convert ServerAuthorizations to AuthorizationPolicies (#10079)

The Linkerd extension charts use ServerAuthorization resources. AuthorizationPolicies are now the recommended resource, to be used in preference to ServerAuthorizations. We replace all of the ServerAuthorization resources in the Linkerd extension charts with AuthorizationPolicy resources.

Signed-off-by: Alex Leong <alex@buoyant.io>
This commit is contained in:
Alex Leong 2023-01-11 15:07:15 -08:00 committed by GitHub
parent cb0f9eb7a9
commit 52fb2c6750
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
10 changed files with 852 additions and 431 deletions


@ -18,27 +18,8 @@ spec:
port: jaeger-injector port: jaeger-injector
proxyProtocol: TLS proxyProtocol: TLS
--- ---
apiVersion: policy.linkerd.io/v1beta1 apiVersion: policy.linkerd.io/v1alpha1
kind: Server kind: AuthorizationPolicy
metadata:
namespace: {{ .Release.Namespace }}
name: jaeger-injector-admin
labels:
linkerd.io/extension: jaeger
component: jaeger-injector
{{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }}
annotations:
{{ include "partials.annotations.created-by" . }}
spec:
podSelector:
matchLabels:
linkerd.io/extension: jaeger
component: jaeger-injector
port: admin-http
proxyProtocol: HTTP/1
---
apiVersion: policy.linkerd.io/v1beta1
kind: ServerAuthorization
metadata: metadata:
namespace: {{ .Release.Namespace }} namespace: {{ .Release.Namespace }}
name: jaeger-injector name: jaeger-injector
@ -49,11 +30,28 @@ metadata:
annotations: annotations:
{{ include "partials.annotations.created-by" . }} {{ include "partials.annotations.created-by" . }}
spec: spec:
server: targetRef:
selector: group: policy.linkerd.io
matchLabels: kind: Server
linkerd.io/extension: jaeger name: jaeger-injector-webhook
component: jaeger-injector requiredAuthenticationRefs:
client: - group: policy.linkerd.io
# traffic coming from the kubelet and from kube-api kind: NetworkAuthentication
unauthenticated: true name: kube-api-server
---
apiVersion: policy.linkerd.io/v1alpha1
kind: NetworkAuthentication
metadata:
namespace: {{ .Release.Namespace }}
name: kube-api-server
labels:
linkerd.io/extension: viz
{{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }}
annotations:
{{ include "partials.annotations.created-by" . }}
spec:
# Ideally, this should be restricted to the actual set of IPs the kube-api
# server uses for webhooks in a cluster. This can't easily be discovered.
networks:
- cidr: "0.0.0.0/0"
- cidr: "::/0"
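Review bot: The new NetworkAuthentication `kube-api-server` is labelled `linkerd.io/extension: viz` while every other resource in this jaeger chart carries `linkerd.io/extension: jaeger`; anything that selects or prunes extension resources by that label would attribute it to viz, so it should read `linkerd.io/extension: jaeger`. The same label appears in the three rendered `namespace: linkerd-jaeger` outputs further down this commit. The comment above `networks` says the address set is the one the `kube-api` server uses, whereas those rendered outputs say `kubelet API`; one wording should be chosen so the template and its rendered fixtures agree. Dropping the `jaeger-injector-admin` Server also removes the only explicit policy covering the admin-http port, which will now be decided by the default inbound policy rather than the removed unauthenticated authorization; worth confirming that is the intent for kubelet probes.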


@ -122,11 +122,11 @@ spec:
port: 13133 port: 13133
proxyProtocol: HTTP/1 proxyProtocol: HTTP/1
--- ---
apiVersion: policy.linkerd.io/v1beta1 apiVersion: policy.linkerd.io/v1alpha1
kind: ServerAuthorization kind: AuthorizationPolicy
metadata: metadata:
namespace: {{ .Release.Namespace }} namespace: {{ .Release.Namespace }}
name: collector name: collector-otlp
labels: labels:
linkerd.io/extension: jaeger linkerd.io/extension: jaeger
component: collector component: collector
@ -134,16 +134,107 @@ metadata:
annotations: annotations:
{{ include "partials.annotations.created-by" . }} {{ include "partials.annotations.created-by" . }}
spec: spec:
server: targetRef:
selector: group: policy.linkerd.io
matchLabels: kind: Server
name: collector-otlp
# allow connections from any pod (meshed or not) sending trace data
requiredAuthenticationRefs: []
---
apiVersion: policy.linkerd.io/v1alpha1
kind: AuthorizationPolicy
metadata:
namespace: {{ .Release.Namespace }}
name: collector-otlp-http
labels:
linkerd.io/extension: jaeger linkerd.io/extension: jaeger
component: collector component: collector
client: {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }}
annotations:
{{ include "partials.annotations.created-by" . }}
spec:
targetRef:
group: policy.linkerd.io
kind: Server
name: collector-otlp-http
# allow connections from any pod (meshed or not) sending trace data # allow connections from any pod (meshed or not) sending trace data
unauthenticated: true requiredAuthenticationRefs: []
{{ end -}} ---
{{ if .Values.jaeger.enabled -}} apiVersion: policy.linkerd.io/v1alpha1
kind: AuthorizationPolicy
metadata:
namespace: {{ .Release.Namespace }}
name: collector-opencensus
labels:
linkerd.io/extension: jaeger
component: collector
{{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }}
annotations:
{{ include "partials.annotations.created-by" . }}
spec:
targetRef:
group: policy.linkerd.io
kind: Server
name: collector-opencensus
# allow connections from any pod (meshed or not) sending trace data
requiredAuthenticationRefs: []
---
apiVersion: policy.linkerd.io/v1alpha1
kind: AuthorizationPolicy
metadata:
namespace: {{ .Release.Namespace }}
name: collector-zipkin
labels:
linkerd.io/extension: jaeger
component: collector
{{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }}
annotations:
{{ include "partials.annotations.created-by" . }}
spec:
targetRef:
group: policy.linkerd.io
kind: Server
name: collector-zipkin
# allow connections from any pod (meshed or not) sending trace data
requiredAuthenticationRefs: []
---
apiVersion: policy.linkerd.io/v1alpha1
kind: AuthorizationPolicy
metadata:
namespace: {{ .Release.Namespace }}
name: collector-jaeger-thrift
labels:
linkerd.io/extension: jaeger
component: collector
{{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }}
annotations:
{{ include "partials.annotations.created-by" . }}
spec:
targetRef:
group: policy.linkerd.io
kind: Server
name: collector-jaeger-thrift
# allow connections from any pod (meshed or not) sending trace data
requiredAuthenticationRefs: []
---
apiVersion: policy.linkerd.io/v1alpha1
kind: AuthorizationPolicy
metadata:
namespace: {{ .Release.Namespace }}
name: collector-jaeger-grpc
labels:
linkerd.io/extension: jaeger
component: collector
{{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }}
annotations:
{{ include "partials.annotations.created-by" . }}
spec:
targetRef:
group: policy.linkerd.io
kind: Server
name: collector-jaeger-grpc
# allow connections from any pod (meshed or not) sending trace data
requiredAuthenticationRefs: []
--- ---
apiVersion: policy.linkerd.io/v1beta1 apiVersion: policy.linkerd.io/v1beta1
kind: Server kind: Server
@ -163,8 +254,8 @@ spec:
port: grpc port: grpc
proxyProtocol: gRPC proxyProtocol: gRPC
--- ---
apiVersion: policy.linkerd.io/v1beta1 apiVersion: policy.linkerd.io/v1alpha1
kind: ServerAuthorization kind: AuthorizationPolicy
metadata: metadata:
namespace: {{ .Release.Namespace }} namespace: {{ .Release.Namespace }}
name: jaeger-grpc name: jaeger-grpc
@ -175,12 +266,14 @@ metadata:
annotations: annotations:
{{ include "partials.annotations.created-by" . }} {{ include "partials.annotations.created-by" . }}
spec: spec:
server: targetRef:
group: policy.linkerd.io
kind: Server
name: jaeger-grpc name: jaeger-grpc
client: requiredAuthenticationRefs:
meshTLS: - kind: ServiceAccount
serviceAccounts: name: collector
- name: collector namespace: {{.Release.Namespace}}
--- ---
apiVersion: policy.linkerd.io/v1beta1 apiVersion: policy.linkerd.io/v1beta1
kind: Server kind: Server
@ -200,8 +293,8 @@ spec:
port: admin port: admin
proxyProtocol: HTTP/1 proxyProtocol: HTTP/1
--- ---
apiVersion: policy.linkerd.io/v1beta1 apiVersion: policy.linkerd.io/v1alpha1
kind: ServerAuthorization kind: AuthorizationPolicy
metadata: metadata:
namespace: {{ .Release.Namespace }} namespace: {{ .Release.Namespace }}
name: jaeger-admin name: jaeger-admin
@ -212,13 +305,14 @@ metadata:
annotations: annotations:
{{ include "partials.annotations.created-by" . }} {{ include "partials.annotations.created-by" . }}
spec: spec:
server: targetRef:
group: policy.linkerd.io
kind: Server
name: jaeger-admin name: jaeger-admin
client: requiredAuthenticationRefs:
meshTLS:
serviceAccounts:
# if not using linkerd-viz' prometheus, replace its SA here # if not using linkerd-viz' prometheus, replace its SA here
- name: prometheus - kind: ServiceAccount
name: prometheus
namespace: linkerd-viz namespace: linkerd-viz
--- ---
apiVersion: policy.linkerd.io/v1beta1 apiVersion: policy.linkerd.io/v1beta1
@ -239,8 +333,8 @@ spec:
port: ui port: ui
proxyProtocol: HTTP/1 proxyProtocol: HTTP/1
--- ---
apiVersion: policy.linkerd.io/v1beta1 apiVersion: policy.linkerd.io/v1alpha1
kind: ServerAuthorization kind: AuthorizationPolicy
metadata: metadata:
namespace: {{ .Release.Namespace }} namespace: {{ .Release.Namespace }}
name: jaeger-ui name: jaeger-ui
@ -251,12 +345,13 @@ metadata:
annotations: annotations:
{{ include "partials.annotations.created-by" . }} {{ include "partials.annotations.created-by" . }}
spec: spec:
server: targetRef:
group: policy.linkerd.io
kind: Server
name: jaeger-ui name: jaeger-ui
client: requiredAuthenticationRefs:
meshTLS:
serviceAccounts:
# for the optional dashboard integration # for the optional dashboard integration
- name: web - kind: ServiceAccount
name: web
namespace: linkerd-viz namespace: linkerd-viz
{{ end -}} {{ end -}}
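Review bot: The `jaeger-grpc` policy's ServiceAccount ref uses `namespace: {{.Release.Namespace}}` without the inner spaces, unlike `{{ .Release.Namespace }}` everywhere else in this chart; `namespace: {{ .Release.Namespace }}` keeps the templating style uniform. The single `collector` ServerAuthorization it replaces authorized every collector Server via a label selector, whereas the six new policies each bind to one Server by name (`collector-otlp`, `collector-otlp-http`, `collector-opencensus`, `collector-zipkin`, `collector-jaeger-thrift`, `collector-jaeger-grpc`); the hunk does not show those Servers, so any name that does not match an existing Server, or any collector Server added later, silently falls back to the default inbound policy instead of the intended unauthenticated access. A short comment above the first of them stating that the list must track the collector Servers one-to-one would make that maintenance coupling explicit.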


@ -122,26 +122,8 @@ spec:
port: jaeger-injector port: jaeger-injector
proxyProtocol: TLS proxyProtocol: TLS
--- ---
apiVersion: policy.linkerd.io/v1beta1 apiVersion: policy.linkerd.io/v1alpha1
kind: Server kind: AuthorizationPolicy
metadata:
namespace: linkerd-jaeger
name: jaeger-injector-admin
labels:
linkerd.io/extension: jaeger
component: jaeger-injector
annotations:
linkerd.io/created-by: linkerd/helm dev-undefined
spec:
podSelector:
matchLabels:
linkerd.io/extension: jaeger
component: jaeger-injector
port: admin-http
proxyProtocol: HTTP/1
---
apiVersion: policy.linkerd.io/v1beta1
kind: ServerAuthorization
metadata: metadata:
namespace: linkerd-jaeger namespace: linkerd-jaeger
name: jaeger-injector name: jaeger-injector
@ -151,14 +133,30 @@ metadata:
annotations: annotations:
linkerd.io/created-by: linkerd/helm dev-undefined linkerd.io/created-by: linkerd/helm dev-undefined
spec: spec:
server: targetRef:
selector: group: policy.linkerd.io
matchLabels: kind: Server
linkerd.io/extension: jaeger name: jaeger-injector-webhook
component: jaeger-injector requiredAuthenticationRefs:
client: - group: policy.linkerd.io
# traffic coming from the kubelet and from kube-api kind: NetworkAuthentication
unauthenticated: true name: kube-api-server
---
apiVersion: policy.linkerd.io/v1alpha1
kind: NetworkAuthentication
metadata:
namespace: linkerd-jaeger
name: kube-api-server
labels:
linkerd.io/extension: viz
annotations:
linkerd.io/created-by: linkerd/helm dev-undefined
spec:
# Ideally, this should be restricted to the actual set of IPs the kubelet API
# server uses for webhooks in a cluster. This can't easily be discovered.
networks:
- cidr: "0.0.0.0/0"
- cidr: "::/0"
--- ---
### ###
### Jaeger Injector RBAC ### Jaeger Injector RBAC
@ -309,112 +307,3 @@ spec:
type: RuntimeDefault type: RuntimeDefault
dnsPolicy: ClusterFirst dnsPolicy: ClusterFirst
serviceAccountName: jaeger serviceAccountName: jaeger
---
apiVersion: policy.linkerd.io/v1beta1
kind: Server
metadata:
namespace: linkerd-jaeger
name: jaeger-grpc
labels:
linkerd.io/extension: jaeger
component: jaeger
annotations:
linkerd.io/created-by: linkerd/helm dev-undefined
spec:
podSelector:
matchLabels:
component: jaeger
port: grpc
proxyProtocol: gRPC
---
apiVersion: policy.linkerd.io/v1beta1
kind: ServerAuthorization
metadata:
namespace: linkerd-jaeger
name: jaeger-grpc
labels:
linkerd.io/extension: jaeger
component: jaeger
annotations:
linkerd.io/created-by: linkerd/helm dev-undefined
spec:
server:
name: jaeger-grpc
client:
meshTLS:
serviceAccounts:
- name: collector
---
apiVersion: policy.linkerd.io/v1beta1
kind: Server
metadata:
namespace: linkerd-jaeger
name: jaeger-admin
labels:
linkerd.io/extension: jaeger
component: jaeger
annotations:
linkerd.io/created-by: linkerd/helm dev-undefined
spec:
podSelector:
matchLabels:
component: jaeger
port: admin
proxyProtocol: HTTP/1
---
apiVersion: policy.linkerd.io/v1beta1
kind: ServerAuthorization
metadata:
namespace: linkerd-jaeger
name: jaeger-admin
labels:
linkerd.io/extension: jaeger
component: jaeger
annotations:
linkerd.io/created-by: linkerd/helm dev-undefined
spec:
server:
name: jaeger-admin
client:
meshTLS:
serviceAccounts:
# if not using linkerd-viz' prometheus, replace its SA here
- name: prometheus
namespace: linkerd-viz
---
apiVersion: policy.linkerd.io/v1beta1
kind: Server
metadata:
namespace: linkerd-jaeger
name: jaeger-ui
labels:
linkerd.io/extension: jaeger
component: jaeger
annotations:
linkerd.io/created-by: linkerd/helm dev-undefined
spec:
podSelector:
matchLabels:
component: jaeger
port: ui
proxyProtocol: HTTP/1
---
apiVersion: policy.linkerd.io/v1beta1
kind: ServerAuthorization
metadata:
namespace: linkerd-jaeger
name: jaeger-ui
labels:
linkerd.io/extension: jaeger
component: jaeger
annotations:
linkerd.io/created-by: linkerd/helm dev-undefined
spec:
server:
name: jaeger-ui
client:
meshTLS:
serviceAccounts:
# for the optional dashboard integration
- name: web
namespace: linkerd-viz


@ -122,26 +122,8 @@ spec:
port: jaeger-injector port: jaeger-injector
proxyProtocol: TLS proxyProtocol: TLS
--- ---
apiVersion: policy.linkerd.io/v1beta1 apiVersion: policy.linkerd.io/v1alpha1
kind: Server kind: AuthorizationPolicy
metadata:
namespace: linkerd-jaeger
name: jaeger-injector-admin
labels:
linkerd.io/extension: jaeger
component: jaeger-injector
annotations:
linkerd.io/created-by: linkerd/helm dev-undefined
spec:
podSelector:
matchLabels:
linkerd.io/extension: jaeger
component: jaeger-injector
port: admin-http
proxyProtocol: HTTP/1
---
apiVersion: policy.linkerd.io/v1beta1
kind: ServerAuthorization
metadata: metadata:
namespace: linkerd-jaeger namespace: linkerd-jaeger
name: jaeger-injector name: jaeger-injector
@ -151,14 +133,30 @@ metadata:
annotations: annotations:
linkerd.io/created-by: linkerd/helm dev-undefined linkerd.io/created-by: linkerd/helm dev-undefined
spec: spec:
server: targetRef:
selector: group: policy.linkerd.io
matchLabels: kind: Server
linkerd.io/extension: jaeger name: jaeger-injector-webhook
component: jaeger-injector requiredAuthenticationRefs:
client: - group: policy.linkerd.io
# traffic coming from the kubelet and from kube-api kind: NetworkAuthentication
unauthenticated: true name: kube-api-server
---
apiVersion: policy.linkerd.io/v1alpha1
kind: NetworkAuthentication
metadata:
namespace: linkerd-jaeger
name: kube-api-server
labels:
linkerd.io/extension: viz
annotations:
linkerd.io/created-by: linkerd/helm dev-undefined
spec:
# Ideally, this should be restricted to the actual set of IPs the kubelet API
# server uses for webhooks in a cluster. This can't easily be discovered.
networks:
- cidr: "0.0.0.0/0"
- cidr: "::/0"
--- ---
### ###
### collector RBAC ### collector RBAC
@ -602,25 +600,113 @@ spec:
port: 13133 port: 13133
proxyProtocol: HTTP/1 proxyProtocol: HTTP/1
--- ---
apiVersion: policy.linkerd.io/v1beta1 apiVersion: policy.linkerd.io/v1alpha1
kind: ServerAuthorization kind: AuthorizationPolicy
metadata: metadata:
namespace: linkerd-jaeger namespace: linkerd-jaeger
name: collector name: collector-otlp
labels: labels:
linkerd.io/extension: jaeger linkerd.io/extension: jaeger
component: collector component: collector
annotations: annotations:
linkerd.io/created-by: linkerd/helm dev-undefined linkerd.io/created-by: linkerd/helm dev-undefined
spec: spec:
server: targetRef:
selector: group: policy.linkerd.io
matchLabels: kind: Server
name: collector-otlp
# allow connections from any pod (meshed or not) sending trace data
requiredAuthenticationRefs: []
---
apiVersion: policy.linkerd.io/v1alpha1
kind: AuthorizationPolicy
metadata:
namespace: linkerd-jaeger
name: collector-otlp-http
labels:
linkerd.io/extension: jaeger linkerd.io/extension: jaeger
component: collector component: collector
client: annotations:
linkerd.io/created-by: linkerd/helm dev-undefined
spec:
targetRef:
group: policy.linkerd.io
kind: Server
name: collector-otlp-http
# allow connections from any pod (meshed or not) sending trace data # allow connections from any pod (meshed or not) sending trace data
unauthenticated: true requiredAuthenticationRefs: []
---
apiVersion: policy.linkerd.io/v1alpha1
kind: AuthorizationPolicy
metadata:
namespace: linkerd-jaeger
name: collector-opencensus
labels:
linkerd.io/extension: jaeger
component: collector
annotations:
linkerd.io/created-by: linkerd/helm dev-undefined
spec:
targetRef:
group: policy.linkerd.io
kind: Server
name: collector-opencensus
# allow connections from any pod (meshed or not) sending trace data
requiredAuthenticationRefs: []
---
apiVersion: policy.linkerd.io/v1alpha1
kind: AuthorizationPolicy
metadata:
namespace: linkerd-jaeger
name: collector-zipkin
labels:
linkerd.io/extension: jaeger
component: collector
annotations:
linkerd.io/created-by: linkerd/helm dev-undefined
spec:
targetRef:
group: policy.linkerd.io
kind: Server
name: collector-zipkin
# allow connections from any pod (meshed or not) sending trace data
requiredAuthenticationRefs: []
---
apiVersion: policy.linkerd.io/v1alpha1
kind: AuthorizationPolicy
metadata:
namespace: linkerd-jaeger
name: collector-jaeger-thrift
labels:
linkerd.io/extension: jaeger
component: collector
annotations:
linkerd.io/created-by: linkerd/helm dev-undefined
spec:
targetRef:
group: policy.linkerd.io
kind: Server
name: collector-jaeger-thrift
# allow connections from any pod (meshed or not) sending trace data
requiredAuthenticationRefs: []
---
apiVersion: policy.linkerd.io/v1alpha1
kind: AuthorizationPolicy
metadata:
namespace: linkerd-jaeger
name: collector-jaeger-grpc
labels:
linkerd.io/extension: jaeger
component: collector
annotations:
linkerd.io/created-by: linkerd/helm dev-undefined
spec:
targetRef:
group: policy.linkerd.io
kind: Server
name: collector-jaeger-grpc
# allow connections from any pod (meshed or not) sending trace data
requiredAuthenticationRefs: []
--- ---
apiVersion: policy.linkerd.io/v1beta1 apiVersion: policy.linkerd.io/v1beta1
kind: Server kind: Server
@ -639,8 +725,8 @@ spec:
port: grpc port: grpc
proxyProtocol: gRPC proxyProtocol: gRPC
--- ---
apiVersion: policy.linkerd.io/v1beta1 apiVersion: policy.linkerd.io/v1alpha1
kind: ServerAuthorization kind: AuthorizationPolicy
metadata: metadata:
namespace: linkerd-jaeger namespace: linkerd-jaeger
name: jaeger-grpc name: jaeger-grpc
@ -650,12 +736,14 @@ metadata:
annotations: annotations:
linkerd.io/created-by: linkerd/helm dev-undefined linkerd.io/created-by: linkerd/helm dev-undefined
spec: spec:
server: targetRef:
group: policy.linkerd.io
kind: Server
name: jaeger-grpc name: jaeger-grpc
client: requiredAuthenticationRefs:
meshTLS: - kind: ServiceAccount
serviceAccounts: name: collector
- name: collector namespace: linkerd-jaeger
--- ---
apiVersion: policy.linkerd.io/v1beta1 apiVersion: policy.linkerd.io/v1beta1
kind: Server kind: Server
@ -674,8 +762,8 @@ spec:
port: admin port: admin
proxyProtocol: HTTP/1 proxyProtocol: HTTP/1
--- ---
apiVersion: policy.linkerd.io/v1beta1 apiVersion: policy.linkerd.io/v1alpha1
kind: ServerAuthorization kind: AuthorizationPolicy
metadata: metadata:
namespace: linkerd-jaeger namespace: linkerd-jaeger
name: jaeger-admin name: jaeger-admin
@ -685,13 +773,14 @@ metadata:
annotations: annotations:
linkerd.io/created-by: linkerd/helm dev-undefined linkerd.io/created-by: linkerd/helm dev-undefined
spec: spec:
server: targetRef:
group: policy.linkerd.io
kind: Server
name: jaeger-admin name: jaeger-admin
client: requiredAuthenticationRefs:
meshTLS:
serviceAccounts:
# if not using linkerd-viz' prometheus, replace its SA here # if not using linkerd-viz' prometheus, replace its SA here
- name: prometheus - kind: ServiceAccount
name: prometheus
namespace: linkerd-viz namespace: linkerd-viz
--- ---
apiVersion: policy.linkerd.io/v1beta1 apiVersion: policy.linkerd.io/v1beta1
@ -711,8 +800,8 @@ spec:
port: ui port: ui
proxyProtocol: HTTP/1 proxyProtocol: HTTP/1
--- ---
apiVersion: policy.linkerd.io/v1beta1 apiVersion: policy.linkerd.io/v1alpha1
kind: ServerAuthorization kind: AuthorizationPolicy
metadata: metadata:
namespace: linkerd-jaeger namespace: linkerd-jaeger
name: jaeger-ui name: jaeger-ui
@ -722,11 +811,12 @@ metadata:
annotations: annotations:
linkerd.io/created-by: linkerd/helm dev-undefined linkerd.io/created-by: linkerd/helm dev-undefined
spec: spec:
server: targetRef:
group: policy.linkerd.io
kind: Server
name: jaeger-ui name: jaeger-ui
client: requiredAuthenticationRefs:
meshTLS:
serviceAccounts:
# for the optional dashboard integration # for the optional dashboard integration
- name: web - kind: ServiceAccount
name: web
namespace: linkerd-viz namespace: linkerd-viz


@ -122,26 +122,8 @@ spec:
port: jaeger-injector port: jaeger-injector
proxyProtocol: TLS proxyProtocol: TLS
--- ---
apiVersion: policy.linkerd.io/v1beta1 apiVersion: policy.linkerd.io/v1alpha1
kind: Server kind: AuthorizationPolicy
metadata:
namespace: linkerd-jaeger
name: jaeger-injector-admin
labels:
linkerd.io/extension: jaeger
component: jaeger-injector
annotations:
linkerd.io/created-by: linkerd/helm dev-undefined
spec:
podSelector:
matchLabels:
linkerd.io/extension: jaeger
component: jaeger-injector
port: admin-http
proxyProtocol: HTTP/1
---
apiVersion: policy.linkerd.io/v1beta1
kind: ServerAuthorization
metadata: metadata:
namespace: linkerd-jaeger namespace: linkerd-jaeger
name: jaeger-injector name: jaeger-injector
@ -151,14 +133,30 @@ metadata:
annotations: annotations:
linkerd.io/created-by: linkerd/helm dev-undefined linkerd.io/created-by: linkerd/helm dev-undefined
spec: spec:
server: targetRef:
selector: group: policy.linkerd.io
matchLabels: kind: Server
linkerd.io/extension: jaeger name: jaeger-injector-webhook
component: jaeger-injector requiredAuthenticationRefs:
client: - group: policy.linkerd.io
# traffic coming from the kubelet and from kube-api kind: NetworkAuthentication
unauthenticated: true name: kube-api-server
---
apiVersion: policy.linkerd.io/v1alpha1
kind: NetworkAuthentication
metadata:
namespace: linkerd-jaeger
name: kube-api-server
labels:
linkerd.io/extension: viz
annotations:
linkerd.io/created-by: linkerd/helm dev-undefined
spec:
# Ideally, this should be restricted to the actual set of IPs the kubelet API
# server uses for webhooks in a cluster. This can't easily be discovered.
networks:
- cidr: "0.0.0.0/0"
- cidr: "::/0"
--- ---
### ###
### collector RBAC ### collector RBAC
@ -512,22 +510,223 @@ spec:
port: 13133 port: 13133
proxyProtocol: HTTP/1 proxyProtocol: HTTP/1
--- ---
apiVersion: policy.linkerd.io/v1beta1 apiVersion: policy.linkerd.io/v1alpha1
kind: ServerAuthorization kind: AuthorizationPolicy
metadata: metadata:
namespace: linkerd-jaeger namespace: linkerd-jaeger
name: collector name: collector-otlp
labels: labels:
linkerd.io/extension: jaeger linkerd.io/extension: jaeger
component: collector component: collector
annotations: annotations:
linkerd.io/created-by: linkerd/helm dev-undefined linkerd.io/created-by: linkerd/helm dev-undefined
spec: spec:
server: targetRef:
selector: group: policy.linkerd.io
matchLabels: kind: Server
name: collector-otlp
# allow connections from any pod (meshed or not) sending trace data
requiredAuthenticationRefs: []
---
apiVersion: policy.linkerd.io/v1alpha1
kind: AuthorizationPolicy
metadata:
namespace: linkerd-jaeger
name: collector-otlp-http
labels:
linkerd.io/extension: jaeger linkerd.io/extension: jaeger
component: collector component: collector
client: annotations:
linkerd.io/created-by: linkerd/helm dev-undefined
spec:
targetRef:
group: policy.linkerd.io
kind: Server
name: collector-otlp-http
# allow connections from any pod (meshed or not) sending trace data # allow connections from any pod (meshed or not) sending trace data
unauthenticated: true requiredAuthenticationRefs: []
---
apiVersion: policy.linkerd.io/v1alpha1
kind: AuthorizationPolicy
metadata:
namespace: linkerd-jaeger
name: collector-opencensus
labels:
linkerd.io/extension: jaeger
component: collector
annotations:
linkerd.io/created-by: linkerd/helm dev-undefined
spec:
targetRef:
group: policy.linkerd.io
kind: Server
name: collector-opencensus
# allow connections from any pod (meshed or not) sending trace data
requiredAuthenticationRefs: []
---
apiVersion: policy.linkerd.io/v1alpha1
kind: AuthorizationPolicy
metadata:
namespace: linkerd-jaeger
name: collector-zipkin
labels:
linkerd.io/extension: jaeger
component: collector
annotations:
linkerd.io/created-by: linkerd/helm dev-undefined
spec:
targetRef:
group: policy.linkerd.io
kind: Server
name: collector-zipkin
# allow connections from any pod (meshed or not) sending trace data
requiredAuthenticationRefs: []
---
apiVersion: policy.linkerd.io/v1alpha1
kind: AuthorizationPolicy
metadata:
namespace: linkerd-jaeger
name: collector-jaeger-thrift
labels:
linkerd.io/extension: jaeger
component: collector
annotations:
linkerd.io/created-by: linkerd/helm dev-undefined
spec:
targetRef:
group: policy.linkerd.io
kind: Server
name: collector-jaeger-thrift
# allow connections from any pod (meshed or not) sending trace data
requiredAuthenticationRefs: []
---
apiVersion: policy.linkerd.io/v1alpha1
kind: AuthorizationPolicy
metadata:
namespace: linkerd-jaeger
name: collector-jaeger-grpc
labels:
linkerd.io/extension: jaeger
component: collector
annotations:
linkerd.io/created-by: linkerd/helm dev-undefined
spec:
targetRef:
group: policy.linkerd.io
kind: Server
name: collector-jaeger-grpc
# allow connections from any pod (meshed or not) sending trace data
requiredAuthenticationRefs: []
---
apiVersion: policy.linkerd.io/v1beta1
kind: Server
metadata:
namespace: linkerd-jaeger
name: jaeger-grpc
labels:
linkerd.io/extension: jaeger
component: jaeger
annotations:
linkerd.io/created-by: linkerd/helm dev-undefined
spec:
podSelector:
matchLabels:
component: jaeger
port: grpc
proxyProtocol: gRPC
---
apiVersion: policy.linkerd.io/v1alpha1
kind: AuthorizationPolicy
metadata:
namespace: linkerd-jaeger
name: jaeger-grpc
labels:
linkerd.io/extension: jaeger
component: jaeger
annotations:
linkerd.io/created-by: linkerd/helm dev-undefined
spec:
targetRef:
group: policy.linkerd.io
kind: Server
name: jaeger-grpc
requiredAuthenticationRefs:
- kind: ServiceAccount
name: collector
namespace: linkerd-jaeger
---
apiVersion: policy.linkerd.io/v1beta1
kind: Server
metadata:
namespace: linkerd-jaeger
name: jaeger-admin
labels:
linkerd.io/extension: jaeger
component: jaeger
annotations:
linkerd.io/created-by: linkerd/helm dev-undefined
spec:
podSelector:
matchLabels:
component: jaeger
port: admin
proxyProtocol: HTTP/1
---
apiVersion: policy.linkerd.io/v1alpha1
kind: AuthorizationPolicy
metadata:
namespace: linkerd-jaeger
name: jaeger-admin
labels:
linkerd.io/extension: jaeger
component: jaeger
annotations:
linkerd.io/created-by: linkerd/helm dev-undefined
spec:
targetRef:
group: policy.linkerd.io
kind: Server
name: jaeger-admin
requiredAuthenticationRefs:
# if not using linkerd-viz' prometheus, replace its SA here
- kind: ServiceAccount
name: prometheus
namespace: linkerd-viz
---
apiVersion: policy.linkerd.io/v1beta1
kind: Server
metadata:
namespace: linkerd-jaeger
name: jaeger-ui
labels:
linkerd.io/extension: jaeger
component: jaeger
annotations:
linkerd.io/created-by: linkerd/helm dev-undefined
spec:
podSelector:
matchLabels:
component: jaeger
port: ui
proxyProtocol: HTTP/1
---
apiVersion: policy.linkerd.io/v1alpha1
kind: AuthorizationPolicy
metadata:
namespace: linkerd-jaeger
name: jaeger-ui
labels:
linkerd.io/extension: jaeger
component: jaeger
annotations:
linkerd.io/created-by: linkerd/helm dev-undefined
spec:
targetRef:
group: policy.linkerd.io
kind: Server
name: jaeger-ui
requiredAuthenticationRefs:
# for the optional dashboard integration
- kind: ServiceAccount
name: web
namespace: linkerd-viz


@ -17,8 +17,8 @@ spec:
app: {{.Values.gateway.name}} app: {{.Values.gateway.name}}
port: linkerd-proxy port: linkerd-proxy
--- ---
apiVersion: policy.linkerd.io/v1beta1 apiVersion: policy.linkerd.io/v1alpha1
kind: ServerAuthorization kind: AuthorizationPolicy
metadata: metadata:
namespace: {{ .Release.Namespace }} namespace: {{ .Release.Namespace }}
name: linkerd-gateway name: linkerd-gateway
@ -29,21 +29,56 @@ metadata:
annotations: annotations:
{{ include "partials.annotations.created-by" . }} {{ include "partials.annotations.created-by" . }}
spec: spec:
server: targetRef:
group: policy.linkerd.io
kind: Server
name: linkerd-gateway name: linkerd-gateway
client: requiredAuthenticationRefs:
meshTLS: - group: policy.linkerd.io
kind: MeshTLSAuthentication
name: any-meshed
namespace: {{ .Release.Namespace }}
- group: policy.linkerd.io
kind: NetworkAuthentication
name: source-cluster
namespace: {{ .Release.Namespace }}
---
apiVersion: policy.linkerd.io/v1alpha1
kind: MeshTLSAuthentication
metadata:
namespace: {{ .Release.Namespace }}
name: any-meshed
labels:
linkerd.io/extension: multicluster
app: {{.Values.gateway.name}}
{{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }}
annotations:
{{ include "partials.annotations.created-by" . }}
spec:
identities: identities:
- '*' - '*'
---
apiVersion: policy.linkerd.io/v1alpha1
kind: NetworkAuthentication
metadata:
namespace: {{ .Release.Namespace }}
name: source-cluster
labels:
linkerd.io/extension: multicluster
app: {{.Values.gateway.name}}
{{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }}
annotations:
{{ include "partials.annotations.created-by" . }}
spec:
networks: networks:
# Change this to the source cluster cidrs pointing to this gateway. # Change this to the source cluster cidrs pointing to this gateway.
# Note that the source IP in some providers (e.g. GKE) will be the local # Note that the source IP in some providers (e.g. GKE) will be the local
# node's IP and not the source cluster's # node's IP and not the source cluster's
- cidr: 0.0.0.0/0 - cidr: "0.0.0.0/0"
- cidr: ::/0 - cidr: "::/0"
--- ---
apiVersion: policy.linkerd.io/v1beta1 apiVersion: policy.linkerd.io/v1alpha1
kind: ServerAuthorization kind: AuthorizationPolicy
metadata: metadata:
namespace: {{ .Release.Namespace }} namespace: {{ .Release.Namespace }}
name: linkerd-gateway-probe name: linkerd-gateway-probe
@ -54,15 +89,18 @@ metadata:
annotations: annotations:
{{ include "partials.annotations.created-by" . }} {{ include "partials.annotations.created-by" . }}
spec: spec:
server: targetRef:
name: gateway-proxy-admin group: policy.linkerd.io
client: kind: Server
name: linkerd-gateway
requiredAuthenticationRefs:
# allows probes from outside the cluster, as long as they have an identity # allows probes from outside the cluster, as long as they have an identity
meshTLS: - group: policy.linkerd.io
identities: kind: MeshTLSAuthentication
- '*' name: any-meshed
networks: namespace: {{ .Release.Namespace }}
# cf note for linkerd-gateway ServerAuthorization - group: policy.linkerd.io
- cidr: 0.0.0.0/0 kind: NetworkAuthentication
- cidr: ::/0 name: source-cluster
namespace: {{ .Release.Namespace }}
{{end -}} {{end -}}
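Review bot: `linkerd-gateway-probe` now targets the Server `linkerd-gateway` (the `name:` under its `targetRef`) where the ServerAuthorization it replaces targeted `gateway-proxy-admin`. As written it duplicates the `linkerd-gateway` policy above — same target, same two authentication refs — and the `gateway-proxy-admin` Server loses its explicit authorization, so probes of the admin port from outside the cluster will be decided by the default inbound policy instead. If that Server still exists in the chart this looks unintended, and the fix is `name: gateway-proxy-admin`; the retained comment `# allows probes from outside the cluster, as long as they have an identity` only makes sense for the admin Server.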


@ -14,8 +14,8 @@ spec:
port: admin-http port: admin-http
proxyProtocol: HTTP/1 proxyProtocol: HTTP/1
--- ---
apiVersion: policy.linkerd.io/v1beta1 apiVersion: policy.linkerd.io/v1alpha1
kind: ServerAuthorization kind: AuthorizationPolicy
metadata: metadata:
namespace: {{ .Release.Namespace }} namespace: {{ .Release.Namespace }}
name: service-mirror name: service-mirror
@ -23,14 +23,15 @@ metadata:
component: linkerd-service-mirror component: linkerd-service-mirror
{{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }} {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }}
spec: spec:
server: targetRef:
group: policy.linkerd.io
kind: Server
name: service-mirror name: service-mirror
client: requiredAuthenticationRefs:
# In order to use `linkerd mc gateways` you need viz' Prometheus instance # In order to use `linkerd mc gateways` you need viz' Prometheus instance
# to be able to reach the service-mirror. In order to also have a separate # to be able to reach the service-mirror. In order to also have a separate
# Prometheus scrape the service-mirror an additional ServerAuthorization # Prometheus scrape the service-mirror an additional AuthorizationPolicy
# resource should be created. # resource should be created.
meshTLS: - kind: ServiceAccount
serviceAccounts: name: prometheus
- name: prometheus
namespace: linkerd-viz namespace: linkerd-viz


@ -102,8 +102,8 @@ spec:
app: linkerd-gateway app: linkerd-gateway
port: linkerd-proxy port: linkerd-proxy
--- ---
apiVersion: policy.linkerd.io/v1beta1 apiVersion: policy.linkerd.io/v1alpha1
kind: ServerAuthorization kind: AuthorizationPolicy
metadata: metadata:
namespace: linkerd-multicluster namespace: linkerd-multicluster
name: linkerd-gateway name: linkerd-gateway
@ -113,21 +113,54 @@ metadata:
annotations: annotations:
linkerd.io/created-by: linkerd/helm linkerdVersionValue linkerd.io/created-by: linkerd/helm linkerdVersionValue
spec: spec:
server: targetRef:
group: policy.linkerd.io
kind: Server
name: linkerd-gateway name: linkerd-gateway
client: requiredAuthenticationRefs:
meshTLS: - group: policy.linkerd.io
kind: MeshTLSAuthentication
name: any-meshed
namespace: linkerd-multicluster
- group: policy.linkerd.io
kind: NetworkAuthentication
name: source-cluster
namespace: linkerd-multicluster
---
apiVersion: policy.linkerd.io/v1alpha1
kind: MeshTLSAuthentication
metadata:
namespace: linkerd-multicluster
name: any-meshed
labels:
linkerd.io/extension: multicluster
app: linkerd-gateway
annotations:
linkerd.io/created-by: linkerd/helm linkerdVersionValue
spec:
identities: identities:
- '*' - '*'
---
apiVersion: policy.linkerd.io/v1alpha1
kind: NetworkAuthentication
metadata:
namespace: linkerd-multicluster
name: source-cluster
labels:
linkerd.io/extension: multicluster
app: linkerd-gateway
annotations:
linkerd.io/created-by: linkerd/helm linkerdVersionValue
spec:
networks: networks:
# Change this to the source cluster cidrs pointing to this gateway. # Change this to the source cluster cidrs pointing to this gateway.
# Note that the source IP in some providers (e.g. GKE) will be the local # Note that the source IP in some providers (e.g. GKE) will be the local
# node's IP and not the source cluster's # node's IP and not the source cluster's
- cidr: 0.0.0.0/0 - cidr: "0.0.0.0/0"
- cidr: ::/0 - cidr: "::/0"
--- ---
apiVersion: policy.linkerd.io/v1beta1 apiVersion: policy.linkerd.io/v1alpha1
kind: ServerAuthorization kind: AuthorizationPolicy
metadata: metadata:
namespace: linkerd-multicluster namespace: linkerd-multicluster
name: linkerd-gateway-probe name: linkerd-gateway-probe
@ -137,17 +170,20 @@ metadata:
annotations: annotations:
linkerd.io/created-by: linkerd/helm linkerdVersionValue linkerd.io/created-by: linkerd/helm linkerdVersionValue
spec: spec:
server: targetRef:
name: gateway-proxy-admin group: policy.linkerd.io
client: kind: Server
name: linkerd-gateway
requiredAuthenticationRefs:
# allows probes from outside the cluster, as long as they have an identity # allows probes from outside the cluster, as long as they have an identity
meshTLS: - group: policy.linkerd.io
identities: kind: MeshTLSAuthentication
- '*' name: any-meshed
networks: namespace: linkerd-multicluster
# cf note for linkerd-gateway ServerAuthorization - group: policy.linkerd.io
- cidr: 0.0.0.0/0 kind: NetworkAuthentication
- cidr: ::/0 name: source-cluster
namespace: linkerd-multicluster
--- ---
apiVersion: rbac.authorization.k8s.io/v1 apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole kind: ClusterRole
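Review bot: The linkerd-gateway-probe AuthorizationPolicy now carries `name: linkerd-gateway` under its targetRef, while the ServerAuthorization it replaces targeted Server `gateway-proxy-admin`, and the comment on the following line still describes the policy as the one that allows probes. With this target the policy duplicates the linkerd-gateway AuthorizationPolicy earlier in this file section (same Server, same any-meshed and source-cluster refs), and no hunk in this file still grants anything to the gateway-proxy-admin Server, so probe traffic to the admin port would presumably fall through to the default policy. Unless the retargeting is intended, restore `name: gateway-proxy-admin`. The same rendered output appears in the corresponding probe hunks of the next two files, and the partial chart hunk at the top of this view shows the same `name: linkerd-gateway`, so the fix appears to belong in the chart template.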
@ -316,23 +352,24 @@ spec:
port: admin-http port: admin-http
proxyProtocol: HTTP/1 proxyProtocol: HTTP/1
--- ---
apiVersion: policy.linkerd.io/v1beta1 apiVersion: policy.linkerd.io/v1alpha1
kind: ServerAuthorization kind: AuthorizationPolicy
metadata: metadata:
namespace: linkerd-multicluster namespace: linkerd-multicluster
name: service-mirror name: service-mirror
labels: labels:
component: linkerd-service-mirror component: linkerd-service-mirror
spec: spec:
server: targetRef:
group: policy.linkerd.io
kind: Server
name: service-mirror name: service-mirror
client: requiredAuthenticationRefs:
# In order to use `linkerd mc gateways` you need viz' Prometheus instance # In order to use `linkerd mc gateways` you need viz' Prometheus instance
# to be able to reach the service-mirror. In order to also have a separate # to be able to reach the service-mirror. In order to also have a separate
# Prometheus scrape the service-mirror an additional ServerAuthorization # Prometheus scrape the service-mirror an additional AuthorizationPolicy
# resource should be created. # resource should be created.
meshTLS: - kind: ServiceAccount
serviceAccounts: name: prometheus
- name: prometheus
namespace: linkerd-viz namespace: linkerd-viz
--- ---


@ -139,8 +139,8 @@ spec:
app: linkerd-gateway app: linkerd-gateway
port: linkerd-proxy port: linkerd-proxy
--- ---
apiVersion: policy.linkerd.io/v1beta1 apiVersion: policy.linkerd.io/v1alpha1
kind: ServerAuthorization kind: AuthorizationPolicy
metadata: metadata:
namespace: linkerd-multicluster namespace: linkerd-multicluster
name: linkerd-gateway name: linkerd-gateway
@ -150,21 +150,54 @@ metadata:
annotations: annotations:
linkerd.io/created-by: linkerd/helm linkerdVersionValue linkerd.io/created-by: linkerd/helm linkerdVersionValue
spec: spec:
server: targetRef:
group: policy.linkerd.io
kind: Server
name: linkerd-gateway name: linkerd-gateway
client: requiredAuthenticationRefs:
meshTLS: - group: policy.linkerd.io
kind: MeshTLSAuthentication
name: any-meshed
namespace: linkerd-multicluster
- group: policy.linkerd.io
kind: NetworkAuthentication
name: source-cluster
namespace: linkerd-multicluster
---
apiVersion: policy.linkerd.io/v1alpha1
kind: MeshTLSAuthentication
metadata:
namespace: linkerd-multicluster
name: any-meshed
labels:
linkerd.io/extension: multicluster
app: linkerd-gateway
annotations:
linkerd.io/created-by: linkerd/helm linkerdVersionValue
spec:
identities: identities:
- '*' - '*'
---
apiVersion: policy.linkerd.io/v1alpha1
kind: NetworkAuthentication
metadata:
namespace: linkerd-multicluster
name: source-cluster
labels:
linkerd.io/extension: multicluster
app: linkerd-gateway
annotations:
linkerd.io/created-by: linkerd/helm linkerdVersionValue
spec:
networks: networks:
# Change this to the source cluster cidrs pointing to this gateway. # Change this to the source cluster cidrs pointing to this gateway.
# Note that the source IP in some providers (e.g. GKE) will be the local # Note that the source IP in some providers (e.g. GKE) will be the local
# node's IP and not the source cluster's # node's IP and not the source cluster's
- cidr: 0.0.0.0/0 - cidr: "0.0.0.0/0"
- cidr: ::/0 - cidr: "::/0"
--- ---
apiVersion: policy.linkerd.io/v1beta1 apiVersion: policy.linkerd.io/v1alpha1
kind: ServerAuthorization kind: AuthorizationPolicy
metadata: metadata:
namespace: linkerd-multicluster namespace: linkerd-multicluster
name: linkerd-gateway-probe name: linkerd-gateway-probe
@ -174,17 +207,20 @@ metadata:
annotations: annotations:
linkerd.io/created-by: linkerd/helm linkerdVersionValue linkerd.io/created-by: linkerd/helm linkerdVersionValue
spec: spec:
server: targetRef:
name: gateway-proxy-admin group: policy.linkerd.io
client: kind: Server
name: linkerd-gateway
requiredAuthenticationRefs:
# allows probes from outside the cluster, as long as they have an identity # allows probes from outside the cluster, as long as they have an identity
meshTLS: - group: policy.linkerd.io
identities: kind: MeshTLSAuthentication
- '*' name: any-meshed
networks: namespace: linkerd-multicluster
# cf note for linkerd-gateway ServerAuthorization - group: policy.linkerd.io
- cidr: 0.0.0.0/0 kind: NetworkAuthentication
- cidr: ::/0 name: source-cluster
namespace: linkerd-multicluster
--- ---
apiVersion: rbac.authorization.k8s.io/v1 apiVersion: rbac.authorization.k8s.io/v1
kind: Role kind: Role
@ -384,23 +420,24 @@ spec:
port: admin-http port: admin-http
proxyProtocol: HTTP/1 proxyProtocol: HTTP/1
--- ---
apiVersion: policy.linkerd.io/v1beta1 apiVersion: policy.linkerd.io/v1alpha1
kind: ServerAuthorization kind: AuthorizationPolicy
metadata: metadata:
namespace: linkerd-multicluster namespace: linkerd-multicluster
name: service-mirror name: service-mirror
labels: labels:
component: linkerd-service-mirror component: linkerd-service-mirror
spec: spec:
server: targetRef:
group: policy.linkerd.io
kind: Server
name: service-mirror name: service-mirror
client: requiredAuthenticationRefs:
# In order to use `linkerd mc gateways` you need viz' Prometheus instance # In order to use `linkerd mc gateways` you need viz' Prometheus instance
# to be able to reach the service-mirror. In order to also have a separate # to be able to reach the service-mirror. In order to also have a separate
# Prometheus scrape the service-mirror an additional ServerAuthorization # Prometheus scrape the service-mirror an additional AuthorizationPolicy
# resource should be created. # resource should be created.
meshTLS: - kind: ServiceAccount
serviceAccounts: name: prometheus
- name: prometheus
namespace: linkerd-viz namespace: linkerd-viz
--- ---


@ -102,8 +102,8 @@ spec:
app: linkerd-gateway app: linkerd-gateway
port: linkerd-proxy port: linkerd-proxy
--- ---
apiVersion: policy.linkerd.io/v1beta1 apiVersion: policy.linkerd.io/v1alpha1
kind: ServerAuthorization kind: AuthorizationPolicy
metadata: metadata:
namespace: linkerd-multicluster namespace: linkerd-multicluster
name: linkerd-gateway name: linkerd-gateway
@ -113,21 +113,54 @@ metadata:
annotations: annotations:
linkerd.io/created-by: linkerd/helm linkerdVersionValue linkerd.io/created-by: linkerd/helm linkerdVersionValue
spec: spec:
server: targetRef:
group: policy.linkerd.io
kind: Server
name: linkerd-gateway name: linkerd-gateway
client: requiredAuthenticationRefs:
meshTLS: - group: policy.linkerd.io
kind: MeshTLSAuthentication
name: any-meshed
namespace: linkerd-multicluster
- group: policy.linkerd.io
kind: NetworkAuthentication
name: source-cluster
namespace: linkerd-multicluster
---
apiVersion: policy.linkerd.io/v1alpha1
kind: MeshTLSAuthentication
metadata:
namespace: linkerd-multicluster
name: any-meshed
labels:
linkerd.io/extension: multicluster
app: linkerd-gateway
annotations:
linkerd.io/created-by: linkerd/helm linkerdVersionValue
spec:
identities: identities:
- '*' - '*'
---
apiVersion: policy.linkerd.io/v1alpha1
kind: NetworkAuthentication
metadata:
namespace: linkerd-multicluster
name: source-cluster
labels:
linkerd.io/extension: multicluster
app: linkerd-gateway
annotations:
linkerd.io/created-by: linkerd/helm linkerdVersionValue
spec:
networks: networks:
# Change this to the source cluster cidrs pointing to this gateway. # Change this to the source cluster cidrs pointing to this gateway.
# Note that the source IP in some providers (e.g. GKE) will be the local # Note that the source IP in some providers (e.g. GKE) will be the local
# node's IP and not the source cluster's # node's IP and not the source cluster's
- cidr: 0.0.0.0/0 - cidr: "0.0.0.0/0"
- cidr: ::/0 - cidr: "::/0"
--- ---
apiVersion: policy.linkerd.io/v1beta1 apiVersion: policy.linkerd.io/v1alpha1
kind: ServerAuthorization kind: AuthorizationPolicy
metadata: metadata:
namespace: linkerd-multicluster namespace: linkerd-multicluster
name: linkerd-gateway-probe name: linkerd-gateway-probe
@ -137,17 +170,20 @@ metadata:
annotations: annotations:
linkerd.io/created-by: linkerd/helm linkerdVersionValue linkerd.io/created-by: linkerd/helm linkerdVersionValue
spec: spec:
server: targetRef:
name: gateway-proxy-admin group: policy.linkerd.io
client: kind: Server
name: linkerd-gateway
requiredAuthenticationRefs:
# allows probes from outside the cluster, as long as they have an identity # allows probes from outside the cluster, as long as they have an identity
meshTLS: - group: policy.linkerd.io
identities: kind: MeshTLSAuthentication
- '*' name: any-meshed
networks: namespace: linkerd-multicluster
# cf note for linkerd-gateway ServerAuthorization - group: policy.linkerd.io
- cidr: 0.0.0.0/0 kind: NetworkAuthentication
- cidr: ::/0 name: source-cluster
namespace: linkerd-multicluster
--- ---
apiVersion: rbac.authorization.k8s.io/v1 apiVersion: rbac.authorization.k8s.io/v1
kind: Role kind: Role
@ -347,23 +383,24 @@ spec:
port: admin-http port: admin-http
proxyProtocol: HTTP/1 proxyProtocol: HTTP/1
--- ---
apiVersion: policy.linkerd.io/v1beta1 apiVersion: policy.linkerd.io/v1alpha1
kind: ServerAuthorization kind: AuthorizationPolicy
metadata: metadata:
namespace: linkerd-multicluster namespace: linkerd-multicluster
name: service-mirror name: service-mirror
labels: labels:
component: linkerd-service-mirror component: linkerd-service-mirror
spec: spec:
server: targetRef:
group: policy.linkerd.io
kind: Server
name: service-mirror name: service-mirror
client: requiredAuthenticationRefs:
# In order to use `linkerd mc gateways` you need viz' Prometheus instance # In order to use `linkerd mc gateways` you need viz' Prometheus instance
# to be able to reach the service-mirror. In order to also have a separate # to be able to reach the service-mirror. In order to also have a separate
# Prometheus scrape the service-mirror an additional ServerAuthorization # Prometheus scrape the service-mirror an additional AuthorizationPolicy
# resource should be created. # resource should be created.
meshTLS: - kind: ServiceAccount
serviceAccounts: name: prometheus
- name: prometheus
namespace: linkerd-viz namespace: linkerd-viz
--- ---