convert ServerAuthorizations to AuthorizationPolicies (#10079)

The Linkerd extension charts use ServerAuthorization resources. AuthorizationPolicy is now the recommended resource, to be used instead of ServerAuthorization. We replace all of the ServerAuthorization resources in the Linkerd extension charts with AuthorizationPolicy resources.

Signed-off-by: Alex Leong <alex@buoyant.io>
Alex Leong 2023-01-11 15:07:15 -08:00 committed by GitHub
parent cb0f9eb7a9
commit 52fb2c6750
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
10 changed files with 852 additions and 431 deletions


@ -18,27 +18,8 @@ spec:
port: jaeger-injector
proxyProtocol: TLS
---
apiVersion: policy.linkerd.io/v1beta1
kind: Server
metadata:
namespace: {{ .Release.Namespace }}
name: jaeger-injector-admin
labels:
linkerd.io/extension: jaeger
component: jaeger-injector
{{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }}
annotations:
{{ include "partials.annotations.created-by" . }}
spec:
podSelector:
matchLabels:
linkerd.io/extension: jaeger
component: jaeger-injector
port: admin-http
proxyProtocol: HTTP/1
---
apiVersion: policy.linkerd.io/v1beta1
kind: ServerAuthorization
apiVersion: policy.linkerd.io/v1alpha1
kind: AuthorizationPolicy
metadata:
namespace: {{ .Release.Namespace }}
name: jaeger-injector
@ -49,11 +30,28 @@ metadata:
annotations:
{{ include "partials.annotations.created-by" . }}
spec:
server:
selector:
matchLabels:
linkerd.io/extension: jaeger
component: jaeger-injector
client:
# traffic coming from the kubelet and from kube-api
unauthenticated: true
targetRef:
group: policy.linkerd.io
kind: Server
name: jaeger-injector-webhook
requiredAuthenticationRefs:
- group: policy.linkerd.io
kind: NetworkAuthentication
name: kube-api-server
---
apiVersion: policy.linkerd.io/v1alpha1
kind: NetworkAuthentication
metadata:
namespace: {{ .Release.Namespace }}
name: kube-api-server
labels:
linkerd.io/extension: viz
{{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }}
annotations:
{{ include "partials.annotations.created-by" . }}
spec:
# Ideally, this should be restricted to the actual set of IPs the kube-api
# server uses for webhooks in a cluster. This can't easily be discovered.
networks:
- cidr: "0.0.0.0/0"
- cidr: "::/0"
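Review bot: The `kube-api-server` NetworkAuthentication added at the end of this hunk is labelled `linkerd.io/extension: viz` although it lives in the jaeger chart; every sibling resource in this file carries `linkerd.io/extension: jaeger`. If the extension `uninstall` commands select resources by that label, as the other objects here suggest, this policy would be left behind by `linkerd jaeger uninstall` and removed by `linkerd viz uninstall`, silently dropping the webhook's only authorization; change it to `linkerd.io/extension: jaeger` and consider adding `component: jaeger-injector` to match its neighbours. Separately, the hunk also deletes the `jaeger-injector-admin` Server, so the admin-http port is no longer explicitly authorized and presumably falls back to the namespace or cluster default inbound policy — that goes beyond the "convert ServerAuthorizations" description and deserves a sentence there, plus a check that kubelet probes still reach the port under a `deny` default.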


@ -122,11 +122,11 @@ spec:
port: 13133
proxyProtocol: HTTP/1
---
apiVersion: policy.linkerd.io/v1beta1
kind: ServerAuthorization
apiVersion: policy.linkerd.io/v1alpha1
kind: AuthorizationPolicy
metadata:
namespace: {{ .Release.Namespace }}
name: collector
name: collector-otlp
labels:
linkerd.io/extension: jaeger
component: collector
@ -134,16 +134,107 @@ metadata:
annotations:
{{ include "partials.annotations.created-by" . }}
spec:
server:
selector:
matchLabels:
linkerd.io/extension: jaeger
component: collector
client:
# allow connections from any pod (meshed or not) sending trace data
unauthenticated: true
{{ end -}}
{{ if .Values.jaeger.enabled -}}
targetRef:
group: policy.linkerd.io
kind: Server
name: collector-otlp
# allow connections from any pod (meshed or not) sending trace data
requiredAuthenticationRefs: []
---
apiVersion: policy.linkerd.io/v1alpha1
kind: AuthorizationPolicy
metadata:
namespace: {{ .Release.Namespace }}
name: collector-otlp-http
labels:
linkerd.io/extension: jaeger
component: collector
{{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }}
annotations:
{{ include "partials.annotations.created-by" . }}
spec:
targetRef:
group: policy.linkerd.io
kind: Server
name: collector-otlp-http
# allow connections from any pod (meshed or not) sending trace data
requiredAuthenticationRefs: []
---
apiVersion: policy.linkerd.io/v1alpha1
kind: AuthorizationPolicy
metadata:
namespace: {{ .Release.Namespace }}
name: collector-opencensus
labels:
linkerd.io/extension: jaeger
component: collector
{{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }}
annotations:
{{ include "partials.annotations.created-by" . }}
spec:
targetRef:
group: policy.linkerd.io
kind: Server
name: collector-opencensus
# allow connections from any pod (meshed or not) sending trace data
requiredAuthenticationRefs: []
---
apiVersion: policy.linkerd.io/v1alpha1
kind: AuthorizationPolicy
metadata:
namespace: {{ .Release.Namespace }}
name: collector-zipkin
labels:
linkerd.io/extension: jaeger
component: collector
{{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }}
annotations:
{{ include "partials.annotations.created-by" . }}
spec:
targetRef:
group: policy.linkerd.io
kind: Server
name: collector-zipkin
# allow connections from any pod (meshed or not) sending trace data
requiredAuthenticationRefs: []
---
apiVersion: policy.linkerd.io/v1alpha1
kind: AuthorizationPolicy
metadata:
namespace: {{ .Release.Namespace }}
name: collector-jaeger-thrift
labels:
linkerd.io/extension: jaeger
component: collector
{{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }}
annotations:
{{ include "partials.annotations.created-by" . }}
spec:
targetRef:
group: policy.linkerd.io
kind: Server
name: collector-jaeger-thrift
# allow connections from any pod (meshed or not) sending trace data
requiredAuthenticationRefs: []
---
apiVersion: policy.linkerd.io/v1alpha1
kind: AuthorizationPolicy
metadata:
namespace: {{ .Release.Namespace }}
name: collector-jaeger-grpc
labels:
linkerd.io/extension: jaeger
component: collector
{{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }}
annotations:
{{ include "partials.annotations.created-by" . }}
spec:
targetRef:
group: policy.linkerd.io
kind: Server
name: collector-jaeger-grpc
# allow connections from any pod (meshed or not) sending trace data
requiredAuthenticationRefs: []
---
apiVersion: policy.linkerd.io/v1beta1
kind: Server
@ -163,8 +254,8 @@ spec:
port: grpc
proxyProtocol: gRPC
---
apiVersion: policy.linkerd.io/v1beta1
kind: ServerAuthorization
apiVersion: policy.linkerd.io/v1alpha1
kind: AuthorizationPolicy
metadata:
namespace: {{ .Release.Namespace }}
name: jaeger-grpc
@ -175,12 +266,14 @@ metadata:
annotations:
{{ include "partials.annotations.created-by" . }}
spec:
server:
targetRef:
group: policy.linkerd.io
kind: Server
name: jaeger-grpc
client:
meshTLS:
serviceAccounts:
- name: collector
requiredAuthenticationRefs:
- kind: ServiceAccount
name: collector
namespace: {{.Release.Namespace}}
---
apiVersion: policy.linkerd.io/v1beta1
kind: Server
@ -200,8 +293,8 @@ spec:
port: admin
proxyProtocol: HTTP/1
---
apiVersion: policy.linkerd.io/v1beta1
kind: ServerAuthorization
apiVersion: policy.linkerd.io/v1alpha1
kind: AuthorizationPolicy
metadata:
namespace: {{ .Release.Namespace }}
name: jaeger-admin
@ -212,14 +305,15 @@ metadata:
annotations:
{{ include "partials.annotations.created-by" . }}
spec:
server:
targetRef:
group: policy.linkerd.io
kind: Server
name: jaeger-admin
client:
meshTLS:
serviceAccounts:
# if not using linkerd-viz' prometheus, replace its SA here
- name: prometheus
namespace: linkerd-viz
requiredAuthenticationRefs:
# if not using linkerd-viz' prometheus, replace its SA here
- kind: ServiceAccount
name: prometheus
namespace: linkerd-viz
---
apiVersion: policy.linkerd.io/v1beta1
kind: Server
@ -239,8 +333,8 @@ spec:
port: ui
proxyProtocol: HTTP/1
---
apiVersion: policy.linkerd.io/v1beta1
kind: ServerAuthorization
apiVersion: policy.linkerd.io/v1alpha1
kind: AuthorizationPolicy
metadata:
namespace: {{ .Release.Namespace }}
name: jaeger-ui
@ -251,12 +345,13 @@ metadata:
annotations:
{{ include "partials.annotations.created-by" . }}
spec:
server:
targetRef:
group: policy.linkerd.io
kind: Server
name: jaeger-ui
client:
meshTLS:
serviceAccounts:
# for the optional dashboard integration
- name: web
namespace: linkerd-viz
requiredAuthenticationRefs:
# for the optional dashboard integration
- kind: ServiceAccount
name: web
namespace: linkerd-viz
{{ end -}}
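Review bot: The second hunk removes the old `{{ end -}}` / `{{ if .Values.jaeger.enabled -}}` pair that separated the collector resources from the jaeger ones and never re-adds it on the new side, so the `jaeger-grpc`, `jaeger-admin` and `jaeger-ui` Servers and AuthorizationPolicies now render under `.Values.collector.enabled`, and the final `{{ end -}}` closes that condition instead. With the collector disabled and Jaeger enabled, the Jaeger pod is therefore shipped with no Server or AuthorizationPolicy at all — its grpc, admin and ui ports drop to the default inbound policy instead of being restricted to the collector, Prometheus and web identities — while with Jaeger disabled the chart emits policies for a deployment that does not exist; the regenerated golden files in this commit appear to show exactly both effects. Re-insert the two lines directly after the `collector-jaeger-grpc` AuthorizationPolicy: `{{ end -}}` followed by `{{ if .Values.jaeger.enabled -}}`.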


@ -122,26 +122,8 @@ spec:
port: jaeger-injector
proxyProtocol: TLS
---
apiVersion: policy.linkerd.io/v1beta1
kind: Server
metadata:
namespace: linkerd-jaeger
name: jaeger-injector-admin
labels:
linkerd.io/extension: jaeger
component: jaeger-injector
annotations:
linkerd.io/created-by: linkerd/helm dev-undefined
spec:
podSelector:
matchLabels:
linkerd.io/extension: jaeger
component: jaeger-injector
port: admin-http
proxyProtocol: HTTP/1
---
apiVersion: policy.linkerd.io/v1beta1
kind: ServerAuthorization
apiVersion: policy.linkerd.io/v1alpha1
kind: AuthorizationPolicy
metadata:
namespace: linkerd-jaeger
name: jaeger-injector
@ -151,14 +133,30 @@ metadata:
annotations:
linkerd.io/created-by: linkerd/helm dev-undefined
spec:
server:
selector:
matchLabels:
linkerd.io/extension: jaeger
component: jaeger-injector
client:
# traffic coming from the kubelet and from kube-api
unauthenticated: true
targetRef:
group: policy.linkerd.io
kind: Server
name: jaeger-injector-webhook
requiredAuthenticationRefs:
- group: policy.linkerd.io
kind: NetworkAuthentication
name: kube-api-server
---
apiVersion: policy.linkerd.io/v1alpha1
kind: NetworkAuthentication
metadata:
namespace: linkerd-jaeger
name: kube-api-server
labels:
linkerd.io/extension: viz
annotations:
linkerd.io/created-by: linkerd/helm dev-undefined
spec:
# Ideally, this should be restricted to the actual set of IPs the kubelet API
# server uses for webhooks in a cluster. This can't easily be discovered.
networks:
- cidr: "0.0.0.0/0"
- cidr: "::/0"
---
###
### Jaeger Injector RBAC
@ -309,112 +307,3 @@ spec:
type: RuntimeDefault
dnsPolicy: ClusterFirst
serviceAccountName: jaeger
---
apiVersion: policy.linkerd.io/v1beta1
kind: Server
metadata:
namespace: linkerd-jaeger
name: jaeger-grpc
labels:
linkerd.io/extension: jaeger
component: jaeger
annotations:
linkerd.io/created-by: linkerd/helm dev-undefined
spec:
podSelector:
matchLabels:
component: jaeger
port: grpc
proxyProtocol: gRPC
---
apiVersion: policy.linkerd.io/v1beta1
kind: ServerAuthorization
metadata:
namespace: linkerd-jaeger
name: jaeger-grpc
labels:
linkerd.io/extension: jaeger
component: jaeger
annotations:
linkerd.io/created-by: linkerd/helm dev-undefined
spec:
server:
name: jaeger-grpc
client:
meshTLS:
serviceAccounts:
- name: collector
---
apiVersion: policy.linkerd.io/v1beta1
kind: Server
metadata:
namespace: linkerd-jaeger
name: jaeger-admin
labels:
linkerd.io/extension: jaeger
component: jaeger
annotations:
linkerd.io/created-by: linkerd/helm dev-undefined
spec:
podSelector:
matchLabels:
component: jaeger
port: admin
proxyProtocol: HTTP/1
---
apiVersion: policy.linkerd.io/v1beta1
kind: ServerAuthorization
metadata:
namespace: linkerd-jaeger
name: jaeger-admin
labels:
linkerd.io/extension: jaeger
component: jaeger
annotations:
linkerd.io/created-by: linkerd/helm dev-undefined
spec:
server:
name: jaeger-admin
client:
meshTLS:
serviceAccounts:
# if not using linkerd-viz' prometheus, replace its SA here
- name: prometheus
namespace: linkerd-viz
---
apiVersion: policy.linkerd.io/v1beta1
kind: Server
metadata:
namespace: linkerd-jaeger
name: jaeger-ui
labels:
linkerd.io/extension: jaeger
component: jaeger
annotations:
linkerd.io/created-by: linkerd/helm dev-undefined
spec:
podSelector:
matchLabels:
component: jaeger
port: ui
proxyProtocol: HTTP/1
---
apiVersion: policy.linkerd.io/v1beta1
kind: ServerAuthorization
metadata:
namespace: linkerd-jaeger
name: jaeger-ui
labels:
linkerd.io/extension: jaeger
component: jaeger
annotations:
linkerd.io/created-by: linkerd/helm dev-undefined
spec:
server:
name: jaeger-ui
client:
meshTLS:
serviceAccounts:
# for the optional dashboard integration
- name: web
namespace: linkerd-viz


@ -122,26 +122,8 @@ spec:
port: jaeger-injector
proxyProtocol: TLS
---
apiVersion: policy.linkerd.io/v1beta1
kind: Server
metadata:
namespace: linkerd-jaeger
name: jaeger-injector-admin
labels:
linkerd.io/extension: jaeger
component: jaeger-injector
annotations:
linkerd.io/created-by: linkerd/helm dev-undefined
spec:
podSelector:
matchLabels:
linkerd.io/extension: jaeger
component: jaeger-injector
port: admin-http
proxyProtocol: HTTP/1
---
apiVersion: policy.linkerd.io/v1beta1
kind: ServerAuthorization
apiVersion: policy.linkerd.io/v1alpha1
kind: AuthorizationPolicy
metadata:
namespace: linkerd-jaeger
name: jaeger-injector
@ -151,14 +133,30 @@ metadata:
annotations:
linkerd.io/created-by: linkerd/helm dev-undefined
spec:
server:
selector:
matchLabels:
linkerd.io/extension: jaeger
component: jaeger-injector
client:
# traffic coming from the kubelet and from kube-api
unauthenticated: true
targetRef:
group: policy.linkerd.io
kind: Server
name: jaeger-injector-webhook
requiredAuthenticationRefs:
- group: policy.linkerd.io
kind: NetworkAuthentication
name: kube-api-server
---
apiVersion: policy.linkerd.io/v1alpha1
kind: NetworkAuthentication
metadata:
namespace: linkerd-jaeger
name: kube-api-server
labels:
linkerd.io/extension: viz
annotations:
linkerd.io/created-by: linkerd/helm dev-undefined
spec:
# Ideally, this should be restricted to the actual set of IPs the kubelet API
# server uses for webhooks in a cluster. This can't easily be discovered.
networks:
- cidr: "0.0.0.0/0"
- cidr: "::/0"
---
###
### collector RBAC
@ -602,25 +600,113 @@ spec:
port: 13133
proxyProtocol: HTTP/1
---
apiVersion: policy.linkerd.io/v1beta1
kind: ServerAuthorization
apiVersion: policy.linkerd.io/v1alpha1
kind: AuthorizationPolicy
metadata:
namespace: linkerd-jaeger
name: collector
name: collector-otlp
labels:
linkerd.io/extension: jaeger
component: collector
annotations:
linkerd.io/created-by: linkerd/helm dev-undefined
spec:
server:
selector:
matchLabels:
linkerd.io/extension: jaeger
component: collector
client:
# allow connections from any pod (meshed or not) sending trace data
unauthenticated: true
targetRef:
group: policy.linkerd.io
kind: Server
name: collector-otlp
# allow connections from any pod (meshed or not) sending trace data
requiredAuthenticationRefs: []
---
apiVersion: policy.linkerd.io/v1alpha1
kind: AuthorizationPolicy
metadata:
namespace: linkerd-jaeger
name: collector-otlp-http
labels:
linkerd.io/extension: jaeger
component: collector
annotations:
linkerd.io/created-by: linkerd/helm dev-undefined
spec:
targetRef:
group: policy.linkerd.io
kind: Server
name: collector-otlp-http
# allow connections from any pod (meshed or not) sending trace data
requiredAuthenticationRefs: []
---
apiVersion: policy.linkerd.io/v1alpha1
kind: AuthorizationPolicy
metadata:
namespace: linkerd-jaeger
name: collector-opencensus
labels:
linkerd.io/extension: jaeger
component: collector
annotations:
linkerd.io/created-by: linkerd/helm dev-undefined
spec:
targetRef:
group: policy.linkerd.io
kind: Server
name: collector-opencensus
# allow connections from any pod (meshed or not) sending trace data
requiredAuthenticationRefs: []
---
apiVersion: policy.linkerd.io/v1alpha1
kind: AuthorizationPolicy
metadata:
namespace: linkerd-jaeger
name: collector-zipkin
labels:
linkerd.io/extension: jaeger
component: collector
annotations:
linkerd.io/created-by: linkerd/helm dev-undefined
spec:
targetRef:
group: policy.linkerd.io
kind: Server
name: collector-zipkin
# allow connections from any pod (meshed or not) sending trace data
requiredAuthenticationRefs: []
---
apiVersion: policy.linkerd.io/v1alpha1
kind: AuthorizationPolicy
metadata:
namespace: linkerd-jaeger
name: collector-jaeger-thrift
labels:
linkerd.io/extension: jaeger
component: collector
annotations:
linkerd.io/created-by: linkerd/helm dev-undefined
spec:
targetRef:
group: policy.linkerd.io
kind: Server
name: collector-jaeger-thrift
# allow connections from any pod (meshed or not) sending trace data
requiredAuthenticationRefs: []
---
apiVersion: policy.linkerd.io/v1alpha1
kind: AuthorizationPolicy
metadata:
namespace: linkerd-jaeger
name: collector-jaeger-grpc
labels:
linkerd.io/extension: jaeger
component: collector
annotations:
linkerd.io/created-by: linkerd/helm dev-undefined
spec:
targetRef:
group: policy.linkerd.io
kind: Server
name: collector-jaeger-grpc
# allow connections from any pod (meshed or not) sending trace data
requiredAuthenticationRefs: []
---
apiVersion: policy.linkerd.io/v1beta1
kind: Server
@ -639,8 +725,8 @@ spec:
port: grpc
proxyProtocol: gRPC
---
apiVersion: policy.linkerd.io/v1beta1
kind: ServerAuthorization
apiVersion: policy.linkerd.io/v1alpha1
kind: AuthorizationPolicy
metadata:
namespace: linkerd-jaeger
name: jaeger-grpc
@ -650,12 +736,14 @@ metadata:
annotations:
linkerd.io/created-by: linkerd/helm dev-undefined
spec:
server:
targetRef:
group: policy.linkerd.io
kind: Server
name: jaeger-grpc
client:
meshTLS:
serviceAccounts:
- name: collector
requiredAuthenticationRefs:
- kind: ServiceAccount
name: collector
namespace: linkerd-jaeger
---
apiVersion: policy.linkerd.io/v1beta1
kind: Server
@ -674,8 +762,8 @@ spec:
port: admin
proxyProtocol: HTTP/1
---
apiVersion: policy.linkerd.io/v1beta1
kind: ServerAuthorization
apiVersion: policy.linkerd.io/v1alpha1
kind: AuthorizationPolicy
metadata:
namespace: linkerd-jaeger
name: jaeger-admin
@ -685,14 +773,15 @@ metadata:
annotations:
linkerd.io/created-by: linkerd/helm dev-undefined
spec:
server:
targetRef:
group: policy.linkerd.io
kind: Server
name: jaeger-admin
client:
meshTLS:
serviceAccounts:
# if not using linkerd-viz' prometheus, replace its SA here
- name: prometheus
namespace: linkerd-viz
requiredAuthenticationRefs:
# if not using linkerd-viz' prometheus, replace its SA here
- kind: ServiceAccount
name: prometheus
namespace: linkerd-viz
---
apiVersion: policy.linkerd.io/v1beta1
kind: Server
@ -711,8 +800,8 @@ spec:
port: ui
proxyProtocol: HTTP/1
---
apiVersion: policy.linkerd.io/v1beta1
kind: ServerAuthorization
apiVersion: policy.linkerd.io/v1alpha1
kind: AuthorizationPolicy
metadata:
namespace: linkerd-jaeger
name: jaeger-ui
@ -722,11 +811,12 @@ metadata:
annotations:
linkerd.io/created-by: linkerd/helm dev-undefined
spec:
server:
targetRef:
group: policy.linkerd.io
kind: Server
name: jaeger-ui
client:
meshTLS:
serviceAccounts:
# for the optional dashboard integration
- name: web
namespace: linkerd-viz
requiredAuthenticationRefs:
# for the optional dashboard integration
- kind: ServiceAccount
name: web
namespace: linkerd-viz


@ -122,26 +122,8 @@ spec:
port: jaeger-injector
proxyProtocol: TLS
---
apiVersion: policy.linkerd.io/v1beta1
kind: Server
metadata:
namespace: linkerd-jaeger
name: jaeger-injector-admin
labels:
linkerd.io/extension: jaeger
component: jaeger-injector
annotations:
linkerd.io/created-by: linkerd/helm dev-undefined
spec:
podSelector:
matchLabels:
linkerd.io/extension: jaeger
component: jaeger-injector
port: admin-http
proxyProtocol: HTTP/1
---
apiVersion: policy.linkerd.io/v1beta1
kind: ServerAuthorization
apiVersion: policy.linkerd.io/v1alpha1
kind: AuthorizationPolicy
metadata:
namespace: linkerd-jaeger
name: jaeger-injector
@ -151,14 +133,30 @@ metadata:
annotations:
linkerd.io/created-by: linkerd/helm dev-undefined
spec:
server:
selector:
matchLabels:
linkerd.io/extension: jaeger
component: jaeger-injector
client:
# traffic coming from the kubelet and from kube-api
unauthenticated: true
targetRef:
group: policy.linkerd.io
kind: Server
name: jaeger-injector-webhook
requiredAuthenticationRefs:
- group: policy.linkerd.io
kind: NetworkAuthentication
name: kube-api-server
---
apiVersion: policy.linkerd.io/v1alpha1
kind: NetworkAuthentication
metadata:
namespace: linkerd-jaeger
name: kube-api-server
labels:
linkerd.io/extension: viz
annotations:
linkerd.io/created-by: linkerd/helm dev-undefined
spec:
# Ideally, this should be restricted to the actual set of IPs the kubelet API
# server uses for webhooks in a cluster. This can't easily be discovered.
networks:
- cidr: "0.0.0.0/0"
- cidr: "::/0"
---
###
### collector RBAC
@ -512,22 +510,223 @@ spec:
port: 13133
proxyProtocol: HTTP/1
---
apiVersion: policy.linkerd.io/v1beta1
kind: ServerAuthorization
apiVersion: policy.linkerd.io/v1alpha1
kind: AuthorizationPolicy
metadata:
namespace: linkerd-jaeger
name: collector
name: collector-otlp
labels:
linkerd.io/extension: jaeger
component: collector
annotations:
linkerd.io/created-by: linkerd/helm dev-undefined
spec:
server:
selector:
matchLabels:
linkerd.io/extension: jaeger
component: collector
client:
# allow connections from any pod (meshed or not) sending trace data
unauthenticated: true
targetRef:
group: policy.linkerd.io
kind: Server
name: collector-otlp
# allow connections from any pod (meshed or not) sending trace data
requiredAuthenticationRefs: []
---
apiVersion: policy.linkerd.io/v1alpha1
kind: AuthorizationPolicy
metadata:
namespace: linkerd-jaeger
name: collector-otlp-http
labels:
linkerd.io/extension: jaeger
component: collector
annotations:
linkerd.io/created-by: linkerd/helm dev-undefined
spec:
targetRef:
group: policy.linkerd.io
kind: Server
name: collector-otlp-http
# allow connections from any pod (meshed or not) sending trace data
requiredAuthenticationRefs: []
---
apiVersion: policy.linkerd.io/v1alpha1
kind: AuthorizationPolicy
metadata:
namespace: linkerd-jaeger
name: collector-opencensus
labels:
linkerd.io/extension: jaeger
component: collector
annotations:
linkerd.io/created-by: linkerd/helm dev-undefined
spec:
targetRef:
group: policy.linkerd.io
kind: Server
name: collector-opencensus
# allow connections from any pod (meshed or not) sending trace data
requiredAuthenticationRefs: []
---
apiVersion: policy.linkerd.io/v1alpha1
kind: AuthorizationPolicy
metadata:
namespace: linkerd-jaeger
name: collector-zipkin
labels:
linkerd.io/extension: jaeger
component: collector
annotations:
linkerd.io/created-by: linkerd/helm dev-undefined
spec:
targetRef:
group: policy.linkerd.io
kind: Server
name: collector-zipkin
# allow connections from any pod (meshed or not) sending trace data
requiredAuthenticationRefs: []
---
apiVersion: policy.linkerd.io/v1alpha1
kind: AuthorizationPolicy
metadata:
namespace: linkerd-jaeger
name: collector-jaeger-thrift
labels:
linkerd.io/extension: jaeger
component: collector
annotations:
linkerd.io/created-by: linkerd/helm dev-undefined
spec:
targetRef:
group: policy.linkerd.io
kind: Server
name: collector-jaeger-thrift
# allow connections from any pod (meshed or not) sending trace data
requiredAuthenticationRefs: []
---
apiVersion: policy.linkerd.io/v1alpha1
kind: AuthorizationPolicy
metadata:
namespace: linkerd-jaeger
name: collector-jaeger-grpc
labels:
linkerd.io/extension: jaeger
component: collector
annotations:
linkerd.io/created-by: linkerd/helm dev-undefined
spec:
targetRef:
group: policy.linkerd.io
kind: Server
name: collector-jaeger-grpc
# allow connections from any pod (meshed or not) sending trace data
requiredAuthenticationRefs: []
---
apiVersion: policy.linkerd.io/v1beta1
kind: Server
metadata:
namespace: linkerd-jaeger
name: jaeger-grpc
labels:
linkerd.io/extension: jaeger
component: jaeger
annotations:
linkerd.io/created-by: linkerd/helm dev-undefined
spec:
podSelector:
matchLabels:
component: jaeger
port: grpc
proxyProtocol: gRPC
---
apiVersion: policy.linkerd.io/v1alpha1
kind: AuthorizationPolicy
metadata:
namespace: linkerd-jaeger
name: jaeger-grpc
labels:
linkerd.io/extension: jaeger
component: jaeger
annotations:
linkerd.io/created-by: linkerd/helm dev-undefined
spec:
targetRef:
group: policy.linkerd.io
kind: Server
name: jaeger-grpc
requiredAuthenticationRefs:
- kind: ServiceAccount
name: collector
namespace: linkerd-jaeger
---
apiVersion: policy.linkerd.io/v1beta1
kind: Server
metadata:
namespace: linkerd-jaeger
name: jaeger-admin
labels:
linkerd.io/extension: jaeger
component: jaeger
annotations:
linkerd.io/created-by: linkerd/helm dev-undefined
spec:
podSelector:
matchLabels:
component: jaeger
port: admin
proxyProtocol: HTTP/1
---
apiVersion: policy.linkerd.io/v1alpha1
kind: AuthorizationPolicy
metadata:
namespace: linkerd-jaeger
name: jaeger-admin
labels:
linkerd.io/extension: jaeger
component: jaeger
annotations:
linkerd.io/created-by: linkerd/helm dev-undefined
spec:
targetRef:
group: policy.linkerd.io
kind: Server
name: jaeger-admin
requiredAuthenticationRefs:
# if not using linkerd-viz' prometheus, replace its SA here
- kind: ServiceAccount
name: prometheus
namespace: linkerd-viz
---
apiVersion: policy.linkerd.io/v1beta1
kind: Server
metadata:
namespace: linkerd-jaeger
name: jaeger-ui
labels:
linkerd.io/extension: jaeger
component: jaeger
annotations:
linkerd.io/created-by: linkerd/helm dev-undefined
spec:
podSelector:
matchLabels:
component: jaeger
port: ui
proxyProtocol: HTTP/1
---
apiVersion: policy.linkerd.io/v1alpha1
kind: AuthorizationPolicy
metadata:
namespace: linkerd-jaeger
name: jaeger-ui
labels:
linkerd.io/extension: jaeger
component: jaeger
annotations:
linkerd.io/created-by: linkerd/helm dev-undefined
spec:
targetRef:
group: policy.linkerd.io
kind: Server
name: jaeger-ui
requiredAuthenticationRefs:
# for the optional dashboard integration
- kind: ServiceAccount
name: web
namespace: linkerd-viz


@ -17,8 +17,8 @@ spec:
app: {{.Values.gateway.name}}
port: linkerd-proxy
---
apiVersion: policy.linkerd.io/v1beta1
kind: ServerAuthorization
apiVersion: policy.linkerd.io/v1alpha1
kind: AuthorizationPolicy
metadata:
namespace: {{ .Release.Namespace }}
name: linkerd-gateway
@ -29,21 +29,56 @@ metadata:
annotations:
{{ include "partials.annotations.created-by" . }}
spec:
server:
targetRef:
group: policy.linkerd.io
kind: Server
name: linkerd-gateway
client:
meshTLS:
identities:
- '*'
networks:
requiredAuthenticationRefs:
- group: policy.linkerd.io
kind: MeshTLSAuthentication
name: any-meshed
namespace: {{ .Release.Namespace }}
- group: policy.linkerd.io
kind: NetworkAuthentication
name: source-cluster
namespace: {{ .Release.Namespace }}
---
apiVersion: policy.linkerd.io/v1alpha1
kind: MeshTLSAuthentication
metadata:
namespace: {{ .Release.Namespace }}
name: any-meshed
labels:
linkerd.io/extension: multicluster
app: {{.Values.gateway.name}}
{{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }}
annotations:
{{ include "partials.annotations.created-by" . }}
spec:
identities:
- '*'
---
apiVersion: policy.linkerd.io/v1alpha1
kind: NetworkAuthentication
metadata:
namespace: {{ .Release.Namespace }}
name: source-cluster
labels:
linkerd.io/extension: multicluster
app: {{.Values.gateway.name}}
{{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }}
annotations:
{{ include "partials.annotations.created-by" . }}
spec:
networks:
# Change this to the source cluster cidrs pointing to this gateway.
# Note that the source IP in some providers (e.g. GKE) will be the local
# node's IP and not the source cluster's
- cidr: 0.0.0.0/0
- cidr: ::/0
- cidr: "0.0.0.0/0"
- cidr: "::/0"
---
apiVersion: policy.linkerd.io/v1beta1
kind: ServerAuthorization
apiVersion: policy.linkerd.io/v1alpha1
kind: AuthorizationPolicy
metadata:
namespace: {{ .Release.Namespace }}
name: linkerd-gateway-probe
@ -54,15 +89,18 @@ metadata:
annotations:
{{ include "partials.annotations.created-by" . }}
spec:
server:
name: gateway-proxy-admin
client:
targetRef:
group: policy.linkerd.io
kind: Server
name: linkerd-gateway
requiredAuthenticationRefs:
# allows probes from outside the cluster, as long as they have an identity
meshTLS:
identities:
- '*'
networks:
# cf note for linkerd-gateway ServerAuthorization
- cidr: 0.0.0.0/0
- cidr: ::/0
- group: policy.linkerd.io
kind: MeshTLSAuthentication
name: any-meshed
namespace: {{ .Release.Namespace }}
- group: policy.linkerd.io
kind: NetworkAuthentication
name: source-cluster
namespace: {{ .Release.Namespace }}
{{end -}}
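Review bot: The `linkerd-gateway-probe` AuthorizationPolicy in the last hunk now has `targetRef.name: linkerd-gateway`, whereas the ServerAuthorization it replaces pointed at `gateway-proxy-admin`; as written it merely duplicates the `linkerd-gateway` policy above it, and the probe Server (presumably still defined elsewhere in this chart) is left with no AuthorizationPolicy, so it falls back to the default inbound policy and the gateway health probes from the source cluster would be denied under a `deny` default. Restore `name: gateway-proxy-admin` in that targetRef. Note also that every entry in `requiredAuthenticationRefs` must match, so the comment `# allows probes from outside the cluster, as long as they have an identity` is only true while `source-cluster` stays at 0.0.0.0/0; once operators narrow those CIDRs as the `source-cluster` comment tells them to, probes must also originate from those ranges — worth stating in the comment.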


@ -14,8 +14,8 @@ spec:
port: admin-http
proxyProtocol: HTTP/1
---
apiVersion: policy.linkerd.io/v1beta1
kind: ServerAuthorization
apiVersion: policy.linkerd.io/v1alpha1
kind: AuthorizationPolicy
metadata:
namespace: {{ .Release.Namespace }}
name: service-mirror
@ -23,14 +23,15 @@ metadata:
component: linkerd-service-mirror
{{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }}
spec:
server:
targetRef:
group: policy.linkerd.io
kind: Server
name: service-mirror
client:
requiredAuthenticationRefs:
# In order to use `linkerd mc gateways` you need viz' Prometheus instance
# to be able to reach the service-mirror. In order to also have a separate
# Prometheus scrape the service-mirror an additional ServerAuthorization
# Prometheus scrape the service-mirror an additional AuthorizationPolicy
# resource should be created.
meshTLS:
serviceAccounts:
- name: prometheus
namespace: linkerd-viz
- kind: ServiceAccount
name: prometheus
namespace: linkerd-viz


@ -102,8 +102,8 @@ spec:
app: linkerd-gateway
port: linkerd-proxy
---
apiVersion: policy.linkerd.io/v1beta1
kind: ServerAuthorization
apiVersion: policy.linkerd.io/v1alpha1
kind: AuthorizationPolicy
metadata:
namespace: linkerd-multicluster
name: linkerd-gateway
@ -113,21 +113,54 @@ metadata:
annotations:
linkerd.io/created-by: linkerd/helm linkerdVersionValue
spec:
server:
targetRef:
group: policy.linkerd.io
kind: Server
name: linkerd-gateway
client:
meshTLS:
identities:
- '*'
networks:
requiredAuthenticationRefs:
- group: policy.linkerd.io
kind: MeshTLSAuthentication
name: any-meshed
namespace: linkerd-multicluster
- group: policy.linkerd.io
kind: NetworkAuthentication
name: source-cluster
namespace: linkerd-multicluster
---
apiVersion: policy.linkerd.io/v1alpha1
kind: MeshTLSAuthentication
metadata:
namespace: linkerd-multicluster
name: any-meshed
labels:
linkerd.io/extension: multicluster
app: linkerd-gateway
annotations:
linkerd.io/created-by: linkerd/helm linkerdVersionValue
spec:
identities:
- '*'
---
apiVersion: policy.linkerd.io/v1alpha1
kind: NetworkAuthentication
metadata:
namespace: linkerd-multicluster
name: source-cluster
labels:
linkerd.io/extension: multicluster
app: linkerd-gateway
annotations:
linkerd.io/created-by: linkerd/helm linkerdVersionValue
spec:
networks:
# Change this to the source cluster cidrs pointing to this gateway.
# Note that the source IP in some providers (e.g. GKE) will be the local
# node's IP and not the source cluster's
- cidr: 0.0.0.0/0
- cidr: ::/0
- cidr: "0.0.0.0/0"
- cidr: "::/0"
---
apiVersion: policy.linkerd.io/v1beta1
kind: ServerAuthorization
apiVersion: policy.linkerd.io/v1alpha1
kind: AuthorizationPolicy
metadata:
namespace: linkerd-multicluster
name: linkerd-gateway-probe
@ -137,17 +170,20 @@ metadata:
annotations:
linkerd.io/created-by: linkerd/helm linkerdVersionValue
spec:
server:
name: gateway-proxy-admin
client:
targetRef:
group: policy.linkerd.io
kind: Server
name: linkerd-gateway
requiredAuthenticationRefs:
# allows probes from outside the cluster, as long as they have an identity
meshTLS:
identities:
- '*'
networks:
# cf note for linkerd-gateway ServerAuthorization
- cidr: 0.0.0.0/0
- cidr: ::/0
- group: policy.linkerd.io
kind: MeshTLSAuthentication
name: any-meshed
namespace: linkerd-multicluster
- group: policy.linkerd.io
kind: NetworkAuthentication
name: source-cluster
namespace: linkerd-multicluster
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
@ -316,23 +352,24 @@ spec:
port: admin-http
proxyProtocol: HTTP/1
---
apiVersion: policy.linkerd.io/v1beta1
kind: ServerAuthorization
apiVersion: policy.linkerd.io/v1alpha1
kind: AuthorizationPolicy
metadata:
namespace: linkerd-multicluster
name: service-mirror
labels:
component: linkerd-service-mirror
spec:
server:
targetRef:
group: policy.linkerd.io
kind: Server
name: service-mirror
client:
requiredAuthenticationRefs:
# In order to use `linkerd mc gateways` you need viz' Prometheus instance
# to be able to reach the service-mirror. In order to also have a separate
# Prometheus scrape the service-mirror an additional ServerAuthorization
# Prometheus scrape the service-mirror an additional AuthorizationPolicy
# resource should be created.
meshTLS:
serviceAccounts:
- name: prometheus
namespace: linkerd-viz
- kind: ServiceAccount
name: prometheus
namespace: linkerd-viz
---


@ -139,8 +139,8 @@ spec:
app: linkerd-gateway
port: linkerd-proxy
---
apiVersion: policy.linkerd.io/v1beta1
kind: ServerAuthorization
apiVersion: policy.linkerd.io/v1alpha1
kind: AuthorizationPolicy
metadata:
namespace: linkerd-multicluster
name: linkerd-gateway
@ -150,21 +150,54 @@ metadata:
annotations:
linkerd.io/created-by: linkerd/helm linkerdVersionValue
spec:
server:
targetRef:
group: policy.linkerd.io
kind: Server
name: linkerd-gateway
client:
meshTLS:
identities:
- '*'
networks:
requiredAuthenticationRefs:
- group: policy.linkerd.io
kind: MeshTLSAuthentication
name: any-meshed
namespace: linkerd-multicluster
- group: policy.linkerd.io
kind: NetworkAuthentication
name: source-cluster
namespace: linkerd-multicluster
---
apiVersion: policy.linkerd.io/v1alpha1
kind: MeshTLSAuthentication
metadata:
namespace: linkerd-multicluster
name: any-meshed
labels:
linkerd.io/extension: multicluster
app: linkerd-gateway
annotations:
linkerd.io/created-by: linkerd/helm linkerdVersionValue
spec:
identities:
- '*'
---
apiVersion: policy.linkerd.io/v1alpha1
kind: NetworkAuthentication
metadata:
namespace: linkerd-multicluster
name: source-cluster
labels:
linkerd.io/extension: multicluster
app: linkerd-gateway
annotations:
linkerd.io/created-by: linkerd/helm linkerdVersionValue
spec:
networks:
# Change this to the source cluster cidrs pointing to this gateway.
# Note that the source IP in some providers (e.g. GKE) will be the local
# node's IP and not the source cluster's
- cidr: 0.0.0.0/0
- cidr: ::/0
- cidr: "0.0.0.0/0"
- cidr: "::/0"
---
apiVersion: policy.linkerd.io/v1beta1
kind: ServerAuthorization
apiVersion: policy.linkerd.io/v1alpha1
kind: AuthorizationPolicy
metadata:
namespace: linkerd-multicluster
name: linkerd-gateway-probe
@ -174,17 +207,20 @@ metadata:
annotations:
linkerd.io/created-by: linkerd/helm linkerdVersionValue
spec:
server:
name: gateway-proxy-admin
client:
targetRef:
group: policy.linkerd.io
kind: Server
name: linkerd-gateway
requiredAuthenticationRefs:
# allows probes from outside the cluster, as long as they have an identity
meshTLS:
identities:
- '*'
networks:
# cf note for linkerd-gateway ServerAuthorization
- cidr: 0.0.0.0/0
- cidr: ::/0
- group: policy.linkerd.io
kind: MeshTLSAuthentication
name: any-meshed
namespace: linkerd-multicluster
- group: policy.linkerd.io
kind: NetworkAuthentication
name: source-cluster
namespace: linkerd-multicluster
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
@ -384,23 +420,24 @@ spec:
port: admin-http
proxyProtocol: HTTP/1
---
apiVersion: policy.linkerd.io/v1beta1
kind: ServerAuthorization
apiVersion: policy.linkerd.io/v1alpha1
kind: AuthorizationPolicy
metadata:
namespace: linkerd-multicluster
name: service-mirror
labels:
component: linkerd-service-mirror
spec:
server:
targetRef:
group: policy.linkerd.io
kind: Server
name: service-mirror
client:
requiredAuthenticationRefs:
# In order to use `linkerd mc gateways` you need viz' Prometheus instance
# to be able to reach the service-mirror. In order to also have a separate
# Prometheus scrape the service-mirror an additional ServerAuthorization
# Prometheus scrape the service-mirror an additional AuthorizationPolicy
# resource should be created.
meshTLS:
serviceAccounts:
- name: prometheus
namespace: linkerd-viz
- kind: ServiceAccount
name: prometheus
namespace: linkerd-viz
---


@ -102,8 +102,8 @@ spec:
app: linkerd-gateway
port: linkerd-proxy
---
apiVersion: policy.linkerd.io/v1beta1
kind: ServerAuthorization
apiVersion: policy.linkerd.io/v1alpha1
kind: AuthorizationPolicy
metadata:
namespace: linkerd-multicluster
name: linkerd-gateway
@ -113,21 +113,54 @@ metadata:
annotations:
linkerd.io/created-by: linkerd/helm linkerdVersionValue
spec:
server:
targetRef:
group: policy.linkerd.io
kind: Server
name: linkerd-gateway
client:
meshTLS:
identities:
- '*'
networks:
requiredAuthenticationRefs:
- group: policy.linkerd.io
kind: MeshTLSAuthentication
name: any-meshed
namespace: linkerd-multicluster
- group: policy.linkerd.io
kind: NetworkAuthentication
name: source-cluster
namespace: linkerd-multicluster
---
apiVersion: policy.linkerd.io/v1alpha1
kind: MeshTLSAuthentication
metadata:
namespace: linkerd-multicluster
name: any-meshed
labels:
linkerd.io/extension: multicluster
app: linkerd-gateway
annotations:
linkerd.io/created-by: linkerd/helm linkerdVersionValue
spec:
identities:
- '*'
---
apiVersion: policy.linkerd.io/v1alpha1
kind: NetworkAuthentication
metadata:
namespace: linkerd-multicluster
name: source-cluster
labels:
linkerd.io/extension: multicluster
app: linkerd-gateway
annotations:
linkerd.io/created-by: linkerd/helm linkerdVersionValue
spec:
networks:
# Change this to the source cluster cidrs pointing to this gateway.
# Note that the source IP in some providers (e.g. GKE) will be the local
# node's IP and not the source cluster's
- cidr: 0.0.0.0/0
- cidr: ::/0
- cidr: "0.0.0.0/0"
- cidr: "::/0"
---
apiVersion: policy.linkerd.io/v1beta1
kind: ServerAuthorization
apiVersion: policy.linkerd.io/v1alpha1
kind: AuthorizationPolicy
metadata:
namespace: linkerd-multicluster
name: linkerd-gateway-probe
@ -137,17 +170,20 @@ metadata:
annotations:
linkerd.io/created-by: linkerd/helm linkerdVersionValue
spec:
server:
name: gateway-proxy-admin
client:
targetRef:
group: policy.linkerd.io
kind: Server
name: linkerd-gateway
requiredAuthenticationRefs:
# allows probes from outside the cluster, as long as they have an identity
meshTLS:
identities:
- '*'
networks:
# cf note for linkerd-gateway ServerAuthorization
- cidr: 0.0.0.0/0
- cidr: ::/0
- group: policy.linkerd.io
kind: MeshTLSAuthentication
name: any-meshed
namespace: linkerd-multicluster
- group: policy.linkerd.io
kind: NetworkAuthentication
name: source-cluster
namespace: linkerd-multicluster
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
@ -347,23 +383,24 @@ spec:
port: admin-http
proxyProtocol: HTTP/1
---
apiVersion: policy.linkerd.io/v1beta1
kind: ServerAuthorization
apiVersion: policy.linkerd.io/v1alpha1
kind: AuthorizationPolicy
metadata:
namespace: linkerd-multicluster
name: service-mirror
labels:
component: linkerd-service-mirror
spec:
server:
targetRef:
group: policy.linkerd.io
kind: Server
name: service-mirror
client:
requiredAuthenticationRefs:
# In order to use `linkerd mc gateways` you need viz' Prometheus instance
# to be able to reach the service-mirror. In order to also have a separate
# Prometheus scrape the service-mirror an additional ServerAuthorization
# Prometheus scrape the service-mirror an additional AuthorizationPolicy
# resource should be created.
meshTLS:
serviceAccounts:
- name: prometheus
namespace: linkerd-viz
- kind: ServiceAccount
name: prometheus
namespace: linkerd-viz
---