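# Pod manifest for the emojivoto `vote-bot` workload after Linkerd sidecar
# injection. The linkerd.io/* annotations and the proxy image tag carry test
# placeholders (`dev-undefined`, `test-inject-proxy-version`), so read this as
# an injector fixture rather than a manifest to deploy as-is.
#
# Layout: containers[0] is the injected linkerd-proxy sidecar, containers[1]
# is the application, initContainers[0] programs the iptables redirection,
# and the volumes back the proxy's identity material.
apiVersion: v1
kind: Pod
metadata:
  annotations:
    linkerd.io/created-by: linkerd/cli dev-undefined
    linkerd.io/proxy-version: test-inject-proxy-version
    # NOTE(review): by its name, a SHA-256 fingerprint of the trust root given
    # in LINKERD2_PROXY_IDENTITY_TRUST_ANCHORS below; the two should be checked
    # against each other after any trust-anchor rotation.
    linkerd.io/trust-root-sha256: 8dc603abd4e755c25c94da05abbf29b9b283a784733651020d72f97ca8ab98e4
  labels:
    app: vote-bot
    linkerd.io/control-plane-ns: linkerd
    linkerd.io/workload-ns: emojivoto
  name: vote-bot
  namespace: emojivoto
spec:
  containers:
  # --- Injected sidecar: linkerd-proxy ------------------------------------
  - env:
    # Downward-API values; later entries reference them as $(_pod_name),
    # $(_pod_ns) and $(_pod_nodeName).
    - name: _pod_name
      valueFrom:
        fieldRef:
          fieldPath: metadata.name
    - name: _pod_ns
      valueFrom:
        fieldRef:
          fieldPath: metadata.namespace
    - name: _pod_nodeName
      valueFrom:
        fieldRef:
          fieldPath: spec.nodeName
    - name: LINKERD2_PROXY_LOG
      value: warn,linkerd=info,trust_dns=error
    - name: LINKERD2_PROXY_LOG_FORMAT
      value: plain
    - name: LINKERD2_PROXY_DESTINATION_SVC_ADDR
      value: linkerd-dst-headless.linkerd.svc.cluster.local.:8086
    - name: LINKERD2_PROXY_DESTINATION_PROFILE_NETWORKS
      value: 10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16,fd00::/8
    - name: LINKERD2_PROXY_POLICY_SVC_ADDR
      value: linkerd-policy.linkerd.svc.cluster.local.:8090
    - name: LINKERD2_PROXY_POLICY_WORKLOAD
      value: |
        {"ns":"$(_pod_ns)", "pod":"$(_pod_name)"}
    # Security-relevant default: inbound connections are admitted without an
    # mTLS client identity unless a more specific policy applies to the port.
    # Linkerd also offers stricter defaults (all-authenticated,
    # cluster-authenticated, deny); with this value, authorization depends
    # entirely on explicit policy resources for the workload.
    - name: LINKERD2_PROXY_INBOUND_DEFAULT_POLICY
      value: all-unauthenticated
    # NOTE(review): by its name, the set of source networks treated as
    # "in-cluster" by cluster-scoped policies. These are the full private
    # ranges plus 100.64.0.0/10 and fd00::/8, which may be wider than the
    # cluster's real pod/node CIDRs -- confirm before relying on cluster-*
    # policies.
    - name: LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS
      value: 10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16,fd00::/8
    - name: LINKERD2_PROXY_CONTROL_STREAM_INITIAL_TIMEOUT
      value: 3s
    - name: LINKERD2_PROXY_CONTROL_STREAM_IDLE_TIMEOUT
      value: 5m
    - name: LINKERD2_PROXY_CONTROL_STREAM_LIFETIME
      value: 1h
    - name: LINKERD2_PROXY_INBOUND_CONNECT_TIMEOUT
      value: 100ms
    - name: LINKERD2_PROXY_OUTBOUND_CONNECT_TIMEOUT
      value: 1000ms
    - name: LINKERD2_PROXY_OUTBOUND_DISCOVERY_IDLE_TIMEOUT
      value: 5s
    - name: LINKERD2_PROXY_INBOUND_DISCOVERY_IDLE_TIMEOUT
      value: 90s
    # The control (4190) and admin (4191) listeners bind every address, and
    # the init container lists both ports under --inbound-ports-to-ignore, so
    # they are reached directly rather than through the inbound listener on
    # 4143. Restrict access to them with a NetworkPolicy if the admin endpoint
    # should not be reachable from other pods.
    - name: LINKERD2_PROXY_CONTROL_LISTEN_ADDR
      value: '[::]:4190'
    - name: LINKERD2_PROXY_ADMIN_LISTEN_ADDR
      value: '[::]:4191'
    # The outbound listener is loopback-only.
    - name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDR
      value: 127.0.0.1:4140
    - name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDRS
      value: 127.0.0.1:4140
    - name: LINKERD2_PROXY_INBOUND_LISTEN_ADDR
      value: '[::]:4143'
    - name: LINKERD2_PROXY_INBOUND_IPS
      valueFrom:
        fieldRef:
          fieldPath: status.podIPs
    # No value is set: the application container below declares no ports.
    - name: LINKERD2_PROXY_INBOUND_PORTS
    - name: LINKERD2_PROXY_DESTINATION_PROFILE_SUFFIXES
      value: svc.cluster.local.
    - name: LINKERD2_PROXY_INBOUND_ACCEPT_KEEPALIVE
      value: 10000ms
    - name: LINKERD2_PROXY_OUTBOUND_CONNECT_KEEPALIVE
      value: 10000ms
    - name: LINKERD2_PROXY_INBOUND_SERVER_HTTP2_KEEP_ALIVE_INTERVAL
      value: 10s
    - name: LINKERD2_PROXY_INBOUND_SERVER_HTTP2_KEEP_ALIVE_TIMEOUT
      value: 3s
    - name: LINKERD2_PROXY_OUTBOUND_SERVER_HTTP2_KEEP_ALIVE_INTERVAL
      value: 10s
    - name: LINKERD2_PROXY_OUTBOUND_SERVER_HTTP2_KEEP_ALIVE_TIMEOUT
      value: 3s
    # Inbound ports on which the proxy skips protocol detection and forwards
    # the connection as opaque TCP.
    - name: LINKERD2_PROXY_INBOUND_PORTS_DISABLE_PROTOCOL_DETECTION
      value: 25,587,3306,4444,5432,6379,9300,11211
    - name: LINKERD2_PROXY_DESTINATION_CONTEXT
      value: |
        {"ns":"$(_pod_ns)", "nodeName":"$(_pod_nodeName)", "pod":"$(_pod_name)"}
    # Inputs for the identity name in LINKERD2_PROXY_IDENTITY_LOCAL_NAME.
    - name: _pod_sa
      valueFrom:
        fieldRef:
          fieldPath: spec.serviceAccountName
    - name: _l5d_ns
      value: linkerd
    - name: _l5d_trustdomain
      value: cluster.local
    # Same path as the memory-backed `linkerd-identity-end-entity` volume
    # mounted below, so whatever the proxy writes here stays off node disk.
    - name: LINKERD2_PROXY_IDENTITY_DIR
      value: /var/run/linkerd/identity/end-entity
    # Trust root for mesh identity. This is a CA certificate (public
    # material), not a key.
    - name: LINKERD2_PROXY_IDENTITY_TRUST_ANCHORS
      value: |
        -----BEGIN CERTIFICATE-----
        MIIBwTCCAWagAwIBAgIQeDZp5lDaIygQ5UfMKZrFATAKBggqhkjOPQQDAjApMScw
        JQYDVQQDEx5pZGVudGl0eS5saW5rZXJkLmNsdXN0ZXIubG9jYWwwHhcNMjAwODI4
        MDcxMjQ3WhcNMzAwODI2MDcxMjQ3WjApMScwJQYDVQQDEx5pZGVudGl0eS5saW5r
        ZXJkLmNsdXN0ZXIubG9jYWwwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARqc70Z
        l1vgw79rjB5uSITICUA6GyfvSFfcuIis7B/XFSkkwAHU5S/s1AAP+R0TX7HBWUC4
        uaG4WWsiwJKNn7mgo3AwbjAOBgNVHQ8BAf8EBAMCAQYwEgYDVR0TAQH/BAgwBgEB
        /wIBATAdBgNVHQ4EFgQU5YtjVVPfd7I7NLHsn2C26EByGV0wKQYDVR0RBCIwIIIe
        aWRlbnRpdHkubGlua2VyZC5jbHVzdGVyLmxvY2FsMAoGCCqGSM49BAMCA0kAMEYC
        IQCN7lBFLDDvjx6V0+XkjpKERRsJYf5adMvnloFl48ilJgIhANtxhndcr+QJPuC8
        vgUC0d2/9FMueIVMb+46WTCOjsqr
        -----END CERTIFICATE-----
    # Points into the projected `linkerd-identity-token` volume (audience
    # identity.l5d.io) defined under `volumes`.
    - name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE
      value: /var/run/secrets/tokens/linkerd-identity-token
    - name: LINKERD2_PROXY_IDENTITY_SVC_ADDR
      value: linkerd-identity-headless.linkerd.svc.cluster.local.:8080
    # The workload's mesh identity is derived from its ServiceAccount and
    # namespace, so ServiceAccount assignment is what scopes this identity.
    - name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME
      value: $(_pod_sa).$(_pod_ns).serviceaccount.identity.linkerd.cluster.local
    # Identities the proxy expects from the control-plane services it dials.
    - name: LINKERD2_PROXY_IDENTITY_SVC_NAME
      value: linkerd-identity.linkerd.serviceaccount.identity.linkerd.cluster.local
    - name: LINKERD2_PROXY_DESTINATION_SVC_NAME
      value: linkerd-destination.linkerd.serviceaccount.identity.linkerd.cluster.local
    # Same identity as the destination service above.
    - name: LINKERD2_PROXY_POLICY_SVC_NAME
      value: linkerd-destination.linkerd.serviceaccount.identity.linkerd.cluster.local
    # Test placeholder tag. In a real manifest this is a mutable tag reference
    # and, with IfNotPresent, a node reuses whatever image it already cached
    # under that tag; pin by digest where image provenance matters.
    image: cr.l5d.io/linkerd/proxy:test-inject-proxy-version
    imagePullPolicy: IfNotPresent
    lifecycle:
      postStart:
        exec:
          command:
          # Waits (up to 2m) on the proxy admin port. NOTE(review): presumably
          # so that the proxy, listed first, is ready before the application
          # container starts -- confirm against linkerd-await's documentation.
          - /usr/lib/linkerd/linkerd-await
          - --timeout=2m
          - --port=4191
    livenessProbe:
      httpGet:
        path: /live
        port: 4191
      initialDelaySeconds: 10
      timeoutSeconds: 1
    name: linkerd-proxy
    ports:
    - containerPort: 4143
      name: linkerd-proxy
    - containerPort: 4191
      name: linkerd-admin
    readinessProbe:
      httpGet:
        path: /ready
        port: 4191
      initialDelaySeconds: 2
      timeoutSeconds: 1
    # Hardened: non-root UID, read-only root filesystem, no privilege
    # escalation, runtime default seccomp. There is no `capabilities.drop`
    # entry, which the Pod Security `restricted` profile would also require.
    securityContext:
      allowPrivilegeEscalation: false
      readOnlyRootFilesystem: true
      runAsNonRoot: true
      runAsUser: 2102
      seccompProfile:
        type: RuntimeDefault
    terminationMessagePolicy: FallbackToLogsOnError
    volumeMounts:
    - mountPath: /var/run/linkerd/identity/end-entity
      name: linkerd-identity-end-entity
    - mountPath: /var/run/secrets/tokens
      name: linkerd-identity-token
  # --- Application container ----------------------------------------------
  # No securityContext and no resources are set here, so this container runs
  # with the image's user and the runtime's defaults; the hardening above
  # applies to the sidecar only. The image is referenced by tag, not digest.
  - command:
    - emojivoto-vote-bot
    env:
    - name: WEB_HOST
      value: web-svc.emojivoto:80
    image: buoyantio/emojivoto-web:v10
    name: vote-bot
  # --- Init container: traffic redirection --------------------------------
  initContainers:
  - args:
    - --ipv6=false
    - --incoming-proxy-port
    - "4143"
    - --outgoing-proxy-port
    - "4140"
    # Matches the sidecar's runAsUser. NOTE(review): presumably traffic from
    # this UID is exempted from outbound redirection so the proxy does not
    # capture its own connections; if so, no application container should run
    # as UID 2102.
    - --proxy-uid
    - "2102"
    # Ports listed in the two ignore options are not redirected to the proxy,
    # so traffic on them gets neither mesh mTLS nor inbound policy. Keep both
    # lists as short as the workload allows.
    - --inbound-ports-to-ignore
    - 4190,4191,4567,4568
    - --outbound-ports-to-ignore
    - 4567,4568
    # Tag reference, not a digest (see the note on the proxy image).
    image: cr.l5d.io/linkerd/proxy-init:v2.4.0
    imagePullPolicy: IfNotPresent
    name: linkerd-init
    resources:
      limits:
        cpu: 100m
        memory: 20Mi
      requests:
        cpu: 100m
        memory: 20Mi
    # Runs non-root and unprivileged but adds NET_ADMIN and NET_RAW, which it
    # needs to write iptables rules in the pod's network namespace. Neither
    # capability is on the Pod Security `baseline` allow-list, so namespaces
    # enforcing baseline or restricted reject this pod; Linkerd's CNI plugin
    # mode is the alternative that removes this init container.
    securityContext:
      allowPrivilegeEscalation: false
      capabilities:
        add:
        - NET_ADMIN
        - NET_RAW
      privileged: false
      readOnlyRootFilesystem: true
      runAsGroup: 65534
      runAsNonRoot: true
      runAsUser: 65534
      seccompProfile:
        type: RuntimeDefault
    terminationMessagePolicy: FallbackToLogsOnError
    volumeMounts:
    # Writable /run for the xtables lock, since the root filesystem is
    # read-only.
    - mountPath: /run
      name: linkerd-proxy-init-xtables-lock
  volumes:
  - emptyDir: {}
    name: linkerd-proxy-init-xtables-lock
  # Memory-backed, so the proxy's identity directory is never on node disk
  # and is discarded with the pod.
  - emptyDir:
      medium: Memory
    name: linkerd-identity-end-entity
  # Projected ServiceAccount token bound to the audience `identity.l5d.io`
  # with a 24-hour lifetime (86400 s), used in place of the pod's general
  # API-server token when the proxy authenticates to the identity service.
  - name: linkerd-identity-token
    projected:
      sources:
      - serviceAccountToken:
          audience: identity.l5d.io
          expirationSeconds: 86400
          path: linkerd-identity-token
---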