This repository has been archived by the owner on Sep 30, 2021. It is now read-only.
My thoughts on some of the open questions #2
mateiidavid started this conversation in General
Replies: 0 comments
Following in @adleong's footsteps, I thought I'd start a discussion to express some thoughts. Fortunately, nothing really stands out to me. I think the design doc makes sense and I had a bit of a play with the policies to see what would happen conceptually.
With that being said, there are some open questions to address.
Q: What should we call the API group? polixy is a placeholder (policy + olix0r). We should change this to something a bit more concrete. This name should probably match the controller's name.
A: Is authz too basic? (linkerd-authz-controller).
Q: Do we want to stick with a controller written in Rust? Or would it be better to re-implement this with client-go?
A: Not sure how the rest of the team feels but I'd be pretty excited to get some hands on experience with Rust. I'm hoping I'll be quick to pick it up.
Q: What Linkerd CLI tools do we need to interact with policies?
A: I just posted in a separate discussion a question about the networks field.
In the same spirit, since a policy may include a whole pod CIDR block, would it be a good user experience to display which nodes in the cluster are allowed to communicate with the server?
Something that I again think would be useful (and might be obvious) is to list the ACL for a given server; something similar to what the client is doing.
I'm not sure how useful this would be, but perhaps a CLI tool that lists TLS requirements, or, even more simply, which servers allow unauthenticated connections.
Q: How do policies interact with the multi-cluster gateway?
A: So, I don't really have an answer for this, but having worked on multicluster for a while now, it is something that I'm interested in. Since there is an extra hop, would we want to check policies on the gateway? Would servers in this case have to allow traffic from the gateway implicitly? (In my mind this wouldn't be desirable, since it's hard to know where the traffic comes from past the gateway.) Interested to see what the rest think here!
Anyway, these are some quick thoughts after trying it out today. Curious what the rest think!