# Deployment "nginx" whose pod template carries a Linkerd sidecar: the
# `linkerd-proxy` container, the `linkerd-init` init container and the
# application container `nginx`.
# NOTE(review): `dev-undefined` and `install-proxy-version` look like build/test
# placeholders rather than release versions - confirm before using this as a
# deployable manifest.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx
spec:
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      annotations:
        linkerd.io/created-by: linkerd/cli dev-undefined
        linkerd.io/proxy-version: install-proxy-version
        # Presumably a SHA-256 digest of the trust anchor passed to the proxy in
        # LINKERD2_PROXY_IDENTITY_TRUST_ANCHORS below; the two should be rotated
        # together - TODO confirm how the digest is computed.
        linkerd.io/trust-root-sha256: 8dc603abd4e755c25c94da05abbf29b9b283a784733651020d72f97ca8ab98e4
      labels:
        app: nginx
        linkerd.io/control-plane-ns: linkerd
        linkerd.io/proxy-deployment: nginx
        # Empty here; metadata above sets no namespace either.
        linkerd.io/workload-ns: ""
    spec:
      containers:
      # --- Sidecar: linkerd-proxy ------------------------------------------
      - env:
        # Helper variables filled from the downward API; later entries reference
        # them with Kubernetes $(VAR) expansion.
        - name: _pod_name
          valueFrom:
            fieldRef:
              fieldPath: metadata.name
        - name: _pod_ns
          valueFrom:
            fieldRef:
              fieldPath: metadata.namespace
        - name: _pod_nodeName
          valueFrom:
            fieldRef:
              fieldPath: spec.nodeName
        - name: LINKERD2_PROXY_LOG
          value: warn,linkerd=info,trust_dns=error
        - name: LINKERD2_PROXY_LOG_FORMAT
          value: plain
        - name: LINKERD2_PROXY_DESTINATION_SVC_ADDR
          value: linkerd-dst-headless.linkerd.svc.cluster.local.:8086
        # Covers all RFC 1918 space plus 100.64.0.0/10 and fd00::/8, not one
        # cluster's pod/service CIDRs.
        - name: LINKERD2_PROXY_DESTINATION_PROFILE_NETWORKS
          value: 10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16,fd00::/8
        - name: LINKERD2_PROXY_POLICY_SVC_ADDR
          value: linkerd-policy.linkerd.svc.cluster.local.:8090
        - name: LINKERD2_PROXY_POLICY_WORKLOAD
          value: |
            {"ns":"$(_pod_ns)", "pod":"$(_pod_name)"}
        # NOTE(review): all-unauthenticated admits inbound connections that
        # present no mesh identity (no mTLS), so by itself the proxy does not
        # authenticate callers. Workloads that need caller authentication should
        # use a stricter default (e.g. all-authenticated or deny) or attach
        # Server / AuthorizationPolicy resources.
        - name: LINKERD2_PROXY_INBOUND_DEFAULT_POLICY
          value: all-unauthenticated
        # Same broad private ranges as the profile networks above.
        # NOTE(review): if "cluster-*" policies are used, presumably these ranges
        # decide what counts as in-cluster; narrow them to the real CIDRs - TODO
        # confirm.
        - name: LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS
          value: 10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16,fd00::/8
        - name: LINKERD2_PROXY_CONTROL_STREAM_INITIAL_TIMEOUT
          value: 3s
        - name: LINKERD2_PROXY_CONTROL_STREAM_IDLE_TIMEOUT
          value: 5m
        - name: LINKERD2_PROXY_CONTROL_STREAM_LIFETIME
          value: 1h
        - name: LINKERD2_PROXY_INBOUND_CONNECT_TIMEOUT
          value: 100ms
        - name: LINKERD2_PROXY_OUTBOUND_CONNECT_TIMEOUT
          value: 1000ms
        - name: LINKERD2_PROXY_OUTBOUND_DISCOVERY_IDLE_TIMEOUT
          value: 5s
        - name: LINKERD2_PROXY_INBOUND_DISCOVERY_IDLE_TIMEOUT
          value: 90s
        # Control (4190), admin (4191) and inbound (4143) listeners bind every
        # interface, so they are reachable on the pod IP; the outbound listener
        # (4140) is loopback-only. Port 4191 also serves the /live and /ready
        # probes below and is excluded from redirection by linkerd-init, so
        # restrict it with a NetworkPolicy if its output is considered sensitive.
        - name: LINKERD2_PROXY_CONTROL_LISTEN_ADDR
          value: '[::]:4190'
        - name: LINKERD2_PROXY_ADMIN_LISTEN_ADDR
          value: '[::]:4191'
        - name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDR
          value: 127.0.0.1:4140
        - name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDRS
          value: 127.0.0.1:4140
        - name: LINKERD2_PROXY_INBOUND_LISTEN_ADDR
          value: '[::]:4143'
        - name: LINKERD2_PROXY_INBOUND_IPS
          valueFrom:
            fieldRef:
              fieldPath: status.podIPs
        # Matches the nginx container's declared containerPort (80).
        - name: LINKERD2_PROXY_INBOUND_PORTS
          value: "80"
        - name: LINKERD2_PROXY_DESTINATION_PROFILE_SUFFIXES
          value: svc.cluster.local.
        - name: LINKERD2_PROXY_INBOUND_ACCEPT_KEEPALIVE
          value: 10000ms
        - name: LINKERD2_PROXY_OUTBOUND_CONNECT_KEEPALIVE
          value: 10000ms
        - name: LINKERD2_PROXY_INBOUND_SERVER_HTTP2_KEEP_ALIVE_INTERVAL
          value: 10s
        - name: LINKERD2_PROXY_INBOUND_SERVER_HTTP2_KEEP_ALIVE_TIMEOUT
          value: 3s
        - name: LINKERD2_PROXY_OUTBOUND_SERVER_HTTP2_KEEP_ALIVE_INTERVAL
          value: 10s
        - name: LINKERD2_PROXY_OUTBOUND_SERVER_HTTP2_KEEP_ALIVE_TIMEOUT
          value: 3s
        # Inbound ports on which the proxy skips protocol detection.
        - name: LINKERD2_PROXY_INBOUND_PORTS_DISABLE_PROTOCOL_DETECTION
          value: 25,587,3306,4444,5432,6379,9300,11211
        - name: LINKERD2_PROXY_DESTINATION_CONTEXT
          value: |
            {"ns":"$(_pod_ns)", "nodeName":"$(_pod_nodeName)", "pod":"$(_pod_name)"}
        - name: _pod_sa
          valueFrom:
            fieldRef:
              fieldPath: spec.serviceAccountName
        - name: _l5d_ns
          value: linkerd
        - name: _l5d_trustdomain
          value: cluster.local
        # Same path as the in-memory emptyDir mount `linkerd-identity-end-entity`.
        - name: LINKERD2_PROXY_IDENTITY_DIR
          value: /var/run/linkerd/identity/end-entity
        # Trust anchor as a PEM certificate only; no private key appears in this
        # manifest. Changing it changes which identity issuer the proxy accepts.
        - name: LINKERD2_PROXY_IDENTITY_TRUST_ANCHORS
          value: |
            -----BEGIN CERTIFICATE-----
            MIIBwTCCAWagAwIBAgIQeDZp5lDaIygQ5UfMKZrFATAKBggqhkjOPQQDAjApMScw
            JQYDVQQDEx5pZGVudGl0eS5saW5rZXJkLmNsdXN0ZXIubG9jYWwwHhcNMjAwODI4
            MDcxMjQ3WhcNMzAwODI2MDcxMjQ3WjApMScwJQYDVQQDEx5pZGVudGl0eS5saW5r
            ZXJkLmNsdXN0ZXIubG9jYWwwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARqc70Z
            l1vgw79rjB5uSITICUA6GyfvSFfcuIis7B/XFSkkwAHU5S/s1AAP+R0TX7HBWUC4
            uaG4WWsiwJKNn7mgo3AwbjAOBgNVHQ8BAf8EBAMCAQYwEgYDVR0TAQH/BAgwBgEB
            /wIBATAdBgNVHQ4EFgQU5YtjVVPfd7I7NLHsn2C26EByGV0wKQYDVR0RBCIwIIIe
            aWRlbnRpdHkubGlua2VyZC5jbHVzdGVyLmxvY2FsMAoGCCqGSM49BAMCA0kAMEYC
            IQCN7lBFLDDvjx6V0+XkjpKERRsJYf5adMvnloFl48ilJgIhANtxhndcr+QJPuC8
            vgUC0d2/9FMueIVMb+46WTCOjsqr
            -----END CERTIFICATE-----
        # Token file inside the projected `linkerd-identity-token` volume (see
        # volumes: audience identity.l5d.io, 86400 s expiry).
        - name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE
          value: /var/run/secrets/tokens/linkerd-identity-token
        - name: LINKERD2_PROXY_IDENTITY_SVC_ADDR
          value: linkerd-identity-headless.linkerd.svc.cluster.local.:8080
        # The proxy's identity name is built from the pod's service account and
        # namespace, so pods sharing a service account share this name.
        - name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME
          value: $(_pod_sa).$(_pod_ns).serviceaccount.identity.linkerd.cluster.local
        - name: LINKERD2_PROXY_IDENTITY_SVC_NAME
          value: linkerd-identity.linkerd.serviceaccount.identity.linkerd.cluster.local
        - name: LINKERD2_PROXY_DESTINATION_SVC_NAME
          value: linkerd-destination.linkerd.serviceaccount.identity.linkerd.cluster.local
        # NOTE(review): the policy service is expected to present the
        # linkerd-destination identity although its address above is
        # linkerd-policy; presumably both are served by the same workload - confirm.
        - name: LINKERD2_PROXY_POLICY_SVC_NAME
          value: linkerd-destination.linkerd.serviceaccount.identity.linkerd.cluster.local
        # Referenced by tag, not by digest; with IfNotPresent an image already
        # cached on the node under this tag is reused without a registry check.
        image: cr.l5d.io/linkerd/proxy:install-proxy-version
        imagePullPolicy: IfNotPresent
        lifecycle:
          postStart:
            exec:
              command:
              - /usr/lib/linkerd/linkerd-await
              - --timeout=2m
              - --port=4191
        livenessProbe:
          httpGet:
            path: /live
            port: 4191
          initialDelaySeconds: 10
          timeoutSeconds: 1
        name: linkerd-proxy
        ports:
        - containerPort: 4143
          name: linkerd-proxy
        - containerPort: 4191
          name: linkerd-admin
        readinessProbe:
          httpGet:
            path: /ready
            port: 4191
          initialDelaySeconds: 2
          timeoutSeconds: 1
        # Hardened context: no privilege escalation, read-only root filesystem,
        # non-root UID 2102 (the UID passed to linkerd-init as --proxy-uid) and
        # the runtime's default seccomp profile.
        # NOTE(review): no `capabilities.drop` and no `resources` are set on this
        # container.
        securityContext:
          allowPrivilegeEscalation: false
          readOnlyRootFilesystem: true
          runAsNonRoot: true
          runAsUser: 2102
          seccompProfile:
            type: RuntimeDefault
        terminationMessagePolicy: FallbackToLogsOnError
        volumeMounts:
        - mountPath: /var/run/linkerd/identity/end-entity
          name: linkerd-identity-end-entity
        - mountPath: /var/run/secrets/tokens
          name: linkerd-identity-token
      # --- Application container -------------------------------------------
      # NOTE(review): `image: nginx` has no tag or digest, so it resolves to
      # whatever `latest` is at pull time; pin a version or digest for
      # reproducible, auditable deployments. The container also declares no
      # securityContext and no resources, so none of the sidecar's hardening
      # (read-only root, runAsNonRoot, seccomp, no privilege escalation)
      # applies to it.
      - image: nginx
        name: nginx
        ports:
        - containerPort: 80
          name: http
      initContainers:
      # --- Init container: linkerd-init --------------------------------------
      # Presumably installs the packet-redirection rules that send pod traffic
      # through the proxy ports named in the arguments - TODO confirm.
      - args:
        - --ipv6=false
        - --incoming-proxy-port
        - "4143"
        - --outgoing-proxy-port
        - "4140"
        # Same UID as the proxy container's runAsUser.
        - --proxy-uid
        - "2102"
        # 4190/4191 are the proxy's own control/admin listeners. 4567 and 4568
        # are ignored in both directions.
        # NOTE(review): traffic on ignored ports presumably bypasses the proxy
        # and therefore gets no mesh mTLS or policy enforcement; protect those
        # ports by other means if they are in use.
        - --inbound-ports-to-ignore
        - 4190,4191,4567,4568
        - --outbound-ports-to-ignore
        - 4567,4568
        image: cr.l5d.io/linkerd/proxy-init:v2.4.0
        imagePullPolicy: IfNotPresent
        name: linkerd-init
        resources:
          limits:
            cpu: 100m
            memory: 20Mi
          requests:
            cpu: 100m
            memory: 20Mi
        # Not privileged and runs as UID/GID 65534, but adds NET_ADMIN and
        # NET_RAW. These capabilities allow changing the pod's network
        # configuration, so admission policies must explicitly permit them for
        # this container; keep the grant limited to the init container.
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            add:
            - NET_ADMIN
            - NET_RAW
          privileged: false
          readOnlyRootFilesystem: true
          runAsGroup: 65534
          runAsNonRoot: true
          runAsUser: 65534
          seccompProfile:
            type: RuntimeDefault
        terminationMessagePolicy: FallbackToLogsOnError
        # Writable emptyDir at /run; presumably needed for the xtables lock file
        # because the root filesystem is read-only.
        volumeMounts:
        - mountPath: /run
          name: linkerd-proxy-init-xtables-lock
      volumes:
      - emptyDir: {}
        name: linkerd-proxy-init-xtables-lock
      # medium: Memory keeps this volume in tmpfs rather than on node disk; it
      # backs LINKERD2_PROXY_IDENTITY_DIR, presumably the proxy's issued
      # certificate and key.
      - emptyDir:
          medium: Memory
        name: linkerd-identity-end-entity
      # Projected service-account token bound to the audience identity.l5d.io
      # and expiring after 86400 seconds, separate from the pod's default token.
      - name: linkerd-identity-token
        projected:
          sources:
          - serviceAccountToken:
              audience: identity.l5d.io
              expirationSeconds: 86400
              path: linkerd-identity-token
---