Configuring Linkerd multi-cluster policy

As of the Linkerd 2.11 release, the Linkerd multi-cluster extension also includes a policy configuration that prevents unauthorized access to pods running in the linkerd-multicluster namespace. By default, this policy grants access only to the core Linkerd control plane. If you’re using the Linkerd multi-cluster extension with Buoyant Cloud, you’ll need to add the following configuration to the linkerd-multicluster namespace; it authorizes the buoyant-cloud-agent service account in the linkerd-buoyant namespace as a mesh TLS client of the service-mirror server:

apiVersion: policy.linkerd.io/v1beta1
kind: ServerAuthorization
metadata:
  namespace: linkerd-multicluster
  name: service-mirror-buoyant-cloud
  labels:
    app.kubernetes.io/part-of: linkerd-buoyant
spec:
  server:
    name: service-mirror
  client:
    meshTLS:
      serviceAccounts:
        - name: buoyant-cloud-agent
          namespace: linkerd-buoyant

If you save the above configuration as policy.yaml, you can apply it to your cluster with:

kubectl apply -f policy.yaml
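
After applying, you can confirm that the policy took effect and that the live object still grants only the intended identity. The script below is an added example, not part of the Linkerd or Buoyant documentation; it assumes kubectl points at the target cluster, and every object name in it is taken from the manifest above.

```bash
#!/usr/bin/env bash
# Added example: post-apply check for the ServerAuthorization shown above.
NS=linkerd-multicluster
AUTHZ=service-mirror-buoyant-cloud
SERVER=service-mirror                          # spec.server.name
WANT_SA=linkerd-buoyant/buoyant-cloud-agent    # client as namespace/name

# Print one line per finding; return the number of problems found.
check_policy() {
  local problems=0 sas unauth
  local kind=serverauthorizations.policy.linkerd.io

  # A ServerAuthorization refers to a Server in its own namespace by name.
  # If that Server is absent, the authorization matches nothing.
  if ! kubectl -n "$NS" get servers.policy.linkerd.io "$SERVER" >/dev/null 2>&1; then
    echo "FAIL: Server $SERVER not found in $NS"; problems=$((problems + 1))
  fi

  # The client is identified by its service account, so it must exist.
  if ! kubectl -n "${WANT_SA%/*}" get serviceaccount "${WANT_SA#*/}" >/dev/null 2>&1; then
    echo "FAIL: ServiceAccount $WANT_SA not found"; problems=$((problems + 1))
  fi

  if ! kubectl -n "$NS" get "$kind" "$AUTHZ" >/dev/null 2>&1; then
    echo "FAIL: ServerAuthorization $AUTHZ not found in $NS"
    return $((problems + 1))
  fi

  # Drift check: the live object should grant exactly one meshed identity.
  sas=$(kubectl -n "$NS" get "$kind" "$AUTHZ" -o \
    jsonpath='{range .spec.client.meshTLS.serviceAccounts[*]}{.namespace}/{.name}{"\n"}{end}')
  if [ "$sas" != "$WANT_SA" ]; then
    echo "FAIL: unexpected client service accounts: ${sas:-<none>}"; problems=$((problems + 1))
  fi

  # An unauthenticated client setting would bypass the identity restriction.
  unauth=$(kubectl -n "$NS" get "$kind" "$AUTHZ" -o jsonpath='{.spec.client.unauthenticated}')
  if [ "$unauth" = "true" ]; then
    echo "FAIL: spec.client.unauthenticated is true"; problems=$((problems + 1))
  fi

  [ "$problems" -eq 0 ] && echo "OK: $AUTHZ allows only $WANT_SA on $SERVER"
  return "$problems"
}

# Run the check only when asked, so the file can also be sourced.
if [ "${1:-}" = "run" ]; then check_policy; fi
```

Save it under any file name and invoke it with the argument run; the exit status is the number of failed checks.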