Require Linkerd Server
In Linkerd 2.11, a Server resource selects ports on a set of Pods in the same Namespace and is used to deny traffic, which then must be authorized later. Ensuring that Linkerd policy is enforced on Pods in the mesh is important for maintaining a secure environment. This policy, requiring Linkerd 2.11+, has two rules designed to check Deployments (exposing ports) and Services to ensure that a corresponding Server resource exists first.
Policy Definition
/linkerd/require-linkerd-server/require-linkerd-server.yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: require-linkerd-server
  annotations:
    policies.kyverno.io/title: Require Linkerd Server
    policies.kyverno.io/category: Linkerd
    policies.kyverno.io/severity: medium
    policies.kyverno.io/subject: Deployment, Server
    kyverno.io/kyverno-version: "1.8.0"
    kyverno.io/kubernetes-version: "1.24"
    policies.kyverno.io/description: >-
      In Linkerd 2.11, a Server resource selects ports on a set of Pods in the
      same Namespace and is used to deny traffic which then must be authorized later.
      Ensuring that Linkerd policy is enforced on Pods in the mesh is important to maintaining
      a secure environment. This policy, requiring Linkerd 2.11+, has two rules designed to check
      Deployments (exposing ports) and Services to ensure a corresponding Server resource
      exists first.
spec:
  validationFailureAction: audit
  background: true
  rules:
  - name: check-deployment-has-server
    match:
      any:
      - resources:
          kinds:
          - Deployment
    preconditions:
      all:
      - key: "{{ request.object.spec.template.spec.containers[].ports[] || `[]` | length(@) }}"
        operator: GreaterThanOrEquals
        value: 1
    context:
    - name: server_count
      apiCall:
        urlPath: "/apis/policy.linkerd.io/v1beta1/namespaces/{{request.namespace}}/servers"
        jmesPath: "items[?label_match(spec.podSelector.matchLabels, `{{request.object.spec.template.metadata.labels}}`)] | length(@)"
    validate:
      message: "Every Deployment declaring ports requires a matching Server."
      deny:
        conditions:
          any:
          - key: "{{server_count}}"
            operator: LessThan
            value: 1
  - name: check-service-has-server
    match:
      any:
      - resources:
          kinds:
          - Service
    context:
    - name: server_count
      apiCall:
        urlPath: "/apis/policy.linkerd.io/v1beta1/namespaces/{{request.namespace}}/servers"
        jmesPath: "items[?label_match(spec.podSelector.matchLabels, `{{request.object.spec.selector}}`)] | length(@)"
    validate:
      message: "Every Service requires a matching Server."
      deny:
        conditions:
          any:
          - key: "{{server_count}}"
            operator: LessThan
            value: 1
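To see exactly what the two rules compare, the following is an added Python simulation of the policy's matching logic (it is not part of the Kyverno policy library or of Kyverno itself): it re-implements the label_match() subset check, the per-namespace Server count that the apiCall context produces, and the container-port precondition, and runs them over constructed Server, Deployment and Service manifests so the pass/fail behaviour can be examined without a cluster.

```python
"""Offline simulation of the require-linkerd-server policy rules (added example)."""

# Constructed sample Server resources (policy.linkerd.io/v1beta1), namespace "shop".
SERVERS = [
    {"metadata": {"namespace": "shop"},
     "spec": {"podSelector": {"matchLabels": {"app": "web"}}, "port": "http"}},
    {"metadata": {"namespace": "shop"},
     "spec": {"podSelector": {"matchLabels": {"app": "api", "tier": "backend"}},
              "port": 8080}},
]


def label_match(selector: dict, labels: dict) -> bool:
    """Kyverno's label_match(): every key/value in `selector` must appear in `labels`."""
    return all(labels.get(key) == value for key, value in selector.items())


def server_count(namespace: str, labels: dict, servers=SERVERS) -> int:
    """Mirror the apiCall context: Servers in `namespace` whose podSelector matches `labels`."""
    return sum(
        1 for server in servers
        if server["metadata"]["namespace"] == namespace
        and label_match(server["spec"]["podSelector"]["matchLabels"], labels)
    )


def declares_ports(deployment: dict) -> bool:
    """Precondition of check-deployment-has-server: at least one containerPort declared."""
    containers = deployment["spec"]["template"]["spec"]["containers"]
    return sum(len(container.get("ports", [])) for container in containers) >= 1


def check_deployment(deployment: dict, servers=SERVERS) -> bool:
    """True when the Deployment passes check-deployment-has-server.

    A Deployment without any ports does not meet the precondition, so the rule
    is skipped and the resource is treated as passing.
    """
    if not declares_ports(deployment):
        return True
    labels = deployment["spec"]["template"]["metadata"]["labels"]
    return server_count(deployment["metadata"]["namespace"], labels, servers) >= 1


def check_service(service: dict, servers=SERVERS) -> bool:
    """True when check-service-has-server finds a Server matching the Service selector."""
    namespace = service["metadata"]["namespace"]
    return server_count(namespace, service["spec"]["selector"], servers) >= 1
```

Note that the audit-mode policy above only reports; this simulation returns the same pass/fail decision so the label_match behaviour (selector must be a subset of the labels, not the other way round) can be checked before rolling the policy out.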