Generating authorization policies for an existing application

Buoyant Enterprise for Linkerd provides powerful and expressive authorization policies that allow you to control the types of traffic that are allowed in your cluster, even at the level of individual HTTP routes or gRPC methods.

The BEL CLI includes a linkerd policy generate command to automatically generate policy based on existing traffic on your Kubernetes cluster.

If you do not already have meshed workloads on your cluster, you can install this sample app to demonstrate policy generation:

curl |
  linkerd inject - |
  kubectl apply -f -

linkerd check --proxy

To generate policy for all meshed workloads on your cluster, run:

linkerd policy generate

Depending on the number of Linkerd proxies running on your cluster, this command may take several minutes. It will examine traffic patterns for all running proxies. For each meshed server and port combination found, the output will include the following resources:


The Server defines the meshed workload and port that is receiving traffic. The subsequent MeshTLSAuthentication and AuthorizationPolicy define which meshed workloads are authorized to connect to the Server. The NetworkAuthentication and AuthorizationPolicy named [server]-[port]-allow act as a catch-all, allowing all traffic, meshed and unmeshed, to connect to the Server. This catch-all is in place as a starting point, to ensure that you can apply the generated policy to your cluster without inadvertently denying traffic. Once you are confident that all authorized traffic is captured via policy, you may remove these catch-all resources.

To apply the policy, run:

linkerd policy generate | kubectl apply -f -

For more information about using linkerd policy generate, see the BEL CLI reference page.