name.

ingressgateway
required
string

Ingressgateway name.

query Parameters
scopeTypes
Array of strings
Items Enum: "INVALID" "SERVICE" "INGRESS" "RELATION"

The scope type that a telemetry source needs to match. Telemetry sources that match any requested scope type will be returned.

  • SERVICE: A service-based telemetry source scope.
  • INGRESS: A telemetry source scope based on an ingress hostname.
  • RELATION: A relation-based telemetry source scope.
belongTos
Array of strings

Which resources the telemetry sources must belong to. Telemetry sources that belong to any requested resource will be returned.

existed.since
string <date-time>

Moment in time from which telemetry sources are retrieved.

existed.until
string <date-time>

Moment in time up to which telemetry sources are retrieved.

Responses

Response samples

Content type
application/json
{
  "sources": [
  ]
}

Get the details of an existing telemetry source.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

gatewaygroup
required
string

Gatewaygroup name.

ingressgateway
required
string

Ingressgateway name.

source
required
string

Source name.

Responses

Response samples

Content type
application/json
{
  "fqn": "string",
  "displayName": "string",
  "etag": "string",
  "description": "string",
  "belongsTo": "string",
  "metricSourceKey": "string",
  "type": "INVALID",
  "scope": {
  }
}

List the telemetry sources that are available for the requested parent. It returns the telemetry sources that belong to the requested parent and to all of its child resources.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

gatewaygroup
required
string

Gatewaygroup name.

query Parameters
scopeTypes
Array of strings
Items Enum: "INVALID" "SERVICE" "INGRESS" "RELATION"

The scope type that a telemetry source needs to match. Telemetry sources that match any requested scope type will be returned.

  • SERVICE: A service-based telemetry source scope.
  • INGRESS: A telemetry source scope based on an ingress hostname.
  • RELATION: A relation-based telemetry source scope.
belongTos
Array of strings

Which resources the telemetry sources must belong to. Telemetry sources that belong to any requested resource will be returned.

existed.since
string <date-time>

Moment in time from which telemetry sources are retrieved.

existed.until
string <date-time>

Moment in time up to which telemetry sources are retrieved.

Responses

Response samples

Content type
application/json
{
  "sources": [
  ]
}

Get the details of an existing telemetry source.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

gatewaygroup
required
string

Gatewaygroup name.

source
required
string

Source name.

Responses

Response samples

Content type
application/json
{
  "fqn": "string",
  "displayName": "string",
  "etag": "string",
  "description": "string",
  "belongsTo": "string",
  "metricSourceKey": "string",
  "type": "INVALID",
  "scope": {
  }
}

List the telemetry sources that are available for the requested parent. It returns the telemetry sources that belong to the requested parent and to all of its child resources.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

gatewaygroup
required
string

Gatewaygroup name.

tier1gateway
required
string

Tier1gateway name.

query Parameters
scopeTypes
Array of strings
Items Enum: "INVALID" "SERVICE" "INGRESS" "RELATION"

The scope type that a telemetry source needs to match. Telemetry sources that match any requested scope type will be returned.

  • SERVICE: A service-based telemetry source scope.
  • INGRESS: A telemetry source scope based on an ingress hostname.
  • RELATION: A relation-based telemetry source scope.
belongTos
Array of strings

Which resources the telemetry sources must belong to. Telemetry sources that belong to any requested resource will be returned.

existed.since
string <date-time>

Moment in time from which telemetry sources are retrieved.

existed.until
string <date-time>

Moment in time up to which telemetry sources are retrieved.

Responses

Response samples

Content type
application/json
{
  "sources": [
  ]
}

Get the details of an existing telemetry source.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

gatewaygroup
required
string

Gatewaygroup name.

tier1gateway
required
string

Tier1gateway name.

source
required
string

Source name.

Responses

Response samples

Content type
application/json
{
  "fqn": "string",
  "displayName": "string",
  "etag": "string",
  "description": "string",
  "belongsTo": "string",
  "metricSourceKey": "string",
  "type": "INVALID",
  "scope": {
  }
}

List the telemetry sources that are available for the requested parent. It returns the telemetry sources that belong to the requested parent and to all of its child resources.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

istiointernalgroup
required
string

Istiointernalgroup name.

setting
required
string

Setting name.

query Parameters
scopeTypes
Array of strings
Items Enum: "INVALID" "SERVICE" "INGRESS" "RELATION"

The scope type that a telemetry source needs to match. Telemetry sources that match any requested scope type will be returned.

  • SERVICE: A service-based telemetry source scope.
  • INGRESS: A telemetry source scope based on an ingress hostname.
  • RELATION: A relation-based telemetry source scope.
belongTos
Array of strings

Which resources the telemetry sources must belong to. Telemetry sources that belong to any requested resource will be returned.

existed.since
string <date-time>

Moment in time from which telemetry sources are retrieved.

existed.until
string <date-time>

Moment in time up to which telemetry sources are retrieved.

Responses

Response samples

Content type
application/json
{
  "sources": [
  ]
}

Get the details of an existing telemetry source.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

istiointernalgroup
required
string

Istiointernalgroup name.

setting
required
string

Setting name.

source
required
string

Source name.

Responses

Response samples

Content type
application/json
{
  "fqn": "string",
  "displayName": "string",
  "etag": "string",
  "description": "string",
  "belongsTo": "string",
  "metricSourceKey": "string",
  "type": "INVALID",
  "scope": {
  }
}

List the telemetry sources that are available for the requested parent. It returns the telemetry sources that belong to the requested parent and to all of its child resources.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

istiointernalgroup
required
string

Istiointernalgroup name.

query Parameters
scopeTypes
Array of strings
Items Enum: "INVALID" "SERVICE" "INGRESS" "RELATION"

The scope type that a telemetry source needs to match. Telemetry sources that match any requested scope type will be returned.

  • SERVICE: A service-based telemetry source scope.
  • INGRESS: A telemetry source scope based on an ingress hostname.
  • RELATION: A relation-based telemetry source scope.
belongTos
Array of strings

Which resources the telemetry sources must belong to. Telemetry sources that belong to any requested resource will be returned.

existed.since
string <date-time>

Moment in time from which telemetry sources are retrieved.

existed.until
string <date-time>

Moment in time up to which telemetry sources are retrieved.

Responses

Response samples

Content type
application/json
{
  "sources": [
  ]
}

Get the details of an existing telemetry source.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

istiointernalgroup
required
string

Istiointernalgroup name.

source
required
string

Source name.

Responses

Response samples

Content type
application/json
{
  "fqn": "string",
  "displayName": "string",
  "etag": "string",
  "description": "string",
  "belongsTo": "string",
  "metricSourceKey": "string",
  "type": "INVALID",
  "scope": {
  }
}

List the telemetry sources that are available for the requested parent. It returns the telemetry sources that belong to the requested parent and to all of its child resources.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

securitygroup
required
string

Securitygroup name.

setting
required
string

Setting name.

query Parameters
scopeTypes
Array of strings
Items Enum: "INVALID" "SERVICE" "INGRESS" "RELATION"

The scope type that a telemetry source needs to match. Telemetry sources that match any requested scope type will be returned.

  • SERVICE: A service-based telemetry source scope.
  • INGRESS: A telemetry source scope based on an ingress hostname.
  • RELATION: A relation-based telemetry source scope.
belongTos
Array of strings

Which resources the telemetry sources must belong to. Telemetry sources that belong to any requested resource will be returned.

existed.since
string <date-time>

Moment in time from which telemetry sources are retrieved.

existed.until
string <date-time>

Moment in time up to which telemetry sources are retrieved.

Responses

Response samples

Content type
application/json
{
  "sources": [
  ]
}

Get the details of an existing telemetry source.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

securitygroup
required
string

Securitygroup name.

setting
required
string

Setting name.

source
required
string

Source name.

Responses

Response samples

Content type
application/json
{
  "fqn": "string",
  "displayName": "string",
  "etag": "string",
  "description": "string",
  "belongsTo": "string",
  "metricSourceKey": "string",
  "type": "INVALID",
  "scope": {
  }
}

List the telemetry sources that are available for the requested parent. It returns the telemetry sources that belong to the requested parent and to all of its child resources.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

securitygroup
required
string

Securitygroup name.

query Parameters
scopeTypes
Array of strings
Items Enum: "INVALID" "SERVICE" "INGRESS" "RELATION"

The scope type that a telemetry source needs to match. Telemetry sources that match any requested scope type will be returned.

  • SERVICE: A service-based telemetry source scope.
  • INGRESS: A telemetry source scope based on an ingress hostname.
  • RELATION: A relation-based telemetry source scope.
belongTos
Array of strings

Which resources the telemetry sources must belong to. Telemetry sources that belong to any requested resource will be returned.

existed.since
string <date-time>

Moment in time from which telemetry sources are retrieved.

existed.until
string <date-time>

Moment in time up to which telemetry sources are retrieved.

Responses

Response samples

Content type
application/json
{
  "sources": [
  ]
}

Get the details of an existing telemetry source.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

securitygroup
required
string

Securitygroup name.

source
required
string

Source name.

Responses

Response samples

Content type
application/json
{
  "fqn": "string",
  "displayName": "string",
  "etag": "string",
  "description": "string",
  "belongsTo": "string",
  "metricSourceKey": "string",
  "type": "INVALID",
  "scope": {
  }
}

List the telemetry sources that are available for the requested parent. It returns the telemetry sources that belong to the requested parent and to all of its child resources.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

setting
required
string

Setting name.

query Parameters
scopeTypes
Array of strings
Items Enum: "INVALID" "SERVICE" "INGRESS" "RELATION"

The scope type that a telemetry source needs to match. Telemetry sources that match any requested scope type will be returned.

  • SERVICE: A service-based telemetry source scope.
  • INGRESS: A telemetry source scope based on an ingress hostname.
  • RELATION: A relation-based telemetry source scope.
belongTos
Array of strings

Which resources the telemetry sources must belong to. Telemetry sources that belong to any requested resource will be returned.

existed.since
string <date-time>

Moment in time from which telemetry sources are retrieved.

existed.until
string <date-time>

Moment in time up to which telemetry sources are retrieved.

Responses

Response samples

Content type
application/json
{
  "sources": [
  ]
}

Get the details of an existing telemetry source.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

setting
required
string

Setting name.

source
required
string

Source name.

Responses

Response samples

Content type
application/json
{
  "fqn": "string",
  "displayName": "string",
  "etag": "string",
  "description": "string",
  "belongsTo": "string",
  "metricSourceKey": "string",
  "type": "INVALID",
  "scope": {
  }
}

List the telemetry sources that are available for the requested parent. It returns the telemetry sources that belong to the requested parent and to all of its child resources.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

query Parameters
scopeTypes
Array of strings
Items Enum: "INVALID" "SERVICE" "INGRESS" "RELATION"

The scope type that a telemetry source needs to match. Telemetry sources that match any requested scope type will be returned.

  • SERVICE: A service-based telemetry source scope.
  • INGRESS: A telemetry source scope based on an ingress hostname.
  • RELATION: A relation-based telemetry source scope.
belongTos
Array of strings

Which resources the telemetry sources must belong to. Telemetry sources that belong to any requested resource will be returned.

existed.since
string <date-time>

Moment in time from which telemetry sources are retrieved.

existed.until
string <date-time>

Moment in time up to which telemetry sources are retrieved.

Responses

Response samples

Content type
application/json
{
  "sources": [
  ]
}

Get the details of an existing telemetry source.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

source
required
string

Source name.

Responses

Response samples

Content type
application/json
{
  "fqn": "string",
  "displayName": "string",
  "etag": "string",
  "description": "string",
  "belongsTo": "string",
  "metricSourceKey": "string",
  "type": "INVALID",
  "scope": {
  }
}

List the telemetry sources that are available for the requested parent. It returns the telemetry sources that belong to the requested parent and to all of its child resources.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

trafficgroup
required
string

Trafficgroup name.

serviceroute
required
string

Serviceroute name.

query Parameters
scopeTypes
Array of strings
Items Enum: "INVALID" "SERVICE" "INGRESS" "RELATION"

The scope type that a telemetry source needs to match. Telemetry sources that match any requested scope type will be returned.

  • SERVICE: A service-based telemetry source scope.
  • INGRESS: A telemetry source scope based on an ingress hostname.
  • RELATION: A relation-based telemetry source scope.
belongTos
Array of strings

Which resources the telemetry sources must belong to. Telemetry sources that belong to any requested resource will be returned.

existed.since
string <date-time>

Moment in time from which telemetry sources are retrieved.

existed.until
string <date-time>

Moment in time up to which telemetry sources are retrieved.

Responses

Response samples

Content type
application/json
{
  "sources": [
  ]
}

Get the details of an existing telemetry source.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

trafficgroup
required
string

Trafficgroup name.

serviceroute
required
string

Serviceroute name.

source
required
string

Source name.

Responses

Response samples

Content type
application/json
{
  "fqn": "string",
  "displayName": "string",
  "etag": "string",
  "description": "string",
  "belongsTo": "string",
  "metricSourceKey": "string",
  "type": "INVALID",
  "scope": {
  }
}

List the telemetry sources that are available for the requested parent. It returns the telemetry sources that belong to the requested parent and to all of its child resources.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

trafficgroup
required
string

Trafficgroup name.

setting
required
string

Setting name.

query Parameters
scopeTypes
Array of strings
Items Enum: "INVALID" "SERVICE" "INGRESS" "RELATION"

The scope type that a telemetry source needs to match. Telemetry sources that match any requested scope type will be returned.

  • SERVICE: A service-based telemetry source scope.
  • INGRESS: A telemetry source scope based on an ingress hostname.
  • RELATION: A relation-based telemetry source scope.
belongTos
Array of strings

Which resources the telemetry sources must belong to. Telemetry sources that belong to any requested resource will be returned.

existed.since
string <date-time>

Moment in time from which telemetry sources are retrieved.

existed.until
string <date-time>

Moment in time up to which telemetry sources are retrieved.

Responses

Response samples

Content type
application/json
{
  "sources": [
  ]
}

Get the details of an existing telemetry source.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

trafficgroup
required
string

Trafficgroup name.

setting
required
string

Setting name.

source
required
string

Source name.

Responses

Response samples

Content type
application/json
{
  "fqn": "string",
  "displayName": "string",
  "etag": "string",
  "description": "string",
  "belongsTo": "string",
  "metricSourceKey": "string",
  "type": "INVALID",
  "scope": {
  }
}

List the telemetry sources that are available for the requested parent. It returns the telemetry sources that belong to the requested parent and to all of its child resources.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

trafficgroup
required
string

Trafficgroup name.

query Parameters
scopeTypes
Array of strings
Items Enum: "INVALID" "SERVICE" "INGRESS" "RELATION"

The scope type that a telemetry source needs to match. Telemetry sources that match any requested scope type will be returned.

  • SERVICE: A service-based telemetry source scope.
  • INGRESS: A telemetry source scope based on an ingress hostname.
  • RELATION: A relation-based telemetry source scope.
belongTos
Array of strings

Which resources the telemetry sources must belong to. Telemetry sources that belong to any requested resource will be returned.

existed.since
string <date-time>

Moment in time from which telemetry sources are retrieved.

existed.until
string <date-time>

Moment in time up to which telemetry sources are retrieved.

Responses

Response samples

Content type
application/json
{
  "sources": [
  ]
}

Get the details of an existing telemetry source.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

trafficgroup
required
string

Trafficgroup name.

source
required
string

Source name.

Responses

Response samples

Content type
application/json
{
  "fqn": "string",
  "displayName": "string",
  "etag": "string",
  "description": "string",
  "belongsTo": "string",
  "metricSourceKey": "string",
  "type": "INVALID",
  "scope": {
  }
}

List the telemetry sources that are available for the requested parent. It returns the telemetry sources that belong to the requested parent and to all of its child resources.

path Parameters
organization
required
string

Organization name.

user
required
string

User name.

query Parameters
scopeTypes
Array of strings
Items Enum: "INVALID" "SERVICE" "INGRESS" "RELATION"

The scope type that a telemetry source needs to match. Telemetry sources that match any requested scope type will be returned.

  • SERVICE: A service-based telemetry source scope.
  • INGRESS: A telemetry source scope based on an ingress hostname.
  • RELATION: A relation-based telemetry source scope.
belongTos
Array of strings

Which resources the telemetry sources must belong to. Telemetry sources that belong to any requested resource will be returned.

existed.since
string <date-time>

Moment in time from which telemetry sources are retrieved.

existed.until
string <date-time>

Moment in time up to which telemetry sources are retrieved.

Responses

Response samples

Content type
application/json
{
  "sources": [
  ]
}

Get the details of an existing telemetry source.

path Parameters
organization
required
string

Organization name.

user
required
string

User name.

source
required
string

Source name.

Responses

Response samples

Content type
application/json
{
  "fqn": "string",
  "displayName": "string",
  "etag": "string",
  "description": "string",
  "belongsTo": "string",
  "metricSourceKey": "string",
  "type": "INVALID",
  "scope": {
  }
}

Profiles

Lists the profiles that can be attached to the given resource. The returned profiles contain metadata (fqn, display name and description); to retrieve the full profile, use the `GetProfile` or `ListProfiles` methods.

path Parameters
organization
required
string

Organization name.

Responses

Response samples

Content type
application/json
{
  "profiles": [
  ]
}

Get the profile blame data for a given resource FQN.

path Parameters
organization
required
string

Organization name.

Responses

Response samples

Content type
application/json
{
  "effectiveProfileConfig": {
  },
  "effectiveProfilePaths": {
  },
  "effectiveProfileMandatedPaths": [
  ],
  "effectiveProfileAttachmentPaths": {
  }
}

Get the profile blame data for a given resource FQN.

path Parameters
organization
required
string

Organization name.

cluster
required
string

Cluster name.

Responses

Response samples

Content type
application/json
{
  "effectiveProfileConfig": {
  },
  "effectiveProfilePaths": {
  },
  "effectiveProfileMandatedPaths": [
  ],
  "effectiveProfileAttachmentPaths": {
  }
}

CurrentImpactAnalysis analyzes the current impact of a profile, or of the profiles attached to a resource. The response is streamed, with each message representing the impact analysis for a specific profile or resource and its corresponding impacts.

path Parameters
organization
required
string

Organization name.

Request Body schema: application/json
required
fieldPaths
Array of strings

List of field paths to analyze the impact of the profiles on. If this field is set, the request will analyze the impact of the profiles only on the specified field paths.

profile
string

Profile fqn to analyze the impact.

Responses

Request samples

Content type
application/json
{
  "fieldPaths": [
  ],
  "profile": "string"
}

Response samples

Content type
application/json
{
  "error": {
  },
  "result": {
  }
}

Get the profile blame data for a given resource FQN.

path Parameters
organization
required
string

Organization name.

extension
required
string

Extension name.

Responses

Response samples

Content type
application/json
{
  "effectiveProfileConfig": {
  },
  "effectiveProfilePaths": {
  },
  "effectiveProfileMandatedPaths": [
  ],
  "effectiveProfileAttachmentPaths": {
  }
}

ImpactAnalysis analyzes the impact of modifying a profile, or the profiles attached to a resource. The response is streamed, with each message representing the impact analysis for a specific profile or resource and its corresponding impacts.

path Parameters
organization
required
string

Organization name.

Request Body schema: application/json
required
fieldPaths
Array of strings

List of field paths to analyze the impact of the profiles on. If this field is set, the request will analyze the impact of the profiles only on the specified field paths.

modifyAttachedProfiles
object (Request to analyze the impact of modifying the attached profiles of a resource.)

Request to analyze the impact of modifying the attached profiles of a resource.

modifyProfile
object (v2ModifyProfile)

ModifyProfile represents a request to analyze the impact of modifying a profile.

Responses

Request samples

Content type
application/json
{
  "fieldPaths": [
  ],
  "modifyAttachedProfiles": {
  },
  "modifyProfile": {
  }
}

Response samples

Content type
application/json
{
  "error": {
  },
  "result": {
  }
}

List all Profiles that belong to a resource.

path Parameters
organization
required
string

Organization name.

Responses

Response samples

Content type
application/json
{
  "profiles": [
  ]
}

Create a profile object for a given resource. A `Profile` object can be created at Organization, Tenant, and Workspace levels. Once created, a profile can be attached at its own level or down the hierarchy at Organization, Tenants, Workspaces and Groups levels.

path Parameters
organization
required
string

Organization name.

Request Body schema: application/json
required
name
required
string

The short name for the resource to be created.

profile
required
object (Beta feature: the Configuration Profiles feature is in beta state for release 1.13. Please contact Tetrate if you have any questions or concerns.)

A Profile is a predefined configuration template that can be defined at the Organization, Tenant, and Workspace levels, and then attached to Organizations, Tenants, Workspaces and Groups. Profiles are intended for traffic-related settings and security policies that map to the resource itself, not for security policies (e.g. authorization policies) that concern relationships between resources. They contain Default configurations, which can be overridden, and Mandates configurations, which cannot.

The following example creates a Profile named myprofile that enforces mutual TLS authenticated connections across the whole tetrate organization. It also sets the default circuit-breaking sensitivity to MEDIUM, and configures a TCP KeepAlive timeout of 300 seconds for all inbound connections to all the proxies within the tetrate organization.

apiVersion: profile.tsb.tetrate.io/v2
kind: Profile
metadata:
  name: myprofile
  organization: tetrate
spec:
  displayName: "mTLS enforcement and default circuit breaking"
  mandates:
    authenticationSettings:
      trafficMode: "REQUIRED"
  defaults:
    traffic:
      inbound:
        resilience:
          connectionPool:
            tcp:
              keepAlive:
                idleTime: 300
      outbound:
        upstreamTrafficSettings:
        - hosts:
          - '*'
          settings:
            resilience:
              circuitBreakerSensitivity: MEDIUM

Responses

Request samples

Content type
application/json
{
  "name": "string",
  "profile": {}
}

Response samples

Content type
application/json
{
  "fqn": "string",
  "displayName": "string",
  "etag": "string",
  "description": "string",
  "deletionProtectionEnabled": true,
  "defaults": {},
  "mandates": {}
}

Get the details of a Profile in a resource.

path Parameters
organization
required
string

Organization name.

profile
required
string

Profile name.

Responses

Response samples

Content type
application/json
{
  "fqn": "string",
  "displayName": "string",
  "etag": "string",
  "description": "string",
  "deletionProtectionEnabled": true,
  "defaults": {},
  "mandates": {}
}

Modify a Profile in a resource.

path Parameters
organization
required
string

Organization name.

profile
required
string

Profile name.

Request Body schema: application/json
required
defaults
object (v2ProfileConfig)

ProfileConfig holds the configuration objects that can be used as defaults or mandates.

deletionProtectionEnabled
boolean

When set, prevents the resource from being deleted. To delete the resource, this property must first be set to false.

description
string (A description of the resource.)
displayName
string (User-friendly name for the resource.)
etag
string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications.)
mandates
object (v2ProfileConfig)

ProfileConfig holds the configuration objects that can be used as defaults or mandates.

Responses

Request samples

Content type
application/json
{
  "defaults": {},
  "deletionProtectionEnabled": true,
  "description": "string",
  "displayName": "string",
  "etag": "string",
  "mandates": {}
}

Response samples

Content type
application/json
{
  "fqn": "string",
  "displayName": "string",
  "etag": "string",
  "description": "string",
  "deletionProtectionEnabled": true,
  "defaults": {},
  "mandates": {}
}

Delete a Profile from a resource.

path Parameters
organization
required
string

Organization name.

profile
required
string

Profile name.

query Parameters
force
boolean

Force the deletion of the object even if deletion protection is enabled.

Responses

Response samples

Content type
application/json
{ }

CurrentImpactAnalysis analyzes the current impact of a profile, or of the profiles attached to a resource. The response is streamed; each message carries the impact analysis for one profile or resource and its corresponding impacts.

path Parameters
organization
required
string

Organization name.

profile
required
string

Profile name.

Request Body schema: application/json
required
fieldPaths
Array of strings

List of field paths to analyze the impact of the profiles on. If this field is set, the request will analyze the impact of the profiles only on the specified field paths.

resource
string

FQN of the resource whose attached profiles are analyzed.

Responses

Request samples

Content type
application/json
{
  "fieldPaths": [],
  "resource": "string"
}

Response samples

Content type
application/json
{
  "error": {},
  "result": {}
}

ImpactAnalysis analyzes the impact of modifying a profile, or the set of profiles attached to a resource. The response is streamed; each message carries the impact analysis for one profile or resource and its corresponding impacts.

path Parameters
organization
required
string

Organization name.

profile
required
string

Profile name.

Request Body schema: application/json
required
fieldPaths
Array of strings

List of field paths to analyze the impact of the profiles on. If this field is set, the request will analyze the impact of the profiles only on the specified field paths.

modifyAttachedProfiles
object (v2ModifyAttachedProfiles)

ModifyAttachedProfiles represents a request to analyze the impact of modifying the attached profiles of a resource.

modifyProfile
object (Request to analyze the impact of modifying an existing profile.)

Request to analyze the impact of modifying an existing profile.

Responses

Request samples

Content type
application/json
{
  "fieldPaths": [],
  "modifyAttachedProfiles": {},
  "modifyProfile": {}
}

Response samples

Content type
application/json
{
  "error": {},
  "result": {}
}

Get the profile blame data for a given resource FQN.

path Parameters
organization
required
string

Organization name.

serviceaccount
required
string

Serviceaccount name.

Responses

Response samples

Content type
application/json
{
  "effectiveProfileConfig": {},
  "effectiveProfilePaths": {},
  "effectiveProfileMandatedPaths": [],
  "effectiveProfileAttachmentPaths": {}
}

Get the profile blame data for a given resource FQN.

path Parameters
organization
required
string

Organization name.

service
required
string

Service name.

Responses

Response samples

Content type
application/json
{
  "effectiveProfileConfig": {},
  "effectiveProfilePaths": {},
  "effectiveProfileMandatedPaths": [],
  "effectiveProfileAttachmentPaths": {}
}

Get the profile blame data for a given resource FQN.

path Parameters
organization
required
string

Organization name.

setting
required
string

Setting name.

Responses

Response samples

Content type
application/json
{
  "effectiveProfileConfig": {},
  "effectiveProfilePaths": {},
  "effectiveProfileMandatedPaths": [],
  "effectiveProfileAttachmentPaths": {}
}

Get the profile blame data for a given resource FQN.

path Parameters
organization
required
string

Organization name.

team
required
string

Team name.

Responses

Response samples

Content type
application/json
{
  "effectiveProfileConfig": {},
  "effectiveProfilePaths": {},
  "effectiveProfileMandatedPaths": [],
  "effectiveProfileAttachmentPaths": {}
}

Get the profile blame data for a given resource FQN.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

application
required
string

Application name.

api
required
string

Api name.

Responses

Response samples

Content type
application/json
{
  "effectiveProfileConfig": {},
  "effectiveProfilePaths": {},
  "effectiveProfileMandatedPaths": [],
  "effectiveProfileAttachmentPaths": {}
}

Get the profile blame data for a given resource FQN.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

application
required
string

Application name.

Responses

Response samples

Content type
application/json
{
  "effectiveProfileConfig": {},
  "effectiveProfilePaths": {},
  "effectiveProfileMandatedPaths": [],
  "effectiveProfileAttachmentPaths": {}
}

Lists the profiles that can be attached to the given resource. The returned entries carry only metadata (FQN, display name and description). To retrieve the full profile, use the `GetProfile` or `ListProfiles` methods.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

Responses

Response samples

Content type
application/json
{
  "profiles": []
}

Get the profile blame data for a given resource FQN.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

Responses

Response samples

Content type
application/json
{
  "effectiveProfileConfig": {},
  "effectiveProfilePaths": {},
  "effectiveProfileMandatedPaths": [],
  "effectiveProfileAttachmentPaths": {}
}

CurrentImpactAnalysis analyzes the current impact of a profile, or of the profiles attached to a resource. The response is streamed; each message carries the impact analysis for one profile or resource and its corresponding impacts.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

Request Body schema: application/json
required
fieldPaths
Array of strings

List of field paths to analyze the impact of the profiles on. If this field is set, the request will analyze the impact of the profiles only on the specified field paths.

profile
string

FQN of the profile whose impact is analyzed.

Responses

Request samples

Content type
application/json
{
  "fieldPaths": [],
  "profile": "string"
}

Response samples

Content type
application/json
{
  "error": {},
  "result": {}
}

ImpactAnalysis analyzes the impact of modifying a profile, or the set of profiles attached to a resource. The response is streamed; each message carries the impact analysis for one profile or resource and its corresponding impacts.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

Request Body schema: application/json
required
fieldPaths
Array of strings

List of field paths to analyze the impact of the profiles on. If this field is set, the request will analyze the impact of the profiles only on the specified field paths.

modifyAttachedProfiles
object (Request to analyze the impact of modifying the attached profiles of a resource.)

Request to analyze the impact of modifying the attached profiles of a resource.

modifyProfile
object (v2ModifyProfile)

ModifyProfile represents a request to analyze the impact of modifying a profile.

Responses

Request samples

Content type
application/json
{
  "fieldPaths": [],
  "modifyAttachedProfiles": {},
  "modifyProfile": {}
}

Response samples

Content type
application/json
{
  "error": {},
  "result": {}
}

List all Profiles that belong to a resource.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

Responses

Response samples

Content type
application/json
{
  "profiles": []
}

Create a profile object for a given resource. A `Profile` object can be created at Organization, Tenant, and Workspace levels. Once created, a profile can be attached at its own level or down the hierarchy at Organization, Tenants, Workspaces and Groups levels.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

Request Body schema: application/json
required
name
required
string

The short name for the resource to be created.

profile
required
object (Beta feature: the Configuration Profiles feature is in beta state for release 1.13. Please contact Tetrate if you have any questions or concerns.)

A Profile is a predefined configuration template that can be defined at the Organization, Tenant and Workspace levels and then attached to Organizations, Tenants, Workspaces and Groups. Profiles are intended for traffic-related settings and security policies that apply to the resource itself, not for security policies (e.g. authorization policies) that govern relationships between resources. They contain defaults, which can be overridden, and mandates, which cannot.

The following example creates a Profile named myprofile that enforces mutual TLS authenticated connections across the whole tetrate organization. It also sets the default circuit-breaking sensitivity to MEDIUM, and configures a TCP KeepAlive timeout of 300 seconds for all inbound connections to all the proxies within the tetrate organization.

apiVersion: profile.tsb.tetrate.io/v2
kind: Profile
metadata:
  name: myprofile
  organization: tetrate
spec:
  displayName: "mTLS enforcement and default circuit breaking"
  mandates:
    authenticationSettings:
      trafficMode: "REQUIRED"
  defaults:
    traffic:
      inbound:
        resilience:
          connectionPool:
            tcp:
              keepAlive:
                idleTime: 300
      outbound:
        upstreamTrafficSettings:
        - hosts:
          - '*'
          settings:
            resilience:
              circuitBreakerSensitivity: MEDIUM

Responses

Request samples

Content type
application/json
{
  "name": "string",
  "profile": {}
}

Response samples

Content type
application/json
{
  "fqn": "string",
  "displayName": "string",
  "etag": "string",
  "description": "string",
  "deletionProtectionEnabled": true,
  "defaults": {},
  "mandates": {}
}

Get the details of a Profile in a resource.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

profile
required
string

Profile name.

Responses

Response samples

Content type
application/json
{
  "fqn": "string",
  "displayName": "string",
  "etag": "string",
  "description": "string",
  "deletionProtectionEnabled": true,
  "defaults": {},
  "mandates": {}
}

Modify a Profile in a resource.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

profile
required
string

Profile name.

Request Body schema: application/json
required
defaults
object (v2ProfileConfig)

ProfileConfig holds the configuration objects that can be used as defaults or mandates.

deletionProtectionEnabled
boolean

When set, prevents the resource from being deleted. To delete the resource, this property must first be set to false.

description
string (A description of the resource.)
displayName
string (User-friendly name for the resource.)
etag
string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications.)
mandates
object (v2ProfileConfig)

ProfileConfig holds the configuration objects that can be used as defaults or mandates.

Responses

Request samples

Content type
application/json
{
  "defaults": {},
  "deletionProtectionEnabled": true,
  "description": "string",
  "displayName": "string",
  "etag": "string",
  "mandates": {}
}

Response samples

Content type
application/json
{
  "fqn": "string",
  "displayName": "string",
  "etag": "string",
  "description": "string",
  "deletionProtectionEnabled": true,
  "defaults": {},
  "mandates": {}
}

Delete a Profile from a resource.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

profile
required
string

Profile name.

query Parameters
force
boolean

Force the deletion of the object even if deletion protection is enabled.

Responses

Response samples

Content type
application/json
{ }

CurrentImpactAnalysis analyzes the current impact of a profile, or of the profiles attached to a resource. The response is streamed; each message carries the impact analysis for one profile or resource and its corresponding impacts.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

profile
required
string

Profile name.

Request Body schema: application/json
required
fieldPaths
Array of strings

List of field paths to analyze the impact of the profiles on. If this field is set, the request will analyze the impact of the profiles only on the specified field paths.

resource
string

FQN of the resource whose attached profiles are analyzed.

Responses

Request samples

Content type
application/json
{
  "fieldPaths": [],
  "resource": "string"
}

Response samples

Content type
application/json
{
  "error": {},
  "result": {}
}

ImpactAnalysis analyzes the impact of modifying a profile, or the set of profiles attached to a resource. The response is streamed; each message carries the impact analysis for one profile or resource and its corresponding impacts.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

profile
required
string

Profile name.

Request Body schema: application/json
required
fieldPaths
Array of strings

List of field paths to analyze the impact of the profiles on. If this field is set, the request will analyze the impact of the profiles only on the specified field paths.

modifyAttachedProfiles
object (v2ModifyAttachedProfiles)

ModifyAttachedProfiles represents a request to analyze the impact of modifying the attached profiles of a resource.

modifyProfile
object (Request to analyze the impact of modifying an existing profile.)

Request to analyze the impact of modifying an existing profile.

Responses

Request samples

Content type
application/json
{
  "fieldPaths": [],
  "modifyAttachedProfiles": {},
  "modifyProfile": {}
}

Response samples

Content type
application/json
{
  "error": {},
  "result": {}
}

Get the profile blame data for a given resource FQN.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

setting
required
string

Setting name.

Responses

Response samples

Content type
application/json
{
  "effectiveProfileConfig": {},
  "effectiveProfilePaths": {},
  "effectiveProfileMandatedPaths": [],
  "effectiveProfileAttachmentPaths": {}
}

Lists the profiles that can be attached to the given resource. The returned entries carry only metadata (FQN, display name and description). To retrieve the full profile, use the `GetProfile` or `ListProfiles` methods.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

Responses

Response samples

Content type
application/json
{
  "profiles": []
}

Get the profile blame data for a given resource FQN.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

Responses

Response samples

Content type
application/json
{
  "effectiveProfileConfig": {},
  "effectiveProfilePaths": {},
  "effectiveProfileMandatedPaths": [],
  "effectiveProfileAttachmentPaths": {}
}

CurrentImpactAnalysis analyzes the current impact of a profile, or of the profiles attached to a resource. The response is streamed; each message carries the impact analysis for one profile or resource and its corresponding impacts.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

Request Body schema: application/json
required
fieldPaths
Array of strings

List of field paths to analyze the impact of the profiles on. If this field is set, the request will analyze the impact of the profiles only on the specified field paths.

profile
string

FQN of the profile whose impact is analyzed.

Responses

Request samples

Content type
application/json
{
  "fieldPaths": [],
  "profile": "string"
}

Response samples

Content type
application/json
{
  "error": {},
  "result": {}
}

Lists the profiles that can be attached to the given resource. The returned entries carry only metadata (FQN, display name and description). To retrieve the full profile, use the `GetProfile` or `ListProfiles` methods.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

gatewaygroup
required
string

Gatewaygroup name.

Responses

Response samples

Content type
application/json
{
  "profiles": []
}

Get the profile blame data for a given resource FQN.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

gatewaygroup
required
string

Gatewaygroup name.

Responses

Response samples

Content type
application/json
{
  "effectiveProfileConfig": {},
  "effectiveProfilePaths": {},
  "effectiveProfileMandatedPaths": [],
  "effectiveProfileAttachmentPaths": {}
}

CurrentImpactAnalysis analyzes the current impact of a profile, or of the profiles attached to a resource. The response is streamed; each message carries the impact analysis for one profile or resource and its corresponding impacts.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

gatewaygroup
required
string

Gatewaygroup name.

Request Body schema: application/json
required
fieldPaths
Array of strings

List of field paths to analyze the impact of the profiles on. If this field is set, the request will analyze the impact of the profiles only on the specified field paths.

profile
string

FQN of the profile whose impact is analyzed.

Responses

Request samples

Content type
application/json
{
  "fieldPaths": [],
  "profile": "string"
}

Response samples

Content type
application/json
{
  "error": {},
  "result": {}
}

Get the profile blame data for a given resource FQN.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

gatewaygroup
required
string

Gatewaygroup name.

egressgateway
required
string

Egressgateway name.

Responses

Response samples

Content type
application/json
{
  "effectiveProfileConfig": {},
  "effectiveProfilePaths": {},
  "effectiveProfileMandatedPaths": [],
  "effectiveProfileAttachmentPaths": {}
}

ImpactAnalysis analyzes the impact of modifying a profile, or the set of profiles attached to a resource. The response is streamed; each message carries the impact analysis for one profile or resource and its corresponding impacts.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

gatewaygroup
required
string

Gatewaygroup name.

Request Body schema: application/json
required
fieldPaths
Array of strings

List of field paths to analyze the impact of the profiles on. If this field is set, the request will analyze the impact of the profiles only on the specified field paths.

modifyAttachedProfiles
object (Request to analyze the impact of modifying the attached profiles of a resource.)

Request to analyze the impact of modifying the attached profiles of a resource.

modifyProfile
object (v2ModifyProfile)

ModifyProfile represents a request to analyze the impact of modifying a profile.

Responses

Request samples

Content type
application/json
{
  "fieldPaths": [],
  "modifyAttachedProfiles": {},
  "modifyProfile": {}
}

Response samples

Content type
application/json
{
  "error": {},
  "result": {}
}

Get the profile blame data for a given resource FQN.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

gatewaygroup
required
string

Gatewaygroup name.

ingressgateway
required
string

Ingressgateway name.

Responses

Response samples

Content type
application/json
{
  "effectiveProfileConfig": {},
  "effectiveProfilePaths": {},
  "effectiveProfileMandatedPaths": [],
  "effectiveProfileAttachmentPaths": {}
}

Get the profile blame data for a given resource FQN.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

gatewaygroup
required
string

Gatewaygroup name.

tier1gateway
required
string

Tier1gateway name.

Responses

Response samples

Content type
application/json
{
  "effectiveProfileConfig": {},
  "effectiveProfilePaths": {},
  "effectiveProfileMandatedPaths": [],
  "effectiveProfileAttachmentPaths": {}
}

ImpactAnalysis analyzes the impact of modifying a profile, or the set of profiles attached to a resource. The response is streamed; each message carries the impact analysis for one profile or resource and its corresponding impacts.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

Request Body schema: application/json
required
fieldPaths
Array of strings

List of field paths to analyze the impact of the profiles on. If this field is set, the request will analyze the impact of the profiles only on the specified field paths.

modifyAttachedProfiles
object (Request to analyze the impact of modifying the attached profiles of a resource.)

Request to analyze the impact of modifying the attached profiles of a resource.

modifyProfile
object (v2ModifyProfile)

ModifyProfile represents a request to analyze the impact of modifying a profile.

Responses

Request samples

Content type
application/json
{
  "fieldPaths": [],
  "modifyAttachedProfiles": {},
  "modifyProfile": {}
}

Response samples

Content type
application/json
{
  "error": {},
  "result": {}
}

Get the profile blame data for a given resource FQN.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

istiointernalgroup
required
string

Istiointernalgroup name.

Responses

Response samples

Content type
application/json
{
  "effectiveProfileConfig": {},
  "effectiveProfilePaths": {},
  "effectiveProfileMandatedPaths": [],
  "effectiveProfileAttachmentPaths": {}
}

Get the profile blame data for a given resource FQN.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

istiointernalgroup
required
string

Istiointernalgroup name.

setting
required
string

Setting name.

Responses

Response samples

Content type
application/json
{
  "effectiveProfileConfig": {},
  "effectiveProfilePaths": {},
  "effectiveProfileMandatedPaths": [],
  "effectiveProfileAttachmentPaths": {}
}

List all Profiles that belong to a resource.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

Responses

Response samples

Content type
application/json
{
  "profiles": []
}

Create a profile object for a given resource. A `Profile` object can be created at Organization, Tenant, and Workspace levels. Once created, a profile can be attached at its own level or down the hierarchy at Organization, Tenants, Workspaces and Groups levels.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

Request Body schema: application/json
required
name
required
string

The short name for the resource to be created.

profile
required
object (Beta feature: the Configuration Profiles feature is in beta state for release 1.13. Please contact Tetrate if you have any questions or concerns.)

A Profile is a predefined configuration template that can be defined at the Organization, Tenant and Workspace levels and then attached to Organizations, Tenants, Workspaces and Groups. Profiles are intended for traffic-related settings and security policies that apply to the resource itself, not for security policies (e.g. authorization policies) that govern relationships between resources. They contain defaults, which can be overridden, and mandates, which cannot.

The following example creates a Profile named myprofile that enforces mutual TLS authenticated connections across the whole tetrate organization. It also sets the default circuit-breaking sensitivity to MEDIUM, and configures a TCP KeepAlive timeout of 300 seconds for all inbound connections to all the proxies within the tetrate organization.

apiVersion: profile.tsb.tetrate.io/v2
kind: Profile
metadata:
  name: myprofile
  organization: tetrate
spec:
  displayName: "mTLS enforcement and default circuit breaking"
  mandates:
    authenticationSettings:
      trafficMode: "REQUIRED"
  defaults:
    traffic:
      inbound:
        resilience:
          connectionPool:
            tcp:
              keepAlive:
                idleTime: 300
      outbound:
        upstreamTrafficSettings:
        - hosts:
          - '*'
          settings:
            resilience:
              circuitBreakerSensitivity: MEDIUM
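To make the defaults-versus-mandates rule concrete (it is described identically in the Organization, Tenant and Workspace create-profile sections), the following Python is an added example, not TSB's code: it merges two constructed profiles shaped after the myprofile YAML above into a resource's effective config and reports blame data with the same keys as the blame responses on this page. Beyond "defaults can be overridden and mandates cannot", the merge order, the `violations` field, the `"self"` marker and the `OPTIONAL` value are assumptions of this example.

```python
"""Added example: a model of how Profile defaults and mandates combine.

This is illustrative code, not TSB's implementation. Beyond "defaults can be
overridden and mandates cannot", the exact merge order is assumed here.
"""
from typing import Any

# Two hypothetical profiles, constructed for this example and shaped after the
# myprofile YAML above: the organization-level one mandates mTLS and sets a
# keepalive default; a workspace-level one lowers that default.
ORG_PROFILE = {
    "fqn": "organizations/tetrate/profiles/myprofile",
    "mandates": {"authenticationSettings": {"trafficMode": "REQUIRED"}},
    "defaults": {"traffic": {"inbound": {"resilience": {
        "connectionPool": {"tcp": {"keepAlive": {"idleTime": 300}}}}}}},
}
WS_PROFILE = {
    "fqn": "organizations/tetrate/tenants/t1/workspaces/w1/profiles/short-keepalive",
    "mandates": {},
    "defaults": {"traffic": {"inbound": {"resilience": {
        "connectionPool": {"tcp": {"keepAlive": {"idleTime": 60}}}}}}},
}

KEEPALIVE = "traffic.inbound.resilience.connectionPool.tcp.keepAlive.idleTime"
MTLS = "authenticationSettings.trafficMode"


def flatten(tree: dict, prefix: str = "") -> dict[str, Any]:
    """Return {dotted.path: leaf value} for a nested config dict."""
    out: dict[str, Any] = {}
    for key, val in tree.items():
        path = f"{prefix}.{key}" if prefix else key
        if isinstance(val, dict) and val:
            out.update(flatten(val, path))
        else:
            out[path] = val
    return out


def set_path(tree: dict, path: str, value: Any) -> None:
    """Write a leaf value into a nested dict, creating intermediate nodes."""
    parts = path.split(".")
    node = tree
    for part in parts[:-1]:
        node = node.setdefault(part, {})
    node[parts[-1]] = value


def resolve(attachments: list[tuple[str, dict]], own_config: dict) -> dict:
    """Compute a resource's effective config from the profiles attached along
    its hierarchy (outermost, i.e. organization, first) plus its own settings.

    Assumed semantics: defaults apply outer to inner, so nearer attachments and
    the resource's own config override them; mandates apply last, the outermost
    mandate wins, and any value they overwrite is reported as a violation.
    """
    effective: dict = {}
    paths: dict[str, str] = {}       # path -> profile FQN (or "self") that set it
    attachment: dict[str, str] = {}  # path -> level the winning profile is attached at
    for level, profile in attachments:
        for path, val in flatten(profile["defaults"]).items():
            set_path(effective, path, val)
            paths[path], attachment[path] = profile["fqn"], level
    for path, val in flatten(own_config).items():
        set_path(effective, path, val)
        paths[path] = "self"
        attachment.pop(path, None)
    mandated: list[str] = []
    violations: dict[str, dict] = {}
    for level, profile in attachments:
        for path, val in flatten(profile["mandates"]).items():
            if path in mandated:  # an outer mandate already locked this path
                continue
            prior = flatten(effective).get(path)
            if path in paths and prior != val:
                violations[path] = {"attempted": prior, "by": paths[path]}
            set_path(effective, path, val)
            paths[path], attachment[path] = profile["fqn"], level
            mandated.append(path)
    return {  # keys mirror the blame response shown on this page
        "effectiveProfileConfig": effective,
        "effectiveProfilePaths": paths,
        "effectiveProfileMandatedPaths": mandated,
        "effectiveProfileAttachmentPaths": attachment,
        "violations": violations,  # hypothetical field, not in the TSB response
    }


if __name__ == "__main__":
    # A workspace that tries to relax mTLS and shorten the keepalive: the
    # keepalive override sticks, the mTLS override is rejected by the mandate.
    own: dict = {}
    set_path(own, MTLS, "OPTIONAL")  # constructed value for the demo
    set_path(own, KEEPALIVE, 30)
    blame = resolve([("organization", ORG_PROFILE), ("workspace", WS_PROFILE)], own)
    print(blame["effectiveProfileMandatedPaths"], blame["violations"])
```

The `violations` map is the check a reviewer would want before applying a lower-level override: a non-empty entry means a setting the author believed they had set is silently replaced by a mandate from higher in the hierarchy.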

Responses

Request samples

Content type
application/json
{
  "name": "string",
  "profile": {}
}

Response samples

Content type
application/json
{
  "fqn": "string",
  "displayName": "string",
  "etag": "string",
  "description": "string",
  "deletionProtectionEnabled": true,
  "defaults": {},
  "mandates": {}
}

Get the details of a Profile in a resource.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

profile
required
string

Profile name.

Responses

Response samples

Content type
application/json
{
  "fqn": "string",
  "displayName": "string",
  "etag": "string",
  "description": "string",
  "deletionProtectionEnabled": true,
  "defaults": {},
  "mandates": {}
}

Modify a Profile in a resource.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

profile
required
string

Profile name.

Request Body schema: application/json
required
defaults
object (v2ProfileConfig)

ProfileConfig holds the configuration objects that can be used as defaults or mandates.

deletionProtectionEnabled
boolean

When set, prevents the resource from being deleted. To delete the resource, this property must first be set to false.

description
string (A description of the resource.)
displayName
string (User-friendly name for the resource.)
etag
string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications.)
mandates
object (v2ProfileConfig)

ProfileConfig holds the configuration objects that can be used as defaults or mandates.

Responses

Request samples

Content type
application/json
{
  "defaults": {},
  "deletionProtectionEnabled": true,
  "description": "string",
  "displayName": "string",
  "etag": "string",
  "mandates": {}
}

Response samples

Content type
application/json
{
  "fqn": "string",
  "displayName": "string",
  "etag": "string",
  "description": "string",
  "deletionProtectionEnabled": true,
  "defaults": {},
  "mandates": {}
}

Delete a Profile from a resource.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

profile
required
string

Profile name.

query Parameters
force
boolean

Force the deletion of the object even if deletion protection is enabled.

Responses

Response samples

Content type
application/json
{ }

CurrentImpactAnalysis analyzes the current impact of a profile, or of the profiles attached to a resource. The response is streamed; each message carries the impact analysis for one profile or resource and its corresponding impacts.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

profile
required
string

Profile name.

Request Body schema: application/json
required
fieldPaths
Array of strings

List of field paths to analyze the impact of the profiles on. If this field is set, the request will analyze the impact of the profiles only on the specified field paths.

resource
string

FQN of the resource whose attached profiles are analyzed.

Responses

Request samples

Content type
application/json
{
  • "fieldPaths": [
    ],
  • "resource": "string"
}

Response samples

Content type
application/json
{
  • "error": {
    },
  • "result": {
    }
}

ImpactAnalysis analyzes the impact of a proposed modification to a profile, or to the profiles attached to a resource. The response is streamed: each message carries the impact analysis for one profile or resource and its corresponding impacts.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

profile
required
string

Profile name.

Request Body schema: application/json
required
fieldPaths
Array of strings

List of field paths to analyze the impact of the profiles on. If this field is set, the request will analyze the impact of the profiles only on the specified field paths.

modifyAttachedProfiles
object (v2ModifyAttachedProfiles)

ModifyAttachedProfiles represents a request to analyze the impact of modifying the attached profiles of a resource.

modifyProfile
object (v2ModifyProfile)

Request to analyze the impact of modifying an existing profile.

Responses

Request samples

Content type
application/json
{
  • "fieldPaths": [
    ],
  • "modifyAttachedProfiles": {
    },
  • "modifyProfile": {
    }
}

Response samples

Content type
application/json
{
  • "error": {
    },
  • "result": {
    }
}

Lists the profiles that can be attached to the given resource. Each returned entry carries only metadata (fqn, display name and description); to retrieve the full profile, use the `GetProfile` or `ListProfiles` methods.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

securitygroup
required
string

Securitygroup name.

Responses

Response samples

Content type
application/json
{
  • "profiles": [
    ]
}

Get the profile blame data for a given resource FQN.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

securitygroup
required
string

Securitygroup name.

Responses

Response samples

Content type
application/json
{
  • "effectiveProfileConfig": {
    },
  • "effectiveProfilePaths": {
    },
  • "effectiveProfileMandatedPaths": [
    ],
  • "effectiveProfileAttachmentPaths": {
    }
}
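How the four blame fields in the response above can be derived from a resource's own spec plus the profiles attached to it, as an added Python illustration that is not TSB's code. The merge order is an assumption of the example: mandates override the resource owner's values, defaults only fill fields the owner left unset, and the first attachment in the list wins a conflict. The security-relevant point is the `effectiveProfileMandatedPaths` list: those are the settings a platform team has pinned and a group owner cannot loosen. The field names in the sample spec are constructed.

```python
from typing import Any, Dict, List


def flatten(obj: Dict[str, Any], prefix: str = "") -> Dict[str, Any]:
    """Turn nested config into dotted field paths: {"a": {"b": 1}} -> {"a.b": 1}."""
    out: Dict[str, Any] = {}
    for key, val in obj.items():
        path = f"{prefix}.{key}" if prefix else key
        if isinstance(val, dict) and val:
            out.update(flatten(val, path))
        else:
            out[path] = val
    return out


def unflatten(flat: Dict[str, Any]) -> Dict[str, Any]:
    """Inverse of flatten: rebuild the nested config from dotted paths."""
    tree: Dict[str, Any] = {}
    for path, val in flat.items():
        node = tree
        parts = path.split(".")
        for part in parts[:-1]:
            node = node.setdefault(part, {})
        node[parts[-1]] = val
    return tree


def blame(resource_spec: Dict[str, Any], attachments: List[Dict[str, Any]]) -> Dict[str, Any]:
    """Effective config of a resource plus which profile decided each field path.

    `attachments` is ordered by precedence (assumption: the first profile wins a
    conflict). Each entry carries the profile fqn, the fqn of the resource it was
    attached at, and its ProfileConfig split into `defaults` and `mandates`.
    """
    own = flatten(resource_spec)
    effective = dict(own)
    profile_paths: Dict[str, str] = {}      # field path -> profile fqn that decided it
    mandated: List[str] = []
    attachment_paths: Dict[str, str] = {}   # profile fqn -> where it was attached (assumed shape)
    # Mandates win over whatever the resource owner wrote.
    for att in attachments:
        attachment_paths[att["fqn"]] = att["attachedAt"]
        for path, val in flatten(att.get("mandates", {})).items():
            if path in profile_paths:
                continue  # a higher-precedence mandate already decided this path
            effective[path] = val
            profile_paths[path] = att["fqn"]
            mandated.append(path)
    # Defaults only fill paths the owner left unset and no mandate covered.
    for att in attachments:
        for path, val in flatten(att.get("defaults", {})).items():
            if path in own or path in profile_paths:
                continue
            effective[path] = val
            profile_paths[path] = att["fqn"]
    return {
        "effectiveProfileConfig": unflatten(effective),
        "effectiveProfilePaths": profile_paths,
        "effectiveProfileMandatedPaths": sorted(mandated),
        "effectiveProfileAttachmentPaths": attachment_paths,
    }


# Constructed sample: a security group whose owner relaxed authentication, with a
# workspace-level profile that mandates it back on. Field names are illustrative.
WORKSPACE = "organizations/demo/tenants/demo/workspaces/w1"
GROUP = WORKSPACE + "/securitygroups/sg1"
BASELINE = WORKSPACE + "/profiles/baseline"
TEAM = WORKSPACE + "/profiles/team-dev"

SAMPLE_SPEC = {"authentication": "OPTIONAL", "authorization": {"mode": "RULES"}}
SAMPLE_ATTACHMENTS = [
    {"fqn": BASELINE, "attachedAt": WORKSPACE,
     "mandates": {"authentication": "REQUIRED"},
     "defaults": {"authorization": {"mode": "NAMESPACE"}, "propagationStrategy": "REPLACE"}},
    {"fqn": TEAM, "attachedAt": GROUP,
     "defaults": {"propagationStrategy": "STRICT", "waf": {"enabled": True}}},
]


def demo() -> Dict[str, Any]:
    """Blame data for the constructed sample above."""
    return blame(SAMPLE_SPEC, SAMPLE_ATTACHMENTS)
```

Running `demo()` shows `authentication` forced to `REQUIRED` by the workspace profile even though the group spec says `OPTIONAL`, `authorization.mode` left at the owner's `RULES` because defaults never override an explicit value, and `propagationStrategy` taken from the higher-precedence profile rather than the team one.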

CurrentImpactAnalysis analyzes the current impact of a profile, or of the profiles attached to a resource. The response is streamed: each message carries the impact analysis for one profile or resource and its corresponding impacts.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

securitygroup
required
string

Securitygroup name.

Request Body schema: application/json
required
fieldPaths
Array of strings

List of field paths to analyze the impact of the profiles on. If this field is set, the request will analyze the impact of the profiles only on the specified field paths.

profile
string

Profile fqn to analyze the impact.

Responses

Request samples

Content type
application/json
{
  • "fieldPaths": [
    ],
  • "profile": "string"
}

Response samples

Content type
application/json
{
  • "error": {
    },
  • "result": {
    }
}

ImpactAnalysis analyzes the impact of a proposed modification to a profile, or to the profiles attached to a resource. The response is streamed: each message carries the impact analysis for one profile or resource and its corresponding impacts.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

securitygroup
required
string

Securitygroup name.

Request Body schema: application/json
required
fieldPaths
Array of strings

List of field paths to analyze the impact of the profiles on. If this field is set, the request will analyze the impact of the profiles only on the specified field paths.

modifyAttachedProfiles
object (v2ModifyAttachedProfiles)

Request to analyze the impact of modifying the attached profiles of a resource.

modifyProfile
object (v2ModifyProfile)

ModifyProfile represents a request to analyze the impact of modifying a profile.

Responses

Request samples

Content type
application/json
{
  • "fieldPaths": [
    ],
  • "modifyAttachedProfiles": {
    },
  • "modifyProfile": {
    }
}

Response samples

Content type
application/json
{
  • "error": {
    },
  • "result": {
    }
}

Get the profile blame data for a given resource FQN.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

securitygroup
required
string

Securitygroup name.

setting
required
string

Setting name.

Responses

Response samples

Content type
application/json
{
  • "effectiveProfileConfig": {
    },
  • "effectiveProfilePaths": {
    },
  • "effectiveProfileMandatedPaths": [
    ],
  • "effectiveProfileAttachmentPaths": {
    }
}

Get the profile blame data for a given resource FQN.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

setting
required
string

Setting name.

Responses

Response samples

Content type
application/json
{
  • "effectiveProfileConfig": {
    },
  • "effectiveProfilePaths": {
    },
  • "effectiveProfileMandatedPaths": [
    ],
  • "effectiveProfileAttachmentPaths": {
    }
}

Lists the profiles that can be attached to the given resource. Each returned entry carries only metadata (fqn, display name and description); to retrieve the full profile, use the `GetProfile` or `ListProfiles` methods.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

trafficgroup
required
string

Trafficgroup name.

Responses

Response samples

Content type
application/json
{
  • "profiles": [
    ]
}

Get the profile blame data for a given resource FQN.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

trafficgroup
required
string

Trafficgroup name.

Responses

Response samples

Content type
application/json
{
  • "effectiveProfileConfig": {
    },
  • "effectiveProfilePaths": {
    },
  • "effectiveProfileMandatedPaths": [
    ],
  • "effectiveProfileAttachmentPaths": {
    }
}

CurrentImpactAnalysis analyzes the current impact of a profile, or of the profiles attached to a resource. The response is streamed: each message carries the impact analysis for one profile or resource and its corresponding impacts.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

trafficgroup
required
string

Trafficgroup name.

Request Body schema: application/json
required
fieldPaths
Array of strings

List of field paths to analyze the impact of the profiles on. If this field is set, the request will analyze the impact of the profiles only on the specified field paths.

profile
string

Profile fqn to analyze the impact.

Responses

Request samples

Content type
application/json
{
  • "fieldPaths": [
    ],
  • "profile": "string"
}

Response samples

Content type
application/json
{
  • "error": {
    },
  • "result": {
    }
}

ImpactAnalysis analyzes the impact of a proposed modification to a profile, or to the profiles attached to a resource. The response is streamed: each message carries the impact analysis for one profile or resource and its corresponding impacts.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

trafficgroup
required
string

Trafficgroup name.

Request Body schema: application/json
required
fieldPaths
Array of strings

List of field paths to analyze the impact of the profiles on. If this field is set, the request will analyze the impact of the profiles only on the specified field paths.

modifyAttachedProfiles
object (v2ModifyAttachedProfiles)

Request to analyze the impact of modifying the attached profiles of a resource.

modifyProfile
object (v2ModifyProfile)

ModifyProfile represents a request to analyze the impact of modifying a profile.

Responses

Request samples

Content type
application/json
{
  • "fieldPaths": [
    ],
  • "modifyAttachedProfiles": {
    },
  • "modifyProfile": {
    }
}

Response samples

Content type
application/json
{
  • "error": {
    },
  • "result": {
    }
}

Get the profile blame data for a given resource FQN.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

trafficgroup
required
string

Trafficgroup name.

serviceroute
required
string

Serviceroute name.

Responses

Response samples

Content type
application/json
{
  • "effectiveProfileConfig": {
    },
  • "effectiveProfilePaths": {
    },
  • "effectiveProfileMandatedPaths": [
    ],
  • "effectiveProfileAttachmentPaths": {
    }
}

Get the profile blame data for a given resource FQN.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

trafficgroup
required
string

Trafficgroup name.

setting
required
string

Setting name.

Responses

Response samples

Content type
application/json
{
  • "effectiveProfileConfig": {
    },
  • "effectiveProfilePaths": {
    },
  • "effectiveProfileMandatedPaths": [
    ],
  • "effectiveProfileAttachmentPaths": {
    }
}

Get the profile blame data for a given resource FQN.

path Parameters
organization
required
string

Organization name.

user
required
string

User name.

Responses

Response samples

Content type
application/json
{
  • "effectiveProfileConfig": {
    },
  • "effectiveProfilePaths": {
    },
  • "effectiveProfileMandatedPaths": [
    ],
  • "effectiveProfileAttachmentPaths": {
    }
}

Approvals

GetPolicy returns the approval policy for the given resource.

path Parameters
organization
required
string

Organization name.

Responses

Response samples

Content type
application/json
{
  • "etag": "string",
  • "mode": "UNRESTRICTED",
  • "resource": "string",
  • "requested": [
    ],
  • "approved": [
    ],
  • "metadata": {
    }
}

SetPolicy enables authorization policy checks for the given resource and applies any provided request or approval settings. Any existing policy settings for the resource are replaced. Once the policy is set, authorization checks are performed for the given resource.

path Parameters
organization
required
string

Organization name.

Request Body schema: application/json
required
approved
Array of objects (v2Access)

Approved is a list of subjects that are approved to access the resource.

etag
string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)
metadata
object (qv2Metadata)

Metadata includes additional information about an ApprovalPolicy or Access entity and their respective resources that they apply to.

mode
required
string (v2ApprovalPolicyMode)
Default: "UNRESTRICTED"
Enum: "UNRESTRICTED" "ALLOW_REQUESTED" "REQUIRE_APPROVAL"
  • UNRESTRICTED: Allows all subjects in the same policy class to access the resource.
  • ALLOW_REQUESTED: Allows only the subjects in the request and approved list to access the resource.
  • REQUIRE_APPROVAL: Allows only the subjects in the approved list to access the resource.
requested
Array of objects (v2Access)

Requested is a list of subjects that are requested to access the resource but that have not yet been explicitly approved. The access mode of the policy will determine if the subjects in this list are given immediate access to the resource.

Responses

Request samples

Content type
application/json
{
  • "approved": [
    ],
  • "etag": "string",
  • "metadata": {
    },
  • "mode": "UNRESTRICTED",
  • "requested": [
    ]
}

Response samples

Content type
application/json
{ }

DeletePolicy deletes the approval policy configuration for the given resource. When deleted, authorization checks will no longer be performed, the resource will no longer accept approval requests and all existing approvals will be revoked.

path Parameters
organization
required
string

Organization name.

query Parameters
force
boolean

Force the deletion of internal resources even if they are protected against deletion.

Responses

Response samples

Content type
application/json
{ }

AddApprovedAccess adds a new entry in the approved access list for the given resource.

path Parameters
organization
required
string

Organization name.

Request Body schema: application/json
required
access
required
object (v2Access)

Access is an access request for a subject with a set of permissions.

Example: Access { Subject: "organizations/demo/tenants/demo/applications/caller", Permissions: []string{"GET"} }

etag
string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)

Responses

Request samples

Content type
application/json
{
  • "access": {
    },
  • "etag": "string"
}

Response samples

Content type
application/json
{ }

DeleteApprovedAccess deletes an entry from the approved list for the given resource.

path Parameters
organization
required
string

Organization name.

Request Body schema: application/json
required
subject
required
string

Subject for which the access request is made.

Responses

Request samples

Content type
application/json
{
  • "subject": "string"
}

Response samples

Content type
application/json
{ }

Approvals_QueryPolicies

path Parameters
organization
required
string

Organization name.

Request Body schema: application/json
required
includeDetails
boolean

IncludeDetails indicates whether to include the details of the resources that are part of the policy. When set to true, the name and description of the resource are included in the response.

includePermissions
boolean

IncludePermissions indicates whether to include the user level permissions on resources that are part of the policy. When set to true, the user level permissions are included in the response.

types
required
Array of strings

Types lists the resource types to query for policies.

Responses

Request samples

Content type
application/json
{
  • "includeDetails": true,
  • "includePermissions": true,
  • "types": [
    ]
}

Response samples

Content type
application/json
{
  • "policies": [
    ]
}

AddAccessRequest adds a new entry to the access request list for the given resource. If the policy approval mode is "ALLOW_REQUESTED", access is allowed immediately. If the policy approval mode is "REQUIRE_APPROVAL", access stays pending until the request is approved.

path Parameters
organization
required
string

Organization name.

Request Body schema: application/json
required
access
required
object (v2Access)

Access is an access request for a subject with a set of permissions.

Example: Access { Subject: "organizations/demo/tenants/demo/applications/caller", Permissions: []string{"GET"} }

etag
string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)

Responses

Request samples

Content type
application/json
{
  • "access": {
    },
  • "etag": "string"
}

Response samples

Content type
application/json
{ }

ApproveAccessRequest approves an existing access request for the given resource. Once approved, the request will be removed from the requested list and added to the approved list. If any of the permissions are changed, the requested permissions will be discarded and only the approved permissions will be added to the approved list.

path Parameters
organization
required
string

Organization name.

Request Body schema: application/json
required
access
required
object (v2Access)

Access is an access request for a subject with a set of permissions.

Example: Access { Subject: "organizations/demo/tenants/demo/applications/caller", Permissions: []string{"GET"} }

etag
string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)

Responses

Request samples

Content type
application/json
{
  • "access": {
    },
  • "etag": "string"
}

Response samples

Content type
application/json
{ }

DeleteAccessRequest removes an existing entry from the access request list for the given resource. If the request has already been approved, it no longer exists in that list and this operation returns NotFound; remove an approved entry with the DeleteApprovedAccess operation instead.

path Parameters
organization
required
string

Organization name.

Request Body schema: application/json
required
subject
required
string

Subject for which the access request is made.

Responses

Request samples

Content type
application/json
{
  • "subject": "string"
}

Response samples

Content type
application/json
{ }
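The approval lifecycle documented above (SetPolicy, AddAccessRequest, ApproveAccessRequest, DeleteAccessRequest, DeletePolicy), the three policy modes and the etag rule, as an added Python model that is not TSB's implementation. Assumptions of the example: the etag is a content hash of the policy, a mismatched etag is rejected with a `StaleEtag` error, `is_allowed` is the decision the page describes in prose, and the cluster FQN `organizations/demo/clusters/demo` is constructed. The subject FQN is the one from the page's own Access example. Note what the model makes visible: under REQUIRE_APPROVAL the approver's permission set replaces the requested one, so a request for `GET` and `POST` approved with only `GET` grants only `GET`.

```python
import hashlib
import json
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional

UNRESTRICTED, ALLOW_REQUESTED, REQUIRE_APPROVAL = "UNRESTRICTED", "ALLOW_REQUESTED", "REQUIRE_APPROVAL"

class NotFound(Exception):
    """The NotFound outcome the page documents for DeleteAccessRequest."""

class StaleEtag(Exception):
    """Assumed rejection of an update whose etag no longer matches the stored policy."""

@dataclass
class Access:
    subject: str
    permissions: List[str]

@dataclass
class ApprovalPolicy:
    resource: str
    mode: str = UNRESTRICTED
    requested: Dict[str, Access] = field(default_factory=dict)
    approved: Dict[str, Access] = field(default_factory=dict)

    def etag(self) -> str:
        # Assumed: a content hash stands in for the etag TSB computes server-side.
        snapshot = {"mode": self.mode,
                    "requested": {s: a.permissions for s, a in self.requested.items()},
                    "approved": {s: a.permissions for s, a in self.approved.items()}}
        return hashlib.sha256(json.dumps(snapshot, sort_keys=True).encode()).hexdigest()[:16]

class ApprovalsService:
    def __init__(self) -> None:
        self.policies: Dict[str, ApprovalPolicy] = {}

    def _policy(self, resource: str, etag: Optional[str] = None) -> ApprovalPolicy:
        policy = self.policies.get(resource)
        if policy is None:
            raise NotFound(resource)
        if etag is not None and etag != policy.etag():
            raise StaleEtag(resource)  # the policy changed since the caller read it
        return policy

    def set_policy(self, resource: str, mode: str, requested: Iterable[Access] = (),
                   approved: Iterable[Access] = (), etag: Optional[str] = None) -> str:
        if resource in self.policies:
            self._policy(resource, etag or "")  # replacing an existing policy needs its current etag
        policy = ApprovalPolicy(resource, mode, {a.subject: a for a in requested},
                                {a.subject: a for a in approved})
        self.policies[resource] = policy  # existing settings are replaced wholesale
        return policy.etag()

    def add_access_request(self, resource: str, access: Access, etag: str) -> str:
        policy = self._policy(resource, etag)
        policy.requested[access.subject] = access
        return policy.etag()

    def approve_access_request(self, resource: str, access: Access, etag: str) -> str:
        policy = self._policy(resource, etag)
        if access.subject not in policy.requested:
            raise NotFound(access.subject)
        del policy.requested[access.subject]
        policy.approved[access.subject] = access  # approver's permissions win; requested ones are dropped
        return policy.etag()

    def delete_access_request(self, resource: str, subject: str) -> None:
        policy = self._policy(resource)
        if subject not in policy.requested:  # also the case once the request was approved
            raise NotFound(subject)
        del policy.requested[subject]

    def delete_policy(self, resource: str) -> None:
        self.policies.pop(resource, None)  # every approval is revoked with the policy

    def is_allowed(self, resource: str, subject: str, permission: str) -> bool:
        policy = self.policies.get(resource)
        if policy is None or policy.mode == UNRESTRICTED:
            return True  # no policy: this layer checks nothing; UNRESTRICTED: the policy class passes
        grants = dict(policy.requested) if policy.mode == ALLOW_REQUESTED else {}
        grants.update(policy.approved)  # an approved entry takes precedence over a pending one
        access = grants.get(subject)
        return access is not None and permission in access.permissions

def demo() -> Dict[str, object]:
    """One request through REQUIRE_APPROVAL; the cluster FQN is constructed for the example."""
    svc = ApprovalsService()
    resource = "organizations/demo/clusters/demo"
    caller = "organizations/demo/tenants/demo/applications/caller"
    etag = svc.set_policy(resource, REQUIRE_APPROVAL)
    etag = svc.add_access_request(resource, Access(caller, ["GET", "POST"]), etag)
    pending = svc.is_allowed(resource, caller, "GET")  # still denied: approval required
    stale = etag
    etag = svc.approve_access_request(resource, Access(caller, ["GET"]), etag)  # POST narrowed away
    try:
        svc.add_access_request(resource, Access("other", ["GET"]), stale)
        stale_outcome = "accepted"
    except StaleEtag:
        stale_outcome = "StaleEtag"
    try:
        svc.delete_access_request(resource, caller)
        delete_outcome = "deleted"
    except NotFound:
        delete_outcome = "NotFound"
    result = {"pending": pending, "get": svc.is_allowed(resource, caller, "GET"),
              "post": svc.is_allowed(resource, caller, "POST"),
              "stale": stale_outcome, "delete_request": delete_outcome}
    svc.delete_policy(resource)
    result["after_delete"] = svc.is_allowed(resource, caller, "POST")
    return result
```

`demo()` walks one subject through the lifecycle: denied while pending, allowed for `GET` only after a narrowed approval, a write carrying the pre-approval etag rejected, DeleteAccessRequest on the now-approved subject answering NotFound, and, after DeletePolicy, no check at all from this layer. That last step is the one to watch operationally: deleting a policy does not fail closed.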

GetPolicy returns the approval policy for the given resource.

path Parameters
organization
required
string

Organization name.

cluster
required
string

Cluster name.

Responses

Response samples

Content type
application/json
{
  • "etag": "string",
  • "mode": "UNRESTRICTED",
  • "resource": "string",
  • "requested": [
    ],
  • "approved": [
    ],
  • "metadata": {
    }
}

SetPolicy enables authorization policy checks for the given resource and applies any provided request or approval settings. Any existing policy settings for the resource are replaced. Once the policy is set, authorization checks are performed for the given resource.

path Parameters
organization
required
string

Organization name.

cluster
required
string

Cluster name.

Request Body schema: application/json
required
approved
Array of objects (v2Access)

Approved is a list of subjects that are approved to access the resource.

etag
string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)
metadata
object (qv2Metadata)

Metadata includes additional information about an ApprovalPolicy or Access entity and their respective resources that they apply to.

mode
required
string (v2ApprovalPolicyMode)
Default: "UNRESTRICTED"
Enum: "UNRESTRICTED" "ALLOW_REQUESTED" "REQUIRE_APPROVAL"
  • UNRESTRICTED: Allows all subjects in the same policy class to access the resource.
  • ALLOW_REQUESTED: Allows only the subjects in the request and approved list to access the resource.
  • REQUIRE_APPROVAL: Allows only the subjects in the approved list to access the resource.
requested
Array of objects (v2Access)

Requested is a list of subjects that are requested to access the resource but that have not yet been explicitly approved. The access mode of the policy will determine if the subjects in this list are given immediate access to the resource.

Responses

Request samples

Content type
application/json
{
  • "approved": [
    ],
  • "etag": "string",
  • "metadata": {
    },
  • "mode": "UNRESTRICTED",
  • "requested": [
    ]
}

Response samples

Content type
application/json
{ }

DeletePolicy deletes the approval policy configuration for the given resource. When deleted, authorization checks will no longer be performed, the resource will no longer accept approval requests and all existing approvals will be revoked.

path Parameters
organization
required
string

Organization name.

cluster
required
string

Cluster name.

query Parameters
force
boolean

Force the deletion of internal resources even if they are protected against deletion.

Responses

Response samples

Content type
application/json
{ }

AddApprovedAccess adds a new entry in the approved access list for the given resource.

path Parameters
organization
required
string

Organization name.

cluster
required
string

Cluster name.

Request Body schema: application/json
required
access
required
object (v2Access)

Access is an access request for a subject with a set of permissions.

Example: Access { Subject: "organizations/demo/tenants/demo/applications/caller", Permissions: []string{"GET"} }

etag
string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)

Responses

Request samples

Content type
application/json
{
  • "access": {
    },
  • "etag": "string"
}

Response samples

Content type
application/json
{ }

DeleteApprovedAccess deletes an entry from the approved list for the given resource.

path Parameters
organization
required
string

Organization name.

cluster
required
string

Cluster name.

Request Body schema: application/json
required
subject
required
string

Subject for which the access request is made.

Responses

Request samples

Content type
application/json
{
  • "subject": "string"
}

Response samples

Content type
application/json
{ }

Approvals_QueryPolicies_variant_1

path Parameters
organization
required
string

Organization name.

cluster
required
string

Cluster name.

Request Body schema: application/json
required
includeDetails
boolean

IncludeDetails indicates whether to include the details of the resources that are part of the policy. When set to true, the name and description of the resource are included in the response.

includePermissions
boolean

IncludePermissions indicates whether to include the user level permissions on resources that are part of the policy. When set to true, the user level permissions are included in the response.

types
required
Array of strings

Types lists the resource types to query for policies.

Responses

Request samples

Content type
application/json
{
  • "includeDetails": true,
  • "includePermissions": true,
  • "types": [
    ]
}

Response samples

Content type
application/json
{
  • "policies": [
    ]
}

AddAccessRequest adds a new entry to the access request list for the given resource. If the policy approval mode is "ALLOW_REQUESTED", access is allowed immediately. If the policy approval mode is "REQUIRE_APPROVAL", access stays pending until the request is approved.

path Parameters
organization
required
string

Organization name.

cluster
required
string

Cluster name.

Request Body schema: application/json
required
access
required
object (v2Access)

Access is an access request for a subject with a set of permissions.

Example: Access { Subject: "organizations/demo/tenants/demo/applications/caller", Permissions: []string{"GET"} }

etag
string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)

Responses

Request samples

Content type
application/json
{
  • "access": {
    },
  • "etag": "string"
}

Response samples

Content type
application/json
{ }

ApproveAccessRequest approves an existing access request for the given resource. Once approved, the request will be removed from the requested list and added to the approved list. If any of the permissions are changed, the requested permissions will be discarded and only the approved permissions will be added to the approved list.

path Parameters
organization
required
string

Organization name.

cluster
required
string

Cluster name.

Request Body schema: application/json
required
access
required
object (v2Access)

Access is an access request for a subject with a set of permissions.

Example: Access { Subject: "organizations/demo/tenants/demo/applications/caller", Permissions: []string{"GET"} }

etag
string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)

Responses

Request samples

Content type
application/json
{
  • "access": {
    },
  • "etag": "string"
}

Response samples

Content type
application/json
{ }

DeleteAccessRequest removes an existing entry from the access request list for the given resource. If the request has already been approved, it no longer exists in that list and this operation returns NotFound; remove an approved entry with the DeleteApprovedAccess operation instead.

path Parameters
organization
required
string

Organization name.

cluster
required
string

Cluster name.

Request Body schema: application/json
required
subject
required
string

Subject for which the access request is made.

Responses

Request samples

Content type
application/json
{
  • "subject": "string"
}

Response samples

Content type
application/json
{ }

GetPolicy returns the approval policy for the given resource.

path Parameters
organization
required
string

Organization name.

extension
required
string

Extension name.

Responses

Response samples

Content type
application/json
{
  • "etag": "string",
  • "mode": "UNRESTRICTED",
  • "resource": "string",
  • "requested": [
    ],
  • "approved": [
    ],
  • "metadata": {
    }
}

SetPolicy enables authorization policy checks for the given resource and applies any provided request or approval settings. Any existing policy settings for the resource are replaced. Once the policy is set, authorization checks are performed for the given resource.

path Parameters
organization
required
string

Organization name.

extension
required
string

Extension name.

Request Body schema: application/json
required
approved
Array of objects (v2Access)

Approved is a list of subjects that are approved to access the resource.

etag
string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)
metadata
object (qv2Metadata)

Metadata includes additional information about an ApprovalPolicy or Access entity and their respective resources that they apply to.

mode
required
string (v2ApprovalPolicyMode)
Default: "UNRESTRICTED"
Enum: "UNRESTRICTED" "ALLOW_REQUESTED" "REQUIRE_APPROVAL"
  • UNRESTRICTED: Allows all subjects in the same policy class to access the resource.
  • ALLOW_REQUESTED: Allows only the subjects in the request and approved list to access the resource.
  • REQUIRE_APPROVAL: Allows only the subjects in the approved list to access the resource.
requested
Array of objects (v2Access)

Requested is a list of subjects that are requested to access the resource but that have not yet been explicitly approved. The access mode of the policy will determine if the subjects in this list are given immediate access to the resource.

Responses

Request samples

Content type
application/json
{
  • "approved": [
    ],
  • "etag": "string",
  • "metadata": {
    },
  • "mode": "UNRESTRICTED",
  • "requested": [
    ]
}

Response samples

Content type
application/json
{ }

DeletePolicy deletes the approval policy configuration for the given resource. When deleted, authorization checks will no longer be performed, the resource will no longer accept approval requests and all existing approvals will be revoked.

path Parameters
organization
required
string

Organization name.

extension
required
string

Extension name.

query Parameters
force
boolean

Force the deletion of internal resources even if they are protected against deletion.

Responses

Response samples

Content type
application/json
{ }

AddApprovedAccess adds a new entry in the approved access list for the given resource.

path Parameters
organization
required
string

Organization name.

extension
required
string

Extension name.

Request Body schema: application/json
required
access
required
object (v2Access)

Access is an access request for a subject with a set of permissions.

Example: Access { Subject: "organizations/demo/tenants/demo/applications/caller", Permissions: []string{"GET"} }

etag
string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)

Responses

Request samples

Content type
application/json
{
  • "access": {
    },
  • "etag": "string"
}

Response samples

Content type
application/json
{ }

DeleteApprovedAccess deletes an entry from the approved list for the given resource.

path Parameters
organization
required
string

Organization name.

extension
required
string

Extension name.

Request Body schema: application/json
required
subject
required
string

Subject for which the access request is made.

Responses

Request samples

Content type
application/json
{
  • "subject": "string"
}

Response samples

Content type
application/json
{ }

Approvals_QueryPolicies_variant_2

path Parameters
organization
required
string

Organization name.

extension
required
string

Extension name.

Request Body schema: application/json
required
includeDetails
boolean

IncludeDetails indicates whether to include the details of the resources that are part of the policy. When set to true, the name and description of the resource are included in the response.

includePermissions
boolean

IncludePermissions indicates whether to include the user level permissions on resources that are part of the policy. When set to true, the user level permissions are included in the response.

types
required
Array of strings

Types lists the resource types to query for policies.

Responses

Request samples

Content type
application/json
{
  • "includeDetails": true,
  • "includePermissions": true,
  • "types": [
    ]
}

Response samples

Content type
application/json
{
  • "policies": [
    ]
}

AddAccessRequest adds a new entry to the access request list for the given resource. If the policy approval mode is "ALLOW_REQUESTED", access is allowed immediately. If the policy approval mode is "REQUIRE_APPROVAL", access stays pending until the request is approved.

path Parameters
organization
required
string

Organization name.

extension
required
string

Extension name.

Request Body schema: application/json
required
access
required
object (v2Access)

Access is an access request for a subject with a set of permissions.

Example: Access { Subject: "organizations/demo/tenants/demo/applications/caller", Permissions: []string{"GET"} }

etag
string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)

Responses

Request samples

Content type
application/json
{
  • "access": {
    },
  • "etag": "string"
}

Response samples

Content type
application/json
{ }

ApproveAccessRequest approves an existing access request for the given resource. Once approved, the request will be removed from the requested list and added to the approved list. If any of the permissions are changed, the requested permissions will be discarded and only the approved permissions will be added to the approved list.

path Parameters
organization
required
string

Organization name.

extension
required
string

Extension name.

Request Body schema: application/json
required
access
required
object (v2Access)

Access is an access request for a subject with a set of permissions.

Example: Access { Subject: "organizations/demo/tenants/demo/applications/caller", Permissions: []string{"GET"} }

etag
string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)

Responses

Request samples

Content type
application/json
{
  • "access": {
    },
  • "etag": "string"
}

Response samples

Content type
application/json
{ }

DeleteAccessRequest removes an existing entry from the access request list for the given resource. If the request has already been approved, it no longer exists in that list and this operation returns NotFound; remove an approved entry with the DeleteApprovedAccess operation instead.

path Parameters
organization
required
string

Organization name.

extension
required
string

Extension name.

Request Body schema: application/json
required
subject
required
string

Subject for which the access request is made.

Responses

Request samples

Content type
application/json
{
  "subject": "string"
}

Response samples

Content type
application/json
{ }

GetPolicy returns the approval policy for the given resource.

path Parameters
organization
required
string

Organization name.

serviceaccount
required
string

Serviceaccount name.

Responses

Response samples

Content type
application/json
{
  "etag": "string",
  "mode": "UNRESTRICTED",
  "resource": "string",
  "requested": [ ],
  "approved": [ ],
  "metadata": { }
}

SetPolicy enables authorization policy checks for the given resource and applies any provided request or approval settings. If the resource has existing policy settings, they will be replaced. Once the policy is set, authorization checks will be performed for the given resource.

path Parameters
organization
required
string

Organization name.

serviceaccount
required
string

Serviceaccount name.

Request Body schema: application/json
required
approved
Array of objects (v2Access)

Approved is a list of subjects that are approved to access the resource.

etag
string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications.)

metadata
object (qv2Metadata)

Metadata includes additional information about an ApprovalPolicy or Access entity and the resources it applies to.

mode
required
string (v2ApprovalPolicyMode)
Default: "UNRESTRICTED"
Enum: "UNRESTRICTED" "ALLOW_REQUESTED" "REQUIRE_APPROVAL"
  • UNRESTRICTED: Allows all subjects in the same policy class to access the resource.
  • ALLOW_REQUESTED: Allows only the subjects in the requested and approved lists to access the resource.
  • REQUIRE_APPROVAL: Allows only the subjects in the approved list to access the resource.

requested
Array of objects (v2Access)

Requested is a list of subjects that have requested access to the resource but have not yet been explicitly approved. The access mode of the policy determines whether the subjects in this list are given immediate access to the resource.

Responses

Request samples

Content type
application/json
{
  "approved": [ ],
  "etag": "string",
  "metadata": { },
  "mode": "UNRESTRICTED",
  "requested": [ ]
}

Response samples

Content type
application/json
{ }

DeletePolicy deletes the approval policy configuration for the given resource. When deleted, authorization checks will no longer be performed, the resource will no longer accept approval requests and all existing approvals will be revoked.

path Parameters
organization
required
string

Organization name.

serviceaccount
required
string

Serviceaccount name.

query Parameters
force
boolean

Force the deletion of internal resources even if they are protected against deletion.

Responses

Response samples

Content type
application/json
{ }

AddApprovedAccess adds a new entry in the approved access list for the given resource.

path Parameters
organization
required
string

Organization name.

serviceaccount
required
string

Serviceaccount name.

Request Body schema: application/json
required
access
required
object (v2Access)

Access is an access request for a subject with a set of permissions.

Example: Access { Subject: "organizations/demo/tenants/demo/applications/caller", Permissions: []string{"GET"} }

etag
string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications.)

Responses

Request samples

Content type
application/json
{
  "access": { },
  "etag": "string"
}

Response samples

Content type
application/json
{ }

DeleteApprovedAccess deletes an entry from the approved list for the given resource.

path Parameters
organization
required
string

Organization name.

serviceaccount
required
string

Serviceaccount name.

Request Body schema: application/json
required
subject
required
string

Subject for which the access request is made.

Responses

Request samples

Content type
application/json
{
  "subject": "string"
}

Response samples

Content type
application/json
{ }

Approvals_QueryPolicies_variant_5

path Parameters
organization
required
string

Organization name.

serviceaccount
required
string

Serviceaccount name.

Request Body schema: application/json
required
includeDetails
boolean

IncludeDetails indicates whether to include the details of the resources that are part of the policy. When set to true, the name and description of the resource are included in the response.

includePermissions
boolean

IncludePermissions indicates whether to include the user level permissions on resources that are part of the policy. When set to true, the user level permissions are included in the response.

types
required
Array of strings

Types lists the resource types to query for policies.

Responses

Request samples

Content type
application/json
{
  "includeDetails": true,
  "includePermissions": true,
  "types": [ ]
}

Response samples

Content type
application/json
{
  "policies": [ ]
}

AddAccessRequest adds a new access request entry in the access request list for the given resource. If the policy approval mode is "ALLOW_REQUESTED", access is allowed immediately. If the policy approval mode is "REQUIRE_APPROVAL", access will be pending until the request is approved.

path Parameters
organization
required
string

Organization name.

serviceaccount
required
string

Serviceaccount name.

Request Body schema: application/json
required
access
required
object (v2Access)

Access is an access request for a subject with a set of permissions.

Example: Access { Subject: "organizations/demo/tenants/demo/applications/caller", Permissions: []string{"GET"} }

etag
string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications.)

Responses

Request samples

Content type
application/json
{
  "access": { },
  "etag": "string"
}

Response samples

Content type
application/json
{ }

ApproveAccessRequest approves an existing access request for the given resource. Once approved, the request will be removed from the requested list and added to the approved list. If any of the permissions are changed, the requested permissions will be discarded and only the approved permissions will be added to the approved list.

path Parameters
organization
required
string

Organization name.

serviceaccount
required
string

Serviceaccount name.

Request Body schema: application/json
required
access
required
object (v2Access)

Access is an access request for a subject with a set of permissions.

Example: Access { Subject: "organizations/demo/tenants/demo/applications/caller", Permissions: []string{"GET"} }

etag
string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications.)

Responses

Request samples

Content type
application/json
{
  "access": { },
  "etag": "string"
}

Response samples

Content type
application/json
{ }

DeleteAccessRequest removes an existing entry from the access request list for the given resource. If the request is already approved, the request no longer exists and this operation will return NotFound. Deleting an approved request should be done using the DeleteApproved operation.

path Parameters
organization
required
string

Organization name.

serviceaccount
required
string

Serviceaccount name.

Request Body schema: application/json
required
subject
required
string

Subject for which the access request is made.

Responses

Request samples

Content type
application/json
{
  "subject": "string"
}

Response samples

Content type
application/json
{ }

GetPolicy returns the approval policy for the given resource.

path Parameters
organization
required
string

Organization name.

service
required
string

Service name.

Responses

Response samples

Content type
application/json
{
  "etag": "string",
  "mode": "UNRESTRICTED",
  "resource": "string",
  "requested": [ ],
  "approved": [ ],
  "metadata": { }
}

SetPolicy enables authorization policy checks for the given resource and applies any provided request or approval settings. If the resource has existing policy settings, they will be replaced. Once the policy is set, authorization checks will be performed for the given resource.

path Parameters
organization
required
string

Organization name.

service
required
string

Service name.

Request Body schema: application/json
required
approved
Array of objects (v2Access)

Approved is a list of subjects that are approved to access the resource.

etag
string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications.)

metadata
object (qv2Metadata)

Metadata includes additional information about an ApprovalPolicy or Access entity and the resources it applies to.

mode
required
string (v2ApprovalPolicyMode)
Default: "UNRESTRICTED"
Enum: "UNRESTRICTED" "ALLOW_REQUESTED" "REQUIRE_APPROVAL"
  • UNRESTRICTED: Allows all subjects in the same policy class to access the resource.
  • ALLOW_REQUESTED: Allows only the subjects in the requested and approved lists to access the resource.
  • REQUIRE_APPROVAL: Allows only the subjects in the approved list to access the resource.

requested
Array of objects (v2Access)

Requested is a list of subjects that have requested access to the resource but have not yet been explicitly approved. The access mode of the policy determines whether the subjects in this list are given immediate access to the resource.

Responses

Request samples

Content type
application/json
{
  "approved": [ ],
  "etag": "string",
  "metadata": { },
  "mode": "UNRESTRICTED",
  "requested": [ ]
}

Response samples

Content type
application/json
{ }

DeletePolicy deletes the approval policy configuration for the given resource. When deleted, authorization checks will no longer be performed, the resource will no longer accept approval requests and all existing approvals will be revoked.

path Parameters
organization
required
string

Organization name.

service
required
string

Service name.

query Parameters
force
boolean

Force the deletion of internal resources even if they are protected against deletion.

Responses

Response samples

Content type
application/json
{ }

AddApprovedAccess adds a new entry in the approved access list for the given resource.

path Parameters
organization
required
string

Organization name.

service
required
string

Service name.

Request Body schema: application/json
required
access
required
object (v2Access)

Access is an access request for a subject with a set of permissions.

Example: Access { Subject: "organizations/demo/tenants/demo/applications/caller", Permissions: []string{"GET"} }

etag
string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications.)

Responses

Request samples

Content type
application/json
{
  "access": { },
  "etag": "string"
}

Response samples

Content type
application/json
{ }

DeleteApprovedAccess deletes an entry from the approved list for the given resource.

path Parameters
organization
required
string

Organization name.

service
required
string

Service name.

Request Body schema: application/json
required
subject
required
string

Subject for which the access request is made.

Responses

Request samples

Content type
application/json
{
  "subject": "string"
}

Response samples

Content type
application/json
{ }

Approvals_QueryPolicies_variant_3

path Parameters
organization
required
string

Organization name.

service
required
string

Service name.

Request Body schema: application/json
required
includeDetails
boolean

IncludeDetails indicates whether to include the details of the resources that are part of the policy. When set to true, the name and description of the resource are included in the response.

includePermissions
boolean

IncludePermissions indicates whether to include the user level permissions on resources that are part of the policy. When set to true, the user level permissions are included in the response.

types
required
Array of strings

Types lists the resource types to query for policies.

Responses

Request samples

Content type
application/json
{
  "includeDetails": true,
  "includePermissions": true,
  "types": [ ]
}

Response samples

Content type
application/json
{
  "policies": [ ]
}

AddAccessRequest adds a new access request entry in the access request list for the given resource. If the policy approval mode is "ALLOW_REQUESTED", access is allowed immediately. If the policy approval mode is "REQUIRE_APPROVAL", access will be pending until the request is approved.

path Parameters
organization
required
string

Organization name.

service
required
string

Service name.

Request Body schema: application/json
required
access
required
object (v2Access)

Access is an access request for a subject with a set of permissions.

Example: Access { Subject: "organizations/demo/tenants/demo/applications/caller", Permissions: []string{"GET"} }

etag
string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications.)

Responses

Request samples

Content type
application/json
{
  "access": { },
  "etag": "string"
}

Response samples

Content type
application/json
{ }

ApproveAccessRequest approves an existing access request for the given resource. Once approved, the request will be removed from the requested list and added to the approved list. If any of the permissions are changed, the requested permissions will be discarded and only the approved permissions will be added to the approved list.

path Parameters
organization
required
string

Organization name.

service
required
string

Service name.

Request Body schema: application/json
required
access
required
object (v2Access)

Access is an access request for a subject with a set of permissions.

Example: Access { Subject: "organizations/demo/tenants/demo/applications/caller", Permissions: []string{"GET"} }

etag
string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications.)

Responses

Request samples

Content type
application/json
{
  "access": { },
  "etag": "string"
}

Response samples

Content type
application/json
{ }

DeleteAccessRequest removes an existing entry from the access request list for the given resource. If the request is already approved, the request no longer exists and this operation will return NotFound. Deleting an approved request should be done using the DeleteApproved operation.

path Parameters
organization
required
string

Organization name.

service
required
string

Service name.

Request Body schema: application/json
required
subject
required
string

Subject for which the access request is made.

Responses

Request samples

Content type
application/json
{
  "subject": "string"
}

Response samples

Content type
application/json
{ }

GetPolicy returns the approval policy for the given resource.

path Parameters
organization
required
string

Organization name.

setting
required
string

Setting name.

Responses

Response samples

Content type
application/json
{
  "etag": "string",
  "mode": "UNRESTRICTED",
  "resource": "string",
  "requested": [ ],
  "approved": [ ],
  "metadata": { }
}

SetPolicy enables authorization policy checks for the given resource and applies any provided request or approval settings. If the resource has existing policy settings, they will be replaced. Once the policy is set, authorization checks will be performed for the given resource.

path Parameters
organization
required
string

Organization name.

setting
required
string

Setting name.

Request Body schema: application/json
required
approved
Array of objects (v2Access)

Approved is a list of subjects that are approved to access the resource.

etag
string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications.)

metadata
object (qv2Metadata)

Metadata includes additional information about an ApprovalPolicy or Access entity and the resources it applies to.

mode
required
string (v2ApprovalPolicyMode)
Default: "UNRESTRICTED"
Enum: "UNRESTRICTED" "ALLOW_REQUESTED" "REQUIRE_APPROVAL"
  • UNRESTRICTED: Allows all subjects in the same policy class to access the resource.
  • ALLOW_REQUESTED: Allows only the subjects in the requested and approved lists to access the resource.
  • REQUIRE_APPROVAL: Allows only the subjects in the approved list to access the resource.

requested
Array of objects (v2Access)

Requested is a list of subjects that have requested access to the resource but have not yet been explicitly approved. The access mode of the policy determines whether the subjects in this list are given immediate access to the resource.

Responses

Request samples

Content type
application/json
{
  "approved": [ ],
  "etag": "string",
  "metadata": { },
  "mode": "UNRESTRICTED",
  "requested": [ ]
}

Response samples

Content type
application/json
{ }

DeletePolicy deletes the approval policy configuration for the given resource. When deleted, authorization checks will no longer be performed, the resource will no longer accept approval requests and all existing approvals will be revoked.

path Parameters
organization
required
string

Organization name.

setting
required
string

Setting name.

query Parameters
force
boolean

Force the deletion of internal resources even if they are protected against deletion.

Responses

Response samples

Content type
application/json
{ }

AddApprovedAccess adds a new entry in the approved access list for the given resource.

path Parameters
organization
required
string

Organization name.

setting
required
string

Setting name.

Request Body schema: application/json
required
access
required
object (v2Access)

Access is an access request for a subject with a set of permissions.

Example: Access { Subject: "organizations/demo/tenants/demo/applications/caller", Permissions: []string{"GET"} }

etag
string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications.)

Responses

Request samples

Content type
application/json
{
  "access": { },
  "etag": "string"
}

Response samples

Content type
application/json
{ }

DeleteApprovedAccess deletes an entry from the approved list for the given resource.

path Parameters
organization
required
string

Organization name.

setting
required
string

Setting name.

Request Body schema: application/json
required
subject
required
string

Subject for which the access request is made.

Responses

Request samples

Content type
application/json
{
  "subject": "string"
}

Response samples

Content type
application/json
{ }

Approvals_QueryPolicies_variant_4

path Parameters
organization
required
string

Organization name.

setting
required
string

Setting name.

Request Body schema: application/json
required
includeDetails
boolean

IncludeDetails indicates whether to include the details of the resources that are part of the policy. When set to true, the name and description of the resource are included in the response.

includePermissions
boolean

IncludePermissions indicates whether to include the user level permissions on resources that are part of the policy. When set to true, the user level permissions are included in the response.

types
required
Array of strings

Types lists the resource types to query for policies.

Responses

Request samples

Content type
application/json
{
  "includeDetails": true,
  "includePermissions": true,
  "types": [ ]
}

Response samples

Content type
application/json
{
  "policies": [ ]
}

AddAccessRequest adds a new access request entry in the access request list for the given resource. If the policy approval mode is "ALLOW_REQUESTED", access is allowed immediately. If the policy approval mode is "REQUIRE_APPROVAL", access will be pending until the request is approved.

path Parameters
organization
required
string

Organization name.

setting
required
string

Setting name.

Request Body schema: application/json
required
access
required
object (v2Access)

Access is an access request for a subject with a set of permissions.

Example: Access { Subject: "organizations/demo/tenants/demo/applications/caller", Permissions: []string{"GET"} }

etag
string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications.)

Responses

Request samples

Content type
application/json
{
  "access": { },
  "etag": "string"
}

Response samples

Content type
application/json
{ }

ApproveAccessRequest approves an existing access request for the given resource. Once approved, the request will be removed from the requested list and added to the approved list. If any of the permissions are changed, the requested permissions will be discarded and only the approved permissions will be added to the approved list.

path Parameters
organization
required
string

Organization name.

setting
required
string

Setting name.

Request Body schema: application/json
required
access
required
object (v2Access)

Access is an access request for a subject with a set of permissions.

Example: Access { Subject: "organizations/demo/tenants/demo/applications/caller", Permissions: []string{"GET"} }

etag
string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications.)

Responses

Request samples

Content type
application/json
{
  "access": { },
  "etag": "string"
}

Response samples

Content type
application/json
{ }

DeleteAccessRequest removes an existing entry from the access request list for the given resource. If the request is already approved, the request no longer exists and this operation will return NotFound. Deleting an approved request should be done using the DeleteApproved operation.

path Parameters
organization
required
string

Organization name.

setting
required
string

Setting name.

Request Body schema: application/json
required
subject
required
string

Subject for which the access request is made.

Responses

Request samples

Content type
application/json
{
  "subject": "string"
}

Response samples

Content type
application/json
{ }

GetPolicy returns the approval policy for the given resource.

path Parameters
organization
required
string

Organization name.

team
required
string

Team name.

Responses

Response samples

Content type
application/json
{
  "etag": "string",
  "mode": "UNRESTRICTED",
  "resource": "string",
  "requested": [ ],
  "approved": [ ],
  "metadata": { }
}

SetPolicy enables authorization policy checks for the given resource and applies any provided request or approval settings. If the resource has existing policy settings, they will be replaced. Once the policy is set, authorization checks will be performed for the given resource.

path Parameters
organization
required
string

Organization name.

team
required
string

Team name.

Request Body schema: application/json
required
approved
Array of objects (v2Access)

Approved is a list of subjects that are approved to access the resource.

etag
string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications.)

metadata
object (qv2Metadata)

Metadata includes additional information about an ApprovalPolicy or Access entity and the resources it applies to.

mode
required
string (v2ApprovalPolicyMode)
Default: "UNRESTRICTED"
Enum: "UNRESTRICTED" "ALLOW_REQUESTED" "REQUIRE_APPROVAL"
  • UNRESTRICTED: Allows all subjects in the same policy class to access the resource.
  • ALLOW_REQUESTED: Allows only the subjects in the requested and approved lists to access the resource.
  • REQUIRE_APPROVAL: Allows only the subjects in the approved list to access the resource.

requested
Array of objects (v2Access)

Requested is a list of subjects that have requested access to the resource but have not yet been explicitly approved. The access mode of the policy determines whether the subjects in this list are given immediate access to the resource.

Responses

Request samples

Content type
application/json
{
  "approved": [ ],
  "etag": "string",
  "metadata": { },
  "mode": "UNRESTRICTED",
  "requested": [ ]
}

Response samples

Content type
application/json
{ }

DeletePolicy deletes the approval policy configuration for the given resource. When deleted, authorization checks will no longer be performed, the resource will no longer accept approval requests and all existing approvals will be revoked.

path Parameters
organization
required
string

Organization name.

team
required
string

Team name.

query Parameters
force
boolean

Force the deletion of internal resources even if they are protected against deletion.

Responses

Response samples

Content type
application/json
{ }

AddApprovedAccess adds a new entry in the approved access list for the given resource.

path Parameters
organization
required
string

Organization name.

team
required
string

Team name.

Request Body schema: application/json
required
access
required
object (v2Access)

Access is an access request for a subject with a set of permissions.

Example: Access { Subject: "organizations/demo/tenants/demo/applications/caller", Permissions: []string{"GET"} }

etag
string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications.)

Responses

Request samples

Content type
application/json
{
  "access": { },
  "etag": "string"
}

Response samples

Content type
application/json
{ }

DeleteApprovedAccess deletes an entry from the approved list for the given resource.

path Parameters
organization
required
string

Organization name.

team
required
string

Team name.

Request Body schema: application/json
required
subject
required
string

Subject for which the access request is made.

Responses

Request samples

Content type
application/json
{
  "subject": "string"
}

Response samples

Content type
application/json
{ }

Approvals_QueryPolicies_variant_6

path Parameters
organization
required
string

Organization name.

team
required
string

Team name.

Request Body schema: application/json
required
includeDetails
boolean

IncludeDetails indicates whether to include the details of the resources that are part of the policy. When set to true, the name and description of the resource are included in the response.

includePermissions
boolean

IncludePermissions indicates whether to include the user level permissions on resources that are part of the policy. When set to true, the user level permissions are included in the response.

types
required
Array of strings

Types lists the resource types to query for policies.

Responses

Request samples

Content type
application/json
{
  "includeDetails": true,
  "includePermissions": true,
  "types": [ ]
}

Response samples

Content type
application/json
{
  "policies": [ ]
}

AddAccessRequest adds a new access request entry in the access request list for the given resource. If the policy approval mode is "ALLOW_REQUESTED", access is allowed immediately. If the policy approval mode is "REQUIRE_APPROVAL", access will be pending until the request is approved.

path Parameters
organization
required
string

Organization name.

team
required
string

Team name.

Request Body schema: application/json
required
access
required
object (v2Access)

Access is an access request for a subject with a set of permissions.

Example: Access { Subject: "organizations/demo/tenants/demo/applications/caller", Permissions: []string{"GET"} }

etag
string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications.)

Responses

Request samples

Content type
application/json
{
  "access": { },
  "etag": "string"
}

Response samples

Content type
application/json
{ }

ApproveAccessRequest approves an existing access request for the given resource. Once approved, the request will be removed from the requested list and added to the approved list. If any of the permissions are changed, the requested permissions will be discarded and only the approved permissions will be added to the approved list.

path Parameters
organization
required
string

Organization name.

team
required
string

Team name.

Request Body schema: application/json
required
access
required
object (v2Access)

Access is an access request for a subject with a set of permissions.

Example: Access { Subject: "organizations/demo/tenants/demo/applications/caller", Permissions: []string{"GET"} }

etag
string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications.)

Responses

Request samples

Content type
application/json
{
  "access": { },
  "etag": "string"
}

Response samples

Content type
application/json
{ }

DeleteAccessRequest removes an existing entry from the access request list for the given resource. If the request is already approved, the request no longer exists and this operation will return NotFound. Deleting an approved request should be done using the DeleteApproved operation.

path Parameters
organization
required
string

Organization name.

team
required
string

Team name.

Request Body schema: application/json
required
subject
required
string

Subject for which the access request is made.

Responses

Request samples

Content type
application/json
{
  "subject": "string"
}

Response samples

Content type
application/json
{ }

GetPolicy returns the approval policy for the given resource.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

application
required
string

Application name.

api
required
string

Api name.

Responses

Response samples

Content type
application/json
{
  "etag": "string",
  "mode": "UNRESTRICTED",
  "resource": "string",
  "requested": [ ],
  "approved": [ ],
  "metadata": { }
}

SetPolicy enables authorization policy checks for the given resource and applies any provided request or approval settings. If the resource has existing policy settings, they will be replaced. Once the policy is set, authorization checks will be performed for the given resource.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

application
required
string

Application name.

api
required
string

Api name.

Request Body schema: application/json
required
approved
Array of objects (v2Access)

Approved is a list of subjects that are approved to access the resource.

etag
string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications.)

metadata
object (qv2Metadata)

Metadata includes additional information about an ApprovalPolicy or Access entity and the resources it applies to.

mode
required
string (v2ApprovalPolicyMode)
Default: "UNRESTRICTED"
Enum: "UNRESTRICTED" "ALLOW_REQUESTED" "REQUIRE_APPROVAL"
  • UNRESTRICTED: Allows all subjects in the same policy class to access the resource.
  • ALLOW_REQUESTED: Allows only the subjects in the requested and approved lists to access the resource.
  • REQUIRE_APPROVAL: Allows only the subjects in the approved list to access the resource.

requested
Array of objects (v2Access)

Requested is a list of subjects that have requested access to the resource but have not yet been explicitly approved. The access mode of the policy determines whether the subjects in this list are given immediate access to the resource.

Responses

Request samples

Content type
application/json
{
  "approved": [ ],
  "etag": "string",
  "metadata": { },
  "mode": "UNRESTRICTED",
  "requested": [ ]
}

Response samples

Content type
application/json
{ }

DeletePolicy deletes the approval policy configuration for the given resource. When deleted, authorization checks will no longer be performed, the resource will no longer accept approval requests and all existing approvals will be revoked.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

application
required
string

Application name.

api
required
string

Api name.

query Parameters
force
boolean

Force the deletion of internal resources even if they are protected against deletion.

Responses

Response samples

Content type
application/json
{ }

AddApprovedAccess adds a new entry in the approved access list for the given resource.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

application
required
string

Application name.

api
required
string

Api name.

Request Body schema: application/json
required
access
required
object (v2Access)

Access is an access request for a subject with a set of permissions.

Example: Access { Subject: "organizations/demo/tenants/demo/applications/caller", Permissions: []string{"GET"} }

etag
string

The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications.

Responses

Request samples

Content type
application/json
{
  • "access": {
    },
  • "etag": "string"
}

Response samples

Content type
application/json
{ }

DeleteApprovedAccess deletes an entry from the approved list for the given resource.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

application
required
string

Application name.

api
required
string

Api name.

Request Body schema: application/json
required
subject
required
string

Subject for which the access request is made.

Responses

Request samples

Content type
application/json
{
  • "subject": "string"
}

Response samples

Content type
application/json
{ }

Approvals_QueryPolicies_variant_10

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

application
required
string

Application name.

api
required
string

Api name.

Request Body schema: application/json
required
includeDetails
boolean

IncludeDetails indicates whether to include the details of the resources that are part of the policy. When set to true, the name and description of the resource are included in the response.

includePermissions
boolean

IncludePermissions indicates whether to include the user level permissions on resources that are part of the policy. When set to true, the user level permissions are included in the response.

types
required
Array of strings

Type is the type of the resources to query for policies.

Responses

Request samples

Content type
application/json
{
  • "includeDetails": true,
  • "includePermissions": true,
  • "types": [
    ]
}

Response samples

Content type
application/json
{
  • "policies": [
    ]
}

AddAccessRequest adds a new access request entry in the access request list for the given resource. If the policy approval mode is "ALLOW_REQUESTED", access is allowed immediately. If the policy approval mode is "REQUIRE_APPROVAL", access will be pending until the request is approved.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

application
required
string

Application name.

api
required
string

Api name.

Request Body schema: application/json
required
access
required
object (v2Access)

Access is an access request for a subject with a set of permissions.

Example: Access { Subject: "organizations/demo/tenants/demo/applications/caller", Permissions: []string{"GET"} }

etag
string

The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications.

Responses

Request samples

Content type
application/json
{
  • "access": {
    },
  • "etag": "string"
}

Response samples

Content type
application/json
{ }

ApproveAccessRequest approves an existing access request for the given resource. Once approved, the request will be removed from the requested list and added to the approved list. If any of the permissions are changed, the requested permissions will be discarded and only the approved permissions will be added to the approved list.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

application
required
string

Application name.

api
required
string

Api name.

Request Body schema: application/json
required
access
required
object (v2Access)

Access is an access request for a subject with a set of permissions.

Example: Access { Subject: "organizations/demo/tenants/demo/applications/caller", Permissions: []string{"GET"} }

etag
string

The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications.

Responses

Request samples

Content type
application/json
{
  • "access": {
    },
  • "etag": "string"
}

Response samples

Content type
application/json
{ }

DeleteAccessRequest removes an existing entry from the access request list for the given resource. If the request is already approved, the request no longer exists and this operation will return NotFound. Deleting an approved request should be done using the DeleteApproved operation.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

application
required
string

Application name.

api
required
string

Api name.

Request Body schema: application/json
required
subject
required
string

Subject for which the access request is made.

Responses

Request samples

Content type
application/json
{
  • "subject": "string"
}

Response samples

Content type
application/json
{ }

GetPolicy returns the approval policy for the given resource.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

application
required
string

Application name.

Responses

Response samples

Content type
application/json
{
  • "etag": "string",
  • "mode": "UNRESTRICTED",
  • "resource": "string",
  • "requested": [
    ],
  • "approved": [
    ],
  • "metadata": {
    }
}

SetPolicy enables authorization policy checks for the given resource and applies any provided request or approval settings. If the resource has existing policy settings, they will be replaced. Once the policy is set, authorization checks will be performed for the given resource.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

application
required
string

Application name.

Request Body schema: application/json
required
approved
Array of objects (v2Access)

Approved is a list of subjects that are approved to access the resource.

etag
string

The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications.

metadata
object (qv2Metadata)

Metadata includes additional information about an ApprovalPolicy or Access entity and the respective resources they apply to.

mode
required
string (v2ApprovalPolicyMode)
Default: "UNRESTRICTED"
Enum: "UNRESTRICTED" "ALLOW_REQUESTED" "REQUIRE_APPROVAL"
  • UNRESTRICTED: Allows all subjects in the same policy class to access the resource.
  • ALLOW_REQUESTED: Allows only the subjects in the requested and approved lists to access the resource.
  • REQUIRE_APPROVAL: Allows only the subjects in the approved list to access the resource.

requested
Array of objects (v2Access)

Requested is a list of subjects that have requested access to the resource but have not yet been explicitly approved. The access mode of the policy determines whether the subjects in this list are given immediate access to the resource.

Responses

Request samples

Content type
application/json
{
  • "approved": [
    ],
  • "etag": "string",
  • "metadata": {
    },
  • "mode": "UNRESTRICTED",
  • "requested": [
    ]
}

Response samples

Content type
application/json
{ }

DeletePolicy deletes the approval policy configuration for the given resource. When deleted, authorization checks will no longer be performed, the resource will no longer accept approval requests and all existing approvals will be revoked.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

application
required
string

Application name.

query Parameters
force
boolean

Force the deletion of internal resources even if they are protected against deletion.

Responses

Response samples

Content type
application/json
{ }

AddApprovedAccess adds a new entry in the approved access list for the given resource.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

application
required
string

Application name.

Request Body schema: application/json
required
access
required
object (v2Access)

Access is an access request for a subject with a set of permissions.

Example: Access { Subject: "organizations/demo/tenants/demo/applications/caller", Permissions: []string{"GET"} }

etag
string

The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications.

Responses

Request samples

Content type
application/json
{
  • "access": {
    },
  • "etag": "string"
}

Response samples

Content type
application/json
{ }

DeleteApprovedAccess deletes an entry from the approved list for the given resource.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

application
required
string

Application name.

Request Body schema: application/json
required
subject
required
string

Subject for which the access request is made.

Responses

Request samples

Content type
application/json
{
  • "subject": "string"
}

Response samples

Content type
application/json
{ }

Approvals_QueryPolicies_variant_9

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

application
required
string

Application name.

Request Body schema: application/json
required
includeDetails
boolean

IncludeDetails indicates whether to include the details of the resources that are part of the policy. When set to true, the name and description of the resource are included in the response.

includePermissions
boolean

IncludePermissions indicates whether to include the user level permissions on resources that are part of the policy. When set to true, the user level permissions are included in the response.

types
required
Array of strings

Type is the type of the resources to query for policies.

Responses

Request samples

Content type
application/json
{
  • "includeDetails": true,
  • "includePermissions": true,
  • "types": [
    ]
}

Response samples

Content type
application/json
{
  • "policies": [
    ]
}

AddAccessRequest adds a new access request entry in the access request list for the given resource. If the policy approval mode is "ALLOW_REQUESTED", access is allowed immediately. If the policy approval mode is "REQUIRE_APPROVAL", access will be pending until the request is approved.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

application
required
string

Application name.

Request Body schema: application/json
required
access
required
object (v2Access)

Access is an access request for a subject with a set of permissions.

Example: Access { Subject: "organizations/demo/tenants/demo/applications/caller", Permissions: []string{"GET"} }

etag
string

The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications.

Responses

Request samples

Content type
application/json
{
  • "access": {
    },
  • "etag": "string"
}

Response samples

Content type
application/json
{ }

ApproveAccessRequest approves an existing access request for the given resource. Once approved, the request will be removed from the requested list and added to the approved list. If any of the permissions are changed, the requested permissions will be discarded and only the approved permissions will be added to the approved list.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

application
required
string

Application name.

Request Body schema: application/json
required
access
required
object (v2Access)

Access is an access request for a subject with a set of permissions.

Example: Access { Subject: "organizations/demo/tenants/demo/applications/caller", Permissions: []string{"GET"} }

etag
string

The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications.

Responses

Request samples

Content type
application/json
{
  • "access": {
    },
  • "etag": "string"
}

Response samples

Content type
application/json
{ }

DeleteAccessRequest removes an existing entry from the access request list for the given resource. If the request is already approved, the request no longer exists and this operation will return NotFound. Deleting an approved request should be done using the DeleteApproved operation.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

application
required
string

Application name.

Request Body schema: application/json
required
subject
required
string

Subject for which the access request is made.

Responses

Request samples

Content type
application/json
{
  • "subject": "string"
}

Response samples

Content type
application/json
{ }

GetPolicy returns the approval policy for the given resource.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

Responses

Response samples

Content type
application/json
{
  • "etag": "string",
  • "mode": "UNRESTRICTED",
  • "resource": "string",
  • "requested": [
    ],
  • "approved": [
    ],
  • "metadata": {
    }
}

SetPolicy enables authorization policy checks for the given resource and applies any provided request or approval settings. If the resource has existing policy settings, they will be replaced. Once the policy is set, authorization checks will be performed for the given resource.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

Request Body schema: application/json
required
approved
Array of objects (v2Access)

Approved is a list of subjects that are approved to access the resource.

etag
string

The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications.

metadata
object (qv2Metadata)

Metadata includes additional information about an ApprovalPolicy or Access entity and the respective resources they apply to.

mode
required
string (v2ApprovalPolicyMode)
Default: "UNRESTRICTED"
Enum: "UNRESTRICTED" "ALLOW_REQUESTED" "REQUIRE_APPROVAL"
  • UNRESTRICTED: Allows all subjects in the same policy class to access the resource.
  • ALLOW_REQUESTED: Allows only the subjects in the requested and approved lists to access the resource.
  • REQUIRE_APPROVAL: Allows only the subjects in the approved list to access the resource.

requested
Array of objects (v2Access)

Requested is a list of subjects that have requested access to the resource but have not yet been explicitly approved. The access mode of the policy determines whether the subjects in this list are given immediate access to the resource.

Responses

Request samples

Content type
application/json
{
  • "approved": [
    ],
  • "etag": "string",
  • "metadata": {
    },
  • "mode": "UNRESTRICTED",
  • "requested": [
    ]
}

Response samples

Content type
application/json
{ }

DeletePolicy deletes the approval policy configuration for the given resource. When deleted, authorization checks will no longer be performed, the resource will no longer accept approval requests and all existing approvals will be revoked.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

query Parameters
force
boolean

Force the deletion of internal resources even if they are protected against deletion.

Responses

Response samples

Content type
application/json
{ }

AddApprovedAccess adds a new entry in the approved access list for the given resource.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

Request Body schema: application/json
required
access
required
object (v2Access)

Access is an access request for a subject with a set of permissions.

Example: Access { Subject: "organizations/demo/tenants/demo/applications/caller", Permissions: []string{"GET"} }

etag
string

The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications.

Responses

Request samples

Content type
application/json
{
  • "access": {
    },
  • "etag": "string"
}

Response samples

Content type
application/json
{ }

DeleteApprovedAccess deletes an entry from the approved list for the given resource.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

Request Body schema: application/json
required
subject
required
string

Subject for which the access request is made.

Responses

Request samples

Content type
application/json
{
  • "subject": "string"
}

Response samples

Content type
application/json
{ }

Approvals_QueryPolicies_variant_8

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

Request Body schema: application/json
required
includeDetails
boolean

IncludeDetails indicates whether to include the details of the resources that are part of the policy. When set to true, the name and description of the resource are included in the response.

includePermissions
boolean

IncludePermissions indicates whether to include the user level permissions on resources that are part of the policy. When set to true, the user level permissions are included in the response.

types
required
Array of strings

Type is the type of the resources to query for policies.

Responses

Request samples

Content type
application/json
{
  • "includeDetails": true,
  • "includePermissions": true,
  • "types": [
    ]
}

Response samples

Content type
application/json
{
  • "policies": [
    ]
}

AddAccessRequest adds a new access request entry in the access request list for the given resource. If the policy approval mode is "ALLOW_REQUESTED", access is allowed immediately. If the policy approval mode is "REQUIRE_APPROVAL", access will be pending until the request is approved.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

Request Body schema: application/json
required
access
required
object (v2Access)

Access is an access request for a subject with a set of permissions.

Example: Access { Subject: "organizations/demo/tenants/demo/applications/caller", Permissions: []string{"GET"} }

etag
string

The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications.

Responses

Request samples

Content type
application/json
{
  • "access": {
    },
  • "etag": "string"
}

Response samples

Content type
application/json
{ }

ApproveAccessRequest approves an existing access request for the given resource. Once approved, the request will be removed from the requested list and added to the approved list. If any of the permissions are changed, the requested permissions will be discarded and only the approved permissions will be added to the approved list.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

Request Body schema: application/json
required
access
required
object (v2Access)

Access is an access request for a subject with a set of permissions.

Example: Access { Subject: "organizations/demo/tenants/demo/applications/caller", Permissions: []string{"GET"} }

etag
string

The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications.

Responses

Request samples

Content type
application/json
{
  • "access": {
    },
  • "etag": "string"
}

Response samples

Content type
application/json
{ }

DeleteAccessRequest removes an existing entry from the access request list for the given resource. If the request is already approved, the request no longer exists and this operation will return NotFound. Deleting an approved request should be done using the DeleteApproved operation.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

Request Body schema: application/json
required
subject
required
string

Subject for which the access request is made.

Responses

Request samples

Content type
application/json
{
  • "subject": "string"
}

Response samples

Content type
application/json
{ }

GetPolicy returns the approval policy for the given resource.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

setting
required
string

Setting name.

Responses

Response samples

Content type
application/json
{
  • "etag": "string",
  • "mode": "UNRESTRICTED",
  • "resource": "string",
  • "requested": [
    ],
  • "approved": [
    ],
  • "metadata": {
    }
}

SetPolicy enables authorization policy checks for the given resource and applies any provided request or approval settings. If the resource has existing policy settings, they will be replaced. Once the policy is set, authorization checks will be performed for the given resource.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

setting
required
string

Setting name.

Request Body schema: application/json
required
approved
Array of objects (v2Access)

Approved is a list of subjects that are approved to access the resource.

etag
string

The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications.

metadata
object (qv2Metadata)

Metadata includes additional information about an ApprovalPolicy or Access entity and the respective resources they apply to.

mode
required
string (v2ApprovalPolicyMode)
Default: "UNRESTRICTED"
Enum: "UNRESTRICTED" "ALLOW_REQUESTED" "REQUIRE_APPROVAL"
  • UNRESTRICTED: Allows all subjects in the same policy class to access the resource.
  • ALLOW_REQUESTED: Allows only the subjects in the requested and approved lists to access the resource.
  • REQUIRE_APPROVAL: Allows only the subjects in the approved list to access the resource.

requested
Array of objects (v2Access)

Requested is a list of subjects that have requested access to the resource but have not yet been explicitly approved. The access mode of the policy determines whether the subjects in this list are given immediate access to the resource.

Responses

Request samples

Content type
application/json
{
  • "approved": [
    ],
  • "etag": "string",
  • "metadata": {
    },
  • "mode": "UNRESTRICTED",
  • "requested": [
    ]
}

Response samples

Content type
application/json
{ }

DeletePolicy deletes the approval policy configuration for the given resource. When deleted, authorization checks will no longer be performed, the resource will no longer accept approval requests and all existing approvals will be revoked.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

setting
required
string

Setting name.

query Parameters
force
boolean

Force the deletion of internal resources even if they are protected against deletion.

Responses

Response samples

Content type
application/json
{ }

AddApprovedAccess adds a new entry in the approved access list for the given resource.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

setting
required
string

Setting name.

Request Body schema: application/json
required
access
required
object (v2Access)

Access is an access request for a subject with a set of permissions.

Example: Access { Subject: "organizations/demo/tenants/demo/applications/caller", Permissions: []string{"GET"} }

etag
string

The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications.

Responses

Request samples

Content type
application/json
{
  • "access": {
    },
  • "etag": "string"
}

Response samples

Content type
application/json
{ }

DeleteApprovedAccess deletes an entry from the approved list for the given resource.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

setting
required
string

Setting name.

Request Body schema: application/json
required
subject
required
string

Subject for which the access request is made.

Responses

Request samples

Content type
application/json
{
  • "subject": "string"
}

Response samples

Content type
application/json
{ }

Approvals_QueryPolicies_variant_11

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

setting
required
string

Setting name.

Request Body schema: application/json
required
includeDetails
boolean

IncludeDetails indicates whether to include the details of the resources that are part of the policy. When set to true, the name and description of the resource are included in the response.

includePermissions
boolean

IncludePermissions indicates whether to include the user level permissions on resources that are part of the policy. When set to true, the user level permissions are included in the response.

types
required
Array of strings

Type is the type of the resources to query for policies.

Responses

Request samples

Content type
application/json
{
  • "includeDetails": true,
  • "includePermissions": true,
  • "types": [
    ]
}

Response samples

Content type
application/json
{
  • "policies": [
    ]
}

AddAccessRequest adds a new access request entry in the access request list for the given resource. If the policy approval mode is "ALLOW_REQUESTED", access is allowed immediately. If the policy approval mode is "REQUIRE_APPROVAL", access will be pending until the request is approved.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

setting
required
string

Setting name.

Request Body schema: application/json
required
access
required
object (v2Access)

Access is an access request for a subject with a set of permissions.

Example: Access { Subject: "organizations/demo/tenants/demo/applications/caller", Permissions: []string{"GET"} }

etag
string

The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications.

Responses

Request samples

Content type
application/json
{
  • "access": {
    },
  • "etag": "string"
}

Response samples

Content type
application/json
{ }

ApproveAccessRequest approves an existing access request for the given resource. Once approved, the request will be removed from the requested list and added to the approved list. If any of the permissions are changed, the requested permissions will be discarded and only the approved permissions will be added to the approved list.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

setting
required
string

Setting name.

Request Body schema: application/json
required
access
required
object (v2Access)

Access is an access request for a subject with a set of permissions.

Example: Access { Subject: "organizations/demo/tenants/demo/applications/caller", Permissions: []string{"GET"} }

etag
string

The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications.

Responses

Request samples

Content type
application/json
{
  • "access": {
    },
  • "etag": "string"
}

Response samples

Content type
application/json
{ }

DeleteAccessRequest removes an existing entry from the access request list for the given resource. If the request is already approved, the request no longer exists and this operation will return NotFound. Deleting an approved request should be done using the DeleteApproved operation.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

setting
required
string

Setting name.

Request Body schema: application/json
required
subject
required
string

Subject for which the access request is made.

Responses

Request samples

Content type
application/json
{
  • "subject": "string"
}

Response samples

Content type
application/json
{ }

GetPolicy returns the approval policy for the given resource.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

Responses

Response samples

Content type
application/json
{
  • "etag": "string",
  • "mode": "UNRESTRICTED",
  • "resource": "string",
  • "requested": [
    ],
  • "approved": [
    ],
  • "metadata": {
    }
}

SetPolicy enables authorization policy checks for the given resource and applies any provided request or approval settings. If the resource has existing policy settings, they will be replaced. Once the policy is set, authorization checks will be performed for the given resource.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

Request Body schema: application/json
required
Array of objects (v2Access)

Approved is a list of subjects that are approved to access the resource.

etag
string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)
object (qv2Metadata)

Metadata includes additional information about an ApprovalPolicy or Access entity and their respective resources that they apply to.

mode
required
string (v2ApprovalPolicyMode)
Default: "UNRESTRICTED"
Enum: "UNRESTRICTED" "ALLOW_REQUESTED" "REQUIRE_APPROVAL"
  • UNRESTRICTED: Allows all subjects in the same policy class to access the resource.
  • ALLOW_REQUESTED: Allows only the subjects in the request and approved list to access the resource.
  • REQUIRE_APPROVAL: Allows only the subjects in the approved list to access the resource.
requested
Array of objects (v2Access)

Requested is a list of subjects that are requested to access the resource but that have not yet been explicitly approved. The access mode of the policy will determine if the subjects in this list are given immediate access to the resource.

Responses

Request samples

Content type
application/json
{
  "approved": [ ],
  "etag": "string",
  "metadata": { },
  "mode": "UNRESTRICTED",
  "requested": [ ]
}

Response samples

Content type
application/json
{ }

DeletePolicy deletes the approval policy configuration for the given resource. When deleted, authorization checks will no longer be performed, the resource will no longer accept approval requests and all existing approvals will be revoked.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

query Parameters
force
boolean

Force the deletion of internal resources even if they are protected against deletion.

Responses

Response samples

Content type
application/json
{ }

AddApprovedAccess adds a new entry in the approved access list for the given resource.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

Request Body schema: application/json
required
access
required
object (v2Access)

Access is an access request for a subject with a set of permissions.

Example: Access { Subject: "organizations/demo/tenants/demo/applications/caller", Permissions: []string{"GET"} }

etag
string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications.)

Responses

Request samples

Content type
application/json
{
  "access": { },
  "etag": "string"
}

Response samples

Content type
application/json
{ }

DeleteApprovedAccess deletes an entry from the approved list for the given resource.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

Request Body schema: application/json
required
subject
required
string

Subject for which the access request is made.

Responses

Request samples

Content type
application/json
{
  "subject": "string"
}

Response samples

Content type
application/json
{ }

Approvals_QueryPolicies_variant_12

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

Request Body schema: application/json
required
includeDetails
boolean

IncludeDetails indicates whether to include the details of the resources that are part of the policy. When set to true, the name and description of the resource are included in the response.

includePermissions
boolean

IncludePermissions indicates whether to include the user level permissions on resources that are part of the policy. When set to true, the user level permissions are included in the response.

types
required
Array of strings

Types is the list of resource types to query for policies.

Responses

Request samples

Content type
application/json
{
  "includeDetails": true,
  "includePermissions": true,
  "types": [ ]
}

Response samples

Content type
application/json
{
  "policies": [ ]
}

AddAccessRequest adds a new access request entry in the access request list for the given resource. If the policy approval mode is "ALLOW_REQUESTED", access is allowed immediately. If the policy approval mode is "REQUIRE_APPROVAL" access will be pending until the request is approved.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

Request Body schema: application/json
required
access
required
object (v2Access)

Access is an access request for a subject with a set of permissions.

Example: Access { Subject: "organizations/demo/tenants/demo/applications/caller", Permissions: []string{"GET"} }

etag
string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications.)

Responses

Request samples

Content type
application/json
{
  "access": { },
  "etag": "string"
}

Response samples

Content type
application/json
{ }

ApproveAccessRequest approves an existing access request for the given resource. Once approved, the request will be removed from the requested list and added to the approved list. If any of the permissions are changed, the requested permissions will be discarded and only the approved permissions will be added to the approved list.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

Request Body schema: application/json
required
access
required
object (v2Access)

Access is an access request for a subject with a set of permissions.

Example: Access { Subject: "organizations/demo/tenants/demo/applications/caller", Permissions: []string{"GET"} }

etag
string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications.)

Responses

Request samples

Content type
application/json
{
  "access": { },
  "etag": "string"
}

Response samples

Content type
application/json
{ }

DeleteAccessRequest removes an existing entry from the access request list for the given resource. If the request is already approved, the request no longer exists and this operation will return NotFound. Deleting an approved request should be done using the DeleteApproved operation.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

Request Body schema: application/json
required
subject
required
string

Subject for which the access request is made.

Responses

Request samples

Content type
application/json
{
  "subject": "string"
}

Response samples

Content type
application/json
{ }

GetPolicy returns the approval policy for the given resource.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

gatewaygroup
required
string

Gatewaygroup name.

Responses

Response samples

Content type
application/json
{
  "etag": "string",
  "mode": "UNRESTRICTED",
  "resource": "string",
  "requested": [ ],
  "approved": [ ],
  "metadata": { }
}

SetPolicy enables authorization policy checks for the given resource and applies any provided request or approval settings. If the resource has existing policy settings, they will be replaced. Once the policy is set, authorization checks will be performed for the given resource.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

gatewaygroup
required
string

Gatewaygroup name.

Request Body schema: application/json
required
approved
Array of objects (v2Access)

Approved is a list of subjects that are approved to access the resource.

etag
string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications.)

metadata
object (qv2Metadata)

Metadata includes additional information about an ApprovalPolicy or Access entity and their respective resources that they apply to.

mode
required
string (v2ApprovalPolicyMode)
Default: "UNRESTRICTED"
Enum: "UNRESTRICTED" "ALLOW_REQUESTED" "REQUIRE_APPROVAL"
  • UNRESTRICTED: Allows all subjects in the same policy class to access the resource.
  • ALLOW_REQUESTED: Allows only the subjects in the request and approved list to access the resource.
  • REQUIRE_APPROVAL: Allows only the subjects in the approved list to access the resource.
requested
Array of objects (v2Access)

Requested is a list of subjects that are requested to access the resource but that have not yet been explicitly approved. The access mode of the policy will determine if the subjects in this list are given immediate access to the resource.

Responses

Request samples

Content type
application/json
{
  "approved": [ ],
  "etag": "string",
  "metadata": { },
  "mode": "UNRESTRICTED",
  "requested": [ ]
}

Response samples

Content type
application/json
{ }

DeletePolicy deletes the approval policy configuration for the given resource. When deleted, authorization checks will no longer be performed, the resource will no longer accept approval requests and all existing approvals will be revoked.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

gatewaygroup
required
string

Gatewaygroup name.

query Parameters
force
boolean

Force the deletion of internal resources even if they are protected against deletion.

Responses

Response samples

Content type
application/json
{ }

AddApprovedAccess adds a new entry in the approved access list for the given resource.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

gatewaygroup
required
string

Gatewaygroup name.

Request Body schema: application/json
required
access
required
object (v2Access)

Access is an access request for a subject with a set of permissions.

Example: Access { Subject: "organizations/demo/tenants/demo/applications/caller", Permissions: []string{"GET"} }

etag
string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications.)

Responses

Request samples

Content type
application/json
{
  "access": { },
  "etag": "string"
}

Response samples

Content type
application/json
{ }

DeleteApprovedAccess deletes an entry from the approved list for the given resource.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

gatewaygroup
required
string

Gatewaygroup name.

Request Body schema: application/json
required
subject
required
string

Subject for which the access request is made.

Responses

Request samples

Content type
application/json
{
  "subject": "string"
}

Response samples

Content type
application/json
{ }

Approvals_QueryPolicies_variant_13

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

gatewaygroup
required
string

Gatewaygroup name.

Request Body schema: application/json
required
includeDetails
boolean

IncludeDetails indicates whether to include the details of the resources that are part of the policy. When set to true, the name and description of the resource are included in the response.

includePermissions
boolean

IncludePermissions indicates whether to include the user level permissions on resources that are part of the policy. When set to true, the user level permissions are included in the response.

types
required
Array of strings

Types is the list of resource types to query for policies.

Responses

Request samples

Content type
application/json
{
  "includeDetails": true,
  "includePermissions": true,
  "types": [ ]
}

Response samples

Content type
application/json
{
  "policies": [ ]
}

AddAccessRequest adds a new access request entry in the access request list for the given resource. If the policy approval mode is "ALLOW_REQUESTED", access is allowed immediately. If the policy approval mode is "REQUIRE_APPROVAL" access will be pending until the request is approved.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

gatewaygroup
required
string

Gatewaygroup name.

Request Body schema: application/json
required
access
required
object (v2Access)

Access is an access request for a subject with a set of permissions.

Example: Access { Subject: "organizations/demo/tenants/demo/applications/caller", Permissions: []string{"GET"} }

etag
string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications.)

Responses

Request samples

Content type
application/json
{
  "access": { },
  "etag": "string"
}

Response samples

Content type
application/json
{ }

ApproveAccessRequest approves an existing access request for the given resource. Once approved, the request will be removed from the requested list and added to the approved list. If any of the permissions are changed, the requested permissions will be discarded and only the approved permissions will be added to the approved list.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

gatewaygroup
required
string

Gatewaygroup name.

Request Body schema: application/json
required
access
required
object (v2Access)

Access is an access request for a subject with a set of permissions.

Example: Access { Subject: "organizations/demo/tenants/demo/applications/caller", Permissions: []string{"GET"} }

etag
string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications.)

Responses

Request samples

Content type
application/json
{
  "access": { },
  "etag": "string"
}

Response samples

Content type
application/json
{ }

DeleteAccessRequest removes an existing entry from the access request list for the given resource. If the request is already approved, the request no longer exists and this operation will return NotFound. Deleting an approved request should be done using the DeleteApproved operation.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

gatewaygroup
required
string

Gatewaygroup name.

Request Body schema: application/json
required
subject
required
string

Subject for which the access request is made.

Responses

Request samples

Content type
application/json
{
  "subject": "string"
}

Response samples

Content type
application/json
{ }

GetPolicy returns the approval policy for the given resource.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

gatewaygroup
required
string

Gatewaygroup name.

egressgateway
required
string

Egressgateway name.

Responses

Response samples

Content type
application/json
{
  "etag": "string",
  "mode": "UNRESTRICTED",
  "resource": "string",
  "requested": [ ],
  "approved": [ ],
  "metadata": { }
}

SetPolicy enables authorization policy checks for the given resource and applies any provided request or approval settings. If the resource has existing policy settings, they will be replaced. Once the policy is set, authorization checks will be performed for the given resource.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

gatewaygroup
required
string

Gatewaygroup name.

egressgateway
required
string

Egressgateway name.

Request Body schema: application/json
required
approved
Array of objects (v2Access)

Approved is a list of subjects that are approved to access the resource.

etag
string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications.)

metadata
object (qv2Metadata)

Metadata includes additional information about an ApprovalPolicy or Access entity and their respective resources that they apply to.

mode
required
string (v2ApprovalPolicyMode)
Default: "UNRESTRICTED"
Enum: "UNRESTRICTED" "ALLOW_REQUESTED" "REQUIRE_APPROVAL"
  • UNRESTRICTED: Allows all subjects in the same policy class to access the resource.
  • ALLOW_REQUESTED: Allows only the subjects in the request and approved list to access the resource.
  • REQUIRE_APPROVAL: Allows only the subjects in the approved list to access the resource.
requested
Array of objects (v2Access)

Requested is a list of subjects that are requested to access the resource but that have not yet been explicitly approved. The access mode of the policy will determine if the subjects in this list are given immediate access to the resource.

Responses

Request samples

Content type
application/json
{
  "approved": [ ],
  "etag": "string",
  "metadata": { },
  "mode": "UNRESTRICTED",
  "requested": [ ]
}

Response samples

Content type
application/json
{ }

DeletePolicy deletes the approval policy configuration for the given resource. When deleted, authorization checks will no longer be performed, the resource will no longer accept approval requests and all existing approvals will be revoked.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

gatewaygroup
required
string

Gatewaygroup name.

egressgateway
required
string

Egressgateway name.

query Parameters
force
boolean

Force the deletion of internal resources even if they are protected against deletion.

Responses

Response samples

Content type
application/json
{ }

AddApprovedAccess adds a new entry in the approved access list for the given resource.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

gatewaygroup
required
string

Gatewaygroup name.

egressgateway
required
string

Egressgateway name.

Request Body schema: application/json
required
access
required
object (v2Access)

Access is an access request for a subject with a set of permissions.

Example: Access { Subject: "organizations/demo/tenants/demo/applications/caller", Permissions: []string{"GET"} }

etag
string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications.)

Responses

Request samples

Content type
application/json
{
  "access": { },
  "etag": "string"
}

Response samples

Content type
application/json
{ }

DeleteApprovedAccess deletes an entry from the approved list for the given resource.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

gatewaygroup
required
string

Gatewaygroup name.

egressgateway
required
string

Egressgateway name.

Request Body schema: application/json
required
subject
required
string

Subject for which the access request is made.

Responses

Request samples

Content type
application/json
{
  "subject": "string"
}

Response samples

Content type
application/json
{ }

Approvals_QueryPolicies_variant_15

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

gatewaygroup
required
string

Gatewaygroup name.

egressgateway
required
string

Egressgateway name.

Request Body schema: application/json
required
includeDetails
boolean

IncludeDetails indicates whether to include the details of the resources that are part of the policy. When set to true, the name and description of the resource are included in the response.

includePermissions
boolean

IncludePermissions indicates whether to include the user level permissions on resources that are part of the policy. When set to true, the user level permissions are included in the response.

types
required
Array of strings

Types is the list of resource types to query for policies.

Responses

Request samples

Content type
application/json
{
  "includeDetails": true,
  "includePermissions": true,
  "types": [ ]
}

Response samples

Content type
application/json
{
  "policies": [ ]
}

AddAccessRequest adds a new access request entry in the access request list for the given resource. If the policy approval mode is "ALLOW_REQUESTED", access is allowed immediately. If the policy approval mode is "REQUIRE_APPROVAL" access will be pending until the request is approved.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

gatewaygroup
required
string

Gatewaygroup name.

egressgateway
required
string

Egressgateway name.

Request Body schema: application/json
required
access
required
object (v2Access)

Access is an access request for a subject with a set of permissions.

Example: Access { Subject: "organizations/demo/tenants/demo/applications/caller", Permissions: []string{"GET"} }

etag
string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications.)

Responses

Request samples

Content type
application/json
{
  "access": { },
  "etag": "string"
}

Response samples

Content type
application/json
{ }

ApproveAccessRequest approves an existing access request for the given resource. Once approved, the request will be removed from the requested list and added to the approved list. If any of the permissions are changed, the requested permissions will be discarded and only the approved permissions will be added to the approved list.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

gatewaygroup
required
string

Gatewaygroup name.

egressgateway
required
string

Egressgateway name.

Request Body schema: application/json
required
access
required
object (v2Access)

Access is an access request for a subject with a set of permissions.

Example: Access { Subject: "organizations/demo/tenants/demo/applications/caller", Permissions: []string{"GET"} }

etag
string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications.)

Responses

Request samples

Content type
application/json
{
  "access": { },
  "etag": "string"
}

Response samples

Content type
application/json
{ }

DeleteAccessRequest removes an existing entry from the access request list for the given resource. If the request is already approved, the request no longer exists and this operation will return NotFound. Deleting an approved request should be done using the DeleteApproved operation.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

gatewaygroup
required
string

Gatewaygroup name.

egressgateway
required
string

Egressgateway name.

Request Body schema: application/json
required
subject
required
string

Subject for which the access request is made.

Responses

Request samples

Content type
application/json
{
  "subject": "string"
}

Response samples

Content type
application/json
{ }

GetPolicy returns the approval policy for the given resource.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

gatewaygroup
required
string

Gatewaygroup name.

ingressgateway
required
string

Ingressgateway name.

Responses

Response samples

Content type
application/json
{
  "etag": "string",
  "mode": "UNRESTRICTED",
  "resource": "string",
  "requested": [ ],
  "approved": [ ],
  "metadata": { }
}

SetPolicy enables authorization policy checks for the given resource and applies any provided request or approval settings. If the resource has existing policy settings, they will be replaced. Once the policy is set, authorization checks will be performed for the given resource.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

gatewaygroup
required
string

Gatewaygroup name.

ingressgateway
required
string

Ingressgateway name.

Request Body schema: application/json
required
approved
Array of objects (v2Access)

Approved is a list of subjects that are approved to access the resource.

etag
string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications.)

metadata
object (qv2Metadata)

Metadata includes additional information about an ApprovalPolicy or Access entity and their respective resources that they apply to.

mode
required
string (v2ApprovalPolicyMode)
Default: "UNRESTRICTED"
Enum: "UNRESTRICTED" "ALLOW_REQUESTED" "REQUIRE_APPROVAL"
  • UNRESTRICTED: Allows all subjects in the same policy class to access the resource.
  • ALLOW_REQUESTED: Allows only the subjects in the request and approved list to access the resource.
  • REQUIRE_APPROVAL: Allows only the subjects in the approved list to access the resource.
requested
Array of objects (v2Access)

Requested is a list of subjects that are requested to access the resource but that have not yet been explicitly approved. The access mode of the policy will determine if the subjects in this list are given immediate access to the resource.

Responses

Request samples

Content type
application/json
{
  "approved": [ ],
  "etag": "string",
  "metadata": { },
  "mode": "UNRESTRICTED",
  "requested": [ ]
}

Response samples

Content type
application/json
{ }

DeletePolicy deletes the approval policy configuration for the given resource. When deleted, authorization checks will no longer be performed, the resource will no longer accept approval requests and all existing approvals will be revoked.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

gatewaygroup
required
string

Gatewaygroup name.

ingressgateway
required
string

Ingressgateway name.

query Parameters
force
boolean

Force the deletion of internal resources even if they are protected against deletion.

Responses

Response samples

Content type
application/json
{ }

AddApprovedAccess adds a new entry in the approved access list for the given resource.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

gatewaygroup
required
string

Gatewaygroup name.

ingressgateway
required
string

Ingressgateway name.

Request Body schema: application/json
required
access
required
object (v2Access)

Access is an access request for a subject with a set of permissions.

Example: Access { Subject: "organizations/demo/tenants/demo/applications/caller", Permissions: []string{"GET"} }

etag
string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications.)

Responses

Request samples

Content type
application/json
{
  "access": { },
  "etag": "string"
}

Response samples

Content type
application/json
{ }

DeleteApprovedAccess deletes an entry from the approved list for the given resource.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

gatewaygroup
required
string

Gatewaygroup name.

ingressgateway
required
string

Ingressgateway name.

Request Body schema: application/json
required
subject
required
string

Subject for which the access request is made.

Responses

Request samples

Content type
application/json
{
  "subject": "string"
}

Response samples

Content type
application/json
{ }

Approvals_QueryPolicies_variant_14

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

gatewaygroup
required
string

Gatewaygroup name.

ingressgateway
required
string

Ingressgateway name.

Request Body schema: application/json
required
includeDetails
boolean

IncludeDetails indicates whether to include the details of the resources that are part of the policy. When set to true, the name and description of the resource are included in the response.

includePermissions
boolean

IncludePermissions indicates whether to include the user level permissions on resources that are part of the policy. When set to true, the user level permissions are included in the response.

types
required
Array of strings

Types is the list of resource types to query for policies.

Responses

Request samples

Content type
application/json
{
  "includeDetails": true,
  "includePermissions": true,
  "types": [ ]
}

Response samples

Content type
application/json
{
  "policies": [ ]
}

AddAccessRequest adds a new access request entry in the access request list for the given resource. If the policy approval mode is "ALLOW_REQUESTED", access is allowed immediately. If the policy approval mode is "REQUIRE_APPROVAL" access will be pending until the request is approved.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

gatewaygroup
required
string

Gatewaygroup name.

ingressgateway
required
string

Ingressgateway name.

Request Body schema: application/json
required
access
required
object (v2Access)

Access is an access request for a subject with a set of permissions.

Example: Access { Subject: "organizations/demo/tenants/demo/applications/caller", Permissions: []string{"GET"} }

etag
string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications.)

Responses

Request samples

Content type
application/json
{
  "access": { },
  "etag": "string"
}

Response samples

Content type
application/json
{ }

ApproveAccessRequest approves an existing access request for the given resource. Once approved, the request will be removed from the requested list and added to the approved list. If any of the permissions are changed, the requested permissions will be discarded and only the approved permissions will be added to the approved list.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

gatewaygroup
required
string

Gatewaygroup name.

ingressgateway
required
string

Ingressgateway name.

Request Body schema: application/json
required
access
required
object (v2Access)

Access is an access request for a subject with a set of permissions.

Example: Access { Subject: "organizations/demo/tenants/demo/applications/caller", Permissions: []string{"GET"} }

etag
string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications.)

Responses

Request samples

Content type
application/json
{
  "access": { },
  "etag": "string"
}

Response samples

Content type
application/json
{ }

DeleteAccessRequest removes an existing entry from the access request list for the given resource. If the request is already approved, the request no longer exists and this operation will return NotFound. Deleting an approved request should be done using the DeleteApproved operation.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

gatewaygroup
required
string

Gatewaygroup name.

ingressgateway
required
string

Ingressgateway name.

Request Body schema: application/json
required
subject
required
string

Subject for which the access request is made.

Responses

Request samples

Content type
application/json
{
  • "subject": "string"
}

Response samples

Content type
application/json
{ }

GetPolicy returns the approval policy for the given resource.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

gatewaygroup
required
string

Gatewaygroup name.

tier1gateway
required
string

Tier1gateway name.

Responses

Response samples

Content type
application/json
{
  • "etag": "string",
  • "mode": "UNRESTRICTED",
  • "resource": "string",
  • "requested": [
    ],
  • "approved": [
    ],
  • "metadata": {
    }
}

SetPolicy enables authorization policy checks for the given resource and applies any provided request or approval settings. If the resource has existing policies settings, they will be replaced. Once the policy is set, authorization checks will be performed for the given resource.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

gatewaygroup
required
string

Gatewaygroup name.

tier1gateway
required
string

Tier1gateway name.

Request Body schema: application/json
required
approved
Array of objects (v2Access)

Approved is the list of subjects that are approved to access the resource.

etag
string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications; take it from the GetPolicy response.)
metadata
object (qv2Metadata)

Metadata includes additional information about an ApprovalPolicy or Access entity and the resources they apply to.

mode
required
string (v2ApprovalPolicyMode)
Default: "UNRESTRICTED"
Enum: "UNRESTRICTED" "ALLOW_REQUESTED" "REQUIRE_APPROVAL"
  • UNRESTRICTED: Allows all subjects in the same policy class to access the resource.
  • ALLOW_REQUESTED: Allows only the subjects in the requested and approved lists to access the resource; a request is sufficient, no approval step is involved.
  • REQUIRE_APPROVAL: Allows only the subjects in the approved list to access the resource.
requested
Array of objects (v2Access)

Requested is the list of subjects that have requested access to the resource but have not yet been explicitly approved. The mode of the policy determines whether the subjects in this list are given immediate access to the resource.

Responses

Request samples

Content type
application/json
{
  • "approved": [
    ],
  • "etag": "string",
  • "metadata": {
    },
  • "mode": "UNRESTRICTED",
  • "requested": [
    ]
}

Response samples

Content type
application/json
{ }

DeletePolicy deletes the approval policy configuration for the given resource. When deleted, authorization checks will no longer be performed, the resource will no longer accept approval requests and all existing approvals will be revoked.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

gatewaygroup
required
string

Gatewaygroup name.

tier1gateway
required
string

Tier1gateway name.

query Parameters
force
boolean

Force the deletion of internal resources even if they are protected against deletion.

Responses

Response samples

Content type
application/json
{ }

AddApprovedAccess adds a new entry in the approved access list for the given resource.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

gatewaygroup
required
string

Gatewaygroup name.

tier1gateway
required
string

Tier1gateway name.

Request Body schema: application/json
required
access
required
object (v2Access)

Access is an access request for a subject with a set of permissions.

Example: { "subject": "organizations/demo/tenants/demo/applications/caller", "permissions": ["GET"] }

etag
string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications; take it from the GetPolicy response.)

Responses

Request samples

Content type
application/json
{
  • "access": {
    },
  • "etag": "string"
}

Response samples

Content type
application/json
{ }

DeleteApprovedAccess deletes an entry from the approved list for the given resource.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

gatewaygroup
required
string

Gatewaygroup name.

tier1gateway
required
string

Tier1gateway name.

Request Body schema: application/json
required
subject
required
string

Subject whose approved entry is removed.

Responses

Request samples

Content type
application/json
{
  • "subject": "string"
}

Response samples

Content type
application/json
{ }

Approvals_QueryPolicies_variant_16

QueryPolicies returns the approval policies for resources of the given types in the scope identified by the path parameters.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

gatewaygroup
required
string

Gatewaygroup name.

tier1gateway
required
string

Tier1gateway name.

Request Body schema: application/json
required
includeDetails
boolean

IncludeDetails indicates whether to include the details of the resources that are part of the policy. When set to true, the name and description of the resource are included in the response.

includePermissions
boolean

IncludePermissions indicates whether to include the user level permissions on resources that are part of the policy. When set to true, the user level permissions are included in the response.

types
required
Array of strings

Types is the list of resource types to query for policies.

Responses

Request samples

Content type
application/json
{
  • "includeDetails": true,
  • "includePermissions": true,
  • "types": [
    ]
}

Response samples

Content type
application/json
{
  • "policies": [
    ]
}

AddAccessRequest adds a new access request entry in the access request list for the given resource. If the policy approval mode is "ALLOW_REQUESTED", access is allowed immediately. If the policy approval mode is "REQUIRE_APPROVAL" access will be pending until the request is approved.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

gatewaygroup
required
string

Gatewaygroup name.

tier1gateway
required
string

Tier1gateway name.

Request Body schema: application/json
required
access
required
object (v2Access)

Access is an access request for a subject with a set of permissions.

Example: { "subject": "organizations/demo/tenants/demo/applications/caller", "permissions": ["GET"] }

etag
string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications; take it from the GetPolicy response.)

Responses

Request samples

Content type
application/json
{
  • "access": {
    },
  • "etag": "string"
}

Response samples

Content type
application/json
{ }
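
The approval-policy behaviour this page documents across the SetPolicy modes, AddAccessRequest, ApproveAccessRequest, DeleteAccessRequest, AddApprovedAccess, DeleteApprovedAccess, DeletePolicy and the etag field is easiest to reason about as one state machine. The following is an added example, not TSB code and not a TSB client library: it keeps a policy in memory and mirrors the documented semantics so that the three modes can be compared against the same requested and approved state. The NotFound and Conflict class names, the digest-based etag and the ApprovalStore method names are assumptions of this example, and every resource or subject name used with it is constructed.

```python
"""In-memory model of the approval-policy semantics documented on this page.
Added example, not TSB code: the error class names and the etag scheme are
assumptions, and every resource or subject name used with it is constructed."""
import hashlib
import json
from dataclasses import dataclass, field

UNRESTRICTED, ALLOW_REQUESTED, REQUIRE_APPROVAL = (
    "UNRESTRICTED", "ALLOW_REQUESTED", "REQUIRE_APPROVAL")

class NotFound(Exception): pass  # assumed name: policy, request or approval absent
class Conflict(Exception): pass  # assumed name: stale etag, policy changed meanwhile

@dataclass
class Access:
    subject: str
    permissions: list[str]

@dataclass
class ApprovalPolicy:
    resource: str
    mode: str = UNRESTRICTED
    requested: dict[str, list[str]] = field(default_factory=dict)
    approved: dict[str, list[str]] = field(default_factory=dict)

    @property
    def etag(self) -> str:
        # Assumed scheme: digest of the whole state, so every mutation changes the tag.
        state = json.dumps([self.mode, sorted(self.requested.items()),
                            sorted(self.approved.items())])
        return hashlib.sha256(state.encode()).hexdigest()[:16]

class ApprovalStore:
    def __init__(self) -> None:
        self.policies: dict[str, ApprovalPolicy] = {}

    def _policy(self, resource, etag=None) -> ApprovalPolicy:
        # Lookup plus etag precondition; etag=None models a client that omitted it.
        if resource not in self.policies:
            raise NotFound(resource)
        p = self.policies[resource]
        if etag is not None and etag != p.etag:
            raise Conflict("etag mismatch: concurrent modification")
        return p

    def set_policy(self, resource, mode, approved=(), requested=(), etag=None):
        # SetPolicy replaces any existing settings for the resource outright.
        if resource in self.policies:
            self._policy(resource, etag)
        p = ApprovalPolicy(
            resource, mode,
            requested={a.subject: list(a.permissions) for a in requested},
            approved={a.subject: list(a.permissions) for a in approved})
        self.policies[resource] = p
        return p

    def delete_policy(self, resource):
        # DeletePolicy: checks stop, pending requests and approvals are revoked.
        if self.policies.pop(resource, None) is None:
            raise NotFound(resource)

    def add_access_request(self, resource, access, etag=None):
        self._policy(resource, etag).requested[access.subject] = list(access.permissions)

    def approve_access_request(self, resource, access, etag=None):
        # Entry moves from requested to approved; the approver's permissions replace the request.
        p = self._policy(resource, etag)
        if access.subject not in p.requested:
            raise NotFound(access.subject)
        del p.requested[access.subject]
        p.approved[access.subject] = list(access.permissions)

    def delete_access_request(self, resource, subject, etag=None):
        # Consults only the requested list: an already approved subject is
        # NotFound here and has to go through delete_approved_access.
        p = self._policy(resource, etag)
        if subject not in p.requested:
            raise NotFound(subject)
        del p.requested[subject]

    def add_approved_access(self, resource, access, etag=None):
        self._policy(resource, etag).approved[access.subject] = list(access.permissions)

    def delete_approved_access(self, resource, subject, etag=None):
        p = self._policy(resource, etag)
        if subject not in p.approved:
            raise NotFound(subject)
        del p.approved[subject]

    def is_allowed(self, resource, subject, permission) -> bool:
        # Approval-layer decision only: no policy means no check; UNRESTRICTED trusts the policy class.
        p = self.policies.get(resource)
        if p is None or p.mode == UNRESTRICTED:
            return True
        granted = set(p.approved.get(subject, ()))
        if p.mode == ALLOW_REQUESTED:  # merely requesting is enough in this mode
            granted |= set(p.requested.get(subject, ()))
        return permission in granted
```

Two points the model makes concrete. In ALLOW_REQUESTED any subject that is allowed to call AddAccessRequest for the resource gets access immediately, with no approver in the loop, so REQUIRE_APPROVAL is the only mode in which the approved list is a real gate. And a client that omits the etag overwrites whatever another operator changed in between, so read GetPolicy, keep its etag, and send it on every SetPolicy, AddAccessRequest and ApproveAccessRequest call; treat a mismatch as a signal to re-read the policy rather than something to retry blindly.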

ApproveAccessRequest approves an existing access request for the given resource. Once approved, the request will be removed from the requested list and added to the approved list. If any of the permissions are changed, the requested permissions will be discarded and only the approved permissions will be added to the approved list.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

gatewaygroup
required
string

Gatewaygroup name.

tier1gateway
required
string

Tier1gateway name.

Request Body schema: application/json
required
access
required
object (v2Access)

Access is an access request for a subject with a set of permissions.

Example: { "subject": "organizations/demo/tenants/demo/applications/caller", "permissions": ["GET"] }

etag
string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications; take it from the GetPolicy response.)

Responses

Request samples

Content type
application/json
{
  • "access": {
    },
  • "etag": "string"
}

Response samples

Content type
application/json
{ }

DeleteAccessRequest removes an existing entry from the access request list for the given resource. If the request has already been approved, it no longer exists in that list and this operation returns NotFound; remove an approved entry with DeleteApprovedAccess instead.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

gatewaygroup
required
string

Gatewaygroup name.

tier1gateway
required
string

Tier1gateway name.

Request Body schema: application/json
required
subject
required
string

Subject for which the access request is made.

Responses

Request samples

Content type
application/json
{
  • "subject": "string"
}

Response samples

Content type
application/json
{ }

GetPolicy returns the approval policy for the given resource.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

istiointernalgroup
required
string

Istiointernalgroup name.

Responses

Response samples

Content type
application/json
{
  • "etag": "string",
  • "mode": "UNRESTRICTED",
  • "resource": "string",
  • "requested": [
    ],
  • "approved": [
    ],
  • "metadata": {
    }
}

SetPolicy enables authorization policy checks for the given resource and applies any provided request or approval settings. If the resource has existing policies settings, they will be replaced. Once the policy is set, authorization checks will be performed for the given resource.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

istiointernalgroup
required
string

Istiointernalgroup name.

Request Body schema: application/json
required
approved
Array of objects (v2Access)

Approved is the list of subjects that are approved to access the resource.

etag
string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications; take it from the GetPolicy response.)
metadata
object (qv2Metadata)

Metadata includes additional information about an ApprovalPolicy or Access entity and the resources they apply to.

mode
required
string (v2ApprovalPolicyMode)
Default: "UNRESTRICTED"
Enum: "UNRESTRICTED" "ALLOW_REQUESTED" "REQUIRE_APPROVAL"
  • UNRESTRICTED: Allows all subjects in the same policy class to access the resource.
  • ALLOW_REQUESTED: Allows only the subjects in the requested and approved lists to access the resource; a request is sufficient, no approval step is involved.
  • REQUIRE_APPROVAL: Allows only the subjects in the approved list to access the resource.
requested
Array of objects (v2Access)

Requested is the list of subjects that have requested access to the resource but have not yet been explicitly approved. The mode of the policy determines whether the subjects in this list are given immediate access to the resource.

Responses

Request samples

Content type
application/json
{
  • "approved": [
    ],
  • "etag": "string",
  • "metadata": {
    },
  • "mode": "UNRESTRICTED",
  • "requested": [
    ]
}

Response samples

Content type
application/json
{ }

DeletePolicy deletes the approval policy configuration for the given resource. When deleted, authorization checks will no longer be performed, the resource will no longer accept approval requests and all existing approvals will be revoked.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

istiointernalgroup
required
string

Istiointernalgroup name.

query Parameters
force
boolean

Force the deletion of internal resources even if they are protected against deletion.

Responses

Response samples

Content type
application/json
{ }

AddApprovedAccess adds a new entry in the approved access list for the given resource.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

istiointernalgroup
required
string

Istiointernalgroup name.

Request Body schema: application/json
required
access
required
object (v2Access)

Access is an access request for a subject with a set of permissions.

Example: { "subject": "organizations/demo/tenants/demo/applications/caller", "permissions": ["GET"] }

etag
string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications; take it from the GetPolicy response.)

Responses

Request samples

Content type
application/json
{
  • "access": {
    },
  • "etag": "string"
}

Response samples

Content type
application/json
{ }

DeleteApprovedAccess deletes an entry from the approved list for the given resource.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

istiointernalgroup
required
string

Istiointernalgroup name.

Request Body schema: application/json
required
subject
required
string

Subject whose approved entry is removed.

Responses

Request samples

Content type
application/json
{
  • "subject": "string"
}

Response samples

Content type
application/json
{ }

Approvals_QueryPolicies_variant_17

QueryPolicies returns the approval policies for resources of the given types in the scope identified by the path parameters.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

istiointernalgroup
required
string

Istiointernalgroup name.

Request Body schema: application/json
required
includeDetails
boolean

IncludeDetails indicates whether to include the details of the resources that are part of the policy. When set to true, the name and description of the resource are included in the response.

includePermissions
boolean

IncludePermissions indicates whether to include the user level permissions on resources that are part of the policy. When set to true, the user level permissions are included in the response.

types
required
Array of strings

Types is the list of resource types to query for policies.

Responses

Request samples

Content type
application/json
{
  • "includeDetails": true,
  • "includePermissions": true,
  • "types": [
    ]
}

Response samples

Content type
application/json
{
  • "policies": [
    ]
}

AddAccessRequest adds a new access request entry in the access request list for the given resource. If the policy approval mode is "ALLOW_REQUESTED", access is allowed immediately. If the policy approval mode is "REQUIRE_APPROVAL" access will be pending until the request is approved.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

istiointernalgroup
required
string

Istiointernalgroup name.

Request Body schema: application/json
required
access
required
object (v2Access)

Access is an access request for a subject with a set of permissions.

Example: { "subject": "organizations/demo/tenants/demo/applications/caller", "permissions": ["GET"] }

etag
string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications; take it from the GetPolicy response.)

Responses

Request samples

Content type
application/json
{
  • "access": {
    },
  • "etag": "string"
}

Response samples

Content type
application/json
{ }

ApproveAccessRequest approves an existing access request for the given resource. Once approved, the request will be removed from the requested list and added to the approved list. If any of the permissions are changed, the requested permissions will be discarded and only the approved permissions will be added to the approved list.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

istiointernalgroup
required
string

Istiointernalgroup name.

Request Body schema: application/json
required
access
required
object (v2Access)

Access is an access request for a subject with a set of permissions.

Example: { "subject": "organizations/demo/tenants/demo/applications/caller", "permissions": ["GET"] }

etag
string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications; take it from the GetPolicy response.)

Responses

Request samples

Content type
application/json
{
  • "access": {
    },
  • "etag": "string"
}

Response samples

Content type
application/json
{ }

DeleteAccessRequest removes an existing entry from the access request list for the given resource. If the request has already been approved, it no longer exists in that list and this operation returns NotFound; remove an approved entry with DeleteApprovedAccess instead.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

istiointernalgroup
required
string

Istiointernalgroup name.

Request Body schema: application/json
required
subject
required
string

Subject for which the access request is made.

Responses

Request samples

Content type
application/json
{
  • "subject": "string"
}

Response samples

Content type
application/json
{ }

GetPolicy returns the approval policy for the given resource.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

istiointernalgroup
required
string

Istiointernalgroup name.

setting
required
string

Setting name.

Responses

Response samples

Content type
application/json
{
  • "etag": "string",
  • "mode": "UNRESTRICTED",
  • "resource": "string",
  • "requested": [
    ],
  • "approved": [
    ],
  • "metadata": {
    }
}

SetPolicy enables authorization policy checks for the given resource and applies any provided request or approval settings. If the resource has existing policies settings, they will be replaced. Once the policy is set, authorization checks will be performed for the given resource.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

istiointernalgroup
required
string

Istiointernalgroup name.

setting
required
string

Setting name.

Request Body schema: application/json
required
approved
Array of objects (v2Access)

Approved is the list of subjects that are approved to access the resource.

etag
string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications; take it from the GetPolicy response.)
metadata
object (qv2Metadata)

Metadata includes additional information about an ApprovalPolicy or Access entity and the resources they apply to.

mode
required
string (v2ApprovalPolicyMode)
Default: "UNRESTRICTED"
Enum: "UNRESTRICTED" "ALLOW_REQUESTED" "REQUIRE_APPROVAL"
  • UNRESTRICTED: Allows all subjects in the same policy class to access the resource.
  • ALLOW_REQUESTED: Allows only the subjects in the requested and approved lists to access the resource; a request is sufficient, no approval step is involved.
  • REQUIRE_APPROVAL: Allows only the subjects in the approved list to access the resource.
requested
Array of objects (v2Access)

Requested is the list of subjects that have requested access to the resource but have not yet been explicitly approved. The mode of the policy determines whether the subjects in this list are given immediate access to the resource.

Responses

Request samples

Content type
application/json
{
  • "approved": [
    ],
  • "etag": "string",
  • "metadata": {
    },
  • "mode": "UNRESTRICTED",
  • "requested": [
    ]
}

Response samples

Content type
application/json
{ }

DeletePolicy deletes the approval policy configuration for the given resource. When deleted, authorization checks will no longer be performed, the resource will no longer accept approval requests and all existing approvals will be revoked.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

istiointernalgroup
required
string

Istiointernalgroup name.

setting
required
string

Setting name.

query Parameters
force
boolean

Force the deletion of internal resources even if they are protected against deletion.

Responses

Response samples

Content type
application/json
{ }

AddApprovedAccess adds a new entry in the approved access list for the given resource.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

istiointernalgroup
required
string

Istiointernalgroup name.

setting
required
string

Setting name.

Request Body schema: application/json
required
access
required
object (v2Access)

Access is an access request for a subject with a set of permissions.

Example: { "subject": "organizations/demo/tenants/demo/applications/caller", "permissions": ["GET"] }

etag
string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications; take it from the GetPolicy response.)

Responses

Request samples

Content type
application/json
{
  • "access": {
    },
  • "etag": "string"
}

Response samples

Content type
application/json
{ }

DeleteApprovedAccess deletes an entry from the approved list for the given resource.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

istiointernalgroup
required
string

Istiointernalgroup name.

setting
required
string

Setting name.

Request Body schema: application/json
required
subject
required
string

Subject whose approved entry is removed.

Responses

Request samples

Content type
application/json
{
  • "subject": "string"
}

Response samples

Content type
application/json
{ }

Approvals_QueryPolicies_variant_18

QueryPolicies returns the approval policies for resources of the given types in the scope identified by the path parameters.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

istiointernalgroup
required
string

Istiointernalgroup name.

setting
required
string

Setting name.

Request Body schema: application/json
required
includeDetails
boolean

IncludeDetails indicates whether to include the details of the resources that are part of the policy. When set to true, the name and description of the resource are included in the response.

includePermissions
boolean

IncludePermissions indicates whether to include the user level permissions on resources that are part of the policy. When set to true, the user level permissions are included in the response.

types
required
Array of strings

Types is the list of resource types to query for policies.

Responses

Request samples

Content type
application/json
{
  • "includeDetails": true,
  • "includePermissions": true,
  • "types": [
    ]
}

Response samples

Content type
application/json
{
  • "policies": [
    ]
}

AddAccessRequest adds a new access request entry in the access request list for the given resource. If the policy approval mode is "ALLOW_REQUESTED", access is allowed immediately. If the policy approval mode is "REQUIRE_APPROVAL" access will be pending until the request is approved.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

istiointernalgroup
required
string

Istiointernalgroup name.

setting
required
string

Setting name.

Request Body schema: application/json
required
access
required
object (v2Access)

Access is an access request for a subject with a set of permissions.

Example: { "subject": "organizations/demo/tenants/demo/applications/caller", "permissions": ["GET"] }

etag
string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications; take it from the GetPolicy response.)

Responses

Request samples

Content type
application/json
{
  • "access": {
    },
  • "etag": "string"
}

Response samples

Content type
application/json
{ }

ApproveAccessRequest approves an existing access request for the given resource. Once approved, the request will be removed from the requested list and added to the approved list. If any of the permissions are changed, the requested permissions will be discarded and only the approved permissions will be added to the approved list.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

istiointernalgroup
required
string

Istiointernalgroup name.

setting
required
string

Setting name.

Request Body schema: application/json
required
access
required
object (v2Access)

Access is an access request for a subject with a set of permissions.

Example: { "subject": "organizations/demo/tenants/demo/applications/caller", "permissions": ["GET"] }

etag
string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications; take it from the GetPolicy response.)

Responses

Request samples

Content type
application/json
{
  • "access": {
    },
  • "etag": "string"
}

Response samples

Content type
application/json
{ }

DeleteAccessRequest removes an existing entry from the access request list for the given resource. If the request has already been approved, it no longer exists in that list and this operation returns NotFound; remove an approved entry with DeleteApprovedAccess instead.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

istiointernalgroup
required
string

Istiointernalgroup name.

setting
required
string

Setting name.

Request Body schema: application/json
required
subject
required
string

Subject for which the access request is made.

Responses

Request samples

Content type
application/json
{
  • "subject": "string"
}

Response samples

Content type
application/json
{ }

GetPolicy returns the approval policy for the given resource.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

securitygroup
required
string

Securitygroup name.

Responses

Response samples

Content type
application/json
{
  • "etag": "string",
  • "mode": "UNRESTRICTED",
  • "resource": "string",
  • "requested": [
    ],
  • "approved": [
    ],
  • "metadata": {
    }
}

SetPolicy enables authorization policy checks for the given resource and applies any provided request or approval settings. If the resource has existing policies settings, they will be replaced. Once the policy is set, authorization checks will be performed for the given resource.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

securitygroup
required
string

Securitygroup name.

Request Body schema: application/json
required
approved
Array of objects (v2Access)

Approved is the list of subjects that are approved to access the resource.

etag
string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications; take it from the GetPolicy response.)
metadata
object (qv2Metadata)

Metadata includes additional information about an ApprovalPolicy or Access entity and the resources they apply to.

mode
required
string (v2ApprovalPolicyMode)
Default: "UNRESTRICTED"
Enum: "UNRESTRICTED" "ALLOW_REQUESTED" "REQUIRE_APPROVAL"
  • UNRESTRICTED: Allows all subjects in the same policy class to access the resource.
  • ALLOW_REQUESTED: Allows only the subjects in the requested and approved lists to access the resource; a request is sufficient, no approval step is involved.
  • REQUIRE_APPROVAL: Allows only the subjects in the approved list to access the resource.
requested
Array of objects (v2Access)

Requested is the list of subjects that have requested access to the resource but have not yet been explicitly approved. The mode of the policy determines whether the subjects in this list are given immediate access to the resource.

Responses

Request samples

Content type
application/json
{
  • "approved": [
    ],
  • "etag": "string",
  • "metadata": {
    },
  • "mode": "UNRESTRICTED",
  • "requested": [
    ]
}

Response samples

Content type
application/json
{ }

DeletePolicy deletes the approval policy configuration for the given resource. When deleted, authorization checks will no longer be performed, the resource will no longer accept approval requests and all existing approvals will be revoked.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

securitygroup
required
string

Securitygroup name.

query Parameters
force
boolean

Force the deletion of internal resources even if they are protected against deletion.

Responses

Response samples

Content type
application/json
{ }

AddApprovedAccess adds a new entry in the approved access list for the given resource.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

securitygroup
required
string

Securitygroup name.

Request Body schema: application/json
required
access
required
object (v2Access)

Access is an access request for a subject with a set of permissions.

Example: { "subject": "organizations/demo/tenants/demo/applications/caller", "permissions": ["GET"] }

etag
string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications; take it from the GetPolicy response.)

Responses

Request samples

Content type
application/json
{
  • "access": {
    },
  • "etag": "string"
}

Response samples

Content type
application/json
{ }

DeleteApprovedAccess deletes an entry from the approved list for the given resource.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

securitygroup
required
string

Securitygroup name.

Request Body schema: application/json
required
subject
required
string

Subject whose approved entry is removed.

Responses

Request samples

Content type
application/json
{
  • "subject": "string"
}

Response samples

Content type
application/json
{ }

Approvals_QueryPolicies_variant_19

QueryPolicies returns the approval policies for resources of the given types in the scope identified by the path parameters.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

securitygroup
required
string

Securitygroup name.

Request Body schema: application/json
required
includeDetails
boolean

IncludeDetails indicates whether to include the details of the resources that are part of the policy. When set to true, the name and description of the resource are included in the response.

includePermissions
boolean

IncludePermissions indicates whether to include the user level permissions on resources that are part of the policy. When set to true, the user level permissions are included in the response.

types
required
Array of strings

Types is the list of resource types to query for policies.

Responses

Request samples

Content type
application/json
{
  "includeDetails": true,
  "includePermissions": true,
  "types": [ ]
}

Response samples

Content type
application/json
{
  "policies": [ ]
}

AddAccessRequest adds a new access request entry in the access request list for the given resource. If the policy approval mode is "ALLOW_REQUESTED", access is allowed immediately. If the policy approval mode is "REQUIRE_APPROVAL", access will be pending until the request is approved.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

securitygroup
required
string

Securitygroup name.

Request Body schema: application/json
required
access
required
object (v2Access)

Access is an access request for a subject with a set of permissions.

Example: Access { Subject: "organizations/demo/tenants/demo/applications/caller", Permissions: []string{"GET"} }

etag
string

The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications.

Responses

Request samples

Content type
application/json
{
  "access": { },
  "etag": "string"
}

Response samples

Content type
application/json
{ }

ApproveAccessRequest approves an existing access request for the given resource. Once approved, the request will be removed from the requested list and added to the approved list. If any of the permissions are changed, the requested permissions will be discarded and only the approved permissions will be added to the approved list.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

securitygroup
required
string

Securitygroup name.

Request Body schema: application/json
required
access
required
object (v2Access)

Access is an access request for a subject with a set of permissions.

Example: Access { Subject: "organizations/demo/tenants/demo/applications/caller", Permissions: []string{"GET"} }

etag
string

The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications.

Responses

Request samples

Content type
application/json
{
  "access": { },
  "etag": "string"
}

Response samples

Content type
application/json
{ }

DeleteAccessRequest removes an existing entry from the access request list for the given resource. If the request has already been approved, it no longer exists in that list and this operation returns NotFound; an approved entry is removed with the DeleteApprovedAccess operation instead.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

securitygroup
required
string

Securitygroup name.

Request Body schema: application/json
required
subject
required
string

Subject for which the access request is made.

Responses

Request samples

Content type
application/json
{
  "subject": "string"
}

Response samples

Content type
application/json
{ }

GetPolicy returns the approval policy for the given resource.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

securitygroup
required
string

Securitygroup name.

setting
required
string

Setting name.

Responses

Response samples

Content type
application/json
{
  "etag": "string",
  "mode": "UNRESTRICTED",
  "resource": "string",
  "requested": [ ],
  "approved": [ ],
  "metadata": { }
}

SetPolicy enables authorization policy checks for the given resource and applies any provided request or approval settings. If the resource has existing policy settings, they will be replaced. Once the policy is set, authorization checks will be performed for the given resource.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

securitygroup
required
string

Securitygroup name.

setting
required
string

Setting name.

Request Body schema: application/json
required
approved
Array of objects (v2Access)

Approved is a list of subjects that are approved to access the resource.

etag
string

The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications.

metadata
object (qv2Metadata)

Metadata includes additional information about an ApprovalPolicy or Access entity and the resource it applies to.

mode
required
string (v2ApprovalPolicyMode)
Default: "UNRESTRICTED"
Enum: "UNRESTRICTED" "ALLOW_REQUESTED" "REQUIRE_APPROVAL"
  • UNRESTRICTED: Allows all subjects in the same policy class to access the resource.
  • ALLOW_REQUESTED: Allows only the subjects in the requested and approved lists to access the resource.
  • REQUIRE_APPROVAL: Allows only the subjects in the approved list to access the resource.

requested
Array of objects (v2Access)

Requested is a list of subjects that have requested access to the resource but have not yet been explicitly approved. The approval mode of the policy determines whether the subjects in this list are given immediate access to the resource.

Responses

Request samples

Content type
application/json
{
  "approved": [ ],
  "etag": "string",
  "metadata": { },
  "mode": "UNRESTRICTED",
  "requested": [ ]
}

Response samples

Content type
application/json
{ }

DeletePolicy deletes the approval policy configuration for the given resource. When deleted, authorization checks will no longer be performed, the resource will no longer accept approval requests and all existing approvals will be revoked.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

securitygroup
required
string

Securitygroup name.

setting
required
string

Setting name.

query Parameters
force
boolean

Force the deletion of internal resources even if they are protected against deletion.

Responses

Response samples

Content type
application/json
{ }

AddApprovedAccess adds a new entry in the approved access list for the given resource.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

securitygroup
required
string

Securitygroup name.

setting
required
string

Setting name.

Request Body schema: application/json
required
access
required
object (v2Access)

Access is an access request for a subject with a set of permissions.

Example: Access { Subject: "organizations/demo/tenants/demo/applications/caller", Permissions: []string{"GET"} }

etag
string

The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications.

Responses

Request samples

Content type
application/json
{
  "access": { },
  "etag": "string"
}

Response samples

Content type
application/json
{ }

DeleteApprovedAccess deletes an entry from the approved list for the given resource.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

securitygroup
required
string

Securitygroup name.

setting
required
string

Setting name.

Request Body schema: application/json
required
subject
required
string

Subject for which the access request is made.

Responses

Request samples

Content type
application/json
{
  "subject": "string"
}

Response samples

Content type
application/json
{ }

Approvals_QueryPolicies_variant_20

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

securitygroup
required
string

Securitygroup name.

setting
required
string

Setting name.

Request Body schema: application/json
required
includeDetails
boolean

IncludeDetails indicates whether to include the details of the resources that are part of the policy. When set to true, the name and description of the resource are included in the response.

includePermissions
boolean

IncludePermissions indicates whether to include the user level permissions on resources that are part of the policy. When set to true, the user level permissions are included in the response.

types
required
Array of strings

Type is the type of the resources to query for policies.

Responses

Request samples

Content type
application/json
{
  "includeDetails": true,
  "includePermissions": true,
  "types": [ ]
}

Response samples

Content type
application/json
{
  "policies": [ ]
}

AddAccessRequest adds a new access request entry in the access request list for the given resource. If the policy approval mode is "ALLOW_REQUESTED", access is allowed immediately. If the policy approval mode is "REQUIRE_APPROVAL", access will be pending until the request is approved.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

securitygroup
required
string

Securitygroup name.

setting
required
string

Setting name.

Request Body schema: application/json
required
access
required
object (v2Access)

Access is an access request for a subject with a set of permissions.

Example: Access { Subject: "organizations/demo/tenants/demo/applications/caller", Permissions: []string{"GET"} }

etag
string

The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications.

Responses

Request samples

Content type
application/json
{
  "access": { },
  "etag": "string"
}

Response samples

Content type
application/json
{ }

ApproveAccessRequest approves an existing access request for the given resource. Once approved, the request will be removed from the requested list and added to the approved list. If any of the permissions are changed, the requested permissions will be discarded and only the approved permissions will be added to the approved list.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

securitygroup
required
string

Securitygroup name.

setting
required
string

Setting name.

Request Body schema: application/json
required
access
required
object (v2Access)

Access is an access request for a subject with a set of permissions.

Example: Access { Subject: "organizations/demo/tenants/demo/applications/caller", Permissions: []string{"GET"} }

etag
string

The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications.

Responses

Request samples

Content type
application/json
{
  "access": { },
  "etag": "string"
}

Response samples

Content type
application/json
{ }

DeleteAccessRequest removes an existing entry from the access request list for the given resource. If the request has already been approved, it no longer exists in that list and this operation returns NotFound; an approved entry is removed with the DeleteApprovedAccess operation instead.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

securitygroup
required
string

Securitygroup name.

setting
required
string

Setting name.

Request Body schema: application/json
required
subject
required
string

Subject for which the access request is made.

Responses

Request samples

Content type
application/json
{
  "subject": "string"
}

Response samples

Content type
application/json
{ }
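The approval lifecycle documented in the AddAccessRequest, ApproveAccessRequest, DeleteAccessRequest, SetPolicy and DeletePolicy entries above, modeled as an added Go example. This is not TSB's own code; it assumes a subject holds at most one pending request, that UNRESTRICTED admits every subject (policy-class membership is not described here), and represents a deleted or never-set policy as a nil pointer.

```go
package main

import "errors"

// ApprovalPolicyMode mirrors the v2ApprovalPolicyMode enum documented above.
type ApprovalPolicyMode string

const (
	Unrestricted    ApprovalPolicyMode = "UNRESTRICTED"     // everyone in the policy class
	AllowRequested  ApprovalPolicyMode = "ALLOW_REQUESTED"  // requested and approved subjects
	RequireApproval ApprovalPolicyMode = "REQUIRE_APPROVAL" // approved subjects only
)

// Access is an access request for a subject with a set of permissions (v2Access).
type Access struct {
	Subject     string
	Permissions []string
}

// ApprovalPolicy is the per-resource state the Approvals operations mutate. A nil
// *ApprovalPolicy stands for a resource whose policy was never set or was deleted.
type ApprovalPolicy struct {
	Mode      ApprovalPolicyMode
	Requested []Access
	Approved  []Access
}

// ErrNotFound stands in for the NotFound status documented for DeleteAccessRequest.
var ErrNotFound = errors.New("NotFound")

// drop removes subject from list, reporting whether it was present.
func drop(list []Access, subject string) ([]Access, bool) {
	for i, a := range list {
		if a.Subject == subject {
			return append(append([]Access{}, list[:i]...), list[i+1:]...), true
		}
	}
	return list, false
}

// AddAccessRequest puts a on the requested list. Under ALLOW_REQUESTED that already
// grants access; under REQUIRE_APPROVAL it stays pending until approved.
func (p *ApprovalPolicy) AddAccessRequest(a Access) {
	p.Requested, _ = drop(p.Requested, a.Subject) // assumption: re-requesting replaces
	p.Requested = append(p.Requested, a)
}

// ApproveAccessRequest moves the subject from requested to approved, keeping the
// permissions given in the approval rather than the ones originally requested.
func (p *ApprovalPolicy) ApproveAccessRequest(approved Access) error {
	rest, found := drop(p.Requested, approved.Subject)
	if !found {
		return ErrNotFound
	}
	p.Requested = rest
	p.Approved = append(p.Approved, approved)
	return nil
}

// DeleteAccessRequest drops a pending request. An approved subject is no longer in
// the requested list, so the call returns NotFound; DeleteApprovedAccess is the
// operation that revokes an approved entry.
func (p *ApprovalPolicy) DeleteAccessRequest(subject string) error {
	rest, found := drop(p.Requested, subject)
	if !found {
		return ErrNotFound
	}
	p.Requested = rest
	return nil
}

func hasPermission(list []Access, subject, perm string) bool {
	for _, a := range list {
		for _, got := range a.Permissions {
			if a.Subject == subject && got == perm {
				return true
			}
		}
	}
	return false
}

// Check is the authorization decision implied by the mode descriptions. A nil
// policy is not checked at all (DeletePolicy semantics), and UNRESTRICTED is
// modeled as "allow everyone" because policy-class membership is not described here.
func (p *ApprovalPolicy) Check(subject, perm string) bool {
	if p == nil {
		return true
	}
	switch p.Mode {
	case AllowRequested:
		return hasPermission(p.Requested, subject, perm) || hasPermission(p.Approved, subject, perm)
	case RequireApproval:
		return hasPermission(p.Approved, subject, perm)
	default: // UNRESTRICTED, the documented default
		return true
	}
}
```

Note that approving with a narrower permission set than was requested (GET only, after a GET and POST request) leaves POST denied, and that deleting the policy re-admits every subject because checks stop entirely.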

GetPolicy returns the approval policy for the given resource.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

setting
required
string

Setting name.

Responses

Response samples

Content type
application/json
{
  "etag": "string",
  "mode": "UNRESTRICTED",
  "resource": "string",
  "requested": [ ],
  "approved": [ ],
  "metadata": { }
}

SetPolicy enables authorization policy checks for the given resource and applies any provided request or approval settings. If the resource has existing policy settings, they will be replaced. Once the policy is set, authorization checks will be performed for the given resource.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

setting
required
string

Setting name.

Request Body schema: application/json
required
approved
Array of objects (v2Access)

Approved is a list of subjects that are approved to access the resource.

etag
string

The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications.

metadata
object (qv2Metadata)

Metadata includes additional information about an ApprovalPolicy or Access entity and the resource it applies to.

mode
required
string (v2ApprovalPolicyMode)
Default: "UNRESTRICTED"
Enum: "UNRESTRICTED" "ALLOW_REQUESTED" "REQUIRE_APPROVAL"
  • UNRESTRICTED: Allows all subjects in the same policy class to access the resource.
  • ALLOW_REQUESTED: Allows only the subjects in the requested and approved lists to access the resource.
  • REQUIRE_APPROVAL: Allows only the subjects in the approved list to access the resource.

requested
Array of objects (v2Access)

Requested is a list of subjects that have requested access to the resource but have not yet been explicitly approved. The approval mode of the policy determines whether the subjects in this list are given immediate access to the resource.

Responses

Request samples

Content type
application/json
{
  "approved": [ ],
  "etag": "string",
  "metadata": { },
  "mode": "UNRESTRICTED",
  "requested": [ ]
}

Response samples

Content type
application/json
{ }

DeletePolicy deletes the approval policy configuration for the given resource. When deleted, authorization checks will no longer be performed, the resource will no longer accept approval requests and all existing approvals will be revoked.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

setting
required
string

Setting name.

query Parameters
force
boolean

Force the deletion of internal resources even if they are protected against deletion.

Responses

Response samples

Content type
application/json
{ }

AddApprovedAccess adds a new entry in the approved access list for the given resource.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

setting
required
string

Setting name.

Request Body schema: application/json
required
access
required
object (v2Access)

Access is an access request for a subject with a set of permissions.

Example: Access { Subject: "organizations/demo/tenants/demo/applications/caller", Permissions: []string{"GET"} }

etag
string

The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications.

Responses

Request samples

Content type
application/json
{
  "access": { },
  "etag": "string"
}

Response samples

Content type
application/json
{ }

DeleteApprovedAccess deletes an entry from the approved list for the given resource.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

setting
required
string

Setting name.

Request Body schema: application/json
required
subject
required
string

Subject for which the access request is made.

Responses

Request samples

Content type
application/json
{
  "subject": "string"
}

Response samples

Content type
application/json
{ }

Approvals_QueryPolicies_variant_21

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

setting
required
string

Setting name.

Request Body schema: application/json
required
includeDetails
boolean

IncludeDetails indicates whether to include the details of the resources that are part of the policy. When set to true, the name and description of the resource are included in the response.

includePermissions
boolean

IncludePermissions indicates whether to include the user level permissions on resources that are part of the policy. When set to true, the user level permissions are included in the response.

types
required
Array of strings

Type is the type of the resources to query for policies.

Responses

Request samples

Content type
application/json
{
  "includeDetails": true,
  "includePermissions": true,
  "types": [ ]
}

Response samples

Content type
application/json
{
  "policies": [ ]
}

AddAccessRequest adds a new access request entry in the access request list for the given resource. If the policy approval mode is "ALLOW_REQUESTED", access is allowed immediately. If the policy approval mode is "REQUIRE_APPROVAL", access will be pending until the request is approved.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

setting
required
string

Setting name.

Request Body schema: application/json
required
access
required
object (v2Access)

Access is an access request for a subject with a set of permissions.

Example: Access { Subject: "organizations/demo/tenants/demo/applications/caller", Permissions: []string{"GET"} }

etag
string

The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications.

Responses

Request samples

Content type
application/json
{
  "access": { },
  "etag": "string"
}

Response samples

Content type
application/json
{ }

ApproveAccessRequest approves an existing access request for the given resource. Once approved, the request will be removed from the requested list and added to the approved list. If any of the permissions are changed, the requested permissions will be discarded and only the approved permissions will be added to the approved list.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

setting
required
string

Setting name.

Request Body schema: application/json
required
access
required
object (v2Access)

Access is an access request for a subject with a set of permissions.

Example: Access { Subject: "organizations/demo/tenants/demo/applications/caller", Permissions: []string{"GET"} }

etag
string

The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications.

Responses

Request samples

Content type
application/json
{
  "access": { },
  "etag": "string"
}

Response samples

Content type
application/json
{ }

DeleteAccessRequest removes an existing entry from the access request list for the given resource. If the request has already been approved, it no longer exists in that list and this operation returns NotFound; an approved entry is removed with the DeleteApprovedAccess operation instead.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

setting
required
string

Setting name.

Request Body schema: application/json
required
subject
required
string

Subject for which the access request is made.

Responses

Request samples

Content type
application/json
{
  "subject": "string"
}

Response samples

Content type
application/json
{ }

GetPolicy returns the approval policy for the given resource.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

trafficgroup
required
string

Trafficgroup name.

Responses

Response samples

Content type
application/json
{
  "etag": "string",
  "mode": "UNRESTRICTED",
  "resource": "string",
  "requested": [ ],
  "approved": [ ],
  "metadata": { }
}

SetPolicy enables authorization policy checks for the given resource and applies any provided request or approval settings. If the resource has existing policy settings, they will be replaced. Once the policy is set, authorization checks will be performed for the given resource.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

trafficgroup
required
string

Trafficgroup name.

Request Body schema: application/json
required
approved
Array of objects (v2Access)

Approved is a list of subjects that are approved to access the resource.

etag
string

The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications.

metadata
object (qv2Metadata)

Metadata includes additional information about an ApprovalPolicy or Access entity and the resource it applies to.

mode
required
string (v2ApprovalPolicyMode)
Default: "UNRESTRICTED"
Enum: "UNRESTRICTED" "ALLOW_REQUESTED" "REQUIRE_APPROVAL"
  • UNRESTRICTED: Allows all subjects in the same policy class to access the resource.
  • ALLOW_REQUESTED: Allows only the subjects in the requested and approved lists to access the resource.
  • REQUIRE_APPROVAL: Allows only the subjects in the approved list to access the resource.

requested
Array of objects (v2Access)

Requested is a list of subjects that have requested access to the resource but have not yet been explicitly approved. The approval mode of the policy determines whether the subjects in this list are given immediate access to the resource.

Responses

Request samples

Content type
application/json
{
  "approved": [ ],
  "etag": "string",
  "metadata": { },
  "mode": "UNRESTRICTED",
  "requested": [ ]
}

Response samples

Content type
application/json
{ }

DeletePolicy deletes the approval policy configuration for the given resource. When deleted, authorization checks will no longer be performed, the resource will no longer accept approval requests and all existing approvals will be revoked.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

trafficgroup
required
string

Trafficgroup name.

query Parameters
force
boolean

Force the deletion of internal resources even if they are protected against deletion.

Responses

Response samples

Content type
application/json
{ }

AddApprovedAccess adds a new entry in the approved access list for the given resource.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

trafficgroup
required
string

Trafficgroup name.

Request Body schema: application/json
required
access
required
object (v2Access)

Access is an access request for a subject with a set of permissions.

Example: Access { Subject: "organizations/demo/tenants/demo/applications/caller", Permissions: []string{"GET"} }

etag
string

The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications.

Responses

Request samples

Content type
application/json
{
  "access": { },
  "etag": "string"
}

Response samples

Content type
application/json
{ }

DeleteApprovedAccess deletes an entry from the approved list for the given resource.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

trafficgroup
required
string

Trafficgroup name.

Request Body schema: application/json
required
subject
required
string

Subject for which the access request is made.

Responses

Request samples

Content type
application/json
{
  "subject": "string"
}

Response samples

Content type
application/json
{ }

Approvals_QueryPolicies_variant_22

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

trafficgroup
required
string

Trafficgroup name.

Request Body schema: application/json
required
includeDetails
boolean

IncludeDetails indicates whether to include the details of the resources that are part of the policy. When set to true, the name and description of the resource are included in the response.

includePermissions
boolean

IncludePermissions indicates whether to include the user level permissions on resources that are part of the policy. When set to true, the user level permissions are included in the response.

types
required
Array of strings

Type is the type of the resources to query for policies.

Responses

Request samples

Content type
application/json
{
  "includeDetails": true,
  "includePermissions": true,
  "types": [ ]
}

Response samples

Content type
application/json
{
  "policies": [ ]
}

AddAccessRequest adds a new access request entry in the access request list for the given resource. If the policy approval mode is "ALLOW_REQUESTED", access is allowed immediately. If the policy approval mode is "REQUIRE_APPROVAL", access will be pending until the request is approved.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

trafficgroup
required
string

Trafficgroup name.

Request Body schema: application/json
required
access
required
object (v2Access)

Access is an access request for a subject with a set of permissions.

Example: Access { Subject: "organizations/demo/tenants/demo/applications/caller", Permissions: []string{"GET"} }

etag
string

The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications.

Responses

Request samples

Content type
application/json
{
  "access": { },
  "etag": "string"
}

Response samples

Content type
application/json
{ }

ApproveAccessRequest approves an existing access request for the given resource. Once approved, the request will be removed from the requested list and added to the approved list. If any of the permissions are changed, the requested permissions will be discarded and only the approved permissions will be added to the approved list.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

trafficgroup
required
string

Trafficgroup name.

Request Body schema: application/json
required
access
required
object (v2Access)

Access is an access request for a subject with a set of permissions.

Example: Access { Subject: "organizations/demo/tenants/demo/applications/caller", Permissions: []string{"GET"} }

etag
string

The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications.

Responses

Request samples

Content type
application/json
{
  "access": { },
  "etag": "string"
}

Response samples

Content type
application/json
{ }

DeleteAccessRequest removes an existing entry from the access request list for the given resource. If the request has already been approved, it no longer exists in that list and this operation returns NotFound; an approved entry is removed with the DeleteApprovedAccess operation instead.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

trafficgroup
required
string

Trafficgroup name.

Request Body schema: application/json
required
subject
required
string

Subject for which the access request is made.

Responses

Request samples

Content type
application/json
{
  "subject": "string"
}

Response samples

Content type
application/json
{ }

GetPolicy returns the approval policy for the given resource.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

trafficgroup
required
string

Trafficgroup name.

serviceroute
required
string

Serviceroute name.

Responses

Response samples

Content type
application/json
{
  "etag": "string",
  "mode": "UNRESTRICTED",
  "resource": "string",
  "requested": [ ],
  "approved": [ ],
  "metadata": { }
}

SetPolicy enables authorization policy checks for the given resource and applies any provided request or approval settings. If the resource has existing policy settings, they will be replaced. Once the policy is set, authorization checks will be performed for the given resource.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

trafficgroup
required
string

Trafficgroup name.

serviceroute
required
string

Serviceroute name.

Request Body schema: application/json
required
approved
Array of objects (v2Access)

Approved is a list of subjects that are approved to access the resource.

etag
string

The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications.

metadata
object (qv2Metadata)

Metadata includes additional information about an ApprovalPolicy or Access entity and the resource it applies to.

mode
required
string (v2ApprovalPolicyMode)
Default: "UNRESTRICTED"
Enum: "UNRESTRICTED" "ALLOW_REQUESTED" "REQUIRE_APPROVAL"
  • UNRESTRICTED: Allows all subjects in the same policy class to access the resource.
  • ALLOW_REQUESTED: Allows only the subjects in the requested and approved lists to access the resource.
  • REQUIRE_APPROVAL: Allows only the subjects in the approved list to access the resource.

requested
Array of objects (v2Access)

Requested is a list of subjects that have requested access to the resource but have not yet been explicitly approved. The approval mode of the policy determines whether the subjects in this list are given immediate access to the resource.

Responses

Request samples

Content type
application/json
{
  "approved": [ ],
  "etag": "string",
  "metadata": { },
  "mode": "UNRESTRICTED",
  "requested": [ ]
}

Response samples

Content type
application/json
{ }

DeletePolicy deletes the approval policy configuration for the given resource. When deleted, authorization checks will no longer be performed, the resource will no longer accept approval requests and all existing approvals will be revoked.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

trafficgroup
required
string

Trafficgroup name.

serviceroute
required
string

Serviceroute name.

query Parameters
force
boolean

Force the deletion of internal resources even if they are protected against deletion.

Responses

Response samples

Content type
application/json
{ }

AddApprovedAccess adds a new entry in the approved access list for the given resource.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

trafficgroup
required
string

Trafficgroup name.

serviceroute
required
string

Serviceroute name.

Request Body schema: application/json
required
access
required
object (v2Access)

Access is an access request for a subject with a set of permissions.

Example: Access { Subject: "organizations/demo/tenants/demo/applications/caller", Permissions: []string{"GET"} }

etag
string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications.)

Responses

Request samples

Content type
application/json
{
  • "access": {
    },
  • "etag": "string"
}

Response samples

Content type
application/json
{ }

DeleteApprovedAccess deletes an entry from the approved list for the given resource.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

trafficgroup
required
string

Trafficgroup name.

serviceroute
required
string

Serviceroute name.

Request Body schema: application/json
required
subject
required
string

Subject for which the access request is made.

Responses

Request samples

Content type
application/json
{
  • "subject": "string"
}

Response samples

Content type
application/json
{ }

Approvals_QueryPolicies_variant_24

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

trafficgroup
required
string

Trafficgroup name.

serviceroute
required
string

Serviceroute name.

Request Body schema: application/json
required
includeDetails
boolean

IncludeDetails indicates whether to include the details of the resources that are part of the policy. When set to true, the name and description of the resource are included in the response.

includePermissions
boolean

IncludePermissions indicates whether to include the user level permissions on resources that are part of the policy. When set to true, the user level permissions are included in the response.

types
required
Array of strings

Types lists the resource types to query for policies.

Responses

Request samples

Content type
application/json
{
  • "includeDetails": true,
  • "includePermissions": true,
  • "types": [
    ]
}

Response samples

Content type
application/json
{
  • "policies": [
    ]
}

AddAccessRequest adds a new access request entry in the access request list for the given resource. If the policy approval mode is "ALLOW_REQUESTED", access is allowed immediately. If the policy approval mode is "REQUIRE_APPROVAL", access will be pending until the request is approved.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

trafficgroup
required
string

Trafficgroup name.

serviceroute
required
string

Serviceroute name.

Request Body schema: application/json
required
access
required
object (v2Access)

Access is an access request for a subject with a set of permissions.

Example: Access { Subject: "organizations/demo/tenants/demo/applications/caller", Permissions: []string{"GET"} }

etag
string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications.)

Responses

Request samples

Content type
application/json
{
  • "access": {
    },
  • "etag": "string"
}

Response samples

Content type
application/json
{ }

ApproveAccessRequest approves an existing access request for the given resource. Once approved, the request will be removed from the requested list and added to the approved list. If any of the permissions are changed, the requested permissions will be discarded and only the approved permissions will be added to the approved list.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

trafficgroup
required
string

Trafficgroup name.

serviceroute
required
string

Serviceroute name.

Request Body schema: application/json
required
access
required
object (v2Access)

Access is an access request for a subject with a set of permissions.

Example: Access { Subject: "organizations/demo/tenants/demo/applications/caller", Permissions: []string{"GET"} }

etag
string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications.)

Responses

Request samples

Content type
application/json
{
  • "access": {
    },
  • "etag": "string"
}

Response samples

Content type
application/json
{ }

DeleteAccessRequest removes an existing entry from the access request list for the given resource. If the request is already approved, the request no longer exists and this operation will return NotFound. Deleting an approved request should be done using the DeleteApproved operation.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

trafficgroup
required
string

Trafficgroup name.

serviceroute
required
string

Serviceroute name.

Request Body schema: application/json
required
subject
required
string

Subject for which the access request is made.

Responses

Request samples

Content type
application/json
{
  • "subject": "string"
}

Response samples

Content type
application/json
{ }
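The approval-policy lifecycle described by SetPolicy, AddAccessRequest, ApproveAccessRequest, DeleteAccessRequest, DeleteApprovedAccess and DeletePolicy, and the effect of each mode on the authorization decision, as an added in-memory Python model that is not TSB's own code. The class and method names, the digest used as a stand-in for the server-computed etag, and the choice to treat a resource without a policy as unchecked (allowed) are assumptions made for this example.

```python
# Added example, not part of the TSB API or its implementation: an in-memory
# model of the approval-policy semantics documented above. Class and method
# names are assumptions made for this example.
from __future__ import annotations
from dataclasses import dataclass, field
from enum import Enum
import hashlib
import json


class Mode(str, Enum):
    UNRESTRICTED = "UNRESTRICTED"          # all subjects in the policy class
    ALLOW_REQUESTED = "ALLOW_REQUESTED"    # requested and approved subjects
    REQUIRE_APPROVAL = "REQUIRE_APPROVAL"  # approved subjects only


class NotFound(Exception): """Mirrors the NotFound status returned for a missing entry."""
class Conflict(Exception): """Raised when an update carries a stale etag."""


@dataclass(frozen=True)
class Access:
    subject: str                 # e.g. "organizations/demo/tenants/demo/applications/caller"
    permissions: frozenset[str]  # e.g. frozenset({"GET"})


@dataclass
class ApprovalPolicy:
    resource: str
    mode: Mode = Mode.UNRESTRICTED
    requested: dict[str, Access] = field(default_factory=dict)
    approved: dict[str, Access] = field(default_factory=dict)

    @property
    def etag(self) -> str:
        # Constructed stand-in for the server-computed etag: a digest of the
        # current state, so any concurrent change invalidates the caller's copy.
        state = {"mode": self.mode.value,
                 "requested": {s: sorted(a.permissions) for s, a in self.requested.items()},
                 "approved": {s: sorted(a.permissions) for s, a in self.approved.items()}}
        return hashlib.sha256(json.dumps(state, sort_keys=True).encode()).hexdigest()[:16]

    def check_etag(self, etag: str) -> None:
        if etag != self.etag:
            raise Conflict(f"stale etag for {self.resource}")


class ApprovalService:
    def __init__(self) -> None:
        self.policies: dict[str, ApprovalPolicy] = {}

    def _policy(self, resource: str) -> ApprovalPolicy:
        if resource not in self.policies:
            raise NotFound(f"no approval policy for {resource}")
        return self.policies[resource]

    # SetPolicy: any existing policy settings for the resource are replaced.
    def set_policy(self, resource: str, mode: Mode, requested: tuple[Access, ...] = (),
                   approved: tuple[Access, ...] = ()) -> ApprovalPolicy:
        policy = ApprovalPolicy(resource, mode, {a.subject: a for a in requested},
                                {a.subject: a for a in approved})
        self.policies[resource] = policy
        return policy

    # DeletePolicy: checks stop and every existing approval is revoked.
    def delete_policy(self, resource: str) -> None:
        self._policy(resource)
        del self.policies[resource]

    # AddAccessRequest: ALLOW_REQUESTED grants immediately, REQUIRE_APPROVAL
    # leaves the entry pending; the difference shows up in is_allowed().
    def add_access_request(self, resource: str, access: Access, etag: str) -> ApprovalPolicy:
        policy = self._policy(resource)
        policy.check_etag(etag)
        policy.requested[access.subject] = access
        return policy

    # ApproveAccessRequest: the entry moves to the approved list and the
    # permissions in the approval replace whatever was requested.
    def approve_access_request(self, resource: str, access: Access, etag: str) -> ApprovalPolicy:
        policy = self._policy(resource)
        policy.check_etag(etag)
        if access.subject not in policy.requested:
            raise NotFound(f"no pending request for {access.subject}")
        del policy.requested[access.subject]
        policy.approved[access.subject] = access
        return policy

    # DeleteAccessRequest: an already-approved request is no longer in the
    # requested list, so it is reported as NotFound.
    def delete_access_request(self, resource: str, subject: str) -> None:
        policy = self._policy(resource)
        if subject not in policy.requested:
            raise NotFound(f"no pending request for {subject}")
        del policy.requested[subject]

    # DeleteApprovedAccess: revokes one approved entry.
    def delete_approved_access(self, resource: str, subject: str) -> None:
        policy = self._policy(resource)
        if subject not in policy.approved:
            raise NotFound(f"{subject} is not in the approved list")
        del policy.approved[subject]

    # Authorization decision for one subject and permission. Without a policy this
    # layer performs no check (assumed allowed); the "same policy class" condition
    # of UNRESTRICTED is not modelled here.
    def is_allowed(self, resource: str, subject: str, permission: str) -> bool:
        policy = self.policies.get(resource)
        if policy is None or policy.mode is Mode.UNRESTRICTED:
            return True
        entries = policy.approved if policy.mode is Mode.REQUIRE_APPROVAL \
            else {**policy.requested, **policy.approved}
        entry = entries.get(subject)
        return entry is not None and permission in entry.permissions
```

Note that approving with a narrower permission set than was requested drops the extra requested permissions, and that a stale etag is rejected before any list is touched.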

GetPolicy returns the approval policy for the given resource.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

trafficgroup
required
string

Trafficgroup name.

setting
required
string

Setting name.

Responses

Response samples

Content type
application/json
{
  • "etag": "string",
  • "mode": "UNRESTRICTED",
  • "resource": "string",
  • "requested": [
    ],
  • "approved": [
    ],
  • "metadata": {
    }
}

SetPolicy enables authorization policy checks for the given resource and applies any provided request or approval settings. If the resource has existing policy settings, they will be replaced. Once the policy is set, authorization checks will be performed for the given resource.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

trafficgroup
required
string

Trafficgroup name.

setting
required
string

Setting name.

Request Body schema: application/json
required
approved
Array of objects (v2Access)

Approved is a list of subjects that are approved to access the resource.

etag
string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications.)
metadata
object (qv2Metadata)

Metadata includes additional information about an ApprovalPolicy or Access entity and the resources they apply to.

mode
required
string (v2ApprovalPolicyMode)
Default: "UNRESTRICTED"
Enum: "UNRESTRICTED" "ALLOW_REQUESTED" "REQUIRE_APPROVAL"
  • UNRESTRICTED: Allows all subjects in the same policy class to access the resource.
  • ALLOW_REQUESTED: Allows only the subjects in the request and approved list to access the resource.
  • REQUIRE_APPROVAL: Allows only the subjects in the approved list to access the resource.
requested
Array of objects (v2Access)

Requested is a list of subjects that are requested to access the resource but that have not yet been explicitly approved. The access mode of the policy will determine if the subjects in this list are given immediate access to the resource.

Responses

Request samples

Content type
application/json
{
  • "approved": [
    ],
  • "etag": "string",
  • "metadata": {
    },
  • "mode": "UNRESTRICTED",
  • "requested": [
    ]
}

Response samples

Content type
application/json
{ }

DeletePolicy deletes the approval policy configuration for the given resource. When deleted, authorization checks will no longer be performed, the resource will no longer accept approval requests and all existing approvals will be revoked.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

trafficgroup
required
string

Trafficgroup name.

setting
required
string

Setting name.

query Parameters
force
boolean

Force the deletion of internal resources even if they are protected against deletion.

Responses

Response samples

Content type
application/json
{ }

AddApprovedAccess adds a new entry in the approved access list for the given resource.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

trafficgroup
required
string

Trafficgroup name.

setting
required
string

Setting name.

Request Body schema: application/json
required
access
required
object (v2Access)

Access is an access request for a subject with a set of permissions.

Example: Access { Subject: "organizations/demo/tenants/demo/applications/caller", Permissions: []string{"GET"} }

etag
string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications.)

Responses

Request samples

Content type
application/json
{
  • "access": {
    },
  • "etag": "string"
}

Response samples

Content type
application/json
{ }

DeleteApprovedAccess deletes an entry from the approved list for the given resource.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

trafficgroup
required
string

Trafficgroup name.

setting
required
string

Setting name.

Request Body schema: application/json
required
subject
required
string

Subject for which the access request is made.

Responses

Request samples

Content type
application/json
{
  • "subject": "string"
}

Response samples

Content type
application/json
{ }

Approvals_QueryPolicies_variant_23

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

trafficgroup
required
string

Trafficgroup name.

setting
required
string

Setting name.

Request Body schema: application/json
required
includeDetails
boolean

IncludeDetails indicates whether to include the details of the resources that are part of the policy. When set to true, the name and description of the resource are included in the response.

includePermissions
boolean

IncludePermissions indicates whether to include the user level permissions on resources that are part of the policy. When set to true, the user level permissions are included in the response.

types
required
Array of strings

Types lists the resource types to query for policies.

Responses

Request samples

Content type
application/json
{
  • "includeDetails": true,
  • "includePermissions": true,
  • "types": [
    ]
}

Response samples

Content type
application/json
{
  • "policies": [
    ]
}

AddAccessRequest adds a new access request entry in the access request list for the given resource. If the policy approval mode is "ALLOW_REQUESTED", access is allowed immediately. If the policy approval mode is "REQUIRE_APPROVAL", access will be pending until the request is approved.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

trafficgroup
required
string

Trafficgroup name.

setting
required
string

Setting name.

Request Body schema: application/json
required
access
required
object (v2Access)

Access is an access request for a subject with a set of permissions.

Example: Access { Subject: "organizations/demo/tenants/demo/applications/caller", Permissions: []string{"GET"} }

etag
string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications.)

Responses

Request samples

Content type
application/json
{
  • "access": {
    },
  • "etag": "string"
}

Response samples

Content type
application/json
{ }

ApproveAccessRequest approves an existing access request for the given resource. Once approved, the request will be removed from the requested list and added to the approved list. If any of the permissions are changed, the requested permissions will be discarded and only the approved permissions will be added to the approved list.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

trafficgroup
required
string

Trafficgroup name.

setting
required
string

Setting name.

Request Body schema: application/json
required
access
required
object (v2Access)

Access is an access request for a subject with a set of permissions.

Example: Access { Subject: "organizations/demo/tenants/demo/applications/caller", Permissions: []string{"GET"} }

etag
string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications.)

Responses

Request samples

Content type
application/json
{
  • "access": {
    },
  • "etag": "string"
}

Response samples

Content type
application/json
{ }

DeleteAccessRequest removes an existing entry from the access request list for the given resource. If the request is already approved, the request no longer exists and this operation will return NotFound. Deleting an approved request should be done using the DeleteApproved operation.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

trafficgroup
required
string

Trafficgroup name.

setting
required
string

Setting name.

Request Body schema: application/json
required
subject
required
string

Subject for which the access request is made.

Responses

Request samples

Content type
application/json
{
  • "subject": "string"
}

Response samples

Content type
application/json
{ }

GetPolicy returns the approval policy for the given resource.

path Parameters
organization
required
string

Organization name.

user
required
string

User name.

Responses

Response samples

Content type
application/json
{
  • "etag": "string",
  • "mode": "UNRESTRICTED",
  • "resource": "string",
  • "requested": [
    ],
  • "approved": [
    ],
  • "metadata": {
    }
}

SetPolicy enables authorization policy checks for the given resource and applies any provided request or approval settings. If the resource has existing policy settings, they will be replaced. Once the policy is set, authorization checks will be performed for the given resource.

path Parameters
organization
required
string

Organization name.

user
required
string

User name.

Request Body schema: application/json
required
approved
Array of objects (v2Access)

Approved is a list of subjects that are approved to access the resource.

etag
string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications.)
metadata
object (qv2Metadata)

Metadata includes additional information about an ApprovalPolicy or Access entity and the resources they apply to.

mode
required
string (v2ApprovalPolicyMode)
Default: "UNRESTRICTED"
Enum: "UNRESTRICTED" "ALLOW_REQUESTED" "REQUIRE_APPROVAL"
  • UNRESTRICTED: Allows all subjects in the same policy class to access the resource.
  • ALLOW_REQUESTED: Allows only the subjects in the request and approved list to access the resource.
  • REQUIRE_APPROVAL: Allows only the subjects in the approved list to access the resource.
requested
Array of objects (v2Access)

Requested is a list of subjects that are requested to access the resource but that have not yet been explicitly approved. The access mode of the policy will determine if the subjects in this list are given immediate access to the resource.

Responses

Request samples

Content type
application/json
{
  • "approved": [
    ],
  • "etag": "string",
  • "metadata": {
    },
  • "mode": "UNRESTRICTED",
  • "requested": [
    ]
}

Response samples

Content type
application/json
{ }

DeletePolicy deletes the approval policy configuration for the given resource. When deleted, authorization checks will no longer be performed, the resource will no longer accept approval requests and all existing approvals will be revoked.

path Parameters
organization
required
string

Organization name.

user
required
string

User name.

query Parameters
force
boolean

Force the deletion of internal resources even if they are protected against deletion.

Responses

Response samples

Content type
application/json
{ }

AddApprovedAccess adds a new entry in the approved access list for the given resource.

path Parameters
organization
required
string

Organization name.

user
required
string

User name.

Request Body schema: application/json
required
access
required
object (v2Access)

Access is an access request for a subject with a set of permissions.

Example: Access { Subject: "organizations/demo/tenants/demo/applications/caller", Permissions: []string{"GET"} }

etag
string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications.)

Responses

Request samples

Content type
application/json
{
  • "access": {
    },
  • "etag": "string"
}

Response samples

Content type
application/json
{ }

DeleteApprovedAccess deletes an entry from the approved list for the given resource.

path Parameters
organization
required
string

Organization name.

user
required
string

User name.

Request Body schema: application/json
required
subject
required
string

Subject for which the access request is made.

Responses

Request samples

Content type
application/json
{
  • "subject": "string"
}

Response samples

Content type
application/json
{ }

Approvals_QueryPolicies_variant_7

path Parameters
organization
required
string

Organization name.

user
required
string

User name.

Request Body schema: application/json
required
includeDetails
boolean

IncludeDetails indicates whether to include the details of the resources that are part of the policy. When set to true, the name and description of the resource are included in the response.

includePermissions
boolean

IncludePermissions indicates whether to include the user level permissions on resources that are part of the policy. When set to true, the user level permissions are included in the response.

types
required
Array of strings

Types lists the resource types to query for policies.

Responses

Request samples

Content type
application/json
{
  • "includeDetails": true,
  • "includePermissions": true,
  • "types": [
    ]
}

Response samples

Content type
application/json
{
  • "policies": [
    ]
}

AddAccessRequest adds a new access request entry in the access request list for the given resource. If the policy approval mode is "ALLOW_REQUESTED", access is allowed immediately. If the policy approval mode is "REQUIRE_APPROVAL", access will be pending until the request is approved.

path Parameters
organization
required
string

Organization name.

user
required
string

User name.

Request Body schema: application/json
required
access
required
object (v2Access)

Access is an access request for a subject with a set of permissions.

Example: Access { Subject: "organizations/demo/tenants/demo/applications/caller", Permissions: []string{"GET"} }

etag
string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications.)

Responses

Request samples

Content type
application/json
{
  • "access": {
    },
  • "etag": "string"
}

Response samples

Content type
application/json
{ }

ApproveAccessRequest approves an existing access request for the given resource. Once approved, the request will be removed from the requested list and added to the approved list. If any of the permissions are changed, the requested permissions will be discarded and only the approved permissions will be added to the approved list.

path Parameters
organization
required
string

Organization name.

user
required
string

User name.

Request Body schema: application/json
required
access
required
object (v2Access)

Access is an access request for a subject with a set of permissions.

Example: Access { Subject: "organizations/demo/tenants/demo/applications/caller", Permissions: []string{"GET"} }

etag
string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications.)

Responses

Request samples

Content type
application/json
{
  • "access": {
    },
  • "etag": "string"
}

Response samples

Content type
application/json
{ }

DeleteAccessRequest removes an existing entry from the access request list for the given resource. If the request is already approved, the request no longer exists and this operation will return NotFound. Deleting an approved request should be done using the DeleteApproved operation.

path Parameters
organization
required
string

Organization name.

user
required
string

User name.

Request Body schema: application/json
required
subject
required
string

Subject for which the access request is made.

Responses

Request samples

Content type
application/json
{
  • "subject": "string"
}

Response samples

Content type
application/json
{ }

Permissions

GetResourcePermission looks up the permissions that are allowed for the current principal on the given resource FQN. This is similar to QueryResourcePermission but limited to a single resource FQN.

path Parameters
organization
required
string

Organization name.

cluster
required
string

Cluster name.

Responses

Response samples

Content type
application/json
{
  • "rules": [
    ]
}

GetResourcePermission looks up the permissions that are allowed for the current principal on the given resource FQN. This is similar to QueryResourcePermission but limited to a single resource FQN.

path Parameters
organization
required
string

Organization name.

extension
required
string

Extension name.

Responses

Response samples

Content type
application/json
{
  • "rules": [
    ]
}

GetResourcePermission looks up the permissions that are allowed for the current principal on the given resource FQN. This is similar to QueryResourcePermission but limited to a single resource FQN.

path Parameters
organization
required
string

Organization name.

Responses

Response samples

Content type
application/json
{
  • "rules": [
    ]
}

GetResourcePermission looks up the permissions that are allowed for the current principal on the given resource FQN. This is similar to QueryResourcePermission but limited to a single resource FQN.

path Parameters
organization
required
string

Organization name.

serviceaccount
required
string

Serviceaccount name.

Responses

Response samples

Content type
application/json
{
  • "rules": [
    ]
}

GetResourcePermission looks up the permissions that are allowed for the current principal on the given resource FQN. This is similar to QueryResourcePermission but limited to a single resource FQN.

path Parameters
organization
required
string

Organization name.

service
required
string

Service name.

Responses

Response samples

Content type
application/json
{
  • "rules": [
    ]
}

GetResourcePermission looks up the permissions that are allowed for the current principal on the given resource FQN. This is similar to QueryResourcePermission but limited to a single resource FQN.

path Parameters
organization
required
string

Organization name.

setting
required
string

Setting name.

Responses

Response samples

Content type
application/json
{
  • "rules": [
    ]
}

GetResourcePermission looks up the permissions that are allowed for the current principal on the given resource FQN. This is similar to QueryResourcePermission but limited to a single resource FQN.

path Parameters
organization
required
string

Organization name.

team
required
string

Team name.

Responses

Response samples

Content type
application/json
{
  • "rules": [
    ]
}

GetResourcePermission looks up the permissions that are allowed for the current principal on the given resource FQN. This is similar to QueryResourcePermission but limited to a single resource FQN.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

application
required
string

Application name.

api
required
string

Api name.

Responses

Response samples

Content type
application/json
{
  • "rules": [
    ]
}

GetResourcePermission looks up the permissions that are allowed for the current principal on the given resource FQN. This is similar to QueryResourcePermission but limited to a single resource FQN.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

application
required
string

Application name.

Responses

Response samples

Content type
application/json
{
  • "rules": [
    ]
}

GetResourcePermission looks up the permissions that are allowed for the current principal on the given resource FQN. This is similar to QueryResourcePermission but limited to a single resource FQN.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

Responses

Response samples

Content type
application/json
{
  • "rules": [
    ]
}

GetResourcePermission looks up the permissions that are allowed for the current principal on the given resource FQN. This is similar to QueryResourcePermission but limited to a single resource FQN.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

setting
required
string

Setting name.

Responses

Response samples

Content type
application/json
{
  • "rules": [
    ]
}

GetResourcePermission looks up the permissions that are allowed for the current principal on the given resource FQN. This is similar to QueryResourcePermission but limited to a single resource FQN.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

gatewaygroup
required
string

Gatewaygroup name.

egressgateway
required
string

Egressgateway name.

Responses

Response samples

Content type
application/json
{
  • "rules": [
    ]
}

GetResourcePermission looks up the permissions that are allowed for the current principal on the given resource FQN. This is similar to QueryResourcePermission but limited to a single resource FQN.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

gatewaygroup
required
string

Gatewaygroup name.

ingressgateway
required
string

Ingressgateway name.

Responses

Response samples

Content type
application/json
{
  • "rules": [
    ]
}

GetResourcePermission looks up the permissions that are allowed for the current principal on the given resource FQN. This is similar to QueryResourcePermission but limited to a single resource FQN.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

gatewaygroup
required
string

Gatewaygroup name.

Responses

Response samples

Content type
application/json
{
  • "rules": [
    ]
}

GetResourcePermission looks up the permissions that are allowed for the current principal on the given resource FQN. This is similar to QueryResourcePermission but limited to a single resource FQN.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

gatewaygroup
required
string

Gatewaygroup name.

tier1gateway
required
string

Tier1gateway name.

Responses

Response samples

Content type
application/json
{
  • "rules": [
    ]
}

GetResourcePermission looks up the permissions that are allowed for the current principal on the given resource FQN. This is similar to QueryResourcePermission but limited to a single resource FQN.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

istiointernalgroup
required
string

Istiointernalgroup name.

Responses

Response samples

Content type
application/json
{
  • "rules": [
    ]
}

GetResourcePermission looks up the permissions that are allowed for the current principal on the given resource FQN. This is similar to QueryResourcePermission but limited to a single resource FQN.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

istiointernalgroup
required
string

Istiointernalgroup name.

setting
required
string

Setting name.

Responses

Response samples

Content type
application/json
{
  • "rules": [
    ]
}

GetResourcePermission looks up the permissions that are allowed for the current principal on the given resource FQN. This is similar to QueryResourcePermission but limited to a single resource FQN.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

Responses

Response samples

Content type
application/json
{
  • "rules": [
    ]
}

GetResourcePermission looks up the permissions that are allowed for the current principal on the given resource FQN. This is similar to QueryResourcePermission but limited to a single resource FQN.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

securitygroup
required
string

Securitygroup name.

Responses

Response samples

Content type
application/json
{
  • "rules": [
    ]
}

GetResourcePermission looks up the permissions that are allowed for the current principal on the given resource FQN. This is similar to QueryResourcePermission but limited to a single resource FQN.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

securitygroup
required
string

Securitygroup name.

setting
required
string

Setting name.

Responses

Response samples

Content type
application/json
{
  • "rules": [
    ]
}

GetResourcePermission looks up the permissions that are allowed for the current principal on the given resource FQN. This is similar to QueryResourcePermission but limited to a single resource FQN.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

setting
required
string

Setting name.

Responses

Response samples

Content type
application/json
{
  • "rules": [
    ]
}

GetResourcePermission looks up the permissions that are allowed for the current principal on the given resource FQN. This is similar to QueryResourcePermission but limited to a single resource FQN.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

trafficgroup
required
string

Trafficgroup name.

Responses

Response samples

Content type
application/json
{
  • "rules": [
    ]
}

GetResourcePermission looks up the permissions that are allowed for the current principal on the given resource FQN. This is similar to QueryResourcePermission but limited to a single resource FQN.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

trafficgroup
required
string

Trafficgroup name.

serviceroute
required
string

Serviceroute name.

Responses

Response samples

Content type
application/json
{
  • "rules": [
    ]
}

GetResourcePermission looks up the permissions that are allowed for the current principal on the given resource FQN. It is similar to QueryResourcePermission but limited to a single resource FQN.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

trafficgroup
required
string

Trafficgroup name.

setting
required
string

Setting name.

Responses

Response samples

Content type
application/json
{
  • "rules": [
    ]
}

GetResourcePermission looks up the permissions that are allowed for the current principal on the given resource FQN. It is similar to QueryResourcePermission but limited to a single resource FQN.

path Parameters
organization
required
string

Organization name.

user
required
string

User name.

Responses

Response samples

Content type
application/json
{
  • "rules": [
    ]
}

QueryResourcePermission looks up the permissions that are allowed for the current principal. Multiple records can be queried with a single request. The limit is 100 queries per request; looking up more than that requires multiple requests.

Request Body schema: application/json
required

Request to query permissions on multiple records.

Example: QueryResourcePermissionsRequest { Queries: []Query{ Query{ QueryID: "1234", Kind: Query_Fqn{ Fqn: "tetrate/tenants/default/workspaces/example" } } } }

Array of objects (Query format of the resource lookup for the permission check)

One or more resources to query permissions on, limited to 100 per request.

Array
queryId
string

Optional ID that is an open string the caller can use for correlation purposes.

fqn
string

Fully-qualified name of the resource.

Responses

Request samples

Content type
application/json
{
  • "queries": [
    ]
}

Response samples

Content type
application/json
{
  • "results": [
    ]
}
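
The following Python is an added example (not code from the TSB API reference or from Tetrate) showing how a client honours the 100-query limit described above: it splits an arbitrary list of FQNs into batches, gives each query a queryId so results can be correlated back to the FQN, and treats an FQN with no returned result as unresolved rather than as allowed. The `transport` callable, the `StubTransport` class and the contents of the returned result objects (an echoed `queryId` and a `rules` list) are assumptions that stand in for the real HTTP call and response.

```python
# Added example: batching lookups for QueryResourcePermission.
# Not code from the TSB API reference; the transport and stub are assumptions.
import uuid
from typing import Callable, Dict, Iterable, List, Optional

# Stated on the page: at most 100 queries per request.
MAX_QUERIES_PER_REQUEST = 100

# Assumed transport: a callable that sends one request body to the
# QueryResourcePermission endpoint and returns the decoded JSON response.
Transport = Callable[[dict], dict]


def chunked(items: List[str], size: int) -> Iterable[List[str]]:
    """Yield consecutive slices of at most `size` items."""
    for start in range(0, len(items), size):
        yield items[start:start + size]


def build_request(fqns: List[str]) -> dict:
    """Build one request body; every query gets an opaque queryId for correlation."""
    if len(fqns) > MAX_QUERIES_PER_REQUEST:
        raise ValueError("at most %d queries per request" % MAX_QUERIES_PER_REQUEST)
    return {"queries": [{"queryId": uuid.uuid4().hex, "fqn": fqn} for fqn in fqns]}


def query_permissions(transport: Transport, fqns: List[str]) -> Dict[str, Optional[dict]]:
    """Look up permissions for any number of FQNs, splitting into batches of 100.

    Returns fqn -> result object as returned by the server. An FQN the server
    did not answer for maps to None, so callers fail closed instead of
    inferring access from a missing entry.
    """
    results: Dict[str, Optional[dict]] = {fqn: None for fqn in fqns}
    unique = list(dict.fromkeys(fqns))  # keep order, drop duplicates
    for batch in chunked(unique, MAX_QUERIES_PER_REQUEST):
        body = build_request(batch)
        fqn_by_id = {q["queryId"]: q["fqn"] for q in body["queries"]}
        response = transport(body)
        for result in response.get("results", []):
            fqn = fqn_by_id.get(result.get("queryId"))
            if fqn is None:
                continue  # a result we never asked for is not trusted
            results[fqn] = result
    return results


class StubTransport:
    """Constructed stand-in for the endpoint (not TSB code).

    Echoes each queryId, which is how the correlation ID is meant to be used,
    and returns a placeholder rule only for FQNs inside the example workspace.
    """

    EXAMPLE_WORKSPACE = "tetrate/tenants/default/workspaces/example"

    def __init__(self) -> None:
        self.calls = 0
        self.largest_batch = 0

    def __call__(self, body: dict) -> dict:
        queries = body["queries"]
        if len(queries) > MAX_QUERIES_PER_REQUEST:
            raise ValueError("server would reject this batch")
        self.calls += 1
        self.largest_batch = max(self.largest_batch, len(queries))
        results = []
        for q in queries:
            rules = ["placeholder-rule"] if q["fqn"].startswith(self.EXAMPLE_WORKSPACE) else []
            results.append({"queryId": q["queryId"], "rules": rules})
        return {"results": results}


def run_demo() -> tuple:
    """Constructed run: 250 workspace FQNs plus one outside it need 3 requests."""
    fqns = ["%s/trafficgroups/tg-%d" % (StubTransport.EXAMPLE_WORKSPACE, i) for i in range(250)]
    fqns.append("tetrate/tenants/other/workspaces/private")
    stub = StubTransport()
    results = query_permissions(stub, fqns)
    return stub.calls, stub.largest_batch, results


def oversized_request_rejected() -> bool:
    """build_request refuses a batch over the page's stated limit."""
    try:
        build_request(["x"] * (MAX_QUERIES_PER_REQUEST + 1))
    except ValueError:
        return True
    return False
```

With a real client, `transport` would be the function that POSTs the body to the QueryResourcePermission endpoint with the caller's credentials; everything else stays the same. Keeping the unanswered-FQN case as `None` matters for authorization code: a missing result should never be read as "no rules, so nothing to deny".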

Policy

Get the global RBAC access policy. The global RBAC access policy configures who can manage the Role objects in TSB.

Responses

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "etag": "string",
  • "description": "string",
  • "allow": [
    ]
}

Set the global RBAC access policy. The global RBAC access policy configures who can manage the Role objects in TSB.

Request Body schema: application/json
required

A policy defines the set of subjects that can access a resource and under which conditions that access is granted.

etag
string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)
description
string (A description of the resource. $hide_from_yaml)
Array of objects (rbacv2Binding)

The list of allowed bindings configures the different access profiles that are allowed on the resource configured by the policy.

Responses

Request samples

Content type
application/json
{
  • "etag": "string",
  • "description": "string",
  • "allow": [
    ]
}

Response samples

Content type
application/json
{ }

Get the root access policy. The root access policy configures global permissions for the platform. Subjects assigned to a root policy will be granted the permissions described in the policy to all objects in TSB.

Responses

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "etag": "string",
  • "description": "string",
  • "allow": [
    ]
}

Set the root access policy. The root access policy configures global permissions for the platform. Subjects assigned to a root policy will be granted the permissions described in the policy to all objects in TSB.

Request Body schema: application/json
required

A policy defines the set of subjects that can access a resource and under which conditions that access is granted.

etag
string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)
description
string (A description of the resource. $hide_from_yaml)
Array of objects (rbacv2Binding)

The list of allowed bindings configures the different access profiles that are allowed on the resource configured by the policy.

Responses

Request samples

Content type
application/json
{
  • "etag": "string",
  • "description": "string",
  • "allow": [
    ]
}

Response samples

Content type
application/json
{ }
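
Every Set call on this page, the global RBAC policy and root policy above and the per-resource access policies below, carries the same requirement: the request must include the etag returned by the preceding Get, so that a writer holding a stale view cannot silently overwrite another writer's bindings. The following Python is an added example, not TSB code, of the read-modify-write loop that requirement implies. `PolicyStore` is a constructed stand-in for the Get/Set endpoints, its etag derivation is illustrative (the page does not describe how TSB computes the etag), and the binding dicts are placeholders rather than the rbacv2Binding schema.

```python
# Added example: etag-guarded read-modify-write of an access policy.
# Not TSB code; PolicyStore stands in for the real Get/Set endpoints.
import copy
import hashlib
import json
from typing import Callable, List, Tuple


class ConflictError(Exception):
    """Raised when the etag in a Set request no longer matches the stored policy."""


class PolicyStore:
    """Constructed stand-in for one policy resource with Get/Set semantics."""

    def __init__(self, fqn: str) -> None:
        self.policy = {"fqn": fqn, "description": "", "allow": []}
        self.policy["etag"] = self._compute_etag()

    def _compute_etag(self) -> str:
        # Illustrative only: hash of the canonical policy content. The page
        # says the server computes the etag but not how TSB derives it.
        content = json.dumps(
            {"description": self.policy["description"], "allow": self.policy["allow"]},
            sort_keys=True,
        )
        return hashlib.sha256(content.encode()).hexdigest()[:16]

    def get(self) -> dict:
        return copy.deepcopy(self.policy)

    def set(self, body: dict) -> None:
        # A Set whose etag does not match the current state is refused; this
        # is what turns a lost update into a visible conflict.
        if body.get("etag") != self.policy["etag"]:
            raise ConflictError("stale etag; re-read the policy and retry")
        self.policy["description"] = body.get("description", "")
        self.policy["allow"] = copy.deepcopy(body["allow"])
        self.policy["etag"] = self._compute_etag()


def update_policy(store: PolicyStore, mutate: Callable[[dict], dict], max_attempts: int = 3) -> int:
    """Apply `mutate` to the current policy; re-read and retry on etag conflict.

    Returns the number of attempts used. Each Set carries the etag from the
    Get it was derived from, so either nothing changed in between or the
    server rejects the write and the loop starts from fresh state.
    """
    for attempt in range(1, max_attempts + 1):
        current = store.get()
        desired = mutate(copy.deepcopy(current))
        body = {
            "etag": current["etag"],
            "description": desired["description"],
            "allow": desired["allow"],
        }
        try:
            store.set(body)
            return attempt
        except ConflictError:
            if attempt == max_attempts:
                raise
    raise AssertionError("unreachable")


def add_binding(binding: dict) -> Callable[[dict], dict]:
    """Mutation that appends one binding to the allow list if absent."""
    def mutate(policy: dict) -> dict:
        if binding not in policy["allow"]:
            policy["allow"].append(binding)
        return policy
    return mutate


def run_demo() -> Tuple[int, List[dict]]:
    """Constructed race: B commits while A is preparing an update from an older etag."""
    store = PolicyStore("tetrate/tenants/default")  # placeholder FQN
    binding_a = {"placeholder": "binding-added-by-A"}
    binding_b = {"placeholder": "binding-added-by-B"}
    calls = {"n": 0}

    def mutate_a(policy: dict) -> dict:
        calls["n"] += 1
        if calls["n"] == 1:
            # Simulated interleaving: B's update lands between A's Get and Set.
            update_policy(store, add_binding(binding_b))
        return add_binding(binding_a)(policy)

    attempts = update_policy(store, mutate_a)
    return attempts, store.get()["allow"]


def stale_write_rejected() -> bool:
    """Direct check that a Set carrying an old etag is refused."""
    store = PolicyStore("tetrate/tenants/default")
    old = store.get()
    store.set({"etag": old["etag"], "description": "first", "allow": []})
    try:
        store.set({"etag": old["etag"], "description": "second", "allow": []})
    except ConflictError:
        return True
    return False
```

In the constructed race, A's first Set is rejected because B's commit changed the etag; the second attempt re-reads, sees B's binding, and appends its own, so the final allow list holds both. A client that stored the etag once and reused it, or omitted it, would get exactly the silent overwrite the field exists to prevent.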

Get the access policy for the given resource.

path Parameters
organization
required
string

Organization name.

cluster
required
string

Cluster name.

Responses

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "etag": "string",
  • "description": "string",
  • "allow": [
    ]
}

Set the access policy for the given resource.

path Parameters
organization
required
string

Organization name.

cluster
required
string

Cluster name.

Request Body schema: application/json
required
Array of objects (rbacv2Binding)

The list of allowed bindings configures the different access profiles that are allowed on the resource configured by the policy.

description
string (A description of the resource. $hide_from_yaml)
etag
string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)

Responses

Request samples

Content type
application/json
{
  • "allow": [
    ],
  • "description": "string",
  • "etag": "string"
}

Response samples

Content type
application/json
{ }

Get the access policy for the given resource.

path Parameters
organization
required
string

Organization name.

extension
required
string

Extension name.

Responses

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "etag": "string",
  • "description": "string",
  • "allow": [
    ]
}

Set the access policy for the given resource.

path Parameters
organization
required
string

Organization name.

extension
required
string

Extension name.

Request Body schema: application/json
required
Array of objects (rbacv2Binding)

The list of allowed bindings configures the different access profiles that are allowed on the resource configured by the policy.

description
string (A description of the resource. $hide_from_yaml)
etag
string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)

Responses

Request samples

Content type
application/json
{
  • "allow": [
    ],
  • "description": "string",
  • "etag": "string"
}

Response samples

Content type
application/json
{ }

Get the access policy for the given resource.

path Parameters
organization
required
string

Organization name.

Responses

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "etag": "string",
  • "description": "string",
  • "allow": [
    ]
}

Set the access policy for the given resource.

path Parameters
organization
required
string

Organization name.

Request Body schema: application/json
required
Array of objects (rbacv2Binding)

The list of allowed bindings configures the different access profiles that are allowed on the resource configured by the policy.

description
string (A description of the resource. $hide_from_yaml)
etag
string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)

Responses

Request samples

Content type
application/json
{
  • "allow": [
    ],
  • "description": "string",
  • "etag": "string"
}

Response samples

Content type
application/json
{ }

Get the access policy for the given resource.

path Parameters
organization
required
string

Organization name.

serviceaccount
required
string

Serviceaccount name.

Responses

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "etag": "string",
  • "description": "string",
  • "allow": [
    ]
}

Set the access policy for the given resource.

path Parameters
organization
required
string

Organization name.

serviceaccount
required
string

Serviceaccount name.

Request Body schema: application/json
required
Array of objects (rbacv2Binding)

The list of allowed bindings configures the different access profiles that are allowed on the resource configured by the policy.

description
string (A description of the resource. $hide_from_yaml)
etag
string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)

Responses

Request samples

Content type
application/json
{
  • "allow": [
    ],
  • "description": "string",
  • "etag": "string"
}

Response samples

Content type
application/json
{ }

Get the access policy for the given resource.

path Parameters
organization
required
string

Organization name.

service
required
string

Service name.

Responses

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "etag": "string",
  • "description": "string",
  • "allow": [
    ]
}

Set the access policy for the given resource.

path Parameters
organization
required
string

Organization name.

service
required
string

Service name.

Request Body schema: application/json
required
Array of objects (rbacv2Binding)

The list of allowed bindings configures the different access profiles that are allowed on the resource configured by the policy.

description
string (A description of the resource. $hide_from_yaml)
etag
string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)

Responses

Request samples

Content type
application/json
{
  • "allow": [
    ],
  • "description": "string",
  • "etag": "string"
}

Response samples

Content type
application/json
{ }

Get the access policy for the given resource.

path Parameters
organization
required
string

Organization name.

setting
required
string

Setting name.

Responses

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "etag": "string",
  • "description": "string",
  • "allow": [
    ]
}

Set the access policy for the given resource.

path Parameters
organization
required
string

Organization name.

setting
required
string

Setting name.

Request Body schema: application/json
required
Array of objects (rbacv2Binding)

The list of allowed bindings configures the different access profiles that are allowed on the resource configured by the policy.

description
string (A description of the resource. $hide_from_yaml)
etag
string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)

Responses

Request samples

Content type
application/json
{
  • "allow": [
    ],
  • "description": "string",
  • "etag": "string"
}

Response samples

Content type
application/json
{ }

Get the access policy for the given resource.

path Parameters
organization
required
string

Organization name.

team
required
string

Team name.

Responses

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "etag": "string",
  • "description": "string",
  • "allow": [
    ]
}

Set the access policy for the given resource.

path Parameters
organization
required
string

Organization name.

team
required
string

Team name.

Request Body schema: application/json
required
Array of objects (rbacv2Binding)

The list of allowed bindings configures the different access profiles that are allowed on the resource configured by the policy.

description
string (A description of the resource. $hide_from_yaml)
etag
string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)

Responses

Request samples

Content type
application/json
{
  • "allow": [
    ],
  • "description": "string",
  • "etag": "string"
}

Response samples

Content type
application/json
{ }

Get the access policy for the given resource.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

application
required
string

Application name.

api
required
string

Api name.

Responses

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "etag": "string",
  • "description": "string",
  • "allow": [
    ]
}

Set the access policy for the given resource.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

application
required
string

Application name.

api
required
string

Api name.

Request Body schema: application/json
required
Array of objects (rbacv2Binding)

The list of allowed bindings configures the different access profiles that are allowed on the resource configured by the policy.

description
string (A description of the resource. $hide_from_yaml)
etag
string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)

Responses

Request samples

Content type
application/json
{
  • "allow": [
    ],
  • "description": "string",
  • "etag": "string"
}

Response samples

Content type
application/json
{ }

Get the access policy for the given resource.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

application
required
string

Application name.

Responses

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "etag": "string",
  • "description": "string",
  • "allow": [
    ]
}

Set the access policy for the given resource.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

application
required
string

Application name.

Request Body schema: application/json
required
Array of objects (rbacv2Binding)

The list of allowed bindings configures the different access profiles that are allowed on the resource configured by the policy.

description
string (A description of the resource. $hide_from_yaml)
etag
string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)

Responses

Request samples

Content type
application/json
{
  • "allow": [
    ],
  • "description": "string",
  • "etag": "string"
}

Response samples

Content type
application/json
{ }

Get the access policy for the given resource.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

Responses

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "etag": "string",
  • "description": "string",
  • "allow": [
    ]
}

Set the access policy for the given resource.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

Request Body schema: application/json
required
Array of objects (rbacv2Binding)

The list of allowed bindings configures the different access profiles that are allowed on the resource configured by the policy.

description
string (A description of the resource. $hide_from_yaml)
etag
string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)

Responses

Request samples

Content type
application/json
{
  • "allow": [
    ],
  • "description": "string",
  • "etag": "string"
}

Response samples

Content type
application/json
{ }

Get the access policy for the given resource.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

setting
required
string

Setting name.

Responses

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "etag": "string",
  • "description": "string",
  • "allow": [
    ]
}

Set the access policy for the given resource.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

setting
required
string

Setting name.

Request Body schema: application/json
required
Array of objects (rbacv2Binding)

The list of allowed bindings configures the different access profiles that are allowed on the resource configured by the policy.

description
string (A description of the resource. $hide_from_yaml)
etag
string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)

Responses

Request samples

Content type
application/json
{
  • "allow": [
    ],
  • "description": "string",
  • "etag": "string"
}

Response samples

Content type
application/json
{ }

Get the access policy for the given resource.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

gatewaygroup
required
string

Gatewaygroup name.

egressgateway
required
string

Egressgateway name.

Responses

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "etag": "string",
  • "description": "string",
  • "allow": [
    ]
}

Set the access policy for the given resource.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

gatewaygroup
required
string

Gatewaygroup name.

egressgateway
required
string

Egressgateway name.

Request Body schema: application/json
required
Array of objects (rbacv2Binding)

The list of allowed bindings configures the different access profiles that are allowed on the resource configured by the policy.

description
string (A description of the resource. $hide_from_yaml)
etag
string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)

Responses

Request samples

Content type
application/json
{
  • "allow": [
    ],
  • "description": "string",
  • "etag": "string"
}

Response samples

Content type
application/json
{ }

Get the access policy for the given resource.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

gatewaygroup
required
string

Gatewaygroup name.

ingressgateway
required
string

Ingressgateway name.

Responses

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "etag": "string",
  • "description": "string",
  • "allow": [
    ]
}

Set the access policy for the given resource.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

gatewaygroup
required
string

Gatewaygroup name.

ingressgateway
required
string

Ingressgateway name.

Request Body schema: application/json
required
Array of objects (rbacv2Binding)

The list of allowed bindings configures the different access profiles that are allowed on the resource configured by the policy.

description
string (A description of the resource. $hide_from_yaml)
etag
string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)

Responses

Request samples

Content type
application/json
{
  • "allow": [
    ],
  • "description": "string",
  • "etag": "string"
}

Response samples

Content type
application/json
{ }

Get the access policy for the given resource.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

gatewaygroup
required
string

Gatewaygroup name.

Responses

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "etag": "string",
  • "description": "string",
  • "allow": [
    ]
}

Set the access policy for the given resource.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

gatewaygroup
required
string

Gatewaygroup name.

Request Body schema: application/json
required
Array of objects (rbacv2Binding)

The list of allowed bindings configures the different access profiles that are allowed on the resource configured by the policy.

description
string (A description of the resource. $hide_from_yaml)
etag
string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)

Responses

Request samples

Content type
application/json
{
  • "allow": [
    ],
  • "description": "string",
  • "etag": "string"
}

Response samples

Content type
application/json
{ }

Get the access policy for the given resource.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

gatewaygroup
required
string

Gatewaygroup name.

tier1gateway
required
string

Tier1gateway name.

Responses

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "etag": "string",
  • "description": "string",
  • "allow": [
    ]
}

Set the access policy for the given resource.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

gatewaygroup
required
string

Gatewaygroup name.

tier1gateway
required
string

Tier1gateway name.

Request Body schema: application/json
required
Array of objects (rbacv2Binding)

The list of allowed bindings configures the different access profiles that are allowed on the resource configured by the policy.

description
string (A description of the resource. $hide_from_yaml)
etag
string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)

Responses

Request samples

Content type
application/json
{
  • "allow": [
    ],
  • "description": "string",
  • "etag": "string"
}

Response samples

Content type
application/json
{ }

Get the access policy for the given resource.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

istiointernalgroup
required
string

Istiointernalgroup name.

Responses

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "etag": "string",
  • "description": "string",
  • "allow": [
    ]
}

Set the access policy for the given resource.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

istiointernalgroup
required
string

Istiointernalgroup name.

Request Body schema: application/json
required
Array of objects (rbacv2Binding)

The list of allowed bindings configures the different access profiles that are allowed on the resource configured by the policy.

description
string (A description of the resource. $hide_from_yaml)
etag
string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)

Responses

Request samples

Content type
application/json
{
  • "allow": [
    ],
  • "description": "string",
  • "etag": "string"
}

Response samples

Content type
application/json
{ }

Get the access policy for the given resource.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

istiointernalgroup
required
string

Istiointernalgroup name.

setting
required
string

Setting name.

Responses

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "etag": "string",
  • "description": "string",
  • "allow": [
    ]
}

Set the access policy for the given resource.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

istiointernalgroup
required
string

Istiointernalgroup name.

setting
required
string

Setting name.

Request Body schema: application/json
required
Array of objects (rbacv2Binding)

The list of allowed bindings configures the different access profiles that are allowed on the resource configured by the policy.

description
string (A description of the resource. $hide_from_yaml)
etag
string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)

Responses

Request samples

Content type
application/json
{
  • "allow": [
    ],
  • "description": "string",
  • "etag": "string"
}

Response samples

Content type
application/json
{ }

Get the access policy for the given resource.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

Responses

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "etag": "string",
  • "description": "string",
  • "allow": [
    ]
}

Set the access policy for the given resource.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

Request Body schema: application/json
required
Array of objects (rbacv2Binding)

The list of allowed bindings configures the different access profiles that are allowed on the resource configured by the policy.

description
string (A description of the resource. $hide_from_yaml)
etag
string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)

Responses

Request samples

Content type
application/json
{
  • "allow": [
    ],
  • "description": "string",
  • "etag": "string"
}

Response samples

Content type
application/json
{ }

Get the access policy for the given resource.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

securitygroup
required
string

Securitygroup name.

Responses

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "etag": "string",
  • "description": "string",
  • "allow": [
    ]
}

Set the access policy for the given resource.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

securitygroup
required
string

Securitygroup name.

Request Body schema: application/json
required
Array of objects (rbacv2Binding)

The list of allowed bindings configures the different access profiles that are allowed on the resource configured by the policy.

description
string (A description of the resource. $hide_from_yaml)
etag
string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)

Responses

Request samples

Content type
application/json
{
  • "allow": [
    ],
  • "description": "string",
  • "etag": "string"
}

Response samples

Content type
application/json
{ }

Get the access policy for the given resource.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

securitygroup
required
string

Securitygroup name.

setting
required
string

Setting name.

Responses

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "etag": "string",
  • "description": "string",
  • "allow": [
    ]
}

Set the access policy for the given resource.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

securitygroup
required
string

Securitygroup name.

setting
required
string

Setting name.

Request Body schema: application/json
required
Array of objects (rbacv2Binding)

The list of allowed bindings configures the different access profiles that are allowed on the resource configured by the policy.

description
string (A description of the resource. $hide_from_yaml)
etag
string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)

Responses

Request samples

Content type
application/json
{
  • "allow": [
    ],
  • "description": "string",
  • "etag": "string"
}

Response samples

Content type
application/json
{ }

Get the access policy for the given resource.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

setting
required
string

Setting name.

Responses

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "etag": "string",
  • "description": "string",
  • "allow": [
    ]
}

Set the access policy for the given resource.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

setting
required
string

Setting name.

Request Body schema: application/json
required
Array of objects (rbacv2Binding)

The list of allowed bindings configures the different access profiles that are allowed on the resource configured by the policy.

description
string (A description of the resource. $hide_from_yaml)
etag
string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)

Responses

Request samples

Content type
application/json
{
  • "allow": [
    ],
  • "description": "string",
  • "etag": "string"
}

Response samples

Content type
application/json
{ }

Get the access policy for the given resource.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

trafficgroup
required
string

Trafficgroup name.

Responses

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "etag": "string",
  • "description": "string",
  • "allow": [
    ]
}

Set the access policy for the given resource.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

trafficgroup
required
string

Trafficgroup name.

Request Body schema: application/json
required
Array of objects (rbacv2Binding)

The list of allowed bindings configures the different access profiles that are allowed on the resource configured by the policy.

description
string (A description of the resource. $hide_from_yaml)
etag
string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)

Responses

Request samples

Content type
application/json
{
  • "allow": [
    ],
  • "description": "string",
  • "etag": "string"
}

Response samples

Content type
application/json
{ }

Get the access policy for the given resource.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

trafficgroup
required
string

Trafficgroup name.

serviceroute
required
string

Serviceroute name.

Responses

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "etag": "string",
  • "description": "string",
  • "allow": [
    ]
}

Set the access policy for the given resource.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

trafficgroup
required
string

Trafficgroup name.

serviceroute
required
string

Serviceroute name.

Request Body schema: application/json
required
Array of objects (rbacv2Binding)

The list of allowed bindings configures the different access profiles that are allowed on the resource configured by the policy.

description
string (A description of the resource. $hide_from_yaml)
etag
string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)

Responses

Request samples

Content type
application/json
{
  • "allow": [
    ],
  • "description": "string",
  • "etag": "string"
}

Response samples

Content type
application/json
{ }

Get the access policy for the given resource.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

trafficgroup
required
string

Trafficgroup name.

setting
required
string

Setting name.

Responses

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "etag": "string",
  • "description": "string",
  • "allow": [
    ]
}

Set the access policy for the given resource.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

trafficgroup
required
string

Trafficgroup name.

setting
required
string

Setting name.

Request Body schema: application/json
required
Array of objects (rbacv2Binding)

The list of allowed bindings configures the different access profiles that are allowed on the resource configured by the policy.

description
string (A description of the resource. $hide_from_yaml)
etag
string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)

Responses

Request samples

Content type
application/json
{
  • "allow": [
    ],
  • "description": "string",
  • "etag": "string"
}

Response samples

Content type
application/json
{ }

Get the access policy for the given resource.

path Parameters
organization
required
string

Organization name.

user
required
string

User name.

Responses

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "etag": "string",
  • "description": "string",
  • "allow": [
    ]
}

Set the access policy for the given resource.

path Parameters
organization
required
string

Organization name.

user
required
string

User name.

Request Body schema: application/json
required
Array of objects (rbacv2Binding)

The list of allowed bindings configures the different access profiles that are allowed on the resource configured by the policy.

description
string (A description of the resource. $hide_from_yaml)
etag
string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)

Responses

Request samples

Content type
application/json
{
  • "allow": [
    ],
  • "description": "string",
  • "etag": "string"
}

Response samples

Content type
application/json
{ }

RBAC

List all existing roles.

Responses

Response samples

Content type
application/json
{
  • "roles": [
    ]
}

Create a new role.

Request Body schema: application/json
required

Request to create a Role.

name
required
string

The short name for the resource to be created.

required
object (v2Role)

Role is a named collection of permissions that can be assigned to any user or team in the system. The set of actions that can be performed by a user, such as the ability to create, delete, or update configuration, will depend on the permissions associated with the user's role. Roles are global resources that are defined once. AccessBindings in each configuration group will bind a user to a specific role defined a priori.

TSB comes with the following predefined roles:

Role          Permissions            Description
rbac/admin    *                      Grants full access to the target resource and its child objects
rbac/editor   Read, Write, Create    Grants read/write access to a resource and allows creating child resources
rbac/creator  Read, Create           Useful to delegate access to a resource without giving write access to the object itself. Users with this role will be able to manage sub-resources but not the resource itself
rbac/writer   Read, Write            Grants read and write access permissions
rbac/reader   Read                   Grants read-only permissions to a resource

The following example declares a custom workspace-admin role with the ability to create and delete configurations and the ability to set RBAC policies on the groups within the workspace.

apiVersion: rbac.tsb.tetrate.io/v2
kind: Role
metadata:
  name: role1
spec:
  rules:
  - types:
    - apiGroup: api.tsb.tetrate.io/v2
      kinds:
      - WorkspaceSetting
    permissions:
    - CREATE
    - READ
    - DELETE
    - WRITE
    - SET_POLICY

Responses

Request samples

Content type
application/json
{
  • "name": "string",
  • "role": {
    }
}

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "displayName": "string",
  • "etag": "string",
  • "description": "string",
  • "rules": [
    ]
}

Get the details of the given role.

path Parameters
rba
required
string

Rba name.

Responses

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "displayName": "string",
  • "etag": "string",
  • "description": "string",
  • "rules": [
    ]
}

Modify a role.

path Parameters
rba
required
string

Rba name.

Request Body schema: application/json
required
description
string (A description of the resource. $hide_from_yaml)
displayName
string (User friendly name for the resource. $hide_from_yaml)
etag
string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)
Array of objects (A rule defines the set of api groups)

A set of rules that define the permissions associated with each API group.

Responses

Request samples

Content type
application/json
{
  • "description": "string",
  • "displayName": "string",
  • "etag": "string",
  • "rules": [
    ]
}

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "displayName": "string",
  • "etag": "string",
  • "description": "string",
  • "rules": [
    ]
}

Delete a role. Roles that are in use by policies attached to existing resources cannot be deleted.

path Parameters
rba
required
string

Rba name.

Responses

Response samples

Content type
application/json
{ }

Get the Kubernetes ClusterRole associated with the given TSB Role. Returns the ClusterRole formatted as a JSON or YAML depending on the Accept header: application/json or application/yaml. If no Accept header is provided, the response will be in YAML format.

path Parameters
rba
required
string

Rba name.

Responses

Response samples

Content type
application/json
{
  • "contentType": "string",
  • "data": "string",
  • "extensions": [
    ]
}

Lookup

Get all the services in the registry that are part of the given selector. This method can be used to resolve the registered services that are part of a workspace or group. It can also be used to figure out how applying a selector would affect the platform, by showing which of the existing services would be included in the selection.

Request Body schema: application/json
required

Request for all the services in the registry that are part of the given selector.

required
object (`NamespaceSelector` selects a set of namespaces across one or more clusters in a tenant. Namespace selectors can be used at Workspace level to carve out a chunk of resources under a tenant into an isolated configuration domain. They can be used in a Traffic, Security, or a Gateway group to further scope the set of namespaces that will belong to a specific configuration group. Names in namespaces selector must be in the form `cluster/namespace` where: - cluster must be a cluster name or an `*` to mean all clusters - namespace must be a namespace name, an `*` to mean all namespaces or a prefix like `ns-*` to mean all those namespaces starting by `ns-`)
parent
required
string (The FQN of the parent object where services will be looked up)

Responses

Request samples

Content type
application/json
{
  • "selector": {
    },
  • "parent": "string"
}

Response samples

Content type
application/json
{
  • "services": [
    ]
}

Get all the groups that configure the given service in the registry.

path Parameters
organization
required
string

Organization name.

service
required
string

Service name.

Responses

Response samples

Content type
application/json
{
  • "trafficGroups": [
    ],
  • "securityGroups": [
    ],
  • "gatewayGroups": [
    ],
  • "istioInternalGroups": [
    ]
}

Registration

List the services that have been registered in an organization

path Parameters
organization
required
string

Organization name.

Responses

Response samples

Content type
application/json
{
  • "services": [
    ]
}

Register the given service in the organization. Services in the registry are deduplicated so that the same service running in different clusters is represented as a single entity in the registry. The service returned by this method is the result of deduplicating the service. This API is currently only intended for internal use by the discovery agents. $hide_from_docs

path Parameters
organization
required
string

Organization name.

Request Body schema: application/json
required
canonicalName
string

Optional canonical name that identifies this service.

cluster
required
string

Name of the cluster the service belongs to. It is used to load the deduplication settings configured for that cluster.

externalAddresses
Array of strings

For Kubernetes services of type LoadBalancer, this field contains the list of load balancer hostnames or IPs assigned to the service.

hostnames
Array of strings

The hostnames by which this service is accessed. It corresponds to the gateway virtual hosts. This field is expected to be empty if the service is not publicly accessible.

internalHostnames
Array of strings (The hostnames by which this service is accessed internally. Can correspond to the FQDN of the service or to the hostnames provided by an external service (E.g. service entry))
namespace
required
string

Namespace associated with the service. It will be used in deduplication logic.

Array of objects (registryv2Port)

The set of ports on which this service is exposed.

serviceType
required
string (v2ServiceType)
Default: "INVALID_TYPE"
Enum: "INVALID_TYPE" "INTERNAL" "LOADBALANCER" "MESH_EXTERNAL"

ServiceType denotes how a service is exposed in the mesh.

  • INTERNAL: A regular service that is not directly exposed to the outside world.
  • LOADBALANCER: A load balancer service running only the proxy as the workload.
  • MESH_EXTERNAL: A mesh external service.
shortName
required
string

Short name for the service, used to uniquely identify it within the organization.

source
required
string

Source of the service: Kubernetes, Istio, Consul, etc.

spiffeIds
Array of strings

List of SPIFFE identities used by the workloads of the service.

state
required
string (registryv2State)
Default: "INVALID_STATE"
Enum: "INVALID_STATE" "EXTERNAL" "OBSERVED" "CONTROLLED"

State denotes how much the mesh knows about a service: whether the service can be controlled, observed, or neither.

  • EXTERNAL: An external service is a service that is known, but that cannot be observed (we can't get metrics for it) and cannot be controlled.
  • OBSERVED: An observed service is a known service that we can have metrics for. For example, a service running the Skywalking agents.
  • CONTROLLED: A controlled service is a service that is part of the mesh, has a proxy we can configure and can be observed with Skywalking agents.
subsets
Array of strings

Known subsets for the service. A subset denotes a specific version of a service; by default the 'version' label is used to designate subsets of a workload.

Responses

Request samples

Content type
application/json
{
  • "canonicalName": "string",
  • "cluster": "string",
  • "externalAddresses": [
    ],
  • "hostnames": [
    ],
  • "internalHostnames": [
    ],
  • "namespace": "string",
  • "ports": [
    ],
  • "serviceType": "INVALID_TYPE",
  • "shortName": "string",
  • "source": "string",
  • "spiffeIds": [
    ],
  • "state": "INVALID_STATE",
  • "subsets": [
    ]
}

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "displayName": "string",
  • "etag": "string",
  • "description": "string",
  • "shortName": "string",
  • "hostnames": [
    ],
  • "ports": [
    ],
  • "subsets": [
    ],
  • "serviceType": "INVALID_TYPE",
  • "externalAddresses": [
    ],
  • "state": "INVALID_STATE",
  • "metrics": [
    ],
  • "serviceDeployments": [
    ],
  • "subsetDeployments": [
    ],
  • "canonicalName": "string",
  • "spiffeIds": [
    ],
  • "internalHostnames": [
    ],
  • "hostnameDeployments": [
    ],
  • "internalHostnameDeployments": [
    ]
}

Remove the given service from the organization registry. This API is currently only intended for internal use by the discovery agents. $hide_from_docs

path Parameters
organization
required
string

Organization name.

Request Body schema: application/json
required
cluster
required
string

Name of the cluster of the service.

namespace
required
string

Namespace of the service.

shortName
required
string (Name attribute of the service)

Responses

Request samples

Content type
application/json
{
  • "cluster": "string",
  • "namespace": "string",
  • "shortName": "string"
}

Response samples

Content type
application/json
{ }

Get the details of a registered service

path Parameters
organization
required
string

Organization name.

service
required
string

Service name.

Responses

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "displayName": "string",
  • "etag": "string",
  • "description": "string",
  • "shortName": "string",
  • "hostnames": [
    ],
  • "ports": [
    ],
  • "subsets": [
    ],
  • "serviceType": "INVALID_TYPE",
  • "externalAddresses": [
    ],
  • "state": "INVALID_STATE",
  • "metrics": [
    ],
  • "serviceDeployments": [
    ],
  • "subsetDeployments": [
    ],
  • "canonicalName": "string",
  • "spiffeIds": [
    ],
  • "internalHostnames": [
    ],
  • "hostnameDeployments": [
    ],
  • "internalHostnameDeployments": [
    ]
}

Security

List all security groups in the given workspace.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

Responses

Response samples

Content type
application/json
{
  • "groups": [
    ]
}

Create a new security group in the given workspace.

Groups will by default configure all the namespaces owned by their workspace, unless explicitly configured. If a specific set of namespaces is set for the group, it must be a subset of the namespaces defined by its workspace.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

Request Body schema: application/json
required
required
object (tsbsecurityv2Group)

Security Groups allow grouping the proxy workloads in a set of namespaces owned by its parent workspace. Security related configurations can then be applied on the group to control the behavior of these proxy workloads. The group can be in one of two modes: BRIDGED and DIRECT. BRIDGED mode is a minimalistic mode that allows users to quickly configure the most commonly used features in the service mesh using Tetrate specific APIs, while the DIRECT mode provides more flexibility for power users by allowing them to configure the proxy workload's security properties using a restricted subset of Istio Security APIs.

The following example creates a security group for the proxy workloads in ns1, ns2 and ns3 namespaces owned by its parent workspace w1 under tenant mycompany

apiVersion: security.tsb.tetrate.io/v2
kind: Group
metadata:
  name: t1
  workspace: w1
  tenant: mycompany
  organization: myorg
spec:
  namespaceSelector:
    names:
    - "*/ns1"
    - "*/ns2"
    - "*/ns3"
  configMode: BRIDGED

And the associated security settings for the proxy workloads in the group

apiVersion: security.tsb.tetrate.io/v2
kind: SecuritySetting
metadata:
  name: defaults
  group: t1
  workspace: w1
  tenant: mycompany
  organization: myorg
spec:
  authentication: REQUIRED

Under the hood, Service Bridge translates these minimalistic settings into Istio APIs such as PeerAuthentication, AuthorizationPolicy, etc. for the namespaces managed by the security group. These APIs are then pushed to the Istio control planes of clusters where the workspace is applicable.

It is possible to create a security group for namespaces in a specific cluster as long as the parent workspace owns those namespaces in that cluster. For example,

apiVersion: security.tsb.tetrate.io/v2
kind: Group
metadata:
  name: t1
  workspace: w1
  tenant: mycompany
  organization: myorg
spec:
  namespaceSelector:
    names:
    - "c1/ns1" # pick ns1 namespace only from c1 cluster
    - "*/ns2"
    - "*/ns3"
  configMode: BRIDGED

In the DIRECT mode, it is possible to directly attach Istio Security v1beta1 APIs (PeerAuthentication and AuthorizationPolicy) to the security group. These configurations will be validated for correctness and conflict-free operation and then pushed to the appropriate Istio control planes.

The following example declares a PeerAuthentication policy for a specific workload in the ns1 namespace:

apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: workload-mtls-disable
  namespace: ns1
  annotations:
    tsb.tetrate.io/organization: myorg
    tsb.tetrate.io/tenant: mycompany
    tsb.tetrate.io/workspace: w1
    tsb.tetrate.io/securityGroup: t1
spec:
  selector:
    matchLabels:
      app: reviews
  mtls:
    mode: DISABLE

The namespace where the Istio APIs are applied will need to be part of the parent security group. In addition, each API object will need to have annotations to indicate the organization, tenant, workspace and the security group to which it belongs.
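The namespace selector format used by the groups above ("cluster/namespace", with "*" for any cluster or namespace and a "ns-*" style prefix), together with the rule that a group may only cover namespaces its workspace owns, modelled as an added Python example (not TSB's own code). The cluster/namespace inventory is constructed, and checking the subset rule against a concrete inventory is this example's simplification.

```python
"""Added example (not TSB's own code): a small model of the NamespaceSelector
format used by security groups. Names are "cluster/namespace": the cluster part
is a cluster name or "*"; the namespace part is a name, "*", or a prefix such as
"ns-*". Because a group may only cover namespaces its workspace owns, a subset
check over a constructed cluster/namespace inventory is included (checking
against a concrete inventory is this example's simplification)."""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class SelectorName:
    cluster: str
    namespace: str

    @classmethod
    def parse(cls, name: str) -> "SelectorName":
        """Validate and split a 'cluster/namespace' selector entry."""
        if name.count("/") != 1:
            raise ValueError(f"selector name must be cluster/namespace: {name!r}")
        cluster, namespace = name.split("/")
        if not cluster or not namespace:
            raise ValueError(f"empty cluster or namespace in {name!r}")
        # The cluster part is an exact name or the full wildcard; no prefixes.
        if cluster != "*" and "*" in cluster:
            raise ValueError(f"cluster part must be a name or '*': {name!r}")
        # The namespace part may only carry a trailing '*' (prefix match).
        if "*" in namespace[:-1]:
            raise ValueError(f"only a trailing '*' is allowed in the namespace part: {name!r}")
        return cls(cluster, namespace)

    def matches(self, cluster: str, namespace: str) -> bool:
        if self.cluster != "*" and self.cluster != cluster:
            return False
        if self.namespace.endswith("*"):
            return namespace.startswith(self.namespace[:-1])
        return self.namespace == namespace


def is_valid_name(name: str) -> bool:
    """True when the entry parses under the rules above."""
    try:
        SelectorName.parse(name)
        return True
    except ValueError:
        return False


def select(names, inventory):
    """Return the (cluster, namespace) pairs from inventory matched by any name."""
    selectors = [SelectorName.parse(n) for n in names]
    return {pair for pair in inventory if any(s.matches(*pair) for s in selectors)}


def outside_workspace(group_names, workspace_names, inventory):
    """Namespaces a group selector would take that its workspace does not own.
    An empty result means the group is a valid subset of the workspace."""
    return select(group_names, inventory) - select(workspace_names, inventory)


# Constructed sample inventory: two clusters with a few namespaces each.
INVENTORY = {
    ("c1", "ns1"), ("c1", "ns2"), ("c1", "ns-payments"),
    ("c2", "ns1"), ("c2", "ns3"), ("c2", "ns-billing"),
}

if __name__ == "__main__":
    # The "c1/ns1" group from the page, resolved against the inventory.
    print(sorted(select(["c1/ns1", "*/ns2", "*/ns3"], INVENTORY)))
    # A group asking for ns1 in every cluster while its workspace only owns c1.
    print(sorted(outside_workspace(["*/ns1"], ["c1/*"], INVENTORY)))
```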

name
required
string

The short name for the resource to be created.

Responses

Request samples

Content type
application/json
{
  • "group": {
    },
  • "name": "string"
}

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "displayName": "string",
  • "etag": "string",
  • "description": "string",
  • "namespaceSelector": {
    },
  • "configMode": "BRIDGED",
  • "securityDomain": "string",
  • "deletionProtectionEnabled": true,
  • "profiles": [
    ],
  • "configGenerationMetadata": {
    }
}

Get the details of the given security group.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

securitygroup
required
string

Securitygroup name.

Responses

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "displayName": "string",
  • "etag": "string",
  • "description": "string",
  • "namespaceSelector": {
    },
  • "configMode": "BRIDGED",
  • "securityDomain": "string",
  • "deletionProtectionEnabled": true,
  • "profiles": [
    ],
  • "configGenerationMetadata": {
    }
}

Modify a security group.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

securitygroup
required
string

Securitygroup name.

Request Body schema: application/json
required
object (v2ConfigGenerationMetadata)

ConfigGenerationMetadata allows setting up extra metadata, such as new labels or annotations, that will be added to the final generated Istio configurations. Config generation metadata defined on tenancy resources (organization, tenant, workspace or groups) acts as the default for the configurations that belong to them. The same metadata defined on configuration resources (ingress gateways, service routes, etc.) replaces the values defined on the tenancy resources.

configMode
string (v2ConfigMode)
Default: "BRIDGED"
Enum: "BRIDGED" "DIRECT"

The configuration mode used by a traffic, security or a gateway group.

  • BRIDGED: Indicates that the configurations to be added to the group will use macro APIs that automatically generate Istio APIs under the hood.
  • DIRECT: Indicates that the configurations to be added to the group will directly use Istio APIs.
deletionProtectionEnabled
boolean

When set, prevents the resource from being deleted. In order to delete the resource this property needs to be set to false first.

description
string (A description of the resource. $hide_from_yaml)
displayName
string (User friendly name for the resource. $hide_from_yaml)
etag
string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)
required
object (`NamespaceSelector` selects a set of namespaces across one or more clusters in a tenant. Namespace selectors can be used at Workspace level to carve out a chunk of resources under a tenant into an isolated configuration domain. They can be used in a Traffic, Security, or a Gateway group to further scope the set of namespaces that will belong to a specific configuration group. Names in namespaces selector must be in the form `cluster/namespace` where: - cluster must be a cluster name or an `*` to mean all clusters - namespace must be a namespace name, an `*` to mean all namespaces or a prefix like `ns-*` to mean all those namespaces starting by `ns-`)
profiles
Array of strings

List of profiles attached to the security group to be used to propagate default and mandatory configurations down to the children.

securityDomain
string

Security domains can be used to group different resources under the same security domain. Although a security domain is not a resource itself currently, it follows the FQN format organizations/myorg/securitydomains/mysecuritydomain, and a child cannot override any ancestor's security domain. Once a security domain is assigned to a security group, all of its child resources belong to that security domain: in the same way that a security setting belongs to a security group, the security setting also belongs to the security domain assigned to that group. Security domains can also be used in the authorization rules of security settings to allow or deny requests from or to a security domain.

Responses

Request samples

Content type
application/json
{
  • "configGenerationMetadata": {
    },
  • "configMode": "BRIDGED",
  • "deletionProtectionEnabled": true,
  • "description": "string",
  • "displayName": "string",
  • "etag": "string",
  • "namespaceSelector": {
    },
  • "profiles": [
    ],
  • "securityDomain": "string"
}

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "displayName": "string",
  • "etag": "string",
  • "description": "string",
  • "namespaceSelector": {
    },
  • "configMode": "BRIDGED",
  • "securityDomain": "string",
  • "deletionProtectionEnabled": true,
  • "profiles": [
    ],
  • "configGenerationMetadata": {
    }
}

Delete the given security group. Note that deleting resources in TSB is a recursive operation. Deleting a security group will delete all configuration objects that exist in it.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

securitygroup
required
string

Securitygroup name.

query Parameters
force
boolean

Force the deletion of the object even if deletion protection is enabled. If this is set, then the object and all its children will be deleted even if any of them has the deletion protection enabled.

Responses

Response samples

Content type
application/json
{ }

List all service security settings objects that have been attached to the security group.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

securitygroup
required
string

Securitygroup name.

Responses

Response samples

Content type
application/json
{
  • "settings": [
    ]
}

Create a service security settings object in the security group.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

securitygroup
required
string

Securitygroup name.

Request Body schema: application/json
required
name
required
string

The short name for the resource to be created.

required
object (v2ServiceSecuritySetting)

ServiceSecuritySetting allows configuring security related properties such as TLS authentication and access control for traffic arriving at a particular service in a security group. These settings will replace the security group wide settings for this service.

The following example defines a security setting that applies to the service foo in namespace ns1 that only allows mutual TLS authenticated traffic from other proxy workloads in the same group.

apiVersion: security.tsb.tetrate.io/v2
kind: ServiceSecuritySetting
metadata:
  name: foo-auth
  group: sg1
  workspace: w1
  tenant: mycompany
  org: myorg
spec:
  service: ns1/foo.ns1.svc.cluster.local
  settings:
    authentication: REQUIRED
    authorization:
      mode: GROUP

The following example customizes the Extensions to enable the execution of the WasmExtensions list specified, detailing custom properties for the execution of each extension.

apiVersion: security.tsb.tetrate.io/v2
kind: ServiceSecuritySetting
metadata:
  name: foo-wasm-plugin
  group: sg1
  workspace: w1
  tenant: mycompany
  org: myorg
spec:
  service: ns1/foo.ns1.svc.cluster.local
  settings:
    extension:
    - fqn: hello-world # fqn of imported extensions in TSB
      config:
        foo: bar

Responses

Request samples

Content type
application/json
{
  • "name": "string",
  • "settings": {
    }
}

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "displayName": "string",
  • "etag": "string",
  • "description": "string",
  • "service": "string",
  • "settings": {
    },
  • "subsets": [
    ],
  • "configGenerationMetadata": {
    }
}

Get the details of the given service security settings object.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

securitygroup
required
string

Securitygroup name.

servicesetting
required
string

Servicesetting name.

Responses

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "displayName": "string",
  • "etag": "string",
  • "description": "string",
  • "service": "string",
  • "settings": {
    },
  • "subsets": [
    ],
  • "configGenerationMetadata": {
    }
}

Modify the given service security settings object.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

securitygroup
required
string

Securitygroup name.

servicesetting
required
string

Servicesetting name.

Request Body schema: application/json
required
object (v2ConfigGenerationMetadata)

ConfigGenerationMetadata allows setting up extra metadata, such as new labels or annotations, that will be added to the final generated Istio configurations. Config generation metadata defined on tenancy resources (organization, tenant, workspace or groups) acts as the default for the configurations that belong to them. The same metadata defined on configuration resources (ingress gateways, service routes, etc.) replaces the values defined on the tenancy resources.

description
string (A description of the resource. $hide_from_yaml)
displayName
string (User friendly name for the resource. $hide_from_yaml)
etag
string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)
service
required
string

The service on which the configuration is being applied. Must be in namespace/FQDN format.

object (v2SecuritySetting)

SecuritySetting allows configuring security related properties such as TLS authentication and access control for traffic arriving at a proxy workload in a security group.

This is a global object that uniquely configures the security group, and there can be only one security setting object defined for each security group.

Security settings can be propagated along any defined security settings in the configuration hierarchy. How security settings are propagated can be configured by specifying a PropagationStrategy.

The following example creates a security group for the proxy workloads in ns1, ns2 and ns3 namespaces owned by its parent workspace w1 under tenant mycompany and defines a security setting that only allows mutual TLS authenticated traffic from other proxy workloads in the same group.

apiVersion: security.tsb.tetrate.io/v2
kind: Group
metadata:
  name: t1
  workspace: w1
  tenant: mycompany
  organization: myorg
spec:
  namespaceSelector:
    names:
    - "*/ns1"
    - "*/ns2"
    - "*/ns3"
  configMode: BRIDGED

And the associated security settings for all proxy workloads in the group

apiVersion: security.tsb.tetrate.io/v2
kind: SecuritySetting
metadata:
  name: defaults
  group: t1
  workspace: w1
  tenant: mycompany
  organization: myorg
spec:
  authenticationSettings:
    trafficMode: REQUIRED
  authorization:
    mode: GROUP

The following example customizes the allowedSources to allow traffic from the namespaces within the group as well as the catalog-sa service account from ns4 namespace.

apiVersion: security.tsb.tetrate.io/v2
kind: SecuritySetting
metadata:
  name: custom
  group: t1
  workspace: w1
  tenant: mycompany
  organization: myorg
spec:
  authenticationSettings:
    trafficMode: REQUIRED
    http:
      rules:
        jwt:
        - issuer: "https://auth.tetrate.io"
          jwksUri: "https://oauth2.auth.tetrate.io/certs"
        - issuer: "https://auth.tetrate.internal"
          jwksUri: "https://oauth2.auth.tetrate.internal/certs"
  authorization:
    mode: CUSTOM
    serviceAccounts:
    - "ns1/*"
    - "ns2/*"
    - "ns3/*"
    - "ns4/catalog-sa"
    http:
      external:
        uri: "https://policy.auth.tetrate.io"
        includeRequestHeaders:
        - authorization

The following example rejects all traffic arriving at workloads from namespaces that belong to security group t1.

apiVersion: security.tsb.tetrate.io/v2
kind: SecuritySetting
metadata:
  name: defaults
  group: t1
  workspace: w1
  tenant: mycompany
  organization: myorg
spec:
  authenticationSettings:
    trafficMode: REQUIRED
  authorization:
    mode: RULES
    rules:
      denyAll: true

The following example accepts all traffic arriving at workloads in namespaces that belong to security group t1. All authenticated requests are accepted because no workload is targeted to be allowed or denied.

apiVersion: security.tsb.tetrate.io/v2
kind: SecuritySetting
metadata:
  name: defaults
  group: t1
  workspace: w1
  tenant: mycompany
  organization: myorg
spec:
  authenticationSettings:
    trafficMode: REQUIRED
  authorization:
    mode: RULES

The following example accepts all traffic arriving at workloads in namespaces that belong to security group t1, except traffic from workloads belonging to workspace w2.

apiVersion: security.tsb.tetrate.io/v2
kind: SecuritySetting
metadata:
  name: defaults
  group: t1
  workspace: w1
  tenant: mycompany
  organization: myorg
spec:
  authenticationSettings:
    trafficMode: REQUIRED
  authorization:
    mode: RULES
    rules:
      deny:
       - from:
           fqn: organizations/myorg/tenants/mycompany/workspaces/w2
         to:
           fqn: organizations/myorg/tenants/mycompany/workspaces/w1/securitygroups/t1

The following example only accepts traffic arriving at workloads in namespaces that belong to security group t1 when it comes from workloads belonging to workspace w2. Hence only authenticated requests to workloads in security group t1 coming from workloads in workspace w2 are accepted; all other requests are rejected.

apiVersion: security.tsb.tetrate.io/v2
kind: SecuritySetting
metadata:
  name: defaults
  group: t1
  workspace: w1
  tenant: mycompany
  organization: myorg
spec:
  authenticationSettings:
    trafficMode: REQUIRED
  authorization:
    mode: RULES
    rules:
      allow:
       - from:
           fqn: organizations/myorg/tenants/mycompany/workspaces/w2
         to:
           fqn: organizations/myorg/tenants/mycompany/workspaces/w1/securitygroups/t1

The following example uses a combination of allow and deny rules to show how rules are evaluated. Say workspace w3 contains three security groups, sg31, sg32 and sg33, and workspaces w1 and w2 also exist. Security group sg31 contains workloads that handle sensitive data, so we only want to accept requests arriving from the same workspace w3, and we want to explicitly reject requests coming from sg32. Hence only authenticated requests to workloads in security group sg31 coming from workloads in security groups sg31 or sg33 of workspace w3 are accepted. Requests coming from sg32 are rejected because the explicit deny takes precedence over the workspace-wide allow. A request coming from any workload in another workspace (w1 or w2), or from a security group belonging to another workspace, is also rejected by default because it matches none of the allowed resource FQNs.

apiVersion: security.tsb.tetrate.io/v2
kind: SecuritySetting
metadata:
  name: defaults
  group: sg31
  workspace: w3
  tenant: mycompany
  organization: myorg
spec:
  authenticationSettings:
    trafficMode: REQUIRED
  authorization:
    mode: RULES
    rules:
      allow:
       - from:
           fqn: organizations/myorg/tenants/mycompany/workspaces/w3
         to:
           fqn: organizations/myorg/tenants/mycompany/workspaces/w3/securitygroups/sg31
      deny:
       - from:
           fqn: organizations/myorg/tenants/mycompany/workspaces/w3/securitygroups/sg32
         to:
           fqn: organizations/myorg/tenants/mycompany/workspaces/w3/securitygroups/sg31

The following example customizes the WAF settings to enforce Web Application Firewall rules on the sidecars in the namespaces that belong to the SecurityGroup.

Please DO NOT use it in production.

apiVersion: security.tsb.tetrate.io/v2
kind: SecuritySetting
metadata:
  name: defaults
  group: t1
  workspace: w1
  tenant: mycompany
  organization: myorg
spec:
  waf:
    rules:
      - SecRuleEngine ON
      - Include @owasp_crs/*.conf

The following example attaches WasmExtensions to the SecuritySetting, enabling the listed extensions and passing custom configuration properties to each one.

apiVersion: security.tsb.tetrate.io/v2
kind: SecuritySetting
metadata:
  name: defaults
  group: t1
  workspace: w1
  tenant: mycompany
  organization: myorg
spec:
  extension:
  - fqn: hello-world # fqn of imported extensions in TSB
    config:
      foo: bar
Array of objects (v2ServiceSecuritySettingSubset)

Subset specific settings that will replace the service wide settings for the specified service subsets.

Responses

Request samples

Content type
application/json
{
  • "configGenerationMetadata": {
    },
  • "description": "string",
  • "displayName": "string",
  • "etag": "string",
  • "service": "string",
  • "settings": {
    },
  • "subsets": [
    ]
}

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "displayName": "string",
  • "etag": "string",
  • "description": "string",
  • "service": "string",
  • "settings": {
    },
  • "subsets": [
    ],
  • "configGenerationMetadata": {
    }
}

Delete the given service security settings from the group.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

securitygroup
required
string

Securitygroup name.

servicesetting
required
string

Servicesetting name.

Responses

Response samples

Content type
application/json
{ }

List all security settings objects that have been attached to the security group.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

securitygroup
required
string

Securitygroup name.

Responses

Response samples

Content type
application/json
{
  • "settings": [
    ]
}

Create a security settings object in the security group.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

securitygroup
required
string

Securitygroup name.

Request Body schema: application/json
required
name
required
string

The short name for the resource to be created.

required
object (v2SecuritySetting)

SecuritySetting allows configuring security related properties such as TLS authentication and access control for traffic arriving at a proxy workload in a security group.

This is a global object that uniquely configures the security group, and there can be only one security setting object defined for each security group.

Security settings propagate down the configuration hierarchy alongside any security settings defined at other levels. How they propagate is controlled by the PropagationStrategy.

The following example creates a security group for the proxy workloads in ns1, ns2 and ns3 namespaces owned by its parent workspace w1 under tenant mycompany and defines a security setting that only allows mutual TLS authenticated traffic from other proxy workloads in the same group.

apiVersion: security.tsb.tetrate.io/v2
kind: Group
metadata:
  name: t1
  workspace: w1
  tenant: mycompany
  organization: myorg
spec:
  namespaceSelector:
    names:
    - "*/ns1"
    - "*/ns2"
    - "*/ns3"
  configMode: BRIDGED

And the associated security settings for all proxy workloads in the group

apiVersion: security.tsb.tetrate.io/v2
kind: SecuritySetting
metadata:
  name: defaults
  group: t1
  workspace: w1
  tenant: mycompany
  organization: myorg
spec:
  authenticationSettings:
    trafficMode: REQUIRED
  authorization:
    mode: GROUP

The following example uses CUSTOM authorization to allow traffic from all service accounts in the group's namespaces as well as the catalog-sa service account in the ns4 namespace. It also validates end-user JWTs issued by either of two issuers and forwards the authorization header to an external authorization service.

apiVersion: security.tsb.tetrate.io/v2
kind: SecuritySetting
metadata:
  name: custom
  group: t1
  workspace: w1
  tenant: mycompany
  organization: myorg
spec:
  authenticationSettings:
    trafficMode: REQUIRED
    http:
      rules:
        jwt:
        - issuer: "https://auth.tetrate.io"
          jwksUri: "https://oauth2.auth.tetrate.io/certs"
        - issuer: "https://auth.tetrate.internal"
          jwksUri: "https://oauth2.auth.tetrate.internal/certs"
  authorization:
    mode: CUSTOM
    serviceAccounts:
    - "ns1/*"
    - "ns2/*"
    - "ns3/*"
    - "ns4/catalog-sa"
    http:
      external:
        uri: "https://policy.auth.tetrate.io"
        includeRequestHeaders:
        - authorization

The following example rejects all traffic arriving at workloads in namespaces that belong to security group t1.

apiVersion: security.tsb.tetrate.io/v2
kind: SecuritySetting
metadata:
  name: defaults
  group: t1
  workspace: w1
  tenant: mycompany
  organization: myorg
spec:
  authenticationSettings:
    trafficMode: REQUIRED
  authorization:
    mode: RULES
    rules:
      denyAll: true

The following example accepts all traffic arriving at workloads in namespaces that belong to security group t1. All authenticated requests are accepted because no workload is targeted by an allow or deny rule.

apiVersion: security.tsb.tetrate.io/v2
kind: SecuritySetting
metadata:
  name: defaults
  group: t1
  workspace: w1
  tenant: mycompany
  organization: myorg
spec:
  authenticationSettings:
    trafficMode: REQUIRED
  authorization:
    mode: RULES

The following example accepts all traffic arriving at workloads in namespaces that belong to security group t1, except traffic from workloads belonging to workspace w2.

apiVersion: security.tsb.tetrate.io/v2
kind: SecuritySetting
metadata:
  name: defaults
  group: t1
  workspace: w1
  tenant: mycompany
  organization: myorg
spec:
  authenticationSettings:
    trafficMode: REQUIRED
  authorization:
    mode: RULES
    rules:
      deny:
       - from:
           fqn: organizations/myorg/tenants/mycompany/workspaces/w2
         to:
           fqn: organizations/myorg/tenants/mycompany/workspaces/w1/securitygroups/t1

The following example only accepts traffic arriving at workloads in namespaces that belong to security group t1 when it comes from workloads belonging to workspace w2. Hence only authenticated requests to workloads in security group t1 coming from workloads in workspace w2 are accepted; all other requests are rejected.

apiVersion: security.tsb.tetrate.io/v2
kind: SecuritySetting
metadata:
  name: defaults
  group: t1
  workspace: w1
  tenant: mycompany
  organization: myorg
spec:
  authenticationSettings:
    trafficMode: REQUIRED
  authorization:
    mode: RULES
    rules:
      allow:
       - from:
           fqn: organizations/myorg/tenants/mycompany/workspaces/w2
         to:
           fqn: organizations/myorg/tenants/mycompany/workspaces/w1/securitygroups/t1

The following example uses a combination of allow and deny rules to show how rules are evaluated. Say workspace w3 contains three security groups, sg31, sg32 and sg33, and workspaces w1 and w2 also exist. Security group sg31 contains workloads that handle sensitive data, so we only want to accept requests arriving from the same workspace w3, and we want to explicitly reject requests coming from sg32. Hence only authenticated requests to workloads in security group sg31 coming from workloads in security groups sg31 or sg33 of workspace w3 are accepted. Requests coming from sg32 are rejected because the explicit deny takes precedence over the workspace-wide allow. A request coming from any workload in another workspace (w1 or w2), or from a security group belonging to another workspace, is also rejected by default because it matches none of the allowed resource FQNs.

apiVersion: security.tsb.tetrate.io/v2
kind: SecuritySetting
metadata:
  name: defaults
  group: sg31
  workspace: w3
  tenant: mycompany
  organization: myorg
spec:
  authenticationSettings:
    trafficMode: REQUIRED
  authorization:
    mode: RULES
    rules:
      allow:
       - from:
           fqn: organizations/myorg/tenants/mycompany/workspaces/w3
         to:
           fqn: organizations/myorg/tenants/mycompany/workspaces/w3/securitygroups/sg31
      deny:
       - from:
           fqn: organizations/myorg/tenants/mycompany/workspaces/w3/securitygroups/sg32
         to:
           fqn: organizations/myorg/tenants/mycompany/workspaces/w3/securitygroups/sg31
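
The following Python model, added here as an illustration and not part of TSB, replays the RULES-mode examples above (they are listed for both the service-level and the group-level SecuritySetting schema): denyAll, deny-only, allow-only and the combined sg31 case. It encodes only what the examples state: denyAll rejects everything, a matching deny wins over a matching allow, a non-empty allow list must be matched, and no rules at all means every authenticated request passes. Treating FQN matching as path-prefix matching on the resource hierarchy (a workspace FQN covers every security group under it), and the `Rule`/`Rules`/`is_allowed` names, are assumptions made for the model, not TSB's implementation.

```python
"""Model of how the RULES authorization mode examples resolve a request.

Added illustration; not TSB code. Assumed semantics, taken from the examples:
  - ``denyAll: true`` rejects every request;
  - a matching ``deny`` rule wins over a matching ``allow`` rule;
  - if any ``allow`` rules exist, a request must match one of them;
  - with no rules at all, every mTLS-authenticated request is accepted.
FQN matching is modelled as path-prefix matching on the resource hierarchy
(assumption: a workspace FQN covers every security group under it).
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class Rule:
    source: str  # FQN of the caller's workspace or security group (the `from`)
    target: str  # FQN of the security group receiving the request (the `to`)


@dataclass
class Rules:
    deny_all: bool = False
    allow: list[Rule] = field(default_factory=list)
    deny: list[Rule] = field(default_factory=list)


def fqn_covers(pattern: str, fqn: str) -> bool:
    """True when `fqn` is `pattern` itself or a descendant of it in the hierarchy."""
    return fqn == pattern or fqn.startswith(pattern.rstrip("/") + "/")


def rule_matches(rule: Rule, source: str, target: str) -> bool:
    return fqn_covers(rule.source, source) and fqn_covers(rule.target, target)


def is_allowed(rules: Rules, source: str, target: str) -> bool:
    """Decide whether a request from `source` to `target` is accepted."""
    if rules.deny_all:
        return False
    if any(rule_matches(r, source, target) for r in rules.deny):
        return False  # explicit deny beats any allow
    if rules.allow:
        return any(rule_matches(r, source, target) for r in rules.allow)
    return True  # no allow list: everything not explicitly denied passes


def parse_rules(spec: dict) -> Rules:
    """Build Rules from the `spec.authorization.rules` mapping of a SecuritySetting."""
    rules = spec.get("authorization", {}).get("rules", {}) or {}

    def to_rules(items: list[dict]) -> list[Rule]:
        return [Rule(i["from"]["fqn"], i["to"]["fqn"]) for i in items]

    return Rules(
        deny_all=bool(rules.get("denyAll", False)),
        allow=to_rules(rules.get("allow", [])),
        deny=to_rules(rules.get("deny", [])),
    )


# The combined allow/deny example for security group sg31 in workspace w3,
# transcribed from the YAML above.
BASE = "organizations/myorg/tenants/mycompany"
SG31 = f"{BASE}/workspaces/w3/securitygroups/sg31"
SG31_SPEC = {
    "authorization": {
        "mode": "RULES",
        "rules": {
            "allow": [{"from": {"fqn": f"{BASE}/workspaces/w3"}, "to": {"fqn": SG31}}],
            "deny": [{"from": {"fqn": f"{BASE}/workspaces/w3/securitygroups/sg32"},
                      "to": {"fqn": SG31}}],
        },
    }
}


def evaluate_sg31_example() -> dict[str, bool]:
    """Decision for each caller named in the sg31 walkthrough (caller FQNs are constructed)."""
    rules = parse_rules(SG31_SPEC)
    callers = {
        "sg31": f"{BASE}/workspaces/w3/securitygroups/sg31",
        "sg32": f"{BASE}/workspaces/w3/securitygroups/sg32",
        "sg33": f"{BASE}/workspaces/w3/securitygroups/sg33",
        "w1": f"{BASE}/workspaces/w1/securitygroups/t1",
        "w2": f"{BASE}/workspaces/w2/securitygroups/t2",
    }
    return {name: is_allowed(rules, src, SG31) for name, src in callers.items()}


if __name__ == "__main__":
    for caller, ok in evaluate_sg31_example().items():
        print(f"{caller:>5} -> {'ALLOW' if ok else 'DENY'}")
```

Running the block prints ALLOW for sg31 and sg33 and DENY for sg32, w1 and w2, which is the outcome the walkthrough describes. The deny-only and allow-only examples fall out of the same function: with only a deny rule the default is allow, with only an allow rule the default is deny.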

The following example customizes the WAF settings to enforce Web Application Firewall rules on the sidecars in the namespaces that belong to the SecurityGroup.

Please DO NOT use it in production.

apiVersion: security.tsb.tetrate.io/v2
kind: SecuritySetting
metadata:
  name: defaults
  group: t1
  workspace: w1
  tenant: mycompany
  organization: myorg
spec:
  waf:
    rules:
      - SecRuleEngine ON
      - Include @owasp_crs/*.conf

The following example attaches WasmExtensions to the SecuritySetting, enabling the listed extensions and passing custom configuration properties to each one.

apiVersion: security.tsb.tetrate.io/v2
kind: SecuritySetting
metadata:
  name: defaults
  group: t1
  workspace: w1
  tenant: mycompany
  organization: myorg
spec:
  extension:
  - fqn: hello-world # fqn of imported extensions in TSB
    config:
      foo: bar

Responses

Request samples

Content type
application/json
{
  • "name": "string",
  • "settings": {
    }
}

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "displayName": "string",
  • "etag": "string",
  • "description": "string",
  • "authentication": "UNSET",
  • "authorization": {
    },
  • "authenticationSettings": {
    },
  • "waf": {
    },
  • "propagationStrategy": "REPLACE",
  • "extension": [
    ],
  • "configGenerationMetadata": {
    }
}

Get the details of the given security settings object.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

securitygroup
required
string

Securitygroup name.

setting
required
string

Setting name.

Responses

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "displayName": "string",
  • "etag": "string",
  • "description": "string",
  • "authentication": "UNSET",
  • "authorization": {
    },
  • "authenticationSettings": {
    },
  • "waf": {
    },
  • "propagationStrategy": "REPLACE",
  • "extension": [
    ],
  • "configGenerationMetadata": {
    }
}

Modify the given security settings object.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

securitygroup
required
string

Securitygroup name.

setting
required
string

Setting name.

Request Body schema: application/json
required
authentication
string (v2SecuritySettingAuthenticationMode)
Default: "UNSET"
Enum: "UNSET" "OPTIONAL" "REQUIRED"

AuthenticationMode indicates whether to accept only Istio mutual TLS authenticated traffic or allow legacy plaintext traffic as well.

  • UNSET: Inherit from the parent, if there is one. Otherwise treated as OPTIONAL.
  • OPTIONAL: Accept both plaintext and mTLS authenticated connections.
  • REQUIRED: Accept only mutual TLS authenticated connections.
object (tsbsecurityv2AuthenticationSettings)

AuthenticationSettings represents configuration related to authenticating traffic within the mesh and end-user credentials if present. It is HIGHLY RECOMMENDED to enable mutual TLS when end-user credentials are present. Sending credentials like JWT over plaintext is a security risk.

object (tsbsecurityv2AuthorizationSettings)

AuthorizationSettings define the set of service accounts in one or more namespaces allowed to access a workload (and hence its sidecar) in the mesh.

object (v2ConfigGenerationMetadata)

ConfigGenerationMetadata allows setting up extra metadata, such as new labels or annotations, that will be added to the final generated Istio configurations. Config generation metadata defined in tenancy resources (organization, tenant, workspace or groups) acts as default values for the configurations that belong to them. The same config generation metadata defined in configuration resources (ingress gateways, service routes, etc.) replaces the values defined in the tenancy resources.

description
string (A description of the resource. $hide_from_yaml)
displayName
string (User friendly name for the resource. $hide_from_yaml)
etag
string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)
Array of objects (v2WasmExtensionAttachment)

Extensions specifies all the WasmExtensions assigned to this SecuritySetting, with the specific configuration for each extension. This custom configuration overrides the one configured globally for the extension. Each extension also has a global configuration, including whether it is enabled and its priority, that conditions the execution of the assigned extensions.

propagationStrategy
string (v2PropagationStrategy)
Default: "REPLACE"
Enum: "REPLACE" "STRICTER"

The PropagationStrategy is the key differentiating factor to decide how a security policy should be propagated and applied at runtime across clusters. The default propagation strategy is REPLACE, in which a lower level SecuritySetting in the configuration hierarchy replaces a higher level SecuritySetting. The STRICTER PropagationStrategy on the other hand makes sure the default SecuritySettings configured at the parent level are always enforced and propagated down the hierarchy unless additional SecuritySettings are defined and restricted further in the configuration hierarchy.

  • REPLACE should be used when resources in the hierarchy are allowed to override the default settings configured at the higher levels.
  • STRICTER should be used when the default settings must prevail, and the settings can only be made more restrictive by child resources at lower levels of the hierarchy.

When a resource, or a property of it, affected by the propagation strategy is propagated down the hierarchy, the parent-defined resource or property is used (propagated) whenever the child does not define one, regardless of the strategy (REPLACE or STRICTER).

For example, the following WorkspaceSetting restricts service-to-service access so that only services in the same workspace can talk to each other, but uses the REPLACE propagation strategy, which lets individual SecuritySettings override it. The SecuritySetting for group t1 makes services in that group reachable from any service in the cluster, regardless of the workspace they belong to, even though the Workspace restricts access to services in the Workspace.

apiVersion: api.tsb.tetrate.io/v2
kind: WorkspaceSetting
metadata:
  name: w1-settings
  workspace: w1
  tenant: mycompany
  organization: myorg
spec:
  defaultSecuritySetting:
    propagationStrategy: REPLACE
    authorization:
      mode: WORKSPACE
---
apiVersion: security.tsb.tetrate.io/v2
kind: SecuritySetting
metadata:
  name: defaults
  group: t1
  workspace: w1
  tenant: mycompany
  organization: myorg
spec:
  authorization:
    mode: CLUSTER

STRICTER propagation configures defaults that can only be restricted further down the hierarchy. The following example configures the same WorkspaceSetting but with the STRICTER propagation strategy. The defaults SecuritySetting narrows access to GROUP scope, which is allowed because GROUP is stricter than WORKSPACE. The defaults-invalid SecuritySetting, however, configures CLUSTER access, which would widen the scope defined at the Workspace; that setting is rejected under the STRICTER propagation strategy.

apiVersion: api.tsb.tetrate.io/v2
kind: WorkspaceSetting
metadata:
  name: w1-settings
  workspace: w1
  tenant: mycompany
  organization: myorg
spec:
  defaultSecuritySetting:
    propagationStrategy: STRICTER
    authorization:
      mode: WORKSPACE
---
apiVersion: security.tsb.tetrate.io/v2
kind: SecuritySetting
metadata:
  name: defaults
  group: t1
  workspace: w1
  tenant: mycompany
  organization: myorg
spec:
  authorization:
    mode: GROUP
---
apiVersion: security.tsb.tetrate.io/v2
kind: SecuritySetting
metadata:
  name: defaults-invalid
  group: t2
  workspace: w1
  tenant: mycompany
  organization: myorg
spec:
  authorization:
    mode: CLUSTER

Further details of how security settings are resolved in STRICTER mode between a parent and a child resource can be found in the SecuritySettings reference.

  • REPLACE: The default propagation strategy. A configuration defined lower in the hierarchy replaces the configuration defined higher up. If no lower configuration is defined, the higher one prevails. For instance, default security settings defined on a workspace replace the default security settings defined on its tenant.
  • STRICTER: Propagates the strictest of a defined higher-level and a defined lower-level configuration in the hierarchy. If no lower-level configuration is defined, the higher one prevails. Which configuration counts as stricter is defined by each concrete configuration that allows specifying a propagation strategy.
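
The following Python model, added here as an illustration and not TSB's implementation, replays the two WorkspaceSetting/SecuritySetting examples above and shows the three behaviours the text fixes: a parent value is inherited whenever the child is silent, REPLACE lets the child override, and STRICTER rejects a child that widens the parent. The strictness ordering GROUP > WORKSPACE > CLUSTER for authorization.mode is inferred from the example (GROUP is called stricter than WORKSPACE, CLUSTER wider than WORKSPACE), and REQUIRED > OPTIONAL for authentication from the enum descriptions; both rankings, the `PropagationError` type and the helper names are assumptions made for this model.

```python
"""Model of REPLACE vs STRICTER propagation for one SecuritySetting property.

Added illustration, not TSB's implementation. Behaviour taken from the text:
  - a parent value is used whenever the child does not set the property;
  - REPLACE: a child value overrides the parent's;
  - STRICTER: a child value is accepted only if it is at least as strict
    as the parent's; otherwise the child setting is rejected.
Assumed strictness orderings (inferred from the worked example):
  authorization.mode : GROUP > WORKSPACE > CLUSTER
  authentication     : REQUIRED > OPTIONAL   (UNSET means "not set")
"""
from __future__ import annotations

# Higher rank = more restrictive. Only the modes used by the example are ranked.
AUTHZ_RANK = {"CLUSTER": 0, "WORKSPACE": 1, "GROUP": 2}
AUTHN_RANK = {"OPTIONAL": 0, "REQUIRED": 1}


class PropagationError(ValueError):
    """Raised when a child widens a STRICTER parent setting."""


def resolve(strategy: str, parent: str | None, child: str | None, rank: dict[str, int]) -> str | None:
    """Effective value of one property after propagating parent to child."""
    if child is None or child == "UNSET":
        return parent                       # inherit when the child is silent
    if strategy == "REPLACE" or parent is None:
        return child                        # child replaces the parent outright
    if strategy != "STRICTER":
        raise ValueError(f"unknown propagation strategy {strategy!r}")
    if child not in rank or parent not in rank:
        raise ValueError(f"no strictness ordering for {parent!r} vs {child!r}")
    if rank[child] < rank[parent]:
        raise PropagationError(f"{child} is less strict than parent {parent} under STRICTER")
    return child


def effective_authorization(workspace_setting: dict, security_setting: dict) -> str | None:
    """Resolve authorization.mode of a SecuritySetting under its WorkspaceSetting defaults."""
    defaults = workspace_setting["spec"]["defaultSecuritySetting"]
    strategy = defaults.get("propagationStrategy", "REPLACE")
    parent = defaults.get("authorization", {}).get("mode")
    child = security_setting["spec"].get("authorization", {}).get("mode")
    return resolve(strategy, parent, child, AUTHZ_RANK)


def workspace_setting(strategy: str) -> dict:
    """The w1-settings WorkspaceSetting from the text, with the given strategy."""
    return {"spec": {"defaultSecuritySetting": {"propagationStrategy": strategy,
                                                "authorization": {"mode": "WORKSPACE"}}}}


def security_setting(name: str, mode: str | None) -> dict:
    """A minimal SecuritySetting; mode=None leaves authorization unset (constructed)."""
    spec = {"authorization": {"mode": mode}} if mode else {}
    return {"metadata": {"name": name, "group": "t1", "workspace": "w1"}, "spec": spec}


def run_examples() -> dict[str, str]:
    """Replay the examples above; settings rejected under STRICTER map to 'REJECTED'."""
    cases = {
        "replace/defaults->CLUSTER": (workspace_setting("REPLACE"), security_setting("defaults", "CLUSTER")),
        "stricter/defaults->GROUP": (workspace_setting("STRICTER"), security_setting("defaults", "GROUP")),
        "stricter/defaults-invalid->CLUSTER": (workspace_setting("STRICTER"), security_setting("defaults-invalid", "CLUSTER")),
        "stricter/unset->inherit": (workspace_setting("STRICTER"), security_setting("empty", None)),
    }
    out: dict[str, str] = {}
    for label, (ws, ss) in cases.items():
        try:
            out[label] = effective_authorization(ws, ss) or "UNSET"
        except PropagationError:
            out[label] = "REJECTED"
    return out


if __name__ == "__main__":
    for label, result in run_examples().items():
        print(f"{label:<38} {result}")
```

The REPLACE case resolves to CLUSTER, the STRICTER defaults setting to GROUP, the defaults-invalid setting is rejected, and a SecuritySetting without an authorization block inherits WORKSPACE from the parent. The same `resolve` call with `AUTHN_RANK` shows a child tightening OPTIONAL mTLS to REQUIRED under STRICTER.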
object (WAFSettings configure WAF based on seclang See https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual-%28v3.x%29#Configuration_Directives)

The following example creates a security group for the sidecars in the ns1, ns2 and ns3 namespaces owned by its parent workspace w1 under tenant mycompany, together with the security setting that applies the WAF settings to that group.

apiVersion: security.tsb.tetrate.io/v2
kind: Group
metadata:
  name: t1
  workspace: w1
  tenant: mycompany
  organization: myorg
spec:
  namespaceSelector:
    names:
    - "*/ns1"
    - "*/ns2"
    - "*/ns3"
  configMode: BRIDGED
---
apiVersion: security.tsb.tetrate.io/v2
kind: SecuritySetting
metadata:
  name: defaults
  group: t1
  workspace: w1
  tenant: mycompany
  organization: myorg
spec:
  waf:
    rules:
      - Include @recommended-conf

In the following examples, the rule set for blocking XSS requests is enabled on a Tier1Gateway and on an IngressGateway respectively. The IngressGateway additionally sets an ad-hoc debug configuration (detection-only mode with verbose debug logging) in place of the engine settings defined in the rule set.

apiVersion: gateway.xcp.tetrate.io/v2
kind: Tier1Gateway
metadata:
  name: tier1-waf-gw
  group: g1
  workspace: w1
  tenant: mycompany
  organization: myorg
spec:
  workloadSelector:
    namespace: ns1
    labels:
      app: gateway
  passthroughServers:
  - name: nginx
    port: 8443
    hostname: nginx.example.com
  waf:
    rules:
      - Include @owasp_crs/REQUEST-941-APPLICATION-ATTACK-XSS.conf
---
apiVersion: gateway.xcp.tetrate.io/v2
kind: IngressGateway
metadata:
  name: waf-gw
  group: g1
  workspace: w1
  tenant: mycompany
  organization: myorg
spec:
  workloadSelector:
    namespace: ns1
    labels:
      app: waf-gateway
  waf:
    rules:
      - SecRuleEngine DETECTION_ONLY
      - SecDebugLogLevel 5
      - Include @owasp_crs/REQUEST-941-APPLICATION-ATTACK-XSS.conf
  http:
  - name: bookinfo
    port: 9443
    hostname: bookinfo.com

Responses

Request samples

Content type
application/json
{
  • "authentication": "UNSET",
  • "authenticationSettings": {
    },
  • "authorization": {
    },
  • "configGenerationMetadata": {
    },
  • "description": "string",
  • "displayName": "string",
  • "etag": "string",
  • "extension": [
    ],
  • "propagationStrategy": "REPLACE",
  • "waf": {
    }
}

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "displayName": "string",
  • "etag": "string",
  • "description": "string",
  • "authentication": "UNSET",
  • "authorization": {
    },
  • "authenticationSettings": {
    },
  • "waf": {
    },
  • "propagationStrategy": "REPLACE",
  • "extension": [
    ],
  • "configGenerationMetadata": {
    }
}

Delete the given security settings from the group.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

securitygroup
required
string

Securitygroup name.

setting
required
string

Setting name.

Responses

Response samples

Content type
application/json
{ }

Troubleshooting

Retrieve allowed access relationships between resources, such as:

  • the target resources a source resource is allowed to access.
  • the source resources allowed to access a target resource.

path Parameters
organization
required
string

Organization name.

query Parameters
sourceFqn
string

FQN of the source resource. If set, retrieves the list of target resources the source is allowed to access.

targetFqn
string

FQN of the target resource. If set, retrieves the list of source resources allowed to access the target.

Responses

Response samples

Content type
application/json
{
  • "accesses": {
    }
}

Get the operations that a source resource is allowed to perform on a target resource. For example, if a source has the "connect" operation allowed on a target, it is allowed to connect to that target; otherwise requests from the source to the target are refused.

path Parameters
organization
required
string

Organization name.

query Parameters
sourceFqn
required
string

FQN of the source resource from which operations are retrieved.

targetFqn
required
string

FQN of the target resource on which the source resource is permitted to perform operations.

Responses

Response samples

Content type
application/json
{
  • "operations": [
    ]
}

Traffic

List all traffic groups in the given workspace.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

Responses

Response samples

Content type
application/json
{
  • "groups": [
    ]
}

Create a new traffic group in the given workspace.

Groups will by default configure all the namespaces owned by their workspace, unless explicitly configured. If a specific set of namespaces is set for the group, it must be a subset of the namespaces defined by its workspace.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

Request Body schema: application/json
required
required
object (tsbtrafficv2Group)

A traffic group manages the routing properties of proxy workloads in a group of namespaces owned by the parent workspace.

Traffic Groups allow grouping the proxy workloads in a set of namespaces owned by its parent workspace. Networking and routing related configurations can then be applied on the group to control the behavior of these proxy workloads. The group can be in one of two modes: BRIDGED and DIRECT. BRIDGED mode is a minimalistic mode that allows users to quickly configure the most commonly used features in the service mesh using Tetrate specific APIs, while the DIRECT mode provides more flexibility for power users by allowing them to configure the proxy workload behavior using a restricted subset of Istio Networking APIs.

The following example creates a traffic group for the proxy workloads in ns1, ns2 and ns3 namespaces owned by its parent workspace w1 under tenant mycompany and sets up a TrafficSetting defining the resilience properties for proxy workloads in these namespaces.

apiVersion: traffic.tsb.tetrate.io/v2
kind: Group
metadata:
  name: t1
  workspace: w1
  tenant: mycompany
  organization: myorg
spec:
  namespaceSelector:
    names:
    - "*/ns1"
    - "*/ns2"
    - "*/ns3"
  configMode: BRIDGED

And the associated traffic settings for the proxy workloads in the group

apiVersion: traffic.tsb.tetrate.io/v2
kind: TrafficSetting
metadata:
  name: defaults
  group: t1
  workspace: w1
  tenant: mycompany
  organization: myorg
spec:
  resilience:
    circuitBreakerSensitivity: MEDIUM

Under the hood, Service Bridge translates these minimalistic settings into Istio APIs such as Sidecar, DestinationRule, etc. for the namespaces managed by the traffic group. These APIs are then pushed to the Istio control planes of clusters where the workspace is applicable.

It is possible to create a traffic group for namespaces in a specific cluster as long as the parent workspace owns those namespaces in that cluster. For example,

apiVersion: traffic.tsb.tetrate.io/v2
kind: Group
metadata:
  name: t1
  workspace: w1
  tenant: mycompany
  organization: myorg
spec:
  namespaceSelector:
    names:
    - "c1/ns1" # pick ns1 namespace only from c1 cluster
    - "*/ns2"
    - "*/ns3"
  configMode: BRIDGED

In DIRECT mode, Istio APIs such as VirtualService, DestinationRule and Sidecar can be attached directly to the traffic group. These configurations are validated for correctness and conflict-free operation and then pushed to the appropriate Istio control planes.

The following example declares a DestinationRule with two subsets, for the ratings service in the ns1 namespace:

apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  name: ratings-subsets
  namespace: ns1
  annotations:
    tsb.tetrate.io/organization: myorg
    tsb.tetrate.io/tenant: mycompany
    tsb.tetrate.io/workspace: w1
    tsb.tetrate.io/trafficGroup: t1
spec:
  host: ratings.ns1.svc.cluster.local
  subsets:
  - name: stableversion
    labels:
      app: ratings
      env: prod
  - name: testversion
    labels:
      app: ratings
      env: uat

The namespace where the Istio APIs are applied needs to be part of the parent traffic group. In addition, each API object needs annotations indicating the organization, tenant, workspace and traffic group to which it belongs.

name
required
string

The short name for the resource to be created.

Responses

Request samples

Content type
application/json
{
  • "group": {
    },
  • "name": "string"
}

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "displayName": "string",
  • "etag": "string",
  • "description": "string",
  • "namespaceSelector": {
    },
  • "configMode": "BRIDGED",
  • "deletionProtectionEnabled": true,
  • "profiles": [
    ],
  • "configGenerationMetadata": {
    }
}

Get the details of the given traffic group.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

trafficgroup
required
string

Trafficgroup name.

Responses

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "displayName": "string",
  • "etag": "string",
  • "description": "string",
  • "namespaceSelector": {
    },
  • "configMode": "BRIDGED",
  • "deletionProtectionEnabled": true,
  • "profiles": [
    ],
  • "configGenerationMetadata": {
    }
}

Modify the given traffic group.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

trafficgroup
required
string

Trafficgroup name.

Request Body schema: application/json
required
object (v2ConfigGenerationMetadata)

ConfigGenerationMetadata allows setting up extra metadata, such as new labels or annotations, that will be added to the final generated Istio configurations. Config generation metadata defined in tenancy resources (organization, tenant, workspace or groups) acts as default values for the configurations that belong to them. The same config generation metadata defined in configuration resources (ingress gateways, service routes, etc.) replaces the values defined in the tenancy resources.

configMode
string (v2ConfigMode)
Default: "BRIDGED"
Enum: "BRIDGED" "DIRECT"

The configuration mode used by a traffic, security or a gateway group.

  • BRIDGED: Indicates that the configurations to be added to the group will use macro APIs that automatically generate Istio APIs under the hood.
  • DIRECT: Indicates that the configurations to be added to the group will directly use Istio APIs.
deletionProtectionEnabled
boolean

When set, prevents the resource from being deleted. To delete the resource, this property must first be set to false.

description
string (A description of the resource. $hide_from_yaml)
displayName
string (User friendly name for the resource. $hide_from_yaml)
etag
string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)
required
object (`NamespaceSelector` selects a set of namespaces across one or more clusters in a tenant. Namespace selectors can be used at Workspace level to carve out a chunk of resources under a tenant into an isolated configuration domain. They can be used in a Traffic, Security, or a Gateway group to further scope the set of namespaces that will belong to a specific configuration group. Names in namespaces selector must be in the form `cluster/namespace` where: - cluster must be a cluster name or an `*` to mean all clusters - namespace must be a namespace name, an `*` to mean all namespaces or a prefix like `ns-*` to mean all those namespaces starting by `ns-`)
profiles
Array of strings

List of profiles attached to the traffic group to be used to propagate default and mandatory configurations down to the children.

Responses

Request samples

Content type
application/json
{
  • "configGenerationMetadata": {
    },
  • "configMode": "BRIDGED",
  • "deletionProtectionEnabled": true,
  • "description": "string",
  • "displayName": "string",
  • "etag": "string",
  • "namespaceSelector": {
    },
  • "profiles": [
    ]
}

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "displayName": "string",
  • "etag": "string",
  • "description": "string",
  • "namespaceSelector": {
    },
  • "configMode": "BRIDGED",
  • "deletionProtectionEnabled": true,
  • "profiles": [
    ],
  • "configGenerationMetadata": {
    }
}

Delete the given traffic group. Note that deleting resources in TSB is a recursive operation. Deleting a traffic group will delete all configuration objects that exist in it.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

trafficgroup
required
string

Trafficgroup name.

query Parameters
force
boolean

Force the deletion of the object even if deletion protection is enabled. If this is set, then the object and all its children will be deleted even if any of them has the deletion protection enabled.

Responses

Response samples

Content type
application/json
{ }

List all service routes that have been attached to the traffic group.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

trafficgroup
required
string

Trafficgroup name.

Responses

Response samples

Content type
application/json
{
  • "serviceRoutes": [
    ]
}

Create a new service route in the given traffic group.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

trafficgroup
required
string

Trafficgroup name.

Request Body schema: application/json
required
name
required
string

The short name for the resource to be created.

required
object (v2ServiceRoute)

A service route controls routing configurations for traffic to a service in a traffic group.

Service Routes can be used by service owners to configure traffic shifting across different versions of a service in a Traffic Group. The traffic to this service can originate from sidecars in the same or different traffic groups, as well as gateways.

The following YAML example defines a Traffic Group t1 in the namespaces ns1, ns2 and ns3, owned by its parent Workspace w1. It then defines a Service Route for the reviews service in the ns1 namespace with two subsets, v1 and v2, where 80% of the traffic to the reviews service is sent to v1 and the remaining 20% is sent to v2.

apiVersion: traffic.tsb.tetrate.io/v2
kind: Group
metadata:
  name: t1
  workspace: w1
  tenant: mycompany
  organization: myorg
spec:
  namespaceSelector:
    names:
    - "*/ns1"
    - "*/ns2"
    - "*/ns3"
  configMode: BRIDGED
---
apiVersion: traffic.tsb.tetrate.io/v2
kind: ServiceRoute
metadata:
  name: reviews
  group: t1
  workspace: w1
  tenant: mycompany
  organization: myorg
spec:
  service: ns1/reviews.ns1.svc.cluster.local
  subsets:
  - name: v1
    labels:
      version: v1
    weight: 80
  - name: v2
    labels:
      version: v2
    weight: 20

Server side load balancing can be set through the combination of portLevelSettings and stickySession. The following ServiceRoute will generate two routes:

  1. An HTTP route matching traffic on port 8080 and routing it 80:20 between v1:v2, targeting port 8080. The server side load balancing will be based on a request header.
  2. A TCP route matching traffic on port 443 and routing it 80:20 between v1:v2, targeting port 443. The server side load balancing will be based on the source IP.
apiVersion: traffic.tsb.tetrate.io/v2
kind: ServiceRoute
metadata:
  name: reviews
  group: t1
  workspace: w1
  tenant: mycompany
  organization: myorg
spec:
  service: ns1/reviews.ns1.svc.cluster.local
  portLevelSettings:
  - port: 8080
    trafficType: HTTP
    stickySession:
      header: x-session-hash
  - port: 443
    trafficType: TCP
    stickySession:
      useSourceIp: true
  subsets:
  - name: v1
    labels:
      version: v1
    weight: 80
  - name: v2
    labels:
      version: v2
    weight: 20

Note: For TCP routes, only source IP (useSourceIp: true) is a valid load balancing hash key. Any other hash keys will be invalid.

You can also apply port settings just to a subset, such as in the following example where for subset v2 the source IP is used for sticky sessions.

apiVersion: traffic.tsb.tetrate.io/v2
kind: ServiceRoute
metadata:
  name: reviews
  group: t1
  workspace: w1
  tenant: mycompany
  organization: myorg
spec:
  service: ns1/reviews.ns1.svc.cluster.local
  portLevelSettings:
  - port: 8000
    trafficType: TCP
  - port: 443
    trafficType: HTTP
    stickySession:
      header: x-sticky-hash
  subsets:
  - name: v1
    labels:
      version: v1
    weight: 80
  - name: v2
    labels:
      version: v2
    weight: 20
    portLevelSettings:
    - port: 8000
      trafficType: TCP
      stickySession:
        useSourceIp: true

If the service exposes more than one port, then all such ports with protocols need to be specified in top level portLevelSettings. Explicit routes can be specified within httpRoutes or tcpRoutes sections. You can also specify match conditions within each httpRoute to match the incoming traffic and route the traffic accordingly.

Service Routes can also be used to delegate traffic weighting to a Flagger Canary resource. First create the resource with delegation enabled in each cluster, for example:

apiVersion: flagger.app/v1beta1
kind: Canary
metadata:
  name: reviews-canary
  namespace: bookinfo
spec:
  targetRef:
    apiVersion: apps/v1
    kind: Deployment
    name: reviews
  service:
    port: 9080
    delegation: true
  analysis:
    threshold: 5
    maxWeight: 50
    stepWeight: 10

Then the following ServiceRoute will delegate all traffic on port 9080 to the above Flagger Canary.

apiVersion: traffic.tsb.tetrate.io/v2
kind: ServiceRoute
metadata:
  name: reviews-sr
  group: t1
  workspace: w1
  tenant: mycompany
  organization: myorg
spec:
  service: bookinfo/reviews.bookinfo.svc.cluster.local
  portLevelSettings:
    - port: 9080
      trafficType: HTTP
  httpRoutes:
    - name: reviews-flagger
      match:
        - name: port-9080
          port: 9080
      flagger:
        canary: reviews-canary
        namespace: bookinfo

The ServiceRoute below has two HTTP routes:

  1. The first route matches traffic to the reviews.ns1.svc.cluster.local:8080/reviews endpoint carrying the end-user: jason header, and routes 80% of it to subset "v1" and 20% to subset "v2".
  2. The second route is the default HTTP route, which matches traffic to the reviews.ns1.svc.cluster.local:8080/reviews endpoint and routes 50% of it to subset "v1" and the remaining 50% to subset "v2".
apiVersion: traffic.tsb.tetrate.io/v2
kind: ServiceRoute
metadata:
  name: reviews
  group: t1
  workspace: w1
  tenant: mycompany
  organization: myorg
spec:
  service: ns1/reviews.ns1.svc.cluster.local
  portLevelSettings:
    - port: 8080
      trafficType: HTTP
  subsets:
    - name: v1
      labels:
        version: v1
      weight: 80
    - name: v2
      labels:
        version: v2
      weight: 20
  httpRoutes:
    - name: http-route-match-reviews-endpoint
      match:
        - name: match-reviews-endpoint
          uri:
            prefix: /reviews
          headers:
            end-user:
              exact: jason
          port: 8080
      destination:
        - subset: v1
          weight: 80
          port: 8080
        - subset: v2
          weight: 20
          port: 8080
    - name: http-route-default
      match:
        - name: match-default
          uri:
            prefix: /reviews
          port: 8080
      destination:
        - subset: v1
          weight: 50
          port: 8080
        - subset: v2
          weight: 50
          port: 8080

Note: Default routes will be generated automatically only if a port is specified in top level portLevelSettings but not used in any match conditions of httpRoutes, tcpRoutes or tlsRoutes (or if no routes are specified). In all other conditions, all routes have to be defined explicitly.

For example, the ServiceRoute below will generate a default-http-route matching on port 8080 and will route traffic in the ratio 80:20 between v1:v2.

apiVersion: traffic.tsb.tetrate.io/v2
kind: ServiceRoute
metadata:
  name: reviews
  group: t1
  workspace: w1
  tenant: mycompany
  organization: myorg
spec:
  service: ns1/reviews.ns1.svc.cluster.local
  portLevelSettings:
    - port: 8080
      trafficType: HTTP
  subsets:
    - name: v1
      labels:
        version: v1
      weight: 80
    - name: v2
      labels:
        version: v2
      weight: 20

A similar example for TCP traffic where all the traffic for port 6666 will be sent to the v1 subset.

apiVersion: traffic.tsb.tetrate.io/v2
kind: ServiceRoute
metadata:
  name: reviews
  group: t1
  workspace: w1
  tenant: mycompany
  organization: myorg
spec:
  service: ns1/reviews.ns1.svc.cluster.local
  portLevelSettings:
    - port: 6666
      trafficType: TCP
  subsets:
    - name: v1
      labels:
        version: v1
      weight: 50
    - name: v2
      labels:
        version: v2
      weight: 50
  tcpRoutes:
    - name: tcp-route-match-port-6666-v1-100
      match:
        - name: match-condition-port-6666-v1-100
          port: 6666
      destination:
        - subset: v1
          weight: 100
          port: 6666

For HTTP traffic routes, fault injection allows delaying or aborting requests, and traffic mirroring allows mirroring a percentage of the traffic to multiple different destinations.

In the next example, a Service Route defines a single HTTP route for the reviews service on port 8080, with an 80/20 weight split between the v1 and v2 subsets. For the specific /reviews path and the end-user: jason-chaos header, an HTTP route is defined with a different subset split, sending 100% of requests to v1, together with the following fault injections:

  • 2 out of 100 requests will have a 5 second delay
  • 1 out of 1000 will return a 400 HTTP status code.

On top of that, for all the /reviews requests, 5 out of 1000 will be mirrored to the service debug-reviews.ns1.svc.cluster.local on port 8888.

apiVersion: traffic.tsb.tetrate.io/v2
kind: ServiceRoute
metadata:
  name: reviews
  group: t1
  workspace: w1
  tenant: mycompany
  organization: myorg
spec:
  service: ns1/reviews.ns1.svc.cluster.local
  portLevelSettings:
    - port: 8080
      trafficType: HTTP
  subsets:
    - name: v1
      labels:
        version: v1
      weight: 80
    - name: v2
      labels:
        version: v2
      weight: 20
  httpRoutes:
    - name: http-route-match-reviews-endpoint
      match:
        - name: match-reviews-endpoint
          uri:
            prefix: /reviews
          headers:
            end-user:
              exact: jason-chaos
          port: 8080
      destination:
        - subset: v1
          port: 8080
      fault:
        delay:
          percentage: 2
          fixedDelay: 5s
        abort:
          percentage: 0.1
          httpStatus: 400
      mirrors:
        - host: reviews.ns1.svc.cluster.local
          subset: v2
          port: 8080
          percentage: 0.5
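
As an added example (not code from the TSB API or its documentation), the following Python check applies the ServiceRoute rules stated above (subset and destination weights, ports declared in portLevelSettings, the TCP sticky-session restriction and automatic default routes) to specs written as plain dicts that mirror the YAML examples; the specs, including the deliberately broken one, are constructed here.

```python
"""Pre-apply checks for a TSB ServiceRoute spec (added example, not Tetrate's code).

Rules taken from the ServiceRoute documentation above: subset weights (and the destination
weights of a multi-destination route) must sum to 100; every port used by a route must be
declared in portLevelSettings; on a TCP port the only valid stickySession key is useSourceIp;
a default route is generated only for a declared port that no route's match condition uses.
Specs are plain dicts mirroring the YAML examples, so no YAML library is needed.
"""
from typing import Dict, List, Set

ROUTE_KINDS = ("httpRoutes", "tcpRoutes", "tlsRoutes")


def declared_ports(spec: dict) -> Dict[int, str]:
    """port -> trafficType from the top-level portLevelSettings."""
    return {int(p["port"]): p["trafficType"] for p in spec.get("portLevelSettings", [])}


def matched_ports(spec: dict) -> Set[int]:
    """Ports referenced by a match condition of any explicit route."""
    return {int(c["port"]) for kind in ROUTE_KINDS for r in spec.get(kind, [])
            for c in r.get("match", []) if "port" in c}


def default_route_ports(spec: dict) -> List[int]:
    """Declared ports that will receive an automatically generated default route."""
    used = matched_ports(spec)
    return sorted(p for p in declared_ports(spec) if p not in used)


def _sticky_problems(port_settings: list, where: str) -> List[str]:
    """TCP ports may only hash on the source IP; any other key is rejected."""
    return [f"{where}: TCP port {p['port']} stickySession may only use useSourceIp"
            for p in port_settings
            if p.get("trafficType") == "TCP" and p.get("stickySession")
            and set(p["stickySession"]) != {"useSourceIp"}]


def lint_service_route(spec: dict) -> List[str]:
    """Return human-readable problems; an empty list means the spec passes these checks."""
    problems: List[str] = []
    ports = declared_ports(spec)
    subsets = spec.get("subsets", [])
    total = sum(s.get("weight", 0) for s in subsets)
    if subsets and total != 100:
        problems.append(f"subset weights add up to {total}, expected 100")
    problems += _sticky_problems(spec.get("portLevelSettings", []), "portLevelSettings")
    for s in subsets:
        problems += _sticky_problems(s.get("portLevelSettings", []), f"subset {s['name']}")
    names = {s["name"] for s in subsets}
    for kind in ROUTE_KINDS:
        for route in spec.get(kind, []):
            tag = f"{kind}/{route.get('name', '?')}"
            for cond in route.get("match", []):
                if "port" in cond and int(cond["port"]) not in ports:
                    problems.append(f"{tag}: match port {cond['port']} not in portLevelSettings")
            dests = route.get("destination", [])
            for d in dests:
                if d.get("subset") not in names:
                    problems.append(f"{tag}: destination subset {d.get('subset')!r} not defined")
                if "port" in d and int(d["port"]) not in ports:
                    problems.append(f"{tag}: destination port {d['port']} not in portLevelSettings")
            # A single destination without a weight implicitly gets 100% (see the fault example).
            if len(dests) > 1 and sum(d.get("weight", 0) for d in dests) != 100:
                problems.append(f"{tag}: destination weights do not add up to 100")
    return problems


# Constructed specs mirroring two of the YAML examples above, plus one deliberately broken spec.
HTTP_DEFAULT_ONLY = {  # port 8080 declared, no explicit routes -> default route on 8080
    "service": "ns1/reviews.ns1.svc.cluster.local",
    "portLevelSettings": [{"port": 8080, "trafficType": "HTTP"}],
    "subsets": [{"name": "v1", "labels": {"version": "v1"}, "weight": 80},
                {"name": "v2", "labels": {"version": "v2"}, "weight": 20}],
}
TCP_EXPLICIT = {  # port 6666 is used by an explicit tcpRoute -> no default route
    "service": "ns1/reviews.ns1.svc.cluster.local",
    "portLevelSettings": [{"port": 6666, "trafficType": "TCP"}],
    "subsets": [{"name": "v1", "labels": {"version": "v1"}, "weight": 50},
                {"name": "v2", "labels": {"version": "v2"}, "weight": 50}],
    "tcpRoutes": [{"name": "tcp-route-match-port-6666-v1-100",
                   "match": [{"name": "match-condition-port-6666-v1-100", "port": 6666}],
                   "destination": [{"subset": "v1", "weight": 100, "port": 6666}]}],
}
BROKEN = {  # header hash on a TCP port, undeclared port 8080, subset weights summing to 110
    "service": "ns1/reviews.ns1.svc.cluster.local",
    "portLevelSettings": [{"port": 443, "trafficType": "TCP",
                           "stickySession": {"header": "x-session-hash"}}],
    "subsets": [{"name": "v1", "labels": {"version": "v1"}, "weight": 80},
                {"name": "v2", "labels": {"version": "v2"}, "weight": 30}],
    "httpRoutes": [{"name": "bad-route", "match": [{"name": "m", "port": 8080}],
                    "destination": [{"subset": "v1", "weight": 100, "port": 8080}]}],
}

if __name__ == "__main__":
    for problem in lint_service_route(BROKEN):
        print("BROKEN:", problem)
```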

Responses

Request samples

Content type
application/json
{
  • "name": "string",
  • "serviceRoute": {
    }
}

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "displayName": "string",
  • "etag": "string",
  • "description": "string",
  • "service": "string",
  • "subsets": [
    ],
  • "stickySession": {
    },
  • "portLevelSettings": [
    ],
  • "httpRoutes": [
    ],
  • "tcpRoutes": [
    ],
  • "configGenerationMetadata": {
    }
}

Get the details of the given service route.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

trafficgroup
required
string

Trafficgroup name.

serviceroute
required
string

Serviceroute name.

Responses

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "displayName": "string",
  • "etag": "string",
  • "description": "string",
  • "service": "string",
  • "subsets": [
    ],
  • "stickySession": {
    },
  • "portLevelSettings": [
    ],
  • "httpRoutes": [
    ],
  • "tcpRoutes": [
    ],
  • "configGenerationMetadata": {
    }
}

Modify a service route.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

trafficgroup
required
string

Trafficgroup name.

serviceroute
required
string

Serviceroute name.

Request Body schema: application/json
required
object (v2ConfigGenerationMetadata)

ConfigGenerationMetadata allows extra metadata, such as labels or annotations, to be added to the final generated Istio configuration. Config generation metadata defined on tenancy resources (organization, tenant, workspace or groups) acts as default values for the configurations that belong to them. The same config generation metadata defined on configuration resources (ingress gateways, service routes, etc.) replaces the values defined on the tenancy resources.

description
string (A description of the resource. $hide_from_yaml)
displayName
string (User friendly name for the resource. $hide_from_yaml)
etag
string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)
Array of objects (v2HTTPRoute)

HTTPRoutes are used when HTTP traffic needs to be matched on uri, headers and port and destination routes need to be set using subset-weight combinations specified within the route. Note: If a route is specified, then the global subset-weight combinations (specified under subsets) will be ignored for the matched port, as subsets within route will take effect.

Array of objects (In order to support multi-protocol routing, a list of all port/protocol combinations is needed. These port settings are applied to all the subsets)
service
required
string

The service on which the configuration is being applied. Must be in namespace/FQDN format.

object (ServiceRouteStickySession)

If set, all requests from a client will be forwarded to the same backend.

Array of objects (v2ServiceRouteSubset)

The set of versions of a service and the percentage of traffic to send to each version.

Array of objects (v2TCPRoute)

TCPRoutes match TCP traffic based on port number. The subset-weight configuration and priority have the same behaviour as HTTPRoutes.

Responses

Request samples

Content type
application/json
{
  • "configGenerationMetadata": {
    },
  • "description": "string",
  • "displayName": "string",
  • "etag": "string",
  • "httpRoutes": [
    ],
  • "portLevelSettings": [
    ],
  • "service": "string",
  • "stickySession": {
    },
  • "subsets": [
    ],
  • "tcpRoutes": [
    ]
}

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "displayName": "string",
  • "etag": "string",
  • "description": "string",
  • "service": "string",
  • "subsets": [
    ],
  • "stickySession": {
    },
  • "portLevelSettings": [
    ],
  • "httpRoutes": [
    ],
  • "tcpRoutes": [
    ],
  • "configGenerationMetadata": {
    }
}

Delete the given service route.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

trafficgroup
required
string

Trafficgroup name.

serviceroute
required
string

Serviceroute name.

Responses

Response samples

Content type
application/json
{ }

List all service traffic settings objects that have been attached to the traffic group.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

trafficgroup
required
string

Trafficgroup name.

Responses

Response samples

Content type
application/json
{
  • "serviceSettings": [
    ]
}

Create a service traffic settings object in the traffic group.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

trafficgroup
required
string

Trafficgroup name.

Request Body schema: application/json
required
name
required
string

The short name for the resource to be created.

required
object (v2ServiceTrafficSetting)

A service traffic setting applies configuration to a service in a traffic group. Unset fields will inherit values from the workspace-wide setting if any.

ServiceTrafficSetting allows configuring traffic related properties such as resiliency, reachability, load balancing and egress proxy for a particular service in a traffic group. These settings will merge and overwrite the traffic group wide settings.

The following example creates a traffic group for the proxy workloads in the ns1, ns2 and ns3 namespaces, owned by its parent workspace w1 under tenant mycompany. It then defines a service traffic setting for the workloads selected by the service foo.ns1.svc.cluster.local. This setting limits the workloads of foo.ns1.svc.cluster.local to discovering only the services in the ns1, ns2, ns3 and db namespaces. It also configures outbound traffic to any service or IP that is not part of the mesh to be forwarded through the egress gateway deployed in the istio-system namespace.

apiVersion: traffic.tsb.tetrate.io/v2
kind: Group
metadata:
  name: t1
  workspace: w1
  tenant: mycompany
  organization: myorg
spec:
  namespaceSelector:
    names:
    - "*/ns1"
    - "*/ns2"
    - "*/ns3"
  configMode: BRIDGED

And the associated service traffic settings:

apiVersion: traffic.tsb.tetrate.io/v2
kind: ServiceTrafficSetting
metadata:
  name: defaults
  group: t1
  workspace: w1
  tenant: mycompany
  organization: myorg
spec:
  service: ns1/foo.ns1.svc.cluster.local
  settings:
    outbound:
      reachability:
        mode: CUSTOM
        hosts:
        - "ns1/*"
        - "ns2/*"
        - "ns3/*"
        - "db/*"
      upstreamTrafficSettings:
      - hosts:
        - "*"
        settings:
          resilience:
            circuitBreakerSensitivity: MEDIUM
      egress:
        host: istio-system/istio-egressgateway

The following service traffic setting confines the reachability of the service foo.ns1.svc.cluster.local sidecar proxies in the traffic group t1 to other namespaces inside the group. The resilience and egress gateway settings will be inherited from the workspace wide traffic setting.

apiVersion: traffic.tsb.tetrate.io/v2
kind: ServiceTrafficSetting
metadata:
  name: defaults
  group: t1
  workspace: w1
  tenant: mycompany
  organization: myorg
spec:
  service: ns1/foo.ns1.svc.cluster.local
  settings:
    outbound:
      reachability:
        mode: GROUP

Responses

Request samples

Content type
application/json
{
  • "name": "string",
  • "serviceSetting": {
    }
}

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "displayName": "string",
  • "etag": "string",
  • "description": "string",
  • "service": "string",
  • "settings": {
    },
  • "configGenerationMetadata": {
    }
}

Get the details of the given service traffic settings object.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

trafficgroup
required
string

Trafficgroup name.

servicesetting
required
string

Servicesetting name.

Responses

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "displayName": "string",
  • "etag": "string",
  • "description": "string",
  • "service": "string",
  • "settings": {
    },
  • "configGenerationMetadata": {
    }
}

Modify the given service traffic settings object.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

trafficgroup
required
string

Trafficgroup name.

servicesetting
required
string

Servicesetting name.

Request Body schema: application/json
required
object (v2ConfigGenerationMetadata)

ConfigGenerationMetadata allows extra metadata, such as labels or annotations, to be added to the final generated Istio configuration. Config generation metadata defined on tenancy resources (organization, tenant, workspace or groups) acts as default values for the configurations that belong to them. The same config generation metadata defined on configuration resources (ingress gateways, service routes, etc.) replaces the values defined on the tenancy resources.

description
string (A description of the resource. $hide_from_yaml)
displayName
string (User friendly name for the resource. $hide_from_yaml)
etag
string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)
service
required
string

The service on which the configuration is being applied. Must be in namespace/FQDN format.

Only one service traffic setting can be given per service. Any conflicting configuration created later will be rejected by TSB.

required
object (v2TrafficSetting)

A traffic setting applies configuration to a set of proxy workloads in a traffic group or a workspace. When applied to a traffic group, missing fields will inherit values from the workspace-wide setting if any.

Traffic Settings allow configuring the behavior of the proxy workloads in a set of namespaces owned by a traffic group. Specifically, it allows configuring the dependencies of proxy workloads on namespaces outside the traffic group as well as reliability settings for outbound calls made by the proxy workloads to other services.

This is a global object that uniquely configures the traffic group, and there can be only one traffic setting object defined for each traffic group.

The following example creates a traffic group for the proxy workloads in the ns1, ns2 and ns3 namespaces, owned by its parent workspace w1 under tenant mycompany. It then defines a traffic setting for all workloads in these namespaces, adding a dependency on all the services in the shared db namespace and forwarding all unknown traffic via the egress gateway in the istio-system namespace.

apiVersion: traffic.tsb.tetrate.io/v2
kind: Group
metadata:
  name: t1
  workspace: w1
  tenant: mycompany
  organization: myorg
spec:
  namespaceSelector:
    names:
    - "*/ns1"
    - "*/ns2"
    - "*/ns3"
  configMode: BRIDGED

And the associated traffic settings for the proxy workloads:

apiVersion: traffic.tsb.tetrate.io/v2
kind: TrafficSetting
metadata:
  name: defaults
  group: t1
  workspace: w1
  tenant: mycompany
  organization: myorg
spec:
  outbound:
    reachability:
      mode: CUSTOM
      hosts:
      - "ns1/*"
      - "ns2/*"
      - "ns3/*"
      - "db/*"
    upstreamTrafficSettings:
    - hosts:
      - '*'
      settings:
        resilience:
          circuitBreakerSensitivity: MEDIUM
    egress:
      host: istio-system/istio-egressgateway

To set the load balancing algorithm to ROUND_ROBIN for all outbound requests to the service foo.bar.svc.cluster.local from clients in the t1 traffic group:

apiVersion: traffic.tsb.tetrate.io/v2
kind: TrafficSetting
metadata:
  name: defaults
  group: t1
  workspace: w1
  tenant: mycompany
  organization: myorg
spec:
  outbound:
    upstreamTrafficSettings:
    - hosts:
      - 'foo.bar.svc.cluster.local'
      settings:
        loadBalancer:
          simple: ROUND_ROBIN

upstreamTrafficSettings configures outbound traffic per group of upstream hosts, so that a particular set of hosts shares one setting. In the example below, all outbound requests to hosts matching the wildcard *.ns1.svc.cluster.local use a request timeout of 10s, while hosts matching *.ns2.svc.cluster.local and *.ns3.svc.cluster.local use a request timeout of 5s.

apiVersion: traffic.tsb.tetrate.io/v2
kind: TrafficSetting
metadata:
  name: defaults
  group: t1
  workspace: w1
  tenant: mycompany
  organization: myorg
spec:
  outbound:
    upstreamTrafficSettings:
    - hosts:
      - '*.ns1.svc.cluster.local'
      settings:
        resilience:
          connectionPool:
            http:
              requestTimeout: 10s
    - hosts:
      - '*.ns2.svc.cluster.local'
      - '*.ns3.svc.cluster.local'
      settings:
        resilience:
          connectionPool:
            http:
              requestTimeout: 5s

The following traffic setting confines the reachability of proxy workloads in the traffic group t1 to other namespaces inside the group. The resilience and egress gateway settings will be inherited from the workspace wide traffic setting.

apiVersion: traffic.tsb.tetrate.io/v2
kind: TrafficSetting
metadata:
  name: defaults
  group: t1
  workspace: w1
  tenant: mycompany
  organization: myorg
spec:
  outbound:
    reachability:
      mode: GROUP

The fields above have been moved into two separate sections, inbound and outbound, to allow finer control over them. The example below configures a traffic setting for all services in traffic group t1 with knobs similar to those in the earlier examples:

apiVersion: traffic.tsb.tetrate.io/v2
kind: TrafficSetting
metadata:
  name: defaults
  group: t1
  workspace: w1
  tenant: mycompany
  organization: myorg
spec:
  inbound:
    resilience:
      connectionPool:
        tcp:
          keepAlive:
            idleTime: 300
  outbound:
    reachability:
      mode: GROUP
    upstreamTrafficSettings:
    - hosts:
      - '*.ns1.svc.cluster.local'
      settings:
        resilience:
          connectionPool:
            http:
              requestTimeout: 10s

This traffic setting configuration specifies upstream traffic settings for specific hosts within the client namespace. It is associated with the w1 workspace and the t1 traffic group.

apiVersion: traffic.tsb.tetrate.io/v2
kind: TrafficSetting
metadata:
  name: client-upstream-traffic-setting
  namespace: client
  group: t1
  workspace: w1
  tenant: mycompany
  organization: myorg
spec:
  outbound:
    upstreamTrafficSettings:
    - hosts:
      - 'httpbin.app1.svc.cluster.local'
      - '*.app3.svc.cluster.local'
      - '*.app4.svc.cluster.local'
      settings:
        authentication:
          trafficMode: REQUIRED
    - hosts:
      - '*.app2.svc.cluster.local'
      - 'tetrate.app4.svc.cluster.local'
      settings:
        authentication:
          trafficMode: OPTIONAL

This configuration specifies authentication requirements for traffic to the following hosts:

  • httpbin.app1.svc.cluster.local requires mTLS authentication.
  • All non-injected services in app3 namespace require mTLS authentication.
  • All non-injected services in app4 namespace require mTLS authentication, except for tetrate.app4.svc.cluster.local, which is excluded.
  • Authentication enforcement is skipped for all non-injected services in app2 namespace.
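
As an added example (not Tetrate code), the following Python resolver models the TrafficSetting behaviour described above, which applies to the settings block of a service traffic setting and to a traffic group setting alike: GROUP and CUSTOM reachability, and upstreamTrafficSettings host matching where, as the app4 example implies, an exact host entry overrides a wildcard one. The specs are constructed from the examples on this page; other reachability modes and inheritance from the workspace setting are not modeled.

```python
"""Resolve which TrafficSetting knobs govern an outbound call (added example, not Tetrate's code).

Models two behaviours from the TrafficSetting documentation above:
  * outbound.reachability with mode GROUP (only the traffic group's own namespaces) or CUSTOM
    (an explicit list of "namespace/host" patterns); other modes are not modeled here;
  * outbound.upstreamTrafficSettings, where an entry applies to the hosts it lists and, as the
    app4 example implies, an exact host entry takes precedence over a wildcard entry.
"""
from typing import Iterable, Optional, Tuple


def host_matches(pattern: str, host: str) -> bool:
    """'*' matches every host, '*.suffix' matches any host under suffix, otherwise exact."""
    if pattern == "*":
        return True
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])
    return pattern == host


def specificity(pattern: str) -> Tuple[bool, int]:
    """Exact hosts beat wildcards; among wildcards the longer literal suffix wins."""
    return ("*" not in pattern, len(pattern.replace("*", "")))


def upstream_settings_for(spec: dict, host: str) -> Optional[dict]:
    """The `settings` block of the most specific upstreamTrafficSettings entry matching host."""
    best: Optional[Tuple[Tuple[bool, int], dict]] = None
    for entry in spec.get("outbound", {}).get("upstreamTrafficSettings", []):
        for pattern in entry.get("hosts", []):
            if host_matches(pattern, host) and (best is None or specificity(pattern) > best[0]):
                best = (specificity(pattern), entry.get("settings", {}))
    return None if best is None else best[1]


def traffic_mode(spec: dict, host: str) -> Optional[str]:
    """authentication.trafficMode that applies to host, or None if no entry matches."""
    settings = upstream_settings_for(spec, host)
    return None if settings is None else settings.get("authentication", {}).get("trafficMode")


def request_timeout(spec: dict, host: str) -> Optional[str]:
    """resilience.connectionPool.http.requestTimeout that applies to host, if any."""
    settings = upstream_settings_for(spec, host) or {}
    pool = settings.get("resilience", {}).get("connectionPool", {})
    return pool.get("http", {}).get("requestTimeout")


def is_reachable(spec: dict, group_namespaces: Iterable[str], dest_ns: str, host: str) -> bool:
    """Can a proxy governed by this setting discover `host`, which lives in namespace `dest_ns`?"""
    reach = spec.get("outbound", {}).get("reachability", {})
    mode = reach.get("mode")
    if mode == "GROUP":
        return dest_ns in set(group_namespaces)
    if mode == "CUSTOM":
        for pattern in reach.get("hosts", []):
            ns, _, svc = pattern.partition("/")
            if ns in ("*", dest_ns) and host_matches(svc, host):
                return True
        return False
    # An unset mode inherits the workspace-wide setting, which this example does not model.
    raise ValueError(f"reachability mode {mode!r} not modeled")


# Constructed specs mirroring the documentation examples above.
T1_NAMESPACES = ["ns1", "ns2", "ns3"]
CUSTOM_REACH = {"outbound": {"reachability": {"mode": "CUSTOM",
                                              "hosts": ["ns1/*", "ns2/*", "ns3/*", "db/*"]}}}
GROUP_REACH = {"outbound": {"reachability": {"mode": "GROUP"}}}
TIMEOUTS = {"outbound": {"upstreamTrafficSettings": [
    {"hosts": ["*.ns1.svc.cluster.local"],
     "settings": {"resilience": {"connectionPool": {"http": {"requestTimeout": "10s"}}}}},
    {"hosts": ["*.ns2.svc.cluster.local", "*.ns3.svc.cluster.local"],
     "settings": {"resilience": {"connectionPool": {"http": {"requestTimeout": "5s"}}}}},
]}}
AUTH = {"outbound": {"upstreamTrafficSettings": [
    {"hosts": ["httpbin.app1.svc.cluster.local", "*.app3.svc.cluster.local",
               "*.app4.svc.cluster.local"],
     "settings": {"authentication": {"trafficMode": "REQUIRED"}}},
    {"hosts": ["*.app2.svc.cluster.local", "tetrate.app4.svc.cluster.local"],
     "settings": {"authentication": {"trafficMode": "OPTIONAL"}}},
]}}

if __name__ == "__main__":
    for h in ("bar.app4.svc.cluster.local", "tetrate.app4.svc.cluster.local"):
        print(h, "->", traffic_mode(AUTH, h))
```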

Responses

Request samples

Content type
application/json
{
  • "configGenerationMetadata": {
    },
  • "description": "string",
  • "displayName": "string",
  • "etag": "string",
  • "service": "string",
  • "settings": {
    }
}

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "displayName": "string",
  • "etag": "string",
  • "description": "string",
  • "service": "string",
  • "settings": {
    },
  • "configGenerationMetadata": {
    }
}

Delete the given service traffic settings from the group.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

trafficgroup
required
string

Trafficgroup name.

servicesetting
required
string

Servicesetting name.

Responses

Response samples

Content type
application/json
{ }

List all the settings objects that have been attached to the given traffic group.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

trafficgroup
required
string

Trafficgroup name.

Responses

Response samples

Content type
application/json
{
  • "settings": [
    ]
}

Create a settings object for the given traffic group.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

trafficgroup
required
string

Trafficgroup name.

Request Body schema: application/json
required
name
required
string

The short name for the resource to be created.

required
object (v2TrafficSetting)

A traffic setting applies configuration to a set of proxy workloads in a traffic group or a workspace. When applied to a traffic group, missing fields will inherit values from the workspace-wide setting if any.

Traffic Settings allow configuring the behavior of the proxy workloads in a set of namespaces owned by a traffic group. Specifically, it allows configuring the dependencies of proxy workloads on namespaces outside the traffic group as well as reliability settings for outbound calls made by the proxy workloads to other services.

This is a global object that uniquely configures the traffic group, and there can be only one traffic setting object defined for each traffic group.

The following example creates a traffic group for the proxy workloads in the ns1, ns2 and ns3 namespaces, owned by its parent workspace w1 under tenant mycompany. It then defines a traffic setting for all workloads in these namespaces, adding a dependency on all the services in the shared db namespace and forwarding all unknown traffic via the egress gateway in the istio-system namespace.

apiVersion: traffic.tsb.tetrate.io/v2
kind: Group
metadata:
  name: t1
  workspace: w1
  tenant: mycompany
  organization: myorg
spec:
  namespaceSelector:
    names:
    - "*/ns1"
    - "*/ns2"
    - "*/ns3"
  configMode: BRIDGED

And the associated traffic settings for the proxy workloads:

apiVersion: traffic.tsb.tetrate.io/v2
kind: TrafficSetting
metadata:
  name: defaults
  group: t1
  workspace: w1
  tenant: mycompany
  organization: myorg
spec:
  outbound:
    reachability:
      mode: CUSTOM
      hosts:
      - "ns1/*"
      - "ns2/*"
      - "ns3/*"
      - "db/*"
    upstreamTrafficSettings:
    - hosts:
      - '*'
      settings:
        resilience:
          circuitBreakerSensitivity: MEDIUM
    egress:
      host: istio-system/istio-egressgateway

To set the load balancing algorithm to ROUND_ROBIN for all outbound requests to the service foo.bar.svc.cluster.local from clients in the t1 traffic group:

apiVersion: traffic.tsb.tetrate.io/v2
kind: TrafficSetting
metadata:
  name: defaults
  group: t1
  workspace: w1
  tenant: mycompany
  organization: myorg
spec:
  outbound:
    upstreamTrafficSettings:
    - hosts:
      - 'foo.bar.svc.cluster.local'
      settings:
        loadBalancer:
          simple: ROUND_ROBIN

upstreamTrafficSettings configures outbound traffic per group of upstream hosts, so that a particular set of hosts shares one setting. In the example below, all outbound requests to hosts matching the wildcard *.ns1.svc.cluster.local use a request timeout of 10s, while hosts matching *.ns2.svc.cluster.local and *.ns3.svc.cluster.local use a request timeout of 5s.

apiVersion: traffic.tsb.tetrate.io/v2
kind: TrafficSetting
metadata:
  name: defaults
  group: t1
  workspace: w1
  tenant: mycompany
  organization: myorg
spec:
  outbound:
    upstreamTrafficSettings:
    - hosts:
      - '*.ns1.svc.cluster.local'
      settings:
        resilience:
          connectionPool:
            http:
              requestTimeout: 10s
    - hosts:
      - '*.ns2.svc.cluster.local'
      - '*.ns3.svc.cluster.local'
      settings:
        resilience:
          connectionPool:
            http:
              requestTimeout: 5s

The following traffic setting confines the reachability of proxy workloads in the traffic group t1 to other namespaces inside the group. The resilience and egress gateway settings will be inherited from the workspace wide traffic setting.

apiVersion: traffic.tsb.tetrate.io/v2
kind: TrafficSetting
metadata:
  name: defaults
  group: t1
  workspace: w1
  tenant: mycompany
  organization: myorg
spec:
  outbound:
    reachability:
      mode: GROUP

The fields above have been moved into two separate sections, inbound and outbound, to allow finer control over them. The example below configures a traffic setting for all services in traffic group t1 with knobs similar to those in the earlier examples:

apiVersion: traffic.tsb.tetrate.io/v2
kind: TrafficSetting
metadata:
  name: defaults
  group: t1
  workspace: w1
  tenant: mycompany
  organization: myorg
spec:
  inbound:
    resilience:
      connectionPool:
        tcp:
          keepAlive:
            idleTime: 300
  outbound:
    reachability:
      mode: GROUP
    upstreamTrafficSettings:
    - hosts:
      - '*.ns1.svc.cluster.local'
      settings:
        resilience:
          connectionPool:
            http:
              requestTimeout: 10s

This traffic setting configuration specifies upstream traffic settings for specific hosts within the client namespace. It is associated with the w1 workspace and the t1 traffic group.

apiVersion: traffic.tsb.tetrate.io/v2
kind: TrafficSetting
metadata:
  name: client-upstream-traffic-setting
  namespace: client
  group: t1
  workspace: w1
  tenant: mycompany
  organization: myorg
spec:
  outbound:
    upstreamTrafficSettings:
    - hosts:
      - 'httpbin.app1.svc.cluster.local'
      - '*.app3.svc.cluster.local'
      - '*.app4.svc.cluster.local'
      settings:
        authentication:
          trafficMode: REQUIRED
    - hosts:
      - '*.app2.svc.cluster.local'
      - 'tetrate.app4.svc.cluster.local'
      settings:
        authentication:
          trafficMode: OPTIONAL

This configuration specifies authentication requirements for traffic to the following hosts:

  • httpbin.app1.svc.cluster.local requires mTLS authentication.
  • All non-injected services in app3 namespace require mTLS authentication.
  • All non-injected services in app4 namespace require mTLS authentication, except for tetrate.app4.svc.cluster.local, which is excluded.
  • Authentication enforcement is skipped for all non-injected services in app2 namespace.
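The two outbound mechanisms shown above, reachability (which hosts a sidecar may talk to at all) and upstreamTrafficSettings (which per-host settings apply, with an exact host such as tetrate.app4.svc.cluster.local overriding a wildcard such as *.app4.svc.cluster.local), can be checked offline before a setting is applied. The following Python is an added example written for this page, not TSB code: it models the page's examples as dicts and resolves both questions for a given destination host. The matching order (exact host beats wildcard beats bare `*`, ties go to the earliest entry) and the treatment of a missing reachability block as "no restriction" are assumptions, not documented TSB behaviour.

```python
import fnmatch
from typing import Optional

# Constructed data modelled on the page's examples (dicts instead of YAML).
# Reachability hosts are "<namespace>/<service>" patterns, e.g. "db/*".
REACHABILITY_CUSTOM = {"mode": "CUSTOM",
                       "hosts": ["ns1/*", "ns2/*", "ns3/*", "db/*"]}
REACHABILITY_GROUP = {"mode": "GROUP"}
GROUP_NAMESPACES = {"ns1", "ns2", "ns3"}   # namespaces selected by group t1

# upstreamTrafficSettings from the page's client-upstream-traffic-setting.
UPSTREAM_SETTINGS = [
    {"hosts": ["httpbin.app1.svc.cluster.local",
               "*.app3.svc.cluster.local",
               "*.app4.svc.cluster.local"],
     "settings": {"authentication": {"trafficMode": "REQUIRED"}}},
    {"hosts": ["*.app2.svc.cluster.local",
               "tetrate.app4.svc.cluster.local"],
     "settings": {"authentication": {"trafficMode": "OPTIONAL"}}},
]

# A catch-all '*' entry next to a namespace wildcard, as in the first example.
DEFAULT_PLUS_NS1 = [
    {"hosts": ["*"],
     "settings": {"resilience": {"circuitBreakerSensitivity": "MEDIUM"}}},
    {"hosts": ["*.ns1.svc.cluster.local"],
     "settings": {"resilience": {"connectionPool": {"http": {"requestTimeout": "10s"}}}}},
]


def split_host(host: str) -> tuple[str, str]:
    """Return (service, namespace) for a Kubernetes service FQDN."""
    parts = host.split(".")
    if len(parts) < 2:
        raise ValueError(f"not a service FQDN: {host}")
    return parts[0], parts[1]


def is_reachable(reachability: Optional[dict], host: str,
                 group_namespaces: set[str]) -> bool:
    """Decide whether a sidecar may reach `host` under a reachability setting.
    Assumption: a missing reachability block means no restriction."""
    if not reachability:
        return True
    mode = reachability.get("mode")
    service, namespace = split_host(host)
    if mode == "GROUP":
        return namespace in group_namespaces
    if mode == "CUSTOM":
        for pattern in reachability.get("hosts", []):
            ns_pat, _, svc_pat = pattern.partition("/")
            if (fnmatch.fnmatchcase(namespace, ns_pat)
                    and fnmatch.fnmatchcase(service, svc_pat or "*")):
                return True
        return False
    raise ValueError(f"unsupported reachability mode: {mode}")


def specificity(pattern: str, host: str) -> int:
    """3 = exact host, 2 = wildcard such as *.ns.svc.cluster.local,
    1 = bare '*', 0 = no match. Higher wins (assumption: exact beats
    wildcard, as the page's tetrate.app4 exclusion implies)."""
    if pattern == host:
        return 3
    if pattern == "*":
        return 1
    return 2 if fnmatch.fnmatchcase(host, pattern) else 0


def resolve_upstream(upstream_settings: list[dict], host: str) -> Optional[dict]:
    """Pick the settings block whose host list matches `host` most
    specifically. Ties go to the earliest entry (assumption)."""
    best, best_score = None, 0
    for entry in upstream_settings:
        score = max(specificity(p, host) for p in entry["hosts"])
        if score > best_score:
            best, best_score = entry["settings"], score
    return best


def auth_mode(upstream_settings: list[dict], host: str) -> Optional[str]:
    """Effective authentication trafficMode for `host`, or None if unset."""
    settings = resolve_upstream(upstream_settings, host)
    if settings is None:
        return None
    return settings.get("authentication", {}).get("trafficMode")


if __name__ == "__main__":
    for h in ["httpbin.app1.svc.cluster.local", "tetrate.app4.svc.cluster.local",
              "bar.app4.svc.cluster.local", "x.app2.svc.cluster.local",
              "y.app9.svc.cluster.local"]:
        print(f"{h:35} reachable={is_reachable(REACHABILITY_GROUP, h, GROUP_NAMESPACES)} "
              f"auth={auth_mode(UPSTREAM_SETTINGS, h)}")
```

Running the resolver over the four bullet points above reproduces them: bar.app4 gets REQUIRED from the wildcard, while tetrate.app4 gets OPTIONAL from its exact entry. The same check applied before a change lands is a cheap way to catch a wildcard that silently downgrades mTLS for a host you meant to keep REQUIRED.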

Responses

Request samples

Content type
application/json
{
  "name": "string",
  "settings": {}
}

Response samples

Content type
application/json
{
  "fqn": "string",
  "displayName": "string",
  "etag": "string",
  "description": "string",
  "reachability": {},
  "resilience": {},
  "egress": {},
  "rateLimiting": {},
  "upstreamTrafficSettings": [],
  "inbound": {},
  "outbound": {},
  "configGenerationMetadata": {}
}

Get the details for the given settings object.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

trafficgroup
required
string

Trafficgroup name.

setting
required
string

Setting name.

Responses

Response samples

Content type
application/json
{
  "fqn": "string",
  "displayName": "string",
  "etag": "string",
  "description": "string",
  "reachability": {},
  "resilience": {},
  "egress": {},
  "rateLimiting": {},
  "upstreamTrafficSettings": [],
  "inbound": {},
  "outbound": {},
  "configGenerationMetadata": {}
}

Modify the given settings in the given traffic group.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

trafficgroup
required
string

Trafficgroup name.

setting
required
string

Setting name.

Request Body schema: application/json
required
object (v2ConfigGenerationMetadata)

ConfigGenerationMetadata allows extra metadata, such as labels or annotations, to be added to the final Istio configurations that TSB generates. Config generation metadata defined in tenancy resources (organization, tenant, workspace or groups) acts as the default for the configurations that belong to them. The same metadata defined in configuration resources (ingress gateways, service routes, etc.) replaces the values defined in the tenancy resources.

description
string (A description of the resource.)
displayName
string (User friendly name for the resource.)
object (v2TrafficSettingEgressGateway)

EgressGateway specifies the gateway where traffic external to the mesh will be redirected.

etag
string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications.)
object (tsbtrafficv2InboundTrafficSetting)

Configuration for inbound traffic.

object (tsbtrafficv2OutboundTrafficSetting)

Configuration for outbound traffic.

object (tsbgatewayv2RateLimiting)

Configuration for rate limiting. HTTP/gRPC requests can be rate limited based on a variety of attributes in the request, such as headers (including cookies), URL path or prefixes, client remote address, etc.

object (tsbtrafficv2ReachabilitySettings)

ReachabilitySettings define the set of services and hosts accessed by a workload (and hence its sidecar) in the mesh. Declaring the set of services a workload accesses (i.e. its dependencies) in advance reduces the memory and CPU consumption of both the Istio control plane and the individual Envoy proxy workloads in the data plane.

object (v2ResilienceSettings)

ResilienceSettings control the reliability knobs in Envoy when making outbound connections from a gateway or proxy workload.

Array of objects (tsbtrafficv2UpstreamTrafficSettings)

List of hosts and the associated traffic settings to be used by the clients that are downstreams to the defined upstream hosts.

DEPRECATED. Moved to outbound.

Responses

Request samples

Content type
application/json
{
  "configGenerationMetadata": {},
  "description": "string",
  "displayName": "string",
  "egress": {},
  "etag": "string",
  "inbound": {},
  "outbound": {},
  "rateLimiting": {},
  "reachability": {},
  "resilience": {},
  "upstreamTrafficSettings": []
}

Response samples

Content type
application/json
{
  "fqn": "string",
  "displayName": "string",
  "etag": "string",
  "description": "string",
  "reachability": {},
  "resilience": {},
  "egress": {},
  "rateLimiting": {},
  "upstreamTrafficSettings": [],
  "inbound": {},
  "outbound": {},
  "configGenerationMetadata": {}
}

Delete the given settings object from the traffic group.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

trafficgroup
required
string

Trafficgroup name.

setting
required
string

Setting name.

Responses

Response samples

Content type
application/json
{ }

Clusters

Get the list of all clusters that have been onboarded into the platform.

path Parameters
organization
required
string

Organization name.

query Parameters
fetchWorkloads
boolean

Flag to fetch the workload information for all the clusters as well. Note that by default workload information is not returned as it may be expensive to retrieve.

Responses

Response samples

Content type
application/json
{
  "clusters": []
}

Creates a new cluster object in TSB. This is needed during cluster onboarding to let the management plane know that the cluster exists. Once a cluster has been created and fully onboarded, the management plane manages the mesh for that cluster and keeps this cluster entity up to date with the information reported by the cluster agents. This method returns the created cluster, which will be continuously updated by the local cluster agents; the entity can be monitored for an overview of the resources (namespaces, services, etc.) known to be running in the cluster.

This action also creates a service account with permissions to manage this cluster. This service account (the cluster service account) can be used by the ControlPlane installation to authenticate to the ManagementPlane.

The response includes a template (in the installTemplate field) with the minimum configuration needed to install the TSB Operator in the cluster running as the ControlPlane. This data is not stored and is only available in the response of this action.

This method requires CREATE permissions over the Cluster resource and SET_POLICY permissions over the Organization resource, because it returns the keys for the newly created cluster service account, which has admin-wide permissions.

path Parameters
organization
required
string

Organization name.

Request Body schema: application/json
required
required
object (tsbv2Cluster)

A Kubernetes cluster managing both pods and VMs.

Each Kubernetes cluster managed by Service Bridge must be onboarded before configurations can be applied to the services in the cluster. Onboarding a cluster is a two-step process. First, create a cluster object under the appropriate tenant; once it is created, its status field provides the set of join tokens that the Service Bridge agent on the cluster will use to talk to the Service Bridge management plane. Second, deploy the Service Bridge agent on the cluster with the join tokens and deploy Istio on the cluster. The following example creates a cluster named c1 under the tenant mycompany, indicating that the cluster is deployed on a network "vpc-01" corresponding to the AWS VPC where it resides.

apiVersion: api.tsb.tetrate.io/v2
kind: Cluster
metadata:
  name: c1
  organization: myorg
  labels:
    env: uat-demo
spec:
  tokenTtl: "1h"
  network: vpc-01

Note that configuration profiles such as traffic, security and gateway groups will flow to the Bridge agents in the cluster as long as their requested cluster exists in the Service Bridge hierarchy.

name
required
string

The short name for the resource to be created.

Responses

Request samples

Content type
application/json
{
  "cluster": {},
  "name": "string"
}

Response samples

Content type
application/json
{
  "fqn": "string",
  "displayName": "string",
  "etag": "string",
  "description": "string",
  "tokenTtl": "string",
  "network": "string",
  "tier1Cluster": true,
  "namespaces": [],
  "labels": {},
  "locality": {},
  "trustDomain": "string",
  "namespaceScope": {},
  "state": {},
  "serviceAccount": {},
  "installTemplate": {},
  "configGenerationMetadata": {}
}

Get the last known state for an onboarded cluster. Once a cluster has been onboarded into the platform, the agents will keep it up to date with its runtime status. Getting the cluster object will return the last known snapshot of existing namespaces and services running in it.

This method can also return the install template used to onboard the Cluster, when the includeInstallTemplate request field is set to true.

This requires READ permissions over the Cluster resource, to return the last known state of the cluster. The Organization SET_POLICY permission is needed when the install template is requested, since a new API key pair will be generated for the Cluster's Service Account.

path Parameters
organization
required
string

Organization name.

cluster
required
string

Cluster name.

query Parameters
fetchWorkloads
boolean

Flag to fetch the workload information as well. Note that by default workload information is not returned as it may be expensive to retrieve.

includeInstallTemplate
boolean

Flag to return the install template required to install this cluster. This will generate a new API key pair for the cluster service account.

Responses

Response samples

Content type
application/json
{
  "fqn": "string",
  "displayName": "string",
  "etag": "string",
  "description": "string",
  "tokenTtl": "string",
  "network": "string",
  "tier1Cluster": true,
  "namespaces": [],
  "labels": {},
  "locality": {},
  "trustDomain": "string",
  "namespaceScope": {},
  "state": {},
  "serviceAccount": {},
  "installTemplate": {},
  "configGenerationMetadata": {}
}

Modify an existing cluster. Updates a cluster with the given data. Note that most of the data in the cluster is read-only and automatically populated by the local cluster agents.

path Parameters
organization
required
string

Organization name.

cluster
required
string

Cluster name.

Request Body schema: application/json
required
object (v2ConfigGenerationMetadata)

ConfigGenerationMetadata allows extra metadata, such as labels or annotations, to be added to the final Istio configurations that TSB generates. Config generation metadata defined in tenancy resources (organization, tenant, workspace or groups) acts as the default for the configurations that belong to them. The same metadata defined in configuration resources (ingress gateways, service routes, etc.) replaces the values defined in the tenancy resources.

description
string (A description of the resource.)
displayName
string (User friendly name for the resource.)
etag
string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications.)
object (ClusterInstallTemplate)

InstallTemplate provides templates ready to be used in the ControlPlane (cluster onboard) installation.

object (FIXME: this is super clunky to copy each and every metadata field into objects used for multicluster.)
object (tsbv2Locality)

The region in which the cluster resides. Used for failover-based routing when configured in the workspace or global settings.

object (v2NamespaceScoping)

Configure the default scoping of namespaces in this cluster.

network
string

The network (e.g., VPC) where this cluster is present. All clusters within the same network will be assumed to be reachable for the purposes of multi-cluster routing. In addition, networks marked as reachable from one another in SystemSettings will also be used for multi-cluster routing.

object (tsbv2ServiceAccount)

ServiceAccount represents a service account that can be used to access the TSB platform. Service accounts have a set of associated public and private keys that can be used to generate signed JWT tokens that are suitable to authenticate to TSB. A default key-pair is generated on service account creation and the public key is stored in TSB. Private keys are returned when service accounts are created, but TSB will not store them. It is up to the client to store them securely.

The following example creates a service account named my-sa under the organization myorg.

apiVersion: api.tsb.tetrate.io/v2
kind: ServiceAccount
metadata:
  name: my-sa
  organization: myorg
spec:
  displayName: My Service Account
  description: Service account used for service integrations
object (State represents the cluster info learned from the onboarded cluster)
tier1Cluster
boolean

Deprecated: This flag is still honored for backward compatibility but will be ignored in future releases. It is advisable not to set it, as all clusters can now host both Tier1 and IngressGateways.

Indicates whether this cluster is hosting a tier1 gateway or not. Tier1 clusters cannot host other gateways or workloads. Defaults to false if not specified.

tokenTtl
string

Lifetime of the tokens. Defaults to 1hr.

trustDomain
string

Trust domain for this cluster, used for multi-cluster routing. It must be unique for every cluster and should match the one configured in the local control plane. This value is optional, and will be updated by the local control plane agents. However, it is recommended to set it, if known, so that multi-cluster routing works without having to wait for the local control planes to update it.

Responses

Request samples

Content type
application/json
{
  "configGenerationMetadata": {},
  "description": "string",
  "displayName": "string",
  "etag": "string",
  "installTemplate": {},
  "labels": {},
  "locality": {},
  "namespaceScope": {},
  "network": "string",
  "serviceAccount": {},
  "state": {},
  "tier1Cluster": true,
  "tokenTtl": "string",
  "trustDomain": "string"
}

Response samples

Content type
application/json
{
  "fqn": "string",
  "displayName": "string",
  "etag": "string",
  "description": "string",
  "tokenTtl": "string",
  "network": "string",
  "tier1Cluster": true,
  "namespaces": [],
  "labels": {},
  "locality": {},
  "trustDomain": "string",
  "namespaceScope": {},
  "state": {},
  "serviceAccount": {},
  "installTemplate": {},
  "configGenerationMetadata": {}
}

Unregisters a cluster from the platform. Deleting a cluster will unregister it from the management plane, and the agents will stop receiving configuration updates. Agent tokens for the cluster are revoked as well, so agents that are still running will fail to report back cluster status to the management plane. Note that unregistering the cluster is a management plane only operation. This does not uninstall the agents from the local cluster. Agents will continue running and the services that are deployed in that cluster will be able to continue operating with the last applied configuration. Unregistering a cluster from the management plane should not generate downtime to services that are running on that cluster.

path Parameters
organization
required
string

Organization name.

cluster
required
string

Cluster name.

Responses

Response samples

Content type
application/json
{ }

Get the configurations for a cluster.

This API lets a control plane cluster fetch the configurations that must be set consistently in both the management plane and the control plane, so that the control plane configuration stays in sync with (or is adjusted to) changes made in the management plane at runtime.

Examples:

  • A telemetry data retention period set or changed in the management plane must be synced to the control plane.
  • A feature flag disabled in the management plane must be synced to, and disabled in, all control planes.

path Parameters
organization
required
string

Organization name.

cluster
required
string

Cluster name.

Responses

Response samples

Content type
application/json
{
  "observability": {}
}

List the cluster onboarding configurations for a given cluster.

path Parameters
organization
required
string

Organization name.

cluster
required
string

Cluster name.

Responses

Response samples

Content type
application/json
{
  "configs": []
}

Create the cluster onboarding configuration for a cluster. Only one onboarding configuration can be created for a cluster. This configuration is used to define the desired state of the namespaces of the cluster. These namespaces with state DESIRED_ONBOARDED will be added to the onboarding tenant and onboarding workspace, so they can be managed by the management plane. The onboarding tenant and workspace are created automatically if they do not exist.

path Parameters
organization
required
string

Organization name.

cluster
required
string

Cluster name.

Request Body schema: application/json
required
required
object (v2ClusterOnboardingConfig)

Configuration for onboarding a cluster.

name
required
string

The short name for the cluster onboarding config to be created.

Responses

Request samples

Content type
application/json
{
  "config": {},
  "name": "string"
}

Response samples

Content type
application/json
{
  "fqn": "string",
  "etag": "string",
  "namespaces": []
}

Get the onboarding status for a cluster.

path Parameters
organization
required
string

Organization name.

cluster
required
string

Cluster name.

Responses

Response samples

Content type
application/json
{
  "namespaces": []
}

Get the cluster onboarding configuration for a cluster.

path Parameters
organization
required
string

Organization name.

cluster
required
string

Cluster name.

onboardin
required
string

Onboardin name.

Responses

Response samples

Content type
application/json
{
  "fqn": "string",
  "etag": "string",
  "namespaces": []
}

Update the cluster onboarding configuration for a cluster.

path Parameters
organization
required
string

Organization name.

cluster
required
string

Cluster name.

onboardin
required
string

Onboardin name.

Request Body schema: application/json
required
etag
string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications.)
required
Array of objects (ClusterOnboardingConfigNamespaceConfig)

Set of namespaces configuration for the cluster.

Responses

Request samples

Content type
application/json
{
  "etag": "string",
  "namespaces": []
}

Response samples

Content type
application/json
{
  "fqn": "string",
  "etag": "string",
  "namespaces": []
}

Delete the cluster onboarding configuration for a cluster.

path Parameters
organization
required
string

Organization name.

cluster
required
string

Cluster name.

onboardin
required
string

Onboardin name.

Responses

Response samples

Content type
application/json
{ }

Generate the tokens for the cluster agents so they can talk to the management plane. Once a cluster object has been registered in the management plane, this method can be used to generate the JWT tokens that need to be configured in the local cluster agents in order to let them talk to the management plane. These tokens contain the necessary permissions to allow the agents to download the configuration for their cluster and to push cluster status updates to the management plane.

path Parameters
organization
required
string

Organization name.

cluster
required
string

Cluster name.

Responses

Response samples

Content type
application/json
{
  "tokens": {}
}

Organizations

List all existing organizations.

Responses

Response samples

Content type
application/json
{
  "organizations": []
}

Creates a new Organization in TSB. Organizations are the top-level construct in TSB and contain all the resources such as tenants, workspaces and clusters.

Request Body schema: application/json
required
name
required
string

The short name for the resource to be created.

required
object (v2Organization)

Organization is a root of the Service Bridge object hierarchy. Each organization is completely independent of the other with its own set of tenants, users, teams, clusters and workspaces.

Organizations in TSB are tied to an Identity Provider (IdP). Users and teams, representing the organizational structure, are periodically synchronized from the IdP into TSB in order to make them available for access policy configuration.

The following example creates an organization named myorg.

apiVersion: api.tsb.tetrate.io/v2
kind: Organization
metadata:
  name: myorg

Responses

Request samples

Content type
application/json
{
  "name": "string",
  "organization": {}
}

Response samples

Content type
application/json
{
  "fqn": "string",
  "displayName": "string",
  "etag": "string",
  "description": "string",
  "deletionProtectionEnabled": true,
  "profiles": [],
  "configGenerationMetadata": {},
  "systemNamespaces": []
}

Get the details of an organization.

path Parameters
organization
required
string

Organization name.

Responses

Response samples

Content type
application/json
{
  "fqn": "string",
  "displayName": "string",
  "etag": "string",
  "description": "string",
  "deletionProtectionEnabled": true,
  "profiles": [],
  "configGenerationMetadata": {},
  "systemNamespaces": []
}

Modify an organization. Update operations are protected against concurrent modifications of the resource: the update request payload must carry the latest version of the `etag` field.

path Parameters
organization
required
string

Organization name.

Request Body schema: application/json
required
object (v2ConfigGenerationMetadata)

ConfigGenerationMetadata allows extra metadata, such as labels or annotations, to be added to the final Istio configurations that TSB generates. Config generation metadata defined in tenancy resources (organization, tenant, workspace or groups) acts as the default for the configurations that belong to them. The same metadata defined in configuration resources (ingress gateways, service routes, etc.) replaces the values defined in the tenancy resources.

deletionProtectionEnabled
boolean

When set, prevents the resource from being deleted. In order to delete the resource this property needs to be set to false first.

description
string (A description of the resource.)
displayName
string (User friendly name for the resource.)
etag
string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications.)
profiles
Array of strings

List of profiles attached to the Organization to be used to propagate default and mandatory configurations down to the children.

systemNamespaces
Array of strings

List of namespaces that are treated as system namespaces for the organization and cannot be onboarded into TSB. System namespaces should not have sidecars injected and should not be configured for Istio injection. This is useful for namespaces that hold infrastructure components such as monitoring, logging or cloud provider components, which should not be managed by TSB in the cluster namespace onboarding workflows.

Responses

Request samples

Content type
application/json
{
  "configGenerationMetadata": {},
  "deletionProtectionEnabled": true,
  "description": "string",
  "displayName": "string",
  "etag": "string",
  "profiles": [],
  "systemNamespaces": []
}

Response samples

Content type
application/json
{
  "fqn": "string",
  "displayName": "string",
  "etag": "string",
  "description": "string",
  "deletionProtectionEnabled": true,
  "profiles": [],
  "configGenerationMetadata": {},
  "systemNamespaces": []
}

Delete an organization. Note that deleting resources in TSB is a recursive operation. Deleting an organization will delete all tenants, clusters and all configurations that exist in it.

path Parameters
organization
required
string

Organization name.

query Parameters
force
boolean

Force the deletion of the object even if deletion protection is enabled. If this is set, then the object and all its children will be deleted even if any of them has the deletion protection enabled.

Responses

Response samples

Content type
application/json
{ }

List all the settings objects that have been attached to the given Organization.

path Parameters
organization
required
string

Organization name.

Responses

Response samples

Content type
application/json
{
  "settings": []
}

Create a settings object for the given organization.

path Parameters
organization
required
string

Organization name.

Request Body schema: application/json
required
name
required
string

The short name for the resource to be created.

required
object (v2OrganizationSetting)

Organization Setting allows configuring global settings for the organization. Settings such as network reachability or regional failover that apply globally to the organization are configured in the OrganizationSetting object.

This is a global object that uniquely configures the organization, and there can be only one organization setting object defined for each organization.

The following example shows how these settings can be used to describe the organization's network reachability settings and some regional failover configurations.

apiVersion: api.tsb.tetrate.io/v2
kind: OrganizationSetting
metadata:
  name: org-settings
  organization: myorg
spec:
  networkSettings:
    networkReachability:
      vpc01: vpc02,vpc03
  regionalFailover:
    - from: us-east1
      to: us-central1

Responses

Request samples

Content type
application/json
{
  "name": "string",
  "settings": {}
}

Response samples

Content type
application/json
{
  "fqn": "string",
  "displayName": "string",
  "etag": "string",
  "description": "string",
  "networkSettings": {},
  "regionalFailover": [],
  "defaultSecuritySetting": {},
  "defaultTrafficSetting": {},
  "failoverSettings": {}
}

Get the details for the given settings object.

path Parameters
organization
required
string

Organization name.

setting
required
string

Setting name.

Responses

Response samples

Content type
application/json
{
  "fqn": "string",
  "displayName": "string",
  "etag": "string",
  "description": "string",
  "networkSettings": {},
  "regionalFailover": [],
  "defaultSecuritySetting": {},
  "defaultTrafficSetting": {},
  "failoverSettings": {}
}

Modify the given settings in the given Organization.

path Parameters
organization
required
string

Organization name.

setting
required
string

Setting name.

Request Body schema: application/json
required
object (v2SecuritySetting)

SecuritySetting allows configuring security related properties such as TLS authentication and access control for traffic arriving at a proxy workload in a security group.

This is a global object that uniquely configures the security group, and there can be only one security setting object defined for each security group.

Security settings can be propagated along any defined security settings in the configuration hierarchy. How security settings are propagated can be configured by specifying a PropagationStrategy.

The following example creates a security group for the proxy workloads in ns1, ns2 and ns3 namespaces owned by its parent workspace w1 under tenant mycompany and defines a security setting that only allows mutual TLS authenticated traffic from other proxy workloads in the same group.

apiVersion: security.tsb.tetrate.io/v2
kind: Group
metadata:
  name: t1
  workspace: w1
  tenant: mycompany
  organization: myorg
spec:
  namespaceSelector:
    names:
    - "*/ns1"
    - "*/ns2"
    - "*/ns3"
  configMode: BRIDGED

And the associated security settings for all proxy workloads in the group:

apiVersion: security.tsb.tetrate.io/v2
kind: SecuritySetting
metadata:
  name: defaults
  group: t1
  workspace: w1
  tenant: mycompany
  organization: myorg
spec:
  authenticationSettings:
    trafficMode: REQUIRED
  authorization:
    mode: GROUP

The following example customizes the allowedSources to allow traffic from the namespaces within the group as well as the catalog-sa service account from ns4 namespace.

apiVersion: security.tsb.tetrate.io/v2
kind: SecuritySetting
metadata:
  name: custom
  group: t1
  workspace: w1
  tenant: mycompany
  organization: myorg
spec:
  authenticationSettings:
    trafficMode: REQUIRED
    http:
      rules:
        jwt:
        - issuer: "https://auth.tetrate.io"
          jwksUri: "https://oauth2.auth.tetrate.io/certs"
        - issuer: "https://auth.tetrate.internal"
          jwksUri: "https://oauth2.auth.tetrate.internal/certs"
  authorization:
    mode: CUSTOM
    serviceAccounts:
    - "ns1/*"
    - "ns2/*"
    - "ns3/*"
    - "ns4/catalog-sa"
    http:
      external:
        uri: "https://policy.auth.tetrate.io"
        includeRequestHeaders:
        - authorization

The following example rejects all traffic arriving at workloads from namespaces that belong to security group t1.

apiVersion: security.tsb.tetrate.io/v2
kind: SecuritySetting
metadata:
  name: defaults
  group: t1
  workspace: w1
  tenant: mycompany
  organization: myorg
spec:
  authenticationSettings:
    trafficMode: REQUIRED
  authorization:
    mode: RULES
    rules:
      denyAll: true

The following example accepts all traffic arriving at workloads in namespaces that belong to security group t1. All authenticated requests are accepted because no workload is explicitly allowed or denied.

apiVersion: security.tsb.tetrate.io/v2
kind: SecuritySetting
metadata:
  name: defaults
  group: t1
  workspace: w1
  tenant: mycompany
  organization: myorg
spec:
  authenticationSettings:
    trafficMode: REQUIRED
  authorization:
    mode: RULES

The following example accepts all traffic arriving at workloads in namespaces that belong to security group t1, except traffic from workloads belonging to workspace w2.

apiVersion: security.tsb.tetrate.io/v2
kind: SecuritySetting
metadata:
  name: defaults
  group: t1
  workspace: w1
  tenant: mycompany
  organization: myorg
spec:
  authenticationSettings:
    trafficMode: REQUIRED
  authorization:
    mode: RULES
    rules:
      deny:
       - from:
           fqn: organizations/myorg/tenants/mycompany/workspaces/w2
         to:
           fqn: organizations/myorg/tenants/mycompany/workspaces/w1/securitygroups/t1

The following example accepts traffic arriving at workloads in namespaces that belong to security group t1 only from workloads belonging to workspace w2. Hence, only authenticated requests to workloads in security group t1 coming from workloads in workspace w2 are accepted; all other requests are rejected.

apiVersion: security.tsb.tetrate.io/v2
kind: SecuritySetting
metadata:
  name: defaults
  group: t1
  workspace: w1
  tenant: mycompany
  organization: myorg
spec:
  authenticationSettings:
    trafficMode: REQUIRED
  authorization:
    mode: RULES
    rules:
      allow:
       - from:
           fqn: organizations/myorg/tenants/mycompany/workspaces/w2
         to:
           fqn: organizations/myorg/tenants/mycompany/workspaces/w1/securitygroups/t1

The following example uses a combination of allow and deny rules to show how rules are evaluated. Let's say we have a workspace w3 containing three security groups, sg31, sg32 and sg33, alongside workspaces w1 and w2. Security group sg31 contains workloads that handle sensitive data, so we want to accept only requests arriving from the same workspace w3 and to explicitly reject requests coming from sg32. Hence, only authenticated requests to workloads in security group sg31 coming from workloads in workspace w3 (that is, from security groups sg31 or sg33) are accepted. Requests coming from sg32 are rejected, because the explicit deny takes precedence over the workspace-wide allow. Moreover, a request coming from any workload in another workspace (w1 or w2), or in a security group belonging to another workspace, is also rejected by default because it is not in the list of allowed resource FQNs.

apiVersion: security.tsb.tetrate.io/v2
kind: SecuritySetting
metadata:
  name: defaults
  group: sg31
  workspace: w3
  tenant: mycompany
  organization: myorg
spec:
  authenticationSettings:
    trafficMode: REQUIRED
  authorization:
    mode: RULES
    rules:
      allow:
       - from:
           fqn: organizations/myorg/tenants/mycompany/workspaces/w3
         to:
           fqn: organizations/myorg/tenants/mycompany/workspaces/w3/securitygroups/sg31
      deny:
       - from:
           fqn: organizations/myorg/tenants/mycompany/workspaces/w3/securitygroups/sg32
         to:
           fqn: organizations/myorg/tenants/mycompany/workspaces/w3/securitygroups/sg31
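
The allow/deny evaluation described in the RULES examples above, written out as an added, runnable example (not part of the TSB API page or Tetrate's code). It models the documented semantics, which is an assumption on my part rather than TSB's implementation: denyAll rejects everything, an explicit deny wins over any allow, a non-empty allow list rejects sources that match none of its entries, and a setting with no rules accepts all authenticated traffic. A workspace FQN is taken to cover every security group under it, which is what makes the sg33 request match the "from: w3" allow rule.

```go
package main

import (
	"fmt"
	"strings"
)

// Rule mirrors one `from.fqn` / `to.fqn` pair in spec.authorization.rules.
type Rule struct{ From, To string }

// Rules mirrors spec.authorization.rules (denyAll, allow, deny).
type Rules struct {
	DenyAll bool
	Allow   []Rule
	Deny    []Rule
}

// Decision carries the verdict and the rule that produced it, so a policy
// review can see why a request was accepted or rejected.
type Decision struct {
	Allowed bool
	Reason  string
}

// contains reports whether fqn is the scope itself or a descendant of it
// (a workspace FQN covers every security group under that workspace).
func contains(scope, fqn string) bool {
	return fqn == scope || strings.HasPrefix(fqn, scope+"/")
}

func (r Rule) matches(from, to string) bool {
	return contains(r.From, from) && contains(r.To, to)
}

// Evaluate applies the semantics the examples describe (modeled from the
// prose, an assumption): denyAll rejects everything; an explicit deny wins
// over any allow; once any allow rule exists, requests matching none of
// them are rejected; with no rules at all every authenticated request is
// accepted.
func Evaluate(rules Rules, from, to string) Decision {
	if rules.DenyAll {
		return Decision{false, "denyAll"}
	}
	for _, d := range rules.Deny {
		if d.matches(from, to) {
			return Decision{false, "deny from " + d.From}
		}
	}
	if len(rules.Allow) == 0 {
		return Decision{true, "no allow rules, all authenticated traffic accepted"}
	}
	for _, a := range rules.Allow {
		if a.matches(from, to) {
			return Decision{true, "allow from " + a.From}
		}
	}
	return Decision{false, "source not in allow list"}
}

const base = "organizations/myorg/tenants/mycompany/workspaces/"

// Sg31Rules is the combined allow/deny policy of the sg31 example above.
func Sg31Rules() Rules {
	sg31 := base + "w3/securitygroups/sg31"
	return Rules{
		Allow: []Rule{{From: base + "w3", To: sg31}},
		Deny:  []Rule{{From: base + "w3/securitygroups/sg32", To: sg31}},
	}
}

func main() {
	to := base + "w3/securitygroups/sg31"
	for _, from := range []string{
		base + "w3/securitygroups/sg33", // same workspace: allowed
		base + "w3/securitygroups/sg32", // explicit deny wins
		base + "w1/securitygroups/sg11", // other workspace: default deny
	} {
		d := Evaluate(Sg31Rules(), from, to)
		fmt.Printf("%-75s allowed=%-5t %s\n", from, d.Allowed, d.Reason)
	}
}
```

The `contains` check appends a "/" before matching so that a "from: w3" rule cannot accidentally cover a workspace named w30; when reviewing a real policy, that is the kind of prefix mistake worth checking for.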

The following example customizes the WAF settings to enforce Web Application Firewall rules on the sidecars in the namespaces that belong to the security group.

Please DO NOT use it in production.

apiVersion: security.tsb.tetrate.io/v2
kind: SecuritySetting
metadata:
  name: defaults
  group: t1
  workspace: w1
  tenant: mycompany
  organization: myorg
spec:
  waf:
    rules:
      - SecRuleEngine ON
      - Include @owasp_crs/*.conf

The following example customizes the extensions to enable execution of the listed WasmExtensions, detailing custom properties for the execution of each extension.

apiVersion: security.tsb.tetrate.io/v2
kind: SecuritySetting
metadata:
  name: defaults
  group: t1
  workspace: w1
  tenant: mycompany
  organization: myorg
spec:
  extension:
  - fqn: hello-world # fqn of imported extensions in TSB
    config:
      foo: bar
object (v2TrafficSetting)

A traffic setting applies configuration to a set of proxy workloads in a traffic group or a workspace. When applied to a traffic group, missing fields will inherit values from the workspace-wide setting if any.

Traffic Settings allow configuring the behavior of the proxy workloads in a set of namespaces owned by a traffic group. Specifically, it allows configuring the dependencies of proxy workloads on namespaces outside the traffic group as well as reliability settings for outbound calls made by the proxy workloads to other services.

This is a global object that uniquely configures the traffic group, and there can be only one traffic setting object defined for each traffic group.

The following example creates a traffic group for the proxy workloads in the ns1, ns2 and ns3 namespaces owned by its parent workspace w1 under tenant mycompany. It then defines a traffic setting for all the workloads in these namespaces, adding a dependency on all the services in the shared db namespace and forwarding all unknown traffic via the egress gateway in the istio-system namespace.

apiVersion: traffic.tsb.tetrate.io/v2
kind: Group
metadata:
  name: t1
  workspace: w1
  tenant: mycompany
  organization: myorg
spec:
  namespaceSelector:
    names:
    - "*/ns1"
    - "*/ns2"
    - "*/ns3"
  configMode: BRIDGED

And the associated traffic settings for the proxy workloads:

apiVersion: traffic.tsb.tetrate.io/v2
kind: TrafficSetting
metadata:
  name: defaults
  group: t1
  workspace: w1
  tenant: mycompany
  organization: myorg
spec:
  outbound:
    reachability:
      mode: CUSTOM
      hosts:
      - "ns1/*"
      - "ns2/*"
      - "ns3/*"
      - "db/*"
    upstreamTrafficSettings:
    - hosts:
      - '*'
      settings:
        resilience:
          circuitBreakerSensitivity: MEDIUM
    egress:
      host: istio-system/istio-egressgateway

To setup load balancing algorithm as ROUND_ROBIN for all outbound requests to service foo.bar.svc.cluster.local from clients in t1 traffic group:

apiVersion: traffic.tsb.tetrate.io/v2
kind: TrafficSetting
metadata:
  name: defaults
  group: t1
  workspace: w1
  tenant: mycompany
  organization: myorg
spec:
  outbound:
    upstreamTrafficSettings:
    - hosts:
      - 'foo.bar.svc.cluster.local'
      settings:
        loadBalancer:
          simple: ROUND_ROBIN

upstreamTrafficSettings can be used to configure outbound traffic by grouping a set of upstream hosts under a shared setting. In the example below, all outbound requests to hosts matching the wildcard *.ns1.svc.cluster.local use a request timeout of 10s, while hosts matching *.ns2.svc.cluster.local and *.ns3.svc.cluster.local use a request timeout of 5s.

apiVersion: traffic.tsb.tetrate.io/v2
kind: TrafficSetting
metadata:
  name: defaults
  group: t1
  workspace: w1
  tenant: mycompany
  organization: myorg
spec:
  outbound:
    upstreamTrafficSettings:
    - hosts:
      - '*.ns1.svc.cluster.local'
      settings:
        resilience:
          connectionPool:
            http:
              requestTimeout: 10s
    - hosts:
      - '*.ns2.svc.cluster.local'
      - '*.ns3.svc.cluster.local'
      settings:
        resilience:
          connectionPool:
            http:
              requestTimeout: 5s

The following traffic setting confines the reachability of proxy workloads in the traffic group t1 to other namespaces inside the group. The resilience and egress gateway settings will be inherited from the workspace wide traffic setting.

apiVersion: traffic.tsb.tetrate.io/v2
kind: TrafficSetting
metadata:
  name: defaults
  group: t1
  workspace: w1
  tenant: mycompany
  organization: myorg
spec:
  outbound:
    reachability:
      mode: GROUP

The fields above have been moved into two separate sections, inbound and outbound, for finer control. The example below configures a traffic setting for all services in traffic group t1 with knobs similar to those in the earlier examples:

apiVersion: traffic.tsb.tetrate.io/v2
kind: TrafficSetting
metadata:
  name: defaults
  group: t1
  workspace: w1
  tenant: mycompany
  organization: myorg
spec:
  inbound:
    resilience:
      connectionPool:
        tcp:
          keepAlive:
            idleTime: 300
  outbound:
    reachability:
      mode: GROUP
    upstreamTrafficSettings:
    - hosts:
      - '*.ns1.svc.cluster.local'
      settings:
        resilience:
          connectionPool:
            http:
              requestTimeout: 10s

This traffic setting configuration specifies upstream traffic settings for specific hosts within the client namespace. It is associated with the w1 workspace and the t1 traffic group.

apiVersion: traffic.tsb.tetrate.io/v2
kind: TrafficSetting
metadata:
  name: client-upstream-traffic-setting
  namespace: client
  group: t1
  workspace: w1
  tenant: mycompany
  organization: myorg
spec:
  outbound:
    upstreamTrafficSettings:
    - hosts:
      - 'httpbin.app1.svc.cluster.local'
      - '*.app3.svc.cluster.local'
      - '*.app4.svc.cluster.local'
      settings:
        authentication:
          trafficMode: REQUIRED
    - hosts:
      - '*.app2.svc.cluster.local'
      - 'tetrate.app4.svc.cluster.local'
      settings:
        authentication:
          trafficMode: OPTIONAL

This configuration specifies authentication requirements for traffic to the following hosts:

  • httpbin.app1.svc.cluster.local requires mTLS authentication.
  • All non-injected services in app3 namespace require mTLS authentication.
  • All non-injected services in app4 namespace require mTLS authentication, except for tetrate.app4.svc.cluster.local, whose exact-host entry sets authentication to OPTIONAL and takes precedence over the wildcard.
  • Authentication enforcement is skipped for all non-injected services in app2 namespace.
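
To make the precedence in that list checkable, here is an added example (not code from the TSB page or from Tetrate) that resolves which authentication trafficMode applies to a given destination host under a set of upstreamTrafficSettings entries. The precedence it models is an assumption drawn from the example above: an exact host entry beats any wildcard entry (which is how tetrate.app4 ends up OPTIONAL while *.app4 is REQUIRED), and a longer wildcard beats a shorter one. Hosts that match no entry fall back to whatever the inherited setting says, which this code reports as "no entry".

```go
package main

import (
	"fmt"
	"strings"
)

// UpstreamSetting mirrors one entry of outbound.upstreamTrafficSettings:
// the host patterns it selects and the authentication trafficMode applied.
type UpstreamSetting struct {
	Hosts       []string
	TrafficMode string // REQUIRED, OPTIONAL, ...
}

// hostMatches accepts an exact FQDN, the catch-all "*", or a leading-label
// wildcard such as "*.app4.svc.cluster.local" (one or more labels for "*").
func hostMatches(pattern, host string) bool {
	switch {
	case pattern == "*":
		return true
	case strings.HasPrefix(pattern, "*."):
		suffix := pattern[1:] // ".app4.svc.cluster.local"
		return len(host) > len(suffix) && strings.HasSuffix(host, suffix)
	default:
		return pattern == host
	}
}

// EffectiveMode returns the trafficMode that applies to host and the pattern
// that selected it. Precedence is an assumption modeled on the page's example
// (tetrate.app4 is carved out of *.app4): an exact host beats any wildcard,
// and a longer wildcard beats a shorter one. ok is false when nothing
// matches, meaning the inherited default applies.
func EffectiveMode(settings []UpstreamSetting, host string) (mode, pattern string, ok bool) {
	best := -1
	for _, s := range settings {
		for _, p := range s.Hosts {
			if !hostMatches(p, host) {
				continue
			}
			score := len(p)
			if !strings.HasPrefix(p, "*") {
				score = 1 << 30 // exact match outranks every wildcard
			}
			if score > best {
				best, mode, pattern, ok = score, s.TrafficMode, p, true
			}
		}
	}
	return mode, pattern, ok
}

// ClientSettings reproduces the client-upstream-traffic-setting example.
func ClientSettings() []UpstreamSetting {
	return []UpstreamSetting{
		{Hosts: []string{"httpbin.app1.svc.cluster.local", "*.app3.svc.cluster.local", "*.app4.svc.cluster.local"}, TrafficMode: "REQUIRED"},
		{Hosts: []string{"*.app2.svc.cluster.local", "tetrate.app4.svc.cluster.local"}, TrafficMode: "OPTIONAL"},
	}
}

func main() {
	for _, h := range []string{
		"httpbin.app1.svc.cluster.local",
		"other.app4.svc.cluster.local",
		"tetrate.app4.svc.cluster.local",
		"api.app2.svc.cluster.local",
		"api.app5.svc.cluster.local",
	} {
		mode, pat, ok := EffectiveMode(ClientSettings(), h)
		if !ok {
			fmt.Printf("%-35s no entry, inherited default applies\n", h)
			continue
		}
		fmt.Printf("%-35s %-8s (matched %s)\n", h, mode, pat)
	}
}
```

Running the main prints one line per host; the useful ones to eyeball are other.app4 (REQUIRED via the wildcard) next to tetrate.app4 (OPTIONAL via the exact entry), since a policy author who expects the REQUIRED wildcard to cover the whole namespace would otherwise leave that host reachable without mTLS.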
description
string

A description of the resource.

displayName
string

User friendly name for the resource.

etag
string

The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications.

object (tsbtypesv2FailoverSettings)

Failover settings for all proxies connecting to a host exposed in this workspace or organization, depending on the scope at which the setting is defined. Note that this is a server-side setting.

object (OrganizationSettingNetworkSettings)

Network related settings for clusters.

Array of objects (tsbtypesv2RegionalFailover)

Default locality routing settings for all gateways. Please use FailoverSettings instead; if FailoverSettings is set, it takes precedence over this field.

Explicitly specifies the region traffic will land on when the endpoints in the local region become unhealthy. Should be used together with OutlierDetection to detect unhealthy endpoints. Note: if no OutlierDetection is specified, this setting has no effect.

Responses

Request samples

Content type
application/json
{
  • "defaultSecuritySetting": {
    },
  • "defaultTrafficSetting": {
    },
  • "description": "string",
  • "displayName": "string",
  • "etag": "string",
  • "failoverSettings": {
    },
  • "networkSettings": {
    },
  • "regionalFailover": [
    ]
}

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "displayName": "string",
  • "etag": "string",
  • "description": "string",
  • "networkSettings": {
    },
  • "regionalFailover": [
    ],
  • "defaultSecuritySetting": {
    },
  • "defaultTrafficSetting": {
    },
  • "failoverSettings": {
    }
}

Delete the given settings object from the Organization.

path Parameters
organization
required
string

Organization name.

setting
required
string

Setting name.

Responses

Response samples

Content type
application/json
{ }

SyncOrganization is used by processes that monitor the identity providers to synchronize the users and teams with the ones in TSB.

This method updates the state of users and groups in the organization, creating, modifying and deleting groups according to the incoming request. Sync requests are assumed to be a full sync containing all existing users and groups: existing TSB users and groups that are not contained in a sync request will be deleted from the platform, on the assumption that they have been removed from the Identity Provider.

path Parameters
organization
required
string

Organization name.

Request Body schema: application/json
required
sourceType
string (v2SourceType)
Default: "INVALID"
Enum: "INVALID" "LDAP" "LOCAL" "AZURE" "MANUAL"

SourceType describes where teams come from. Teams can be synchronized from the Identity Provider but can also be manually created using the Team API to create convenient groupings of users and other teams in order to configure fine-grained permissions in the Management Plane.

  • LDAP: LDAP is used for users and teams that are automatically synchronized from LDAP.
  • LOCAL: LOCAL is used for local teams that are manually created using the TSB Team API and do not exist in the Identity Provider. Deprecated. This value is deprecated and will be removed in future releases. Use 'MANUAL' instead.
  • AZURE: AZURE is used for users synchronized from an Azure Active Directory.
  • MANUAL: MANUAL is used for users and teams that exist in the Identity Provider and have been populated manually. MANUAL users are deprecated and Service Accounts should be used instead. Support for MANUAL users will be removed in future versions.
Array of objects (SyncOrganizationRequestSyncTeam)
Array of objects (SyncOrganizationRequestSyncUser)

Responses

Request samples

Content type
application/json
{
  • "sourceType": "INVALID",
  • "teams": [
    ],
  • "users": [
    ]
}

Response samples

Content type
application/json
{
  • "failedUsers": {
    },
  • "failedTeams": {
    }
}
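
Because SyncOrganization treats every request as a full sync, a truncated IdP export or an empty user list silently deletes every user and team it omits. The following is an added example (not part of the TSB page or Tetrate's tooling) of the pre-flight check a sync process should run before calling the endpoint: it diffs the current TSB users and teams against the request and refuses requests whose sourceType is unset or whose deletions exceed a threshold. The current-state and request lists are constructed sample data; the threshold value and the error wording are my own choices.

```go
package main

import (
	"fmt"
	"sort"
)

// SyncRequest is the subset of the SyncOrganization body this check needs:
// the users and teams the Identity Provider currently reports.
type SyncRequest struct {
	SourceType string
	Users      []string
	Teams      []string
}

// SyncPlan is what the full-sync semantics would do to the current TSB state.
type SyncPlan struct {
	CreateUsers, DeleteUsers, CreateTeams, DeleteTeams []string
}

// diff returns the names present only in incoming (to create) and the names
// present only in current (which a full sync would delete), sorted.
func diff(current, incoming []string) (create, del []string) {
	in := map[string]bool{}
	for _, s := range incoming {
		in[s] = true
	}
	cur := map[string]bool{}
	for _, s := range current {
		cur[s] = true
		if !in[s] {
			del = append(del, s)
		}
	}
	for _, s := range incoming {
		if !cur[s] {
			create = append(create, s)
		}
	}
	sort.Strings(create)
	sort.Strings(del)
	return create, del
}

// Plan computes what the sync would create and delete without applying it.
func Plan(currentUsers, currentTeams []string, req SyncRequest) SyncPlan {
	var p SyncPlan
	p.CreateUsers, p.DeleteUsers = diff(currentUsers, req.Users)
	p.CreateTeams, p.DeleteTeams = diff(currentTeams, req.Teams)
	return p
}

// Check is the guard-rail: an unset sourceType, an empty user list, or a plan
// that deletes more than maxDeleteFraction of existing users almost always
// means an IdP outage or a truncated export rather than a real change.
func Check(currentUsers []string, req SyncRequest, p SyncPlan, maxDeleteFraction float64) error {
	switch {
	case req.SourceType == "" || req.SourceType == "INVALID":
		return fmt.Errorf("sourceType must be set (LDAP or AZURE), got %q", req.SourceType)
	case len(req.Users) == 0 && len(currentUsers) > 0:
		return fmt.Errorf("refusing: empty user list would delete all %d users", len(currentUsers))
	case len(currentUsers) > 0 && float64(len(p.DeleteUsers))/float64(len(currentUsers)) > maxDeleteFraction:
		return fmt.Errorf("refusing: sync would delete %d of %d users", len(p.DeleteUsers), len(currentUsers))
	}
	return nil
}

func main() {
	// Constructed sample state: what TSB holds now versus what the IdP reports.
	current := []string{"alice", "bob", "carol", "dave"}
	teams := []string{"product1", "product2"}
	req := SyncRequest{SourceType: "LDAP", Users: []string{"alice", "bob", "erin"}, Teams: []string{"product1", "platform"}}
	p := Plan(current, teams, req)
	fmt.Printf("plan: %+v\n", p)
	fmt.Println("check:", Check(current, req, p, 0.25)) // 2 of 4 users deleted exceeds 25%: refused
}
```

The threshold is deliberately a fraction rather than an absolute count so the same check works for a ten-user lab and a ten-thousand-user directory; pick it from how large a legitimate offboarding wave can be in your organization.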

Status

Given the fully-qualified name of a resource, returns its current status.

path Parameters
organization
required
string

Organization name.

cluster
required
string

Cluster name.

Responses

Response samples

Content type
application/json
{
  • "status": "INVALID",
  • "message": "string",
  • "configEvents": {
    },
  • "aggregatedStatus": {
    }
}

Given the fully-qualified name of a resource, returns its current status.

path Parameters
organization
required
string

Organization name.

extension
required
string

Extension name.

Responses

Response samples

Content type
application/json
{
  • "status": "INVALID",
  • "message": "string",
  • "configEvents": {
    },
  • "aggregatedStatus": {
    }
}

Given the fully-qualified name of a resource, returns its current status.

path Parameters
organization
required
string

Organization name.

serviceaccount
required
string

Serviceaccount name.

Responses

Response samples

Content type
application/json
{
  • "status": "INVALID",
  • "message": "string",
  • "configEvents": {
    },
  • "aggregatedStatus": {
    }
}

Given the fully-qualified name of a resource, returns its current status.

path Parameters
organization
required
string

Organization name.

service
required
string

Service name.

Responses

Response samples

Content type
application/json
{
  • "status": "INVALID",
  • "message": "string",
  • "configEvents": {
    },
  • "aggregatedStatus": {
    }
}

Given the fully-qualified name of a resource, returns its current status.

path Parameters
organization
required
string

Organization name.

setting
required
string

Setting name.

Responses

Response samples

Content type
application/json
{
  • "status": "INVALID",
  • "message": "string",
  • "configEvents": {
    },
  • "aggregatedStatus": {
    }
}

Given the fully-qualified name of a resource, returns its current status.

path Parameters
organization
required
string

Organization name.

Responses

Response samples

Content type
application/json
{
  • "status": "INVALID",
  • "message": "string",
  • "configEvents": {
    },
  • "aggregatedStatus": {
    }
}

Search the status of resources matching the specified search criteria, descending the hierarchy from the resource identified by the given FQN. This method is available for organization, tenant and workspace resources. When configuration is shared between multiple workspaces (such as common t1 and t2 scenarios), use the tenant FQN rather than the workspace FQN, so that the search is not limited to a single workspace and considers configuration from the other workspaces.

path Parameters
organization
required
string

Organization name.

query Parameters
fqdn
required
string

Fully-qualified domain name to search in the mesh that exposes a service. Example: "test.tetrate.io"

Responses

Response samples

Content type
application/json
{
  • "statuses": [
    ]
}

Given the fully-qualified name of a resource, returns its current status.

path Parameters
organization
required
string

Organization name.

team
required
string

Team name.

Responses

Response samples

Content type
application/json
{
  • "status": "INVALID",
  • "message": "string",
  • "configEvents": {
    },
  • "aggregatedStatus": {
    }
}

Given the fully-qualified name of a resource, returns its current status.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

application
required
string

Application name.

api
required
string

Api name.

Responses

Response samples

Content type
application/json
{
  • "status": "INVALID",
  • "message": "string",
  • "configEvents": {
    },
  • "aggregatedStatus": {
    }
}

Given the fully-qualified name of a resource, returns its current status.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

application
required
string

Application name.

Responses

Response samples

Content type
application/json
{
  • "status": "INVALID",
  • "message": "string",
  • "configEvents": {
    },
  • "aggregatedStatus": {
    }
}

Given the fully-qualified name of a resource, returns its current status.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

setting
required
string

Setting name.

Responses

Response samples

Content type
application/json
{
  • "status": "INVALID",
  • "message": "string",
  • "configEvents": {
    },
  • "aggregatedStatus": {
    }
}

Given the fully-qualified name of a resource, returns its current status.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

Responses

Response samples

Content type
application/json
{
  • "status": "INVALID",
  • "message": "string",
  • "configEvents": {
    },
  • "aggregatedStatus": {
    }
}

Search the status of resources matching the specified search criteria, descending the hierarchy from the resource identified by the given FQN. This method is available for organization, tenant and workspace resources. When configuration is shared between multiple workspaces (such as common t1 and t2 scenarios), use the tenant FQN rather than the workspace FQN, so that the search is not limited to a single workspace and considers configuration from the other workspaces.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

query Parameters
fqdn
required
string

Fully-qualified domain name to search in the mesh that exposes a service. Example: "test.tetrate.io"

Responses

Response samples

Content type
application/json
{
  • "statuses": [
    ]
}

Given the fully-qualified name of a resource, returns its current status.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

gatewaygroup
required
string

Gatewaygroup name.

egressgateway
required
string

Egressgateway name.

Responses

Response samples

Content type
application/json
{
  • "status": "INVALID",
  • "message": "string",
  • "configEvents": {
    },
  • "aggregatedStatus": {
    }
}

Given the fully-qualified name of a resource, returns its current status.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

gatewaygroup
required
string

Gatewaygroup name.

ingressgateway
required
string

Ingressgateway name.

Responses

Response samples

Content type
application/json
{
  • "status": "INVALID",
  • "message": "string",
  • "configEvents": {
    },
  • "aggregatedStatus": {
    }
}

Given the fully-qualified name of a resource, returns its current status.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

gatewaygroup
required
string

Gatewaygroup name.

Responses

Response samples

Content type
application/json
{
  • "status": "INVALID",
  • "message": "string",
  • "configEvents": {
    },
  • "aggregatedStatus": {
    }
}

Given the fully-qualified name of a resource, returns its current status.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

gatewaygroup
required
string

Gatewaygroup name.

tier1gateway
required
string

Tier1gateway name.

Responses

Response samples

Content type
application/json
{
  • "status": "INVALID",
  • "message": "string",
  • "configEvents": {
    },
  • "aggregatedStatus": {
    }
}

Given the fully-qualified name of a resource, returns its current status.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

istiointernalgroup
required
string

Istiointernalgroup name.

setting
required
string

Setting name.

Responses

Response samples

Content type
application/json
{
  • "status": "INVALID",
  • "message": "string",
  • "configEvents": {
    },
  • "aggregatedStatus": {
    }
}

Given the fully-qualified name of a resource, returns its current status.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

istiointernalgroup
required
string

Istiointernalgroup name.

Responses

Response samples

Content type
application/json
{
  • "status": "INVALID",
  • "message": "string",
  • "configEvents": {
    },
  • "aggregatedStatus": {
    }
}

Given the fully-qualified name of a resource, returns its current status.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

securitygroup
required
string

Securitygroup name.

setting
required
string

Setting name.

Responses

Response samples

Content type
application/json
{
  • "status": "INVALID",
  • "message": "string",
  • "configEvents": {
    },
  • "aggregatedStatus": {
    }
}

Given the fully-qualified name of a resource, returns its current status.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

securitygroup
required
string

Securitygroup name.

Responses

Response samples

Content type
application/json
{
  • "status": "INVALID",
  • "message": "string",
  • "configEvents": {
    },
  • "aggregatedStatus": {
    }
}

Given the fully-qualified name of a resource, returns its current status.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

setting
required
string

Setting name.

Responses

Response samples

Content type
application/json
{
  • "status": "INVALID",
  • "message": "string",
  • "configEvents": {
    },
  • "aggregatedStatus": {
    }
}

Given the fully-qualified name of a resource, returns its current status.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

Responses

Response samples

Content type
application/json
{
  • "status": "INVALID",
  • "message": "string",
  • "configEvents": {
    },
  • "aggregatedStatus": {
    }
}

Search the status of resources matching the specified search criteria, descending the hierarchy from the resource identified by the given FQN. This method is available for organization, tenant and workspace resources. When configuration is shared between multiple workspaces (such as common t1 and t2 scenarios), use the tenant FQN rather than the workspace FQN, so that the search is not limited to a single workspace and considers configuration from the other workspaces.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

query Parameters
fqdn
required
string

Fully-qualified domain name to search in the mesh that exposes a service. Example: "test.tetrate.io"

Responses

Response samples

Content type
application/json
{
  • "statuses": [
    ]
}

Given the fully-qualified name of a resource, returns its current status.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

trafficgroup
required
string

Trafficgroup name.

serviceroute
required
string

Serviceroute name.

Responses

Response samples

Content type
application/json
{
  • "status": "INVALID",
  • "message": "string",
  • "configEvents": {
    },
  • "aggregatedStatus": {
    }
}

Given the fully-qualified name of a resource, returns its current status.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

trafficgroup
required
string

Trafficgroup name.

setting
required
string

Setting name.

Responses

Response samples

Content type
application/json
{
  • "status": "INVALID",
  • "message": "string",
  • "configEvents": {
    },
  • "aggregatedStatus": {
    }
}

Given the fully-qualified name of a resource, returns its current status.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

trafficgroup
required
string

Trafficgroup name.

Responses

Response samples

Content type
application/json
{
  • "status": "INVALID",
  • "message": "string",
  • "configEvents": {
    },
  • "aggregatedStatus": {
    }
}

Given the fully-qualified name of a resource, returns its current status.

path Parameters
organization
required
string

Organization name.

user
required
string

User name.

Responses

Response samples

Content type
application/json
{
  • "status": "INVALID",
  • "message": "string",
  • "configEvents": {
    },
  • "aggregatedStatus": {
    }
}

Teams

List existing Service Accounts.

path Parameters
organization
required
string

Organization name.

query Parameters
keyEncoding
string
Default: "PEM"
Enum: "PEM" "JWK"

The format in which the key pairs for each key will be returned. If not set keys are returned in PEM format.

Responses

Response samples

Content type
application/json
{
  • "serviceAccounts": [
    ]
}

Create Service Account in TSB. Service Accounts are local to TSB and can be used to access the platform using JWT tokens signed with the Service Account's private key for authentication.

path Parameters
organization
required
string

Organization name.

Request Body schema: application/json
required
keyEncoding
string (Format in which the keys in this keypair are encoded)
Default: "PEM"
Enum: "PEM" "JWK"
name
required
string

The short name for the resource to be created.

required
object (tsbv2ServiceAccount)

ServiceAccount represents a service account that can be used to access the TSB platform. Service accounts have a set of associated public and private keys that can be used to generate signed JWT tokens that are suitable to authenticate to TSB. A default key-pair is generated on service account creation and the public key is stored in TSB. Private keys are returned when service accounts are created, but TSB will not store them. It is up to the client to store them securely.

The following example creates a service account named my-sa under the organization myorg.

apiVersion: api.tsb.tetrate.io/v2
kind: ServiceAccount
metadata:
  name: my-sa
  organization: myorg
spec:
  displayName: My Service Account
  description: Service account used for service integrations

Responses

Request samples

Content type
application/json
{
  • "keyEncoding": "PEM",
  • "name": "string",
  • "serviceAccount": {
    }
}

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "displayName": "string",
  • "etag": "string",
  • "description": "string",
  • "keys": [
    ]
}

Get the details of an existing Service Account.

path Parameters
organization
required
string

Organization name.

serviceaccount
required
string

Serviceaccount name.

query Parameters
keyEncoding
string
Default: "PEM"
Enum: "PEM" "JWK"

The format in which the key pairs will be returned. If not set keys are returned in PEM format.

Responses

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "displayName": "string",
  • "etag": "string",
  • "description": "string",
  • "keys": [
    ]
}

Update the details of a service account. Updating the details of the service account does not regenerate its keys.

path Parameters
organization
required
string

Organization name.

serviceaccount
required
string

Serviceaccount name.

Request Body schema: application/json
required
description
string

A description of the resource.

displayName
string

User friendly name for the resource.

etag
string

The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications.

Responses

Request samples

Content type
application/json
{
  • "description": "string",
  • "displayName": "string",
  • "etag": "string"
}

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "displayName": "string",
  • "etag": "string",
  • "description": "string",
  • "keys": [
    ]
}

Delete the given Service account.

path Parameters
organization
required
string

Organization name.

serviceaccount
required
string

Serviceaccount name.

Responses

Response samples

Content type
application/json
{ }

Get all the public keys available in the service account and return them in a JWKS document (see https://datatracker.ietf.org/doc/html/rfc7517). Requests to this endpoint require read permissions on the service account, or a token signed with one of the service account's keys.

path Parameters
organization
required
string

Organization name.

serviceaccount
required
string

Serviceaccount name.

Responses

Response samples

Content type
application/json
{
  • "keys": [
    ]
}

Generate a new key-pair for the service account. Note that TSB does not store the generated private key, so the client must read it and store it securely.

path Parameters
organization
required
string

Organization name.

serviceaccount
required
string

Serviceaccount name.

Request Body schema: application/json
required
keyEncoding
string (Format in which the keys in this keypair are encoded)
Default: "PEM"
Enum: "PEM" "JWK"

Responses

Request samples

Content type
application/json
{
  • "keyEncoding": "PEM"
}

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "displayName": "string",
  • "etag": "string",
  • "description": "string",
  • "keys": [
    ]
}

Delete a key-pair associated with the service account.

path Parameters
id
required
string

ID of the key-pair to delete.

organization
required
string

Organization name.

serviceaccount
required
string

Serviceaccount name.

Responses

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "displayName": "string",
  • "etag": "string",
  • "description": "string",
  • "keys": [
    ]
}

List all existing teams.

path Parameters
organization
required
string

Organization name.

Responses

Response samples

Content type
application/json
{
  • "teams": [
    ]
}

Create a new team.

path Parameters
organization
required
string

Organization name.

Request Body schema: application/json
required
name
required
string

The short name for the resource to be created.

required
object (v2Team)

Team is a named collection of users, service accounts, and other teams. Teams can be assigned access permissions on various resources. All members of a team inherit the access permissions assigned to the team.

The following example creates a team named org under the organization myorg with all members of product1 and product2 teams, and users alice and bob.

apiVersion: api.tsb.tetrate.io/v2
kind: Team
metadata:
  name: org
  organization: myorg
spec:
  members:
  - organizations/myorg/users/alice
  - organizations/myorg/users/bob
  - organizations/myorg/teams/product1
  - organizations/myorg/teams/product2

Responses

Request samples

Content type
application/json
{
  • "name": "string",
  • "team": {
    }
}

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "displayName": "string",
  • "etag": "string",
  • "description": "string",
  • "members": [
    ],
  • "sourceType": "INVALID"
}

Get the details of an existing team.

path Parameters
organization
required
string

Organization name.

team
required
string

Team name.

Responses

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "displayName": "string",
  • "etag": "string",
  • "description": "string",
  • "members": [
    ],
  • "sourceType": "INVALID"
}

Modify an existing team.

path Parameters
organization
required
string

Organization name.

team
required
string

Team name.

Request Body schema: application/json
required
description
string (A description of the resource. $hide_from_yaml)
displayName
string (User friendly name for the resource. $hide_from_yaml)
etag
string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)
members
Array of strings

List of members under the team. The elements of this list are the FQNs of the team members. Team members can be users, service accounts or other teams.

sourceType
string (v2SourceType)
Default: "INVALID"
Enum: "INVALID" "LDAP" "LOCAL" "AZURE" "MANUAL"

SourceType describes where teams come from. Teams can be synchronized from the Identity Provider but can also be manually created using the Team API to create convenient groupings of users and other teams in order to configure fine-grained permissions in the Management Plane.

  • LDAP: LDAP is used for users and teams that are automatically synchronized from LDAP.
  • LOCAL: LOCAL is used for local teams that are manually created using the TSB Team API and do not exist in the Identity Provider. Deprecated: this value will be removed in future releases; use 'MANUAL' instead.
  • AZURE: AZURE is used for users synchronized from an Azure Active Directory.
  • MANUAL: MANUAL is used for users and teams that exist in the Identity Provider that have been manually populated. MANUAL users are deprecated and Service Accounts should be used instead. Support for MANUAL users will be removed in future versions.

Responses

Request samples

Content type
application/json
{
  • "description": "string",
  • "displayName": "string",
  • "etag": "string",
  • "members": [
    ],
  • "sourceType": "INVALID"
}

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "displayName": "string",
  • "etag": "string",
  • "description": "string",
  • "members": [
    ],
  • "sourceType": "INVALID"
}

Delete a team. Note that deleting a team only deletes the team itself, but not its members.

path Parameters
organization
required
string

Organization name.

team
required
string

Team name.

Responses

Response samples

Content type
application/json
{ }

List existing users.

path Parameters
organization
required
string

Organization name.

Responses

Response samples

Content type
application/json
{
  • "users": [
    ]
}

Create a local User in TSB.

This method should only be used when there is no Identity Provider configured in TSB and all users are managed locally by IAM. When using an external Identity Provider, the SyncOrganization method should be used instead to synchronize the users and teams.

path Parameters
organization
required
string

Organization name.

Request Body schema: application/json
required
name
required
string

The short name for the resource to be created.

required
object (v2User)

User represents a user that has been loaded from a configured Identity Provider (IdP) that can log into the platform. Currently, users are automatically synchronized by TSB from a configured LDAP server.

The following example creates a user named john under the organization myorg.

apiVersion: api.tsb.tetrate.io/v2
kind: User
metadata:
  name: john
  organization: myorg
spec:
  loginName: john
  firstName: John
  lastName: Doe
  displayName: John Doe
  email: john.doe@acme.com

Responses

Request samples

Content type
application/json
{
  • "name": "string",
  • "user": {
    }
}

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "displayName": "string",
  • "etag": "string",
  • "loginName": "string",
  • "firstName": "string",
  • "lastName": "string",
  • "email": "string",
  • "sourceType": "INVALID"
}

Get the details of an existing user.

path Parameters
organization
required
string

Organization name.

user
required
string

User name.

Responses

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "displayName": "string",
  • "etag": "string",
  • "loginName": "string",
  • "firstName": "string",
  • "lastName": "string",
  • "email": "string",
  • "sourceType": "INVALID"
}

Modify an existing local user.

This method should only be used when there is no Identity Provider configured in TSB and all users are managed locally by IAM. When using an external Identity Provider, the SyncOrganization method should be used instead to synchronize the users and teams.

path Parameters
organization
required
string

Organization name.

user
required
string

User name.

Request Body schema: application/json
required
displayName
string (User friendly name for the resource. $hide_from_yaml)
email
string

Email for the user where alerts and other notifications will be sent.

etag
string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)
firstName
string

The first name of the user.

lastName
string

The last name of the user, if any.

loginName
required
string

The username used in the login credentials.

sourceType
string (v2SourceType)
Default: "INVALID"
Enum: "INVALID" "LDAP" "LOCAL" "AZURE" "MANUAL"

SourceType describes where teams come from. Teams can be synchronized from the Identity Provider but can also be manually created using the Team API to create convenient groupings of users and other teams in order to configure fine-grained permissions in the Management Plane.

  • LDAP: LDAP is used for users and teams that are automatically synchronized from LDAP.
  • LOCAL: LOCAL is used for local teams that are manually created using the TSB Team API and do not exist in the Identity Provider. Deprecated: this value will be removed in future releases; use 'MANUAL' instead.
  • AZURE: AZURE is used for users synchronized from an Azure Active Directory.
  • MANUAL: MANUAL is used for users and teams that exist in the Identity Provider that have been manually populated. MANUAL users are deprecated and Service Accounts should be used instead. Support for MANUAL users will be removed in future versions.

Responses

Request samples

Content type
application/json
{
  • "displayName": "string",
  • "email": "string",
  • "etag": "string",
  • "firstName": "string",
  • "lastName": "string",
  • "loginName": "string",
  • "sourceType": "INVALID"
}

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "displayName": "string",
  • "etag": "string",
  • "loginName": "string",
  • "firstName": "string",
  • "lastName": "string",
  • "email": "string",
  • "sourceType": "INVALID"
}

Delete an existing user.

This method should only be used when there is no Identity Provider configured in TSB and all users are managed locally by IAM. When using an external Identity Provider, the SyncOrganization method should be used instead to synchronize the users and teams.

path Parameters
organization
required
string

Organization name.

user
required
string

User name.

Responses

Response samples

Content type
application/json
{ }

Deprecated. This method will be removed in future versions of TSB. Use Service Accounts instead.

Generate the tokens for a local user account so it can authenticate against the management plane. This method returns an error if the user account is not of type MANUAL. Credentials for normal platform users must be configured in the corresponding Identity Provider.

path Parameters
organization
required
string

Organization name.

user
required
string

User name.

Responses

Response samples

Content type
application/json
{
  • "accessToken": "string",
  • "refreshToken": "string"
}

Tenants

List all tenants that are available.

path Parameters
organization
required
string

Organization name.

Responses

Response samples

Content type
application/json
{
  • "tenants": [
    ]
}

Create a new tenant in the platform that will be the home for a set of resources.

path Parameters
organization
required
string

Organization name.

Request Body schema: application/json
required
name
required
string

The short name for the resource to be created.

required
object (v2Tenant)

Tenant is a self-contained entity within an organization in the Service Bridge object hierarchy. Tenants can be business units, organization units, or any logical grouping that matches a corporate structure.

The following example creates a tenant named mycompany in an organization named myorg.

apiVersion: api.tsb.tetrate.io/v2
kind: Tenant
metadata:
  organization: myorg
  name: mycompany

Responses

Request samples

Content type
application/json
{
  • "name": "string",
  • "tenant": {
    }
}

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "displayName": "string",
  • "etag": "string",
  • "description": "string",
  • "securityDomain": "string",
  • "deletionProtectionEnabled": true,
  • "profiles": [
    ],
  • "configGenerationMetadata": {
    }
}

Get the details of an existing tenant.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

Responses

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "displayName": "string",
  • "etag": "string",
  • "description": "string",
  • "securityDomain": "string",
  • "deletionProtectionEnabled": true,
  • "profiles": [
    ],
  • "configGenerationMetadata": {
    }
}

Modify the details of the given tenant.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

Request Body schema: application/json
required
object (v2ConfigGenerationMetadata)

ConfigGenerationMetadata allows setting up extra metadata, such as labels or annotations, that will be added to the final generated Istio configurations. Config generation metadata defined on tenancy resources (organization, tenant, workspace or groups) acts as default values for the configs that belong to them. The same config generation metadata defined on configuration resources (ingress gateways, service routes, etc.) replaces the values defined on the tenancy resources.

deletionProtectionEnabled
boolean

When set, prevents the resource from being deleted. In order to delete the resource this property needs to be set to false first.

description
string (A description of the resource. $hide_from_yaml)
displayName
string (User friendly name for the resource. $hide_from_yaml)
etag
string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)
profiles
Array of strings

List of profiles attached to the tenant to be used to propagate default and mandatory configurations down to the children.

securityDomain
string

Security domains can be used to group different resources under the same security domain. Although a security domain is currently not a resource itself, it follows the FQN format organizations/myorg/securitydomains/mysecuritydomain, and a child cannot override any ancestor's security domain. Once a security domain is assigned to a Tenant, all of its child resources belong to that security domain: in the same way that a Workspace belongs to a Tenant, the Workspace also belongs to the security domain assigned to the Tenant. Security domains can also be used in the Authorization rules of Security settings to allow or deny requests from or to a security domain.

Responses

Request samples

Content type
application/json
{
  • "configGenerationMetadata": {
    },
  • "deletionProtectionEnabled": true,
  • "description": "string",
  • "displayName": "string",
  • "etag": "string",
  • "profiles": [
    ],
  • "securityDomain": "string"
}

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "displayName": "string",
  • "etag": "string",
  • "description": "string",
  • "securityDomain": "string",
  • "deletionProtectionEnabled": true,
  • "profiles": [
    ],
  • "configGenerationMetadata": {
    }
}

Delete a tenant from the platform. Deleting a tenant recursively deletes all resources attached to it, including all workspaces and all settings created in that tenant, so this operation should be performed with caution and only when it is safe to do so.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

query Parameters
force
boolean

Force the deletion of the object even if deletion protection is enabled. If this is set, then the object and all its children will be deleted even if any of them has the deletion protection enabled.

Responses

Response samples

Content type
application/json
{ }

List all the WASM extensions that have been attached to the given tenant.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

Responses

Response samples

Content type
application/json
{
  • "extensions": [
    ]
}

List all the settings objects that have been made available to the given tenant.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

Responses

Response samples

Content type
application/json
{
  • "settings": [
    ]
}

Create a settings object for the given tenant.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

Request Body schema: application/json
required
name
required
string

The short name for the resource to be created.

required
object (v2TenantSetting)

Tenant Setting allows configuring default settings for the tenant.

This is a global object that uniquely configures the tenant, and there can be only one tenant setting object defined for each tenant.

Traffic and security settings can be defined as defaults for a tenant, meaning that they will be applied to all the workspaces of the tenant. These default settings can be overridden by creating the proper WorkspaceSetting, TrafficSetting or SecuritySetting in the desired workspace or group.

apiVersion: api.tsb.tetrate.io/v2
kind: TenantSetting
metadata:
  name: tenant-settings
  organization: myorg
  tenant: mytenant
spec:
  defaultTrafficSetting:
    outbound:
      reachability:
        mode: WORKSPACE
      egress:
        host: bookinfo-perimeter/tsb-egress
  defaultSecuritySetting:
    authenticationSettings:
      trafficMode: REQUIRED
    authorization:
      mode: GROUP

Responses

Request samples

Content type
application/json
{
  • "name": "string",
  • "setting": {
    }
}

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "displayName": "string",
  • "etag": "string",
  • "description": "string",
  • "defaultSecuritySetting": {
    },
  • "defaultTrafficSetting": {
    }
}

Get the details for the given settings object.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

setting
required
string

Setting name.

Responses

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "displayName": "string",
  • "etag": "string",
  • "description": "string",
  • "defaultSecuritySetting": {
    },
  • "defaultTrafficSetting": {
    }
}

Modify the given settings in the given tenant.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

setting
required
string

Setting name.

Request Body schema: application/json
required
object (v2SecuritySetting)

SecuritySetting allows configuring security related properties such as TLS authentication and access control for traffic arriving at a proxy workload in a security group.

This is a global object that uniquely configures the security group, and there can be only one security setting object defined for each security group.

Security settings can be propagated alongside any other security settings defined in the configuration hierarchy. How they are propagated can be configured by specifying a PropagationStrategy.

The following example creates a security group for the proxy workloads in ns1, ns2 and ns3 namespaces owned by its parent workspace w1 under tenant mycompany and defines a security setting that only allows mutual TLS authenticated traffic from other proxy workloads in the same group.

apiVersion: security.tsb.tetrate.io/v2
kind: Group
metadata:
  name: t1
  workspace: w1
  tenant: mycompany
  organization: myorg
spec:
  namespaceSelector:
    names:
    - "*/ns1"
    - "*/ns2"
    - "*/ns3"
  configMode: BRIDGED

And the associated security settings for all proxy workloads in the group

apiVersion: security.tsb.tetrate.io/v2
kind: SecuritySetting
metadata:
  name: defaults
  group: t1
  workspace: w1
  tenant: mycompany
  organization: myorg
spec:
  authenticationSettings:
    trafficMode: REQUIRED
  authorization:
    mode: GROUP

The following example customizes the allowedSources to allow traffic from the namespaces within the group as well as the catalog-sa service account from ns4 namespace.

apiVersion: security.tsb.tetrate.io/v2
kind: SecuritySetting
metadata:
  name: custom
  group: t1
  workspace: w1
  tenant: mycompany
  organization: myorg
spec:
  authenticationSettings:
    trafficMode: REQUIRED
    http:
      rules:
        jwt:
        - issuer: "https://auth.tetrate.io"
          jwksUri: "https://oauth2.auth.tetrate.io/certs"
        - issuer: "https://auth.tetrate.internal"
          jwksUri: "https://oauth2.auth.tetrate.internal/certs"
  authorization:
    mode: CUSTOM
    serviceAccounts:
    - "ns1/*"
    - "ns2/*"
    - "ns3/*"
    - "ns4/catalog-sa"
    http:
      external:
        uri: "https://policy.auth.tetrate.io"
        includeRequestHeaders:
        - authorization

The following example rejects all traffic arriving at workloads from namespaces that belong to security group t1.

apiVersion: security.tsb.tetrate.io/v2
kind: SecuritySetting
metadata:
  name: defaults
  group: t1
  workspace: w1
  tenant: mycompany
  organization: myorg
spec:
  authenticationSettings:
    trafficMode: REQUIRED
  authorization:
    mode: RULES
    rules:
      denyAll: true

The following example accepts all traffic arriving at workloads from namespaces that belong to security group t1. All authenticated requests are accepted because no workload is targeted to be either allowed or denied.

apiVersion: security.tsb.tetrate.io/v2
kind: SecuritySetting
metadata:
  name: defaults
  group: t1
  workspace: w1
  tenant: mycompany
  organization: myorg
spec:
  authenticationSettings:
    trafficMode: REQUIRED
  authorization:
    mode: RULES

The following example accepts all traffic arriving at workloads in namespaces that belong to security group t1, except traffic from workloads belonging to workspace w2.

apiVersion: security.tsb.tetrate.io/v2
kind: SecuritySetting
metadata:
  name: defaults
  group: t1
  workspace: w1
  tenant: mycompany
  organization: myorg
spec:
  authenticationSettings:
    trafficMode: REQUIRED
  authorization:
    mode: RULES
    rules:
      deny:
       - from:
           fqn: organizations/myorg/tenants/mycompany/workspaces/w2
         to:
           fqn: organizations/myorg/tenants/mycompany/workspaces/w1/securitygroups/t1

The following example accepts traffic arriving at workloads in namespaces that belong to security group t1 only from workloads belonging to workspace w2. Hence, only authenticated requests to workloads in security group t1 coming from workloads in workspace w2 are accepted; all other requests are rejected.

apiVersion: security.tsb.tetrate.io/v2
kind: SecuritySetting
metadata:
  name: defaults
  group: t1
  workspace: w1
  tenant: mycompany
  organization: myorg
spec:
  authenticationSettings:
    trafficMode: REQUIRED
  authorization:
    mode: RULES
    rules:
      allow:
       - from:
           fqn: organizations/myorg/tenants/mycompany/workspaces/w2
         to:
           fqn: organizations/myorg/tenants/mycompany/workspaces/w1/securitygroups/t1

The following example uses a combination of allows and denies to show how rules are evaluated. Suppose we have a workspace w3 which contains 3 security groups, sg31, sg32, and sg33, and we also have workspaces w1 and w2. Security group sg31 contains workloads that handle sensitive data, and we want to accept only requests arriving from the same workspace w3 while explicitly rejecting requests coming from sg32. Hence, only authenticated requests to workloads in security group sg31 coming from workloads in workspace w3 and security group sg31 or sg33 will be accepted. Requests coming from sg32 will be rejected. Moreover, a request coming from any workload that belongs to another workspace (w1 or w2), or to a security group that belongs to another workspace, will also be rejected by default because it is not in the list of allowed resource FQNs.

apiVersion: security.tsb.tetrate.io/v2
kind: SecuritySetting
metadata:
  name: defaults
  group: sg31
  workspace: w3
  tenant: mycompany
  organization: myorg
spec:
  authenticationSettings:
    trafficMode: REQUIRED
  authorization:
    mode: RULES
    rules:
      allow:
       - from:
           fqn: organizations/myorg/tenants/mycompany/workspaces/w3
         to:
           fqn: organizations/myorg/tenants/mycompany/workspaces/w3/securitygroups/sg31
      deny:
       - from:
           fqn: organizations/myorg/tenants/mycompany/workspaces/w3/securitygroups/sg32
         to:
           fqn: organizations/myorg/tenants/mycompany/workspaces/w3/securitygroups/sg31
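
The rule evaluation described in the examples above, as an added worked example (this is illustrative code, not TSB's own implementation). It reads the `authorization` block of a SecuritySetting in `mode: RULES` and decides whether an authenticated request from one workload FQN to another is accepted: `denyAll` rejects everything, a matching deny entry rejects, a non-empty allow list means default deny, and an absent `rules` block accepts all authenticated traffic. The matching semantics are an assumption made here: a rule FQN covers a workload whose FQN equals it or lies below it in the hierarchy, so a workspace FQN covers every security group in that workspace. The FQNs used as inputs are constructed to mirror the sg31 example.

```python
from dataclasses import dataclass, field
from typing import Any, Dict, List, Optional


@dataclass(frozen=True)
class Rule:
    """One allow/deny entry: the rule's from.fqn and to.fqn."""
    src: str
    dst: str


@dataclass
class Rules:
    """The `rules` block under `authorization: {mode: RULES}`."""
    deny_all: bool = False
    allow: List[Rule] = field(default_factory=list)
    deny: List[Rule] = field(default_factory=list)


def covers(rule_fqn: str, workload_fqn: str) -> bool:
    """Assumed matching: a rule FQN matches a workload whose FQN equals it
    or sits below it in the hierarchy (a workspace covers its security groups)."""
    return workload_fqn == rule_fqn or workload_fqn.startswith(rule_fqn + "/")


def rule_matches(rule: Rule, src: str, dst: str) -> bool:
    return covers(rule.src, src) and covers(rule.dst, dst)


def rules_from_authorization(authorization: Dict[str, Any]) -> Optional[Rules]:
    """Build Rules from the parsed `spec.authorization` mapping of a SecuritySetting.
    Returns None when no `rules` block is present (every authenticated request passes)."""
    if authorization.get("mode") != "RULES":
        raise ValueError("only authorization mode RULES is modelled here")
    raw = authorization.get("rules")
    if raw is None:
        return None

    def to_rules(items: Optional[List[Dict[str, Any]]]) -> List[Rule]:
        return [Rule(i["from"]["fqn"], i["to"]["fqn"]) for i in items or []]

    return Rules(deny_all=bool(raw.get("denyAll", False)),
                 allow=to_rules(raw.get("allow")),
                 deny=to_rules(raw.get("deny")))


def authorized(rules: Optional[Rules], src: str, dst: str) -> bool:
    """Decide whether an authenticated request from src to dst is accepted."""
    if rules is None:          # mode: RULES with no rules block: accept all
        return True
    if rules.deny_all:         # rules: {denyAll: true}: reject all
        return False
    if any(rule_matches(r, src, dst) for r in rules.deny):
        return False           # an explicit deny always wins
    if rules.allow:            # an allow list is present: default deny
        return any(rule_matches(r, src, dst) for r in rules.allow)
    return True                # only deny entries: everything else is accepted


# Constructed inputs mirroring the sg31 example: allow w3 -> sg31, deny sg32 -> sg31.
WS = "organizations/myorg/tenants/mycompany/workspaces"
SG31 = f"{WS}/w3/securitygroups/sg31"
SG31_AUTHORIZATION = {
    "mode": "RULES",
    "rules": {
        "allow": [{"from": {"fqn": f"{WS}/w3"}, "to": {"fqn": SG31}}],
        "deny": [{"from": {"fqn": f"{WS}/w3/securitygroups/sg32"},
                  "to": {"fqn": SG31}}],
    },
}


def decide_for_sg31(src_fqn: str) -> bool:
    """Apply the sg31 setting to a request arriving at sg31 from src_fqn."""
    return authorized(rules_from_authorization(SG31_AUTHORIZATION), src_fqn, SG31)


if __name__ == "__main__":
    for group in ("w3/securitygroups/sg33", "w3/securitygroups/sg32",
                  "w1/securitygroups/sg11"):
        verdict = "accept" if decide_for_sg31(f"{WS}/{group}") else "reject"
        print(f"{group:>24} -> sg31: {verdict}")
```

Running the module prints accept for sg33, reject for sg32 and reject for w1/sg11, which is the outcome the paragraph above describes. Because the deny check runs before the allow check, an entry that appears in both lists is rejected, which is the safer ordering when rules overlap.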

The following example customizes the WAFSettings to enforce Web Application Firewall rules on the sidecars in namespaces that reside in the SecurityGroup.

Please DO NOT use it in production.

apiVersion: security.tsb.tetrate.io/v2
kind: SecuritySetting
metadata:
  name: defaults
  group: t1
  workspace: w1
  tenant: mycompany
  organization: myorg
spec:
  waf:
    rules:
      - SecRuleEngine ON
      - Include @owasp_crs/*.conf

The following example customizes the Extensions to enable execution of the specified list of WasmExtensions, detailing custom properties for the execution of each extension.

apiVersion: security.tsb.tetrate.io/v2
kind: SecuritySetting
metadata:
  name: defaults
  group: t1
  workspace: w1
  tenant: mycompany
  organization: myorg
spec:
  extension:
  - fqn: hello-world # fqn of imported extensions in TSB
    config:
      foo: bar

object (v2TrafficSetting)

A traffic setting applies configuration to a set of proxy workloads in a traffic group or a workspace. When applied to a traffic group, missing fields will inherit values from the workspace-wide setting if any.

Traffic Settings allow configuring the behavior of the proxy workloads in a set of namespaces owned by a traffic group. Specifically, it allows configuring the dependencies of proxy workloads on namespaces outside the traffic group as well as reliability settings for outbound calls made by the proxy workloads to other services.

This is a global object that uniquely configures the traffic group, and there can be only one traffic setting object defined for each traffic group.

The following example creates a traffic group for the proxy workloads in the ns1, ns2 and ns3 namespaces owned by its parent workspace w1 under tenant mycompany. It then defines a traffic setting for all workloads in these namespaces, adding a dependency on all the services in the shared db namespace, and forwarding all unknown traffic via the egress gateway in the istio-system namespace.

apiVersion: traffic.tsb.tetrate.io/v2
kind: Group
metadata:
  name: t1
  workspace: w1
  tenant: mycompany
  organization: myorg
spec:
  namespaceSelector:
    names:
    - "*/ns1"
    - "*/ns2"
    - "*/ns3"
  configMode: BRIDGED

And the associated traffic settings for the proxy workloads:

apiVersion: traffic.tsb.tetrate.io/v2
kind: TrafficSetting
metadata:
  name: defaults
  group: t1
  workspace: w1
  tenant: mycompany
  organization: myorg
spec:
  outbound:
    reachability:
      mode: CUSTOM
      hosts:
      - "ns1/*"
      - "ns2/*"
      - "ns3/*"
      - "db/*"
    upstreamTrafficSettings:
    - hosts:
      - '*'
      settings:
        resilience:
          circuitBreakerSensitivity: MEDIUM
    egress:
      host: istio-system/istio-egressgateway

To set the load balancing algorithm to ROUND_ROBIN for all outbound requests to the service foo.bar.svc.cluster.local from clients in the t1 traffic group:

apiVersion: traffic.tsb.tetrate.io/v2
kind: TrafficSetting
metadata:
  name: defaults
  group: t1
  workspace: w1
  tenant: mycompany
  organization: myorg
spec:
  outbound:
    upstreamTrafficSettings:
    - hosts:
      - 'foo.bar.svc.cluster.local'
      settings:
        loadBalancer:
          simple: ROUND_ROBIN

upstreamTrafficSettings can be used to configure outbound traffic by grouping particular sets of upstream hosts under a shared setting. In the example below, all outbound requests to hosts matching the wildcard *.ns1.svc.cluster.local use a request timeout of 10s, while hosts matching *.ns2.svc.cluster.local and *.ns3.svc.cluster.local use a request timeout of 5s.

apiVersion: traffic.tsb.tetrate.io/v2
kind: TrafficSetting
metadata:
  name: defaults
  group: t1
  workspace: w1
  tenant: mycompany
  organization: myorg
spec:
  outbound:
    upstreamTrafficSettings:
    - hosts:
      - '*.ns1.svc.cluster.local'
      settings:
        resilience:
          connectionPool:
            http:
              requestTimeout: 10s
    - hosts:
      - '*.ns2.svc.cluster.local'
      - '*.ns3.svc.cluster.local'
      settings:
        resilience:
          connectionPool:
            http:
              requestTimeout: 5s

The following traffic setting confines the reachability of proxy workloads in the traffic group t1 to other namespaces inside the group. The resilience and egress gateway settings will be inherited from the workspace wide traffic setting.

apiVersion: traffic.tsb.tetrate.io/v2
kind: TrafficSetting
metadata:
  name: defaults
  group: t1
  workspace: w1
  tenant: mycompany
  organization: myorg
spec:
  outbound:
    reachability:
      mode: GROUP

The above fields have now been moved into two separate sections, inbound and outbound, to allow better control over them. Refer to the example below, which configures a traffic setting for all services in traffic group t1 with knobs similar to those explained in the earlier examples:

apiVersion: traffic.tsb.tetrate.io/v2
kind: TrafficSetting
metadata:
  name: defaults
  group: t1
  workspace: w1
  tenant: mycompany
  organization: myorg
spec:
  inbound:
    resilience:
      connectionPool:
        tcp:
          keepAlive:
            idleTime: 300
  outbound:
    reachability:
      mode: GROUP
    upstreamTrafficSettings:
    - hosts:
      - '*.ns1.svc.cluster.local'
      settings:
        resilience:
          connectionPool:
            http:
              requestTimeout: 10s

This traffic setting configuration specifies upstream traffic settings for specific hosts within the client namespace. It is associated with the w1 workspace and the t1 traffic group.

apiVersion: traffic.tsb.tetrate.io/v2
kind: TrafficSetting
metadata:
  name: client-upstream-traffic-setting
  namespace: client
  group: t1
  workspace: w1
  tenant: mycompany
  organization: myorg
spec:
  outbound:
    upstreamTrafficSettings:
    - hosts:
      - 'httpbin.app1.svc.cluster.local'
      - '*.app3.svc.cluster.local'
      - '*.app4.svc.cluster.local'
      settings:
        authentication:
          trafficMode: REQUIRED
    - hosts:
      - '*.app2.svc.cluster.local'
      - 'tetrate.app4.svc.cluster.local'
      settings:
        authentication:
          trafficMode: OPTIONAL

This configuration specifies authentication requirements for traffic to the following hosts:

  • httpbin.app1.svc.cluster.local requires mTLS authentication.
  • All non-injected services in app3 namespace require mTLS authentication.
  • All non-injected services in app4 namespace require mTLS authentication, except for tetrate.app4.svc.cluster.local, which is excluded.
  • Authentication enforcement is skipped for all non-injected services in app2 namespace.
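
The host matching that the upstreamTrafficSettings examples above rely on, as an added worked example (illustrative code, not TSB's own implementation). Given the `upstreamTrafficSettings` list of a TrafficSetting and an outbound host, it returns the `settings` of the entry that applies. The precedence it implements is an assumption made here, chosen to reproduce the bullet list above: an exact host outranks a wildcard that also covers it (so tetrate.app4.svc.cluster.local gets OPTIONAL although *.app4.svc.cluster.local says REQUIRED), a longer wildcard suffix outranks a shorter one, and a bare '*' is the fallback. The two settings lists are constructed to mirror the client-upstream-traffic-setting and requestTimeout examples.

```python
from typing import Any, Dict, List, Optional


def host_matches(pattern: str, host: str) -> bool:
    """'*' matches any host; '*.suffix' matches any host under that suffix;
    anything else must match exactly. (Assumed semantics.)"""
    if pattern == "*":
        return True
    if pattern.startswith("*."):
        suffix = pattern[1:]                      # e.g. ".app4.svc.cluster.local"
        return host.endswith(suffix) and len(host) > len(suffix)
    return host == pattern


def specificity(pattern: str) -> int:
    """Higher wins: exact hosts beat every wildcard, longer wildcard suffixes
    beat shorter ones, bare '*' is the fallback. (Assumed precedence.)"""
    if pattern == "*":
        return 0
    if pattern.startswith("*."):
        return len(pattern)
    return 1 << 20


def resolve_settings(upstream: List[Dict[str, Any]], host: str) -> Optional[Dict[str, Any]]:
    """Return the `settings` of the most specific matching entry, or None."""
    best: Optional[Dict[str, Any]] = None
    best_score = -1
    for entry in upstream:
        for pattern in entry["hosts"]:
            if host_matches(pattern, host) and specificity(pattern) > best_score:
                best, best_score = entry["settings"], specificity(pattern)
    return best


def lookup(settings: Optional[Dict[str, Any]], *path: str) -> Optional[Any]:
    """Walk a nested settings mapping; None if any key on the path is absent."""
    node: Any = settings
    for key in path:
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node


def auth_mode(upstream: List[Dict[str, Any]], host: str) -> Optional[str]:
    return lookup(resolve_settings(upstream, host), "authentication", "trafficMode")


def request_timeout(upstream: List[Dict[str, Any]], host: str) -> Optional[str]:
    return lookup(resolve_settings(upstream, host),
                  "resilience", "connectionPool", "http", "requestTimeout")


# Constructed mirror of the client-upstream-traffic-setting example above.
CLIENT_UPSTREAM = [
    {"hosts": ["httpbin.app1.svc.cluster.local", "*.app3.svc.cluster.local",
               "*.app4.svc.cluster.local"],
     "settings": {"authentication": {"trafficMode": "REQUIRED"}}},
    {"hosts": ["*.app2.svc.cluster.local", "tetrate.app4.svc.cluster.local"],
     "settings": {"authentication": {"trafficMode": "OPTIONAL"}}},
]

# Constructed mirror of the requestTimeout example, plus the '*' catch-all
# with circuitBreakerSensitivity from the first TrafficSetting example.
TIMEOUT_UPSTREAM = [
    {"hosts": ["*.ns1.svc.cluster.local"],
     "settings": {"resilience": {"connectionPool": {"http": {"requestTimeout": "10s"}}}}},
    {"hosts": ["*.ns2.svc.cluster.local", "*.ns3.svc.cluster.local"],
     "settings": {"resilience": {"connectionPool": {"http": {"requestTimeout": "5s"}}}}},
    {"hosts": ["*"],
     "settings": {"resilience": {"circuitBreakerSensitivity": "MEDIUM"}}},
]


if __name__ == "__main__":
    for host in ("httpbin.app1.svc.cluster.local", "tetrate.app4.svc.cluster.local",
                 "other.app4.svc.cluster.local", "x.app2.svc.cluster.local"):
        print(f"{host:>32}: authentication {auth_mode(CLIENT_UPSTREAM, host)}")
    for host in ("a.ns1.svc.cluster.local", "b.ns3.svc.cluster.local",
                 "c.db.svc.cluster.local"):
        print(f"{host:>32}: requestTimeout {request_timeout(TIMEOUT_UPSTREAM, host)}")
```

A host that matches no entry resolves to None, which in the authentication case means the upstream setting imposes no requirement of its own; a practitioner checking a TrafficSetting should treat that as "falls through to the group or workspace default", not as "authentication enforced".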

description
string (A description of the resource. $hide_from_yaml)
displayName
string (User friendly name for the resource. $hide_from_yaml)
etag
string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)

Responses

Request samples

Content type
application/json
{
  • "defaultSecuritySetting": {
    },
  • "defaultTrafficSetting": {
    },
  • "description": "string",
  • "displayName": "string",
  • "etag": "string"
}

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "displayName": "string",
  • "etag": "string",
  • "description": "string",
  • "defaultSecuritySetting": {
    },
  • "defaultTrafficSetting": {
    }
}

Delete the given settings object from the tenant.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

setting
required
string

Setting name.

Responses

Response samples

Content type
application/json
{ }

Workspaces

List all existing workspaces for the given tenant.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

Responses

Response samples

Content type
application/json
{
  • "workspaces": [
    ]
}

Create a new workspace. The workspace will own exclusively the namespaces configured in the namespaces selector for the workspace.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

Request Body schema: application/json
required
name
required
string

The short name for the resource to be created.

required
object (v2Workspace)

A Workspace carves a chunk of the cluster resources owned by a tenant into an isolated configuration domain.

The following example claims ns1 and ns2 namespaces across all clusters owned by the tenant mycompany.

apiVersion: api.tsb.tetrate.io/v2
kind: Workspace
metadata:
  name: w1
  tenant: mycompany
  organization: myorg
spec:
  namespaceSelector:
    names:
    - "*/ns1"
    - "*/ns2"

The following example claims ns1 namespace only from the c1 cluster and claims all namespaces from the c2 cluster.

apiVersion: api.tsb.tetrate.io/v2
kind: Workspace
metadata:
  name: w1
  tenant: mycompany
  organization: myorg
spec:
  namespaceSelector:
    names:
    - "c1/ns1"
    - "c2/*"

Custom labels and annotations can be propagated to the final Istio translation that will be applied at the clusters. This can help with third-party integrations or with setting custom identifiers. The following example configures the annotation my.org.environment to be applied to all final Istio translations generated under this Workspace, for example Gateways or Virtual Services.

apiVersion: api.tsb.tetrate.io/v2
kind: Workspace
metadata:
  name: w1
  tenant: mycompany
  organization: myorg
  annotations:
    my.org.environment: dev
spec:
  namespaceSelector:
    names:
    - "*/ns1"

Responses

Request samples

Content type
application/json
{
  • "name": "string",
  • "workspace": {
    }
}

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "displayName": "string",
  • "etag": "string",
  • "description": "string",
  • "namespaceSelector": {
    },
  • "privileged": true,
  • "isolationBoundary": "string",
  • "securityDomain": "string",
  • "deletionProtectionEnabled": true,
  • "profiles": [
    ],
  • "configGenerationMetadata": {
    }
}

Get the details of an existing workspace

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

Responses

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "displayName": "string",
  • "etag": "string",
  • "description": "string",
  • "namespaceSelector": {
    },
  • "privileged": true,
  • "isolationBoundary": "string",
  • "securityDomain": "string",
  • "deletionProtectionEnabled": true,
  • "profiles": [
    ],
  • "configGenerationMetadata": {
    }
}

Modify an existing workspace

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

Request Body schema: application/json
required
object (v2ConfigGenerationMetadata)

ConfigGenerationMetadata allows setting up extra metadata, such as new labels or annotations, that will be added to the final generated Istio configuration. Defining config generation metadata in tenancy resources (organization, tenant, workspace or groups) provides default values for the configurations that belong to them. Defining the same config generation metadata in configuration resources (ingress gateways, service routes, etc.) replaces the values defined in the tenancy resources.

deletionProtectionEnabled
boolean

When set, prevents the resource from being deleted. In order to delete the resource this property needs to be set to false first.

description
string (A description of the resource. $hide_from_yaml)
displayName
string (User friendly name for the resource. $hide_from_yaml)
etag
string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)
isolationBoundary
string

Istio Isolation Boundary name to which this workspace belongs. If not provided explicitly, the workspace looks for an isolation boundary named "global". Therefore, in order to move existing workspaces to isolation boundaries and make them part of a revisioned control plane, it is recommended to configure an isolation boundary with the name "global".

required
object (NamespaceSelector)

`NamespaceSelector` selects a set of namespaces across one or more clusters in a tenant. Namespace selectors can be used at Workspace level to carve out a chunk of resources under a tenant into an isolated configuration domain. They can be used in a Traffic, Security, or a Gateway group to further scope the set of namespaces that will belong to a specific configuration group. Names in the namespace selector must be in the form `cluster/namespace` where:

  • cluster must be a cluster name or an `*` to mean all clusters
  • namespace must be a namespace name, an `*` to mean all namespaces, or a prefix like `ns-*` to mean all those namespaces starting with `ns-`

privileged
boolean

If set to true, allows Gateways in the workspace to route to services in other workspaces. Set this to true for workspaces owning cluster-wide gateways shared by multiple teams.

profiles
Array of strings

List of profiles attached to the workspace to be used to propagate default and mandatory configurations down to the children.

securityDomain
string

Security domains can be used to group different resources under the same security domain. Although a security domain is currently not a resource itself, it follows the FQN format organizations/myorg/securitydomains/mysecuritydomain, and a child cannot override any ancestor's security domain. Once a security domain is assigned to a Workspace, all of its children resources belong to that security domain: in the same way that a Security group belongs to a Workspace, the Security group also belongs to the security domain assigned to that Workspace. Security domains can also be used in Security settings Authorization rules to allow or deny requests from or to a security domain.
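
The `cluster/namespace` grammar of the namespace selector above is small enough to check by hand, but two things are easy to get wrong at scale: malformed entries that silently select nothing, and two workspaces whose selectors overlap even though a workspace is meant to own its namespaces exclusively. The following Python is an added example (not TSB's own validation code): it parses selector entries, matches them against `(cluster, namespace)` pairs, and reports namespaces claimed by more than one workspace. The DNS-label regexes and the sample selectors and inventory are constructed assumptions; TSB's exact name rules are not stated on this page.

```python
import re

# Constructed sample selectors, modelled on the Workspace examples on this
# page ("*/ns1", "c1/ns1", "c2/*") plus one prefix entry; not TSB's own code.
SELECTOR_NAMES = ["c1/ns1", "c2/*", "*/ns-*"]

# Assumed DNS-label shape for cluster and namespace names (TSB's exact
# validation rules are not stated on this page).
_LABEL = re.compile(r"^[a-z0-9]([-a-z0-9]*[a-z0-9])?$")
_PREFIX = re.compile(r"^[a-z0-9][-a-z0-9]*$")


def parse_selector_name(entry: str) -> tuple[str, str]:
    """Split one 'cluster/namespace' entry into its two halves, validating both.

    cluster must be a name or '*'; namespace must be a name, '*' or a
    'prefix-*' wildcard. Anything else raises ValueError.
    """
    if entry.count("/") != 1:
        raise ValueError(f"{entry!r}: expected exactly one '/'")
    cluster, namespace = entry.split("/")
    if cluster != "*" and not _LABEL.match(cluster):
        raise ValueError(f"{entry!r}: invalid cluster {cluster!r}")
    if namespace == "*":
        return cluster, namespace
    if namespace.endswith("*"):
        if not _PREFIX.match(namespace[:-1]):
            raise ValueError(f"{entry!r}: invalid namespace prefix {namespace!r}")
        return cluster, namespace
    if not _LABEL.match(namespace):
        raise ValueError(f"{entry!r}: invalid namespace {namespace!r}")
    return cluster, namespace


def validate_selector(names: list[str]) -> list[str]:
    """Return one error message per malformed entry (empty list when all are valid)."""
    errors = []
    for name in names:
        try:
            parse_selector_name(name)
        except ValueError as exc:
            errors.append(str(exc))
    return errors


def matches(entry: str, cluster: str, namespace: str) -> bool:
    """True when the selector entry selects the given (cluster, namespace)."""
    sel_cluster, sel_ns = parse_selector_name(entry)
    if sel_cluster != "*" and sel_cluster != cluster:
        return False
    if sel_ns == "*":
        return True
    if sel_ns.endswith("*"):
        return namespace.startswith(sel_ns[:-1])
    return namespace == sel_ns


def selected(names: list[str], cluster: str, namespace: str) -> bool:
    """True when any entry of the selector selects the namespace."""
    return any(matches(n, cluster, namespace) for n in names)


def double_claimed(selectors: dict[str, list[str]],
                   inventory: list[tuple[str, str]]) -> dict[tuple[str, str], list[str]]:
    """Find namespaces that more than one workspace selector claims.

    Workspaces own their namespaces exclusively, so any hit here is a
    configuration conflict worth catching before the workspaces are created.
    """
    conflicts = {}
    for cluster, ns in inventory:
        owners = [w for w, names in selectors.items() if selected(names, cluster, ns)]
        if len(owners) > 1:
            conflicts[(cluster, ns)] = owners
    return conflicts


if __name__ == "__main__":
    print(validate_selector(["c1/ns1", "ns1", "*/n*s"]))
    print(selected(SELECTOR_NAMES, "c3", "ns-payments"))
    # Constructed inventory of (cluster, namespace) pairs to audit two workspaces.
    print(double_claimed({"w1": ["*/ns1", "*/ns2"], "w2": ["c1/ns1", "c2/*"]},
                         [("c1", "ns1"), ("c2", "ns1"), ("c2", "db"), ("c1", "ns2")]))
```

Running `double_claimed` over the cluster inventory before applying two workspaces shows where `*/ns1` and `c2/*` collide; the conflict has to be resolved in the selectors, not discovered after the fact.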

Responses

Request samples

Content type
application/json
{
  • "configGenerationMetadata": {
    },
  • "deletionProtectionEnabled": true,
  • "description": "string",
  • "displayName": "string",
  • "etag": "string",
  • "isolationBoundary": "string",
  • "namespaceSelector": {
    },
  • "privileged": true,
  • "profiles": [
    ],
  • "securityDomain": "string"
}

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "displayName": "string",
  • "etag": "string",
  • "description": "string",
  • "namespaceSelector": {
    },
  • "privileged": true,
  • "isolationBoundary": "string",
  • "securityDomain": "string",
  • "deletionProtectionEnabled": true,
  • "profiles": [
    ],
  • "configGenerationMetadata": {
    }
}

Delete an existing workspace. Note that deleting resources in TSB is a recursive operation. Deleting a workspace will delete all groups and configuration objects that exist in it.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

query Parameters
force
boolean

Force the deletion of the object even if deletion protection is enabled. If this is set, then the object and all its children will be deleted even if any of them has the deletion protection enabled.

Responses

Response samples

Content type
application/json
{ }

List all API objects in the workspace.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

Responses

Response samples

Content type
application/json
{
  • "apis": [
    ]
}

Create an API object in the workspace.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

Request Body schema: application/json
required
required
object (apitsbv2API)

An API resource defines an OpenAPI specification that can be used by gateways to validate incoming requests.

The following API resource example validates incoming requests for certain hostnames and optional paths.

apiVersion: api.tsb.tetrate.io/v2
kind: API
metadata:
  organization: myorg
  tenant: mycompany
  workspace: myapp
  name: example-api
spec:
  openapi: |
    TODO: add an example with request body definition

The following gateway definition references the previous API to perform its validations for incoming requests.

apiVersion: gateway.tsb.tetrate.io/v2
kind: Gateway
metadata:
  organization: myorg
  tenant: mycompany
  workspace: myapp
  name: example-gateway
spec:
  workloadSelector:
    namespace: ns1
    labels:
      app: gateway
  http:
  - name: bookinfo
    port: 443
    hostname: bookinfo.com
    tls:
      mode: SIMPLE
      secretName: bookinfo-certs
    routing:
      rules:
      - route:
          serviceDestination:
            host: ns1/productpage.ns1.svc.cluster.local
    openapi:
      api: organizations/myorg/tenants/mycompany/workspaces/myapp/apis/example-api
      validation:
        enabled: true
name
required
string

The short name for the resource to be created.

Responses

Request samples

Content type
application/json
{
  • "api": {
    },
  • "name": "string"
}

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "displayName": "string",
  • "etag": "string",
  • "description": "string",
  • "openapi": "string"
}

Get the details of the given API object.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

api
required
string

Api name.

Responses

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "displayName": "string",
  • "etag": "string",
  • "description": "string",
  • "openapi": "string"
}

Modify the given API object.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

api
required
string

Api name.

Request Body schema: application/json
required
description
string (A description of the resource. $hide_from_yaml)
displayName
string (User friendly name for the resource. $hide_from_yaml)
etag
string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)
openapi
required
string

The raw OpenAPI spec for this API.

Responses

Request samples

Content type
application/json
{
  • "description": "string",
  • "displayName": "string",
  • "etag": "string",
  • "openapi": "string"
}

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "displayName": "string",
  • "etag": "string",
  • "description": "string",
  • "openapi": "string"
}

Delete the given API object.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

api
required
string

Api name.

Responses

Response samples

Content type
application/json
{ }

List all settings available for the given workspace.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

Responses

Response samples

Content type
application/json
{
  • "settings": [
    ]
}

Create default settings for a workspace. Default settings will apply to the services owned by the workspace, unless more specific settings are provided at the group level.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

Request Body schema: application/json
required
name
required
string

The short name for the resource to be created.

required
object (v2WorkspaceSetting)

Workspace setting allows configuring the default traffic, security and east-west gateway settings for all the workloads in the namespaces owned by the workspace. Any namespace in the workspace that is not part of a traffic or security group with specific settings will use these default settings.

This is a global object that uniquely configures the workspace, and there can be only one workspace setting object defined for each workspace.

The following example sets the default security policy to accept either mutual TLS or plaintext traffic, and only accept connections at a proxy workload from services within the same namespace. The default traffic policy allows unknown traffic from a proxy workload to be forwarded via an egress gateway tsb-egress in the perimeter namespace in the same cluster.

apiVersion: api.tsb.tetrate.io/v2
kind: WorkspaceSetting
metadata:
  name: w1-settings
  workspace: w1
  tenant: mycompany
  organization: myorg
spec:
  defaultSecuritySetting:
    authenticationSettings:
      trafficMode: REQUIRED
  defaultTrafficSetting:
    outbound:
      egress:
        host: bookinfo-perimeter/tsb-egress

In order to set all the proxies in a workspace to use a specific load balancer algorithm such as LEAST_REQUEST for all outbound requests, the defaultTrafficSetting resource can be defined as following.

apiVersion: api.tsb.tetrate.io/v2
kind: WorkspaceSetting
metadata:
  name: w1-settings
  workspace: w1
  tenant: mycompany
  organization: myorg
spec:
  defaultTrafficSetting:
    outbound:
      upstreamTrafficSettings:
      - hosts:
        - '*' # asterisk '*' selects all upstream hosts
        settings:
          loadBalancer:
            simple: LEAST_REQUEST

The above traffic settings are for outbound requests from proxies in the workspace. Inbound traffic can also be configured for proxies at the workspace level. For example, the following configures the TCP keep-alive for all downstream connections to workloads in this workspace with a 300 second idle time.

apiVersion: api.tsb.tetrate.io/v2
kind: WorkspaceSetting
metadata:
  name: w1-settings
  workspace: w1
  tenant: mycompany
  organization: myorg
spec:
  defaultTrafficSetting:
    inbound:
      resilience:
        connectionPool:
          tcp:
            keepAlive:
              idleTime: 300

Similarly other traffic setting properties can be set at a workspace level. Refer to TrafficSettings documentation for more information. Note that a workspace level traffic configuration can be overwritten by more granular configuration such as TrafficSettings or ServiceTrafficSettings.

The next example sets the defaults for east-west traffic, configuring gateways for two different app groups. The first setting configures the gateway in the namespace platinum to manage the traffic for all workloads with the labels tier: platinum and critical: true. The second one configures the gateway in the namespace internal to manage the traffic for all workloads with the labels app: eshop or internal-critical: true. Setting up multiple east-west gateways also allows isolating cross-cluster traffic.

apiVersion: api.tsb.tetrate.io/v2
kind: WorkspaceSetting
metadata:
  name: w1-settings
  workspace: w1
  tenant: mycompany
  organization: myorg
spec:
  defaultEastWestGatewaySettings:
  - workloadSelector:
      namespace: platinum
      labels:
        app: eastwest-gw
    exposedServices:
    - serviceLabels:
        tier: platinum
        critical: "true"
  - workloadSelector:
      namespace: internal
      labels:
        app: eastwest-gw
    exposedServices:
    - serviceLabels:
        app: eshop
    - serviceLabels:
        internal-critical: "true"

The next example configures workspace settings for different workspaces with a list of gateway hosts that they can reach.

The first one configures the hostname echo-1.tetrate.io which is reachable from workspace w1.

apiVersion: api.tsb.tetrate.io/v2
kind: WorkspaceSetting
metadata:
  name: w1-settings
  workspace: w1
  tenant: mycompany
  organization: myorg
spec:
  hostsReachability:
    hostnames:
     - exact: echo-1.tetrate.io

The second one configures the hostnames echo-1.tetrate.io and echo-2.tetrate.io which are reachable from workspace w2.

apiVersion: api.tsb.tetrate.io/v2
kind: WorkspaceSetting
metadata:
  name: w2-settings
  workspace: w2
  tenant: mycompany
  organization: myorg
spec:
  hostsReachability:
    hostnames:
     - exact: echo-1.tetrate.io
     - exact: echo-2.tetrate.io

The third configures nothing.

apiVersion: api.tsb.tetrate.io/v2
kind: WorkspaceSetting
metadata:
  name: w3-settings
  workspace: w3
  tenant: mycompany
  organization: myorg
spec:

The last one configures an empty hostname list.

apiVersion: api.tsb.tetrate.io/v2
kind: WorkspaceSetting
metadata:
  name: w4-settings
  workspace: w4
  tenant: mycompany
  organization: myorg
spec:
  hostsReachability:
    hostnames: []

In summary, the previous example makes:

  • The host echo-1.tetrate.io to be reachable from namespaces configured in workspaces w1, w2 and w3.
  • The host echo-2.tetrate.io to be reachable from namespaces configured in workspaces w2 and w3.
  • All hosts to be reachable from namespaces configured in workspace w3.
  • Workspace w4 cannot reach any hosts.
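
The four cases above (a one-host list, a two-host list, no hostsReachability block at all, and an explicitly empty list) are worth encoding, because the last two look similar in YAML but mean opposite things. The following Python is an added example, not TSB's own code: it reduces the four WorkspaceSetting specs to their hostsReachability blocks (constructed dicts, shaped as a YAML loader would produce them), answers "which workspaces can reach this host", and flags workspaces that never narrowed the all-hosts default. Only the `exact` matcher shown on the page is modelled; that restriction is an assumption of the example.

```python
# Constructed from the four WorkspaceSetting examples above: each spec reduced
# to its hostsReachability block. w3 has an empty spec, so the key is absent.
# Added example, not TSB's own code.
WORKSPACE_SPECS = {
    "w1": {"hostsReachability": {"hostnames": [{"exact": "echo-1.tetrate.io"}]}},
    "w2": {"hostsReachability": {"hostnames": [{"exact": "echo-1.tetrate.io"},
                                               {"exact": "echo-2.tetrate.io"}]}},
    "w3": {},
    "w4": {"hostsReachability": {"hostnames": []}},
}


def can_reach(spec: dict, host: str) -> bool:
    """Decide whether a workspace with this spec can reach a gateway host.

    Follows the three cases the examples spell out: no hostsReachability at
    all means every host; an explicit list (including an empty one) means
    exactly the listed hosts. Only the 'exact' matcher shown on the page is
    modelled; other matcher types are assumed not to occur here.
    """
    reach = spec.get("hostsReachability")
    if reach is None:
        return True
    for entry in reach.get("hostnames") or []:
        if entry.get("exact") == host:
            return True
    return False


def reachable_from(specs: dict, host: str) -> list:
    """Names of the workspaces whose namespaces can reach the host."""
    return sorted(w for w, spec in specs.items() if can_reach(spec, host))


def unrestricted(specs: dict) -> list:
    """Workspaces that never set hostsReachability and therefore reach everything.

    Useful as an audit check: in a multicluster mesh these are the workspaces
    where the default (all hosts reachable) was never narrowed.
    """
    return sorted(w for w, spec in specs.items() if spec.get("hostsReachability") is None)


if __name__ == "__main__":
    for host in ("echo-1.tetrate.io", "echo-2.tetrate.io", "other.example"):
        print(host, "reachable from", reachable_from(WORKSPACE_SPECS, host))
    print("unrestricted:", unrestricted(WORKSPACE_SPECS))
```

`unrestricted` is the check to run across a tenant: a workspace that appears there is w3's case, reaching every gateway host in every cluster by default rather than by decision.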

Responses

Request samples

Content type
application/json
{
  • "name": "string",
  • "settings": {
    }
}

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "displayName": "string",
  • "etag": "string",
  • "description": "string",
  • "defaultSecuritySetting": {
    },
  • "defaultTrafficSetting": {
    },
  • "regionalFailover": [
    ],
  • "defaultEastWestGatewaySettings": [
    ],
  • "hostsReachability": {
    },
  • "failoverSettings": {
    }
}

Get the details of a settings object for the given workspace.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

setting
required
string

Setting name.

Responses

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "displayName": "string",
  • "etag": "string",
  • "description": "string",
  • "defaultSecuritySetting": {
    },
  • "defaultTrafficSetting": {
    },
  • "regionalFailover": [
    ],
  • "defaultEastWestGatewaySettings": [
    ],
  • "hostsReachability": {
    },
  • "failoverSettings": {
    }
}

Modify the given workspace settings.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

setting
required
string

Setting name.

Request Body schema: application/json
required
Array of objects (v2EastWestGateway)

Default east west gateway settings specify workspace-wide east-west gateway configuration. This is used to configure east-west routing (required for failover) for the services that are not exposed on the gateways. All services matching the specified criteria are picked up for exposing on the east-west gateway workload selected by the workload selector. If a service matches the selectors of multiple items, the first matching item is picked.

object (v2SecuritySetting)

SecuritySetting allows configuring security related properties such as TLS authentication and access control for traffic arriving at a proxy workload in a security group.

This is a global object that uniquely configures the security group, and there can be only one security setting object defined for each security group.

Security settings can be propagated along any defined security settings in the configuration hierarchy. How security settings are propagated can be configured by specifying a PropagationStrategy.

The following example creates a security group for the proxy workloads in ns1, ns2 and ns3 namespaces owned by its parent workspace w1 under tenant mycompany and defines a security setting that only allows mutual TLS authenticated traffic from other proxy workloads in the same group.

apiVersion: security.tsb.tetrate.io/v2
kind: Group
metadata:
  name: t1
  workspace: w1
  tenant: mycompany
  organization: myorg
spec:
  namespaceSelector:
    names:
    - "*/ns1"
    - "*/ns2"
    - "*/ns3"
  configMode: BRIDGED

And the associated security settings for all proxy workloads in the group

apiVersion: security.tsb.tetrate.io/v2
kind: SecuritySetting
metadata:
  name: defaults
  group: t1
  workspace: w1
  tenant: mycompany
  organization: myorg
spec:
  authenticationSettings:
    trafficMode: REQUIRED
  authorization:
    mode: GROUP

The following example customizes the allowedSources to allow traffic from the namespaces within the group as well as the catalog-sa service account from ns4 namespace.

apiVersion: security.tsb.tetrate.io/v2
kind: SecuritySetting
metadata:
  name: custom
  group: t1
  workspace: w1
  tenant: mycompany
  organization: myorg
spec:
  authenticationSettings:
    trafficMode: REQUIRED
    http:
      rules:
        jwt:
        - issuer: "https://auth.tetrate.io"
          jwksUri: "https://oauth2.auth.tetrate.io/certs"
        - issuer: "https://auth.tetrate.internal"
          jwksUri: "https://oauth2.auth.tetrate.internal/certs"
  authorization:
    mode: CUSTOM
    serviceAccounts:
    - "ns1/*"
    - "ns2/*"
    - "ns3/*"
    - "ns4/catalog-sa"
    http:
      external:
        uri: "https://policy.auth.tetrate.io"
        includeRequestHeaders:
        - authorization

The following example rejects all traffic arriving at workloads from namespaces that belong to security group t1.

apiVersion: security.tsb.tetrate.io/v2
kind: SecuritySetting
metadata:
  name: defaults
  group: t1
  workspace: w1
  tenant: mycompany
  organization: myorg
spec:
  authenticationSettings:
    trafficMode: REQUIRED
  authorization:
    mode: RULES
    rules:
      denyAll: true

The following example accepts all traffic arriving at workloads from namespaces that belong to security group t1. All authenticated requests are accepted because no workload is targeted to be allowed or denied.

apiVersion: security.tsb.tetrate.io/v2
kind: SecuritySetting
metadata:
  name: defaults
  group: t1
  workspace: w1
  tenant: mycompany
  organization: myorg
spec:
  authenticationSettings:
    trafficMode: REQUIRED
  authorization:
    mode: RULES

The following example accepts all traffic arriving at workloads in namespaces that belong to security group t1, except traffic from workloads belonging to workspace w2.

apiVersion: security.tsb.tetrate.io/v2
kind: SecuritySetting
metadata:
  name: defaults
  group: t1
  workspace: w1
  tenant: mycompany
  organization: myorg
spec:
  authenticationSettings:
    trafficMode: REQUIRED
  authorization:
    mode: RULES
    rules:
      deny:
       - from:
           fqn: organizations/myorg/tenants/mycompany/workspaces/w2
         to:
           fqn: organizations/myorg/tenants/mycompany/workspaces/w1/securitygroups/t1

The following example accepts traffic arriving at workloads in namespaces that belong to security group t1 only from workloads belonging to workspace w2. Hence, only authenticated requests to workloads in security group t1 coming from workloads in workspace w2 are accepted. All other requests will be rejected.

apiVersion: security.tsb.tetrate.io/v2
kind: SecuritySetting
metadata:
  name: defaults
  group: t1
  workspace: w1
  tenant: mycompany
  organization: myorg
spec:
  authenticationSettings:
    trafficMode: REQUIRED
  authorization:
    mode: RULES
    rules:
      allow:
       - from:
           fqn: organizations/myorg/tenants/mycompany/workspaces/w2
         to:
           fqn: organizations/myorg/tenants/mycompany/workspaces/w1/securitygroups/t1

The following example uses a combination of allows and denies to show how rules are evaluated. Let's say we have a workspace w3 which contains 3 security groups, sg31, sg32, and sg33. Besides, we also have workspaces w1 and w2. Security group sg31 contains workloads that handle sensitive data, and we want to only accept requests arriving from the same workspace w3 and explicitly reject requests coming from sg32. Hence, only authenticated requests to workloads in security group sg31 coming from workloads in workspace w3 and security group sg31 or sg33 will be accepted. Requests coming from sg32 will be rejected. Moreover, a request coming from any workload that belongs to another workspace (w1 or w2), or to a security group that belongs to another workspace, will also be rejected by default because it is not in the list of allowed resource FQNs.

apiVersion: security.tsb.tetrate.io/v2
kind: SecuritySetting
metadata:
  name: defaults
  group: sg31
  workspace: w3
  tenant: mycompany
  organization: myorg
spec:
  authenticationSettings:
    trafficMode: REQUIRED
  authorization:
    mode: RULES
    rules:
      allow:
       - from:
           fqn: organizations/myorg/tenants/mycompany/workspaces/w3
         to:
           fqn: organizations/myorg/tenants/mycompany/workspaces/w3/securitygroups/sg31
      deny:
       - from:
           fqn: organizations/myorg/tenants/mycompany/workspaces/w3/securitygroups/sg32
         to:
           fqn: organizations/myorg/tenants/mycompany/workspaces/w3/securitygroups/sg31
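
The combined allow/deny example above fixes the evaluation order: a deny on sg32 wins even though sg32 sits inside the allowed workspace w3, and anything outside the allow list is rejected. The following Python is an added example, not TSB's own authorization engine, that models that order over the RULES-mode examples on this page (denyAll, no rules, a single deny, a single allow, and the sg31 rule set), written as the dicts a YAML loader would produce. Two points are assumptions of the example rather than statements from the page: an FQN in a rule covers everything beneath it in the resource hierarchy, and the comparison is per path segment.

```python
# Constructed: the 'authorization' blocks of the RULES-mode examples above,
# written as the dicts a YAML loader would produce. Added example, not TSB's
# own evaluation code.
W1 = "organizations/myorg/tenants/mycompany/workspaces/w1"
W2 = "organizations/myorg/tenants/mycompany/workspaces/w2"
W3 = "organizations/myorg/tenants/mycompany/workspaces/w3"
T1 = W1 + "/securitygroups/t1"
SG31 = W3 + "/securitygroups/sg31"
SG32 = W3 + "/securitygroups/sg32"
SG33 = W3 + "/securitygroups/sg33"

SG31_RULES = {
    "mode": "RULES",
    "rules": {
        "allow": [{"from": {"fqn": W3}, "to": {"fqn": SG31}}],
        "deny": [{"from": {"fqn": SG32}, "to": {"fqn": SG31}}],
    },
}
DENY_W2 = {"mode": "RULES", "rules": {"deny": [{"from": {"fqn": W2}, "to": {"fqn": T1}}]}}
ALLOW_W2 = {"mode": "RULES", "rules": {"allow": [{"from": {"fqn": W2}, "to": {"fqn": T1}}]}}
DENY_ALL = {"mode": "RULES", "rules": {"denyAll": True}}
NO_RULES = {"mode": "RULES"}


def within(resource_fqn: str, scope_fqn: str) -> bool:
    """True when resource_fqn is scope_fqn itself or a descendant of it.

    Assumption: an FQN in a rule covers everything below it, so a workspace
    FQN covers all of its security groups. Comparing per path segment keeps
    'w3' from matching 'w30'.
    """
    resource, scope = resource_fqn.split("/"), scope_fqn.split("/")
    return resource[: len(scope)] == scope


def decide(authorization: dict, source_fqn: str, destination_fqn: str) -> bool:
    """Evaluate an authenticated request from source to destination under RULES mode.

    Order modelled from the examples: denyAll rejects everything; a matching
    deny rule rejects (sg32 is rejected although it sits inside the allowed
    workspace w3); an absent or empty allow list accepts; otherwise the
    request must match an allow rule.
    """
    if authorization.get("mode") != "RULES":
        raise ValueError("only authorization.mode RULES is modelled here")
    rules = authorization.get("rules") or {}
    if rules.get("denyAll"):
        return False

    def hits(rule: dict) -> bool:
        return (within(source_fqn, rule["from"]["fqn"])
                and within(destination_fqn, rule["to"]["fqn"]))

    if any(hits(r) for r in rules.get("deny") or []):
        return False
    allow = rules.get("allow") or []
    if not allow:
        return True
    return any(hits(r) for r in allow)


def decision_table(authorization: dict, sources: list, destination: str) -> dict:
    """Decide a batch of sources against one destination, for reviewing a rule set."""
    return {src: decide(authorization, src, destination) for src in sources}


if __name__ == "__main__":
    table = decision_table(SG31_RULES, [SG31, SG33, SG32, W1 + "/securitygroups/sg11"], SG31)
    for src, ok in table.items():
        print(src, "->", "allow" if ok else "deny")
```

Feeding a candidate rule set and the list of every security group in the tenant to `decision_table` produces the reachability matrix a reviewer wants before the setting is applied; the sg32 row is the one that proves deny precedence is in effect.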

The following example customizes the WAFSettings to enforce Web Application Firewall rules on the sidecars in the namespaces that belong to the SecurityGroup.

Please DO NOT use it in production.

apiVersion: security.tsb.tetrate.io/v2
kind: SecuritySetting
metadata:
  name: defaults
  group: t1
  workspace: w1
  tenant: mycompany
  organization: myorg
spec:
  waf:
    rules:
      - SecRuleEngine ON
      - Include @owasp_crs/*.conf

The following example customizes the Extensions to enable the execution of the WasmExtensions list specified, detailing custom properties for the execution of each extension.

apiVersion: security.tsb.tetrate.io/v2
kind: SecuritySetting
metadata:
  name: defaults
  group: t1
  workspace: w1
  tenant: mycompany
  organization: myorg
spec:
  extension:
  - fqn: hello-world # fqn of imported extensions in TSB
    config:
      foo: bar
object (v2TrafficSetting)

A traffic setting applies configuration to a set of proxy workloads in a traffic group or a workspace. When applied to a traffic group, missing fields will inherit values from the workspace-wide setting if any.

Traffic Settings allow configuring the behavior of the proxy workloads in a set of namespaces owned by a traffic group. Specifically, it allows configuring the dependencies of proxy workloads on namespaces outside the traffic group as well as reliability settings for outbound calls made by the proxy workloads to other services.

This is a global object that uniquely configures the traffic group, and there can be only one traffic setting object defined for each traffic group.

The following example creates a traffic group for the proxy workloads in the ns1, ns2 and ns3 namespaces owned by its parent workspace w1 under tenant mycompany. It then defines a traffic setting for all workloads in these namespaces, adding a dependency on all the services in the shared db namespace, and forwarding all unknown traffic via the egress gateway in the istio-system namespace.

apiVersion: traffic.tsb.tetrate.io/v2
kind: Group
metadata:
  name: t1
  workspace: w1
  tenant: mycompany
  organization: myorg
spec:
  namespaceSelector:
    names:
    - "*/ns1"
    - "*/ns2"
    - "*/ns3"
  configMode: BRIDGED

And the associated traffic settings for the proxy workloads:

apiVersion: traffic.tsb.tetrate.io/v2
kind: TrafficSetting
metadata:
  name: defaults
  group: t1
  workspace: w1
  tenant: mycompany
  organization: myorg
spec:
  outbound:
    reachability:
      mode: CUSTOM
      hosts:
      - "ns1/*"
      - "ns2/*"
      - "ns3/*"
      - "db/*"
    upstreamTrafficSettings:
    - hosts:
      - '*'
      settings:
        resilience:
          circuitBreakerSensitivity: MEDIUM
    egress:
      host: istio-system/istio-egressgateway

To set the load balancing algorithm to ROUND_ROBIN for all outbound requests to the service foo.bar.svc.cluster.local from clients in the t1 traffic group:

apiVersion: traffic.tsb.tetrate.io/v2
kind: TrafficSetting
metadata:
  name: defaults
  group: t1
  workspace: w1
  tenant: mycompany
  organization: myorg
spec:
  outbound:
    upstreamTrafficSettings:
    - hosts:
      - 'foo.bar.svc.cluster.local'
      settings:
        loadBalancer:
          simple: ROUND_ROBIN

upstreamTrafficSettings can be used to configure outbound traffic by grouping a set of upstream hosts that share a setting. In the example below, all outbound requests to hosts matching the wildcard *.ns1.svc.cluster.local use a request timeout of 10s, while hosts matching *.ns2.svc.cluster.local and *.ns3.svc.cluster.local use a request timeout of 5s.

apiVersion: traffic.tsb.tetrate.io/v2
kind: TrafficSetting
metadata:
  name: defaults
  group: t1
  workspace: w1
  tenant: mycompany
  organization: myorg
spec:
  outbound:
    upstreamTrafficSettings:
    - hosts:
      - '*.ns1.svc.cluster.local'
      settings:
        resilience:
          connectionPool:
            http:
              requestTimeout: 10s
    - hosts:
      - '*.ns2.svc.cluster.local'
      - '*.ns3.svc.cluster.local'
      settings:
        resilience:
          connectionPool:
            http:
              requestTimeout: 5s

The following traffic setting confines the reachability of proxy workloads in the traffic group t1 to other namespaces inside the group. The resilience and egress gateway settings will be inherited from the workspace wide traffic setting.

apiVersion: traffic.tsb.tetrate.io/v2
kind: TrafficSetting
metadata:
  name: defaults
  group: t1
  workspace: w1
  tenant: mycompany
  organization: myorg
spec:
  outbound:
    reachability:
      mode: GROUP

The above fields have now been moved into two different sections, inbound and outbound, to allow better control over them. Refer to the example below to configure a traffic setting for all services in traffic group t1 with knobs similar to those explained in the earlier examples:

apiVersion: traffic.tsb.tetrate.io/v2
kind: TrafficSetting
metadata:
  name: defaults
  group: t1
  workspace: w1
  tenant: mycompany
  organization: myorg
spec:
  inbound:
    resilience:
      connectionPool:
        tcp:
          keepAlive:
            idleTime: 300
  outbound:
    reachability:
      mode: GROUP
    upstreamTrafficSettings:
    - hosts:
      - '*.ns1.svc.cluster.local'
      settings:
        resilience:
          connectionPool:
            http:
              requestTimeout: 10s

This traffic setting configuration specifies upstream traffic settings for specific hosts within the client namespace. It is associated with the w1 workspace and the t1 traffic group.

apiVersion: traffic.tsb.tetrate.io/v2
kind: TrafficSetting
metadata:
  name: client-upstream-traffic-setting
  namespace: client
  group: t1
  workspace: w1
  tenant: mycompany
  organization: myorg
spec:
  outbound:
    upstreamTrafficSettings:
    - hosts:
      - 'httpbin.app1.svc.cluster.local'
      - '*.app3.svc.cluster.local'
      - '*.app4.svc.cluster.local'
      settings:
        authentication:
          trafficMode: REQUIRED
    - hosts:
      - '*.app2.svc.cluster.local'
      - 'tetrate.app4.svc.cluster.local'
      settings:
        authentication:
          trafficMode: OPTIONAL

This configuration specifies the authentication requirements for traffic to the following hosts:

  • httpbin.app1.svc.cluster.local requires mTLS authentication.
  • All non-injected services in the app3 namespace require mTLS authentication.
  • All non-injected services in the app4 namespace require mTLS authentication, except tetrate.app4.svc.cluster.local, which is excluded.
  • Authentication enforcement is skipped for all non-injected services in the app2 namespace.
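To show how the host list above resolves for a given destination, here is an added example (not TSB code) that mirrors the client-upstream-traffic-setting YAML as a Python structure and computes the effective trafficMode per host. It assumes, as the bullet list implies, that an exact host entry takes precedence over a wildcard entry, and that a host matched by no entry inherits the parent setting (returned as None).

```python
from typing import Optional

# Constructed mirror of the client-upstream-traffic-setting YAML on this page.
UPSTREAM_TRAFFIC_SETTINGS = [
    {"hosts": ["httpbin.app1.svc.cluster.local",
               "*.app3.svc.cluster.local",
               "*.app4.svc.cluster.local"],
     "settings": {"authentication": {"trafficMode": "REQUIRED"}}},
    {"hosts": ["*.app2.svc.cluster.local",
               "tetrate.app4.svc.cluster.local"],
     "settings": {"authentication": {"trafficMode": "OPTIONAL"}}},
]


def _host_matches(pattern: str, host: str) -> bool:
    """'*.ns.svc.cluster.local' matches any non-empty prefix before the suffix;
    anything else must match the host exactly (assumed matching rule)."""
    if pattern.startswith("*."):
        suffix = pattern[1:]  # e.g. ".app3.svc.cluster.local"
        return host.endswith(suffix) and len(host) > len(suffix)
    return pattern == host


def effective_traffic_mode(host: str, entries=UPSTREAM_TRAFFIC_SETTINGS) -> Optional[str]:
    """Return the authentication.trafficMode applied to traffic for `host`.

    Assumed precedence: exact host > wildcard host; among equal specificity the
    first matching entry wins. None means no entry matched (parent inherited).
    """
    best_mode, best_rank = None, -1
    for entry in entries:
        mode = entry["settings"].get("authentication", {}).get("trafficMode")
        for pattern in entry["hosts"]:
            if not _host_matches(pattern, host):
                continue
            rank = 0 if pattern.startswith("*.") else 1  # exact beats wildcard
            if rank > best_rank:
                best_mode, best_rank = mode, rank
    return best_mode


if __name__ == "__main__":
    for h in ("httpbin.app1.svc.cluster.local", "tetrate.app4.svc.cluster.local",
              "other.app4.svc.cluster.local", "svc.app2.svc.cluster.local",
              "svc.app5.svc.cluster.local"):
        print(f"{h:35} -> {effective_traffic_mode(h)}")
```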
description
string (A description of the resource. $hide_from_yaml)
displayName
string (User friendly name for the resource. $hide_from_yaml)
etag
string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)
object (tsbtypesv2FailoverSettings)

Failover settings for all proxies connecting to a host exposed in this workspace/organization based on the settings definition scope. Note that this is a server side setting.

object (v2HostsReachability)

HostsReachability defines the list of gateway hosts that this workspace can reach. In multicluster deployments, hosts are reachable from all namespaces (*) by default. This is not always necessary, since clients may only be present in a few namespaces; by configuring this, reachability can be limited to the namespaces configured in the workspace. Workspaces with no hosts reachability configuration are considered able to reach all hosts.

Array of objects (tsbtypesv2RegionalFailover)

Locality routing settings for all gateways in the workspace. Overrides any global settings. Please use FailoverSettings instead. If FailoverSettings is set, it takes precedence over this field.

Explicitly specify the region that traffic will land on when endpoints in the local region become unhealthy. Should be used together with OutlierDetection to detect unhealthy endpoints. Note: if no OutlierDetection is specified, this will not take effect.

Responses

Request samples

Content type
application/json
{
  "defaultEastWestGatewaySettings": [],
  "defaultSecuritySetting": {},
  "defaultTrafficSetting": {},
  "description": "string",
  "displayName": "string",
  "etag": "string",
  "failoverSettings": {},
  "hostsReachability": {},
  "regionalFailover": []
}

Response samples

Content type
application/json
{
  "fqn": "string",
  "displayName": "string",
  "etag": "string",
  "description": "string",
  "defaultSecuritySetting": {},
  "defaultTrafficSetting": {},
  "regionalFailover": [],
  "defaultEastWestGatewaySettings": [],
  "hostsReachability": {},
  "failoverSettings": {}
}

Delete the given workspace settings.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

setting
required
string

Setting name.

Responses

Response samples

Content type
application/json
{ }