Closed whiskeysierra closed 1 year ago
A little follow-up, the issue seems to be slightly bigger (or two separate issues, not sure?!).
With a broken MeshTLSAuthentication the linkerd-destination seems to completely choke and actually stop correctly processing others.
We saw tons of logs like this:
linkerd-destination-c769d8694-g4lkp policy 2023-04-21T12:12:09.613527Z INFO meshtlsauthentications:apply{ns=linkerd-viz name=metrics-api-web}:reindex{ns=services-booking-platform}:pod{pod=account-oauth2-session-store-node-2}: linkerd_policy_controller_k8s_index::inbound::index: Illegal AuthorizationPolicy; ignoring server=account-oauth2-session-store-sentinel authorizationpolicy=account-oauth2-session-store-sentinel error=could not find MeshTLSAuthentication account-oauth2-session-store in namespace services-booking-platform
But those actually exist.
As soon as we deleted the faulty MeshTLSAuthentication the others were processed correctly.
Nice find, @whiskeysierra! I suspect that https://github.com/linkerd/linkerd2/blob/main/policy-controller/k8s/index/src/inbound/index.rs#L628 may be the problem here.
As for the issue with empty identity lists, an empty identity list should be equivalent to not having the Authentication in the first place so I don't think it's ever useful to be able to specify an empty list here. Updating the CRD to add minItems: 1 sounds more correct to me.
> Nice find, @whiskeysierra! I suspect that https://github.com/linkerd/linkerd2/blob/main/policy-controller/k8s/index/src/inbound/index.rs#L628 may be the problem here.

Yeah, I don't know Rust so I wasn't quite sure about the scope of that return statement. If it breaks the loop/sequence early, then yes, that's most likely the problem for the cascading issue with the policies.

> As for the issue with empty identity lists, an empty identity list should be equivalent to not having the Authentication in the first place so I don't think it's ever useful to be able to specify an empty list here. Updating the CRD to add minItems: 1 sounds more correct to me.
Yeah, that would work for me.
Do you consider those to be two separate issues? (Shall I create a second one?)
What is the issue?
The MeshTLSAuthentication CRD requires one of either identities or identityRefs. But it does allow empty arrays, while the implementation doesn't.
How can it be reproduced?
Create a MeshTLSAuthentication with an empty list of identities:
Based on the docs:
I'd assume that an empty list is the equivalent of a deny policy, because no client can have an identity that is part of that empty list.
Logs, error output, etc
linkerd-destination logs:
Relevant source code can be found here:
https://github.com/linkerd/linkerd2/blob/9dce7e65190a97ec542c6fe03797ae7f0e583734/policy-controller/k8s/index/src/inbound/meshtls_authentication.rs#L44
output of linkerd check -o short
Environment
Possible solution
I see two possible options:
minItems: 1 to both properties: identities and identityRefs here https://github.com/linkerd/linkerd2/blob/9dce7e65190a97ec542c6fe03797ae7f0e583734/charts/linkerd-crds/templates/policy/meshtls-authentication.yaml#L39-L86
Additional context
https://swagger.io/docs/specification/data-models/data-types/#array-length
Would you like to work on fixing this bug?
yes
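As an added illustration of the "Possible solution" above (not the project's own CRD file), a simplified MeshTLSAuthentication schema with minItems: 1 on both properties, followed by a constructed manifest with an empty identities list that the API server would then refuse at admission instead of passing to the policy controller. The identityRefs item fields are assumed for the example.

```yaml
# Simplified excerpt (assumed shape, not the project's file): only the
# identities / identityRefs properties are shown.
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  name: meshtlsauthentications.policy.linkerd.io
spec:
  group: policy.linkerd.io
  names:
    kind: MeshTLSAuthentication
    plural: meshtlsauthentications
  scope: Namespaced
  versions:
    - name: v1alpha1
      served: true
      storage: true
      schema:
        openAPIV3Schema:
          type: object
          properties:
            spec:
              type: object
              # oneOf only requires that a field is present; without
              # minItems an empty array is accepted by the API server and
              # then rejected by the policy controller.
              oneOf:
                - required: [identities]
                - required: [identityRefs]
              properties:
                identities:
                  type: array
                  minItems: 1        # added: reject an empty list at admission
                  items:
                    type: string
                identityRefs:
                  type: array
                  minItems: 1        # added: same for references
                  items:
                    type: object     # item fields below are assumed
                    required: [kind, name]
                    properties:
                      group: { type: string }
                      kind: { type: string }
                      name: { type: string }
                      namespace: { type: string }
---
# Constructed manifest: with minItems: 1 in place, kubectl apply fails
# schema validation here rather than silently creating the object.
apiVersion: policy.linkerd.io/v1alpha1
kind: MeshTLSAuthentication
metadata:
  name: account-oauth2-session-store
  namespace: services-booking-platform
spec:
  identities: []
```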