`ext-namespace-metadata-linkerd-config` Role is missing the `linkerd.io/control-plane-ns` label

Open klingerf opened this issue 11 months ago • 0 comments

What problem are you trying to solve?

I'm trying to select all resources installed by the `linkerd install` command, using the `linkerd.io/control-plane-ns` label. This works for all resources except the `ext-namespace-metadata-linkerd-config` Role, which doesn't include that label.

Sample output:

$ kubectl get clusterrole,clusterrolebinding,configmap,cronjob,deployment,mutatingwebhookconfiguration,namespace,role,rolebinding,secret,service,serviceaccount,validatingwebhookconfiguration -A -l linkerd.io/control-plane-ns=linkerd
NAME                                                                   CREATED AT
clusterrole.rbac.authorization.k8s.io/linkerd-heartbeat                2024-03-15T18:56:10Z
clusterrole.rbac.authorization.k8s.io/linkerd-linkerd-destination      2024-03-15T18:56:09Z
clusterrole.rbac.authorization.k8s.io/linkerd-linkerd-identity         2024-03-15T18:56:09Z
clusterrole.rbac.authorization.k8s.io/linkerd-linkerd-proxy-injector   2024-03-15T18:56:10Z
clusterrole.rbac.authorization.k8s.io/linkerd-policy                   2024-03-15T18:56:09Z

NAME                                                                          ROLE                                         AGE
clusterrolebinding.rbac.authorization.k8s.io/linkerd-destination-policy       ClusterRole/linkerd-policy                   2m47s
clusterrolebinding.rbac.authorization.k8s.io/linkerd-heartbeat                ClusterRole/linkerd-heartbeat                2m46s
clusterrolebinding.rbac.authorization.k8s.io/linkerd-linkerd-destination      ClusterRole/linkerd-linkerd-destination      2m47s
clusterrolebinding.rbac.authorization.k8s.io/linkerd-linkerd-identity         ClusterRole/linkerd-linkerd-identity         2m47s
clusterrolebinding.rbac.authorization.k8s.io/linkerd-linkerd-proxy-injector   ClusterRole/linkerd-linkerd-proxy-injector   2m46s

NAMESPACE   NAME                                     DATA   AGE
linkerd     configmap/linkerd-config                 2      2m46s
linkerd     configmap/linkerd-identity-trust-roots   1      2m46s

NAMESPACE   NAME                              SCHEDULE      SUSPEND   ACTIVE   LAST SCHEDULE   AGE
linkerd     cronjob.batch/linkerd-heartbeat   06 19 * * *   False     0        <none>          2m45s

NAMESPACE   NAME                                     READY   UP-TO-DATE   AVAILABLE   AGE
linkerd     deployment.apps/linkerd-destination      1/1     1            1           2m45s
linkerd     deployment.apps/linkerd-identity         1/1     1            1           2m46s
linkerd     deployment.apps/linkerd-proxy-injector   1/1     1            1           2m45s

NAMESPACE   NAME                                                                                              WEBHOOKS   AGE
            mutatingwebhookconfiguration.admissionregistration.k8s.io/linkerd-proxy-injector-webhook-config   1          2m46s

NAMESPACE   NAME                STATUS   AGE
            namespace/linkerd   Active   2m47s

NAMESPACE   NAME                                               CREATED AT
linkerd     role.rbac.authorization.k8s.io/linkerd-heartbeat   2024-03-15T18:56:09Z
linkerd     role.rbac.authorization.k8s.io/remote-discovery    2024-03-15T18:56:09Z

NAMESPACE   NAME                                                                         ROLE                     AGE
linkerd     rolebinding.rbac.authorization.k8s.io/linkerd-destination-remote-discovery   Role/remote-discovery    2m47s
linkerd     rolebinding.rbac.authorization.k8s.io/linkerd-heartbeat                      Role/linkerd-heartbeat   2m47s

NAMESPACE   NAME                                      TYPE                DATA   AGE
linkerd     secret/linkerd-config-overrides           Opaque              1      2m44s
linkerd     secret/linkerd-identity-issuer            Opaque              2      2m46s
linkerd     secret/linkerd-policy-validator-k8s-tls   kubernetes.io/tls   2      2m47s
linkerd     secret/linkerd-proxy-injector-k8s-tls     kubernetes.io/tls   2      2m46s
linkerd     secret/linkerd-sp-validator-k8s-tls       kubernetes.io/tls   2      2m47s

NAMESPACE   NAME                                TYPE        CLUSTER-IP      EXTERNAL-IP   PORT(S)    AGE
linkerd     service/linkerd-dst                 ClusterIP   10.96.157.32    <none>        8086/TCP   2m46s
linkerd     service/linkerd-dst-headless        ClusterIP   None            <none>        8086/TCP   2m46s
linkerd     service/linkerd-identity            ClusterIP   10.96.240.64    <none>        8080/TCP   2m46s
linkerd     service/linkerd-identity-headless   ClusterIP   None            <none>        8080/TCP   2m46s
linkerd     service/linkerd-policy              ClusterIP   None            <none>        8090/TCP   2m45s
linkerd     service/linkerd-policy-validator    ClusterIP   10.96.196.143   <none>        443/TCP    2m45s
linkerd     service/linkerd-proxy-injector      ClusterIP   10.96.122.62    <none>        443/TCP    2m45s
linkerd     service/linkerd-sp-validator        ClusterIP   10.96.215.196   <none>        443/TCP    2m45s

NAMESPACE   NAME                                    SECRETS   AGE
linkerd     serviceaccount/linkerd-destination      0         2m47s
linkerd     serviceaccount/linkerd-heartbeat        0         2m46s
linkerd     serviceaccount/linkerd-identity         0         2m47s
linkerd     serviceaccount/linkerd-proxy-injector   0         2m46s

NAMESPACE   NAME                                                                                                  WEBHOOKS   AGE
            validatingwebhookconfiguration.admissionregistration.k8s.io/linkerd-policy-validator-webhook-config   1          2m47s
            validatingwebhookconfiguration.admissionregistration.k8s.io/linkerd-sp-validator-webhook-config       1          2m47s

You can see that there's a roles table, but it only includes the `linkerd-heartbeat` and `remote-discovery` roles.

How should the problem be solved?

Update the `ext-namespace-metadata-linkerd-config` Role to include this label? It seems like every other resource defined in the `linkerd-control-plane` helm chart has it.

$ grep -L linkerd.io/control-plane-ns charts/linkerd-control-plane/templates/*.yaml 
charts/linkerd-control-plane/templates/config-rbac.yaml

$ grep -l linkerd.io/control-plane-ns charts/linkerd-control-plane/templates/*.yaml
charts/linkerd-control-plane/templates/config.yaml
charts/linkerd-control-plane/templates/destination-rbac.yaml
charts/linkerd-control-plane/templates/destination.yaml
charts/linkerd-control-plane/templates/heartbeat-rbac.yaml
charts/linkerd-control-plane/templates/heartbeat.yaml
charts/linkerd-control-plane/templates/identity-rbac.yaml
charts/linkerd-control-plane/templates/identity.yaml
charts/linkerd-control-plane/templates/namespace.yaml
charts/linkerd-control-plane/templates/podmonitor.yaml
charts/linkerd-control-plane/templates/proxy-injector-rbac.yaml
charts/linkerd-control-plane/templates/proxy-injector.yaml
charts/linkerd-control-plane/templates/psp.yaml

Any alternatives you've considered?

None

How would users interact with this feature?

No response

Would you like to work on this feature?

yes

klingerf, Mar 15 '24 19:03
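
The `grep -L` check in the issue works per file, so a template that defines several resources would pass as soon as one of them carries the label. The following added example (not part of the issue or the linkerd2 repository) checks each resource in a rendered manifest instead. The sample manifest is constructed, and the function names `sample_manifest` and `unlabeled_resources` are hypothetical; the check is a line-based heuristic over top-level `metadata:` blocks, not a full YAML parser.

```shell
#!/bin/sh
# Added example: per-resource (not per-file) check for a missing label.
LABEL='linkerd.io/control-plane-ns'

# Constructed sample: one rendered file holding two Roles, only one labelled.
sample_manifest() {
  cat <<'EOF'
---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: linkerd-heartbeat
  namespace: linkerd
  labels:
    linkerd.io/control-plane-ns: linkerd
---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: ext-namespace-metadata-linkerd-config
  namespace: linkerd
EOF
}

# Reads multi-document YAML on stdin and prints Kind/name for every document
# whose top-level metadata block does not contain the label key.
unlabeled_resources() {
  awk -v label="$LABEL" '
    function emit() {
      if (kind != "" && !has) print kind "/" name
      kind = ""; name = ""; has = 0; inmeta = 0
    }
    /^---/        { emit(); next }      # document boundary
    /^kind:/      { kind = $2 }
    /^metadata:/  { inmeta = 1; next }  # enter top-level metadata
    /^[^ #]/      { inmeta = 0 }        # any other top-level key leaves it
    inmeta && name == "" && /^  name:/ { name = $2 }
    inmeta && index($0, label ":")     { has = 1 }
    END { emit() }
  '
}

# A file-level grep finds the label in this input; the per-resource
# check still reports the Role that lacks it.
sample_manifest | unlabeled_resources
```

Against a real chart, the same function can be fed the output of `helm template`, so that labels added by template helpers are visible to the check.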