
fix(policy-controller)!: Disallow requests to undefined service ports

Open adleong opened this issue 7 months ago • 0 comments

Fixes https://github.com/linkerd/linkerd2/issues/13922

When a meshed client attempts to connect to a clusterIP Service on a port that is not present in that service's spec, Linkerd allows that connection through anyway. This is in contrast to bare kube-proxy behavior where only the ports defined in the service spec are forwarded to the service endpoints.

We update the policy-controller to return an opaque route with a forbidden filter for such connections. This causes the outbound Linkerd proxy to immediately reset the connection if a client attempts to connect to a port not defined in the service spec.

This shows up in Linkerd proxy metrics as a Forbidden error with the "undefined-port" synthetic route:

outbound_tcp_route_close_total{
	parent_group="core",
	parent_kind="Service",
	parent_namespace="default",
	parent_name="nginx",
	parent_port="80",
	parent_section_name="",
	route_group="",
	route_kind="default",
	route_namespace="",
	route_name="undefined-port",
	target_ip="",
	target_port="80",
	error="forbidden"
} 1
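The change described above makes a client hitting an undefined Service port visible as a Forbidden close on the synthetic "undefined-port" route, so the natural operational follow-up is to watch for that label combination in a proxy scrape. The following is an added example, not Linkerd's own code: a small Rust parser for the Prometheus text-format samples the proxy exposes (label sets may be spread over several lines, as in the sample above) and a report that aggregates forbidden closes on the "undefined-port" route per Service and port. The scrape it runs on is constructed for the example; the second and third samples (a port 8080 close and an allowed close on a route named "tcp") are assumptions, not output captured from a real proxy.

```rust
use std::collections::{BTreeMap, HashMap};

/// One sample from a Prometheus text-format scrape.
#[derive(Debug, Clone, PartialEq)]
pub struct Sample {
    pub name: String,
    pub labels: HashMap<String, String>,
    pub value: f64,
}

/// Constructed scrape: the sample from the PR description, plus two
/// assumed samples (an undefined-port close on 8080 and an allowed close).
pub const SAMPLE_SCRAPE: &str = r#"
# HELP outbound_tcp_route_close_total Connections closed on an outbound TCP route
outbound_tcp_route_close_total{
    parent_group="core",
    parent_kind="Service",
    parent_namespace="default",
    parent_name="nginx",
    parent_port="80",
    parent_section_name="",
    route_group="",
    route_kind="default",
    route_namespace="",
    route_name="undefined-port",
    target_ip="",
    target_port="80",
    error="forbidden"
} 1
outbound_tcp_route_close_total{parent_group="core",parent_kind="Service",parent_namespace="default",parent_name="nginx",parent_port="8080",route_kind="default",route_name="undefined-port",error="forbidden"} 3
outbound_tcp_route_close_total{parent_group="core",parent_kind="Service",parent_namespace="default",parent_name="nginx",parent_port="80",route_kind="default",route_name="tcp",error=""} 42
"#;

/// Parse every sample in a text-format scrape. Comment lines are skipped and
/// a label block that spans several lines is joined before parsing.
pub fn parse_samples(text: &str) -> Vec<Sample> {
    let mut samples = Vec::new();
    let mut buf = String::new();
    let mut depth = 0i32;
    for line in text.lines() {
        let line = line.trim();
        if line.is_empty() || line.starts_with('#') {
            continue;
        }
        buf.push_str(line);
        depth += line.matches('{').count() as i32 - line.matches('}').count() as i32;
        if depth <= 0 {
            if let Some(s) = parse_one(&buf) {
                samples.push(s);
            }
            buf.clear();
            depth = 0;
        }
    }
    samples
}

/// Parse `name{labels} value [timestamp]` or `name value [timestamp]`.
fn parse_one(s: &str) -> Option<Sample> {
    let ((name, label_str), rest) = match (s.find('{'), s.rfind('}')) {
        (Some(o), Some(c)) if o < c => ((&s[..o], &s[o + 1..c]), &s[c + 1..]),
        _ => {
            let mut it = s.splitn(2, char::is_whitespace);
            ((it.next()?, ""), it.next().unwrap_or(""))
        }
    };
    let value: f64 = rest.split_whitespace().next()?.parse().ok()?;
    Some(Sample { name: name.trim().to_string(), labels: parse_labels(label_str), value })
}

/// Parse `key="value",key="value"` pairs; values may contain `\"` and `\n`.
fn parse_labels(s: &str) -> HashMap<String, String> {
    let mut labels = HashMap::new();
    let mut chars = s.chars().peekable();
    loop {
        while matches!(chars.peek(), Some(c) if c.is_whitespace() || *c == ',') {
            chars.next();
        }
        let mut key = String::new();
        while let Some(&c) = chars.peek() {
            if c == '=' {
                break;
            }
            key.push(c);
            chars.next();
        }
        if key.is_empty() {
            break;
        }
        chars.next(); // consume '='
        if chars.next() != Some('"') {
            break; // malformed label; stop rather than guess
        }
        let mut val = String::new();
        loop {
            match chars.next() {
                Some('\\') => {
                    if let Some(e) = chars.next() {
                        val.push(if e == 'n' { '\n' } else { e });
                    }
                }
                Some('"') | None => break,
                Some(c) => val.push(c),
            }
        }
        labels.insert(key.trim().to_string(), val);
    }
    labels
}

/// Sum forbidden closes on the synthetic "undefined-port" route, keyed by
/// (parent_namespace, parent_name, parent_port) of the Service.
pub fn undefined_port_closes(samples: &[Sample]) -> BTreeMap<(String, String, String), f64> {
    let mut out = BTreeMap::new();
    for s in samples {
        if s.name != "outbound_tcp_route_close_total" {
            continue;
        }
        let l = |k: &str| s.labels.get(k).map(String::as_str).unwrap_or("");
        if l("parent_kind") != "Service" || l("route_name") != "undefined-port" || l("error") != "forbidden" {
            continue;
        }
        let key = (l("parent_namespace").to_string(), l("parent_name").to_string(), l("parent_port").to_string());
        *out.entry(key).or_insert(0.0) += s.value;
    }
    out
}

fn main() {
    for ((ns, svc, port), n) in undefined_port_closes(&parse_samples(SAMPLE_SCRAPE)) {
        println!("{ns}/{svc}:{port} forbidden closes on undefined port: {n}");
    }
}
```

Run against a real scrape, a non-zero entry means a meshed client is dialing a port the Service does not declare; because the proxy resets those connections immediately, the fix is on the client or the Service spec, not the proxy.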

adleong · Jun 17 '25 23:06