linkerd
/
linkerd2
mirror of https://github.com/linkerd/linkerd2.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

proxy-injector: add `default-inbound-policy` annotation (#6750) 

The proxy injector now adds the `config.linkerd.io/default-inbound-policy` annotation to all injected pods.

Closes #6720.

If the pod has the annotation before injection then that value is used. If the pod does not have the annotation but the namespace does, then it inherits that. If both the pod and the namespace do not have the annotation, then it defaults to `.Values.policyController.defaultAllowPolicy`.

Upon injecting the sidecar container into the pod, this annotation value is used to set the `LINKERD2_PROXY_INBOUND_DEFAULT_POLICY` environment variable. Additionally, `LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS` is also set to the value of `.Values.clusterNetworks`.

Signed-off-by: Kevin Leimkuhler <kevin@kleimkuhler.com>
This commit is contained in:
Kevin Leimkuhler 2021-08-26 12:46:40 -06:00 committed by GitHub
parent 0a256858af
commit 152290e58d
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
49 changed files with 339 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
charts/partials/templates/_proxy.tpl
View File

@ -34,6 +34,10 @@ env:
value: {{ternary "localhost.:8090" (printf "linkerd-policy.%s.svc.%s.:8090" .Values.namespace .Values.clusterDomain) (eq (toString .Values.proxy.component) "linkerd-destination")}}
- name: LINKERD2_PROXY_POLICY_WORKLOAD
value: "$(_pod_ns):$(_pod_name)"
- name: LINKERD2_PROXY_INBOUND_DEFAULT_POLICY
value: {{.Values.proxy.defaultInboundPolicy | default .Values.policyController.defaultAllowPolicy}}
- name: LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS
value: {{.Values.clusterNetworks | quote}}
{{ end -}}
{{ if .Values.proxy.inboundConnectTimeout -}}
- name: LINKERD2_PROXY_INBOUND_CONNECT_TIMEOUT

4
cli/cmd/testdata/inject-filepath/expected/injected_nginx.yaml vendored
View File

@ -44,6 +44,10 @@ spec:
value: linkerd-policy.linkerd.svc.cluster.local.:8090
- name: LINKERD2_PROXY_POLICY_WORKLOAD
value: $(_pod_ns):$(_pod_name)
- name: LINKERD2_PROXY_INBOUND_DEFAULT_POLICY
value: all-unauthenticated
- name: LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS
value: 10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16
- name: LINKERD2_PROXY_INBOUND_CONNECT_TIMEOUT
value: 100ms
- name: LINKERD2_PROXY_OUTBOUND_CONNECT_TIMEOUT

8
cli/cmd/testdata/inject-filepath/expected/injected_nginx_redis.yaml vendored
View File

@ -44,6 +44,10 @@ spec:
value: linkerd-policy.linkerd.svc.cluster.local.:8090
- name: LINKERD2_PROXY_POLICY_WORKLOAD
value: $(_pod_ns):$(_pod_name)
- name: LINKERD2_PROXY_INBOUND_DEFAULT_POLICY
value: all-unauthenticated
- name: LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS
value: 10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16
- name: LINKERD2_PROXY_INBOUND_CONNECT_TIMEOUT
value: 100ms
- name: LINKERD2_PROXY_OUTBOUND_CONNECT_TIMEOUT
@ -234,6 +238,10 @@ spec:
value: linkerd-policy.linkerd.svc.cluster.local.:8090
- name: LINKERD2_PROXY_POLICY_WORKLOAD
value: $(_pod_ns):$(_pod_name)
- name: LINKERD2_PROXY_INBOUND_DEFAULT_POLICY
value: all-unauthenticated
- name: LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS
value: 10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16
- name: LINKERD2_PROXY_INBOUND_CONNECT_TIMEOUT
value: 100ms
- name: LINKERD2_PROXY_OUTBOUND_CONNECT_TIMEOUT

4
cli/cmd/testdata/inject-filepath/expected/injected_redis.yaml vendored
View File

@ -44,6 +44,10 @@ spec:
value: linkerd-policy.linkerd.svc.cluster.local.:8090
- name: LINKERD2_PROXY_POLICY_WORKLOAD
value: $(_pod_ns):$(_pod_name)
- name: LINKERD2_PROXY_INBOUND_DEFAULT_POLICY
value: all-unauthenticated
- name: LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS
value: 10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16
- name: LINKERD2_PROXY_INBOUND_CONNECT_TIMEOUT
value: 100ms
- name: LINKERD2_PROXY_OUTBOUND_CONNECT_TIMEOUT

4
cli/cmd/testdata/inject_contour.golden.yml vendored
View File

@ -52,6 +52,10 @@ spec:
value: linkerd-policy.linkerd.svc.cluster.local.:8090
- name: LINKERD2_PROXY_POLICY_WORKLOAD
value: $(_pod_ns):$(_pod_name)
- name: LINKERD2_PROXY_INBOUND_DEFAULT_POLICY
value: all-unauthenticated
- name: LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS
value: 10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16
- name: LINKERD2_PROXY_INBOUND_CONNECT_TIMEOUT
value: 100ms
- name: LINKERD2_PROXY_OUTBOUND_CONNECT_TIMEOUT

16
cli/cmd/testdata/inject_emojivoto_already_injected.golden.yml vendored
View File

@ -46,6 +46,10 @@ spec:
value: linkerd-policy.linkerd.svc.cluster.local.:8090
- name: LINKERD2_PROXY_POLICY_WORKLOAD
value: $(_pod_ns):$(_pod_name)
- name: LINKERD2_PROXY_INBOUND_DEFAULT_POLICY
value: all-unauthenticated
- name: LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS
value: 10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16
- name: LINKERD2_PROXY_INBOUND_CONNECT_TIMEOUT
value: 100ms
- name: LINKERD2_PROXY_OUTBOUND_CONNECT_TIMEOUT
@ -247,6 +251,10 @@ spec:
value: linkerd-policy.linkerd.svc.cluster.local.:8090
- name: LINKERD2_PROXY_POLICY_WORKLOAD
value: $(_pod_ns):$(_pod_name)
- name: LINKERD2_PROXY_INBOUND_DEFAULT_POLICY
value: all-unauthenticated
- name: LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS
value: 10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16
- name: LINKERD2_PROXY_INBOUND_CONNECT_TIMEOUT
value: 100ms
- name: LINKERD2_PROXY_OUTBOUND_CONNECT_TIMEOUT
@ -448,6 +456,10 @@ spec:
value: linkerd-policy.linkerd.svc.cluster.local.:8090
- name: LINKERD2_PROXY_POLICY_WORKLOAD
value: $(_pod_ns):$(_pod_name)
- name: LINKERD2_PROXY_INBOUND_DEFAULT_POLICY
value: all-unauthenticated
- name: LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS
value: 10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16
- name: LINKERD2_PROXY_INBOUND_CONNECT_TIMEOUT
value: 100ms
- name: LINKERD2_PROXY_OUTBOUND_CONNECT_TIMEOUT
@ -649,6 +661,10 @@ spec:
value: linkerd-policy.linkerd.svc.cluster.local.:8090
- name: LINKERD2_PROXY_POLICY_WORKLOAD
value: $(_pod_ns):$(_pod_name)
- name: LINKERD2_PROXY_INBOUND_DEFAULT_POLICY
value: all-unauthenticated
- name: LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS
value: 10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16
- name: LINKERD2_PROXY_INBOUND_CONNECT_TIMEOUT
value: 100ms
- name: LINKERD2_PROXY_OUTBOUND_CONNECT_TIMEOUT

4
cli/cmd/testdata/inject_emojivoto_deployment.golden.yml vendored
View File

@ -46,6 +46,10 @@ spec:
value: linkerd-policy.linkerd.svc.cluster.local.:8090
- name: LINKERD2_PROXY_POLICY_WORKLOAD
value: $(_pod_ns):$(_pod_name)
- name: LINKERD2_PROXY_INBOUND_DEFAULT_POLICY
value: all-unauthenticated
- name: LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS
value: 10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16
- name: LINKERD2_PROXY_INBOUND_CONNECT_TIMEOUT
value: 100ms
- name: LINKERD2_PROXY_OUTBOUND_CONNECT_TIMEOUT

4
cli/cmd/testdata/inject_emojivoto_deployment_capabilities.golden.yml vendored
View File

@ -46,6 +46,10 @@ spec:
value: linkerd-policy.linkerd.svc.cluster.local.:8090
- name: LINKERD2_PROXY_POLICY_WORKLOAD
value: $(_pod_ns):$(_pod_name)
- name: LINKERD2_PROXY_INBOUND_DEFAULT_POLICY
value: all-unauthenticated
- name: LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS
value: 10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16
- name: LINKERD2_PROXY_INBOUND_CONNECT_TIMEOUT
value: 100ms
- name: LINKERD2_PROXY_OUTBOUND_CONNECT_TIMEOUT

4
cli/cmd/testdata/inject_emojivoto_deployment_config_overrides.golden.yml vendored
View File

@ -56,6 +56,10 @@ spec:
value: linkerd-policy.linkerd.svc.cluster.local.:8090
- name: LINKERD2_PROXY_POLICY_WORKLOAD
value: $(_pod_ns):$(_pod_name)
- name: LINKERD2_PROXY_INBOUND_DEFAULT_POLICY
value: all-unauthenticated
- name: LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS
value: 10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16
- name: LINKERD2_PROXY_INBOUND_CONNECT_TIMEOUT
value: 100ms
- name: LINKERD2_PROXY_OUTBOUND_CONNECT_TIMEOUT

8
cli/cmd/testdata/inject_emojivoto_deployment_controller_name.golden.yml vendored
View File

@ -46,6 +46,10 @@ spec:
value: linkerd-policy.linkerd.svc.cluster.local.:8090
- name: LINKERD2_PROXY_POLICY_WORKLOAD
value: $(_pod_ns):$(_pod_name)
- name: LINKERD2_PROXY_INBOUND_DEFAULT_POLICY
value: all-unauthenticated
- name: LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS
value: 10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16
- name: LINKERD2_PROXY_INBOUND_CONNECT_TIMEOUT
value: 100ms
- name: LINKERD2_PROXY_OUTBOUND_CONNECT_TIMEOUT
@ -247,6 +251,10 @@ spec:
value: linkerd-policy.linkerd.svc.cluster.local.:8090
- name: LINKERD2_PROXY_POLICY_WORKLOAD
value: $(_pod_ns):$(_pod_name)
- name: LINKERD2_PROXY_INBOUND_DEFAULT_POLICY
value: all-unauthenticated
- name: LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS
value: 10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16
- name: LINKERD2_PROXY_INBOUND_CONNECT_TIMEOUT
value: 100ms
- name: LINKERD2_PROXY_OUTBOUND_CONNECT_TIMEOUT

4
cli/cmd/testdata/inject_emojivoto_deployment_debug.golden.yml vendored
View File

@ -47,6 +47,10 @@ spec:
value: linkerd-policy.linkerd.svc.cluster.local.:8090
- name: LINKERD2_PROXY_POLICY_WORKLOAD
value: $(_pod_ns):$(_pod_name)
- name: LINKERD2_PROXY_INBOUND_DEFAULT_POLICY
value: all-unauthenticated
- name: LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS
value: 10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16
- name: LINKERD2_PROXY_INBOUND_CONNECT_TIMEOUT
value: 100ms
- name: LINKERD2_PROXY_OUTBOUND_CONNECT_TIMEOUT

4
cli/cmd/testdata/inject_emojivoto_deployment_empty_resources.golden.yml vendored
View File

@ -46,6 +46,10 @@ spec:
value: linkerd-policy.linkerd.svc.cluster.local.:8090
- name: LINKERD2_PROXY_POLICY_WORKLOAD
value: $(_pod_ns):$(_pod_name)
- name: LINKERD2_PROXY_INBOUND_DEFAULT_POLICY
value: all-unauthenticated
- name: LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS
value: 10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16
- name: LINKERD2_PROXY_INBOUND_CONNECT_TIMEOUT
value: 100ms
- name: LINKERD2_PROXY_OUTBOUND_CONNECT_TIMEOUT

4
cli/cmd/testdata/inject_emojivoto_deployment_hostNetwork_false.golden.yml vendored
View File

@ -46,6 +46,10 @@ spec:
value: linkerd-policy.linkerd.svc.cluster.local.:8090
- name: LINKERD2_PROXY_POLICY_WORKLOAD
value: $(_pod_ns):$(_pod_name)
- name: LINKERD2_PROXY_INBOUND_DEFAULT_POLICY
value: all-unauthenticated
- name: LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS
value: 10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16
- name: LINKERD2_PROXY_INBOUND_CONNECT_TIMEOUT
value: 100ms
- name: LINKERD2_PROXY_OUTBOUND_CONNECT_TIMEOUT

4
cli/cmd/testdata/inject_emojivoto_deployment_no_init_container.golden.yml vendored
View File

@ -46,6 +46,10 @@ spec:
value: linkerd-policy.linkerd.svc.cluster.local.:8090
- name: LINKERD2_PROXY_POLICY_WORKLOAD
value: $(_pod_ns):$(_pod_name)
- name: LINKERD2_PROXY_INBOUND_DEFAULT_POLICY
value: all-unauthenticated
- name: LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS
value: 10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16
- name: LINKERD2_PROXY_INBOUND_CONNECT_TIMEOUT
value: 100ms
- name: LINKERD2_PROXY_OUTBOUND_CONNECT_TIMEOUT

4
cli/cmd/testdata/inject_emojivoto_deployment_opaque_ports.golden.yml vendored
View File

@ -47,6 +47,10 @@ spec:
value: linkerd-policy.linkerd.svc.cluster.local.:8090
- name: LINKERD2_PROXY_POLICY_WORKLOAD
value: $(_pod_ns):$(_pod_name)
- name: LINKERD2_PROXY_INBOUND_DEFAULT_POLICY
value: all-unauthenticated
- name: LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS
value: 10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16
- name: LINKERD2_PROXY_INBOUND_CONNECT_TIMEOUT
value: 100ms
- name: LINKERD2_PROXY_OUTBOUND_CONNECT_TIMEOUT

4
cli/cmd/testdata/inject_emojivoto_deployment_overridden.golden.yml vendored
View File

@ -47,6 +47,10 @@ spec:
value: linkerd-policy.linkerd.svc.cluster.local.:8090
- name: LINKERD2_PROXY_POLICY_WORKLOAD
value: $(_pod_ns):$(_pod_name)
- name: LINKERD2_PROXY_INBOUND_DEFAULT_POLICY
value: all-unauthenticated
- name: LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS
value: 10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16
- name: LINKERD2_PROXY_INBOUND_CONNECT_TIMEOUT
value: 100ms
- name: LINKERD2_PROXY_OUTBOUND_CONNECT_TIMEOUT

4
cli/cmd/testdata/inject_emojivoto_deployment_proxyignores.golden.yml vendored
View File

@ -48,6 +48,10 @@ spec:
value: linkerd-policy.linkerd.svc.cluster.local.:8090
- name: LINKERD2_PROXY_POLICY_WORKLOAD
value: $(_pod_ns):$(_pod_name)
- name: LINKERD2_PROXY_INBOUND_DEFAULT_POLICY
value: all-unauthenticated
- name: LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS
value: 10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16
- name: LINKERD2_PROXY_INBOUND_CONNECT_TIMEOUT
value: 100ms
- name: LINKERD2_PROXY_OUTBOUND_CONNECT_TIMEOUT

4
cli/cmd/testdata/inject_emojivoto_deployment_udp.golden.yml vendored
View File

@ -46,6 +46,10 @@ spec:
value: linkerd-policy.linkerd.svc.cluster.local.:8090
- name: LINKERD2_PROXY_POLICY_WORKLOAD
value: $(_pod_ns):$(_pod_name)
- name: LINKERD2_PROXY_INBOUND_DEFAULT_POLICY
value: all-unauthenticated
- name: LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS
value: 10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16
- name: LINKERD2_PROXY_INBOUND_CONNECT_TIMEOUT
value: 100ms
- name: LINKERD2_PROXY_OUTBOUND_CONNECT_TIMEOUT

8
cli/cmd/testdata/inject_emojivoto_list.golden.yml vendored
View File

@ -48,6 +48,10 @@ items:
value: linkerd-policy.linkerd.svc.cluster.local.:8090
- name: LINKERD2_PROXY_POLICY_WORKLOAD
value: $(_pod_ns):$(_pod_name)
- name: LINKERD2_PROXY_INBOUND_DEFAULT_POLICY
value: all-unauthenticated
- name: LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS
value: 10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16
- name: LINKERD2_PROXY_INBOUND_CONNECT_TIMEOUT
value: 100ms
- name: LINKERD2_PROXY_OUTBOUND_CONNECT_TIMEOUT
@ -248,6 +252,10 @@ items:
value: linkerd-policy.linkerd.svc.cluster.local.:8090
- name: LINKERD2_PROXY_POLICY_WORKLOAD
value: $(_pod_ns):$(_pod_name)
- name: LINKERD2_PROXY_INBOUND_DEFAULT_POLICY
value: all-unauthenticated
- name: LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS
value: 10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16
- name: LINKERD2_PROXY_INBOUND_CONNECT_TIMEOUT
value: 100ms
- name: LINKERD2_PROXY_OUTBOUND_CONNECT_TIMEOUT

8
cli/cmd/testdata/inject_emojivoto_list_empty_resources.golden.yml vendored
View File

@ -48,6 +48,10 @@ items:
value: linkerd-policy.linkerd.svc.cluster.local.:8090
- name: LINKERD2_PROXY_POLICY_WORKLOAD
value: $(_pod_ns):$(_pod_name)
- name: LINKERD2_PROXY_INBOUND_DEFAULT_POLICY
value: all-unauthenticated
- name: LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS
value: 10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16
- name: LINKERD2_PROXY_INBOUND_CONNECT_TIMEOUT
value: 100ms
- name: LINKERD2_PROXY_OUTBOUND_CONNECT_TIMEOUT
@ -248,6 +252,10 @@ items:
value: linkerd-policy.linkerd.svc.cluster.local.:8090
- name: LINKERD2_PROXY_POLICY_WORKLOAD
value: $(_pod_ns):$(_pod_name)
- name: LINKERD2_PROXY_INBOUND_DEFAULT_POLICY
value: all-unauthenticated
- name: LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS
value: 10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16
- name: LINKERD2_PROXY_INBOUND_CONNECT_TIMEOUT
value: 100ms
- name: LINKERD2_PROXY_OUTBOUND_CONNECT_TIMEOUT

4
cli/cmd/testdata/inject_emojivoto_pod.golden.yml vendored
View File

@ -38,6 +38,10 @@ spec:
value: linkerd-policy.linkerd.svc.cluster.local.:8090
- name: LINKERD2_PROXY_POLICY_WORKLOAD
value: $(_pod_ns):$(_pod_name)
- name: LINKERD2_PROXY_INBOUND_DEFAULT_POLICY
value: all-unauthenticated
- name: LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS
value: 10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16
- name: LINKERD2_PROXY_INBOUND_CONNECT_TIMEOUT
value: 100ms
- name: LINKERD2_PROXY_OUTBOUND_CONNECT_TIMEOUT

4
cli/cmd/testdata/inject_emojivoto_pod_ingress.golden.yml vendored
View File

@ -39,6 +39,10 @@ spec:
value: linkerd-policy.linkerd.svc.cluster.local.:8090
- name: LINKERD2_PROXY_POLICY_WORKLOAD
value: $(_pod_ns):$(_pod_name)
- name: LINKERD2_PROXY_INBOUND_DEFAULT_POLICY
value: all-unauthenticated
- name: LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS
value: 10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16
- name: LINKERD2_PROXY_INBOUND_CONNECT_TIMEOUT
value: 100ms
- name: LINKERD2_PROXY_OUTBOUND_CONNECT_TIMEOUT

4
cli/cmd/testdata/inject_emojivoto_pod_proxyignores.golden.yml vendored
View File

@ -40,6 +40,10 @@ spec:
value: linkerd-policy.linkerd.svc.cluster.local.:8090
- name: LINKERD2_PROXY_POLICY_WORKLOAD
value: $(_pod_ns):$(_pod_name)
- name: LINKERD2_PROXY_INBOUND_DEFAULT_POLICY
value: all-unauthenticated
- name: LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS
value: 10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16
- name: LINKERD2_PROXY_INBOUND_CONNECT_TIMEOUT
value: 100ms
- name: LINKERD2_PROXY_OUTBOUND_CONNECT_TIMEOUT

4
cli/cmd/testdata/inject_emojivoto_pod_with_requests.golden.yml vendored
View File

@ -42,6 +42,10 @@ spec:
value: linkerd-policy.linkerd.svc.cluster.local.:8090
- name: LINKERD2_PROXY_POLICY_WORKLOAD
value: $(_pod_ns):$(_pod_name)
- name: LINKERD2_PROXY_INBOUND_DEFAULT_POLICY
value: all-unauthenticated
- name: LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS
value: 10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16
- name: LINKERD2_PROXY_INBOUND_CONNECT_TIMEOUT
value: 100ms
- name: LINKERD2_PROXY_OUTBOUND_CONNECT_TIMEOUT

4
cli/cmd/testdata/inject_emojivoto_statefulset.golden.yml vendored
View File

@ -47,6 +47,10 @@ spec:
value: linkerd-policy.linkerd.svc.cluster.local.:8090
- name: LINKERD2_PROXY_POLICY_WORKLOAD
value: $(_pod_ns):$(_pod_name)
- name: LINKERD2_PROXY_INBOUND_DEFAULT_POLICY
value: all-unauthenticated
- name: LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS
value: 10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16
- name: LINKERD2_PROXY_INBOUND_CONNECT_TIMEOUT
value: 100ms
- name: LINKERD2_PROXY_OUTBOUND_CONNECT_TIMEOUT

8
cli/cmd/testdata/inject_gettest_deployment.good.golden.yml vendored
View File

@ -42,6 +42,10 @@ spec:
value: linkerd-policy.linkerd.svc.cluster.local.:8090
- name: LINKERD2_PROXY_POLICY_WORKLOAD
value: $(_pod_ns):$(_pod_name)
- name: LINKERD2_PROXY_INBOUND_DEFAULT_POLICY
value: all-unauthenticated
- name: LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS
value: 10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16
- name: LINKERD2_PROXY_INBOUND_CONNECT_TIMEOUT
value: 100ms
- name: LINKERD2_PROXY_OUTBOUND_CONNECT_TIMEOUT
@ -245,6 +249,10 @@ spec:
value: linkerd-policy.linkerd.svc.cluster.local.:8090
- name: LINKERD2_PROXY_POLICY_WORKLOAD
value: $(_pod_ns):$(_pod_name)
- name: LINKERD2_PROXY_INBOUND_DEFAULT_POLICY
value: all-unauthenticated
- name: LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS
value: 10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16
- name: LINKERD2_PROXY_INBOUND_CONNECT_TIMEOUT
value: 100ms
- name: LINKERD2_PROXY_OUTBOUND_CONNECT_TIMEOUT

4
cli/cmd/testdata/inject_tap_deployment_debug.golden.yml vendored
View File

@ -63,6 +63,10 @@ spec:
value: linkerd-policy.linkerd.svc.cluster.local.:8090
- name: LINKERD2_PROXY_POLICY_WORKLOAD
value: $(_pod_ns):$(_pod_name)
- name: LINKERD2_PROXY_INBOUND_DEFAULT_POLICY
value: all-unauthenticated
- name: LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS
value: 10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16
- name: LINKERD2_PROXY_INBOUND_CONNECT_TIMEOUT
value: 100ms
- name: LINKERD2_PROXY_OUTBOUND_CONNECT_TIMEOUT

9
cli/cmd/testdata/install_controlplane_tracing_output.golden generated vendored
View File

@ -1079,6 +1079,7 @@ data:
proxy:
await: true
capabilities: null
defaultInboundPolicy: ""
disableIdentity: false
enableExternalProfiles: false
image:
@ -1594,6 +1595,10 @@ spec:
value: localhost.:8090
- name: LINKERD2_PROXY_POLICY_WORKLOAD
value: "$(_pod_ns):$(_pod_name)"
- name: LINKERD2_PROXY_INBOUND_DEFAULT_POLICY
value: all-unauthenticated
- name: LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS
value: "10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16"
- name: LINKERD2_PROXY_INBOUND_CONNECT_TIMEOUT
value: "100ms"
- name: LINKERD2_PROXY_OUTBOUND_CONNECT_TIMEOUT
@ -1932,6 +1937,10 @@ spec:
value: linkerd-policy.linkerd.svc.cluster.local.:8090
- name: LINKERD2_PROXY_POLICY_WORKLOAD
value: "$(_pod_ns):$(_pod_name)"
- name: LINKERD2_PROXY_INBOUND_DEFAULT_POLICY
value: all-unauthenticated
- name: LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS
value: "10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16"
- name: LINKERD2_PROXY_INBOUND_CONNECT_TIMEOUT
value: "100ms"
- name: LINKERD2_PROXY_OUTBOUND_CONNECT_TIMEOUT

9
cli/cmd/testdata/install_custom_domain.golden generated vendored
View File

@ -1079,6 +1079,7 @@ data:
proxy:
await: true
capabilities: null
defaultInboundPolicy: ""
disableIdentity: false
enableExternalProfiles: false
image:
@ -1593,6 +1594,10 @@ spec:
value: localhost.:8090
- name: LINKERD2_PROXY_POLICY_WORKLOAD
value: "$(_pod_ns):$(_pod_name)"
- name: LINKERD2_PROXY_INBOUND_DEFAULT_POLICY
value: all-unauthenticated
- name: LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS
value: "10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16"
- name: LINKERD2_PROXY_INBOUND_CONNECT_TIMEOUT
value: "100ms"
- name: LINKERD2_PROXY_OUTBOUND_CONNECT_TIMEOUT
@ -1930,6 +1935,10 @@ spec:
value: linkerd-policy.l5d.svc.cluster.local.:8090
- name: LINKERD2_PROXY_POLICY_WORKLOAD
value: "$(_pod_ns):$(_pod_name)"
- name: LINKERD2_PROXY_INBOUND_DEFAULT_POLICY
value: all-unauthenticated
- name: LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS
value: "10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16"
- name: LINKERD2_PROXY_INBOUND_CONNECT_TIMEOUT
value: "100ms"
- name: LINKERD2_PROXY_OUTBOUND_CONNECT_TIMEOUT

9
cli/cmd/testdata/install_custom_registry.golden generated vendored
View File

@ -1079,6 +1079,7 @@ data:
proxy:
await: true
capabilities: null
defaultInboundPolicy: ""
disableIdentity: false
enableExternalProfiles: false
image:
@ -1593,6 +1594,10 @@ spec:
value: localhost.:8090
- name: LINKERD2_PROXY_POLICY_WORKLOAD
value: "$(_pod_ns):$(_pod_name)"
- name: LINKERD2_PROXY_INBOUND_DEFAULT_POLICY
value: all-unauthenticated
- name: LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS
value: "10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16"
- name: LINKERD2_PROXY_INBOUND_CONNECT_TIMEOUT
value: "100ms"
- name: LINKERD2_PROXY_OUTBOUND_CONNECT_TIMEOUT
@ -1930,6 +1935,10 @@ spec:
value: linkerd-policy.linkerd.svc.cluster.local.:8090
- name: LINKERD2_PROXY_POLICY_WORKLOAD
value: "$(_pod_ns):$(_pod_name)"
- name: LINKERD2_PROXY_INBOUND_DEFAULT_POLICY
value: all-unauthenticated
- name: LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS
value: "10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16"
- name: LINKERD2_PROXY_INBOUND_CONNECT_TIMEOUT
value: "100ms"
- name: LINKERD2_PROXY_OUTBOUND_CONNECT_TIMEOUT

9
cli/cmd/testdata/install_default.golden generated vendored
View File

@ -1079,6 +1079,7 @@ data:
proxy:
await: true
capabilities: null
defaultInboundPolicy: ""
disableIdentity: false
enableExternalProfiles: false
image:
@ -1593,6 +1594,10 @@ spec:
value: localhost.:8090
- name: LINKERD2_PROXY_POLICY_WORKLOAD
value: "$(_pod_ns):$(_pod_name)"
- name: LINKERD2_PROXY_INBOUND_DEFAULT_POLICY
value: all-unauthenticated
- name: LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS
value: "10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16"
- name: LINKERD2_PROXY_INBOUND_CONNECT_TIMEOUT
value: "100ms"
- name: LINKERD2_PROXY_OUTBOUND_CONNECT_TIMEOUT
@ -1930,6 +1935,10 @@ spec:
value: linkerd-policy.linkerd.svc.cluster.local.:8090
- name: LINKERD2_PROXY_POLICY_WORKLOAD
value: "$(_pod_ns):$(_pod_name)"
- name: LINKERD2_PROXY_INBOUND_DEFAULT_POLICY
value: all-unauthenticated
- name: LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS
value: "10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16"
- name: LINKERD2_PROXY_INBOUND_CONNECT_TIMEOUT
value: "100ms"
- name: LINKERD2_PROXY_OUTBOUND_CONNECT_TIMEOUT

9
cli/cmd/testdata/install_default_override_dst_get_nets.golden generated vendored
View File

@ -1079,6 +1079,7 @@ data:
proxy:
await: true
capabilities: null
defaultInboundPolicy: ""
disableIdentity: false
enableExternalProfiles: false
image:
@ -1593,6 +1594,10 @@ spec:
value: localhost.:8090
- name: LINKERD2_PROXY_POLICY_WORKLOAD
value: "$(_pod_ns):$(_pod_name)"
- name: LINKERD2_PROXY_INBOUND_DEFAULT_POLICY
value: all-unauthenticated
- name: LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS
value: "10.0.0.0/8,100.64.0.0/10,172.0.0.0/8"
- name: LINKERD2_PROXY_INBOUND_CONNECT_TIMEOUT
value: "100ms"
- name: LINKERD2_PROXY_OUTBOUND_CONNECT_TIMEOUT
@ -1930,6 +1935,10 @@ spec:
value: linkerd-policy.linkerd.svc.cluster.local.:8090
- name: LINKERD2_PROXY_POLICY_WORKLOAD
value: "$(_pod_ns):$(_pod_name)"
- name: LINKERD2_PROXY_INBOUND_DEFAULT_POLICY
value: all-unauthenticated
- name: LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS
value: "10.0.0.0/8,100.64.0.0/10,172.0.0.0/8"
- name: LINKERD2_PROXY_INBOUND_CONNECT_TIMEOUT
value: "100ms"
- name: LINKERD2_PROXY_OUTBOUND_CONNECT_TIMEOUT

9
cli/cmd/testdata/install_ha_output.golden generated vendored
View File

@ -1097,6 +1097,7 @@ data:
proxy:
await: true
capabilities: null
defaultInboundPolicy: ""
disableIdentity: false
enableExternalProfiles: false
image:
@ -1706,6 +1707,10 @@ spec:
value: localhost.:8090
- name: LINKERD2_PROXY_POLICY_WORKLOAD
value: "$(_pod_ns):$(_pod_name)"
- name: LINKERD2_PROXY_INBOUND_DEFAULT_POLICY
value: all-unauthenticated
- name: LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS
value: "10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16"
- name: LINKERD2_PROXY_INBOUND_CONNECT_TIMEOUT
value: "100ms"
- name: LINKERD2_PROXY_OUTBOUND_CONNECT_TIMEOUT
@ -2083,6 +2088,10 @@ spec:
value: linkerd-policy.linkerd.svc.cluster.local.:8090
- name: LINKERD2_PROXY_POLICY_WORKLOAD
value: "$(_pod_ns):$(_pod_name)"
- name: LINKERD2_PROXY_INBOUND_DEFAULT_POLICY
value: all-unauthenticated
- name: LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS
value: "10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16"
- name: LINKERD2_PROXY_INBOUND_CONNECT_TIMEOUT
value: "100ms"
- name: LINKERD2_PROXY_OUTBOUND_CONNECT_TIMEOUT

9
cli/cmd/testdata/install_ha_with_overrides_output.golden generated vendored
View File

@ -1097,6 +1097,7 @@ data:
proxy:
await: true
capabilities: null
defaultInboundPolicy: ""
disableIdentity: false
enableExternalProfiles: false
image:
@ -1706,6 +1707,10 @@ spec:
value: localhost.:8090
- name: LINKERD2_PROXY_POLICY_WORKLOAD
value: "$(_pod_ns):$(_pod_name)"
- name: LINKERD2_PROXY_INBOUND_DEFAULT_POLICY
value: all-unauthenticated
- name: LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS
value: "10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16"
- name: LINKERD2_PROXY_INBOUND_CONNECT_TIMEOUT
value: "100ms"
- name: LINKERD2_PROXY_OUTBOUND_CONNECT_TIMEOUT
@ -2083,6 +2088,10 @@ spec:
value: linkerd-policy.linkerd.svc.cluster.local.:8090
- name: LINKERD2_PROXY_POLICY_WORKLOAD
value: "$(_pod_ns):$(_pod_name)"
- name: LINKERD2_PROXY_INBOUND_DEFAULT_POLICY
value: all-unauthenticated
- name: LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS
value: "10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16"
- name: LINKERD2_PROXY_INBOUND_CONNECT_TIMEOUT
value: "100ms"
- name: LINKERD2_PROXY_OUTBOUND_CONNECT_TIMEOUT

9
cli/cmd/testdata/install_heartbeat_disabled_output.golden generated vendored
View File

@ -1010,6 +1010,7 @@ data:
proxy:
await: true
capabilities: null
defaultInboundPolicy: ""
disableIdentity: false
enableExternalProfiles: false
image:
@ -1524,6 +1525,10 @@ spec:
value: localhost.:8090
- name: LINKERD2_PROXY_POLICY_WORKLOAD
value: "$(_pod_ns):$(_pod_name)"
- name: LINKERD2_PROXY_INBOUND_DEFAULT_POLICY
value: all-unauthenticated
- name: LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS
value: "10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16"
- name: LINKERD2_PROXY_INBOUND_CONNECT_TIMEOUT
value: "100ms"
- name: LINKERD2_PROXY_OUTBOUND_CONNECT_TIMEOUT
@ -1812,6 +1817,10 @@ spec:
value: linkerd-policy.linkerd.svc.cluster.local.:8090
- name: LINKERD2_PROXY_POLICY_WORKLOAD
value: "$(_pod_ns):$(_pod_name)"
- name: LINKERD2_PROXY_INBOUND_DEFAULT_POLICY
value: all-unauthenticated
- name: LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS
value: "10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16"
- name: LINKERD2_PROXY_INBOUND_CONNECT_TIMEOUT
value: "100ms"
- name: LINKERD2_PROXY_OUTBOUND_CONNECT_TIMEOUT

9
cli/cmd/testdata/install_helm_output.golden generated vendored
View File

@ -1075,6 +1075,7 @@ data:
proxy:
await: true
capabilities: null
defaultInboundPolicy: ""
disableIdentity: false
enableExternalProfiles: false
image:
@ -1586,6 +1587,10 @@ spec:
value: localhost.:8090
- name: LINKERD2_PROXY_POLICY_WORKLOAD
value: "$(_pod_ns):$(_pod_name)"
- name: LINKERD2_PROXY_INBOUND_DEFAULT_POLICY
value: all-unauthenticated
- name: LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS
value: "10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16"
- name: LINKERD2_PROXY_INBOUND_CONNECT_TIMEOUT
value: "100ms"
- name: LINKERD2_PROXY_OUTBOUND_CONNECT_TIMEOUT
@ -1927,6 +1932,10 @@ spec:
value: linkerd-policy.linkerd.svc.cluster.local.:8090
- name: LINKERD2_PROXY_POLICY_WORKLOAD
value: "$(_pod_ns):$(_pod_name)"
- name: LINKERD2_PROXY_INBOUND_DEFAULT_POLICY
value: all-unauthenticated
- name: LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS
value: "10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16"
- name: LINKERD2_PROXY_INBOUND_CONNECT_TIMEOUT
value: "100ms"
- name: LINKERD2_PROXY_OUTBOUND_CONNECT_TIMEOUT

9
cli/cmd/testdata/install_helm_output_ha.golden generated vendored
View File

@ -1093,6 +1093,7 @@ data:
proxy:
await: true
capabilities: null
defaultInboundPolicy: ""
disableIdentity: false
enableExternalProfiles: false
image:
@ -1699,6 +1700,10 @@ spec:
value: localhost.:8090
- name: LINKERD2_PROXY_POLICY_WORKLOAD
value: "$(_pod_ns):$(_pod_name)"
- name: LINKERD2_PROXY_INBOUND_DEFAULT_POLICY
value: all-unauthenticated
- name: LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS
value: "10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16"
- name: LINKERD2_PROXY_INBOUND_CONNECT_TIMEOUT
value: "100ms"
- name: LINKERD2_PROXY_OUTBOUND_CONNECT_TIMEOUT
@ -2080,6 +2085,10 @@ spec:
value: linkerd-policy.linkerd.svc.cluster.local.:8090
- name: LINKERD2_PROXY_POLICY_WORKLOAD
value: "$(_pod_ns):$(_pod_name)"
- name: LINKERD2_PROXY_INBOUND_DEFAULT_POLICY
value: all-unauthenticated
- name: LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS
value: "10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16"
- name: LINKERD2_PROXY_INBOUND_CONNECT_TIMEOUT
value: "100ms"
- name: LINKERD2_PROXY_OUTBOUND_CONNECT_TIMEOUT

9
cli/cmd/testdata/install_helm_output_ha_labels.golden generated vendored
View File

@ -1097,6 +1097,7 @@ data:
proxy:
await: true
capabilities: null
defaultInboundPolicy: ""
disableIdentity: false
enableExternalProfiles: false
image:
@ -1711,6 +1712,10 @@ spec:
value: localhost.:8090
- name: LINKERD2_PROXY_POLICY_WORKLOAD
value: "$(_pod_ns):$(_pod_name)"
- name: LINKERD2_PROXY_INBOUND_DEFAULT_POLICY
value: all-unauthenticated
- name: LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS
value: "10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16"
- name: LINKERD2_PROXY_INBOUND_CONNECT_TIMEOUT
value: "100ms"
- name: LINKERD2_PROXY_OUTBOUND_CONNECT_TIMEOUT
@ -2100,6 +2105,10 @@ spec:
value: linkerd-policy.linkerd.svc.cluster.local.:8090
- name: LINKERD2_PROXY_POLICY_WORKLOAD
value: "$(_pod_ns):$(_pod_name)"
- name: LINKERD2_PROXY_INBOUND_DEFAULT_POLICY
value: all-unauthenticated
- name: LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS
value: "10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16"
- name: LINKERD2_PROXY_INBOUND_CONNECT_TIMEOUT
value: "100ms"
- name: LINKERD2_PROXY_OUTBOUND_CONNECT_TIMEOUT

9
cli/cmd/testdata/install_helm_output_ha_namespace_selector.golden generated vendored
View File

@ -1093,6 +1093,7 @@ data:
proxy:
await: true
capabilities: null
defaultInboundPolicy: ""
disableIdentity: false
enableExternalProfiles: false
image:
@ -1699,6 +1700,10 @@ spec:
value: localhost.:8090
- name: LINKERD2_PROXY_POLICY_WORKLOAD
value: "$(_pod_ns):$(_pod_name)"
- name: LINKERD2_PROXY_INBOUND_DEFAULT_POLICY
value: all-unauthenticated
- name: LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS
value: "10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16"
- name: LINKERD2_PROXY_INBOUND_CONNECT_TIMEOUT
value: "100ms"
- name: LINKERD2_PROXY_OUTBOUND_CONNECT_TIMEOUT
@ -2080,6 +2085,10 @@ spec:
value: linkerd-policy.linkerd.svc.cluster.local.:8090
- name: LINKERD2_PROXY_POLICY_WORKLOAD
value: "$(_pod_ns):$(_pod_name)"
- name: LINKERD2_PROXY_INBOUND_DEFAULT_POLICY
value: all-unauthenticated
- name: LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS
value: "10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16"
- name: LINKERD2_PROXY_INBOUND_CONNECT_TIMEOUT
value: "100ms"
- name: LINKERD2_PROXY_OUTBOUND_CONNECT_TIMEOUT

9
cli/cmd/testdata/install_no_init_container.golden generated vendored
View File

@ -1079,6 +1079,7 @@ data:
proxy:
await: true
capabilities: null
defaultInboundPolicy: ""
disableIdentity: false
enableExternalProfiles: false
image:
@ -1555,6 +1556,10 @@ spec:
value: localhost.:8090
- name: LINKERD2_PROXY_POLICY_WORKLOAD
value: "$(_pod_ns):$(_pod_name)"
- name: LINKERD2_PROXY_INBOUND_DEFAULT_POLICY
value: all-unauthenticated
- name: LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS
value: "10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16"
- name: LINKERD2_PROXY_INBOUND_CONNECT_TIMEOUT
value: "100ms"
- name: LINKERD2_PROXY_OUTBOUND_CONNECT_TIMEOUT
@ -1854,6 +1859,10 @@ spec:
value: linkerd-policy.linkerd.svc.cluster.local.:8090
- name: LINKERD2_PROXY_POLICY_WORKLOAD
value: "$(_pod_ns):$(_pod_name)"
- name: LINKERD2_PROXY_INBOUND_DEFAULT_POLICY
value: all-unauthenticated
- name: LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS
value: "10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16"
- name: LINKERD2_PROXY_INBOUND_CONNECT_TIMEOUT
value: "100ms"
- name: LINKERD2_PROXY_OUTBOUND_CONNECT_TIMEOUT

9
cli/cmd/testdata/install_output.golden generated vendored
View File

@ -1079,6 +1079,7 @@ data:
proxy:
await: false
capabilities: null
defaultInboundPolicy: ""
disableIdentity: false
enableExternalProfiles: false
image:
@ -1595,6 +1596,10 @@ spec:
value: localhost.:8090
- name: LINKERD2_PROXY_POLICY_WORKLOAD
value: "$(_pod_ns):$(_pod_name)"
- name: LINKERD2_PROXY_INBOUND_DEFAULT_POLICY
value: default-allow-policy
- name: LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS
value: "ClusterNetworks"
- name: LINKERD2_PROXY_CONTROL_LISTEN_ADDR
value: 0.0.0.0:4190
- name: LINKERD2_PROXY_ADMIN_LISTEN_ADDR
@ -1940,6 +1945,10 @@ spec:
value: linkerd-policy.linkerd.svc.cluster.local.:8090
- name: LINKERD2_PROXY_POLICY_WORKLOAD
value: "$(_pod_ns):$(_pod_name)"
- name: LINKERD2_PROXY_INBOUND_DEFAULT_POLICY
value: default-allow-policy
- name: LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS
value: "ClusterNetworks"
- name: LINKERD2_PROXY_CONTROL_LISTEN_ADDR
value: 0.0.0.0:4190
- name: LINKERD2_PROXY_ADMIN_LISTEN_ADDR

9
cli/cmd/testdata/install_proxy_ignores.golden generated vendored
View File

@ -1079,6 +1079,7 @@ data:
proxy:
await: true
capabilities: null
defaultInboundPolicy: ""
disableIdentity: false
enableExternalProfiles: false
image:
@ -1593,6 +1594,10 @@ spec:
value: localhost.:8090
- name: LINKERD2_PROXY_POLICY_WORKLOAD
value: "$(_pod_ns):$(_pod_name)"
- name: LINKERD2_PROXY_INBOUND_DEFAULT_POLICY
value: all-unauthenticated
- name: LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS
value: "10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16"
- name: LINKERD2_PROXY_INBOUND_CONNECT_TIMEOUT
value: "100ms"
- name: LINKERD2_PROXY_OUTBOUND_CONNECT_TIMEOUT
@ -1930,6 +1935,10 @@ spec:
value: linkerd-policy.linkerd.svc.cluster.local.:8090
- name: LINKERD2_PROXY_POLICY_WORKLOAD
value: "$(_pod_ns):$(_pod_name)"
- name: LINKERD2_PROXY_INBOUND_DEFAULT_POLICY
value: all-unauthenticated
- name: LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS
value: "10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16"
- name: LINKERD2_PROXY_INBOUND_CONNECT_TIMEOUT
value: "100ms"
- name: LINKERD2_PROXY_OUTBOUND_CONNECT_TIMEOUT

9
cli/cmd/testdata/install_values_file.golden generated vendored
View File

@ -1065,6 +1065,7 @@ data:
proxy:
await: true
capabilities: null
defaultInboundPolicy: ""
disableIdentity: false
enableExternalProfiles: false
image:
@ -1579,6 +1580,10 @@ spec:
value: localhost.:8090
- name: LINKERD2_PROXY_POLICY_WORKLOAD
value: "$(_pod_ns):$(_pod_name)"
- name: LINKERD2_PROXY_INBOUND_DEFAULT_POLICY
value: all-unauthenticated
- name: LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS
value: "10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16"
- name: LINKERD2_PROXY_INBOUND_CONNECT_TIMEOUT
value: "100ms"
- name: LINKERD2_PROXY_OUTBOUND_CONNECT_TIMEOUT
@ -1916,6 +1921,10 @@ spec:
value: linkerd-policy.l5d.svc.example.com.:8090
- name: LINKERD2_PROXY_POLICY_WORKLOAD
value: "$(_pod_ns):$(_pod_name)"
- name: LINKERD2_PROXY_INBOUND_DEFAULT_POLICY
value: all-unauthenticated
- name: LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS
value: "10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16"
- name: LINKERD2_PROXY_INBOUND_CONNECT_TIMEOUT
value: "100ms"
- name: LINKERD2_PROXY_OUTBOUND_CONNECT_TIMEOUT

8
controller/proxy-injector/fake/data/pod-with-debug.patch.json
View File

@ -156,6 +156,14 @@
"name": "LINKERD2_PROXY_POLICY_WORKLOAD",
"value": "$(_pod_ns):$(_pod_name)"
},
{
"name": "LINKERD2_PROXY_INBOUND_DEFAULT_POLICY",
"value": "all-unauthenticated"
},
{
"name": "LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS",
"value": "10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16"
},
{
"name": "LINKERD2_PROXY_INBOUND_CONNECT_TIMEOUT",
"value": "100ms"

8
controller/proxy-injector/fake/data/pod-with-ns-annotations.patch.json
View File

@ -156,6 +156,14 @@
"name": "LINKERD2_PROXY_POLICY_WORKLOAD",
"value": "$(_pod_ns):$(_pod_name)"
},
{
"name": "LINKERD2_PROXY_INBOUND_DEFAULT_POLICY",
"value": "all-unauthenticated"
},
{
"name": "LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS",
"value": "10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16"
},
{
"name": "LINKERD2_PROXY_INBOUND_CONNECT_TIMEOUT",
"value": "100ms"

8
controller/proxy-injector/fake/data/pod.patch.json
View File

@ -146,6 +146,14 @@
"name": "LINKERD2_PROXY_POLICY_WORKLOAD",
"value": "$(_pod_ns):$(_pod_name)"
},
{
"name": "LINKERD2_PROXY_INBOUND_DEFAULT_POLICY",
"value": "all-unauthenticated"
},
{
"name": "LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS",
"value": "10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16"
},
{
"name": "LINKERD2_PROXY_INBOUND_CONNECT_TIMEOUT",
"value": "100ms"

1
pkg/charts/linkerd2/values.go
View File

@ -111,6 +111,7 @@ type (
PodInboundPorts string `json:"podInboundPorts"`
OpaquePorts string `json:"opaquePorts"`
Await bool `json:"await"`
DefaultInboundPolicy string `json:"defaultInboundPolicy"`
}
// ProxyInit contains the fields to set the proxy-init container

9
pkg/inject/inject.go
View File

@ -66,6 +66,7 @@ var (
k8s.ProxyOutboundConnectTimeout,
k8s.ProxyInboundConnectTimeout,
k8s.ProxyAwait,
k8s.ProxyDefaultInboundPolicyAnnotation,
}
// ProxyAlphaConfigAnnotations is the list of all alpha configuration
// (config.alpha prefix) that can be applied to a pod or namespace.
@ -1009,6 +1010,14 @@ func (conf *ResourceConfig) applyAnnotationOverrides(values *l5dcharts.Values) {
log.Warnf("unrecognized value used for the %s annotation, valid values are: [%s, %s]", k8s.ProxyAwait, k8s.Enabled, k8s.Disabled)
}
}
if override, ok := annotations[k8s.ProxyDefaultInboundPolicyAnnotation]; ok {
if override != k8s.AllUnauthenticated && override != k8s.AllAuthenticated && override != k8s.ClusterUnauthenticated && override != k8s.ClusterAuthenticated && override != k8s.Deny {
log.Warnf("unrecognized value used for the %s annotation, valid values are: [%s, %s, %s, %s, %s]", k8s.ProxyDefaultInboundPolicyAnnotation, k8s.AllUnauthenticated, k8s.AllAuthenticated, k8s.ClusterUnauthenticated, k8s.ClusterAuthenticated, k8s.Deny)
} else {
values.Proxy.DefaultInboundPolicy = override
}
}
}
// GetOverriddenConfiguration returns a map of the overridden proxy annotations

21
pkg/k8s/labels.go
View File

@ -244,6 +244,10 @@ const (
// to be ready.
ProxyAwait = ProxyConfigAnnotationsPrefix + "/proxy-await"
// ProxyDefaultInboundPolicyAnnotation is used to configure the default
// inbound policy of the proxy
ProxyDefaultInboundPolicyAnnotation = ProxyConfigAnnotationsPrefix + "/default-inbound-policy"
// IdentityModeDefault is assigned to IdentityModeAnnotation to
// use the control plane's default identity scheme.
IdentityModeDefault = "default"
@ -252,6 +256,23 @@ const (
// disable the proxy from participating in automatic identity.
IdentityModeDisabled = Disabled
// AllUnauthenticated allows all unathenticated connections.
AllUnauthenticated = "all-unauthenticated"
// AllAuthenticated allows all authenticated connections.
AllAuthenticated = "all-authenticated"
// ClusterUnauthenticated allows all unauthenticated connections from
// within the cluster.
ClusterUnauthenticated = "cluster-unauthenticated"
// ClusterAuthenticated allows all authenticated connections from within
// the cluster.
ClusterAuthenticated = "cluster-authenticated"
// Deny denies all connections.
Deny = "deny"
/*
* Component Names
*/