Do not permit cluster networks to be overridden per-pod (#5111)
In #5110 the `global.proxy.destinationGetNetworks` configuration is renamed to `global.clusterNetworks` to better reflect its purpose. The `config.linkerd.io/proxy-destination-get-networks` annotation allows this configuration to be overridden per-workload, but there's no real use case for this. I don't think we want to support this value differing between pods in a cluster. No good can come of it. This change removes support for the `proxy-destination-get-networks` annotation.
parent
d22dda0917
commit
25e49433fd
|
@ -43,7 +43,6 @@ var (
|
||||||
k8s.ProxyAdminPortAnnotation,
|
k8s.ProxyAdminPortAnnotation,
|
||||||
k8s.ProxyControlPortAnnotation,
|
k8s.ProxyControlPortAnnotation,
|
||||||
k8s.ProxyDisableIdentityAnnotation,
|
k8s.ProxyDisableIdentityAnnotation,
|
||||||
k8s.ProxyDestinationGetNetworks,
|
|
||||||
k8s.ProxyDisableTapAnnotation,
|
k8s.ProxyDisableTapAnnotation,
|
||||||
k8s.ProxyEnableDebugAnnotation,
|
k8s.ProxyEnableDebugAnnotation,
|
||||||
k8s.ProxyEnableExternalProfilesAnnotation,
|
k8s.ProxyEnableExternalProfilesAnnotation,
|
||||||
|
@ -747,10 +746,6 @@ func (conf *ResourceConfig) applyAnnotationOverrides(values *l5dcharts.Values) {
|
||||||
values.Global.Proxy.RequireIdentityOnInboundPorts = override
|
values.Global.Proxy.RequireIdentityOnInboundPorts = override
|
||||||
}
|
}
|
||||||
|
|
||||||
if override, ok := annotations[k8s.ProxyDestinationGetNetworks]; ok {
|
|
||||||
values.Global.ClusterNetworks = override
|
|
||||||
}
|
|
||||||
|
|
||||||
if override, ok := annotations[k8s.ProxyOutboundConnectTimeout]; ok {
|
if override, ok := annotations[k8s.ProxyOutboundConnectTimeout]; ok {
|
||||||
duration, err := time.ParseDuration(override)
|
duration, err := time.ParseDuration(override)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
|
|
|
@ -62,7 +62,6 @@ func TestGetOverriddenValues(t *testing.T) {
|
||||||
k8s.ProxyTraceCollectorSvcAccountAnnotation: "default",
|
k8s.ProxyTraceCollectorSvcAccountAnnotation: "default",
|
||||||
k8s.ProxyWaitBeforeExitSecondsAnnotation: "123",
|
k8s.ProxyWaitBeforeExitSecondsAnnotation: "123",
|
||||||
k8s.ProxyRequireIdentityOnInboundPortsAnnotation: "8888,9999",
|
k8s.ProxyRequireIdentityOnInboundPortsAnnotation: "8888,9999",
|
||||||
k8s.ProxyDestinationGetNetworks: "10.0.0.0/8",
|
|
||||||
k8s.ProxyOutboundConnectTimeout: "6000ms",
|
k8s.ProxyOutboundConnectTimeout: "6000ms",
|
||||||
k8s.ProxyInboundConnectTimeout: "600ms",
|
k8s.ProxyInboundConnectTimeout: "600ms",
|
||||||
k8s.ProxyOpaquePortsAnnotation: "4320-4325,3306",
|
k8s.ProxyOpaquePortsAnnotation: "4320-4325,3306",
|
||||||
|
@ -75,7 +74,6 @@ func TestGetOverriddenValues(t *testing.T) {
|
||||||
values, _ := l5dcharts.NewValues(false)
|
values, _ := l5dcharts.NewValues(false)
|
||||||
|
|
||||||
values.Global.Proxy.DisableIdentity = true
|
values.Global.Proxy.DisableIdentity = true
|
||||||
values.Global.ClusterNetworks = "10.0.0.0/8"
|
|
||||||
values.Global.Proxy.Image.Name = "ghcr.io/linkerd/proxy"
|
values.Global.Proxy.Image.Name = "ghcr.io/linkerd/proxy"
|
||||||
values.Global.Proxy.Image.PullPolicy = pullPolicy
|
values.Global.Proxy.Image.PullPolicy = pullPolicy
|
||||||
values.Global.Proxy.Image.Version = proxyVersionOverride
|
values.Global.Proxy.Image.Version = proxyVersionOverride
|
||||||
|
@ -199,22 +197,6 @@ func TestGetOverriddenValues(t *testing.T) {
|
||||||
return values
|
return values
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
{id: "use empty string for dst networks",
|
|
||||||
nsAnnotations: map[string]string{
|
|
||||||
k8s.ProxyDestinationGetNetworks: "",
|
|
||||||
},
|
|
||||||
spec: appsv1.DeploymentSpec{
|
|
||||||
Template: corev1.PodTemplateSpec{
|
|
||||||
ObjectMeta: metav1.ObjectMeta{},
|
|
||||||
Spec: corev1.PodSpec{},
|
|
||||||
},
|
|
||||||
},
|
|
||||||
expected: func() *l5dcharts.Values {
|
|
||||||
values, _ := l5dcharts.NewValues(false)
|
|
||||||
values.Global.ClusterNetworks = ""
|
|
||||||
return values
|
|
||||||
},
|
|
||||||
},
|
|
||||||
{id: "use invalid duration for TCP connect timeouts",
|
{id: "use invalid duration for TCP connect timeouts",
|
||||||
nsAnnotations: map[string]string{
|
nsAnnotations: map[string]string{
|
||||||
k8s.ProxyOutboundConnectTimeout: "6000",
|
k8s.ProxyOutboundConnectTimeout: "6000",
|
||||||
|
|
|
@ -202,10 +202,6 @@ const (
|
||||||
// to always require identity on inbound ports
|
// to always require identity on inbound ports
|
||||||
ProxyRequireIdentityOnInboundPortsAnnotation = ProxyConfigAnnotationsPrefix + "/proxy-require-identity-inbound-ports"
|
ProxyRequireIdentityOnInboundPortsAnnotation = ProxyConfigAnnotationsPrefix + "/proxy-require-identity-inbound-ports"
|
||||||
|
|
||||||
// ProxyDestinationGetNetworks can be used to configure the proxy to do
|
|
||||||
// destination lookups on IP addresses from the specified network ranges
|
|
||||||
ProxyDestinationGetNetworks = ProxyConfigAnnotationsPrefix + "/proxy-destination-get-networks"
|
|
||||||
|
|
||||||
// ProxyOutboundConnectTimeout can be used to configure the outbound TCP connection
|
// ProxyOutboundConnectTimeout can be used to configure the outbound TCP connection
|
||||||
// timeout in the proxy
|
// timeout in the proxy
|
||||||
ProxyOutboundConnectTimeout = ProxyConfigAnnotationsPrefix + "/proxy-outbound-connect-timeout"
|
ProxyOutboundConnectTimeout = ProxyConfigAnnotationsPrefix + "/proxy-outbound-connect-timeout"
|
||||||
|
|
|
@ -113,7 +113,6 @@ func TestInjectAutoParams(t *testing.T) {
|
||||||
AutoInject: true,
|
AutoInject: true,
|
||||||
AdminPort: 8888,
|
AdminPort: 8888,
|
||||||
ControlPort: 8881,
|
ControlPort: 8881,
|
||||||
DestinationGetNetworks: "192.168.0.0/16",
|
|
||||||
DisableTap: true,
|
DisableTap: true,
|
||||||
EnableExternalProfiles: true,
|
EnableExternalProfiles: true,
|
||||||
EnableDebug: true,
|
EnableDebug: true,
|
||||||
|
|
|
@ -25,7 +25,6 @@ type InjectValidator struct {
|
||||||
AutoInject bool
|
AutoInject bool
|
||||||
AdminPort int
|
AdminPort int
|
||||||
ControlPort int
|
ControlPort int
|
||||||
DestinationGetNetworks string
|
|
||||||
DisableTap bool
|
DisableTap bool
|
||||||
EnableDebug bool
|
EnableDebug bool
|
||||||
EnableExternalProfiles bool
|
EnableExternalProfiles bool
|
||||||
|
@ -131,12 +130,6 @@ func (iv *InjectValidator) validateProxyContainer(pod *v1.PodSpec) error {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
if iv.DestinationGetNetworks != "" {
|
|
||||||
if err := iv.validateEnvVar(proxyContainer, "LINKERD2_PROXY_DESTINATION_PROFILE_NETWORKS", iv.DestinationGetNetworks); err != nil {
|
|
||||||
return err
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
if iv.DisableTap {
|
if iv.DisableTap {
|
||||||
if err := iv.validateEnvVar(proxyContainer, "LINKERD2_PROXY_TAP_DISABLED", enabled); err != nil {
|
if err := iv.validateEnvVar(proxyContainer, "LINKERD2_PROXY_TAP_DISABLED", enabled); err != nil {
|
||||||
return err
|
return err
|
||||||
|
@ -435,10 +428,6 @@ func (iv *InjectValidator) GetFlagsAndAnnotations() ([]string, map[string]string
|
||||||
flags = append(flags, "--disable-identity")
|
flags = append(flags, "--disable-identity")
|
||||||
}
|
}
|
||||||
|
|
||||||
if iv.DestinationGetNetworks != "" {
|
|
||||||
annotations[k8s.ProxyDestinationGetNetworks] = iv.DestinationGetNetworks
|
|
||||||
}
|
|
||||||
|
|
||||||
if iv.DisableTap {
|
if iv.DisableTap {
|
||||||
annotations[k8s.ProxyDisableTapAnnotation] = enabled
|
annotations[k8s.ProxyDisableTapAnnotation] = enabled
|
||||||
flags = append(flags, "--disable-tap")
|
flags = append(flags, "--disable-tap")
|
||||||
|
|