mirror of https://github.com/linkerd/linkerd2.git
a59c1dd32d
The Tap Service enabled tapping of any meshed pod, regardless of user privilege. This change introduces a new Tap APIService. Kubernetes provides authentication and authorization of Tap requests, and then forwards requests to a new Tap APIServer, which implements a Kubernetes aggregated APIServer. The Tap APIServer authenticates the client TLS from Kubernetes, and authorizes the user via a SubjectAccessReview. This change also modifies the `linkerd tap` command to make requests against the new APIService. The Tap APIService implements these Kubernetes-style endpoints: POST /apis/tap.linkerd.io/v1alpha1/watch/namespaces/:ns/tap POST /apis/tap.linkerd.io/v1alpha1/watch/namespaces/:ns/:res/:name/tap GET /apis GET /apis/tap.linkerd.io GET /apis/tap.linkerd.io/v1alpha1 GET /healthz GET /healthz/log GET /healthz/ping GET /metrics GET /openapi/v2 GET /version Users authorize to the new `tap.linkerd.io/v1alpha1` via RBAC. Only the `watch` verb is supported. Access is also available via subresources such as `deployments/tap` and `pods/tap`. This change introduces the following resources into the default Linkerd install: - Global - APIService/v1alpha1.tap.linkerd.io - ClusterRoleBinding/linkerd-linkerd-tap-auth-delegator - `linkerd` namespace: - Secret/linkerd-tap-tls - `kube-system` namespace: - RoleBinding/linkerd-linkerd-tap-auth-reader Tasks not covered by this PR: - `linkerd top` - `linkerd dashboard` - `linkerd profile --tap` - removal of the unauthenticated tap controller Fixes #2725, #3162, #3172 Signed-off-by: Andrew Seigner <siggy@buoyant.io> |
||
|---|---|---|
| .. | ||
| protohttp.go | ||
| protohttp_test.go | ||