1 package cmd
2
3 import (
4 "os"
5 "text/template"
6
7 pkgcmd "github.com/linkerd/linkerd2/pkg/cmd"
8 "github.com/linkerd/linkerd2/pkg/version"
9 "github.com/spf13/cobra"
10 )
11
const (
	// allowScrapePolicy is the text/template source for the manifests printed by
	// `allow-scrapes`. It renders five policy.linkerd.io resources into
	// {{ .TargetNs }}:
	//
	//   - Server "proxy-admin": selects every pod carrying the
	//     linkerd.io/control-plane-ns label key, on the linkerd-admin port.
	//   - HTTPRoute "proxy-metrics": matches the /metrics path on that Server.
	//   - HTTPRoute "proxy-probes": matches the /live and /ready paths.
	//   - AuthorizationPolicy "prometheus-scrape": allows the "prometheus"
	//     ServiceAccount in {{ .VizNs }} to reach proxy-metrics.
	//   - AuthorizationPolicy "proxy-probes": allows clients matched by the
	//     "kubelet" NetworkAuthentication in {{ .VizNs }} to reach proxy-probes.
	//
	// Only the three listed paths are routed; the template authorizes nothing
	// else on the admin port.
	//
	// NOTE(review): the networks behind the "kubelet" NetworkAuthentication are
	// defined outside this file. They decide who may reach /live and /ready, so
	// confirm they are scoped as tightly as the cluster allows.
	//
	// NOTE(review): values are substituted verbatim (text/template does no YAML
	// escaping), so every field fed into this template must already be a safe
	// YAML scalar.
	allowScrapePolicy = `---
apiVersion: policy.linkerd.io/v1beta2
kind: Server
metadata:
  name: proxy-admin
  namespace: {{ .TargetNs }}
  annotations:
    linkerd-io/created-by: {{ .ChartName }} {{ .Version }}
  labels:
    linkerd.io/extension: {{ .ExtensionName }}
spec:
  podSelector:
    matchExpressions:
    - key: linkerd.io/control-plane-ns
      operator: Exists
  port: linkerd-admin
  proxyProtocol: HTTP/1
---
apiVersion: policy.linkerd.io/v1alpha1
kind: HTTPRoute
metadata:
  name: proxy-metrics
  namespace: {{ .TargetNs }}
  annotations:
    linkerd-io/created-by: {{ .ChartName }} {{ .Version }}
  labels:
    linkerd.io/extension: {{ .ExtensionName }}
spec:
  parentRefs:
    - name: proxy-admin
      kind: Server
      group: policy.linkerd.io
  rules:
    - matches:
      - path:
          value: "/metrics"
---
apiVersion: policy.linkerd.io/v1alpha1
kind: HTTPRoute
metadata:
  name: proxy-probes
  namespace: {{ .TargetNs }}
  annotations:
    linkerd-io/created-by: {{ .ChartName }} {{ .Version }}
  labels:
    linkerd.io/extension: {{ .ExtensionName }}
spec:
  parentRefs:
    - name: proxy-admin
      kind: Server
      group: policy.linkerd.io
  rules:
    - matches:
      - path:
          value: "/live"
      - path:
          value: "/ready"
---
apiVersion: policy.linkerd.io/v1alpha1
kind: AuthorizationPolicy
metadata:
  name: prometheus-scrape
  namespace: {{ .TargetNs }}
  annotations:
    linkerd-io/created-by: {{ .ChartName }} {{ .Version }}
  labels:
    linkerd.io/extension: {{ .ExtensionName }}
spec:
  targetRef:
    group: policy.linkerd.io
    kind: HTTPRoute
    name: proxy-metrics
  requiredAuthenticationRefs:
    - kind: ServiceAccount
      name: prometheus
      namespace: {{ .VizNs }}
---
apiVersion: policy.linkerd.io/v1alpha1
kind: AuthorizationPolicy
metadata:
  name: proxy-probes
  namespace: {{ .TargetNs }}
  annotations:
    linkerd-io/created-by: {{ .ChartName }} {{ .Version }}
  labels:
    linkerd.io/extension: {{ .ExtensionName }}
spec:
  targetRef:
    group: policy.linkerd.io
    kind: HTTPRoute
    name: proxy-probes
  requiredAuthenticationRefs:
    - kind: NetworkAuthentication
      group: policy.linkerd.io
      name: kubelet
      namespace: {{ .VizNs }}`
)
110
// templateOptions carries the values substituted into allowScrapePolicy.
// Fields are exported because text/template resolves them by name.
type templateOptions struct {
	// Provenance written into each resource's created-by annotation and
	// extension label.
	ExtensionName string
	ChartName     string
	Version       string

	// TargetNs is the namespace the generated policy resources are created in.
	TargetNs string
	// VizNs is the namespace the authentication references (the "prometheus"
	// ServiceAccount and the "kubelet" NetworkAuthentication) point at.
	VizNs string
}
118
119
// newCmdAllowScrapes builds the `allow-scrapes` subcommand. The command renders
// allowScrapePolicy to stdout for the namespace given with -n/--namespace; it
// does not talk to the cluster itself, so the output is meant to be reviewed or
// piped into `kubectl apply -f -`.
//
// NOTE(review): the namespace flag is substituted into the YAML as-is and is
// not validated here. When the value comes from a script or CI variable rather
// than a person typing it, callers should make sure it is a plain namespace
// name before applying the output.
//
// NOTE(review): VizNs is pinned to defaultNamespace and this function defines
// no flag to change it. If the viz extension lives in another namespace, the
// rendered policies would reference a "prometheus" ServiceAccount and "kubelet"
// NetworkAuthentication in the wrong namespace. Confirm against the install.
func newCmdAllowScrapes() *cobra.Command {
	opts := templateOptions{
		ChartName:     vizChartName,
		ExtensionName: ExtensionName,
		Version:       version.Version,
		VizNs:         defaultNamespace,
	}

	// Marking the flag required in PreRunE (instead of at construction time)
	// makes cobra reject an invocation without --namespace before RunE runs.
	requireNamespace := func(c *cobra.Command, _ []string) error {
		return c.MarkFlagRequired("namespace")
	}

	// opts is captured by reference, so TargetNs holds the parsed flag value by
	// the time the template executes.
	render := func(_ *cobra.Command, _ []string) error {
		parsed, err := template.New("allow-scrapes").Parse(allowScrapePolicy)
		// template.Must panics on a parse error; the template is a compile-time
		// constant, so that would indicate a programming bug.
		tmpl := template.Must(parsed, err)
		return tmpl.Execute(os.Stdout, opts)
	}

	allowCmd := &cobra.Command{
		Use:   "allow-scrapes {-n | --namespace } namespace",
		Short: "Output Kubernetes resources to authorize Prometheus scrapes",
		Long:  `Output Kubernetes resources to authorize Prometheus scrapes in a namespace or cluster with config.linkerd.io/default-inbound-policy: deny.`,
		Example: `# Allow scrapes in the 'emojivoto' namespace
linkerd viz allow-scrapes --namespace emojivoto | kubectl apply -f -`,
		Args:    cobra.NoArgs,
		PreRunE: requireNamespace,
		RunE:    render,
	}

	allowCmd.Flags().StringVarP(
		&opts.TargetNs, "namespace", "n", opts.TargetNs,
		"The namespace in which to authorize Prometheus scrapes.",
	)

	pkgcmd.ConfigureNamespaceFlagCompletion(
		allowCmd, []string{"n", "namespace"},
		kubeconfigPath, impersonate, impersonateGroup, kubeContext)

	return allowCmd
}
149