From df1736fcb825d4b2127bcea9b3805c4cd815079d Mon Sep 17 00:00:00 2001 From: Aleksandr Tarasov Date: Wed, 5 Oct 2022 16:58:15 +0300 Subject: [PATCH] Add cluster authentication resource to simplify usage of route-based policies (#13) --- README.md | 23 +++++++++++++++++++ charts/linkerd-easyauth/Chart.yaml | 4 ++-- .../templates/auth-policies.yml | 18 +++++++++++++++ charts/linkerd-easyauth/values.yaml | 18 ++++++++++++++- go.mod | 8 +++---- go.sum | 17 +++++++------- 6 files changed, 72 insertions(+), 16 deletions(-) diff --git a/README.md b/README.md index 7ed0f44..65bc05d 100644 --- a/README.md +++ b/README.md @@ -73,6 +73,29 @@ meshedApps: - elephants ``` +#### Cluster Network Common Policy +In case of using route-based policy you should authorize requests for passing probes by adding app-specific `HTTPRoute` and policies for it for each app: +```yaml +apiVersion: policy.linkerd.io/v1alpha1 +kind: AuthorizationPolicy +metadata: + name: cool-app-health-check-allow + namespace: cool-ns +spec: + targetRef: + group: policy.linkerd.io + kind: HTTPRoute + name: cool-app-health-check + requiredAuthenticationRefs: + - name: cluster-network-authn + kind: NetworkAuthentication + group: policy.linkerd.io +``` + +The Helm chart generates NetworkAuthentication with name `cluster-network-authn` to authorize cluster network requests. + +You should explicitly provide cluster network or authorize kubelet only. It depends on the K8s implementation you are using and could be setup via `clusterNetwork` section in the values. + #### Kubelet CIDR > **⚠ WARNING: 2.11.x only** diff --git a/charts/linkerd-easyauth/Chart.yaml b/charts/linkerd-easyauth/Chart.yaml index 3d5f1de..7bc0b42 100644 --- a/charts/linkerd-easyauth/Chart.yaml +++ b/charts/linkerd-easyauth/Chart.yaml 
@@ -1,5 +1,5 @@
 apiVersion: v1
-appVersion: "0.6.0"
+appVersion: "0.8.0"
 description: A Helm chart for Linkerd easyauth extension.
 name: linkerd-easyauth
-version: "0.6.0"
\ No newline at end of file
+version: "0.8.0"
\ No newline at end of file
diff --git a/charts/linkerd-easyauth/templates/auth-policies.yml b/charts/linkerd-easyauth/templates/auth-policies.yml
index 234b3e9..5e1902e 100644
--- a/charts/linkerd-easyauth/templates/auth-policies.yml
+++ b/charts/linkerd-easyauth/templates/auth-policies.yml
@@ -88,4 +88,22 @@ spec:
 kind: MeshTLSAuthentication
 group: policy.linkerd.io
 {{ end }}
+---
+apiVersion: policy.linkerd.io/v1alpha1
+kind: NetworkAuthentication
+metadata:
+ name: cluster-network-authn
+ namespace: {{ . }}
+spec:
+ networks:
+ {{- range $.Values.policies.clusterNetwork.cidr }}
+ - cidr: {{ . }}
+ {{- end }}
+ {{- if $.Values.policies.clusterNetwork.generator }}
+ {{- range $i, $e1 := untilStep (int $.Values.policies.clusterNetwork.generator.low1) (int $.Values.policies.clusterNetwork.generator.high1) 1 }}
+ {{- range $j, $e2 := untilStep (int $.Values.policies.clusterNetwork.generator.low2) (int $.Values.policies.clusterNetwork.generator.high2) 1 }}
+ - cidr: {{ $.Values.policies.clusterNetwork.generator.octet0 }}.{{ $e1 }}.{{ $e2 }}.{{ $.Values.policies.clusterNetwork.generator.octet3 }}/32
+ {{- end }}
+ {{- end }}
+ {{- end }}
 {{ end }}
\ No newline at end of file
diff --git a/charts/linkerd-easyauth/values.yaml b/charts/linkerd-easyauth/values.yaml
index 6b29839..d96054d 100644
--- a/charts/linkerd-easyauth/values.yaml
+++ b/charts/linkerd-easyauth/values.yaml
@@ -9,7 +9,7 @@ tolerations: &default_tolerations
 webhook:
 image:
 name: aatarasoff/linkerd-easyauth-webhook
- version: 0.6.0
+ version: 0.8.0
 pullPolicy: IfNotPresent
 
 # modify to HA mode
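Review bot: The NetworkAuthentication rendered here takes its `networks` straight from `policies.clusterNetwork.cidr`, and the defaults this same commit ships in the values.yaml hunk at `@@ -45,3 +45,19 @@` are `0.0.0.0/0` and `::/0`, so a chart installed without overriding that value produces a `cluster-network-authn` that matches every source address; any AuthorizationPolicy referencing it (as the README example does) then admits unauthenticated traffic from anywhere, which is wider than the resource name and the README's "authorize cluster network requests" suggest. I would ship an empty `cidr` list and make the render fail when neither source yields a network, e.g. `{{- if and (not $.Values.policies.clusterNetwork.cidr) (not $.Values.policies.clusterNetwork.generator) }}{{ fail "policies.clusterNetwork needs cidr or generator" }}{{- end }}` placed before the `---`, or at minimum add a template comment above the resource such as `{{/* Default 0.0.0.0/0 and ::/0 match any source; set policies.clusterNetwork.cidr to the real node/pod CIDRs */}}`. The same point applies to the values.yaml defaults hunk and is not repeated there. The closing `{{ end }}` belongs to a range that starts outside this hunk, so which namespaces the resource is rendered into cannot be confirmed from here.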
@@ -45,3 +45,19 @@ policies:
 monitoring:
 enabled: false
 namespace: monitoring
+
+ # authorize cluster network
+ clusterNetwork:
+ # simple implementation
+ cidr:
+ - 0.0.0.0/0
+ - ::/0
+ # generate by pattern octet0:{low1-high1}:{low2-high2}:octet3 (10.169.150.1)
+ # typical use case: GKE kubelet
+ generator:
+# octet0: 10
+# low1: 168
+# high1: 172
+# low2: 0
+# high2: 256
+# octet3: 1
diff --git a/go.mod b/go.mod
index aa40bff..1711e4d 100644
--- a/go.mod
+++ b/go.mod
@@ -4,7 +4,7 @@ go 1.18
 
 require (
 github.com/fatih/color v1.13.0
-github.com/linkerd/linkerd2 v0.5.1-0.20220823204551-0bd3f732e68b
+github.com/linkerd/linkerd2 v0.5.1-0.20220915170415-ee75526ba7ca
 github.com/sirupsen/logrus v1.9.0
 github.com/spf13/cobra v1.5.0
 k8s.io/api v0.24.3
@@ -116,15 +116,15 @@ require (
 golang.org/x/time v0.0.0-20220210224613-90d013bbcef8 // indirect
 google.golang.org/appengine v1.6.7 // indirect
 google.golang.org/genproto v0.0.0-20220107163113-42d7afdf6368 // indirect
-google.golang.org/grpc v1.48.0 // indirect
+google.golang.org/grpc v1.49.0 // indirect
 google.golang.org/protobuf v1.28.1 // indirect
 gopkg.in/inf.v0 v0.9.1 // indirect
 gopkg.in/yaml.v2 v2.4.0 // indirect
 gopkg.in/yaml.v3 v3.0.1 // indirect
-helm.sh/helm/v3 v3.9.3 // indirect
+helm.sh/helm/v3 v3.9.4 // indirect
 k8s.io/apiextensions-apiserver v0.24.2 // indirect
 k8s.io/cli-runtime v0.24.2 // indirect
-k8s.io/klog/v2 v2.70.1 // indirect
+k8s.io/klog/v2 v2.80.0 // indirect
 k8s.io/kube-aggregator v0.23.5 // indirect
 k8s.io/kube-openapi v0.0.0-20220627174259-011e075b9cb8 // indirect
 k8s.io/utils v0.0.0-20220210201930-3a6ce19ff2f9 // indirect
diff --git a/go.sum b/go.sum
index 6909632..dda6816 100644
--- a/go.sum
+++ b/go.sum
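Review bot: The commented generator example cannot be uncommented in place: the `# octet0: 10` … `# octet3: 1` lines appear to sit at column 0 (`+#`, unlike the `+ # …` comment lines above them), so stripping the `#` yields keys that are not nested under `generator:` and the file no longer parses as intended. Indent those six lines to the level of `generator:`'s children so the sample is copy-ready, and fix the pattern comment, which separates octets with colons while the sample address `10.169.150.1` uses dots, to `# generate by pattern octet0.{low1-high1}.{low2-high2}.octet3 (e.g. 10.169.150.1)`. Since the template expands these bounds with `untilStep`, whose upper bound is exclusive, a line such as `# high1/high2 are exclusive: low2: 0, high2: 256 covers .0-.255` would also explain the `high2: 256` sample value.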
@@ -377,7 +377,6 @@ github.com/envoyproxy/go-control-plane v0.9.9-0.20210217033140-668b12f5399d/go.m github.com/envoyproxy/go-control-plane v0.9.9-0.20210512163311-63b5d3c536b0/go.mod h1:hliV/p42l8fGbc6Y9bQ70uLwIvmJyVE5k4iMKlh8wCQ= github.com/envoyproxy/go-control-plane v0.9.10-0.20210907150352-cf90f659a021/go.mod h1:AFq3mo9L8Lqqiid3OhADV3RfLJnjiw63cSpi+fDTRC0= github.com/envoyproxy/go-control-plane v0.10.1/go.mod h1:AY7fTTXNdv/aJ2O5jwpxAPOWUZ7hQAEvzN5Pf27BkQQ= -github.com/envoyproxy/go-control-plane v0.10.2-0.20220325020618-49ff273808a1/go.mod h1:KJwIaB5Mv44NWtYuAOFCVOjcI94vtpEz2JU/D2v6IjE= github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c= github.com/envoyproxy/protoc-gen-validate v0.6.2/go.mod h1:2t7qjJNvHPx8IjnBOzl9E9/baC+qXE/TeeyBRzgJDws= github.com/evanphx/json-patch v4.9.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk= 
@@ -680,8 +679,8 @@ github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY= github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE= github.com/liggitt/tabwriter v0.0.0-20181228230101-89fcab3d43de h1:9TO3cAIGXtEhnIaL+V+BEER86oLrvS+kWobKpbJuye0= github.com/liggitt/tabwriter v0.0.0-20181228230101-89fcab3d43de/go.mod h1:zAbeS9B/r2mtpb6U+EI2rYA5OAXxsYw6wTamcNW+zcE= -github.com/linkerd/linkerd2 v0.5.1-0.20220823204551-0bd3f732e68b h1:x/Mlg6a77FipPphLw709t8Dn1ocqzIVy/ull2V7y4xM= -github.com/linkerd/linkerd2 v0.5.1-0.20220823204551-0bd3f732e68b/go.mod h1:8363Xgo+Fb3uJiC4oWidWIZ01fRHNSZUNsI+02K9LnI= +github.com/linkerd/linkerd2 v0.5.1-0.20220915170415-ee75526ba7ca h1:yINuTxMLGF83CHGtL5/dsmpZjAGn+nLAw28t60K6ZqA= +github.com/linkerd/linkerd2 v0.5.1-0.20220915170415-ee75526ba7ca/go.mod h1:DO7baTy9fP8QJ9TH7PRZLiE2wRO3BtTFfp22K9Ryi04= github.com/linkerd/linkerd2-proxy-api v0.7.0 h1:T/2hDAaPR++5dKc26LiZhvs2PrwgoyowdT3gQJAMmCk= github.com/linkerd/linkerd2-proxy-api v0.7.0/go.mod h1:aEq0Ua1VHiRpqlPzMbPtx/wKqw83zXlNK7FNFOSP2mg= github.com/lyft/protoc-gen-star v0.5.3/go.mod h1:V0xaHgaf5oCCqmcxYcWiDfTiKsZsRc87/1qhoTACD8w= 
@@ -1572,8 +1571,8 @@ google.golang.org/grpc v1.40.0/go.mod h1:ogyxbiOoUXAkP+4+xa6PZSE9DZgIHtSpzjDTB9K google.golang.org/grpc v1.40.1/go.mod h1:ogyxbiOoUXAkP+4+xa6PZSE9DZgIHtSpzjDTB9KAK34= google.golang.org/grpc v1.42.0/go.mod h1:k+4IHHFw41K8+bbowsex27ge2rCb65oeWqe4jJ590SU= google.golang.org/grpc v1.43.0/go.mod h1:k+4IHHFw41K8+bbowsex27ge2rCb65oeWqe4jJ590SU= -google.golang.org/grpc v1.48.0 h1:rQOsyJ/8+ufEDJd/Gdsz7HG220Mh9HAhFHRGnIjda0w= -google.golang.org/grpc v1.48.0/go.mod h1:vN9eftEi1UMyUsIF80+uQXhHjbXYbm0uXoFCACuMGWk= +google.golang.org/grpc v1.49.0 h1:WTLtQzmQori5FUH25Pq4WT22oCsv8USpQ+F6rqtsmxw= +google.golang.org/grpc v1.49.0/go.mod h1:ZgQEeidpAuNRZ8iRrlBKXZQP1ghovWIVhdJRyCDK+GI= google.golang.org/grpc/cmd/protoc-gen-go-grpc v1.1.0/go.mod h1:6Kw0yEErY5E/yWrBtf03jp27GLLJujG4z/JK95pnjjw= google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8= google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0= @@ -1635,8 +1634,8 @@ gotest.tools v2.2.0+incompatible/go.mod h1:DsYFclhRJ6vuDpmuTbkuFWG+y2sxOXAzmJt81 gotest.tools/v3 v3.0.2/go.mod h1:3SzNCllyD9/Y+b5r9JIKQ474KzkZyqLqEfYqMsX94Bk= gotest.tools/v3 v3.0.3 h1:4AuOwCGf4lLR9u3YOe2awrHygurzhO/HeQ6laiA6Sx0= gotest.tools/v3 v3.0.3/go.mod h1:Z7Lb0S5l+klDB31fvDQX8ss/FlKDxtlFlw3Oa8Ymbl8= -helm.sh/helm/v3 v3.9.3 h1:etd4Qc45/bnIkBofZIRwrAzYuG3bNWR1EdMN4fsfzoE= -helm.sh/helm/v3 v3.9.3/go.mod h1:3eaWAIqzvlRSD06gR9MMwmp2KBKwlu9av1/1BZpjeWY= +helm.sh/helm/v3 v3.9.4 h1:TCI1QhJUeLVOdccfdw+vnSEO3Td6gNqibptB04QtExY= +helm.sh/helm/v3 v3.9.4/go.mod h1:3eaWAIqzvlRSD06gR9MMwmp2KBKwlu9av1/1BZpjeWY= honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= honnef.co/go/tools v0.0.0-20190106161140-3f1c8253044a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= honnef.co/go/tools v0.0.0-20190418001031-e561f6794a2a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= 
@@ -1693,8 +1692,8 @@ k8s.io/klog/v2 v2.2.0/go.mod h1:Od+F08eJP+W3HUb4pSrPpgp9DGU4GzlpG/TmITuYh/Y= k8s.io/klog/v2 v2.4.0/go.mod h1:Od+F08eJP+W3HUb4pSrPpgp9DGU4GzlpG/TmITuYh/Y= k8s.io/klog/v2 v2.30.0/go.mod h1:y1WjHnz7Dj687irZUWR/WLkLc5N1YHtjLdmgWjndZn0= k8s.io/klog/v2 v2.60.1/go.mod h1:y1WjHnz7Dj687irZUWR/WLkLc5N1YHtjLdmgWjndZn0= -k8s.io/klog/v2 v2.70.1 h1:7aaoSdahviPmR+XkS7FyxlkkXs6tHISSG03RxleQAVQ= -k8s.io/klog/v2 v2.70.1/go.mod h1:y1WjHnz7Dj687irZUWR/WLkLc5N1YHtjLdmgWjndZn0= +k8s.io/klog/v2 v2.80.0 h1:lyJt0TWMPaGoODa8B8bUuxgHS3W/m/bNr2cca3brA/g= +k8s.io/klog/v2 v2.80.0/go.mod h1:y1WjHnz7Dj687irZUWR/WLkLc5N1YHtjLdmgWjndZn0= k8s.io/kube-aggregator v0.23.5 h1:UZ+qE3hGo6DcgKySf27Jg7d3X9/6JQkVLUiHZAoAfCY= k8s.io/kube-aggregator v0.23.5/go.mod h1:3ynYx07Co6dzjpKPgipM+1/Mt2Jcm7dY++cRlKLr5s8= k8s.io/kube-openapi v0.0.0-20201113171705-d219536bb9fd/go.mod h1:WOJ3KddDSol4tAGcJo0Tvi+dK12EcqSLqcWsryKMpfM=