Configuring Linkerd multi-cluster policy

As of the Linkerd 2.11 release, the Linkerd multi-cluster extension also includes a policy configuration that prevents unauthorized access to pods running in the linkerd-multicluster namespace. This policy configuration only grants access to the core Linkerd control plane by default. If you’re using the Linkerd multi-cluster extension with Buoyant Cloud, you’ll need to add the following configuration to the linkerd-multicluster namespace:

apiVersion: policy.linkerd.io/v1beta1
kind: ServerAuthorization
metadata:
  namespace: linkerd-multicluster
  name: service-mirror-buoyant-cloud
  labels:
    app.kubernetes.io/part-of: linkerd-buoyant
spec:
  server:
    name: service-mirror
  client:
    meshTLS:
      serviceAccounts:
      - name: buoyant-cloud-agent
        namespace: linkerd-buoyant

If you save the above configuration as policy.yaml, you can apply it to your cluster with:

kubectl apply -f policy.yaml

Note: The Buoyant Cloud agent was updated in v0.7.0 to make use of the policy above. If you’re using the Linkerd multi-cluster extension, you should also upgrade the Buoyant Cloud agent running on each of your clusters to v0.7.0 or later, in order to see the full range of multi-cluster features that are available in Buoyant Cloud.