Authorization Policy server port should not rely on 'containerPort' in k8s spec #7640

@mattstam

Description

What is the issue?

Linkerd Authorization Policy server resource needs ports defined. If these ports are not included in the containers spec, traffic will be rejected with the linkerd-proxy logging unauthorized connection on unknown port.

This seems intuitive; however, reliance on these ports being defined in the spec should not be necessary, because they are purely informational. From https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.22/#container-v1-core:

List of ports to expose from the container. Exposing a port here gives the system additional information about the network connections a container uses, but is primarily informational. Not specifying a port here DOES NOT prevent that port from being exposed.

Considering traffic can flow fine normally on these ports even when not specified here, relying on it should be avoided. In many cases, developers simply may not have specified these ports in their container spec.

How can it be reproduced?

Server Resource:

apiVersion: policy.linkerd.io/v1beta1
kind: Server
metadata:
  name: server-http
spec:
  port: 8080
  podSelector:
    matchLabels:
      app: server
  proxyProtocol: HTTP/1

ServerAuthorization Resource:

apiVersion: policy.linkerd.io/v1beta1
kind: ServerAuthorization
metadata:
  name: server-http-auth
spec:
  server:
    name: server-http
  client:
    meshTLS:
      identities:
        - "*"

combined with a pod that has app=server that does not specify:

        ports:
          - containerPort: 8080

Logs, error output, etc

WARN ThreadId(01) inbound: linkerd_app_core::serve: Server failed to become ready error=unauthorized connection on unknown port <port>

Where port is the one defined in the server resource and attempted to be connected on.

output of linkerd check -o short

N/A, but IIRC this showed no issue or suggestion about this problem.

Environment

  • K8s version: v1.22.1
  • Cluster Environment: AKS
  • OS: Linux
  • Linkerd version: v2.11

Possible solution

Fix for now is to just add the port in the container spec:

        ports:
          - containerPort: <port>

but as stated, Linkerd should try to avoid having a dependence on this.

Additional context

No response

Would you like to work on fixing this bug?

No response
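The dependency the report describes can at least be caught before a rollout. The following is an added example, not code from this issue or from the Linkerd project: given a Server resource and a list of pods as plain dicts (the shape `kubectl get ... -o json` returns; the manifests below are constructed samples), it lists the pods selected by the Server's podSelector whose containers do not declare the Server's port. It accepts numeric and named ports, since a Server's `spec.port` may be either, and only evaluates `matchLabels` (not `matchExpressions`).

```python
from typing import Dict, Iterable, List, Set, Union

Port = Union[int, str]


def _selector_matches(selector: Dict, pod: Dict) -> bool:
    """True if every matchLabels entry of the Server's podSelector is on the pod."""
    labels = pod.get("metadata", {}).get("labels") or {}
    wanted = (selector or {}).get("matchLabels") or {}
    return all(labels.get(k) == v for k, v in wanted.items())


def _declared_ports(pod: Dict) -> Set[Port]:
    """containerPort numbers and port names declared across the pod's containers."""
    declared: Set[Port] = set()
    for container in pod.get("spec", {}).get("containers", []):
        for p in container.get("ports") or []:
            if "containerPort" in p:
                declared.add(p["containerPort"])
            if p.get("name"):
                declared.add(p["name"])
    return declared


def pods_missing_server_port(server: Dict, pods: Iterable[Dict]) -> List[str]:
    """Names of pods selected by `server` that do not declare server.spec.port.

    Such pods would hit 'unauthorized connection on unknown port' at runtime.
    """
    spec = server.get("spec", {})
    port: Port = spec.get("port")
    selector = spec.get("podSelector", {})
    return [
        pod["metadata"]["name"]
        for pod in pods
        if _selector_matches(selector, pod) and port not in _declared_ports(pod)
    ]


# Constructed sample input mirroring the issue: the Server from the report plus three pods.
SERVER = {"spec": {"port": 8080, "podSelector": {"matchLabels": {"app": "server"}}}}
PODS = [
    {"metadata": {"name": "server-ok", "labels": {"app": "server"}},
     "spec": {"containers": [{"ports": [{"containerPort": 8080, "name": "http"}]}]}},
    {"metadata": {"name": "server-noport", "labels": {"app": "server"}},
     "spec": {"containers": [{"image": "example/server"}]}},   # no ports declared
    {"metadata": {"name": "other", "labels": {"app": "other"}},
     "spec": {"containers": [{"image": "example/other"}]}},    # not selected
]

if __name__ == "__main__":
    print("pods missing Server port:", pods_missing_server_port(SERVER, PODS))
```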
