Skip to content
main
Switch branches/tags
83 branches 235 tags
Code

Latest commit

@olix0r
olix0r policy: Support empty requiredAuthenticationRefs (#8185)
1a0c1c3 Apr 2, 2022
policy: Support empty `requiredAuthenticationRefs` (#8185) 
Currently, the policy admission controller requires that the
`AuthorizationPolicy` resources include a non-empty
`requiredAuthenticationRefs` field. This means that all authorization
policies require at least a `NetworkAuthentication` to permit traffic.
For example:

```yaml
---
apiVersion: policy.linkerd.io/v1alpha1
kind: AuthorizationPolicy
metadata:
  name: ingress
spec:
  targetRef:
    group: policy.linkerd.io
    kind: Server
    name: ingress-http
  requiredAuthenticationRefs:
  - group: policy.linkerd.io
    kind: NetworkAuthentication
    name: all-nets
---
apiVersion: policy.linkerd.io/v1alpha1
kind: NetworkAuthentication
metadata:
  name: ingress-all-nets
spec:
  networks:
  - cidr: 0.0.0.0/0
  - cidr: ::/0
```

This is needlessly verbose and can more simply be expressed as:

```yaml
---
apiVersion: policy.linkerd.io/v1alpha1
kind: AuthorizationPolicy
metadata:
  name: ingress
spec:
  targetRef:
    group: policy.linkerd.io
    kind: Server
    name: ingress-http
  requiredAuthenticationRefs: []
```

That is: there are explicitly no required authentications for this
policy.

This change updates the admission controller to permit such a policy.
Note that the `requiredAuthenticationRefs` field is still required so
that it's harder for simple misconfigurations to result in allowing
traffic.

This change also removes `Default` implementation for resources where do
they not make sense because there are required fields.

Signed-off-by: Oliver Gould <ver@buoyant.io>
1a0c1c3

Git stats

Files

Permalink
Failed to load latest commit information.
Type
Name
Latest commit message
Commit time
.devcontainer
devcontainer: Update tooling versions (#8020)
Mar 7, 2022
.github
build(deps): bump actions/cache from 3.0.0 to 3.0.1 (#8178)
Mar 31, 2022
bin
Add Go types for Policy CRDs (#8171)
Mar 31, 2022
charts
Add change notes for edge-22.3.5 (#8182)
Mar 31, 2022
cli
Add change notes for edge-22.3.5 (#8182)
Mar 31, 2022
cni-plugin
Add gosec and errcheck lints (#7954)
Mar 3, 2022
controller
Add Go types for Policy CRDs (#8171)
Mar 31, 2022
grafana
Parametrized datasource in grafana dashboards, better script handling (
Jan 14, 2022
jaeger
Add change notes for edge-22.3.5 (#8182)
Mar 31, 2022
multicluster
Add change notes for edge-22.3.5 (#8182)
Mar 31, 2022
pkg
allow pprof to be configurable via helm flags (#8090)
Mar 22, 2022
policy-controller
policy: Support empty requiredAuthenticationRefs (#8185)
Apr 1, 2022
policy-test
policy: Support empty requiredAuthenticationRefs (#8185)
Apr 1, 2022
proto
Remove legacy upgrade and it's references (#7309)
Nov 29, 2021
proxy-identity
Add gosec and errcheck lints (#7954)
Mar 3, 2022
test
cli: Deprecate proxy-version flag (#8027)
Mar 30, 2022
testutil
Add gosec and errcheck lints (#7954)
Mar 3, 2022
viz
Add change notes for edge-22.3.5 (#8182)
Mar 31, 2022
web
build(deps): bump @fortawesome/free-regular-svg-icons in /web/app (#8151
Mar 31, 2022
.dockerignore
Standardize curl flags with scurl (#7658)
Jan 24, 2022
.editorconfig
Add PodDisruptionBudgets to control plane (#5398) (#5406)
Jan 6, 2021
.gcp.json.enc
Add docker builds and integration tests to CI (#1303)
Jul 11, 2018
.gitattributes
Update gitattributes to improve PR file visilibity (#6767)
Aug 30, 2021
.gitignore
Upload code coverage of unit tests to codecov (#6321)
Jun 23, 2021
.golangci.yml
enable structcheck linter (#8043)
Mar 18, 2022
.helmdocsignore
Add automatic readme generation for charts (#5316)
Dec 2, 2020
.markdownlint.yaml
Lint all markdown files in CI (#4402)
May 20, 2020
.proxy-version
proxy: v2.175.0 (#8142)
Mar 29, 2022
ADOPTERS.md
Adding Livspace as an adopter (#7986)
Mar 1, 2022
BUILD.md
Run lint action from the devcontainer, remove bin/lint script (#7895)
Feb 17, 2022
CHANGES.md
Add change notes for edge-22.3.5 (#8182)
Mar 31, 2022
CODE_OF_CONDUCT.md
Lint all markdown files (#4403)
May 19, 2020
CONTRIBUTING.md
Spelling (#6215)
Jun 7, 2021
Cargo.lock
build(deps): bump pkg-config from 0.3.24 to 0.3.25 (#8186)
Apr 1, 2022
Cargo.toml
Test the policy controller admission webhook (#8008)
Mar 7, 2022
DCO
Add contributing doc and DCO file (#88)
Dec 22, 2017
Dockerfile-debug
Update debian base images to buster-20210208-slim (#5750)
Feb 16, 2021
Dockerfile-proxy
Add read limits in various places (#7968)
Mar 3, 2022
EXTENSIONS.md
Versioned linkerd check hint URLs (#6102)
May 10, 2021
GOVERNANCE.md
add preamble to GOVERNANCE.md (#6008)
Apr 12, 2021
LICENSE
Introducing Conduit, the ultralight service mesh
Dec 5, 2017
MAINTAINERS.md
Add @mateiidavid to maintainers (#6597)
Aug 4, 2021
README.md
reference SECURITY.md from README.md (#5918)
Mar 18, 2021
RELEASE.md
Add release instructions (#7574)
Jan 12, 2022
ROADMAP.md
Update roadmap (#7413)
Dec 13, 2021
SECURITY.md
Spelling (#4872)
Aug 13, 2020
SECURITY_AUDIT.pdf
Add security audit (#3008)
Jun 28, 2019
STEERING.md
add STEERING.md (#5607)
Jan 27, 2021
TEST.md
Remove browser integration tests (#6583)
Aug 4, 2021
deny.toml
Update kube to v0.70, kubert to v0.5 (#8111)
Mar 21, 2022
go.mod
Add Go types for Policy CRDs (#8171)
Mar 31, 2022
go.sum
Add Go types for Policy CRDs (#8171)
Mar 31, 2022
link.yaml
add changes for edge-22.3.3 (#8072)
Mar 15, 2022
rust-toolchain
Update Rust to v1.59.0 (#7964)
Feb 25, 2022
tools.go
Update protoc (#6333)
Jun 21, 2021
Linkerd Repo layout Quickstart and documentation Working in this repo Get involved Community meetings Steering Committee meetings Code of Conduct Security License

README.md

Linkerd

Linkerd

CII Best Practices GitHub Actions Status GitHub license Go Report Card Slack Status

🎈 Welcome to Linkerd! 👋

Linkerd is an ultralight, security-first service mesh for Kubernetes. Linkerd adds critical security, observability, and reliability features to your Kubernetes stack with no code change required.

Linkerd is a Cloud Native Computing Foundation (CNCF) project.

Repo layout

This is the primary repo for the Linkerd 2.x line of development.

The complete list of Linkerd repos is:

Quickstart and documentation

You can run Linkerd on any modern Kubernetes cluster in a matter of seconds. See the Linkerd Getting Started Guide for how.

For more comprehensive documentation, start with the Linkerd docs. (The doc source code is available in the website repo.)

Working in this repo

BUILD.md includes general information on how to work in this repo.

We ❤️ pull requests! See CONTRIBUTING.md for info on contributing changes.

Get involved

Community meetings

We host regular online meetings for contributors, adopters, maintainers, and anyone else interested to connect in a synchronous fashion. These meetings usually take place the last Thursday of the month at 9am Pacific / 4pm UTC.

We're a friendly group, so please feel free to join us!

Steering Committee meetings

We host regular online meetings for the Linkerd Steering Committee. All are welcome to attend, but audio and video participation is limited to Steering Committee members and maintainers. These meetings are currently scheduled on an ad-hoc basis and announced on the linkerd-users mailing list.

Code of Conduct

This project is for everyone. We ask that our users and contributors take a few minutes to review our Code of Conduct.

Security

See SECURITY.md for our security policy, including how to report vulnerabilities.

A third party security audit was performed by Cure53 in June 2019. You can see the full report here.

License

Copyright 2021 the Linkerd Authors. All rights reserved.

Licensed under the Apache License, Version 2.0 (the "License"); you may not use these files except in compliance with the License. You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.

About

Ultralight, security-first service mesh for Kubernetes. Main repo for Linkerd 2.x.

linkerd.io

Topics

kubernetes rust golang cloud-native service-mesh linkerd

Resources

Readme

License

Apache-2.0 License

Code of conduct

Code of conduct

Stars

8.3k stars

Watchers

192 watching

Forks

974 forks

Releases 228

edge-22.3.5 Latest
Mar 31, 2022
+ 227 releases

Packages

No packages published

Contributors 246

+ 235 contributors

Languages