linkerd / linkerd2

Ultralight, security-first service mesh for Kubernetes. Main repo for Linkerd 2.x.
https://linkerd.io
Apache License 2.0

Granular RBAC for metrics #3312

Open grampelberg opened 5 years ago

grampelberg commented 5 years ago

Description

Introduce view isolation for metrics, defined by Kubernetes RBAC, to provide multi-tenancy to security-conscious organizations. We have previously done this using an APIService for tap functionality.

The smi-metrics project already implements Linkerd metrics as an APIService. This has the added value of dogfooding smi-metrics and providing common tooling for other integrations in the future.

Details

alenkacz commented 5 years ago

@grampelberg @admc could you please assign this to me? Thanks :)

grampelberg commented 4 years ago

Note: it is probably worth using smi-metrics where it can be used and expanding the spec where it isn't usable instead of creating a new one-off APIService.

PierrePIRONIN commented 4 years ago

Hi! I’m exactly in this use case. Are you currently working on it? Thanks

grampelberg commented 4 years ago

@PierrePIRONIN I believe that @alenkacz is currently looking into it. You can use smi-metrics as is to do something similar though.

grampelberg commented 4 years ago

Historical


What problem are you trying to solve?

Many organizations have teams sharing the same cluster which should not see each other's data (multi-tenant). This was addressed for tap as part of #2725. Now that it is possible to have granular, Kubernetes-based RBAC policies for tap, statistics should provide a similar benefit.

How should the problem be solved?

Out of scope