mirror of https://github.com/linkerd/linkerd2.git
Remove admin policy resources from extensions (#10073)
Fixes #9364 Since probes are automatically authorized, Linkerd extensions no longer need admin Server resources in order for probes to be authorized. We therefore remove them. Signed-off-by: Alex Leong <alex@buoyant.io>
This commit is contained in:
Alex Leong
GitHub
parent
88cd360637
commit
6cba9afcd1
|
|
@ -1,35 +0,0 @@
|
|||
---
|
||||
apiVersion: policy.linkerd.io/v1beta1
|
||||
kind: Server
|
||||
metadata:
|
||||
namespace: {{ .Release.Namespace }}
|
||||
name: proxy-admin
|
||||
labels:
|
||||
linkerd.io/extension: jaeger
|
||||
{{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }}
|
||||
annotations:
|
||||
{{ include "partials.annotations.created-by" . }}
|
||||
spec:
|
||||
podSelector:
|
||||
matchLabels:
|
||||
linkerd.io/extension: jaeger
|
||||
port: linkerd-admin
|
||||
proxyProtocol: HTTP/1
|
||||
---
|
||||
apiVersion: policy.linkerd.io/v1beta1
|
||||
kind: ServerAuthorization
|
||||
metadata:
|
||||
namespace: {{ .Release.Namespace }}
|
||||
name: proxy-admin
|
||||
labels:
|
||||
linkerd.io/extension: jaeger
|
||||
{{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }}
|
||||
annotations:
|
||||
{{ include "partials.annotations.created-by" . }}
|
||||
spec:
|
||||
server:
|
||||
name: proxy-admin
|
||||
client:
|
||||
# for kubelet probes
|
||||
unauthenticated: true
|
||||
|
||||
|
|
@ -25,7 +25,6 @@ var (
|
|||
// this doesn't include the namespace-metadata.* templates, which are Helm-only
|
||||
templatesJaeger = []string{
|
||||
"templates/namespace.yaml",
|
||||
"templates/proxy-admin-policy.yaml",
|
||||
"templates/jaeger-injector.yaml",
|
||||
"templates/jaeger-injector-policy.yaml",
|
||||
"templates/rbac.yaml",
|
||||
|
|
|
|||
|
|
@ -7,39 +7,6 @@ metadata:
|
|||
linkerd.io/extension: jaeger
|
||||
pod-security.kubernetes.io/enforce: privileged
|
||||
---
|
||||
apiVersion: policy.linkerd.io/v1beta1
|
||||
kind: Server
|
||||
metadata:
|
||||
namespace: linkerd-jaeger
|
||||
name: proxy-admin
|
||||
labels:
|
||||
linkerd.io/extension: jaeger
|
||||
annotations:
|
||||
linkerd.io/created-by: linkerd/helm dev-undefined
|
||||
spec:
|
||||
podSelector:
|
||||
matchLabels:
|
||||
linkerd.io/extension: jaeger
|
||||
port: linkerd-admin
|
||||
proxyProtocol: HTTP/1
|
||||
---
|
||||
apiVersion: policy.linkerd.io/v1beta1
|
||||
kind: ServerAuthorization
|
||||
metadata:
|
||||
namespace: linkerd-jaeger
|
||||
name: proxy-admin
|
||||
labels:
|
||||
linkerd.io/extension: jaeger
|
||||
annotations:
|
||||
linkerd.io/created-by: linkerd/helm dev-undefined
|
||||
spec:
|
||||
server:
|
||||
name: proxy-admin
|
||||
client:
|
||||
# for kubelet probes
|
||||
unauthenticated: true
|
||||
|
||||
---
|
||||
###
|
||||
### Jaeger Injector
|
||||
###
|
||||
|
|
|
|||
|
|
@ -7,39 +7,6 @@ metadata:
|
|||
linkerd.io/extension: jaeger
|
||||
pod-security.kubernetes.io/enforce: privileged
|
||||
---
|
||||
apiVersion: policy.linkerd.io/v1beta1
|
||||
kind: Server
|
||||
metadata:
|
||||
namespace: linkerd-jaeger
|
||||
name: proxy-admin
|
||||
labels:
|
||||
linkerd.io/extension: jaeger
|
||||
annotations:
|
||||
linkerd.io/created-by: linkerd/helm dev-undefined
|
||||
spec:
|
||||
podSelector:
|
||||
matchLabels:
|
||||
linkerd.io/extension: jaeger
|
||||
port: linkerd-admin
|
||||
proxyProtocol: HTTP/1
|
||||
---
|
||||
apiVersion: policy.linkerd.io/v1beta1
|
||||
kind: ServerAuthorization
|
||||
metadata:
|
||||
namespace: linkerd-jaeger
|
||||
name: proxy-admin
|
||||
labels:
|
||||
linkerd.io/extension: jaeger
|
||||
annotations:
|
||||
linkerd.io/created-by: linkerd/helm dev-undefined
|
||||
spec:
|
||||
server:
|
||||
name: proxy-admin
|
||||
client:
|
||||
# for kubelet probes
|
||||
unauthenticated: true
|
||||
|
||||
---
|
||||
###
|
||||
### Jaeger Injector
|
||||
###
|
||||
|
|
|
|||
|
|
@ -7,39 +7,6 @@ metadata:
|
|||
linkerd.io/extension: jaeger
|
||||
pod-security.kubernetes.io/enforce: privileged
|
||||
---
|
||||
apiVersion: policy.linkerd.io/v1beta1
|
||||
kind: Server
|
||||
metadata:
|
||||
namespace: linkerd-jaeger
|
||||
name: proxy-admin
|
||||
labels:
|
||||
linkerd.io/extension: jaeger
|
||||
annotations:
|
||||
linkerd.io/created-by: linkerd/helm dev-undefined
|
||||
spec:
|
||||
podSelector:
|
||||
matchLabels:
|
||||
linkerd.io/extension: jaeger
|
||||
port: linkerd-admin
|
||||
proxyProtocol: HTTP/1
|
||||
---
|
||||
apiVersion: policy.linkerd.io/v1beta1
|
||||
kind: ServerAuthorization
|
||||
metadata:
|
||||
namespace: linkerd-jaeger
|
||||
name: proxy-admin
|
||||
labels:
|
||||
linkerd.io/extension: jaeger
|
||||
annotations:
|
||||
linkerd.io/created-by: linkerd/helm dev-undefined
|
||||
spec:
|
||||
server:
|
||||
name: proxy-admin
|
||||
client:
|
||||
# for kubelet probes
|
||||
unauthenticated: true
|
||||
|
||||
---
|
||||
###
|
||||
### Jaeger Injector
|
||||
###
|
||||
|
|
|
|||
|
|
@ -1,64 +0,0 @@
|
|||
---
|
||||
apiVersion: policy.linkerd.io/v1beta1
|
||||
kind: Server
|
||||
metadata:
|
||||
namespace: {{ .Release.Namespace }}
|
||||
name: gateway-proxy-admin
|
||||
labels:
|
||||
linkerd.io/extension: multicluster
|
||||
{{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }}
|
||||
annotations:
|
||||
{{ include "partials.annotations.created-by" . }}
|
||||
spec:
|
||||
podSelector:
|
||||
matchLabels:
|
||||
app: {{.Values.gateway.name}}
|
||||
port: linkerd-admin
|
||||
proxyProtocol: HTTP/1
|
||||
---
|
||||
apiVersion: policy.linkerd.io/v1beta1
|
||||
kind: ServerAuthorization
|
||||
metadata:
|
||||
namespace: {{ .Release.Namespace }}
|
||||
name: proxy-admin
|
||||
labels:
|
||||
linkerd.io/extension: multicluster
|
||||
{{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }}
|
||||
annotations:
|
||||
{{ include "partials.annotations.created-by" . }}
|
||||
spec:
|
||||
server:
|
||||
name: gateway-proxy-admin
|
||||
client:
|
||||
# for kubelet probes
|
||||
unauthenticated: true
|
||||
---
|
||||
apiVersion: policy.linkerd.io/v1beta1
|
||||
kind: Server
|
||||
metadata:
|
||||
namespace: {{ .Release.Namespace }}
|
||||
name: service-mirror-proxy-admin
|
||||
labels:
|
||||
linkerd.io/extension: multicluster
|
||||
{{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }}
|
||||
spec:
|
||||
podSelector:
|
||||
matchLabels:
|
||||
component: linkerd-service-mirror
|
||||
port: linkerd-admin
|
||||
proxyProtocol: HTTP/1
|
||||
---
|
||||
apiVersion: policy.linkerd.io/v1beta1
|
||||
kind: ServerAuthorization
|
||||
metadata:
|
||||
namespace: {{ .Release.Namespace }}
|
||||
name: service-mirror-proxy-admin
|
||||
labels:
|
||||
linkerd.io/extension: multicluster
|
||||
{{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }}
|
||||
spec:
|
||||
server:
|
||||
name: service-mirror-proxy-admin
|
||||
client:
|
||||
# for kubelet probes
|
||||
unauthenticated: true
|
||||
|
|
@ -134,7 +134,6 @@ func render(w io.Writer, values *multicluster.Values, valuesOverrides map[string
|
|||
{Name: chartutil.ValuesfileName},
|
||||
{Name: "templates/namespace.yaml"},
|
||||
{Name: "templates/gateway.yaml"},
|
||||
{Name: "templates/proxy-admin-policy.yaml"},
|
||||
{Name: "templates/gateway-policy.yaml"},
|
||||
{Name: "templates/psp.yaml"},
|
||||
{Name: "templates/remote-access-service-mirror-rbac.yaml"},
|
||||
|
|
|
|||
|
|
@ -88,66 +88,6 @@ metadata:
|
|||
---
|
||||
apiVersion: policy.linkerd.io/v1beta1
|
||||
kind: Server
|
||||
metadata:
|
||||
namespace: linkerd-multicluster
|
||||
name: gateway-proxy-admin
|
||||
labels:
|
||||
linkerd.io/extension: multicluster
|
||||
annotations:
|
||||
linkerd.io/created-by: linkerd/helm linkerdVersionValue
|
||||
spec:
|
||||
podSelector:
|
||||
matchLabels:
|
||||
app: linkerd-gateway
|
||||
port: linkerd-admin
|
||||
proxyProtocol: HTTP/1
|
||||
---
|
||||
apiVersion: policy.linkerd.io/v1beta1
|
||||
kind: ServerAuthorization
|
||||
metadata:
|
||||
namespace: linkerd-multicluster
|
||||
name: proxy-admin
|
||||
labels:
|
||||
linkerd.io/extension: multicluster
|
||||
annotations:
|
||||
linkerd.io/created-by: linkerd/helm linkerdVersionValue
|
||||
spec:
|
||||
server:
|
||||
name: gateway-proxy-admin
|
||||
client:
|
||||
# for kubelet probes
|
||||
unauthenticated: true
|
||||
---
|
||||
apiVersion: policy.linkerd.io/v1beta1
|
||||
kind: Server
|
||||
metadata:
|
||||
namespace: linkerd-multicluster
|
||||
name: service-mirror-proxy-admin
|
||||
labels:
|
||||
linkerd.io/extension: multicluster
|
||||
spec:
|
||||
podSelector:
|
||||
matchLabels:
|
||||
component: linkerd-service-mirror
|
||||
port: linkerd-admin
|
||||
proxyProtocol: HTTP/1
|
||||
---
|
||||
apiVersion: policy.linkerd.io/v1beta1
|
||||
kind: ServerAuthorization
|
||||
metadata:
|
||||
namespace: linkerd-multicluster
|
||||
name: service-mirror-proxy-admin
|
||||
labels:
|
||||
linkerd.io/extension: multicluster
|
||||
spec:
|
||||
server:
|
||||
name: service-mirror-proxy-admin
|
||||
client:
|
||||
# for kubelet probes
|
||||
unauthenticated: true
|
||||
---
|
||||
apiVersion: policy.linkerd.io/v1beta1
|
||||
kind: Server
|
||||
metadata:
|
||||
namespace: linkerd-multicluster
|
||||
name: linkerd-gateway
|
||||
|
|
|
|||
|
|
@ -125,66 +125,6 @@ metadata:
|
|||
---
|
||||
apiVersion: policy.linkerd.io/v1beta1
|
||||
kind: Server
|
||||
metadata:
|
||||
namespace: linkerd-multicluster
|
||||
name: gateway-proxy-admin
|
||||
labels:
|
||||
linkerd.io/extension: multicluster
|
||||
annotations:
|
||||
linkerd.io/created-by: linkerd/helm linkerdVersionValue
|
||||
spec:
|
||||
podSelector:
|
||||
matchLabels:
|
||||
app: linkerd-gateway
|
||||
port: linkerd-admin
|
||||
proxyProtocol: HTTP/1
|
||||
---
|
||||
apiVersion: policy.linkerd.io/v1beta1
|
||||
kind: ServerAuthorization
|
||||
metadata:
|
||||
namespace: linkerd-multicluster
|
||||
name: proxy-admin
|
||||
labels:
|
||||
linkerd.io/extension: multicluster
|
||||
annotations:
|
||||
linkerd.io/created-by: linkerd/helm linkerdVersionValue
|
||||
spec:
|
||||
server:
|
||||
name: gateway-proxy-admin
|
||||
client:
|
||||
# for kubelet probes
|
||||
unauthenticated: true
|
||||
---
|
||||
apiVersion: policy.linkerd.io/v1beta1
|
||||
kind: Server
|
||||
metadata:
|
||||
namespace: linkerd-multicluster
|
||||
name: service-mirror-proxy-admin
|
||||
labels:
|
||||
linkerd.io/extension: multicluster
|
||||
spec:
|
||||
podSelector:
|
||||
matchLabels:
|
||||
component: linkerd-service-mirror
|
||||
port: linkerd-admin
|
||||
proxyProtocol: HTTP/1
|
||||
---
|
||||
apiVersion: policy.linkerd.io/v1beta1
|
||||
kind: ServerAuthorization
|
||||
metadata:
|
||||
namespace: linkerd-multicluster
|
||||
name: service-mirror-proxy-admin
|
||||
labels:
|
||||
linkerd.io/extension: multicluster
|
||||
spec:
|
||||
server:
|
||||
name: service-mirror-proxy-admin
|
||||
client:
|
||||
# for kubelet probes
|
||||
unauthenticated: true
|
||||
---
|
||||
apiVersion: policy.linkerd.io/v1beta1
|
||||
kind: Server
|
||||
metadata:
|
||||
namespace: linkerd-multicluster
|
||||
name: linkerd-gateway
|
||||
|
|
|
|||
|
|
@ -88,66 +88,6 @@ metadata:
|
|||
---
|
||||
apiVersion: policy.linkerd.io/v1beta1
|
||||
kind: Server
|
||||
metadata:
|
||||
namespace: linkerd-multicluster
|
||||
name: gateway-proxy-admin
|
||||
labels:
|
||||
linkerd.io/extension: multicluster
|
||||
annotations:
|
||||
linkerd.io/created-by: linkerd/helm linkerdVersionValue
|
||||
spec:
|
||||
podSelector:
|
||||
matchLabels:
|
||||
app: linkerd-gateway
|
||||
port: linkerd-admin
|
||||
proxyProtocol: HTTP/1
|
||||
---
|
||||
apiVersion: policy.linkerd.io/v1beta1
|
||||
kind: ServerAuthorization
|
||||
metadata:
|
||||
namespace: linkerd-multicluster
|
||||
name: proxy-admin
|
||||
labels:
|
||||
linkerd.io/extension: multicluster
|
||||
annotations:
|
||||
linkerd.io/created-by: linkerd/helm linkerdVersionValue
|
||||
spec:
|
||||
server:
|
||||
name: gateway-proxy-admin
|
||||
client:
|
||||
# for kubelet probes
|
||||
unauthenticated: true
|
||||
---
|
||||
apiVersion: policy.linkerd.io/v1beta1
|
||||
kind: Server
|
||||
metadata:
|
||||
namespace: linkerd-multicluster
|
||||
name: service-mirror-proxy-admin
|
||||
labels:
|
||||
linkerd.io/extension: multicluster
|
||||
spec:
|
||||
podSelector:
|
||||
matchLabels:
|
||||
component: linkerd-service-mirror
|
||||
port: linkerd-admin
|
||||
proxyProtocol: HTTP/1
|
||||
---
|
||||
apiVersion: policy.linkerd.io/v1beta1
|
||||
kind: ServerAuthorization
|
||||
metadata:
|
||||
namespace: linkerd-multicluster
|
||||
name: service-mirror-proxy-admin
|
||||
labels:
|
||||
linkerd.io/extension: multicluster
|
||||
spec:
|
||||
server:
|
||||
name: service-mirror-proxy-admin
|
||||
client:
|
||||
# for kubelet probes
|
||||
unauthenticated: true
|
||||
---
|
||||
apiVersion: policy.linkerd.io/v1beta1
|
||||
kind: Server
|
||||
metadata:
|
||||
namespace: linkerd-multicluster
|
||||
name: linkerd-gateway
|
||||
|
|
|
|||
|
|
@ -1,54 +0,0 @@
|
|||
---
|
||||
apiVersion: policy.linkerd.io/v1beta1
|
||||
kind: Server
|
||||
metadata:
|
||||
namespace: {{ .Release.Namespace }}
|
||||
name: admin
|
||||
labels:
|
||||
linkerd.io/extension: viz
|
||||
{{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }}
|
||||
annotations:
|
||||
{{ include "partials.annotations.created-by" . }}
|
||||
spec:
|
||||
podSelector:
|
||||
matchLabels:
|
||||
linkerd.io/extension: viz
|
||||
port: admin-http
|
||||
proxyProtocol: HTTP/1
|
||||
---
|
||||
apiVersion: policy.linkerd.io/v1alpha1
|
||||
kind: AuthorizationPolicy
|
||||
metadata:
|
||||
namespace: {{ .Release.Namespace }}
|
||||
name: admin
|
||||
labels:
|
||||
linkerd.io/extension: viz
|
||||
{{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }}
|
||||
annotations:
|
||||
{{ include "partials.annotations.created-by" . }}
|
||||
spec:
|
||||
targetRef:
|
||||
group: policy.linkerd.io
|
||||
kind: Server
|
||||
name: admin
|
||||
requiredAuthenticationRefs:
|
||||
- group: policy.linkerd.io
|
||||
kind: NetworkAuthentication
|
||||
name: kubelet
|
||||
---
|
||||
apiVersion: policy.linkerd.io/v1alpha1
|
||||
kind: NetworkAuthentication
|
||||
metadata:
|
||||
namespace: {{ .Release.Namespace }}
|
||||
name: kubelet
|
||||
labels:
|
||||
linkerd.io/extension: viz
|
||||
{{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }}
|
||||
annotations:
|
||||
{{ include "partials.annotations.created-by" . }}
|
||||
spec:
|
||||
# Ideally, this should be restricted to the actual set of IPs kubelet uses in
|
||||
# a cluster. This can't easily be discovered.
|
||||
networks:
|
||||
- cidr: "0.0.0.0/0"
|
||||
- cidr: "::/0"
|
||||
|
|
@ -3,7 +3,7 @@ apiVersion: policy.linkerd.io/v1beta1
|
|||
kind: Server
|
||||
metadata:
|
||||
namespace: {{ .Release.Namespace }}
|
||||
name: proxy-admin
|
||||
name: prometheus-admin
|
||||
labels:
|
||||
linkerd.io/extension: viz
|
||||
{{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }}
|
||||
|
|
@ -13,14 +13,16 @@ spec:
|
|||
podSelector:
|
||||
matchLabels:
|
||||
linkerd.io/extension: viz
|
||||
port: linkerd-admin
|
||||
component: prometheus
|
||||
namespace: {{.Release.Namespace}}
|
||||
port: admin-http
|
||||
proxyProtocol: HTTP/1
|
||||
---
|
||||
apiVersion: policy.linkerd.io/v1alpha1
|
||||
kind: AuthorizationPolicy
|
||||
metadata:
|
||||
namespace: {{ .Release.Namespace }}
|
||||
name: proxy-admin
|
||||
name: prometheus-admin
|
||||
labels:
|
||||
linkerd.io/extension: viz
|
||||
{{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }}
|
||||
|
|
@ -30,8 +32,8 @@ spec:
|
|||
targetRef:
|
||||
group: policy.linkerd.io
|
||||
kind: Server
|
||||
name: proxy-admin
|
||||
name: prometheus-admin
|
||||
requiredAuthenticationRefs:
|
||||
- group: policy.linkerd.io
|
||||
kind: NetworkAuthentication
|
||||
name: kubelet
|
||||
- kind: ServiceAccount
|
||||
name: metrics-api
|
||||
namespace: {{.Release.Namespace}}
|
||||
|
|
@ -28,11 +28,10 @@ var (
|
|||
"templates/tap-rbac.yaml",
|
||||
"templates/web-rbac.yaml",
|
||||
"templates/psp.yaml",
|
||||
"templates/admin-policy.yaml",
|
||||
"templates/proxy-admin-policy.yaml",
|
||||
"templates/metrics-api.yaml",
|
||||
"templates/metrics-api-policy.yaml",
|
||||
"templates/prometheus.yaml",
|
||||
"templates/prometheus-policy.yaml",
|
||||
"templates/tap.yaml",
|
||||
"templates/tap-policy.yaml",
|
||||
"templates/tap-injector-rbac.yaml",
|
||||
|
|
|
|||
|
|
@ -359,92 +359,6 @@ metadata:
|
|||
component: web
|
||||
namespace: linkerd-viz
|
||||
---
|
||||
apiVersion: policy.linkerd.io/v1beta1
|
||||
kind: Server
|
||||
metadata:
|
||||
namespace: linkerd-viz
|
||||
name: admin
|
||||
labels:
|
||||
linkerd.io/extension: viz
|
||||
annotations:
|
||||
linkerd.io/created-by: linkerd/helm dev-undefined
|
||||
spec:
|
||||
podSelector:
|
||||
matchLabels:
|
||||
linkerd.io/extension: viz
|
||||
port: admin-http
|
||||
proxyProtocol: HTTP/1
|
||||
---
|
||||
apiVersion: policy.linkerd.io/v1alpha1
|
||||
kind: AuthorizationPolicy
|
||||
metadata:
|
||||
namespace: linkerd-viz
|
||||
name: admin
|
||||
labels:
|
||||
linkerd.io/extension: viz
|
||||
annotations:
|
||||
linkerd.io/created-by: linkerd/helm dev-undefined
|
||||
spec:
|
||||
targetRef:
|
||||
group: policy.linkerd.io
|
||||
kind: Server
|
||||
name: admin
|
||||
requiredAuthenticationRefs:
|
||||
- group: policy.linkerd.io
|
||||
kind: NetworkAuthentication
|
||||
name: kubelet
|
||||
---
|
||||
apiVersion: policy.linkerd.io/v1alpha1
|
||||
kind: NetworkAuthentication
|
||||
metadata:
|
||||
namespace: linkerd-viz
|
||||
name: kubelet
|
||||
labels:
|
||||
linkerd.io/extension: viz
|
||||
annotations:
|
||||
linkerd.io/created-by: linkerd/helm dev-undefined
|
||||
spec:
|
||||
# Ideally, this should be restricted to the actual set of IPs kubelet uses in
|
||||
# a cluster. This can't easily be discovered.
|
||||
networks:
|
||||
- cidr: "0.0.0.0/0"
|
||||
- cidr: "::/0"
|
||||
---
|
||||
apiVersion: policy.linkerd.io/v1beta1
|
||||
kind: Server
|
||||
metadata:
|
||||
namespace: linkerd-viz
|
||||
name: proxy-admin
|
||||
labels:
|
||||
linkerd.io/extension: viz
|
||||
annotations:
|
||||
linkerd.io/created-by: linkerd/helm dev-undefined
|
||||
spec:
|
||||
podSelector:
|
||||
matchLabels:
|
||||
linkerd.io/extension: viz
|
||||
port: linkerd-admin
|
||||
proxyProtocol: HTTP/1
|
||||
---
|
||||
apiVersion: policy.linkerd.io/v1alpha1
|
||||
kind: AuthorizationPolicy
|
||||
metadata:
|
||||
namespace: linkerd-viz
|
||||
name: proxy-admin
|
||||
labels:
|
||||
linkerd.io/extension: viz
|
||||
annotations:
|
||||
linkerd.io/created-by: linkerd/helm dev-undefined
|
||||
spec:
|
||||
targetRef:
|
||||
group: policy.linkerd.io
|
||||
kind: Server
|
||||
name: proxy-admin
|
||||
requiredAuthenticationRefs:
|
||||
- group: policy.linkerd.io
|
||||
kind: NetworkAuthentication
|
||||
name: kubelet
|
||||
---
|
||||
###
|
||||
### Metrics API
|
||||
###
|
||||
|
|
@ -844,6 +758,43 @@ spec:
|
|||
name: prometheus-config
|
||||
name: prometheus-config
|
||||
---
|
||||
apiVersion: policy.linkerd.io/v1beta1
|
||||
kind: Server
|
||||
metadata:
|
||||
namespace: linkerd-viz
|
||||
name: prometheus-admin
|
||||
labels:
|
||||
linkerd.io/extension: viz
|
||||
annotations:
|
||||
linkerd.io/created-by: linkerd/helm dev-undefined
|
||||
spec:
|
||||
podSelector:
|
||||
matchLabels:
|
||||
linkerd.io/extension: viz
|
||||
component: prometheus
|
||||
namespace: linkerd-viz
|
||||
port: admin-http
|
||||
proxyProtocol: HTTP/1
|
||||
---
|
||||
apiVersion: policy.linkerd.io/v1alpha1
|
||||
kind: AuthorizationPolicy
|
||||
metadata:
|
||||
namespace: linkerd-viz
|
||||
name: prometheus-admin
|
||||
labels:
|
||||
linkerd.io/extension: viz
|
||||
annotations:
|
||||
linkerd.io/created-by: linkerd/helm dev-undefined
|
||||
spec:
|
||||
targetRef:
|
||||
group: policy.linkerd.io
|
||||
kind: Server
|
||||
name: prometheus-admin
|
||||
requiredAuthenticationRefs:
|
||||
- kind: ServiceAccount
|
||||
name: metrics-api
|
||||
namespace: linkerd-viz
|
||||
---
|
||||
###
|
||||
### Tap
|
||||
###
|
||||
|
|
|
|||
|
|
@ -359,92 +359,6 @@ metadata:
|
|||
component: web
|
||||
namespace: linkerd-viz
|
||||
---
|
||||
apiVersion: policy.linkerd.io/v1beta1
|
||||
kind: Server
|
||||
metadata:
|
||||
namespace: linkerd-viz
|
||||
name: admin
|
||||
labels:
|
||||
linkerd.io/extension: viz
|
||||
annotations:
|
||||
linkerd.io/created-by: linkerd/helm dev-undefined
|
||||
spec:
|
||||
podSelector:
|
||||
matchLabels:
|
||||
linkerd.io/extension: viz
|
||||
port: admin-http
|
||||
proxyProtocol: HTTP/1
|
||||
---
|
||||
apiVersion: policy.linkerd.io/v1alpha1
|
||||
kind: AuthorizationPolicy
|
||||
metadata:
|
||||
namespace: linkerd-viz
|
||||
name: admin
|
||||
labels:
|
||||
linkerd.io/extension: viz
|
||||
annotations:
|
||||
linkerd.io/created-by: linkerd/helm dev-undefined
|
||||
spec:
|
||||
targetRef:
|
||||
group: policy.linkerd.io
|
||||
kind: Server
|
||||
name: admin
|
||||
requiredAuthenticationRefs:
|
||||
- group: policy.linkerd.io
|
||||
kind: NetworkAuthentication
|
||||
name: kubelet
|
||||
---
|
||||
apiVersion: policy.linkerd.io/v1alpha1
|
||||
kind: NetworkAuthentication
|
||||
metadata:
|
||||
namespace: linkerd-viz
|
||||
name: kubelet
|
||||
labels:
|
||||
linkerd.io/extension: viz
|
||||
annotations:
|
||||
linkerd.io/created-by: linkerd/helm dev-undefined
|
||||
spec:
|
||||
# Ideally, this should be restricted to the actual set of IPs kubelet uses in
|
||||
# a cluster. This can't easily be discovered.
|
||||
networks:
|
||||
- cidr: "0.0.0.0/0"
|
||||
- cidr: "::/0"
|
||||
---
|
||||
apiVersion: policy.linkerd.io/v1beta1
|
||||
kind: Server
|
||||
metadata:
|
||||
namespace: linkerd-viz
|
||||
name: proxy-admin
|
||||
labels:
|
||||
linkerd.io/extension: viz
|
||||
annotations:
|
||||
linkerd.io/created-by: linkerd/helm dev-undefined
|
||||
spec:
|
||||
podSelector:
|
||||
matchLabels:
|
||||
linkerd.io/extension: viz
|
||||
port: linkerd-admin
|
||||
proxyProtocol: HTTP/1
|
||||
---
|
||||
apiVersion: policy.linkerd.io/v1alpha1
|
||||
kind: AuthorizationPolicy
|
||||
metadata:
|
||||
namespace: linkerd-viz
|
||||
name: proxy-admin
|
||||
labels:
|
||||
linkerd.io/extension: viz
|
||||
annotations:
|
||||
linkerd.io/created-by: linkerd/helm dev-undefined
|
||||
spec:
|
||||
targetRef:
|
||||
group: policy.linkerd.io
|
||||
kind: Server
|
||||
name: proxy-admin
|
||||
requiredAuthenticationRefs:
|
||||
- group: policy.linkerd.io
|
||||
kind: NetworkAuthentication
|
||||
name: kubelet
|
||||
---
|
||||
###
|
||||
### Metrics API
|
||||
###
|
||||
|
|
@ -844,6 +758,43 @@ spec:
|
|||
name: prometheus-config
|
||||
name: prometheus-config
|
||||
---
|
||||
apiVersion: policy.linkerd.io/v1beta1
|
||||
kind: Server
|
||||
metadata:
|
||||
namespace: linkerd-viz
|
||||
name: prometheus-admin
|
||||
labels:
|
||||
linkerd.io/extension: viz
|
||||
annotations:
|
||||
linkerd.io/created-by: linkerd/helm dev-undefined
|
||||
spec:
|
||||
podSelector:
|
||||
matchLabels:
|
||||
linkerd.io/extension: viz
|
||||
component: prometheus
|
||||
namespace: linkerd-viz
|
||||
port: admin-http
|
||||
proxyProtocol: HTTP/1
|
||||
---
|
||||
apiVersion: policy.linkerd.io/v1alpha1
|
||||
kind: AuthorizationPolicy
|
||||
metadata:
|
||||
namespace: linkerd-viz
|
||||
name: prometheus-admin
|
||||
labels:
|
||||
linkerd.io/extension: viz
|
||||
annotations:
|
||||
linkerd.io/created-by: linkerd/helm dev-undefined
|
||||
spec:
|
||||
targetRef:
|
||||
group: policy.linkerd.io
|
||||
kind: Server
|
||||
name: prometheus-admin
|
||||
requiredAuthenticationRefs:
|
||||
- kind: ServiceAccount
|
||||
name: metrics-api
|
||||
namespace: linkerd-viz
|
||||
---
|
||||
###
|
||||
### Tap
|
||||
###
|
||||
|
|
|
|||
|
|
@ -319,92 +319,6 @@ metadata:
|
|||
component: web
|
||||
namespace: linkerd-viz
|
||||
---
|
||||
apiVersion: policy.linkerd.io/v1beta1
|
||||
kind: Server
|
||||
metadata:
|
||||
namespace: linkerd-viz
|
||||
name: admin
|
||||
labels:
|
||||
linkerd.io/extension: viz
|
||||
annotations:
|
||||
linkerd.io/created-by: linkerd/helm dev-undefined
|
||||
spec:
|
||||
podSelector:
|
||||
matchLabels:
|
||||
linkerd.io/extension: viz
|
||||
port: admin-http
|
||||
proxyProtocol: HTTP/1
|
||||
---
|
||||
apiVersion: policy.linkerd.io/v1alpha1
|
||||
kind: AuthorizationPolicy
|
||||
metadata:
|
||||
namespace: linkerd-viz
|
||||
name: admin
|
||||
labels:
|
||||
linkerd.io/extension: viz
|
||||
annotations:
|
||||
linkerd.io/created-by: linkerd/helm dev-undefined
|
||||
spec:
|
||||
targetRef:
|
||||
group: policy.linkerd.io
|
||||
kind: Server
|
||||
name: admin
|
||||
requiredAuthenticationRefs:
|
||||
- group: policy.linkerd.io
|
||||
kind: NetworkAuthentication
|
||||
name: kubelet
|
||||
---
|
||||
apiVersion: policy.linkerd.io/v1alpha1
|
||||
kind: NetworkAuthentication
|
||||
metadata:
|
||||
namespace: linkerd-viz
|
||||
name: kubelet
|
||||
labels:
|
||||
linkerd.io/extension: viz
|
||||
annotations:
|
||||
linkerd.io/created-by: linkerd/helm dev-undefined
|
||||
spec:
|
||||
# Ideally, this should be restricted to the actual set of IPs kubelet uses in
|
||||
# a cluster. This can't easily be discovered.
|
||||
networks:
|
||||
- cidr: "0.0.0.0/0"
|
||||
- cidr: "::/0"
|
||||
---
|
||||
apiVersion: policy.linkerd.io/v1beta1
|
||||
kind: Server
|
||||
metadata:
|
||||
namespace: linkerd-viz
|
||||
name: proxy-admin
|
||||
labels:
|
||||
linkerd.io/extension: viz
|
||||
annotations:
|
||||
linkerd.io/created-by: linkerd/helm dev-undefined
|
||||
spec:
|
||||
podSelector:
|
||||
matchLabels:
|
||||
linkerd.io/extension: viz
|
||||
port: linkerd-admin
|
||||
proxyProtocol: HTTP/1
|
||||
---
|
||||
apiVersion: policy.linkerd.io/v1alpha1
|
||||
kind: AuthorizationPolicy
|
||||
metadata:
|
||||
namespace: linkerd-viz
|
||||
name: proxy-admin
|
||||
labels:
|
||||
linkerd.io/extension: viz
|
||||
annotations:
|
||||
linkerd.io/created-by: linkerd/helm dev-undefined
|
||||
spec:
|
||||
targetRef:
|
||||
group: policy.linkerd.io
|
||||
kind: Server
|
||||
name: proxy-admin
|
||||
requiredAuthenticationRefs:
|
||||
- group: policy.linkerd.io
|
||||
kind: NetworkAuthentication
|
||||
name: kubelet
|
||||
---
|
||||
###
|
||||
### Metrics API
|
||||
###
|
||||
|
|
@ -556,6 +470,43 @@ spec:
|
|||
- kind: ServiceAccount
|
||||
name: web
|
||||
---
|
||||
apiVersion: policy.linkerd.io/v1beta1
|
||||
kind: Server
|
||||
metadata:
|
||||
namespace: linkerd-viz
|
||||
name: prometheus-admin
|
||||
labels:
|
||||
linkerd.io/extension: viz
|
||||
annotations:
|
||||
linkerd.io/created-by: linkerd/helm dev-undefined
|
||||
spec:
|
||||
podSelector:
|
||||
matchLabels:
|
||||
linkerd.io/extension: viz
|
||||
component: prometheus
|
||||
namespace: linkerd-viz
|
||||
port: admin-http
|
||||
proxyProtocol: HTTP/1
|
||||
---
|
||||
apiVersion: policy.linkerd.io/v1alpha1
|
||||
kind: AuthorizationPolicy
|
||||
metadata:
|
||||
namespace: linkerd-viz
|
||||
name: prometheus-admin
|
||||
labels:
|
||||
linkerd.io/extension: viz
|
||||
annotations:
|
||||
linkerd.io/created-by: linkerd/helm dev-undefined
|
||||
spec:
|
||||
targetRef:
|
||||
group: policy.linkerd.io
|
||||
kind: Server
|
||||
name: prometheus-admin
|
||||
requiredAuthenticationRefs:
|
||||
- kind: ServiceAccount
|
||||
name: metrics-api
|
||||
namespace: linkerd-viz
|
||||
---
|
||||
###
|
||||
### Tap
|
||||
###
|
||||
|
|
|
|||
|
|
@ -359,92 +359,6 @@ metadata:
|
|||
component: web
|
||||
namespace: linkerd-viz
|
||||
---
|
||||
apiVersion: policy.linkerd.io/v1beta1
|
||||
kind: Server
|
||||
metadata:
|
||||
namespace: linkerd-viz
|
||||
name: admin
|
||||
labels:
|
||||
linkerd.io/extension: viz
|
||||
annotations:
|
||||
linkerd.io/created-by: linkerd/helm dev-undefined
|
||||
spec:
|
||||
podSelector:
|
||||
matchLabels:
|
||||
linkerd.io/extension: viz
|
||||
port: admin-http
|
||||
proxyProtocol: HTTP/1
|
||||
---
|
||||
apiVersion: policy.linkerd.io/v1alpha1
|
||||
kind: AuthorizationPolicy
|
||||
metadata:
|
||||
namespace: linkerd-viz
|
||||
name: admin
|
||||
labels:
|
||||
linkerd.io/extension: viz
|
||||
annotations:
|
||||
linkerd.io/created-by: linkerd/helm dev-undefined
|
||||
spec:
|
||||
targetRef:
|
||||
group: policy.linkerd.io
|
||||
kind: Server
|
||||
name: admin
|
||||
requiredAuthenticationRefs:
|
||||
- group: policy.linkerd.io
|
||||
kind: NetworkAuthentication
|
||||
name: kubelet
|
||||
---
|
||||
apiVersion: policy.linkerd.io/v1alpha1
|
||||
kind: NetworkAuthentication
|
||||
metadata:
|
||||
namespace: linkerd-viz
|
||||
name: kubelet
|
||||
labels:
|
||||
linkerd.io/extension: viz
|
||||
annotations:
|
||||
linkerd.io/created-by: linkerd/helm dev-undefined
|
||||
spec:
|
||||
# Ideally, this should be restricted to the actual set of IPs kubelet uses in
|
||||
# a cluster. This can't easily be discovered.
|
||||
networks:
|
||||
- cidr: "0.0.0.0/0"
|
||||
- cidr: "::/0"
|
||||
---
|
||||
apiVersion: policy.linkerd.io/v1beta1
|
||||
kind: Server
|
||||
metadata:
|
||||
namespace: linkerd-viz
|
||||
name: proxy-admin
|
||||
labels:
|
||||
linkerd.io/extension: viz
|
||||
annotations:
|
||||
linkerd.io/created-by: linkerd/helm dev-undefined
|
||||
spec:
|
||||
podSelector:
|
||||
matchLabels:
|
||||
linkerd.io/extension: viz
|
||||
port: linkerd-admin
|
||||
proxyProtocol: HTTP/1
|
||||
---
|
||||
apiVersion: policy.linkerd.io/v1alpha1
|
||||
kind: AuthorizationPolicy
|
||||
metadata:
|
||||
namespace: linkerd-viz
|
||||
name: proxy-admin
|
||||
labels:
|
||||
linkerd.io/extension: viz
|
||||
annotations:
|
||||
linkerd.io/created-by: linkerd/helm dev-undefined
|
||||
spec:
|
||||
targetRef:
|
||||
group: policy.linkerd.io
|
||||
kind: Server
|
||||
name: proxy-admin
|
||||
requiredAuthenticationRefs:
|
||||
- group: policy.linkerd.io
|
||||
kind: NetworkAuthentication
|
||||
name: kubelet
|
||||
---
|
||||
###
|
||||
### Metrics API
|
||||
###
|
||||
|
|
@ -844,6 +758,43 @@ spec:
|
|||
name: prometheus-config
|
||||
name: prometheus-config
|
||||
---
|
||||
apiVersion: policy.linkerd.io/v1beta1
|
||||
kind: Server
|
||||
metadata:
|
||||
namespace: linkerd-viz
|
||||
name: prometheus-admin
|
||||
labels:
|
||||
linkerd.io/extension: viz
|
||||
annotations:
|
||||
linkerd.io/created-by: linkerd/helm dev-undefined
|
||||
spec:
|
||||
podSelector:
|
||||
matchLabels:
|
||||
linkerd.io/extension: viz
|
||||
component: prometheus
|
||||
namespace: linkerd-viz
|
||||
port: admin-http
|
||||
proxyProtocol: HTTP/1
|
||||
---
|
||||
apiVersion: policy.linkerd.io/v1alpha1
|
||||
kind: AuthorizationPolicy
|
||||
metadata:
|
||||
namespace: linkerd-viz
|
||||
name: prometheus-admin
|
||||
labels:
|
||||
linkerd.io/extension: viz
|
||||
annotations:
|
||||
linkerd.io/created-by: linkerd/helm dev-undefined
|
||||
spec:
|
||||
targetRef:
|
||||
group: policy.linkerd.io
|
||||
kind: Server
|
||||
name: prometheus-admin
|
||||
requiredAuthenticationRefs:
|
||||
- kind: ServiceAccount
|
||||
name: metrics-api
|
||||
namespace: linkerd-viz
|
||||
---
|
||||
###
|
||||
### Tap
|
||||
###
|
||||
|
|
|
|||
|
|
@ -359,92 +359,6 @@ metadata:
|
|||
component: web
|
||||
namespace: linkerd-viz
|
||||
---
|
||||
apiVersion: policy.linkerd.io/v1beta1
|
||||
kind: Server
|
||||
metadata:
|
||||
namespace: linkerd-viz
|
||||
name: admin
|
||||
labels:
|
||||
linkerd.io/extension: viz
|
||||
annotations:
|
||||
linkerd.io/created-by: linkerd/helm dev-undefined
|
||||
spec:
|
||||
podSelector:
|
||||
matchLabels:
|
||||
linkerd.io/extension: viz
|
||||
port: admin-http
|
||||
proxyProtocol: HTTP/1
|
||||
---
|
||||
apiVersion: policy.linkerd.io/v1alpha1
|
||||
kind: AuthorizationPolicy
|
||||
metadata:
|
||||
namespace: linkerd-viz
|
||||
name: admin
|
||||
labels:
|
||||
linkerd.io/extension: viz
|
||||
annotations:
|
||||
linkerd.io/created-by: linkerd/helm dev-undefined
|
||||
spec:
|
||||
targetRef:
|
||||
group: policy.linkerd.io
|
||||
kind: Server
|
||||
name: admin
|
||||
requiredAuthenticationRefs:
|
||||
- group: policy.linkerd.io
|
||||
kind: NetworkAuthentication
|
||||
name: kubelet
|
||||
---
|
||||
apiVersion: policy.linkerd.io/v1alpha1
|
||||
kind: NetworkAuthentication
|
||||
metadata:
|
||||
namespace: linkerd-viz
|
||||
name: kubelet
|
||||
labels:
|
||||
linkerd.io/extension: viz
|
||||
annotations:
|
||||
linkerd.io/created-by: linkerd/helm dev-undefined
|
||||
spec:
|
||||
# Ideally, this should be restricted to the actual set of IPs kubelet uses in
|
||||
# a cluster. This can't easily be discovered.
|
||||
networks:
|
||||
- cidr: "0.0.0.0/0"
|
||||
- cidr: "::/0"
|
||||
---
|
||||
apiVersion: policy.linkerd.io/v1beta1
|
||||
kind: Server
|
||||
metadata:
|
||||
namespace: linkerd-viz
|
||||
name: proxy-admin
|
||||
labels:
|
||||
linkerd.io/extension: viz
|
||||
annotations:
|
||||
linkerd.io/created-by: linkerd/helm dev-undefined
|
||||
spec:
|
||||
podSelector:
|
||||
matchLabels:
|
||||
linkerd.io/extension: viz
|
||||
port: linkerd-admin
|
||||
proxyProtocol: HTTP/1
|
||||
---
|
||||
apiVersion: policy.linkerd.io/v1alpha1
|
||||
kind: AuthorizationPolicy
|
||||
metadata:
|
||||
namespace: linkerd-viz
|
||||
name: proxy-admin
|
||||
labels:
|
||||
linkerd.io/extension: viz
|
||||
annotations:
|
||||
linkerd.io/created-by: linkerd/helm dev-undefined
|
||||
spec:
|
||||
targetRef:
|
||||
group: policy.linkerd.io
|
||||
kind: Server
|
||||
name: proxy-admin
|
||||
requiredAuthenticationRefs:
|
||||
- group: policy.linkerd.io
|
||||
kind: NetworkAuthentication
|
||||
name: kubelet
|
||||
---
|
||||
###
|
||||
### Metrics API
|
||||
###
|
||||
|
|
@ -848,6 +762,43 @@ spec:
|
|||
name: prometheus-config
|
||||
name: prometheus-config
|
||||
---
|
||||
apiVersion: policy.linkerd.io/v1beta1
|
||||
kind: Server
|
||||
metadata:
|
||||
namespace: linkerd-viz
|
||||
name: prometheus-admin
|
||||
labels:
|
||||
linkerd.io/extension: viz
|
||||
annotations:
|
||||
linkerd.io/created-by: linkerd/helm dev-undefined
|
||||
spec:
|
||||
podSelector:
|
||||
matchLabels:
|
||||
linkerd.io/extension: viz
|
||||
component: prometheus
|
||||
namespace: linkerd-viz
|
||||
port: admin-http
|
||||
proxyProtocol: HTTP/1
|
||||
---
|
||||
apiVersion: policy.linkerd.io/v1alpha1
|
||||
kind: AuthorizationPolicy
|
||||
metadata:
|
||||
namespace: linkerd-viz
|
||||
name: prometheus-admin
|
||||
labels:
|
||||
linkerd.io/extension: viz
|
||||
annotations:
|
||||
linkerd.io/created-by: linkerd/helm dev-undefined
|
||||
spec:
|
||||
targetRef:
|
||||
group: policy.linkerd.io
|
||||
kind: Server
|
||||
name: prometheus-admin
|
||||
requiredAuthenticationRefs:
|
||||
- kind: ServiceAccount
|
||||
name: metrics-api
|
||||
namespace: linkerd-viz
|
||||
---
|
||||
###
|
||||
### Tap
|
||||
###
|
||||
|
|
|
|||
Loading…
Reference in New Issue