Security Setting

SecuritySetting allows configuring security related properties such as TLS authentication and access control for traffic arriving at a sidecar in a security group.

The following example creates a security group for the sidecars in ns1, ns2 and ns3 namespaces owned by its parent workspace w1 under tenant mycompany and defines a security setting that only allows mutual TLS authenticated traffic from other sidecars in the same group.

apiVersion: security.tsb.tetrate.io/v2
kind: Group
metadata:
  name: t1
  workspace: w1
  tenant: mycompany
  organization: myorg
spec:
  namespaceSelector:
    names:
    - "*/ns1"
    - "*/ns2"
    - "*/ns3"
  configMode: BRIDGED

And the associated security settings for all sidecars in the group

apiVersion: security.tsb.tetrate.io/v2
kind: SecuritySetting
metadata:
  name: defaults
  group: t1
  workspace: w1
  tenant: mycompany
  organization: myorg
spec:
  authentication: REQUIRED
  authorization:
    mode: GROUP

The following example customizes the allowedSources to allow traffic from the namespaces within the group as well as the catalog-sa service account from ns4 namespace.

apiVersion: security.tsb.tetrate.io/v2
kind: SecuritySetting
metadata:
  name: custom
  group: t1
  workspace: w1
  tenant: mycompany
  organization: myorg
spec:
  authentication: REQUIRED
  authorization:
    mode: CUSTOM
    serviceAccounts:
    - "ns1/*"
    - "ns2/*"
    - "ns3/*"
    - "ns4/catalog-sa"

AuthorizationSettings

AuthorizationSettings define the set of service accounts in one or more namespaces allowed to access a workload (and hence its sidecar) in the mesh.

Field	Description	Validation Rule
mode	tetrateio.api.tsb.security.v2.AuthorizationSettings.Mode A short cut for specifying the set of allowed callers.	–
serviceAccounts	List of string When the mode is CUSTOM, serviceAccounts specify the allowed set of service accounts (and the workloads using them). Must be in the <namespace>/<service-account-name> format. - ./* indicates all service accounts in the namespace where the sidecar resides. - ns1/* indicates all service accounts in the ns1 namespace. - ns1/svc1-sa indicates svc1-sa service account in ns1 namespace.	repeated = {   items: {string:{min_len:1}} }

Mode

A short cut for defining the common authorization patterns

Name	Number	Description
UNSET	0	Inherit from parent if possible. Otherwise treated as DISABLED.
NAMESPACE	1	The workload allows traffic from any other authenticated workload in its own namespace.
GROUP	2	The workload allows traffic from any other authenticated workload in the security group.
WORKSPACE	3	The workload allows traffic from any other authenticated workload in the workspace.
CLUSTER	4	The workload allows traffic from any other authenticated workload in the cluster.
DISABLED	5	Authorization is disabled.
CUSTOM	6	The workload allows traffic from service accounts defined explicitly.

SecuritySetting

A security setting applies configuration to a set of sidecars in a security group or a workspace. When applied to a security group, missing fields will inherit values from the workspace-wide setting if any.

Field	Description	Validation Rule
authentication	tetrateio.api.tsb.security.v2.SecuritySetting.AuthenticationMode Specifies whether the sidecars should accept only mutual TLS authenticated traffic or allow legacy plaintext traffic as well.	–
authorization	tetrateio.api.tsb.security.v2.AuthorizationSettings The set of service accounts in one or more namespaces allowed to access a workload (and hence its sidecar) in the mesh.	–

AuthenticationMode

AuthenticationMode indicates whether to accept only Istio mutual TLS authenticated traffic or allow legacy plaintext traffic as well.

Name	Number	Description
UNSET	0	Inherit from parent, if has one. Otherwise treated as OPTIONAL.
OPTIONAL	1	Accept both plaintext and mTLS authenticated connections.
REQUIRED	2	Accept only mutual TLS authenticated connections.