proxy-injector: add default-inbound-policy annotation
#6750
Conversation
Signed-off-by: Kevin Leimkuhler <kevin@kleimkuhler.com>
Signed-off-by: Kevin Leimkuhler <kevin@kleimkuhler.com>
Signed-off-by: Kevin Leimkuhler <kevin@kleimkuhler.com>
Signed-off-by: Kevin Leimkuhler <kevin@kleimkuhler.com>
Signed-off-by: Kevin Leimkuhler <kevin@kleimkuhler.com>
pkg/inject/inject.go
Outdated
| @@ -66,6 +66,7 @@ var ( | |||
| k8s.ProxyOutboundConnectTimeout, | |||
| k8s.ProxyInboundConnectTimeout, | |||
| k8s.ProxyAwait, | |||
| k8s.ProxyDefaultInboundPolicy, | |||
There was a problem hiding this comment.
Should we also have a cmd flag in makeProxyFlags to make it easy to configure without having to manually add the annotation (especially useful when the manifests are somewhere and accessed using a URL)? 🤔
There was a problem hiding this comment.
Will make a follow-up issue to add this as polish for stable.
| @@ -34,6 +34,10 @@ env: | |||
| value: {{ternary "localhost.:8090" (printf "linkerd-policy.%s.svc.%s.:8090" .Values.namespace .Values.clusterDomain) (eq (toString .Values.proxy.component) "linkerd-destination")}} | |||
| - name: LINKERD2_PROXY_POLICY_WORKLOAD | |||
| value: "$(_pod_ns):$(_pod_name)" | |||
| - name: LINKERD2_PROXY_INBOUND_DEFAULT_POLICY | |||
| value: {{.Values.proxy.defaultInboundPolicy | default .Values.policyController.defaultAllowPolicy}} | |||
There was a problem hiding this comment.
Wondering if .Values.policyController.defaultAllowPolicy is useful in any manner for the user? It could be even be confusing in a way? proxy.defaultInboundPolicy totally makes sense as its a proxy level configuration. Maybe we can remove this and fall-back to the default value directly i.e all-unauthenticated? 🤔
There was a problem hiding this comment.
I think we want to support a global default policy that isn't set per-workload
There was a problem hiding this comment.
It's possible that the cluster's default allow policy is more restricted than all-unauthenticated which is why we want to fall back to that here.
PR linkerd#6750 adds the config.linkerd.io/default-inbound-policy annotation for setting the default inbound policy for an injected proxy. This commit adds support for a default-inbound-policy flag in makeProxyFlags so that it can be set with the linkerd inject command. Closes linkerd#6754 Signed-off-by: ahmedalhulaibi <ahmed.alhulaibi41@gmail.com>
PR linkerd#6750 adds the config.linkerd.io/default-inbound-policy annotation for setting the default inbound policy for an injected proxy. This commit adds support for a default-inbound-policy flag in makeProxyFlags so that it can be set with the linkerd inject command. Closes linkerd#6754 Signed-off-by: ahmedalhulaibi <ahmed.alhulaibi41@gmail.com> tests: use all-authenticated constant
PR #6750 adds the config.linkerd.io/default-inbound-policy annotation for setting the default inbound policy for an injected proxy. This commit adds support for a default-inbound-policy flag in makeProxyFlags so that it can be set with the linkerd inject command. Closes #6754 Signed-off-by: ahmedalhulaibi <ahmed.alhulaibi41@gmail.com>
The proxy injector now adds the
config.linkerd.io/default-inbound-policyannotation to all injected pods.Closes #6720.
If the pod has the annotation before injection then that value is used. If the pod does not have the annotation but the namespace does, then it inherits that. If both the pod and the namespace do not have the annotation, then it defaults to
.Values.policyController.defaultAllowPolicy.Upon injecting the sidecar container into the pod, this annotation value is used to set the
LINKERD2_PROXY_INBOUND_DEFAULT_POLICYenvironment variable. Additionally,LINKERD2_PROXY_POLICY_CLUSTER_NETWORKSis also set to the value of.Values.clusterNetworks.Signed-off-by: Kevin Leimkuhler kevin@kleimkuhler.com