Hi, I am using linkerd primarily to ensure mTLS between pods. Currently the default inbound policy is "all-unauthenticated".
This allows pods from kube-system (I am using an Azure Kubernetes Service cluster which deploys many there) to talk to meshed pods unsecured, while communication between meshed pods is secure. Additionally, I have a CronJob whose Pods are not meshed (linkerd injection is disabled), because they would never complete (if there is a way to include the Job's pods into the mesh, I am happy to change the setup). The CronJob's pods are able to talk to meshed pods in this scenario.
Now, I would like to make the default inbound policy stricter and use "cluster-authenticated". The effect of this change is that the kube-system pods as well as the CronJob's pods are not able to talk to the meshed pods anymore. So far expected. My question relates to how to mitigate this.
I want kube-system pods to talk to meshed pods insecurely despite the default inbound policy being "cluster-authenticated".
I want my CronJob's pods to talk to meshed pods of the same namespace insecurely despite the default inbound policy being "cluster-authenticated".
Can I allow all traffic from a namespace (i.e. kube-system)?
My CronJob pod should talk to a redis cluster in the same namespace insecurely and I would like to do this as simply as possible. Each redis pod also needs to talk to every other redis pod and their sentinel sidecars.
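An added example (not from this discussion and not Linkerd project documentation) of how the two exceptions can be expressed with Linkerd's policy resources while the namespace default stays at `cluster-authenticated`. The namespace `myapp`, the `app: redis` pod label, the `policy-group` Server label, the port numbers and the pod CIDR `10.244.0.0/16` are assumptions for illustration. The point to keep in mind when reviewing it: an unmeshed client (the CronJob's pods, anything in kube-system) presents no mesh identity, so the only thing a policy can authenticate it by is its source network, while meshed peers are still authorized by mTLS identity.

```yaml
# Namespace default stays strict: only meshed, mTLS-authenticated clients.
apiVersion: v1
kind: Namespace
metadata:
  name: myapp                                  # assumed namespace
  annotations:
    config.linkerd.io/default-inbound-policy: cluster-authenticated
---
# A Server scopes policy to one port on the redis pods. Once a Server
# exists, the namespace default no longer applies to that port: only
# traffic matched by a ServerAuthorization below is accepted.
apiVersion: policy.linkerd.io/v1beta1
kind: Server
metadata:
  namespace: myapp
  name: redis
  labels:
    policy-group: redis                        # assumed label, used by the authorizations
spec:
  podSelector:
    matchLabels:
      app: redis                               # assumed pod label
  port: 6379
  proxyProtocol: opaque                        # redis is not HTTP; skip protocol detection
---
# Sentinel sidecars listen on their own port, so they get their own Server.
apiVersion: policy.linkerd.io/v1beta1
kind: Server
metadata:
  namespace: myapp
  name: redis-sentinel
  labels:
    policy-group: redis
spec:
  podSelector:
    matchLabels:
      app: redis
  port: 26379
  proxyProtocol: opaque
---
# Meshed peers (the other redis pods, their sentinels, and any meshed app
# pod in this namespace) are authorized by their mTLS identity.
apiVersion: policy.linkerd.io/v1beta1
kind: ServerAuthorization
metadata:
  namespace: myapp
  name: redis-meshed-clients
spec:
  server:
    selector:
      matchLabels:
        policy-group: redis                    # selects both Servers above
  client:
    meshTLS:
      identities:
        - "*.myapp.serviceaccount.identity.linkerd.cluster.local"
---
# The unmeshed CronJob pods carry no identity, so the only authentication
# available is the source network. Bound it to the cluster pod CIDR
# (assumed value) rather than 0.0.0.0/0 so the exception stays narrow.
apiVersion: policy.linkerd.io/v1beta1
kind: ServerAuthorization
metadata:
  namespace: myapp
  name: redis-unmeshed-cronjob
spec:
  server:
    selector:
      matchLabels:
        policy-group: redis
  client:
    unauthenticated: true
    networks:
      - cidr: 10.244.0.0/16                    # assumed AKS pod CIDR
```

The same mechanism answers the kube-system question: because those pods are unmeshed, "allow everything from namespace X" cannot be expressed by namespace or service account, only by a `networks` CIDR on the authorization (or a `NetworkAuthentication` if the newer `AuthorizationPolicy` resources are used). Keeping that CIDR as tight as the cluster layout allows is what limits the unauthenticated exception. After applying, `linkerd viz authz -n myapp deploy/<redis-deployment>` lists which authorization each inbound connection matched, which is the quickest way to confirm that the redis peers are still arriving over mTLS and that only the CronJob's traffic falls under the unauthenticated rule.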