# Deployment "redis" as rendered after Linkerd sidecar injection: the original
# `redis` container plus an injected `linkerd-proxy` sidecar and a
# `linkerd-init` init container.
# NOTE(review): `dev-undefined` and `install-proxy-version` look like build-time
# placeholders, so this is presumably expected-output test data rather than a
# manifest meant to be applied to a cluster - confirm before reusing it.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: redis
spec:
  selector:
    matchLabels:
      app: redis
  template:
    metadata:
      annotations:
        linkerd.io/created-by: linkerd/cli dev-undefined
        linkerd.io/proxy-version: install-proxy-version
        # Presumably a SHA-256 fingerprint of the trust-anchor bundle passed in
        # LINKERD2_PROXY_IDENTITY_TRUST_ANCHORS below; it lets an operator spot
        # pods still running with an old trust root - verify how it is derived.
        linkerd.io/trust-root-sha256: 8dc603abd4e755c25c94da05abbf29b9b283a784733651020d72f97ca8ab98e4
      labels:
        app: redis
        linkerd.io/control-plane-ns: linkerd
        linkerd.io/proxy-deployment: redis
        # Empty string: no namespace is set in this manifest's metadata.
        linkerd.io/workload-ns: ""
    spec:
      # No serviceAccountName is set in this pod spec, so the pod runs as the
      # namespace's default ServiceAccount. The proxy's mesh identity is built
      # from that account (see LINKERD2_PROXY_IDENTITY_LOCAL_NAME), so every
      # workload left on the default account shares one identity.
      containers:
      - env:
        # Downward-API helper variables. Later entries reference them as
        # $(_pod_name) etc.; Kubernetes only expands references to variables
        # defined earlier in this list, so the order of entries matters.
        - name: _pod_name
          valueFrom:
            fieldRef:
              fieldPath: metadata.name
        - name: _pod_ns
          valueFrom:
            fieldRef:
              fieldPath: metadata.namespace
        - name: _pod_nodeName
          valueFrom:
            fieldRef:
              fieldPath: spec.nodeName
        - name: LINKERD2_PROXY_LOG
          value: warn,linkerd=info,trust_dns=error
        - name: LINKERD2_PROXY_LOG_FORMAT
          value: plain
        - name: LINKERD2_PROXY_DESTINATION_SVC_ADDR
          value: linkerd-dst-headless.linkerd.svc.cluster.local.:8086
        - name: LINKERD2_PROXY_DESTINATION_PROFILE_NETWORKS
          value: 10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16,fd00::/8
        - name: LINKERD2_PROXY_POLICY_SVC_ADDR
          value: linkerd-policy.linkerd.svc.cluster.local.:8090
        - name: LINKERD2_PROXY_POLICY_WORKLOAD
          value: |
            {"ns":"$(_pod_ns)", "pod":"$(_pod_name)"}
        # SECURITY: with `all-unauthenticated` the proxy accepts inbound
        # connections whether or not the client presents a mesh (mTLS)
        # identity. Access control for this workload therefore has to come from
        # explicit Linkerd policy resources or NetworkPolicy; a stricter
        # default such as `all-authenticated` or `deny` is the hardening knob.
        - name: LINKERD2_PROXY_INBOUND_DEFAULT_POLICY
          value: all-unauthenticated
        - name: LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS
          value: 10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16,fd00::/8
        - name: LINKERD2_PROXY_CONTROL_STREAM_INITIAL_TIMEOUT
          value: 3s
        - name: LINKERD2_PROXY_CONTROL_STREAM_IDLE_TIMEOUT
          value: 5m
        - name: LINKERD2_PROXY_CONTROL_STREAM_LIFETIME
          value: 1h
        - name: LINKERD2_PROXY_INBOUND_CONNECT_TIMEOUT
          value: 100ms
        - name: LINKERD2_PROXY_OUTBOUND_CONNECT_TIMEOUT
          value: 1000ms
        - name: LINKERD2_PROXY_OUTBOUND_DISCOVERY_IDLE_TIMEOUT
          value: 5s
        - name: LINKERD2_PROXY_INBOUND_DISCOVERY_IDLE_TIMEOUT
          value: 90s
        # The control (4190), admin (4191) and inbound (4143) listeners bind to
        # all addresses, while the outbound listener is loopback-only. Ports
        # 4190 and 4191 are also in the init container's
        # --inbound-ports-to-ignore list, so they are reached directly rather
        # than through the inbound proxy path; limit who can reach the admin
        # port with NetworkPolicy if its endpoints should not be cluster-wide.
        - name: LINKERD2_PROXY_CONTROL_LISTEN_ADDR
          value: '[::]:4190'
        - name: LINKERD2_PROXY_ADMIN_LISTEN_ADDR
          value: '[::]:4191'
        - name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDR
          value: 127.0.0.1:4140
        - name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDRS
          value: 127.0.0.1:4140
        - name: LINKERD2_PROXY_INBOUND_LISTEN_ADDR
          value: '[::]:4143'
        - name: LINKERD2_PROXY_INBOUND_IPS
          valueFrom:
            fieldRef:
              fieldPath: status.podIPs
        # Matches the application container's declared containerPort (6379).
        - name: LINKERD2_PROXY_INBOUND_PORTS
          value: "6379"
        - name: LINKERD2_PROXY_DESTINATION_PROFILE_SUFFIXES
          value: svc.cluster.local.
        - name: LINKERD2_PROXY_INBOUND_ACCEPT_KEEPALIVE
          value: 10000ms
        - name: LINKERD2_PROXY_OUTBOUND_CONNECT_KEEPALIVE
          value: 10000ms
        - name: LINKERD2_PROXY_INBOUND_SERVER_HTTP2_KEEP_ALIVE_INTERVAL
          value: 10s
        - name: LINKERD2_PROXY_INBOUND_SERVER_HTTP2_KEEP_ALIVE_TIMEOUT
          value: 3s
        - name: LINKERD2_PROXY_OUTBOUND_SERVER_HTTP2_KEEP_ALIVE_INTERVAL
          value: 10s
        - name: LINKERD2_PROXY_OUTBOUND_SERVER_HTTP2_KEEP_ALIVE_TIMEOUT
          value: 3s
        # Ports on which protocol detection is skipped. The list includes
        # 6379, this workload's own port, so its traffic is handled as plain
        # TCP and HTTP-level (route/method) policy cannot apply to it.
        - name: LINKERD2_PROXY_INBOUND_PORTS_DISABLE_PROTOCOL_DETECTION
          value: 25,587,3306,4444,5432,6379,9300,11211
        - name: LINKERD2_PROXY_DESTINATION_CONTEXT
          value: |
            {"ns":"$(_pod_ns)", "nodeName":"$(_pod_nodeName)", "pod":"$(_pod_name)"}
        - name: _pod_sa
          valueFrom:
            fieldRef:
              fieldPath: spec.serviceAccountName
        - name: _l5d_ns
          value: linkerd
        - name: _l5d_trustdomain
          value: cluster.local
        # Directory backed by the memory-medium emptyDir
        # `linkerd-identity-end-entity` declared under `volumes`.
        - name: LINKERD2_PROXY_IDENTITY_DIR
          value: /var/run/linkerd/identity/end-entity
        # Trust-anchor bundle: a PEM CERTIFICATE block (public material, no
        # private key). Because it is baked into the pod template, rotating
        # the trust root means re-rendering and rolling out this workload.
        - name: LINKERD2_PROXY_IDENTITY_TRUST_ANCHORS
          value: |
            -----BEGIN CERTIFICATE-----
            MIIBwTCCAWagAwIBAgIQeDZp5lDaIygQ5UfMKZrFATAKBggqhkjOPQQDAjApMScw
            JQYDVQQDEx5pZGVudGl0eS5saW5rZXJkLmNsdXN0ZXIubG9jYWwwHhcNMjAwODI4
            MDcxMjQ3WhcNMzAwODI2MDcxMjQ3WjApMScwJQYDVQQDEx5pZGVudGl0eS5saW5r
            ZXJkLmNsdXN0ZXIubG9jYWwwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARqc70Z
            l1vgw79rjB5uSITICUA6GyfvSFfcuIis7B/XFSkkwAHU5S/s1AAP+R0TX7HBWUC4
            uaG4WWsiwJKNn7mgo3AwbjAOBgNVHQ8BAf8EBAMCAQYwEgYDVR0TAQH/BAgwBgEB
            /wIBATAdBgNVHQ4EFgQU5YtjVVPfd7I7NLHsn2C26EByGV0wKQYDVR0RBCIwIIIe
            aWRlbnRpdHkubGlua2VyZC5jbHVzdGVyLmxvY2FsMAoGCCqGSM49BAMCA0kAMEYC
            IQCN7lBFLDDvjx6V0+XkjpKERRsJYf5adMvnloFl48ilJgIhANtxhndcr+QJPuC8
            vgUC0d2/9FMueIVMb+46WTCOjsqr
            -----END CERTIFICATE-----
        # File supplied by the projected `linkerd-identity-token` volume.
        - name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE
          value: /var/run/secrets/tokens/linkerd-identity-token
        - name: LINKERD2_PROXY_IDENTITY_SVC_ADDR
          value: linkerd-identity-headless.linkerd.svc.cluster.local.:8080
        # The proxy's own identity name, derived from the pod's ServiceAccount
        # and namespace: identity granularity is the ServiceAccount, not the pod.
        - name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME
          value: $(_pod_sa).$(_pod_ns).serviceaccount.identity.linkerd.cluster.local
        # Identity names the proxy expects for the control-plane services.
        # The policy service uses the same name as the destination service.
        - name: LINKERD2_PROXY_IDENTITY_SVC_NAME
          value: linkerd-identity.linkerd.serviceaccount.identity.linkerd.cluster.local
        - name: LINKERD2_PROXY_DESTINATION_SVC_NAME
          value: linkerd-destination.linkerd.serviceaccount.identity.linkerd.cluster.local
        - name: LINKERD2_PROXY_POLICY_SVC_NAME
          value: linkerd-destination.linkerd.serviceaccount.identity.linkerd.cluster.local
        # NOTE(review): `install-proxy-version` is a placeholder tag. In a real
        # manifest a mutable tag combined with IfNotPresent means a node may
        # keep running whatever image it cached; pin a version or digest.
        image: cr.l5d.io/linkerd/proxy:install-proxy-version
        imagePullPolicy: IfNotPresent
        lifecycle:
          postStart:
            exec:
              # Invoked against the admin port (4191) with a 2-minute timeout;
              # presumably waits for the proxy to become ready - confirm
              # against the linkerd-await documentation.
              command:
              - /usr/lib/linkerd/linkerd-await
              - --timeout=2m
              - --port=4191
        livenessProbe:
          httpGet:
            path: /live
            port: 4191
          initialDelaySeconds: 10
          timeoutSeconds: 1
        name: linkerd-proxy
        ports:
        - containerPort: 4143
          name: linkerd-proxy
        - containerPort: 4191
          name: linkerd-admin
        readinessProbe:
          httpGet:
            path: /ready
            port: 4191
          initialDelaySeconds: 2
          timeoutSeconds: 1
        # Sidecar hardening: no privilege escalation, read-only root
        # filesystem, non-root UID 2102 and the runtime's default seccomp
        # profile. UID 2102 is the same value passed to the init container as
        # --proxy-uid. No capabilities are dropped explicitly here.
        securityContext:
          allowPrivilegeEscalation: false
          readOnlyRootFilesystem: true
          runAsNonRoot: true
          runAsUser: 2102
          seccompProfile:
            type: RuntimeDefault
        terminationMessagePolicy: FallbackToLogsOnError
        volumeMounts:
        - mountPath: /var/run/linkerd/identity/end-entity
          name: linkerd-identity-end-entity
        - mountPath: /var/run/secrets/tokens
          name: linkerd-identity-token
      # Application container, unchanged by injection. SECURITY: the image
      # reference has no tag or digest, so what runs depends on what the
      # registry serves at pull time; and no securityContext is set, so the
      # container runs with the image's default user and writable root
      # filesystem. Pin the image and add a securityContext when adapting this.
      - image: redis
        name: redis
        ports:
        - containerPort: 6379
          name: server
      initContainers:
      # linkerd-init is passed the proxy's inbound (4143) and outbound (4140)
      # ports and its UID (2102) to set up traffic redirection for the pod.
      # SECURITY: ports listed under --inbound-ports-to-ignore and
      # --outbound-ports-to-ignore are not redirected, so traffic on them gets
      # no mTLS and no proxy policy enforcement.
      # NOTE(review): --proxy-uid presumably exempts traffic from UID 2102 from
      # redirection, so no other container should run as that UID - confirm.
      - args:
        - --ipv6=false
        - --incoming-proxy-port
        - "4143"
        - --outgoing-proxy-port
        - "4140"
        - --proxy-uid
        - "2102"
        - --inbound-ports-to-ignore
        - 4190,4191,4567,4568
        - --outbound-ports-to-ignore
        - 4567,4568
        image: cr.l5d.io/linkerd/proxy-init:v2.4.0
        imagePullPolicy: IfNotPresent
        name: linkerd-init
        resources:
          limits:
            cpu: 100m
            memory: 20Mi
          requests:
            cpu: 100m
            memory: 20Mi
        # The init container runs unprivileged as UID/GID 65534 but is granted
        # NET_ADMIN and NET_RAW, the capabilities used to rewrite the pod's
        # packet-filter rules. Clusters whose admission policy forbids added
        # capabilities will reject this pod; the Linkerd CNI plugin is the
        # alternative that moves this setup out of the workload pod.
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            add:
            - NET_ADMIN
            - NET_RAW
          privileged: false
          readOnlyRootFilesystem: true
          runAsGroup: 65534
          runAsNonRoot: true
          runAsUser: 65534
          seccompProfile:
            type: RuntimeDefault
        terminationMessagePolicy: FallbackToLogsOnError
        volumeMounts:
        # Writable /run for the xtables lock (per the volume name); needed
        # because the root filesystem is read-only.
        - mountPath: /run
          name: linkerd-proxy-init-xtables-lock
      volumes:
      - emptyDir: {}
        name: linkerd-proxy-init-xtables-lock
      # Memory-backed emptyDir mounted at the proxy's identity directory, so
      # whatever the proxy stores there is not written to node disk and is
      # discarded with the pod.
      - emptyDir:
          medium: Memory
        name: linkerd-identity-end-entity
      # Projected ServiceAccount token dedicated to the identity service: it
      # is bound to the audience `identity.l5d.io` and requested with a
      # 24-hour lifetime (86400 s), rather than reusing the pod's default
      # API-server token.
      - name: linkerd-identity-token
        projected:
          sources:
          - serviceAccountToken:
              audience: identity.l5d.io
              expirationSeconds: 86400
              path: linkerd-identity-token
---
# Deployment "nginx" as rendered after Linkerd sidecar injection: the original
# `nginx` container plus an injected `linkerd-proxy` sidecar and a
# `linkerd-init` init container.
# NOTE(review): `dev-undefined` and `install-proxy-version` look like build-time
# placeholders, so this is presumably expected-output test data rather than a
# manifest meant to be applied to a cluster - confirm before reusing it.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx
spec:
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      annotations:
        linkerd.io/created-by: linkerd/cli dev-undefined
        linkerd.io/proxy-version: install-proxy-version
        # Presumably a SHA-256 fingerprint of the trust-anchor bundle passed in
        # LINKERD2_PROXY_IDENTITY_TRUST_ANCHORS below; it lets an operator spot
        # pods still running with an old trust root - verify how it is derived.
        linkerd.io/trust-root-sha256: 8dc603abd4e755c25c94da05abbf29b9b283a784733651020d72f97ca8ab98e4
      labels:
        app: nginx
        linkerd.io/control-plane-ns: linkerd
        linkerd.io/proxy-deployment: nginx
        # Empty string: no namespace is set in this manifest's metadata.
        linkerd.io/workload-ns: ""
    spec:
      # No serviceAccountName is set in this pod spec, so the pod runs as the
      # namespace's default ServiceAccount. The proxy's mesh identity is built
      # from that account (see LINKERD2_PROXY_IDENTITY_LOCAL_NAME), so every
      # workload left on the default account shares one identity.
      containers:
      - env:
        # Downward-API helper variables. Later entries reference them as
        # $(_pod_name) etc.; Kubernetes only expands references to variables
        # defined earlier in this list, so the order of entries matters.
        - name: _pod_name
          valueFrom:
            fieldRef:
              fieldPath: metadata.name
        - name: _pod_ns
          valueFrom:
            fieldRef:
              fieldPath: metadata.namespace
        - name: _pod_nodeName
          valueFrom:
            fieldRef:
              fieldPath: spec.nodeName
        - name: LINKERD2_PROXY_LOG
          value: warn,linkerd=info,trust_dns=error
        - name: LINKERD2_PROXY_LOG_FORMAT
          value: plain
        - name: LINKERD2_PROXY_DESTINATION_SVC_ADDR
          value: linkerd-dst-headless.linkerd.svc.cluster.local.:8086
        - name: LINKERD2_PROXY_DESTINATION_PROFILE_NETWORKS
          value: 10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16,fd00::/8
        - name: LINKERD2_PROXY_POLICY_SVC_ADDR
          value: linkerd-policy.linkerd.svc.cluster.local.:8090
        - name: LINKERD2_PROXY_POLICY_WORKLOAD
          value: |
            {"ns":"$(_pod_ns)", "pod":"$(_pod_name)"}
        # SECURITY: with `all-unauthenticated` the proxy accepts inbound
        # connections whether or not the client presents a mesh (mTLS)
        # identity. Access control for this workload therefore has to come from
        # explicit Linkerd policy resources or NetworkPolicy; a stricter
        # default such as `all-authenticated` or `deny` is the hardening knob.
        - name: LINKERD2_PROXY_INBOUND_DEFAULT_POLICY
          value: all-unauthenticated
        - name: LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS
          value: 10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16,fd00::/8
        - name: LINKERD2_PROXY_CONTROL_STREAM_INITIAL_TIMEOUT
          value: 3s
        - name: LINKERD2_PROXY_CONTROL_STREAM_IDLE_TIMEOUT
          value: 5m
        - name: LINKERD2_PROXY_CONTROL_STREAM_LIFETIME
          value: 1h
        - name: LINKERD2_PROXY_INBOUND_CONNECT_TIMEOUT
          value: 100ms
        - name: LINKERD2_PROXY_OUTBOUND_CONNECT_TIMEOUT
          value: 1000ms
        - name: LINKERD2_PROXY_OUTBOUND_DISCOVERY_IDLE_TIMEOUT
          value: 5s
        - name: LINKERD2_PROXY_INBOUND_DISCOVERY_IDLE_TIMEOUT
          value: 90s
        # The control (4190), admin (4191) and inbound (4143) listeners bind to
        # all addresses, while the outbound listener is loopback-only. Ports
        # 4190 and 4191 are also in the init container's
        # --inbound-ports-to-ignore list, so they are reached directly rather
        # than through the inbound proxy path; limit who can reach the admin
        # port with NetworkPolicy if its endpoints should not be cluster-wide.
        - name: LINKERD2_PROXY_CONTROL_LISTEN_ADDR
          value: '[::]:4190'
        - name: LINKERD2_PROXY_ADMIN_LISTEN_ADDR
          value: '[::]:4191'
        - name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDR
          value: 127.0.0.1:4140
        - name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDRS
          value: 127.0.0.1:4140
        - name: LINKERD2_PROXY_INBOUND_LISTEN_ADDR
          value: '[::]:4143'
        - name: LINKERD2_PROXY_INBOUND_IPS
          valueFrom:
            fieldRef:
              fieldPath: status.podIPs
        # Matches the application container's declared containerPort (80).
        - name: LINKERD2_PROXY_INBOUND_PORTS
          value: "80"
        - name: LINKERD2_PROXY_DESTINATION_PROFILE_SUFFIXES
          value: svc.cluster.local.
        - name: LINKERD2_PROXY_INBOUND_ACCEPT_KEEPALIVE
          value: 10000ms
        - name: LINKERD2_PROXY_OUTBOUND_CONNECT_KEEPALIVE
          value: 10000ms
        - name: LINKERD2_PROXY_INBOUND_SERVER_HTTP2_KEEP_ALIVE_INTERVAL
          value: 10s
        - name: LINKERD2_PROXY_INBOUND_SERVER_HTTP2_KEEP_ALIVE_TIMEOUT
          value: 3s
        - name: LINKERD2_PROXY_OUTBOUND_SERVER_HTTP2_KEEP_ALIVE_INTERVAL
          value: 10s
        - name: LINKERD2_PROXY_OUTBOUND_SERVER_HTTP2_KEEP_ALIVE_TIMEOUT
          value: 3s
        # Ports on which protocol detection is skipped. This workload's own
        # port (80) is not in the list, so protocol detection still applies
        # to its traffic.
        - name: LINKERD2_PROXY_INBOUND_PORTS_DISABLE_PROTOCOL_DETECTION
          value: 25,587,3306,4444,5432,6379,9300,11211
        - name: LINKERD2_PROXY_DESTINATION_CONTEXT
          value: |
            {"ns":"$(_pod_ns)", "nodeName":"$(_pod_nodeName)", "pod":"$(_pod_name)"}
        - name: _pod_sa
          valueFrom:
            fieldRef:
              fieldPath: spec.serviceAccountName
        - name: _l5d_ns
          value: linkerd
        - name: _l5d_trustdomain
          value: cluster.local
        # Directory backed by the memory-medium emptyDir
        # `linkerd-identity-end-entity` declared under `volumes`.
        - name: LINKERD2_PROXY_IDENTITY_DIR
          value: /var/run/linkerd/identity/end-entity
        # Trust-anchor bundle: a PEM CERTIFICATE block (public material, no
        # private key). Because it is baked into the pod template, rotating
        # the trust root means re-rendering and rolling out this workload.
        - name: LINKERD2_PROXY_IDENTITY_TRUST_ANCHORS
          value: |
            -----BEGIN CERTIFICATE-----
            MIIBwTCCAWagAwIBAgIQeDZp5lDaIygQ5UfMKZrFATAKBggqhkjOPQQDAjApMScw
            JQYDVQQDEx5pZGVudGl0eS5saW5rZXJkLmNsdXN0ZXIubG9jYWwwHhcNMjAwODI4
            MDcxMjQ3WhcNMzAwODI2MDcxMjQ3WjApMScwJQYDVQQDEx5pZGVudGl0eS5saW5r
            ZXJkLmNsdXN0ZXIubG9jYWwwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARqc70Z
            l1vgw79rjB5uSITICUA6GyfvSFfcuIis7B/XFSkkwAHU5S/s1AAP+R0TX7HBWUC4
            uaG4WWsiwJKNn7mgo3AwbjAOBgNVHQ8BAf8EBAMCAQYwEgYDVR0TAQH/BAgwBgEB
            /wIBATAdBgNVHQ4EFgQU5YtjVVPfd7I7NLHsn2C26EByGV0wKQYDVR0RBCIwIIIe
            aWRlbnRpdHkubGlua2VyZC5jbHVzdGVyLmxvY2FsMAoGCCqGSM49BAMCA0kAMEYC
            IQCN7lBFLDDvjx6V0+XkjpKERRsJYf5adMvnloFl48ilJgIhANtxhndcr+QJPuC8
            vgUC0d2/9FMueIVMb+46WTCOjsqr
            -----END CERTIFICATE-----
        # File supplied by the projected `linkerd-identity-token` volume.
        - name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE
          value: /var/run/secrets/tokens/linkerd-identity-token
        - name: LINKERD2_PROXY_IDENTITY_SVC_ADDR
          value: linkerd-identity-headless.linkerd.svc.cluster.local.:8080
        # The proxy's own identity name, derived from the pod's ServiceAccount
        # and namespace: identity granularity is the ServiceAccount, not the pod.
        - name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME
          value: $(_pod_sa).$(_pod_ns).serviceaccount.identity.linkerd.cluster.local
        # Identity names the proxy expects for the control-plane services.
        # The policy service uses the same name as the destination service.
        - name: LINKERD2_PROXY_IDENTITY_SVC_NAME
          value: linkerd-identity.linkerd.serviceaccount.identity.linkerd.cluster.local
        - name: LINKERD2_PROXY_DESTINATION_SVC_NAME
          value: linkerd-destination.linkerd.serviceaccount.identity.linkerd.cluster.local
        - name: LINKERD2_PROXY_POLICY_SVC_NAME
          value: linkerd-destination.linkerd.serviceaccount.identity.linkerd.cluster.local
        # NOTE(review): `install-proxy-version` is a placeholder tag. In a real
        # manifest a mutable tag combined with IfNotPresent means a node may
        # keep running whatever image it cached; pin a version or digest.
        image: cr.l5d.io/linkerd/proxy:install-proxy-version
        imagePullPolicy: IfNotPresent
        lifecycle:
          postStart:
            exec:
              # Invoked against the admin port (4191) with a 2-minute timeout;
              # presumably waits for the proxy to become ready - confirm
              # against the linkerd-await documentation.
              command:
              - /usr/lib/linkerd/linkerd-await
              - --timeout=2m
              - --port=4191
        livenessProbe:
          httpGet:
            path: /live
            port: 4191
          initialDelaySeconds: 10
          timeoutSeconds: 1
        name: linkerd-proxy
        ports:
        - containerPort: 4143
          name: linkerd-proxy
        - containerPort: 4191
          name: linkerd-admin
        readinessProbe:
          httpGet:
            path: /ready
            port: 4191
          initialDelaySeconds: 2
          timeoutSeconds: 1
        # Sidecar hardening: no privilege escalation, read-only root
        # filesystem, non-root UID 2102 and the runtime's default seccomp
        # profile. UID 2102 is the same value passed to the init container as
        # --proxy-uid. No capabilities are dropped explicitly here.
        securityContext:
          allowPrivilegeEscalation: false
          readOnlyRootFilesystem: true
          runAsNonRoot: true
          runAsUser: 2102
          seccompProfile:
            type: RuntimeDefault
        terminationMessagePolicy: FallbackToLogsOnError
        volumeMounts:
        - mountPath: /var/run/linkerd/identity/end-entity
          name: linkerd-identity-end-entity
        - mountPath: /var/run/secrets/tokens
          name: linkerd-identity-token
      # Application container, unchanged by injection. SECURITY: the image
      # reference has no tag or digest, so what runs depends on what the
      # registry serves at pull time; and no securityContext is set, so the
      # container runs with the image's default user and writable root
      # filesystem. Pin the image and add a securityContext when adapting this.
      - image: nginx
        name: nginx
        ports:
        - containerPort: 80
          name: http
      initContainers:
      # linkerd-init is passed the proxy's inbound (4143) and outbound (4140)
      # ports and its UID (2102) to set up traffic redirection for the pod.
      # SECURITY: ports listed under --inbound-ports-to-ignore and
      # --outbound-ports-to-ignore are not redirected, so traffic on them gets
      # no mTLS and no proxy policy enforcement.
      # NOTE(review): --proxy-uid presumably exempts traffic from UID 2102 from
      # redirection, so no other container should run as that UID - confirm.
      - args:
        - --ipv6=false
        - --incoming-proxy-port
        - "4143"
        - --outgoing-proxy-port
        - "4140"
        - --proxy-uid
        - "2102"
        - --inbound-ports-to-ignore
        - 4190,4191,4567,4568
        - --outbound-ports-to-ignore
        - 4567,4568
        image: cr.l5d.io/linkerd/proxy-init:v2.4.0
        imagePullPolicy: IfNotPresent
        name: linkerd-init
        resources:
          limits:
            cpu: 100m
            memory: 20Mi
          requests:
            cpu: 100m
            memory: 20Mi
        # The init container runs unprivileged as UID/GID 65534 but is granted
        # NET_ADMIN and NET_RAW, the capabilities used to rewrite the pod's
        # packet-filter rules. Clusters whose admission policy forbids added
        # capabilities will reject this pod; the Linkerd CNI plugin is the
        # alternative that moves this setup out of the workload pod.
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            add:
            - NET_ADMIN
            - NET_RAW
          privileged: false
          readOnlyRootFilesystem: true
          runAsGroup: 65534
          runAsNonRoot: true
          runAsUser: 65534
          seccompProfile:
            type: RuntimeDefault
        terminationMessagePolicy: FallbackToLogsOnError
        volumeMounts:
        # Writable /run for the xtables lock (per the volume name); needed
        # because the root filesystem is read-only.
        - mountPath: /run
          name: linkerd-proxy-init-xtables-lock
      volumes:
      - emptyDir: {}
        name: linkerd-proxy-init-xtables-lock
      # Memory-backed emptyDir mounted at the proxy's identity directory, so
      # whatever the proxy stores there is not written to node disk and is
      # discarded with the pod.
      - emptyDir:
          medium: Memory
        name: linkerd-identity-end-entity
      # Projected ServiceAccount token dedicated to the identity service: it
      # is bound to the audience `identity.l5d.io` and requested with a
      # 24-hour lifetime (86400 s), rather than reusing the pod's default
      # API-server token.
      - name: linkerd-identity-token
        projected:
          sources:
          - serviceAccountToken:
              audience: identity.l5d.io
              expirationSeconds: 86400
              path: linkerd-identity-token
---