...
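# Pod manifest for the emojivoto `vote-bot` workload carrying a Linkerd proxy
# sidecar (`linkerd-proxy`) and an init container (`linkerd-init`).
# The `created-by: linkerd/cli dev-undefined` annotation and the
# `test-inject-proxy-version` tag suggest test output from a dev build, so the
# image references below read as fixtures rather than deployable pins.
apiVersion: v1
kind: Pod
metadata:
  annotations:
    # Proxy resource overrides; the same four values appear under
    # `resources` of the linkerd-proxy container below.
    config.linkerd.io/proxy-cpu-limit: 160m
    config.linkerd.io/proxy-cpu-request: 110m
    config.linkerd.io/proxy-memory-limit: 150Mi
    config.linkerd.io/proxy-memory-request: 100Mi
    linkerd.io/created-by: linkerd/cli dev-undefined
    linkerd.io/proxy-version: test-inject-proxy-version
    # NOTE(review): presumably a SHA-256 digest of the trust anchor bundle in
    # LINKERD2_PROXY_IDENTITY_TRUST_ANCHORS; confirm. If so, comparing it
    # across pods is a cheap way to spot workloads left on an old trust root.
    linkerd.io/trust-root-sha256: 8dc603abd4e755c25c94da05abbf29b9b283a784733651020d72f97ca8ab98e4
  labels:
    app: vote-bot
    linkerd.io/control-plane-ns: linkerd
    linkerd.io/workload-ns: emojivoto
  name: vote-bot
  namespace: emojivoto
spec:
  containers:
  # Sidecar: the Linkerd proxy, configured entirely through environment.
  - env:
    # Downward API values; later entries expand them as $(_pod_name),
    # $(_pod_ns) and $(_pod_nodeName).
    - name: _pod_name
      valueFrom:
        fieldRef:
          fieldPath: metadata.name
    - name: _pod_ns
      valueFrom:
        fieldRef:
          fieldPath: metadata.namespace
    - name: _pod_nodeName
      valueFrom:
        fieldRef:
          fieldPath: spec.nodeName
    - name: LINKERD2_PROXY_LOG
      value: warn,linkerd=info,trust_dns=error
    - name: LINKERD2_PROXY_LOG_FORMAT
      value: plain
    - name: LINKERD2_PROXY_DESTINATION_SVC_ADDR
      value: linkerd-dst-headless.linkerd.svc.cluster.local.:8086
    - name: LINKERD2_PROXY_DESTINATION_PROFILE_NETWORKS
      value: 10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16,fd00::/8
    - name: LINKERD2_PROXY_POLICY_SVC_ADDR
      value: linkerd-policy.linkerd.svc.cluster.local.:8090
    # Literal block scalar: the JSON value ends with a newline.
    - name: LINKERD2_PROXY_POLICY_WORKLOAD
      value: |
        {"ns":"$(_pod_ns)", "pod":"$(_pod_name)"}
    # NOTE(review): by its name this default admits inbound connections
    # whether or not the client presents a mesh identity. Where the workload
    # should accept meshed peers only, a stricter default (for example
    # `all-authenticated` or `deny`) combined with explicit Server and
    # authorization policy resources is the tighter baseline; confirm the
    # intended posture for this namespace.
    - name: LINKERD2_PROXY_INBOUND_DEFAULT_POLICY
      value: all-unauthenticated
    - name: LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS
      value: 10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16,fd00::/8
    - name: LINKERD2_PROXY_CONTROL_STREAM_INITIAL_TIMEOUT
      value: 3s
    - name: LINKERD2_PROXY_CONTROL_STREAM_IDLE_TIMEOUT
      value: 5m
    - name: LINKERD2_PROXY_CONTROL_STREAM_LIFETIME
      value: 1h
    - name: LINKERD2_PROXY_INBOUND_CONNECT_TIMEOUT
      value: 100ms
    - name: LINKERD2_PROXY_OUTBOUND_CONNECT_TIMEOUT
      value: 1000ms
    - name: LINKERD2_PROXY_OUTBOUND_DISCOVERY_IDLE_TIMEOUT
      value: 5s
    - name: LINKERD2_PROXY_INBOUND_DISCOVERY_IDLE_TIMEOUT
      value: 90s
    # Control (4190) and admin (4191) listeners bind to every address, and
    # linkerd-init lists both under --inbound-ports-to-ignore.
    # NOTE(review): the probes below show 4191 serving /live and /ready;
    # confirm what else the admin listener exposes and whether a
    # NetworkPolicy should limit who can reach it from outside the pod.
    - name: LINKERD2_PROXY_CONTROL_LISTEN_ADDR
      value: '[::]:4190'
    - name: LINKERD2_PROXY_ADMIN_LISTEN_ADDR
      value: '[::]:4191'
    # The outbound listener is bound to loopback only.
    - name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDR
      value: 127.0.0.1:4140
    - name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDRS
      value: 127.0.0.1:4140
    - name: LINKERD2_PROXY_INBOUND_LISTEN_ADDR
      value: '[::]:4143'
    - name: LINKERD2_PROXY_INBOUND_IPS
      valueFrom:
        fieldRef:
          fieldPath: status.podIPs
    # No `value` key: the variable is declared without a value. The vote-bot
    # container below declares no ports, which may be why; confirm.
    - name: LINKERD2_PROXY_INBOUND_PORTS
    - name: LINKERD2_PROXY_DESTINATION_PROFILE_SUFFIXES
      value: svc.cluster.local.
    - name: LINKERD2_PROXY_INBOUND_ACCEPT_KEEPALIVE
      value: 10000ms
    - name: LINKERD2_PROXY_OUTBOUND_CONNECT_KEEPALIVE
      value: 10000ms
    - name: LINKERD2_PROXY_INBOUND_SERVER_HTTP2_KEEP_ALIVE_INTERVAL
      value: 10s
    - name: LINKERD2_PROXY_INBOUND_SERVER_HTTP2_KEEP_ALIVE_TIMEOUT
      value: 3s
    - name: LINKERD2_PROXY_OUTBOUND_SERVER_HTTP2_KEEP_ALIVE_INTERVAL
      value: 10s
    - name: LINKERD2_PROXY_OUTBOUND_SERVER_HTTP2_KEEP_ALIVE_TIMEOUT
      value: 3s
    # Inbound ports on which the proxy skips protocol detection.
    - name: LINKERD2_PROXY_INBOUND_PORTS_DISABLE_PROTOCOL_DETECTION
      value: 25,587,3306,4444,5432,6379,9300,11211
    - name: LINKERD2_PROXY_DESTINATION_CONTEXT
      value: |
        {"ns":"$(_pod_ns)", "nodeName":"$(_pod_nodeName)", "pod":"$(_pod_name)"}
    - name: _pod_sa
      valueFrom:
        fieldRef:
          fieldPath: spec.serviceAccountName
    - name: _l5d_ns
      value: linkerd
    - name: _l5d_trustdomain
      value: cluster.local
    # Same path as the `linkerd-identity-end-entity` mount, which is backed
    # by an in-memory emptyDir (see `volumes`).
    - name: LINKERD2_PROXY_IDENTITY_DIR
      value: /var/run/linkerd/identity/end-entity
    # PEM certificate only; no private key appears in this manifest.
    - name: LINKERD2_PROXY_IDENTITY_TRUST_ANCHORS
      value: |
        -----BEGIN CERTIFICATE-----
        MIIBwTCCAWagAwIBAgIQeDZp5lDaIygQ5UfMKZrFATAKBggqhkjOPQQDAjApMScw
        JQYDVQQDEx5pZGVudGl0eS5saW5rZXJkLmNsdXN0ZXIubG9jYWwwHhcNMjAwODI4
        MDcxMjQ3WhcNMzAwODI2MDcxMjQ3WjApMScwJQYDVQQDEx5pZGVudGl0eS5saW5r
        ZXJkLmNsdXN0ZXIubG9jYWwwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARqc70Z
        l1vgw79rjB5uSITICUA6GyfvSFfcuIis7B/XFSkkwAHU5S/s1AAP+R0TX7HBWUC4
        uaG4WWsiwJKNn7mgo3AwbjAOBgNVHQ8BAf8EBAMCAQYwEgYDVR0TAQH/BAgwBgEB
        /wIBATAdBgNVHQ4EFgQU5YtjVVPfd7I7NLHsn2C26EByGV0wKQYDVR0RBCIwIIIe
        aWRlbnRpdHkubGlua2VyZC5jbHVzdGVyLmxvY2FsMAoGCCqGSM49BAMCA0kAMEYC
        IQCN7lBFLDDvjx6V0+XkjpKERRsJYf5adMvnloFl48ilJgIhANtxhndcr+QJPuC8
        vgUC0d2/9FMueIVMb+46WTCOjsqr
        -----END CERTIFICATE-----
    # Token path under the /var/run/secrets/tokens mount; the file comes
    # from the projected serviceAccountToken volume at the end of the spec.
    - name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE
      value: /var/run/secrets/tokens/linkerd-identity-token
    - name: LINKERD2_PROXY_IDENTITY_SVC_ADDR
      value: linkerd-identity-headless.linkerd.svc.cluster.local.:8080
    # Local identity name is built from the pod's service account and
    # namespace.
    - name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME
      value: $(_pod_sa).$(_pod_ns).serviceaccount.identity.linkerd.cluster.local
    - name: LINKERD2_PROXY_IDENTITY_SVC_NAME
      value: linkerd-identity.linkerd.serviceaccount.identity.linkerd.cluster.local
    - name: LINKERD2_PROXY_DESTINATION_SVC_NAME
      value: linkerd-destination.linkerd.serviceaccount.identity.linkerd.cluster.local
    # The policy service name is the same identity as the destination
    # service name above.
    - name: LINKERD2_PROXY_POLICY_SVC_NAME
      value: linkerd-destination.linkerd.serviceaccount.identity.linkerd.cluster.local
    # NOTE(review): mutable tag combined with IfNotPresent; a deployed
    # manifest would normally pin the image by digest.
    image: cr.l5d.io/linkerd/proxy:test-inject-proxy-version
    imagePullPolicy: IfNotPresent
    lifecycle:
      postStart:
        exec:
          # Runs linkerd-await against port 4191 with a two-minute timeout.
          command:
          - /usr/lib/linkerd/linkerd-await
          - --timeout=2m
          - --port=4191
    livenessProbe:
      httpGet:
        path: /live
        port: 4191
      initialDelaySeconds: 10
      timeoutSeconds: 1
    name: linkerd-proxy
    ports:
    - containerPort: 4143
      name: linkerd-proxy
    - containerPort: 4191
      name: linkerd-admin
    readinessProbe:
      httpGet:
        path: /ready
        port: 4191
      initialDelaySeconds: 2
      timeoutSeconds: 1
    resources:
      limits:
        cpu: 160m
        memory: 150Mi
      requests:
        cpu: 110m
        memory: 100Mi
    # Non-root UID 2102 (the same value passed as --proxy-uid to
    # linkerd-init), read-only root filesystem, no privilege escalation,
    # runtime default seccomp profile.
    securityContext:
      allowPrivilegeEscalation: false
      readOnlyRootFilesystem: true
      runAsNonRoot: true
      runAsUser: 2102
      seccompProfile:
        type: RuntimeDefault
    terminationMessagePolicy: FallbackToLogsOnError
    volumeMounts:
    - mountPath: /var/run/linkerd/identity/end-entity
      name: linkerd-identity-end-entity
    - mountPath: /var/run/secrets/tokens
      name: linkerd-identity-token
  # Application container.
  # NOTE(review): unlike the two Linkerd containers it sets no
  # securityContext and no resources, and its image is referenced by the
  # tag `v10` rather than a digest; whether namespace-level policy covers
  # this is not visible here.
  - command:
    - emojivoto-vote-bot
    env:
    - name: WEB_HOST
      value: web-svc.emojivoto:80
    image: buoyantio/emojivoto-web:v10
    name: vote-bot
  initContainers:
  # Init container that receives the proxy ports and UID as arguments.
  - args:
    - --ipv6=false
    - --incoming-proxy-port
    - "4143"
    - --outgoing-proxy-port
    - "4140"
    - --proxy-uid
    - "2102"
    # NOTE(review): going by the flag names, traffic on these ports is not
    # redirected through the proxy, so 4567 and 4568 would not get the
    # proxy's identity and policy handling in either direction; confirm
    # that both are meant to bypass the mesh.
    - --inbound-ports-to-ignore
    - 4190,4191,4567,4568
    - --outbound-ports-to-ignore
    - 4567,4568
    image: cr.l5d.io/linkerd/proxy-init:v2.4.0
    imagePullPolicy: IfNotPresent
    name: linkerd-init
    resources:
      limits:
        cpu: 100m
        memory: 20Mi
      requests:
        cpu: 100m
        memory: 20Mi
    # Runs unprivileged as UID/GID 65534 but adds NET_ADMIN and NET_RAW.
    # NOTE(review): admission policies that forbid added capabilities will
    # reject this pod; the Linkerd CNI plugin mode is the usual way to
    # avoid granting these capabilities per pod.
    securityContext:
      allowPrivilegeEscalation: false
      capabilities:
        add:
        - NET_ADMIN
        - NET_RAW
      privileged: false
      readOnlyRootFilesystem: true
      runAsGroup: 65534
      runAsNonRoot: true
      runAsUser: 65534
      seccompProfile:
        type: RuntimeDefault
    terminationMessagePolicy: FallbackToLogsOnError
    volumeMounts:
    # Writable /run on an otherwise read-only root filesystem.
    - mountPath: /run
      name: linkerd-proxy-init-xtables-lock
  volumes:
  - emptyDir: {}
    name: linkerd-proxy-init-xtables-lock
  # Memory-backed emptyDir for the proxy's identity directory.
  - emptyDir:
      medium: Memory
    name: linkerd-identity-end-entity
  # Projected service account token bound to the audience
  # `identity.l5d.io` and limited to 86400 seconds.
  - name: linkerd-identity-token
    projected:
      sources:
      - serviceAccountToken:
          audience: identity.l5d.io
          expirationSeconds: 86400
          path: linkerd-identity-token
---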