Disable live calls from linkerd viz dashboard #7865

Closed
ahysing opened this issue Feb 11, 2022 · 9 comments

@ahysing

ahysing commented Feb 11, 2022

What problem are you trying to solve?

Hi linkerd community.

First off, my company and I love what you do. Linkerd is a great tool.

I just installed linkerd with the linkerd viz extension, and released the linkerd dashboard to the developers. Unfortunately, linkerd tap did not pass the security checks for my company. That is why we followed the document linkerd.io - Securing your Cluster - Linkerd Dashboard tap access, and removed access to linkerd tap from the dashboard. As expected, the tap menu is now restricted. When a user navigates to "tap" under the "tools" menu, he or she will be met with an error message. So far this is what we wanted :)

My problem occurs when a user decides to show the dashboard for an individual pod. The dashboard shows up, and we get the information we want to present to the users. By default the tab called "Live Calls" is selected. This causes linkerd to start displaying an error message. The error message states:
An error has occurred. Websocket close error [1008: Policy Violation] : missing authorization, visit https://linkerd.io/tap-rbac to remedy
The error occurs as long as "Live Calls" is selected. As soon as the tab "Route Metrics" is selected, the error goes away.

This gives my developers a bad user experience. I am not allowed to enable "Live Calls", and the pod dashboards are really useful.

How should the problem be solved?

The simplest way would be to let me configure "Route Metrics" as the default tab.

Any alternatives you've considered?

My users are logged in in a secure manner with Azure AD and the oauth-proxy component. I can grant users access to use "Live Calls" on only the subset of Kubernetes namespaces they are contributing to in my company. Then I can enable the "Live Calls" feature for these namespaces.
This will require the linkerd dashboard to consider what user is logged in, and what clusterroles he or she has.

How would users interact with this feature?

Through the dashboard.

Would you like to work on this feature?

Maybe

@olix0r
Member

olix0r commented Feb 11, 2022

Yeah, I agree it would be best if we could configure/detect this state and just not show the live calls, etc at all if tap is disabled.

@ConnectBhawna

Hi @ahysing, I am interested in learning about this project and want to work on this project under LFX Mentorship.
Please let me know about any materials or resources that I should learn to get a better understanding of the project and its requirements.

Additionally, I was wondering if there is anything else I can do to get started, such as research and learn about the project from the existing documentation.

@jakada01

jakada01 commented Feb 7, 2023

I have some experience in working with react/react Native frameworks for web and android app development. This project seems really interesting as it has perfectly aligned with my skill sets. I am interested in working on this project under 2023 LFX mentorship program.

@YashKamboj

Hey, I am interested in working on and contributing to Linkerd for LFX Mentorship 2023!

@vishwahaha

Hi @ahysing, I have some experience related to the frameworks and requirements of this project and would love to learn more and work on this under the LFX Mentorship 2023. I have applied and sent my resume & cover letter on the website.
Please let me know if there are any other prerequisites to apply for this.
Thank you!

@GenMech

GenMech commented Feb 16, 2023

Hey @olix0r @ahysing, I am looking forward to contributing to Linkerd and I am applying under LFX Mentorship. I have submitted my cover letter and resume on the portal. Please let me know if there are some resources or documentation from which I can gain more depth on the project and its requirements.
Thank you

@ivipularora

Hi, I am interested in contributing to Linkerd for LFX mentorship '23. It would be a great help to be provided with resources.

@kaustubhreet

I have some experience in working with react frameworks and node.js for web app development. This project seems really exciting as it has perfectly aligned with my skill sets. I am interested in working on this project under 2023 LFX mentorship program.

@ahysing
Author

ahysing commented Apr 12, 2023

Hi guys.

It is good to see that a lot of people want to contribute. I would love to give my support with testing and bug fixing. However, keep in mind that I am not a Linkerd maintainer. I cannot grant access or approve pull requests. You have to find the right guys.

With linkerd 2.13.0 we got this new feature where we can blacklist unwanted headers by configuring tap.ignoredHeaders, which is able to blacklist problematic headers. For instance, passwords are most often stored in the HTTP headers Authorization and Cookie.
With this feature in place I don't need to deploy linkerd without tap. With tap installed, the crash message I bug reported will go away.

Long story short. I configured tap.ignoredHeaders and deployed tap. The problem went away.

@ahysing ahysing closed this as completed Apr 12, 2023
@github-actions github-actions bot locked as resolved and limited conversation to collaborators May 13, 2023