Configuring Linkerd multi-cluster policy

The Linkerd multi-cluster extension includes a policy configuration that prevents unauthorized access to pods running in the linkerd-multicluster namespace. By default this policy grants access only to the core Linkerd control plane. If you’re using the Linkerd multi-cluster extension with Buoyant Cloud, you’ll need to add the following configuration to the linkerd-multicluster namespace. It authenticates the buoyant-cloud-agent ServiceAccount in the linkerd-buoyant namespace by its mesh TLS identity and authorizes that identity to reach the linkerd-admin, local-service-mirror, and controller Servers:

apiVersion: policy.linkerd.io/v1alpha1
kind: MeshTLSAuthentication
metadata:
  name: service-mirror-agent-authn
  namespace: linkerd-multicluster
spec:
  identityRefs:
    - name: buoyant-cloud-agent
      namespace: linkerd-buoyant
      kind: ServiceAccount
---
apiVersion: policy.linkerd.io/v1alpha1
kind: AuthorizationPolicy
metadata:
  namespace: linkerd-multicluster
  name: linkerd-admin-buoyant-cloud
  labels:
    app.kubernetes.io/part-of: linkerd-buoyant
spec:
  targetRef:
    group: policy.linkerd.io
    kind: Server
    name: linkerd-admin
  requiredAuthenticationRefs:
    - group: policy.linkerd.io
      kind: MeshTLSAuthentication
      name: service-mirror-agent-authn
---
apiVersion: policy.linkerd.io/v1alpha1
kind: AuthorizationPolicy
metadata:
  namespace: linkerd-multicluster
  name: service-local-mirror-buoyant-cloud
  labels:
    app.kubernetes.io/part-of: linkerd-buoyant
spec:
  targetRef:
    group: policy.linkerd.io
    kind: Server
    name: local-service-mirror
  requiredAuthenticationRefs:
    - group: policy.linkerd.io
      kind: MeshTLSAuthentication
      name: service-mirror-agent-authn
---
apiVersion: policy.linkerd.io/v1alpha1
kind: AuthorizationPolicy
metadata:
  namespace: linkerd-multicluster
  name: controller-buoyant-cloud
  labels:
    app.kubernetes.io/part-of: linkerd-buoyant
spec:
  targetRef:
    group: policy.linkerd.io
    kind: Server
    name: controller
  requiredAuthenticationRefs:
    - group: policy.linkerd.io
      kind: MeshTLSAuthentication
      name: service-mirror-agent-authn

If you save the above configuration as policy.yaml, you can apply it to your cluster with:

kubectl apply -f policy.yaml

Upgrading from an older Linkerd installation

If you are upgrading from an older Linkerd multi-cluster installation (pre-2.19), you’ll also need to apply the following configuration:

apiVersion: policy.linkerd.io/v1alpha1
kind: AuthorizationPolicy
metadata:
  namespace: linkerd-multicluster
  name: service-mirror-buoyant-cloud
  labels:
    app.kubernetes.io/part-of: linkerd-buoyant
spec:
  targetRef:
    group: policy.linkerd.io
    kind: Server
    name: service-mirror
  requiredAuthenticationRefs:
    - group: policy.linkerd.io
      kind: MeshTLSAuthentication
      name: service-mirror-agent-authn
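An added pre-flight check for the policy.yaml above and the upgrade policy in this section (example code, not part of the Linkerd or Buoyant documentation): it lists every Server each AuthorizationPolicy targets and every ServiceAccount the MeshTLSAuthentication names, then looks them up with kubectl, since a policy whose targetRef points at a Server that does not exist in the namespace authorizes nothing. The policy_targets, identity_refs and check_policy function names and the embedded sample are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the Linkerd or Buoyant docs: before applying policy.yaml,
# confirm that each Server an AuthorizationPolicy targets and the ServiceAccount the
# MeshTLSAuthentication names actually exist. A policy whose targetRef points at a
# missing Server authorizes nothing. Assumes kubectl points at the intended cluster.
# Print "kind name" for every targetRef in a multi-document policy file.
policy_targets() {
  awk '/^---/ { t = 0 }
       /^  targetRef:/ { t = 1; next }
       t && /^    kind:/ { kind = $2 }
       t && /^    name:/ { print kind, $2; t = 0 }' "$1"
}
# Print "namespace name" for every ServiceAccount identityRef.
identity_refs() {
  awk '/^---/ { i = 0 }
       /^  identityRefs:/ { i = 1; next }
       i && /^    - name:/ { name = $3 }
       i && /^      namespace:/ { ns = $2 }
       i && /^      kind: ServiceAccount/ { print ns, name }' "$1"
}
# Look each reference up in the cluster; returns 1 if anything is missing.
check_policy() {
  rc=0
  for ref in $(policy_targets "$1" | tr 'A-Z ' 'a-z/'); do
    kubectl get "${ref%/*}.policy.linkerd.io" "${ref#*/}" \
      -n "${2:-linkerd-multicluster}" >/dev/null 2>&1 \
      && echo "ok: $ref" || { echo "MISSING: $ref (policy is a no-op)"; rc=1; }
  done
  for sa in $(identity_refs "$1" | tr ' ' '/'); do
    kubectl get serviceaccount "${sa#*/}" -n "${sa%/*}" >/dev/null 2>&1 \
      && echo "ok: serviceaccount $sa" || { echo "MISSING: serviceaccount $sa"; rc=1; }
  done
  return $rc
}
# Constructed two-document sample with the shape of the page's policy.yaml.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
kind: MeshTLSAuthentication
spec:
  identityRefs:
    - name: buoyant-cloud-agent
      namespace: linkerd-buoyant
      kind: ServiceAccount
---
kind: AuthorizationPolicy
spec:
  targetRef:
    kind: Server
    name: linkerd-admin
EOF
```

Against a live cluster, run `check_policy policy.yaml` after sourcing the script; a non-zero exit means at least one referenced Server or ServiceAccount is absent.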