Skip to main content
Version: 1.5.x

Common Object Types

ConfigMode

The configuration mode used by a traffic, security or a gateway group.

NameNumberDescription

BRIDGED

0

Indicates that the configurations to be added to the group will use macro APIs that automatically generate Istio APIs under the hood.

DIRECT

1

Indicates that the configurations to be added to the group will directly use Istio APIs.

CreateIstioObjectRequest

Request to create an Istio Object

FieldDescriptionValidation Rule

parent

string
REQUIRED
Parent resource where the Istio Object will be created.

string = {
  min_len: 1
}

name

string
REQUIRED
The short name for the Istio Object to be created.

string = {
  min_len: 1
}

object

tetrateio.api.tsb.types.v2.IstioObject
REQUIRED
Details of the Istio Object to be created.

message = {
  required: true
}

DeleteIstioObjectRequest

Request to delete a Istio Object.

FieldDescriptionValidation Rule

fqn

string
REQUIRED
Fully-qualified name of the IstIo Object.

string = {
  min_len: 1
}

GetIstioObjectRequest

Request to retrieve a Istio Object.

FieldDescriptionValidation Rule

fqn

string
REQUIRED
Fully-qualified name of the Istio Object.

string = {
  min_len: 1
}

IstioObject

Wrapper for Istio direct mode objects with all the details needed to add it to the TSB resource hierarchy.

FieldDescriptionValidation Rule

metadata

tetrateio.api.tsb.types.v2.IstioObject.ConfigMeta
Metadata for the Istio object

spec

google.protobuf.Any
The Istio API object

ConfigMeta

FieldDescriptionValidation Rule

apiVersion

string
REQUIRED
networking.istio.io/v1beta1, security.istio.io/v1beta1, etc.

string = {
  min_len: 1
}

kind

string
REQUIRED
VirtualService, Gateway, DestinationRule, Sidecar, etc.

string = {
  min_len: 1
}

name

string
Short name associated with the object. The object name must be unique within the kind and the parent. For example, all workspaces under a tenant should have a unique name. Traffic groups under a workspace should have a unique name, while names are not required to be unique across traffic groups in different workspaces.

namespace

string
Namespace where the Istio object applies.

labels

map<string, string>
User specified labels to attach to the object.

annotations

map<string, string>
Istio artifacts must contain 4 annotations: tsb.tetrate.io/organization, tsb.tetrate.io/tenant, tsb.tetrate.io/workspace, and one of tsb.tetrate.io/trafficGroup, tsb.tetrate.io/securityGroup, tsb.tetrate.io/gatewayGroup or tsb.tetrate.io/istioInternalGroup

IstioObjectSpec

Contains the raw type of an Istio object. This is used to generate the documentation examples when showing the serialized form of Istio direct mode resources.

FieldDescriptionValidation Rule

type

string

ListIstioObjectsRequest

Request to list Istio Object.

FieldDescriptionValidation Rule

parent

string
REQUIRED
Parent resource to list Istio Objects from.

string = {
  min_len: 1
}

ListIstioObjectsResponse

List of Istio direct mode objects

FieldDescriptionValidation Rule

objects

List of tetrateio.api.tsb.types.v2.IstioObject

NamespaceSelector

NamespaceSelector selects a set of namespaces across one or more clusters in a tenant. Namespace selectors can be used at Workspace level to carve out a chunk of resources under a tenant into an isolated configuration domain. They can be used in a Traffic, Security, or a Gateway group to further scope the set of namespaces that will belong to a specific configuration group. Names in namespaces selector must be in the form cluster/namespace where:

  • cluster must be a cluster name or an * to mean all clusters
  • namespace must be a namespace name, an * to mean all namespaces or a prefix like ns-* to mean all those namespaces starting by ns-
FieldDescriptionValidation Rule

names

List of string
REQUIRED
Under the tenant/workspace/group:

- */ns1 implies ns1 namespace in any cluster.

- c1/ns1 implies ns1 namespace from c1 cluster.

- c1/* implies all namespaces in c1 cluster.

- */* implies all namespaces in all clusters.

- c1/ns* implies all namespaces prefixed by ns in c1 cluster.

repeated = {
  min_items: 1
  items: {string:{pattern:^(\\*|[^/*]+)/(\\*|[^/*]+\\*?)$}}
}

Object

Format for all API objects in TSB as exposed in the CLI.

FieldDescriptionValidation Rule

apiVersion

string
REQUIRED
api.tsb.tetrate.io/v2, traffic.tsb.tetrate.io/v2, security.tsb.tetrate.io/v2, gateway.tsb.tetrate.io/v2, networking.istio.io/v1beta1, security.istio.io/v1beta1, etc.

string = {
  min_len: 1
}

kind

string
REQUIRED
Workspace, Cluster, Tenant, Team, User, WorkspaceSetting, Group (under traffic.tsb.tetrate.io and security.tsb.tetrate.io), TrafficSetting, SecuritySetting, etc.

string = {
  min_len: 1
}

metadata

tetrateio.api.tsb.types.v2.ObjectMeta
REQUIRED

spec

google.protobuf.Any
The API payload.

status

map<string, string>
Contains errors, tokens (in case of cluster onboarding, and other information).

ObjectMeta

Metadata associated with each API Object.

FieldDescriptionValidation Rule

name

string
Name associated with the object. The object name must be unique within the kind and the parent. For example, all workspaces under a tenant should have a unique name. Traffic groups under a workspace should have a unique name, while names are not required to be unique across traffic groups in different workspaces.

namespace

string
Applicable when using Istio objects.

tenant

string
The tenant to which the object belongs to.

workspace

string
The workspace to which the object belongs to.

group

string
The traffic/security/gateway group to which the object belongs to.

resourceVersion

string
Resource version is used internally to track propagation of resources to the data planes.

labels

map<string, string>
User specified labels to attach to the objects. This is only available for Istio resources when applying configuration in DIRECT mode. Labels applied to TSB resources will be ignored.

annotations

map<string, string>
Istio artifacts must contain 4 annotations: tsb.tetrate.io/organization, tsb.tetrate.io/tenant, tsb.tetrate.io/workspace, and one of tsb.tetrate.io/trafficGroup, tsb.tetrate.io/securityGroup, tsb.tetrate.io/gatewayGroup or tsb.tetrate.io/istioInternalGroup This is only available for Istio resources when applying configuration in DIRECT mode. Labels applied to TSB resources will be ignored.

displayName

string
User friendly name for the resource.

description

string
A description of the resource.

organization

string
The organization to which the object belongs to

application

string
The application to which the resource belongs to

api

string
The API to which the resource belongs to

service

string
The service which the resource belongs to.

telemetrySource

string
The telemetry source the resource belongs to.

fqn

string
The fully-qualified name of a resource.

PropagationStrategy

The PropagationStrategy is the key differentiating factor to decide how a security policy should be propagated and applied at runtime across clusters. The default propagation strategy is REPLACE, in which a lower level SecuritySetting in the configuration hierarchy replaces a higher level SecuritySetting. The STRICTER PropagationStrategy on the other hand makes sure the default SecuritySettings configured at the parent level are always enforced and propagated down the hierarchy unless additional SecuritySettings are defined and restricted further in the configuration hierarchy.

  • REPLACE should be used when resources in the hierarchy are allowed to override the default settings configured at the higher levels.
  • STRICTER should be used when the default settings must prevail, and the settings can only be made more restrictive by child resources at lower levels of the hierarchy.

When a resource or property of it affected by the propagation strategy is propagated down the hierarchy, regardless of the defined strategy (REPLACE or STRICTER), a parent defined resource or a property of the resource will be used (propagated) in absence of a child resource or a property of it.

For example, the following policy configures optional mTLS for traffic within the workspace, but it allows SecuritySettings to modify it. The example shows a workspace that configures service-to-service access so that only services in the same workspace can talk to each other. The REPLACE propagation policy allows individual settings to override it. In the example, the SecuritySettings allows services within that group to be reachable from any service in the cluster, regardless for the workspace they belong to, even though the Workspace restricts service-to-service access to only services in the Workspace.

apiVersion: api.tsb.tetrate.io/v2
kind: WorkspaceSetting
metadata:
name: w1-settings
workspace: w1
tenant: mycompany
organization: myorg
spec:
defaultSecuritySetting:
propagationStrategy: REPLACE
authorization:
mode: WORKSPACE
---
apiVersion: security.tsb.tetrate.io/v2
kind: SecuritySetting
metadata:
name: defaults
group: t1
workspace: w1
tenant: mycompany
organization: myorg
spec:
authorization:
mode: CLUSTER

STRICTER propagation configures defaults that can be only be restricted down the hierarchy. The following example configures the same WorkspaceSetting but with a STRICTER propagation mode. The defaults SecuritySetting further narrows down that access to the GROUP scope, which is allowed because GROUP is more strict than WORKSPACE. However, the defaults-invalid SecuritySetting configures CLUSTER access, which would widen the scope defined at the Workspace. That settings will not be allowed based on the STRICTER propagation policy.

apiVersion: api.tsb.tetrate.io/v2
kind: WorkspaceSetting
metadata:
name: w1-settings
workspace: w1
tenant: mycompany
organization: myorg
spec:
defaultSecuritySetting:
propagationStrategy: STRICTER
authorization:
mode: WORKSPACE
---
apiVersion: security.tsb.tetrate.io/v2
kind: SecuritySetting
metadata:
name: defaults
group: t1
workspace: w1
tenant: mycompany
organization: myorg
spec:
authorization:
mode: GROUP
---
apiVersion: security.tsb.tetrate.io/v2
kind: SecuritySetting
metadata:
name: defaults-invalid
group: t2
workspace: w1
tenant: mycompany
organization: myorg
spec:
authorization:
mode: CLUSTER

Further details of how security settings are resolved between in STRICTER mode between a parent and a child resource can be found in the SecuritySettings reference.

NameNumberDescription

REPLACE

0

Is the default configuration propagation strategy. A lower defined configuration in the hierarchy will replace a higher configuration in the hierarchy. Otherwise, if a lower configuration is not defined, the configuration higher up in the hierarchy will prevail. For instance, a defined default propagation strategy for workspace default security settings will replace tenant's defined default security settings.

STRICTER

1

STRICTER propagation strategy propagates the strictest configuration between a defined higher level and a defined lower level configuration in the hierarchy. If a lower level configuration in the hierarchy is not defined, the higher one will prevail. Which configuration is stricter than the other is defined by each concrete configuration that allows specifying a propagation strategy.

RegionalFailover

Specify the traffic failover policy across regions. Since zone and sub-zone failover is supported by default this only needs to be specified for regions when the operator needs to constrain traffic failover so that the default behavior of failing over to any endpoint globally does not apply. This is useful when failing over traffic across regions would not improve service health or may need to be restricted for other reasons like regulatory controls.

FieldDescriptionValidation Rule

from

string
Originating region.

to

string
Destination region the traffic will fail over to when endpoints in the 'from' region become unhealthy.

TypeInfo

TypeInfo provides metadata describing a message type.

FieldDescriptionValidation Rule

generatesConfig

bool
Indicates that the type has a configuration status and that it will go through several stages after creation until it is fully ready.

aggregatesStatus

bool
Indicates that the type has its status aggregated from the status of its child resources.

dependencies

List of string
If not empty, it indicates on what resources it's dependent.

WorkloadSelector

WorkloadSelector selects one or more workloads in a namespace. WorkloadSelector can be used in TrafficSetting, SecuritySetting, and Gateway APIs in BRIDGED mode to scope the configuration to a specific set of workloads.

FieldDescriptionValidation Rule

namespace

string
REQUIRED
The namespace where the workload resides.

string = {
  min_len: 1
}

labels

map<string, string>
REQUIRED
One or more labels that indicate a specific set of pods/VMs in the namespace. If omitted, the TrafficSetting or SecuritySetting configuration will apply to all workloads in the namespace. Labels are required for Gateway API resources.