Closes #8916
When a random Pod (meshed or not) is created in the `linkerd`, `linkerd-viz`, or
`linkerd-jaeger` namespaces, their respective `check` subcommands can fail.
We parse Pod names for their owning Deployment by assuming the Pod name has a
randomized suffix. For example, the `linkerd-destination` Deployment creates the
`linkerd-destination-58c57dd675-7tthr` Pod. We split the name on `-` and take
the first two parts (`["linkerd", "destination"]`); those first two parts make
up the Deployment name.
Now, if a random Pod is created in the namespace with the name `test`, we apply
that same logic but hit a runtime error when trying to get the first two parts
of the split. `test` did not split at all since it contains no `-` and therefore
we error with `slice bounds out of range`.
To fix this, we now use the fact that all Linkerd components have a
`linkerd.io/control-plane-component` or `component` label with a value that is
the owning Deployment. This allows us to avoid any extra parsing logic and just
look at a single label value.
Additionally, some of these checks get all the Pods in a namespace with the
`GetPodsByNamespace` method but we don't always need something so general. In
the places where we are checking specifically for Linkerd components, we can
narrow this further by using the expected LabelSelector such as
`linkerd.io/extension=viz`.
Signed-off-by: Kevin Leimkuhler <kleimkuhler@icloud.com>
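The failure mode and the label-based fix described in this commit, as an added example (not the CLI's own Go code; written in Rust to match the rest of the examples on this page). The `Pod` struct, the sample names and label values, and the `select` helper are constructed for illustration; the only facts taken from the commit are the two label keys and the `key=value` selector form.

```rust
use std::collections::BTreeMap;

/// Minimal stand-in for the Pod fields the `check` logic needs (constructed for
/// this example; not the real Kubernetes client type).
#[derive(Debug, Clone)]
pub struct Pod {
    pub name: String,
    pub labels: BTreeMap<String, String>,
}

impl Pod {
    pub fn new(name: &str, labels: &[(&str, &str)]) -> Pod {
        Pod {
            name: name.to_string(),
            labels: labels.iter().map(|&(k, v)| (k.to_string(), v.to_string())).collect(),
        }
    }
}

/// The fragile approach: take the first two `-`-separated segments of the Pod
/// name. This reproduces the bug: a single-segment name such as `test` panics
/// with a slice-bounds error instead of returning an answer.
pub fn owner_from_name_unchecked(name: &str) -> String {
    let parts: Vec<&str> = name.split('-').collect();
    parts[..2].join("-")
}

/// The label-based approach: a Linkerd component Pod carries
/// `linkerd.io/control-plane-component` (core control plane) or `component`
/// (extensions) naming its owner. A Pod with neither label is not a Linkerd
/// component and yields `None` rather than an error.
pub fn owner_from_labels(pod: &Pod) -> Option<&str> {
    pod.labels
        .get("linkerd.io/control-plane-component")
        .or_else(|| pod.labels.get("component"))
        .map(|s| s.as_str())
}

/// Narrow a listing with an equality selector (`key=value`) such as
/// `linkerd.io/extension=viz`, so unrelated Pods in the namespace never reach
/// the per-component checks at all.
pub fn select<'a>(pods: &'a [Pod], selector: &str) -> Vec<&'a Pod> {
    let mut kv = selector.splitn(2, '=');
    let key = kv.next().unwrap_or("");
    let value = kv.next().unwrap_or("");
    pods.iter()
        .filter(|p| p.labels.get(key).map(|v| v.as_str()) == Some(value))
        .collect()
}

/// Owners of every component Pod in the list; non-components are skipped.
pub fn component_owners(pods: &[Pod]) -> Vec<String> {
    pods.iter()
        .filter_map(|p| owner_from_labels(p).map(|o| o.to_string()))
        .collect()
}

/// Constructed sample: two Linkerd Pods plus the stray `test` Pod that
/// triggered the bug. Label values are illustrative, not copied from a cluster.
pub fn sample_pods() -> Vec<Pod> {
    vec![
        Pod::new(
            "linkerd-destination-58c57dd675-7tthr",
            &[("linkerd.io/control-plane-component", "destination")],
        ),
        Pod::new(
            "web-6f7d8c9b4-xk2pq",
            &[("component", "web"), ("linkerd.io/extension", "viz")],
        ),
        Pod::new("test", &[]),
    ]
}
```

The point of `owner_from_labels` returning `Option` is that an unexpected Pod becomes a skipped entry rather than a crashed check; combining it with `select` means the stray Pod is usually never even listed.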
Release v1.6.1 of proxy-init adds support for iptables-nft. This change
bumps up the proxy-init version used in code, chart values, and golden
files.
* Update go.mod dep
* Update CNI plugin with new opts
* Update proxy-init ref in golden files and chart values
* Update policy controller CI workflow
Signed-off-by: Matei David <matei@buoyant.io>
In various places we read port configurations from external sources
(either the Kubernetes API or gRPC clients). We have manual checks in
place to ensure that port values are never zero. We can instead assert
this with the type system by using `NonZeroU16`.
This change updates the policy controller to use `NonZeroU16` for port
values. This allows us to replace our manual port value checks with
`NonZero::try_from`, etc.
Signed-off-by: Oliver Gould <ver@buoyant.io>
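What "assert it with the type system" looks like in practice, as an added example (not the policy controller's own code). The error enum, `ServerPort` and the string/`u32` entry points are constructed for illustration; the standard-library calls (`u16::try_from`, `NonZeroU16::try_from`) are real.

```rust
use std::convert::TryFrom;
use std::num::NonZeroU16;

#[derive(Debug, PartialEq, Eq)]
pub enum PortError {
    NotANumber(String),
    OutOfRange(u64),
    Zero,
}

/// Port values arrive from outside the process (a Kubernetes object, a gRPC
/// message) and are validated once, at the boundary. Returning a `NonZeroU16`
/// means every function downstream takes the guarantee from the type instead
/// of repeating an `if port == 0` check.
pub fn parse_port(raw: &str) -> Result<NonZeroU16, PortError> {
    let n: u64 = raw
        .trim()
        .parse()
        .map_err(|_| PortError::NotANumber(raw.to_string()))?;
    let n16 = u16::try_from(n).map_err(|_| PortError::OutOfRange(n))?;
    NonZeroU16::try_from(n16).map_err(|_| PortError::Zero)
}

/// Wire formats rarely have a 16-bit integer (protobuf carries ports as u32),
/// so the same two-step narrowing applies to a numeric field.
pub fn port_from_wire(raw: u32) -> Result<NonZeroU16, PortError> {
    let n16 = u16::try_from(raw).map_err(|_| PortError::OutOfRange(u64::from(raw)))?;
    NonZeroU16::try_from(n16).map_err(|_| PortError::Zero)
}

/// Downstream type (constructed): a zero port is unrepresentable here, so no
/// later code path needs to re-check it.
#[derive(Debug)]
pub struct ServerPort {
    pub name: String,
    pub port: NonZeroU16,
}

pub fn server_port(name: &str, raw: &str) -> Result<ServerPort, PortError> {
    Ok(ServerPort {
        name: name.to_string(),
        port: parse_port(raw)?,
    })
}

/// `Option<NonZeroU16>` uses the zero bit pattern as `None`, so an optional
/// port costs no more space than the raw `u16` it replaces.
pub fn option_is_free() -> bool {
    std::mem::size_of::<Option<NonZeroU16>>() == std::mem::size_of::<u16>()
}
```

Note that parsing into `u64` first (rather than `u16`) lets the error distinguish an out-of-range value from a malformed one, which is useful when the bad value came from another cluster component.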
linkerd2-proxy-api v0.6.0 adds support for inbound proxies to discover
route configurations based on the Gateway API HTTPRoute types. This
change updates the policy controller to index
`gateway.networking.k8s.io/v1beta` `HTTPRoute` types to discover these
policies from the Kubernetes API.
`HTTPRoute` resources may target `Server` resources (as a `parentRef`)
to attach policies to an inbound proxy. When no routes are configured,
a default route is synthesized to allow traffic; but when at least one
route attaches to a server, only requests that match a route are
permitted (other requests are failed with a 404).
Only the *core* subset of the `HTTPRoute` filters is supported:
`RequestRedirect` and `RequestHeaderModifier`. Backends may *not* be
configured on these routes (since they may only apply to inbound/server-
side proxies). No `status` updates are currently performed on these
`HTTPRoute` resources.
This change does not yet allow `AuthorizationPolicy` resources to target
`HTTPRoute` resources. This will be added in a follow-up change.
Signed-off-by: Alex Leong <alex@buoyant.io>
Co-authored-by: Oliver Gould <ver@buoyant.io>
* rust v1.62.0
* golangci-lint v1.46.2
* k3d v5.4.4
* just 1.2.0
* cargo-nextest v0.9.24
Furthermore, the build will update the development Go version to the
latest v1.17 release.
Signed-off-by: Oliver Gould <ver@buoyant.io>
Kubernetes resource type names are not case-sensitive. This change
updates `kind` and `group` comparisons to ignore case.
Signed-off-by: Oliver Gould <ver@buoyant.io>
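An added example covering two of the commits above: the constraints the `HTTPRoute` indexer enforces (Server-only `parentRef`s, core filters only, no backends) and the case-insensitive `kind`/`group` comparison. This is illustrative code, not the policy controller's own: the route structs are a constructed subset of the Gateway API shape (not the k8s-gateway-api types), the `Rejection` enum is invented, and treating a non-Server `parentRef` as ignored rather than rejected is an assumption of this example. The `Server` group `policy.linkerd.io` is Linkerd's real API group.

```rust
/// Constructed subset of the Gateway API `HTTPRoute` shape (illustrative only).
#[derive(Debug, Clone)]
pub struct ParentRef {
    pub group: Option<String>,
    pub kind: Option<String>,
    pub name: String,
}

#[derive(Debug, Clone, PartialEq)]
pub enum Filter {
    RequestRedirect,
    RequestHeaderModifier,
    /// Any filter outside the core subset (extended or implementation-specific).
    Other(String),
}

#[derive(Debug, Clone)]
pub struct Rule {
    pub filters: Vec<Filter>,
    pub backend_refs: Vec<String>,
}

#[derive(Debug, Clone)]
pub struct HttpRoute {
    pub parent_refs: Vec<ParentRef>,
    pub rules: Vec<Rule>,
}

#[derive(Debug, PartialEq)]
pub enum Rejection {
    UnsupportedFilter(String),
    BackendsNotAllowed,
}

/// Group and kind of the Linkerd `Server` resource routes attach to.
const SERVER_GROUP: &str = "policy.linkerd.io";
const SERVER_KIND: &str = "Server";

/// Resource type names are not case-sensitive, so `server` or
/// `POLICY.linkerd.io` must match too; an exact string comparison would have
/// silently skipped such routes.
pub fn targets_server(p: &ParentRef) -> bool {
    let kind_ok = p
        .kind
        .as_ref()
        .map_or(false, |k| k.eq_ignore_ascii_case(SERVER_KIND));
    let group_ok = p
        .group
        .as_ref()
        .map_or(false, |g| g.eq_ignore_ascii_case(SERVER_GROUP));
    kind_ok && group_ok
}

/// Decide whether the route can be indexed and, if so, which `Server`s it
/// attaches to. Backends are rejected outright because these routes configure
/// inbound (server-side) proxies; only the core filters are accepted.
/// parentRefs that do not target a Server are ignored (assumption).
pub fn index_route(route: &HttpRoute) -> Result<Vec<String>, Rejection> {
    for rule in &route.rules {
        if !rule.backend_refs.is_empty() {
            return Err(Rejection::BackendsNotAllowed);
        }
        for f in &rule.filters {
            if let Filter::Other(name) = f {
                return Err(Rejection::UnsupportedFilter(name.clone()));
            }
        }
    }
    Ok(route
        .parent_refs
        .iter()
        .filter(|p| targets_server(p))
        .map(|p| p.name.clone())
        .collect())
}
```

Rejecting an unsupported filter at index time, rather than dropping it, keeps the indexer's view of a route identical to what the user wrote; a filter that quietly disappears is the same class of problem as the unknown-filter case the proxy handles by failing closed.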
Now that GitHub flags security issues for Rust projects, there's no need
for our bespoke RUSTSEC auditing workflow.
Signed-off-by: Oliver Gould <ver@buoyant.io>
This release updates the proxy to configure inbound route
configurations--including authorizations and filters--via discovery from
the control plane.
If the controller does not yet configure routes, the proxy uses a
default route. Route authorizations always extend the server's
authorizations, so routes need not be defined to admit traffic. However,
if a server has at least one route, *only* traffic that matches a route
will be permitted, otherwise requests fail with a 404.
If the proxy receives a route filter of an unknown type (i.e., because
the controller is running a later version of the API that includes new
types), then the proxy will FAIL all requests on that route with an
internal server error. It's considered safer to fail hard in this case,
rather than to silently ignore a configured policy that could
potentially be security-sensitive.
---
* build(deps): bump smallvec from 1.8.1 to 1.9.0 (linkerd/linkerd2-proxy#1795)
* build(deps): bump serde_json from 1.0.81 to 1.0.82 (linkerd/linkerd2-proxy#1797)
* build(deps): bump either from 1.6.1 to 1.7.0 (linkerd/linkerd2-proxy#1798)
* Add an HTTP route redirect filter (linkerd/linkerd2-proxy#1799)
* Add HTTP and gRPC route failure-injection filters (linkerd/linkerd2-proxy#1805)
* build(deps): bump tracing-subscriber from 0.3.11 to 0.3.14 (linkerd/linkerd2-proxy#1806)
* build(deps): bump pin-project from 1.0.10 to 1.0.11 (linkerd/linkerd2-proxy#1807)
* build(deps): bump unicode-normalization from 0.1.20 to 0.1.21 (linkerd/linkerd2-proxy#1808)
* build(deps): bump fixedbitset from 0.4.1 to 0.4.2 (linkerd/linkerd2-proxy#1809)
* build(deps): bump serde from 1.0.137 to 1.0.138 (linkerd/linkerd2-proxy#1810)
* build(deps): bump regex from 1.5.6 to 1.6.0
* build(deps): bump once_cell from 1.12.0 to 1.13.0
* build(deps): bump hyper from 0.14.19 to 0.14.20 (linkerd/linkerd2-proxy#1816)
* add shutdown grace period timeout for graceful shutdowns (linkerd/linkerd2-proxy#1815)
* dev: Update dev tooling (linkerd/linkerd2-proxy#1820)
* build(deps): bump serde from 1.0.138 to 1.0.139 (linkerd/linkerd2-proxy#1819)
* build(deps): bump hashbrown from 0.12.1 to 0.12.2 (linkerd/linkerd2-proxy#1818)
* build(deps): bump prettyplease from 0.1.15 to 0.1.16 (linkerd/linkerd2-proxy#1821)
* Revert "build(deps): bump tracing-subscriber from 0.3.11 to 0.3.14 (linkerd/linkerd2-proxy#1806)" (#1822)
* Configure inbound HTTP routes via gRPC (linkerd/linkerd2-proxy#1814)
Signed-off-by: Oliver Gould <ver@buoyant.io>
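The inbound decision described in this proxy release and in the `HTTPRoute` indexing commit above (default route when none are configured, 404 when routes exist but none match, route authorizations extending the server's, and fail-closed on an unknown filter), as an added example. This is not linkerd2-proxy code: the `Route`/`Server`/`Filter` types are a constructed model rather than the linkerd2-proxy-api types, prefix matching stands in for the real match rules, `Unauthorized` is a separate outcome here because the commit does not state which status the proxy uses for it, and the identity strings in the test are made up.

```rust
/// Constructed model of the inbound route configuration a proxy receives.
#[derive(Debug, Clone, PartialEq)]
pub enum Filter {
    RequestRedirect { location: String, status: u16 },
    RequestHeaderModifier { set: Vec<(String, String)> },
    /// A filter type this proxy version does not know (from a newer API).
    Unknown { type_url: String },
}

#[derive(Debug, Clone)]
pub struct Route {
    pub path_prefix: String,
    /// Client identities this route authorizes, in addition to the server's.
    pub authorized: Vec<String>,
    pub filters: Vec<Filter>,
}

#[derive(Debug, Clone)]
pub struct Server {
    pub authorized: Vec<String>,
    pub routes: Vec<Route>,
}

#[derive(Debug, Clone, PartialEq)]
pub enum Decision {
    /// Forward to the application with these headers set.
    Forward { set_headers: Vec<(String, String)> },
    Redirect { location: String, status: u16 },
    /// Neither the server nor the matched route authorizes this client.
    Unauthorized,
    /// Routes are configured but none matched: 404.
    NotFound,
    /// A filter of unknown type is configured on the matched route: 500.
    InternalError,
}

/// The default route synthesized when the controller has configured none:
/// everything matches and only the server's authorizations apply.
fn default_route() -> Route {
    Route { path_prefix: "/".to_string(), authorized: Vec::new(), filters: Vec::new() }
}

pub fn decide(server: &Server, client_id: &str, path: &str) -> Decision {
    let synthesized = [default_route()];
    let routes: &[Route] = if server.routes.is_empty() { &synthesized } else { &server.routes };

    // With at least one configured route, only matching requests are admitted.
    let route = match routes.iter().find(|r| path.starts_with(&r.path_prefix)) {
        Some(r) => r,
        None => return Decision::NotFound,
    };

    // Route authorizations extend the server's; they never narrow them.
    let allowed = server
        .authorized
        .iter()
        .chain(route.authorized.iter())
        .any(|id| id == client_id);
    if !allowed {
        return Decision::Unauthorized;
    }

    // Fail closed: a policy we cannot interpret must not be silently skipped,
    // so every request on this route fails regardless of the other filters.
    if route.filters.iter().any(|f| matches!(f, Filter::Unknown { .. })) {
        return Decision::InternalError;
    }

    let mut set_headers = Vec::new();
    for f in &route.filters {
        match f {
            Filter::RequestHeaderModifier { set } => set_headers.extend(set.iter().cloned()),
            Filter::RequestRedirect { location, status } => {
                return Decision::Redirect { location: location.clone(), status: *status }
            }
            Filter::Unknown { .. } => return Decision::InternalError,
        }
    }
    Decision::Forward { set_headers }
}
```

The unknown-filter scan runs before any filter is applied, so a redirect listed ahead of an unknown filter cannot mask it; that ordering is what makes "fail all requests on that route" hold rather than "fail the ones that happen to reach the unknown filter".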
In 1a0c1c31 we updated the admission controller to allow
`AuthorizationPolicy` resources with an empty
`requiredAuthenticationRefs`. But we did NOT update the indexer, so we
would allow these resources to be created but then fail to honor them in
the API.
To fix this:
1. The `AuthorizationPolicy` admission controller is updated to exercise
the indexer's validation so that it is impossible to admit resources
that will be discarded by the indexer;
2. An e2e test is added to exercise this configuration;
3. The indexer's validation is updated to accept resources with no
authentications.
Signed-off-by: Oliver Gould <ver@buoyant.io>
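The drift this commit fixes and the shape of the fix (one validation routine shared by admission and the indexer), as an added example rather than the policy controller's own code. The `AuthorizationPolicy` stand-in, the `Invalid` enum and the `Index` type are constructed; the only fact taken from the commit is that an empty `requiredAuthenticationRefs` must be accepted by both paths.

```rust
/// Constructed stand-in for the `AuthorizationPolicy` fields at issue.
#[derive(Debug, Clone)]
pub struct AuthorizationPolicy {
    pub name: String,
    pub target_ref: String,
    pub required_authentication_refs: Vec<String>,
}

#[derive(Debug, PartialEq)]
pub enum Invalid {
    MissingTargetRef,
    EmptyAuthentications,
}

/// Before: two independent checks that had drifted apart. Admission accepted
/// an empty `requiredAuthenticationRefs`; the indexer did not, so a policy
/// could be created and then never honored.
pub fn admit_before(p: &AuthorizationPolicy) -> Result<(), Invalid> {
    if p.target_ref.is_empty() {
        return Err(Invalid::MissingTargetRef);
    }
    Ok(())
}
pub fn index_before(p: &AuthorizationPolicy) -> Result<(), Invalid> {
    if p.target_ref.is_empty() {
        return Err(Invalid::MissingTargetRef);
    }
    if p.required_authentication_refs.is_empty() {
        return Err(Invalid::EmptyAuthentications);
    }
    Ok(())
}

/// After: one validation routine, owned by the indexer, that accepts an empty
/// `requiredAuthenticationRefs`. Admission calls it instead of keeping a copy,
/// so the two can no longer disagree.
pub fn validate(p: &AuthorizationPolicy) -> Result<(), Invalid> {
    if p.target_ref.is_empty() {
        return Err(Invalid::MissingTargetRef);
    }
    Ok(())
}
pub fn admit(p: &AuthorizationPolicy) -> Result<(), Invalid> {
    validate(p)
}

#[derive(Default)]
pub struct Index {
    pub policies: Vec<AuthorizationPolicy>,
}
impl Index {
    pub fn apply(&mut self, p: AuthorizationPolicy) -> Result<(), Invalid> {
        validate(&p)?;
        self.policies.push(p);
        Ok(())
    }
}

/// The property an e2e test pins down: whatever admission lets through, the
/// indexer honors (and whatever it rejects, admission also rejects).
pub fn admission_matches_index(p: &AuthorizationPolicy) -> bool {
    let mut idx = Index::default();
    admit(p).is_ok() == idx.apply(p.clone()).is_ok()
}
pub fn admission_matched_index_before(p: &AuthorizationPolicy) -> bool {
    admit_before(p).is_ok() == index_before(p).is_ok()
}
```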
Fix `linkerd-viz` helm chart documentation for jaeger integration.
Adds missing port to the jaeger URL example in `values.yaml`. This port is required to
allow the dashboard to proxy to the jaeger instance. This brings the example
given in the `values.yaml` file in line with the web docs.
Closes #8851
Signed-off-by: Harry Walter <harry@bluebamboostudios.com>
Fixes: #8308
We add the `cluster-autoscaler.kubernetes.io/safe-to-evict: "true"` annotation to all Linkerd extension deployments. This signals that none of these deployments use persistent storage and they are all eligible for eviction if necessary.
Signed-off-by: Alex Leong <alex@buoyant.io>
Watch events for objects in the kube-system namespace were previously ignored.
In certain situations, this would cause the destination service to return
invalid (outdated) endpoints for services in kube-system - including unmeshed
services.
It [was suggested][1] that kube-system events were ignored to avoid handling
frequent Endpoint updates - specifically from [controllers using Endpoints for
leader elections][2]. As of Kubernetes 1.20, these controllers [default to using
Leases instead of Endpoints for their leader elections][3], obviating the need
to exclude (or filter) updates from kube-system. The exclusions have been
removed accordingly.
[1]: https://github.com/linkerd/linkerd2/pull/4133#issuecomment-594983588
[2]: https://github.com/kubernetes/kubernetes/issues/86286
[3]: https://github.com/kubernetes/kubernetes/pull/94603
Signed-off-by: Jacob Henner <code@ventricle.us>
* Replace deprecated uses of `ResourceExt::name` with
`ResourceExt::name_unchecked`;
* Update k8s-gateway-api to v0.6;
* Update kubert to v0.9.
Signed-off-by: Oliver Gould <ver@buoyant.io>