Generating authorization policies for an existing application

Buoyant Enterprise for Linkerd provides powerful and expressive authorization policies that allow you to control the types of traffic that are allowed in your cluster, even at the level of individual HTTP routes or gRPC methods.

The BEL CLI includes a linkerd policy generate command to automatically generate policy based on existing traffic on your Kubernetes cluster.

  • Docker installed on your local machine
  • Credentials to access the BEL Azure Container Registry (ACR) provided on the Buoyant Enterprise for Linkerd Buoyant portal
  • Buoyant Enterprise for Linkerd installed on a Kubernetes cluster
curl | sh

linkerd version
linkerd check

View linkerd policy generate help:

$ linkerd policy generate --help
Generate policy based on current traffic (beta).

  linkerd policy generate [flags]

  # To generate policy:
  linkerd policy generate

  -h, --help   help for generate

Global Flags:
      --api-addr string            Override kubeconfig and communicate directly with the control plane at host:port (mostly for testing)
      --as string                  Username to impersonate for Kubernetes operations
      --as-group stringArray       Group to impersonate for Kubernetes operations
      --cni-namespace string       Namespace in which the Linkerd CNI plugin is installed (default "linkerd-cni")
      --context string             Name of the kubeconfig context to use
      --kubeconfig string          Path to the kubeconfig file to use for CLI requests
  -L, --linkerd-namespace string   Namespace in which Linkerd is installed ($LINKERD_NAMESPACE) (default "linkerd")
      --verbose                    Turn on debug logging

If you do not already have meshed workloads on your cluster, you can install this sample app to demonstrate policy generation:

curl |
  linkerd inject - |
  kubectl apply -f -

linkerd check --proxy

To generate policy for all meshed workloads on your cluster, run:

linkerd policy generate

Depending on the number of Linkerd proxies running on your cluster, this command may take several minutes. It will examine traffic patterns for all running proxies. For each meshed server and port combination found, the output will include the following resources:


The Server defines the meshed workload and port that is receiving traffic. The subsequent MeshTLSAuthentication and AuthorizationPolicy define which meshed workloads are authorized to connect to the Server. The NetworkAuthentication and AuthorizationPolicy named [server]-[port]-allow act as a catch-all, allowing all traffic, meshed and unmeshed, to connect to the Server. This catch-all is in place as a starting point, to ensure that you can apply the generated policy to your cluster without inadvertently denying traffic. Once you are confident that all authorized traffic is captured via policy, you may remove these catch-all resources.

To apply the policy, run:

linkerd policy generate | kubectl apply -f -