Background: I am currently trying to create an AuthorizationPolicy to solve the issue here: Prometheus metrics federation yields HTTP 403 · Issue #11050 · linkerd/linkerd2 · GitHub
Issue: I want to use opentelemetry-collector in a namespace called monitoring to scrape the Prometheus of linkerd-viz in a different namespace, linkerd-viz.
1) spec.targetRef.namespace is ignored
According to the documentation here: Authorization Policy | Linkerd, the field spec.targetRef.namespace can be specified. However, the value is ignored. For example, if I create

    apiVersion: policy.linkerd.io/v1alpha1
    kind: AuthorizationPolicy
    metadata:
      name: collector-linkerd-opentelemetry-collector
      namespace: monitoring
    spec:
      requiredAuthenticationRefs:
        - kind: ServiceAccount
          name: collector-linkerd-opentelemetry-collector
      targetRef:
        group: policy.linkerd.io
        kind: Server
        name: prometheus-admin
        namespace: linkerd-viz # <-- namespace set here

Running kubectl get authorizationpolicy -n monitoring -o yaml collector-linkerd-opentelemetry-collector reveals that spec.targetRef.namespace was ignored.
2) spec.targetRef.kind=Namespace is not allowed
I tried something else:

    spec:
      targetRef:
        kind: Namespace
        name: linkerd-viz

I get an error message:
admission webhook "linkerd-policy-validator.linkerd.io" denied the request: cannot target another namespace: linkerd-viz
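
Added example, not part of the original post and not Linkerd's own manifest: since the webhook rejects a targetRef outside the policy's own namespace, one arrangement is to create the policy in linkerd-viz, beside the prometheus-admin Server, and point the authentication reference across namespaces instead. It assumes that requiredAuthenticationRefs entries accept a namespace field for ServiceAccount references and that the collector pod in monitoring is meshed, so it presents that ServiceAccount's identity over mTLS.

```yaml
# Assumption: the collector in "monitoring" runs with the Linkerd proxy injected,
# so its ServiceAccount identity is what the prometheus-admin Server sees.
apiVersion: policy.linkerd.io/v1alpha1
kind: AuthorizationPolicy
metadata:
  name: collector-linkerd-opentelemetry-collector
  # The policy lives in the same namespace as the Server it targets.
  namespace: linkerd-viz
spec:
  targetRef:
    group: policy.linkerd.io
    kind: Server
    name: prometheus-admin
  requiredAuthenticationRefs:
    - kind: ServiceAccount
      name: collector-linkerd-opentelemetry-collector
      # Assumption: cross-namespace reference to the client's ServiceAccount.
      namespace: monitoring
```

This grants access to the single named ServiceAccount on the single named Server, rather than opening the whole linkerd-viz namespace to clients from monitoring.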