mirror of https://github.com/linkerd/linkerd2.git
inject: fix --default-inbound-policy not setting annotation (#9197)
Depends on #9195 Currently, `linkerd inject --default-inbound-policy` does not set the `config.linkerd.io/default-inbound-policy` annotation on the injected resource(s). The `inject` command does _try_ to set that annotation if it's set in the `Values` generated by `proxyFlagSet`:14d1dbb3b7/cli/cmd/inject.go (L485-L487)...but, the flag in the proxy `FlagSet` doesn't set `Values.Proxy.DefaultInboundPolicy`, it sets `Values.PolicyController.DefaultAllowPolicy`:7c5e3aaf40/cli/cmd/options.go (L375-L379)This is because the flag set is shared across `linkerd inject` and `linkerd install` subcommands, and in `linkerd install`, we want to set the default policy for the whole cluster by configuring the policy controller. In `linkerd inject`, though, we want to add the annotation to the injected pods only. This branch fixes this issue by changing the flag so that it sets the `Values.Proxy.DefaultInboundPolicy` instead of the `Values.PolicyController.DefaultAllowPolicy` value. In `linkerd install`, we then set `Values.PolicyController.DefaultAllowPolicy` based on the value of `Values.Proxy.DefaultInboundPolicy`, while in `inject`, we will now actually add the annotation. This branch is based on PR #9195, which adds validation to reject invalid values for `--default-inbound-policy`, rather than on `main`. This is because the validation code added in that PR had to be moved around a bit, since it now needs to validate the `Values.Proxy.DefaultInboundPolicy` value rather than the `Values.PolicyController.DefaultAllowPolicy` value. I thought using #9195 as a base branch was better than basing this on `main` and then having to resolve merge conflicts later. When that PR merges, this can be rebased onto `main`. Fixes #9168
This commit is contained in:
Eliza Weisman
GitHub
parent
8c3fcc4d62
commit
f6c6ff965c
|
|
@ -374,7 +374,7 @@ run_test(){
|
|||
|
||||
printf 'Test script: [%s] Params: [%s]\n' "${filename##*/}" "$*"
|
||||
# Exit on failure here
|
||||
GO111MODULE=on go test -test.timeout=60m --failfast --mod=readonly "$filename" --linkerd="$linkerd_path" --helm-path="$helm_path" --default-allow-policy="$default_allow_policy" --k8s-context="$context" --integration-tests "$@" || exit 1
|
||||
GO111MODULE=on go test -test.timeout=60m --failfast --mod=readonly "$filename" --linkerd="$linkerd_path" --helm-path="$helm_path" --default-inbound-policy="$default_inbound_policy" --k8s-context="$context" --integration-tests "$@" || exit 1
|
||||
}
|
||||
|
||||
# Returns the latest version for the release channel
|
||||
|
|
@ -456,7 +456,7 @@ run_deep_test() {
|
|||
}
|
||||
|
||||
run_default-policy-deny_test() {
|
||||
export default_allow_policy='deny'
|
||||
export default_inbound_policy='deny'
|
||||
run_test "$test_directory/install/install_test.go"
|
||||
}
|
||||
|
||||
|
|
|
|||
|
|
@ -169,7 +169,6 @@ Kubernetes: `>=1.21.0-0`
|
|||
| nodeSelector | object | `{"kubernetes.io/os":"linux"}` | NodeSelector section, See the [K8S documentation](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector) for more information |
|
||||
| podAnnotations | object | `{}` | Additional annotations to add to all pods |
|
||||
| podLabels | object | `{}` | Additional labels to add to all pods |
|
||||
| policyController.defaultAllowPolicy | string | "all-unauthenticated" | The default allow policy to use when no `Server` selects a pod. One of: "all-authenticated", "all-unauthenticated", "cluster-authenticated", "cluster-unauthenticated", "deny" |
|
||||
| policyController.image.name | string | `"cr.l5d.io/linkerd/policy-controller"` | Docker image for the proxy |
|
||||
| policyController.image.pullPolicy | string | imagePullPolicy | Pull policy for the proxy container Docker image |
|
||||
| policyController.image.version | string | linkerdVersion | Tag for the proxy container Docker image |
|
||||
|
|
@ -199,6 +198,7 @@ Kubernetes: `>=1.21.0-0`
|
|||
| profileValidator.namespaceSelector | object | `{"matchExpressions":[{"key":"config.linkerd.io/admission-webhooks","operator":"NotIn","values":["disabled"]}]}` | Namespace selector used by admission webhook |
|
||||
| proxy.await | bool | `true` | If set, the application container will not start until the proxy is ready |
|
||||
| proxy.cores | int | `0` | The `cpu.limit` and `cores` should be kept in sync. The value of `cores` must be an integer and should typically be set by rounding up from the limit. E.g. if cpu.limit is '1500m', cores should be 2. |
|
||||
| proxy.defaultInboundPolicy | string | "all-unauthenticated" | The default allow policy to use when no `Server` selects a pod. One of: "all-authenticated", "all-unauthenticated", "cluster-authenticated", "cluster-unauthenticated", "deny" |
|
||||
| proxy.enableExternalProfiles | bool | `false` | Enable service profiles for non-Kubernetes services |
|
||||
| proxy.image.name | string | `"cr.l5d.io/linkerd/proxy"` | Docker image for the proxy |
|
||||
| proxy.image.pullPolicy | string | imagePullPolicy | Pull policy for the proxy container Docker image |
|
||||
|
|
|
|||
|
|
@ -261,7 +261,7 @@ spec:
|
|||
- --server-tls-certs=/var/run/linkerd/tls/tls.crt
|
||||
- --cluster-networks={{.Values.clusterNetworks}}
|
||||
- --identity-domain={{.Values.identityTrustDomain | default .Values.clusterDomain}}
|
||||
- --default-policy={{.Values.policyController.defaultAllowPolicy}}
|
||||
- --default-policy={{.Values.proxy.defaultInboundPolicy}}
|
||||
- --log-level={{.Values.policyController.logLevel | default "linkerd=info,warn"}}
|
||||
- --log-format={{.Values.controllerLogFormat}}
|
||||
{{- if .Values.policyController.probeNetworks }}
|
||||
|
|
|
|||
|
|
@ -70,11 +70,6 @@ policyController:
|
|||
# @default -- linkerdVersion
|
||||
version: ""
|
||||
|
||||
# -- The default allow policy to use when no `Server` selects a pod. One of: "all-authenticated",
|
||||
# "all-unauthenticated", "cluster-authenticated", "cluster-unauthenticated", "deny"
|
||||
# @default -- "all-unauthenticated"
|
||||
defaultAllowPolicy: "all-unauthenticated"
|
||||
|
||||
# -- Log level for the policy controller
|
||||
logLevel: info
|
||||
|
||||
|
|
@ -178,6 +173,10 @@ proxy:
|
|||
opaquePorts: "25,587,3306,4444,5432,6379,9300,11211"
|
||||
# -- Grace period for graceful proxy shutdowns. If this timeout elapses before all open connections have completed, the proxy will terminate forcefully, closing any remaining connections.
|
||||
shutdownGracePeriod: ""
|
||||
# -- The default allow policy to use when no `Server` selects a pod. One of: "all-authenticated",
|
||||
# "all-unauthenticated", "cluster-authenticated", "cluster-unauthenticated", "deny"
|
||||
# @default -- "all-unauthenticated"
|
||||
defaultInboundPolicy: "all-unauthenticated"
|
||||
|
||||
# proxy-init configuration
|
||||
proxyInit:
|
||||
|
|
|
|||
|
|
@ -38,7 +38,7 @@ env:
|
|||
- name: LINKERD2_PROXY_POLICY_WORKLOAD
|
||||
value: "$(_pod_ns):$(_pod_name)"
|
||||
- name: LINKERD2_PROXY_INBOUND_DEFAULT_POLICY
|
||||
value: {{.Values.proxy.defaultInboundPolicy | default .Values.policyController.defaultAllowPolicy}}
|
||||
value: {{.Values.proxy.defaultInboundPolicy}}
|
||||
- name: LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS
|
||||
value: {{.Values.clusterNetworks | quote}}
|
||||
{{ if .Values.proxy.inboundConnectTimeout -}}
|
||||
|
|
|
|||
|
|
@ -60,8 +60,7 @@ func TestRender(t *testing.T) {
|
|||
PullPolicy: "ImagePullPolicy",
|
||||
Version: "PolicyControllerVersion",
|
||||
},
|
||||
LogLevel: "log-level",
|
||||
DefaultAllowPolicy: "default-allow-policy",
|
||||
LogLevel: "log-level",
|
||||
Resources: &charts.Resources{
|
||||
CPU: charts.Constraints{
|
||||
Limit: "cpu-limit",
|
||||
|
|
@ -98,9 +97,10 @@ func TestRender(t *testing.T) {
|
|||
Inbound: 4143,
|
||||
Outbound: 4140,
|
||||
},
|
||||
UID: 2102,
|
||||
OpaquePorts: "25,443,587,3306,5432,11211",
|
||||
Await: true,
|
||||
UID: 2102,
|
||||
OpaquePorts: "25,443,587,3306,5432,11211",
|
||||
Await: true,
|
||||
DefaultInboundPolicy: "default-allow-policy",
|
||||
},
|
||||
ProxyInit: &charts.ProxyInit{
|
||||
IptablesMode: "legacy",
|
||||
|
|
@ -582,7 +582,7 @@ func TestValidate(t *testing.T) {
|
|||
if err != nil {
|
||||
t.Fatalf("Unexpected error: %v\n", err)
|
||||
}
|
||||
values.PolicyController.DefaultAllowPolicy = "everybody"
|
||||
values.Proxy.DefaultInboundPolicy = "everybody"
|
||||
expected := "--default-inbound-policy must be one of: all-authenticated, all-unauthenticated, cluster-authenticated, cluster-unauthenticated, deny (got everybody)"
|
||||
|
||||
err = validateValues(context.Background(), nil, values)
|
||||
|
|
|
|||
|
|
@ -374,7 +374,7 @@ func makeProxyFlags(defaults *l5dcharts.Values) ([]flag.Flag, *pflag.FlagSet) {
|
|||
|
||||
flag.NewStringFlag(proxyFlags, "default-inbound-policy", defaults.Proxy.DefaultInboundPolicy, "Inbound policy to use to control inbound access to the proxy",
|
||||
func(values *l5dcharts.Values, value string) error {
|
||||
values.PolicyController.DefaultAllowPolicy = value
|
||||
values.Proxy.DefaultInboundPolicy = value
|
||||
return nil
|
||||
}),
|
||||
|
||||
|
|
@ -545,7 +545,6 @@ func validateValues(ctx context.Context, k *k8s.KubernetesAPI, values *l5dcharts
|
|||
}
|
||||
}
|
||||
|
||||
err = validatePolicy(values.PolicyController.DefaultAllowPolicy)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
|
@ -624,6 +623,10 @@ func validateProxyValues(values *l5dcharts.Values) error {
|
|||
}
|
||||
}
|
||||
|
||||
if err := validatePolicy(values.Proxy.DefaultInboundPolicy); err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
return nil
|
||||
}
|
||||
|
||||
|
|
|
|||
|
|
@ -474,7 +474,6 @@ data:
|
|||
podAnnotations: {}
|
||||
podLabels: {}
|
||||
policyController:
|
||||
defaultAllowPolicy: all-unauthenticated
|
||||
image:
|
||||
name: cr.l5d.io/linkerd/policy-controller
|
||||
pullPolicy: ""
|
||||
|
|
@ -522,7 +521,7 @@ data:
|
|||
accessLog: ""
|
||||
await: true
|
||||
capabilities: null
|
||||
defaultInboundPolicy: ""
|
||||
defaultInboundPolicy: all-unauthenticated
|
||||
enableExternalProfiles: false
|
||||
image:
|
||||
name: cr.l5d.io/linkerd/proxy
|
||||
|
|
@ -799,7 +798,7 @@ spec:
|
|||
- name: LINKERD2_PROXY_POLICY_WORKLOAD
|
||||
value: "$(_pod_ns):$(_pod_name)"
|
||||
- name: LINKERD2_PROXY_INBOUND_DEFAULT_POLICY
|
||||
value: all-unauthenticated
|
||||
value: "all-unauthenticated"
|
||||
- name: LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS
|
||||
value: "10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16"
|
||||
- name: LINKERD2_PROXY_INBOUND_CONNECT_TIMEOUT
|
||||
|
|
@ -1105,7 +1104,7 @@ spec:
|
|||
- name: LINKERD2_PROXY_POLICY_WORKLOAD
|
||||
value: "$(_pod_ns):$(_pod_name)"
|
||||
- name: LINKERD2_PROXY_INBOUND_DEFAULT_POLICY
|
||||
value: all-unauthenticated
|
||||
value: "all-unauthenticated"
|
||||
- name: LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS
|
||||
value: "10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16"
|
||||
- name: LINKERD2_PROXY_INBOUND_CONNECT_TIMEOUT
|
||||
|
|
@ -1477,7 +1476,7 @@ spec:
|
|||
- name: LINKERD2_PROXY_POLICY_WORKLOAD
|
||||
value: "$(_pod_ns):$(_pod_name)"
|
||||
- name: LINKERD2_PROXY_INBOUND_DEFAULT_POLICY
|
||||
value: all-unauthenticated
|
||||
value: "all-unauthenticated"
|
||||
- name: LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS
|
||||
value: "10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16"
|
||||
- name: LINKERD2_PROXY_INBOUND_CONNECT_TIMEOUT
|
||||
|
|
|
|||
|
|
@ -474,7 +474,6 @@ data:
|
|||
podAnnotations: {}
|
||||
podLabels: {}
|
||||
policyController:
|
||||
defaultAllowPolicy: all-unauthenticated
|
||||
image:
|
||||
name: cr.l5d.io/linkerd/policy-controller
|
||||
pullPolicy: ""
|
||||
|
|
@ -522,7 +521,7 @@ data:
|
|||
accessLog: ""
|
||||
await: true
|
||||
capabilities: null
|
||||
defaultInboundPolicy: ""
|
||||
defaultInboundPolicy: all-unauthenticated
|
||||
enableExternalProfiles: false
|
||||
image:
|
||||
name: cr.l5d.io/linkerd/proxy
|
||||
|
|
@ -798,7 +797,7 @@ spec:
|
|||
- name: LINKERD2_PROXY_POLICY_WORKLOAD
|
||||
value: "$(_pod_ns):$(_pod_name)"
|
||||
- name: LINKERD2_PROXY_INBOUND_DEFAULT_POLICY
|
||||
value: all-unauthenticated
|
||||
value: "all-unauthenticated"
|
||||
- name: LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS
|
||||
value: "10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16"
|
||||
- name: LINKERD2_PROXY_INBOUND_CONNECT_TIMEOUT
|
||||
|
|
@ -1104,7 +1103,7 @@ spec:
|
|||
- name: LINKERD2_PROXY_POLICY_WORKLOAD
|
||||
value: "$(_pod_ns):$(_pod_name)"
|
||||
- name: LINKERD2_PROXY_INBOUND_DEFAULT_POLICY
|
||||
value: all-unauthenticated
|
||||
value: "all-unauthenticated"
|
||||
- name: LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS
|
||||
value: "10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16"
|
||||
- name: LINKERD2_PROXY_INBOUND_CONNECT_TIMEOUT
|
||||
|
|
@ -1475,7 +1474,7 @@ spec:
|
|||
- name: LINKERD2_PROXY_POLICY_WORKLOAD
|
||||
value: "$(_pod_ns):$(_pod_name)"
|
||||
- name: LINKERD2_PROXY_INBOUND_DEFAULT_POLICY
|
||||
value: all-unauthenticated
|
||||
value: "all-unauthenticated"
|
||||
- name: LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS
|
||||
value: "10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16"
|
||||
- name: LINKERD2_PROXY_INBOUND_CONNECT_TIMEOUT
|
||||
|
|
|
|||
|
|
@ -474,7 +474,6 @@ data:
|
|||
podAnnotations: {}
|
||||
podLabels: {}
|
||||
policyController:
|
||||
defaultAllowPolicy: all-unauthenticated
|
||||
image:
|
||||
name: my.custom.registry/linkerd-io/policy-controller
|
||||
pullPolicy: ""
|
||||
|
|
@ -522,7 +521,7 @@ data:
|
|||
accessLog: ""
|
||||
await: true
|
||||
capabilities: null
|
||||
defaultInboundPolicy: ""
|
||||
defaultInboundPolicy: all-unauthenticated
|
||||
enableExternalProfiles: false
|
||||
image:
|
||||
name: my.custom.registry/linkerd-io/proxy
|
||||
|
|
@ -798,7 +797,7 @@ spec:
|
|||
- name: LINKERD2_PROXY_POLICY_WORKLOAD
|
||||
value: "$(_pod_ns):$(_pod_name)"
|
||||
- name: LINKERD2_PROXY_INBOUND_DEFAULT_POLICY
|
||||
value: all-unauthenticated
|
||||
value: "all-unauthenticated"
|
||||
- name: LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS
|
||||
value: "10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16"
|
||||
- name: LINKERD2_PROXY_INBOUND_CONNECT_TIMEOUT
|
||||
|
|
@ -1104,7 +1103,7 @@ spec:
|
|||
- name: LINKERD2_PROXY_POLICY_WORKLOAD
|
||||
value: "$(_pod_ns):$(_pod_name)"
|
||||
- name: LINKERD2_PROXY_INBOUND_DEFAULT_POLICY
|
||||
value: all-unauthenticated
|
||||
value: "all-unauthenticated"
|
||||
- name: LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS
|
||||
value: "10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16"
|
||||
- name: LINKERD2_PROXY_INBOUND_CONNECT_TIMEOUT
|
||||
|
|
@ -1475,7 +1474,7 @@ spec:
|
|||
- name: LINKERD2_PROXY_POLICY_WORKLOAD
|
||||
value: "$(_pod_ns):$(_pod_name)"
|
||||
- name: LINKERD2_PROXY_INBOUND_DEFAULT_POLICY
|
||||
value: all-unauthenticated
|
||||
value: "all-unauthenticated"
|
||||
- name: LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS
|
||||
value: "10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16"
|
||||
- name: LINKERD2_PROXY_INBOUND_CONNECT_TIMEOUT
|
||||
|
|
|
|||
|
|
@ -474,7 +474,6 @@ data:
|
|||
podAnnotations: {}
|
||||
podLabels: {}
|
||||
policyController:
|
||||
defaultAllowPolicy: all-unauthenticated
|
||||
image:
|
||||
name: cr.l5d.io/linkerd/policy-controller
|
||||
pullPolicy: ""
|
||||
|
|
@ -522,7 +521,7 @@ data:
|
|||
accessLog: ""
|
||||
await: true
|
||||
capabilities: null
|
||||
defaultInboundPolicy: ""
|
||||
defaultInboundPolicy: all-unauthenticated
|
||||
enableExternalProfiles: false
|
||||
image:
|
||||
name: cr.l5d.io/linkerd/proxy
|
||||
|
|
@ -798,7 +797,7 @@ spec:
|
|||
- name: LINKERD2_PROXY_POLICY_WORKLOAD
|
||||
value: "$(_pod_ns):$(_pod_name)"
|
||||
- name: LINKERD2_PROXY_INBOUND_DEFAULT_POLICY
|
||||
value: all-unauthenticated
|
||||
value: "all-unauthenticated"
|
||||
- name: LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS
|
||||
value: "10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16"
|
||||
- name: LINKERD2_PROXY_INBOUND_CONNECT_TIMEOUT
|
||||
|
|
@ -1104,7 +1103,7 @@ spec:
|
|||
- name: LINKERD2_PROXY_POLICY_WORKLOAD
|
||||
value: "$(_pod_ns):$(_pod_name)"
|
||||
- name: LINKERD2_PROXY_INBOUND_DEFAULT_POLICY
|
||||
value: all-unauthenticated
|
||||
value: "all-unauthenticated"
|
||||
- name: LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS
|
||||
value: "10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16"
|
||||
- name: LINKERD2_PROXY_INBOUND_CONNECT_TIMEOUT
|
||||
|
|
@ -1475,7 +1474,7 @@ spec:
|
|||
- name: LINKERD2_PROXY_POLICY_WORKLOAD
|
||||
value: "$(_pod_ns):$(_pod_name)"
|
||||
- name: LINKERD2_PROXY_INBOUND_DEFAULT_POLICY
|
||||
value: all-unauthenticated
|
||||
value: "all-unauthenticated"
|
||||
- name: LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS
|
||||
value: "10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16"
|
||||
- name: LINKERD2_PROXY_INBOUND_CONNECT_TIMEOUT
|
||||
|
|
|
|||
|
|
@ -474,7 +474,6 @@ data:
|
|||
podAnnotations: {}
|
||||
podLabels: {}
|
||||
policyController:
|
||||
defaultAllowPolicy: all-unauthenticated
|
||||
image:
|
||||
name: cr.l5d.io/linkerd/policy-controller
|
||||
pullPolicy: ""
|
||||
|
|
@ -522,7 +521,7 @@ data:
|
|||
accessLog: ""
|
||||
await: true
|
||||
capabilities: null
|
||||
defaultInboundPolicy: ""
|
||||
defaultInboundPolicy: all-unauthenticated
|
||||
enableExternalProfiles: false
|
||||
image:
|
||||
name: cr.l5d.io/linkerd/proxy
|
||||
|
|
@ -798,7 +797,7 @@ spec:
|
|||
- name: LINKERD2_PROXY_POLICY_WORKLOAD
|
||||
value: "$(_pod_ns):$(_pod_name)"
|
||||
- name: LINKERD2_PROXY_INBOUND_DEFAULT_POLICY
|
||||
value: all-unauthenticated
|
||||
value: "all-unauthenticated"
|
||||
- name: LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS
|
||||
value: "10.0.0.0/8,100.64.0.0/10,172.0.0.0/8"
|
||||
- name: LINKERD2_PROXY_INBOUND_CONNECT_TIMEOUT
|
||||
|
|
@ -1104,7 +1103,7 @@ spec:
|
|||
- name: LINKERD2_PROXY_POLICY_WORKLOAD
|
||||
value: "$(_pod_ns):$(_pod_name)"
|
||||
- name: LINKERD2_PROXY_INBOUND_DEFAULT_POLICY
|
||||
value: all-unauthenticated
|
||||
value: "all-unauthenticated"
|
||||
- name: LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS
|
||||
value: "10.0.0.0/8,100.64.0.0/10,172.0.0.0/8"
|
||||
- name: LINKERD2_PROXY_INBOUND_CONNECT_TIMEOUT
|
||||
|
|
@ -1475,7 +1474,7 @@ spec:
|
|||
- name: LINKERD2_PROXY_POLICY_WORKLOAD
|
||||
value: "$(_pod_ns):$(_pod_name)"
|
||||
- name: LINKERD2_PROXY_INBOUND_DEFAULT_POLICY
|
||||
value: all-unauthenticated
|
||||
value: "all-unauthenticated"
|
||||
- name: LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS
|
||||
value: "10.0.0.0/8,100.64.0.0/10,172.0.0.0/8"
|
||||
- name: LINKERD2_PROXY_INBOUND_CONNECT_TIMEOUT
|
||||
|
|
|
|||
|
|
@ -474,7 +474,6 @@ data:
|
|||
podAnnotations: {}
|
||||
podLabels: {}
|
||||
policyController:
|
||||
defaultAllowPolicy: all-unauthenticated
|
||||
image:
|
||||
name: cr.l5d.io/linkerd/policy-controller
|
||||
pullPolicy: ""
|
||||
|
|
@ -522,7 +521,7 @@ data:
|
|||
accessLog: ""
|
||||
await: true
|
||||
capabilities: null
|
||||
defaultInboundPolicy: ""
|
||||
defaultInboundPolicy: all-unauthenticated
|
||||
enableExternalProfiles: false
|
||||
image:
|
||||
name: cr.l5d.io/linkerd/proxy
|
||||
|
|
@ -798,7 +797,7 @@ spec:
|
|||
- name: LINKERD2_PROXY_POLICY_WORKLOAD
|
||||
value: "$(_pod_ns):$(_pod_name)"
|
||||
- name: LINKERD2_PROXY_INBOUND_DEFAULT_POLICY
|
||||
value: all-unauthenticated
|
||||
value: "all-unauthenticated"
|
||||
- name: LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS
|
||||
value: "10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16"
|
||||
- name: LINKERD2_PROXY_INBOUND_CONNECT_TIMEOUT
|
||||
|
|
@ -1095,7 +1094,7 @@ spec:
|
|||
- name: LINKERD2_PROXY_POLICY_WORKLOAD
|
||||
value: "$(_pod_ns):$(_pod_name)"
|
||||
- name: LINKERD2_PROXY_INBOUND_DEFAULT_POLICY
|
||||
value: all-unauthenticated
|
||||
value: "all-unauthenticated"
|
||||
- name: LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS
|
||||
value: "10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16"
|
||||
- name: LINKERD2_PROXY_INBOUND_CONNECT_TIMEOUT
|
||||
|
|
@ -1457,7 +1456,7 @@ spec:
|
|||
- name: LINKERD2_PROXY_POLICY_WORKLOAD
|
||||
value: "$(_pod_ns):$(_pod_name)"
|
||||
- name: LINKERD2_PROXY_INBOUND_DEFAULT_POLICY
|
||||
value: all-unauthenticated
|
||||
value: "all-unauthenticated"
|
||||
- name: LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS
|
||||
value: "10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16"
|
||||
- name: LINKERD2_PROXY_INBOUND_CONNECT_TIMEOUT
|
||||
|
|
|
|||
|
|
@ -501,7 +501,6 @@ data:
|
|||
podAnnotations: {}
|
||||
podLabels: {}
|
||||
policyController:
|
||||
defaultAllowPolicy: all-unauthenticated
|
||||
image:
|
||||
name: cr.l5d.io/linkerd/policy-controller
|
||||
pullPolicy: ""
|
||||
|
|
@ -549,7 +548,7 @@ data:
|
|||
accessLog: ""
|
||||
await: true
|
||||
capabilities: null
|
||||
defaultInboundPolicy: ""
|
||||
defaultInboundPolicy: all-unauthenticated
|
||||
enableExternalProfiles: false
|
||||
image:
|
||||
name: cr.l5d.io/linkerd/proxy
|
||||
|
|
@ -875,7 +874,7 @@ spec:
|
|||
- name: LINKERD2_PROXY_POLICY_WORKLOAD
|
||||
value: "$(_pod_ns):$(_pod_name)"
|
||||
- name: LINKERD2_PROXY_INBOUND_DEFAULT_POLICY
|
||||
value: all-unauthenticated
|
||||
value: "all-unauthenticated"
|
||||
- name: LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS
|
||||
value: "10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16"
|
||||
- name: LINKERD2_PROXY_INBOUND_CONNECT_TIMEOUT
|
||||
|
|
@ -1221,7 +1220,7 @@ spec:
|
|||
- name: LINKERD2_PROXY_POLICY_WORKLOAD
|
||||
value: "$(_pod_ns):$(_pod_name)"
|
||||
- name: LINKERD2_PROXY_INBOUND_DEFAULT_POLICY
|
||||
value: all-unauthenticated
|
||||
value: "all-unauthenticated"
|
||||
- name: LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS
|
||||
value: "10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16"
|
||||
- name: LINKERD2_PROXY_INBOUND_CONNECT_TIMEOUT
|
||||
|
|
@ -1628,7 +1627,7 @@ spec:
|
|||
- name: LINKERD2_PROXY_POLICY_WORKLOAD
|
||||
value: "$(_pod_ns):$(_pod_name)"
|
||||
- name: LINKERD2_PROXY_INBOUND_DEFAULT_POLICY
|
||||
value: all-unauthenticated
|
||||
value: "all-unauthenticated"
|
||||
- name: LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS
|
||||
value: "10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16"
|
||||
- name: LINKERD2_PROXY_INBOUND_CONNECT_TIMEOUT
|
||||
|
|
|
|||
|
|
@ -501,7 +501,6 @@ data:
|
|||
podAnnotations: {}
|
||||
podLabels: {}
|
||||
policyController:
|
||||
defaultAllowPolicy: all-unauthenticated
|
||||
image:
|
||||
name: cr.l5d.io/linkerd/policy-controller
|
||||
pullPolicy: ""
|
||||
|
|
@ -549,7 +548,7 @@ data:
|
|||
accessLog: ""
|
||||
await: true
|
||||
capabilities: null
|
||||
defaultInboundPolicy: ""
|
||||
defaultInboundPolicy: all-unauthenticated
|
||||
enableExternalProfiles: false
|
||||
image:
|
||||
name: cr.l5d.io/linkerd/proxy
|
||||
|
|
@ -875,7 +874,7 @@ spec:
|
|||
- name: LINKERD2_PROXY_POLICY_WORKLOAD
|
||||
value: "$(_pod_ns):$(_pod_name)"
|
||||
- name: LINKERD2_PROXY_INBOUND_DEFAULT_POLICY
|
||||
value: all-unauthenticated
|
||||
value: "all-unauthenticated"
|
||||
- name: LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS
|
||||
value: "10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16"
|
||||
- name: LINKERD2_PROXY_INBOUND_CONNECT_TIMEOUT
|
||||
|
|
@ -1221,7 +1220,7 @@ spec:
|
|||
- name: LINKERD2_PROXY_POLICY_WORKLOAD
|
||||
value: "$(_pod_ns):$(_pod_name)"
|
||||
- name: LINKERD2_PROXY_INBOUND_DEFAULT_POLICY
|
||||
value: all-unauthenticated
|
||||
value: "all-unauthenticated"
|
||||
- name: LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS
|
||||
value: "10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16"
|
||||
- name: LINKERD2_PROXY_INBOUND_CONNECT_TIMEOUT
|
||||
|
|
@ -1628,7 +1627,7 @@ spec:
|
|||
- name: LINKERD2_PROXY_POLICY_WORKLOAD
|
||||
value: "$(_pod_ns):$(_pod_name)"
|
||||
- name: LINKERD2_PROXY_INBOUND_DEFAULT_POLICY
|
||||
value: all-unauthenticated
|
||||
value: "all-unauthenticated"
|
||||
- name: LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS
|
||||
value: "10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16"
|
||||
- name: LINKERD2_PROXY_INBOUND_CONNECT_TIMEOUT
|
||||
|
|
|
|||
|
|
@ -405,7 +405,6 @@ data:
|
|||
podAnnotations: {}
|
||||
podLabels: {}
|
||||
policyController:
|
||||
defaultAllowPolicy: all-unauthenticated
|
||||
image:
|
||||
name: cr.l5d.io/linkerd/policy-controller
|
||||
pullPolicy: ""
|
||||
|
|
@ -453,7 +452,7 @@ data:
|
|||
accessLog: ""
|
||||
await: true
|
||||
capabilities: null
|
||||
defaultInboundPolicy: ""
|
||||
defaultInboundPolicy: all-unauthenticated
|
||||
enableExternalProfiles: false
|
||||
image:
|
||||
name: cr.l5d.io/linkerd/proxy
|
||||
|
|
@ -729,7 +728,7 @@ spec:
|
|||
- name: LINKERD2_PROXY_POLICY_WORKLOAD
|
||||
value: "$(_pod_ns):$(_pod_name)"
|
||||
- name: LINKERD2_PROXY_INBOUND_DEFAULT_POLICY
|
||||
value: all-unauthenticated
|
||||
value: "all-unauthenticated"
|
||||
- name: LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS
|
||||
value: "10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16"
|
||||
- name: LINKERD2_PROXY_INBOUND_CONNECT_TIMEOUT
|
||||
|
|
@ -1035,7 +1034,7 @@ spec:
|
|||
- name: LINKERD2_PROXY_POLICY_WORKLOAD
|
||||
value: "$(_pod_ns):$(_pod_name)"
|
||||
- name: LINKERD2_PROXY_INBOUND_DEFAULT_POLICY
|
||||
value: all-unauthenticated
|
||||
value: "all-unauthenticated"
|
||||
- name: LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS
|
||||
value: "10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16"
|
||||
- name: LINKERD2_PROXY_INBOUND_CONNECT_TIMEOUT
|
||||
|
|
@ -1356,7 +1355,7 @@ spec:
|
|||
- name: LINKERD2_PROXY_POLICY_WORKLOAD
|
||||
value: "$(_pod_ns):$(_pod_name)"
|
||||
- name: LINKERD2_PROXY_INBOUND_DEFAULT_POLICY
|
||||
value: all-unauthenticated
|
||||
value: "all-unauthenticated"
|
||||
- name: LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS
|
||||
value: "10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16"
|
||||
- name: LINKERD2_PROXY_INBOUND_CONNECT_TIMEOUT
|
||||
|
|
|
|||
|
|
@ -450,7 +450,6 @@ data:
|
|||
podAnnotations: {}
|
||||
podLabels: {}
|
||||
policyController:
|
||||
defaultAllowPolicy: all-unauthenticated
|
||||
image:
|
||||
name: cr.l5d.io/linkerd/policy-controller
|
||||
pullPolicy: ""
|
||||
|
|
@ -498,7 +497,7 @@ data:
|
|||
accessLog: ""
|
||||
await: true
|
||||
capabilities: null
|
||||
defaultInboundPolicy: ""
|
||||
defaultInboundPolicy: all-unauthenticated
|
||||
enableExternalProfiles: false
|
||||
image:
|
||||
name: cr.l5d.io/linkerd/proxy
|
||||
|
|
@ -768,7 +767,7 @@ spec:
|
|||
- name: LINKERD2_PROXY_POLICY_WORKLOAD
|
||||
value: "$(_pod_ns):$(_pod_name)"
|
||||
- name: LINKERD2_PROXY_INBOUND_DEFAULT_POLICY
|
||||
value: all-unauthenticated
|
||||
value: "all-unauthenticated"
|
||||
- name: LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS
|
||||
value: "10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16"
|
||||
- name: LINKERD2_PROXY_INBOUND_CONNECT_TIMEOUT
|
||||
|
|
@ -1077,7 +1076,7 @@ spec:
|
|||
- name: LINKERD2_PROXY_POLICY_WORKLOAD
|
||||
value: "$(_pod_ns):$(_pod_name)"
|
||||
- name: LINKERD2_PROXY_INBOUND_DEFAULT_POLICY
|
||||
value: all-unauthenticated
|
||||
value: "all-unauthenticated"
|
||||
- name: LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS
|
||||
value: "10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16"
|
||||
- name: LINKERD2_PROXY_INBOUND_CONNECT_TIMEOUT
|
||||
|
|
@ -1453,7 +1452,7 @@ spec:
|
|||
- name: LINKERD2_PROXY_POLICY_WORKLOAD
|
||||
value: "$(_pod_ns):$(_pod_name)"
|
||||
- name: LINKERD2_PROXY_INBOUND_DEFAULT_POLICY
|
||||
value: all-unauthenticated
|
||||
value: "all-unauthenticated"
|
||||
- name: LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS
|
||||
value: "10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16"
|
||||
- name: LINKERD2_PROXY_INBOUND_CONNECT_TIMEOUT
|
||||
|
|
|
|||
|
|
@ -477,7 +477,6 @@ data:
|
|||
podAnnotations: {}
|
||||
podLabels: {}
|
||||
policyController:
|
||||
defaultAllowPolicy: all-unauthenticated
|
||||
image:
|
||||
name: cr.l5d.io/linkerd/policy-controller
|
||||
pullPolicy: ""
|
||||
|
|
@ -525,7 +524,7 @@ data:
|
|||
accessLog: ""
|
||||
await: true
|
||||
capabilities: null
|
||||
defaultInboundPolicy: ""
|
||||
defaultInboundPolicy: all-unauthenticated
|
||||
enableExternalProfiles: false
|
||||
image:
|
||||
name: cr.l5d.io/linkerd/proxy
|
||||
|
|
@ -845,7 +844,7 @@ spec:
|
|||
- name: LINKERD2_PROXY_POLICY_WORKLOAD
|
||||
value: "$(_pod_ns):$(_pod_name)"
|
||||
- name: LINKERD2_PROXY_INBOUND_DEFAULT_POLICY
|
||||
value: all-unauthenticated
|
||||
value: "all-unauthenticated"
|
||||
- name: LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS
|
||||
value: "10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16"
|
||||
- name: LINKERD2_PROXY_INBOUND_CONNECT_TIMEOUT
|
||||
|
|
@ -1194,7 +1193,7 @@ spec:
|
|||
- name: LINKERD2_PROXY_POLICY_WORKLOAD
|
||||
value: "$(_pod_ns):$(_pod_name)"
|
||||
- name: LINKERD2_PROXY_INBOUND_DEFAULT_POLICY
|
||||
value: all-unauthenticated
|
||||
value: "all-unauthenticated"
|
||||
- name: LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS
|
||||
value: "10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16"
|
||||
- name: LINKERD2_PROXY_INBOUND_CONNECT_TIMEOUT
|
||||
|
|
@ -1606,7 +1605,7 @@ spec:
|
|||
- name: LINKERD2_PROXY_POLICY_WORKLOAD
|
||||
value: "$(_pod_ns):$(_pod_name)"
|
||||
- name: LINKERD2_PROXY_INBOUND_DEFAULT_POLICY
|
||||
value: all-unauthenticated
|
||||
value: "all-unauthenticated"
|
||||
- name: LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS
|
||||
value: "10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16"
|
||||
- name: LINKERD2_PROXY_INBOUND_CONNECT_TIMEOUT
|
||||
|
|
|
|||
|
|
@ -481,7 +481,6 @@ data:
|
|||
fiz: buz
|
||||
foo: bar
|
||||
policyController:
|
||||
defaultAllowPolicy: all-unauthenticated
|
||||
image:
|
||||
name: cr.l5d.io/linkerd/policy-controller
|
||||
pullPolicy: ""
|
||||
|
|
@ -529,7 +528,7 @@ data:
|
|||
accessLog: ""
|
||||
await: true
|
||||
capabilities: null
|
||||
defaultInboundPolicy: ""
|
||||
defaultInboundPolicy: all-unauthenticated
|
||||
enableExternalProfiles: false
|
||||
image:
|
||||
name: cr.l5d.io/linkerd/proxy
|
||||
|
|
@ -853,7 +852,7 @@ spec:
|
|||
- name: LINKERD2_PROXY_POLICY_WORKLOAD
|
||||
value: "$(_pod_ns):$(_pod_name)"
|
||||
- name: LINKERD2_PROXY_INBOUND_DEFAULT_POLICY
|
||||
value: all-unauthenticated
|
||||
value: "all-unauthenticated"
|
||||
- name: LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS
|
||||
value: "10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16"
|
||||
- name: LINKERD2_PROXY_INBOUND_CONNECT_TIMEOUT
|
||||
|
|
@ -1206,7 +1205,7 @@ spec:
|
|||
- name: LINKERD2_PROXY_POLICY_WORKLOAD
|
||||
value: "$(_pod_ns):$(_pod_name)"
|
||||
- name: LINKERD2_PROXY_INBOUND_DEFAULT_POLICY
|
||||
value: all-unauthenticated
|
||||
value: "all-unauthenticated"
|
||||
- name: LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS
|
||||
value: "10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16"
|
||||
- name: LINKERD2_PROXY_INBOUND_CONNECT_TIMEOUT
|
||||
|
|
@ -1626,7 +1625,7 @@ spec:
|
|||
- name: LINKERD2_PROXY_POLICY_WORKLOAD
|
||||
value: "$(_pod_ns):$(_pod_name)"
|
||||
- name: LINKERD2_PROXY_INBOUND_DEFAULT_POLICY
|
||||
value: all-unauthenticated
|
||||
value: "all-unauthenticated"
|
||||
- name: LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS
|
||||
value: "10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16"
|
||||
- name: LINKERD2_PROXY_INBOUND_CONNECT_TIMEOUT
|
||||
|
|
|
|||
|
|
@ -472,7 +472,6 @@ data:
|
|||
podAnnotations: {}
|
||||
podLabels: {}
|
||||
policyController:
|
||||
defaultAllowPolicy: all-unauthenticated
|
||||
image:
|
||||
name: cr.l5d.io/linkerd/policy-controller
|
||||
pullPolicy: ""
|
||||
|
|
@ -520,7 +519,7 @@ data:
|
|||
accessLog: ""
|
||||
await: true
|
||||
capabilities: null
|
||||
defaultInboundPolicy: ""
|
||||
defaultInboundPolicy: all-unauthenticated
|
||||
enableExternalProfiles: false
|
||||
image:
|
||||
name: cr.l5d.io/linkerd/proxy
|
||||
|
|
@ -835,7 +834,7 @@ spec:
|
|||
- name: LINKERD2_PROXY_POLICY_WORKLOAD
|
||||
value: "$(_pod_ns):$(_pod_name)"
|
||||
- name: LINKERD2_PROXY_INBOUND_DEFAULT_POLICY
|
||||
value: all-unauthenticated
|
||||
value: "all-unauthenticated"
|
||||
- name: LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS
|
||||
value: "10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16"
|
||||
- name: LINKERD2_PROXY_INBOUND_CONNECT_TIMEOUT
|
||||
|
|
@ -1184,7 +1183,7 @@ spec:
|
|||
- name: LINKERD2_PROXY_POLICY_WORKLOAD
|
||||
value: "$(_pod_ns):$(_pod_name)"
|
||||
- name: LINKERD2_PROXY_INBOUND_DEFAULT_POLICY
|
||||
value: all-unauthenticated
|
||||
value: "all-unauthenticated"
|
||||
- name: LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS
|
||||
value: "10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16"
|
||||
- name: LINKERD2_PROXY_INBOUND_CONNECT_TIMEOUT
|
||||
|
|
@ -1596,7 +1595,7 @@ spec:
|
|||
- name: LINKERD2_PROXY_POLICY_WORKLOAD
|
||||
value: "$(_pod_ns):$(_pod_name)"
|
||||
- name: LINKERD2_PROXY_INBOUND_DEFAULT_POLICY
|
||||
value: all-unauthenticated
|
||||
value: "all-unauthenticated"
|
||||
- name: LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS
|
||||
value: "10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16"
|
||||
- name: LINKERD2_PROXY_INBOUND_CONNECT_TIMEOUT
|
||||
|
|
|
|||
|
|
@ -474,7 +474,6 @@ data:
|
|||
podAnnotations: {}
|
||||
podLabels: {}
|
||||
policyController:
|
||||
defaultAllowPolicy: all-unauthenticated
|
||||
image:
|
||||
name: cr.l5d.io/linkerd/policy-controller
|
||||
pullPolicy: ""
|
||||
|
|
@ -522,7 +521,7 @@ data:
|
|||
accessLog: ""
|
||||
await: true
|
||||
capabilities: null
|
||||
defaultInboundPolicy: ""
|
||||
defaultInboundPolicy: all-unauthenticated
|
||||
enableExternalProfiles: false
|
||||
image:
|
||||
name: cr.l5d.io/linkerd/proxy
|
||||
|
|
@ -798,7 +797,7 @@ spec:
|
|||
- name: LINKERD2_PROXY_POLICY_WORKLOAD
|
||||
value: "$(_pod_ns):$(_pod_name)"
|
||||
- name: LINKERD2_PROXY_INBOUND_DEFAULT_POLICY
|
||||
value: all-unauthenticated
|
||||
value: "all-unauthenticated"
|
||||
- name: LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS
|
||||
value: "10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16"
|
||||
- name: LINKERD2_PROXY_INBOUND_CONNECT_TIMEOUT
|
||||
|
|
@ -1067,7 +1066,7 @@ spec:
|
|||
- name: LINKERD2_PROXY_POLICY_WORKLOAD
|
||||
value: "$(_pod_ns):$(_pod_name)"
|
||||
- name: LINKERD2_PROXY_INBOUND_DEFAULT_POLICY
|
||||
value: all-unauthenticated
|
||||
value: "all-unauthenticated"
|
||||
- name: LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS
|
||||
value: "10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16"
|
||||
- name: LINKERD2_PROXY_INBOUND_CONNECT_TIMEOUT
|
||||
|
|
@ -1401,7 +1400,7 @@ spec:
|
|||
- name: LINKERD2_PROXY_POLICY_WORKLOAD
|
||||
value: "$(_pod_ns):$(_pod_name)"
|
||||
- name: LINKERD2_PROXY_INBOUND_DEFAULT_POLICY
|
||||
value: all-unauthenticated
|
||||
value: "all-unauthenticated"
|
||||
- name: LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS
|
||||
value: "10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16"
|
||||
- name: LINKERD2_PROXY_INBOUND_CONNECT_TIMEOUT
|
||||
|
|
|
|||
|
|
@ -467,7 +467,6 @@ data:
|
|||
podAnnotations: {}
|
||||
podLabels: {}
|
||||
policyController:
|
||||
defaultAllowPolicy: default-allow-policy
|
||||
image:
|
||||
name: PolicyControllerImageName
|
||||
pullPolicy: ImagePullPolicy
|
||||
|
|
@ -516,7 +515,7 @@ data:
|
|||
accessLog: ""
|
||||
await: true
|
||||
capabilities: null
|
||||
defaultInboundPolicy: ""
|
||||
defaultInboundPolicy: default-allow-policy
|
||||
enableExternalProfiles: false
|
||||
image:
|
||||
name: ProxyImageName
|
||||
|
|
@ -788,7 +787,7 @@ spec:
|
|||
- name: LINKERD2_PROXY_POLICY_WORKLOAD
|
||||
value: "$(_pod_ns):$(_pod_name)"
|
||||
- name: LINKERD2_PROXY_INBOUND_DEFAULT_POLICY
|
||||
value: all-unauthenticated
|
||||
value: "all-unauthenticated"
|
||||
- name: LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS
|
||||
value: "ClusterNetworks"
|
||||
- name: LINKERD2_PROXY_CONTROL_LISTEN_ADDR
|
||||
|
|
@ -1093,7 +1092,7 @@ spec:
|
|||
- name: LINKERD2_PROXY_POLICY_WORKLOAD
|
||||
value: "$(_pod_ns):$(_pod_name)"
|
||||
- name: LINKERD2_PROXY_INBOUND_DEFAULT_POLICY
|
||||
value: all-unauthenticated
|
||||
value: "all-unauthenticated"
|
||||
- name: LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS
|
||||
value: "ClusterNetworks"
|
||||
- name: LINKERD2_PROXY_CONTROL_LISTEN_ADDR
|
||||
|
|
@ -1470,7 +1469,7 @@ spec:
|
|||
- name: LINKERD2_PROXY_POLICY_WORKLOAD
|
||||
value: "$(_pod_ns):$(_pod_name)"
|
||||
- name: LINKERD2_PROXY_INBOUND_DEFAULT_POLICY
|
||||
value: all-unauthenticated
|
||||
value: "all-unauthenticated"
|
||||
- name: LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS
|
||||
value: "ClusterNetworks"
|
||||
- name: LINKERD2_PROXY_CONTROL_LISTEN_ADDR
|
||||
|
|
@ -1679,7 +1678,7 @@ spec:
|
|||
---
|
||||
apiVersion: v1
|
||||
data:
|
||||
linkerd-config-overrides: Y2xpVmVyc2lvbjogQ2xpVmVyc2lvbgpjbHVzdGVyTmV0d29ya3M6IENsdXN0ZXJOZXR3b3Jrcwpjb250cm9sUGxhbmVUcmFjaW5nTmFtZXNwYWNlOiAiIgpjb250cm9sbGVySW1hZ2U6IENvbnRyb2xsZXJJbWFnZQpjb250cm9sbGVyTG9nRm9ybWF0OiBDb250cm9sbGVyTG9nRm9ybWF0CmNvbnRyb2xsZXJMb2dMZXZlbDogQ29udHJvbGxlckxvZ0xldmVsCmRlYnVnQ29udGFpbmVyOgogIGltYWdlOgogICAgbmFtZTogRGVidWdJbWFnZU5hbWUKICAgIHB1bGxQb2xpY3k6IERlYnVnSW1hZ2VQdWxsUG9saWN5CiAgICB2ZXJzaW9uOiBEZWJ1Z1ZlcnNpb24KZW5hYmxlRW5kcG9pbnRTbGljZXM6IGZhbHNlCmhlYXJ0YmVhdFNjaGVkdWxlOiAxIDIgMyA0IDUKaWRlbnRpdHk6CiAgaXNzdWVyOgogICAgdGxzOgogICAgICBjcnRQRU06IHwKICAgICAgICAtLS0tLUJFR0lOIENFUlRJRklDQVRFLS0tLS0KICAgICAgICBNSUlCd0RDQ0FXZWdBd0lCQWdJUkFKUklnWjhSdE84RXdnMVhlcGY4VDQ0d0NnWUlLb1pJemowRUF3SXdLVEVuCiAgICAgICAgTUNVR0ExVUVBeE1lYVdSbGJuUnBkSGt1YkdsdWEyVnlaQzVqYkhWemRHVnlMbXh2WTJGc01CNFhEVEl3TURneQogICAgICAgIE9EQTNNVE0wTjFvWERUTXdNRGd5TmpBM01UTTBOMW93S1RFbk1DVUdBMVVFQXhNZWFXUmxiblJwZEhrdWJHbHUKICAgICAgICBhMlZ5WkM1amJIVnpkR1Z5TG14dlkyRnNNRmt3RXdZSEtvWkl6ajBDQVFZSUtvWkl6ajBEQVFjRFFnQUUxL0ZwCiAgICAgICAgZmNSbkRjZWRMNkFqVWFYWVB2NERJTUJhSnVmT0k1Tld0eStYU1g3SmpYZ1p0TTcyZFF2UmFZYW51eEQzNkR0MQogICAgICAgIDIvSnh5aVNneEtXUmRvYXkrYU53TUc0d0RnWURWUjBQQVFIL0JBUURBZ0VHTUJJR0ExVWRFd0VCL3dRSU1BWUIKICAgICAgICBBZjhDQVFBd0hRWURWUjBPQkJZRUZJMVducnFNWUthSEhPbyt6cHlpaURxMnBPMEtNQ2tHQTFVZEVRUWlNQ0NDCiAgICAgICAgSG1sa1pXNTBhWFI1TG14cGJtdGxjbVF1WTJ4MWMzUmxjaTVzYjJOaGJEQUtCZ2dxaGtqT1BRUURBZ05IQURCRQogICAgICAgIEFpQXR1b0k1WHVDdHJHVlJ6U21SVGwycmEyOGFWOU15VFU3ZDVxblRBRkhLU2dJZ1JLQ3ZsdU9TZ0E1TzIxcDUKICAgICAgICA1MXRkcm1rSEVaUnIwcWxMU0pkSFlnRWZNems9CiAgICAgICAgLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQogICAgICBrZXlQRU06IHwKICAgICAgICAtLS0tLUJFR0lOIEVDIFBSSVZBVEUgS0VZLS0tLS0KICAgICAgICBNSGNDQVFFRUlBQWU4bmZielp1OWMvT0IyKzh4Sk0wRno3TlV3VFFhenVsa0ZOczRUSTUrb0FvR0NDcUdTTTQ5CiAgICAgICAgQXdFSG9VUURRZ0FFMS9GcGZjUm5EY2VkTDZBalVhWFlQdjRESU1CYUp1Zk9JNU5XdHkrWFNYN0pqWGdadE03MgogICAgICAgIGRRdlJhWWFudXhEMzZEdDEyL0p4eWlTZ3hLV1Jkb2F5K1E9PQogICAgICAgIC0tLS0tRU5EIEVDIFBSSVZBVEUgS0VZLS0tLS0KaWRlbnRpdHlUcnVzdEFuY2hvcnNQRU06IHwKICAtLS0tLUJFR0lOIENFUlRJRklDQVRFLS0tLS0KICBNSUlCd1RDQ0FXYWdBd0lCQWdJUWVEWnA1bERhSXlnUTVVZk1LWnJGQVRBS0JnZ3Foa2pPUFFRREFqQXBNU2N3CiAgSlFZRFZRUURFeDVwWkdWdWRHbDBlUzVzYVc1clpYSmtMbU5zZFhOMFpYSXViRzlqWVd3d0hoY05NakF3T0RJNAogIE1EY3hNalEzV2hjTk16QXdPREkyTURjeE1qUTNXakFwTVNjd0pRWURWUVFERXg1cFpHVnVkR2wwZVM1c2FXNXIKICBaWEprTG1Oc2RYTjBaWEl1Ykc5allXd3dXVEFUQmdjcWhrak9QUUlCQmdncWhrak9QUU1CQndOQ0FBUnFjNzBaCiAgbDF2Z3c3OXJqQjV1U0lUSUNVQTZHeWZ2U0ZmY3VJaXM3Qi9YRlNra3dBSFU1Uy9zMUFBUCtSMFRYN0hCV1VDNAogIHVhRzRXV3Npd0pLTm43bWdvM0F3YmpBT0JnTlZIUThCQWY4RUJBTUNBUVl3RWdZRFZSMFRBUUgvQkFnd0JnRUIKICAvd0lCQVRBZEJnTlZIUTRFRmdRVTVZdGpWVlBmZDdJN05MSHNuMkMyNkVCeUdWMHdLUVlEVlIwUkJDSXdJSUllCiAgYVdSbGJuUnBkSGt1YkdsdWEyVnlaQzVqYkhWemRHVnlMbXh2WTJGc01Bb0dDQ3FHU000OUJBTUNBMGtBTUVZQwogIElRQ043bEJGTEREdmp4NlYwK1hranBLRVJSc0pZZjVhZE12bmxvRmw0OGlsSmdJaEFOdHhobmRjcitRSlB1QzgKICB2Z1VDMGQyLzlGTXVlSVZNYis0NldUQ09qc3FyCiAgLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQppbWFnZVB1bGxQb2xpY3k6IEltYWdlUHVsbFBvbGljeQppbWFnZVB1bGxTZWNyZXRzOiBudWxsCmxpbmtlcmRWZXJzaW9uOiBMaW5rZXJkVmVyc2lvbgpwb2xpY3lDb250cm9sbGVyOgogIGRlZmF1bHRBbGxvd1BvbGljeTogZGVmYXVsdC1hbGxvdy1wb2xpY3kKICBpbWFnZToKICAgIG5hbWU6IFBvbGljeUNvbnRyb2xsZXJJbWFnZU5hbWUKICAgIHB1bGxQb2xpY3k6IEltYWdlUHVsbFBvbGljeQogICAgdmVyc2lvbjogUG9saWN5Q29udHJvbGxlclZlcnNpb24KICBsb2dMZXZlbDogbG9nLWxldmVsCiAgcmVzb3VyY2VzOgogICAgY3B1OgogICAgICBsaW1pdDogY3B1LWxpbWl0CiAgICAgIHJlcXVlc3Q6IGNwdS1yZXF1ZXN0CiAgICBtZW1vcnk6CiAgICAgIGxpbWl0OiBtZW1vcnktbGltaXQKICAgICAgcmVxdWVzdDogbWVtb3J5LXJlcXVlc3QKcG9saWN5VmFsaWRhdG9yOgogIGNhQnVuZGxlOiBwb2xpY3kgdmFsaWRhdG9yIENBIGJ1bmRsZQogIGV4dGVybmFsU2VjcmV0OiB0cnVlCnByaW9yaXR5Q2xhc3NOYW1lOiBQcmlvcml0eUNsYXNzTmFtZQpwcm9maWxlVmFsaWRhdG9yOgogIGNhQnVuZGxlOiBwcm9maWxlIHZhbGlkYXRvciBDQSBidW5kbGUKICBleHRlcm5hbFNlY3JldDogdHJ1ZQpwcm94eToKICBpbWFnZToKICAgIG5hbWU6IFByb3h5SW1hZ2VOYW1lCiAgICBwdWxsUG9saWN5OiBJbWFnZVB1bGxQb2xpY3kKICAgIHZlcnNpb246IFByb3h5VmVyc2lvbgogIGluYm91bmRDb25uZWN0VGltZW91dDogIiIKICBvcGFxdWVQb3J0czogMjUsNDQzLDU4NywzMzA2LDU0MzIsMTEyMTEKICBvdXRib3VuZENvbm5lY3RUaW1lb3V0OiAiIgogIHJlc291cmNlczoKICAgIGNwdToKICAgICAgbGltaXQ6IGNwdS1saW1pdAogICAgICByZXF1ZXN0OiBjcHUtcmVxdWVzdAogICAgbWVtb3J5OgogICAgICBsaW1pdDogbWVtb3J5LWxpbWl0CiAgICAgIHJlcXVlc3Q6IG1lbW9yeS1yZXF1ZXN0CnByb3h5Q29udGFpbmVyTmFtZTogUHJveHlDb250YWluZXJOYW1lCnByb3h5SW5pdDoKICBpZ25vcmVJbmJvdW5kUG9ydHM6ICIiCiAgaWdub3JlT3V0Ym91bmRQb3J0czogIjQ0MyIKICBpbWFnZToKICAgIG5hbWU6IFByb3h5SW5pdEltYWdlTmFtZQogICAgcHVsbFBvbGljeTogSW1hZ2VQdWxsUG9saWN5CiAgICB2ZXJzaW9uOiBQcm94eUluaXRWZXJzaW9uCiAgcmVzb3VyY2VzOgogICAgY3B1OgogICAgICByZXF1ZXN0OiAxMG0KICAgIG1lbW9yeToKICAgICAgbGltaXQ6IDUwTWkKICAgICAgcmVxdWVzdDogMTBNaQpwcm94eUluamVjdG9yOgogIGNhQnVuZGxlOiBwcm94eSBpbmplY3RvciBDQSBidW5kbGUKICBleHRlcm5hbFNlY3JldDogdHJ1ZQp3ZWJob29rRmFpbHVyZVBvbGljeTogV2ViaG9va0ZhaWx1cmVQb2xpY3kK
|
||||
linkerd-config-overrides: Y2xpVmVyc2lvbjogQ2xpVmVyc2lvbgpjbHVzdGVyTmV0d29ya3M6IENsdXN0ZXJOZXR3b3Jrcwpjb250cm9sUGxhbmVUcmFjaW5nTmFtZXNwYWNlOiAiIgpjb250cm9sbGVySW1hZ2U6IENvbnRyb2xsZXJJbWFnZQpjb250cm9sbGVyTG9nRm9ybWF0OiBDb250cm9sbGVyTG9nRm9ybWF0CmNvbnRyb2xsZXJMb2dMZXZlbDogQ29udHJvbGxlckxvZ0xldmVsCmRlYnVnQ29udGFpbmVyOgogIGltYWdlOgogICAgbmFtZTogRGVidWdJbWFnZU5hbWUKICAgIHB1bGxQb2xpY3k6IERlYnVnSW1hZ2VQdWxsUG9saWN5CiAgICB2ZXJzaW9uOiBEZWJ1Z1ZlcnNpb24KZW5hYmxlRW5kcG9pbnRTbGljZXM6IGZhbHNlCmhlYXJ0YmVhdFNjaGVkdWxlOiAxIDIgMyA0IDUKaWRlbnRpdHk6CiAgaXNzdWVyOgogICAgdGxzOgogICAgICBjcnRQRU06IHwKICAgICAgICAtLS0tLUJFR0lOIENFUlRJRklDQVRFLS0tLS0KICAgICAgICBNSUlCd0RDQ0FXZWdBd0lCQWdJUkFKUklnWjhSdE84RXdnMVhlcGY4VDQ0d0NnWUlLb1pJemowRUF3SXdLVEVuCiAgICAgICAgTUNVR0ExVUVBeE1lYVdSbGJuUnBkSGt1YkdsdWEyVnlaQzVqYkhWemRHVnlMbXh2WTJGc01CNFhEVEl3TURneQogICAgICAgIE9EQTNNVE0wTjFvWERUTXdNRGd5TmpBM01UTTBOMW93S1RFbk1DVUdBMVVFQXhNZWFXUmxiblJwZEhrdWJHbHUKICAgICAgICBhMlZ5WkM1amJIVnpkR1Z5TG14dlkyRnNNRmt3RXdZSEtvWkl6ajBDQVFZSUtvWkl6ajBEQVFjRFFnQUUxL0ZwCiAgICAgICAgZmNSbkRjZWRMNkFqVWFYWVB2NERJTUJhSnVmT0k1Tld0eStYU1g3SmpYZ1p0TTcyZFF2UmFZYW51eEQzNkR0MQogICAgICAgIDIvSnh5aVNneEtXUmRvYXkrYU53TUc0d0RnWURWUjBQQVFIL0JBUURBZ0VHTUJJR0ExVWRFd0VCL3dRSU1BWUIKICAgICAgICBBZjhDQVFBd0hRWURWUjBPQkJZRUZJMVducnFNWUthSEhPbyt6cHlpaURxMnBPMEtNQ2tHQTFVZEVRUWlNQ0NDCiAgICAgICAgSG1sa1pXNTBhWFI1TG14cGJtdGxjbVF1WTJ4MWMzUmxjaTVzYjJOaGJEQUtCZ2dxaGtqT1BRUURBZ05IQURCRQogICAgICAgIEFpQXR1b0k1WHVDdHJHVlJ6U21SVGwycmEyOGFWOU15VFU3ZDVxblRBRkhLU2dJZ1JLQ3ZsdU9TZ0E1TzIxcDUKICAgICAgICA1MXRkcm1rSEVaUnIwcWxMU0pkSFlnRWZNems9CiAgICAgICAgLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQogICAgICBrZXlQRU06IHwKICAgICAgICAtLS0tLUJFR0lOIEVDIFBSSVZBVEUgS0VZLS0tLS0KICAgICAgICBNSGNDQVFFRUlBQWU4bmZielp1OWMvT0IyKzh4Sk0wRno3TlV3VFFhenVsa0ZOczRUSTUrb0FvR0NDcUdTTTQ5CiAgICAgICAgQXdFSG9VUURRZ0FFMS9GcGZjUm5EY2VkTDZBalVhWFlQdjRESU1CYUp1Zk9JNU5XdHkrWFNYN0pqWGdadE03MgogICAgICAgIGRRdlJhWWFudXhEMzZEdDEyL0p4eWlTZ3hLV1Jkb2F5K1E9PQogICAgICAgIC0tLS0tRU5EIEVDIFBSSVZBVEUgS0VZLS0tLS0KaWRlbnRpdHlUcnVzdEFuY2hvcnNQRU06IHwKICAtLS0tLUJFR0lOIENFUlRJRklDQVRFLS0tLS0KICBNSUlCd1RDQ0FXYWdBd0lCQWdJUWVEWnA1bERhSXlnUTVVZk1LWnJGQVRBS0JnZ3Foa2pPUFFRREFqQXBNU2N3CiAgSlFZRFZRUURFeDVwWkdWdWRHbDBlUzVzYVc1clpYSmtMbU5zZFhOMFpYSXViRzlqWVd3d0hoY05NakF3T0RJNAogIE1EY3hNalEzV2hjTk16QXdPREkyTURjeE1qUTNXakFwTVNjd0pRWURWUVFERXg1cFpHVnVkR2wwZVM1c2FXNXIKICBaWEprTG1Oc2RYTjBaWEl1Ykc5allXd3dXVEFUQmdjcWhrak9QUUlCQmdncWhrak9QUU1CQndOQ0FBUnFjNzBaCiAgbDF2Z3c3OXJqQjV1U0lUSUNVQTZHeWZ2U0ZmY3VJaXM3Qi9YRlNra3dBSFU1Uy9zMUFBUCtSMFRYN0hCV1VDNAogIHVhRzRXV3Npd0pLTm43bWdvM0F3YmpBT0JnTlZIUThCQWY4RUJBTUNBUVl3RWdZRFZSMFRBUUgvQkFnd0JnRUIKICAvd0lCQVRBZEJnTlZIUTRFRmdRVTVZdGpWVlBmZDdJN05MSHNuMkMyNkVCeUdWMHdLUVlEVlIwUkJDSXdJSUllCiAgYVdSbGJuUnBkSGt1YkdsdWEyVnlaQzVqYkhWemRHVnlMbXh2WTJGc01Bb0dDQ3FHU000OUJBTUNBMGtBTUVZQwogIElRQ043bEJGTEREdmp4NlYwK1hranBLRVJSc0pZZjVhZE12bmxvRmw0OGlsSmdJaEFOdHhobmRjcitRSlB1QzgKICB2Z1VDMGQyLzlGTXVlSVZNYis0NldUQ09qc3FyCiAgLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQppbWFnZVB1bGxQb2xpY3k6IEltYWdlUHVsbFBvbGljeQppbWFnZVB1bGxTZWNyZXRzOiBudWxsCmxpbmtlcmRWZXJzaW9uOiBMaW5rZXJkVmVyc2lvbgpwb2xpY3lDb250cm9sbGVyOgogIGltYWdlOgogICAgbmFtZTogUG9saWN5Q29udHJvbGxlckltYWdlTmFtZQogICAgcHVsbFBvbGljeTogSW1hZ2VQdWxsUG9saWN5CiAgICB2ZXJzaW9uOiBQb2xpY3lDb250cm9sbGVyVmVyc2lvbgogIGxvZ0xldmVsOiBsb2ctbGV2ZWwKICByZXNvdXJjZXM6CiAgICBjcHU6CiAgICAgIGxpbWl0OiBjcHUtbGltaXQKICAgICAgcmVxdWVzdDogY3B1LXJlcXVlc3QKICAgIG1lbW9yeToKICAgICAgbGltaXQ6IG1lbW9yeS1saW1pdAogICAgICByZXF1ZXN0OiBtZW1vcnktcmVxdWVzdApwb2xpY3lWYWxpZGF0b3I6CiAgY2FCdW5kbGU6IHBvbGljeSB2YWxpZGF0b3IgQ0EgYnVuZGxlCiAgZXh0ZXJuYWxTZWNyZXQ6IHRydWUKcHJpb3JpdHlDbGFzc05hbWU6IFByaW9yaXR5Q2xhc3NOYW1lCnByb2ZpbGVWYWxpZGF0b3I6CiAgY2FCdW5kbGU6IHByb2ZpbGUgdmFsaWRhdG9yIENBIGJ1bmRsZQogIGV4dGVybmFsU2VjcmV0OiB0cnVlCnByb3h5OgogIGRlZmF1bHRJbmJvdW5kUG9saWN5OiBkZWZhdWx0LWFsbG93LXBvbGljeQogIGltYWdlOgogICAgbmFtZTogUHJveHlJbWFnZU5hbWUKICAgIHB1bGxQb2xpY3k6IEltYWdlUHVsbFBvbGljeQogICAgdmVyc2lvbjogUHJveHlWZXJzaW9uCiAgaW5ib3VuZENvbm5lY3RUaW1lb3V0OiAiIgogIG9wYXF1ZVBvcnRzOiAyNSw0NDMsNTg3LDMzMDYsNTQzMiwxMTIxMQogIG91dGJvdW5kQ29ubmVjdFRpbWVvdXQ6ICIiCiAgcmVzb3VyY2VzOgogICAgY3B1OgogICAgICBsaW1pdDogY3B1LWxpbWl0CiAgICAgIHJlcXVlc3Q6IGNwdS1yZXF1ZXN0CiAgICBtZW1vcnk6CiAgICAgIGxpbWl0OiBtZW1vcnktbGltaXQKICAgICAgcmVxdWVzdDogbWVtb3J5LXJlcXVlc3QKcHJveHlDb250YWluZXJOYW1lOiBQcm94eUNvbnRhaW5lck5hbWUKcHJveHlJbml0OgogIGlnbm9yZUluYm91bmRQb3J0czogIiIKICBpZ25vcmVPdXRib3VuZFBvcnRzOiAiNDQzIgogIGltYWdlOgogICAgbmFtZTogUHJveHlJbml0SW1hZ2VOYW1lCiAgICBwdWxsUG9saWN5OiBJbWFnZVB1bGxQb2xpY3kKICAgIHZlcnNpb246IFByb3h5SW5pdFZlcnNpb24KICByZXNvdXJjZXM6CiAgICBjcHU6CiAgICAgIHJlcXVlc3Q6IDEwbQogICAgbWVtb3J5OgogICAgICBsaW1pdDogNTBNaQogICAgICByZXF1ZXN0OiAxME1pCnByb3h5SW5qZWN0b3I6CiAgY2FCdW5kbGU6IHByb3h5IGluamVjdG9yIENBIGJ1bmRsZQogIGV4dGVybmFsU2VjcmV0OiB0cnVlCndlYmhvb2tGYWlsdXJlUG9saWN5OiBXZWJob29rRmFpbHVyZVBvbGljeQo=
|
||||
kind: Secret
|
||||
metadata:
|
||||
creationTimestamp: null
|
||||
|
|
|
|||
|
|
@ -474,7 +474,6 @@ data:
|
|||
podAnnotations: {}
|
||||
podLabels: {}
|
||||
policyController:
|
||||
defaultAllowPolicy: all-unauthenticated
|
||||
image:
|
||||
name: cr.l5d.io/linkerd/policy-controller
|
||||
pullPolicy: ""
|
||||
|
|
@ -522,7 +521,7 @@ data:
|
|||
accessLog: ""
|
||||
await: true
|
||||
capabilities: null
|
||||
defaultInboundPolicy: ""
|
||||
defaultInboundPolicy: all-unauthenticated
|
||||
enableExternalProfiles: false
|
||||
image:
|
||||
name: cr.l5d.io/linkerd/proxy
|
||||
|
|
@ -798,7 +797,7 @@ spec:
|
|||
- name: LINKERD2_PROXY_POLICY_WORKLOAD
|
||||
value: "$(_pod_ns):$(_pod_name)"
|
||||
- name: LINKERD2_PROXY_INBOUND_DEFAULT_POLICY
|
||||
value: all-unauthenticated
|
||||
value: "all-unauthenticated"
|
||||
- name: LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS
|
||||
value: "10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16"
|
||||
- name: LINKERD2_PROXY_INBOUND_CONNECT_TIMEOUT
|
||||
|
|
@ -1104,7 +1103,7 @@ spec:
|
|||
- name: LINKERD2_PROXY_POLICY_WORKLOAD
|
||||
value: "$(_pod_ns):$(_pod_name)"
|
||||
- name: LINKERD2_PROXY_INBOUND_DEFAULT_POLICY
|
||||
value: all-unauthenticated
|
||||
value: "all-unauthenticated"
|
||||
- name: LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS
|
||||
value: "10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16"
|
||||
- name: LINKERD2_PROXY_INBOUND_CONNECT_TIMEOUT
|
||||
|
|
@ -1475,7 +1474,7 @@ spec:
|
|||
- name: LINKERD2_PROXY_POLICY_WORKLOAD
|
||||
value: "$(_pod_ns):$(_pod_name)"
|
||||
- name: LINKERD2_PROXY_INBOUND_DEFAULT_POLICY
|
||||
value: all-unauthenticated
|
||||
value: "all-unauthenticated"
|
||||
- name: LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS
|
||||
value: "10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16"
|
||||
- name: LINKERD2_PROXY_INBOUND_CONNECT_TIMEOUT
|
||||
|
|
|
|||
|
|
@ -474,7 +474,6 @@ data:
|
|||
podAnnotations: {}
|
||||
podLabels: {}
|
||||
policyController:
|
||||
defaultAllowPolicy: all-unauthenticated
|
||||
image:
|
||||
name: cr.l5d.io/linkerd/policy-controller
|
||||
pullPolicy: ""
|
||||
|
|
@ -522,7 +521,7 @@ data:
|
|||
accessLog: ""
|
||||
await: true
|
||||
capabilities: null
|
||||
defaultInboundPolicy: ""
|
||||
defaultInboundPolicy: all-unauthenticated
|
||||
enableExternalProfiles: false
|
||||
image:
|
||||
name: cr.l5d.io/linkerd/proxy
|
||||
|
|
@ -798,7 +797,7 @@ spec:
|
|||
- name: LINKERD2_PROXY_POLICY_WORKLOAD
|
||||
value: "$(_pod_ns):$(_pod_name)"
|
||||
- name: LINKERD2_PROXY_INBOUND_DEFAULT_POLICY
|
||||
value: all-unauthenticated
|
||||
value: "all-unauthenticated"
|
||||
- name: LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS
|
||||
value: "10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16"
|
||||
- name: LINKERD2_PROXY_INBOUND_CONNECT_TIMEOUT
|
||||
|
|
@ -1104,7 +1103,7 @@ spec:
|
|||
- name: LINKERD2_PROXY_POLICY_WORKLOAD
|
||||
value: "$(_pod_ns):$(_pod_name)"
|
||||
- name: LINKERD2_PROXY_INBOUND_DEFAULT_POLICY
|
||||
value: all-unauthenticated
|
||||
value: "all-unauthenticated"
|
||||
- name: LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS
|
||||
value: "10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16"
|
||||
- name: LINKERD2_PROXY_INBOUND_CONNECT_TIMEOUT
|
||||
|
|
@ -1475,7 +1474,7 @@ spec:
|
|||
- name: LINKERD2_PROXY_POLICY_WORKLOAD
|
||||
value: "$(_pod_ns):$(_pod_name)"
|
||||
- name: LINKERD2_PROXY_INBOUND_DEFAULT_POLICY
|
||||
value: all-unauthenticated
|
||||
value: "all-unauthenticated"
|
||||
- name: LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS
|
||||
value: "10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16"
|
||||
- name: LINKERD2_PROXY_INBOUND_CONNECT_TIMEOUT
|
||||
|
|
|
|||
|
|
@ -139,11 +139,10 @@ type (
|
|||
|
||||
// PolicyController contains the fields to configure the policy controller container
|
||||
PolicyController struct {
|
||||
Image *Image `json:"image"`
|
||||
Resources *Resources `json:"resources"`
|
||||
LogLevel string `json:"logLevel"`
|
||||
DefaultAllowPolicy string `json:"defaultAllowPolicy"`
|
||||
ProbeNetworks []string `json:"probeNetworks"`
|
||||
Image *Image `json:"image"`
|
||||
Resources *Resources `json:"resources"`
|
||||
LogLevel string `json:"logLevel"`
|
||||
ProbeNetworks []string `json:"probeNetworks"`
|
||||
}
|
||||
|
||||
// Image contains the details to define a container image
|
||||
|
|
|
|||
|
|
@ -71,8 +71,7 @@ func TestNewValues(t *testing.T) {
|
|||
Image: &Image{
|
||||
Name: "cr.l5d.io/linkerd/policy-controller",
|
||||
},
|
||||
LogLevel: "info",
|
||||
DefaultAllowPolicy: "all-unauthenticated",
|
||||
LogLevel: "info",
|
||||
Resources: &Resources{
|
||||
CPU: Constraints{
|
||||
Limit: "",
|
||||
|
|
@ -115,6 +114,7 @@ func TestNewValues(t *testing.T) {
|
|||
InboundConnectTimeout: "100ms",
|
||||
OpaquePorts: "25,587,3306,4444,5432,6379,9300,11211",
|
||||
Await: true,
|
||||
DefaultInboundPolicy: "all-unauthenticated",
|
||||
},
|
||||
ProxyInit: &ProxyInit{
|
||||
IptablesMode: "legacy",
|
||||
|
|
|
|||
|
|
@ -159,8 +159,8 @@ func TestInstallOrUpgradeCli(t *testing.T) {
|
|||
vizArgs = append(vizArgs, "--set", fmt.Sprintf("clusterDomain=%s", TestHelper.GetClusterDomain()))
|
||||
}
|
||||
|
||||
if policy := TestHelper.DefaultAllowPolicy(); policy != "" {
|
||||
args = append(args, "--set", "policyController.defaultAllowPolicy="+policy)
|
||||
if policy := TestHelper.DefaultInboundPolicy(); policy != "" {
|
||||
args = append(args, "--set", "proxy.defaultInboundPolicy="+policy)
|
||||
}
|
||||
|
||||
if TestHelper.UpgradeFromVersion() != "" {
|
||||
|
|
@ -656,11 +656,8 @@ func TestOverridesSecret(t *testing.T) {
|
|||
knownKeys["cniEnabled"] = true
|
||||
}
|
||||
|
||||
if policy := TestHelper.DefaultAllowPolicy(); policy != "" {
|
||||
if _, ok := knownKeys["policyController"]; !ok {
|
||||
knownKeys["policyController"] = tree.Tree{}
|
||||
}
|
||||
knownKeys["policyController"].(tree.Tree)["defaultAllowPolicy"] = policy
|
||||
if policy := TestHelper.DefaultInboundPolicy(); policy != "" {
|
||||
knownKeys["proxy"].(tree.Tree)["defaultInboundPolicy"] = policy
|
||||
}
|
||||
|
||||
// Check if the keys in overridesTree match with knownKeys
|
||||
|
|
|
|||
|
|
@ -25,22 +25,22 @@ import (
|
|||
|
||||
// TestHelper provides helpers for running the linkerd integration tests.
|
||||
type TestHelper struct {
|
||||
linkerd string
|
||||
version string
|
||||
namespace string
|
||||
vizNamespace string
|
||||
upgradeFromVersion string
|
||||
clusterDomain string
|
||||
externalIssuer bool
|
||||
externalPrometheus bool
|
||||
multicluster bool
|
||||
multiclusterSrcCtx string
|
||||
multiclusterTgtCtx string
|
||||
uninstall bool
|
||||
cni bool
|
||||
calico bool
|
||||
defaultAllowPolicy string
|
||||
httpClient http.Client
|
||||
linkerd string
|
||||
version string
|
||||
namespace string
|
||||
vizNamespace string
|
||||
upgradeFromVersion string
|
||||
clusterDomain string
|
||||
externalIssuer bool
|
||||
externalPrometheus bool
|
||||
multicluster bool
|
||||
multiclusterSrcCtx string
|
||||
multiclusterTgtCtx string
|
||||
uninstall bool
|
||||
cni bool
|
||||
calico bool
|
||||
defaultInboundPolicy string
|
||||
httpClient http.Client
|
||||
KubernetesHelper
|
||||
helm
|
||||
installedExtensions []string
|
||||
|
|
@ -205,7 +205,7 @@ func NewTestHelper() *TestHelper {
|
|||
uninstall := flag.Bool("uninstall", false, "whether to run the 'linkerd uninstall' integration test")
|
||||
cni := flag.Bool("cni", false, "whether to install linkerd with CNI enabled")
|
||||
calico := flag.Bool("calico", false, "whether to install calico CNI plugin")
|
||||
defaultAllowPolicy := flag.String("default-allow-policy", "", "if non-empty, passed to --set policyController.defaultAllowPolicy at linkerd's install time")
|
||||
defaultInboundPolicy := flag.String("default-inbound-policy", "", "if non-empty, passed to --set proxy.defaultInboundPolicy at linkerd's install time")
|
||||
flag.Parse()
|
||||
|
||||
if !*runTests {
|
||||
|
|
@ -246,13 +246,13 @@ func NewTestHelper() *TestHelper {
|
|||
multiclusterReleaseName: *multiclusterHelmReleaseName,
|
||||
upgradeFromVersion: *upgradeHelmFromVersion,
|
||||
},
|
||||
clusterDomain: *clusterDomain,
|
||||
externalIssuer: *externalIssuer,
|
||||
externalPrometheus: *externalPrometheus,
|
||||
cni: *cni,
|
||||
calico: *calico,
|
||||
uninstall: *uninstall,
|
||||
defaultAllowPolicy: *defaultAllowPolicy,
|
||||
clusterDomain: *clusterDomain,
|
||||
externalIssuer: *externalIssuer,
|
||||
externalPrometheus: *externalPrometheus,
|
||||
cni: *cni,
|
||||
calico: *calico,
|
||||
uninstall: *uninstall,
|
||||
defaultInboundPolicy: *defaultInboundPolicy,
|
||||
}
|
||||
|
||||
version, err := testHelper.LinkerdRun("version", "--client", "--short")
|
||||
|
|
@ -375,9 +375,9 @@ func (h *TestHelper) Uninstall() bool {
|
|||
return h.uninstall
|
||||
}
|
||||
|
||||
// DefaultAllowPolicy returns the override value for policyController.defaultAllowPolicy
|
||||
func (h *TestHelper) DefaultAllowPolicy() string {
|
||||
return h.defaultAllowPolicy
|
||||
// DefaultInboundPolicy returns the override value for proxy.defaultInboundPolicy
|
||||
func (h *TestHelper) DefaultInboundPolicy() string {
|
||||
return h.defaultInboundPolicy
|
||||
}
|
||||
|
||||
// UpgradeFromVersion returns the base version of the upgrade test.
|
||||
|
|
|
|||
Loading…
Reference in New Issue