{"id":21926661,"url":"https://github.com/aatarasoff/linkerd-easyauth","last_synced_at":"2025-04-19T17:07:24.534Z","repository":{"id":41128080,"uuid":"508392911","full_name":"aatarasoff/linkerd-easyauth","owner":"aatarasoff","description":"EasyAuth extension for Linkerd2","archived":false,"fork":false,"pushed_at":"2023-11-21T07:26:57.000Z","size":347,"stargazers_count":19,"open_issues_count":1,"forks_count":1,"subscribers_count":3,"default_branch":"main","last_synced_at":"2023-11-21T17:36:21.399Z","etag":null,"topics":["kubernetes","linkerd","linkerd-extensions","linkerd2","service-mesh","servicemesh"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/aatarasoff.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":".github/CODEOWNERS","security":null,"support":null,"governance":null}},"created_at":"2022-06-28T17:23:07.000Z","updated_at":"2023-11-21T17:36:21.399Z","dependencies_parsed_at":"2023-11-20T17:45:45.007Z","dependency_job_id":null,"html_url":"https://github.com/aatarasoff/linkerd-easyauth","commit_stats":null,"previous_names":[],"tags_count":16,"template":null,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/aatarasoff%2Flinkerd-easyauth","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/aatarasoff%2Flinkerd-easyauth/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/aatarasoff%2Flinkerd-easyauth/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/aatarasoff%2Flinkerd-easyauth/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/aatarasoff","download_url":"https://codeload.github.com/aatarasoff/linkerd-easyauth/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":226995197,"owners_count":17714778,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["kubernetes","linkerd","linkerd-extensions","linkerd2","service-mesh","servicemesh"],"created_at":"2024-11-28T22:10:06.589Z","updated_at":"2024-11-28T22:10:07.105Z","avatar_url":"https://github.com/aatarasoff.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Linkerd EasyAuth Extension\n\n## Motivation\n\nSimplify Linkerd authorization policy management, following [the article](https://itnext.io/a-practical-guide-for-linkerd-authorization-policies-6cfdb50392e9), by providing a set of predefined policies and opinionated structures.\n\nIt also ships special checkers that find obsolete resources and misconfigurations, plus an ultra-fast `authz` command implementation (up to 10x faster than the original one).\n\n## Supported versions\n\n| Linkerd Version | EasyAuth Version |\n| --------------- | ---------------- |\n| 2.11.x          | 0.1.0 - 0.4.0    |\n| 2.12.x          | \\\u003e= 0.5.0        |\n| 2.13.x          | \\\u003e= 0.5.0        |\n| 2.14.x          | \\\u003e= 0.5.0        |\n\nThe new `AuthorizationPolicy` is supported since `0.6.0`. The new `HTTPRoute` is supported since `0.8.0`.\n\n## How to use it\n\n## CLI\n\nGrab the latest binaries from the releases page: https://github.com/aatarasoff/linkerd-easyauth/releases.\n\n### Usage\n\n```bash\nlinkerd easyauth [COMMAND] -n \u003cnamespace\u003e [FLAGS]\n```\n\n### Supported commands\n\n- `authcheck`: checks for obsolete `Server` and policy resources such as `ServerAuthorization`, `AuthorizationPolicy`, `MeshTLSAuthentication`, `NetworkAuthentication`, and `HTTPRoute`, and checks that pod ports have a `Server` resource\n- `list`: lists the Pods that were injected with the `linkerd.io/easyauth-enabled: true` annotation (more information below)\n- `authz`: fast implementation for fetching the list of authorization policies for a resource (uses caching)\n\n## Helm chart\n\nInstall the Helm chart with the injector and policies:\n\n```bash\n\u003e kubectl create ns linkerd-easyauth\n\n# Edit the namespace and add the standard linkerd annotations\n\n\u003e helm repo add linkerd-easyauth https://aatarasoff.github.io/linkerd-easyauth\n\u003e helm install -n linkerd-easyauth linkerd-easyauth linkerd-easyauth/linkerd-easyauth --values your_values.yml\n```\n\n### What the helm chart provides\n\n- Injector that adds the `linkerd.io/easyauth-enabled: true` label to all meshed pods (you can limit namespaces via the Helm chart values)\n- `Server` in terms of Linkerd authorization policies for `linkerd-admin-port`\n- `AuthorizationPolicy` resources that provide basic allow policies for ingress, Linkerd itself, and monitoring\n\n### What the helm chart does not provide\n\nBecause there should be one `Server` per service per port, the chart can only define the server for the Linkerd proxy admin port.\nFor each port that should be reachable by other pods or by Linkerd, you should add the `Server` definition manually:\n\n```yaml\n---\napiVersion: policy.linkerd.io/v1beta1\nkind: Server\nmetadata:\n  namespace: \u003capp-namespace\u003e\n  name: \u003capp-server-name\u003e\n  labels:\n    linkerd.io/server-type: common\nspec:\n  podSelector:\n    matchLabels:\n      \u003capp-label\u003e: \u003capp-unique-value\u003e\n  port: \u003cmy-port-name\u003e\n```\n\n### Important Values\n\n#### Meshed Apps Namespaces\n\nBecause all `AuthorizationPolicy` resources are namespace-scoped, the common policies must be added to each namespace that contains our apps:\n\n```yaml\nmeshedApps:\n  namespaces:\n    - hippos\n    - elephants\n```\n\n#### Cluster Network Common Policy\n\nIf you use route-based policies, you should authorize probe requests by adding an app-specific `HTTPRoute` and a policy for it to each app:\n\n```yaml\napiVersion: policy.linkerd.io/v1alpha1\nkind: AuthorizationPolicy\nmetadata:\n  name: cool-app-health-check-allow\n  namespace: cool-ns\nspec:\n  targetRef:\n    group: policy.linkerd.io\n    kind: HTTPRoute\n    name: cool-app-health-check\n  requiredAuthenticationRefs:\n    - name: cluster-network-authn\n      kind: NetworkAuthentication\n      group: policy.linkerd.io\n```\n\nThe Helm chart generates a `NetworkAuthentication` named `cluster-network-authn` to authorize requests from the cluster network.\n\nYou should explicitly provide the cluster network, or authorize the kubelet only. This depends on the Kubernetes implementation you are using and can be set up via the `clusterNetwork` section in the values.\n\n#### Kubelet CIDR\n\n\u003e **⚠ WARNING: 2.11.x only**\n\nBecause of [the issue](https://github.com/linkerd/linkerd2/issues/7050), in Linkerd 2.11.x you should explicitly provide the kubelet CIDR.\nIt depends on the Kubernetes implementation you are using.\n\nThere are two possibilities. If you can define the CIDR precisely, use it directly:\n\n```yaml\nkubelet:\n  cidr:\n    - cidr: 10.164.0.0/20\n```\n\nIf you cannot, but your kubelet addresses follow a GKE-like pattern, you can define octets and ranges to generate a set of `/32` CIDRs:\n\n```yaml\nkubelet:\n  cidr: []\n  # generate by pattern octet0:{low1-high1}:{low2-high2}:octet3 (10.169.150.1)\n  generator:\n    octet0: 10\n    low1: 168\n    high1: 172\n    low2: 0\n    high2: 256\n    octet3: 1\n```\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Faatarasoff%2Flinkerd-easyauth","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Faatarasoff%2Flinkerd-easyauth","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Faatarasoff%2Flinkerd-easyauth/lists"}