Commit

Add cluster authentication resource to simplify usage of route-based policies (#13)
aatarasoff authored Oct 5, 2022
1 parent eafa014 commit df1736f
Showing 6 changed files with 72 additions and 16 deletions.
23 changes: 23 additions & 0 deletions README.md
Expand Up @@ -73,6 +73,29 @@ meshedApps:
- elephants
```

#### Cluster Network Common Policy
In case of using route-based policy you should authorize requests for passing probes by adding app-specific `HTTPRoute` and policies for it for each app:
```yaml
apiVersion: policy.linkerd.io/v1alpha1
kind: AuthorizationPolicy
metadata:
name: cool-app-health-check-allow
namespace: cool-ns
spec:
targetRef:
group: policy.linkerd.io
kind: HTTPRoute
name: cool-app-health-check
requiredAuthenticationRefs:
- name: cluster-network-authn
kind: NetworkAuthentication
group: policy.linkerd.io
```
The Helm chart generates NetworkAuthentication with name `cluster-network-authn` to authorize cluster network requests.

You should explicitly provide cluster network or authorize kubelet only. It depends on the K8s implementation you are using and could be setup via `clusterNetwork` section in the values.

#### Kubelet CIDR
> **⚠ WARNING: 2.11.x only**

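Review bot: the new README section never says what `cluster-network-authn` actually authorizes, and with the defaults this same commit ships in values.yaml (`0.0.0.0/0` and `::/0` under `policies.clusterNetwork.cidr`) the example `cool-app-health-check-allow` policy admits the health-check route from any source address, not only from kubelet probes. Say so directly next to "You should explicitly provide cluster network or authorize kubelet only", and show which of `cidr` or `generator` to set for each of the two cases. The example also references an `HTTPRoute` named `cool-app-health-check` that the snippet does not define; add the route (or link to where it is shown) so the section is copy-pasteable. Minor: "could be setup" should read "can be set up".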
4 changes: 2 additions & 2 deletions charts/linkerd-easyauth/Chart.yaml
@@ -1,5 +1,5 @@
apiVersion: v1
appVersion: "0.6.0"
appVersion: "0.8.0"
description: A Helm chart for Linkerd easyauth extension.
name: linkerd-easyauth
version: "0.6.0"
version: "0.8.0"
18 changes: 18 additions & 0 deletions charts/linkerd-easyauth/templates/auth-policies.yml
Expand Up @@ -88,4 +88,22 @@ spec:
kind: MeshTLSAuthentication
group: policy.linkerd.io
{{ end }}
---
apiVersion: policy.linkerd.io/v1alpha1
kind: NetworkAuthentication
metadata:
name: cluster-network-authn
namespace: {{ . }}
spec:
networks:
{{- range $.Values.policies.clusterNetwork.cidr }}
- cidr: {{ . }}
{{- end }}
{{- if $.Values.policies.clusterNetwork.generator }}
{{- range $i, $e1 := untilStep (int $.Values.policies.clusterNetwork.generator.low1) (int $.Values.policies.clusterNetwork.generator.high1) 1 }}
{{- range $j, $e2 := untilStep (int $.Values.policies.clusterNetwork.generator.low2) (int $.Values.policies.clusterNetwork.generator.high2) 1 }}
- cidr: {{ $.Values.policies.clusterNetwork.generator.octet0 }}.{{ $e1 }}.{{ $e2 }}.{{ $.Values.policies.clusterNetwork.generator.octet3 }}/32
{{- end }}
{{- end }}
{{- end }}
{{ end }}
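Review bot: `{{- if $.Values.policies.clusterNetwork.generator }}` only checks that the `generator` map is present; `low1`, `high1`, `low2`, `high2`, `octet0` and `octet3` are then fed through `int` with no presence check, so a partially filled generator (say `high2` left out) becomes `untilStep 0 0 1`, an empty loop, and the resource silently renders with fewer or no `- cidr:` entries instead of failing the render. Wrap each key, e.g. `(int (required "policies.clusterNetwork.generator.high2 is required" $.Values.policies.clusterNetwork.generator.high2))`. Likewise, when `cidr` is empty and no generator is set, `networks:` is emitted with no items and the operator only finds out at apply time; a `fail` in that branch would surface the misconfiguration during `helm template`.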
18 changes: 17 additions & 1 deletion charts/linkerd-easyauth/values.yaml
Expand Up @@ -9,7 +9,7 @@ tolerations: &default_tolerations
webhook:
image:
name: aatarasoff/linkerd-easyauth-webhook
version: 0.6.0
version: 0.8.0
pullPolicy: IfNotPresent

# modify to HA mode
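Review bot: the webhook image is still referenced only by a mutable tag (`version: 0.8.0`); consider adding an optional `digest` value next to it so operators can pin `aatarasoff/linkerd-easyauth-webhook@sha256:...` and the chart renders the digest form when it is set.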
Expand Down Expand Up @@ -45,3 +45,19 @@ policies:
monitoring:
enabled: false
namespace: monitoring

# authorize cluster network
clusterNetwork:
# simple implementation
cidr:
- 0.0.0.0/0
- ::/0
# generate by pattern octet0:{low1-high1}:{low2-high2}:octet3 (10.169.150.1)
# typical use case: GKE kubelet
generator:
# octet0: 10
# low1: 168
# high1: 172
# low2: 0
# high2: 256
# octet3: 1
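Review bot: the default `cidr` list of `0.0.0.0/0` and `::/0` makes the generated `cluster-network-authn` match every source address, so any AuthorizationPolicy that references it is effectively unauthenticated; the `# simple implementation` comment does not convey that. Prefer shipping an empty list so that nothing is authorized until the operator chooses between a node/pod CIDR and the kubelet generator, or at minimum change the comment to `# allow any source address (narrow this)`. Two smaller points: the pattern comment uses `:` between octets for a dotted-quad address, and `high2: 256` is an exclusive bound (`untilStep` stops before it), which is worth stating so nobody "fixes" it to 255 and drops the `.255.` hosts.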
8 changes: 4 additions & 4 deletions go.mod
Expand Up @@ -4,7 +4,7 @@ go 1.18

require (
github.com/fatih/color v1.13.0
github.com/linkerd/linkerd2 v0.5.1-0.20220823204551-0bd3f732e68b
github.com/linkerd/linkerd2 v0.5.1-0.20220915170415-ee75526ba7ca
github.com/sirupsen/logrus v1.9.0
github.com/spf13/cobra v1.5.0
k8s.io/api v0.24.3
Expand Down Expand Up @@ -116,15 +116,15 @@ require (
golang.org/x/time v0.0.0-20220210224613-90d013bbcef8 // indirect
google.golang.org/appengine v1.6.7 // indirect
google.golang.org/genproto v0.0.0-20220107163113-42d7afdf6368 // indirect
google.golang.org/grpc v1.48.0 // indirect
google.golang.org/grpc v1.49.0 // indirect
google.golang.org/protobuf v1.28.1 // indirect
gopkg.in/inf.v0 v0.9.1 // indirect
gopkg.in/yaml.v2 v2.4.0 // indirect
gopkg.in/yaml.v3 v3.0.1 // indirect
helm.sh/helm/v3 v3.9.3 // indirect
helm.sh/helm/v3 v3.9.4 // indirect
k8s.io/apiextensions-apiserver v0.24.2 // indirect
k8s.io/cli-runtime v0.24.2 // indirect
k8s.io/klog/v2 v2.70.1 // indirect
k8s.io/klog/v2 v2.80.0 // indirect
k8s.io/kube-aggregator v0.23.5 // indirect
k8s.io/kube-openapi v0.0.0-20220627174259-011e075b9cb8 // indirect
k8s.io/utils v0.0.0-20220210201930-3a6ce19ff2f9 // indirect
17 changes: 8 additions & 9 deletions go.sum
Expand Up @@ -377,7 +377,6 @@ github.com/envoyproxy/go-control-plane v0.9.9-0.20210217033140-668b12f5399d/go.m
github.com/envoyproxy/go-control-plane v0.9.9-0.20210512163311-63b5d3c536b0/go.mod h1:hliV/p42l8fGbc6Y9bQ70uLwIvmJyVE5k4iMKlh8wCQ=
github.com/envoyproxy/go-control-plane v0.9.10-0.20210907150352-cf90f659a021/go.mod h1:AFq3mo9L8Lqqiid3OhADV3RfLJnjiw63cSpi+fDTRC0=
github.com/envoyproxy/go-control-plane v0.10.1/go.mod h1:AY7fTTXNdv/aJ2O5jwpxAPOWUZ7hQAEvzN5Pf27BkQQ=
github.com/envoyproxy/go-control-plane v0.10.2-0.20220325020618-49ff273808a1/go.mod h1:KJwIaB5Mv44NWtYuAOFCVOjcI94vtpEz2JU/D2v6IjE=
github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c=
github.com/envoyproxy/protoc-gen-validate v0.6.2/go.mod h1:2t7qjJNvHPx8IjnBOzl9E9/baC+qXE/TeeyBRzgJDws=
github.com/evanphx/json-patch v4.9.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk=
Expand Down Expand Up @@ -680,8 +679,8 @@ github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
github.com/liggitt/tabwriter v0.0.0-20181228230101-89fcab3d43de h1:9TO3cAIGXtEhnIaL+V+BEER86oLrvS+kWobKpbJuye0=
github.com/liggitt/tabwriter v0.0.0-20181228230101-89fcab3d43de/go.mod h1:zAbeS9B/r2mtpb6U+EI2rYA5OAXxsYw6wTamcNW+zcE=
github.com/linkerd/linkerd2 v0.5.1-0.20220823204551-0bd3f732e68b h1:x/Mlg6a77FipPphLw709t8Dn1ocqzIVy/ull2V7y4xM=
github.com/linkerd/linkerd2 v0.5.1-0.20220823204551-0bd3f732e68b/go.mod h1:8363Xgo+Fb3uJiC4oWidWIZ01fRHNSZUNsI+02K9LnI=
github.com/linkerd/linkerd2 v0.5.1-0.20220915170415-ee75526ba7ca h1:yINuTxMLGF83CHGtL5/dsmpZjAGn+nLAw28t60K6ZqA=
github.com/linkerd/linkerd2 v0.5.1-0.20220915170415-ee75526ba7ca/go.mod h1:DO7baTy9fP8QJ9TH7PRZLiE2wRO3BtTFfp22K9Ryi04=
github.com/linkerd/linkerd2-proxy-api v0.7.0 h1:T/2hDAaPR++5dKc26LiZhvs2PrwgoyowdT3gQJAMmCk=
github.com/linkerd/linkerd2-proxy-api v0.7.0/go.mod h1:aEq0Ua1VHiRpqlPzMbPtx/wKqw83zXlNK7FNFOSP2mg=
github.com/lyft/protoc-gen-star v0.5.3/go.mod h1:V0xaHgaf5oCCqmcxYcWiDfTiKsZsRc87/1qhoTACD8w=
Expand Down Expand Up @@ -1572,8 +1571,8 @@ google.golang.org/grpc v1.40.0/go.mod h1:ogyxbiOoUXAkP+4+xa6PZSE9DZgIHtSpzjDTB9K
google.golang.org/grpc v1.40.1/go.mod h1:ogyxbiOoUXAkP+4+xa6PZSE9DZgIHtSpzjDTB9KAK34=
google.golang.org/grpc v1.42.0/go.mod h1:k+4IHHFw41K8+bbowsex27ge2rCb65oeWqe4jJ590SU=
google.golang.org/grpc v1.43.0/go.mod h1:k+4IHHFw41K8+bbowsex27ge2rCb65oeWqe4jJ590SU=
google.golang.org/grpc v1.48.0 h1:rQOsyJ/8+ufEDJd/Gdsz7HG220Mh9HAhFHRGnIjda0w=
google.golang.org/grpc v1.48.0/go.mod h1:vN9eftEi1UMyUsIF80+uQXhHjbXYbm0uXoFCACuMGWk=
google.golang.org/grpc v1.49.0 h1:WTLtQzmQori5FUH25Pq4WT22oCsv8USpQ+F6rqtsmxw=
google.golang.org/grpc v1.49.0/go.mod h1:ZgQEeidpAuNRZ8iRrlBKXZQP1ghovWIVhdJRyCDK+GI=
google.golang.org/grpc/cmd/protoc-gen-go-grpc v1.1.0/go.mod h1:6Kw0yEErY5E/yWrBtf03jp27GLLJujG4z/JK95pnjjw=
google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8=
google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0=
Expand Down Expand Up @@ -1635,8 +1634,8 @@ gotest.tools v2.2.0+incompatible/go.mod h1:DsYFclhRJ6vuDpmuTbkuFWG+y2sxOXAzmJt81
gotest.tools/v3 v3.0.2/go.mod h1:3SzNCllyD9/Y+b5r9JIKQ474KzkZyqLqEfYqMsX94Bk=
gotest.tools/v3 v3.0.3 h1:4AuOwCGf4lLR9u3YOe2awrHygurzhO/HeQ6laiA6Sx0=
gotest.tools/v3 v3.0.3/go.mod h1:Z7Lb0S5l+klDB31fvDQX8ss/FlKDxtlFlw3Oa8Ymbl8=
helm.sh/helm/v3 v3.9.3 h1:etd4Qc45/bnIkBofZIRwrAzYuG3bNWR1EdMN4fsfzoE=
helm.sh/helm/v3 v3.9.3/go.mod h1:3eaWAIqzvlRSD06gR9MMwmp2KBKwlu9av1/1BZpjeWY=
helm.sh/helm/v3 v3.9.4 h1:TCI1QhJUeLVOdccfdw+vnSEO3Td6gNqibptB04QtExY=
helm.sh/helm/v3 v3.9.4/go.mod h1:3eaWAIqzvlRSD06gR9MMwmp2KBKwlu9av1/1BZpjeWY=
honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
honnef.co/go/tools v0.0.0-20190106161140-3f1c8253044a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
honnef.co/go/tools v0.0.0-20190418001031-e561f6794a2a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
Expand Down Expand Up @@ -1693,8 +1692,8 @@ k8s.io/klog/v2 v2.2.0/go.mod h1:Od+F08eJP+W3HUb4pSrPpgp9DGU4GzlpG/TmITuYh/Y=
k8s.io/klog/v2 v2.4.0/go.mod h1:Od+F08eJP+W3HUb4pSrPpgp9DGU4GzlpG/TmITuYh/Y=
k8s.io/klog/v2 v2.30.0/go.mod h1:y1WjHnz7Dj687irZUWR/WLkLc5N1YHtjLdmgWjndZn0=
k8s.io/klog/v2 v2.60.1/go.mod h1:y1WjHnz7Dj687irZUWR/WLkLc5N1YHtjLdmgWjndZn0=
k8s.io/klog/v2 v2.70.1 h1:7aaoSdahviPmR+XkS7FyxlkkXs6tHISSG03RxleQAVQ=
k8s.io/klog/v2 v2.70.1/go.mod h1:y1WjHnz7Dj687irZUWR/WLkLc5N1YHtjLdmgWjndZn0=
k8s.io/klog/v2 v2.80.0 h1:lyJt0TWMPaGoODa8B8bUuxgHS3W/m/bNr2cca3brA/g=
k8s.io/klog/v2 v2.80.0/go.mod h1:y1WjHnz7Dj687irZUWR/WLkLc5N1YHtjLdmgWjndZn0=
k8s.io/kube-aggregator v0.23.5 h1:UZ+qE3hGo6DcgKySf27Jg7d3X9/6JQkVLUiHZAoAfCY=
k8s.io/kube-aggregator v0.23.5/go.mod h1:3ynYx07Co6dzjpKPgipM+1/Mt2Jcm7dY++cRlKLr5s8=
k8s.io/kube-openapi v0.0.0-20201113171705-d219536bb9fd/go.mod h1:WOJ3KddDSol4tAGcJo0Tvi+dK12EcqSLqcWsryKMpfM=

0 comments on commit df1736f
