Configuring Linkerd multi-cluster policy
As of the Linkerd 2.11 release, the Linkerd multi-cluster extension also includes a policy configuration that prevents unauthorized access to pods running in the linkerd-multicluster namespace. This policy configuration only grants access to the core Linkerd control plane by default. If you’re using the Linkerd multi-cluster extension with Buoyant Cloud, you’ll need to add the following configuration to the linkerd-multicluster namespace:
apiVersion: policy.linkerd.io/v1beta1
kind: ServerAuthorization
metadata:
  namespace: linkerd-multicluster
  name: service-mirror-buoyant-cloud
  labels:
    app.kubernetes.io/part-of: linkerd-buoyant
spec:
  server:
    name: service-mirror
  client:
    meshTLS:
      serviceAccounts:
      - name: buoyant-cloud-agent
        namespace: linkerd-buoyant
If you save the above configuration as policy.yaml, you can apply it to your cluster with:
kubectl apply -f policy.yaml
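To confirm after applying that the service-mirror Server is reachable only by the intended mesh identity, this added example (not part of the Linkerd or Buoyant Cloud documentation) audits the JSON printed by kubectl get serverauthorizations -n linkerd-multicluster -o json. The embedded sample is constructed, and its debug-open entry is a hypothetical over-broad grant included for contrast.

```python
import json

# Constructed sample: trimmed output of
#   kubectl get serverauthorizations -n linkerd-multicluster -o json
# The second item (debug-open) is hypothetical, added to show a finding.
SAMPLE = json.loads("""
{"items": [
  {"metadata": {"name": "service-mirror-buoyant-cloud",
                "namespace": "linkerd-multicluster"},
   "spec": {"server": {"name": "service-mirror"},
            "client": {"meshTLS": {"serviceAccounts": [
              {"name": "buoyant-cloud-agent", "namespace": "linkerd-buoyant"}]}}}},
  {"metadata": {"name": "debug-open", "namespace": "linkerd-multicluster"},
   "spec": {"server": {"name": "service-mirror"},
            "client": {"unauthenticated": true}}}
]}
""")

def audit(doc, server="service-mirror"):
    """Return (granted_service_accounts, findings) for one named Server.

    Authorizations that pick their Server with spec.server.selector are
    not matched here; only spec.server.name is compared.
    """
    granted, findings = set(), []
    for item in doc.get("items", []):
        spec = item.get("spec", {})
        if spec.get("server", {}).get("name") != server:
            continue
        name = item["metadata"]["name"]
        client = spec.get("client", {})
        mtls = client.get("meshTLS", {})
        if client.get("unauthenticated"):
            findings.append(f"{name}: allows unauthenticated clients")
        if mtls.get("unauthenticatedTLS"):
            findings.append(f"{name}: allows TLS clients without a mesh identity")
        if "*" in mtls.get("identities", []):
            findings.append(f"{name}: wildcard identity")
        for sa in mtls.get("serviceAccounts", []):
            # An omitted namespace means the authorization's own namespace.
            ns = sa.get("namespace", item["metadata"].get("namespace"))
            granted.add(f"{ns}/{sa['name']}")
    return granted, findings

if __name__ == "__main__":
    granted, findings = audit(SAMPLE)
    print("granted:", sorted(granted))
    for finding in findings:
        print("FINDING:", finding)
```

Against a real cluster, replace SAMPLE with the parsed kubectl output; an empty findings list plus the expected service account in granted means the grant is scoped as intended.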