Authorization Policy
Linkerd’s server authorization policy allows you to control which types of traffic are allowed to meshed pods. For example, you can restrict communication to a particular service to only come from certain other services; or you can enforce that mTLS must be used on a certain port; and so on.
Adding traffic policy on your services
By default Linkerd allows all traffic to transit the mesh, and uses a variety of mechanisms, including retries and load balancing, to ensure that requests are delivered successfully.
Sometimes, however, we want to restrict which types of traffic are allowed. Linkerd’s policy features allow you to deny traffic under certain conditions. It is configured with two basic mechanisms:
- A set of basic default policies, which can be set at the cluster, namespace, workload, and pod level through Kubernetes annotations.
ServerandServerAuthorizationCRDs that specify fine-grained policy for specific ports.
These mechanisms work in conjunction. For example, a default cluster-wide
policy of deny would prohibit any traffic to any meshed pod; traffic must
then be explicitly allowed through the use of Server and
ServerAuthorization CRDs.
Policy annotations
The config.linkerd.io/default-inbound-policy annotation can be set at a
namespace, workload, and pod level, and will determine the default traffic
policy at that point in the hierarchy. Valid default policies include:
all-unauthenticated: inbound proxies allow all connectionsall-authenticated: inbound proxies allow only mTLS connections from other meshed pods.cluster-unauthenticated: inbound proxies allow all connections from client IPs in the cluster’sclusterNetworks(must be configured at install-time).cluster-authenticated: inbound proxies allow only mTLS connections from other meshed pods from IPs in the cluster’sclusterNetworks.denyinbound proxies deny all connections that are not explicitly authorized.
See the Policy reference for more default policies.
Every cluster has a default policy (by default, all-unauthenticated), set at
install / upgrade time. Annotations that are present at the workload or
namespace level at pod creation time can override that value to determine the
default policy for that pod. Note that the default policy is fixed at proxy
initialization time, and thus, after a pod is created, changing the annotation
will not change the default policy for that pod.
Policy CRDs
The Server and ServerAuthorization CRDs further configure Linkerd’s policy
beyond the default policies. In contrast to annotations, these CRDs can be
changed dynamically and policy behavior will be updated on the fly.
A Server selects a port and a set of pods that is subject to policy. This set
of pods can correspond to a single workload, or to multiple workloads (e.g.
port 4191 for every pod in a namespace). Once created, a Server resource
denies all traffic to that port, and traffic to that port can only be enabled
by creating ServerAuthorization resources.
A ServerAuthorization defines a set of allowed traffic to a Server. A
ServerAuthorization can allow traffic based on any number of things,
including IP address; use of mTLS; specific mTLS identities (including
wildcards, to allow for namespace selection); specific Service Accounts; and
more.
See the Policy reference for more on
the Server and ServerAuthorization resources.
Policy rejections
Any traffic that is known to be HTTP (including HTTP/2 and gRPC) that is denied by policy will result in the proxy returning an HTTP 403. Any non-HTTP traffic will be denied at the TCP level, i.e. by refusing the connection.
Note that dynamically changing the policy may result in abrupt termination of existing TCP connections.
Examples
See emojivoto-policy.yml for an example set of policy definitions for the Emojivoto sample application.