Remove gRPC tap server listener from controller (#3276)
### Summary

As an initial attempt to secure the connection from clients to the gRPC tap server on the tap Pod, the tap `addr` only listened on localhost. As @adleong pointed out #3257, this was not actually secure because the inbound proxy would establish a connection to localhost anyways.

This change removes the gRPC tap server listener and changes `TapByResource` requests to interface with the server object directly. From this, we know that all `TapByResourceRequests` have gone through the tap APIServer and thus authorized by RBAC.

### Details

[NewAPIServer](https://github.com/linkerd/linkerd2/blob/ef90e0184f238cbe79987a84f36d4eb91cbcda46/controller/tap/apiserver.go#L25-L26) now takes a [GRPCTapServer](https://github.com/linkerd/linkerd2/blob/f6362dfa805de9a009188014256ecd66e7dc3bfc/controller/tap/server.go#L33-L34) instead of a `pb.TapClient` so that `TapByResource` requests can interact directly with the [TapByResource](https://github.com/linkerd/linkerd2/blob/f6362dfa805de9a009188014256ecd66e7dc3bfc/controller/tap/server.go#L49-L50) method.

`GRPCTapServer.TapByResource` now makes a private [grpcTapServer](https://github.com/linkerd/linkerd2/blob/ef90e0184f238cbe79987a84f36d4eb91cbcda46/controller/tap/handlers.go#L373-L374) that satisfies the [tap.TapServer](https://godoc.org/github.com/linkerd/linkerd2/controller/gen/controller/tap#TapServer) interface. Because this interface is satisfied, we can interact with the tap server methods without spawning an additional listener.

Signed-off-by: Kevin Leimkuhler <kleimkuhler@icloud.com>
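The change described in the commit message, as an added Go sketch that is not part of this commit or of linkerd2: it contrasts a localhost listener, which answers any local caller, with an in-process call that is reachable only through the authorizing handler. The names `tapServer`, `apiServer`, `allow` and `viaLocalListener` are hypothetical, and plain HTTP stands in for gRPC.

```go
package main

import (
	"fmt"
	"io"
	"net"
	"net/http"
)

// Hypothetical stand-ins for illustration; these are not linkerd2's types.
type tapServer struct{}
func (tapServer) TapByResource(res string) string { return "tap:" + res }

// Before: a localhost listener answers any local caller, e.g. a sidecar proxy.
func viaLocalListener(s tapServer, res string) (string, error) {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return "", err
	}
	defer ln.Close()
	go http.Serve(ln, http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprint(w, s.TapByResource(r.URL.Path[1:]))
	}))
	resp, err := http.Get("http://" + ln.Addr().String() + "/" + res)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	b, err := io.ReadAll(resp.Body)
	return string(b), err
}

// After: no listener; only the authorizing handler holds the server object.
type apiServer struct {
	allow func(user, res string) bool // stands in for the RBAC decision
	tap   tapServer
}

func (a apiServer) Tap(user, res string) (string, error) {
	if !a.allow(user, res) {
		return "", fmt.Errorf("user %q may not tap %q", user, res)
	}
	return a.tap.TapByResource(res), nil
}

func main() {
	fmt.Println(viaLocalListener(tapServer{}, "deploy/web")) // served, no check
	a := apiServer{allow: func(u, _ string) bool { return u == "admin" }}
	fmt.Println(a.Tap("guest", "deploy/web")) // denied before reaching the server
}
```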
1 parent 6567206, commit c9c41e2

Showing 6 changed files with 79 additions and 86 deletions.