Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add header to HTTP requests to indicate linkerd client ID #4647

Closed
plwhite opened this issue Jun 22, 2020 · 5 comments
Closed

Add header to HTTP requests to indicate linkerd client ID #4647

plwhite opened this issue Jun 22, 2020 · 5 comments
Labels
area/cli area/controller area/proxy help wanted
Projects
Help Wanted

Comments

@plwhite
Copy link

plwhite commented Jun 22, 2020

Feature Request

What problem are you trying to solve?

We'd like applications to be able to verify what other applications are contacting them, knowing that linkerd has verified them. This allows the application of access control and a stronger debugging story.

How should the problem be solved?

Ideally, headers would be added to HTTP requests that indicate what service sent this request, for the application of access restrictions.

This could in principle be multi-valued (so would show that the request went to service A, then service B, before arriving at service C). This would help debugging, though I suspect it would be rather too easy to spoof headers for this to add much security.

There are security implications to this, so this would have to be configurable, and probably disabled by default.

Any alternatives you've considered?

Much of the access control logic could be done via SMI features (i.e. Traffic Access Control).

However, it would still be valuable to be able to apply more fine grained control in the application and to log the remote service for debug purposes.

How would users interact with this feature?

The primary use cases I can think of are the following.

  • Implementing basic access restrictions in the application, pending full SMI access control.

  • Implementing more subtle and detailed access control (e.g. requests from service A are trusted, while requests from service B are not).

  • Logging of where remote traffic arrived from for debugging purposes.
@grampelberg
Copy link
Contributor

This could in principle be multi-valued (so would show that the request went to service A, then service B, before arriving at service C).

This would also require your application propagating the headers.

WDYT about making this an opt-in feature that's configured as an injection flag?

@grampelberg grampelberg added this to To do in Help Wanted via automation Jun 22, 2020
@plwhite
Copy link
Author

plwhite commented Jun 23, 2020

I'd be very happy with this as an opt-in feature with an injection flag. Am I right in saying that injection flags could be at any level, i.e. at pod level or at namespace level?

@grampelberg
Copy link
Contributor

Yup, where "any level" = pod or namespace.

@glenjamin glenjamin mentioned this issue Dec 11, 2020
Closed
@olix0r
Copy link
Member

olix0r commented Sep 30, 2021

Inbound proxies now add an l5d-client-id header for requests transported via mTLS. This is available in today's stable-2.11.0 release.

@olix0r olix0r closed this as completed Sep 30, 2021
Help Wanted automation moved this from To do to Done Sep 30, 2021
@plwhite
Copy link
Author

plwhite commented Oct 4, 2021

Great - looks ideal, thanks

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Nov 4, 2021
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
area/cli area/controller area/proxy help wanted
Projects
Help Wanted
  
Done
Milestone
No milestone
Development

No branches or pull requests
3 participants
@grampelberg @olix0r @plwhite