linkerd
/
linkerd2
mirror of https://github.com/linkerd/linkerd2.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
linkerd2/viz/cmd/allow-scrapes.go

149 lines
3.8 KiB
Go
Raw Blame History

package cmd
import (
"os"
"text/template"
pkgcmd "github.com/linkerd/linkerd2/pkg/cmd"
"github.com/linkerd/linkerd2/pkg/version"
"github.com/spf13/cobra"
)
const (
allowScrapePolicy = `---
apiVersion: policy.linkerd.io/v1beta1
kind: Server
metadata:
name: proxy-admin
namespace: {{ .TargetNs }}
annotations:
linkerd-io/created-by: {{ .ChartName }} {{ .Version }}
labels:
linkerd.io/extension: {{ .ExtensionName }}
spec:
podSelector:
matchExpressions:
- key: linkerd.io/control-plane-ns
operator: Exists
port: linkerd-admin
proxyProtocol: HTTP/1
---
apiVersion: policy.linkerd.io/v1alpha1
kind: HTTPRoute
metadata:
name: proxy-metrics
namespace: {{ .TargetNs }}
annotations:
linkerd-io/created-by: {{ .ChartName }} {{ .Version }}
labels:
linkerd.io/extension: {{ .ExtensionName }}
spec:
parentRefs:
- name: proxy-admin
kind: Server
group: policy.linkerd.io
rules:
- matches:
- path:
value: "/metrics"
---
apiVersion: policy.linkerd.io/v1alpha1
kind: HTTPRoute
metadata:
name: proxy-probes
namespace: {{ .TargetNs }}
annotations:
linkerd-io/created-by: {{ .ChartName }} {{ .Version }}
labels:
linkerd.io/extension: {{ .ExtensionName }}
spec:
parentRefs:
- name: proxy-admin
kind: Server
group: policy.linkerd.io
rules:
- matches:
- path:
value: "/live"
- path:
value: "/ready"
---
apiVersion: policy.linkerd.io/v1alpha1
kind: AuthorizationPolicy
metadata:
name: prometheus-scrape
namespace: {{ .TargetNs }}
annotations:
linkerd-io/created-by: {{ .ChartName }} {{ .Version }}
labels:
linkerd.io/extension: {{ .ExtensionName }}
spec:
targetRef:
group: policy.linkerd.io
kind: HTTPRoute
name: proxy-metrics
requiredAuthenticationRefs:
- kind: ServiceAccount
name: prometheus
namespace: {{ .VizNs }}
---
apiVersion: policy.linkerd.io/v1alpha1
kind: AuthorizationPolicy
metadata:
name: proxy-probes
namespace: {{ .TargetNs }}
annotations:
linkerd-io/created-by: {{ .ChartName }} {{ .Version }}
labels:
linkerd.io/extension: {{ .ExtensionName }}
spec:
targetRef:
group: policy.linkerd.io
kind: HTTPRoute
name: proxy-probes
requiredAuthenticationRefs:
- kind: NetworkAuthentication
group: policy.linkerd.io
name: kubelet
namespace: {{ .VizNs }}`
)
type templateOptions struct {
ChartName string
Version string
ExtensionName string
VizNs string
TargetNs string
}
// newCmdAllowScrapes creates a new cobra command `allow-scrapes`
func newCmdAllowScrapes() *cobra.Command {
options := templateOptions{
ExtensionName: ExtensionName,
ChartName: vizChartName,
Version: version.Version,
VizNs: defaultNamespace,
}
cmd := &cobra.Command{
Use: "allow-scrapes {-n | --namespace } namespace",
Short: "Output Kubernetes resources to authorize Prometheus scrapes",
Long: `Output Kubernetes resources to authorize Prometheus scrapes in a namespace or cluster with config.linkerd.io/default-inbound-policy: deny.`,
Example: `# Allow scrapes in the 'emojivoto' namespace
linkerd viz allow-scrapes --namespace emojivoto | kubectl apply -f -`,
Args: cobra.NoArgs,
PreRunE: func(cmd *cobra.Command, args []string) error {
return cmd.MarkFlagRequired("namespace")
},
RunE: func(cmd *cobra.Command, args []string) error {
t := template.Must(template.New("allow-scrapes").Parse(allowScrapePolicy))
return t.Execute(os.Stdout, options)
},
}
cmd.Flags().StringVarP(&options.TargetNs, "namespace", "n", options.TargetNs, "The namespace in which to authorize Prometheus scrapes.")
pkgcmd.ConfigureNamespaceFlagCompletion(
cmd, []string{"n", "namespace"},
kubeconfigPath, impersonate, impersonateGroup, kubeContext)
return cmd
}
Reference in New Issue View Git Blame Copy Permalink