-
Notifications
You must be signed in to change notification settings - Fork 1.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Support for resources opting-out of tap #2807
Conversation
Fixes #2778 Signed-off-by: Alejandro Pedraza <alejandro@buoyant.io>
Integration test results for ecd598f: success 🎉 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
looks good! left a couple tioli comments. 🚢 👍
flags.BoolVar( | ||
&options.disableTap, "disable-tap", options.disableTap, | ||
"Disables resources from from being tapped", | ||
) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
until the proxy supports it, should we do flags.MarkHidden("disable-tap")
? maybe reference a Github issue in a comment for the proxy change? or, since the control-plane is also filtering, maybe this is ok?
related: does this mean both the control-plane and the proxy will independently guard against tapping?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
As is, tapping gets disabled through the control plane API, but that doesn't disallow someone hitting directly the proxy. I think it makes sense to mark the flag hidden in the meantime.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Created #2811 to track proxy-side work
…tappable Signed-off-by: Alejandro Pedraza <alejandro@buoyant.io>
Signed-off-by: Alejandro Pedraza <alejandro@buoyant.io>
Integration test results for a6d3528: success 🎉 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
⭐ very nice 🚫 👞
Fixes #2778
This one is just for the control-plane side of things.
The env var injected into the sidecar proxy was labeled
LINKERD2_PROXY_TAP_DISABLED
.