-
Notifications
You must be signed in to change notification settings - Fork 214
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
New content dir for 2.11 docs (#1178)
* New content dir for 2.11 docs `/content/2.11` is basically a copy of `/content/2.10`, where all new content pertaining to 2.11 should reside. I tried to remove all direct references to `2.10` and made them relative dir references instead, so this process gets easier as new major versions are released.
- Loading branch information
Showing
121 changed files
with
15,142 additions
and
99 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,6 @@ | ||
| --- | ||
| title: "Overview" | ||
| --- | ||
| <!-- markdownlint-disable --> | ||
| <meta http-equiv="Refresh" content="0; url=overview/"> | ||
| <!-- markdownlint-enable --> |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,18 @@ | ||
| <!doctype html> | ||
| <html lang="en"> | ||
| <head> | ||
| <meta charset="UTF-8"> | ||
| <meta http-equiv="refresh" content="0; url=../tasks/troubleshooting/"> | ||
| <script type="text/javascript"> | ||
| window.onload = function() { | ||
| var hash = window.location.hash; | ||
| window.location.href = window.location.origin + "/2.11/tasks/troubleshooting/" + hash; | ||
| } | ||
| </script> | ||
| <title>Linkerd Check Redirection</title> | ||
| </head> | ||
| <body> | ||
| If you are not redirected automatically, follow this | ||
| <a href='../tasks/troubleshooting/'>link</a>. | ||
| </body> | ||
| </html> |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,14 @@ | ||
| +++ | ||
| title = "Features" | ||
| weight = 3 | ||
| [sitemap] | ||
| priority = 1.0 | ||
| +++ | ||
|
|
||
| Linkerd offers many features, outlined below. For our walkthroughs and guides, | ||
| please see the [Linkerd task docs]({{% ref "../tasks" %}}). For a reference, | ||
| see the [Linkerd reference docs]({{% ref "../reference" %}}). | ||
|
|
||
| ## Linkerd's features | ||
|
|
||
| {{% sectiontoc "features" %}} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,127 @@ | ||
| +++ | ||
| title = "Automatic mTLS" | ||
| description = "Linkerd automatically enables mutual Transport Layer Security (TLS) for all communication between meshed applications." | ||
| weight = 4 | ||
| aliases = [ | ||
| "../automatic-tls" | ||
| ] | ||
| +++ | ||
|
|
||
| By default, Linkerd automatically enables mutually-authenticated Transport | ||
| Layer Security (mTLS) for all TCP traffic between meshed pods. This means that | ||
| Linkerd adds authenticated, encrypted communication to your application with | ||
| no extra work on your part. (And because the Linkerd control plane also runs | ||
| on the data plane, this means that communication between Linkerd's control | ||
| plane components are also automatically secured via mTLS.) | ||
|
|
||
| See [Caveats and future work](#caveats-and-future-work) below for some details. | ||
|
|
||
| ## What is mTLS? | ||
|
|
||
| A full definition of mTLS is outside the scope of this doc. For an overview of | ||
| what mTLS is and how it works in Kuberentes clusters, we suggest reading | ||
| through [A Kubernetes engineer's guide to | ||
| mTLS](https://buoyant.io/mtls-guide/). | ||
|
|
||
| ## Which traffic can Linkerd automatically mTLS? | ||
|
|
||
| Linkerd transparently applies mTLS to all TCP communication between meshed | ||
| pods. However, there are still ways in which you may still have non-mTLS | ||
| traffic in your system, including: | ||
|
|
||
| * Traffic to or from non-meshed pods (e.g. Kubernetes healthchecks) | ||
| * Traffic on ports that were marked as [skip ports](../protocol-detection/), | ||
| which bypass the proxy entirely. | ||
|
|
||
| You can [verify which traffic is mTLS'd](../../tasks/validating-your-traffic/) | ||
| in a variety of ways. External systems such as [Buoyant | ||
| Cloud](https://buoyant.io/cloud) can also automatically generate reports of TLS | ||
| traffic patterns on your cluster. | ||
|
|
||
| ## Operational concerns | ||
|
|
||
| Linkerd's mTLS requires some preparation for production use, especially for | ||
| long-lived clusters or clusters that expect to have cross-cluster traffic. | ||
|
|
||
| The trust anchor generated by the default `linkerd install` CLI command expires | ||
| after 365 days. After that, it must be [manually | ||
| rotated](../../tasks/manually-rotating-control-plane-tls-credentials/)—a | ||
| non-trivial task. Alternatively, you can [provide the trust anchor | ||
| yourself](../../tasks/generate-certificates/) and control the expiration date, | ||
| e.g. setting it to 10 years rather than one year. | ||
|
|
||
| Kubernetes clusters that make use of Linkerd's [multi-cluster | ||
| communication](../multicluster/) must share a trust anchor. Thus, the default | ||
| `linkerd install` setup will not work for this situation and you must provide | ||
| an explicit trust anchor. | ||
|
|
||
| Similarly, the default cluster issuer certificate and key expire after a year. | ||
| These must be [rotated before they | ||
| expire](../../tasks/manually-rotating-control-plane-tls-credentials/). | ||
| Alternatively, you can [set up automatic rotation with | ||
| `cert-manager`](../../tasks/automatically-rotating-control-plane-tls-credentials/). | ||
|
|
||
| External systems such as [Buoyant Cloud](https://buoyant.io/cloud) can be used | ||
| to monitor cluster credentials and to send reminders if they are close to | ||
| expiration. | ||
|
|
||
| ## How does Linkerd's mTLS implementation work? | ||
|
|
||
| The [Linkerd control plane](../../reference/architecture/) contains a certificate | ||
| authority (CA) called `identity`. This CA issues TLS certificates to each | ||
| Linkerd data plane proxy. Each certificate is bound to the [Kubernetes | ||
| ServiceAccount](https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/) | ||
| identity of the containing pod. These TLS certificates expire after 24 hours | ||
| and are automatically rotated. The proxies use these certificates to encrypt | ||
| and authenticate TCP traffic to other proxies. | ||
|
|
||
| On the control plane side, Linkerd maintains a set of credentials in the | ||
| cluster: a trust anchor, and an issuer certificate and private key. These | ||
| credentials can be generated by Linkerd during install time, or optionally | ||
| provided by an external source, e.g. [Vault](https://vaultproject.io) or | ||
| [cert-manager](https://github.com/jetstack/cert-manager). The issuer | ||
| certificate and private key are stored in a [Kubernetes | ||
| Secret](https://kubernetes.io/docs/concepts/configuration/secret/); this Secret | ||
| is placed in the `linkerd` namespace and can only be read by the service | ||
| account used by the [Linkerd control plane](../../reference/architecture/)'s | ||
| `identity` component. | ||
|
|
||
| On the data plane side, each proxy is passed the trust anchor in an environment | ||
| variable. At startup, the proxy generates a private key, stored in a [tmpfs | ||
| emptyDir](https://kubernetes.io/docs/concepts/storage/volumes/#emptydir) which | ||
| stays in memory and never leaves the pod. The proxy connects to the control | ||
| plane's `identity` component, validating the connection to `identity` with the | ||
| trust anchor, and issues a [certificate signing request | ||
| (CSR)](https://en.wikipedia.org/wiki/Certificate_signing_request). The CSR | ||
| contains an initial certificate with identity set to the pod's [Kubernetes | ||
| ServiceAccount](https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/), | ||
| and the actual service account token, so that `identity` can validate that the | ||
| CSR is valid. After validation, the signed trust bundle is returned to the | ||
| proxy, which can use it as both a client and server certificate. These | ||
| certificates are scoped to 24 hours and dynamically refreshed using the same | ||
| mechanism. | ||
|
|
||
| Finally, when a proxy receives an outbound connection from the application | ||
| container within its pod, it looks up that desitnation with the Linkerd control | ||
| plane. If it's in the Kubernetes cluster, the control plane provides the proxy | ||
| with the destination's endpoint addresses, along with metadata including an | ||
| identity name. When the proxy connects to the destination, it initiates a TLS | ||
| handshake and verifies that that the destination proxy's certificate is signed | ||
| by the trust anchor and contains the expected identity. | ||
|
|
||
| ## Caveats and future work | ||
|
|
||
| There are a few known gaps in Linkerd's ability to automatically encrypt and | ||
| authenticate all communication in the cluster. These gaps will be fixed in | ||
| future releases: | ||
|
|
||
| * Linkerd does not currently *enforce* mTLS. Any unencrypted requests inside | ||
| the mesh will be opportunistically upgraded to mTLS. Any requests originating | ||
| from inside or outside the mesh will not be automatically mTLS'd by Linkerd. | ||
| This will be addressed in a future Linkerd release, likely as an opt-in | ||
| behavior as it may break some existing applications. | ||
|
|
||
| * Ideally, the ServiceAccount token that Linkerd uses would not be shared with | ||
| other potential uses of that token. In future Kubernetes releases, Kubernetes | ||
| will support audience/time-bound ServiceAccount tokens, and Linkerd will use | ||
| those instead. |
Oops, something went wrong.