Creating Security Domains
What are Security Domains?
Security Domains allow you to create configuration groupings across the TSB hierarchy from anywhere in the configuration hierarchy - Tenant, Workspace or Security Group. Think of a securityDomain
as a name that can be attached to any of these TSB resources, and which can then be used in TSB rules.
Once a resource is identified with a securityDomain
, the security domain can be used as a source or target when creating rules. This allows the Operator to establish a set of requirements continuously across the Tetrate Service Bridge (TSB) hierarchy as new objects are created.
When should I use Security Domains?
As you grow your service mesh so will the number of policies that you need to enforce. In some cases, these security controls will not nicely overlay with your current TSB hierarchy choices: you have a subset of services, workspaces and tenants that share a common set of security controls.
Security Domains provides you the ability to create a single authorization rule that addresses multiple Tenants, WorkSpaces and Security Groups using their shared securityDomain
name. You can then create broad and inclusive rules that reflect the high-level access control intent using simple from and to clauses.
Using Security Domains
Note: the below example assumes you already know how to Create a Tenant.
We begin with a simple, single-cluster TSB deployment with two tenants dev_US_East
, stg_US_East
, representing development and staging environments. As our usage of TSB grows, we want to add a US West cluster for redundancy, which will require us to create two new tenants: dev_US_West
, stg_US_West
.
We are going to use Security Domains to create a simple, broad authorization rule that allows traffic from all stg
staging tenants to all dev
development tenants.
Step 1 Add the dev
and stg
security domains to your new created tenants by editing your tenant.yaml
kind: Tenant
metadata:
organziation: tetrate
tenant: dev_US_West
spec:
displayName: Dev US West
securityDomain: organizations/tetrate/securitydomains/dev
---
kind: Tenant
metadata:
organization: tetrate
tenant: stg_US_East
spec:
displayName: Stg US West
securityDomain: organizations/tetrate/securitydomains/stg
Step 2 Add the rules desired between our dev
and stg
Security Domains using tctl edit organizationsettings
In this example TSB environment, we want to ensure traffic can come from Staging and reach Development, but traffic cannot come from Development and reach Staging. Without a securityDomain
, we would need to create individual rules between each tenant, and the complexity of creating, managing and verifying these rules would grow with the number of tenants. Using a securityDomain
, I just need to associate each tenant with the appropriate securityDomain
. My authorization rule then references the securityDomain
as the target in the from
and to
clauses:
kind: OrganizationSetting
metadata:
displayName: tetrate-settings
name: tetrate-settings
organization: tetrate
resourceVersion: '"XI8Jtnl6JaE="'
spec:
defaultSecuritySetting:
authorization:
mode: RULES
rules:
allow:
- from:
fqn: organizations/tetrate/securitydomains/stg
to:
fqn: organizations/tetrate/securitydomains/dev
displayName: tetrate-settings
etag: '"XI8Jtnl6JaE="'
fqn: organizations/tetrate/settings/tetrate-settings
The final step is optional, but recommended for completeness, or if you have traffic you care about existing between your existing tenants
Step 3 Test the behaviour between your new tenants and update your existing tenants by editing your tenant.yaml
Update your tenant.yaml
to add your existing Tenants to your newly created security domains.
kind: Tenant
metadata:
organziation: tetrate
tenant: dev_US_West
spec:
displayName: Dev US West
securityDomain: organizations/tetrate/securitydomains/dev
---
kind: Tenant
metadata:
organziation: tetrate
tenant: stg_US_East
spec:
displayName: Stg US West
securityDomain: organizations/tetrate/securitydomains/stg
What did we achieve?
We successfully configured our new US West tenants and added them to their respective security domains dev
and stg
. As we add more pairs of dev
and stg
tenants, we can associate them with the appropriate securityDomain
. TSB will automatically extend the authorization rules to apply access control across all of our tenants.
What is the future of Security Domains?
Early Feature Implementation
Security Domains is a new capability in Tetrate Service Bridge 1.6. Implementation will likely be extended in later releases as we unlock additional use cases and visualizations.
The example above only scrapes the surface of what can be achieved with Security Domains. Although they are a major step forward in simplifying the task of creating authorization rules in large environments, even Security Domain relationships can eventually become involved and complex. Tetrate are considering UI visualizations and other extensions to make security domains more scalable and easier to configure accurately, enabling rich use cases:
If you are using Security Domains, Tetrate would love to hear from you. Please reach out via your Tetrate account team.