From 52fb2c6750e874d0d90084566d7f20125731b99a Mon Sep 17 00:00:00 2001 From: Alex Leong Date: Wed, 11 Jan 2023 15:07:15 -0800 Subject: [PATCH] convert ServerAuthorizations to AuthorizationPolicies (#10079) The Linkerd extension charts use ServerAuthorization resources. AuthorizationPolicies are now the recommended resource to use in favor of ServerAuthorizations. We replace all of the ServerAuthorization resources in the Linkerd extension charts with AuthorizationPolicy resources. Signed-off-by: Alex Leong --- .../templates/jaeger-injector-policy.yaml | 56 ++-- .../templates/tracing-policy.yaml | 171 ++++++++--- .../install_collector_disabled.golden | 163 ++--------- jaeger/cmd/testdata/install_default.golden | 218 ++++++++++---- .../testdata/install_jaeger_disabled.golden | 277 +++++++++++++++--- .../templates/gateway-policy.yaml | 82 ++++-- .../templates/service-mirror-policy.yaml | 19 +- .../cmd/testdata/install_default.golden | 99 +++++-- multicluster/cmd/testdata/install_ha.golden | 99 +++++-- multicluster/cmd/testdata/install_psp.golden | 99 +++++-- 10 files changed, 852 insertions(+), 431 deletions(-) diff --git a/jaeger/charts/linkerd-jaeger/templates/jaeger-injector-policy.yaml b/jaeger/charts/linkerd-jaeger/templates/jaeger-injector-policy.yaml index b7b416e6a..b032506f1 100644 --- a/jaeger/charts/linkerd-jaeger/templates/jaeger-injector-policy.yaml +++ b/jaeger/charts/linkerd-jaeger/templates/jaeger-injector-policy.yaml 
@@ -18,27 +18,8 @@ spec: port: jaeger-injector proxyProtocol: TLS --- -apiVersion: policy.linkerd.io/v1beta1 -kind: Server -metadata: - namespace: {{ .Release.Namespace }} - name: jaeger-injector-admin - labels: - linkerd.io/extension: jaeger - component: jaeger-injector - {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }} - annotations: - {{ include "partials.annotations.created-by" . }} -spec: - podSelector: - matchLabels: - linkerd.io/extension: jaeger - component: jaeger-injector - port: admin-http - proxyProtocol: HTTP/1 ---- -apiVersion: policy.linkerd.io/v1beta1 -kind: ServerAuthorization +apiVersion: policy.linkerd.io/v1alpha1 +kind: AuthorizationPolicy metadata: namespace: {{ .Release.Namespace }} name: jaeger-injector @@ -49,11 +30,28 @@ metadata: annotations: {{ include "partials.annotations.created-by" . }} spec: - server: - selector: - matchLabels: - linkerd.io/extension: jaeger - component: jaeger-injector - client: - # traffic coming from the kubelet and from kube-api - unauthenticated: true + targetRef: + group: policy.linkerd.io + kind: Server + name: jaeger-injector-webhook + requiredAuthenticationRefs: + - group: policy.linkerd.io + kind: NetworkAuthentication + name: kube-api-server +--- +apiVersion: policy.linkerd.io/v1alpha1 +kind: NetworkAuthentication +metadata: + namespace: {{ .Release.Namespace }} + name: kube-api-server + labels: + linkerd.io/extension: viz + {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }} + annotations: + {{ include "partials.annotations.created-by" . }} +spec: + # Ideally, this should be restricted to the actual set of IPs the kube-api + # server uses for webhooks in a cluster. This can't easily be discovered. + networks: + - cidr: "0.0.0.0/0" + - cidr: "::/0" diff --git a/jaeger/charts/linkerd-jaeger/templates/tracing-policy.yaml b/jaeger/charts/linkerd-jaeger/templates/tracing-policy.yaml index 8df0a1e1f..c9b37c4c4 100644 
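Review bot: The new `kube-api-server` NetworkAuthentication is labelled `linkerd.io/extension: viz` although it ships in the jaeger chart; every other resource in this file carries `linkerd.io/extension: jaeger`, and any tooling that selects or cleans up resources by that label will miss it or attribute it to the viz extension. Change the label to `linkerd.io/extension: jaeger` (the rendered goldens on L7, L10 and L14 repeat the same value and would be regenerated). Those goldens also render the spec comment as "the kubelet API server" while the template here says "the kube-api server", so one side looks stale relative to the other. Separately, the hunk deletes the `jaeger-injector-admin` Server outright instead of converting its authorization, which leaves the admin-http port governed only by the namespace or cluster default policy; if that default is `deny` or requires authentication, the kubelet traffic the removed comment mentions would be rejected, so it is worth confirming that this is intended.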
--- a/jaeger/charts/linkerd-jaeger/templates/tracing-policy.yaml +++ b/jaeger/charts/linkerd-jaeger/templates/tracing-policy.yaml @@ -122,11 +122,11 @@ spec: port: 13133 proxyProtocol: HTTP/1 --- -apiVersion: policy.linkerd.io/v1beta1 -kind: ServerAuthorization +apiVersion: policy.linkerd.io/v1alpha1 +kind: AuthorizationPolicy metadata: namespace: {{ .Release.Namespace }} - name: collector + name: collector-otlp labels: linkerd.io/extension: jaeger component: collector 
@@ -134,16 +134,107 @@ metadata: annotations: {{ include "partials.annotations.created-by" . }} spec: - server: - selector: - matchLabels: - linkerd.io/extension: jaeger - component: collector - client: - # allow connections from any pod (meshed or not) sending trace data - unauthenticated: true -{{ end -}} -{{ if .Values.jaeger.enabled -}} + targetRef: + group: policy.linkerd.io + kind: Server + name: collector-otlp + # allow connections from any pod (meshed or not) sending trace data + requiredAuthenticationRefs: [] +--- +apiVersion: policy.linkerd.io/v1alpha1 +kind: AuthorizationPolicy +metadata: + namespace: {{ .Release.Namespace }} + name: collector-otlp-http + labels: + linkerd.io/extension: jaeger + component: collector + {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }} + annotations: + {{ include "partials.annotations.created-by" . }} +spec: + targetRef: + group: policy.linkerd.io + kind: Server + name: collector-otlp-http + # allow connections from any pod (meshed or not) sending trace data + requiredAuthenticationRefs: [] +--- +apiVersion: policy.linkerd.io/v1alpha1 +kind: AuthorizationPolicy +metadata: + namespace: {{ .Release.Namespace }} + name: collector-opencensus + labels: + linkerd.io/extension: jaeger + component: collector + {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }} + annotations: + {{ include "partials.annotations.created-by" . }} +spec: + targetRef: + group: policy.linkerd.io + kind: Server + name: collector-opencensus + # allow connections from any pod (meshed or not) sending trace data + requiredAuthenticationRefs: [] +--- +apiVersion: policy.linkerd.io/v1alpha1 +kind: AuthorizationPolicy +metadata: + namespace: {{ .Release.Namespace }} + name: collector-zipkin + labels: + linkerd.io/extension: jaeger + component: collector + {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }} + annotations: + {{ include "partials.annotations.created-by" . 
}} +spec: + targetRef: + group: policy.linkerd.io + kind: Server + name: collector-zipkin + # allow connections from any pod (meshed or not) sending trace data + requiredAuthenticationRefs: [] +--- +apiVersion: policy.linkerd.io/v1alpha1 +kind: AuthorizationPolicy +metadata: + namespace: {{ .Release.Namespace }} + name: collector-jaeger-thrift + labels: + linkerd.io/extension: jaeger + component: collector + {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }} + annotations: + {{ include "partials.annotations.created-by" . }} +spec: + targetRef: + group: policy.linkerd.io + kind: Server + name: collector-jaeger-thrift + # allow connections from any pod (meshed or not) sending trace data + requiredAuthenticationRefs: [] +--- +apiVersion: policy.linkerd.io/v1alpha1 +kind: AuthorizationPolicy +metadata: + namespace: {{ .Release.Namespace }} + name: collector-jaeger-grpc + labels: + linkerd.io/extension: jaeger + component: collector + {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }} + annotations: + {{ include "partials.annotations.created-by" . }} +spec: + targetRef: + group: policy.linkerd.io + kind: Server + name: collector-jaeger-grpc + # allow connections from any pod (meshed or not) sending trace data + requiredAuthenticationRefs: [] --- apiVersion: policy.linkerd.io/v1beta1 kind: Server @@ -163,8 +254,8 @@ spec: port: grpc proxyProtocol: gRPC --- -apiVersion: policy.linkerd.io/v1beta1 -kind: ServerAuthorization +apiVersion: policy.linkerd.io/v1alpha1 +kind: AuthorizationPolicy metadata: namespace: {{ .Release.Namespace }} name: jaeger-grpc 
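Review bot: Removing the `{{ end -}}` / `{{ if .Values.jaeger.enabled -}}` pair in this hunk moves the jaeger-grpc, jaeger-admin and jaeger-ui Server and policy resources under the collector's conditional instead of `.Values.jaeger.enabled`; the goldens show the effect — install_jaeger_disabled.golden (L15–L17) now renders those resources with jaeger disabled, and install_collector_disabled.golden (L8–L9) drops them although jaeger is enabled. Restore the two template lines after the last collector policy: `{{ end -}}` followed by `{{ if .Values.jaeger.enabled -}}`. As a secondary point, the six collector AuthorizationPolicy resources differ only in name and targetRef and replace a selector-based ServerAuthorization that covered any matching Server, so a collector Server added later is silently left unauthorized unless a seventh copy is written; a `range` over the Server names, sketched below, keeps the list in one place (the `---` separator moves inside the loop, so the one preceding the first policy is dropped). The enclosing `{{ if ... }}` block that this hunk sits in starts outside the hunk.
```yaml
{{- range $name := list "collector-otlp" "collector-otlp-http" "collector-opencensus" "collector-zipkin" "collector-jaeger-thrift" "collector-jaeger-grpc" }}
---
apiVersion: policy.linkerd.io/v1alpha1
kind: AuthorizationPolicy
metadata:
  namespace: {{ $.Release.Namespace }}
  name: {{ $name }}
  labels:
    linkerd.io/extension: jaeger
    component: collector
    {{- with $.Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }}
  annotations:
    {{ include "partials.annotations.created-by" $ }}
spec:
  targetRef:
    group: policy.linkerd.io
    kind: Server
    name: {{ $name }}
  # allow connections from any pod (meshed or not) sending trace data
  requiredAuthenticationRefs: []
{{- end }}
{{ end -}}
{{ if .Values.jaeger.enabled -}}
---
apiVersion: policy.linkerd.io/v1beta1
kind: Server
# … unchanged: jaeger-grpc Server and the policies that follow …
```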
@@ -175,12 +266,14 @@ metadata: annotations: {{ include "partials.annotations.created-by" . }} spec: - server: + targetRef: + group: policy.linkerd.io + kind: Server name: jaeger-grpc - client: - meshTLS: - serviceAccounts: - - name: collector + requiredAuthenticationRefs: + - kind: ServiceAccount + name: collector + namespace: {{.Release.Namespace}} --- apiVersion: policy.linkerd.io/v1beta1 kind: Server @@ -200,8 +293,8 @@ spec: port: admin proxyProtocol: HTTP/1 --- -apiVersion: policy.linkerd.io/v1beta1 -kind: ServerAuthorization +apiVersion: policy.linkerd.io/v1alpha1 +kind: AuthorizationPolicy metadata: namespace: {{ .Release.Namespace }} name: jaeger-admin @@ -212,14 +305,15 @@ metadata: annotations: {{ include "partials.annotations.created-by" . }} spec: - server: + targetRef: + group: policy.linkerd.io + kind: Server name: jaeger-admin - client: - meshTLS: - serviceAccounts: - # if not using linkerd-viz' prometheus, replace its SA here - - name: prometheus - namespace: linkerd-viz + requiredAuthenticationRefs: + # if not using linkerd-viz' prometheus, replace its SA here + - kind: ServiceAccount + name: prometheus + namespace: linkerd-viz --- apiVersion: policy.linkerd.io/v1beta1 kind: Server @@ -239,8 +333,8 @@ spec: port: ui proxyProtocol: HTTP/1 --- -apiVersion: policy.linkerd.io/v1beta1 -kind: ServerAuthorization +apiVersion: policy.linkerd.io/v1alpha1 +kind: AuthorizationPolicy metadata: namespace: {{ .Release.Namespace }} name: jaeger-ui @@ -251,12 +345,13 @@ metadata: annotations: {{ include "partials.annotations.created-by" . }} spec: - server: + targetRef: + group: policy.linkerd.io + kind: Server name: jaeger-ui - client: - meshTLS: - serviceAccounts: - # for the optional dashboard integration - - name: web - namespace: linkerd-viz + requiredAuthenticationRefs: + # for the optional dashboard integration + - kind: ServiceAccount + name: web + namespace: linkerd-viz {{ end -}} 
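Review bot: In the jaeger-grpc hunk the new ServiceAccount reference is written `namespace: {{.Release.Namespace}}` without the inner spaces, while every other template action in this file, including the targetRef blocks added in the same hunk, uses `{{ .Release.Namespace }}`; it renders identically but breaks the file's consistency. Change it to `namespace: {{ .Release.Namespace }}`. The jaeger-admin and jaeger-ui hunks on this line keep the `linkerd-viz` namespace hard-coded for the prometheus and web ServiceAccounts as before; a short comment above those refs, such as `# assumes linkerd-viz was installed into its default namespace`, would help operators who relocate viz understand why the authorization stops matching.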
diff --git a/jaeger/cmd/testdata/install_collector_disabled.golden b/jaeger/cmd/testdata/install_collector_disabled.golden index 88025e233..96f784753 100644 --- a/jaeger/cmd/testdata/install_collector_disabled.golden +++ b/jaeger/cmd/testdata/install_collector_disabled.golden @@ -122,26 +122,8 @@ spec: port: jaeger-injector proxyProtocol: TLS --- -apiVersion: policy.linkerd.io/v1beta1 -kind: Server -metadata: - namespace: linkerd-jaeger - name: jaeger-injector-admin - labels: - linkerd.io/extension: jaeger - component: jaeger-injector - annotations: - linkerd.io/created-by: linkerd/helm dev-undefined -spec: - podSelector: - matchLabels: - linkerd.io/extension: jaeger - component: jaeger-injector - port: admin-http - proxyProtocol: HTTP/1 ---- -apiVersion: policy.linkerd.io/v1beta1 -kind: ServerAuthorization +apiVersion: policy.linkerd.io/v1alpha1 +kind: AuthorizationPolicy metadata: namespace: linkerd-jaeger name: jaeger-injector @@ -151,14 +133,30 @@ metadata: annotations: linkerd.io/created-by: linkerd/helm dev-undefined spec: - server: - selector: - matchLabels: - linkerd.io/extension: jaeger - component: jaeger-injector - client: - # traffic coming from the kubelet and from kube-api - unauthenticated: true + targetRef: + group: policy.linkerd.io + kind: Server + name: jaeger-injector-webhook + requiredAuthenticationRefs: + - group: policy.linkerd.io + kind: NetworkAuthentication + name: kube-api-server +--- +apiVersion: policy.linkerd.io/v1alpha1 +kind: NetworkAuthentication +metadata: + namespace: linkerd-jaeger + name: kube-api-server + labels: + linkerd.io/extension: viz + annotations: + linkerd.io/created-by: linkerd/helm dev-undefined +spec: + # Ideally, this should be restricted to the actual set of IPs the kubelet API + # server uses for webhooks in a cluster. This can't easily be discovered. + networks: + - cidr: "0.0.0.0/0" + - cidr: "::/0" --- ### ### Jaeger Injector RBAC 
@@ -309,112 +307,3 @@ spec: type: RuntimeDefault dnsPolicy: ClusterFirst serviceAccountName: jaeger ---- -apiVersion: policy.linkerd.io/v1beta1 -kind: Server -metadata: - namespace: linkerd-jaeger - name: jaeger-grpc - labels: - linkerd.io/extension: jaeger - component: jaeger - annotations: - linkerd.io/created-by: linkerd/helm dev-undefined -spec: - podSelector: - matchLabels: - component: jaeger - port: grpc - proxyProtocol: gRPC ---- -apiVersion: policy.linkerd.io/v1beta1 -kind: ServerAuthorization -metadata: - namespace: linkerd-jaeger - name: jaeger-grpc - labels: - linkerd.io/extension: jaeger - component: jaeger - annotations: - linkerd.io/created-by: linkerd/helm dev-undefined -spec: - server: - name: jaeger-grpc - client: - meshTLS: - serviceAccounts: - - name: collector ---- -apiVersion: policy.linkerd.io/v1beta1 -kind: Server -metadata: - namespace: linkerd-jaeger - name: jaeger-admin - labels: - linkerd.io/extension: jaeger - component: jaeger - annotations: - linkerd.io/created-by: linkerd/helm dev-undefined -spec: - podSelector: - matchLabels: - component: jaeger - port: admin - proxyProtocol: HTTP/1 ---- -apiVersion: policy.linkerd.io/v1beta1 -kind: ServerAuthorization -metadata: - namespace: linkerd-jaeger - name: jaeger-admin - labels: - linkerd.io/extension: jaeger - component: jaeger - annotations: - linkerd.io/created-by: linkerd/helm dev-undefined -spec: - server: - name: jaeger-admin - client: - meshTLS: - serviceAccounts: - # if not using linkerd-viz' prometheus, replace its SA here - - name: prometheus - namespace: linkerd-viz ---- -apiVersion: policy.linkerd.io/v1beta1 -kind: Server -metadata: - namespace: linkerd-jaeger - name: jaeger-ui - labels: - linkerd.io/extension: jaeger - component: jaeger - annotations: - linkerd.io/created-by: linkerd/helm dev-undefined -spec: - podSelector: - matchLabels: - component: jaeger - port: ui - proxyProtocol: HTTP/1 ---- -apiVersion: policy.linkerd.io/v1beta1 -kind: ServerAuthorization -metadata: - 
namespace: linkerd-jaeger - name: jaeger-ui - labels: - linkerd.io/extension: jaeger - component: jaeger - annotations: - linkerd.io/created-by: linkerd/helm dev-undefined -spec: - server: - name: jaeger-ui - client: - meshTLS: - serviceAccounts: - # for the optional dashboard integration - - name: web - namespace: linkerd-viz diff --git a/jaeger/cmd/testdata/install_default.golden b/jaeger/cmd/testdata/install_default.golden index e6c375a4a..45cc233cb 100644 --- a/jaeger/cmd/testdata/install_default.golden +++ b/jaeger/cmd/testdata/install_default.golden @@ -122,26 +122,8 @@ spec: port: jaeger-injector proxyProtocol: TLS --- -apiVersion: policy.linkerd.io/v1beta1 -kind: Server -metadata: - namespace: linkerd-jaeger - name: jaeger-injector-admin - labels: - linkerd.io/extension: jaeger - component: jaeger-injector - annotations: - linkerd.io/created-by: linkerd/helm dev-undefined -spec: - podSelector: - matchLabels: - linkerd.io/extension: jaeger - component: jaeger-injector - port: admin-http - proxyProtocol: HTTP/1 ---- -apiVersion: policy.linkerd.io/v1beta1 -kind: ServerAuthorization +apiVersion: policy.linkerd.io/v1alpha1 +kind: AuthorizationPolicy metadata: namespace: linkerd-jaeger name: jaeger-injector 
@@ -151,14 +133,30 @@ metadata: annotations: linkerd.io/created-by: linkerd/helm dev-undefined spec: - server: - selector: - matchLabels: - linkerd.io/extension: jaeger - component: jaeger-injector - client: - # traffic coming from the kubelet and from kube-api - unauthenticated: true + targetRef: + group: policy.linkerd.io + kind: Server + name: jaeger-injector-webhook + requiredAuthenticationRefs: + - group: policy.linkerd.io + kind: NetworkAuthentication + name: kube-api-server +--- +apiVersion: policy.linkerd.io/v1alpha1 +kind: NetworkAuthentication +metadata: + namespace: linkerd-jaeger + name: kube-api-server + labels: + linkerd.io/extension: viz + annotations: + linkerd.io/created-by: linkerd/helm dev-undefined +spec: + # Ideally, this should be restricted to the actual set of IPs the kubelet API + # server uses for webhooks in a cluster. This can't easily be discovered. + networks: + - cidr: "0.0.0.0/0" + - cidr: "::/0" --- ### ### collector RBAC 
@@ -602,25 +600,113 @@ spec: port: 13133 proxyProtocol: HTTP/1 --- -apiVersion: policy.linkerd.io/v1beta1 -kind: ServerAuthorization +apiVersion: policy.linkerd.io/v1alpha1 +kind: AuthorizationPolicy metadata: namespace: linkerd-jaeger - name: collector + name: collector-otlp labels: linkerd.io/extension: jaeger component: collector annotations: linkerd.io/created-by: linkerd/helm dev-undefined spec: - server: - selector: - matchLabels: - linkerd.io/extension: jaeger - component: collector - client: - # allow connections from any pod (meshed or not) sending trace data - unauthenticated: true + targetRef: + group: policy.linkerd.io + kind: Server + name: collector-otlp + # allow connections from any pod (meshed or not) sending trace data + requiredAuthenticationRefs: [] +--- +apiVersion: policy.linkerd.io/v1alpha1 +kind: AuthorizationPolicy +metadata: + namespace: linkerd-jaeger + name: collector-otlp-http + labels: + linkerd.io/extension: jaeger + component: collector + annotations: + linkerd.io/created-by: linkerd/helm dev-undefined +spec: + targetRef: + group: policy.linkerd.io + kind: Server + name: collector-otlp-http + # allow connections from any pod (meshed or not) sending trace data + requiredAuthenticationRefs: [] +--- +apiVersion: policy.linkerd.io/v1alpha1 +kind: AuthorizationPolicy +metadata: + namespace: linkerd-jaeger + name: collector-opencensus + labels: + linkerd.io/extension: jaeger + component: collector + annotations: + linkerd.io/created-by: linkerd/helm dev-undefined +spec: + targetRef: + group: policy.linkerd.io + kind: Server + name: collector-opencensus + # allow connections from any pod (meshed or not) sending trace data + requiredAuthenticationRefs: [] +--- +apiVersion: policy.linkerd.io/v1alpha1 +kind: AuthorizationPolicy +metadata: + namespace: linkerd-jaeger + name: collector-zipkin + labels: + linkerd.io/extension: jaeger + component: collector + annotations: + linkerd.io/created-by: linkerd/helm dev-undefined +spec: + targetRef: + 
group: policy.linkerd.io + kind: Server + name: collector-zipkin + # allow connections from any pod (meshed or not) sending trace data + requiredAuthenticationRefs: [] +--- +apiVersion: policy.linkerd.io/v1alpha1 +kind: AuthorizationPolicy +metadata: + namespace: linkerd-jaeger + name: collector-jaeger-thrift + labels: + linkerd.io/extension: jaeger + component: collector + annotations: + linkerd.io/created-by: linkerd/helm dev-undefined +spec: + targetRef: + group: policy.linkerd.io + kind: Server + name: collector-jaeger-thrift + # allow connections from any pod (meshed or not) sending trace data + requiredAuthenticationRefs: [] +--- +apiVersion: policy.linkerd.io/v1alpha1 +kind: AuthorizationPolicy +metadata: + namespace: linkerd-jaeger + name: collector-jaeger-grpc + labels: + linkerd.io/extension: jaeger + component: collector + annotations: + linkerd.io/created-by: linkerd/helm dev-undefined +spec: + targetRef: + group: policy.linkerd.io + kind: Server + name: collector-jaeger-grpc + # allow connections from any pod (meshed or not) sending trace data + requiredAuthenticationRefs: [] --- apiVersion: policy.linkerd.io/v1beta1 kind: Server @@ -639,8 +725,8 @@ spec: port: grpc proxyProtocol: gRPC --- -apiVersion: policy.linkerd.io/v1beta1 -kind: ServerAuthorization +apiVersion: policy.linkerd.io/v1alpha1 +kind: AuthorizationPolicy metadata: namespace: linkerd-jaeger name: jaeger-grpc @@ -650,12 +736,14 @@ metadata: annotations: linkerd.io/created-by: linkerd/helm dev-undefined spec: - server: + targetRef: + group: policy.linkerd.io + kind: Server name: jaeger-grpc - client: - meshTLS: - serviceAccounts: - - name: collector + requiredAuthenticationRefs: + - kind: ServiceAccount + name: collector + namespace: linkerd-jaeger --- apiVersion: policy.linkerd.io/v1beta1 kind: Server 
@@ -674,8 +762,8 @@ spec: port: admin proxyProtocol: HTTP/1 --- -apiVersion: policy.linkerd.io/v1beta1 -kind: ServerAuthorization +apiVersion: policy.linkerd.io/v1alpha1 +kind: AuthorizationPolicy metadata: namespace: linkerd-jaeger name: jaeger-admin @@ -685,14 +773,15 @@ metadata: annotations: linkerd.io/created-by: linkerd/helm dev-undefined spec: - server: + targetRef: + group: policy.linkerd.io + kind: Server name: jaeger-admin - client: - meshTLS: - serviceAccounts: - # if not using linkerd-viz' prometheus, replace its SA here - - name: prometheus - namespace: linkerd-viz + requiredAuthenticationRefs: + # if not using linkerd-viz' prometheus, replace its SA here + - kind: ServiceAccount + name: prometheus + namespace: linkerd-viz --- apiVersion: policy.linkerd.io/v1beta1 kind: Server @@ -711,8 +800,8 @@ spec: port: ui proxyProtocol: HTTP/1 --- -apiVersion: policy.linkerd.io/v1beta1 -kind: ServerAuthorization +apiVersion: policy.linkerd.io/v1alpha1 +kind: AuthorizationPolicy metadata: namespace: linkerd-jaeger name: jaeger-ui @@ -722,11 +811,12 @@ metadata: annotations: linkerd.io/created-by: linkerd/helm dev-undefined spec: - server: + targetRef: + group: policy.linkerd.io + kind: Server name: jaeger-ui - client: - meshTLS: - serviceAccounts: - # for the optional dashboard integration - - name: web - namespace: linkerd-viz + requiredAuthenticationRefs: + # for the optional dashboard integration + - kind: ServiceAccount + name: web + namespace: linkerd-viz diff --git a/jaeger/cmd/testdata/install_jaeger_disabled.golden b/jaeger/cmd/testdata/install_jaeger_disabled.golden index 7edfb531f..7821610cd 100644 --- a/jaeger/cmd/testdata/install_jaeger_disabled.golden +++ b/jaeger/cmd/testdata/install_jaeger_disabled.golden 
@@ -122,26 +122,8 @@ spec: port: jaeger-injector proxyProtocol: TLS --- -apiVersion: policy.linkerd.io/v1beta1 -kind: Server -metadata: - namespace: linkerd-jaeger - name: jaeger-injector-admin - labels: - linkerd.io/extension: jaeger - component: jaeger-injector - annotations: - linkerd.io/created-by: linkerd/helm dev-undefined -spec: - podSelector: - matchLabels: - linkerd.io/extension: jaeger - component: jaeger-injector - port: admin-http - proxyProtocol: HTTP/1 ---- -apiVersion: policy.linkerd.io/v1beta1 -kind: ServerAuthorization +apiVersion: policy.linkerd.io/v1alpha1 +kind: AuthorizationPolicy metadata: namespace: linkerd-jaeger name: jaeger-injector @@ -151,14 +133,30 @@ metadata: annotations: linkerd.io/created-by: linkerd/helm dev-undefined spec: - server: - selector: - matchLabels: - linkerd.io/extension: jaeger - component: jaeger-injector - client: - # traffic coming from the kubelet and from kube-api - unauthenticated: true + targetRef: + group: policy.linkerd.io + kind: Server + name: jaeger-injector-webhook + requiredAuthenticationRefs: + - group: policy.linkerd.io + kind: NetworkAuthentication + name: kube-api-server +--- +apiVersion: policy.linkerd.io/v1alpha1 +kind: NetworkAuthentication +metadata: + namespace: linkerd-jaeger + name: kube-api-server + labels: + linkerd.io/extension: viz + annotations: + linkerd.io/created-by: linkerd/helm dev-undefined +spec: + # Ideally, this should be restricted to the actual set of IPs the kubelet API + # server uses for webhooks in a cluster. This can't easily be discovered. + networks: + - cidr: "0.0.0.0/0" + - cidr: "::/0" --- ### ### collector RBAC 
@@ -512,22 +510,223 @@ spec: port: 13133 proxyProtocol: HTTP/1 --- -apiVersion: policy.linkerd.io/v1beta1 -kind: ServerAuthorization +apiVersion: policy.linkerd.io/v1alpha1 +kind: AuthorizationPolicy metadata: namespace: linkerd-jaeger - name: collector + name: collector-otlp labels: linkerd.io/extension: jaeger component: collector annotations: linkerd.io/created-by: linkerd/helm dev-undefined spec: - server: - selector: - matchLabels: - linkerd.io/extension: jaeger - component: collector - client: - # allow connections from any pod (meshed or not) sending trace data - unauthenticated: true + targetRef: + group: policy.linkerd.io + kind: Server + name: collector-otlp + # allow connections from any pod (meshed or not) sending trace data + requiredAuthenticationRefs: [] +--- +apiVersion: policy.linkerd.io/v1alpha1 +kind: AuthorizationPolicy +metadata: + namespace: linkerd-jaeger + name: collector-otlp-http + labels: + linkerd.io/extension: jaeger + component: collector + annotations: + linkerd.io/created-by: linkerd/helm dev-undefined +spec: + targetRef: + group: policy.linkerd.io + kind: Server + name: collector-otlp-http + # allow connections from any pod (meshed or not) sending trace data + requiredAuthenticationRefs: [] +--- +apiVersion: policy.linkerd.io/v1alpha1 +kind: AuthorizationPolicy +metadata: + namespace: linkerd-jaeger + name: collector-opencensus + labels: + linkerd.io/extension: jaeger + component: collector + annotations: + linkerd.io/created-by: linkerd/helm dev-undefined +spec: + targetRef: + group: policy.linkerd.io + kind: Server + name: collector-opencensus + # allow connections from any pod (meshed or not) sending trace data + requiredAuthenticationRefs: [] +--- +apiVersion: policy.linkerd.io/v1alpha1 +kind: AuthorizationPolicy +metadata: + namespace: linkerd-jaeger + name: collector-zipkin + labels: + linkerd.io/extension: jaeger + component: collector + annotations: + linkerd.io/created-by: linkerd/helm dev-undefined +spec: + targetRef: + 
group: policy.linkerd.io + kind: Server + name: collector-zipkin + # allow connections from any pod (meshed or not) sending trace data + requiredAuthenticationRefs: [] +--- +apiVersion: policy.linkerd.io/v1alpha1 +kind: AuthorizationPolicy +metadata: + namespace: linkerd-jaeger + name: collector-jaeger-thrift + labels: + linkerd.io/extension: jaeger + component: collector + annotations: + linkerd.io/created-by: linkerd/helm dev-undefined +spec: + targetRef: + group: policy.linkerd.io + kind: Server + name: collector-jaeger-thrift + # allow connections from any pod (meshed or not) sending trace data + requiredAuthenticationRefs: [] +--- +apiVersion: policy.linkerd.io/v1alpha1 +kind: AuthorizationPolicy +metadata: + namespace: linkerd-jaeger + name: collector-jaeger-grpc + labels: + linkerd.io/extension: jaeger + component: collector + annotations: + linkerd.io/created-by: linkerd/helm dev-undefined +spec: + targetRef: + group: policy.linkerd.io + kind: Server + name: collector-jaeger-grpc + # allow connections from any pod (meshed or not) sending trace data + requiredAuthenticationRefs: [] +--- +apiVersion: policy.linkerd.io/v1beta1 +kind: Server +metadata: + namespace: linkerd-jaeger + name: jaeger-grpc + labels: + linkerd.io/extension: jaeger + component: jaeger + annotations: + linkerd.io/created-by: linkerd/helm dev-undefined +spec: + podSelector: + matchLabels: + component: jaeger + port: grpc + proxyProtocol: gRPC +--- +apiVersion: policy.linkerd.io/v1alpha1 +kind: AuthorizationPolicy +metadata: + namespace: linkerd-jaeger + name: jaeger-grpc + labels: + linkerd.io/extension: jaeger + component: jaeger + annotations: + linkerd.io/created-by: linkerd/helm dev-undefined +spec: + targetRef: + group: policy.linkerd.io + kind: Server + name: jaeger-grpc + requiredAuthenticationRefs: + - kind: ServiceAccount + name: collector + namespace: linkerd-jaeger +--- +apiVersion: policy.linkerd.io/v1beta1 +kind: Server +metadata: + namespace: linkerd-jaeger + name: 
jaeger-admin + labels: + linkerd.io/extension: jaeger + component: jaeger + annotations: + linkerd.io/created-by: linkerd/helm dev-undefined +spec: + podSelector: + matchLabels: + component: jaeger + port: admin + proxyProtocol: HTTP/1 +--- +apiVersion: policy.linkerd.io/v1alpha1 +kind: AuthorizationPolicy +metadata: + namespace: linkerd-jaeger + name: jaeger-admin + labels: + linkerd.io/extension: jaeger + component: jaeger + annotations: + linkerd.io/created-by: linkerd/helm dev-undefined +spec: + targetRef: + group: policy.linkerd.io + kind: Server + name: jaeger-admin + requiredAuthenticationRefs: + # if not using linkerd-viz' prometheus, replace its SA here + - kind: ServiceAccount + name: prometheus + namespace: linkerd-viz +--- +apiVersion: policy.linkerd.io/v1beta1 +kind: Server +metadata: + namespace: linkerd-jaeger + name: jaeger-ui + labels: + linkerd.io/extension: jaeger + component: jaeger + annotations: + linkerd.io/created-by: linkerd/helm dev-undefined +spec: + podSelector: + matchLabels: + component: jaeger + port: ui + proxyProtocol: HTTP/1 +--- +apiVersion: policy.linkerd.io/v1alpha1 +kind: AuthorizationPolicy +metadata: + namespace: linkerd-jaeger + name: jaeger-ui + labels: + linkerd.io/extension: jaeger + component: jaeger + annotations: + linkerd.io/created-by: linkerd/helm dev-undefined +spec: + targetRef: + group: policy.linkerd.io + kind: Server + name: jaeger-ui + requiredAuthenticationRefs: + # for the optional dashboard integration + - kind: ServiceAccount + name: web + namespace: linkerd-viz diff --git a/multicluster/charts/linkerd-multicluster/templates/gateway-policy.yaml b/multicluster/charts/linkerd-multicluster/templates/gateway-policy.yaml index 45dc8e6c6..d5528d4ff 100644 --- a/multicluster/charts/linkerd-multicluster/templates/gateway-policy.yaml +++ b/multicluster/charts/linkerd-multicluster/templates/gateway-policy.yaml 
@@ -17,8 +17,8 @@ spec: app: {{.Values.gateway.name}} port: linkerd-proxy --- -apiVersion: policy.linkerd.io/v1beta1 -kind: ServerAuthorization +apiVersion: policy.linkerd.io/v1alpha1 +kind: AuthorizationPolicy metadata: namespace: {{ .Release.Namespace }} name: linkerd-gateway 
@@ -29,21 +29,56 @@ metadata: annotations: {{ include "partials.annotations.created-by" . }} spec: - server: + targetRef: + group: policy.linkerd.io + kind: Server name: linkerd-gateway - client: - meshTLS: - identities: - - '*' - networks: + requiredAuthenticationRefs: + - group: policy.linkerd.io + kind: MeshTLSAuthentication + name: any-meshed + namespace: {{ .Release.Namespace }} + - group: policy.linkerd.io + kind: NetworkAuthentication + name: source-cluster + namespace: {{ .Release.Namespace }} +--- +apiVersion: policy.linkerd.io/v1alpha1 +kind: MeshTLSAuthentication +metadata: + namespace: {{ .Release.Namespace }} + name: any-meshed + labels: + linkerd.io/extension: multicluster + app: {{.Values.gateway.name}} + {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }} + annotations: + {{ include "partials.annotations.created-by" . }} +spec: + identities: + - '*' +--- +apiVersion: policy.linkerd.io/v1alpha1 +kind: NetworkAuthentication +metadata: + namespace: {{ .Release.Namespace }} + name: source-cluster + labels: + linkerd.io/extension: multicluster + app: {{.Values.gateway.name}} + {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }} + annotations: + {{ include "partials.annotations.created-by" . }} +spec: + networks: # Change this to the source cluster cidrs pointing to this gateway. # Note that the source IP in some providers (e.g. GKE) will be the local # node's IP and not the source cluster's - - cidr: 0.0.0.0/0 - - cidr: ::/0 + - cidr: "0.0.0.0/0" + - cidr: "::/0" --- -apiVersion: policy.linkerd.io/v1beta1 -kind: ServerAuthorization +apiVersion: policy.linkerd.io/v1alpha1 +kind: AuthorizationPolicy metadata: namespace: {{ .Release.Namespace }} name: linkerd-gateway-probe 
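Review bot: `source-cluster` is now a standalone NetworkAuthentication with the catch-all `0.0.0.0/0` and `::/0` CIDRs baked into the template, so the comment's instruction to change them to the source cluster CIDRs still requires editing rendered manifests or a post-install patch that the next `helm upgrade` will revert. Since the network check is now its own resource, the CIDR list is a natural Helm value: replace the two literal entries with `{{- range .Values.gateway.<sourceCidrs> }}` / `  - cidr: {{ . | quote }}` / `{{- end }}` (the values key is a placeholder name to be chosen) and default it to the current two CIDRs in values.yaml so rendered output is unchanged. As both refs in the `linkerd-gateway` policy appear to be required together, narrowing the CIDRs tightens gateway access without touching the MeshTLS requirement.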
@@ -54,15 +89,18 @@ metadata: annotations: {{ include "partials.annotations.created-by" . }} spec: - server: - name: gateway-proxy-admin - client: + targetRef: + group: policy.linkerd.io + kind: Server + name: linkerd-gateway + requiredAuthenticationRefs: # allows probes from outside the cluster, as long as they have an identity - meshTLS: - identities: - - '*' - networks: - # cf note for linkerd-gateway ServerAuthorization - - cidr: 0.0.0.0/0 - - cidr: ::/0 + - group: policy.linkerd.io + kind: MeshTLSAuthentication + name: any-meshed + namespace: {{ .Release.Namespace }} + - group: policy.linkerd.io + kind: NetworkAuthentication + name: source-cluster + namespace: {{ .Release.Namespace }} {{end -}} diff --git a/multicluster/charts/linkerd-multicluster/templates/service-mirror-policy.yaml b/multicluster/charts/linkerd-multicluster/templates/service-mirror-policy.yaml index cf9062b80..12d6429f6 100644 --- a/multicluster/charts/linkerd-multicluster/templates/service-mirror-policy.yaml +++ b/multicluster/charts/linkerd-multicluster/templates/service-mirror-policy.yaml @@ -14,8 +14,8 @@ spec: port: admin-http proxyProtocol: HTTP/1 --- -apiVersion: policy.linkerd.io/v1beta1 -kind: ServerAuthorization +apiVersion: policy.linkerd.io/v1alpha1 +kind: AuthorizationPolicy metadata: namespace: {{ .Release.Namespace }} name: service-mirror 
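Review bot: The `linkerd-gateway-probe` policy's targetRef now names the `linkerd-gateway` Server, the same Server the preceding `linkerd-gateway` policy already authorizes with an identical pair of authentication refs, whereas the removed line referenced `gateway-proxy-admin`; as written the probe policy is a duplicate and the admin Server it used to cover is left without any AuthorizationPolicy. Under a `deny` or authenticated-only default policy the remote cluster's gateway probes would then be rejected, which breaks mirrored-service health checks. Change the line back to `name: gateway-proxy-admin`, assuming that Server is still defined earlier in this template, which is outside the hunk. The `{{end -}}` that closes this hunk pairs with an `{{if ...}}` that starts outside it.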
@@ -23,14 +23,15 @@ metadata: component: linkerd-service-mirror {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }} spec: - server: + targetRef: + group: policy.linkerd.io + kind: Server name: service-mirror - client: + requiredAuthenticationRefs: # In order to use `linkerd mc gateways` you need viz' Prometheus instance # to be able to reach the service-mirror. In order to also have a separate - # Prometheus scrape the service-mirror an additional ServerAuthorization + # Prometheus scrape the service-mirror an additional AuthorizationPolicy # resource should be created. - meshTLS: - serviceAccounts: - - name: prometheus - namespace: linkerd-viz + - kind: ServiceAccount + name: prometheus + namespace: linkerd-viz diff --git a/multicluster/cmd/testdata/install_default.golden b/multicluster/cmd/testdata/install_default.golden index 48563a1e6..db328a2ec 100644 --- a/multicluster/cmd/testdata/install_default.golden +++ b/multicluster/cmd/testdata/install_default.golden @@ -102,8 +102,8 @@ spec: app: linkerd-gateway port: linkerd-proxy --- -apiVersion: policy.linkerd.io/v1beta1 -kind: ServerAuthorization +apiVersion: policy.linkerd.io/v1alpha1 +kind: AuthorizationPolicy metadata: namespace: linkerd-multicluster name: linkerd-gateway 
@@ -113,21 +113,54 @@ metadata: annotations: linkerd.io/created-by: linkerd/helm linkerdVersionValue spec: - server: + targetRef: + group: policy.linkerd.io + kind: Server name: linkerd-gateway - client: - meshTLS: - identities: - - '*' - networks: + requiredAuthenticationRefs: + - group: policy.linkerd.io + kind: MeshTLSAuthentication + name: any-meshed + namespace: linkerd-multicluster + - group: policy.linkerd.io + kind: NetworkAuthentication + name: source-cluster + namespace: linkerd-multicluster +--- +apiVersion: policy.linkerd.io/v1alpha1 +kind: MeshTLSAuthentication +metadata: + namespace: linkerd-multicluster + name: any-meshed + labels: + linkerd.io/extension: multicluster + app: linkerd-gateway + annotations: + linkerd.io/created-by: linkerd/helm linkerdVersionValue +spec: + identities: + - '*' +--- +apiVersion: policy.linkerd.io/v1alpha1 +kind: NetworkAuthentication +metadata: + namespace: linkerd-multicluster + name: source-cluster + labels: + linkerd.io/extension: multicluster + app: linkerd-gateway + annotations: + linkerd.io/created-by: linkerd/helm linkerdVersionValue +spec: + networks: # Change this to the source cluster cidrs pointing to this gateway. # Note that the source IP in some providers (e.g. GKE) will be the local # node's IP and not the source cluster's - - cidr: 0.0.0.0/0 - - cidr: ::/0 + - cidr: "0.0.0.0/0" + - cidr: "::/0" --- -apiVersion: policy.linkerd.io/v1beta1 -kind: ServerAuthorization +apiVersion: policy.linkerd.io/v1alpha1 +kind: AuthorizationPolicy metadata: namespace: linkerd-multicluster name: linkerd-gateway-probe 
@@ -137,17 +170,20 @@ metadata: annotations: linkerd.io/created-by: linkerd/helm linkerdVersionValue spec: - server: - name: gateway-proxy-admin - client: + targetRef: + group: policy.linkerd.io + kind: Server + name: linkerd-gateway + requiredAuthenticationRefs: # allows probes from outside the cluster, as long as they have an identity - meshTLS: - identities: - - '*' - networks: - # cf note for linkerd-gateway ServerAuthorization - - cidr: 0.0.0.0/0 - - cidr: ::/0 + - group: policy.linkerd.io + kind: MeshTLSAuthentication + name: any-meshed + namespace: linkerd-multicluster + - group: policy.linkerd.io + kind: NetworkAuthentication + name: source-cluster + namespace: linkerd-multicluster --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole @@ -316,23 +352,24 @@ spec: port: admin-http proxyProtocol: HTTP/1 --- -apiVersion: policy.linkerd.io/v1beta1 -kind: ServerAuthorization +apiVersion: policy.linkerd.io/v1alpha1 +kind: AuthorizationPolicy metadata: namespace: linkerd-multicluster name: service-mirror labels: component: linkerd-service-mirror spec: - server: + targetRef: + group: policy.linkerd.io + kind: Server name: service-mirror - client: + requiredAuthenticationRefs: # In order to use `linkerd mc gateways` you need viz' Prometheus instance # to be able to reach the service-mirror. In order to also have a separate - # Prometheus scrape the service-mirror an additional ServerAuthorization + # Prometheus scrape the service-mirror an additional AuthorizationPolicy # resource should be created. - meshTLS: - serviceAccounts: - - name: prometheus - namespace: linkerd-viz + - kind: ServiceAccount + name: prometheus + namespace: linkerd-viz --- diff --git a/multicluster/cmd/testdata/install_ha.golden b/multicluster/cmd/testdata/install_ha.golden index 7c0234b32..cef26cd29 100644 --- a/multicluster/cmd/testdata/install_ha.golden +++ b/multicluster/cmd/testdata/install_ha.golden 
@@ -139,8 +139,8 @@ spec: app: linkerd-gateway port: linkerd-proxy --- -apiVersion: policy.linkerd.io/v1beta1 -kind: ServerAuthorization +apiVersion: policy.linkerd.io/v1alpha1 +kind: AuthorizationPolicy metadata: namespace: linkerd-multicluster name: linkerd-gateway @@ -150,21 +150,54 @@ metadata: annotations: linkerd.io/created-by: linkerd/helm linkerdVersionValue spec: - server: + targetRef: + group: policy.linkerd.io + kind: Server name: linkerd-gateway - client: - meshTLS: - identities: - - '*' - networks: + requiredAuthenticationRefs: + - group: policy.linkerd.io + kind: MeshTLSAuthentication + name: any-meshed + namespace: linkerd-multicluster + - group: policy.linkerd.io + kind: NetworkAuthentication + name: source-cluster + namespace: linkerd-multicluster +--- +apiVersion: policy.linkerd.io/v1alpha1 +kind: MeshTLSAuthentication +metadata: + namespace: linkerd-multicluster + name: any-meshed + labels: + linkerd.io/extension: multicluster + app: linkerd-gateway + annotations: + linkerd.io/created-by: linkerd/helm linkerdVersionValue +spec: + identities: + - '*' +--- +apiVersion: policy.linkerd.io/v1alpha1 +kind: NetworkAuthentication +metadata: + namespace: linkerd-multicluster + name: source-cluster + labels: + linkerd.io/extension: multicluster + app: linkerd-gateway + annotations: + linkerd.io/created-by: linkerd/helm linkerdVersionValue +spec: + networks: # Change this to the source cluster cidrs pointing to this gateway. # Note that the source IP in some providers (e.g. GKE) will be the local # node's IP and not the source cluster's - - cidr: 0.0.0.0/0 - - cidr: ::/0 + - cidr: "0.0.0.0/0" + - cidr: "::/0" --- -apiVersion: policy.linkerd.io/v1beta1 -kind: ServerAuthorization +apiVersion: policy.linkerd.io/v1alpha1 +kind: AuthorizationPolicy metadata: namespace: linkerd-multicluster name: linkerd-gateway-probe 
@@ -174,17 +207,20 @@ metadata: annotations: linkerd.io/created-by: linkerd/helm linkerdVersionValue spec: - server: - name: gateway-proxy-admin - client: + targetRef: + group: policy.linkerd.io + kind: Server + name: linkerd-gateway + requiredAuthenticationRefs: # allows probes from outside the cluster, as long as they have an identity - meshTLS: - identities: - - '*' - networks: - # cf note for linkerd-gateway ServerAuthorization - - cidr: 0.0.0.0/0 - - cidr: ::/0 + - group: policy.linkerd.io + kind: MeshTLSAuthentication + name: any-meshed + namespace: linkerd-multicluster + - group: policy.linkerd.io + kind: NetworkAuthentication + name: source-cluster + namespace: linkerd-multicluster --- apiVersion: rbac.authorization.k8s.io/v1 kind: Role @@ -384,23 +420,24 @@ spec: port: admin-http proxyProtocol: HTTP/1 --- -apiVersion: policy.linkerd.io/v1beta1 -kind: ServerAuthorization +apiVersion: policy.linkerd.io/v1alpha1 +kind: AuthorizationPolicy metadata: namespace: linkerd-multicluster name: service-mirror labels: component: linkerd-service-mirror spec: - server: + targetRef: + group: policy.linkerd.io + kind: Server name: service-mirror - client: + requiredAuthenticationRefs: # In order to use `linkerd mc gateways` you need viz' Prometheus instance # to be able to reach the service-mirror. In order to also have a separate - # Prometheus scrape the service-mirror an additional ServerAuthorization + # Prometheus scrape the service-mirror an additional AuthorizationPolicy # resource should be created. - meshTLS: - serviceAccounts: - - name: prometheus - namespace: linkerd-viz + - kind: ServiceAccount + name: prometheus + namespace: linkerd-viz --- diff --git a/multicluster/cmd/testdata/install_psp.golden b/multicluster/cmd/testdata/install_psp.golden index dd7f7dee9..75d36480c 100644 --- a/multicluster/cmd/testdata/install_psp.golden +++ b/multicluster/cmd/testdata/install_psp.golden 
@@ -102,8 +102,8 @@ spec: app: linkerd-gateway port: linkerd-proxy --- -apiVersion: policy.linkerd.io/v1beta1 -kind: ServerAuthorization +apiVersion: policy.linkerd.io/v1alpha1 +kind: AuthorizationPolicy metadata: namespace: linkerd-multicluster name: linkerd-gateway @@ -113,21 +113,54 @@ metadata: annotations: linkerd.io/created-by: linkerd/helm linkerdVersionValue spec: - server: + targetRef: + group: policy.linkerd.io + kind: Server name: linkerd-gateway - client: - meshTLS: - identities: - - '*' - networks: + requiredAuthenticationRefs: + - group: policy.linkerd.io + kind: MeshTLSAuthentication + name: any-meshed + namespace: linkerd-multicluster + - group: policy.linkerd.io + kind: NetworkAuthentication + name: source-cluster + namespace: linkerd-multicluster +--- +apiVersion: policy.linkerd.io/v1alpha1 +kind: MeshTLSAuthentication +metadata: + namespace: linkerd-multicluster + name: any-meshed + labels: + linkerd.io/extension: multicluster + app: linkerd-gateway + annotations: + linkerd.io/created-by: linkerd/helm linkerdVersionValue +spec: + identities: + - '*' +--- +apiVersion: policy.linkerd.io/v1alpha1 +kind: NetworkAuthentication +metadata: + namespace: linkerd-multicluster + name: source-cluster + labels: + linkerd.io/extension: multicluster + app: linkerd-gateway + annotations: + linkerd.io/created-by: linkerd/helm linkerdVersionValue +spec: + networks: # Change this to the source cluster cidrs pointing to this gateway. # Note that the source IP in some providers (e.g. GKE) will be the local # node's IP and not the source cluster's - - cidr: 0.0.0.0/0 - - cidr: ::/0 + - cidr: "0.0.0.0/0" + - cidr: "::/0" --- -apiVersion: policy.linkerd.io/v1beta1 -kind: ServerAuthorization +apiVersion: policy.linkerd.io/v1alpha1 +kind: AuthorizationPolicy metadata: namespace: linkerd-multicluster name: linkerd-gateway-probe 
@@ -137,17 +170,20 @@ metadata: annotations: linkerd.io/created-by: linkerd/helm linkerdVersionValue spec: - server: - name: gateway-proxy-admin - client: + targetRef: + group: policy.linkerd.io + kind: Server + name: linkerd-gateway + requiredAuthenticationRefs: # allows probes from outside the cluster, as long as they have an identity - meshTLS: - identities: - - '*' - networks: - # cf note for linkerd-gateway ServerAuthorization - - cidr: 0.0.0.0/0 - - cidr: ::/0 + - group: policy.linkerd.io + kind: MeshTLSAuthentication + name: any-meshed + namespace: linkerd-multicluster + - group: policy.linkerd.io + kind: NetworkAuthentication + name: source-cluster + namespace: linkerd-multicluster --- apiVersion: rbac.authorization.k8s.io/v1 kind: Role @@ -347,23 +383,24 @@ spec: port: admin-http proxyProtocol: HTTP/1 --- -apiVersion: policy.linkerd.io/v1beta1 -kind: ServerAuthorization +apiVersion: policy.linkerd.io/v1alpha1 +kind: AuthorizationPolicy metadata: namespace: linkerd-multicluster name: service-mirror labels: component: linkerd-service-mirror spec: - server: + targetRef: + group: policy.linkerd.io + kind: Server name: service-mirror - client: + requiredAuthenticationRefs: # In order to use `linkerd mc gateways` you need viz' Prometheus instance # to be able to reach the service-mirror. In order to also have a separate - # Prometheus scrape the service-mirror an additional ServerAuthorization + # Prometheus scrape the service-mirror an additional AuthorizationPolicy # resource should be created. - meshTLS: - serviceAccounts: - - name: prometheus - namespace: linkerd-viz + - kind: ServiceAccount + name: prometheus + namespace: linkerd-viz ---