Generating authorization policies for an existing application

Buoyant Enterprise for Linkerd provides powerful and expressive authorization policies that let you control which traffic is permitted in your cluster, down to the level of individual HTTP routes or gRPC methods.

The BEL CLI includes a linkerd policy generate command that automatically generates policy from the traffic already flowing between meshed workloads on your Kubernetes cluster.

If you do not already have meshed workloads on your cluster, you can install this sample app to demonstrate policy generation:

curl https://run.linkerd.io/emojivoto.yml |
  linkerd inject - |
  kubectl apply -f -

linkerd check --proxy

To generate policy for all meshed workloads on your cluster, run:

linkerd policy generate

Depending on the number of Linkerd proxies running on your cluster, this command may take several minutes. It will examine traffic patterns for all running proxies. For each meshed server and port combination found, the output will include the following resources:

Resource                 Name
Server                   [server]-[port]
MeshTLSAuthentication    [server]-[port]
AuthorizationPolicy      [server]-[port]
NetworkAuthentication    [server]-[port]-allow
AuthorizationPolicy      [server]-[port]-allow

The Server defines the meshed workload and port that is receiving traffic. The MeshTLSAuthentication and AuthorizationPolicy named [server]-[port] restrict access to the Server to the meshed workloads whose identities were observed connecting to it. The NetworkAuthentication and AuthorizationPolicy named [server]-[port]-allow act as a catch-all, allowing all traffic, meshed and unmeshed, to reach the Server. This catch-all is in place as a starting point so that you can apply the generated policy to your cluster without inadvertently denying traffic. Note that while it is present the Server effectively accepts every client, so the identity-based resources record the observed traffic but do not yet restrict anything. Because the policy is derived from traffic seen while the command runs, a client that was idle during that window will not appear in the MeshTLSAuthentication and will be denied once the catch-all is gone. Once you are confident that all authorized traffic is captured via policy, remove the two [server]-[port]-allow resources to begin enforcing it.

To apply the policy, run:

linkerd policy generate | kubectl apply -f -
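The page leaves the last step, removing the catch-all resources, to the operator. The following is an added example and is not part of this page or of the BEL CLI: a small POSIX shell/awk post-processor for the multi-document YAML that linkerd policy generate writes. It relies only on the naming convention from the table above (metadata.name ending in -allow) and on the conventional kubectl YAML layout (top-level kind: and metadata:, two-space-indented name: and namespace:, documents separated by ---). The embedded sample policy is constructed to mimic that layout for a single Server and is not real generator output; the spec field names in it (podSelector, identities, targetRef, requiredAuthenticationRefs, networks) come from the Linkerd policy CRDs, not from this page.

```shell
#!/bin/sh
# Post-process `linkerd policy generate` output (added example, not BEL code):
# drop the [server]-[port]-allow catch-all resources, or emit kubectl commands
# that delete them from a live cluster. Assumes the usual kubectl YAML layout:
# top-level `kind:`/`metadata:`, two-space-indented `name:`/`namespace:`,
# documents separated by `---`.

# policy_filter MODE   (MODE = strip | list); reads multi-document YAML on stdin.
policy_filter() {
  awk -v mode="$1" '
    function flush() {
      if (buf != "") {
        if (mode == "strip" && !catchall) {          # keep every non-catch-all doc
          if (emitted++) print "---"
          printf "%s", buf
        } else if (mode == "list" && catchall) {     # one delete command per catch-all
          printf "kubectl delete %s -n %s %s\n", kind, ns, name
        }
      }
      buf = ""; catchall = 0; inmeta = 0; kind = ""; ns = ""; name = ""
    }
    /^---[ \t]*$/ { flush(); next }                  # YAML document separator
    {
      buf = buf $0 "\n"
      if ($0 ~ /^kind:/)               { kind = $2 }
      else if ($0 ~ /^metadata:/)      { inmeta = 1 }
      else if ($0 ~ /^[^ \t#]/)        { inmeta = 0 }  # another top-level key (spec:, ...)
      else if (inmeta && $0 ~ /^  name:/)      { name = $2; gsub(/"/, "", name) }
      else if (inmeta && $0 ~ /^  namespace:/) { ns = $2;   gsub(/"/, "", ns) }
      if (name ~ /-allow$/) catchall = 1               # naming convention from the docs
    }
    END { flush() }
  '
}

strip_catchall()       { policy_filter strip; }  # YAML minus the catch-all resources
catchall_delete_cmds() { policy_filter list; }   # kubectl delete lines, for review

# Constructed sample mimicking the described layout for one Server (web, port 8080).
# It is not real generator output.
SAMPLE_POLICY=$(cat <<'EOF'
apiVersion: policy.linkerd.io/v1beta1
kind: Server
metadata:
  name: web-8080
  namespace: emojivoto
spec:
  podSelector:
    matchLabels:
      app: web-svc
  port: 8080
---
apiVersion: policy.linkerd.io/v1alpha1
kind: MeshTLSAuthentication
metadata:
  name: web-8080
  namespace: emojivoto
spec:
  identities:
    - vote-bot.emojivoto.serviceaccount.identity.linkerd.cluster.local
---
apiVersion: policy.linkerd.io/v1alpha1
kind: AuthorizationPolicy
metadata:
  name: web-8080
  namespace: emojivoto
spec:
  targetRef:
    group: policy.linkerd.io
    kind: Server
    name: web-8080
  requiredAuthenticationRefs:
    - group: policy.linkerd.io
      kind: MeshTLSAuthentication
      name: web-8080
---
apiVersion: policy.linkerd.io/v1alpha1
kind: NetworkAuthentication
metadata:
  name: web-8080-allow
  namespace: emojivoto
spec:
  networks:
    - cidr: 0.0.0.0/0
---
apiVersion: policy.linkerd.io/v1alpha1
kind: AuthorizationPolicy
metadata:
  name: web-8080-allow
  namespace: emojivoto
spec:
  targetRef:
    group: policy.linkerd.io
    kind: Server
    name: web-8080
  requiredAuthenticationRefs:
    - group: policy.linkerd.io
      kind: NetworkAuthentication
      name: web-8080-allow
EOF
)

printf '%s\n' "$SAMPLE_POLICY" | catchall_delete_cmds   # two delete commands
printf '%s\n' "$SAMPLE_POLICY" | strip_catchall          # three documents remain
```

A cautious workflow is to write the generated policy to a file (linkerd policy generate > policy.yaml), review it, and apply the file rather than piping a second run of the generator into kubectl. Later, when the identity-based resources cover every legitimate client, remove the catch-all with the commands from catchall_delete_cmds rather than by re-applying the stripped YAML: kubectl apply does not delete resources that are missing from the new manifest unless --prune is used, so applying strip_catchall output alone would leave the [server]-[port]-allow resources, and the open door, in place.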

For more information about using linkerd policy generate, see the BEL CLI reference page.