Introduction to the

Server and ServerAuthorization are two policy resources in Linkerd that control inbound access to mesh applications.

During installation, the policyController.defaultAllowPolicy field specifies the default policy that applies when no Server selects a pod. This field can be one of the following:

  • all-unauthenticated: allow all requests. This is the default setting.
  • all-authenticated: allow requests from meshed clients in the same cluster or, with multi-cluster, from a different cluster.
  • cluster-authenticated: allow requests from meshed clients in the same cluster.
  • cluster-unauthenticated: allow requests from both meshed and unmeshed clients in the same cluster.
  • deny: all requests are denied. (Policy resources should then be created to allow specific communication between services.)

This default can be overridden by setting the config.linkerd.io/default-inbound-policy annotation on the pod spec or on its namespace.

When a Server is configured for a pod and port, the default behaviour is to deny traffic, and a ServerAuthorization resource must be created to allow traffic on that Server.

Part of the series: Chinese Handbook (hacker-linner.com)

Server

A Server selects a port on a set of pods in the same namespace as the Server. It typically selects a single port on a pod, but it may select multiple ports when referring to ports by name (for example, admin-http). Although the Server resource is similar to a Kubernetes Service, it adds the restriction that multiple Server instances cannot overlap: they cannot select the same pod/port pair. Linkerd ships with an admission controller that tries to prevent the creation of overlapping Servers.

When a Server selects a port, traffic is rejected by default, and ServerAuthorization must be used to authorize traffic on the port selected by the Server.

Spec

A Server spec may contain the following top-level fields:

field          value
podSelector    A podSelector that selects pods in the same namespace.
port           A port name or number. Only ports declared in the pod spec's ports are considered.
proxyProtocol  Configures protocol discovery for inbound connections. It supersedes the config.linkerd.io/opaque-ports annotation and must be one of unknown, HTTP/1, HTTP/2, gRPC, opaque or TLS. If not set, it defaults to unknown.

podSelector

This is the same as the Kubernetes labelSelector field. All pods matched by this selector belong to the Server. The podSelector object must contain exactly one of the following fields:

field             value
matchExpressions  A list of label selector requirements. The requirements are ANDed.
matchLabels       A map of {key,value} pairs.

For more details, see the Kubernetes LabelSelector Reference.

  • kubernetes.io/docs/refere…

Server example

A Server that selects pods with a specific label, using gRPC as the proxyProtocol.

apiVersion: policy.linkerd.io/v1beta1
kind: Server
metadata:
  namespace: emojivoto
  name: emoji-grpc
spec:
  podSelector:
    matchLabels:
      app: emoji-svc
  port: grpc
  proxyProtocol: gRPC

A Server that selects pods with matchExpressions, using HTTP/2 as the proxyProtocol, on port 8080.

apiVersion: policy.linkerd.io/v1beta1
kind: Server
metadata:
  namespace: emojivoto
  name: backend-services
spec:
  podSelector:
    matchExpressions:
    - {key: app, operator: In, values: [voting-svc, emoji-svc]}
    - {key: environment, operator: NotIn, values: [dev]}
  port: 8080
  proxyProtocol: "HTTP/2"
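The overlap rule above (two Servers may not select the same pod/port pair) is easy to violate once a Server names a port while another uses its number. The following added example, which is not code from the Linkerd project or from this page's author, models how a Server resolves to pod/port pairs through its podSelector and port, and reports overlaps before the admission controller has to reject a resource. The two Servers are the ones shown on this page; the pods, their labels and their container port numbers are constructed sample data.

```python
# Added example (not from the Linkerd project or the page's author): a small
# model of how a Server resolves to pod/port pairs, used to spot overlapping
# Servers. Pods, their labels and their container ports are constructed.
from itertools import combinations
from typing import Optional


def selector_matches(selector: dict, labels: dict) -> bool:
    """Kubernetes LabelSelector semantics: every matchLabels entry and every
    matchExpressions requirement must hold (they are ANDed)."""
    for key, value in selector.get("matchLabels", {}).items():
        if labels.get(key) != value:
            return False
    for expr in selector.get("matchExpressions", []):
        key, op, values = expr["key"], expr["operator"], expr.get("values", [])
        present = key in labels
        if op == "In" and not (present and labels[key] in values):
            return False
        if op == "NotIn" and present and labels[key] in values:
            return False
        if op == "Exists" and not present:
            return False
        if op == "DoesNotExist" and present:
            return False
    return True


def resolve_port(server_port, pod_ports: list) -> Optional[int]:
    """A Server's port is a name or a number, and only ports declared in the
    pod spec count. Returns the numeric port, or None if the pod lacks it."""
    for p in pod_ports:
        if server_port in (p.get("name"), p.get("containerPort")):
            return p["containerPort"]
    return None


def selected_pairs(server: dict, pods: list) -> set:
    """All (pod name, port number) pairs that a Server selects."""
    pairs = set()
    for pod in pods:
        if pod["namespace"] != server["metadata"]["namespace"]:
            continue  # a Server only selects pods in its own namespace
        if not selector_matches(server["spec"]["podSelector"], pod["labels"]):
            continue
        port = resolve_port(server["spec"]["port"], pod["ports"])
        if port is not None:
            pairs.add((pod["name"], port))
    return pairs


def find_overlaps(servers: list, pods: list) -> list:
    """(server A, server B, shared pod/port pairs) for every pair of Servers
    that select the same pod/port; Linkerd's admission controller rejects these."""
    selected = {s["metadata"]["name"]: selected_pairs(s, pods) for s in servers}
    overlaps = []
    for a, b in combinations(selected, 2):
        shared = selected[a] & selected[b]
        if shared:
            overlaps.append((a, b, sorted(shared)))
    return overlaps


# The two Servers from this page, as Python dicts.
EMOJI_GRPC = {"metadata": {"namespace": "emojivoto", "name": "emoji-grpc"},
              "spec": {"podSelector": {"matchLabels": {"app": "emoji-svc"}},
                       "port": "grpc", "proxyProtocol": "gRPC"}}
BACKEND_SERVICES = {"metadata": {"namespace": "emojivoto", "name": "backend-services"},
                    "spec": {"podSelector": {"matchExpressions": [
                                 {"key": "app", "operator": "In", "values": ["voting-svc", "emoji-svc"]},
                                 {"key": "environment", "operator": "NotIn", "values": ["dev"]}]},
                             "port": 8080, "proxyProtocol": "HTTP/2"}}

# Constructed pods: names, labels and port numbers are sample values.
PODS = [
    {"name": "emoji-1", "namespace": "emojivoto", "labels": {"app": "emoji-svc", "environment": "prod"},
     "ports": [{"name": "grpc", "containerPort": 8080}, {"name": "prom", "containerPort": 8801}]},
    {"name": "voting-1", "namespace": "emojivoto", "labels": {"app": "voting-svc", "environment": "prod"},
     "ports": [{"name": "grpc", "containerPort": 8080}]},
    {"name": "voting-dev", "namespace": "emojivoto", "labels": {"app": "voting-svc", "environment": "dev"},
     "ports": [{"name": "grpc", "containerPort": 8080}]},
    {"name": "web-1", "namespace": "emojivoto", "labels": {"app": "web-svc"},
     "ports": [{"name": "http", "containerPort": 8080}]},
]

if __name__ == "__main__":
    for a, b, shared in find_overlaps([EMOJI_GRPC, BACKEND_SERVICES], PODS):
        print(f"Servers {a} and {b} both select {shared}")
```

With the constructed pods, where the emoji pod's grpc port is 8080, the named port of emoji-grpc and the numeric port of backend-services resolve to the same pod/port pair, which is exactly the overlap the admission controller refuses; the dev voting pod is excluded by the NotIn requirement and the web pod by the In requirement.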

ServerAuthorization

ServerAuthorization provides a way to authorize traffic to one or more servers.

Spec

A ServerAuthorization spec must contain the following top-level fields:

field   value
client  A client object that describes the clients authorized to access the server.
server  Identifies the Servers in the same namespace to which this authorization applies.

server

The server object must contain one of the following fields:

field     value
name      References a Server instance by name.
selector  A selector that selects the Servers in the same namespace to which this authorization applies.

selector

This is the same as the Kubernetes labelSelector field. This authorization applies to all Servers matched by the selector. The selector object must contain exactly one of the following fields:

field             value
matchExpressions  A list of label selector requirements. The requirements are ANDed.
matchLabels       A map of {key,value} pairs.

client

The client object must contain one of the following fields:

field            value
meshTLS          A meshTLS object that authorizes meshed clients to access the server.
unauthenticated  A boolean value that authorizes unauthenticated clients to access the server.

It may also contain the networks field:

field     value
networks  Restricts the IP addresses of clients to which this authorization applies. If not set, the server chooses a default (typically all IPs or the cluster's pod network).

meshTLS

A meshTLS object must contain exactly one of the following fields:

field               value
unauthenticatedTLS  A boolean value indicating that no client identity is required. This is important for the identity controller, which must terminate TLS connections from clients that do not yet have a certificate.
identities          A list of authorized client proxy identity strings (as provided via mTLS). A * prefix can be used to match all identities in a domain. An identity string of * indicates that all authenticated clients are authorized.
serviceAccounts     A list of authorized client serviceAccounts (as provided via mTLS).

serviceAccount

A serviceAccount entry contains the following top-level fields:

field      value
name       The ServiceAccount's name.
namespace  The ServiceAccount's namespace. If not set, the authorization's namespace is used.

ServerAuthorization sample

A ServerAuthorization that allows meshed clients with the proxy identity *.emojivoto.serviceaccount.identity.linkerd.cluster.local, that is, all service accounts in the emojivoto namespace.

apiVersion: policy.linkerd.io/v1beta1
kind: ServerAuthorization
metadata:
  namespace: emojivoto
  name: emoji-grpc
spec:
  # Allow all authenticated clients to access the (read-only) emoji service.
  server:
    selector:
      matchLabels:
        app: emoji-svc
  client:
    meshTLS:
      identities:
        - "*.emojivoto.serviceaccount.identity.linkerd.cluster.local"

A ServerAuthorization that allows any unauthenticated client.

apiVersion: policy.linkerd.io/v1beta1
kind: ServerAuthorization
metadata:
  namespace: emojivoto
  name: web-public
spec:
  server:
    name: web-http
  # Allow all clients to access the web HTTP port without regard for
  # authentication. If unauthenticated connections are permitted, there is no
  # need to describe authenticated clients.
  client:
    unauthenticated: true
    networks:
      - cidr: 0.0.0.0/0
      - cidr: ::/0

A ServerAuthorization that allows meshed clients with a specific service account.

apiVersion: policy.linkerd.io/v1beta1
kind: ServerAuthorization
metadata:
  namespace: emojivoto
  name: prom-prometheus
spec:
  server:
    name: prom
  client:
    meshTLS:
      serviceAccounts:
        - namespace: linkerd-viz
          name: prometheus
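To make the client rules concrete, here is an added example (not Linkerd's own code, and not from this page's author) that evaluates a ServerAuthorization's client block against a connecting client, and also resolves the default inbound policy described at the top of the page for pods that no Server selects. It covers the unauthenticated flag, the networks restriction, unauthenticatedTLS, identity patterns with a leading *, and serviceAccounts expanded to identity strings. The Client record, its tls and cluster_local flags and the sample IPs are constructed for the demonstration; the identity string format is the one shown in the page's emojivoto example.

```python
# Added example (not Linkerd's own code): evaluates a ServerAuthorization's
# client block against a connecting client, and resolves the default inbound
# policy that applies when no Server selects a pod. Client, tls, cluster_local
# and the sample IPs are constructed for this demonstration.
import ipaddress
from dataclasses import dataclass
from typing import Optional

ANNOTATION = "config.linkerd.io/default-inbound-policy"
IDENTITY_SUFFIX = "serviceaccount.identity.linkerd.cluster.local"  # as in the page's example


@dataclass
class Client:
    ip: str
    identity: Optional[str] = None  # mTLS proxy identity; None when unauthenticated
    tls: bool = False               # True if the connection is TLS at all
    cluster_local: bool = True      # constructed: client originates in this cluster


def sa_identity(name: str, namespace: str) -> str:
    """Proxy identity string for a ServiceAccount (format from the page's example)."""
    return f"{name}.{namespace}.{IDENTITY_SUFFIX}"


def identity_matches(pattern: str, identity: str) -> bool:
    """'*' matches every authenticated client, a '*.' prefix matches all
    identities in that domain, anything else must match exactly."""
    if pattern == "*":
        return True
    if pattern.startswith("*."):
        return identity.endswith(pattern[1:])  # keep the dot: no partial labels
    return pattern == identity


def in_networks(client: Client, networks: Optional[list]) -> bool:
    """networks restricts client IPs; when absent, the server default (all) applies."""
    if not networks:
        return True
    ip = ipaddress.ip_address(client.ip)
    return any(ip in ipaddress.ip_network(n["cidr"], strict=False) for n in networks)


def client_authorized(authz: dict, client: Client) -> bool:
    """Does this ServerAuthorization's client block admit the client?"""
    spec = authz["spec"]["client"]
    if not in_networks(client, spec.get("networks")):
        return False
    if spec.get("unauthenticated"):
        return True
    mesh = spec.get("meshTLS")
    if not mesh:
        return False
    if mesh.get("unauthenticatedTLS"):
        return client.tls  # TLS required, but no client certificate
    if client.identity is None:
        return False
    if any(identity_matches(p, client.identity) for p in mesh.get("identities", [])):
        return True
    ns = authz["metadata"]["namespace"]  # serviceAccount.namespace defaults to it
    return any(client.identity == sa_identity(sa["name"], sa.get("namespace", ns))
               for sa in mesh.get("serviceAccounts", []))


def effective_default(pod_annotations: dict, ns_annotations: dict, install_default: str) -> str:
    """Pod annotation overrides namespace annotation, which overrides the install value."""
    return pod_annotations.get(ANNOTATION) or ns_annotations.get(ANNOTATION) or install_default


def default_allows(policy: str, client: Client) -> bool:
    """The five defaultAllowPolicy values listed on the page."""
    meshed = client.identity is not None
    rules = {"all-unauthenticated": True,
             "all-authenticated": meshed,
             "cluster-authenticated": meshed and client.cluster_local,
             "cluster-unauthenticated": client.cluster_local,
             "deny": False}
    if policy not in rules:
        raise ValueError(f"unknown default inbound policy: {policy}")
    return rules[policy]


def inbound_allowed(server_selected: bool, authorizations: list, client: Client, policy: str) -> bool:
    """If a Server selects the pod/port, deny unless some ServerAuthorization admits
    the client; otherwise fall back to the default policy."""
    if server_selected:
        return any(client_authorized(a, client) for a in authorizations)
    return default_allows(policy, client)


# The page's three ServerAuthorizations as dicts, plus constructed clients.
EMOJI_GRPC = {"metadata": {"namespace": "emojivoto", "name": "emoji-grpc"},
              "spec": {"server": {"selector": {"matchLabels": {"app": "emoji-svc"}}},
                       "client": {"meshTLS": {"identities": ["*.emojivoto." + IDENTITY_SUFFIX]}}}}
WEB_PUBLIC = {"metadata": {"namespace": "emojivoto", "name": "web-public"},
              "spec": {"server": {"name": "web-http"},
                       "client": {"unauthenticated": True,
                                  "networks": [{"cidr": "0.0.0.0/0"}, {"cidr": "::/0"}]}}}
PROM = {"metadata": {"namespace": "emojivoto", "name": "prom-prometheus"},
        "spec": {"server": {"name": "prom"},
                 "client": {"meshTLS": {"serviceAccounts": [{"namespace": "linkerd-viz", "name": "prometheus"}]}}}}
VOTING = Client("10.42.0.7", sa_identity("voting", "emojivoto"), tls=True)
PROMETHEUS = Client("10.42.1.3", sa_identity("prometheus", "linkerd-viz"), tls=True)
CURL = Client("10.42.2.9")  # unmeshed plaintext client inside the cluster
```

Two points worth noticing in the evaluation order: the networks restriction is applied before any identity check, so it narrows every form of client, and the serviceAccounts entry without a namespace falls back to the authorization's own namespace, which is why the prom-prometheus example has to name linkerd-viz explicitly.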