Is it possible to control who joins the mesh?

Ioannis Mavroukakis

May 12, 2017, 5:56:22 AM
to linkerd-users
Hello everyone. I've been trying to figure out where it's possible, via configuration, to allow or deny a linkerd instance to join a mesh.
In particular, given two environments, development and production, is it possible to restrict a development linkerd to join the production mesh? One solution would be to do this on a network level via firewall rules or network partitioning, but I would be interested to know if this is also doable via configuration, i.e. deny access to all linkerd nodes in a particular IP range.

Thanks for your time in advance,

Ioannis

Nicolas Marchildon

May 12, 2017, 9:33:31 AM
to Ioannis Mavroukakis, linkerd-users
Hello Ioannis.

You will be able to do that with mutual TLS authentication once it's implemented:


There seems to be great interest to have this feature. In the meantime, I believe clients can check the server certificate, so that you could avoid having them connect to a server they are not supposed to.

Another way would be to use different ports, if you can manage the configuration differences.

Nicolas

Ioannis Mavroukakis

May 12, 2017, 10:17:23 AM
to linkerd-users
Thanks Nicolas, very useful info!

