policy: Add support for cluster-scoped default policies (#1210)

The policy controller supports the default policies
`cluster-authenticated` and `cluster-unauthenticated` but the proxy
would error if configured with these policies. In order to use a single
policy annotation honored by both the policy controller and proxy, this
change adds support for a new configuration,
`LINKERD2_POLICY_CLUSTER_NETWORKS`, that allows the proxy to enforce
cluster-scoped defaults. When this configuration is not specified, the
cluster-scoped defaults are not supported.

This default will apply to all ports that are not documented in the
pod's spec (i.e. ports not in the `LINKERD2_PROXY_INBOUND_PORTS`
configuration).

This change also updates policy labeling to track server and authz labels
independently so that keys may overlap, as is required by linkerd/linkerd2#6722

Author: olix0r

linkerd/app/inbound/src/detect.rs

@@ -380,11 +380,12 @@ mod tests {
                 protocol: Protocol::Detect {
                     timeout: std::time::Duration::from_secs(10),
                 },
-                labels: None.into_iter().collect(),
                 tls: tls::ConditionalServerTls::Some(tls::ServerTls::Established {
                     client_id: Some(client_id()),
                     negotiated_protocol: None,
                 }),
+                server_labels: None.into_iter().collect(),
+                authz_labels: None.into_iter().collect(),
             },
         };
 
@@ -412,11 +413,12 @@ mod tests {
                 protocol: Protocol::Detect {
                     timeout: std::time::Duration::from_secs(10),
                 },
-                labels: None.into_iter().collect(),
                 tls: tls::ConditionalServerTls::Some(tls::ServerTls::Established {
                     client_id: Some(client_id()),
                     negotiated_protocol: None,
                 }),
+                server_labels: None.into_iter().collect(),
+                authz_labels: None.into_iter().collect(),
             },
         };
 
@@ -442,11 +444,12 @@ mod tests {
             orig_dst_addr: orig_dst_addr(),
             permit: Permitted {
                 protocol: Protocol::Http1,
-                labels: None.into_iter().collect(),
                 tls: tls::ConditionalServerTls::Some(tls::ServerTls::Established {
                     client_id: Some(client_id()),
                     negotiated_protocol: None,
                 }),
+                server_labels: None.into_iter().collect(),
+                authz_labels: None.into_iter().collect(),
             },
         };
 
@@ -472,11 +475,12 @@ mod tests {
             orig_dst_addr: orig_dst_addr(),
             permit: Permitted {
                 protocol: Protocol::Http1,
-                labels: None.into_iter().collect(),
                 tls: tls::ConditionalServerTls::Some(tls::ServerTls::Established {
                     client_id: Some(client_id()),
                     negotiated_protocol: None,
                 }),
+                server_labels: None.into_iter().collect(),
+                authz_labels: None.into_iter().collect(),
             },
         };
 
@@ -502,11 +506,12 @@ mod tests {
             orig_dst_addr: orig_dst_addr(),
             permit: Permitted {
                 protocol: Protocol::Http2,
-                labels: None.into_iter().collect(),
                 tls: tls::ConditionalServerTls::Some(tls::ServerTls::Established {
                     client_id: Some(client_id()),
                     negotiated_protocol: None,
                 }),
+                server_labels: None.into_iter().collect(),
+                authz_labels: None.into_iter().collect(),
             },
         };
 

linkerd/app/inbound/src/policy/defaults.rs

@@ -1,54 +1,88 @@
-use linkerd_app_core::{Ipv4Net, Ipv6Net};
-use linkerd_server_policy::{Authentication, Authorization, Protocol, ServerPolicy, Suffix};
+use linkerd_app_core::{IpNet, Ipv4Net, Ipv6Net};
+use linkerd_server_policy::{
+    Authentication, Authorization, Labels, Protocol, ServerPolicy, Suffix,
+};
 use std::time::Duration;
 
 pub fn all_authenticated(timeout: Duration) -> ServerPolicy {
-    ServerPolicy {
-        protocol: Protocol::Detect { timeout },
-        authorizations: vec![Authorization {
-            networks: vec![Ipv4Net::default().into(), Ipv6Net::default().into()],
-            authentication: Authentication::TlsAuthenticated {
-                identities: Default::default(),
-                suffixes: vec![Suffix::from(vec![])],
-            },
-            labels: Some(("authz".to_string(), "_all-authenticated".to_string()))
-                .into_iter()
-                .collect(),
-        }],
-        labels: Some(("server".to_string(), "_default".to_string()))
-            .into_iter()
-            .collect(),
-    }
+    mk(
+        "default:all-authenticated",
+        all_nets(),
+        authenticated(),
+        timeout,
+    )
 }
 
 pub fn all_unauthenticated(timeout: Duration) -> ServerPolicy {
-    ServerPolicy {
-        protocol: Protocol::Detect { timeout },
-        authorizations: vec![Authorization {
-            networks: vec![Ipv4Net::default().into(), Ipv6Net::default().into()],
-            authentication: Authentication::Unauthenticated,
-            labels: Some(("authz".to_string(), "_all-unauthenticated".to_string()))
-                .into_iter()
-                .collect(),
-        }],
-        labels: Some(("server".to_string(), "_default".to_string()))
-            .into_iter()
-            .collect(),
-    }
+    mk(
+        "default:all-unauthenticated",
+        all_nets(),
+        Authentication::Unauthenticated,
+        timeout,
+    )
+}
+
+pub fn cluster_authenticated(
+    nets: impl IntoIterator<Item = IpNet>,
+    timeout: Duration,
+) -> ServerPolicy {
+    mk(
+        "default:cluster-authenticated",
+        nets,
+        authenticated(),
+        timeout,
+    )
+}
+
+pub fn cluster_unauthenticated(
+    nets: impl IntoIterator<Item = IpNet>,
+    timeout: Duration,
+) -> ServerPolicy {
+    mk(
+        "default:cluster-unauthenticated",
+        nets,
+        Authentication::Unauthenticated,
+        timeout,
+    )
 }
 
 pub fn all_mtls_unauthenticated(timeout: Duration) -> ServerPolicy {
+    mk(
+        "default:all-tls-unauthenticated",
+        all_nets(),
+        Authentication::TlsUnauthenticated,
+        timeout,
+    )
+}
+
+fn all_nets() -> impl Iterator<Item = IpNet> {
+    vec![Ipv4Net::default().into(), Ipv6Net::default().into()].into_iter()
+}
+
+fn authenticated() -> Authentication {
+    Authentication::TlsAuthenticated {
+        identities: Default::default(),
+        suffixes: vec![Suffix::from(vec![])],
+    }
+}
+
+fn mk(
+    name: &str,
+    nets: impl IntoIterator<Item = IpNet>,
+    authentication: Authentication,
+    timeout: Duration,
+) -> ServerPolicy {
+    let labels = Some(("name".to_string(), name.to_string()))
+        .into_iter()
+        .collect::<Labels>();
+
     ServerPolicy {
         protocol: Protocol::Detect { timeout },
         authorizations: vec![Authorization {
-            networks: vec![Ipv4Net::default().into(), Ipv6Net::default().into()],
-            authentication: Authentication::TlsUnauthenticated,
-            labels: Some(("authz".to_string(), "_all-unauthenticated-tls".to_string()))
-                .into_iter()
-                .collect(),
+            networks: nets.into_iter().map(Into::into).collect(),
+            authentication,
+            labels: labels.clone(),
         }],
-        labels: Some(("server".to_string(), "_default".to_string()))
-            .into_iter()
-            .collect(),
+        labels,
     }
 }

linkerd/app/inbound/src/policy/discover.rs

@@ -162,7 +162,7 @@ fn to_policy(proto: api::Server) -> Result<ServerPolicy> {
                 Ok(Authorization {
                     networks,
                     authentication: authn,
-                    labels,
+                    labels: labels.into_iter().collect(),
                 })
             },
         )
@@ -171,7 +171,7 @@ fn to_policy(proto: api::Server) -> Result<ServerPolicy> {
     Ok(ServerPolicy {
         protocol,
         authorizations,
-        labels: proto.labels,
+        labels: proto.labels.into_iter().collect(),
     })
 }
 

linkerd/app/inbound/src/policy/mod.rs

@@ -12,8 +12,10 @@ use linkerd_app_core::{
     transport::{ClientAddr, OrigDstAddr, Remote},
     Result,
 };
-pub use linkerd_server_policy::{Authentication, Authorization, Protocol, ServerPolicy, Suffix};
-use std::{collections::BTreeMap, sync::Arc};
+pub use linkerd_server_policy::{
+    Authentication, Authorization, Labels, Protocol, ServerPolicy, Suffix,
+};
+use std::sync::Arc;
 use thiserror::Error;
 
 pub(crate) trait CheckPolicy {
@@ -38,8 +40,8 @@ pub(crate) struct Permitted {
     pub protocol: Protocol,
     pub tls: tls::ConditionalServerTls,
 
-    // We want predictable ordering of labels, so we use a BTreeMap.
-    pub labels: BTreeMap<String, String>,
+    pub server_labels: Labels,
+    pub authz_labels: Labels,
 }
 
 #[derive(Clone, Debug, Error)]
@@ -52,7 +54,9 @@ pub(crate) struct DeniedUnauthorized {
     client_addr: Remote<ClientAddr>,
     dst_addr: OrigDstAddr,
     tls: tls::ConditionalServerTls,
+    labels: Labels,
 }
+
 // === impl DefaultPolicy ===
 
 impl From<ServerPolicy> for DefaultPolicy {
@@ -123,6 +127,7 @@ impl AllowPolicy {
             client_addr,
             dst_addr: self.dst,
             tls,
+            labels: self.server.labels.clone(),
         })
     }
 }
@@ -131,12 +136,10 @@ impl AllowPolicy {
 
 impl Permitted {
     fn new(server: &ServerPolicy, authz: &Authorization, tls: tls::ConditionalServerTls) -> Self {
-        let mut labels = BTreeMap::new();
-        labels.extend(server.labels.clone());
-        labels.extend(authz.labels.clone());
         Self {
             protocol: server.protocol,
-            labels,
+            server_labels: server.labels.clone(),
+            authz_labels: authz.labels.clone(),
             tls,
         }
     }