Service Security Setting
ServiceSecuritySetting
allows configuring security related properties
such as TLS authentication and access control for traffic arriving
at a particular service in a security group. These settings will replace
the security group wide settings for this service.
The following example defines a security setting that applies to the service
foo
in namespace ns1
that only allows mutual TLS authenticated traffic
from other proxy workloads in the same group.
apiVersion: security.tsb.tetrate.io/v2
kind: ServiceSecuritySetting
metadata:
name: foo-auth
group: sg1
workspace: w1
tenant: mycompany
org: myorg
spec:
service: ns1/foo.ns1.svc.cluster.local
settings:
authentication: REQUIRED
authorization:
mode: GROUP
The following example customizes the Extensions
to enable
the execution of the WasmExtensions list specified, detailing
custom properties for the execution of each extension.
apiVersion: security.tsb.tetrate.io/v2
kind: ServiceSecuritySetting
metadata:
name: foo-wasm-plugin
group: sg1
workspace: w1
tenant: mycompany
org: myorg
spec:
service: ns1/foo.ns1.svc.cluster.local
settings:
extension:
- fqn: hello-world # fqn of imported extensions in TSB
config:
foo: bar
ServiceSecuritySetting
A service security setting applies configuration to a service in a security group. Missing fields will inherit values from the workspace-wide setting if any.
Field | Description | Validation Rule |
service | string | string = { |
settings | tetrateio.api.tsb.security.v2.SecuritySetting | – |
subsets | List of tetrateio.api.tsb.security.v2.ServiceSecuritySetting.Subset | – |
Subset
Subset allows replacing the settings for a specific version of a service.
Field | Description | Validation Rule |
name | string | string = { |
settings | tetrateio.api.tsb.security.v2.SecuritySetting | message = { |