Securing Your Cluster

Linkerd provides powerful introspection into your Kubernetes cluster andservices. Linkerd installations are secure by default. This page illustratesbest practices to enable this introspection in a secure way.

Tap

The default Linkerd installation includes Tap support. This feature is availablevia the following commands:

Depending on your RBAC setup, you may need to perform additional steps to enableyour user(s) to perform Tap actions.

NoteIf you are on GKE, skip to the GKE section below.

Check for Tap access

Use kubectl to determine whether your user is authorized to perform tapactions. For more information, see theKubernetes docs on authorization.

To determine if you can watch pods in all namespaces:

  1. kubectl auth can-i watch pods.tap.linkerd.io --all-namespaces

To determine if you can watch deployments in the emojivoto namespace:

  1. kubectl auth can-i watch deployments.tap.linkerd.io -n emojivoto

To determine if a specific user can watch deployments in the emojivoto namespace:

  1. kubectl auth can-i watch deployments.tap.linkerd.io -n emojivoto --as $(whoami)

You can also use the Linkerd CLI's —as flag to confirm:

  1. $ linkerd tap -n linkerd deploy/linkerd-controller --as $(whoami)
  2. Error: HTTP error, status Code [403] (deployments.tap.linkerd.io "linkerd-controller" is forbidden: User "siggy" cannot watch resource "deployments/tap" in API group "tap.linkerd.io" in the namespace "linkerd")
  3. ...

Enabling Tap access

If the above commands indicate you need additional access, you can enable accesswith as much granularity as you choose.

Granular Tap access

To enable tap access to all resources in all namespaces, you may bind your userto the linkerd-linkerd-tap-admin ClusterRole, installed by default:

  1. $ kubectl describe clusterroles/linkerd-linkerd-tap-admin
  2. Name: linkerd-linkerd-tap-admin
  3. Labels: linkerd.io/control-plane-component=tap
  4. linkerd.io/control-plane-ns=linkerd
  5. Annotations: kubectl.kubernetes.io/last-applied-configuration:
  6. {"apiVersion":"rbac.authorization.k8s.io/v1","kind":"ClusterRole","metadata":{"annotations":{},"labels":{"linkerd.io/control-plane-compone...
  7. PolicyRule:
  8. Resources Non-Resource URLs Resource Names Verbs
  9. --------- ----------------- -------------- -----
  10. *.tap.linkerd.io [] [] [watch]

NoteThis ClusterRole name includes the Linkerd namespace, so it may vary if youinstalled Linkerd into a non-default namespace:linkerd-[LINKERD_NAMESPACE]-tap-admin

To bind the linkerd-linkerd-tap-admin ClusterRole to a particular user:

  1. kubectl create clusterrolebinding \
  2. $(whoami)-tap-admin \
  3. --clusterrole=linkerd-linkerd-tap-admin \
  4. --user=$(whoami)

You can verify you now have tap access with:

  1. $ linkerd tap -n linkerd deploy/linkerd-controller --as $(whoami)
  2. req id=3:0 proxy=in src=10.244.0.1:37392 dst=10.244.0.13:9996 tls=not_provided_by_remote :method=GET :authority=10.244.0.13:9996 :path=/ping
  3. ...

Cluster admin access

To simply give your user cluster-admin access:

  1. kubectl create clusterrolebinding \
  2. $(whoami)-cluster-admin \
  3. --clusterrole=cluster-admin \
  4. --user=$(whoami)

NoteNot recommended for production, only do this for testing/development.

GKE

Google Kubernetes Engine (GKE) provides access to your Kubernetes cluster viaGoogle Cloud IAM. See theGKE IAM Docs formore information.

Because GCloud provides this additional level of access, there are cases wherekubectl auth can-i will report you have Tap access when your RBAC user maynot. To validate this, check whether your GCloud user has Tap access:

  1. $ kubectl auth can-i watch pods.tap.linkerd.io --all-namespaces
  2. yes

And then validate whether your RBAC user has Tap access:

  1. $ kubectl auth can-i watch pods.tap.linkerd.io --all-namespaces --as $(gcloud config get-value account)
  2. no - no RBAC policy matched

If the second command reported you do not have access, you may enable accesswith:

  1. kubectl create clusterrolebinding \
  2. $(whoami)-tap-admin \
  3. --clusterrole=linkerd-linkerd-tap-admin \
  4. --user=$(gcloud config get-value account)

To simply give your user cluster-admin access:

  1. kubectl create clusterrolebinding \
  2. $(whoami)-cluster-admin \
  3. --clusterrole=cluster-admin \
  4. --user=$(gcloud config get-value account)

NoteNot recommended for production, only do this for testing/development.

Linkerd Dashboard tap access

By default, the Linkerd dashboard has the RBACprivileges necessary to tap resources.

To confirm:

  1. $ kubectl auth can-i watch pods.tap.linkerd.io --all-namespaces --as system:serviceaccount:linkerd:linkerd-web
  2. yes

This access is enabled via a linkerd-linkerd-web-admin ClusterRoleBinding:

  1. $ kubectl describe clusterrolebindings/linkerd-linkerd-web-admin
  2. Name: linkerd-linkerd-web-admin
  3. Labels: linkerd.io/control-plane-component=web
  4. linkerd.io/control-plane-ns=linkerd
  5. Annotations: kubectl.kubernetes.io/last-applied-configuration:
  6. {"apiVersion":"rbac.authorization.k8s.io/v1","kind":"ClusterRoleBinding","metadata":{"annotations":{},"labels":{"linkerd.io/control-plane-...
  7. Role:
  8. Kind: ClusterRole
  9. Name: linkerd-linkerd-tap-admin
  10. Subjects:
  11. Kind Name Namespace
  12. ---- ---- ---------
  13. ServiceAccount linkerd-web linkerd

If you would like to restrict the Linkerd dashboard's tap access. You mayinstall Linkerd with the —restrict-dashboard-privileges flag:

  1. linkerd install --restrict-dashboard-privileges

This will omit the linkerd-linkerd-web-admin ClusterRoleBinding. If you havealready installed Linkerd, you may simply delete the ClusterRoleBindingmanually:

  1. kubectl delete clusterrolebindings/linkerd-linkerd-web-admin

To confirm:

  1. $ kubectl auth can-i watch pods.tap.linkerd.io --all-namespaces --as system:serviceaccount:linkerd:linkerd-web
  2. no