Security Setting

SecuritySetting allows configuring security related properties such as TLS authentication and access control for traffic arriving at a proxy workload in a security group.

The following example creates a security group for the proxy workloads in ns1, ns2 and ns3 namespaces owned by its parent workspace w1 under tenant mycompany and defines a security setting that only allows mutual TLS authenticated traffic from other proxy workloads in the same group.

apiVersion: security.tsb.tetrate.io/v2
kind: Group
metadata:
  name: t1
  workspace: w1
  tenant: mycompany
  organization: myorg
spec:
  namespaceSelector:
    names:
    - "*/ns1"
    - "*/ns2"
    - "*/ns3"
  configMode: BRIDGED

And the associated security settings for all proxy workloads in the group

apiVersion: security.tsb.tetrate.io/v2
kind: SecuritySetting
metadata:
  name: defaults
  group: t1
  workspace: w1
  tenant: mycompany
  organization: myorg
spec:
  authenticationSettings:
    trafficMode: REQUIRED
  authorization:
    mode: GROUP

The following example customizes the allowedSources to allow traffic from the namespaces within the group as well as the catalog-sa service account from ns4 namespace.

apiVersion: security.tsb.tetrate.io/v2
kind: SecuritySetting
metadata:
  name: custom
  group: t1
  workspace: w1
  tenant: mycompany
  organization: myorg
spec:
  authenticationSettings:
    trafficMode: REQUIRED
    http:
      jwt:
        issuer: "https://auth.tetrate.io"
        jwksUri: "https://oauth2.auth.tetrate.io/certs"
  authorization:
    mode: CUSTOM
    serviceAccounts:
    - "ns1/*"
    - "ns2/*"
    - "ns3/*"
    - "ns4/catalog-sa"
    http:
      external:
        uri: "https://policy.auth.tetrate.io"
        includeRequestHeaders:
        - authorization

The following example customizes the WafSettings to enforce embedded web application firewall rules on sidecars in namespaces reside in SecurityGroup. NOTICE: WafSettings is an experimental feature on alpha stage it ONLY support embedded core rule set (embedded_crs) in the ruleSets field. Please DO NOT use it in production.

apiVersion: security.tsb.tetrate.io/v2
kind: SecuritySetting
metadata:
  name: defaults
  group: t1
  workspace: w1
  tenant: mycompany
  organization: myorg
spec:
  wafSettings:
    ruleSets:
    - embedded_crs
    ruleEngineMode: ON

AuthenticationSettings

AuthenticationSettings represents configuration related to authenticating traffic within the mesh and end-user credentials if present. It is HIGHLY RECOMMENDED to enable mutual TLS when end-user credentials are present. Sending credentials like JWT over plaintext is a security risk.

Field	Description	Validation Rule
trafficMode	tetrateio.api.tsb.security.v2.SecuritySetting.AuthenticationMode Traffic authentication mode is used to specify if mTLS or plaintext traffic is accepted	–
http	tetrateio.api.tsb.auth.v2.Authentication HTTP request authentication is used to configure authentication of origin/end-user credentials like JSON Web Token (JWT). It is highly recommended to set traffic authentication mode to REQUIRED so that it is transported only over mutual TLS	–

AuthorizationSettings

AuthorizationSettings define the set of service accounts in one or more namespaces allowed to access a workload (and hence its sidecar) in the mesh.

Field	Description	Validation Rule
mode	tetrateio.api.tsb.security.v2.AuthorizationSettings.Mode A short cut for specifying the set of allowed callers.	–
serviceAccounts	List of string When the mode is CUSTOM, serviceAccounts specify the allowed set of service accounts (and the workloads using them). Must be in the <namespace>/<service-account-name> format. - ./* indicates all service accounts in the namespace where the sidecar resides. - ns1/* indicates all service accounts in the ns1 namespace. - ns1/svc1-sa indicates svc1-sa service account in ns1 namespace.	repeated = {   items: {string:{min_len:1}} }
http	tetrateio.api.tsb.auth.v2.Authorization This is for configuring HTTP request authorization. Currently, we only support authorizing through an external backend/policy engine like OPA. Inline authorization rules for JWT are not yet supported for sidecars.	–

Mode

A short cut for defining the common authorization patterns

Name	Number	Description
UNSET	0	Inherit from parent if possible. Otherwise treated as DISABLED.
NAMESPACE	1	The workload allows traffic from any other authenticated workload in its own namespace.
GROUP	2	The workload allows traffic from any other authenticated workload in the security group.
WORKSPACE	3	The workload allows traffic from any other authenticated workload in the workspace.
CLUSTER	4	The workload allows traffic from any other authenticated workload in the cluster.
DISABLED	5	Authorization is disabled.
CUSTOM	6	The workload allows traffic from service accounts defined explicitly.

SecuritySetting

A security setting applies configuration to a set of proxy workloads in a security group or a workspace. When applied to a security group, missing fields will inherit values from the workspace-wide setting if any.

Field	Description	Validation Rule
authentication	tetrateio.api.tsb.security.v2.SecuritySetting.AuthenticationMode DEPRECATED: Specifies whether the proxy workloads should accept only mutual TLS authenticated traffic or allow legacy plaintext traffic as well. This field is deprecated in favor of authentication_settings and will be removed in the future release	–
authorization	tetrateio.api.tsb.security.v2.AuthorizationSettings The set of service accounts in one or more namespaces allowed to access a workload (and hence its sidecar) in the mesh.	–
authenticationSettings	tetrateio.api.tsb.security.v2.AuthenticationSettings Authentication settings is used to set workload-to-workload traffic and end-user/origin authentication configuration.	–
wafSettings	tetrateio.api.tsb.security.v2.WafSettings NOTICE: this feature is in alpha stage and under active development. it would encounter breaking changes in further release and should not be adopted in production WAF settings is used to set firewall rules.	–

AuthenticationMode

AuthenticationMode indicates whether to accept only Istio mutual TLS authenticated traffic or allow legacy plaintext traffic as well.

Name	Number	Description
UNSET	0	Inherit from parent, if has one. Otherwise treated as OPTIONAL.
OPTIONAL	1	Accept both plaintext and mTLS authenticated connections.
REQUIRED	2	Accept only mutual TLS authenticated connections.

WafSettings

WafSettings configure WAF with ModSecurity engine (alpha stage)

Field	Description	Validation Rule
ruleSets	List of string Rulesets to enable. Currently, supported rule set is only embedded_crs (embedded core rule set). Other name will return error	repeated = {   items: {string:{in:[embedded_crs]}} }
ruleEngineMode	tetrateio.api.tsb.security.v2.WafSettings.SecRuleEngine Ad-hoc settings to switch ModSecurity engine mode. This ruleEngineMode setting inserts SecRuleEngine directive at the beginning of the applied ruleSets. Note that this settings may be overridden by the ruleSets if the ruleSets contain SecRuleEngine directive.	–

SecRuleEngine

Name	Number	Description
OFF	0	ModSecurity is disabled
ON	1	ModSecurity is enabeld
DETECTION_ONLY	2	ModSecurity processes rules, writes logs, but does no disruptive actions. (block, redirect)