Do not permit cluster networks to be overridden per-pod (#5111)

In #5110 the `global.proxy.destinationGetNetworks` configuration is renamed to `global.clusterNetworks` to better reflect its purpose. The `config.linkerd.io/proxy-destination-get-networks` annotation allows this configuration to be overridden per-workload, but there's no real use case for this. I don't think we want to support this value differing between pods in a cluster. No good can come of it. This change removes support for the `proxy-destination-get-networks` annotation.
2020-10-21 09:34:13 -07:00 · 2020-10-21 09:34:13 -07:00 · 25e49433fd
parent d22dda0917
commit 25e49433fd
5 changed files with 0 additions and 39 deletions
--- a/pkg/inject/inject.go
+++ b/pkg/inject/inject.go
@ -43,7 +43,6 @@ var (
 		k8s.ProxyAdminPortAnnotation,
 		k8s.ProxyControlPortAnnotation,
 		k8s.ProxyDisableIdentityAnnotation,
-		k8s.ProxyDestinationGetNetworks,
 		k8s.ProxyDisableTapAnnotation,
 		k8s.ProxyEnableDebugAnnotation,
 		k8s.ProxyEnableExternalProfilesAnnotation,
@ -747,10 +746,6 @@ func (conf *ResourceConfig) applyAnnotationOverrides(values *l5dcharts.Values) {
 		values.Global.Proxy.RequireIdentityOnInboundPorts = override
 	}

-	if override, ok := annotations[k8s.ProxyDestinationGetNetworks]; ok {
-		values.Global.ClusterNetworks = override
-	}
-
 	if override, ok := annotations[k8s.ProxyOutboundConnectTimeout]; ok {
 		duration, err := time.ParseDuration(override)
 		if err != nil {
--- a/pkg/inject/inject_test.go
+++ b/pkg/inject/inject_test.go
@ -62,7 +62,6 @@ func TestGetOverriddenValues(t *testing.T) {
 							k8s.ProxyTraceCollectorSvcAccountAnnotation:      "default",
 							k8s.ProxyWaitBeforeExitSecondsAnnotation:         "123",
 							k8s.ProxyRequireIdentityOnInboundPortsAnnotation: "8888,9999",
-							k8s.ProxyDestinationGetNetworks:                  "10.0.0.0/8",
 							k8s.ProxyOutboundConnectTimeout:                  "6000ms",
 							k8s.ProxyInboundConnectTimeout:                   "600ms",
 							k8s.ProxyOpaquePortsAnnotation:                   "4320-4325,3306",
@ -75,7 +74,6 @@ func TestGetOverriddenValues(t *testing.T) {
 				values, _ := l5dcharts.NewValues(false)

 				values.Global.Proxy.DisableIdentity = true
-				values.Global.ClusterNetworks = "10.0.0.0/8"
 				values.Global.Proxy.Image.Name = "ghcr.io/linkerd/proxy"
 				values.Global.Proxy.Image.PullPolicy = pullPolicy
 				values.Global.Proxy.Image.Version = proxyVersionOverride
@ -199,22 +197,6 @@ func TestGetOverriddenValues(t *testing.T) {
 				return values
 			},
 		},
-		{id: "use empty string for dst networks",
-			nsAnnotations: map[string]string{
-				k8s.ProxyDestinationGetNetworks: "",
-			},
-			spec: appsv1.DeploymentSpec{
-				Template: corev1.PodTemplateSpec{
-					ObjectMeta: metav1.ObjectMeta{},
-					Spec:       corev1.PodSpec{},
-				},
-			},
-			expected: func() *l5dcharts.Values {
-				values, _ := l5dcharts.NewValues(false)
-				values.Global.ClusterNetworks = ""
-				return values
-			},
-		},
 		{id: "use invalid duration for TCP connect timeouts",
 			nsAnnotations: map[string]string{
 				k8s.ProxyOutboundConnectTimeout: "6000",
--- a/pkg/k8s/labels.go
+++ b/pkg/k8s/labels.go
@ -202,10 +202,6 @@ const (
 	// to always require identity on inbound ports
 	ProxyRequireIdentityOnInboundPortsAnnotation = ProxyConfigAnnotationsPrefix + "/proxy-require-identity-inbound-ports"

-	// ProxyDestinationGetNetworks can be used to configure the proxy to do
-	// destination lookups on IP addresses from the specified network ranges
-	ProxyDestinationGetNetworks = ProxyConfigAnnotationsPrefix + "/proxy-destination-get-networks"
-
 	// ProxyOutboundConnectTimeout can be used to configure the outbound TCP connection
 	// timeout in the proxy
 	ProxyOutboundConnectTimeout = ProxyConfigAnnotationsPrefix + "/proxy-outbound-connect-timeout"
--- a/test/integration/inject/inject_test.go
+++ b/test/integration/inject/inject_test.go
@ -113,7 +113,6 @@ func TestInjectAutoParams(t *testing.T) {
 			AutoInject:               true,
 			AdminPort:                8888,
 			ControlPort:              8881,
-			DestinationGetNetworks:   "192.168.0.0/16",
 			DisableTap:               true,
 			EnableExternalProfiles:   true,
 			EnableDebug:              true,
--- a/testutil/inject_validator.go
+++ b/testutil/inject_validator.go
@ -25,7 +25,6 @@ type InjectValidator struct {
 	AutoInject               bool
 	AdminPort                int
 	ControlPort              int
-	DestinationGetNetworks   string
 	DisableTap               bool
 	EnableDebug              bool
 	EnableExternalProfiles   bool
@ -131,12 +130,6 @@ func (iv *InjectValidator) validateProxyContainer(pod *v1.PodSpec) error {
 		}
 	}

-	if iv.DestinationGetNetworks != "" {
-		if err := iv.validateEnvVar(proxyContainer, "LINKERD2_PROXY_DESTINATION_PROFILE_NETWORKS", iv.DestinationGetNetworks); err != nil {
-			return err
-		}
-	}
-
 	if iv.DisableTap {
 		if err := iv.validateEnvVar(proxyContainer, "LINKERD2_PROXY_TAP_DISABLED", enabled); err != nil {
 			return err
@ -435,10 +428,6 @@ func (iv *InjectValidator) GetFlagsAndAnnotations() ([]string, map[string]string
 		flags = append(flags, "--disable-identity")
 	}

-	if iv.DestinationGetNetworks != "" {
-		annotations[k8s.ProxyDestinationGetNetworks] = iv.DestinationGetNetworks
-	}
-
 	if iv.DisableTap {
 		annotations[k8s.ProxyDisableTapAnnotation] = enabled
 		flags = append(flags, "--disable-tap")