
Commit

Add accessPolicy field to Server CRD
Followup to #12844, branched off of alpeb/policy-audit-option

This new field defines the default policy for Servers, i.e. if a request doesn't match the policy associated to a Server then this policy applies.
The values are the same as for `proxy.defaultInboundPolicy` and the `config.linkerd.io/default-inbound-policy` annotation (all-unauthenticated, all-authenticated, cluster-authenticated, cluster-unauthenticated, deny), plus a new value "audit".
The default is "deny", thus remaining backwards-compatible. For this same reason no new version of the CRD is required.

This field is also exposed as an additional printer column.
alpeb committed Jul 15, 2024
1 parent a09570b commit da0455c
Showing 5 changed files with 37 additions and 0 deletions.
9 changes: 9 additions & 0 deletions charts/linkerd-crds/templates/policy/server.yaml
Expand Up @@ -148,6 +148,11 @@ spec:
- required: [podSelector]
- required: [externalWorkloadSelector]
properties:
accessPolicy:
type: string
default: deny
description: >-
Default access policy to apply when the traffic doesn't match any of the policy rules.
podSelector:
type: object
description: >-
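Review bot: the new `accessPolicy` property is a free-form `type: string` with no `enum`, so a misspelled policy name passes schema validation and is only interpreted later by whatever consumes the field. The commit message gives a closed set of values (all-unauthenticated, all-authenticated, cluster-authenticated, cluster-unauthenticated, deny, audit); consider adding an `enum` with those six values under the property and listing them in the `description` so they show up in `kubectl explain`. For a field that decides what happens to traffic that matches no policy rule, rejecting unknown values at admission is preferable to depending on a fallback in the consumer.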
Expand Down Expand Up @@ -220,3 +225,7 @@ spec:
type: string
description: The protocol of the server
jsonPath: .spec.proxyProtocol
- name: Access Policy
type: string
description: The default access policy applied when the traffic doesn't match any of the policy rules
jsonPath: .spec.accessPolicy
9 changes: 9 additions & 0 deletions cli/cmd/testdata/install_crds.golden


9 changes: 9 additions & 0 deletions cli/cmd/testdata/install_helm_crds_output.golden


9 changes: 9 additions & 0 deletions cli/cmd/testdata/install_helm_crds_output_ha.golden


1 change: 1 addition & 0 deletions controller/gen/apis/server/v1beta2/types.go
Expand Up @@ -29,6 +29,7 @@ type Server struct {

// ServerSpec specifies a Server resource.
type ServerSpec struct {
AccessPolicy string `json:"accessPolicy,omitempty"`
PodSelector *metav1.LabelSelector `json:"podSelector,omitempty"`
ExternalWorkloadSelector *metav1.LabelSelector `json:"externalWorkloadSelector,omitempty"`
Port intstr.IntOrString `json:"port,omitempty"`
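Review bot: the added `AccessPolicy string` field has no doc comment, and with `omitempty` a ServerSpec constructed in Go without setting it serializes with no `accessPolicy` at all, leaving the effective value to the `default: deny` in the CRD schema. Consider adding a comment on the field stating the accepted values and that an empty string must be treated as deny, so code that reads this type without going through API-server defaulting (fixtures, unit tests, objects built in memory) does not fall through to a more permissive branch. A named string type with constants for the six values would also keep the Go side and the schema from drifting apart.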
