Enforce traffic goes via Linkerd?

[btrepp]

This may be more obvious, but I can't seem to figure out a good way of requiring traffic goes via the mesh, rather than direct.
It seems Linkerd really wants to be 'transparent' in app configuration, this makes sense, you want the app to work with or without it, but it ends up feeling really 'fail-open' rather than 'fail-shut'. If for some reason the sidecars have issues, pods start talking directly.

I'd like the opposite, if the sidecars are failing to be injected, I don't want workloads to speak. The general solution seems to be using Network Policies, but also not all Kubernetes clusters have them by default, and well, if I am securing things via network policy, I get less utility out of the identity-first aspect of the mesh.

I feel like if there was a way to either a) have workloads check they are in the mesh, eg maybe via some headers that they can verify, or b) have the network connectivity fail if the sidecars didn't get injected, would be great for a fail-closed scenario.

Perhaps I have missed a massive hole in the documentation, or there is a strategy, but the identities of the mesh don't extend to the workloads, so unless the workloads also implement their own auth, they don't know if the traffic came over the mesh, or the mesh is down and someones making up requests and sending it to them.

My current best strategy might be to introduce SPIRE, and have the workloads validate SPIFFE, that way they can at least verify some auth between them, Linkerd itself here would be more for 'transport' security via mTLS, and the mesh part. There's advantages for specific tools for specific purposes, but part of me feels like I missed something :)

[alpeb]

Please take a look at Authorization Policy. You want to set the default inbound policy to cluster-authenticated, which will deny all traffic that is not meshed. That is enforced by proxies on the inbound/server side, so you need to make sure workloads get injected or else refuse to get deployed. The high availability mode achieves this by setting webhookFailurePolicy: Fail, which ensures the proxy injector succeeds or otherwise the pod in question is not admitted into the cluster. This mode also applies a different set of settings to make linkerd's control plane more resilient.