Buoyant Cloud
Configuring Linkerd multi-cluster policy
As of the Linkerd 2.11 release, the Linkerd multi-cluster extension also includes a policy configuration that prevents unauthorized access to pods running in the linkerd-multicluster
namespace. This policy configuration only grants access to the core Linkerd control plane by default.
If you’re using the Linkerd multi-cluster extension with Buoyant Cloud, you’ll need to add the following configuration to the linkerd-multicluster
namespace:
apiVersion: policy.linkerd.io/v1beta1
kind: ServerAuthorization
metadata:
namespace: linkerd-multicluster
name: service-mirror-buoyant-cloud
labels:
app.kubernetes.io/part-of: linkerd-buoyant
spec:
server:
name: service-mirror
client:
meshTLS:
serviceAccounts:
- name: buoyant-cloud-agent
namespace: linkerd-buoyant
If you save the above configuration as policy.yaml
, you can apply it to your cluster with:
kubectl apply -f policy.yaml
Note: The Buoyant Cloud agent was updated in v0.7.0 to make use of the policy above. If you’re using the Linkerd multi-cluster extension, you should also upgrade the Buoyant Cloud agent running on each of your clusters to v0.7.0 or later, in order to see the full range of multi-cluster features that are available in Buoyant Cloud.