Configuring Linkerd multi-cluster policy
As of the Linkerd 2.11 release, the Linkerd multi-cluster extension also includes a policy configuration that prevents unauthorized access to pods running in the linkerd-multicluster namespace. This policy configuration only grants access to the core Linkerd control plane by default.
If you’re using the Linkerd multi-cluster extension with Buoyant Cloud, you’ll need to add the following configuration to the
apiVersion: policy.linkerd.io/v1beta1
kind: ServerAuthorization
metadata:
  namespace: linkerd-multicluster
  name: service-mirror-buoyant-cloud
  labels:
    app.kubernetes.io/part-of: linkerd-buoyant
spec:
  server:
    name: service-mirror
  client:
    meshTLS:
      serviceAccounts:
        - name: buoyant-cloud-agent
          namespace: linkerd-buoyant
If you save the above configuration as policy.yaml, you can apply it to your cluster with:
kubectl apply -f policy.yaml
Note: The Buoyant Cloud agent was updated in v0.7.0 to make use of the policy above. If you’re using the Linkerd multi-cluster extension, you should also upgrade the Buoyant Cloud agent running on each of your clusters to v0.7.0 or later, in order to see the full range of multi-cluster features that are available in Buoyant Cloud.
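To check the result after applying the policy, the added example below (not part of the original page or of Linkerd or Buoyant tooling) audits the JSON printed by `kubectl get serverauthorizations -n linkerd-multicluster -o json`. It confirms that the buoyant-cloud-agent service account is authorized on the service-mirror server and flags any authorization on that server that admits more than named identities. The `audit` function, the sample listing and its `constructed-wide-open` entry are assumptions made for illustration.

```python
import json
import sys

# Constructed sample in the shape of
# `kubectl get serverauthorizations -n linkerd-multicluster -o json`.
# The first item is the policy from this page; the second is a made-up bad grant.
SAMPLE = {"items": [
    {"metadata": {"namespace": "linkerd-multicluster",
                  "name": "service-mirror-buoyant-cloud"},
     "spec": {"server": {"name": "service-mirror"},
              "client": {"meshTLS": {"serviceAccounts": [
                  {"name": "buoyant-cloud-agent", "namespace": "linkerd-buoyant"}]}}}},
    {"metadata": {"namespace": "linkerd-multicluster", "name": "constructed-wide-open"},
     "spec": {"server": {"name": "service-mirror"},
              "client": {"unauthenticated": True}}},
]}


def audit(listing, server="service-mirror",
          sa="buoyant-cloud-agent", sa_ns="linkerd-buoyant"):
    """Return (agent_allowed, findings) for authorizations naming `server`."""
    agent_allowed, findings = False, []
    for item in listing.get("items", []):
        meta, spec = item["metadata"], item.get("spec", {})
        if spec.get("server", {}).get("name") != server:
            continue  # other servers (or selector-based refs) are not checked here
        client = spec.get("client", {})
        mtls = client.get("meshTLS", {})
        # Grants that admit far more than one named service account.
        if client.get("unauthenticated"):
            findings.append(f"{meta['name']}: unauthenticated clients allowed")
        if mtls.get("unauthenticatedTLS"):
            findings.append(f"{meta['name']}: TLS clients without mesh identity allowed")
        if "*" in mtls.get("identities", []):
            findings.append(f"{meta['name']}: any mesh identity allowed")
        for acct in mtls.get("serviceAccounts", []):
            # An omitted namespace is treated as the authorization's own namespace.
            ns = acct.get("namespace", meta.get("namespace"))
            if (acct.get("name"), ns) == (sa, sa_ns):
                agent_allowed = True
    return agent_allowed, findings


if __name__ == "__main__":
    data = SAMPLE if sys.stdin.isatty() else json.load(sys.stdin)
    ok, problems = audit(data)
    print("buoyant-cloud-agent authorized:", ok)
    for p in problems:
        print("review:", p)
```

Pipe the kubectl output into the script to audit a live cluster; run with no input, it falls back to the constructed sample.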