This release includes a security improvement. When a user manually specified the
`policyValidator.keyPEM` setting, the value was incorrectly included in the
`linkerd-config` configmap. This means that this private key was erroneously
exposed to service accounts with read access to this configmap. Practically,
this means that the Linkerd `proxy-injector`, `identity`, and `heartbeat` pods
could read this value. This should **not** have exposed this private key to
other unauthorized users unless additional role bindings were added outside of
Linkerd. Nevertheless, we recommend that users who manually set control plane
certificates update the credentials for the policy validator after upgrading
Linkerd.
Additionally, the linkerd-multicluster extension has several fixes related to
fail fast errors during link watch restarts, improper label matching for
mirrored services, and properly cleaning up mirrored endpoints in certain
situations.
Lastly, the proxy can now retry gRPC requests that have responses with a
TRAILERS frame. A fix to reduce redundant load balancer updates should also
result in less connection churn.
* Changed unit tests to use newly introduced `prommatch` package for asserting
expected metrics (thanks @krzysztofdrys!)
* Fixed Docker container runtime check to run only during `linkerd install` rather
  than `linkerd check --pre`
* Changed linkerd-multicluster's remote cluster watcher to assume the gateway is
alive when starting—fixing fail fast errors from occurring during restarts
(thanks @chenaoxd!)
* Added `matchLabels` and `matchExpressions` to linkerd-multicluster's Link CRD
* Fixed linkerd-multicluster's label selector to properly select resources that
match the expected label value, rather than just the presence of the label
* Fixed linkerd-multicluster's cluster watcher to properly clean up endpoints
belonging to remote headless services that are no longer mirrored
* Added the HttpRoute CRD which will be used by future policy features
* Fixed CNI plugin event processing where file updates could sometimes be
skipped leading to the update not being acknowledged
* Fixed redundant load balancer updates in the proxy that could cause
unnecessary connection churn
* Fixed gRPC request retries for responses that contain a TRAILERS frame
* Fixed the dashboard's `linkerd check` due to missing RBAC for listing pods in
the cluster
* Fixed API check that ensures access to the Server CRD (thanks @aatarasoff!)
* Changed `linkerd authz` to match the labels of pre-fetched Pods rather than
the multiple API calls it was doing—resulting in significant speed-up (thanks
@aatarasoff!)
* Unset `policyValidator.keyPEM` in `linkerd-config` ConfigMap
Signed-off-by: Kevin Leimkuhler <kleimkuhler@icloud.com>
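The practical check after the fix above is to confirm that no private key material is still sitting in the `linkerd-config` ConfigMap (or any other ConfigMap), since anything with `get configmaps` RBAC in the namespace can read it. The following is an added example, not Linkerd's own code: a small Go scanner that takes a ConfigMap as printed by `kubectl get cm -o json` and flags every data value carrying a PEM private-key header. It matches the armour line rather than decoding the block, so a key indented inside the YAML of the `values` entry is still caught. The two ConfigMap documents embedded below are constructed samples with placeholder PEM bodies.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
	"sort"
)

// configMap holds the parts of a core/v1 ConfigMap this check needs, as
// emitted by `kubectl get cm -o json` (example type, not Linkerd's).
type configMap struct {
	Metadata struct {
		Name      string `json:"name"`
		Namespace string `json:"namespace"`
	} `json:"metadata"`
	Data map[string]string `json:"data"`
}

// finding names the data key that carries a private key and the PEM label found.
type finding struct {
	DataKey string
	PEMType string
}

// beginPrivateKey matches the armour line of any PEM private key (RSA, EC,
// PKCS#8 "PRIVATE KEY", encrypted variants). Matching the marker instead of
// decoding the block means keys indented inside YAML are still detected.
var beginPrivateKey = regexp.MustCompile(`-----BEGIN ([A-Z0-9 ]*PRIVATE KEY)-----`)

// findPrivateKeys scans every value in cm.Data. CERTIFICATE blocks are
// deliberately not reported: they are public and may live in a ConfigMap.
func findPrivateKeys(cm configMap) []finding {
	keys := make([]string, 0, len(cm.Data))
	for k := range cm.Data {
		keys = append(keys, k)
	}
	sort.Strings(keys) // deterministic output regardless of map iteration order
	var out []finding
	for _, k := range keys {
		for _, m := range beginPrivateKey.FindAllStringSubmatch(cm.Data[k], -1) {
			out = append(out, finding{DataKey: k, PEMType: m[1]})
		}
	}
	return out
}

// scanConfigMapJSON parses one ConfigMap document and returns its findings.
func scanConfigMapJSON(raw string) ([]finding, error) {
	var cm configMap
	if err := json.Unmarshal([]byte(raw), &cm); err != nil {
		return nil, err
	}
	return findPrivateKeys(cm), nil
}

// Constructed samples: the shape of linkerd-config before and after the fix.
// The PEM bodies are placeholder text, not real keys or certificates.
const leakedConfigMap = `{
  "apiVersion": "v1", "kind": "ConfigMap",
  "metadata": {"name": "linkerd-config", "namespace": "linkerd"},
  "data": {
    "values": "policyValidator:\n  crtPEM: |\n    -----BEGIN CERTIFICATE-----\n    PLACEHOLDER\n    -----END CERTIFICATE-----\n  keyPEM: |\n    -----BEGIN EC PRIVATE KEY-----\n    PLACEHOLDER\n    -----END EC PRIVATE KEY-----\n"
  }
}`

const cleanConfigMap = `{
  "apiVersion": "v1", "kind": "ConfigMap",
  "metadata": {"name": "linkerd-config", "namespace": "linkerd"},
  "data": {
    "values": "policyValidator:\n  crtPEM: |\n    -----BEGIN CERTIFICATE-----\n    PLACEHOLDER\n    -----END CERTIFICATE-----\n"
  }
}`

func main() {
	for name, doc := range map[string]string{"leaked": leakedConfigMap, "clean": cleanConfigMap} {
		findings, err := scanConfigMapJSON(doc)
		if err != nil {
			fmt.Println(name, "parse error:", err)
			continue
		}
		fmt.Printf("%s: %d private key(s) found %v\n", name, len(findings), findings)
	}
}
```

To run it against a live cluster, feed `kubectl -n linkerd get cm linkerd-config -o json` to `scanConfigMapJSON`; a non-empty result on a control plane that was upgraded means the key was once world-readable within the namespace and the policy validator credentials should be rotated, as the release notes recommend.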
This change adds a linter for GitHub Actions workflows. In most cases,
Linkerd's workflows cannot be properly tested until they are triggered
in CI. This can lead to issues that are caught only during reviews (if
caught at all) or when the actions are triggered. Since running actions
can be an expensive operation (mostly in time spent), it would be useful
to have an automated way of checking our workflows and actions for
failures.
To lint our workflows, we introduce a new action to lint the workflow
templates and check the embedded scripts. The action itself will run only
when files are changed in the `.github/` directory.
Additionally, this change includes fixes to our embedded scripts, as
flagged by the action that has been introduced.
The change pins actionlint to v1.6.15.
Closes #8728
Signed-off-by: Matei David <matei@buoyant.io>
Co-authored-by: Oliver Gould <ver@buoyant.io>
Part of #8792
Instead of fetching a list of Pods that match a certain selector for each
ServerAuthorization, we now use a pre-fetched list of pods each time.
Signed-off-by: aatarasoff <aatarasoff@gmail.com>
Fixes #8665
We add validation for HTTPRoute resources to the policy admission controller. We validate that for any HTTPRoute which has a Server as a parent_ref, that it doesn't have unsupported filters. For the moment we do not support any HTTP filters. As we add support for HTTP filter types, we should update the validator accordingly.
Signed-off-by: Alex Leong <alex@buoyant.io>
Co-authored-by: Oliver Gould <ver@buoyant.io>
We have seen frequent CI failures related to failing to load images which may be related to #8771. We revert that change to see if this improves CI reliability.
This reverts commit a57ee67fd7.
Signed-off-by: Alex Leong <alex@buoyant.io>
Fixes #8564
Removes the enum of allowed values from the proxyProtocol field in the Server CRD. Instead, we rely on the admission controller to validate this field.
Before:
```
The Server "myserver" is invalid: spec.proxyProtocol: Unsupported value: "invalid": supported values: "unknown", "HTTP/1", "HTTP/2", "gRPC", "opaque", "TLS"
```
After:
```
k apply -f myserver.yml
Error from server: error when creating "myserver.yml": admission webhook "linkerd-policy-validator.linkerd.io" denied the request: unknown variant `invalid`, expected one of `unknown`, `HTTP/1`, `HTTP/2`, `gRPC`, `opaque`, `TLS`
```
Signed-off-by: Alex Leong <alex@buoyant.io>
Closes #8565.
With this change, AuthorizationPolicys can now reference ServiceAccounts for
their target authentications. This allows users to avoid the requirement of
creating a MeshTLSAuthentication resource that references a single
ServiceAccount.
The policy admission controller only allows an AuthorizationPolicy to reference
a single MeshTLSAuthentication _or_ a ServiceAccount; it cannot reference both.
Additionally, if a ServiceAccount is referenced it can only be a single
one—similar to MeshTLSAuthentications.
Signed-off-by: Kevin Leimkuhler <kleimkuhler@icloud.com>
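The rule the commit describes (one MeshTLSAuthentication or one ServiceAccount, never both, never more than one ServiceAccount) is the kind of check an admission webhook applies before a policy is stored. Below is an added example in Go of that check, written for this page rather than taken from Linkerd's policy controller (which is implemented separately). The `targetRef` type and the error names are this example's own; it additionally compares the API group, on the assumption that ServiceAccount lives in the core group (`""`) and MeshTLSAuthentication in `policy.linkerd.io`, so a same-named resource from another group cannot satisfy the policy. Kinds outside those two are left alone here because the commit says nothing about them.

```go
package main

import (
	"errors"
	"fmt"
)

// targetRef is one entry of an AuthorizationPolicy's requiredAuthenticationRefs
// (example type; the fields mirror the usual group/kind/name triple).
type targetRef struct {
	Group string
	Kind  string
	Name  string
}

// Sentinel errors so a caller (admission handler, CLI linter) can tell the
// rejection reasons apart.
var (
	errMixedRefs       = errors.New("requiredAuthenticationRefs may name a MeshTLSAuthentication or a ServiceAccount, not both")
	errMultipleSAs     = errors.New("only a single ServiceAccount may be referenced")
	errMultipleMeshTLS = errors.New("only a single MeshTLSAuthentication may be referenced")
)

// validateRequiredAuthenticationRefs enforces the rule stated in the commit
// message. Group is checked together with Kind (assumed: "" for ServiceAccount,
// "policy.linkerd.io" for MeshTLSAuthentication) so that a CRD that merely
// reuses the kind name in another group is not counted as a valid reference.
// Other kinds are not this rule's concern and are ignored.
func validateRequiredAuthenticationRefs(refs []targetRef) error {
	var meshTLS, serviceAccounts int
	for _, r := range refs {
		switch {
		case r.Kind == "MeshTLSAuthentication" && r.Group == "policy.linkerd.io":
			meshTLS++
		case r.Kind == "ServiceAccount" && r.Group == "":
			serviceAccounts++
		}
	}
	switch {
	case meshTLS > 0 && serviceAccounts > 0:
		return errMixedRefs
	case serviceAccounts > 1:
		return errMultipleSAs
	case meshTLS > 1:
		return errMultipleMeshTLS
	}
	return nil
}

func main() {
	sa := targetRef{Kind: "ServiceAccount", Name: "web"}
	mtls := targetRef{Group: "policy.linkerd.io", Kind: "MeshTLSAuthentication", Name: "web-authn"}
	cases := map[string][]targetRef{
		"single ServiceAccount":        {sa},
		"single MeshTLSAuthentication": {mtls},
		"both kinds":                   {sa, mtls},
		"two ServiceAccounts":          {sa, {Kind: "ServiceAccount", Name: "api"}},
	}
	for name, refs := range cases {
		fmt.Printf("%-30s -> %v\n", name, validateRequiredAuthenticationRefs(refs))
	}
}
```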
Direct image import should be faster, when docker and cluster are on the
same node.
Change import mode for bin/image-load
Signed-off-by: Krzysztof Dryś <krzysztofdrys@gmail.com>
Co-authored-by: Oliver Gould <ver@buoyant.io>
This release updates the proxy's service discovery module to avoid
redundant load balancer updates that could cause unnecessary connection
churn.
This release also includes improvements to the proxy's retry handling of
gRPC requests. The proxy would not retry requests when a response's
status code was emitted in a TRAILERS frame. This has been fixed.
This release also includes a number of internal changes that set up for
per-route authorization. There should be no user-facing impact at this
point except for the introduction of additional metrics labels.
---
* build(deps): bump mio from 0.8.3 to 0.8.4 (linkerd/linkerd2-proxy#1760)
* build(deps): bump quote from 1.0.18 to 1.0.19 (linkerd/linkerd2-proxy#1761)
* build(deps): bump tower-service from 0.3.1 to 0.3.2 (linkerd/linkerd2-proxy#1762)
* build(deps): bump proc-macro2 from 1.0.39 to 1.0.40 (linkerd/linkerd2-proxy#1763)
* build(deps): bump syn from 1.0.96 to 1.0.98 (linkerd/linkerd2-proxy#1764)
* build(deps): bump prettyplease from 0.1.12 to 0.1.14 (linkerd/linkerd2-proxy#1766)
* build(deps): bump anyhow from 1.0.57 to 1.0.58 (linkerd/linkerd2-proxy#1767)
* dev: Update build settings (linkerd/linkerd2-proxy#1765)
* Dedupe discovery updates (linkerd/linkerd2-proxy#1759)
* build(deps): bump quote from 1.0.19 to 1.0.20 (linkerd/linkerd2-proxy#1768)
* deny: Remove tokio-util from exceptions (linkerd/linkerd2-proxy#1769)
* dev: Update memory contraints (linkerd/linkerd2-proxy#1770)
* Reorganize `server-policy` to set up for routes (linkerd/linkerd2-proxy#1771)
* inbound: Rename policy-enforcement layers (linkerd/linkerd2-proxy#1772)
* ci: Split fuzzer logic into a script (linkerd/linkerd2-proxy#1773)
* build(deps): bump prettyplease from 0.1.14 to 0.1.15 (linkerd/linkerd2-proxy#1775)
* build(deps): bump indexmap from 1.9.0 to 1.9.1 (linkerd/linkerd2-proxy#1776)
* integration: Cleanup test server (linkerd/linkerd2-proxy#1777)
* http-retry: Move the ReplayBody type into a module (linkerd/linkerd2-proxy#1778)
* inbound: Add route authorization labels (linkerd/linkerd2-proxy#1774)
* Rename HTTPRoutePermit to HttpRoutePermit (linkerd/linkerd2-proxy#1779)
* retry gRPC requests are immediately terminated by trailers (linkerd/linkerd2-proxy#1706)
* inbound: Record policy metrics for opaque-transport connections (linkerd/linkerd2-proxy#1780)
* build(deps): bump tj-actions/changed-files from 23 to 23.1 (linkerd/linkerd2-proxy#1782)
* build(deps): bump derive_arbitrary from 1.1.2 to 1.1.3 (linkerd/linkerd2-proxy#1783)
* build(deps): bump arbitrary from 1.1.2 to 1.1.3 (linkerd/linkerd2-proxy#1784)
* inbound: Record TCP metrics for forwarded TLS connections (linkerd/linkerd2-proxy#1785)
* inbound: Cleanup in preparation for route policies #1781 (linkerd/linkerd2-proxy#1786)
* Add HTTP route matchers to support the Gateway API (linkerd/linkerd2-proxy#1787)
* build(deps): bump unicode-normalization from 0.1.19 to 0.1.20 (linkerd/linkerd2-proxy#1789)
* build(deps): bump linked-hash-map from 0.5.4 to 0.5.6 (linkerd/linkerd2-proxy#1790)
* build(deps): bump smallvec from 1.8.0 to 1.8.1 (linkerd/linkerd2-proxy#1791)
* build(deps): bump jemalloc-sys from 0.5.0+5.3.0 to 0.5.1+5.3.0-patched (linkerd/linkerd2-proxy#1792)
* Introduce per-route authorization policies (linkerd/linkerd2-proxy#1781)
* inbound: Add a header-modification route filter (linkerd/linkerd2-proxy#1793)
* docs: update justfile man page link (linkerd/linkerd2-proxy#1794)
Signed-off-by: Oliver Gould <ver@buoyant.io>
K3d now includes a *v1.24* release channel. This change updates the
policy controller test workflow to use that fixed version instead of
*latest*.
Signed-off-by: Oliver Gould <ver@buoyant.io>
The CNI plugin watches for file changes and reacts accordingly. To
append our CNI plugin configuration to an existing configuration file,
we keep a watch on the config file directory, and whenever a new file is
created (or modified) we append to it. To avoid redundancy and infinite
loops, after a file has been processed, we save its SHA in-memory.
Whenever a new update is received, we calculate the file's SHA, and if
it differs from the previous one, we update it (since the file hasn't
been 'seen' by our script yet). The in-memory SHA is continuously
overridden as updates are received and processed.
In our processing logic, we override the SHA only if the file exists (in
short, we want to avoid processing the SHA on 'DELETE' events). However,
when a different CNI plugin deletes the file, it typically re-creates it
immediately after. Since we do not check for the event type and instead
rely only on file existence, we end up calculating the SHA for a new
file before the file has had a chance to be processed when its
associated 'CREATE' event is picked up. This means that new files will
essentially be skipped from being updated, since the script considers
them to have been processed already (since their SHA was calculated when
the previous file was deleted).
This change fixes the bug by introducing a type check for the event in
addition to checking the file's existence. This allows us to be sure
that new files are only processed when the 'CREATE' event is picked up,
ensuring we do not skip them.
Signed-off-by: Matei David <matei@buoyant.io>
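The race described above is easiest to see with the event sequence replayed against both versions of the bookkeeping. The Go program below is an added example modelled on that description; it is not the CNI plugin's script (which is shell), and the event and snapshot types are this example's own. Each event carries the directory contents as they are at the moment the event is handled, which is how a DELETE can arrive for a path that already exists again. In the buggy variant the SHA is refreshed whenever the file exists; in the fixed variant a DELETE never touches it. The file bodies are constructed sample CNI config, not a real plugin's.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

type eventType string

const (
	evCreate eventType = "CREATE"
	evModify eventType = "MODIFY"
	evDelete eventType = "DELETE"
)

// fsEvent is one watcher notification. snapshot is the directory contents
// (path -> body) when the event is handled, which can differ from the state
// when it was raised: another CNI plugin may already have recreated the file.
type fsEvent struct {
	Type     eventType
	Path     string
	snapshot map[string]string
}

// watcher remembers, per file, the SHA of the body it last processed.
type watcher struct {
	checkEventType bool              // false reproduces the bug, true applies the fix
	lastSHA        map[string]string // path -> SHA-256 of the last body seen
	appended       []string          // bodies that were actually processed, in order
}

func newWatcher(fixed bool) *watcher {
	return &watcher{checkEventType: fixed, lastSHA: map[string]string{}}
}

func sha(body string) string {
	sum := sha256.Sum256([]byte(body))
	return hex.EncodeToString(sum[:])
}

// handle refreshes the stored SHA whenever the file exists and appends our
// configuration only for a body it has not seen. The fix adds one condition:
// a DELETE event is ignored even if the path exists again by the time it is
// handled, so the following CREATE is the first to record the new body.
func (w *watcher) handle(ev fsEvent) {
	body, exists := ev.snapshot[ev.Path]
	if !exists {
		return // a genuine delete: nothing to hash
	}
	if w.checkEventType && ev.Type == evDelete {
		return // fix: never let a DELETE claim a file as processed
	}
	s := sha(body)
	if w.lastSHA[ev.Path] == s {
		return // treated as already processed; this is where the bug skips the new file
	}
	w.lastSHA[ev.Path] = s
	if ev.Type != evDelete {
		w.appended = append(w.appended, body)
	}
}

// simulate replays the sequence from the commit message: the file is processed
// once, then another plugin deletes and immediately recreates it. The DELETE
// is handled after the recreate, so the new body is already on disk.
func simulate(fixed bool) []string {
	const path = "10-other-cni.conflist"
	original := `{"name":"k8s-pod-network","plugins":[{"type":"other-cni"}]}`
	rewritten := `{"name":"k8s-pod-network","cniVersion":"0.3.1","plugins":[{"type":"other-cni"}]}`
	w := newWatcher(fixed)
	w.handle(fsEvent{Type: evCreate, Path: path, snapshot: map[string]string{path: original}})
	w.handle(fsEvent{Type: evDelete, Path: path, snapshot: map[string]string{path: rewritten}})
	w.handle(fsEvent{Type: evCreate, Path: path, snapshot: map[string]string{path: rewritten}})
	return w.appended
}

func main() {
	fmt.Println("existence check only :", len(simulate(false)), "file(s) processed")
	fmt.Println("existence + event type:", len(simulate(true)), "file(s) processed")
}
```

With the existence-only check the recreated file is processed zero times (one body total), which on a real node means the Linkerd CNI entry is missing from that config and pods scheduled afterwards get no proxy-init networking; with the event-type check both bodies are processed.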
Fixes #8660
We add the HttpRoute CRD to the CRDs installed with `linkerd install --crds` and `linkerd upgrade --crds`. You can use `--set installHttpRoute=false` to skip installing this CRD.
Signed-off-by: Alex Leong <alex@buoyant.io>
As part of #7082 we need to add HA mode to linkerd-multicluster's service mirror
component. Before adding configuration for it, we should have a basic unit test
that asserts the output of `linkerd multicluster link`.
Signed-off-by: Kevin Leimkuhler <kleimkuhler@icloud.com>
Closes #8475
When a headless service that was exported no longer is, we currently continue to
mirror it and its endpoints. The bug is as follows:
1. The service is updated (say with `mirror.linkerd.io/exported: false`) and
`createOrUpdateService` is called
2. The service is _not_ exported, so we queue a `RemoteServiceDeleted`
3. The `RemoteServiceDeleted` is processed and the service and its mirror
endpoints are deleted
4. The service's endpoints are updated (on the remote cluster with the new label)
   and `handleCreateOrUpdateEndpoints` is called
5. The endpoints belong to a headless service so
`createOrUpdateHeadlessEndpoints` is called
6. `createOrUpdateHeadlessEndpoints` recreates the just-deleted service and
endpoints
We should stop processing the service update after `3`; the service and its
endpoints have been properly deleted.
To fix this, we should avoid calling `handleCreateOrUpdateEndpoints` when the
new endpoints are not exported. Currently we only avoid calling this function
when both the old _and_ new endpoints are not exported.
In the case of endpoints going from being exported to not being exported, we
don't really care about the old set's status. Therefore, to fix this bug we
remove that check and avoid calling `handleCreateOrUpdateEndpoints` when the new
set is no longer exported.
I've tested this to make sure the issue is fixed. Testing can be done
manually—which is what I did—or as explained
[here](https://github.com/linkerd/linkerd2/pull/8734#pullrequestreview-1018622066).
Signed-off-by: Kevin Leimkuhler <kleimkuhler@icloud.com>
The Link created by `linkerd multicluster link` has a match expression that checks for the existence of the `mirror.linkerd.io/exported` label on services; if the label exists then the service is mirrored. This is not always correct because if `mirror.linkerd.io/exported: false`, the service mirror still mirrors the service even though it should not.
The fix for this was not related to label matching — it is already handled correctly. What needed to be fixed was the actual Link CRD to allow for `matchLabels` and `matchExpressions.values`.
The default `matchLabel` is now `mirror.linkerd.io/exported: "true"` as changed in `newLinkOptionsWithDefault`.
Users can now also properly set match properties with the `-l` flag. Before, these resulted in parsing errors since the Link CRD did not support these properly.
```shell
$ bin/linkerd --context k3d-x multicluster link --cluster-name k3d-x -l 'mirror.linkerd.io/exported in (true)' |kubectl --context k3d-y apply -f -
...
$ bin/linkerd --context k3d-x mc link --cluster-name k3d-x --api-server-address https://172.18.0.3:6443 -l 'foo.bar=mirror-me' > link-x.yaml
```
Signed-off-by: Kevin Leimkuhler <kleimkuhler@icloud.com>
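Both this commit and the headless-service one above come down to how "exported" is decided for a service and when that decision gates an Endpoints update. The Go program below is an added example serving both, written for this page and not taken from the service mirror: it implements `matchLabels` plus `matchExpressions` evaluation with the four Kubernetes operators, then compares the old existence-only selector against the new default `mirror.linkerd.io/exported: "true"`, and the old "skip only when neither old nor new set is exported" gate against the fixed "look at the new set only" gate. The selector and gate types are this example's own; the three service label sets are constructed.

```go
package main

import "fmt"

const exportedLabel = "mirror.linkerd.io/exported"

type operator string

const (
	opIn           operator = "In"
	opNotIn        operator = "NotIn"
	opExists       operator = "Exists"
	opDoesNotExist operator = "DoesNotExist"
)

// requirement is one matchExpressions entry; labelSelector has the same two
// halves as a Kubernetes LabelSelector and ANDs them, as Kubernetes does.
type requirement struct {
	Key      string
	Operator operator
	Values   []string
}

type labelSelector struct {
	MatchLabels      map[string]string
	MatchExpressions []requirement
}

func contains(vals []string, v string) bool {
	for _, x := range vals {
		if x == v {
			return true
		}
	}
	return false
}

// Matches evaluates the selector against a service's labels. An unknown
// operator fails closed: a service is never mirrored by accident.
func (s labelSelector) Matches(labels map[string]string) bool {
	for k, want := range s.MatchLabels {
		if got, ok := labels[k]; !ok || got != want {
			return false
		}
	}
	for _, r := range s.MatchExpressions {
		got, ok := labels[r.Key]
		switch r.Operator {
		case opExists:
			if !ok {
				return false
			}
		case opDoesNotExist:
			if ok {
				return false
			}
		case opIn:
			if !ok || !contains(r.Values, got) {
				return false
			}
		case opNotIn:
			if ok && contains(r.Values, got) {
				return false
			}
		default:
			return false
		}
	}
	return true
}

// The selector the old Link carried (label present, any value) and the new
// default (mirror.linkerd.io/exported: "true").
var (
	existsOnlySelector = labelSelector{MatchExpressions: []requirement{{Key: exportedLabel, Operator: opExists}}}
	defaultSelector    = labelSelector{MatchLabels: map[string]string{exportedLabel: "true"}}
)

// buggyGate handles an Endpoints update unless neither the old nor the new
// labels match; fixedGate consults the new labels alone, so a service that
// just opted out is not re-mirrored by its trailing Endpoints event.
func buggyGate(sel labelSelector, oldLabels, newLabels map[string]string) bool {
	return sel.Matches(oldLabels) || sel.Matches(newLabels)
}

func fixedGate(sel labelSelector, oldLabels, newLabels map[string]string) bool {
	return sel.Matches(newLabels)
}

func main() {
	services := map[string]map[string]string{
		"exported":   {exportedLabel: "true"},
		"opted-out":  {exportedLabel: "false"},
		"unlabelled": {},
	}
	for name, labels := range services {
		fmt.Printf("%-10s exists-only=%-5v default=%v\n", name, existsOnlySelector.Matches(labels), defaultSelector.Matches(labels))
	}
	old, cur := services["exported"], services["opted-out"]
	fmt.Println("handle Endpoints after opt-out: buggy =", buggyGate(defaultSelector, old, cur), "fixed =", fixedGate(defaultSelector, old, cur))
}
```

The `-l 'mirror.linkerd.io/exported in (true)'` form from the shell session above corresponds to a single `In` requirement with the value `true` and selects exactly the same services as the new default `matchLabels`.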