Generating authorization policies for an existing application
Buoyant Enterprise for Linkerd provides powerful and expressive authorization policies that allow you to control the types of traffic that are allowed in your cluster, even at the level of individual HTTP routes or gRPC methods.
The BEL CLI includes a linkerd policy generate command that automatically generates policy from the traffic already flowing on your Kubernetes cluster.
Prerequisites
- Docker installed on your local machine
- Credentials to access the BEL Azure Container Registry (ACR), provided on the Buoyant Enterprise for Linkerd portal
- Buoyant Enterprise for Linkerd installed on a Kubernetes cluster
Install the Buoyant Enterprise for Linkerd CLI
curl https://enterprise.buoyant.io/install | sh
linkerd version
linkerd check
View the linkerd policy generate help:
$ linkerd policy generate --help
Generate policy based on current traffic (beta).
Usage:
linkerd policy generate [flags]
Examples:
# To generate policy:
linkerd policy generate
Flags:
-h, --help help for generate
Global Flags:
--api-addr string Override kubeconfig and communicate directly with the control plane at host:port (mostly for testing)
--as string Username to impersonate for Kubernetes operations
--as-group stringArray Group to impersonate for Kubernetes operations
--cni-namespace string Namespace in which the Linkerd CNI plugin is installed (default "linkerd-cni")
--context string Name of the kubeconfig context to use
--kubeconfig string Path to the kubeconfig file to use for CLI requests
-L, --linkerd-namespace string Namespace in which Linkerd is installed ($LINKERD_NAMESPACE) (default "linkerd")
--verbose Turn on debug logging
Install sample app
If you do not already have meshed workloads on your cluster, you can install this sample app to demonstrate policy generation:
curl https://run.linkerd.io/emojivoto.yml |
linkerd inject - |
kubectl apply -f -
linkerd check --proxy
Generate policy
To generate policy for all meshed workloads on your cluster, run:
linkerd policy generate
Depending on the number of Linkerd proxies running on your cluster, this command may take several minutes. It will examine traffic patterns for all running proxies. For each meshed server and port combination found, the output will include the following resources:
Resource | Name |
---|---|
Server | [server]-[port] |
MeshTLSAuthentication | [server]-[port] |
AuthorizationPolicy | [server]-[port] |
NetworkAuthentication | [server]-[port]-allow |
AuthorizationPolicy | [server]-[port]-allow |
The Server defines the meshed workload and port that is receiving traffic. The MeshTLSAuthentication and AuthorizationPolicy that share its name define which meshed workloads, identified by their mTLS identities, are authorized to connect to that Server. The NetworkAuthentication and AuthorizationPolicy named [server]-[port]-allow act as a catch-all that allows all traffic, meshed and unmeshed, to reach the Server. The catch-all is a starting point: it lets you apply the generated policy without inadvertently denying traffic. This matters because the generated MeshTLSAuthentication lists only the clients whose traffic the proxies observed while the command ran, so clients that connect rarely (batch jobs, failover paths) or from outside the mesh can be missing. While the -allow resources remain, the Server accepts traffic from any source and the mTLS-based policy is not yet enforced. Once you are confident that every authorized client is covered by the [server]-[port] resources, remove the catch-all resources.
To apply the generated policy directly, run:
linkerd policy generate | kubectl apply -f -
This pipeline applies whatever the command emits without giving you a chance to read it. Outside a test cluster, write the output to a file first, review it, and then apply that file:
linkerd policy generate > policy.yaml
kubectl apply -f policy.yaml
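A review-before-apply workflow around these commands, as an added example that is not part of the BEL documentation or the Linkerd CLI: it snapshots the generated policy to a file, validates it with a server-side dry run, and provides an offline awk helper that removes the [server]-[port]-allow catch-all resources once you trust the rest of the policy. The embedded sample policy is constructed here to match the naming table above for the emojivoto web service on port 8080; its field contents (apiVersions, pod selector, client identity) are assumptions about what the command emits, not its actual output, and the policy_snapshot, strip_catchall and write_sample_policy function names are this example's own.

```shell
#!/bin/sh
# Added example, not BEL's own code. Review-then-apply workflow for
# `linkerd policy generate`, plus an offline helper that drops the
# "[server]-[port]-allow" catch-all resources. The sample policy is
# CONSTRUCTED; the real command's field contents are an assumption.

# Step 1: snapshot the generated policy to a file instead of piping it into
# kubectl, so it can be read, diffed and version-controlled. The server-side
# dry run validates against the cluster's CRDs without changing anything.
# (Needs a cluster; not exercised in the offline demo below.)
policy_snapshot() {
  linkerd policy generate > "$1"
  kubectl apply --dry-run=server -f "$1"
}

# Step 2 (later): drop every YAML document whose metadata.name ends in
# "-allow", i.e. the NetworkAuthentication catch-all and the
# AuthorizationPolicy that binds it. Matches only the two-space-indented
# metadata.name, so the deeper "name:" inside requiredAuthenticationRefs
# of a kept document is not mistaken for it (assumes 2-space indentation).
strip_catchall() {
  awk '
    function flush() {
      if (doc != "" && !skip) { if (n++) print "---"; printf "%s", doc }
      doc = ""; skip = 0
    }
    /^---[ \t]*$/        { flush(); next }
    /^  name: .*-allow$/ { skip = 1 }
    { doc = doc $0 "\n" }
    END { flush() }
  ' "$1"
}

# Constructed stand-in for one server/port pair (emojivoto web, port 8080):
# the five resources the naming table describes.
write_sample_policy() {
  cat > "$1" <<'EOF'
apiVersion: policy.linkerd.io/v1beta1
kind: Server
metadata:
  name: web-8080
  namespace: emojivoto
spec:
  podSelector:
    matchLabels:
      app: web-svc
  port: 8080
---
apiVersion: policy.linkerd.io/v1alpha1
kind: MeshTLSAuthentication
metadata:
  name: web-8080
  namespace: emojivoto
spec:
  identities:
    - vote-bot.emojivoto.serviceaccount.identity.linkerd.cluster.local
---
apiVersion: policy.linkerd.io/v1alpha1
kind: AuthorizationPolicy
metadata:
  name: web-8080
  namespace: emojivoto
spec:
  targetRef:
    group: policy.linkerd.io
    kind: Server
    name: web-8080
  requiredAuthenticationRefs:
    - group: policy.linkerd.io
      kind: MeshTLSAuthentication
      name: web-8080
---
apiVersion: policy.linkerd.io/v1alpha1
kind: NetworkAuthentication
metadata:
  name: web-8080-allow
  namespace: emojivoto
spec:
  networks:
    - cidr: 0.0.0.0/0
    - cidr: ::/0
---
apiVersion: policy.linkerd.io/v1alpha1
kind: AuthorizationPolicy
metadata:
  name: web-8080-allow
  namespace: emojivoto
spec:
  targetRef:
    group: policy.linkerd.io
    kind: Server
    name: web-8080
  requiredAuthenticationRefs:
    - group: policy.linkerd.io
      kind: NetworkAuthentication
      name: web-8080-allow
EOF
}

# Offline demo: prints the number of resources left after stripping (3:
# Server, MeshTLSAuthentication and the mTLS-bound AuthorizationPolicy).
demo_count_kept() {
  f=$(mktemp) && write_sample_policy "$f"
  strip_catchall "$f" | grep -c '^kind:'
  rm -f "$f"
}
```

On a real cluster the sequence is policy_snapshot policy.yaml, a manual read of the file, kubectl apply -f policy.yaml, and later strip_catchall policy.yaml > policy-strict.yaml followed by kubectl apply -f policy-strict.yaml. Note that kubectl apply does not delete the catch-all objects already on the cluster; remove them with kubectl delete on the -allow NetworkAuthentication and AuthorizationPolicy, then confirm with kubectl get authorizationpolicies.policy.linkerd.io -n emojivoto that only the [server]-[port] policies remain.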