Skip to main content
Version: 0.9.x

Workspace Setting

Workspace Setting allows configuring the default traffic and security settings for all the workloads in the namespaces owned by the workspace. Any namespace in the workspace that is not part of a traffic or security group will use these default settings.

The following example sets the default security policy to accept either mutual TLS or plaintext traffic, and only accept connections at a sidecar from services within the same namespace. The default traffic policy allows unknown traffic from a sidecar to be forwarded via an egress gateway tsb-egress in the perimeter namespace in the same cluster.

apiVersion: api.tsb.tetrate.io/v2
kind: WorkspaceSetting
metadata:
name: w1-settings
workspace: w1
tenant: mycompany
organization: myorg
spec:
defaultSecuritySetting:
authentication: OPTIONAL
defaultTrafficSetting:
egressGateway: bookinfo-perimeter/tsb-egress

WorkspaceSetting

Default security and traffic settings for all sidecars in the workspace.

FieldDescriptionValidation Rule

defaultSecuritySetting

tetrateio.api.tsb.security.v2.SecuritySetting
Security settings for all sidecars in this workspace. Sidecars without a specific security group will inherit these settings. If omitted, the following semantics apply:

1. Sidecars will accept connections from clients using Istio Mutual TLS as well as legacy clients using plaintext (i.e. any traffic not using Istio Mutual TLS authentication), i.e. authentication mode defaults to OPTIONAL.

2. No authorization will be performed, i.e., authorization mode defaults to DISABLED.

defaultTrafficSetting

tetrateio.api.tsb.traffic.v2.TrafficSetting
Traffic settings for all sidecars in this workspace. Sidecars without a specific traffic group will inherit these settings. If omitted, the following semantics apply:

1. Sidecars will be able to reach any service in the cluster, i.e. reachability mode defaults to CLUSTER.

2. Traffic to unknown destinations will be directly routed from the sidecar to the destination.