convert ServerAuthorizations to AuthorizationPolicies #10079

Merged
merged 7 commits into from
Jan 11, 2023


@adleong adleong commented Jan 5, 2023

The Linkerd extension charts use ServerAuthorization resources. AuthorizationPolicies are now the recommended resource to use in favor of ServerAuthorizations. We replace all of the ServerAuthorization resources in the Linkerd extension charts with AuthorizationPolicy resources.

Signed-off-by: Alex Leong alex@buoyant.io
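
The kind of conversion described above, shown as an added example that is not taken from this pull request or from the Linkerd charts. The namespace, Server name and ServiceAccount name are hypothetical; the example assumes a ServerAuthorization that admits one meshed ServiceAccount.

```yaml
# Before: a ServerAuthorization names both the Server and the allowed clients.
# All resource names below are hypothetical placeholders.
apiVersion: policy.linkerd.io/v1beta1
kind: ServerAuthorization
metadata:
  namespace: example-ext
  name: example-api
spec:
  server:
    name: example-api
  client:
    meshTLS:
      serviceAccounts:
      - name: example-client
        namespace: example-ext
---
# After: the AuthorizationPolicy only binds a target to authentication
# resources; every entry in requiredAuthenticationRefs must be satisfied.
apiVersion: policy.linkerd.io/v1alpha1
kind: AuthorizationPolicy
metadata:
  namespace: example-ext
  name: example-api
spec:
  targetRef:
    group: policy.linkerd.io
    kind: Server
    name: example-api
  requiredAuthenticationRefs:
  - group: policy.linkerd.io
    kind: MeshTLSAuthentication
    name: example-client
---
# The client identity moves into its own resource, which other policies
# in the same namespace can reference as well.
apiVersion: policy.linkerd.io/v1alpha1
kind: MeshTLSAuthentication
metadata:
  namespace: example-ext
  name: example-client
spec:
  identityRefs:
  - kind: ServiceAccount
    name: example-client
    namespace: example-ext
```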

Signed-off-by: Alex Leong <alex@buoyant.io>
@adleong adleong requested a review from a team as a code owner January 5, 2023 01:22
Base automatically changed from alex/remove-admin-policies to main January 10, 2023 20:47

@alpeb alpeb left a comment

LGTM, just one comment about a comment 👍

Comment on lines 53 to 54
# Ideally, this should be restricted to the actual set of IPs the kubelet API
# server uses for webhooks in a cluster. This can't easily be discovered.

IIUC, this actually targets the kube-api, not the kubelet.

Signed-off-by: Alex Leong <alex@buoyant.io>
@adleong adleong merged commit 52fb2c6 into main Jan 11, 2023
@adleong adleong deleted the alex/rm-server-authorization branch January 11, 2023 23:07
adleong added a commit that referenced this pull request Apr 5, 2023
Fixes #10612

The Linkerd multicluster gateway chart contains an AuthorizationPolicy for allowing probes to the gateway from remote linked clusters.  However, now that probes are automatically authorized, this explicit AuthorizationPolicy is no longer necessary.  Many such probe authorization resources were removed in #10079 but this one remained and, in fact, became a duplicate of the regular gateway AuthorizationPolicy.

Since probe authorizations are no longer explicitly necessary, this duplicate policy can be removed.

Signed-off-by: Alex Leong <alex@buoyant.io>