...
# Pod manifest for the emojivoto vote-bot after Linkerd injection: a
# linkerd-proxy sidecar, the vote-bot application container and a
# linkerd-init init container (created-by annotation: linkerd/cli).
apiVersion: v1
kind: Pod
metadata:
  annotations:
    # These port lists reappear in the linkerd-init args below as
    # --inbound-ports-to-ignore / --outbound-ports-to-ignore. Traffic on a
    # skipped port is not redirected through the proxy, so it gets none of the
    # mesh's mTLS, policy or telemetry and has to be protected by other means.
    config.linkerd.io/skip-inbound-ports: '22,8100-8102'
    config.linkerd.io/skip-outbound-ports: '5432'
    linkerd.io/created-by: linkerd/cli dev-undefined
    linkerd.io/proxy-version: test-inject-proxy-version
    # presumably the SHA-256 of the trust anchor bundle set in
    # LINKERD2_PROXY_IDENTITY_TRUST_ANCHORS below; confirm against the injector
    linkerd.io/trust-root-sha256: '8dc603abd4e755c25c94da05abbf29b9b283a784733651020d72f97ca8ab98e4'
  labels:
    app: vote-bot
    linkerd.io/control-plane-ns: linkerd
    linkerd.io/workload-ns: emojivoto
  name: vote-bot
  namespace: emojivoto
spec:
  containers:
    # Sidecar proxy container.
    - env:
        # Downward-API values, expanded below through $(...) references.
        - name: _pod_name
          valueFrom:
            fieldRef:
              fieldPath: metadata.name
        - name: _pod_ns
          valueFrom:
            fieldRef:
              fieldPath: metadata.namespace
        - name: _pod_nodeName
          valueFrom:
            fieldRef:
              fieldPath: spec.nodeName
        - name: LINKERD2_PROXY_LOG
          value: 'warn,linkerd=info,trust_dns=error'
        - name: LINKERD2_PROXY_LOG_FORMAT
          value: 'plain'
        - name: LINKERD2_PROXY_DESTINATION_SVC_ADDR
          value: 'linkerd-dst-headless.linkerd.svc.cluster.local.:8086'
        - name: LINKERD2_PROXY_DESTINATION_PROFILE_NETWORKS
          value: '10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16,fd00::/8'
        - name: LINKERD2_PROXY_POLICY_SVC_ADDR
          value: 'linkerd-policy.linkerd.svc.cluster.local.:8090'
        # Literal block scalar: the value keeps its trailing newline.
        - name: LINKERD2_PROXY_POLICY_WORKLOAD
          value: |
            {"ns":"$(_pod_ns)", "pod":"$(_pod_name)"}
        # all-unauthenticated accepts inbound traffic from any client, meshed
        # or not. Where this workload should only serve meshed peers, a
        # stricter default policy or per-Server authorization is the control
        # to review.
        - name: LINKERD2_PROXY_INBOUND_DEFAULT_POLICY
          value: 'all-unauthenticated'
        - name: LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS
          value: '10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16,fd00::/8'
        - name: LINKERD2_PROXY_CONTROL_STREAM_INITIAL_TIMEOUT
          value: '3s'
        - name: LINKERD2_PROXY_CONTROL_STREAM_IDLE_TIMEOUT
          value: '5m'
        - name: LINKERD2_PROXY_CONTROL_STREAM_LIFETIME
          value: '1h'
        - name: LINKERD2_PROXY_INBOUND_CONNECT_TIMEOUT
          value: '100ms'
        - name: LINKERD2_PROXY_OUTBOUND_CONNECT_TIMEOUT
          value: '1000ms'
        - name: LINKERD2_PROXY_OUTBOUND_DISCOVERY_IDLE_TIMEOUT
          value: '5s'
        - name: LINKERD2_PROXY_INBOUND_DISCOVERY_IDLE_TIMEOUT
          value: '90s'
        # Control (4190), admin (4191) and inbound (4143) listeners bind to
        # [::], i.e. every pod interface; only the outbound listener is
        # loopback-only. The liveness and readiness probes below use 4191.
        - name: LINKERD2_PROXY_CONTROL_LISTEN_ADDR
          value: '[::]:4190'
        - name: LINKERD2_PROXY_ADMIN_LISTEN_ADDR
          value: '[::]:4191'
        - name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDR
          value: '127.0.0.1:4140'
        - name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDRS
          value: '127.0.0.1:4140'
        - name: LINKERD2_PROXY_INBOUND_LISTEN_ADDR
          value: '[::]:4143'
        - name: LINKERD2_PROXY_INBOUND_IPS
          valueFrom:
            fieldRef:
              fieldPath: status.podIPs
        # No value is set for this variable in the manifest.
        - name: LINKERD2_PROXY_INBOUND_PORTS
        - name: LINKERD2_PROXY_DESTINATION_PROFILE_SUFFIXES
          value: 'svc.cluster.local.'
        - name: LINKERD2_PROXY_INBOUND_ACCEPT_KEEPALIVE
          value: '10000ms'
        - name: LINKERD2_PROXY_OUTBOUND_CONNECT_KEEPALIVE
          value: '10000ms'
        - name: LINKERD2_PROXY_INBOUND_SERVER_HTTP2_KEEP_ALIVE_INTERVAL
          value: '10s'
        - name: LINKERD2_PROXY_INBOUND_SERVER_HTTP2_KEEP_ALIVE_TIMEOUT
          value: '3s'
        - name: LINKERD2_PROXY_OUTBOUND_SERVER_HTTP2_KEEP_ALIVE_INTERVAL
          value: '10s'
        - name: LINKERD2_PROXY_OUTBOUND_SERVER_HTTP2_KEEP_ALIVE_TIMEOUT
          value: '3s'
        # Inbound ports on which the proxy does not attempt protocol
        # detection.
        - name: LINKERD2_PROXY_INBOUND_PORTS_DISABLE_PROTOCOL_DETECTION
          value: '25,587,3306,4444,5432,6379,9300,11211'
        - name: LINKERD2_PROXY_DESTINATION_CONTEXT
          value: |
            {"ns":"$(_pod_ns)", "nodeName":"$(_pod_nodeName)", "pod":"$(_pod_name)"}
        - name: _pod_sa
          valueFrom:
            fieldRef:
              fieldPath: spec.serviceAccountName
        - name: _l5d_ns
          value: 'linkerd'
        - name: _l5d_trustdomain
          value: 'cluster.local'
        # Mounted from the memory-backed emptyDir declared under volumes.
        # presumably holds the proxy's end-entity key and certificate; confirm
        - name: LINKERD2_PROXY_IDENTITY_DIR
          value: '/var/run/linkerd/identity/end-entity'
        # PEM trust anchor certificate. It is public material rather than a
        # secret, but it decides which identity issuer this proxy trusts, so
        # any change to it deserves the same review as a credential change.
        - name: LINKERD2_PROXY_IDENTITY_TRUST_ANCHORS
          value: |
            -----BEGIN CERTIFICATE-----
            MIIBwTCCAWagAwIBAgIQeDZp5lDaIygQ5UfMKZrFATAKBggqhkjOPQQDAjApMScw
            JQYDVQQDEx5pZGVudGl0eS5saW5rZXJkLmNsdXN0ZXIubG9jYWwwHhcNMjAwODI4
            MDcxMjQ3WhcNMzAwODI2MDcxMjQ3WjApMScwJQYDVQQDEx5pZGVudGl0eS5saW5r
            ZXJkLmNsdXN0ZXIubG9jYWwwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARqc70Z
            l1vgw79rjB5uSITICUA6GyfvSFfcuIis7B/XFSkkwAHU5S/s1AAP+R0TX7HBWUC4
            uaG4WWsiwJKNn7mgo3AwbjAOBgNVHQ8BAf8EBAMCAQYwEgYDVR0TAQH/BAgwBgEB
            /wIBATAdBgNVHQ4EFgQU5YtjVVPfd7I7NLHsn2C26EByGV0wKQYDVR0RBCIwIIIe
            aWRlbnRpdHkubGlua2VyZC5jbHVzdGVyLmxvY2FsMAoGCCqGSM49BAMCA0kAMEYC
            IQCN7lBFLDDvjx6V0+XkjpKERRsJYf5adMvnloFl48ilJgIhANtxhndcr+QJPuC8
            vgUC0d2/9FMueIVMb+46WTCOjsqr
            -----END CERTIFICATE-----
        # Path of the projected service-account token declared under volumes
        # (audience identity.l5d.io, expirationSeconds 86400).
        - name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE
          value: '/var/run/secrets/tokens/linkerd-identity-token'
        - name: LINKERD2_PROXY_IDENTITY_SVC_ADDR
          value: 'linkerd-identity-headless.linkerd.svc.cluster.local.:8080'
        # The identity name is built from the pod's service account and
        # namespace, so the service account is the unit of mesh identity here.
        - name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME
          value: '$(_pod_sa).$(_pod_ns).serviceaccount.identity.linkerd.cluster.local'
        - name: LINKERD2_PROXY_IDENTITY_SVC_NAME
          value: 'linkerd-identity.linkerd.serviceaccount.identity.linkerd.cluster.local'
        - name: LINKERD2_PROXY_DESTINATION_SVC_NAME
          value: 'linkerd-destination.linkerd.serviceaccount.identity.linkerd.cluster.local'
        - name: LINKERD2_PROXY_POLICY_SVC_NAME
          value: 'linkerd-destination.linkerd.serviceaccount.identity.linkerd.cluster.local'
      # Images in this manifest are referenced by tag, not by digest; a tag
      # can be re-pointed, so pin a digest where image integrity matters.
      image: cr.l5d.io/linkerd/proxy:test-inject-proxy-version
      imagePullPolicy: IfNotPresent
      lifecycle:
        postStart:
          exec:
            command:
              - /usr/lib/linkerd/linkerd-await
              - --timeout=2m
              - --port=4191
      livenessProbe:
        httpGet:
          path: /live
          port: 4191
        initialDelaySeconds: 10
        timeoutSeconds: 1
      name: linkerd-proxy
      ports:
        - containerPort: 4143
          name: linkerd-proxy
        - containerPort: 4191
          name: linkerd-admin
      readinessProbe:
        httpGet:
          path: /ready
          port: 4191
        initialDelaySeconds: 2
        timeoutSeconds: 1
      # Non-root UID 2102 with a read-only root filesystem, no privilege
      # escalation and the runtime's default seccomp profile. The same UID is
      # passed to linkerd-init as --proxy-uid.
      # NOTE(review): no capabilities.drop and no resources are set for this
      # container.
      securityContext:
        allowPrivilegeEscalation: false
        readOnlyRootFilesystem: true
        runAsNonRoot: true
        runAsUser: 2102
        seccompProfile:
          type: RuntimeDefault
      terminationMessagePolicy: FallbackToLogsOnError
      volumeMounts:
        - mountPath: /var/run/linkerd/identity/end-entity
          name: linkerd-identity-end-entity
        - mountPath: /var/run/secrets/tokens
          name: linkerd-identity-token
    # Application container.
    # NOTE(review): it declares no securityContext and no resources, so the
    # hardening applied to the sidecar does not extend to it.
    - command:
        - emojivoto-vote-bot
      env:
        - name: WEB_HOST
          value: 'web-svc.emojivoto:80'
      image: buoyantio/emojivoto-web:v10
      name: vote-bot
  initContainers:
    # Init container given the proxy ports, the proxy UID and the port
    # exclusions. 4190 and 4191 are the proxy's own control and admin
    # listeners; 22, 8100-8102 and 5432 come from the skip-*-ports
    # annotations in metadata.
    - args:
        - --ipv6=false
        - --incoming-proxy-port
        - '4143'
        - --outgoing-proxy-port
        - '4140'
        - --proxy-uid
        - '2102'
        - --inbound-ports-to-ignore
        - '4190,4191,22,8100-8102'
        - --outbound-ports-to-ignore
        - '5432'
      image: cr.l5d.io/linkerd/proxy-init:v2.4.0
      imagePullPolicy: IfNotPresent
      name: linkerd-init
      resources:
        limits:
          cpu: 100m
          memory: 20Mi
        requests:
          cpu: 100m
          memory: 20Mi
      # NET_ADMIN and NET_RAW are the only added capabilities; the container
      # is otherwise non-privileged and runs as UID/GID 65534. Pod Security
      # "restricted" style admission rejects added NET_ADMIN/NET_RAW, so
      # namespaces using this init container need an explicit exemption.
      securityContext:
        allowPrivilegeEscalation: false
        capabilities:
          add:
            - NET_ADMIN
            - NET_RAW
        privileged: false
        readOnlyRootFilesystem: true
        runAsGroup: 65534
        runAsNonRoot: true
        runAsUser: 65534
        seccompProfile:
          type: RuntimeDefault
      terminationMessagePolicy: FallbackToLogsOnError
      volumeMounts:
        # Writable mount at /run alongside the read-only root filesystem.
        - mountPath: /run
          name: linkerd-proxy-init-xtables-lock
  volumes:
    - emptyDir: {}
      name: linkerd-proxy-init-xtables-lock
    # medium: Memory keeps this volume's contents off node disk.
    - emptyDir:
        medium: Memory
      name: linkerd-identity-end-entity
    # Projected service-account token bound to the identity.l5d.io audience
    # and valid for 86400 seconds.
    - name: linkerd-identity-token
      projected:
        sources:
          - serviceAccountToken:
              audience: identity.l5d.io
              expirationSeconds: 86400
              path: linkerd-identity-token
---