linkerd2/cli/cmd
Andrew Seigner a59c1dd32d
Introduce tap APIService, update `linkerd tap` (#3167)
The Tap Service enabled tapping of any meshed pod, regardless of user
privilege.

This change introduces a new Tap APIService. Kubernetes provides
authentication and authorization of Tap requests, and then forwards
requests to a new Tap APIServer, which implements a Kubernetes
aggregated APIServer. The Tap APIServer authenticates the client TLS
from Kubernetes, and authorizes the user via a SubjectAccessReview.

This change also modifies the `linkerd tap` command to make requests
against the new APIService.

The Tap APIService implements these Kubernetes-style endpoints:
POST /apis/tap.linkerd.io/v1alpha1/watch/namespaces/:ns/tap
POST /apis/tap.linkerd.io/v1alpha1/watch/namespaces/:ns/:res/:name/tap
GET  /apis
GET  /apis/tap.linkerd.io
GET  /apis/tap.linkerd.io/v1alpha1
GET  /healthz
GET  /healthz/log
GET  /healthz/ping
GET  /metrics
GET  /openapi/v2
GET  /version

Users authorize to the new `tap.linkerd.io/v1alpha1` via RBAC. Only the
`watch` verb is supported. Access is also available via subresources
such as `deployments/tap` and `pods/tap`.

This change introduces the following resources into the default Linkerd
install:
- Global
  - APIService/v1alpha1.tap.linkerd.io
  - ClusterRoleBinding/linkerd-linkerd-tap-auth-delegator
- `linkerd` namespace:
  - Secret/linkerd-tap-tls
- `kube-system` namespace:
  - RoleBinding/linkerd-linkerd-tap-auth-reader

Tasks not covered by this PR:
- `linkerd top`
- `linkerd dashboard`
- `linkerd profile --tap`
- removal of the unauthenticated tap controller

Fixes #2725, #3162, #3172

Signed-off-by: Andrew Seigner <siggy@buoyant.io>
2019-08-01 14:02:45 -07:00
testdata Introduce tap APIService, update `linkerd tap` (#3167) 2019-08-01 14:02:45 -07:00
check.go Introduce `linkerd --as` flag for impersonation (#3173) 2019-07-31 16:05:33 -07:00
check_test.go Output check result as json (#2666) 2019-05-20 09:04:28 -07:00
completion.go CLI help updates: non-experimental auto-inject; unhide install-cni (#2319) 2019-02-18 15:32:46 -08:00
completion_test.go Rename CLI from conduit to linkerd (#1312) 2018-07-12 17:14:07 -07:00
dashboard.go Introduce `linkerd --as` flag for impersonation (#3173) 2019-07-31 16:05:33 -07:00
doc.go Generate CLI docs for usage by the website (#2296) 2019-02-15 13:28:31 -08:00
edges.go Introduce -A as a shorthand for --all-namespaces (#3125) 2019-07-24 07:50:22 -07:00
edges_test.go Updating CLI output for `linkerd edges` (#3048) 2019-07-17 12:23:34 -07:00
endpoints.go Have `linkerd endpoints` use `Destination.Get` (#2990) 2019-07-03 09:11:03 -05:00
endpoints_test.go Have `linkerd endpoints` use `Destination.Get` (#2990) 2019-07-03 09:11:03 -05:00
get.go Introduce -A as a shorthand for --all-namespaces (#3125) 2019-07-24 07:50:22 -07:00
get_test.go Fix most golint issues that are not comment related (#1982) 2018-12-20 10:37:47 -08:00
inject.go Remove unused argument (#3149) 2019-07-26 11:39:25 -05:00
inject_test.go Fix inject with path and add tests (#3038) 2019-07-05 09:26:25 -05:00
inject_util.go Fix inject with path and add tests (#3038) 2019-07-05 09:26:25 -05:00
install-cni-plugin.go proxy: Upgrade to identity-capable proxy (#2524) 2019-03-19 14:20:39 -07:00
install-cni-plugin_test.go proxy: Upgrade to identity-capable proxy (#2524) 2019-03-19 14:20:39 -07:00
install-sp.go Update ServiceProfile CRD to version v1alpha2 and remove validation (#3078) 2019-07-23 11:46:31 -07:00
install-sp_test.go lint: Enable scopelint (#2364) 2019-02-24 08:59:51 -08:00
install.go Introduce tap APIService, update `linkerd tap` (#3167) 2019-08-01 14:02:45 -07:00
install_test.go Introduce tap APIService, update `linkerd tap` (#3167) 2019-08-01 14:02:45 -07:00
logs.go Introduce `linkerd --as` flag for impersonation (#3173) 2019-07-31 16:05:33 -07:00
logs_test.go Introduce inject integration tests (#2616) 2019-04-05 11:42:49 -07:00
main_test.go Introduce inject integration tests (#2616) 2019-04-05 11:42:49 -07:00
metrics.go Introduce `linkerd --as` flag for impersonation (#3173) 2019-07-31 16:05:33 -07:00
profile.go cli: Consolidate the public API clients (#2527) 2019-03-19 20:52:39 -07:00
profile_test.go Update ServiceProfile CRD to version v1alpha2 and remove validation (#3078) 2019-07-23 11:46:31 -07:00
public_api.go Introduce `linkerd --as` flag for impersonation (#3173) 2019-07-31 16:05:33 -07:00
root.go Introduce `linkerd --as` flag for impersonation (#3173) 2019-07-31 16:05:33 -07:00
routes.go add service profile integration tests for service profile metrics (#2685) 2019-04-18 11:01:49 -07:00
routes_test.go lint: Enable goconst (#2365) 2019-02-25 12:00:03 -08:00
stat.go Introduce -A as a shorthand for --all-namespaces (#3125) 2019-07-24 07:50:22 -07:00
stat_test.go Show pod status more clearly (#1967) (#2989) 2019-07-10 12:44:44 -07:00
tap.go Introduce tap APIService, update `linkerd tap` (#3167) 2019-08-01 14:02:45 -07:00
tap_test.go Introduce tap APIService, update `linkerd tap` (#3167) 2019-08-01 14:02:45 -07:00
top.go cli: Consolidate the public API clients (#2527) 2019-03-19 20:52:39 -07:00
uninject.go Promote the shared injection check to the CLI and webhook (#2555) 2019-03-27 14:51:05 -07:00
uninject_test.go Check the cluster's config for install & inject (#2535) 2019-03-21 12:49:46 -07:00
upgrade.go Introduce tap APIService, update `linkerd tap` (#3167) 2019-08-01 14:02:45 -07:00
upgrade_test.go Introduce Cluster Heartbeat cronjob (#3056) 2019-07-23 17:12:30 -07:00
version.go Use port-forwarding for linkerd CLIs (#2757) 2019-05-02 14:41:26 +02:00
version_test.go Use port-forwarding for linkerd CLIs (#2757) 2019-05-02 14:41:26 +02:00