Newer versions of golangci-lint flag `http.Server` instances that do not
set a `ReadHeaderTimeout` as being vulnerable to "slowloris" attacks,
wherein clients initiate requests that hold connections open
indefinitely.
This change sets a `ReadHeaderTimeout` of 10s. This timeout is fairly
conservative so that clients can eagerly create connections, but is
still constrained enough that these connections won't remain open
indefinitely.
This change also updates kubert to v0.9.1, which instruments a header
read timeout on the policy admission server.
Signed-off-by: Oliver Gould <ver@buoyant.io>
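To make the slowloris point concrete, here is an added example (not linkerd2 code, and not the linter's own check): the unguarded `http.Server` shape that golangci-lint flags, the hardened form with `ReadHeaderTimeout`, and a deliberately stalled client that shows how the two behave. The loopback address, the 200ms timeout used for the demonstration and the handler are assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"net/http"
	"time"
)

// Added example, not linkerd2 code: the unguarded http.Server that the linter
// flags, the hardened form with ReadHeaderTimeout, and a stalled client that
// shows the difference in behaviour. Addresses and timeouts are assumptions.

// unsafeServer sets no header read timeout: a client that sends part of a
// request and then goes quiet holds its connection, and a server goroutine,
// open for as long as it likes.
func unsafeServer(h http.Handler) *http.Server {
	return &http.Server{Handler: h}
}

// hardenedServer bounds how long the server waits for a complete request
// header; a stalled connection is closed once the timeout expires.
func hardenedServer(h http.Handler, readHeaderTimeout time.Duration) *http.Server {
	return &http.Server{Handler: h, ReadHeaderTimeout: readHeaderTimeout}
}

// checkHeaderTimeout is the lint-style check: ReadHeaderTimeout must be set.
// (net/http falls back to ReadTimeout when ReadHeaderTimeout is zero, so a
// positive ReadTimeout also satisfies the check.)
func checkHeaderTimeout(s *http.Server) error {
	if s.ReadHeaderTimeout > 0 || s.ReadTimeout > 0 {
		return nil
	}
	return errors.New("http.Server has neither ReadHeaderTimeout nor ReadTimeout: vulnerable to slowloris")
}

// stalledClientClosed serves s on an ephemeral loopback port, connects, sends
// an incomplete request header and never finishes it. It reports whether the
// server closed the connection within wait (true) or kept it open (false).
func stalledClientClosed(s *http.Server, wait time.Duration) (bool, error) {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return false, err
	}
	go func() { _ = s.Serve(ln) }()
	defer s.Close()

	conn, err := net.Dial("tcp", ln.Addr().String())
	if err != nil {
		return false, err
	}
	defer conn.Close()

	// Header without the terminating blank line: the request never completes.
	if _, err := conn.Write([]byte("GET / HTTP/1.1\r\nHost: example.test\r\n")); err != nil {
		return false, err
	}
	if err := conn.SetReadDeadline(time.Now().Add(wait)); err != nil {
		return false, err
	}
	_, err = conn.Read(make([]byte, 1))
	if err == nil {
		return false, errors.New("server answered an incomplete request")
	}
	var ne net.Error
	if errors.As(err, &ne) && ne.Timeout() {
		return false, nil // our own deadline expired first: the server is still waiting
	}
	return true, nil // EOF or reset: the server dropped the slow client
}

func main() {
	h := http.NotFoundHandler()
	for name, s := range map[string]*http.Server{
		"unguarded": unsafeServer(h),
		"hardened":  hardenedServer(h, 200*time.Millisecond),
	} {
		closed, err := stalledClientClosed(s, time.Second)
		fmt.Printf("%-9s lint=%v closedStalledClient=%v err=%v\n", name, checkHeaderTimeout(s), closed, err)
	}
}
```

When the timeout fires, net/http treats the read timeout like any other failed read and simply closes the connection without writing a response, which is why the stalled client sees EOF rather than a 408. A 10s value, as chosen in the commit, gives legitimate clients ample time to finish a header while still bounding how long each idle goroutine survives.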
The arm64 integration tests require that the TAG env variable is set properly so that they can invoke the correct tag of the cni-plugin image. However, this env variable is not being set for the integration tests, resulting in the wrong tag being used.
e.g. see https://github.com/linkerd/linkerd2/runs/7810461484?check_suite_focus=true
We set the TAG variable into the GITHUB_ENV so that it is available to the integration test.
Signed-off-by: Alex Leong <alex@buoyant.io>
Closes #9145
This adds the `config.linkerd.io/default-inbound-policy: all-authenticated`
annotation to linkerd-multicluster’s Gateway deployment so that all clients are
required to be authenticated. This ensures that clients — including those for
the `/metrics` and `/env.json` routes — are authenticated.
Signed-off-by: Kevin Leimkuhler <kleimkuhler@icloud.com>
* Update the devcontainer to use Node 16
* Update markdownlint-cli2 to v0.5.1
* Update the markdown workflow to use a newer action
* Address various markdown linting issues
* Add a `just markdownlint` recipe
* Publish dev:v26
Signed-off-by: Oliver Gould <ver@buoyant.io>
* Properly inherit `linkerd.io/inject: ingress` from NS to workload
Workloads were inheriting it as the default `enabled` mode.
Introduced a new entry in the inject integration test to catch this.
This fix is paired with the ingress doc clarification PR linkerd/website#1398
The proxy-init repo is changing its structure and, as such, we want to
minimize cross-repo dependencies from linkerd2 to linkerd2-proxy-init.
(We expect the cni-plugin code to move in a followup change).
This change duplicates the port range parsing utility (about 50 lines,
plus tests). This avoids stray dependencies on linkerd2-proxy-init.
Signed-off-by: Oliver Gould <ver@buoyant.io>
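The commit does not show the parsing utility it copies, so the following is an added example, not the code moved in this change or anything from linkerd2-proxy-init. The accepted syntax is an assumption: a comma-separated list in which each entry is either a single port or an inclusive `lower-upper` range (for example `22,80-443,8080`). The point of the edge-case handling is that a malformed entry must fail the whole list rather than silently widen or shrink a set of skipped or redirected ports.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Added example, not the code copied in this commit: a port-range parser of
// the kind the message refers to. The accepted syntax is an assumption:
// comma-separated entries, each either a single port or an inclusive
// "lower-upper" range, for example "22,80-443,8080".

// PortRange is an inclusive range of TCP ports.
type PortRange struct {
	Lower, Upper uint16
}

// Contains reports whether p falls inside the range.
func (r PortRange) Contains(p uint16) bool {
	return p >= r.Lower && p <= r.Upper
}

// parsePort rejects non-numeric input, port 0 and anything above 65535.
func parsePort(s string) (uint16, error) {
	n, err := strconv.ParseUint(strings.TrimSpace(s), 10, 16)
	if err != nil {
		return 0, fmt.Errorf("invalid port %q: %w", s, err)
	}
	if n == 0 {
		return 0, fmt.Errorf("invalid port %q: port 0 is not allowed", s)
	}
	return uint16(n), nil
}

// ParsePortRange parses "80" or "80-443"; an inverted range such as
// "443-80" or a half-open one such as "80-" is an error.
func ParsePortRange(s string) (PortRange, error) {
	lo, hi, isRange := strings.Cut(s, "-")
	lower, err := parsePort(lo)
	if err != nil {
		return PortRange{}, err
	}
	if !isRange {
		return PortRange{Lower: lower, Upper: lower}, nil
	}
	upper, err := parsePort(hi)
	if err != nil {
		return PortRange{}, err
	}
	if upper < lower {
		return PortRange{}, fmt.Errorf("invalid range %q: upper bound below lower bound", s)
	}
	return PortRange{Lower: lower, Upper: upper}, nil
}

// ParsePortRanges parses the full comma-separated list. Empty entries (for
// example a trailing comma) are ignored; any malformed entry fails the whole
// list so that a typo cannot silently change the resulting port set.
func ParsePortRanges(s string) ([]PortRange, error) {
	var out []PortRange
	for _, item := range strings.Split(s, ",") {
		item = strings.TrimSpace(item)
		if item == "" {
			continue
		}
		r, err := ParsePortRange(item)
		if err != nil {
			return nil, err
		}
		out = append(out, r)
	}
	return out, nil
}

// Covers reports whether any range in rs contains p.
func Covers(rs []PortRange, p uint16) bool {
	for _, r := range rs {
		if r.Contains(p) {
			return true
		}
	}
	return false
}

func main() {
	rs, err := ParsePortRanges("22, 80-443, 8080")
	fmt.Println(rs, err, Covers(rs, 443), Covers(rs, 444))
	_, err = ParsePortRanges("443-80")
	fmt.Println(err)
}
```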
This release is considered a release candidate for stable-2.12.0 and we
encourage you to try it out! It includes an update to the multicluster extension
which adds support for Kubernetes v1.24 and also updates many CLI commands to
support the new policy resources: ServerAuthorization and HTTPRoute.
* Updated linkerd check to allow RSA signed trust anchors (thanks @danibaeyens)
* Fixed some invalid yaml in the viz extension's tap-injector template (thanks @wc-s)
* Added support for AuthorizationPolicy and HttpRoute to viz authz command
* Added support for AuthorizationPolicy and HttpRoute to viz stat
* Added support for policy metadata in linkerd tap
* Fixed an issue where certain control plane components were not restarting as
necessary after a trust root rotation
* Added a ServiceAccount token Secret to the multicluster extension to support
Kubernetes versions >= v1.24
* Fixed an issue where the --default-inbound-policy setting was not being
respected
Signed-off-by: Alex Leong <alex@buoyant.io>
When Linkerd is installed with the `--default-inbound-policy` flag, this value gets propagated to the `proxy.defaultInboundPolicy` value which sets the `LINKERD2_PROXY_INBOUND_DEFAULT_POLICY` proxy env var, but not to the `policyController.defaultAllowPolicy` value which sets the `--default-policy` flag on the policy-controller.
Since the policy-controller returns default servers when a server resource does not exist, this causes the `--default-inbound-policy` value to be effectively ignored. We update this to set the `PolicyController.DefaultAllowPolicy` value which is used by the proxy as the default when `proxy.defaultInboundPolicy` is not set.
Signed-off-by: Alex Leong <alex@buoyant.io>
cargo-nextest may not be available when we're running in CI (i.e. for
integration tests). This change restores the fallback behavior to use
cargo-test when cargo-nextest isn't present.
This change updates the integration tests to run policy tests on
justfile changes to catch this sort of problem.
Signed-off-by: Oliver Gould <ver@buoyant.io>
Signed-off-by: Oliver Gould <ver@buoyant.io>
* Go v1.18.5
* Just v1.4.0
* Nextest v0.9.33
* Update the devcontainer version to v25
* justfile: Use `cargo-nextest` exclusively
* justfile: Fix `_k3d-init` recipe to use proper configured k3d cluster name
* justfile: Add `k3d-use` recipe to switch the default context
Signed-off-by: Oliver Gould <ver@buoyant.io>
Signed-off-by: Oliver Gould <ver@buoyant.io>
Create SA token for mc remote access
As of Kubernetes v1.24, ServiceAccount secrets are no longer
automatically generated. The multicluster `link` requires a token
associated with the 'linkerd-service-mirror-remote-access-default'
ServiceAccount in order to create a kubeconfig that can be used to
create remote clients.
Since tokens are no longer generated when a ServiceAccount is created,
linking clusters is not currently possible in Kubernetes v1.24. This
change introduces a new Secret object, whose type is a "service account
secret", and whose associated ServiceAccount is our remote access SA.
By creating the Secret manually (and associating it with our SA through
annotations), a token will be created by the relevant k8s controllers.
As a result of manually creating a secret, versions smaller than v1.24
will now have two tokens created for the ServiceAccount.
Signed-off-by: Matei David <matei@buoyant.io>
Co-authored-by: Alejandro Pedraza <alejandro@buoyant.io>
Fixes #9022
When updating the Linkerd trust root, for example by running a command like `linkerd upgrade --identity-trust-anchors-file=./bundle.crt | kubectl apply -f -` as described in the [trust root rotation docs](https://linkerd.io/2.11/tasks/manually-rotating-control-plane-tls-credentials/#rotating-the-trust-anchor), the trust root is updated in the Linkerd config, but the identity controller does not restart and does not pick up the new root.
We add a trust root checksum annotation which causes the control plane deployments to change when the trust anchor changes, and thus causes them to restart.
Signed-off-by: Alex Leong <alex@buoyant.io>
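The mechanism the commit relies on is that a Deployment's pod template is part of what the controller compares, so any change to a template annotation triggers a rollout. The following is an added example of that pattern and not linkerd2's implementation: the annotation key, the decision to hash the DER bytes of each CERTIFICATE block rather than the raw file, and the constructed PEM bundles (whose bodies are arbitrary bytes, not real certificates) are all assumptions.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"encoding/pem"
	"errors"
	"fmt"
)

// Added example, not linkerd2's implementation: a checksum annotation of the
// kind the commit describes. The annotation key, the choice to hash decoded
// CERTIFICATE blocks rather than the raw file, and the sample bundles are
// all assumptions.

const trustRootChecksumAnnotation = "example.linkerd.io/trust-root-sha256" // assumed key

// TrustRootChecksum hashes the DER contents of every CERTIFICATE block in a
// PEM bundle. Hashing the decoded certificates rather than the file means
// that re-wrapping, comments or trailing whitespace do not trigger a restart,
// while adding, removing or replacing an anchor always does. Each block is
// folded in as a fixed-size digest so concatenation boundaries are unambiguous.
func TrustRootChecksum(bundle []byte) (string, error) {
	h := sha256.New()
	certs := 0
	for rest := bundle; len(rest) > 0; {
		var block *pem.Block
		block, rest = pem.Decode(rest)
		if block == nil {
			break
		}
		if block.Type != "CERTIFICATE" {
			continue
		}
		d := sha256.Sum256(block.Bytes)
		h.Write(d[:])
		certs++
	}
	if certs == 0 {
		return "", errors.New("trust bundle contains no CERTIFICATE blocks")
	}
	return hex.EncodeToString(h.Sum(nil)), nil
}

// WithTrustRootChecksum returns a copy of a pod template's annotations with
// the checksum set. Because the annotation lives on the pod template, a new
// value changes the template and the Deployment controller rolls the pods,
// which is how the identity controller comes to load the new root.
func WithTrustRootChecksum(annotations map[string]string, bundle []byte) (map[string]string, error) {
	sum, err := TrustRootChecksum(bundle)
	if err != nil {
		return nil, err
	}
	out := make(map[string]string, len(annotations)+1)
	for k, v := range annotations {
		out[k] = v
	}
	out[trustRootChecksumAnnotation] = sum
	return out, nil
}

// NeedsRollout reports whether the annotation on the currently deployed pod
// template is missing or differs from the bundle in the config.
func NeedsRollout(deployed map[string]string, bundle []byte) (bool, error) {
	sum, err := TrustRootChecksum(bundle)
	if err != nil {
		return false, err
	}
	return deployed[trustRootChecksumAnnotation] != sum, nil
}

// fakeBundle builds a constructed PEM bundle for demonstration; the block
// bodies are arbitrary bytes, not real certificates.
func fakeBundle(comment string, ders ...[]byte) []byte {
	out := []byte(comment)
	for _, der := range ders {
		out = append(out, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})...)
	}
	return out
}

func main() {
	current := fakeBundle("", []byte("anchor-A"))
	rotated := fakeBundle("# rotated\n", []byte("anchor-A"), []byte("anchor-B"))
	ann, _ := WithTrustRootChecksum(map[string]string{"app": "identity"}, current)
	needs, _ := NeedsRollout(ann, rotated)
	fmt.Println(ann[trustRootChecksumAnnotation], needs)
}
```

Rotating the trust anchor in the config then changes the annotation, and the resulting rollout is what replaces the `linkerd upgrade | kubectl apply` run that previously left the identity controller holding the old root.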
The `linkerd viz tap` command receives destination metadata labels from the proxy, but only picks out a few to display. Namely, the destination workload resource, pod name, and namespace. However, there are other useful destination metadata labels which are not displayed, such as the server, route, and authorization.
We update the tap command to display all dst labels, including the policy related ones.
Signed-off-by: Alex Leong <alex@buoyant.io>
We updated the `linkerd viz stat` command so that it may target ServerAuthorization and HTTPRoute resources.
For HTTPRoute, we also add an `Unauthorized` column which mirrors the column of the same name when printing stats for `Servers`. This shows the RPS of denied requests to the target HTTPRoute. Furthermore, we also add a "Server" column which shows which Server the route is attached to.
Sample output:
```console
> linkerd -n emojivoto viz stat authorizationpolicies
NAME              SUCCESS   RPS      LATENCY_P50   LATENCY_P95   LATENCY_P99
emoji-grpc        100.00%   2.0rps   1ms           1ms           1ms
linkerd-metrics   100.00%   0.4rps   1ms           1ms           1ms
linkerd-probes    100.00%   0.8rps   1ms           1ms           1ms
prom              -         -        -             -             -
web-public        50.00%    2.0rps   1ms           2ms           2ms
> linkerd -n emojivoto viz stat httproutes
NAME              SERVER          UNAUTHORIZED   SUCCESS   RPS      LATENCY_P50   LATENCY_P95   LATENCY_P99
linkerd-metrics   linkerd-admin   0.0rps         100.00%   0.4rps   1ms           1ms           1ms
linkerd-probes    linkerd-admin   0.0rps         100.00%   0.8rps   1ms           1ms           1ms
```
Signed-off-by: Alex Leong <alex@buoyant.io>
The `linkerd viz authz` command shows metrics for all ServerAuthorizations which belong to Servers of the given resource. Now that we have AuthorizationPolicies in addition to ServerAuthorizations, we need to update this command to display those as well. We would also like to augment this with HTTPRoute data when an AuthorizationPolicy targets a HTTPRoute.
We add 2 new columns to the output: Route and AuthorizationPolicy. The new behavior of this command is that it finds all Servers of the given resource, and displays metrics for those Servers, broken down by HTTPRoute and authorization, filling in either the AuthorizationPolicy or ServerAuthorization column as appropriate. We also add a row with the authorization displayed as [UNAUTHORIZED] to show the RPS of denied requests.
```console
> linkerd viz authz -n emojivoto deploy
ROUTE SERVER AUTHORIZATION_POLICY SERVER_AUTHORIZATION SUCCESS RPS LATENCY_P50 LATENCY_P95 LATENCY_P99
default emoji-grpc emoji-grpc 100.00% 2.0rps 1ms 1ms 1ms
linkerd-probes linkerd-admin linkerd-probes 100.00% 1.2rps 1ms 2ms 2ms
default voting-grpc [UNAUTHORIZED] [UNAUTHORIZED] - 1.0rps - - -
default web-http web-public 50.00% 2.0rps 2ms 3ms 9ms
```
Signed-off-by: Alex Leong <alex@buoyant.io>
The Kubernetes extension includes syntax awareness for our Helm template
files. This change updates the devcontainer configuration to include
this extension by default.
Signed-off-by: Oliver Gould <ver@buoyant.io>
Problem
If using imagePullSecrets, the tap-injector Service Account will render into an invalid k8s manifest.
Solution
Render the imagePullSecrets after `metadata.labels` are correctly rendered.
Validation
Used `helm template` after the fix, and I no longer run into the error message.
Fixes #9109
Signed-off-by: Weichung Shaw <weichung.shaw@gmail.com>
Co-authored-by: Weichung Shaw <weichung@weichung-xps-13-7390.cust.communityfibre.co.uk>
It can be difficult to understand why a given module is a part of our Go
dependencies. This change adds utility scripts--inspired by Rust's
`cargo tree`--that use `go mod graph` to inspect Go dependencies.
* `go-mod-tree` -- like `cargo tree`, prints all dependencies from an
optional root module.
* `go-mod-versions` -- enumerates all versions of a module in the Go
dependency graph
* `go-mod-why` -- like `cargo tree -i`, prints the tree of modules that
depend on a given module.
Signed-off-by: Oliver Gould <ver@buoyant.io>
* Allows RSA signed trust anchors on linkerd cli (#7771)
Linkerd currently forces using an ECDSA P-256
issuer certificate along with a ECDSA trust
anchor. Still, it's still cryptographically valid
to have an ECDSA P-256 issuer certificate issued
by an RSA signed CA.
CheckCertAlgoRequirements checks if CA cert uses
ECDSA or RSA 2048/4096 signing algorithm.
Fixes #7771
Signed-off-by: Baeyens, Daniel <daniel.baeyens@gmail.com>
Co-authored-by: Alejandro Pedraza <alejandro@buoyant.io>
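As an added example (not the linkerd CLI's own `CheckCertAlgoRequirements`), the following applies the rule the commit states, ECDSA P-256 or RSA with a 2048- or 4096-bit modulus, to a constructed chain in which an ECDSA P-256 issuer certificate is signed by an RSA trust anchor, and then confirms that the issuer really chains to the anchor. Subject names, validity periods and serial numbers are assumptions; the key material is generated on the fly.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Added example, not the linkerd CLI's code: the key-algorithm rule the
// commit describes (ECDSA P-256, or RSA 2048/4096) applied to a constructed
// RSA-anchor / ECDSA-issuer chain. Names, lifetimes and serials are assumptions.

// CheckCertAlgoRequirements accepts a certificate whose key is ECDSA P-256
// or RSA-2048/4096 and rejects everything else, including weaker RSA moduli
// and other curves.
func CheckCertAlgoRequirements(cert *x509.Certificate) error {
	switch pub := cert.PublicKey.(type) {
	case *ecdsa.PublicKey:
		if pub.Curve != elliptic.P256() {
			return fmt.Errorf("%s: ECDSA key must use P-256, got %s", cert.Subject.CommonName, pub.Curve.Params().Name)
		}
	case *rsa.PublicKey:
		if bits := pub.N.BitLen(); bits != 2048 && bits != 4096 {
			return fmt.Errorf("%s: RSA key must be 2048 or 4096 bits, got %d", cert.Subject.CommonName, bits)
		}
	default:
		return fmt.Errorf("%s: unsupported key type %T", cert.Subject.CommonName, cert.PublicKey)
	}
	return nil
}

// CheckIssuerChain applies the key rule to both certificates and then
// verifies that the issuer chains to the anchor, so a mixed RSA-anchor /
// ECDSA-issuer pair passes only when the RSA signature over the issuer is valid.
func CheckIssuerChain(anchor, issuer *x509.Certificate) error {
	for _, c := range []*x509.Certificate{anchor, issuer} {
		if err := CheckCertAlgoRequirements(c); err != nil {
			return err
		}
	}
	roots := x509.NewCertPool()
	roots.AddCert(anchor)
	_, err := issuer.Verify(x509.VerifyOptions{
		Roots:     roots,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny},
	})
	return err
}

// newCA creates a CA certificate for key. With a nil parent it is
// self-signed; otherwise it is signed by parentKey under parent.
func newCA(name string, key crypto.Signer, parent *x509.Certificate, parentKey crypto.Signer) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, key.Public(), parentKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// MixedChain builds the pair this commit allows: an RSA-2048 self-signed
// trust anchor and an ECDSA P-256 issuer certificate signed by it.
func MixedChain() (anchor, issuer *x509.Certificate, err error) {
	rsaKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	anchor, err = newCA("root.linkerd.cluster.local", rsaKey, nil, nil)
	if err != nil {
		return nil, nil, err
	}
	ecKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	issuer, err = newCA("identity.linkerd.cluster.local", ecKey, anchor, rsaKey)
	return anchor, issuer, err
}

func main() {
	anchor, issuer, err := MixedChain()
	if err != nil {
		panic(err)
	}
	fmt.Println("RSA anchor + ECDSA P-256 issuer:", CheckIssuerChain(anchor, issuer))
}
```

The algorithm of the anchor's key only determines how the issuer certificate is signed; the issuer's own ECDSA P-256 key is what signs proxy certificates, so accepting an RSA-signed anchor does not change the algorithm used on the data path.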