Use the 'all-unauthenticated' policy with the identity controller (#7110)

When no default policy is configured, the identity controller uses `cluster-unauthenticated` by default; but this may not permit connections from node IPs. This causes installations to fail in some environments. This change updates the identity controller's default policy to `all-unauthenticated` to match the behavior before policy was introduced. Fixes #7104
2021-10-19 07:36:48 -07:00 · 2021-10-19 07:36:48 -07:00 · 9612bbeeaa
parent c72fe3f618
commit 9612bbeeaa
17 changed files with 17 additions and 17 deletions
--- a/charts/linkerd2/templates/identity.yaml
+++ b/charts/linkerd2/templates/identity.yaml
@ -195,7 +195,7 @@ spec:
        The identity controller cannot discover policies, so we configure it with defaults that
        enforce TLS on the identity service.
      */}}
-      {{- $_ := set $tree.Values.proxy "defaultInboundPolicy" "cluster-unauthenticated" }}
+      {{- $_ := set $tree.Values.proxy "defaultInboundPolicy" "all-unauthenticated" }}
      {{- $_ := set $tree.Values.proxy "requireTLSOnInboundPorts" "8080" }}
      - {{- include "partials.proxy" $tree | indent 8 | trimPrefix (repeat 7 " ") }}
      {{ if not .Values.cniEnabled -}}
--- a/cli/cmd/testdata/install_controlplane_tracing_output.golden
+++ b/cli/cmd/testdata/install_controlplane_tracing_output.golden
@ -1586,7 +1586,7 @@ spec:
        - name: LINKERD2_PROXY_POLICY_WORKLOAD
          value: "$(_pod_ns):$(_pod_name)"
        - name: LINKERD2_PROXY_INBOUND_DEFAULT_POLICY
-          value: cluster-unauthenticated
+          value: all-unauthenticated
        - name: LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS
          value: "10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16"
        - name: LINKERD2_PROXY_INBOUND_CONNECT_TIMEOUT
--- a/cli/cmd/testdata/install_custom_domain.golden
+++ b/cli/cmd/testdata/install_custom_domain.golden
@ -1585,7 +1585,7 @@ spec:
        - name: LINKERD2_PROXY_POLICY_WORKLOAD
          value: "$(_pod_ns):$(_pod_name)"
        - name: LINKERD2_PROXY_INBOUND_DEFAULT_POLICY
-          value: cluster-unauthenticated
+          value: all-unauthenticated
        - name: LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS
          value: "10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16"
        - name: LINKERD2_PROXY_INBOUND_CONNECT_TIMEOUT
--- a/cli/cmd/testdata/install_custom_registry.golden
+++ b/cli/cmd/testdata/install_custom_registry.golden
@ -1585,7 +1585,7 @@ spec:
        - name: LINKERD2_PROXY_POLICY_WORKLOAD
          value: "$(_pod_ns):$(_pod_name)"
        - name: LINKERD2_PROXY_INBOUND_DEFAULT_POLICY
-          value: cluster-unauthenticated
+          value: all-unauthenticated
        - name: LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS
          value: "10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16"
        - name: LINKERD2_PROXY_INBOUND_CONNECT_TIMEOUT
--- a/cli/cmd/testdata/install_default.golden
+++ b/cli/cmd/testdata/install_default.golden
@ -1585,7 +1585,7 @@ spec:
        - name: LINKERD2_PROXY_POLICY_WORKLOAD
          value: "$(_pod_ns):$(_pod_name)"
        - name: LINKERD2_PROXY_INBOUND_DEFAULT_POLICY
-          value: cluster-unauthenticated
+          value: all-unauthenticated
        - name: LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS
          value: "10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16"
        - name: LINKERD2_PROXY_INBOUND_CONNECT_TIMEOUT
--- a/cli/cmd/testdata/install_default_override_dst_get_nets.golden
+++ b/cli/cmd/testdata/install_default_override_dst_get_nets.golden
@ -1585,7 +1585,7 @@ spec:
        - name: LINKERD2_PROXY_POLICY_WORKLOAD
          value: "$(_pod_ns):$(_pod_name)"
        - name: LINKERD2_PROXY_INBOUND_DEFAULT_POLICY
-          value: cluster-unauthenticated
+          value: all-unauthenticated
        - name: LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS
          value: "10.0.0.0/8,100.64.0.0/10,172.0.0.0/8"
        - name: LINKERD2_PROXY_INBOUND_CONNECT_TIMEOUT
--- a/cli/cmd/testdata/install_ha_output.golden
+++ b/cli/cmd/testdata/install_ha_output.golden
@ -1654,7 +1654,7 @@ spec:
        - name: LINKERD2_PROXY_POLICY_WORKLOAD
          value: "$(_pod_ns):$(_pod_name)"
        - name: LINKERD2_PROXY_INBOUND_DEFAULT_POLICY
-          value: cluster-unauthenticated
+          value: all-unauthenticated
        - name: LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS
          value: "10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16"
        - name: LINKERD2_PROXY_INBOUND_CONNECT_TIMEOUT
--- a/cli/cmd/testdata/install_ha_with_overrides_output.golden
+++ b/cli/cmd/testdata/install_ha_with_overrides_output.golden
@ -1654,7 +1654,7 @@ spec:
        - name: LINKERD2_PROXY_POLICY_WORKLOAD
          value: "$(_pod_ns):$(_pod_name)"
        - name: LINKERD2_PROXY_INBOUND_DEFAULT_POLICY
-          value: cluster-unauthenticated
+          value: all-unauthenticated
        - name: LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS
          value: "10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16"
        - name: LINKERD2_PROXY_INBOUND_CONNECT_TIMEOUT
--- a/cli/cmd/testdata/install_heartbeat_disabled_output.golden
+++ b/cli/cmd/testdata/install_heartbeat_disabled_output.golden
@ -1516,7 +1516,7 @@ spec:
        - name: LINKERD2_PROXY_POLICY_WORKLOAD
          value: "$(_pod_ns):$(_pod_name)"
        - name: LINKERD2_PROXY_INBOUND_DEFAULT_POLICY
-          value: cluster-unauthenticated
+          value: all-unauthenticated
        - name: LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS
          value: "10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16"
        - name: LINKERD2_PROXY_INBOUND_CONNECT_TIMEOUT
--- a/cli/cmd/testdata/install_helm_output.golden
+++ b/cli/cmd/testdata/install_helm_output.golden
@ -1576,7 +1576,7 @@ spec:
        - name: LINKERD2_PROXY_POLICY_WORKLOAD
          value: "$(_pod_ns):$(_pod_name)"
        - name: LINKERD2_PROXY_INBOUND_DEFAULT_POLICY
-          value: cluster-unauthenticated
+          value: all-unauthenticated
        - name: LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS
          value: "10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16"
        - name: LINKERD2_PROXY_INBOUND_CONNECT_TIMEOUT
--- a/cli/cmd/testdata/install_helm_output_ha.golden
+++ b/cli/cmd/testdata/install_helm_output_ha.golden
@ -1645,7 +1645,7 @@ spec:
        - name: LINKERD2_PROXY_POLICY_WORKLOAD
          value: "$(_pod_ns):$(_pod_name)"
        - name: LINKERD2_PROXY_INBOUND_DEFAULT_POLICY
-          value: cluster-unauthenticated
+          value: all-unauthenticated
        - name: LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS
          value: "10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16"
        - name: LINKERD2_PROXY_INBOUND_CONNECT_TIMEOUT
--- a/cli/cmd/testdata/install_helm_output_ha_labels.golden
+++ b/cli/cmd/testdata/install_helm_output_ha_labels.golden
@ -1653,7 +1653,7 @@ spec:
        - name: LINKERD2_PROXY_POLICY_WORKLOAD
          value: "$(_pod_ns):$(_pod_name)"
        - name: LINKERD2_PROXY_INBOUND_DEFAULT_POLICY
-          value: cluster-unauthenticated
+          value: all-unauthenticated
        - name: LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS
          value: "10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16"
        - name: LINKERD2_PROXY_INBOUND_CONNECT_TIMEOUT
--- a/cli/cmd/testdata/install_helm_output_ha_namespace_selector.golden
+++ b/cli/cmd/testdata/install_helm_output_ha_namespace_selector.golden
@ -1645,7 +1645,7 @@ spec:
        - name: LINKERD2_PROXY_POLICY_WORKLOAD
          value: "$(_pod_ns):$(_pod_name)"
        - name: LINKERD2_PROXY_INBOUND_DEFAULT_POLICY
-          value: cluster-unauthenticated
+          value: all-unauthenticated
        - name: LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS
          value: "10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16"
        - name: LINKERD2_PROXY_INBOUND_CONNECT_TIMEOUT
--- a/cli/cmd/testdata/install_no_init_container.golden
+++ b/cli/cmd/testdata/install_no_init_container.golden
@ -1585,7 +1585,7 @@ spec:
        - name: LINKERD2_PROXY_POLICY_WORKLOAD
          value: "$(_pod_ns):$(_pod_name)"
        - name: LINKERD2_PROXY_INBOUND_DEFAULT_POLICY
-          value: cluster-unauthenticated
+          value: all-unauthenticated
        - name: LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS
          value: "10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16"
        - name: LINKERD2_PROXY_INBOUND_CONNECT_TIMEOUT
--- a/cli/cmd/testdata/install_output.golden
+++ b/cli/cmd/testdata/install_output.golden
@ -1585,7 +1585,7 @@ spec:
        - name: LINKERD2_PROXY_POLICY_WORKLOAD
          value: "$(_pod_ns):$(_pod_name)"
        - name: LINKERD2_PROXY_INBOUND_DEFAULT_POLICY
-          value: cluster-unauthenticated
+          value: all-unauthenticated
        - name: LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS
          value: "ClusterNetworks"
        - name: LINKERD2_PROXY_CONTROL_LISTEN_ADDR
--- a/cli/cmd/testdata/install_proxy_ignores.golden
+++ b/cli/cmd/testdata/install_proxy_ignores.golden
@ -1585,7 +1585,7 @@ spec:
        - name: LINKERD2_PROXY_POLICY_WORKLOAD
          value: "$(_pod_ns):$(_pod_name)"
        - name: LINKERD2_PROXY_INBOUND_DEFAULT_POLICY
-          value: cluster-unauthenticated
+          value: all-unauthenticated
        - name: LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS
          value: "10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16"
        - name: LINKERD2_PROXY_INBOUND_CONNECT_TIMEOUT
--- a/cli/cmd/testdata/install_values_file.golden
+++ b/cli/cmd/testdata/install_values_file.golden
@ -1571,7 +1571,7 @@ spec:
        - name: LINKERD2_PROXY_POLICY_WORKLOAD
          value: "$(_pod_ns):$(_pod_name)"
        - name: LINKERD2_PROXY_INBOUND_DEFAULT_POLICY
-          value: cluster-unauthenticated
+          value: all-unauthenticated
        - name: LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS
          value: "10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16"
        - name: LINKERD2_PROXY_INBOUND_CONNECT_TIMEOUT