Skip to main content

Tetrate Service Bridge API (1.9.x)

Download OpenAPI specification:Download

Tetrate Service Bridge API.

OAuth

OIDC

Callback endpoint for OAuth2 Authorization Code grant flows as part of the OIDC spec.

query Parameters
code
string

OAuth2 Authorization Code. When present this indicates the user authorized the request. TSB will use this code to acquire a token from the OIDC token endpoint and complete the login flow.

error
string

OAuth2 Error Code. When present this indicates that either the authorization request has an error, the OIDC provider encountered an error or the user failed to log in. When set TSB will display information to the user indicating what went wrong.

Standard error codes can be found found here. https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.2.1 https://openid.net/specs/openid-connect-core-1_0.html#AuthError

state
required
string

The state parameter sent to the OIDC provider on the authorization request.

errorDescription
string

Optional error description sent by the OIDC provider when an error occurs.

errorUri
string

Optional error URI of a web page that includes additional information about the error.

Responses

Response samples

Content type
application/json
{ }

Login endpoint to start an OIDC Authentication flow.

query Parameters
redirectUri
string

URl where the user will be redirected when the authentication flow completes.

Responses

Response samples

Content type
application/json
{ }

Applications

List all existing applications for the given tenant.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

Responses

Response samples

Content type
application/json
{
  • "applications": [
    ]
}

Creates a new Application in TSB.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

Request Body schema: application/json
required
required
object (v2Application)

An Application represents a set of logical groupings of services that are related to each other and expose a set of APIs that implement a complete set of business logic.

name
required
string

The short name for the resource to be created.

Responses

Request samples

Content type
application/json
{
  • "application": {
    },
  • "name": "string"
}

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "displayName": "string",
  • "etag": "string",
  • "description": "string",
  • "workspace": "string",
  • "namespaceSelector": {
    },
  • "gatewayGroup": "string",
  • "services": [
    ],
  • "configResources": [
    ]
}

Get the details of an existing application.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

application
required
string

Application name.

Responses

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "displayName": "string",
  • "etag": "string",
  • "description": "string",
  • "workspace": "string",
  • "namespaceSelector": {
    },
  • "gatewayGroup": "string",
  • "services": [
    ],
  • "configResources": [
    ]
}

Modify an existing application.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

application
required
string

Application name.

Request Body schema: application/json
required
description
string (A description of the resource. $hide_from_yaml)
displayName
string (User friendly name for the resource. $hide_from_yaml)
etag
string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)
gatewayGroup
string

Optional FQN of the Gateway Group to be used by the application. If configured, this gateway group will be used by the application. If no namespaces are configured and no existing gateway group is set, a new gateway group claiming all namespaces in the workspace (*/*) will be created by default. All Ingress Gateway resources created for the APIs attached to the application will be created in the application's gateway group.

object (`NamespaceSelector` selects a set of namespaces across one or more clusters in a tenant. Namespace selectors can be used at Workspace level to carve out a chunk of resources under a tenant into an isolated configuration domain. They can be used in a Traffic, Security, or a Gateway group to further scope the set of namespaces that will belong to a specific configuration group. Names in namespaces selector must be in the form `cluster/namespace` where: - cluster must be a cluster name or an `*` to mean all clusters - namespace must be a namespace name, an `*` to mean all namespaces or a prefix like `ns-*` to mean all those namespaces starting by `ns-`)
services
Array of strings

Optional list of services that are part of the application. This is a list of FQNs of services in the service registry. If omitted, the application is assumed to own all the services in the workspace. Note that a service can only be part of one application. If any of the services in the list is already in use by an existing application, application creation/modification will fail. If the list of services is not explicitly set and any service in the workspace is already in use by another application, application creation/modification will fail.

workspace
required
string

FQN of the workspace this application is part of. The application will configure IngressGateways for the attached APIs in the different namespaces exposed by this workspace.

Responses

Request samples

Content type
application/json
{
  • "description": "string",
  • "displayName": "string",
  • "etag": "string",
  • "gatewayGroup": "string",
  • "namespaceSelector": {
    },
  • "services": [
    ],
  • "workspace": "string"
}

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "displayName": "string",
  • "etag": "string",
  • "description": "string",
  • "workspace": "string",
  • "namespaceSelector": {
    },
  • "gatewayGroup": "string",
  • "services": [
    ],
  • "configResources": [
    ]
}

Delete an existing Application. Note that deleting resources in TSB is a recursive operation. Deleting a application will delete all API objects that exist in it.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

application
required
string

Application name.

query Parameters
forceDeleteProtectedGroups
boolean

Force the deletion of internal groups even if they are protected against deletion.

Responses

Response samples

Content type
application/json
{ }

List all APIs attached to the given application.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

application
required
string

Application name.

Responses

Response samples

Content type
application/json
{
  • "apis": [
    ]
}

Attach a new API to the given application.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

application
required
string

Application name.

Request Body schema: application/json
required
required
object (v2API)

An API configuring a set of servers and endpoints that expose the Application business logic.

name
required
string

The short name for the resource to be created.

Responses

Request samples

Content type
application/json
{
  • "api": {
    },
  • "name": "string"
}

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "displayName": "string",
  • "etag": "string",
  • "description": "string",
  • "openapi": "string",
  • "workloadSelector": {
    },
  • "servers": [
    ],
  • "endpoints": [
    ],
  • "configResources": [
    ],
  • "httpServers": [
    ]
}

Get the details of an API.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

application
required
string

Application name.

api
required
string

Api name.

Responses

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "displayName": "string",
  • "etag": "string",
  • "description": "string",
  • "openapi": "string",
  • "workloadSelector": {
    },
  • "servers": [
    ],
  • "endpoints": [
    ],
  • "configResources": [
    ],
  • "httpServers": [
    ]
}

Delete an existing API.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

application
required
string

Application name.

api
required
string

Api name.

Responses

Response samples

Content type
application/json
{ }

WasmExtensions

List the WASM extensions that are defined for the Organization.

path Parameters
organization
required
string

Organization name.

Responses

Response samples

Content type
application/json
{
  • "extensions": [
    ]
}

Creates a new WasmExtension object in TSB. This is needed to let the extensions run. Once a WasmExtension has been created, it can be assigned to IngressGateway and SecuritySetting. This method returns the created extension.

path Parameters
organization
required
string

Organization name.

Request Body schema: application/json
required
name
required
string

The short name for the resource to be created.

required
object (v2WasmExtension)

Responses

Request samples

Content type
application/json
{
  • "name": "string",
  • "wasmExtension": {
    }
}

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "displayName": "string",
  • "etag": "string",
  • "description": "string",
  • "allowedIn": [
    ],
  • "image": "string",
  • "source": "string",
  • "phase": "UNSPECIFIED_PHASE",
  • "priority": 0,
  • "config": { },
  • "imagePullPolicy": "UNSPECIFIED_POLICY",
  • "imagePullSecret": "string",
  • "vmConfig": {
    },
  • "url": "string",
  • "match": {
    }
}

Get a WASM extension

path Parameters
organization
required
string

Organization name.

extension
required
string

Extension name.

Responses

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "displayName": "string",
  • "etag": "string",
  • "description": "string",
  • "allowedIn": [
    ],
  • "image": "string",
  • "source": "string",
  • "phase": "UNSPECIFIED_PHASE",
  • "priority": 0,
  • "config": { },
  • "imagePullPolicy": "UNSPECIFIED_POLICY",
  • "imagePullSecret": "string",
  • "vmConfig": {
    },
  • "url": "string",
  • "match": {
    }
}

Modify an existing WasmExtension. When modifying the details of an extension in use, such as the image property, enabled flag, phase, or default configuration, a redeploy or reconfiguration of the extension may be triggered, affecting live traffic in all those places that reference the extension. Similarly, changes to the allowed_in property may trigger the removal of the extension from all places where the extension was in use that are not allowed to use it anymore, affecting live traffic on the relevant namespaces as well.

path Parameters
organization
required
string

Organization name.

extension
required
string

Extension name.

Request Body schema: application/json
required
allowedIn
Array of strings

List of fqns where this extension is allowed to run. If it is empty, the extension can be used across the entire organization. Currently only Tenant resources are considered.

config
object

Configuration parameters sent to the WASM plugin execution The configuration can be overwritten when instantiating the extensions in IngressGateways or Security groups. The config is serialized using proto3 JSON marshaling and passed to proxy_on_configure when the host environment starts the plugin.

description
string (A description of the extension. $hide_from_yaml)
displayName
string (User friendly name for the extension. $hide_from_yaml)
etag
string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)
image
string

Deprecated. Use the url field instead. Repository and tag of the OCI image containing the WASM extension.

imagePullPolicy
string (WasmExtensionPullPolicy)
Default: "UNSPECIFIED_POLICY"
Enum: "UNSPECIFIED_POLICY" "IfNotPresent" "Always"

The pull behaviour to be applied when fetching a WASM module, mirroring K8s behaviour.

  • UNSPECIFIED_POLICY: Defaults to IfNotPresent, except for OCI images with tag latest, for which the default will be Always.
  • IfNotPresent: If an existing version of the image has been pulled before, that will be used. If no version of the image is present locally, we will pull the latest version.
  • Always: We will always pull the latest version of an image when changing this plugin. Note that the change includes metadata field as well.
imagePullSecret
string

Credentials to use for OCI image pulling. Name of a K8s Secret that contains a docker pull secret which is to be used to authenticate against the registry when pulling the image. If TSB is configured to use the WASM download proxy, this secret must exist in the istio-system namespace of each cluster that has applications that use the extension. If the downlaod proxy is disabled, the secret must exist in each application namespace that is using the extension.

object (v2GlobalTrafficSelector)

GlobalTrafficSelector provides a mechanism to select a specific traffic flow for which this Wasm Extension will be enabled. This setting applies to all WASM Extension attachments. These selectors can be overridden at attachments. When all the sub conditions in the TrafficSelector are satisfied, the traffic will be selected.

phase
string (Plugin phases following Istio definition: https://istio.io/latest/docs/reference/config/proxy_extensions/wasm-plugin/#PluginPhase)
Default: "UNSPECIFIED_PHASE"
Enum: "UNSPECIFIED_PHASE" "AUTHN" "AUTHZ" "STATS"
  • UNSPECIFIED_PHASE: Control plane decides where to insert the plugin. This will generally be at the end of the filter chain, right before the Router. Do not specify PluginPhase if the plugin is independent of others.
  • AUTHN: Insert plugin before Istio authentication filters.
  • AUTHZ: Insert plugin before Istio authorization filters and after Istio authentication filters.
  • STATS: Insert plugin before Istio stats filters and after Istio authorization filters.
priority
integer <int32>

Determines the ordering of WasmExtensions in the same phase. When multiple WasmExtensions are applied to the same workload in the same phase, they will be applied by priority, in descending order. If no priority is assigned it will use the default 0 value. In case of several extensions having the same priority in the same phase, the fqn will be used to sort them.

source
string (Source to find the code for the WASM extension)
url
required
string

URL of a Wasm module or OCI container. If no scheme is present, defaults to oci://, referencing an OCI image. Other valid schemes are file:// for referencing .wasm module files present locally within the proxy container, and http[s]:// for .wasm module files hosted remotely.

object (v2VmConfig)

Configuration for a Wasm VM. more details can be found here.

Responses

Request samples

Content type
application/json
{
  • "allowedIn": [
    ],
  • "config": { },
  • "description": "string",
  • "displayName": "string",
  • "etag": "string",
  • "image": "string",
  • "imagePullPolicy": "UNSPECIFIED_POLICY",
  • "imagePullSecret": "string",
  • "match": {
    },
  • "phase": "UNSPECIFIED_PHASE",
  • "priority": 0,
  • "source": "string",
  • "url": "string",
  • "vmConfig": {
    }
}

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "displayName": "string",
  • "etag": "string",
  • "description": "string",
  • "allowedIn": [
    ],
  • "image": "string",
  • "source": "string",
  • "phase": "UNSPECIFIED_PHASE",
  • "priority": 0,
  • "config": { },
  • "imagePullPolicy": "UNSPECIFIED_POLICY",
  • "imagePullSecret": "string",
  • "vmConfig": {
    },
  • "url": "string",
  • "match": {
    }
}

Delete a WasmExtension. Note that deleting a WasmExtension will delete the extension itself, and also its assignments to IngressGateway and SecuritySetting.

path Parameters
organization
required
string

Organization name.

extension
required
string

Extension name.

Responses

Response samples

Content type
application/json
{ }

Gateways

List all gateway groups that exist in the workspace.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

Responses

Response samples

Content type
application/json
{
  • "groups": [
    ]
}

Create a new gateway group in the given workspace.

Groups will by default configure all the namespaces owned by their workspace, unless explicitly configured. If a specific set of namespaces is set for the group, it must be a subset of the namespaces defined by its workspace.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

Request Body schema: application/json
required
required
object (v2Group)

A gateway group manages the gateways in a group of namespaces owned by the parent workspace.

name
required
string

The short name for the resource to be created.

Responses

Request samples

Content type
application/json
{
  • "group": {
    },
  • "name": "string"
}

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "displayName": "string",
  • "etag": "string",
  • "description": "string",
  • "namespaceSelector": {
    },
  • "configMode": "BRIDGED",
  • "deletionProtectionEnabled": true,
  • "configGenerationMetadata": {
    }
}

Get the details of the given gateway group.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

gatewaygroup
required
string

Gatewaygroup name.

Responses

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "displayName": "string",
  • "etag": "string",
  • "description": "string",
  • "namespaceSelector": {
    },
  • "configMode": "BRIDGED",
  • "deletionProtectionEnabled": true,
  • "configGenerationMetadata": {
    }
}

update the given gateway group.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

gatewaygroup
required
string

Gatewaygroup name.

Request Body schema: application/json
required
object (v2ConfigGenerationMetadata)

ConfigGenerationMetadata allows to setup extra metadata that will be added in the final Istio generated configurations. Like new labels or annotations. Defining the config generation metadata in tenancy resources (like organization, tenant, workspace or groups) works as default values for those configs that belong to it. Defining same config generation metadata in configuration resources (like ingress gateways, service routes, etc.) will replace the ones defined in the tenancy resources.

configMode
string (v2ConfigMode)
Default: "BRIDGED"
Enum: "BRIDGED" "DIRECT"

The configuration mode used by a traffic, security or a gateway group.

  • BRIDGED: Indicates that the configurations to be added to the group will use macro APIs that automatically generate Istio APIs under the hood.
  • DIRECT: Indicates that the configurations to be added to the group will directly use Istio APIs.
deletionProtectionEnabled
boolean

When set, prevents the resource from being deleted. In order to delete the resource this property needs to be set to false first.

description
string (A description of the resource. $hide_from_yaml)
displayName
string (User friendly name for the resource. $hide_from_yaml)
etag
string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)
required
object (`NamespaceSelector` selects a set of namespaces across one or more clusters in a tenant. Namespace selectors can be used at Workspace level to carve out a chunk of resources under a tenant into an isolated configuration domain. They can be used in a Traffic, Security, or a Gateway group to further scope the set of namespaces that will belong to a specific configuration group. Names in namespaces selector must be in the form `cluster/namespace` where: - cluster must be a cluster name or an `*` to mean all clusters - namespace must be a namespace name, an `*` to mean all namespaces or a prefix like `ns-*` to mean all those namespaces starting by `ns-`)

Responses

Request samples

Content type
application/json
{
  • "configGenerationMetadata": {
    },
  • "configMode": "BRIDGED",
  • "deletionProtectionEnabled": true,
  • "description": "string",
  • "displayName": "string",
  • "etag": "string",
  • "namespaceSelector": {
    }
}

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "displayName": "string",
  • "etag": "string",
  • "description": "string",
  • "namespaceSelector": {
    },
  • "configMode": "BRIDGED",
  • "deletionProtectionEnabled": true,
  • "configGenerationMetadata": {
    }
}

Delete the given gateway group. Note that deleting resources in TSB is a recursive operation. Deleting a gateway group will delete all configuration objects that exist in it.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

gatewaygroup
required
string

Gatewaygroup name.

query Parameters
force
boolean

Force the deletion of the object even if deletion protection is enabled. If this is set, then the object and all its children will be deleted even if any of them has the deletion protection enabled.

Responses

Response samples

Content type
application/json
{ }

List all Egress Gateway objects in the gateway group.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

gatewaygroup
required
string

Gatewaygroup name.

Responses

Response samples

Content type
application/json
{
  • "egressGateways": [
    ]
}

Create an Egress Gateway object in the gateway group.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

gatewaygroup
required
string

Gatewaygroup name.

Request Body schema: application/json
required
required
object (v2EgressGateway)

EgressGateway configures a workload to act as an egress gateway in the mesh.

-->

name
required
string

The short name for the resource to be created.

Responses

Request samples

Content type
application/json
{
  • "egressGateway": {
    },
  • "name": "string"
}

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "displayName": "string",
  • "etag": "string",
  • "description": "string",
  • "workloadSelector": {
    },
  • "authorization": [
    ],
  • "extension": [
    ],
  • "configGenerationMetadata": {
    }
}

Get the details of the given Egress Gateway object.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

gatewaygroup
required
string

Gatewaygroup name.

egressgateway
required
string

Egressgateway name.

Responses

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "displayName": "string",
  • "etag": "string",
  • "description": "string",
  • "workloadSelector": {
    },
  • "authorization": [
    ],
  • "extension": [
    ],
  • "configGenerationMetadata": {
    }
}

Modify the given Egress Gateway object.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

gatewaygroup
required
string

Gatewaygroup name.

egressgateway
required
string

Egressgateway name.

Request Body schema: application/json
required
Array of objects (EgressAuthorization is used to dictate which service accounts can access a set of external hosts)

The description of which service accounts can access which hosts. If the list of authorization rules is empty, this egress gateway will deny all traffic.

object (v2ConfigGenerationMetadata)

ConfigGenerationMetadata allows to setup extra metadata that will be added in the final Istio generated configurations. Like new labels or annotations. Defining the config generation metadata in tenancy resources (like organization, tenant, workspace or groups) works as default values for those configs that belong to it. Defining same config generation metadata in configuration resources (like ingress gateways, service routes, etc.) will replace the ones defined in the tenancy resources.

description
string (A description of the resource. $hide_from_yaml)
displayName
string (User friendly name for the resource. $hide_from_yaml)
etag
string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)
Array of objects (v2WasmExtensionAttachment)

Extensions specifies all the WasmExtensions assigned to this EgressGateway with the specific configuration for each extension. This custom configuration will override the one configured globally to the extension. Each extension has a global configuration including enablement and priority that will condition the execution of the assigned extensions.

required
object (v2WorkloadSelector)

WorkloadSelector selects one or more workloads in a namespace. WorkloadSelector can be used in TrafficSetting, SecuritySetting, and Gateway APIs in BRIDGED mode to scope the configuration to a specific set of workloads.

Responses

Request samples

Content type
application/json
{
  • "authorization": [
    ],
  • "configGenerationMetadata": {
    },
  • "description": "string",
  • "displayName": "string",
  • "etag": "string",
  • "extension": [
    ],
  • "workloadSelector": {
    }
}

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "displayName": "string",
  • "etag": "string",
  • "description": "string",
  • "workloadSelector": {
    },
  • "authorization": [
    ],
  • "extension": [
    ],
  • "configGenerationMetadata": {
    }
}

Delete the given Egress Gateway object.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

gatewaygroup
required
string

Gatewaygroup name.

egressgateway
required
string

Egressgateway name.

Responses

Response samples

Content type
application/json
{ }

List all Ingress Gateway objects in the gateway group.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

gatewaygroup
required
string

Gatewaygroup name.

Responses

Response samples

Content type
application/json
{
  • "ingressGateways": [
    ]
}

Create an Ingress Gateway object in the gateway group.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

gatewaygroup
required
string

Gatewaygroup name.

Request Body schema: application/json
required
required
object (v2IngressGateway)

IngressGateway configures a workload to act as an ingress gateway into the mesh.

name
required
string

The short name for the resource to be created.

Responses

Request samples

Content type
application/json
{
  • "ingressGateway": {
    },
  • "name": "string"
}

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "displayName": "string",
  • "etag": "string",
  • "description": "string",
  • "workloadSelector": {
    },
  • "http": [
    ],
  • "tlsPassthrough": [
    ],
  • "tcp": [
    ],
  • "extension": [
    ],
  • "waf": {
    },
  • "configGenerationMetadata": {
    }
}

Get the details of the given Ingress Gateway object.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

gatewaygroup
required
string

Gatewaygroup name.

ingressgateway
required
string

Ingressgateway name.

Responses

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "displayName": "string",
  • "etag": "string",
  • "description": "string",
  • "workloadSelector": {
    },
  • "http": [
    ],
  • "tlsPassthrough": [
    ],
  • "tcp": [
    ],
  • "extension": [
    ],
  • "waf": {
    },
  • "configGenerationMetadata": {
    }
}

Modify the given Ingress Gateway object.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

gatewaygroup
required
string

Gatewaygroup name.

ingressgateway
required
string

Ingressgateway name.

Request Body schema: application/json
required
object (v2ConfigGenerationMetadata)

ConfigGenerationMetadata allows to setup extra metadata that will be added in the final Istio generated configurations. Like new labels or annotations. Defining the config generation metadata in tenancy resources (like organization, tenant, workspace or groups) works as default values for those configs that belong to it. Defining same config generation metadata in configuration resources (like ingress gateways, service routes, etc.) will replace the ones defined in the tenancy resources.

description
string (A description of the resource. $hide_from_yaml)
displayName
string (User friendly name for the resource. $hide_from_yaml)
etag
string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)
Array of objects (v2WasmExtensionAttachment)

Extensions specifies all the WasmExtensions assigned to this IngressGateway with the specific configuration for each extension. This custom configuration will override the one configured globally to the extension. Each extension has a global configuration including enablement and priority that will condition the execution of the assigned extensions.

Array of objects (v2HttpServer)

One or more HTTP or HTTPS servers exposed by the gateway. The server exposes configuration for TLS termination, request authentication/authorization, HTTP routing, etc.

Array of objects (One or more non-HTTP and non-passthrough servers which use TCP based protocols. This server also exposes configuration for terminating TLS)
Array of objects (v2TLSPassthroughServer)

One or more TLS servers exposed by the gateway. The server does not terminate TLS and exposes config for SNI based routing.

object (WAFSettings configure WAF based on seclang See https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual-%28v3.x%29#Configuration_Directives)
required
object (v2WorkloadSelector)

WorkloadSelector selects one or more workloads in a namespace. WorkloadSelector can be used in TrafficSetting, SecuritySetting, and Gateway APIs in BRIDGED mode to scope the configuration to a specific set of workloads.

Responses

Request samples

Content type
application/json
{
  • "configGenerationMetadata": {
    },
  • "description": "string",
  • "displayName": "string",
  • "etag": "string",
  • "extension": [
    ],
  • "http": [
    ],
  • "tcp": [
    ],
  • "tlsPassthrough": [
    ],
  • "waf": {
    },
  • "workloadSelector": {
    }
}

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "displayName": "string",
  • "etag": "string",
  • "description": "string",
  • "workloadSelector": {
    },
  • "http": [
    ],
  • "tlsPassthrough": [
    ],
  • "tcp": [
    ],
  • "extension": [
    ],
  • "waf": {
    },
  • "configGenerationMetadata": {
    }
}

Delete the given Ingress Gateway object.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

gatewaygroup
required
string

Gatewaygroup name.

ingressgateway
required
string

Ingressgateway name.

Responses

Response samples

Content type
application/json
{ }

List all Tier1 Gateway objects that have been created in the gateway group.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

gatewaygroup
required
string

Gatewaygroup name.

Responses

Response samples

Content type
application/json
{
  • "tier1Gateways": [
    ]
}

Create a Tier1 Gateway object in the gateway group.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

gatewaygroup
required
string

Gatewaygroup name.

Request Body schema: application/json
required
name
required
string

The short name for the resource to be created.

required
object (v2Tier1Gateway)

Tier1Gateway configures a workload to act as a tier1 gateway into the mesh.

Responses

Request samples

Content type
application/json
{
  • "name": "string",
  • "tier1Gateway": {
    }
}

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "displayName": "string",
  • "etag": "string",
  • "description": "string",
  • "workloadSelector": {
    },
  • "externalServers": [
    ],
  • "internalServers": [
    ],
  • "passthroughServers": [
    ],
  • "tcpExternalServers": [
    ],
  • "tcpInternalServers": [
    ],
  • "extension": [
    ],
  • "waf": {
    },
  • "configGenerationMetadata": {
    }
}

get the details of the given Tier1 Gateway object.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

gatewaygroup
required
string

Gatewaygroup name.

tier1gateway
required
string

Tier1gateway name.

Responses

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "displayName": "string",
  • "etag": "string",
  • "description": "string",
  • "workloadSelector": {
    },
  • "externalServers": [
    ],
  • "internalServers": [
    ],
  • "passthroughServers": [
    ],
  • "tcpExternalServers": [
    ],
  • "tcpInternalServers": [
    ],
  • "extension": [
    ],
  • "waf": {
    },
  • "configGenerationMetadata": {
    }
}

Gateways_UpdateTier1Gateway

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

gatewaygroup
required
string

Gatewaygroup name.

tier1gateway
required
string

Tier1gateway name.

Request Body schema: application/json
required
object (v2ConfigGenerationMetadata)

ConfigGenerationMetadata allows to setup extra metadata that will be added in the final Istio generated configurations. Like new labels or annotations. Defining the config generation metadata in tenancy resources (like organization, tenant, workspace or groups) works as default values for those configs that belong to it. Defining same config generation metadata in configuration resources (like ingress gateways, service routes, etc.) will replace the ones defined in the tenancy resources.

description
string (A description of the resource. $hide_from_yaml)
displayName
string (User friendly name for the resource. $hide_from_yaml)
etag
string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)
Array of objects (v2WasmExtensionAttachment)

Extensions specifies all the WasmExtensions assigned to this Tier1Gateway with the specific configuration for each extension. This custom configuration will override the one configured globally to the extension. Each extension has a global configuration including enablement and priority that will condition the execution of the assigned extensions.

Array of objects (v2Tier1ExternalServer)

One or more servers exposed by the gateway externally.

Array of objects (v2Tier1InternalServer)

One or more servers exposed by the gateway internally for cross cluster forwarding.

Array of objects (v2Tier1PassthroughServer)

One or more tls passthrough servers exposed by the gateway externally.

Array of objects (v2Tier1TCPExternalServer)

One or more tcp servers exposed by the gateway externally.

Array of objects (v2Tier1TCPInternalServer)

One or more tcp servers exposed by the gateway for mesh internal traffic.

object (WAFSettings configure WAF based on seclang See https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual-%28v3.x%29#Configuration_Directives)
required
object (v2WorkloadSelector)

WorkloadSelector selects one or more workloads in a namespace. WorkloadSelector can be used in TrafficSetting, SecuritySetting, and Gateway APIs in BRIDGED mode to scope the configuration to a specific set of workloads.

Responses

Request samples

Content type
application/json
{
  • "configGenerationMetadata": {
    },
  • "description": "string",
  • "displayName": "string",
  • "etag": "string",
  • "extension": [
    ],
  • "externalServers": [
    ],
  • "internalServers": [
    ],
  • "passthroughServers": [
    ],
  • "tcpExternalServers": [
    ],
  • "tcpInternalServers": [
    ],
  • "waf": {
    },
  • "workloadSelector": {
    }
}

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "displayName": "string",
  • "etag": "string",
  • "description": "string",
  • "workloadSelector": {
    },
  • "externalServers": [
    ],
  • "internalServers": [
    ],
  • "passthroughServers": [
    ],
  • "tcpExternalServers": [
    ],
  • "tcpInternalServers": [
    ],
  • "extension": [
    ],
  • "waf": {
    },
  • "configGenerationMetadata": {
    }
}

Delete the given Tier1 Gateway object.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

gatewaygroup
required
string

Gatewaygroup name.

tier1gateway
required
string

Tier1gateway name.

Responses

Response samples

Content type
application/json
{ }

List all Gateway objects in the gateway group.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

gatewaygroup
required
string

Gatewaygroup name.

Responses

Response samples

Content type
application/json
{
  • "gateways": [
    ]
}

Create a Gateway object in the gateway group.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

gatewaygroup
required
string

Gatewaygroup name.

Request Body schema: application/json
required
required
object (v2Gateway)

The Gateway configuration combines the functionalities of both the existing Tier1Gateway and IngressGateway, providing a unified approach for configuring a workload as a gateway in the mesh.

Each server within the Gateway is configured to route requests to either destination clusters or services, but configuring one server to route requests to a destination cluster and another server to route requests to a service is not supported.

To ensure consistency and compatibility, the Gateway configuration requires that all servers within the gateway either forward traffic to other clusters, similar to a Tier1Gateway, or route traffic to specific services, similar to an IngressGateway.

name
required
string

The short name for the resource to be created.

Responses

Request samples

Content type
application/json
{
  • "gateway": {
    },
  • "name": "string"
}

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "displayName": "string",
  • "etag": "string",
  • "description": "string",
  • "workloadSelector": {
    },
  • "http": [
    ],
  • "tls": [
    ],
  • "tcp": [
    ],
  • "wasmPlugins": [
    ],
  • "waf": {
    },
  • "egressAuthorization": [
    ],
  • "configGenerationMetadata": {
    }
}

Get the details of the given Gateway object.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

gatewaygroup
required
string

Gatewaygroup name.

unifiedgateway
required
string

Unifiedgateway name.

Responses

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "displayName": "string",
  • "etag": "string",
  • "description": "string",
  • "workloadSelector": {
    },
  • "http": [
    ],
  • "tls": [
    ],
  • "tcp": [
    ],
  • "wasmPlugins": [
    ],
  • "waf": {
    },
  • "egressAuthorization": [
    ],
  • "configGenerationMetadata": {
    }
}

Modify the given Gateway object.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

gatewaygroup
required
string

Gatewaygroup name.

unifiedgateway
required
string

Unifiedgateway name.

Request Body schema: application/json
required
object (v2ConfigGenerationMetadata)

ConfigGenerationMetadata allows to setup extra metadata that will be added in the final Istio generated configurations. Like new labels or annotations. Defining the config generation metadata in tenancy resources (like organization, tenant, workspace or groups) works as default values for those configs that belong to it. Defining same config generation metadata in configuration resources (like ingress gateways, service routes, etc.) will replace the ones defined in the tenancy resources.

description
string (A description of the resource. $hide_from_yaml)
displayName
string (User friendly name for the resource. $hide_from_yaml)
Array of objects (v2EgressAuthorizationSettings)

External services are onboarded into the mesh via service entry, and these services are exposed on the Gateway for egress access. By default, access is denied for these hosts. Users can configure EgressAuthorizationSettings to specify which service accounts are allowed.

etag
string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)
Array of objects (v2HTTP)

One or more HTTP or HTTPS servers exposed by the gateway. The server exposes configuration for TLS termination, request authentication/authorization, HTTP routing, rate limiting, etc.

Array of objects (v2TCP)

One or more non-HTTP and non-passthrough servers which use TCP based protocols. This server also exposes configuration for terminating TLS.

Array of objects (v2TLS)

One or more TLS servers exposed by the gateway. The server does not terminate TLS and exposes config for SNI based routing.

object (WAFSettings configure WAF based on seclang See https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual-%28v3.x%29#Configuration_Directives)
Array of objects (v2WasmExtensionAttachment)

WasmPlugins specifies all the WasmExtensionAttachment assigned to this Gateway with the specific configuration for each plugin. This custom configuration will override the one configured globally to the plugin. Each plugin has a global configuration including priority that will condition the execution of the assigned plugins.

required
object (v2WorkloadSelector)

WorkloadSelector selects one or more workloads in a namespace. WorkloadSelector can be used in TrafficSetting, SecuritySetting, and Gateway APIs in BRIDGED mode to scope the configuration to a specific set of workloads.

Responses

Request samples

Content type
application/json
{
  • "configGenerationMetadata": {
    },
  • "description": "string",
  • "displayName": "string",
  • "egressAuthorization": [
    ],
  • "etag": "string",
  • "http": [
    ],
  • "tcp": [
    ],
  • "tls": [
    ],
  • "waf": {
    },
  • "wasmPlugins": [
    ],
  • "workloadSelector": {
    }
}

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "displayName": "string",
  • "etag": "string",
  • "description": "string",
  • "workloadSelector": {
    },
  • "http": [
    ],
  • "tls": [
    ],
  • "tcp": [
    ],
  • "wasmPlugins": [
    ],
  • "waf": {
    },
  • "egressAuthorization": [
    ],
  • "configGenerationMetadata": {
    }
}

Delete the given Gateway object.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

gatewaygroup
required
string

Gatewaygroup name.

unifiedgateway
required
string

Unifiedgateway name.

Responses

Response samples

Content type
application/json
{ }

IstioInternal

List all Istio internal groups in the given workspace.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

Responses

Response samples

Content type
application/json
{
  • "groups": [
    ]
}

Create a new Istio internal group in the given workspace.

Groups will by default configure all the namespaces owned by their workspace, unless explicitly configured. If a specific set of namespaces is set for the group, it must be a subset of the namespaces defined by its workspace.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

Request Body schema: application/json
required
required
object (v2Group)

A gateway group manages the gateways in a group of namespaces owned by the parent workspace.

name
required
string

The short name for the resource to be created.

Responses

Request samples

Content type
application/json
{
  • "group": {
    },
  • "name": "string"
}

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "displayName": "string",
  • "etag": "string",
  • "description": "string",
  • "namespaceSelector": {
    },
  • "configMode": "BRIDGED",
  • "deletionProtectionEnabled": true,
  • "configGenerationMetadata": {
    }
}

Get the details of the given Istio internal group.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

istiointernalgroup
required
string

Istiointernalgroup name.

Responses

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "displayName": "string",
  • "etag": "string",
  • "description": "string",
  • "namespaceSelector": {
    },
  • "configMode": "BRIDGED",
  • "deletionProtectionEnabled": true,
  • "configGenerationMetadata": {
    }
}

Modify a Istio internal group.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

istiointernalgroup
required
string

Istiointernalgroup name.

Request Body schema: application/json
required
object (v2ConfigGenerationMetadata)

ConfigGenerationMetadata allows to setup extra metadata that will be added in the final Istio generated configurations. Like new labels or annotations. Defining the config generation metadata in tenancy resources (like organization, tenant, workspace or groups) works as default values for those configs that belong to it. Defining same config generation metadata in configuration resources (like ingress gateways, service routes, etc.) will replace the ones defined in the tenancy resources.

deletionProtectionEnabled
boolean

When set, prevents the resource from being deleted. In order to delete the resource this property needs to be set to false first.

description
string (A description of the resource. $hide_from_yaml)
displayName
string (User friendly name for the resource. $hide_from_yaml)
etag
string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)
required
object (`NamespaceSelector` selects a set of namespaces across one or more clusters in a tenant. Namespace selectors can be used at Workspace level to carve out a chunk of resources under a tenant into an isolated configuration domain. They can be used in a Traffic, Security, or a Gateway group to further scope the set of namespaces that will belong to a specific configuration group. Names in namespaces selector must be in the form `cluster/namespace` where: - cluster must be a cluster name or an `*` to mean all clusters - namespace must be a namespace name, an `*` to mean all namespaces or a prefix like `ns-*` to mean all those namespaces starting by `ns-`)

Responses

Request samples

Content type
application/json
{
  • "configGenerationMetadata": {
    },
  • "deletionProtectionEnabled": true,
  • "description": "string",
  • "displayName": "string",
  • "etag": "string",
  • "namespaceSelector": {
    }
}

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "displayName": "string",
  • "etag": "string",
  • "description": "string",
  • "namespaceSelector": {
    },
  • "configMode": "BRIDGED",
  • "deletionProtectionEnabled": true,
  • "configGenerationMetadata": {
    }
}

Delete the given Istio internal group. Note that deleting resources in TSB is a recursive operation. Deleting a Istio internal group will delete all configuration objects that exist in it.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

istiointernalgroup
required
string

Istiointernalgroup name.

query Parameters
force
boolean

Force the deletion of the object even if deletion protection is enabled. If this is set, then the object and all its children will be deleted even if any of them has the deletion protection enabled.

Responses

Response samples

Content type
application/json
{ }

Metrics

List the telemetry metrics that are available for the requested telemetry source.

path Parameters
organization
required
string

Organization name.

cluster
required
string

Cluster name.

source
required
string

Source name.

Responses

Response samples

Content type
application/json
{
  • "metrics": [
    ]
}

Get the details of an existing telemetry metric.

path Parameters
organization
required
string

Organization name.

cluster
required
string

Cluster name.

source
required
string

Source name.

metric
required
string

Metric name.

Responses

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "displayName": "string",
  • "etag": "string",
  • "description": "string",
  • "observedResource": "string",
  • "measure": {
    },
  • "type": {
    },
  • "origin": "INVALID_METRIC_ORIGIN",
  • "detectionPoint": "INVALID_METRIC_DETECTION_POINT"
}

List the telemetry metrics that are available for the requested telemetry source.

path Parameters
organization
required
string

Organization name.

extension
required
string

Extension name.

source
required
string

Source name.

Responses

Response samples

Content type
application/json
{
  • "metrics": [
    ]
}

Get the details of an existing telemetry metric.

path Parameters
organization
required
string

Organization name.

extension
required
string

Extension name.

source
required
string

Source name.

metric
required
string

Metric name.

Responses

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "displayName": "string",
  • "etag": "string",
  • "description": "string",
  • "observedResource": "string",
  • "measure": {
    },
  • "type": {
    },
  • "origin": "INVALID_METRIC_ORIGIN",
  • "detectionPoint": "INVALID_METRIC_DETECTION_POINT"
}

List the telemetry metrics that are available for the requested telemetry source.

path Parameters
organization
required
string

Organization name.

serviceaccount
required
string

Serviceaccount name.

source
required
string

Source name.

Responses

Response samples

Content type
application/json
{
  • "metrics": [
    ]
}

Get the details of an existing telemetry metric.

path Parameters
organization
required
string

Organization name.

serviceaccount
required
string

Serviceaccount name.

source
required
string

Source name.

metric
required
string

Metric name.

Responses

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "displayName": "string",
  • "etag": "string",
  • "description": "string",
  • "observedResource": "string",
  • "measure": {
    },
  • "type": {
    },
  • "origin": "INVALID_METRIC_ORIGIN",
  • "detectionPoint": "INVALID_METRIC_DETECTION_POINT"
}

List the telemetry metrics that are available for the requested telemetry source.

path Parameters
organization
required
string

Organization name.

service
required
string

Service name.

source
required
string

Source name.

Responses

Response samples

Content type
application/json
{
  • "metrics": [
    ]
}

Get the details of an existing telemetry metric.

path Parameters
organization
required
string

Organization name.

service
required
string

Service name.

source
required
string

Source name.

metric
required
string

Metric name.

Responses

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "displayName": "string",
  • "etag": "string",
  • "description": "string",
  • "observedResource": "string",
  • "measure": {
    },
  • "type": {
    },
  • "origin": "INVALID_METRIC_ORIGIN",
  • "detectionPoint": "INVALID_METRIC_DETECTION_POINT"
}

List the telemetry metrics that are available for the requested telemetry source.

path Parameters
organization
required
string

Organization name.

setting
required
string

Setting name.

source
required
string

Source name.

Responses

Response samples

Content type
application/json
{
  • "metrics": [
    ]
}

Get the details of an existing telemetry metric.

path Parameters
organization
required
string

Organization name.

setting
required
string

Setting name.

source
required
string

Source name.

metric
required
string

Metric name.

Responses

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "displayName": "string",
  • "etag": "string",
  • "description": "string",
  • "observedResource": "string",
  • "measure": {
    },
  • "type": {
    },
  • "origin": "INVALID_METRIC_ORIGIN",
  • "detectionPoint": "INVALID_METRIC_DETECTION_POINT"
}

List the telemetry metrics that are available for the requested telemetry source.

path Parameters
organization
required
string

Organization name.

team
required
string

Team name.

source
required
string

Source name.

Responses

Response samples

Content type
application/json
{
  • "metrics": [
    ]
}

Get the details of an existing telemetry metric.

path Parameters
organization
required
string

Organization name.

team
required
string

Team name.

source
required
string

Source name.

metric
required
string

Metric name.

Responses

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "displayName": "string",
  • "etag": "string",
  • "description": "string",
  • "observedResource": "string",
  • "measure": {
    },
  • "type": {
    },
  • "origin": "INVALID_METRIC_ORIGIN",
  • "detectionPoint": "INVALID_METRIC_DETECTION_POINT"
}

List the telemetry metrics that are available for the requested telemetry source.

path Parameters
organization
required
string

Organization name.

source
required
string

Source name.

Responses

Response samples

Content type
application/json
{
  • "metrics": [
    ]
}

Get the details of an existing telemetry metric.

path Parameters
organization
required
string

Organization name.

source
required
string

Source name.

metric
required
string

Metric name.

Responses

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "displayName": "string",
  • "etag": "string",
  • "description": "string",
  • "observedResource": "string",
  • "measure": {
    },
  • "type": {
    },
  • "origin": "INVALID_METRIC_ORIGIN",
  • "detectionPoint": "INVALID_METRIC_DETECTION_POINT"
}

List the telemetry metrics that are available for the requested telemetry source.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

application
required
string

Application name.

api
required
string

Api name.

source
required
string

Source name.

Responses

Response samples

Content type
application/json
{
  • "metrics": [
    ]
}

Get the details of an existing telemetry metric.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

application
required
string

Application name.

api
required
string

Api name.

source
required
string

Source name.

metric
required
string

Metric name.

Responses

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "displayName": "string",
  • "etag": "string",
  • "description": "string",
  • "observedResource": "string",
  • "measure": {
    },
  • "type": {
    },
  • "origin": "INVALID_METRIC_ORIGIN",
  • "detectionPoint": "INVALID_METRIC_DETECTION_POINT"
}

List the telemetry metrics that are available for the requested telemetry source.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

application
required
string

Application name.

source
required
string

Source name.

Responses

Response samples

Content type
application/json
{
  • "metrics": [
    ]
}

Get the details of an existing telemetry metric.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

application
required
string

Application name.

source
required
string

Source name.

metric
required
string

Metric name.

Responses

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "displayName": "string",
  • "etag": "string",
  • "description": "string",
  • "observedResource": "string",
  • "measure": {
    },
  • "type": {
    },
  • "origin": "INVALID_METRIC_ORIGIN",
  • "detectionPoint": "INVALID_METRIC_DETECTION_POINT"
}

List the telemetry metrics that are available for the requested telemetry source.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

setting
required
string

Setting name.

source
required
string

Source name.

Responses

Response samples

Content type
application/json
{
  • "metrics": [
    ]
}

Get the details of an existing telemetry metric.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

setting
required
string

Setting name.

source
required
string

Source name.

metric
required
string

Metric name.

Responses

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "displayName": "string",
  • "etag": "string",
  • "description": "string",
  • "observedResource": "string",
  • "measure": {
    },
  • "type": {
    },
  • "origin": "INVALID_METRIC_ORIGIN",
  • "detectionPoint": "INVALID_METRIC_DETECTION_POINT"
}

List the telemetry metrics that are available for the requested telemetry source.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

source
required
string

Source name.

Responses

Response samples

Content type
application/json
{
  • "metrics": [
    ]
}

Get the details of an existing telemetry metric.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

source
required
string

Source name.

metric
required
string

Metric name.

Responses

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "displayName": "string",
  • "etag": "string",
  • "description": "string",
  • "observedResource": "string",
  • "measure": {
    },
  • "type": {
    },
  • "origin": "INVALID_METRIC_ORIGIN",
  • "detectionPoint": "INVALID_METRIC_DETECTION_POINT"
}

List the telemetry metrics that are available for the requested telemetry source.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

gatewaygroup
required
string

Gatewaygroup name.

egressgateway
required
string

Egressgateway name.

source
required
string

Source name.

Responses

Response samples

Content type
application/json
{
  • "metrics": [
    ]
}

Get the details of an existing telemetry metric.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

gatewaygroup
required
string

Gatewaygroup name.

egressgateway
required
string

Egressgateway name.

source
required
string

Source name.

metric
required
string

Metric name.

Responses

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "displayName": "string",
  • "etag": "string",
  • "description": "string",
  • "observedResource": "string",
  • "measure": {
    },
  • "type": {
    },
  • "origin": "INVALID_METRIC_ORIGIN",
  • "detectionPoint": "INVALID_METRIC_DETECTION_POINT"
}

List the telemetry metrics that are available for the requested telemetry source.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

gatewaygroup
required
string

Gatewaygroup name.

ingressgateway
required
string

Ingressgateway name.

source
required
string

Source name.

Responses

Response samples

Content type
application/json
{
  • "metrics": [
    ]
}

Get the details of an existing telemetry metric.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

gatewaygroup
required
string

Gatewaygroup name.

ingressgateway
required
string

Ingressgateway name.

source
required
string

Source name.

metric
required
string

Metric name.

Responses

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "displayName": "string",
  • "etag": "string",
  • "description": "string",
  • "observedResource": "string",
  • "measure": {
    },
  • "type": {
    },
  • "origin": "INVALID_METRIC_ORIGIN",
  • "detectionPoint": "INVALID_METRIC_DETECTION_POINT"
}

List the telemetry metrics that are available for the requested telemetry source.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

gatewaygroup
required
string

Gatewaygroup name.

source
required
string

Source name.

Responses

Response samples

Content type
application/json
{
  • "metrics": [
    ]
}

Get the details of an existing telemetry metric.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

gatewaygroup
required
string

Gatewaygroup name.

source
required
string

Source name.

metric
required
string

Metric name.

Responses

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "displayName": "string",
  • "etag": "string",
  • "description": "string",
  • "observedResource": "string",
  • "measure": {
    },
  • "type": {
    },
  • "origin": "INVALID_METRIC_ORIGIN",
  • "detectionPoint": "INVALID_METRIC_DETECTION_POINT"
}

List the telemetry metrics that are available for the requested telemetry source.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

gatewaygroup
required
string

Gatewaygroup name.

tie1gateway
required
string

Tie1gateway name.

source
required
string

Source name.

Responses

Response samples

Content type
application/json
{
  • "metrics": [
    ]
}

Get the details of an existing telemetry metric.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

gatewaygroup
required
string

Gatewaygroup name.

tie1gateway
required
string

Tie1gateway name.

source
required
string

Source name.

metric
required
string

Metric name.

Responses

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "displayName": "string",
  • "etag": "string",
  • "description": "string",
  • "observedResource": "string",
  • "measure": {
    },
  • "type": {
    },
  • "origin": "INVALID_METRIC_ORIGIN",
  • "detectionPoint": "INVALID_METRIC_DETECTION_POINT"
}

List the telemetry metrics that are available for the requested telemetry source.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

istiointernalgroup
required
string

Istiointernalgroup name.

setting
required
string

Setting name.

source
required
string

Source name.

Responses

Response samples

Content type
application/json
{
  • "metrics": [
    ]
}

Get the details of an existing telemetry metric.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

istiointernalgroup
required
string

Istiointernalgroup name.

setting
required
string

Setting name.

source
required
string

Source name.

metric
required
string

Metric name.

Responses

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "displayName": "string",
  • "etag": "string",
  • "description": "string",
  • "observedResource": "string",
  • "measure": {
    },
  • "type": {
    },
  • "origin": "INVALID_METRIC_ORIGIN",
  • "detectionPoint": "INVALID_METRIC_DETECTION_POINT"
}

List the telemetry metrics that are available for the requested telemetry source.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

istiointernalgroup
required
string

Istiointernalgroup name.

source
required
string

Source name.

Responses

Response samples

Content type
application/json
{
  • "metrics": [
    ]
}

Get the details of an existing telemetry metric.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

istiointernalgroup
required
string

Istiointernalgroup name.

source
required
string

Source name.

metric
required
string

Metric name.

Responses

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "displayName": "string",
  • "etag": "string",
  • "description": "string",
  • "observedResource": "string",
  • "measure": {
    },
  • "type": {
    },
  • "origin": "INVALID_METRIC_ORIGIN",
  • "detectionPoint": "INVALID_METRIC_DETECTION_POINT"
}

List the telemetry metrics that are available for the requested telemetry source.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

securitygroup
required
string

Securitygroup name.

setting
required
string

Setting name.

source
required
string

Source name.

Responses

Response samples

Content type
application/json
{
  • "metrics": [
    ]
}

Get the details of an existing telemetry metric.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

securitygroup
required
string

Securitygroup name.

setting
required
string

Setting name.

source
required
string

Source name.

metric
required
string

Metric name.

Responses

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "displayName": "string",
  • "etag": "string",
  • "description": "string",
  • "observedResource": "string",
  • "measure": {
    },
  • "type": {
    },
  • "origin": "INVALID_METRIC_ORIGIN",
  • "detectionPoint": "INVALID_METRIC_DETECTION_POINT"
}

List the telemetry metrics that are available for the requested telemetry source.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

securitygroup
required
string

Securitygroup name.

source
required
string

Source name.

Responses

Response samples

Content type
application/json
{
  • "metrics": [
    ]
}

Get the details of an existing telemetry metric.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

securitygroup
required
string

Securitygroup name.

source
required
string

Source name.

metric
required
string

Metric name.

Responses

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "displayName": "string",
  • "etag": "string",
  • "description": "string",
  • "observedResource": "string",
  • "measure": {
    },
  • "type": {
    },
  • "origin": "INVALID_METRIC_ORIGIN",
  • "detectionPoint": "INVALID_METRIC_DETECTION_POINT"
}

List the telemetry metrics that are available for the requested telemetry source.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

setting
required
string

Setting name.

source
required
string

Source name.

Responses

Response samples

Content type
application/json
{
  • "metrics": [
    ]
}

Get the details of an existing telemetry metric.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

setting
required
string

Setting name.

source
required
string

Source name.

metric
required
string

Metric name.

Responses

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "displayName": "string",
  • "etag": "string",
  • "description": "string",
  • "observedResource": "string",
  • "measure": {
    },
  • "type": {
    },
  • "origin": "INVALID_METRIC_ORIGIN",
  • "detectionPoint": "INVALID_METRIC_DETECTION_POINT"
}

List the telemetry metrics that are available for the requested telemetry source.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

source
required
string

Source name.

Responses

Response samples

Content type
application/json
{
  • "metrics": [
    ]
}

Get the details of an existing telemetry metric.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

source
required
string

Source name.

metric
required
string

Metric name.

Responses

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "displayName": "string",
  • "etag": "string",
  • "description": "string",
  • "observedResource": "string",
  • "measure": {
    },
  • "type": {
    },
  • "origin": "INVALID_METRIC_ORIGIN",
  • "detectionPoint": "INVALID_METRIC_DETECTION_POINT"
}

List the telemetry metrics that are available for the requested telemetry source.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

trafficgroup
required
string

Trafficgroup name.

serviceroute
required
string

Serviceroute name.

source
required
string

Source name.

Responses

Response samples

Content type
application/json
{
  • "metrics": [
    ]
}

Get the details of an existing telemetry metric.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

trafficgroup
required
string

Trafficgroup name.

serviceroute
required
string

Serviceroute name.

source
required
string

Source name.

metric
required
string

Metric name.

Responses

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "displayName": "string",
  • "etag": "string",
  • "description": "string",
  • "observedResource": "string",
  • "measure": {
    },
  • "type": {
    },
  • "origin": "INVALID_METRIC_ORIGIN",
  • "detectionPoint": "INVALID_METRIC_DETECTION_POINT"
}

List the telemetry metrics that are available for the requested telemetry source.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

trafficgroup
required
string

Trafficgroup name.

setting
required
string

Setting name.

source
required
string

Source name.

Responses

Response samples

Content type
application/json
{
  • "metrics": [
    ]
}

Get the details of an existing telemetry metric.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

trafficgroup
required
string

Trafficgroup name.

setting
required
string

Setting name.

source
required
string

Source name.

metric
required
string

Metric name.

Responses

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "displayName": "string",
  • "etag": "string",
  • "description": "string",
  • "observedResource": "string",
  • "measure": {
    },
  • "type": {
    },
  • "origin": "INVALID_METRIC_ORIGIN",
  • "detectionPoint": "INVALID_METRIC_DETECTION_POINT"
}

List the telemetry metrics that are available for the requested telemetry source.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

trafficgroup
required
string

Trafficgroup name.

source
required
string

Source name.

Responses

Response samples

Content type
application/json
{
  • "metrics": [
    ]
}

Get the details of an existing telemetry metric.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

trafficgroup
required
string

Trafficgroup name.

source
required
string

Source name.

metric
required
string

Metric name.

Responses

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "displayName": "string",
  • "etag": "string",
  • "description": "string",
  • "observedResource": "string",
  • "measure": {
    },
  • "type": {
    },
  • "origin": "INVALID_METRIC_ORIGIN",
  • "detectionPoint": "INVALID_METRIC_DETECTION_POINT"
}

List the telemetry metrics that are available for the requested telemetry source.

path Parameters
organization
required
string

Organization name.

user
required
string

User name.

source
required
string

Source name.

Responses

Response samples

Content type
application/json
{
  • "metrics": [
    ]
}

Get the details of an existing telemetry metric.

path Parameters
organization
required
string

Organization name.

user
required
string

User name.

source
required
string

Source name.

metric
required
string

Metric name.

Responses

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "displayName": "string",
  • "etag": "string",
  • "description": "string",
  • "observedResource": "string",
  • "measure": {
    },
  • "type": {
    },
  • "origin": "INVALID_METRIC_ORIGIN",
  • "detectionPoint": "INVALID_METRIC_DETECTION_POINT"
}

Sources

List the telemetry sources that are available for the requested parent. It will return telemetry sources that belong to the requested parent and from all its child resources.

path Parameters
organization
required
string

Organization name.

cluster
required
string

Cluster name.

query Parameters
scopeTypes
Array of strings
Items Enum: "INVALID" "SERVICE" "INGRESS" "RELATION"

The scope type that a telemetry source needs to match. Telemetry sources that matches any requested scope type will be returned.

  • SERVICE: A telemetry source service based scope.
  • INGRESS: A telemetry source ingress's hostname based scope.
  • RELATION: A telemetry source relation based scope.
belongTos
Array of strings

Which resources the telemetry sources must belong to. Telemetry sources that belongs to any requested resource will be returned.

existed.since
string <date-time>

Moment in time since we retrieve Telemetry Sources.

existed.until
string <date-time>

Moment in time until we retrieve Telemetry Sources.

Responses

Response samples

Content type
application/json
{
  • "sources": [
    ]
}

Get the details of an existing telemetry source.

path Parameters
organization
required
string

Organization name.

cluster
required
string

Cluster name.

source
required
string

Source name.

Responses

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "displayName": "string",
  • "etag": "string",
  • "description": "string",
  • "belongsTo": "string",
  • "metricSourceKey": "string",
  • "type": "INVALID",
  • "scope": {
    }
}

List the telemetry sources that are available for the requested parent. It will return telemetry sources that belong to the requested parent and from all its child resources.

path Parameters
organization
required
string

Organization name.

extension
required
string

Extension name.

query Parameters
scopeTypes
Array of strings
Items Enum: "INVALID" "SERVICE" "INGRESS" "RELATION"

The scope type that a telemetry source needs to match. Telemetry sources that matches any requested scope type will be returned.

  • SERVICE: A telemetry source service based scope.
  • INGRESS: A telemetry source ingress's hostname based scope.
  • RELATION: A telemetry source relation based scope.
belongTos
Array of strings

Which resources the telemetry sources must belong to. Telemetry sources that belongs to any requested resource will be returned.

existed.since
string <date-time>

Moment in time since we retrieve Telemetry Sources.

existed.until
string <date-time>

Moment in time until we retrieve Telemetry Sources.

Responses

Response samples

Content type
application/json
{
  • "sources": [
    ]
}

Get the details of an existing telemetry source.

path Parameters
organization
required
string

Organization name.

extension
required
string

Extension name.

source
required
string

Source name.

Responses

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "displayName": "string",
  • "etag": "string",
  • "description": "string",
  • "belongsTo": "string",
  • "metricSourceKey": "string",
  • "type": "INVALID",
  • "scope": {
    }
}

List the telemetry sources that are available for the requested parent. It will return telemetry sources that belong to the requested parent and from all its child resources.

path Parameters
organization
required
string

Organization name.

serviceaccount
required
string

Serviceaccount name.

query Parameters
scopeTypes
Array of strings
Items Enum: "INVALID" "SERVICE" "INGRESS" "RELATION"

The scope type that a telemetry source needs to match. Telemetry sources that matches any requested scope type will be returned.

  • SERVICE: A telemetry source service based scope.
  • INGRESS: A telemetry source ingress's hostname based scope.
  • RELATION: A telemetry source relation based scope.
belongTos
Array of strings

Which resources the telemetry sources must belong to. Telemetry sources that belongs to any requested resource will be returned.

existed.since
string <date-time>

Moment in time since we retrieve Telemetry Sources.

existed.until
string <date-time>

Moment in time until we retrieve Telemetry Sources.

Responses

Response samples

Content type
application/json
{
  • "sources": [
    ]
}

Get the details of an existing telemetry source.

path Parameters
organization
required
string

Organization name.

serviceaccount
required
string

Serviceaccount name.

source
required
string

Source name.

Responses

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "displayName": "string",
  • "etag": "string",
  • "description": "string",
  • "belongsTo": "string",
  • "metricSourceKey": "string",
  • "type": "INVALID",
  • "scope": {
    }
}

List the telemetry sources that are available for the requested parent. It will return telemetry sources that belong to the requested parent and from all its child resources.

path Parameters
organization
required
string

Organization name.

service
required
string

Service name.

query Parameters
scopeTypes
Array of strings
Items Enum: "INVALID" "SERVICE" "INGRESS" "RELATION"

The scope type that a telemetry source needs to match. Telemetry sources that matches any requested scope type will be returned.

  • SERVICE: A telemetry source service based scope.
  • INGRESS: A telemetry source ingress's hostname based scope.
  • RELATION: A telemetry source relation based scope.
belongTos
Array of strings

Which resources the telemetry sources must belong to. Telemetry sources that belongs to any requested resource will be returned.

existed.since
string <date-time>

Moment in time since we retrieve Telemetry Sources.

existed.until
string <date-time>

Moment in time until we retrieve Telemetry Sources.

Responses

Response samples

Content type
application/json
{
  • "sources": [
    ]
}

Get the details of an existing telemetry source.

path Parameters
organization
required
string

Organization name.

service
required
string

Service name.

source
required
string

Source name.

Responses

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "displayName": "string",
  • "etag": "string",
  • "description": "string",
  • "belongsTo": "string",
  • "metricSourceKey": "string",
  • "type": "INVALID",
  • "scope": {
    }
}

List the telemetry sources that are available for the requested parent. It will return telemetry sources that belong to the requested parent and from all its child resources.

path Parameters
organization
required
string

Organization name.

setting
required
string

Setting name.

query Parameters
scopeTypes
Array of strings
Items Enum: "INVALID" "SERVICE" "INGRESS" "RELATION"

The scope type that a telemetry source needs to match. Telemetry sources that matches any requested scope type will be returned.

  • SERVICE: A telemetry source service based scope.
  • INGRESS: A telemetry source ingress's hostname based scope.
  • RELATION: A telemetry source relation based scope.
belongTos
Array of strings

Which resources the telemetry sources must belong to. Telemetry sources that belongs to any requested resource will be returned.

existed.since
string <date-time>

Moment in time since we retrieve Telemetry Sources.

existed.until
string <date-time>

Moment in time until we retrieve Telemetry Sources.

Responses

Response samples

Content type
application/json
{
  • "sources": [
    ]
}

Get the details of an existing telemetry source.

path Parameters
organization
required
string

Organization name.

setting
required
string

Setting name.

source
required
string

Source name.

Responses

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "displayName": "string",
  • "etag": "string",
  • "description": "string",
  • "belongsTo": "string",
  • "metricSourceKey": "string",
  • "type": "INVALID",
  • "scope": {
    }
}

List the telemetry sources that are available for the requested parent. It will return telemetry sources that belong to the requested parent and from all its child resources.

path Parameters
organization
required
string

Organization name.

team
required
string

Team name.

query Parameters
scopeTypes
Array of strings
Items Enum: "INVALID" "SERVICE" "INGRESS" "RELATION"

The scope type that a telemetry source needs to match. Telemetry sources that matches any requested scope type will be returned.

  • SERVICE: A telemetry source service based scope.
  • INGRESS: A telemetry source ingress's hostname based scope.
  • RELATION: A telemetry source relation based scope.
belongTos
Array of strings

Which resources the telemetry sources must belong to. Telemetry sources that belongs to any requested resource will be returned.

existed.since
string <date-time>

Moment in time since we retrieve Telemetry Sources.

existed.until
string <date-time>

Moment in time until we retrieve Telemetry Sources.

Responses

Response samples

Content type
application/json
{
  • "sources": [
    ]
}

Get the details of an existing telemetry source.

path Parameters
organization
required
string

Organization name.

team
required
string

Team name.

source
required
string

Source name.

Responses

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "displayName": "string",
  • "etag": "string",
  • "description": "string",
  • "belongsTo": "string",
  • "metricSourceKey": "string",
  • "type": "INVALID",
  • "scope": {
    }
}

List the telemetry sources that are available for the requested parent. It will return telemetry sources that belong to the requested parent and from all its child resources.

path Parameters
organization
required
string

Organization name.

query Parameters
scopeTypes
Array of strings
Items Enum: "INVALID" "SERVICE" "INGRESS" "RELATION"

The scope type that a telemetry source needs to match. Telemetry sources that matches any requested scope type will be returned.

  • SERVICE: A telemetry source service based scope.
  • INGRESS: A telemetry source ingress's hostname based scope.
  • RELATION: A telemetry source relation based scope.
belongTos
Array of strings

Which resources the telemetry sources must belong to. Telemetry sources that belongs to any requested resource will be returned.

existed.since
string <date-time>

Moment in time since we retrieve Telemetry Sources.

existed.until
string <date-time>

Moment in time until we retrieve Telemetry Sources.

Responses

Response samples

Content type
application/json
{
  • "sources": [
    ]
}

Get the details of an existing telemetry source.

path Parameters
organization
required
string

Organization name.

source
required
string

Source name.

Responses

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "displayName": "string",
  • "etag": "string",
  • "description": "string",
  • "belongsTo": "string",
  • "metricSourceKey": "string",
  • "type": "INVALID",
  • "scope": {
    }
}

List the telemetry sources that are available for the requested parent. It will return telemetry sources that belong to the requested parent and from all its child resources.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

application
required
string

Application name.

api
required
string

Api name.

query Parameters
scopeTypes
Array of strings
Items Enum: "INVALID" "SERVICE" "INGRESS" "RELATION"

The scope type that a telemetry source needs to match. Telemetry sources that matches any requested scope type will be returned.

  • SERVICE: A telemetry source service based scope.
  • INGRESS: A telemetry source ingress's hostname based scope.
  • RELATION: A telemetry source relation based scope.
belongTos
Array of strings

Which resources the telemetry sources must belong to. Telemetry sources that belongs to any requested resource will be returned.

existed.since
string <date-time>

Moment in time since we retrieve Telemetry Sources.

existed.until
string <date-time>

Moment in time until we retrieve Telemetry Sources.

Responses

Response samples

Content type
application/json
{
  • "sources": [
    ]
}

Get the details of an existing telemetry source.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

application
required
string

Application name.

api
required
string

Api name.

source
required
string

Source name.

Responses

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "displayName": "string",
  • "etag": "string",
  • "description": "string",
  • "belongsTo": "string",
  • "metricSourceKey": "string",
  • "type": "INVALID",
  • "scope": {
    }
}

List the telemetry sources that are available for the requested parent. It will return telemetry sources that belong to the requested parent and from all its child resources.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

application
required
string

Application name.

query Parameters
scopeTypes
Array of strings
Items Enum: "INVALID" "SERVICE" "INGRESS" "RELATION"

The scope type that a telemetry source needs to match. Telemetry sources that matches any requested scope type will be returned.

  • SERVICE: A telemetry source service based scope.
  • INGRESS: A telemetry source ingress's hostname based scope.
  • RELATION: A telemetry source relation based scope.
belongTos
Array of strings

Which resources the telemetry sources must belong to. Telemetry sources that belongs to any requested resource will be returned.

existed.since
string <date-time>

Moment in time since we retrieve Telemetry Sources.

existed.until
string <date-time>

Moment in time until we retrieve Telemetry Sources.

Responses

Response samples

Content type
application/json
{
  • "sources": [
    ]
}

Get the details of an existing telemetry source.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

application
required
string

Application name.

source
required
string

Source name.

Responses

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "displayName": "string",
  • "etag": "string",
  • "description": "string",
  • "belongsTo": "string",
  • "metricSourceKey": "string",
  • "type": "INVALID",
  • "scope": {
    }
}

List the telemetry sources that are available for the requested parent. It will return telemetry sources that belong to the requested parent and from all its child resources.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

setting
required
string

Setting name.

query Parameters
scopeTypes
Array of strings
Items Enum: "INVALID" "SERVICE" "INGRESS" "RELATION"

The scope type that a telemetry source needs to match. Telemetry sources that matches any requested scope type will be returned.

  • SERVICE: A telemetry source service based scope.
  • INGRESS: A telemetry source ingress's hostname based scope.
  • RELATION: A telemetry source relation based scope.
belongTos
Array of strings

Which resources the telemetry sources must belong to. Telemetry sources that belongs to any requested resource will be returned.

existed.since
string <date-time>

Moment in time since we retrieve Telemetry Sources.

existed.until
string <date-time>

Moment in time until we retrieve Telemetry Sources.

Responses

Response samples

Content type
application/json
{
  • "sources": [
    ]
}

Get the details of an existing telemetry source.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

setting
required
string

Setting name.

source
required
string

Source name.

Responses

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "displayName": "string",
  • "etag": "string",
  • "description": "string",
  • "belongsTo": "string",
  • "metricSourceKey": "string",
  • "type": "INVALID",
  • "scope": {
    }
}

List the telemetry sources that are available for the requested parent. It will return telemetry sources that belong to the requested parent and from all its child resources.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

query Parameters
scopeTypes
Array of strings
Items Enum: "INVALID" "SERVICE" "INGRESS" "RELATION"

The scope type that a telemetry source needs to match. Telemetry sources that matches any requested scope type will be returned.

  • SERVICE: A telemetry source service based scope.
  • INGRESS: A telemetry source ingress's hostname based scope.
  • RELATION: A telemetry source relation based scope.
belongTos
Array of strings

Which resources the telemetry sources must belong to. Telemetry sources that belongs to any requested resource will be returned.

existed.since
string <date-time>

Moment in time since we retrieve Telemetry Sources.

existed.until
string <date-time>

Moment in time until we retrieve Telemetry Sources.

Responses

Response samples

Content type
application/json
{
  • "sources": [
    ]
}

Get the details of an existing telemetry source.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

source
required
string

Source name.

Responses

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "displayName": "string",
  • "etag": "string",
  • "description": "string",
  • "belongsTo": "string",
  • "metricSourceKey": "string",
  • "type": "INVALID",
  • "scope": {
    }
}

List the telemetry sources that are available for the requested parent. It will return telemetry sources that belong to the requested parent and from all its child resources.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

gatewaygroup
required
string

Gatewaygroup name.

egressgateway
required
string

Egressgateway name.

query Parameters
scopeTypes
Array of strings
Items Enum: "INVALID" "SERVICE" "INGRESS" "RELATION"

The scope type that a telemetry source needs to match. Telemetry sources that matches any requested scope type will be returned.

  • SERVICE: A telemetry source service based scope.
  • INGRESS: A telemetry source ingress's hostname based scope.
  • RELATION: A telemetry source relation based scope.
belongTos
Array of strings

Which resources the telemetry sources must belong to. Telemetry sources that belongs to any requested resource will be returned.

existed.since
string <date-time>

Moment in time since we retrieve Telemetry Sources.

existed.until
string <date-time>

Moment in time until we retrieve Telemetry Sources.

Responses

Response samples

Content type
application/json
{
  • "sources": [
    ]
}

Get the details of an existing telemetry source.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

gatewaygroup
required
string

Gatewaygroup name.

egressgateway
required
string

Egressgateway name.

source
required
string

Source name.

Responses

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "displayName": "string",
  • "etag": "string",
  • "description": "string",
  • "belongsTo": "string",
  • "metricSourceKey": "string",
  • "type": "INVALID",
  • "scope": {
    }
}

List the telemetry sources that are available for the requested parent. It will return telemetry sources that belong to the requested parent and from all its child resources.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

gatewaygroup
required
string

Gatewaygroup name.

ingressgateway
required
string

Ingressgateway name.

query Parameters
scopeTypes
Array of strings
Items Enum: "INVALID" "SERVICE" "INGRESS" "RELATION"

The scope type that a telemetry source needs to match. Telemetry sources that matches any requested scope type will be returned.

  • SERVICE: A telemetry source service based scope.
  • INGRESS: A telemetry source ingress's hostname based scope.
  • RELATION: A telemetry source relation based scope.
belongTos
Array of strings

Which resources the telemetry sources must belong to. Telemetry sources that belongs to any requested resource will be returned.

existed.since
string <date-time>

Moment in time since we retrieve Telemetry Sources.

existed.until
string <date-time>

Moment in time until we retrieve Telemetry Sources.

Responses

Response samples

Content type
application/json
{
  • "sources": [
    ]
}

Get the details of an existing telemetry source.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

gatewaygroup
required
string

Gatewaygroup name.

ingressgateway
required
string

Ingressgateway name.

source
required
string

Source name.

Responses

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "displayName": "string",
  • "etag": "string",
  • "description": "string",
  • "belongsTo": "string",
  • "metricSourceKey": "string",
  • "type": "INVALID",
  • "scope": {
    }
}

List the telemetry sources that are available for the requested parent. It will return telemetry sources that belong to the requested parent and from all its child resources.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

gatewaygroup
required
string

Gatewaygroup name.

query Parameters
scopeTypes
Array of strings
Items Enum: "INVALID" "SERVICE" "INGRESS" "RELATION"

The scope type that a telemetry source needs to match. Telemetry sources that matches any requested scope type will be returned.

  • SERVICE: A telemetry source service based scope.
  • INGRESS: A telemetry source ingress's hostname based scope.
  • RELATION: A telemetry source relation based scope.
belongTos
Array of strings

Which resources the telemetry sources must belong to. Telemetry sources that belongs to any requested resource will be returned.

existed.since
string <date-time>

Moment in time since we retrieve Telemetry Sources.

existed.until
string <date-time>

Moment in time until we retrieve Telemetry Sources.

Responses

Response samples

Content type
application/json
{
  • "sources": [
    ]
}

Get the details of an existing telemetry source.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

gatewaygroup
required
string

Gatewaygroup name.

source
required
string

Source name.

Responses

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "displayName": "string",
  • "etag": "string",
  • "description": "string",
  • "belongsTo": "string",
  • "metricSourceKey": "string",
  • "type": "INVALID",
  • "scope": {
    }
}

List the telemetry sources that are available for the requested parent. It will return telemetry sources that belong to the requested parent and from all its child resources.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

gatewaygroup
required
string

Gatewaygroup name.

tie1gateway
required
string

Tie1gateway name.

query Parameters
scopeTypes
Array of strings
Items Enum: "INVALID" "SERVICE" "INGRESS" "RELATION"

The scope type that a telemetry source needs to match. Telemetry sources that matches any requested scope type will be returned.

  • SERVICE: A telemetry source service based scope.
  • INGRESS: A telemetry source ingress's hostname based scope.
  • RELATION: A telemetry source relation based scope.
belongTos
Array of strings

Which resources the telemetry sources must belong to. Telemetry sources that belongs to any requested resource will be returned.

existed.since
string <date-time>

Moment in time since we retrieve Telemetry Sources.

existed.until
string <date-time>

Moment in time until we retrieve Telemetry Sources.

Responses

Response samples

Content type
application/json
{
  • "sources": [
    ]
}

Get the details of an existing telemetry source.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

gatewaygroup
required
string

Gatewaygroup name.

tie1gateway
required
string

Tie1gateway name.

source
required
string

Source name.

Responses

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "displayName": "string",
  • "etag": "string",
  • "description": "string",
  • "belongsTo": "string",
  • "metricSourceKey": "string",
  • "type": "INVALID",
  • "scope": {
    }
}

List the telemetry sources that are available for the requested parent. It will return telemetry sources that belong to the requested parent and from all its child resources.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

istiointernalgroup
required
string

Istiointernalgroup name.

setting
required
string

Setting name.

query Parameters
scopeTypes
Array of strings
Items Enum: "INVALID" "SERVICE" "INGRESS" "RELATION"

The scope type that a telemetry source needs to match. Telemetry sources that matches any requested scope type will be returned.

  • SERVICE: A telemetry source service based scope.
  • INGRESS: A telemetry source ingress's hostname based scope.
  • RELATION: A telemetry source relation based scope.
belongTos
Array of strings

Which resources the telemetry sources must belong to. Telemetry sources that belongs to any requested resource will be returned.

existed.since
string <date-time>

Moment in time since we retrieve Telemetry Sources.

existed.until
string <date-time>

Moment in time until we retrieve Telemetry Sources.

Responses

Response samples

Content type
application/json
{
  • "sources": [
    ]
}

Get the details of an existing telemetry source.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

istiointernalgroup
required
string

Istiointernalgroup name.

setting
required
string

Setting name.

source
required
string

Source name.

Responses

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "displayName": "string",
  • "etag": "string",
  • "description": "string",
  • "belongsTo": "string",
  • "metricSourceKey": "string",
  • "type": "INVALID",
  • "scope": {
    }
}

List the telemetry sources that are available for the requested parent. It will return telemetry sources that belong to the requested parent and from all its child resources.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

istiointernalgroup
required
string

Istiointernalgroup name.

query Parameters
scopeTypes
Array of strings
Items Enum: "INVALID" "SERVICE" "INGRESS" "RELATION"

The scope type that a telemetry source needs to match. Telemetry sources that matches any requested scope type will be returned.

  • SERVICE: A telemetry source service based scope.
  • INGRESS: A telemetry source ingress's hostname based scope.
  • RELATION: A telemetry source relation based scope.
belongTos
Array of strings

Which resources the telemetry sources must belong to. Telemetry sources that belongs to any requested resource will be returned.

existed.since
string <date-time>

Moment in time since we retrieve Telemetry Sources.

existed.until
string <date-time>

Moment in time until we retrieve Telemetry Sources.

Responses

Response samples

Content type
application/json
{
  • "sources": [
    ]
}

Get the details of an existing telemetry source.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

istiointernalgroup
required
string

Istiointernalgroup name.

source
required
string

Source name.

Responses

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "displayName": "string",
  • "etag": "string",
  • "description": "string",
  • "belongsTo": "string",
  • "metricSourceKey": "string",
  • "type": "INVALID",
  • "scope": {
    }
}

List the telemetry sources that are available for the requested parent. It will return telemetry sources that belong to the requested parent and from all its child resources.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

securitygroup
required
string

Securitygroup name.

setting
required
string

Setting name.

query Parameters
scopeTypes
Array of strings
Items Enum: "INVALID" "SERVICE" "INGRESS" "RELATION"

The scope type that a telemetry source needs to match. Telemetry sources that matches any requested scope type will be returned.

  • SERVICE: A telemetry source service based scope.
  • INGRESS: A telemetry source ingress's hostname based scope.
  • RELATION: A telemetry source relation based scope.
belongTos
Array of strings

Which resources the telemetry sources must belong to. Telemetry sources that belongs to any requested resource will be returned.

existed.since
string <date-time>

Moment in time since we retrieve Telemetry Sources.

existed.until
string <date-time>

Moment in time until we retrieve Telemetry Sources.

Responses

Response samples

Content type
application/json
{
  • "sources": [
    ]
}

Get the details of an existing telemetry source.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

securitygroup
required
string

Securitygroup name.

setting
required
string

Setting name.

source
required
string

Source name.

Responses

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "displayName": "string",
  • "etag": "string",
  • "description": "string",
  • "belongsTo": "string",
  • "metricSourceKey": "string",
  • "type": "INVALID",
  • "scope": {
    }
}

List the telemetry sources that are available for the requested parent. It will return telemetry sources that belong to the requested parent and from all its child resources.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

securitygroup
required
string

Securitygroup name.

query Parameters
scopeTypes
Array of strings
Items Enum: "INVALID" "SERVICE" "INGRESS" "RELATION"

The scope type that a telemetry source needs to match. Telemetry sources that matches any requested scope type will be returned.

  • SERVICE: A telemetry source service based scope.
  • INGRESS: A telemetry source ingress's hostname based scope.
  • RELATION: A telemetry source relation based scope.
belongTos
Array of strings

Which resources the telemetry sources must belong to. Telemetry sources that belongs to any requested resource will be returned.

existed.since
string <date-time>

Moment in time since we retrieve Telemetry Sources.

existed.until
string <date-time>

Moment in time until we retrieve Telemetry Sources.

Responses

Response samples

Content type
application/json
{
  • "sources": [
    ]
}

Get the details of an existing telemetry source.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

securitygroup
required
string

Securitygroup name.

source
required
string

Source name.

Responses

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "displayName": "string",
  • "etag": "string",
  • "description": "string",
  • "belongsTo": "string",
  • "metricSourceKey": "string",
  • "type": "INVALID",
  • "scope": {
    }
}

List the telemetry sources that are available for the requested parent. It will return telemetry sources that belong to the requested parent and from all its child resources.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

setting
required
string

Setting name.

query Parameters
scopeTypes
Array of strings
Items Enum: "INVALID" "SERVICE" "INGRESS" "RELATION"

The scope type that a telemetry source needs to match. Telemetry sources that matches any requested scope type will be returned.

  • SERVICE: A telemetry source service based scope.
  • INGRESS: A telemetry source ingress's hostname based scope.
  • RELATION: A telemetry source relation based scope.
belongTos
Array of strings

Which resources the telemetry sources must belong to. Telemetry sources that belongs to any requested resource will be returned.

existed.since
string <date-time>

Moment in time since we retrieve Telemetry Sources.

existed.until
string <date-time>

Moment in time until we retrieve Telemetry Sources.

Responses

Response samples

Content type
application/json
{
  • "sources": [
    ]
}

Get the details of an existing telemetry source.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

setting
required
string

Setting name.

source
required
string

Source name.

Responses

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "displayName": "string",
  • "etag": "string",
  • "description": "string",
  • "belongsTo": "string",
  • "metricSourceKey": "string",
  • "type": "INVALID",
  • "scope": {
    }
}

List the telemetry sources that are available for the requested parent. It will return telemetry sources that belong to the requested parent and from all its child resources.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

query Parameters
scopeTypes
Array of strings
Items Enum: "INVALID" "SERVICE" "INGRESS" "RELATION"

The scope type that a telemetry source needs to match. Telemetry sources that matches any requested scope type will be returned.

  • SERVICE: A telemetry source service based scope.
  • INGRESS: A telemetry source ingress's hostname based scope.
  • RELATION: A telemetry source relation based scope.
belongTos
Array of strings

Which resources the telemetry sources must belong to. Telemetry sources that belongs to any requested resource will be returned.

existed.since
string <date-time>

Moment in time since we retrieve Telemetry Sources.

existed.until
string <date-time>

Moment in time until we retrieve Telemetry Sources.

Responses

Response samples

Content type
application/json
{
  • "sources": [
    ]
}

Get the details of an existing telemetry source.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

source
required
string

Source name.

Responses

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "displayName": "string",
  • "etag": "string",
  • "description": "string",
  • "belongsTo": "string",
  • "metricSourceKey": "string",
  • "type": "INVALID",
  • "scope": {
    }
}

List the telemetry sources that are available for the requested parent. It will return telemetry sources that belong to the requested parent and from all its child resources.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

trafficgroup
required
string

Trafficgroup name.

serviceroute
required
string

Serviceroute name.

query Parameters
scopeTypes
Array of strings
Items Enum: "INVALID" "SERVICE" "INGRESS" "RELATION"

The scope type that a telemetry source needs to match. Telemetry sources that matches any requested scope type will be returned.

  • SERVICE: A telemetry source service based scope.
  • INGRESS: A telemetry source ingress's hostname based scope.
  • RELATION: A telemetry source relation based scope.
belongTos
Array of strings

Which resources the telemetry sources must belong to. Telemetry sources that belongs to any requested resource will be returned.

existed.since
string <date-time>

Moment in time since we retrieve Telemetry Sources.

existed.until
string <date-time>

Moment in time until we retrieve Telemetry Sources.

Responses

Response samples

Content type
application/json
{
  • "sources": [
    ]
}

Get the details of an existing telemetry source.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

trafficgroup
required
string

Trafficgroup name.

serviceroute
required
string

Serviceroute name.

source
required
string

Source name.

Responses

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "displayName": "string",
  • "etag": "string",
  • "description": "string",
  • "belongsTo": "string",
  • "metricSourceKey": "string",
  • "type": "INVALID",
  • "scope": {
    }
}

List the telemetry sources that are available for the requested parent. It will return telemetry sources that belong to the requested parent and from all its child resources.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

trafficgroup
required
string

Trafficgroup name.

setting
required
string

Setting name.

query Parameters
scopeTypes
Array of strings
Items Enum: "INVALID" "SERVICE" "INGRESS" "RELATION"

The scope type that a telemetry source needs to match. Telemetry sources that matches any requested scope type will be returned.

  • SERVICE: A telemetry source service based scope.
  • INGRESS: A telemetry source ingress's hostname based scope.
  • RELATION: A telemetry source relation based scope.
belongTos
Array of strings

Which resources the telemetry sources must belong to. Telemetry sources that belongs to any requested resource will be returned.

existed.since
string <date-time>

Moment in time since we retrieve Telemetry Sources.

existed.until
string <date-time>

Moment in time until we retrieve Telemetry Sources.

Responses

Response samples

Content type
application/json
{
  • "sources": [
    ]
}

Get the details of an existing telemetry source.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

trafficgroup
required
string

Trafficgroup name.

setting
required
string

Setting name.

source
required
string

Source name.

Responses

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "displayName": "string",
  • "etag": "string",
  • "description": "string",
  • "belongsTo": "string",
  • "metricSourceKey": "string",
  • "type": "INVALID",
  • "scope": {
    }
}

List the telemetry sources that are available for the requested parent. It will return telemetry sources that belong to the requested parent and from all its child resources.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

trafficgroup
required
string

Trafficgroup name.

query Parameters
scopeTypes
Array of strings
Items Enum: "INVALID" "SERVICE" "INGRESS" "RELATION"

The scope type that a telemetry source needs to match. Telemetry sources that matches any requested scope type will be returned.

  • SERVICE: A telemetry source service based scope.
  • INGRESS: A telemetry source ingress's hostname based scope.
  • RELATION: A telemetry source relation based scope.
belongTos
Array of strings

Which resources the telemetry sources must belong to. Telemetry sources that belongs to any requested resource will be returned.

existed.since
string <date-time>

Moment in time since we retrieve Telemetry Sources.

existed.until
string <date-time>

Moment in time until we retrieve Telemetry Sources.

Responses

Response samples

Content type
application/json
{
  • "sources": [
    ]
}

Get the details of an existing telemetry source.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

trafficgroup
required
string

Trafficgroup name.

source
required
string

Source name.

Responses

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "displayName": "string",
  • "etag": "string",
  • "description": "string",
  • "belongsTo": "string",
  • "metricSourceKey": "string",
  • "type": "INVALID",
  • "scope": {
    }
}

List the telemetry sources that are available for the requested parent. It will return telemetry sources that belong to the requested parent and from all its child resources.

path Parameters
organization
required
string

Organization name.

user
required
string

User name.

query Parameters
scopeTypes
Array of strings
Items Enum: "INVALID" "SERVICE" "INGRESS" "RELATION"

The scope type that a telemetry source needs to match. Telemetry sources that matches any requested scope type will be returned.

  • SERVICE: A telemetry source service based scope.
  • INGRESS: A telemetry source ingress's hostname based scope.
  • RELATION: A telemetry source relation based scope.
belongTos
Array of strings

Which resources the telemetry sources must belong to. Telemetry sources that belongs to any requested resource will be returned.

existed.since
string <date-time>

Moment in time since we retrieve Telemetry Sources.

existed.until
string <date-time>

Moment in time until we retrieve Telemetry Sources.

Responses

Response samples

Content type
application/json
{
  • "sources": [
    ]
}

Get the details of an existing telemetry source.

path Parameters
organization
required
string

Organization name.

user
required
string

User name.

source
required
string

Source name.

Responses

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "displayName": "string",
  • "etag": "string",
  • "description": "string",
  • "belongsTo": "string",
  • "metricSourceKey": "string",
  • "type": "INVALID",
  • "scope": {
    }
}

Approvals

GetPolicy returns the approval policy for the given resource.

path Parameters
organization
required
string

Organization name.

Responses

Response samples

Content type
application/json
{
  • "etag": "string",
  • "mode": "UNRESTRICTED",
  • "resource": "string",
  • "requested": [
    ],
  • "approved": [
    ],
  • "metadata": {
    }
}

SetPolicy enables authorization policy checks for the given resource and applies any provided request or approval settings. If the resource has existing policies settings, they will be replaced. Once the policy is set, authorization checks will be performed for the given resource.

path Parameters
organization
required
string

Organization name.

Request Body schema: application/json
required
Array of objects (v2Access)

Approved is a list of subjects that are approved to access the resource.

etag
string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)
object (v2Metadata)

Metadata includes additional information about an ApprovalPolicy or Access entity and their respective resources that they apply to.

mode
required
string (ApprovalPolicyMode)
Default: "UNRESTRICTED"
Enum: "UNRESTRICTED" "ALLOW_REQUESTED" "REQUIRE_APPROVAL"
  • UNRESTRICTED: Allows all subjects in the same policy class to access the resource.
  • ALLOW_REQUESTED: Allows only the subjects in the request and approved list to access the resource.
  • REQUIRE_APPROVAL: Allows only the subjects in the approved list to access the resource.
Array of objects (v2Access)

Requested is a list of subjects that are requested to access the resource but that have not yet been explicitly approved. The access mode of the policy will determine if the subjects in this list are given immediate access to the resource.

Responses

Request samples

Content type
application/json
{
  • "approved": [
    ],
  • "etag": "string",
  • "metadata": {
    },
  • "mode": "UNRESTRICTED",
  • "requested": [
    ]
}

Response samples

Content type
application/json
{ }

DeletePolicy deletes the approval policy configuration for the given resource. When deleted, authorization checks will no longer be performed, the resource will no longer accept approval requests and all existing approvals will be revoked.

path Parameters
organization
required
string

Organization name.

query Parameters
force
boolean

Force the deletion of internal resources even if they are protected against deletion.

Responses

Response samples

Content type
application/json
{ }

AddApprovedAccess adds a new entry in the approved access list for the given resource.

path Parameters
organization
required
string

Organization name.

Request Body schema: application/json
required
required
object (v2Access)

Access is an access request for a subject with a set of permission.

Example: Access { Subject: "organizations/demo/tenants/demo/applications/caller", Permissions: []string{"GET"} }

etag
string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)

Responses

Request samples

Content type
application/json
{
  • "access": {
    },
  • "etag": "string"
}

Response samples

Content type
application/json
{ }

DeleteApprovedAccess deletes an entry from the approved list for the given resource.

path Parameters
organization
required
string

Organization name.

Request Body schema: application/json
required
subject
required
string

Subject for which the access request is made.

Responses

Request samples

Content type
application/json
{
  • "subject": "string"
}

Response samples

Content type
application/json
{ }

Approvals_QueryPolicies

path Parameters
organization
required
string

Organization name.

Request Body schema: application/json
required
includeDetails
boolean

IncludeDetails indicates whether to include the details of the resources that are part of the policy. When set to true, the name and description of the resource are included in the response.

includePermissions
boolean

IncludePermissions indicates whether to include the user level permissions on resources that are part of the policy. When set to true, the user level permissions are included in the response.

types
required
Array of strings

Type is the type of the resources to query for policies.

Responses

Request samples

Content type
application/json
{
  • "includeDetails": true,
  • "includePermissions": true,
  • "types": [
    ]
}

Response samples

Content type
application/json
{
  • "policies": [
    ]
}

AddAccessRequest adds a new access request entry in the access request list for the given resource. If the policy approval mode is "ALLOW_REQUESTED", access is allowed immediately. If the policy approval mode is "REQUIRE_APPROVAL" access will be pending until the request is approved.

path Parameters
organization
required
string

Organization name.

Request Body schema: application/json
required
required
object (v2Access)

Access is an access request for a subject with a set of permission.

Example: Access { Subject: "organizations/demo/tenants/demo/applications/caller", Permissions: []string{"GET"} }

etag
string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)

Responses

Request samples

Content type
application/json
{
  • "access": {
    },
  • "etag": "string"
}

Response samples

Content type
application/json
{ }

ApproveAccessRequest approves an existing access request for the given resource. Once approved, the request will be removed from the requested list and added to the approved list. If any of the permissions are changed, the requested permissions will be discarded and only the approved permissions will be added to the approved list.

path Parameters
organization
required
string

Organization name.

Request Body schema: application/json
required
required
object (v2Access)

Access is an access request for a subject with a set of permission.

Example: Access { Subject: "organizations/demo/tenants/demo/applications/caller", Permissions: []string{"GET"} }

etag
string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)

Responses

Request samples

Content type
application/json
{
  • "access": {
    },
  • "etag": "string"
}

Response samples

Content type
application/json
{ }

DeleteAccessRequest removes an existing entry from the access request list for the given resource. If the request is already approved, the request no longer exists and this operation will return NotFound. Deleting an approved request should be done using the DeleteApproved operation.

path Parameters
organization
required
string

Organization name.

Request Body schema: application/json
required
subject
required
string

Subject for which the access request is made.

Responses

Request samples

Content type
application/json
{
  • "subject": "string"
}

Response samples

Content type
application/json
{ }

GetPolicy returns the approval policy for the given resource.

path Parameters
organization
required
string

Organization name.

cluster
required
string

Cluster name.

Responses

Response samples

Content type
application/json
{
  • "etag": "string",
  • "mode": "UNRESTRICTED",
  • "resource": "string",
  • "requested": [
    ],
  • "approved": [
    ],
  • "metadata": {
    }
}

SetPolicy enables authorization policy checks for the given resource and applies any provided request or approval settings. If the resource has existing policies settings, they will be replaced. Once the policy is set, authorization checks will be performed for the given resource.

path Parameters
organization
required
string

Organization name.

cluster
required
string

Cluster name.

Request Body schema: application/json
required
Array of objects (v2Access)

Approved is a list of subjects that are approved to access the resource.

etag
string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)
object (v2Metadata)

Metadata includes additional information about an ApprovalPolicy or Access entity and their respective resources that they apply to.

mode
required
string (ApprovalPolicyMode)
Default: "UNRESTRICTED"
Enum: "UNRESTRICTED" "ALLOW_REQUESTED" "REQUIRE_APPROVAL"
  • UNRESTRICTED: Allows all subjects in the same policy class to access the resource.
  • ALLOW_REQUESTED: Allows only the subjects in the request and approved list to access the resource.
  • REQUIRE_APPROVAL: Allows only the subjects in the approved list to access the resource.
Array of objects (v2Access)

Requested is a list of subjects that are requested to access the resource but that have not yet been explicitly approved. The access mode of the policy will determine if the subjects in this list are given immediate access to the resource.

Responses

Request samples

Content type
application/json
{
  • "approved": [
    ],
  • "etag": "string",
  • "metadata": {
    },
  • "mode": "UNRESTRICTED",
  • "requested": [
    ]
}

Response samples

Content type
application/json
{ }

DeletePolicy deletes the approval policy configuration for the given resource. When deleted, authorization checks will no longer be performed, the resource will no longer accept approval requests and all existing approvals will be revoked.

path Parameters
organization
required
string

Organization name.

cluster
required
string

Cluster name.

query Parameters
force
boolean

Force the deletion of internal resources even if they are protected against deletion.

Responses

Response samples

Content type
application/json
{ }

AddApprovedAccess adds a new entry in the approved access list for the given resource.

path Parameters
organization
required
string

Organization name.

cluster
required
string

Cluster name.

Request Body schema: application/json
required
required
object (v2Access)

Access is an access request for a subject with a set of permission.

Example: Access { Subject: "organizations/demo/tenants/demo/applications/caller", Permissions: []string{"GET"} }

etag
string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)

Responses

Request samples

Content type
application/json
{
  • "access": {
    },
  • "etag": "string"
}

Response samples

Content type
application/json
{ }

DeleteApprovedAccess deletes an entry from the approved list for the given resource.

path Parameters
organization
required
string

Organization name.

cluster
required
string

Cluster name.

Request Body schema: application/json
required
subject
required
string

Subject for which the access request is made.

Responses

Request samples

Content type
application/json
{
  • "subject": "string"
}

Response samples

Content type
application/json
{ }

Approvals_QueryPolicies_variant_1

path Parameters
organization
required
string

Organization name.

cluster
required
string

Cluster name.

Request Body schema: application/json
required
includeDetails
boolean

IncludeDetails indicates whether to include the details of the resources that are part of the policy. When set to true, the name and description of the resource are included in the response.

includePermissions
boolean

IncludePermissions indicates whether to include the user level permissions on resources that are part of the policy. When set to true, the user level permissions are included in the response.

types
required
Array of strings

Type is the type of the resources to query for policies.

Responses

Request samples

Content type
application/json
{
  • "includeDetails": true,
  • "includePermissions": true,
  • "types": [
    ]
}

Response samples

Content type
application/json
{
  • "policies": [
    ]
}

AddAccessRequest adds a new access request entry in the access request list for the given resource. If the policy approval mode is "ALLOW_REQUESTED", access is allowed immediately. If the policy approval mode is "REQUIRE_APPROVAL" access will be pending until the request is approved.

path Parameters
organization
required
string

Organization name.

cluster
required
string

Cluster name.

Request Body schema: application/json
required
required
object (v2Access)

Access is an access request for a subject with a set of permission.

Example: Access { Subject: "organizations/demo/tenants/demo/applications/caller", Permissions: []string{"GET"} }

etag
string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)

Responses

Request samples

Content type
application/json
{
  • "access": {
    },
  • "etag": "string"
}

Response samples

Content type
application/json
{ }

ApproveAccessRequest approves an existing access request for the given resource. Once approved, the request will be removed from the requested list and added to the approved list. If any of the permissions are changed, the requested permissions will be discarded and only the approved permissions will be added to the approved list.

path Parameters
organization
required
string

Organization name.

cluster
required
string

Cluster name.

Request Body schema: application/json
required
required
object (v2Access)

Access is an access request for a subject with a set of permission.

Example: Access { Subject: "organizations/demo/tenants/demo/applications/caller", Permissions: []string{"GET"} }

etag
string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)

Responses

Request samples

Content type
application/json
{
  • "access": {
    },
  • "etag": "string"
}

Response samples

Content type
application/json
{ }

DeleteAccessRequest removes an existing entry from the access request list for the given resource. If the request is already approved, the request no longer exists and this operation will return NotFound. Deleting an approved request should be done using the DeleteApproved operation.

path Parameters
organization
required
string

Organization name.

cluster
required
string

Cluster name.

Request Body schema: application/json
required
subject
required
string

Subject for which the access request is made.

Responses

Request samples

Content type
application/json
{
  • "subject": "string"
}

Response samples

Content type
application/json
{ }

GetPolicy returns the approval policy for the given resource.

path Parameters
organization
required
string

Organization name.

extension
required
string

Extension name.

Responses

Response samples

Content type
application/json
{
  • "etag": "string",
  • "mode": "UNRESTRICTED",
  • "resource": "string",
  • "requested": [
    ],
  • "approved": [
    ],
  • "metadata": {
    }
}

SetPolicy enables authorization policy checks for the given resource and applies any provided request or approval settings. If the resource has existing policies settings, they will be replaced. Once the policy is set, authorization checks will be performed for the given resource.

path Parameters
organization
required
string

Organization name.

extension
required
string

Extension name.

Request Body schema: application/json
required
Array of objects (v2Access)

Approved is a list of subjects that are approved to access the resource.

etag
string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)
object (v2Metadata)

Metadata includes additional information about an ApprovalPolicy or Access entity and their respective resources that they apply to.

mode
required
string (ApprovalPolicyMode)
Default: "UNRESTRICTED"
Enum: "UNRESTRICTED" "ALLOW_REQUESTED" "REQUIRE_APPROVAL"
  • UNRESTRICTED: Allows all subjects in the same policy class to access the resource.
  • ALLOW_REQUESTED: Allows only the subjects in the request and approved list to access the resource.
  • REQUIRE_APPROVAL: Allows only the subjects in the approved list to access the resource.
Array of objects (v2Access)

Requested is a list of subjects that are requested to access the resource but that have not yet been explicitly approved. The access mode of the policy will determine if the subjects in this list are given immediate access to the resource.

Responses

Request samples

Content type
application/json
{
  • "approved": [
    ],
  • "etag": "string",
  • "metadata": {
    },
  • "mode": "UNRESTRICTED",
  • "requested": [
    ]
}

Response samples

Content type
application/json
{ }

DeletePolicy deletes the approval policy configuration for the given resource. When deleted, authorization checks will no longer be performed, the resource will no longer accept approval requests and all existing approvals will be revoked.

path Parameters
organization
required
string

Organization name.

extension
required
string

Extension name.

query Parameters
force
boolean

Force the deletion of internal resources even if they are protected against deletion.

Responses

Response samples

Content type
application/json
{ }

AddApprovedAccess adds a new entry in the approved access list for the given resource.

path Parameters
organization
required
string

Organization name.

extension
required
string

Extension name.

Request Body schema: application/json
required
required
object (v2Access)

Access is an access request for a subject with a set of permission.

Example: Access { Subject: "organizations/demo/tenants/demo/applications/caller", Permissions: []string{"GET"} }

etag
string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)

Responses

Request samples

Content type
application/json
{
  • "access": {
    },
  • "etag": "string"
}

Response samples

Content type
application/json
{ }

DeleteApprovedAccess deletes an entry from the approved list for the given resource.

path Parameters
organization
required
string

Organization name.

extension
required
string

Extension name.

Request Body schema: application/json
required
subject
required
string

Subject for which the access request is made.

Responses

Request samples

Content type
application/json
{
  • "subject": "string"
}

Response samples

Content type
application/json
{ }

Approvals_QueryPolicies_variant_2

path Parameters
organization
required
string

Organization name.

extension
required
string

Extension name.

Request Body schema: application/json
required
includeDetails
boolean

IncludeDetails indicates whether to include the details of the resources that are part of the policy. When set to true, the name and description of the resource are included in the response.

includePermissions
boolean

IncludePermissions indicates whether to include the user level permissions on resources that are part of the policy. When set to true, the user level permissions are included in the response.

types
required
Array of strings

Type is the type of the resources to query for policies.

Responses

Request samples

Content type
application/json
{
  • "includeDetails": true,
  • "includePermissions": true,
  • "types": [
    ]
}

Response samples

Content type
application/json
{
  • "policies": [
    ]
}

AddAccessRequest adds a new access request entry in the access request list for the given resource. If the policy approval mode is "ALLOW_REQUESTED", access is allowed immediately. If the policy approval mode is "REQUIRE_APPROVAL" access will be pending until the request is approved.

path Parameters
organization
required
string

Organization name.

extension
required
string

Extension name.

Request Body schema: application/json
required
required
object (v2Access)

Access is an access request for a subject with a set of permission.

Example: Access { Subject: "organizations/demo/tenants/demo/applications/caller", Permissions: []string{"GET"} }

etag
string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)

Responses

Request samples

Content type
application/json
{
  • "access": {
    },
  • "etag": "string"
}

Response samples

Content type
application/json
{ }

ApproveAccessRequest approves an existing access request for the given resource. Once approved, the request will be removed from the requested list and added to the approved list. If any of the permissions are changed, the requested permissions will be discarded and only the approved permissions will be added to the approved list.

path Parameters
organization
required
string

Organization name.

extension
required
string

Extension name.

Request Body schema: application/json
required
required
object (v2Access)

Access is an access request for a subject with a set of permission.

Example: Access { Subject: "organizations/demo/tenants/demo/applications/caller", Permissions: []string{"GET"} }

etag
string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)

Responses

Request samples

Content type
application/json
{
  • "access": {
    },
  • "etag": "string"
}

Response samples

Content type
application/json
{ }

DeleteAccessRequest removes an existing entry from the access request list for the given resource. If the request is already approved, the request no longer exists and this operation will return NotFound. Deleting an approved request should be done using the DeleteApproved operation.

path Parameters
organization
required
string

Organization name.

extension
required
string

Extension name.

Request Body schema: application/json
required
subject
required
string

Subject for which the access request is made.

Responses

Request samples

Content type
application/json
{
  • "subject": "string"
}

Response samples

Content type
application/json
{ }

GetPolicy returns the approval policy for the given resource.

path Parameters
organization
required
string

Organization name.

serviceaccount
required
string

Serviceaccount name.

Responses

Response samples

Content type
application/json
{
  • "etag": "string",
  • "mode": "UNRESTRICTED",
  • "resource": "string",
  • "requested": [
    ],
  • "approved": [
    ],
  • "metadata": {
    }
}

SetPolicy enables authorization policy checks for the given resource and applies any provided request or approval settings. If the resource has existing policies settings, they will be replaced. Once the policy is set, authorization checks will be performed for the given resource.

path Parameters
organization
required
string

Organization name.

serviceaccount
required
string

Serviceaccount name.

Request Body schema: application/json
required
Array of objects (v2Access)

Approved is a list of subjects that are approved to access the resource.

etag
string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)
object (v2Metadata)

Metadata includes additional information about an ApprovalPolicy or Access entity and their respective resources that they apply to.

mode
required
string (ApprovalPolicyMode)
Default: "UNRESTRICTED"
Enum: "UNRESTRICTED" "ALLOW_REQUESTED" "REQUIRE_APPROVAL"
  • UNRESTRICTED: Allows all subjects in the same policy class to access the resource.
  • ALLOW_REQUESTED: Allows only the subjects in the request and approved list to access the resource.
  • REQUIRE_APPROVAL: Allows only the subjects in the approved list to access the resource.
Array of objects (v2Access)

Requested is a list of subjects that are requested to access the resource but that have not yet been explicitly approved. The access mode of the policy will determine if the subjects in this list are given immediate access to the resource.

Responses

Request samples

Content type
application/json
{
  • "approved": [
    ],
  • "etag": "string",
  • "metadata": {
    },
  • "mode": "UNRESTRICTED",
  • "requested": [
    ]
}

Response samples

Content type
application/json
{ }

DeletePolicy deletes the approval policy configuration for the given resource. When deleted, authorization checks will no longer be performed, the resource will no longer accept approval requests and all existing approvals will be revoked.

path Parameters
organization
required
string

Organization name.

serviceaccount
required
string

Serviceaccount name.

query Parameters
force
boolean

Force the deletion of internal resources even if they are protected against deletion.

Responses

Response samples

Content type
application/json
{ }

AddApprovedAccess adds a new entry in the approved access list for the given resource.

path Parameters
organization
required
string

Organization name.

serviceaccount
required
string

Serviceaccount name.

Request Body schema: application/json
required
required
object (v2Access)

Access is an access request for a subject with a set of permission.

Example: Access { Subject: "organizations/demo/tenants/demo/applications/caller", Permissions: []string{"GET"} }

etag
string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)

Responses

Request samples

Content type
application/json
{
  • "access": {
    },
  • "etag": "string"
}

Response samples

Content type
application/json
{ }

DeleteApprovedAccess deletes an entry from the approved list for the given resource.

path Parameters
organization
required
string

Organization name.

serviceaccount
required
string

Serviceaccount name.

Request Body schema: application/json
required
subject
required
string

Subject for which the access request is made.

Responses

Request samples

Content type
application/json
{
  • "subject": "string"
}

Response samples

Content type
application/json
{ }

Approvals_QueryPolicies_variant_5

path Parameters
organization
required
string

Organization name.

serviceaccount
required
string

Serviceaccount name.

Request Body schema: application/json
required
includeDetails
boolean

IncludeDetails indicates whether to include the details of the resources that are part of the policy. When set to true, the name and description of the resource are included in the response.

includePermissions
boolean

IncludePermissions indicates whether to include the user level permissions on resources that are part of the policy. When set to true, the user level permissions are included in the response.

types
required
Array of strings

Type is the type of the resources to query for policies.

Responses

Request samples

Content type
application/json
{
  • "includeDetails": true,
  • "includePermissions": true,
  • "types": [
    ]
}

Response samples

Content type
application/json
{
  • "policies": [
    ]
}

AddAccessRequest adds a new access request entry in the access request list for the given resource. If the policy approval mode is "ALLOW_REQUESTED", access is allowed immediately. If the policy approval mode is "REQUIRE_APPROVAL" access will be pending until the request is approved.

path Parameters
organization
required
string

Organization name.

serviceaccount
required
string

Serviceaccount name.

Request Body schema: application/json
required
required
object (v2Access)

Access is an access request for a subject with a set of permission.

Example: Access { Subject: "organizations/demo/tenants/demo/applications/caller", Permissions: []string{"GET"} }

etag
string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)

Responses

Request samples

Content type
application/json
{
  • "access": {
    },
  • "etag": "string"
}

Response samples

Content type
application/json
{ }

ApproveAccessRequest approves an existing access request for the given resource. Once approved, the request will be removed from the requested list and added to the approved list. If any of the permissions are changed, the requested permissions will be discarded and only the approved permissions will be added to the approved list.

path Parameters
organization
required
string

Organization name.

serviceaccount
required
string

Serviceaccount name.

Request Body schema: application/json
required
required
object (v2Access)

Access is an access request for a subject with a set of permission.

Example: Access { Subject: "organizations/demo/tenants/demo/applications/caller", Permissions: []string{"GET"} }

etag
string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)

Responses

Request samples

Content type
application/json
{
  • "access": {
    },
  • "etag": "string"
}

Response samples

Content type
application/json
{ }

DeleteAccessRequest removes an existing entry from the access request list for the given resource. If the request is already approved, the request no longer exists and this operation will return NotFound. Deleting an approved request should be done using the DeleteApproved operation.

path Parameters
organization
required
string

Organization name.

serviceaccount
required
string

Serviceaccount name.

Request Body schema: application/json
required
subject
required
string

Subject for which the access request is made.

Responses

Request samples

Content type
application/json
{
  • "subject": "string"
}

Response samples

Content type
application/json
{ }

GetPolicy returns the approval policy for the given resource.

path Parameters
organization
required
string

Organization name.

service
required
string

Service name.

Responses

Response samples

Content type
application/json
{
  • "etag": "string",
  • "mode": "UNRESTRICTED",
  • "resource": "string",
  • "requested": [
    ],
  • "approved": [
    ],
  • "metadata": {
    }
}

SetPolicy enables authorization policy checks for the given resource and applies any provided request or approval settings. If the resource has existing policies settings, they will be replaced. Once the policy is set, authorization checks will be performed for the given resource.

path Parameters
organization
required
string

Organization name.

service
required
string

Service name.

Request Body schema: application/json
required
Array of objects (v2Access)

Approved is a list of subjects that are approved to access the resource.

etag
string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)
object (v2Metadata)

Metadata includes additional information about an ApprovalPolicy or Access entity and their respective resources that they apply to.

mode
required
string (ApprovalPolicyMode)
Default: "UNRESTRICTED"
Enum: "UNRESTRICTED" "ALLOW_REQUESTED" "REQUIRE_APPROVAL"
  • UNRESTRICTED: Allows all subjects in the same policy class to access the resource.
  • ALLOW_REQUESTED: Allows only the subjects in the request and approved list to access the resource.
  • REQUIRE_APPROVAL: Allows only the subjects in the approved list to access the resource.
Array of objects (v2Access)

Requested is a list of subjects that are requested to access the resource but that have not yet been explicitly approved. The access mode of the policy will determine if the subjects in this list are given immediate access to the resource.

Responses

Request samples

Content type
application/json
{
  • "approved": [
    ],
  • "etag": "string",
  • "metadata": {
    },
  • "mode": "UNRESTRICTED",
  • "requested": [
    ]
}

Response samples

Content type
application/json
{ }

DeletePolicy deletes the approval policy configuration for the given resource. When deleted, authorization checks will no longer be performed, the resource will no longer accept approval requests and all existing approvals will be revoked.

path Parameters
organization
required
string

Organization name.

service
required
string

Service name.

query Parameters
force
boolean

Force the deletion of internal resources even if they are protected against deletion.

Responses

Response samples

Content type
application/json
{ }

AddApprovedAccess adds a new entry in the approved access list for the given resource.

path Parameters
organization
required
string

Organization name.

service
required
string

Service name.

Request Body schema: application/json
required
required
object (v2Access)

Access is an access request for a subject with a set of permission.

Example: Access { Subject: "organizations/demo/tenants/demo/applications/caller", Permissions: []string{"GET"} }

etag
string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)

Responses

Request samples

Content type
application/json
{
  • "access": {
    },
  • "etag": "string"
}

Response samples

Content type
application/json
{ }

DeleteApprovedAccess deletes an entry from the approved list for the given resource.

path Parameters
organization
required
string

Organization name.

service
required
string

Service name.

Request Body schema: application/json
required
subject
required
string

Subject for which the access request is made.

Responses

Request samples

Content type
application/json
{
  • "subject": "string"
}

Response samples

Content type
application/json
{ }

Approvals_QueryPolicies_variant_3

path Parameters
organization
required
string

Organization name.

service
required
string

Service name.

Request Body schema: application/json
required
includeDetails
boolean

IncludeDetails indicates whether to include the details of the resources that are part of the policy. When set to true, the name and description of the resource are included in the response.

includePermissions
boolean

IncludePermissions indicates whether to include the user level permissions on resources that are part of the policy. When set to true, the user level permissions are included in the response.

types
required
Array of strings

Type is the type of the resources to query for policies.

Responses

Request samples

Content type
application/json
{
  • "includeDetails": true,
  • "includePermissions": true,
  • "types": [
    ]
}

Response samples

Content type
application/json
{
  • "policies": [
    ]
}

AddAccessRequest adds a new access request entry in the access request list for the given resource. If the policy approval mode is "ALLOW_REQUESTED", access is allowed immediately. If the policy approval mode is "REQUIRE_APPROVAL" access will be pending until the request is approved.

path Parameters
organization
required
string

Organization name.

service
required
string

Service name.

Request Body schema: application/json
required
required
object (v2Access)

Access is an access request for a subject with a set of permission.

Example: Access { Subject: "organizations/demo/tenants/demo/applications/caller", Permissions: []string{"GET"} }

etag
string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)

Responses

Request samples

Content type
application/json
{
  • "access": {
    },
  • "etag": "string"
}

Response samples

Content type
application/json
{ }

ApproveAccessRequest approves an existing access request for the given resource. Once approved, the request will be removed from the requested list and added to the approved list. If any of the permissions are changed, the requested permissions will be discarded and only the approved permissions will be added to the approved list.

path Parameters
organization
required
string

Organization name.

service
required
string

Service name.

Request Body schema: application/json
required
required
object (v2Access)

Access is an access request for a subject with a set of permission.

Example: Access { Subject: "organizations/demo/tenants/demo/applications/caller", Permissions: []string{"GET"} }

etag
string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)

Responses

Request samples

Content type
application/json
{
  • "access": {
    },
  • "etag": "string"
}

Response samples

Content type
application/json
{ }

DeleteAccessRequest removes an existing entry from the access request list for the given resource. If the request is already approved, the request no longer exists and this operation will return NotFound. Deleting an approved request should be done using the DeleteApproved operation.

path Parameters
organization
required
string

Organization name.

service
required
string

Service name.

Request Body schema: application/json
required
subject
required
string

Subject for which the access request is made.

Responses

Request samples

Content type
application/json
{
  • "subject": "string"
}

Response samples

Content type
application/json
{ }

GetPolicy returns the approval policy for the given resource.

path Parameters
organization
required
string

Organization name.

setting
required
string

Setting name.

Responses

Response samples

Content type
application/json
{
  • "etag": "string",
  • "mode": "UNRESTRICTED",
  • "resource": "string",
  • "requested": [
    ],
  • "approved": [
    ],
  • "metadata": {
    }
}

SetPolicy enables authorization policy checks for the given resource and applies any provided request or approval settings. If the resource has existing policies settings, they will be replaced. Once the policy is set, authorization checks will be performed for the given resource.

path Parameters
organization
required
string

Organization name.

setting
required
string

Setting name.

Request Body schema: application/json
required
Array of objects (v2Access)

Approved is a list of subjects that are approved to access the resource.

etag
string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)
object (v2Metadata)

Metadata includes additional information about an ApprovalPolicy or Access entity and their respective resources that they apply to.

mode
required
string (ApprovalPolicyMode)
Default: "UNRESTRICTED"
Enum: "UNRESTRICTED" "ALLOW_REQUESTED" "REQUIRE_APPROVAL"
  • UNRESTRICTED: Allows all subjects in the same policy class to access the resource.
  • ALLOW_REQUESTED: Allows only the subjects in the request and approved list to access the resource.
  • REQUIRE_APPROVAL: Allows only the subjects in the approved list to access the resource.
Array of objects (v2Access)

Requested is a list of subjects that are requested to access the resource but that have not yet been explicitly approved. The access mode of the policy will determine if the subjects in this list are given immediate access to the resource.

Responses

Request samples

Content type
application/json
{
  • "approved": [
    ],
  • "etag": "string",
  • "metadata": {
    },
  • "mode": "UNRESTRICTED",
  • "requested": [
    ]
}

Response samples

Content type
application/json
{ }

DeletePolicy deletes the approval policy configuration for the given resource. When deleted, authorization checks will no longer be performed, the resource will no longer accept approval requests and all existing approvals will be revoked.

path Parameters
organization
required
string

Organization name.

setting
required
string

Setting name.

query Parameters
force
boolean

Force the deletion of internal resources even if they are protected against deletion.

Responses

Response samples

Content type
application/json
{ }

AddApprovedAccess adds a new entry in the approved access list for the given resource.

path Parameters
organization
required
string

Organization name.

setting
required
string

Setting name.

Request Body schema: application/json
required
required
object (v2Access)

Access is an access request for a subject with a set of permission.

Example: Access { Subject: "organizations/demo/tenants/demo/applications/caller", Permissions: []string{"GET"} }

etag
string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)

Responses

Request samples

Content type
application/json
{
  • "access": {
    },
  • "etag": "string"
}

Response samples

Content type
application/json
{ }

DeleteApprovedAccess deletes an entry from the approved list for the given resource.

path Parameters
organization
required
string

Organization name.

setting
required
string

Setting name.

Request Body schema: application/json
required
subject
required
string

Subject for which the access request is made.

Responses

Request samples

Content type
application/json
{
  • "subject": "string"
}

Response samples

Content type
application/json
{ }

Approvals_QueryPolicies_variant_4

path Parameters
organization
required
string

Organization name.

setting
required
string

Setting name.

Request Body schema: application/json
required
includeDetails
boolean

IncludeDetails indicates whether to include the details of the resources that are part of the policy. When set to true, the name and description of the resource are included in the response.

includePermissions
boolean

IncludePermissions indicates whether to include the user level permissions on resources that are part of the policy. When set to true, the user level permissions are included in the response.

types
required
Array of strings

Type is the type of the resources to query for policies.

Responses

Request samples

Content type
application/json
{
  • "includeDetails": true,
  • "includePermissions": true,
  • "types": [
    ]
}

Response samples

Content type
application/json
{
  • "policies": [
    ]
}

AddAccessRequest adds a new access request entry in the access request list for the given resource. If the policy approval mode is "ALLOW_REQUESTED", access is allowed immediately. If the policy approval mode is "REQUIRE_APPROVAL" access will be pending until the request is approved.

path Parameters
organization
required
string

Organization name.

setting
required
string

Setting name.

Request Body schema: application/json
required
required
object (v2Access)

Access is an access request for a subject with a set of permission.

Example: Access { Subject: "organizations/demo/tenants/demo/applications/caller", Permissions: []string{"GET"} }

etag
string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)

Responses

Request samples

Content type
application/json
{
  • "access": {
    },
  • "etag": "string"
}

Response samples

Content type
application/json
{ }

ApproveAccessRequest approves an existing access request for the given resource. Once approved, the request will be removed from the requested list and added to the approved list. If any of the permissions are changed, the requested permissions will be discarded and only the approved permissions will be added to the approved list.

path Parameters
organization
required
string

Organization name.

setting
required
string

Setting name.

Request Body schema: application/json
required
required
object (v2Access)

Access is an access request for a subject with a set of permission.

Example: Access { Subject: "organizations/demo/tenants/demo/applications/caller", Permissions: []string{"GET"} }

etag
string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)

Responses

Request samples

Content type
application/json
{
  • "access": {
    },
  • "etag": "string"
}

Response samples

Content type
application/json
{ }

DeleteAccessRequest removes an existing entry from the access request list for the given resource. If the request is already approved, the request no longer exists and this operation will return NotFound. Deleting an approved request should be done using the DeleteApproved operation.

path Parameters
organization
required
string

Organization name.

setting
required
string

Setting name.

Request Body schema: application/json
required
subject
required
string

Subject for which the access request is made.

Responses

Request samples

Content type
application/json
{
  • "subject": "string"
}

Response samples

Content type
application/json
{ }

GetPolicy returns the approval policy for the given resource.

path Parameters
organization
required
string

Organization name.

team
required
string

Team name.

Responses

Response samples

Content type
application/json
{
  • "etag": "string",
  • "mode": "UNRESTRICTED",
  • "resource": "string",
  • "requested": [
    ],
  • "approved": [
    ],
  • "metadata": {
    }
}

SetPolicy enables authorization policy checks for the given resource and applies any provided request or approval settings. If the resource has existing policies settings, they will be replaced. Once the policy is set, authorization checks will be performed for the given resource.

path Parameters
organization
required
string

Organization name.

team
required
string

Team name.

Request Body schema: application/json
required
Array of objects (v2Access)

Approved is a list of subjects that are approved to access the resource.

etag
string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)
object (v2Metadata)

Metadata includes additional information about an ApprovalPolicy or Access entity and their respective resources that they apply to.

mode
required
string (ApprovalPolicyMode)
Default: "UNRESTRICTED"
Enum: "UNRESTRICTED" "ALLOW_REQUESTED" "REQUIRE_APPROVAL"
  • UNRESTRICTED: Allows all subjects in the same policy class to access the resource.
  • ALLOW_REQUESTED: Allows only the subjects in the request and approved list to access the resource.
  • REQUIRE_APPROVAL: Allows only the subjects in the approved list to access the resource.
Array of objects (v2Access)

Requested is a list of subjects that are requested to access the resource but that have not yet been explicitly approved. The access mode of the policy will determine if the subjects in this list are given immediate access to the resource.

Responses

Request samples

Content type
application/json
{
  • "approved": [
    ],
  • "etag": "string",
  • "metadata": {
    },
  • "mode": "UNRESTRICTED",
  • "requested": [
    ]
}

Response samples

Content type
application/json
{ }

DeletePolicy deletes the approval policy configuration for the given resource. When deleted, authorization checks will no longer be performed, the resource will no longer accept approval requests and all existing approvals will be revoked.

path Parameters
organization
required
string

Organization name.

team
required
string

Team name.

query Parameters
force
boolean

Force the deletion of internal resources even if they are protected against deletion.

Responses

Response samples

Content type
application/json
{ }

AddApprovedAccess adds a new entry in the approved access list for the given resource.

path Parameters
organization
required
string

Organization name.

team
required
string

Team name.

Request Body schema: application/json
required
required
object (v2Access)

Access is an access request for a subject with a set of permission.

Example: Access { Subject: "organizations/demo/tenants/demo/applications/caller", Permissions: []string{"GET"} }

etag
string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)

Responses

Request samples

Content type
application/json
{
  • "access": {
    },
  • "etag": "string"
}

Response samples

Content type
application/json
{ }

DeleteApprovedAccess deletes an entry from the approved list for the given resource.

path Parameters
organization
required
string

Organization name.

team
required
string

Team name.

Request Body schema: application/json
required
subject
required
string

Subject for which the access request is made.

Responses

Request samples

Content type
application/json
{
  • "subject": "string"
}

Response samples

Content type
application/json
{ }

Approvals_QueryPolicies_variant_6

path Parameters
organization
required
string

Organization name.

team
required
string

Team name.

Request Body schema: application/json
required
includeDetails
boolean

IncludeDetails indicates whether to include the details of the resources that are part of the policy. When set to true, the name and description of the resource are included in the response.

includePermissions
boolean

IncludePermissions indicates whether to include the user level permissions on resources that are part of the policy. When set to true, the user level permissions are included in the response.

types
required
Array of strings

Type is the type of the resources to query for policies.

Responses

Request samples

Content type
application/json
{
  • "includeDetails": true,
  • "includePermissions": true,
  • "types": [
    ]
}

Response samples

Content type
application/json
{
  • "policies": [
    ]
}

AddAccessRequest adds a new access request entry in the access request list for the given resource. If the policy approval mode is "ALLOW_REQUESTED", access is allowed immediately. If the policy approval mode is "REQUIRE_APPROVAL" access will be pending until the request is approved.

path Parameters
organization
required
string

Organization name.

team
required
string

Team name.

Request Body schema: application/json
required
required
object (v2Access)

Access is an access request for a subject with a set of permission.

Example: Access { Subject: "organizations/demo/tenants/demo/applications/caller", Permissions: []string{"GET"} }

etag
string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)

Responses

Request samples

Content type
application/json
{
  • "access": {
    },
  • "etag": "string"
}

Response samples

Content type
application/json
{ }

ApproveAccessRequest approves an existing access request for the given resource. Once approved, the request will be removed from the requested list and added to the approved list. If any of the permissions are changed, the requested permissions will be discarded and only the approved permissions will be added to the approved list.

path Parameters
organization
required
string

Organization name.

team
required
string

Team name.

Request Body schema: application/json
required
required
object (v2Access)

Access is an access request for a subject with a set of permission.

Example: Access { Subject: "organizations/demo/tenants/demo/applications/caller", Permissions: []string{"GET"} }

etag
string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)

Responses

Request samples

Content type
application/json
{
  • "access": {
    },
  • "etag": "string"
}

Response samples

Content type
application/json
{ }

DeleteAccessRequest removes an existing entry from the access request list for the given resource. If the request is already approved, the request no longer exists and this operation will return NotFound. Deleting an approved request should be done using the DeleteApproved operation.

path Parameters
organization
required
string

Organization name.

team
required
string

Team name.

Request Body schema: application/json
required
subject
required
string

Subject for which the access request is made.

Responses

Request samples

Content type
application/json
{
  • "subject": "string"
}

Response samples

Content type
application/json
{ }

GetPolicy returns the approval policy for the given resource.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

application
required
string

Application name.

api
required
string

Api name.

Responses

Response samples

Content type
application/json
{
  • "etag": "string",
  • "mode": "UNRESTRICTED",
  • "resource": "string",
  • "requested": [
    ],
  • "approved": [
    ],
  • "metadata": {
    }
}

SetPolicy enables authorization policy checks for the given resource and applies any provided request or approval settings. If the resource has existing policies settings, they will be replaced. Once the policy is set, authorization checks will be performed for the given resource.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

application
required
string

Application name.

api
required
string

Api name.

Request Body schema: application/json
required
Array of objects (v2Access)

Approved is a list of subjects that are approved to access the resource.

etag
string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)
object (v2Metadata)

Metadata includes additional information about an ApprovalPolicy or Access entity and their respective resources that they apply to.

mode
required
string (ApprovalPolicyMode)
Default: "UNRESTRICTED"
Enum: "UNRESTRICTED" "ALLOW_REQUESTED" "REQUIRE_APPROVAL"
  • UNRESTRICTED: Allows all subjects in the same policy class to access the resource.
  • ALLOW_REQUESTED: Allows only the subjects in the request and approved list to access the resource.
  • REQUIRE_APPROVAL: Allows only the subjects in the approved list to access the resource.
Array of objects (v2Access)

Requested is a list of subjects that are requested to access the resource but that have not yet been explicitly approved. The access mode of the policy will determine if the subjects in this list are given immediate access to the resource.

Responses

Request samples

Content type
application/json
{
  • "approved": [
    ],
  • "etag": "string",
  • "metadata": {
    },
  • "mode": "UNRESTRICTED",
  • "requested": [
    ]
}

Response samples

Content type
application/json
{ }

DeletePolicy deletes the approval policy configuration for the given resource. When deleted, authorization checks will no longer be performed, the resource will no longer accept approval requests and all existing approvals will be revoked.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

application
required
string

Application name.

api
required
string

Api name.

query Parameters
force
boolean

Force the deletion of internal resources even if they are protected against deletion.

Responses

Response samples

Content type
application/json
{ }

AddApprovedAccess adds a new entry in the approved access list for the given resource.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

application
required
string

Application name.

api
required
string

Api name.

Request Body schema: application/json
required
required
object (v2Access)

Access is an access request for a subject with a set of permission.

Example: Access { Subject: "organizations/demo/tenants/demo/applications/caller", Permissions: []string{"GET"} }

etag
string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)

Responses

Request samples

Content type
application/json
{
  • "access": {
    },
  • "etag": "string"
}

Response samples

Content type
application/json
{ }

DeleteApprovedAccess deletes an entry from the approved list for the given resource.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

application
required
string

Application name.

api
required
string

Api name.

Request Body schema: application/json
required
subject
required
string

Subject for which the access request is made.

Responses

Request samples

Content type
application/json
{
  • "subject": "string"
}

Response samples

Content type
application/json
{ }

Approvals_QueryPolicies_variant_10

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

application
required
string

Application name.

api
required
string

Api name.

Request Body schema: application/json
required
includeDetails
boolean

IncludeDetails indicates whether to include the details of the resources that are part of the policy. When set to true, the name and description of the resource are included in the response.

includePermissions
boolean

IncludePermissions indicates whether to include the user level permissions on resources that are part of the policy. When set to true, the user level permissions are included in the response.

types
required
Array of strings

Type is the type of the resources to query for policies.

Responses

Request samples

Content type
application/json
{
  • "includeDetails": true,
  • "includePermissions": true,
  • "types": [
    ]
}

Response samples

Content type
application/json
{
  • "policies": [
    ]
}

AddAccessRequest adds a new access request entry in the access request list for the given resource. If the policy approval mode is "ALLOW_REQUESTED", access is allowed immediately. If the policy approval mode is "REQUIRE_APPROVAL" access will be pending until the request is approved.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

application
required
string

Application name.

api
required
string

Api name.

Request Body schema: application/json
required
required
object (v2Access)

Access is an access request for a subject with a set of permission.

Example: Access { Subject: "organizations/demo/tenants/demo/applications/caller", Permissions: []string{"GET"} }

etag
string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)

Responses

Request samples

Content type
application/json
{
  • "access": {
    },
  • "etag": "string"
}

Response samples

Content type
application/json
{ }

ApproveAccessRequest approves an existing access request for the given resource. Once approved, the request will be removed from the requested list and added to the approved list. If any of the permissions are changed, the requested permissions will be discarded and only the approved permissions will be added to the approved list.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

application
required
string

Application name.

api
required
string

Api name.

Request Body schema: application/json
required
required
object (v2Access)

Access is an access request for a subject with a set of permission.

Example: Access { Subject: "organizations/demo/tenants/demo/applications/caller", Permissions: []string{"GET"} }

etag
string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)

Responses

Request samples

Content type
application/json
{
  • "access": {
    },
  • "etag": "string"
}

Response samples

Content type
application/json
{ }

DeleteAccessRequest removes an existing entry from the access request list for the given resource. If the request is already approved, the request no longer exists and this operation will return NotFound. Deleting an approved request should be done using the DeleteApproved operation.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

application
required
string

Application name.

api
required
string

Api name.

Request Body schema: application/json
required
subject
required
string

Subject for which the access request is made.

Responses

Request samples

Content type
application/json
{
  • "subject": "string"
}

Response samples

Content type
application/json
{ }

GetPolicy returns the approval policy for the given resource.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

application
required
string

Application name.

Responses

Response samples

Content type
application/json
{
  • "etag": "string",
  • "mode": "UNRESTRICTED",
  • "resource": "string",
  • "requested": [
    ],
  • "approved": [
    ],
  • "metadata": {
    }
}

SetPolicy enables authorization policy checks for the given resource and applies any provided request or approval settings. If the resource has existing policies settings, they will be replaced. Once the policy is set, authorization checks will be performed for the given resource.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

application
required
string

Application name.

Request Body schema: application/json
required
Array of objects (v2Access)

Approved is a list of subjects that are approved to access the resource.

etag
string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)
object (v2Metadata)

Metadata includes additional information about an ApprovalPolicy or Access entity and their respective resources that they apply to.

mode
required
string (ApprovalPolicyMode)
Default: "UNRESTRICTED"
Enum: "UNRESTRICTED" "ALLOW_REQUESTED" "REQUIRE_APPROVAL"
  • UNRESTRICTED: Allows all subjects in the same policy class to access the resource.
  • ALLOW_REQUESTED: Allows only the subjects in the request and approved list to access the resource.
  • REQUIRE_APPROVAL: Allows only the subjects in the approved list to access the resource.
Array of objects (v2Access)

Requested is a list of subjects that are requested to access the resource but that have not yet been explicitly approved. The access mode of the policy will determine if the subjects in this list are given immediate access to the resource.

Responses

Request samples

Content type
application/json
{
  • "approved": [
    ],
  • "etag": "string",
  • "metadata": {
    },
  • "mode": "UNRESTRICTED",
  • "requested": [
    ]
}

Response samples

Content type
application/json
{ }

DeletePolicy deletes the approval policy configuration for the given resource. When deleted, authorization checks will no longer be performed, the resource will no longer accept approval requests and all existing approvals will be revoked.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

application
required
string

Application name.

query Parameters
force
boolean

Force the deletion of internal resources even if they are protected against deletion.

Responses

Response samples

Content type
application/json
{ }

AddApprovedAccess adds a new entry in the approved access list for the given resource.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

application
required
string

Application name.

Request Body schema: application/json
required
required
object (v2Access)

Access is an access request for a subject with a set of permission.

Example: Access { Subject: "organizations/demo/tenants/demo/applications/caller", Permissions: []string{"GET"} }

etag
string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)

Responses

Request samples

Content type
application/json
{
  • "access": {
    },
  • "etag": "string"
}

Response samples

Content type
application/json
{ }

DeleteApprovedAccess deletes an entry from the approved list for the given resource.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

application
required
string

Application name.

Request Body schema: application/json
required
subject
required
string

Subject for which the access request is made.

Responses

Request samples

Content type
application/json
{
  • "subject": "string"
}

Response samples

Content type
application/json
{ }

Approvals_QueryPolicies_variant_9

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

application
required
string

Application name.

Request Body schema: application/json
required
includeDetails
boolean

IncludeDetails indicates whether to include the details of the resources that are part of the policy. When set to true, the name and description of the resource are included in the response.

includePermissions
boolean

IncludePermissions indicates whether to include the user level permissions on resources that are part of the policy. When set to true, the user level permissions are included in the response.

types
required
Array of strings

Type is the type of the resources to query for policies.

Responses

Request samples

Content type
application/json
{
  • "includeDetails": true,
  • "includePermissions": true,
  • "types": [
    ]
}

Response samples

Content type
application/json
{
  • "policies": [
    ]
}

AddAccessRequest adds a new access request entry in the access request list for the given resource. If the policy approval mode is "ALLOW_REQUESTED", access is allowed immediately. If the policy approval mode is "REQUIRE_APPROVAL" access will be pending until the request is approved.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

application
required
string

Application name.

Request Body schema: application/json
required
required
object (v2Access)

Access is an access request for a subject with a set of permission.

Example: Access { Subject: "organizations/demo/tenants/demo/applications/caller", Permissions: []string{"GET"} }

etag
string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)

Responses

Request samples

Content type
application/json
{
  • "access": {
    },
  • "etag": "string"
}

Response samples

Content type
application/json
{ }

ApproveAccessRequest approves an existing access request for the given resource. Once approved, the request will be removed from the requested list and added to the approved list. If any of the permissions are changed, the requested permissions will be discarded and only the approved permissions will be added to the approved list.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

application
required
string

Application name.

Request Body schema: application/json
required
required
object (v2Access)

Access is an access request for a subject with a set of permission.

Example: Access { Subject: "organizations/demo/tenants/demo/applications/caller", Permissions: []string{"GET"} }

etag
string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)

Responses

Request samples

Content type
application/json
{
  • "access": {
    },
  • "etag": "string"
}

Response samples

Content type
application/json
{ }

DeleteAccessRequest removes an existing entry from the access request list for the given resource. If the request is already approved, the request no longer exists and this operation will return NotFound. Deleting an approved request should be done using the DeleteApproved operation.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

application
required
string

Application name.

Request Body schema: application/json
required
subject
required
string

Subject for which the access request is made.

Responses

Request samples

Content type
application/json
{
  • "subject": "string"
}

Response samples

Content type
application/json
{ }

GetPolicy returns the approval policy for the given resource.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

Responses

Response samples

Content type
application/json
{
  • "etag": "string",
  • "mode": "UNRESTRICTED",
  • "resource": "string",
  • "requested": [
    ],
  • "approved": [
    ],
  • "metadata": {
    }
}

SetPolicy enables authorization policy checks for the given resource and applies any provided request or approval settings. If the resource has existing policies settings, they will be replaced. Once the policy is set, authorization checks will be performed for the given resource.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

Request Body schema: application/json
required
Array of objects (v2Access)

Approved is a list of subjects that are approved to access the resource.

etag
string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)
object (v2Metadata)

Metadata includes additional information about an ApprovalPolicy or Access entity and their respective resources that they apply to.

mode
required
string (ApprovalPolicyMode)
Default: "UNRESTRICTED"
Enum: "UNRESTRICTED" "ALLOW_REQUESTED" "REQUIRE_APPROVAL"
  • UNRESTRICTED: Allows all subjects in the same policy class to access the resource.
  • ALLOW_REQUESTED: Allows only the subjects in the request and approved list to access the resource.
  • REQUIRE_APPROVAL: Allows only the subjects in the approved list to access the resource.
Array of objects (v2Access)

Requested is a list of subjects that are requested to access the resource but that have not yet been explicitly approved. The access mode of the policy will determine if the subjects in this list are given immediate access to the resource.

Responses

Request samples

Content type
application/json
{
  • "approved": [
    ],
  • "etag": "string",
  • "metadata": {
    },
  • "mode": "UNRESTRICTED",
  • "requested": [
    ]
}

Response samples

Content type
application/json
{ }

DeletePolicy deletes the approval policy configuration for the given resource. When deleted, authorization checks will no longer be performed, the resource will no longer accept approval requests and all existing approvals will be revoked.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

query Parameters
force
boolean

Force the deletion of internal resources even if they are protected against deletion.

Responses

Response samples

Content type
application/json
{ }

AddApprovedAccess adds a new entry in the approved access list for the given resource.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

Request Body schema: application/json
required
required
object (v2Access)

Access is an access request for a subject with a set of permission.

Example: Access { Subject: "organizations/demo/tenants/demo/applications/caller", Permissions: []string{"GET"} }

etag
string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)

Responses

Request samples

Content type
application/json
{
  • "access": {
    },
  • "etag": "string"
}

Response samples

Content type
application/json
{ }

DeleteApprovedAccess deletes an entry from the approved list for the given resource.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

Request Body schema: application/json
required
subject
required
string

Subject for which the access request is made.

Responses

Request samples

Content type
application/json
{
  • "subject": "string"
}

Response samples

Content type
application/json
{ }

Approvals_QueryPolicies_variant_8

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

Request Body schema: application/json
required
includeDetails
boolean

IncludeDetails indicates whether to include the details of the resources that are part of the policy. When set to true, the name and description of the resource are included in the response.

includePermissions
boolean

IncludePermissions indicates whether to include the user level permissions on resources that are part of the policy. When set to true, the user level permissions are included in the response.

types
required
Array of strings

Type is the type of the resources to query for policies.

Responses

Request samples

Content type
application/json
{
  • "includeDetails": true,
  • "includePermissions": true,
  • "types": [
    ]
}

Response samples

Content type
application/json
{
  • "policies": [
    ]
}

AddAccessRequest adds a new access request entry in the access request list for the given resource. If the policy approval mode is "ALLOW_REQUESTED", access is allowed immediately. If the policy approval mode is "REQUIRE_APPROVAL" access will be pending until the request is approved.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

Request Body schema: application/json
required
required
object (v2Access)

Access is an access request for a subject with a set of permission.

Example: Access { Subject: "organizations/demo/tenants/demo/applications/caller", Permissions: []string{"GET"} }

etag
string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)

Responses

Request samples

Content type
application/json
{
  • "access": {
    },
  • "etag": "string"
}

Response samples

Content type
application/json
{ }

ApproveAccessRequest approves an existing access request for the given resource. Once approved, the request will be removed from the requested list and added to the approved list. If any of the permissions are changed, the requested permissions will be discarded and only the approved permissions will be added to the approved list.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

Request Body schema: application/json
required
required
object (v2Access)

Access is an access request for a subject with a set of permission.

Example: Access { Subject: "organizations/demo/tenants/demo/applications/caller", Permissions: []string{"GET"} }

etag
string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)

Responses

Request samples

Content type
application/json
{
  • "access": {
    },
  • "etag": "string"
}

Response samples

Content type
application/json
{ }

DeleteAccessRequest removes an existing entry from the access request list for the given resource. If the request is already approved, the request no longer exists and this operation will return NotFound. Deleting an approved request should be done using the DeleteApproved operation.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

Request Body schema: application/json
required
subject
required
string

Subject for which the access request is made.

Responses

Request samples

Content type
application/json
{
  • "subject": "string"
}

Response samples

Content type
application/json
{ }

GetPolicy returns the approval policy for the given resource.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

setting
required
string

Setting name.

Responses

Response samples

Content type
application/json
{
  • "etag": "string",
  • "mode": "UNRESTRICTED",
  • "resource": "string",
  • "requested": [
    ],
  • "approved": [
    ],
  • "metadata": {
    }
}

SetPolicy enables authorization policy checks for the given resource and applies any provided request or approval settings. If the resource has existing policies settings, they will be replaced. Once the policy is set, authorization checks will be performed for the given resource.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

setting
required
string

Setting name.

Request Body schema: application/json
required
Array of objects (v2Access)

Approved is a list of subjects that are approved to access the resource.

etag
string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)
object (v2Metadata)

Metadata includes additional information about an ApprovalPolicy or Access entity and their respective resources that they apply to.

mode
required
string (ApprovalPolicyMode)
Default: "UNRESTRICTED"
Enum: "UNRESTRICTED" "ALLOW_REQUESTED" "REQUIRE_APPROVAL"
  • UNRESTRICTED: Allows all subjects in the same policy class to access the resource.
  • ALLOW_REQUESTED: Allows only the subjects in the request and approved list to access the resource.
  • REQUIRE_APPROVAL: Allows only the subjects in the approved list to access the resource.
Array of objects (v2Access)

Requested is a list of subjects that are requested to access the resource but that have not yet been explicitly approved. The access mode of the policy will determine if the subjects in this list are given immediate access to the resource.

Responses

Request samples

Content type
application/json
{
  • "approved": [
    ],
  • "etag": "string",
  • "metadata": {
    },
  • "mode": "UNRESTRICTED",
  • "requested": [
    ]
}

Response samples

Content type
application/json
{ }

DeletePolicy deletes the approval policy configuration for the given resource. When deleted, authorization checks will no longer be performed, the resource will no longer accept approval requests and all existing approvals will be revoked.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

setting
required
string

Setting name.

query Parameters
force
boolean

Force the deletion of internal resources even if they are protected against deletion.

Responses

Response samples

Content type
application/json
{ }

AddApprovedAccess adds a new entry in the approved access list for the given resource.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

setting
required
string

Setting name.

Request Body schema: application/json
required
required
object (v2Access)

Access is an access request for a subject with a set of permission.

Example: Access { Subject: "organizations/demo/tenants/demo/applications/caller", Permissions: []string{"GET"} }

etag
string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)

Responses

Request samples

Content type
application/json
{
  • "access": {
    },
  • "etag": "string"
}

Response samples

Content type
application/json
{ }

DeleteApprovedAccess deletes an entry from the approved list for the given resource.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

setting
required
string

Setting name.

Request Body schema: application/json
required
subject
required
string

Subject for which the access request is made.

Responses

Request samples

Content type
application/json
{
  • "subject": "string"
}

Response samples

Content type
application/json
{ }

Approvals_QueryPolicies_variant_11

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

setting
required
string

Setting name.

Request Body schema: application/json
required
includeDetails
boolean

IncludeDetails indicates whether to include the details of the resources that are part of the policy. When set to true, the name and description of the resource are included in the response.

includePermissions
boolean

IncludePermissions indicates whether to include the user level permissions on resources that are part of the policy. When set to true, the user level permissions are included in the response.

types
required
Array of strings

Type is the type of the resources to query for policies.

Responses

Request samples

Content type
application/json
{
  • "includeDetails": true,
  • "includePermissions": true,
  • "types": [
    ]
}

Response samples

Content type
application/json
{
  • "policies": [
    ]
}

AddAccessRequest adds a new access request entry in the access request list for the given resource. If the policy approval mode is "ALLOW_REQUESTED", access is allowed immediately. If the policy approval mode is "REQUIRE_APPROVAL" access will be pending until the request is approved.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

setting
required
string

Setting name.

Request Body schema: application/json
required
required
object (v2Access)

Access is an access request for a subject with a set of permission.

Example: Access { Subject: "organizations/demo/tenants/demo/applications/caller", Permissions: []string{"GET"} }

etag
string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)

Responses

Request samples

Content type
application/json
{
  • "access": {
    },
  • "etag": "string"
}

Response samples

Content type
application/json
{ }

ApproveAccessRequest approves an existing access request for the given resource. Once approved, the request will be removed from the requested list and added to the approved list. If any of the permissions are changed, the requested permissions will be discarded and only the approved permissions will be added to the approved list.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

setting
required
string

Setting name.

Request Body schema: application/json
required
required
object (v2Access)

Access is an access request for a subject with a set of permission.

Example: Access { Subject: "organizations/demo/tenants/demo/applications/caller", Permissions: []string{"GET"} }

etag
string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)

Responses

Request samples

Content type
application/json
{
  • "access": {
    },
  • "etag": "string"
}

Response samples

Content type
application/json
{ }

DeleteAccessRequest removes an existing entry from the access request list for the given resource. If the request is already approved, the request no longer exists and this operation will return NotFound. Deleting an approved request should be done using the DeleteApproved operation.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

setting
required
string

Setting name.

Request Body schema: application/json
required
subject
required
string

Subject for which the access request is made.

Responses

Request samples

Content type
application/json
{
  • "subject": "string"
}

Response samples

Content type
application/json
{ }

GetPolicy returns the approval policy for the given resource.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

Responses

Response samples

Content type
application/json
{
  • "etag": "string",
  • "mode": "UNRESTRICTED",
  • "resource": "string",
  • "requested": [
    ],
  • "approved": [
    ],
  • "metadata": {
    }
}

SetPolicy enables authorization policy checks for the given resource and applies any provided request or approval settings. If the resource has existing policies settings, they will be replaced. Once the policy is set, authorization checks will be performed for the given resource.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

Request Body schema: application/json
required
Array of objects (v2Access)

Approved is a list of subjects that are approved to access the resource.

etag
string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)
object (v2Metadata)

Metadata includes additional information about an ApprovalPolicy or Access entity and their respective resources that they apply to.

mode
required
string (ApprovalPolicyMode)
Default: "UNRESTRICTED"
Enum: "UNRESTRICTED" "ALLOW_REQUESTED" "REQUIRE_APPROVAL"
  • UNRESTRICTED: Allows all subjects in the same policy class to access the resource.
  • ALLOW_REQUESTED: Allows only the subjects in the request and approved list to access the resource.
  • REQUIRE_APPROVAL: Allows only the subjects in the approved list to access the resource.
Array of objects (v2Access)

Requested is a list of subjects that are requested to access the resource but that have not yet been explicitly approved. The access mode of the policy will determine if the subjects in this list are given immediate access to the resource.

Responses

Request samples

Content type
application/json
{
  • "approved": [
    ],
  • "etag": "string",
  • "metadata": {
    },
  • "mode": "UNRESTRICTED",
  • "requested": [
    ]
}

Response samples

Content type
application/json
{ }

DeletePolicy deletes the approval policy configuration for the given resource. When deleted, authorization checks will no longer be performed, the resource will no longer accept approval requests and all existing approvals will be revoked.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

query Parameters
force
boolean

Force the deletion of internal resources even if they are protected against deletion.

Responses

Response samples

Content type
application/json
{ }

AddApprovedAccess adds a new entry in the approved access list for the given resource.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

Request Body schema: application/json
required
required
object (v2Access)

Access is an access request for a subject with a set of permission.

Example: Access { Subject: "organizations/demo/tenants/demo/applications/caller", Permissions: []string{"GET"} }

etag
string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)

Responses

Request samples

Content type
application/json
{
  • "access": {
    },
  • "etag": "string"
}

Response samples

Content type
application/json
{ }

DeleteApprovedAccess deletes an entry from the approved list for the given resource.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

Request Body schema: application/json
required
subject
required
string

Subject for which the access request is made.

Responses

Request samples

Content type
application/json
{
  • "subject": "string"
}

Response samples

Content type
application/json
{ }

Approvals_QueryPolicies_variant_12

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

Request Body schema: application/json
required
includeDetails
boolean

IncludeDetails indicates whether to include the details of the resources that are part of the policy. When set to true, the name and description of the resource are included in the response.

includePermissions
boolean

IncludePermissions indicates whether to include the user level permissions on resources that are part of the policy. When set to true, the user level permissions are included in the response.

types
required
Array of strings

Type is the type of the resources to query for policies.

Responses

Request samples

Content type
application/json
{
  • "includeDetails": true,
  • "includePermissions": true,
  • "types": [
    ]
}

Response samples

Content type
application/json
{
  • "policies": [
    ]
}

AddAccessRequest adds a new access request entry in the access request list for the given resource. If the policy approval mode is "ALLOW_REQUESTED", access is allowed immediately. If the policy approval mode is "REQUIRE_APPROVAL" access will be pending until the request is approved.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

Request Body schema: application/json
required
required
object (v2Access)

Access is an access request for a subject with a set of permission.

Example: Access { Subject: "organizations/demo/tenants/demo/applications/caller", Permissions: []string{"GET"} }

etag
string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)

Responses

Request samples

Content type
application/json
{
  • "access": {
    },
  • "etag": "string"
}

Response samples

Content type
application/json
{ }

ApproveAccessRequest approves an existing access request for the given resource. Once approved, the request will be removed from the requested list and added to the approved list. If any of the permissions are changed, the requested permissions will be discarded and only the approved permissions will be added to the approved list.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

Request Body schema: application/json
required
required
object (v2Access)

Access is an access request for a subject with a set of permission.

Example: Access { Subject: "organizations/demo/tenants/demo/applications/caller", Permissions: []string{"GET"} }

etag
string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)

Responses

Request samples

Content type
application/json
{
  • "access": {
    },
  • "etag": "string"
}

Response samples

Content type
application/json
{ }

DeleteAccessRequest removes an existing entry from the access request list for the given resource. If the request is already approved, the request no longer exists and this operation will return NotFound. Deleting an approved request should be done using the DeleteApproved operation.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

Request Body schema: application/json
required
subject
required
string

Subject for which the access request is made.

Responses

Request samples

Content type
application/json
{
  • "subject": "string"
}

Response samples

Content type
application/json
{ }

GetPolicy returns the approval policy for the given resource.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

gatewaygroup
required
string

Gatewaygroup name.

Responses

Response samples

Content type
application/json
{
  • "etag": "string",
  • "mode": "UNRESTRICTED",
  • "resource": "string",
  • "requested": [
    ],
  • "approved": [
    ],
  • "metadata": {
    }
}

SetPolicy enables authorization policy checks for the given resource and applies any provided request or approval settings. If the resource has existing policies settings, they will be replaced. Once the policy is set, authorization checks will be performed for the given resource.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

gatewaygroup
required
string

Gatewaygroup name.

Request Body schema: application/json
required
Array of objects (v2Access)

Approved is a list of subjects that are approved to access the resource.

etag
string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)
object (v2Metadata)

Metadata includes additional information about an ApprovalPolicy or Access entity and their respective resources that they apply to.

mode
required
string (ApprovalPolicyMode)
Default: "UNRESTRICTED"
Enum: "UNRESTRICTED" "ALLOW_REQUESTED" "REQUIRE_APPROVAL"
  • UNRESTRICTED: Allows all subjects in the same policy class to access the resource.
  • ALLOW_REQUESTED: Allows only the subjects in the request and approved list to access the resource.
  • REQUIRE_APPROVAL: Allows only the subjects in the approved list to access the resource.
Array of objects (v2Access)

Requested is a list of subjects that are requested to access the resource but that have not yet been explicitly approved. The access mode of the policy will determine if the subjects in this list are given immediate access to the resource.

Responses

Request samples

Content type
application/json
{
  • "approved": [
    ],
  • "etag": "string",
  • "metadata": {
    },
  • "mode": "UNRESTRICTED",
  • "requested": [
    ]
}

Response samples

Content type
application/json
{ }

DeletePolicy deletes the approval policy configuration for the given resource. When deleted, authorization checks will no longer be performed, the resource will no longer accept approval requests and all existing approvals will be revoked.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

gatewaygroup
required
string

Gatewaygroup name.

query Parameters
force
boolean

Force the deletion of internal resources even if they are protected against deletion.

Responses

Response samples

Content type
application/json
{ }

AddApprovedAccess adds a new entry in the approved access list for the given resource.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

gatewaygroup
required
string

Gatewaygroup name.

Request Body schema: application/json
required
required
object (v2Access)

Access is an access request for a subject with a set of permission.

Example: Access { Subject: "organizations/demo/tenants/demo/applications/caller", Permissions: []string{"GET"} }

etag
string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)

Responses

Request samples

Content type
application/json
{
  • "access": {
    },
  • "etag": "string"
}

Response samples

Content type
application/json
{ }

DeleteApprovedAccess deletes an entry from the approved list for the given resource.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

gatewaygroup
required
string

Gatewaygroup name.

Request Body schema: application/json
required
subject
required
string

Subject for which the access request is made.

Responses

Request samples

Content type
application/json
{
  • "subject": "string"
}

Response samples

Content type
application/json
{ }

Approvals_QueryPolicies_variant_13

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

gatewaygroup
required
string

Gatewaygroup name.

Request Body schema: application/json
required
includeDetails
boolean

IncludeDetails indicates whether to include the details of the resources that are part of the policy. When set to true, the name and description of the resource are included in the response.

includePermissions
boolean

IncludePermissions indicates whether to include the user level permissions on resources that are part of the policy. When set to true, the user level permissions are included in the response.

types
required
Array of strings

Type is the type of the resources to query for policies.

Responses

Request samples

Content type
application/json
{
  • "includeDetails": true,
  • "includePermissions": true,
  • "types": [
    ]
}

Response samples

Content type
application/json
{
  • "policies": [
    ]
}

AddAccessRequest adds a new access request entry in the access request list for the given resource. If the policy approval mode is "ALLOW_REQUESTED", access is allowed immediately. If the policy approval mode is "REQUIRE_APPROVAL" access will be pending until the request is approved.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

gatewaygroup
required
string

Gatewaygroup name.

Request Body schema: application/json
required
required
object (v2Access)

Access is an access request for a subject with a set of permission.

Example: Access { Subject: "organizations/demo/tenants/demo/applications/caller", Permissions: []string{"GET"} }

etag
string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)

Responses

Request samples

Content type
application/json
{
  • "access": {
    },
  • "etag": "string"
}

Response samples

Content type
application/json
{ }

ApproveAccessRequest approves an existing access request for the given resource. Once approved, the request will be removed from the requested list and added to the approved list. If any of the permissions are changed, the requested permissions will be discarded and only the approved permissions will be added to the approved list.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

gatewaygroup
required
string

Gatewaygroup name.

Request Body schema: application/json
required
required
object (v2Access)

Access is an access request for a subject with a set of permission.

Example: Access { Subject: "organizations/demo/tenants/demo/applications/caller", Permissions: []string{"GET"} }

etag
string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)

Responses

Request samples

Content type
application/json
{
  • "access": {
    },
  • "etag": "string"
}

Response samples

Content type
application/json
{ }

DeleteAccessRequest removes an existing entry from the access request list for the given resource. If the request is already approved, the request no longer exists and this operation will return NotFound. Deleting an approved request should be done using the DeleteApproved operation.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

gatewaygroup
required
string

Gatewaygroup name.

Request Body schema: application/json
required
subject
required
string

Subject for which the access request is made.

Responses

Request samples

Content type
application/json
{
  • "subject": "string"
}

Response samples

Content type
application/json
{ }

GetPolicy returns the approval policy for the given resource.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

gatewaygroup
required
string

Gatewaygroup name.

egressgateway
required
string

Egressgateway name.

Responses

Response samples

Content type
application/json
{
  • "etag": "string",
  • "mode": "UNRESTRICTED",
  • "resource": "string",
  • "requested": [
    ],
  • "approved": [
    ],
  • "metadata": {
    }
}

SetPolicy enables authorization policy checks for the given resource and applies any provided request or approval settings. If the resource has existing policies settings, they will be replaced. Once the policy is set, authorization checks will be performed for the given resource.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

gatewaygroup
required
string

Gatewaygroup name.

egressgateway
required
string

Egressgateway name.

Request Body schema: application/json
required
Array of objects (v2Access)

Approved is a list of subjects that are approved to access the resource.

etag
string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)
object (v2Metadata)

Metadata includes additional information about an ApprovalPolicy or Access entity and their respective resources that they apply to.

mode
required
string (ApprovalPolicyMode)
Default: "UNRESTRICTED"
Enum: "UNRESTRICTED" "ALLOW_REQUESTED" "REQUIRE_APPROVAL"
  • UNRESTRICTED: Allows all subjects in the same policy class to access the resource.
  • ALLOW_REQUESTED: Allows only the subjects in the request and approved list to access the resource.
  • REQUIRE_APPROVAL: Allows only the subjects in the approved list to access the resource.
Array of objects (v2Access)

Requested is a list of subjects that are requested to access the resource but that have not yet been explicitly approved. The access mode of the policy will determine if the subjects in this list are given immediate access to the resource.

Responses

Request samples

Content type
application/json
{
  • "approved": [
    ],
  • "etag": "string",
  • "metadata": {
    },
  • "mode": "UNRESTRICTED",
  • "requested": [
    ]
}

Response samples

Content type
application/json
{ }

DeletePolicy deletes the approval policy configuration for the given resource. When deleted, authorization checks will no longer be performed, the resource will no longer accept approval requests and all existing approvals will be revoked.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

gatewaygroup
required
string

Gatewaygroup name.

egressgateway
required
string

Egressgateway name.

query Parameters
force
boolean

Force the deletion of internal resources even if they are protected against deletion.

Responses

Response samples

Content type
application/json
{ }

AddApprovedAccess adds a new entry in the approved access list for the given resource.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

gatewaygroup
required
string

Gatewaygroup name.

egressgateway
required
string

Egressgateway name.

Request Body schema: application/json
required
required
object (v2Access)

Access is an access request for a subject with a set of permission.

Example: Access { Subject: "organizations/demo/tenants/demo/applications/caller", Permissions: []string{"GET"} }

etag
string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)

Responses

Request samples

Content type
application/json
{
  • "access": {
    },
  • "etag": "string"
}

Response samples

Content type
application/json
{ }

DeleteApprovedAccess deletes an entry from the approved list for the given resource.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

gatewaygroup
required
string

Gatewaygroup name.

egressgateway
required
string

Egressgateway name.

Request Body schema: application/json
required
subject
required
string

Subject for which the access request is made.

Responses

Request samples

Content type
application/json
{
  • "subject": "string"
}

Response samples

Content type
application/json
{ }

Approvals_QueryPolicies_variant_15

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

gatewaygroup
required
string

Gatewaygroup name.

egressgateway
required
string

Egressgateway name.

Request Body schema: application/json
required
includeDetails
boolean

IncludeDetails indicates whether to include the details of the resources that are part of the policy. When set to true, the name and description of the resource are included in the response.

includePermissions
boolean

IncludePermissions indicates whether to include the user level permissions on resources that are part of the policy. When set to true, the user level permissions are included in the response.

types
required
Array of strings

Type is the type of the resources to query for policies.

Responses

Request samples

Content type
application/json
{
  • "includeDetails": true,
  • "includePermissions": true,
  • "types": [
    ]
}

Response samples

Content type
application/json
{
  • "policies": [
    ]
}

AddAccessRequest adds a new access request entry in the access request list for the given resource. If the policy approval mode is "ALLOW_REQUESTED", access is allowed immediately. If the policy approval mode is "REQUIRE_APPROVAL" access will be pending until the request is approved.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

gatewaygroup
required
string

Gatewaygroup name.

egressgateway
required
string

Egressgateway name.

Request Body schema: application/json
required
required
object (v2Access)

Access is an access request for a subject with a set of permission.

Example: Access { Subject: "organizations/demo/tenants/demo/applications/caller", Permissions: []string{"GET"} }

etag
string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)

Responses

Request samples

Content type
application/json
{
  • "access": {
    },
  • "etag": "string"
}

Response samples

Content type
application/json
{ }

ApproveAccessRequest approves an existing access request for the given resource. Once approved, the request will be removed from the requested list and added to the approved list. If any of the permissions are changed, the requested permissions will be discarded and only the approved permissions will be added to the approved list.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

gatewaygroup
required
string

Gatewaygroup name.

egressgateway
required
string

Egressgateway name.

Request Body schema: application/json
required
required
object (v2Access)

Access is an access request for a subject with a set of permission.

Example: Access { Subject: "organizations/demo/tenants/demo/applications/caller", Permissions: []string{"GET"} }

etag
string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)

Responses

Request samples

Content type
application/json
{
  • "access": {
    },
  • "etag": "string"
}

Response samples

Content type
application/json
{ }

DeleteAccessRequest removes an existing entry from the access request list for the given resource. If the request is already approved, the request no longer exists and this operation will return NotFound. Deleting an approved request should be done using the DeleteApproved operation.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

gatewaygroup
required
string

Gatewaygroup name.

egressgateway
required
string

Egressgateway name.

Request Body schema: application/json
required
subject
required
string

Subject for which the access request is made.

Responses

Request samples

Content type
application/json
{
  • "subject": "string"
}

Response samples

Content type
application/json
{ }

GetPolicy returns the approval policy for the given resource.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

gatewaygroup
required
string

Gatewaygroup name.

ingressgateway
required
string

Ingressgateway name.

Responses

Response samples

Content type
application/json
{
  • "etag": "string",
  • "mode": "UNRESTRICTED",
  • "resource": "string",
  • "requested": [
    ],
  • "approved": [
    ],
  • "metadata": {
    }
}

SetPolicy enables authorization policy checks for the given resource and applies any provided request or approval settings. If the resource has existing policies settings, they will be replaced. Once the policy is set, authorization checks will be performed for the given resource.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

gatewaygroup
required
string

Gatewaygroup name.

ingressgateway
required
string

Ingressgateway name.

Request Body schema: application/json
required
Array of objects (v2Access)

Approved is a list of subjects that are approved to access the resource.

etag
string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)
object (v2Metadata)

Metadata includes additional information about an ApprovalPolicy or Access entity and their respective resources that they apply to.

mode
required
string (ApprovalPolicyMode)
Default: "UNRESTRICTED"
Enum: "UNRESTRICTED" "ALLOW_REQUESTED" "REQUIRE_APPROVAL"
  • UNRESTRICTED: Allows all subjects in the same policy class to access the resource.
  • ALLOW_REQUESTED: Allows only the subjects in the request and approved list to access the resource.
  • REQUIRE_APPROVAL: Allows only the subjects in the approved list to access the resource.
Array of objects (v2Access)

Requested is a list of subjects that are requested to access the resource but that have not yet been explicitly approved. The access mode of the policy will determine if the subjects in this list are given immediate access to the resource.

Responses

Request samples

Content type
application/json
{
  • "approved": [
    ],
  • "etag": "string",
  • "metadata": {
    },
  • "mode": "UNRESTRICTED",
  • "requested": [
    ]
}

Response samples

Content type
application/json
{ }

DeletePolicy deletes the approval policy configuration for the given resource. When deleted, authorization checks will no longer be performed, the resource will no longer accept approval requests and all existing approvals will be revoked.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

gatewaygroup
required
string

Gatewaygroup name.

ingressgateway
required
string

Ingressgateway name.

query Parameters
force
boolean

Force the deletion of internal resources even if they are protected against deletion.

Responses

Response samples

Content type
application/json
{ }

AddApprovedAccess adds a new entry in the approved access list for the given resource.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

gatewaygroup
required
string

Gatewaygroup name.

ingressgateway
required
string

Ingressgateway name.

Request Body schema: application/json
required
required
object (v2Access)

Access is an access request for a subject with a set of permission.

Example: Access { Subject: "organizations/demo/tenants/demo/applications/caller", Permissions: []string{"GET"} }

etag
string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)

Responses

Request samples

Content type
application/json
{
  • "access": {
    },
  • "etag": "string"
}

Response samples

Content type
application/json
{ }

DeleteApprovedAccess deletes an entry from the approved list for the given resource.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

gatewaygroup
required
string

Gatewaygroup name.

ingressgateway
required
string

Ingressgateway name.

Request Body schema: application/json
required
subject
required
string

Subject for which the access request is made.

Responses

Request samples

Content type
application/json
{
  • "subject": "string"
}

Response samples

Content type
application/json
{ }

Approvals_QueryPolicies_variant_14

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

gatewaygroup
required
string

Gatewaygroup name.

ingressgateway
required
string

Ingressgateway name.

Request Body schema: application/json
required
includeDetails
boolean

IncludeDetails indicates whether to include the details of the resources that are part of the policy. When set to true, the name and description of the resource are included in the response.

includePermissions
boolean

IncludePermissions indicates whether to include the user level permissions on resources that are part of the policy. When set to true, the user level permissions are included in the response.

types
required
Array of strings

Type is the type of the resources to query for policies.

Responses

Request samples

Content type
application/json
{
  • "includeDetails": true,
  • "includePermissions": true,
  • "types": [
    ]
}

Response samples

Content type
application/json
{
  • "policies": [
    ]
}

AddAccessRequest adds a new access request entry in the access request list for the given resource. If the policy approval mode is "ALLOW_REQUESTED", access is allowed immediately. If the policy approval mode is "REQUIRE_APPROVAL" access will be pending until the request is approved.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

gatewaygroup
required
string

Gatewaygroup name.

ingressgateway
required
string

Ingressgateway name.

Request Body schema: application/json
required
required
object (v2Access)

Access is an access request for a subject with a set of permission.

Example: Access { Subject: "organizations/demo/tenants/demo/applications/caller", Permissions: []string{"GET"} }

etag
string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)

Responses

Request samples

Content type
application/json
{
  • "access": {
    },
  • "etag": "string"
}

Response samples

Content type
application/json
{ }

ApproveAccessRequest approves an existing access request for the given resource. Once approved, the request will be removed from the requested list and added to the approved list. If any of the permissions are changed, the requested permissions will be discarded and only the approved permissions will be added to the approved list.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

gatewaygroup
required
string

Gatewaygroup name.

ingressgateway
required
string

Ingressgateway name.

Request Body schema: application/json
required
required
object (v2Access)

Access is an access request for a subject with a set of permission.

Example: Access { Subject: "organizations/demo/tenants/demo/applications/caller", Permissions: []string{"GET"} }

etag
string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)

Responses

Request samples

Content type
application/json
{
  • "access": {
    },
  • "etag": "string"
}

Response samples

Content type
application/json
{ }

DeleteAccessRequest removes an existing entry from the access request list for the given resource. If the request is already approved, the request no longer exists and this operation will return NotFound. Deleting an approved request should be done using the DeleteApproved operation.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

gatewaygroup
required
string

Gatewaygroup name.

ingressgateway
required
string

Ingressgateway name.

Request Body schema: application/json
required
subject
required
string

Subject for which the access request is made.

Responses

Request samples

Content type
application/json
{
  • "subject": "string"
}

Response samples

Content type
application/json
{ }

GetPolicy returns the approval policy for the given resource.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

gatewaygroup
required
string

Gatewaygroup name.

tie1gateway
required
string

Tie1gateway name.

Responses

Response samples

Content type
application/json
{
  • "etag": "string",
  • "mode": "UNRESTRICTED",
  • "resource": "string",
  • "requested": [
    ],
  • "approved": [
    ],
  • "metadata": {
    }
}

SetPolicy enables authorization policy checks for the given resource and applies any provided request or approval settings. If the resource has existing policies settings, they will be replaced. Once the policy is set, authorization checks will be performed for the given resource.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

gatewaygroup
required
string

Gatewaygroup name.

tie1gateway
required
string

Tie1gateway name.

Request Body schema: application/json
required
Array of objects (v2Access)

Approved is a list of subjects that are approved to access the resource.

etag
string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)
object (v2Metadata)

Metadata includes additional information about an ApprovalPolicy or Access entity and their respective resources that they apply to.

mode
required
string (ApprovalPolicyMode)
Default: "UNRESTRICTED"
Enum: "UNRESTRICTED" "ALLOW_REQUESTED" "REQUIRE_APPROVAL"
  • UNRESTRICTED: Allows all subjects in the same policy class to access the resource.
  • ALLOW_REQUESTED: Allows only the subjects in the request and approved list to access the resource.
  • REQUIRE_APPROVAL: Allows only the subjects in the approved list to access the resource.
Array of objects (v2Access)

Requested is a list of subjects that are requested to access the resource but that have not yet been explicitly approved. The access mode of the policy will determine if the subjects in this list are given immediate access to the resource.

Responses

Request samples

Content type
application/json
{
  • "approved": [
    ],
  • "etag": "string",
  • "metadata": {
    },
  • "mode": "UNRESTRICTED",
  • "requested": [
    ]
}

Response samples

Content type
application/json
{ }

DeletePolicy deletes the approval policy configuration for the given resource. When deleted, authorization checks will no longer be performed, the resource will no longer accept approval requests and all existing approvals will be revoked.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

gatewaygroup
required
string

Gatewaygroup name.

tie1gateway
required
string

Tie1gateway name.

query Parameters
force
boolean

Force the deletion of internal resources even if they are protected against deletion.

Responses

Response samples

Content type
application/json
{ }

AddApprovedAccess adds a new entry in the approved access list for the given resource.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

gatewaygroup
required
string

Gatewaygroup name.

tie1gateway
required
string

Tie1gateway name.

Request Body schema: application/json
required
required
object (v2Access)

Access is an access request for a subject with a set of permission.

Example: Access { Subject: "organizations/demo/tenants/demo/applications/caller", Permissions: []string{"GET"} }

etag
string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)

Responses

Request samples

Content type
application/json
{
  • "access": {
    },
  • "etag": "string"
}

Response samples

Content type
application/json
{ }

DeleteApprovedAccess deletes an entry from the approved list for the given resource.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

gatewaygroup
required
string

Gatewaygroup name.

tie1gateway
required
string

Tie1gateway name.

Request Body schema: application/json
required
subject
required
string

Subject for which the access request is made.

Responses

Request samples

Content type
application/json
{
  • "subject": "string"
}

Response samples

Content type
application/json
{ }

Approvals_QueryPolicies_variant_16

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

gatewaygroup
required
string

Gatewaygroup name.

tie1gateway
required
string

Tie1gateway name.

Request Body schema: application/json
required
includeDetails
boolean

IncludeDetails indicates whether to include the details of the resources that are part of the policy. When set to true, the name and description of the resource are included in the response.

includePermissions
boolean

IncludePermissions indicates whether to include the user level permissions on resources that are part of the policy. When set to true, the user level permissions are included in the response.

types
required
Array of strings

Type is the type of the resources to query for policies.

Responses

Request samples

Content type
application/json
{
  • "includeDetails": true,
  • "includePermissions": true,
  • "types": [
    ]
}

Response samples

Content type
application/json
{
  • "policies": [
    ]
}

AddAccessRequest adds a new access request entry in the access request list for the given resource. If the policy approval mode is "ALLOW_REQUESTED", access is allowed immediately. If the policy approval mode is "REQUIRE_APPROVAL" access will be pending until the request is approved.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

gatewaygroup
required
string

Gatewaygroup name.

tie1gateway
required
string

Tie1gateway name.

Request Body schema: application/json
required
required
object (v2Access)

Access is an access request for a subject with a set of permission.

Example: Access { Subject: "organizations/demo/tenants/demo/applications/caller", Permissions: []string{"GET"} }

etag
string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)

Responses

Request samples

Content type
application/json
{
  • "access": {
    },
  • "etag": "string"
}

Response samples

Content type
application/json
{ }

ApproveAccessRequest approves an existing access request for the given resource. Once approved, the request will be removed from the requested list and added to the approved list. If any of the permissions are changed, the requested permissions will be discarded and only the approved permissions will be added to the approved list.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

gatewaygroup
required
string

Gatewaygroup name.

tie1gateway
required
string

Tie1gateway name.

Request Body schema: application/json
required
required
object (v2Access)

Access is an access request for a subject with a set of permission.

Example: Access { Subject: "organizations/demo/tenants/demo/applications/caller", Permissions: []string{"GET"} }

etag
string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)

Responses

Request samples

Content type
application/json
{
  • "access": {
    },
  • "etag": "string"
}

Response samples

Content type
application/json
{ }

DeleteAccessRequest removes an existing entry from the access request list for the given resource. If the request is already approved, the request no longer exists and this operation will return NotFound. Deleting an approved request should be done using the DeleteApproved operation.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

gatewaygroup
required
string

Gatewaygroup name.

tie1gateway
required
string

Tie1gateway name.

Request Body schema: application/json
required
subject
required
string

Subject for which the access request is made.

Responses

Request samples

Content type
application/json
{
  • "subject": "string"
}

Response samples

Content type
application/json
{ }

GetPolicy returns the approval policy for the given resource.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

istiointernalgroup
required
string

Istiointernalgroup name.

Responses

Response samples

Content type
application/json
{
  • "etag": "string",
  • "mode": "UNRESTRICTED",
  • "resource": "string",
  • "requested": [
    ],
  • "approved": [
    ],
  • "metadata": {
    }
}

SetPolicy enables authorization policy checks for the given resource and applies any provided request or approval settings. If the resource has existing policies settings, they will be replaced. Once the policy is set, authorization checks will be performed for the given resource.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

istiointernalgroup
required
string

Istiointernalgroup name.

Request Body schema: application/json
required
Array of objects (v2Access)

Approved is a list of subjects that are approved to access the resource.

etag
string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)
object (v2Metadata)

Metadata includes additional information about an ApprovalPolicy or Access entity and their respective resources that they apply to.

mode
required
string (ApprovalPolicyMode)
Default: "UNRESTRICTED"
Enum: "UNRESTRICTED" "ALLOW_REQUESTED" "REQUIRE_APPROVAL"
  • UNRESTRICTED: Allows all subjects in the same policy class to access the resource.
  • ALLOW_REQUESTED: Allows only the subjects in the request and approved list to access the resource.
  • REQUIRE_APPROVAL: Allows only the subjects in the approved list to access the resource.
Array of objects (v2Access)

Requested is a list of subjects that are requested to access the resource but that have not yet been explicitly approved. The access mode of the policy will determine if the subjects in this list are given immediate access to the resource.

Responses

Request samples

Content type
application/json
{
  • "approved": [
    ],
  • "etag": "string",
  • "metadata": {
    },
  • "mode": "UNRESTRICTED",
  • "requested": [
    ]
}

Response samples

Content type
application/json
{ }

DeletePolicy deletes the approval policy configuration for the given resource. When deleted, authorization checks will no longer be performed, the resource will no longer accept approval requests and all existing approvals will be revoked.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

istiointernalgroup
required
string

Istiointernalgroup name.

query Parameters
force
boolean

Force the deletion of internal resources even if they are protected against deletion.

Responses

Response samples

Content type
application/json
{ }

AddApprovedAccess adds a new entry in the approved access list for the given resource.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

istiointernalgroup
required
string

Istiointernalgroup name.

Request Body schema: application/json
required
required
object (v2Access)

Access is an access request for a subject with a set of permission.

Example: Access { Subject: "organizations/demo/tenants/demo/applications/caller", Permissions: []string{"GET"} }

etag
string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)

Responses

Request samples

Content type
application/json
{
  • "access": {
    },
  • "etag": "string"
}

Response samples

Content type
application/json
{ }

DeleteApprovedAccess deletes an entry from the approved list for the given resource.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

istiointernalgroup
required
string

Istiointernalgroup name.

Request Body schema: application/json
required
subject
required
string

Subject for which the access request is made.

Responses

Request samples

Content type
application/json
{
  • "subject": "string"
}

Response samples

Content type
application/json
{ }

Approvals_QueryPolicies_variant_17

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

istiointernalgroup
required
string

Istiointernalgroup name.

Request Body schema: application/json
required
includeDetails
boolean

IncludeDetails indicates whether to include the details of the resources that are part of the policy. When set to true, the name and description of the resource are included in the response.

includePermissions
boolean

IncludePermissions indicates whether to include the user level permissions on resources that are part of the policy. When set to true, the user level permissions are included in the response.

types
required
Array of strings

Type is the type of the resources to query for policies.

Responses

Request samples

Content type
application/json
{
  • "includeDetails": true,
  • "includePermissions": true,
  • "types": [
    ]
}

Response samples

Content type
application/json
{
  • "policies": [
    ]
}

AddAccessRequest adds a new access request entry in the access request list for the given resource. If the policy approval mode is "ALLOW_REQUESTED", access is allowed immediately. If the policy approval mode is "REQUIRE_APPROVAL" access will be pending until the request is approved.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

istiointernalgroup
required
string

Istiointernalgroup name.

Request Body schema: application/json
required
required
object (v2Access)

Access is an access request for a subject with a set of permission.

Example: Access { Subject: "organizations/demo/tenants/demo/applications/caller", Permissions: []string{"GET"} }

etag
string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)

Responses

Request samples

Content type
application/json
{
  • "access": {
    },
  • "etag": "string"
}

Response samples

Content type
application/json
{ }

ApproveAccessRequest approves an existing access request for the given resource. Once approved, the request will be removed from the requested list and added to the approved list. If any of the permissions are changed, the requested permissions will be discarded and only the approved permissions will be added to the approved list.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

istiointernalgroup
required
string

Istiointernalgroup name.

Request Body schema: application/json
required
required
object (v2Access)

Access is an access request for a subject with a set of permission.

Example: Access { Subject: "organizations/demo/tenants/demo/applications/caller", Permissions: []string{"GET"} }

etag
string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)

Responses

Request samples

Content type
application/json
{
  • "access": {
    },
  • "etag": "string"
}

Response samples

Content type
application/json
{ }

DeleteAccessRequest removes an existing entry from the access request list for the given resource. If the request is already approved, the request no longer exists and this operation will return NotFound. Deleting an approved request should be done using the DeleteApproved operation.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

istiointernalgroup
required
string

Istiointernalgroup name.

Request Body schema: application/json
required
subject
required
string

Subject for which the access request is made.

Responses

Request samples

Content type
application/json
{
  • "subject": "string"
}

Response samples

Content type
application/json
{ }

GetPolicy returns the approval policy for the given resource.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

istiointernalgroup
required
string

Istiointernalgroup name.

setting
required
string

Setting name.

Responses

Response samples

Content type
application/json
{
  • "etag": "string",
  • "mode": "UNRESTRICTED",
  • "resource": "string",
  • "requested": [
    ],
  • "approved": [
    ],
  • "metadata": {
    }
}

SetPolicy enables authorization policy checks for the given resource and applies any provided request or approval settings. If the resource has existing policies settings, they will be replaced. Once the policy is set, authorization checks will be performed for the given resource.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

istiointernalgroup
required
string

Istiointernalgroup name.

setting
required
string

Setting name.

Request Body schema: application/json
required
Array of objects (v2Access)

Approved is a list of subjects that are approved to access the resource.

etag
string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)
object (v2Metadata)

Metadata includes additional information about an ApprovalPolicy or Access entity and their respective resources that they apply to.

mode
required
string (ApprovalPolicyMode)
Default: "UNRESTRICTED"
Enum: "UNRESTRICTED" "ALLOW_REQUESTED" "REQUIRE_APPROVAL"
  • UNRESTRICTED: Allows all subjects in the same policy class to access the resource.
  • ALLOW_REQUESTED: Allows only the subjects in the request and approved list to access the resource.
  • REQUIRE_APPROVAL: Allows only the subjects in the approved list to access the resource.
Array of objects (v2Access)

Requested is a list of subjects that are requested to access the resource but that have not yet been explicitly approved. The access mode of the policy will determine if the subjects in this list are given immediate access to the resource.

Responses

Request samples

Content type
application/json
{
  • "approved": [
    ],
  • "etag": "string",
  • "metadata": {
    },
  • "mode": "UNRESTRICTED",
  • "requested": [
    ]
}

Response samples

Content type
application/json
{ }

DeletePolicy deletes the approval policy configuration for the given resource. When deleted, authorization checks will no longer be performed, the resource will no longer accept approval requests and all existing approvals will be revoked.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

istiointernalgroup
required
string

Istiointernalgroup name.

setting
required
string

Setting name.

query Parameters
force
boolean

Force the deletion of internal resources even if they are protected against deletion.

Responses

Response samples

Content type
application/json
{ }

AddApprovedAccess adds a new entry in the approved access list for the given resource.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

istiointernalgroup
required
string

Istiointernalgroup name.

setting
required
string

Setting name.

Request Body schema: application/json
required
required
object (v2Access)

Access is an access request for a subject with a set of permission.

Example: Access { Subject: "organizations/demo/tenants/demo/applications/caller", Permissions: []string{"GET"} }

etag
string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)

Responses

Request samples

Content type
application/json
{
  • "access": {
    },
  • "etag": "string"
}

Response samples

Content type
application/json
{ }

DeleteApprovedAccess deletes an entry from the approved list for the given resource.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

istiointernalgroup
required
string

Istiointernalgroup name.

setting
required
string

Setting name.

Request Body schema: application/json
required
subject
required
string

Subject for which the access request is made.

Responses

Request samples

Content type
application/json
{
  • "subject": "string"
}

Response samples

Content type
application/json
{ }

Approvals_QueryPolicies_variant_18

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

istiointernalgroup
required
string

Istiointernalgroup name.

setting
required
string

Setting name.

Request Body schema: application/json
required
includeDetails
boolean

IncludeDetails indicates whether to include the details of the resources that are part of the policy. When set to true, the name and description of the resource are included in the response.

includePermissions
boolean

IncludePermissions indicates whether to include the user level permissions on resources that are part of the policy. When set to true, the user level permissions are included in the response.

types
required
Array of strings

Type is the type of the resources to query for policies.

Responses

Request samples

Content type
application/json
{
  • "includeDetails": true,
  • "includePermissions": true,
  • "types": [
    ]
}

Response samples

Content type
application/json
{
  • "policies": [
    ]
}

AddAccessRequest adds a new access request entry in the access request list for the given resource. If the policy approval mode is "ALLOW_REQUESTED", access is allowed immediately. If the policy approval mode is "REQUIRE_APPROVAL" access will be pending until the request is approved.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

istiointernalgroup
required
string

Istiointernalgroup name.

setting
required
string

Setting name.

Request Body schema: application/json
required
required
object (v2Access)

Access is an access request for a subject with a set of permission.

Example: Access { Subject: "organizations/demo/tenants/demo/applications/caller", Permissions: []string{"GET"} }

etag
string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)

Responses

Request samples

Content type
application/json
{
  • "access": {
    },
  • "etag": "string"
}

Response samples

Content type
application/json
{ }

ApproveAccessRequest approves an existing access request for the given resource. Once approved, the request will be removed from the requested list and added to the approved list. If any of the permissions are changed, the requested permissions will be discarded and only the approved permissions will be added to the approved list.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

istiointernalgroup
required
string

Istiointernalgroup name.

setting
required
string

Setting name.

Request Body schema: application/json
required
required
object (v2Access)

Access is an access request for a subject with a set of permission.

Example: Access { Subject: "organizations/demo/tenants/demo/applications/caller", Permissions: []string{"GET"} }

etag
string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)

Responses

Request samples

Content type
application/json
{
  • "access": {
    },
  • "etag": "string"
}

Response samples

Content type
application/json
{ }

DeleteAccessRequest removes an existing entry from the access request list for the given resource. If the request is already approved, the request no longer exists and this operation will return NotFound. Deleting an approved request should be done using the DeleteApproved operation.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

istiointernalgroup
required
string

Istiointernalgroup name.

setting
required
string

Setting name.

Request Body schema: application/json
required
subject
required
string

Subject for which the access request is made.

Responses

Request samples

Content type
application/json
{
  • "subject": "string"
}

Response samples

Content type
application/json
{ }

GetPolicy returns the approval policy for the given resource.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

securitygroup
required
string

Securitygroup name.

Responses

Response samples

Content type
application/json
{
  • "etag": "string",
  • "mode": "UNRESTRICTED",
  • "resource": "string",
  • "requested": [
    ],
  • "approved": [
    ],
  • "metadata": {
    }
}

SetPolicy enables authorization policy checks for the given resource and applies any provided request or approval settings. If the resource has existing policies settings, they will be replaced. Once the policy is set, authorization checks will be performed for the given resource.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

securitygroup
required
string

Securitygroup name.

Request Body schema: application/json
required
Array of objects (v2Access)

Approved is a list of subjects that are approved to access the resource.

etag
string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)
object (v2Metadata)

Metadata includes additional information about an ApprovalPolicy or Access entity and their respective resources that they apply to.

mode
required
string (ApprovalPolicyMode)
Default: "UNRESTRICTED"
Enum: "UNRESTRICTED" "ALLOW_REQUESTED" "REQUIRE_APPROVAL"
  • UNRESTRICTED: Allows all subjects in the same policy class to access the resource.
  • ALLOW_REQUESTED: Allows only the subjects in the request and approved list to access the resource.
  • REQUIRE_APPROVAL: Allows only the subjects in the approved list to access the resource.
Array of objects (v2Access)

Requested is a list of subjects that are requested to access the resource but that have not yet been explicitly approved. The access mode of the policy will determine if the subjects in this list are given immediate access to the resource.

Responses

Request samples

Content type
application/json
{
  • "approved": [
    ],
  • "etag": "string",
  • "metadata": {
    },
  • "mode": "UNRESTRICTED",
  • "requested": [
    ]
}

Response samples

Content type
application/json
{ }

DeletePolicy deletes the approval policy configuration for the given resource. When deleted, authorization checks will no longer be performed, the resource will no longer accept approval requests and all existing approvals will be revoked.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

securitygroup
required
string

Securitygroup name.

query Parameters
force
boolean

Force the deletion of internal resources even if they are protected against deletion.

Responses

Response samples

Content type
application/json
{ }

AddApprovedAccess adds a new entry in the approved access list for the given resource.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

securitygroup
required
string

Securitygroup name.

Request Body schema: application/json
required
required
object (v2Access)

Access is an access request for a subject with a set of permission.

Example: Access { Subject: "organizations/demo/tenants/demo/applications/caller", Permissions: []string{"GET"} }

etag
string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)

Responses

Request samples

Content type
application/json
{
  • "access": {
    },
  • "etag": "string"
}

Response samples

Content type
application/json
{ }

DeleteApprovedAccess deletes an entry from the approved list for the given resource.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

securitygroup
required
string

Securitygroup name.

Request Body schema: application/json
required
subject
required
string

Subject for which the access request is made.

Responses

Request samples

Content type
application/json
{
  • "subject": "string"
}

Response samples

Content type
application/json
{ }

Approvals_QueryPolicies_variant_19

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

securitygroup
required
string

Securitygroup name.

Request Body schema: application/json
required
includeDetails
boolean

IncludeDetails indicates whether to include the details of the resources that are part of the policy. When set to true, the name and description of the resource are included in the response.

includePermissions
boolean

IncludePermissions indicates whether to include the user level permissions on resources that are part of the policy. When set to true, the user level permissions are included in the response.

types
required
Array of strings

Type is the type of the resources to query for policies.

Responses

Request samples

Content type
application/json
{
  • "includeDetails": true,
  • "includePermissions": true,
  • "types": [
    ]
}

Response samples

Content type
application/json
{
  • "policies": [
    ]
}

AddAccessRequest adds a new access request entry in the access request list for the given resource. If the policy approval mode is "ALLOW_REQUESTED", access is allowed immediately. If the policy approval mode is "REQUIRE_APPROVAL" access will be pending until the request is approved.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

securitygroup
required
string

Securitygroup name.

Request Body schema: application/json
required
required
object (v2Access)

Access is an access request for a subject with a set of permission.

Example: Access { Subject: "organizations/demo/tenants/demo/applications/caller", Permissions: []string{"GET"} }

etag
string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)

Responses

Request samples

Content type
application/json
{
  • "access": {
    },
  • "etag": "string"
}

Response samples

Content type
application/json
{ }

ApproveAccessRequest approves an existing access request for the given resource. Once approved, the request will be removed from the requested list and added to the approved list. If any of the permissions are changed, the requested permissions will be discarded and only the approved permissions will be added to the approved list.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

securitygroup
required
string

Securitygroup name.

Request Body schema: application/json
required
required
object (v2Access)

Access is an access request for a subject with a set of permission.

Example: Access { Subject: "organizations/demo/tenants/demo/applications/caller", Permissions: []string{"GET"} }

etag
string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)

Responses

Request samples

Content type
application/json
{
  • "access": {
    },
  • "etag": "string"
}

Response samples

Content type
application/json
{ }

DeleteAccessRequest removes an existing entry from the access request list for the given resource. If the request is already approved, the request no longer exists and this operation will return NotFound. Deleting an approved request should be done using the DeleteApproved operation.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

securitygroup
required
string

Securitygroup name.

Request Body schema: application/json
required
subject
required
string

Subject for which the access request is made.

Responses

Request samples

Content type
application/json
{
  • "subject": "string"
}

Response samples

Content type
application/json
{ }

GetPolicy returns the approval policy for the given resource.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

securitygroup
required
string

Securitygroup name.

setting
required
string

Setting name.

Responses

Response samples

Content type
application/json
{
  • "etag": "string",
  • "mode": "UNRESTRICTED",
  • "resource": "string",
  • "requested": [
    ],
  • "approved": [
    ],
  • "metadata": {
    }
}

SetPolicy enables authorization policy checks for the given resource and applies any provided request or approval settings. If the resource has existing policies settings, they will be replaced. Once the policy is set, authorization checks will be performed for the given resource.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

securitygroup
required
string

Securitygroup name.

setting
required
string

Setting name.

Request Body schema: application/json
required
Array of objects (v2Access)

Approved is a list of subjects that are approved to access the resource.

etag
string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)
object (v2Metadata)

Metadata includes additional information about an ApprovalPolicy or Access entity and their respective resources that they apply to.

mode
required
string (ApprovalPolicyMode)
Default: "UNRESTRICTED"
Enum: "UNRESTRICTED" "ALLOW_REQUESTED" "REQUIRE_APPROVAL"
  • UNRESTRICTED: Allows all subjects in the same policy class to access the resource.
  • ALLOW_REQUESTED: Allows only the subjects in the request and approved list to access the resource.
  • REQUIRE_APPROVAL: Allows only the subjects in the approved list to access the resource.
Array of objects (v2Access)

Requested is a list of subjects that are requested to access the resource but that have not yet been explicitly approved. The access mode of the policy will determine if the subjects in this list are given immediate access to the resource.

Responses

Request samples

Content type
application/json
{
  • "approved": [
    ],
  • "etag": "string",
  • "metadata": {
    },
  • "mode": "UNRESTRICTED",
  • "requested": [
    ]
}

Response samples

Content type
application/json
{ }

DeletePolicy deletes the approval policy configuration for the given resource. When deleted, authorization checks will no longer be performed, the resource will no longer accept approval requests and all existing approvals will be revoked.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

securitygroup
required
string

Securitygroup name.

setting
required
string

Setting name.

query Parameters
force
boolean

Force the deletion of internal resources even if they are protected against deletion.

Responses

Response samples

Content type
application/json
{ }

AddApprovedAccess adds a new entry in the approved access list for the given resource.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

securitygroup
required
string

Securitygroup name.

setting
required
string

Setting name.

Request Body schema: application/json
required
required
object (v2Access)

Access is an access request for a subject with a set of permission.

Example: Access { Subject: "organizations/demo/tenants/demo/applications/caller", Permissions: []string{"GET"} }

etag
string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)

Responses

Request samples

Content type
application/json
{
  • "access": {
    },
  • "etag": "string"
}

Response samples

Content type
application/json
{ }

DeleteApprovedAccess deletes an entry from the approved list for the given resource.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

securitygroup
required
string

Securitygroup name.

setting
required
string

Setting name.

Request Body schema: application/json
required
subject
required
string

Subject for which the access request is made.

Responses

Request samples

Content type
application/json
{
  • "subject": "string"
}

Response samples

Content type
application/json
{ }

Approvals_QueryPolicies_variant_20

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

securitygroup
required
string

Securitygroup name.

setting
required
string

Setting name.

Request Body schema: application/json
required
includeDetails
boolean

IncludeDetails indicates whether to include the details of the resources that are part of the policy. When set to true, the name and description of the resource are included in the response.

includePermissions
boolean

IncludePermissions indicates whether to include the user level permissions on resources that are part of the policy. When set to true, the user level permissions are included in the response.

types
required
Array of strings

Type is the type of the resources to query for policies.

Responses

Request samples

Content type
application/json
{
  • "includeDetails": true,
  • "includePermissions": true,
  • "types": [
    ]
}

Response samples

Content type
application/json
{
  • "policies": [
    ]
}

AddAccessRequest adds a new access request entry in the access request list for the given resource. If the policy approval mode is "ALLOW_REQUESTED", access is allowed immediately. If the policy approval mode is "REQUIRE_APPROVAL" access will be pending until the request is approved.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

securitygroup
required
string

Securitygroup name.

setting
required
string

Setting name.

Request Body schema: application/json
required
required
object (v2Access)

Access is an access request for a subject with a set of permission.

Example: Access { Subject: "organizations/demo/tenants/demo/applications/caller", Permissions: []string{"GET"} }

etag
string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)

Responses

Request samples

Content type
application/json
{
  • "access": {
    },
  • "etag": "string"
}

Response samples

Content type
application/json
{ }

ApproveAccessRequest approves an existing access request for the given resource. Once approved, the request will be removed from the requested list and added to the approved list. If any of the permissions are changed, the requested permissions will be discarded and only the approved permissions will be added to the approved list.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

securitygroup
required
string

Securitygroup name.

setting
required
string

Setting name.

Request Body schema: application/json
required
required
object (v2Access)

Access is an access request for a subject with a set of permission.

Example: Access { Subject: "organizations/demo/tenants/demo/applications/caller", Permissions: []string{"GET"} }

etag
string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)

Responses

Request samples

Content type
application/json
{
  • "access": {
    },
  • "etag": "string"
}

Response samples

Content type
application/json
{ }

DeleteAccessRequest removes an existing entry from the access request list for the given resource. If the request is already approved, the request no longer exists and this operation will return NotFound. Deleting an approved request should be done using the DeleteApproved operation.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

securitygroup
required
string

Securitygroup name.

setting
required
string

Setting name.

Request Body schema: application/json
required
subject
required
string

Subject for which the access request is made.

Responses

Request samples

Content type
application/json
{
  • "subject": "string"
}

Response samples

Content type
application/json
{ }

GetPolicy returns the approval policy for the given resource.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

setting
required
string

Setting name.

Responses

Response samples

Content type
application/json
{
  • "etag": "string",
  • "mode": "UNRESTRICTED",
  • "resource": "string",
  • "requested": [
    ],
  • "approved": [
    ],
  • "metadata": {
    }
}

SetPolicy enables authorization policy checks for the given resource and applies any provided request or approval settings. If the resource has existing policies settings, they will be replaced. Once the policy is set, authorization checks will be performed for the given resource.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

setting
required
string

Setting name.

Request Body schema: application/json
required
Array of objects (v2Access)

Approved is a list of subjects that are approved to access the resource.

etag
string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)
object (v2Metadata)

Metadata includes additional information about an ApprovalPolicy or Access entity and their respective resources that they apply to.

mode
required
string (ApprovalPolicyMode)
Default: "UNRESTRICTED"
Enum: "UNRESTRICTED" "ALLOW_REQUESTED" "REQUIRE_APPROVAL"
  • UNRESTRICTED: Allows all subjects in the same policy class to access the resource.
  • ALLOW_REQUESTED: Allows only the subjects in the request and approved list to access the resource.
  • REQUIRE_APPROVAL: Allows only the subjects in the approved list to access the resource.
Array of objects (v2Access)

Requested is a list of subjects that are requested to access the resource but that have not yet been explicitly approved. The access mode of the policy will determine if the subjects in this list are given immediate access to the resource.

Responses

Request samples

Content type
application/json
{
  • "approved": [
    ],
  • "etag": "string",
  • "metadata": {
    },
  • "mode": "UNRESTRICTED",
  • "requested": [
    ]
}

Response samples

Content type
application/json
{ }

DeletePolicy deletes the approval policy configuration for the given resource. When deleted, authorization checks will no longer be performed, the resource will no longer accept approval requests and all existing approvals will be revoked.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

setting
required
string

Setting name.

query Parameters
force
boolean

Force the deletion of internal resources even if they are protected against deletion.

Responses

Response samples

Content type
application/json
{ }

AddApprovedAccess adds a new entry in the approved access list for the given resource.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

setting
required
string

Setting name.

Request Body schema: application/json
required
required
object (v2Access)

Access is an access request for a subject with a set of permission.

Example: Access { Subject: "organizations/demo/tenants/demo/applications/caller", Permissions: []string{"GET"} }

etag
string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)

Responses

Request samples

Content type
application/json
{
  • "access": {
    },
  • "etag": "string"
}

Response samples

Content type
application/json
{ }

DeleteApprovedAccess deletes an entry from the approved list for the given resource.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

setting
required
string

Setting name.

Request Body schema: application/json
required
subject
required
string

Subject for which the access request is made.

Responses

Request samples

Content type
application/json
{
  • "subject": "string"
}

Response samples

Content type
application/json
{ }

Approvals_QueryPolicies_variant_21

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

setting
required
string

Setting name.

Request Body schema: application/json
required
includeDetails
boolean

IncludeDetails indicates whether to include the details of the resources that are part of the policy. When set to true, the name and description of the resource are included in the response.

includePermissions
boolean

IncludePermissions indicates whether to include the user level permissions on resources that are part of the policy. When set to true, the user level permissions are included in the response.

types
required
Array of strings

Type is the type of the resources to query for policies.

Responses

Request samples

Content type
application/json
{
  • "includeDetails": true,
  • "includePermissions": true,
  • "types": [
    ]
}

Response samples

Content type
application/json
{
  • "policies": [
    ]
}

AddAccessRequest adds a new access request entry in the access request list for the given resource. If the policy approval mode is "ALLOW_REQUESTED", access is allowed immediately. If the policy approval mode is "REQUIRE_APPROVAL" access will be pending until the request is approved.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

setting
required
string

Setting name.

Request Body schema: application/json
required
required
object (v2Access)

Access is an access request for a subject with a set of permission.

Example: Access { Subject: "organizations/demo/tenants/demo/applications/caller", Permissions: []string{"GET"} }

etag
string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)

Responses

Request samples

Content type
application/json
{
  • "access": {
    },
  • "etag": "string"
}

Response samples

Content type
application/json
{ }

ApproveAccessRequest approves an existing access request for the given resource. Once approved, the request will be removed from the requested list and added to the approved list. If any of the permissions are changed, the requested permissions will be discarded and only the approved permissions will be added to the approved list.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

setting
required
string

Setting name.

Request Body schema: application/json
required
required
object (v2Access)

Access is an access request for a subject with a set of permission.

Example: Access { Subject: "organizations/demo/tenants/demo/applications/caller", Permissions: []string{"GET"} }

etag
string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)

Responses

Request samples

Content type
application/json
{
  • "access": {
    },
  • "etag": "string"
}

Response samples

Content type
application/json
{ }

DeleteAccessRequest removes an existing entry from the access request list for the given resource. If the request is already approved, the request no longer exists and this operation will return NotFound. Deleting an approved request should be done using the DeleteApproved operation.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

setting
required
string

Setting name.

Request Body schema: application/json
required
subject
required
string

Subject for which the access request is made.

Responses

Request samples

Content type
application/json
{
  • "subject": "string"
}

Response samples

Content type
application/json
{ }

GetPolicy returns the approval policy for the given resource.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

trafficgroup
required
string

Trafficgroup name.

Responses

Response samples

Content type
application/json
{
  • "etag": "string",
  • "mode": "UNRESTRICTED",
  • "resource": "string",
  • "requested": [
    ],
  • "approved": [
    ],
  • "metadata": {
    }
}

SetPolicy enables authorization policy checks for the given resource and applies any provided request or approval settings. If the resource has existing policies settings, they will be replaced. Once the policy is set, authorization checks will be performed for the given resource.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

trafficgroup
required
string

Trafficgroup name.

Request Body schema: application/json
required
Array of objects (v2Access)

Approved is a list of subjects that are approved to access the resource.

etag
string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)
object (v2Metadata)

Metadata includes additional information about an ApprovalPolicy or Access entity and their respective resources that they apply to.

mode
required
string (ApprovalPolicyMode)
Default: "UNRESTRICTED"
Enum: "UNRESTRICTED" "ALLOW_REQUESTED" "REQUIRE_APPROVAL"
  • UNRESTRICTED: Allows all subjects in the same policy class to access the resource.
  • ALLOW_REQUESTED: Allows only the subjects in the request and approved list to access the resource.
  • REQUIRE_APPROVAL: Allows only the subjects in the approved list to access the resource.
Array of objects (v2Access)

Requested is a list of subjects that are requested to access the resource but that have not yet been explicitly approved. The access mode of the policy will determine if the subjects in this list are given immediate access to the resource.

Responses

Request samples

Content type
application/json
{
  • "approved": [
    ],
  • "etag": "string",
  • "metadata": {
    },
  • "mode": "UNRESTRICTED",
  • "requested": [
    ]
}

Response samples

Content type
application/json
{ }

DeletePolicy deletes the approval policy configuration for the given resource. When deleted, authorization checks will no longer be performed, the resource will no longer accept approval requests and all existing approvals will be revoked.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

trafficgroup
required
string

Trafficgroup name.

query Parameters
force
boolean

Force the deletion of internal resources even if they are protected against deletion.

Responses

Response samples

Content type
application/json
{ }

AddApprovedAccess adds a new entry in the approved access list for the given resource.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

trafficgroup
required
string

Trafficgroup name.

Request Body schema: application/json
required
required
object (v2Access)

Access is an access request for a subject with a set of permission.

Example: Access { Subject: "organizations/demo/tenants/demo/applications/caller", Permissions: []string{"GET"} }

etag
string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)

Responses

Request samples

Content type
application/json
{
  • "access": {
    },
  • "etag": "string"
}

Response samples

Content type
application/json
{ }

DeleteApprovedAccess deletes an entry from the approved list for the given resource.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

trafficgroup
required
string

Trafficgroup name.

Request Body schema: application/json
required
subject
required
string

Subject for which the access request is made.

Responses

Request samples

Content type
application/json
{
  • "subject": "string"
}

Response samples

Content type
application/json
{ }

Approvals_QueryPolicies_variant_22

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

trafficgroup
required
string

Trafficgroup name.

Request Body schema: application/json
required
includeDetails
boolean

IncludeDetails indicates whether to include the details of the resources that are part of the policy. When set to true, the name and description of the resource are included in the response.

includePermissions
boolean

IncludePermissions indicates whether to include the user level permissions on resources that are part of the policy. When set to true, the user level permissions are included in the response.

types
required
Array of strings

Type is the type of the resources to query for policies.

Responses

Request samples

Content type
application/json
{
  • "includeDetails": true,
  • "includePermissions": true,
  • "types": [
    ]
}

Response samples

Content type
application/json
{
  • "policies": [
    ]
}

AddAccessRequest adds a new access request entry in the access request list for the given resource. If the policy approval mode is "ALLOW_REQUESTED", access is allowed immediately. If the policy approval mode is "REQUIRE_APPROVAL" access will be pending until the request is approved.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

trafficgroup
required
string

Trafficgroup name.

Request Body schema: application/json
required
required
object (v2Access)

Access is an access request for a subject with a set of permission.

Example: Access { Subject: "organizations/demo/tenants/demo/applications/caller", Permissions: []string{"GET"} }

etag
string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)

Responses

Request samples

Content type
application/json
{
  • "access": {
    },
  • "etag": "string"
}

Response samples

Content type
application/json
{ }

ApproveAccessRequest approves an existing access request for the given resource. Once approved, the request will be removed from the requested list and added to the approved list. If any of the permissions are changed, the requested permissions will be discarded and only the approved permissions will be added to the approved list.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

trafficgroup
required
string

Trafficgroup name.

Request Body schema: application/json
required
required
object (v2Access)

Access is an access request for a subject with a set of permission.

Example: Access { Subject: "organizations/demo/tenants/demo/applications/caller", Permissions: []string{"GET"} }

etag
string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)

Responses

Request samples

Content type
application/json
{
  • "access": {
    },
  • "etag": "string"
}

Response samples

Content type
application/json
{ }

DeleteAccessRequest removes an existing entry from the access request list for the given resource. If the request is already approved, the request no longer exists and this operation will return NotFound. Deleting an approved request should be done using the DeleteApproved operation.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

trafficgroup
required
string

Trafficgroup name.

Request Body schema: application/json
required
subject
required
string

Subject for which the access request is made.

Responses

Request samples

Content type
application/json
{
  • "subject": "string"
}

Response samples

Content type
application/json
{ }

GetPolicy returns the approval policy for the given resource.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

trafficgroup
required
string

Trafficgroup name.

serviceroute
required
string

Serviceroute name.

Responses

Response samples

Content type
application/json
{
  • "etag": "string",
  • "mode": "UNRESTRICTED",
  • "resource": "string",
  • "requested": [
    ],
  • "approved": [
    ],
  • "metadata": {
    }
}

SetPolicy enables authorization policy checks for the given resource and applies any provided request or approval settings. If the resource has existing policies settings, they will be replaced. Once the policy is set, authorization checks will be performed for the given resource.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

trafficgroup
required
string

Trafficgroup name.

serviceroute
required
string

Serviceroute name.

Request Body schema: application/json
required
Array of objects (v2Access)

Approved is a list of subjects that are approved to access the resource.

etag
string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)
object (v2Metadata)

Metadata includes additional information about an ApprovalPolicy or Access entity and their respective resources that they apply to.

mode
required
string (ApprovalPolicyMode)
Default: "UNRESTRICTED"
Enum: "UNRESTRICTED" "ALLOW_REQUESTED" "REQUIRE_APPROVAL"
  • UNRESTRICTED: Allows all subjects in the same policy class to access the resource.
  • ALLOW_REQUESTED: Allows only the subjects in the request and approved list to access the resource.
  • REQUIRE_APPROVAL: Allows only the subjects in the approved list to access the resource.
Array of objects (v2Access)

Requested is a list of subjects that are requested to access the resource but that have not yet been explicitly approved. The access mode of the policy will determine if the subjects in this list are given immediate access to the resource.

Responses

Request samples

Content type
application/json
{
  • "approved": [
    ],
  • "etag": "string",
  • "metadata": {
    },
  • "mode": "UNRESTRICTED",
  • "requested": [
    ]
}

Response samples

Content type
application/json
{ }

DeletePolicy deletes the approval policy configuration for the given resource. When deleted, authorization checks will no longer be performed, the resource will no longer accept approval requests and all existing approvals will be revoked.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

trafficgroup
required
string

Trafficgroup name.

serviceroute
required
string

Serviceroute name.

query Parameters
force
boolean

Force the deletion of internal resources even if they are protected against deletion.

Responses

Response samples

Content type
application/json
{ }

AddApprovedAccess adds a new entry in the approved access list for the given resource.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

trafficgroup
required
string

Trafficgroup name.

serviceroute
required
string

Serviceroute name.

Request Body schema: application/json
required
required
object (v2Access)

Access is an access request for a subject with a set of permission.

Example: Access { Subject: "organizations/demo/tenants/demo/applications/caller", Permissions: []string{"GET"} }

etag
string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)

Responses

Request samples

Content type
application/json
{
  • "access": {
    },
  • "etag": "string"
}

Response samples

Content type
application/json
{ }

DeleteApprovedAccess deletes an entry from the approved list for the given resource.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

trafficgroup
required
string

Trafficgroup name.

serviceroute
required
string

Serviceroute name.

Request Body schema: application/json
required
subject
required
string

Subject for which the access request is made.

Responses

Request samples

Content type
application/json
{
  • "subject": "string"
}

Response samples

Content type
application/json
{ }

Approvals_QueryPolicies_variant_24

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

trafficgroup
required
string

Trafficgroup name.

serviceroute
required
string

Serviceroute name.

Request Body schema: application/json
required
includeDetails
boolean

IncludeDetails indicates whether to include the details of the resources that are part of the policy. When set to true, the name and description of the resource are included in the response.

includePermissions
boolean

IncludePermissions indicates whether to include the user level permissions on resources that are part of the policy. When set to true, the user level permissions are included in the response.

types
required
Array of strings

Type is the type of the resources to query for policies.

Responses

Request samples

Content type
application/json
{
  • "includeDetails": true,
  • "includePermissions": true,
  • "types": [
    ]
}

Response samples

Content type
application/json
{
  • "policies": [
    ]
}

AddAccessRequest adds a new access request entry in the access request list for the given resource. If the policy approval mode is "ALLOW_REQUESTED", access is allowed immediately. If the policy approval mode is "REQUIRE_APPROVAL" access will be pending until the request is approved.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

trafficgroup
required
string

Trafficgroup name.

serviceroute
required
string

Serviceroute name.

Request Body schema: application/json
required
required
object (v2Access)

Access is an access request for a subject with a set of permission.

Example: Access { Subject: "organizations/demo/tenants/demo/applications/caller", Permissions: []string{"GET"} }

etag
string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)

Responses

Request samples

Content type
application/json
{
  • "access": {
    },
  • "etag": "string"
}

Response samples

Content type
application/json
{ }

ApproveAccessRequest approves an existing access request for the given resource. Once approved, the request will be removed from the requested list and added to the approved list. If any of the permissions are changed, the requested permissions will be discarded and only the approved permissions will be added to the approved list.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

trafficgroup
required
string

Trafficgroup name.

serviceroute
required
string

Serviceroute name.

Request Body schema: application/json
required
required
object (v2Access)

Access is an access request for a subject with a set of permission.

Example: Access { Subject: "organizations/demo/tenants/demo/applications/caller", Permissions: []string{"GET"} }

etag
string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)

Responses

Request samples

Content type
application/json
{
  • "access": {
    },
  • "etag": "string"
}

Response samples

Content type
application/json
{ }

DeleteAccessRequest removes an existing entry from the access request list for the given resource. If the request is already approved, the request no longer exists and this operation will return NotFound. Deleting an approved request should be done using the DeleteApproved operation.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

trafficgroup
required
string

Trafficgroup name.

serviceroute
required
string

Serviceroute name.

Request Body schema: application/json
required
subject
required
string

Subject for which the access request is made.

Responses

Request samples

Content type
application/json
{
  • "subject": "string"
}

Response samples

Content type
application/json
{ }

GetPolicy returns the approval policy for the given resource.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

trafficgroup
required
string

Trafficgroup name.

setting
required
string

Setting name.

Responses

Response samples

Content type
application/json
{
  • "etag": "string",
  • "mode": "UNRESTRICTED",
  • "resource": "string",
  • "requested": [
    ],
  • "approved": [
    ],
  • "metadata": {
    }
}

SetPolicy enables authorization policy checks for the given resource and applies any provided request or approval settings. If the resource has existing policies settings, they will be replaced. Once the policy is set, authorization checks will be performed for the given resource.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

trafficgroup
required
string

Trafficgroup name.

setting
required
string

Setting name.

Request Body schema: application/json
required
Array of objects (v2Access)

Approved is a list of subjects that are approved to access the resource.

etag
string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)
object (v2Metadata)

Metadata includes additional information about an ApprovalPolicy or Access entity and their respective resources that they apply to.

mode
required
string (ApprovalPolicyMode)
Default: "UNRESTRICTED"
Enum: "UNRESTRICTED" "ALLOW_REQUESTED" "REQUIRE_APPROVAL"
  • UNRESTRICTED: Allows all subjects in the same policy class to access the resource.
  • ALLOW_REQUESTED: Allows only the subjects in the request and approved list to access the resource.
  • REQUIRE_APPROVAL: Allows only the subjects in the approved list to access the resource.
Array of objects (v2Access)

Requested is a list of subjects that are requested to access the resource but that have not yet been explicitly approved. The access mode of the policy will determine if the subjects in this list are given immediate access to the resource.

Responses

Request samples

Content type
application/json
{
  • "approved": [
    ],
  • "etag": "string",
  • "metadata": {
    },
  • "mode": "UNRESTRICTED",
  • "requested": [
    ]
}

Response samples

Content type
application/json
{ }

DeletePolicy deletes the approval policy configuration for the given resource. When deleted, authorization checks will no longer be performed, the resource will no longer accept approval requests and all existing approvals will be revoked.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

trafficgroup
required
string

Trafficgroup name.

setting
required
string

Setting name.

query Parameters
force
boolean

Force the deletion of internal resources even if they are protected against deletion.

Responses

Response samples

Content type
application/json
{ }

AddApprovedAccess adds a new entry in the approved access list for the given resource.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

trafficgroup
required
string

Trafficgroup name.

setting
required
string

Setting name.

Request Body schema: application/json
required
required
object (v2Access)

Access is an access request for a subject with a set of permission.

Example: Access { Subject: "organizations/demo/tenants/demo/applications/caller", Permissions: []string{"GET"} }

etag
string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)

Responses

Request samples

Content type
application/json
{
  • "access": {
    },
  • "etag": "string"
}

Response samples

Content type
application/json
{ }

DeleteApprovedAccess deletes an entry from the approved list for the given resource.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

trafficgroup
required
string

Trafficgroup name.

setting
required
string

Setting name.

Request Body schema: application/json
required
subject
required
string

Subject for which the access request is made.

Responses

Request samples

Content type
application/json
{
  • "subject": "string"
}

Response samples

Content type
application/json
{ }

Approvals_QueryPolicies_variant_23

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

trafficgroup
required
string

Trafficgroup name.

setting
required
string

Setting name.

Request Body schema: application/json
required
includeDetails
boolean

IncludeDetails indicates whether to include the details of the resources that are part of the policy. When set to true, the name and description of the resource are included in the response.

includePermissions
boolean

IncludePermissions indicates whether to include the user level permissions on resources that are part of the policy. When set to true, the user level permissions are included in the response.

types
required
Array of strings

Type is the type of the resources to query for policies.

Responses

Request samples

Content type
application/json
{
  • "includeDetails": true,
  • "includePermissions": true,
  • "types": [
    ]
}

Response samples

Content type
application/json
{
  • "policies": [
    ]
}

AddAccessRequest adds a new access request entry in the access request list for the given resource. If the policy approval mode is "ALLOW_REQUESTED", access is allowed immediately. If the policy approval mode is "REQUIRE_APPROVAL" access will be pending until the request is approved.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

trafficgroup
required
string

Trafficgroup name.

setting
required
string

Setting name.

Request Body schema: application/json
required
required
object (v2Access)

Access is an access request for a subject with a set of permission.

Example: Access { Subject: "organizations/demo/tenants/demo/applications/caller", Permissions: []string{"GET"} }

etag
string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)

Responses

Request samples

Content type
application/json
{
  • "access": {
    },
  • "etag": "string"
}

Response samples

Content type
application/json
{ }

ApproveAccessRequest approves an existing access request for the given resource. Once approved, the request will be removed from the requested list and added to the approved list. If any of the permissions are changed, the requested permissions will be discarded and only the approved permissions will be added to the approved list.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

trafficgroup
required
string

Trafficgroup name.

setting
required
string

Setting name.

Request Body schema: application/json
required
required
object (v2Access)

Access is an access request for a subject with a set of permission.

Example: Access { Subject: "organizations/demo/tenants/demo/applications/caller", Permissions: []string{"GET"} }

etag
string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)

Responses

Request samples

Content type
application/json
{
  • "access": {
    },
  • "etag": "string"
}

Response samples

Content type
application/json
{ }

DeleteAccessRequest removes an existing entry from the access request list for the given resource. If the request is already approved, the request no longer exists and this operation will return NotFound. Deleting an approved request should be done using the DeleteApproved operation.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

trafficgroup
required
string

Trafficgroup name.

setting
required
string

Setting name.

Request Body schema: application/json
required
subject
required
string

Subject for which the access request is made.

Responses

Request samples

Content type
application/json
{
  • "subject": "string"
}

Response samples

Content type
application/json
{ }

GetPolicy returns the approval policy for the given resource.

path Parameters
organization
required
string

Organization name.

user
required
string

User name.

Responses

Response samples

Content type
application/json
{
  • "etag": "string",
  • "mode": "UNRESTRICTED",
  • "resource": "string",
  • "requested": [
    ],
  • "approved": [
    ],
  • "metadata": {
    }
}

SetPolicy enables authorization policy checks for the given resource and applies any provided request or approval settings. If the resource has existing policies settings, they will be replaced. Once the policy is set, authorization checks will be performed for the given resource.

path Parameters
organization
required
string

Organization name.

user
required
string

User name.

Request Body schema: application/json
required
Array of objects (v2Access)

Approved is a list of subjects that are approved to access the resource.

etag
string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)
object (v2Metadata)

Metadata includes additional information about an ApprovalPolicy or Access entity and their respective resources that they apply to.

mode
required
string (ApprovalPolicyMode)
Default: "UNRESTRICTED"
Enum: "UNRESTRICTED" "ALLOW_REQUESTED" "REQUIRE_APPROVAL"
  • UNRESTRICTED: Allows all subjects in the same policy class to access the resource.
  • ALLOW_REQUESTED: Allows only the subjects in the request and approved list to access the resource.
  • REQUIRE_APPROVAL: Allows only the subjects in the approved list to access the resource.
Array of objects (v2Access)

Requested is a list of subjects that are requested to access the resource but that have not yet been explicitly approved. The access mode of the policy will determine if the subjects in this list are given immediate access to the resource.

Responses

Request samples

Content type
application/json
{
  • "approved": [
    ],
  • "etag": "string",
  • "metadata": {
    },
  • "mode": "UNRESTRICTED",
  • "requested": [
    ]
}

Response samples

Content type
application/json
{ }

DeletePolicy deletes the approval policy configuration for the given resource. When deleted, authorization checks will no longer be performed, the resource will no longer accept approval requests and all existing approvals will be revoked.

path Parameters
organization
required
string

Organization name.

user
required
string

User name.

query Parameters
force
boolean

Force the deletion of internal resources even if they are protected against deletion.

Responses

Response samples

Content type
application/json
{ }

AddApprovedAccess adds a new entry in the approved access list for the given resource.

path Parameters
organization
required
string

Organization name.

user
required
string

User name.

Request Body schema: application/json
required
required
object (v2Access)

Access is an access request for a subject with a set of permission.

Example: Access { Subject: "organizations/demo/tenants/demo/applications/caller", Permissions: []string{"GET"} }

etag
string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)

Responses

Request samples

Content type
application/json
{
  • "access": {
    },
  • "etag": "string"
}

Response samples

Content type
application/json
{ }

DeleteApprovedAccess deletes an entry from the approved list for the given resource.

path Parameters
organization
required
string

Organization name.

user
required
string

User name.

Request Body schema: application/json
required
subject
required
string

Subject for which the access request is made.

Responses

Request samples

Content type
application/json
{
  • "subject": "string"
}

Response samples

Content type
application/json
{ }

Approvals_QueryPolicies_variant_7

path Parameters
organization
required
string

Organization name.

user
required
string

User name.

Request Body schema: application/json
required
includeDetails
boolean

IncludeDetails indicates whether to include the details of the resources that are part of the policy. When set to true, the name and description of the resource are included in the response.

includePermissions
boolean

IncludePermissions indicates whether to include the user level permissions on resources that are part of the policy. When set to true, the user level permissions are included in the response.

types
required
Array of strings

Type is the type of the resources to query for policies.

Responses

Request samples

Content type
application/json
{
  • "includeDetails": true,
  • "includePermissions": true,
  • "types": [
    ]
}

Response samples

Content type
application/json
{
  • "policies": [
    ]
}

AddAccessRequest adds a new access request entry in the access request list for the given resource. If the policy approval mode is "ALLOW_REQUESTED", access is allowed immediately. If the policy approval mode is "REQUIRE_APPROVAL" access will be pending until the request is approved.

path Parameters
organization
required
string

Organization name.

user
required
string

User name.

Request Body schema: application/json
required
required
object (v2Access)

Access is an access request for a subject with a set of permission.

Example: Access { Subject: "organizations/demo/tenants/demo/applications/caller", Permissions: []string{"GET"} }

etag
string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)

Responses

Request samples

Content type
application/json
{
  • "access": {
    },
  • "etag": "string"
}

Response samples

Content type
application/json
{ }

ApproveAccessRequest approves an existing access request for the given resource. Once approved, the request will be removed from the requested list and added to the approved list. If any of the permissions are changed, the requested permissions will be discarded and only the approved permissions will be added to the approved list.

path Parameters
organization
required
string

Organization name.

user
required
string

User name.

Request Body schema: application/json
required
required
object (v2Access)

Access is an access request for a subject with a set of permission.

Example: Access { Subject: "organizations/demo/tenants/demo/applications/caller", Permissions: []string{"GET"} }

etag
string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)

Responses

Request samples

Content type
application/json
{
  • "access": {
    },
  • "etag": "string"
}

Response samples

Content type
application/json
{ }

DeleteAccessRequest removes an existing entry from the access request list for the given resource. If the request is already approved, the request no longer exists and this operation will return NotFound. Deleting an approved request should be done using the DeleteApproved operation.

path Parameters
organization
required
string

Organization name.

user
required
string

User name.

Request Body schema: application/json
required
subject
required
string

Subject for which the access request is made.

Responses

Request samples

Content type
application/json
{
  • "subject": "string"
}

Response samples

Content type
application/json
{ }

Permissions

GetResourcePermission looks up permissions that are allowed for the current principal. on the given resource FQN. This is similar to QueryResourcePermission but limited to a single resource FQN.

path Parameters
organization
required
string

Organization name.

cluster
required
string

Cluster name.

Responses

Response samples

Content type
application/json
{
  • "rules": [
    ]
}

GetResourcePermission looks up permissions that are allowed for the current principal. on the given resource FQN. This is similar to QueryResourcePermission but limited to a single resource FQN.

path Parameters
organization
required
string

Organization name.

extension
required
string

Extension name.

Responses

Response samples

Content type
application/json
{
  • "rules": [
    ]
}

GetResourcePermission looks up permissions that are allowed for the current principal. on the given resource FQN. This is similar to QueryResourcePermission but limited to a single resource FQN.

path Parameters
organization
required
string

Organization name.

Responses

Response samples

Content type
application/json
{
  • "rules": [
    ]
}

GetResourcePermission looks up permissions that are allowed for the current principal. on the given resource FQN. This is similar to QueryResourcePermission but limited to a single resource FQN.

path Parameters
organization
required
string

Organization name.

serviceaccount
required
string

Serviceaccount name.

Responses

Response samples

Content type
application/json
{
  • "rules": [
    ]
}

GetResourcePermission looks up permissions that are allowed for the current principal. on the given resource FQN. This is similar to QueryResourcePermission but limited to a single resource FQN.

path Parameters
organization
required
string

Organization name.

service
required
string

Service name.

Responses

Response samples

Content type
application/json
{
  • "rules": [
    ]
}

GetResourcePermission looks up permissions that are allowed for the current principal. on the given resource FQN. This is similar to QueryResourcePermission but limited to a single resource FQN.

path Parameters
organization
required
string

Organization name.

setting
required
string

Setting name.

Responses

Response samples

Content type
application/json
{
  • "rules": [
    ]
}

GetResourcePermission looks up permissions that are allowed for the current principal. on the given resource FQN. This is similar to QueryResourcePermission but limited to a single resource FQN.

path Parameters
organization
required
string

Organization name.

team
required
string

Team name.

Responses

Response samples

Content type
application/json
{
  • "rules": [
    ]
}

GetResourcePermission looks up permissions that are allowed for the current principal. on the given resource FQN. This is similar to QueryResourcePermission but limited to a single resource FQN.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

application
required
string

Application name.

api
required
string

Api name.

Responses

Response samples

Content type
application/json
{
  • "rules": [
    ]
}

GetResourcePermission looks up permissions that are allowed for the current principal. on the given resource FQN. This is similar to QueryResourcePermission but limited to a single resource FQN.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

application
required
string

Application name.

Responses

Response samples

Content type
application/json
{
  • "rules": [
    ]
}

GetResourcePermission looks up permissions that are allowed for the current principal. on the given resource FQN. This is similar to QueryResourcePermission but limited to a single resource FQN.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

Responses

Response samples

Content type
application/json
{
  • "rules": [
    ]
}

GetResourcePermission looks up permissions that are allowed for the current principal. on the given resource FQN. This is similar to QueryResourcePermission but limited to a single resource FQN.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

setting
required
string

Setting name.

Responses

Response samples

Content type
application/json
{
  • "rules": [
    ]
}

GetResourcePermission looks up permissions that are allowed for the current principal. on the given resource FQN. This is similar to QueryResourcePermission but limited to a single resource FQN.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

gatewaygroup
required
string

Gatewaygroup name.

egressgateway
required
string

Egressgateway name.

Responses

Response samples

Content type
application/json
{
  • "rules": [
    ]
}

GetResourcePermission looks up permissions that are allowed for the current principal. on the given resource FQN. This is similar to QueryResourcePermission but limited to a single resource FQN.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

gatewaygroup
required
string

Gatewaygroup name.

ingressgateway
required
string

Ingressgateway name.

Responses

Response samples

Content type
application/json
{
  • "rules": [
    ]
}

GetResourcePermission looks up permissions that are allowed for the current principal. on the given resource FQN. This is similar to QueryResourcePermission but limited to a single resource FQN.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

gatewaygroup
required
string

Gatewaygroup name.

Responses

Response samples

Content type
application/json
{
  • "rules": [
    ]
}

GetResourcePermission looks up permissions that are allowed for the current principal. on the given resource FQN. This is similar to QueryResourcePermission but limited to a single resource FQN.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

gatewaygroup
required
string

Gatewaygroup name.

tie1gateway
required
string

Tie1gateway name.

Responses

Response samples

Content type
application/json
{
  • "rules": [
    ]
}

GetResourcePermission looks up permissions that are allowed for the current principal. on the given resource FQN. This is similar to QueryResourcePermission but limited to a single resource FQN.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

istiointernalgroup
required
string

Istiointernalgroup name.

Responses

Response samples

Content type
application/json
{
  • "rules": [
    ]
}

GetResourcePermission looks up permissions that are allowed for the current principal. on the given resource FQN. This is similar to QueryResourcePermission but limited to a single resource FQN.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

istiointernalgroup
required
string

Istiointernalgroup name.

setting
required
string

Setting name.

Responses

Response samples

Content type
application/json
{
  • "rules": [
    ]
}

GetResourcePermission looks up permissions that are allowed for the current principal. on the given resource FQN. This is similar to QueryResourcePermission but limited to a single resource FQN.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

Responses

Response samples

Content type
application/json
{
  • "rules": [
    ]
}

GetResourcePermission looks up permissions that are allowed for the current principal. on the given resource FQN. This is similar to QueryResourcePermission but limited to a single resource FQN.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

securitygroup
required
string

Securitygroup name.

Responses

Response samples

Content type
application/json
{
  • "rules": [
    ]
}

GetResourcePermission looks up permissions that are allowed for the current principal. on the given resource FQN. This is similar to QueryResourcePermission but limited to a single resource FQN.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

securitygroup
required
string

Securitygroup name.

setting
required
string

Setting name.

Responses

Response samples

Content type
application/json
{
  • "rules": [
    ]
}

GetResourcePermission looks up permissions that are allowed for the current principal. on the given resource FQN. This is similar to QueryResourcePermission but limited to a single resource FQN.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

setting
required
string

Setting name.

Responses

Response samples

Content type
application/json
{
  • "rules": [
    ]
}

GetResourcePermission looks up permissions that are allowed for the current principal. on the given resource FQN. This is similar to QueryResourcePermission but limited to a single resource FQN.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

trafficgroup
required
string

Trafficgroup name.

Responses

Response samples

Content type
application/json
{
  • "rules": [
    ]
}

GetResourcePermission looks up permissions that are allowed for the current principal. on the given resource FQN. This is similar to QueryResourcePermission but limited to a single resource FQN.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

trafficgroup
required
string

Trafficgroup name.

serviceroute
required
string

Serviceroute name.

Responses

Response samples

Content type
application/json
{
  • "rules": [
    ]
}

GetResourcePermission looks up permissions that are allowed for the current principal. on the given resource FQN. This is similar to QueryResourcePermission but limited to a single resource FQN.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

trafficgroup
required
string

Trafficgroup name.

setting
required
string

Setting name.

Responses

Response samples

Content type
application/json
{
  • "rules": [
    ]
}

GetResourcePermission looks up permissions that are allowed for the current principal. on the given resource FQN. This is similar to QueryResourcePermission but limited to a single resource FQN.

path Parameters
organization
required
string

Organization name.

user
required
string

User name.

Responses

Response samples

Content type
application/json
{
  • "rules": [
    ]
}

QueryResourcePermission looks up permissions that are allowed for the current principal. Multiple records can be queried with a single request. Query limit is 100, multiple requests are required to lookup more than the limit.

Request Body schema: application/json
required

Request to query permissions on multiple records.

Example: QueryResourcePermissionsRequest { Queries: []Query{ Query{ QueryID: "1234", Kind: Query_Fqn{ Fqn: "tetrate/tenants/default/workspaces/example" } } } }

Array of objects (Query format of the resource lookup for the permission check)

One or more resources to query permissions on, limited to 100 per request.

Array
queryId
string

Optional ID that is an open string the caller can use for correlation purposes.

fqn
string

Fully-qualified name of the resource.

Responses

Request samples

Content type
application/json
{
  • "queries": [
    ]
}

Response samples

Content type
application/json
{
  • "results": [
    ]
}

Policy

Get the global RBAC access policy. The global RBAC access policy configures who can manage the Role objects in TSB.

Responses

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "etag": "string",
  • "description": "string",
  • "allow": [
    ]
}

Set the global RBAC access policy. The global RBAC access policy configures who can manage the Role objects in TSB.

Request Body schema: application/json
required

A policy defines the set of subjects that can access a resource and under which conditions that access is granted.

etag
string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)
description
string (A description of the resource. $hide_from_yaml)
Array of objects (v2Binding)

The list of allowed bindings configures the different access profiles that are allowed on the resource configured by the policy.

Responses

Request samples

Content type
application/json
{
  • "etag": "string",
  • "description": "string",
  • "allow": [
    ]
}

Response samples

Content type
application/json
{ }

Get the root access policy. The root access policy configures global permissions for the platform. Subjects assigned to a root policy will be granted the permissions described in the policy to all objects ion TSB.

Responses

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "etag": "string",
  • "description": "string",
  • "allow": [
    ]
}

Set the root access policy. The root access policy configures global permissions for the platform. Subjects assigned to a root policy will be granted the permissions described in the policy to all objects ion TSB.

Request Body schema: application/json
required

A policy defines the set of subjects that can access a resource and under which conditions that access is granted.

etag
string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)
description
string (A description of the resource. $hide_from_yaml)
Array of objects (v2Binding)

The list of allowed bindings configures the different access profiles that are allowed on the resource configured by the policy.

Responses

Request samples

Content type
application/json
{
  • "etag": "string",
  • "description": "string",
  • "allow": [
    ]
}

Response samples

Content type
application/json
{ }

Get the access policy for the given resource.

path Parameters
organization
required
string

Organization name.

cluster
required
string

Cluster name.

Responses

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "etag": "string",
  • "description": "string",
  • "allow": [
    ]
}

Set the access policy for the given resource.

path Parameters
organization
required
string

Organization name.

cluster
required
string

Cluster name.

Request Body schema: application/json
required
Array of objects (v2Binding)

The list of allowed bindings configures the different access profiles that are allowed on the resource configured by the policy.

description
string (A description of the resource. $hide_from_yaml)
etag
string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)

Responses

Request samples

Content type
application/json
{
  • "allow": [
    ],
  • "description": "string",
  • "etag": "string"
}

Response samples

Content type
application/json
{ }

Get the access policy for the given resource.

path Parameters
organization
required
string

Organization name.

extension
required
string

Extension name.

Responses

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "etag": "string",
  • "description": "string",
  • "allow": [
    ]
}

Set the access policy for the given resource.

path Parameters
organization
required
string

Organization name.

extension
required
string

Extension name.

Request Body schema: application/json
required
Array of objects (v2Binding)

The list of allowed bindings configures the different access profiles that are allowed on the resource configured by the policy.

description
string (A description of the resource. $hide_from_yaml)
etag
string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)

Responses

Request samples

Content type
application/json
{
  • "allow": [
    ],
  • "description": "string",
  • "etag": "string"
}

Response samples

Content type
application/json
{ }

Get the access policy for the given resource.

path Parameters
organization
required
string

Organization name.

Responses

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "etag": "string",
  • "description": "string",
  • "allow": [
    ]
}

Set the access policy for the given resource.

path Parameters
organization
required
string

Organization name.

Request Body schema: application/json
required
Array of objects (v2Binding)

The list of allowed bindings configures the different access profiles that are allowed on the resource configured by the policy.

description
string (A description of the resource. $hide_from_yaml)
etag
string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)

Responses

Request samples

Content type
application/json
{
  • "allow": [
    ],
  • "description": "string",
  • "etag": "string"
}

Response samples

Content type
application/json
{ }

Get the access policy for the given resource.

path Parameters
organization
required
string

Organization name.

serviceaccount
required
string

Serviceaccount name.

Responses

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "etag": "string",
  • "description": "string",
  • "allow": [
    ]
}

Set the access policy for the given resource.

path Parameters
organization
required
string

Organization name.

serviceaccount
required
string

Serviceaccount name.

Request Body schema: application/json
required
Array of objects (v2Binding)

The list of allowed bindings configures the different access profiles that are allowed on the resource configured by the policy.

description
string (A description of the resource. $hide_from_yaml)
etag
string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)

Responses

Request samples

Content type
application/json
{
  • "allow": [
    ],
  • "description": "string",
  • "etag": "string"
}

Response samples

Content type
application/json
{ }

Get the access policy for the given resource.

path Parameters
organization
required
string

Organization name.

service
required
string

Service name.

Responses

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "etag": "string",
  • "description": "string",
  • "allow": [
    ]
}

Set the access policy for the given resource.

path Parameters
organization
required
string

Organization name.

service
required
string

Service name.

Request Body schema: application/json
required
Array of objects (v2Binding)

The list of allowed bindings configures the different access profiles that are allowed on the resource configured by the policy.

description
string (A description of the resource. $hide_from_yaml)
etag
string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)

Responses

Request samples

Content type
application/json
{
  • "allow": [
    ],
  • "description": "string",
  • "etag": "string"
}

Response samples

Content type
application/json
{ }

Get the access policy for the given resource.

path Parameters
organization
required
string

Organization name.

setting
required
string

Setting name.

Responses

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "etag": "string",
  • "description": "string",
  • "allow": [
    ]
}

Set the access policy for the given resource.

path Parameters
organization
required
string

Organization name.

setting
required
string

Setting name.

Request Body schema: application/json
required
Array of objects (v2Binding)

The list of allowed bindings configures the different access profiles that are allowed on the resource configured by the policy.

description
string (A description of the resource. $hide_from_yaml)
etag
string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)

Responses

Request samples

Content type
application/json
{
  • "allow": [
    ],
  • "description": "string",
  • "etag": "string"
}

Response samples

Content type
application/json
{ }

Get the access policy for the given resource.

path Parameters
organization
required
string

Organization name.

team
required
string

Team name.

Responses

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "etag": "string",
  • "description": "string",
  • "allow": [
    ]
}

Set the access policy for the given resource.

path Parameters
organization
required
string

Organization name.

team
required
string

Team name.

Request Body schema: application/json
required
Array of objects (v2Binding)

The list of allowed bindings configures the different access profiles that are allowed on the resource configured by the policy.

description
string (A description of the resource. $hide_from_yaml)
etag
string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)

Responses

Request samples

Content type
application/json
{
  • "allow": [
    ],
  • "description": "string",
  • "etag": "string"
}

Response samples

Content type
application/json
{ }

Get the access policy for the given resource.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

application
required
string

Application name.

api
required
string

Api name.

Responses

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "etag": "string",
  • "description": "string",
  • "allow": [
    ]
}

Set the access policy for the given resource.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

application
required
string

Application name.

api
required
string

Api name.

Request Body schema: application/json
required
Array of objects (v2Binding)

The list of allowed bindings configures the different access profiles that are allowed on the resource configured by the policy.

description
string (A description of the resource. $hide_from_yaml)
etag
string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)

Responses

Request samples

Content type
application/json
{
  • "allow": [
    ],
  • "description": "string",
  • "etag": "string"
}

Response samples

Content type
application/json
{ }

Get the access policy for the given resource.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

application
required
string

Application name.

Responses

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "etag": "string",
  • "description": "string",
  • "allow": [
    ]
}

Set the access policy for the given resource.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

application
required
string

Application name.

Request Body schema: application/json
required
Array of objects (v2Binding)

The list of allowed bindings configures the different access profiles that are allowed on the resource configured by the policy.

description
string (A description of the resource. $hide_from_yaml)
etag
string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)

Responses

Request samples

Content type
application/json
{
  • "allow": [
    ],
  • "description": "string",
  • "etag": "string"
}

Response samples

Content type
application/json
{ }

Get the access policy for the given resource.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

Responses

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "etag": "string",
  • "description": "string",
  • "allow": [
    ]
}

Set the access policy for the given resource.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

Request Body schema: application/json
required
Array of objects (v2Binding)

The list of allowed bindings configures the different access profiles that are allowed on the resource configured by the policy.

description
string (A description of the resource. $hide_from_yaml)
etag
string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)

Responses

Request samples

Content type
application/json
{
  • "allow": [
    ],
  • "description": "string",
  • "etag": "string"
}

Response samples

Content type
application/json
{ }

Get the access policy for the given resource.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

setting
required
string

Setting name.

Responses

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "etag": "string",
  • "description": "string",
  • "allow": [
    ]
}

Set the access policy for the given resource.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

setting
required
string

Setting name.

Request Body schema: application/json
required
Array of objects (v2Binding)

The list of allowed bindings configures the different access profiles that are allowed on the resource configured by the policy.

description
string (A description of the resource. $hide_from_yaml)
etag
string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)

Responses

Request samples

Content type
application/json
{
  • "allow": [
    ],
  • "description": "string",
  • "etag": "string"
}

Response samples

Content type
application/json
{ }

Get the access policy for the given resource.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

gatewaygroup
required
string

Gatewaygroup name.

egressgateway
required
string

Egressgateway name.

Responses

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "etag": "string",
  • "description": "string",
  • "allow": [
    ]
}

Set the access policy for the given resource.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

gatewaygroup
required
string

Gatewaygroup name.

egressgateway
required
string

Egressgateway name.

Request Body schema: application/json
required
Array of objects (v2Binding)

The list of allowed bindings configures the different access profiles that are allowed on the resource configured by the policy.

description
string (A description of the resource. $hide_from_yaml)
etag
string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)

Responses

Request samples

Content type
application/json
{
  • "allow": [
    ],
  • "description": "string",
  • "etag": "string"
}

Response samples

Content type
application/json
{ }

Get the access policy for the given resource.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

gatewaygroup
required
string

Gatewaygroup name.

ingressgateway
required
string

Ingressgateway name.

Responses

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "etag": "string",
  • "description": "string",
  • "allow": [
    ]
}

Set the access policy for the given resource.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

gatewaygroup
required
string

Gatewaygroup name.

ingressgateway
required
string

Ingressgateway name.

Request Body schema: application/json
required
Array of objects (v2Binding)

The list of allowed bindings configures the different access profiles that are allowed on the resource configured by the policy.

description
string (A description of the resource. $hide_from_yaml)
etag
string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)

Responses

Request samples

Content type
application/json
{
  • "allow": [
    ],
  • "description": "string",
  • "etag": "string"
}

Response samples

Content type
application/json
{ }

Get the access policy for the given resource.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

gatewaygroup
required
string

Gatewaygroup name.

Responses

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "etag": "string",
  • "description": "string",
  • "allow": [
    ]
}

Set the access policy for the given resource.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

gatewaygroup
required
string

Gatewaygroup name.

Request Body schema: application/json
required
Array of objects (v2Binding)

The list of allowed bindings configures the different access profiles that are allowed on the resource configured by the policy.

description
string (A description of the resource. $hide_from_yaml)
etag
string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)

Responses

Request samples

Content type
application/json
{
  • "allow": [
    ],
  • "description": "string",
  • "etag": "string"
}

Response samples

Content type
application/json
{ }

Get the access policy for the given resource.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

gatewaygroup
required
string

Gatewaygroup name.

tie1gateway
required
string

Tie1gateway name.

Responses

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "etag": "string",
  • "description": "string",
  • "allow": [
    ]
}

Set the access policy for the given resource.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

gatewaygroup
required
string

Gatewaygroup name.

tie1gateway
required
string

Tie1gateway name.

Request Body schema: application/json
required
Array of objects (v2Binding)

The list of allowed bindings configures the different access profiles that are allowed on the resource configured by the policy.

description
string (A description of the resource. $hide_from_yaml)
etag
string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)

Responses

Request samples

Content type
application/json
{
  • "allow": [
    ],
  • "description": "string",
  • "etag": "string"
}

Response samples

Content type
application/json
{ }

Get the access policy for the given resource.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

istiointernalgroup
required
string

Istiointernalgroup name.

Responses

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "etag": "string",
  • "description": "string",
  • "allow": [
    ]
}

Set the access policy for the given resource.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

istiointernalgroup
required
string

Istiointernalgroup name.

Request Body schema: application/json
required
Array of objects (v2Binding)

The list of allowed bindings configures the different access profiles that are allowed on the resource configured by the policy.

description
string (A description of the resource. $hide_from_yaml)
etag
string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)

Responses

Request samples

Content type
application/json
{
  • "allow": [
    ],
  • "description": "string",
  • "etag": "string"
}

Response samples

Content type
application/json
{ }

Get the access policy for the given resource.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

istiointernalgroup
required
string

Istiointernalgroup name.

setting
required
string

Setting name.

Responses

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "etag": "string",
  • "description": "string",
  • "allow": [
    ]
}

Set the access policy for the given resource.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

istiointernalgroup
required
string

Istiointernalgroup name.

setting
required
string

Setting name.

Request Body schema: application/json
required
Array of objects (v2Binding)

The list of allowed bindings configures the different access profiles that are allowed on the resource configured by the policy.

description
string (A description of the resource. $hide_from_yaml)
etag
string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)

Responses

Request samples

Content type
application/json
{
  • "allow": [
    ],
  • "description": "string",
  • "etag": "string"
}

Response samples

Content type
application/json
{ }

Get the access policy for the given resource.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

Responses

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "etag": "string",
  • "description": "string",
  • "allow": [
    ]
}

Set the access policy for the given resource.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

Request Body schema: application/json
required
Array of objects (v2Binding)

The list of allowed bindings configures the different access profiles that are allowed on the resource configured by the policy.

description
string (A description of the resource. $hide_from_yaml)
etag
string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)

Responses

Request samples

Content type
application/json
{
  • "allow": [
    ],
  • "description": "string",
  • "etag": "string"
}

Response samples

Content type
application/json
{ }

Get the access policy for the given resource.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

securitygroup
required
string

Securitygroup name.

Responses

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "etag": "string",
  • "description": "string",
  • "allow": [
    ]
}

Set the access policy for the given resource.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

securitygroup
required
string

Securitygroup name.

Request Body schema: application/json
required
Array of objects (v2Binding)

The list of allowed bindings configures the different access profiles that are allowed on the resource configured by the policy.

description
string (A description of the resource. $hide_from_yaml)
etag
string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)

Responses

Request samples

Content type
application/json
{
  • "allow": [
    ],
  • "description": "string",
  • "etag": "string"
}

Response samples

Content type
application/json
{ }

Get the access policy for the given resource.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

securitygroup
required
string

Securitygroup name.

setting
required
string

Setting name.

Responses

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "etag": "string",
  • "description": "string",
  • "allow": [
    ]
}

Set the access policy for the given resource.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

securitygroup
required
string

Securitygroup name.

setting
required
string

Setting name.

Request Body schema: application/json
required
Array of objects (v2Binding)

The list of allowed bindings configures the different access profiles that are allowed on the resource configured by the policy.

description
string (A description of the resource. $hide_from_yaml)
etag
string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)

Responses

Request samples

Content type
application/json
{
  • "allow": [
    ],
  • "description": "string",
  • "etag": "string"
}

Response samples

Content type
application/json
{ }

Get the access policy for the given resource.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

setting
required
string

Setting name.

Responses

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "etag": "string",
  • "description": "string",
  • "allow": [
    ]
}

Set the access policy for the given resource.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

setting
required
string

Setting name.

Request Body schema: application/json
required
Array of objects (v2Binding)

The list of allowed bindings configures the different access profiles that are allowed on the resource configured by the policy.

description
string (A description of the resource. $hide_from_yaml)
etag
string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)

Responses

Request samples

Content type
application/json
{
  • "allow": [
    ],
  • "description": "string",
  • "etag": "string"
}

Response samples

Content type
application/json
{ }

Get the access policy for the given resource.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

trafficgroup
required
string

Trafficgroup name.

Responses

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "etag": "string",
  • "description": "string",
  • "allow": [
    ]
}

Set the access policy for the given resource.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

trafficgroup
required
string

Trafficgroup name.

Request Body schema: application/json
required
Array of objects (v2Binding)

The list of allowed bindings configures the different access profiles that are allowed on the resource configured by the policy.

description
string (A description of the resource. $hide_from_yaml)
etag
string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)

Responses

Request samples

Content type
application/json
{
  • "allow": [
    ],
  • "description": "string",
  • "etag": "string"
}

Response samples

Content type
application/json
{ }

Get the access policy for the given resource.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

trafficgroup
required
string

Trafficgroup name.

serviceroute
required
string

Serviceroute name.

Responses

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "etag": "string",
  • "description": "string",
  • "allow": [
    ]
}

Set the access policy for the given resource.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

trafficgroup
required
string

Trafficgroup name.

serviceroute
required
string

Serviceroute name.

Request Body schema: application/json
required
Array of objects (v2Binding)

The list of allowed bindings configures the different access profiles that are allowed on the resource configured by the policy.

description
string (A description of the resource. $hide_from_yaml)
etag
string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)

Responses

Request samples

Content type
application/json
{
  • "allow": [
    ],
  • "description": "string",
  • "etag": "string"
}

Response samples

Content type
application/json
{ }

Get the access policy for the given resource.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

trafficgroup
required
string

Trafficgroup name.

setting
required
string

Setting name.

Responses

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "etag": "string",
  • "description": "string",
  • "allow": [
    ]
}

Set the access policy for the given resource.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

trafficgroup
required
string

Trafficgroup name.

setting
required
string

Setting name.

Request Body schema: application/json
required
Array of objects (v2Binding)

The list of allowed bindings configures the different access profiles that are allowed on the resource configured by the policy.

description
string (A description of the resource. $hide_from_yaml)
etag
string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)

Responses

Request samples

Content type
application/json
{
  • "allow": [
    ],
  • "description": "string",
  • "etag": "string"
}

Response samples

Content type
application/json
{ }

Get the access policy for the given resource.

path Parameters
organization
required
string

Organization name.

user
required
string

User name.

Responses

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "etag": "string",
  • "description": "string",
  • "allow": [
    ]
}

Set the access policy for the given resource.

path Parameters
organization
required
string

Organization name.

user
required
string

User name.

Request Body schema: application/json
required
Array of objects (v2Binding)

The list of allowed bindings configures the different access profiles that are allowed on the resource configured by the policy.

description
string (A description of the resource. $hide_from_yaml)
etag
string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)

Responses

Request samples

Content type
application/json
{
  • "allow": [
    ],
  • "description": "string",
  • "etag": "string"
}

Response samples

Content type
application/json
{ }

RBAC

List all existing roles.

Responses

Response samples

Content type
application/json
{
  • "roles": [
    ]
}

Create a new role.

Request Body schema: application/json
required

Request to create a Role.

name
required
string

The short name for the resource to be created.

required
object (v2Role)

Role is a named collection of permissions that can be assigned to any user or team in the system.

Responses

Request samples

Content type
application/json
{
  • "name": "string",
  • "role": {
    }
}

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "displayName": "string",
  • "etag": "string",
  • "description": "string",
  • "rules": [
    ]
}

Get the details of the given role.

path Parameters
rba
required
string

Rba name.

Responses

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "displayName": "string",
  • "etag": "string",
  • "description": "string",
  • "rules": [
    ]
}

Modify a role.

path Parameters
rba
required
string

Rba name.

Request Body schema: application/json
required
description
string (A description of the resource. $hide_from_yaml)
displayName
string (User friendly name for the resource. $hide_from_yaml)
etag
string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)
Array of objects (A rule defines the set of api groups)

A set of rules that define the permissions associated with each API group.

Responses

Request samples

Content type
application/json
{
  • "description": "string",
  • "displayName": "string",
  • "etag": "string",
  • "rules": [
    ]
}

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "displayName": "string",
  • "etag": "string",
  • "description": "string",
  • "rules": [
    ]
}

Delete a role. NRoles that are in use by policies attached to existing resources cannot be deleted.

path Parameters
rba
required
string

Rba name.

Responses

Response samples

Content type
application/json
{ }

Lookup

Get all the services in the registry that are part of the given selector. This method can be used to resolve the registered services that are part of a workspace or group. This method can be also used to figure out how applying a selector could affect the platform and have an understanding of which of the existing services would be included in the selection.

Request Body schema: application/json
required

Request for all the services in the registry that are part of the given selector.

required
object (`NamespaceSelector` selects a set of namespaces across one or more clusters in a tenant. Namespace selectors can be used at Workspace level to carve out a chunk of resources under a tenant into an isolated configuration domain. They can be used in a Traffic, Security, or a Gateway group to further scope the set of namespaces that will belong to a specific configuration group. Names in namespaces selector must be in the form `cluster/namespace` where: - cluster must be a cluster name or an `*` to mean all clusters - namespace must be a namespace name, an `*` to mean all namespaces or a prefix like `ns-*` to mean all those namespaces starting by `ns-`)
parent
required
string (The FQN of the parent object where services will be looked up)

Responses

Request samples

Content type
application/json
{
  • "selector": {
    },
  • "parent": "string"
}

Response samples

Content type
application/json
{
  • "services": [
    ]
}

Get all the groups that configure the given service in the registry.

path Parameters
organization
required
string

Organization name.

service
required
string

Service name.

Responses

Response samples

Content type
application/json
{
  • "trafficGroups": [
    ],
  • "securityGroups": [
    ],
  • "gatewayGroups": [
    ],
  • "istioInternalGroups": [
    ]
}

Registration

List the services that have been registered in an organization

path Parameters
organization
required
string

Organization name.

Responses

Response samples

Content type
application/json
{
  • "services": [
    ]
}

Register the given service in the organization. Services in the registry are deduplicated so that the same service running in different clusters are represented as a single entity in the registry. The service returned by this method is the result of deduplicating the service. This API is currently only intended for internal use by the discovery agents. $hide_from_docs

path Parameters
organization
required
string

Organization name.

Request Body schema: application/json
required
canonicalName
string

optional canonical name that identify this service.

cluster
required
string

Name of the cluster where the service belongs to. This will be used to load the deduplication settings that have been configured for the cluster where the service belongs.

externalAddresses
Array of strings

For kubernetes services of type load balancer, this field contains the list of lb hostnames or IPs assigned to the service.

hostnames
Array of strings

The hostnames by which this service is accessed. Can correspond to the hostname of an internal service or that ones of a virtual host on a gateway.

namespace
required
string

Namespace associated with the service. It will be used in deduplication logic.

Array of objects (v2Port)

The set of ports on which this service is exposed.

serviceType
required
string (v2ServiceType)
Default: "INVALID_TYPE"
Enum: "INVALID_TYPE" "INTERNAL" "LOADBALANCER" "MESH_EXTERNAL"

ServiceType denotes the exposition of a service in the mesh.

  • INTERNAL: A regular service that is not directly exposed to the outside world.
  • LOADBALANCER: A load balancer service running only the proxy as the workload.
  • MESH_EXTERNAL: A mesh external service.
shortName
required
string

Short name for the service, used to uniquely identify it within the organization.

source
required
string

Source of the service: Kubernetes, Istio, Consul, etc.

spiffeIds
Array of strings

List of SPIFFE identities used by the workloads of the service.

state
required
string (v2State)
Default: "INVALID_STATE"
Enum: "INVALID_STATE" "EXTERNAL" "OBSERVED" "CONTROLLED"

State denotes how deep is the knowledge of a service by the mesh. Meaning that if a service can be controlled, observed or none of these.

  • EXTERNAL: An external service is a service that is known, but that cannot be observed (we can't get metrics for it) and cannot be controlled.
  • OBSERVED: An observed service is a known service that we can have metrics for. For example, a service running the Skywalking agents.
  • CONTROLLED: A controlled service is a service that is part of the mesh and has a proxy we can configure.
subsets
Array of strings

Subset denotes a specific version of a service. By default the 'version' label is used to designate subsets of a workload. Known subsets for the service.

Responses

Request samples

Content type
application/json
{
  • "canonicalName": "string",
  • "cluster": "string",
  • "externalAddresses": [
    ],
  • "hostnames": [
    ],
  • "namespace": "string",
  • "ports": [
    ],
  • "serviceType": "INVALID_TYPE",
  • "shortName": "string",
  • "source": "string",
  • "spiffeIds": [
    ],
  • "state": "INVALID_STATE",
  • "subsets": [
    ]
}

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "displayName": "string",
  • "etag": "string",
  • "description": "string",
  • "shortName": "string",
  • "hostnames": [
    ],
  • "ports": [
    ],
  • "subsets": [
    ],
  • "serviceType": "INVALID_TYPE",
  • "externalAddresses": [
    ],
  • "state": "INVALID_STATE",
  • "metrics": [
    ],
  • "serviceDeployments": [
    ],
  • "subsetDeployments": [
    ],
  • "canonicalName": "string",
  • "spiffeIds": [
    ]
}

Remove the given service from the organization registry. This API is currently only intended for internal use by the discovery agents. $hide_from_docs

path Parameters
organization
required
string

Organization name.

Request Body schema: application/json
required
cluster
required
string

Name of the cluster of the service.

namespace
required
string

Namespace of the service.

shortName
required
string (Name attribute of the service)

Responses

Request samples

Content type
application/json
{
  • "cluster": "string",
  • "namespace": "string",
  • "shortName": "string"
}

Response samples

Content type
application/json
{ }

Get the details of a registered service

path Parameters
organization
required
string

Organization name.

service
required
string

Service name.

Responses

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "displayName": "string",
  • "etag": "string",
  • "description": "string",
  • "shortName": "string",
  • "hostnames": [
    ],
  • "ports": [
    ],
  • "subsets": [
    ],
  • "serviceType": "INVALID_TYPE",
  • "externalAddresses": [
    ],
  • "state": "INVALID_STATE",
  • "metrics": [
    ],
  • "serviceDeployments": [
    ],
  • "subsetDeployments": [
    ],
  • "canonicalName": "string",
  • "spiffeIds": [
    ]
}

Security

List all security groups in the given workspace.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

Responses

Response samples

Content type
application/json
{
  • "groups": [
    ]
}

Create a new security group in the given workspace.

Groups will by default configure all the namespaces owned by their workspace, unless explicitly configured. If a specific set of namespaces is set for the group, it must be a subset of the namespaces defined by its workspace.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

Request Body schema: application/json
required
required
object (v2Group)

A gateway group manages the gateways in a group of namespaces owned by the parent workspace.

name
required
string

The short name for the resource to be created.

Responses

Request samples

Content type
application/json
{
  • "group": {
    },
  • "name": "string"
}

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "displayName": "string",
  • "etag": "string",
  • "description": "string",
  • "namespaceSelector": {
    },
  • "configMode": "BRIDGED",
  • "deletionProtectionEnabled": true,
  • "configGenerationMetadata": {
    }
}

Get the details of the given security group.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

securitygroup
required
string

Securitygroup name.

Responses

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "displayName": "string",
  • "etag": "string",
  • "description": "string",
  • "namespaceSelector": {
    },
  • "configMode": "BRIDGED",
  • "deletionProtectionEnabled": true,
  • "configGenerationMetadata": {
    }
}

Modify a security group.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

securitygroup
required
string

Securitygroup name.

Request Body schema: application/json
required
object (v2ConfigGenerationMetadata)

ConfigGenerationMetadata allows to setup extra metadata that will be added in the final Istio generated configurations. Like new labels or annotations. Defining the config generation metadata in tenancy resources (like organization, tenant, workspace or groups) works as default values for those configs that belong to it. Defining same config generation metadata in configuration resources (like ingress gateways, service routes, etc.) will replace the ones defined in the tenancy resources.

configMode
string (v2ConfigMode)
Default: "BRIDGED"
Enum: "BRIDGED" "DIRECT"

The configuration mode used by a traffic, security or a gateway group.

  • BRIDGED: Indicates that the configurations to be added to the group will use macro APIs that automatically generate Istio APIs under the hood.
  • DIRECT: Indicates that the configurations to be added to the group will directly use Istio APIs.
deletionProtectionEnabled
boolean

When set, prevents the resource from being deleted. In order to delete the resource this property needs to be set to false first.

description
string (A description of the resource. $hide_from_yaml)
displayName
string (User friendly name for the resource. $hide_from_yaml)
etag
string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)
required
object (`NamespaceSelector` selects a set of namespaces across one or more clusters in a tenant. Namespace selectors can be used at Workspace level to carve out a chunk of resources under a tenant into an isolated configuration domain. They can be used in a Traffic, Security, or a Gateway group to further scope the set of namespaces that will belong to a specific configuration group. Names in namespaces selector must be in the form `cluster/namespace` where: - cluster must be a cluster name or an `*` to mean all clusters - namespace must be a namespace name, an `*` to mean all namespaces or a prefix like `ns-*` to mean all those namespaces starting by `ns-`)
securityDomain
string

Security domains can be used to group different resources under the same security domain. Although security domain is not resource itself currently, it follows a fqn format organizations/myorg/securitydomains/mysecuritydomain, and a child cannot override any ancestor's security domain. Once a security domain is assigned to a Security group, all the children resources will belong to that security domain in the same way a Security setting belongs to a Security group, a Security setting will also belong to the security domain assigned to the Security group. Security domains can also be used to define Security settings Authorization rules in which you can allow or deny request from or to a security domain.

Responses

Request samples

Content type
application/json
{
  • "configGenerationMetadata": {
    },
  • "configMode": "BRIDGED",
  • "deletionProtectionEnabled": true,
  • "description": "string",
  • "displayName": "string",
  • "etag": "string",
  • "namespaceSelector": {
    },
  • "securityDomain": "string"
}

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "displayName": "string",
  • "etag": "string",
  • "description": "string",
  • "namespaceSelector": {
    },
  • "configMode": "BRIDGED",
  • "deletionProtectionEnabled": true,
  • "configGenerationMetadata": {
    }
}

Delete the given security group. Note that deleting resources in TSB is a recursive operation. Deleting a security group will delete all configuration objects that exist in it.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

securitygroup
required
string

Securitygroup name.

query Parameters
force
boolean

Force the deletion of the object even if deletion protection is enabled. If this is set, then the object and all its children will be deleted even if any of them has the deletion protection enabled.

Responses

Response samples

Content type
application/json
{ }

List all service security settings objects that have been attached to the security group.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

securitygroup
required
string

Securitygroup name.

Responses

Response samples

Content type
application/json
{
  • "settings": [
    ]
}

Create a service security settings object in the security group.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

securitygroup
required
string

Securitygroup name.

Request Body schema: application/json
required
name
required
string

The short name for the resource to be created.

required
object (v2ServiceSecuritySetting)

A service security setting applies configuration to a service in a security group. Missing fields will inherit values from the workspace-wide setting if any.

Responses

Request samples

Content type
application/json
{
  • "name": "string",
  • "settings": {
    }
}

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "displayName": "string",
  • "etag": "string",
  • "description": "string",
  • "service": "string",
  • "settings": {
    },
  • "subsets": [
    ],
  • "configGenerationMetadata": {
    }
}

Get the details of the given service security settings object.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

securitygroup
required
string

Securitygroup name.

servicesetting
required
string

Servicesetting name.

Responses

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "displayName": "string",
  • "etag": "string",
  • "description": "string",
  • "service": "string",
  • "settings": {
    },
  • "subsets": [
    ],
  • "configGenerationMetadata": {
    }
}

Modify the given service security settings object.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

securitygroup
required
string

Securitygroup name.

servicesetting
required
string

Servicesetting name.

Request Body schema: application/json
required
object (v2ConfigGenerationMetadata)

ConfigGenerationMetadata allows to setup extra metadata that will be added in the final Istio generated configurations. Like new labels or annotations. Defining the config generation metadata in tenancy resources (like organization, tenant, workspace or groups) works as default values for those configs that belong to it. Defining same config generation metadata in configuration resources (like ingress gateways, service routes, etc.) will replace the ones defined in the tenancy resources.

description
string (A description of the resource. $hide_from_yaml)
displayName
string (User friendly name for the resource. $hide_from_yaml)
etag
string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)
service
required
string

The service on which the configuration is being applied. Must be in namespace/FQDN format.

object (v2SecuritySetting)

A security setting applies configuration to a set of proxy workloads in a security group or a workspace. When applied to a security group, missing fields will inherit values from the workspace-wide setting if any.

Array of objects (ServiceSecuritySettingSubset)

Subset specific settings that will replace the service wide settings for the specified service subsets.

Responses

Request samples

Content type
application/json
{
  • "configGenerationMetadata": {
    },
  • "description": "string",
  • "displayName": "string",
  • "etag": "string",
  • "service": "string",
  • "settings": {
    },
  • "subsets": [
    ]
}

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "displayName": "string",
  • "etag": "string",
  • "description": "string",
  • "service": "string",
  • "settings": {
    },
  • "subsets": [
    ],
  • "configGenerationMetadata": {
    }
}

Delete the given service security settings from the group.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

securitygroup
required
string

Securitygroup name.

servicesetting
required
string

Servicesetting name.

Responses

Response samples

Content type
application/json
{ }

List all security settings objects that have been attached to the security group.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

securitygroup
required
string

Securitygroup name.

Responses

Response samples

Content type
application/json
{
  • "settings": [
    ]
}

Create a security settings object in the security group.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

securitygroup
required
string

Securitygroup name.

Request Body schema: application/json
required
name
required
string

The short name for the resource to be created.

required
object (v2SecuritySetting)

A security setting applies configuration to a set of proxy workloads in a security group or a workspace. When applied to a security group, missing fields will inherit values from the workspace-wide setting if any.

Responses

Request samples

Content type
application/json
{
  • "name": "string",
  • "settings": {
    }
}

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "displayName": "string",
  • "etag": "string",
  • "description": "string",
  • "authentication": "UNSET",
  • "authorization": {
    },
  • "authenticationSettings": {
    },
  • "waf": {
    },
  • "propagationStrategy": "REPLACE",
  • "extension": [
    ],
  • "configGenerationMetadata": {
    }
}

Get the details of the given security settings object.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

securitygroup
required
string

Securitygroup name.

setting
required
string

Setting name.

Responses

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "displayName": "string",
  • "etag": "string",
  • "description": "string",
  • "authentication": "UNSET",
  • "authorization": {
    },
  • "authenticationSettings": {
    },
  • "waf": {
    },
  • "propagationStrategy": "REPLACE",
  • "extension": [
    ],
  • "configGenerationMetadata": {
    }
}

Modify the given security settings object.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

securitygroup
required
string

Securitygroup name.

setting
required
string

Setting name.

Request Body schema: application/json
required
authentication
string (SecuritySettingAuthenticationMode)
Default: "UNSET"
Enum: "UNSET" "OPTIONAL" "REQUIRED"

AuthenticationMode indicates whether to accept only Istio mutual TLS authenticated traffic or allow legacy plaintext traffic as well.

  • UNSET: Inherit from parent, if has one. Otherwise treated as OPTIONAL.
  • OPTIONAL: Accept both plaintext and mTLS authenticated connections.
  • REQUIRED: Accept only mutual TLS authenticated connections.
object (v2AuthenticationSettings)

AuthenticationSettings represents configuration related to authenticating traffic within the mesh and end-user credentials if present. It is HIGHLY RECOMMENDED to enable mutual TLS when end-user credentials are present. Sending credentials like JWT over plaintext is a security risk.

object (v2AuthorizationSettings)

AuthorizationSettings define the set of service accounts in one or more namespaces allowed to access a workload (and hence its sidecar) in the mesh.

object (v2ConfigGenerationMetadata)

ConfigGenerationMetadata allows to setup extra metadata that will be added in the final Istio generated configurations. Like new labels or annotations. Defining the config generation metadata in tenancy resources (like organization, tenant, workspace or groups) works as default values for those configs that belong to it. Defining same config generation metadata in configuration resources (like ingress gateways, service routes, etc.) will replace the ones defined in the tenancy resources.

description
string (A description of the resource. $hide_from_yaml)
displayName
string (User friendly name for the resource. $hide_from_yaml)
etag
string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)
Array of objects (v2WasmExtensionAttachment)

Extensions specifies all the WasmExtensions assigned to this SecuritySettings with the specific configuration for each extension. This custom configuration will override the one configured globally to the extension. Each extension has a global configuration including enabling and priority that will condition the execution of the assigned extensions.

propagationStrategy
string (v2PropagationStrategy)
Default: "REPLACE"
Enum: "REPLACE" "STRICTER"

The PropagationStrategy is the key differentiating factor to decide how a security policy should be propagated and applied at runtime across clusters. The default propagation strategy is REPLACE, in which a lower level SecuritySetting in the configuration hierarchy replaces a higher level SecuritySetting. The STRICTER PropagationStrategy on the other hand makes sure the default SecuritySettings configured at the parent level are always enforced and propagated down the hierarchy unless additional SecuritySettings are defined and restricted further in the configuration hierarchy.

  • REPLACE should be used when resources in the hierarchy are allowed to override the default settings configured at the higher levels.
  • STRICTER should be used when the default settings must prevail, and the settings can only be made more restrictive by child resources at lower levels of the hierarchy.

When a resource or property of it affected by the propagation strategy is propagated down the hierarchy, regardless of the defined strategy (REPLACE or STRICTER), a parent defined resource or a property of the resource will be used (propagated) in absence of a child resource or a property of it.

For example, the following policy configures optional mTLS for traffic within the workspace, but it allows SecuritySettings to modify it. The example shows a workspace that configures service-to-service access so that only services in the same workspace can talk to each other. The REPLACE propagation policy allows individual settings to override it. In the example, the SecuritySettings allows services within that group to be reachable from any service in the cluster, regardless for the workspace they belong to, even though the Workspace restricts service-to-service access to only services in the Workspace.

apiVersion: api.tsb.tetrate.io/v2
kind: WorkspaceSetting
metadata:
  name: w1-settings
  workspace: w1
  tenant: mycompany
  organization: myorg
spec:
  defaultSecuritySetting:
    propagationStrategy: REPLACE
    authorization:
      mode: WORKSPACE
---
apiVersion: security.tsb.tetrate.io/v2
kind: SecuritySetting
metadata:
  name: defaults
  group: t1
  workspace: w1
  tenant: mycompany
  organization: myorg
spec:
  authorization:
    mode: CLUSTER

STRICTER propagation configures defaults that can be only be restricted down the hierarchy. The following example configures the same WorkspaceSetting but with a STRICTER propagation mode. The defaults SecuritySetting further narrows down that access to the GROUP scope, which is allowed because GROUP is more strict than WORKSPACE. However, the defaults-invalid SecuritySetting configures CLUSTER access, which would widen the scope defined at the Workspace. That settings will not be allowed based on the STRICTER propagation policy.

apiVersion: api.tsb.tetrate.io/v2
kind: WorkspaceSetting
metadata:
  name: w1-settings
  workspace: w1
  tenant: mycompany
  organization: myorg
spec:
  defaultSecuritySetting:
    propagationStrategy: STRICTER
    authorization:
      mode: WORKSPACE
---
apiVersion: security.tsb.tetrate.io/v2
kind: SecuritySetting
metadata:
  name: defaults
  group: t1
  workspace: w1
  tenant: mycompany
  organization: myorg
spec:
  authorization:
    mode: GROUP
---
apiVersion: security.tsb.tetrate.io/v2
kind: SecuritySetting
metadata:
  name: defaults-invalid
  group: t2
  workspace: w1
  tenant: mycompany
  organization: myorg
spec:
  authorization:
    mode: CLUSTER

Further details of how security settings are resolved between in STRICTER mode between a parent and a child resource can be found in the SecuritySettings reference.

  • REPLACE: Is the default configuration propagation strategy. A lower defined configuration in the hierarchy will replace a higher configuration in the hierarchy. Otherwise, if a lower configuration is not defined, the configuration higher up in the hierarchy will prevail. For instance, a defined default propagation strategy for workspace default security settings will replace tenant's defined default security settings.
  • STRICTER: STRICTER propagation strategy propagates the strictest configuration between a defined higher level and a defined lower level configuration in the hierarchy. If a lower level configuration in the hierarchy is not defined, the higher one will prevail. Which configuration is stricter than the other is defined by each concrete configuration that allows specifying a propagation strategy.
object (WAFSettings configure WAF based on seclang See https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual-%28v3.x%29#Configuration_Directives)

Responses

Request samples

Content type
application/json
{
  • "authentication": "UNSET",
  • "authenticationSettings": {
    },
  • "authorization": {
    },
  • "configGenerationMetadata": {
    },
  • "description": "string",
  • "displayName": "string",
  • "etag": "string",
  • "extension": [
    ],
  • "propagationStrategy": "REPLACE",
  • "waf": {
    }
}

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "displayName": "string",
  • "etag": "string",
  • "description": "string",
  • "authentication": "UNSET",
  • "authorization": {
    },
  • "authenticationSettings": {
    },
  • "waf": {
    },
  • "propagationStrategy": "REPLACE",
  • "extension": [
    ],
  • "configGenerationMetadata": {
    }
}

Delete the given security settings from the group.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

securitygroup
required
string

Securitygroup name.

setting
required
string

Setting name.

Responses

Response samples

Content type
application/json
{ }

Traffic

List all traffic groups in the given workspace.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

Responses

Response samples

Content type
application/json
{
  • "groups": [
    ]
}

Create a new traffic group in the given workspace.

Groups will by default configure all the namespaces owned by their workspace, unless explicitly configured. If a specific set of namespaces is set for the group, it must be a subset of the namespaces defined by its workspace.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

Request Body schema: application/json
required
required
object (v2Group)

A gateway group manages the gateways in a group of namespaces owned by the parent workspace.

name
required
string

The short name for the resource to be created.

Responses

Request samples

Content type
application/json
{
  • "group": {
    },
  • "name": "string"
}

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "displayName": "string",
  • "etag": "string",
  • "description": "string",
  • "namespaceSelector": {
    },
  • "configMode": "BRIDGED",
  • "deletionProtectionEnabled": true,
  • "configGenerationMetadata": {
    }
}

Get the details of the given traffic group.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

trafficgroup
required
string

Trafficgroup name.

Responses

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "displayName": "string",
  • "etag": "string",
  • "description": "string",
  • "namespaceSelector": {
    },
  • "configMode": "BRIDGED",
  • "deletionProtectionEnabled": true,
  • "configGenerationMetadata": {
    }
}

Modify the given traffic group.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

trafficgroup
required
string

Trafficgroup name.

Request Body schema: application/json
required
object (v2ConfigGenerationMetadata)

ConfigGenerationMetadata allows to setup extra metadata that will be added in the final Istio generated configurations. Like new labels or annotations. Defining the config generation metadata in tenancy resources (like organization, tenant, workspace or groups) works as default values for those configs that belong to it. Defining same config generation metadata in configuration resources (like ingress gateways, service routes, etc.) will replace the ones defined in the tenancy resources.

configMode
string (v2ConfigMode)
Default: "BRIDGED"
Enum: "BRIDGED" "DIRECT"

The configuration mode used by a traffic, security or a gateway group.

  • BRIDGED: Indicates that the configurations to be added to the group will use macro APIs that automatically generate Istio APIs under the hood.
  • DIRECT: Indicates that the configurations to be added to the group will directly use Istio APIs.
deletionProtectionEnabled
boolean

When set, prevents the resource from being deleted. In order to delete the resource this property needs to be set to false first.

description
string (A description of the resource. $hide_from_yaml)
displayName
string (User friendly name for the resource. $hide_from_yaml)
etag
string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)
required
object (`NamespaceSelector` selects a set of namespaces across one or more clusters in a tenant. Namespace selectors can be used at Workspace level to carve out a chunk of resources under a tenant into an isolated configuration domain. They can be used in a Traffic, Security, or a Gateway group to further scope the set of namespaces that will belong to a specific configuration group. Names in namespaces selector must be in the form `cluster/namespace` where: - cluster must be a cluster name or an `*` to mean all clusters - namespace must be a namespace name, an `*` to mean all namespaces or a prefix like `ns-*` to mean all those namespaces starting by `ns-`)

Responses

Request samples

Content type
application/json
{
  • "configGenerationMetadata": {
    },
  • "configMode": "BRIDGED",
  • "deletionProtectionEnabled": true,
  • "description": "string",
  • "displayName": "string",
  • "etag": "string",
  • "namespaceSelector": {
    }
}

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "displayName": "string",
  • "etag": "string",
  • "description": "string",
  • "namespaceSelector": {
    },
  • "configMode": "BRIDGED",
  • "deletionProtectionEnabled": true,
  • "configGenerationMetadata": {
    }
}

Delete the given traffic group. Note that deleting resources in TSB is a recursive operation. Deleting a traffic group will delete all configuration objects that exist in it.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

trafficgroup
required
string

Trafficgroup name.

query Parameters
force
boolean

Force the deletion of the object even if deletion protection is enabled. If this is set, then the object and all its children will be deleted even if any of them has the deletion protection enabled.

Responses

Response samples

Content type
application/json
{ }

List all service routes that have been attached to the traffic group.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

trafficgroup
required
string

Trafficgroup name.

Responses

Response samples

Content type
application/json
{
  • "serviceRoutes": [
    ]
}

Create a new service route in the given traffic group.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

trafficgroup
required
string

Trafficgroup name.

Request Body schema: application/json
required
name
required
string

The short name for the resource to be created.

required
object (v2ServiceRoute)

A service route controls routing configurations for traffic to a service in a traffic group.

Responses

Request samples

Content type
application/json
{
  • "name": "string",
  • "serviceRoute": {
    }
}

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "displayName": "string",
  • "etag": "string",
  • "description": "string",
  • "service": "string",
  • "subsets": [
    ],
  • "stickySession": {
    },
  • "portLevelSettings": [
    ],
  • "httpRoutes": [
    ],
  • "tcpRoutes": [
    ],
  • "configGenerationMetadata": {
    }
}

Get the details of the given service route.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

trafficgroup
required
string

Trafficgroup name.

serviceroute
required
string

Serviceroute name.

Responses

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "displayName": "string",
  • "etag": "string",
  • "description": "string",
  • "service": "string",
  • "subsets": [
    ],
  • "stickySession": {
    },
  • "portLevelSettings": [
    ],
  • "httpRoutes": [
    ],
  • "tcpRoutes": [
    ],
  • "configGenerationMetadata": {
    }
}

Modify a service route.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

trafficgroup
required
string

Trafficgroup name.

serviceroute
required
string

Serviceroute name.

Request Body schema: application/json
required
object (v2ConfigGenerationMetadata)

ConfigGenerationMetadata allows to setup extra metadata that will be added in the final Istio generated configurations. Like new labels or annotations. Defining the config generation metadata in tenancy resources (like organization, tenant, workspace or groups) works as default values for those configs that belong to it. Defining same config generation metadata in configuration resources (like ingress gateways, service routes, etc.) will replace the ones defined in the tenancy resources.

description
string (A description of the resource. $hide_from_yaml)
displayName
string (User friendly name for the resource. $hide_from_yaml)
etag
string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)
Array of objects (v2HTTPRoute)

HTTPRoutes are used when HTTP traffic needs to be matched on uri, headers and port and destination routes need to be set using subset-weight combinations specified within the route. Note: If a route is specified, then the global subset-weight combinations (specified under subsets) will be ignored for the matched port, as subsets within route will take effect.

Array of objects (In order to support multi-protocol routing, a list of all port/protocol combinations is needed. These port settings are applied to all the subsets)
service
required
string

The service on which the configuration is being applied. Must be in namespace/FQDN format.

object (ServiceRouteStickySession)

If set, all requests from a client will be forward to the same backend.

Array of objects (ServiceRouteSubset)

The set of versions of a service and the percentage of traffic to send to each version.

Array of objects (v2TCPRoute)

TCPRoutes match TCP traffic based on port number. The subset-weight configuration and priority have the same behaviour as HTTPRoutes.

Responses

Request samples

Content type
application/json
{
  • "configGenerationMetadata": {
    },
  • "description": "string",
  • "displayName": "string",
  • "etag": "string",
  • "httpRoutes": [
    ],
  • "portLevelSettings": [
    ],
  • "service": "string",
  • "stickySession": {
    },
  • "subsets": [
    ],
  • "tcpRoutes": [
    ]
}

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "displayName": "string",
  • "etag": "string",
  • "description": "string",
  • "service": "string",
  • "subsets": [
    ],
  • "stickySession": {
    },
  • "portLevelSettings": [
    ],
  • "httpRoutes": [
    ],
  • "tcpRoutes": [
    ],
  • "configGenerationMetadata": {
    }
}

Delete the given service route.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

trafficgroup
required
string

Trafficgroup name.

serviceroute
required
string

Serviceroute name.

Responses

Response samples

Content type
application/json
{ }

List all the settings objects that have been attached to the given traffic group.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

trafficgroup
required
string

Trafficgroup name.

Responses

Response samples

Content type
application/json
{
  • "settings": [
    ]
}

Create a settings object for the given traffic group.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

trafficgroup
required
string

Trafficgroup name.

Request Body schema: application/json
required
name
required
string

The short name for the resource to be created.

required
object (v2TrafficSetting)

A traffic setting applies configuration to a set of proxy workloads in a traffic group or a workspace. When applied to a traffic group, missing fields will inherit values from the workspace-wide setting if any.

Responses

Request samples

Content type
application/json
{
  • "name": "string",
  • "settings": {
    }
}

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "displayName": "string",
  • "etag": "string",
  • "description": "string",
  • "reachability": {
    },
  • "resilience": {
    },
  • "egress": {
    },
  • "rateLimiting": {
    },
  • "upstreamTrafficSettings": [
    ],
  • "configGenerationMetadata": {
    }
}

Get the details for the given settings object.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

trafficgroup
required
string

Trafficgroup name.

setting
required
string

Setting name.

Responses

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "displayName": "string",
  • "etag": "string",
  • "description": "string",
  • "reachability": {
    },
  • "resilience": {
    },
  • "egress": {
    },
  • "rateLimiting": {
    },
  • "upstreamTrafficSettings": [
    ],
  • "configGenerationMetadata": {
    }
}

Modify the given settings in the given traffic group.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

trafficgroup
required
string

Trafficgroup name.

setting
required
string

Setting name.

Request Body schema: application/json
required
object (v2ConfigGenerationMetadata)

ConfigGenerationMetadata allows to setup extra metadata that will be added in the final Istio generated configurations. Like new labels or annotations. Defining the config generation metadata in tenancy resources (like organization, tenant, workspace or groups) works as default values for those configs that belong to it. Defining same config generation metadata in configuration resources (like ingress gateways, service routes, etc.) will replace the ones defined in the tenancy resources.

description
string (A description of the resource. $hide_from_yaml)
displayName
string (User friendly name for the resource. $hide_from_yaml)
object (TrafficSettingEgressGateway)

EgressGateway specifies the gateway where traffic external to the mesh will be redirected.

etag
string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)
object (v2RateLimiting)

Configuration for ratelimiting HTTP/gRPC requests can be rate limited based on a variety of attributes in the request such as headers (including cookies), URL path/prefixes, client remote address etc.

object (v2ReachabilitySettings)

ReachabilitySettings define the set of services and hosts accessed by a workload (and hence its sidecar) in the mesh. Defining the set of services accessed by a workload (i.e. its dependencies) in advance reduces the memory and CPU consumption both the Istio control plane and the individual Envoy proxy workloads in the data plane.

object (v2ResilienceSettings)

ResilienceSettings control the reliability knobs in Envoy when making outbound connections from a gateway or proxy workload.

Array of objects (v2UpstreamTrafficSettings)

List of hosts and the associated traffic settings to be used by the clients that are downstreams to the defined upstream hosts.

Responses

Request samples

Content type
application/json
{
  • "configGenerationMetadata": {
    },
  • "description": "string",
  • "displayName": "string",
  • "egress": {
    },
  • "etag": "string",
  • "rateLimiting": {
    },
  • "reachability": {
    },
  • "resilience": {
    },
  • "upstreamTrafficSettings": [
    ]
}

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "displayName": "string",
  • "etag": "string",
  • "description": "string",
  • "reachability": {
    },
  • "resilience": {
    },
  • "egress": {
    },
  • "rateLimiting": {
    },
  • "upstreamTrafficSettings": [
    ],
  • "configGenerationMetadata": {
    }
}

Delete the given settings object from the traffic group.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

trafficgroup
required
string

Trafficgroup name.

setting
required
string

Setting name.

Responses

Response samples

Content type
application/json
{ }

Clusters

Get the list of all clusters that have been onboarded into the platform.

path Parameters
organization
required
string

Organization name.

query Parameters
fetchWorkloads
boolean

Flag to fetch the workload information for all the clusters as well. Note that by default workload information is not returned as it may be expensive to retrieve.

Responses

Response samples

Content type
application/json
{
  • "clusters": [
    ]
}

Creates a new cluster object in TSB. This is needed during cluster onboarding to let the management plane know about the existence of a cluster. Once a cluster has been created and fully onboarded, the management plane will manage the mesh for that cluster and keep this cluster entity up to date with the information that is reported by the cluster agents. This method returns the created cluster, that will be continuously updated by the local cluster agents. This entity can be monitored to have an overview of the resources (namespaces, services, etc) that are known to be running in the cluster.

This action will also create a service account with permissions to manage this cluster. This service account (aka cluster service account) can be used in the ControlPlane installation to authenticate it through the ManagementPlane.

As part of the response, a template will be provided (in the field installTemplate) with minimum configuration to be able to install the TSB Operator in the cluster running as ControlPlane. This data is not stored and will be only available in the response of this action.

path Parameters
organization
required
string

Organization name.

Request Body schema: application/json
required
required
object (v2Cluster)

A Kubernetes cluster managing both pods and VMs.

name
required
string

The short name for the resource to be created.

Responses

Request samples

Content type
application/json
{
  • "cluster": {
    },
  • "name": "string"
}

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "displayName": "string",
  • "etag": "string",
  • "description": "string",
  • "tokenTtl": "string",
  • "network": "string",
  • "tier1Cluster": true,
  • "namespaces": [
    ],
  • "labels": {
    },
  • "locality": {
    },
  • "trustDomain": "string",
  • "namespaceScope": {
    },
  • "state": {
    },
  • "serviceAccount": {
    },
  • "installTemplate": {
    }
}

Get the last known state for an onboarded cluster. Once a cluster has been onboarded into the platform, the agents will keep it up to date with its runtime status. Getting the cluster object will return the last known snapshot of existing namespaces and services running in it.

path Parameters
organization
required
string

Organization name.

cluster
required
string

Cluster name.

query Parameters
fetchWorkloads
boolean

Flag to fetch the workload information as well. Note that by default workload information is not returned as it may be expensive to retrieve.

includeInstallTemplate
boolean

Flag to return the install template required to install this cluster. This will generate a new API key pair for the cluster service account.

Responses

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "displayName": "string",
  • "etag": "string",
  • "description": "string",
  • "tokenTtl": "string",
  • "network": "string",
  • "tier1Cluster": true,
  • "namespaces": [
    ],
  • "labels": {
    },
  • "locality": {
    },
  • "trustDomain": "string",
  • "namespaceScope": {
    },
  • "state": {
    },
  • "serviceAccount": {
    },
  • "installTemplate": {
    }
}

Modify an existing cluster. Updates a cluster with the given data. Note that most of the data in the cluster is read-only and automatically populated by the local cluster agents.

path Parameters
organization
required
string

Organization name.

cluster
required
string

Cluster name.

Request Body schema: application/json
required
description
string (A description of the resource. $hide_from_yaml)
displayName
string (User friendly name for the resource. $hide_from_yaml)
etag
string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)
object (ClusterInstallTemplate)

InstallTemplate provides templates ready to be used in the ControlPlane (cluster onboard) installation.

object (FIXME: this is super clunky to copy each and every metadata field into objects used for multicluster. $hide_from_yaml)
object (v2Locality)

The region the cluster resides. Used for failover based routing when configured in the workspace or global settings.

object (v2NamespaceScoping)

Configure the default scoping of namespaces in this cluster.

network
string

The network (e.g., VPC) where this cluster is present. All clusters within the same network will be assumed to be reachable for the purposes of multi-cluster routing. In addition, networks marked as reachable from one another in SystemSettings will also be used for multi-cluster routing.

object (tsbv2ServiceAccount)

ServiceAccount represents a service account that can be used to access the TSB platform. Service accounts have a set of associated public and private keys that can be used to generate signed JWT tokens that are suitable to authenticate to TSB. A default key-pair is generated on service account creation and the public key is stored in TSB. Private keys are returned when service accounts are created, but TSB will not store them. It is up to the client to store them securely.

object (State represents the cluster info learned from the onboarded cluster)
tier1Cluster
boolean

Deprecated: This flag is still honored for backward compatibility but will be ignored in future releases. It is advisable not to set it, as all clusters can now host both Tier1 and IngressGateways.

Indicates whether this cluster is hosting a tier1 gateway or not. Tier1 clusters cannot host other gateways or workloads. Defaults to false if not specified.

tokenTtl
string

Lifetime of the tokens. Defaults to 1hr.

trustDomain
string

Trust domain for this cluster, used for multi-cluster routing. It must be unique for every cluster and should match the one configured in the local control plane. This value is optional, and will be updated by the local control plane agents. However, it is recommended to set it, if known, so that multi-cluster routing works without having to wait for the local control planes to update it.

Responses

Request samples

Content type
application/json
{
  • "description": "string",
  • "displayName": "string",
  • "etag": "string",
  • "installTemplate": {
    },
  • "labels": {
    },
  • "locality": {
    },
  • "namespaceScope": {
    },
  • "network": "string",
  • "serviceAccount": {
    },
  • "state": {
    },
  • "tier1Cluster": true,
  • "tokenTtl": "string",
  • "trustDomain": "string"
}

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "displayName": "string",
  • "etag": "string",
  • "description": "string",
  • "tokenTtl": "string",
  • "network": "string",
  • "tier1Cluster": true,
  • "namespaces": [
    ],
  • "labels": {
    },
  • "locality": {
    },
  • "trustDomain": "string",
  • "namespaceScope": {
    },
  • "state": {
    },
  • "serviceAccount": {
    },
  • "installTemplate": {
    }
}

Unregisters a cluster from the platform. Deleting a cluster will unregister it from the management plane, and the agents will stop receiving configuration updates. Agent tokens for the cluster are revoked as well, so agents that are still running will fail to report back cluster status to the management plane. Note that unregistering the cluster is a management plane only operation. This does not uninstall the agents from the local cluster. Agents will continue running and the services that are deployed in that cluster will be able to continue operating with the last applied configuration. Unregistering a cluster from the management plane should not generate downtime to services that are running on that cluster.

path Parameters
organization
required
string

Organization name.

cluster
required
string

Cluster name.

Responses

Response samples

Content type
application/json
{ }

Generate the tokens for the cluster agents so they can talk to the management plane. Once a cluster object has been registered in the management plane, this method can be used to generate the JWT tokens that need to be configured in the local cluster agents in order to let them talk to the management plane. These tokens contain the necessary permissions to allow the agents to download the configuration for their cluster and to push cluster status updates to the management plane.

path Parameters
organization
required
string

Organization name.

cluster
required
string

Cluster name.

Responses

Response samples

Content type
application/json
{
  • "tokens": {
    }
}

Organizations

List all existing organizations. $hide_from_docs

Responses

Response samples

Content type
application/json
{
  • "organizations": [
    ]
}

Creates a new Organization in TSB. Organizations are the top-level construct in TSB and contain all the resources such as tenants, workspaces and clusters. $hide_from_docs

Request Body schema: application/json
required
name
required
string

The short name for the resource to be created.

required
object (v2Organization)

Organization is the root of the Service Bridge object hierarchy.

Responses

Request samples

Content type
application/json
{
  • "name": "string",
  • "organization": {
    }
}

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "displayName": "string",
  • "etag": "string",
  • "description": "string",
  • "deletionProtectionEnabled": true,
  • "configGenerationMetadata": {
    }
}

Get the details of an organization.

path Parameters
organization
required
string

Organization name.

Responses

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "displayName": "string",
  • "etag": "string",
  • "description": "string",
  • "deletionProtectionEnabled": true,
  • "configGenerationMetadata": {
    }
}

Modify an organization. Update operations are protected against concurrent modifications of the resource. They are required to provide the last version of the `etag` field as part of the update request payload. $hide_from_docs

path Parameters
organization
required
string

Organization name.

Request Body schema: application/json
required
object (v2ConfigGenerationMetadata)

ConfigGenerationMetadata allows to setup extra metadata that will be added in the final Istio generated configurations. Like new labels or annotations. Defining the config generation metadata in tenancy resources (like organization, tenant, workspace or groups) works as default values for those configs that belong to it. Defining same config generation metadata in configuration resources (like ingress gateways, service routes, etc.) will replace the ones defined in the tenancy resources.

deletionProtectionEnabled
boolean

When set, prevents the resource from being deleted. In order to delete the resource this property needs to be set to false first.

description
string (A description of the resource. $hide_from_yaml)
displayName
string (User friendly name for the resource. $hide_from_yaml)
etag
string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)

Responses

Request samples

Content type
application/json
{
  • "configGenerationMetadata": {
    },
  • "deletionProtectionEnabled": true,
  • "description": "string",
  • "displayName": "string",
  • "etag": "string"
}

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "displayName": "string",
  • "etag": "string",
  • "description": "string",
  • "deletionProtectionEnabled": true,
  • "configGenerationMetadata": {
    }
}

Delete an organization. Note that deleting resources in TSB is a recursive operation. Deleting an organization will delete all tenants, clusters and all configurations that exist in it. $hide_from_docs

path Parameters
organization
required
string

Organization name.

query Parameters
force
boolean

Force the deletion of the object even if deletion protection is enabled. If this is set, then the object and all its children will be deleted even if any of them has the deletion protection enabled.

Responses

Response samples

Content type
application/json
{ }

List all the settings objects that have been attached to the given Organization.

path Parameters
organization
required
string

Organization name.

Responses

Response samples

Content type
application/json
{
  • "settings": [
    ]
}

Create a settings object for the given organization.

path Parameters
organization
required
string

Organization name.

Request Body schema: application/json
required
name
required
string

The short name for the resource to be created.

required
object (v2OrganizationSetting)

Settings that apply globally to the entire organization.

Responses

Request samples

Content type
application/json
{
  • "name": "string",
  • "settings": {
    }
}

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "displayName": "string",
  • "etag": "string",
  • "description": "string",
  • "networkSettings": {
    },
  • "regionalFailover": [
    ],
  • "defaultSecuritySetting": {
    },
  • "defaultTrafficSetting": {
    },
  • "failoverSettings": {
    }
}

Get the details for the given settings object.

path Parameters
organization
required
string

Organization name.

setting
required
string

Setting name.

Responses

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "displayName": "string",
  • "etag": "string",
  • "description": "string",
  • "networkSettings": {
    },
  • "regionalFailover": [
    ],
  • "defaultSecuritySetting": {
    },
  • "defaultTrafficSetting": {
    },
  • "failoverSettings": {
    }
}

Modify the given settings in the given Organization.

path Parameters
organization
required
string

Organization name.

setting
required
string

Setting name.

Request Body schema: application/json
required
object (v2SecuritySetting)

A security setting applies configuration to a set of proxy workloads in a security group or a workspace. When applied to a security group, missing fields will inherit values from the workspace-wide setting if any.

object (v2TrafficSetting)

A traffic setting applies configuration to a set of proxy workloads in a traffic group or a workspace. When applied to a traffic group, missing fields will inherit values from the workspace-wide setting if any.

description
string (A description of the resource. $hide_from_yaml)
displayName
string (User friendly name for the resource. $hide_from_yaml)
etag
string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)
object (v2FailoverSettings)

Failover settings for all proxies connecting to a host exposed in this workspace/organization based on the settings definition scope. Note that this is a server side setting.

object (OrganizationSettingNetworkSettings)

Network related settings for clusters.

Array of objects (v2RegionalFailover)

Default locality routing settings for all gateways. Please use FailoverSettings instead. If FailoverSettings is set, it takes precedence over this field.

Explicitly specify the region traffic will land on when endpoints in local region becomes unhealthy. Should be used together with OutlierDetection to detect unhealthy endpoints. Note: if no OutlierDetection specified, this will not take effect.

Responses

Request samples

Content type
application/json
{
  • "defaultSecuritySetting": {
    },
  • "defaultTrafficSetting": {
    },
  • "description": "string",
  • "displayName": "string",
  • "etag": "string",
  • "failoverSettings": {
    },
  • "networkSettings": {
    },
  • "regionalFailover": [
    ]
}

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "displayName": "string",
  • "etag": "string",
  • "description": "string",
  • "networkSettings": {
    },
  • "regionalFailover": [
    ],
  • "defaultSecuritySetting": {
    },
  • "defaultTrafficSetting": {
    },
  • "failoverSettings": {
    }
}

Delete the given settings object from the Organization.

path Parameters
organization
required
string

Organization name.

setting
required
string

Setting name.

Responses

Response samples

Content type
application/json
{ }

SyncOrganization is used by processes that monitor the identity providers to synchronize the users and teams with the ones in TSB.

This method will update the state of users and groups in the organization and will create, modify, and delete groups according to the incoming request. Sync requests are assumed to be a full-sync and to contain all existing users and groups. Existing TSB users and groups that are not contained in a sync request will be deleted from the platform, as it will assume they have been removed from the Identity Provider.

path Parameters
organization
required
string

Organization name.

Request Body schema: application/json
required
sourceType
string (v2SourceType)
Default: "INVALID"
Enum: "INVALID" "LDAP" "LOCAL" "AZURE" "MANUAL"

SourceType describes where teams come from. Teams can be synchronized from the Identity Provider but can also be manually created using the Team API to create convenient groupings of users and other teams in order to configure fine-grained permissions in the Management Plane.

  • LDAP: LDAP is used for users and teams that are automatically synchronized from LDAP.
  • LOCAL: LOCAL is used for local teams that are manually created using the TSB Team API and do not exist in the Identity Provider. Deprecated. This value is deprecated and will be removed in future releases. Use 'MANUAL' instead.
  • AZURE: AZURE is used for users synchronized from an Azure Active Directory.
  • MANUAL: MANUAL is used for users and teams that exist in the Identity Provider that have been manually populated. MANUAL users are deprecated and Service Accounts should be used instead. Support for MANUAL users will be removed in future versions.
Array of objects (SyncOrganizationRequestSyncTeam)
Array of objects (SyncOrganizationRequestSyncUser)

Responses

Request samples

Content type
application/json
{
  • "sourceType": "INVALID",
  • "teams": [
    ],
  • "users": [
    ]
}

Response samples

Content type
application/json
{
  • "failedUsers": {
    },
  • "failedTeams": {
    }
}

Status

Given a resource fully-qualified name of a resource returns its current status.

path Parameters
organization
required
string

Organization name.

cluster
required
string

Cluster name.

Responses

Response samples

Content type
application/json
{
  • "status": "UNKNOWN",
  • "resources": [
    ]
}

Given a resource fully-qualified name of a resource returns its current status.

path Parameters
organization
required
string

Organization name.

extension
required
string

Extension name.

Responses

Response samples

Content type
application/json
{
  • "status": "UNKNOWN",
  • "resources": [
    ]
}

Given a resource fully-qualified name of a resource returns its current status.

path Parameters
organization
required
string

Organization name.

serviceaccount
required
string

Serviceaccount name.

Responses

Response samples

Content type
application/json
{
  • "status": "UNKNOWN",
  • "resources": [
    ]
}

Given a resource fully-qualified name of a resource returns its current status.

path Parameters
organization
required
string

Organization name.

service
required
string

Service name.

Responses

Response samples

Content type
application/json
{
  • "status": "UNKNOWN",
  • "resources": [
    ]
}

Given a resource fully-qualified name of a resource returns its current status.

path Parameters
organization
required
string

Organization name.

setting
required
string

Setting name.

Responses

Response samples

Content type
application/json
{
  • "status": "UNKNOWN",
  • "resources": [
    ]
}

Given a resource fully-qualified name of a resource returns its current status.

path Parameters
organization
required
string

Organization name.

Responses

Response samples

Content type
application/json
{
  • "status": "UNKNOWN",
  • "resources": [
    ]
}

Given a resource fully-qualified name of a resource returns its current status.

path Parameters
organization
required
string

Organization name.

team
required
string

Team name.

Responses

Response samples

Content type
application/json
{
  • "status": "UNKNOWN",
  • "resources": [
    ]
}

Given a resource fully-qualified name of a resource returns its current status.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

application
required
string

Application name.

api
required
string

Api name.

Responses

Response samples

Content type
application/json
{
  • "status": "UNKNOWN",
  • "resources": [
    ]
}

Given a resource fully-qualified name of a resource returns its current status.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

application
required
string

Application name.

Responses

Response samples

Content type
application/json
{
  • "status": "UNKNOWN",
  • "resources": [
    ]
}

Given a resource fully-qualified name of a resource returns its current status.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

setting
required
string

Setting name.

Responses

Response samples

Content type
application/json
{
  • "status": "UNKNOWN",
  • "resources": [
    ]
}

Given a resource fully-qualified name of a resource returns its current status.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

Responses

Response samples

Content type
application/json
{
  • "status": "UNKNOWN",
  • "resources": [
    ]
}

Given a resource fully-qualified name of a resource returns its current status.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

gatewaygroup
required
string

Gatewaygroup name.

egressgateway
required
string

Egressgateway name.

Responses

Response samples

Content type
application/json
{
  • "status": "UNKNOWN",
  • "resources": [
    ]
}

Given a resource fully-qualified name of a resource returns its current status.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

gatewaygroup
required
string

Gatewaygroup name.

ingressgateway
required
string

Ingressgateway name.

Responses

Response samples

Content type
application/json
{
  • "status": "UNKNOWN",
  • "resources": [
    ]
}

Given a resource fully-qualified name of a resource returns its current status.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

gatewaygroup
required
string

Gatewaygroup name.

Responses

Response samples

Content type
application/json
{
  • "status": "UNKNOWN",
  • "resources": [
    ]
}

Given a resource fully-qualified name of a resource returns its current status.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

gatewaygroup
required
string

Gatewaygroup name.

tie1gateway
required
string

Tie1gateway name.

Responses

Response samples

Content type
application/json
{
  • "status": "UNKNOWN",
  • "resources": [
    ]
}

Given a resource fully-qualified name of a resource returns its current status.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

istiointernalgroup
required
string

Istiointernalgroup name.

setting
required
string

Setting name.

Responses

Response samples

Content type
application/json
{
  • "status": "UNKNOWN",
  • "resources": [
    ]
}

Given a resource fully-qualified name of a resource returns its current status.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

istiointernalgroup
required
string

Istiointernalgroup name.

Responses

Response samples

Content type
application/json
{
  • "status": "UNKNOWN",
  • "resources": [
    ]
}

Given a resource fully-qualified name of a resource returns its current status.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

securitygroup
required
string

Securitygroup name.

setting
required
string

Setting name.

Responses

Response samples

Content type
application/json
{
  • "status": "UNKNOWN",
  • "resources": [
    ]
}

Given a resource fully-qualified name of a resource returns its current status.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

securitygroup
required
string

Securitygroup name.

Responses

Response samples

Content type
application/json
{
  • "status": "UNKNOWN",
  • "resources": [
    ]
}

Given a resource fully-qualified name of a resource returns its current status.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

setting
required
string

Setting name.

Responses

Response samples

Content type
application/json
{
  • "status": "UNKNOWN",
  • "resources": [
    ]
}

Given a resource fully-qualified name of a resource returns its current status.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

Responses

Response samples

Content type
application/json
{
  • "status": "UNKNOWN",
  • "resources": [
    ]
}

Given a resource fully-qualified name of a resource returns its current status.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

trafficgroup
required
string

Trafficgroup name.

serviceroute
required
string

Serviceroute name.

Responses

Response samples

Content type
application/json
{
  • "status": "UNKNOWN",
  • "resources": [
    ]
}

Given a resource fully-qualified name of a resource returns its current status.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

trafficgroup
required
string

Trafficgroup name.

setting
required
string

Setting name.

Responses

Response samples

Content type
application/json
{
  • "status": "UNKNOWN",
  • "resources": [
    ]
}

Given a resource fully-qualified name of a resource returns its current status.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

trafficgroup
required
string

Trafficgroup name.

Responses

Response samples

Content type
application/json
{
  • "status": "UNKNOWN",
  • "resources": [
    ]
}

Given a resource fully-qualified name of a resource returns its current status.

path Parameters
organization
required
string

Organization name.

user
required
string

User name.

Responses

Response samples

Content type
application/json
{
  • "status": "UNKNOWN",
  • "resources": [
    ]
}

Teams

List existing Service Accounts.

path Parameters
organization
required
string

Organization name.

query Parameters
keyEncoding
string
Default: "PEM"
Enum: "PEM" "JWK"

The format in which the key pairs for each key will be returned. If not set keys are returned in PEM format.

Responses

Response samples

Content type
application/json
{
  • "serviceAccounts": [
    ]
}

Create Service Account in TSB. Service Accounts are local to TSB and can be used to access the platform using JWT tokens signed with the Service Account's private key for authentication.

path Parameters
organization
required
string

Organization name.

Request Body schema: application/json
required
keyEncoding
string (Format in which the keys in this keypair are encoded)
Default: "PEM"
Enum: "PEM" "JWK"
name
required
string

The short name for the resource to be created.

required
object (tsbv2ServiceAccount)

ServiceAccount represents a service account that can be used to access the TSB platform. Service accounts have a set of associated public and private keys that can be used to generate signed JWT tokens that are suitable to authenticate to TSB. A default key-pair is generated on service account creation and the public key is stored in TSB. Private keys are returned when service accounts are created, but TSB will not store them. It is up to the client to store them securely.

Responses

Request samples

Content type
application/json
{
  • "keyEncoding": "PEM",
  • "name": "string",
  • "serviceAccount": {
    }
}

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "displayName": "string",
  • "etag": "string",
  • "description": "string",
  • "keys": [
    ]
}

Get the details of an existing Service Account.

path Parameters
organization
required
string

Organization name.

serviceaccount
required
string

Serviceaccount name.

query Parameters
keyEncoding
string
Default: "PEM"
Enum: "PEM" "JWK"

The format in which the key pairs will be returned. If not set keys are returned in PEM format.

Responses

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "displayName": "string",
  • "etag": "string",
  • "description": "string",
  • "keys": [
    ]
}

Update the details of a service account. Updating the details of the service account does not regenerate its keys.

path Parameters
organization
required
string

Organization name.

serviceaccount
required
string

Serviceaccount name.

Request Body schema: application/json
required
description
string

A description of the resource.

displayName
string (User friendly name for the resource. $hide_from_yaml)
etag
string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)

Responses

Request samples

Content type
application/json
{
  • "description": "string",
  • "displayName": "string",
  • "etag": "string"
}

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "displayName": "string",
  • "etag": "string",
  • "description": "string",
  • "keys": [
    ]
}

Delete the given Service account.

path Parameters
organization
required
string

Organization name.

serviceaccount
required
string

Serviceaccount name.

Responses

Response samples

Content type
application/json
{ }

Get all the public keys available in the service account and return them in a JWKS document. See: https://datatracker.ietf.org/doc/html/rfc7517 Requests to this endpoint require read permissions on the service account, or a token signed with one of the service account keys.

path Parameters
organization
required
string

Organization name.

serviceaccount
required
string

Serviceaccount name.

Responses

Response samples

Content type
application/json
{
  • "keys": [
    ]
}

Generate a new key-pair for the service account. Note that TSB does not store the generated private key, so the client must read it and store it securely.

path Parameters
organization
required
string

Organization name.

serviceaccount
required
string

Serviceaccount name.

Request Body schema: application/json
required
keyEncoding
string (Format in which the keys in this keypair are encoded)
Default: "PEM"
Enum: "PEM" "JWK"

Responses

Request samples

Content type
application/json
{
  • "keyEncoding": "PEM"
}

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "displayName": "string",
  • "etag": "string",
  • "description": "string",
  • "keys": [
    ]
}

Delete a key-pair associated the service account.

path Parameters
id
required
string

ID of the key-pair to delete.

organization
required
string

Organization name.

serviceaccount
required
string

Serviceaccount name.

Responses

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "displayName": "string",
  • "etag": "string",
  • "description": "string",
  • "keys": [
    ]
}

List all existing teams.

path Parameters
organization
required
string

Organization name.

Responses

Response samples

Content type
application/json
{
  • "teams": [
    ]
}

Create a new team.

path Parameters
organization
required
string

Organization name.

Request Body schema: application/json
required
name
required
string

The short name for the resource to be created.

required
object (v2Team)

Team is a named collection of users under a tenant.

Responses

Request samples

Content type
application/json
{
  • "name": "string",
  • "team": {
    }
}

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "displayName": "string",
  • "etag": "string",
  • "description": "string",
  • "members": [
    ],
  • "sourceType": "INVALID"
}

Get the details of an existing team.

path Parameters
organization
required
string

Organization name.

team
required
string

Team name.

Responses

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "displayName": "string",
  • "etag": "string",
  • "description": "string",
  • "members": [
    ],
  • "sourceType": "INVALID"
}

Modify an existing team.

path Parameters
organization
required
string

Organization name.

team
required
string

Team name.

Request Body schema: application/json
required
description
string (A description of the resource. $hide_from_yaml)
displayName
string (User friendly name for the resource. $hide_from_yaml)
etag
string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)
members
Array of strings

List of members under the team. The elements of this list are the FQNs of the team members. Team members can be users, service accounts or other teams.

sourceType
string (v2SourceType)
Default: "INVALID"
Enum: "INVALID" "LDAP" "LOCAL" "AZURE" "MANUAL"

SourceType describes where teams come from. Teams can be synchronized from the Identity Provider but can also be manually created using the Team API to create convenient groupings of users and other teams in order to configure fine-grained permissions in the Management Plane.

  • LDAP: LDAP is used for users and teams that are automatically synchronized from LDAP.
  • LOCAL: LOCAL is used for local teams that are manually created using the TSB Team API and do not exist in the Identity Provider. Deprecated. This value is deprecated and will be removed in future releases. Use 'MANUAL' instead.
  • AZURE: AZURE is used for users synchronized from an Azure Active Directory.
  • MANUAL: MANUAL is used for users and teams that exist in the Identity Provider that have been manually populated. MANUAL users are deprecated and Service Accounts should be used instead. Support for MANUAL users will be removed in future versions.

Responses

Request samples

Content type
application/json
{
  • "description": "string",
  • "displayName": "string",
  • "etag": "string",
  • "members": [
    ],
  • "sourceType": "INVALID"
}

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "displayName": "string",
  • "etag": "string",
  • "description": "string",
  • "members": [
    ],
  • "sourceType": "INVALID"
}

Delete a team. Note that deleting a team only deletes the team itself, but not its members.

path Parameters
organization
required
string

Organization name.

team
required
string

Team name.

Responses

Response samples

Content type
application/json
{ }

List existing users.

path Parameters
organization
required
string

Organization name.

Responses

Response samples

Content type
application/json
{
  • "users": [
    ]
}

Deprecated. This method will be removed in future versions of TSB. Use Service Accounts instead.

Create a local User in TSB. Local users are like sercice accounts and are mostly used for internal purposes where an authentication token can be issued by the IAM service to be used on behalf of the user.

Note that local users do not exist in the Identity Provider and the normal login process will not allow them to access TSB.

$hide_from_docs

path Parameters
organization
required
string

Organization name.

Request Body schema: application/json
required
name
required
string

The short name for the resource to be created.

required
object (v2User)

User represents a user from the Identity Provider that is allowed to log into the platform.

Responses

Request samples

Content type
application/json
{
  • "name": "string",
  • "user": {
    }
}

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "displayName": "string",
  • "etag": "string",
  • "loginName": "string",
  • "firstName": "string",
  • "lastName": "string",
  • "email": "string",
  • "sourceType": "INVALID"
}

Get the details of an existing user.

path Parameters
organization
required
string

Organization name.

user
required
string

User name.

Responses

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "displayName": "string",
  • "etag": "string",
  • "loginName": "string",
  • "firstName": "string",
  • "lastName": "string",
  • "email": "string",
  • "sourceType": "INVALID"
}

Deprecated. This method will be removed in future versions of TSB. Use Service Accounts instead.

Modify an existin user.

This operation is expected to be used only for LOCAL users. Users are periodically synchronized from the Identity Provider, and the process may automatically set some properties of the User resource. Modifications made using the TSB APIs may be replaced by the data from the Identity Provider on every synchronization.

$hide_from_docs

path Parameters
organization
required
string

Organization name.

user
required
string

User name.

Request Body schema: application/json
required
displayName
string (User friendly name for the resource. $hide_from_yaml)
email
string

Email for the user where alerts and other notifications will be sent.

etag
string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)
firstName
string

The first name of the user.

lastName
string

The last name of the user, if any.

loginName
required
string

The username used in the login credentials.

sourceType
string (v2SourceType)
Default: "INVALID"
Enum: "INVALID" "LDAP" "LOCAL" "AZURE" "MANUAL"

SourceType describes where teams come from. Teams can be synchronized from the Identity Provider but can also be manually created using the Team API to create convenient groupings of users and other teams in order to configure fine-grained permissions in the Management Plane.

  • LDAP: LDAP is used for users and teams that are automatically synchronized from LDAP.
  • LOCAL: LOCAL is used for local teams that are manually created using the TSB Team API and do not exist in the Identity Provider. Deprecated. This value is deprecated and will be removed in future releases. Use 'MANUAL' instead.
  • AZURE: AZURE is used for users synchronized from an Azure Active Directory.
  • MANUAL: MANUAL is used for users and teams that exist in the Identity Provider that have been manually populated. MANUAL users are deprecated and Service Accounts should be used instead. Support for MANUAL users will be removed in future versions.

Responses

Request samples

Content type
application/json
{
  • "displayName": "string",
  • "email": "string",
  • "etag": "string",
  • "firstName": "string",
  • "lastName": "string",
  • "loginName": "string",
  • "sourceType": "INVALID"
}

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "displayName": "string",
  • "etag": "string",
  • "loginName": "string",
  • "firstName": "string",
  • "lastName": "string",
  • "email": "string",
  • "sourceType": "INVALID"
}

Deprecated. This method will be removed in future versions of TSB. Use Service Accounts instead.

Delete an existing user. This operation is expected to be used only for LOCAL users. Users are periodically synchronized from the Identity Provider, so deleting a user that is not a local one may be reverted if the change is not done accordingly in the Identity Provider.

$hide_from_docs

path Parameters
organization
required
string

Organization name.

user
required
string

User name.

Responses

Response samples

Content type
application/json
{ }

Deprecated. This method will be removed in future versions of TSB. Use Service Accounts instead.

Generate the tokens for a local user account so it can authenticate against management plane. This method will return an error if the user account is not of type MANUAL. Credentials for normal platform users must be configured in the corresponding Identity Provider.

path Parameters
organization
required
string

Organization name.

user
required
string

User name.

Responses

Response samples

Content type
application/json
{
  • "accessToken": "string",
  • "refreshToken": "string"
}

Tenants

List all tenants that are available.

path Parameters
organization
required
string

Organization name.

Responses

Response samples

Content type
application/json
{
  • "tenants": [
    ]
}

Create a new tenant in the platform that will be the home for a set of resources.

path Parameters
organization
required
string

Organization name.

Request Body schema: application/json
required
name
required
string

The short name for the resource to be created.

required
object (v2Tenant)

Tenant is a self-contained entity within an organization in the Service Bridge hierarchy.

Responses

Request samples

Content type
application/json
{
  • "name": "string",
  • "tenant": {
    }
}

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "displayName": "string",
  • "etag": "string",
  • "description": "string",
  • "securityDomain": "string",
  • "deletionProtectionEnabled": true,
  • "configGenerationMetadata": {
    }
}

Get the details of an existing tenant.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

Responses

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "displayName": "string",
  • "etag": "string",
  • "description": "string",
  • "securityDomain": "string",
  • "deletionProtectionEnabled": true,
  • "configGenerationMetadata": {
    }
}

Modify the details of the given tenant.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

Request Body schema: application/json
required
object (v2ConfigGenerationMetadata)

ConfigGenerationMetadata allows to setup extra metadata that will be added in the final Istio generated configurations. Like new labels or annotations. Defining the config generation metadata in tenancy resources (like organization, tenant, workspace or groups) works as default values for those configs that belong to it. Defining same config generation metadata in configuration resources (like ingress gateways, service routes, etc.) will replace the ones defined in the tenancy resources.

deletionProtectionEnabled
boolean

When set, prevents the resource from being deleted. In order to delete the resource this property needs to be set to false first.

description
string (A description of the resource. $hide_from_yaml)
displayName
string (User friendly name for the resource. $hide_from_yaml)
etag
string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)
securityDomain
string

Security domains can be used to group different resources under the same security domain. Although security domain is not resource itself currently, it follows a fqn format organizations/myorg/securitydomains/mysecuritydomain, and a child cannot override any ancestor's security domain. Once a security domain is assigned to a Tenant, all the children resources will belong to that security domain in the same way a Workspace belongs to a Tenant, a Workspace will also belong to the security domain assigned to the Tenant. Security domains can also be used to define Security settings Authorization rules in which you can allow or deny request from or to a security domain.

Responses

Request samples

Content type
application/json
{
  • "configGenerationMetadata": {
    },
  • "deletionProtectionEnabled": true,
  • "description": "string",
  • "displayName": "string",
  • "etag": "string",
  • "securityDomain": "string"
}

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "displayName": "string",
  • "etag": "string",
  • "description": "string",
  • "securityDomain": "string",
  • "deletionProtectionEnabled": true,
  • "configGenerationMetadata": {
    }
}

Delete a tenant from the platform. Deleting a tenant will recursively delete all resources attached to the tenant, so use with caution. It will delete all workspaces and all settings that have been created in that tenant, so this operation should be done carefully, when it's safe to do so.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

query Parameters
force
boolean

Force the deletion of the object even if deletion protection is enabled. If this is set, then the object and all its children will be deleted even if any of them has the deletion protection enabled.

Responses

Response samples

Content type
application/json
{ }

List all the WASM extensions that have been attached to the given tenant.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

Responses

Response samples

Content type
application/json
{
  • "extensions": [
    ]
}

List all the settings objects that have made available to the given tenant.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

Responses

Response samples

Content type
application/json
{
  • "settings": [
    ]
}

Create a settings object for the given tenant.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

Request Body schema: application/json
required
name
required
string

The short name for the resource to be created.

required
object (v2TenantSetting)

Default settings that apply to all workspaces under a tenant.

Responses

Request samples

Content type
application/json
{
  • "name": "string",
  • "setting": {
    }
}

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "displayName": "string",
  • "etag": "string",
  • "description": "string",
  • "defaultSecuritySetting": {
    },
  • "defaultTrafficSetting": {
    }
}

Get the details for the given settings object.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

setting
required
string

Setting name.

Responses

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "displayName": "string",
  • "etag": "string",
  • "description": "string",
  • "defaultSecuritySetting": {
    },
  • "defaultTrafficSetting": {
    }
}

Modify the given settings in the given tenant.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

setting
required
string

Setting name.

Request Body schema: application/json
required
object (v2SecuritySetting)

A security setting applies configuration to a set of proxy workloads in a security group or a workspace. When applied to a security group, missing fields will inherit values from the workspace-wide setting if any.

object (v2TrafficSetting)

A traffic setting applies configuration to a set of proxy workloads in a traffic group or a workspace. When applied to a traffic group, missing fields will inherit values from the workspace-wide setting if any.

description
string (A description of the resource. $hide_from_yaml)
displayName
string (User friendly name for the resource. $hide_from_yaml)
etag
string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)

Responses

Request samples

Content type
application/json
{
  • "defaultSecuritySetting": {
    },
  • "defaultTrafficSetting": {
    },
  • "description": "string",
  • "displayName": "string",
  • "etag": "string"
}

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "displayName": "string",
  • "etag": "string",
  • "description": "string",
  • "defaultSecuritySetting": {
    },
  • "defaultTrafficSetting": {
    }
}

Delete the given settings object from the tenant.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

setting
required
string

Setting name.

Responses

Response samples

Content type
application/json
{ }

Workspaces

List all existing workspaces for the given tenant.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

Responses

Response samples

Content type
application/json
{
  • "workspaces": [
    ]
}

Create a new workspace. The workspace will own exclusively the namespaces configured in the namespaces selector for the workspace.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

Request Body schema: application/json
required
name
required
string

The short name for the resource to be created.

required
object (v2Workspace)

A Workspace is a collection of related namespaces in one or more clusters.

Responses

Request samples

Content type
application/json
{
  • "name": "string",
  • "workspace": {
    }
}

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "displayName": "string",
  • "etag": "string",
  • "description": "string",
  • "namespaceSelector": {
    },
  • "privileged": true,
  • "isolationBoundary": "string",
  • "securityDomain": "string",
  • "deletionProtectionEnabled": true,
  • "configGenerationMetadata": {
    }
}

Get the details of an existing workspace

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

Responses

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "displayName": "string",
  • "etag": "string",
  • "description": "string",
  • "namespaceSelector": {
    },
  • "privileged": true,
  • "isolationBoundary": "string",
  • "securityDomain": "string",
  • "deletionProtectionEnabled": true,
  • "configGenerationMetadata": {
    }
}

Modify an existing workspace

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

Request Body schema: application/json
required
object (v2ConfigGenerationMetadata)

ConfigGenerationMetadata allows to setup extra metadata that will be added in the final Istio generated configurations. Like new labels or annotations. Defining the config generation metadata in tenancy resources (like organization, tenant, workspace or groups) works as default values for those configs that belong to it. Defining same config generation metadata in configuration resources (like ingress gateways, service routes, etc.) will replace the ones defined in the tenancy resources.

deletionProtectionEnabled
boolean

When set, prevents the resource from being deleted. In order to delete the resource this property needs to be set to false first.

description
string (A description of the resource. $hide_from_yaml)
displayName
string (User friendly name for the resource. $hide_from_yaml)
etag
string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)
isolationBoundary
string

Istio Isolation Boundary name to which this workspace belongs. If not provided explicitly, the workspace looks for an isolation boundary with name set as "global". Therefore, in order to move existing workspaces to isolation boundaries, and be a part of revisioned control plane, it is recommended to configure an isolation boundary with the name "global".

required
object (`NamespaceSelector` selects a set of namespaces across one or more clusters in a tenant. Namespace selectors can be used at Workspace level to carve out a chunk of resources under a tenant into an isolated configuration domain. They can be used in a Traffic, Security, or a Gateway group to further scope the set of namespaces that will belong to a specific configuration group. Names in namespaces selector must be in the form `cluster/namespace` where: - cluster must be a cluster name or an `*` to mean all clusters - namespace must be a namespace name, an `*` to mean all namespaces or a prefix like `ns-*` to mean all those namespaces starting by `ns-`)
privileged
boolean

If set to true, allows Gateways in the workspace to route to services in other workspaces. Set this to true for workspaces owning cluster-wide gateways shared by multiple teams.

securityDomain
string

Security domains can be used to group different resources under the same security domain. Although security domain is not resource itself currently, it follows a fqn format organizations/myorg/securitydomains/mysecuritydomain, and a child cannot override any ancestor's security domain. Once a security domain is assigned to a Workspace, all the children resources will belong to that security domain in the same way a Security group belongs to a Workspace, a Security group will also belong to the security domain assigned to the Workspace. Security domains can also be used to define Security settings Authorization rules in which you can allow or deny request from or to a security domain.

Responses

Request samples

Content type
application/json
{
  • "configGenerationMetadata": {
    },
  • "deletionProtectionEnabled": true,
  • "description": "string",
  • "displayName": "string",
  • "etag": "string",
  • "isolationBoundary": "string",
  • "namespaceSelector": {
    },
  • "privileged": true,
  • "securityDomain": "string"
}

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "displayName": "string",
  • "etag": "string",
  • "description": "string",
  • "namespaceSelector": {
    },
  • "privileged": true,
  • "isolationBoundary": "string",
  • "securityDomain": "string",
  • "deletionProtectionEnabled": true,
  • "configGenerationMetadata": {
    }
}

Delete an existing workspace. Note that deleting resources in TSB is a recursive operation. Deleting a workspace will delete all groups and configuration objects that exist in it.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

query Parameters
force
boolean

Force the deletion of the object even if deletion protection is enabled. If this is set, then the object and all its children will be deleted even if any of them has the deletion protection enabled.

Responses

Response samples

Content type
application/json
{ }

List all settings available for the given workspace.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

Responses

Response samples

Content type
application/json
{
  • "settings": [
    ]
}

Create default settings for a workspace. Default settings will apply to the services owned by the workspace, unless more specific settings are provided at the group level.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

Request Body schema: application/json
required
name
required
string

The short name for the resource to be created.

required
object (v2WorkspaceSetting)

Default security and traffic settings for all proxy workloads in the workspace.

Responses

Request samples

Content type
application/json
{
  • "name": "string",
  • "settings": {
    }
}

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "displayName": "string",
  • "etag": "string",
  • "description": "string",
  • "defaultSecuritySetting": {
    },
  • "defaultTrafficSetting": {
    },
  • "regionalFailover": [
    ],
  • "defaultEastWestGatewaySettings": [
    ],
  • "hostsReachability": {
    },
  • "failoverSettings": {
    }
}

Get the details of a settings object for the given workspace.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

setting
required
string

Setting name.

Responses

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "displayName": "string",
  • "etag": "string",
  • "description": "string",
  • "defaultSecuritySetting": {
    },
  • "defaultTrafficSetting": {
    },
  • "regionalFailover": [
    ],
  • "defaultEastWestGatewaySettings": [
    ],
  • "hostsReachability": {
    },
  • "failoverSettings": {
    }
}

Modify the given workspace settings.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

setting
required
string

Setting name.

Request Body schema: application/json
required
Array of objects (v2EastWestGateway)

Default east west gateway settings specifies workspace-wide east-west gateway configuration. This is used to configure east-west routing (required for fail-over) for the services that are not exposed on the gateways. All the services matching the specified criteria is picked up for exposing on the east-west gateway workload selected by the workload selector. In case, a service matches selectors in multiple items, the one which comes first is picked up.

object (v2SecuritySetting)

A security setting applies configuration to a set of proxy workloads in a security group or a workspace. When applied to a security group, missing fields will inherit values from the workspace-wide setting if any.

object (v2TrafficSetting)

A traffic setting applies configuration to a set of proxy workloads in a traffic group or a workspace. When applied to a traffic group, missing fields will inherit values from the workspace-wide setting if any.

description
string (A description of the resource. $hide_from_yaml)
displayName
string (User friendly name for the resource. $hide_from_yaml)
etag
string (The etag for the resource. This field is automatically computed and must be sent on every update to the resource to prevent concurrent modifications. $hide_from_yaml)
object (v2FailoverSettings)

Failover settings for all proxies connecting to a host exposed in this workspace/organization based on the settings definition scope. Note that this is a server side setting.

object (v2HostsReachability)

HostsReachability defines the list of gateway hosts that this workspace can reach. In multicluster deployments, hosts are reachable to all namespaces(*) by default. However, this may not always be necessary, as clients may only be present in a few namespaces. By configuring this, a list of namespaces can be limited to the namespaces configured in the workspace. Workspaces with no hosts reachability configuration are considered to have reachable to all hosts.

Array of objects (v2RegionalFailover)

Locality routing settings for all gateways in the workspace. Overrides any global settings. Please use FailoverSettings instead. If FailoverSettings is set, it takes precedence over this field.

Explicitly specify the region traffic will land on when endpoints in local region becomes unhealthy. Should be used together with OutlierDetection to detect unhealthy endpoints. Note: if no OutlierDetection specified, this will not take effect.

Responses

Request samples

Content type
application/json
{
  • "defaultEastWestGatewaySettings": [
    ],
  • "defaultSecuritySetting": {
    },
  • "defaultTrafficSetting": {
    },
  • "description": "string",
  • "displayName": "string",
  • "etag": "string",
  • "failoverSettings": {
    },
  • "hostsReachability": {
    },
  • "regionalFailover": [
    ]
}

Response samples

Content type
application/json
{
  • "fqn": "string",
  • "displayName": "string",
  • "etag": "string",
  • "description": "string",
  • "defaultSecuritySetting": {
    },
  • "defaultTrafficSetting": {
    },
  • "regionalFailover": [
    ],
  • "defaultEastWestGatewaySettings": [
    ],
  • "hostsReachability": {
    },
  • "failoverSettings": {
    }
}

Delete the given workspace settings.

path Parameters
organization
required
string

Organization name.

tenant
required
string

Tenant name.

workspace
required
string

Workspace name.

setting
required
string

Setting name.

Responses

Response samples

Content type
application/json
{ }