linkerd · vishnarac · Apr 28, 2026
@@ -168,13 +168,11 @@ const (
 	keyKeyName                   = "tls.key"
 )
 
-// AllowedClockSkew sets the allowed skew in clock synchronization
+// DefaultAllowedClockSkew sets the allowed skew in clock synchronization
 // between the system running inject command and the node(s), being
 // based on assumed node's heartbeat interval (5 minutes) plus default TLS
 // clock skew allowance.
-//
-// TODO: Make this default value overridable, e.g. by CLI flag
-const AllowedClockSkew = 5*time.Minute + tls.DefaultClockSkewAllowance
+const DefaultAllowedClockSkew = 5*time.Minute + tls.DefaultClockSkewAllowance
 
 var linkerdHAControlPlaneComponents = []string{
 	"linkerd-destination",
@@ -393,6 +391,7 @@ func (c *Category) WithHintBaseURL(hintBaseURL string) *Category {
 // Options specifies configuration for a HealthChecker.
 type Options struct {
 	IsMainCheckCommand    bool
+	AllowedClockSkew      time.Duration
 	ControlPlaneNamespace string
 	CNINamespace          string
 	DataPlaneNamespace    string
@@ -439,6 +438,10 @@ func NewHealthChecker(categoryIDs []CategoryID, options *Options) *HealthChecker
 		Options: options,
 	}
 
+	if hc.Options != nil && hc.Options.AllowedClockSkew == 0 {
+		hc.Options.AllowedClockSkew = DefaultAllowedClockSkew
+	}
+
 	hc.categories = hc.allCategories()
 
 	checkMap := map[CategoryID]struct{}{}
@@ -2670,7 +2673,7 @@ func (hc *HealthChecker) checkClockSkew(ctx context.Context) error {
 			// we want to check only KubeletReady condition and only execute if the node is ready
 			if condition.Type == corev1.NodeReady && condition.Status == corev1.ConditionTrue {
 				since := time.Since(condition.LastHeartbeatTime.Time)
-				if (since > AllowedClockSkew) || (since < -AllowedClockSkew) {
+				if (since > hc.AllowedClockSkew) || (since < -hc.AllowedClockSkew) {
 					clockSkewNodes = append(clockSkewNodes, node.Name)
 				}
 			}

@@ -15,8 +15,17 @@ const KB = 1024
 const MB = KB * 1024
 
 // ParseScheme converts a scheme string to protobuf
-// TODO: validate scheme
 func ParseScheme(scheme string) *httpPb.Scheme {
+	// Validate and sanitize input
+	scheme = strings.TrimSpace(scheme)
+	if scheme == "" {
+		return &httpPb.Scheme{
+			Type: &httpPb.Scheme_Unregistered{
+				Unregistered: "",
+			},
+		}
+	}
+
 	value, ok := httpPb.Scheme_Registered_value[strings.ToUpper(scheme)]
 	if ok {
 		return &httpPb.Scheme{
@@ -33,8 +42,17 @@ func ParseScheme(scheme string) *httpPb.Scheme {
 }
 
 // ParseMethod converts a method string to protobuf
-// TODO: validate method
 func ParseMethod(method string) *httpPb.HttpMethod {
+	// Validate and sanitize input
+	method = strings.TrimSpace(method)
+	if method == "" {
+		return &httpPb.HttpMethod{
+			Type: &httpPb.HttpMethod_Unregistered{
+				Unregistered: "",
+			},
+		}
+	}
+
 	value, ok := httpPb.HttpMethod_Registered_value[strings.ToUpper(method)]
 	if ok {
 		return &httpPb.HttpMethod{