...
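# Deployment manifest for the linkerd-tap workload. The pod template carries
# the Linkerd data-plane containers: the linkerd-proxy sidecar, the
# linkerd-init init container and the linkerd-debug sidecar.
# The placeholder image tags (test-inject-proxy-version,
# test-inject-debug-version) and the "dev-undefined" created-by value suggest
# test-fixture output rather than a production manifest.
apiVersion: apps/v1
kind: Deployment
metadata:
  # generation, resourceVersion, selfLink and uid are normally set by the API
  # server; their presence suggests the object was exported from a cluster.
  generation: 1
  labels:
    linkerd.io/control-plane-component: tap
    linkerd.io/control-plane-ns: linkerd
  name: linkerd-tap
  namespace: linkerd
  resourceVersion: "2387"
  selfLink: /apis/extensions/v1beta1/namespaces/linkerd/deployments/linkerd-tap
  uid: edb24475-9371-491a-b536-b084a91d9700
spec:
  progressDeadlineSeconds: 600
  replicas: 1
  revisionHistoryLimit: 10
  selector:
    matchLabels:
      linkerd.io/control-plane-component: tap
      linkerd.io/control-plane-ns: linkerd
      linkerd.io/proxy-deployment: linkerd-tap
  strategy:
    rollingUpdate:
      maxSurge: 25%
      maxUnavailable: 25%
    type: RollingUpdate
  template:
    metadata:
      annotations:
        # Debug sidecar requested; it corresponds to the linkerd-debug
        # container further down. Meant for troubleshooting: leave it unset
        # on workloads that do not need it.
        config.linkerd.io/enable-debug-sidecar: "true"
        linkerd.io/created-by: linkerd/cli dev-undefined
        linkerd.io/proxy-version: test-inject-proxy-version
        # Presumably a digest identifying the trust anchor configured in
        # LINKERD2_PROXY_IDENTITY_TRUST_ANCHORS - confirm against the injector.
        linkerd.io/trust-root-sha256: 8dc603abd4e755c25c94da05abbf29b9b283a784733651020d72f97ca8ab98e4
      labels:
        linkerd.io/control-plane-component: tap
        linkerd.io/control-plane-ns: linkerd
        linkerd.io/proxy-deployment: linkerd-tap
        linkerd.io/workload-ns: linkerd
    spec:
      containers:
      # Sidecar proxy. Pod identity fields are exposed through the downward
      # API (_pod_*) and interpolated into later values with $(VAR).
      - env:
        - name: _pod_name
          valueFrom:
            fieldRef:
              fieldPath: metadata.name
        - name: _pod_ns
          valueFrom:
            fieldRef:
              fieldPath: metadata.namespace
        - name: _pod_nodeName
          valueFrom:
            fieldRef:
              fieldPath: spec.nodeName
        - name: LINKERD2_PROXY_LOG
          value: warn,linkerd=info,trust_dns=error
        - name: LINKERD2_PROXY_LOG_FORMAT
          value: plain
        - name: LINKERD2_PROXY_DESTINATION_SVC_ADDR
          value: linkerd-dst-headless.linkerd.svc.cluster.local.:8086
        - name: LINKERD2_PROXY_DESTINATION_PROFILE_NETWORKS
          value: 10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16,fd00::/8
        - name: LINKERD2_PROXY_POLICY_SVC_ADDR
          value: linkerd-policy.linkerd.svc.cluster.local.:8090
        - name: LINKERD2_PROXY_POLICY_WORKLOAD
          value: |
            {"ns":"$(_pod_ns)", "pod":"$(_pod_name)"}
        - name: LINKERD2_PROXY_INBOUND_DEFAULT_POLICY
          # Default inbound policy: connections are admitted whether or not
          # the client presents a mesh identity. Where only meshed clients
          # should reach this workload, set a stricter default or add
          # explicit policy resources.
          value: all-unauthenticated
        - name: LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS
          value: 10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16,fd00::/8
        - name: LINKERD2_PROXY_CONTROL_STREAM_INITIAL_TIMEOUT
          value: 3s
        - name: LINKERD2_PROXY_CONTROL_STREAM_IDLE_TIMEOUT
          value: 5m
        - name: LINKERD2_PROXY_CONTROL_STREAM_LIFETIME
          value: 1h
        - name: LINKERD2_PROXY_INBOUND_CONNECT_TIMEOUT
          value: 100ms
        - name: LINKERD2_PROXY_OUTBOUND_CONNECT_TIMEOUT
          value: 1000ms
        - name: LINKERD2_PROXY_OUTBOUND_DISCOVERY_IDLE_TIMEOUT
          value: 5s
        - name: LINKERD2_PROXY_INBOUND_DISCOVERY_IDLE_TIMEOUT
          value: 90s
        # The control, admin and inbound listeners bind on all addresses
        # ([::]); the outbound listener is loopback-only (127.0.0.1).
        - name: LINKERD2_PROXY_CONTROL_LISTEN_ADDR
          value: '[::]:4190'
        - name: LINKERD2_PROXY_ADMIN_LISTEN_ADDR
          value: '[::]:4191'
        - name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDR
          value: 127.0.0.1:4140
        - name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDRS
          value: 127.0.0.1:4140
        - name: LINKERD2_PROXY_INBOUND_LISTEN_ADDR
          value: '[::]:4143'
        - name: LINKERD2_PROXY_INBOUND_IPS
          valueFrom:
            fieldRef:
              fieldPath: status.podIPs
        # Matches the containerPorts declared by the tap container below.
        - name: LINKERD2_PROXY_INBOUND_PORTS
          value: 8088,8089,9998
        - name: LINKERD2_PROXY_DESTINATION_PROFILE_SUFFIXES
          value: svc.cluster.local.
        - name: LINKERD2_PROXY_INBOUND_ACCEPT_KEEPALIVE
          value: 10000ms
        - name: LINKERD2_PROXY_OUTBOUND_CONNECT_KEEPALIVE
          value: 10000ms
        - name: LINKERD2_PROXY_INBOUND_SERVER_HTTP2_KEEP_ALIVE_INTERVAL
          value: 10s
        - name: LINKERD2_PROXY_INBOUND_SERVER_HTTP2_KEEP_ALIVE_TIMEOUT
          value: 3s
        - name: LINKERD2_PROXY_OUTBOUND_SERVER_HTTP2_KEEP_ALIVE_INTERVAL
          value: 10s
        - name: LINKERD2_PROXY_OUTBOUND_SERVER_HTTP2_KEEP_ALIVE_TIMEOUT
          value: 3s
        - name: LINKERD2_PROXY_INBOUND_PORTS_DISABLE_PROTOCOL_DETECTION
          value: 25,587,3306,4444,5432,6379,9300,11211
        - name: LINKERD2_PROXY_DESTINATION_CONTEXT
          value: |
            {"ns":"$(_pod_ns)", "nodeName":"$(_pod_nodeName)", "pod":"$(_pod_name)"}
        - name: _pod_sa
          valueFrom:
            fieldRef:
              fieldPath: spec.serviceAccountName
        - name: _l5d_ns
          value: linkerd
        - name: _l5d_trustdomain
          value: cluster.local
        # Same path as the memory-backed linkerd-identity-end-entity mount.
        - name: LINKERD2_PROXY_IDENTITY_DIR
          value: /var/run/linkerd/identity/end-entity
        # PEM-encoded trust anchor certificate: public material only, no
        # private key is embedded in this manifest.
        - name: LINKERD2_PROXY_IDENTITY_TRUST_ANCHORS
          value: |
            -----BEGIN CERTIFICATE-----
            MIIBwTCCAWagAwIBAgIQeDZp5lDaIygQ5UfMKZrFATAKBggqhkjOPQQDAjApMScw
            JQYDVQQDEx5pZGVudGl0eS5saW5rZXJkLmNsdXN0ZXIubG9jYWwwHhcNMjAwODI4
            MDcxMjQ3WhcNMzAwODI2MDcxMjQ3WjApMScwJQYDVQQDEx5pZGVudGl0eS5saW5r
            ZXJkLmNsdXN0ZXIubG9jYWwwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARqc70Z
            l1vgw79rjB5uSITICUA6GyfvSFfcuIis7B/XFSkkwAHU5S/s1AAP+R0TX7HBWUC4
            uaG4WWsiwJKNn7mgo3AwbjAOBgNVHQ8BAf8EBAMCAQYwEgYDVR0TAQH/BAgwBgEB
            /wIBATAdBgNVHQ4EFgQU5YtjVVPfd7I7NLHsn2C26EByGV0wKQYDVR0RBCIwIIIe
            aWRlbnRpdHkubGlua2VyZC5jbHVzdGVyLmxvY2FsMAoGCCqGSM49BAMCA0kAMEYC
            IQCN7lBFLDDvjx6V0+XkjpKERRsJYf5adMvnloFl48ilJgIhANtxhndcr+QJPuC8
            vgUC0d2/9FMueIVMb+46WTCOjsqr
            -----END CERTIFICATE-----
        - name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE
          value: /var/run/secrets/tokens/linkerd-identity-token
        - name: LINKERD2_PROXY_IDENTITY_SVC_ADDR
          value: linkerd-identity-headless.linkerd.svc.cluster.local.:8080
        # Workload identity name is built from the pod's service account and
        # namespace, so the service account is the unit of identity here.
        - name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME
          value: $(_pod_sa).$(_pod_ns).serviceaccount.identity.linkerd.cluster.local
        - name: LINKERD2_PROXY_IDENTITY_SVC_NAME
          value: linkerd-identity.linkerd.serviceaccount.identity.linkerd.cluster.local
        - name: LINKERD2_PROXY_DESTINATION_SVC_NAME
          value: linkerd-destination.linkerd.serviceaccount.identity.linkerd.cluster.local
        - name: LINKERD2_PROXY_POLICY_SVC_NAME
          value: linkerd-destination.linkerd.serviceaccount.identity.linkerd.cluster.local
        # Tag reference, not pinned to a digest; with IfNotPresent a node keeps
        # whatever image it first pulled for this tag. Placeholder tag here.
        image: cr.l5d.io/linkerd/proxy:test-inject-proxy-version
        imagePullPolicy: IfNotPresent
        lifecycle:
          postStart:
            exec:
              command:
              - /usr/lib/linkerd/linkerd-await
              - --timeout=2m
              - --port=4191
        livenessProbe:
          httpGet:
            path: /live
            port: 4191
          initialDelaySeconds: 10
          timeoutSeconds: 1
        name: linkerd-proxy
        ports:
        - containerPort: 4143
          name: linkerd-proxy
        - containerPort: 4191
          name: linkerd-admin
        readinessProbe:
          httpGet:
            path: /ready
            port: 4191
          initialDelaySeconds: 2
          timeoutSeconds: 1
        # Hardened settings: no privilege escalation, read-only root
        # filesystem, non-root UID 2102, runtime-default seccomp profile.
        securityContext:
          allowPrivilegeEscalation: false
          readOnlyRootFilesystem: true
          runAsNonRoot: true
          runAsUser: 2102
          seccompProfile:
            type: RuntimeDefault
        terminationMessagePolicy: FallbackToLogsOnError
        volumeMounts:
        - mountPath: /var/run/linkerd/identity/end-entity
          name: linkerd-identity-end-entity
        - mountPath: /var/run/secrets/tokens
          name: linkerd-identity-token
      # Application container (tap controller).
      - args:
        - tap
        - -controller-namespace=linkerd
        - -log-level=info
        image: cr.l5d.io/linkerd/controller:git-a94122bf
        imagePullPolicy: IfNotPresent
        livenessProbe:
          failureThreshold: 3
          httpGet:
            path: /ping
            port: 9998
            scheme: HTTP
          initialDelaySeconds: 10
          periodSeconds: 10
          successThreshold: 1
          timeoutSeconds: 1
        name: tap
        ports:
        - containerPort: 8088
          name: grpc
          protocol: TCP
        - containerPort: 8089
          name: apiserver
          protocol: TCP
        - containerPort: 9998
          name: admin-http
          protocol: TCP
        readinessProbe:
          failureThreshold: 7
          httpGet:
            path: /ready
            port: 9998
            scheme: HTTP
          periodSeconds: 10
          successThreshold: 1
          timeoutSeconds: 1
        # NOTE(review): only UID/GID are set. Unlike linkerd-proxy, this
        # container declares no allowPrivilegeEscalation: false,
        # readOnlyRootFilesystem, runAsNonRoot or seccompProfile, and the
        # pod-level securityContext is empty, so cluster defaults apply.
        securityContext:
          runAsGroup: 2103
          runAsUser: 2103
        terminationMessagePath: /dev/termination-log
        terminationMessagePolicy: File
        volumeMounts:
        # TLS secret for the tap API server, mounted read-only.
        - mountPath: /var/run/linkerd/tls
          name: tls
          readOnly: true
        - mountPath: /var/run/linkerd/config
          name: config
      # Debug sidecar. No securityContext or resources are declared, and both
      # probes exec `true`, so they report success unconditionally and give
      # no health signal. Like every container in the pod it shares the pod's
      # network namespace; remove it once troubleshooting is finished.
      - image: cr.l5d.io/linkerd/debug:test-inject-debug-version
        imagePullPolicy: IfNotPresent
        livenessProbe:
          exec:
            command:
            - "true"
        name: linkerd-debug
        readinessProbe:
          exec:
            command:
            - "true"
        terminationMessagePolicy: FallbackToLogsOnError
      dnsPolicy: ClusterFirst
      initContainers:
      # Init container that sets up traffic redirection to the proxy ports
      # (4143 inbound, 4140 outbound) before the other containers start.
      - args:
        - --ipv6=false
        - --incoming-proxy-port
        - "4143"
        - --outgoing-proxy-port
        - "4140"
        - --proxy-uid
        - "2102"
        # Ports in the two ignore lists bypass the proxy, so traffic on them
        # gets no mTLS or policy enforcement from it; keep the lists minimal.
        - --inbound-ports-to-ignore
        - 4190,4191,4567,4568
        - --outbound-ports-to-ignore
        - 4567,4568
        image: cr.l5d.io/linkerd/proxy-init:v2.4.0
        imagePullPolicy: IfNotPresent
        name: linkerd-init
        resources:
          limits:
            cpu: 100m
            memory: 20Mi
          requests:
            cpu: 100m
            memory: 20Mi
        # NET_ADMIN and NET_RAW are the only added capabilities and are
        # confined to this init container, which is otherwise non-root
        # (65534), unprivileged, read-only and seccomp-confined.
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            add:
            - NET_ADMIN
            - NET_RAW
          privileged: false
          readOnlyRootFilesystem: true
          runAsGroup: 65534
          runAsNonRoot: true
          runAsUser: 65534
          seccompProfile:
            type: RuntimeDefault
        terminationMessagePolicy: FallbackToLogsOnError
        volumeMounts:
        - mountPath: /run
          name: linkerd-proxy-init-xtables-lock
      restartPolicy: Always
      schedulerName: default-scheduler
      # Empty pod-level context: containers without their own securityContext
      # (linkerd-debug) inherit nothing from here.
      securityContext: {}
      # serviceAccount is the deprecated alias of serviceAccountName; both
      # carry the same value.
      serviceAccount: linkerd-tap
      serviceAccountName: linkerd-tap
      terminationGracePeriodSeconds: 30
      volumes:
      - configMap:
          # 420 decimal == 0644 octal.
          defaultMode: 420
          name: linkerd-config
        name: config
      - name: tls
        secret:
          # 420 decimal == 0644 octal: the secret's files are readable by any
          # UID in a container that mounts this volume (only tap does here).
          defaultMode: 420
          secretName: linkerd-tap-k8s-tls
      - emptyDir: {}
        name: linkerd-proxy-init-xtables-lock
      # Memory-backed emptyDir mounted at LINKERD2_PROXY_IDENTITY_DIR, so
      # what the proxy stores there stays in tmpfs rather than on node disk.
      - emptyDir:
          medium: Memory
        name: linkerd-identity-end-entity
      # Projected service-account token scoped to the identity.l5d.io
      # audience with an 86400 s (24 h) expiry.
      - name: linkerd-identity-token
        projected:
          sources:
          - serviceAccountToken:
              audience: identity.l5d.io
              expirationSeconds: 86400
              path: linkerd-identity-token
---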