convert ServerAuthorizations to AuthorizationPolicies (#10079)

The Linkerd extension charts use ServerAuthorization resources. AuthorizationPolicies are now the recommended resource to use in favor of ServerAuthorizations. We replace all of the ServerAuthorization resources in the Linkerd extension charts with AuthorizationPolicy resources. Signed-off-by: Alex Leong <alex@buoyant.io>
linkerd · Jan 11, 2023 · 52fb2c6 · 52fb2c6
1 parent cb0f9eb
commit 52fb2c6
Show file tree

Hide file tree

Showing 10 changed files with 827 additions and 406 deletions.
diff --git a/jaeger/charts/linkerd-jaeger/templates/jaeger-injector-policy.yaml b/jaeger/charts/linkerd-jaeger/templates/jaeger-injector-policy.yaml
@@ -18,42 +18,40 @@ spec:
   port: jaeger-injector
   proxyProtocol: TLS
 ---
-apiVersion: policy.linkerd.io/v1beta1
-kind: Server
+apiVersion: policy.linkerd.io/v1alpha1
+kind: AuthorizationPolicy
 metadata:
   namespace: {{ .Release.Namespace }}
-  name: jaeger-injector-admin
+  name: jaeger-injector
   labels:
     linkerd.io/extension: jaeger
     component: jaeger-injector
     {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }}
   annotations:
     {{ include "partials.annotations.created-by" . }}
 spec:
-  podSelector:
-    matchLabels:
-      linkerd.io/extension: jaeger
-      component: jaeger-injector
-  port: admin-http
-  proxyProtocol: HTTP/1
+  targetRef:
+    group: policy.linkerd.io
+    kind: Server
+    name: jaeger-injector-webhook
+  requiredAuthenticationRefs:
+  - group: policy.linkerd.io
+    kind: NetworkAuthentication
+    name: kube-api-server
 ---
-apiVersion: policy.linkerd.io/v1beta1
-kind: ServerAuthorization
+apiVersion: policy.linkerd.io/v1alpha1
+kind: NetworkAuthentication
 metadata:
   namespace: {{ .Release.Namespace }}
-  name: jaeger-injector
+  name: kube-api-server
   labels:
-    linkerd.io/extension: jaeger
-    component: jaeger-injector
+    linkerd.io/extension: viz
     {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }}
   annotations:
     {{ include "partials.annotations.created-by" . }}
 spec:
-  server:
-    selector:
-      matchLabels:
-        linkerd.io/extension: jaeger
-        component: jaeger-injector
-  client:
-    # traffic coming from the kubelet and from kube-api
-    unauthenticated: true
+  # Ideally, this should be restricted to the actual set of IPs the kube-api
+  # server uses for webhooks in a cluster. This can't easily be discovered.
+  networks:
+  - cidr: "0.0.0.0/0"
+  - cidr: "::/0"
diff --git a/jaeger/charts/linkerd-jaeger/templates/tracing-policy.yaml b/jaeger/charts/linkerd-jaeger/templates/tracing-policy.yaml
@@ -122,28 +122,119 @@ spec:
   port: 13133
   proxyProtocol: HTTP/1
 ---
-apiVersion: policy.linkerd.io/v1beta1
-kind: ServerAuthorization
+apiVersion: policy.linkerd.io/v1alpha1
+kind: AuthorizationPolicy
 metadata:
   namespace: {{ .Release.Namespace }}
-  name: collector
+  name: collector-otlp
   labels:
     linkerd.io/extension: jaeger
     component: collector
     {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }}
   annotations:
     {{ include "partials.annotations.created-by" . }}
 spec:
-  server:
-    selector:
-      matchLabels:
-        linkerd.io/extension: jaeger
-        component: collector
-  client:
-    # allow connections from any pod (meshed or not) sending trace data
-    unauthenticated: true
-{{ end -}}
-{{ if .Values.jaeger.enabled -}}
+  targetRef:
+    group: policy.linkerd.io
+    kind: Server
+    name: collector-otlp
+  # allow connections from any pod (meshed or not) sending trace data
+  requiredAuthenticationRefs: []
+---
+apiVersion: policy.linkerd.io/v1alpha1
+kind: AuthorizationPolicy
+metadata:
+  namespace: {{ .Release.Namespace }}
+  name: collector-otlp-http
+  labels:
+    linkerd.io/extension: jaeger
+    component: collector
+    {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }}
+  annotations:
+    {{ include "partials.annotations.created-by" . }}
+spec:
+  targetRef:
+    group: policy.linkerd.io
+    kind: Server
+    name: collector-otlp-http
+  # allow connections from any pod (meshed or not) sending trace data
+  requiredAuthenticationRefs: []
+---
+apiVersion: policy.linkerd.io/v1alpha1
+kind: AuthorizationPolicy
+metadata:
+  namespace: {{ .Release.Namespace }}
+  name: collector-opencensus
+  labels:
+    linkerd.io/extension: jaeger
+    component: collector
+    {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }}
+  annotations:
+    {{ include "partials.annotations.created-by" . }}
+spec:
+  targetRef:
+    group: policy.linkerd.io
+    kind: Server
+    name: collector-opencensus
+  # allow connections from any pod (meshed or not) sending trace data
+  requiredAuthenticationRefs: []
+---
+apiVersion: policy.linkerd.io/v1alpha1
+kind: AuthorizationPolicy
+metadata:
+  namespace: {{ .Release.Namespace }}
+  name: collector-zipkin
+  labels:
+    linkerd.io/extension: jaeger
+    component: collector
+    {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }}
+  annotations:
+    {{ include "partials.annotations.created-by" . }}
+spec:
+  targetRef:
+    group: policy.linkerd.io
+    kind: Server
+    name: collector-zipkin
+  # allow connections from any pod (meshed or not) sending trace data
+  requiredAuthenticationRefs: []
+---
+apiVersion: policy.linkerd.io/v1alpha1
+kind: AuthorizationPolicy
+metadata:
+  namespace: {{ .Release.Namespace }}
+  name: collector-jaeger-thrift
+  labels:
+    linkerd.io/extension: jaeger
+    component: collector
+    {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }}
+  annotations:
+    {{ include "partials.annotations.created-by" . }}
+spec:
+  targetRef:
+    group: policy.linkerd.io
+    kind: Server
+    name: collector-jaeger-thrift
+  # allow connections from any pod (meshed or not) sending trace data
+  requiredAuthenticationRefs: []
+---
+apiVersion: policy.linkerd.io/v1alpha1
+kind: AuthorizationPolicy
+metadata:
+  namespace: {{ .Release.Namespace }}
+  name: collector-jaeger-grpc
+  labels:
+    linkerd.io/extension: jaeger
+    component: collector
+    {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }}
+  annotations:
+    {{ include "partials.annotations.created-by" . }}
+spec:
+  targetRef:
+    group: policy.linkerd.io
+    kind: Server
+    name: collector-jaeger-grpc
+  # allow connections from any pod (meshed or not) sending trace data
+  requiredAuthenticationRefs: []
 ---
 apiVersion: policy.linkerd.io/v1beta1
 kind: Server
@@ -163,8 +254,8 @@ spec:
   port: grpc
   proxyProtocol: gRPC
 ---
-apiVersion: policy.linkerd.io/v1beta1
-kind: ServerAuthorization
+apiVersion: policy.linkerd.io/v1alpha1
+kind: AuthorizationPolicy
 metadata:
   namespace: {{ .Release.Namespace }}
   name: jaeger-grpc
@@ -175,12 +266,14 @@ metadata:
   annotations:
     {{ include "partials.annotations.created-by" . }}
 spec:
-  server:
+  targetRef:
+    group: policy.linkerd.io
+    kind: Server
     name: jaeger-grpc
-  client:
-    meshTLS:
-      serviceAccounts:
-      - name: collector
+  requiredAuthenticationRefs:
+    - kind: ServiceAccount
+      name: collector
+      namespace: {{.Release.Namespace}}
 ---
 apiVersion: policy.linkerd.io/v1beta1
 kind: Server
@@ -200,8 +293,8 @@ spec:
   port: admin
   proxyProtocol: HTTP/1
 ---
-apiVersion: policy.linkerd.io/v1beta1
-kind: ServerAuthorization
+apiVersion: policy.linkerd.io/v1alpha1
+kind: AuthorizationPolicy
 metadata:
   namespace: {{ .Release.Namespace }}
   name: jaeger-admin
@@ -212,14 +305,15 @@ metadata:
   annotations:
     {{ include "partials.annotations.created-by" . }}
 spec:
-  server:
+  targetRef:
+    group: policy.linkerd.io
+    kind: Server
     name: jaeger-admin
-  client:
-    meshTLS:
-      serviceAccounts:
-      # if not using linkerd-viz' prometheus, replace its SA here
-      - name: prometheus
-        namespace: linkerd-viz
+  requiredAuthenticationRefs:
+    # if not using linkerd-viz' prometheus, replace its SA here
+    - kind: ServiceAccount
+      name: prometheus
+      namespace: linkerd-viz
 ---
 apiVersion: policy.linkerd.io/v1beta1
 kind: Server
@@ -239,8 +333,8 @@ spec:
   port: ui
   proxyProtocol: HTTP/1
 ---
-apiVersion: policy.linkerd.io/v1beta1
-kind: ServerAuthorization
+apiVersion: policy.linkerd.io/v1alpha1
+kind: AuthorizationPolicy
 metadata:
   namespace: {{ .Release.Namespace }}
   name: jaeger-ui
@@ -251,12 +345,13 @@ metadata:
   annotations:
     {{ include "partials.annotations.created-by" . }}
 spec:
-  server:
+  targetRef:
+    group: policy.linkerd.io
+    kind: Server
     name: jaeger-ui
-  client:
-    meshTLS:
-      serviceAccounts:
-      # for the optional dashboard integration
-      - name: web
-        namespace: linkerd-viz
+  requiredAuthenticationRefs:
+    # for the optional dashboard integration
+    - kind: ServiceAccount
+      name: web
+      namespace: linkerd-viz
 {{ end -}}