
injector: Configure config.linkerd.io/default-inbound-policy #6720

Closed
olix0r opened this issue Aug 20, 2021 · 0 comments · Fixed by #6750

@olix0r (Member) commented Aug 20, 2021

  • The config.linkerd.io/default-inbound-policy annotation may be set on a pod or namespace; otherwise the cluster-wide default applies (from .Values.policyController.defaultAllowPolicy). If the annotation is not set on an injected pod, we must always set it with the next-most-specific-scoped value.
  • Possible values include all-unauthenticated, all-authenticated, cluster-unauthenticated, cluster-authenticated, and deny. If an invalid value is specified proxies will fail during initialization (so it may be best to do this validation in the injector to fail before the pod is scheduled).
  • The LINKERD2_PROXY_INBOUND_DEFAULT_POLICY environment configuration must be set with the value of this annotation so that the proxy can discover its own default.
  • The LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS environment configuration must be set with the value of .Values.clusterNetworks.

Related to linkerd/linkerd2-proxy#1210

@olix0r olix0r added this to the stable-2.11.0 milestone Aug 20, 2021
@olix0r olix0r added the priority/P0 Release Blocker label Aug 20, 2021
@olix0r olix0r changed the title injector: Configure the config.linkerd.io/default-inbound-policy injector: Configure config.linkerd.io/default-inbound-policy Aug 20, 2021
@kleimkuhler kleimkuhler self-assigned this Aug 24, 2021
kleimkuhler added a commit that referenced this issue Aug 26, 2021
The proxy injector now adds the `config.linkerd.io/default-inbound-policy` annotation to all injected pods.

Closes #6720.

If the pod has the annotation before injection then that value is used. If the pod does not have the annotation but the namespace does, then it inherits that. If neither the pod nor the namespace has the annotation, then it defaults to `.Values.policyController.defaultAllowPolicy`.

Upon injecting the sidecar container into the pod, this annotation value is used to set the `LINKERD2_PROXY_INBOUND_DEFAULT_POLICY` environment variable. Additionally, `LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS` is set to the value of `.Values.clusterNetworks`.

Signed-off-by: Kevin Leimkuhler <kevin@kleimkuhler.com>
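The precedence, validation and environment wiring described in the issue text above and restated in the commit message, as an added example in Go. This is not the linkerd2 proxy injector's own code. Assumptions: the annotation name, the environment variable names and the set of accepted policy values are the ones quoted in the issue; `ResolveDefaultInboundPolicy` and `Inject` are hypothetical stand-ins for the injector's admission logic, taking plain annotation maps instead of Kubernetes API objects; `clusterNetworks` is passed through as the string value of `.Values.clusterNetworks` (assumed to be a comma-separated CIDR list). The check rejects an invalid value at injection time, which is the early-failure behaviour the issue suggests instead of letting the proxy fail during initialization.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Names quoted in the issue; the injector must pin the resolved policy on the
// pod and hand it to the proxy through the environment.
const (
	DefaultInboundPolicyAnnotation = "config.linkerd.io/default-inbound-policy"
	ProxyInboundDefaultPolicyEnv   = "LINKERD2_PROXY_INBOUND_DEFAULT_POLICY"
	ProxyPolicyClusterNetworksEnv  = "LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS"
)

// validPolicies is the accepted set listed in the issue. Anything else would
// make the proxy fail at startup, so it is rejected here instead.
var validPolicies = map[string]bool{
	"all-unauthenticated":     true,
	"all-authenticated":       true,
	"cluster-unauthenticated": true,
	"cluster-authenticated":   true,
	"deny":                    true,
}

func policyNames() []string {
	names := make([]string, 0, len(validPolicies))
	for n := range validPolicies {
		names = append(names, n)
	}
	sort.Strings(names)
	return names
}

// ResolveDefaultInboundPolicy applies the scoping rule from the issue:
// pod annotation, then namespace annotation, then the chart-wide default
// (.Values.policyController.defaultAllowPolicy). The winning value is
// validated, so a bad chart default is caught as well as a bad annotation.
// (Hypothetical helper, not the injector's API.)
func ResolveDefaultInboundPolicy(podAnn, nsAnn map[string]string, chartDefault string) (string, error) {
	policy := chartDefault
	if v, ok := nsAnn[DefaultInboundPolicyAnnotation]; ok {
		policy = v
	}
	if v, ok := podAnn[DefaultInboundPolicyAnnotation]; ok {
		policy = v // most specific scope wins, even over a namespace value
	}
	if !validPolicies[policy] {
		return "", fmt.Errorf("%s: unsupported value %q (want one of %s)",
			DefaultInboundPolicyAnnotation, policy, strings.Join(policyNames(), ", "))
	}
	return policy, nil
}

// Inject is a hypothetical stand-in for the injector's mutation step. It
// returns the pod annotations with the resolved policy pinned and the two
// environment entries for the proxy container. An error means the admission
// request should be rejected before the pod is scheduled.
func Inject(podAnn, nsAnn map[string]string, chartDefault, clusterNetworks string) (map[string]string, map[string]string, error) {
	policy, err := ResolveDefaultInboundPolicy(podAnn, nsAnn, chartDefault)
	if err != nil {
		return nil, nil, err
	}
	annotations := make(map[string]string, len(podAnn)+1)
	for k, v := range podAnn {
		annotations[k] = v // keep whatever the pod already carried
	}
	annotations[DefaultInboundPolicyAnnotation] = policy
	env := map[string]string{
		ProxyInboundDefaultPolicyEnv:  policy,
		ProxyPolicyClusterNetworksEnv: clusterNetworks, // value of .Values.clusterNetworks
	}
	return annotations, env, nil
}

func main() {
	// Constructed sample input: the namespace sets a policy, the pod does not.
	ns := map[string]string{DefaultInboundPolicyAnnotation: "cluster-authenticated"}
	pod := map[string]string{"example.com/team": "payments"}
	ann, env, err := Inject(pod, ns, "all-unauthenticated", "10.0.0.0/8,192.168.0.0/16")
	fmt.Println(ann, env, err)

	// Constructed failure case: a misspelled policy is rejected at injection.
	_, _, err = Inject(map[string]string{DefaultInboundPolicyAnnotation: "allow-all"}, ns, "all-unauthenticated", "")
	fmt.Println("rejected:", err)
}
```

An empty annotation value (`config.linkerd.io/default-inbound-policy: ""`) is treated as present and therefore rejected rather than silently falling through to the namespace or chart default; a reviewer should decide whether that strictness matches the injector's intended behaviour, since the issue does not say.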
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Sep 26, 2021