Reference documentation for AuthorizationPolicy about inter-namespace policies is incorrect

Background: I am currently trying to create an AuthorizationPolicy to solve the issue here: Prometheus metrics federation yields HTTP 403 · Issue #11050 · linkerd/linkerd2 · GitHub

Issue: I want to use opentelemetry-collector in a namespace called monitoring to scrape the Prometheus of linkerd-viz in a different namespace linkerd-viz.

1) spec.targetRef.namespace is ignored

According to the documentation here: Authorization Policy | Linkerd, the field spec.targetRef.namespace can be specified. However, the value is ignored. For example, if I create

apiVersion: policy.linkerd.io/v1alpha1
kind: AuthorizationPolicy
metadata:
  name: collector-linkerd-opentelemetry-collector
  namespace: monitoring
spec:
  requiredAuthenticationRefs:
  - kind: ServiceAccount
    name: collector-linkerd-opentelemetry-collector
  targetRef:
    group: policy.linkerd.io
    kind: Server
    name: prometheus-admin
    namespace: linkerd-viz  # <-- namespace set here

Running kubectl get authorizationpolicy -n monitoring -o yaml collector-linkerd-opentelemetry-collector reveals that spec.targetRef.namespace was ignored.

2) spec.targetRef.kind=Namespace is not allowed

I tried something else:

spec:
  targetRef:
    kind: Namespace
    name: linkerd-viz

I get an error message:

admission webhook "linkerd-policy-validator.linkerd.io" denied the request: cannot target another namespace: linkerd-viz

Thanks @jennydaman! I’ve looked into this and this is an error in the documentation. The targetRef object does not have a namespace field, which is why it appears to be ignored for you. AuthorizationPolicies cannot grant access to resources outside of their own namespace.

I’ll work on getting the docs fixed ASAP, thanks for flagging and sorry for the confusion.
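
Added example, not part of the thread or of the Linkerd docs: since an AuthorizationPolicy can only target resources in its own namespace, one way to express the cross-namespace grant is to create the policy in linkerd-viz next to the Server and name the client's namespace on the authentication reference instead. It assumes the collector pod is meshed and runs as the ServiceAccount collector-linkerd-opentelemetry-collector in monitoring, and it relies on the optional namespace field of requiredAuthenticationRefs entries.

```yaml
# Added example (not from the thread). Assumption: the collector is meshed and
# runs as ServiceAccount collector-linkerd-opentelemetry-collector in "monitoring".
apiVersion: policy.linkerd.io/v1alpha1
kind: AuthorizationPolicy
metadata:
  name: collector-linkerd-opentelemetry-collector
  namespace: linkerd-viz          # must match the namespace of the target Server
spec:
  targetRef:
    group: policy.linkerd.io
    kind: Server
    name: prometheus-admin        # resolved in metadata.namespace; targetRef has no namespace field
  requiredAuthenticationRefs:
  - kind: ServiceAccount
    name: collector-linkerd-opentelemetry-collector
    namespace: monitoring         # the client's namespace is set here, on the authentication ref
```

With this layout the grant is owned by whoever can write policies in linkerd-viz, so the namespace exposing the Server decides which outside identities may reach it.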