Possible to enforce L7 policies?


#1

I’m familiar with Kubernetes’ L3/L4 Network Policies and was wondering if it’s possible with Linkerd2 to enforce communication policies on the application level. For example, let’s say I want to declare that between the dev and the prod namespace there is no communication allowed, or, say, all pods labelled sensitive don’t have egress, by default.


#2

Yes, Linkerd would be a great way to enforce this sort of policy (and more!). We’re still designing how this would work. The current approach is to solidify service identity first (via TLS certs), with the assumption that policy should be done on top of that. We’re looking at things like OPA and SPIFFE as possible components as well.


#3

Got it, thanks for the clarification @william! So, is it fair to say that until the identity bits (along with SPIFFE/OPA) are sorted, the recommendation is to indeed use L3/L4 Network Policies to enforce communication policies. Any other suggestions for the time being? Also, if there’s a design doc for this topic, I’d be interested to review/feedback it :wink:


#4

Yes, that’s correct. Stay tuned for a design doc; that’s in progress.
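For the interim recommendation in #4, here is what the two rules asked about in #1 look like as plain Kubernetes L3/L4 NetworkPolicy objects. This is an added example, not code from the thread or from the Linkerd project. It assumes the cluster's CNI actually enforces NetworkPolicy (kubenet does not) and that the cluster operator has labelled namespaces with an `env` label (`env: dev`, `env: prod`, `env: system`); the DNS rule also assumes the usual `k8s-app: kube-dns` pod label in `kube-system`.

```yaml
# Added example (not from the thread). Assumptions: the CNI enforces
# NetworkPolicy, and namespaces carry an operator-set "env" label.
---
# 1. No traffic from the dev namespace into prod.
#    NetworkPolicy is allow-list only, so "deny dev" is written as
#    "prod pods accept ingress only from namespaces whose env label is not
#    dev". Once a policy selects a pod, everything not listed is dropped.
#    Caveats: NotIn also matches namespaces that have no env label at all,
#    and a namespaceSelector never matches non-pod sources (nodes, external
#    IPs, hostNetwork ingress controllers), so those are blocked as well.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: deny-ingress-from-dev
  namespace: prod
spec:
  podSelector: {}            # every pod in prod
  policyTypes:
  - Ingress
  ingress:
  - from:
    - namespaceSelector:
        matchExpressions:
        - key: env
          operator: NotIn
          values: ["dev"]
---
# 2. Pods labelled sensitive=true have no egress by default.
#    An Egress policy with no egress rules denies all outbound traffic.
#    That includes DNS, so name resolution fails for these pods unless a
#    separate policy re-allows it (see 3).
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: sensitive-default-deny-egress
  namespace: prod
spec:
  podSelector:
    matchLabels:
      sensitive: "true"
  policyTypes:
  - Egress
---
# 3. Optional: re-allow only DNS for the sensitive pods.
#    Policies are additive, so this union with 2 yields "DNS and nothing
#    else". Assumes kube-system is labelled env=system and the cluster DNS
#    pods carry k8s-app=kube-dns (the default for kube-dns/CoreDNS).
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: sensitive-allow-dns
  namespace: prod
spec:
  podSelector:
    matchLabels:
      sensitive: "true"
  policyTypes:
  - Egress
  egress:
  - to:
    - namespaceSelector:
        matchLabels:
          env: system
      podSelector:
        matchLabels:
          k8s-app: kube-dns
    ports:
    - protocol: UDP
      port: 53
    - protocol: TCP
      port: 53
```

Apply with `kubectl apply -f` and verify enforcement from a pod in `dev` (for example `kubectl -n dev exec <pod> -- wget -qO- --timeout=3 http://<svc>.prod`), because a cluster whose CNI ignores NetworkPolicy accepts these objects silently and enforces nothing. These rules are purely L3/L4: they match pod identity by label and IP, not by TLS identity or HTTP route, which is exactly the gap the thread is about.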


#5

I’d also be interested in where this is heading. Is there any progress on this?


#6

@eelcoh indirectly. Later this month we’ll release 2.1, which has a concept of service profiles. These allow us to attach configuration to service objects, and are the first step to specifying policy of any sort.