Comments (7)
So, I finally had the time and refactored our Global network policy to what's shown below. Now viz works just fine!
apiVersion: crd.projectcalico.org/v1
kind: GlobalNetworkPolicy
metadata:
  name: allow-linkerd-traffic
spec:
  egress:
    # Allow all egress FROM linkerd
    - action: Allow
      source:
        namespaceSelector: app.kubernetes.io/name in { 'linkerd', 'linkerd-cni', 'linkerd-viz' }
    # Allow egress FROM any pod TO linkerd
    - action: Allow
      destination:
        namespaceSelector: app.kubernetes.io/name in { 'linkerd', 'linkerd-cni', 'linkerd-viz' }
  ingress:
    # Allow ingress TO any pod FROM linkerd
    - action: Allow
      source:
        namespaceSelector: app.kubernetes.io/name in { 'linkerd', 'linkerd-cni', 'linkerd-viz' }
    # Allow ingress TO linkerd FROM any pod
    - action: Allow
      destination:
        namespaceSelector: app.kubernetes.io/name in { 'linkerd', 'linkerd-cni', 'linkerd-viz' }
  # Needs to be lower than the order Calico gives regular Kubernetes NetworkPolicies (1000)
  # so this policy is evaluated before them
  order: 500
  types:
    - Ingress
    - Egress
P.S.: apiVersion may differ since we are using the GKE integration.
from linkerd-viz.
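As an added check that is not part of the thread, the Python below encodes the posted policy as a dict (constructed inline, so no YAML library is needed) and verifies the two properties the comment relies on: that `order: 500` is evaluated ahead of the order 1000 Calico assigns to converted Kubernetes NetworkPolicies, and that a namespace matched by the selector is allowed in every direction. The selector evaluator only handles the `key in { ... }` form used in this policy.

```python
import re

# Constructed copy of the policy posted above, as a dict so the check runs offline.
NS_SEL = "app.kubernetes.io/name in { 'linkerd', 'linkerd-cni', 'linkerd-viz' }"
POLICY = {
    "metadata": {"name": "allow-linkerd-traffic"},
    "spec": {
        "order": 500,
        "types": ["Ingress", "Egress"],
        "egress": [{"action": "Allow", "source": {"namespaceSelector": NS_SEL}},
                   {"action": "Allow", "destination": {"namespaceSelector": NS_SEL}}],
        "ingress": [{"action": "Allow", "source": {"namespaceSelector": NS_SEL}},
                    {"action": "Allow", "destination": {"namespaceSelector": NS_SEL}}],
    },
}

# Calico converts Kubernetes NetworkPolicies to order 1000; lower orders are evaluated first.
K8S_NETPOL_ORDER = 1000

# Only the `key in { 'a', 'b' }` selector form used in the policy is supported.
_IN_RE = re.compile(r"^\s*([\w./-]+)\s+in\s+\{([^}]*)\}\s*$")


def selector_matches(selector: str, labels: dict) -> bool:
    """Evaluate a Calico `in { ... }` selector against a namespace's labels."""
    m = _IN_RE.match(selector)
    if not m:
        raise ValueError(f"unsupported selector: {selector!r}")
    key = m.group(1)
    values = {v.strip().strip("'\"") for v in m.group(2).split(",") if v.strip()}
    return labels.get(key) in values


def rule_allows(rule: dict, endpoint: str, ns_labels: dict) -> bool:
    """True if `rule` is an Allow whose source/destination selector matches the namespace."""
    sel = rule.get(endpoint, {}).get("namespaceSelector")
    return rule.get("action") == "Allow" and sel is not None and selector_matches(sel, ns_labels)


def check_policy(policy: dict, ns_labels: dict) -> dict:
    """Report precedence over Kubernetes NetworkPolicies and per-direction coverage of a namespace."""
    spec = policy["spec"]
    present = {t for t in ("Ingress", "Egress") if spec.get(t.lower())}
    return {
        "beats_k8s_netpol": spec["order"] < K8S_NETPOL_ORDER,
        "types_match_rules": set(spec["types"]) == present,
        "egress_from_ns": any(rule_allows(r, "source", ns_labels) for r in spec.get("egress", [])),
        "egress_to_ns": any(rule_allows(r, "destination", ns_labels) for r in spec.get("egress", [])),
        "ingress_from_ns": any(rule_allows(r, "source", ns_labels) for r in spec.get("ingress", [])),
        "ingress_to_ns": any(rule_allows(r, "destination", ns_labels) for r in spec.get("ingress", [])),
    }
```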
@davi5e off the top of my head, the only viz component that I can think of that should need egress access is the dashboard (i.e. the web
deployment). I believe that other than the dashboard, all of core viz functionality should work without egress access. Does this match what you're seeing? Are there specific failures you're encountering in your cluster?
@adleong I'll try to install it again Wednesday and post back more information/answers.
As for what I'm seeing, our "problem" is that all traffic is blocked by default due to a GlobalNetworkPolicy. In doing so, we need to painstakingly open every port for every workload, which ensures our security standards.
Setting this up is a huge pain, though. For example, we need to open EGRESS to kubernetes.default:443 in case some pod needs to talk to the control plane. We need to configure every INGRESS port and corresponding EGRESS communication...
Not knowing where to start makes the job all the more tedious since we'd rely on Calico's log report that tells us which packets are being dropped.
Anyhow, as I mentioned, I'll schedule some time to do this in 2 days.
EDIT: I had to reschedule the set up, hopefully will do it next week.
Ah, I hadn't realized that talking to the Kubernetes control plane would count as egress traffic for these purposes. Almost all Linkerd control plane components talk to the Kubernetes control plane. Anyway, I'm looking forward to seeing your findings.
@davi5e just curious if you've had a chance to look into this. Is there anything actionable we can do to help on this, or should we close this issue for now?
To determine any and all ports Linkerd Viz uses is painstaking work and we are having trouble scheduling the time to do the deployment process.
Overall, Linkerd itself is working fine and the Viz component that is missing after the upgrade is still very much uninstalled... We will try to replicate the same network policies used in the linkerd namespace and cross our fingers, but generally I think we may be the only ones to have the Calico integration in production with block-all-traffic-by-default (maybe because GKE forces Istio to be used). It does amaze me that no one seems to request INGRESS/EGRESS port configurations, even though they became practical only using GlobalNetworkPolicies...
Anyhow, I'd say there is nothing actionable to be done. At first I thought someone would have a list of ports or hopefully a whole network policy configuration to paste here (or in the docs). As is, I can be the one to do this but I cannot say when this issue will be tackled internally...
That's totally fair @davi5e. I'm closing this issue now, but please reach out if we can be of assistance!