---
# Source: linkerd2-cni/templates/cni-plugin.yaml
# Identity for the install-cni DaemonSet pods. The CNI config in the
# linkerd-cni-config ConfigMap references __SERVICEACCOUNT_TOKEN__, which is
# presumably filled in from this account's mounted token by the install
# script -- confirm against the image's entrypoint before changing automount.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: linkerd-cni
  namespace: linkerd-test
  labels:
    linkerd.io/cni-resource: 'true'
---
# Cluster-wide, read-only access for the CNI plugin over core API objects.
# Only get/list/watch are granted; no write verbs, no non-core API groups.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: linkerd-cni
  labels:
    linkerd.io/cni-resource: 'true'
rules:
  - apiGroups:
      - ''
    resources:
      - pods
      - nodes
      - namespaces
      - services
    verbs:
      - get
      - list
      - watch
---
# Grants the read-only linkerd-cni ClusterRole to the linkerd-cni
# ServiceAccount in the linkerd-test namespace (the DaemonSet's identity).
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  labels:
    linkerd.io/cni-resource: 'true'
  name: linkerd-cni
subjects:
  - kind: ServiceAccount
    namespace: linkerd-test
    name: linkerd-cni
roleRef:
  kind: ClusterRole
  apiGroup: rbac.authorization.k8s.io
  name: linkerd-cni
---
# Installation parameters consumed by the install-cni container via the
# DEST_CNI_NET_DIR, DEST_CNI_BIN_DIR and CNI_NETWORK_CONFIG env vars.
apiVersion: v1
kind: ConfigMap
metadata:
  name: linkerd-cni-config
  namespace: linkerd-test
  labels:
    linkerd.io/cni-resource: 'true'
data:
  # Host directories (as seen inside the container under /host) that receive
  # the network config and the plugin binary respectively.
  dest_cni_net_dir: '/etc/cni/net.d'
  dest_cni_bin_dir: '/opt/cni/bin'
  # The CNI network configuration to install on each node. The special
  # values in this config will be automatically populated.
  # iptables-mode and ipv6 flags are only considered as of linkerd-cni v1.4.0
  # NOTE(review): once __SERVICEACCOUNT_TOKEN__ is substituted, the file
  # written under dest_cni_net_dir on the host holds a bearer token in
  # plaintext; the host-side permissions of that file deserve a check.
  cni_network_config: |-
    {
      "name": "linkerd-cni",
      "type": "linkerd-cni",
      "log_level": "info",
      "policy": {
        "type": "k8s",
        "k8s_api_root": "https://__KUBERNETES_SERVICE_HOST__:__KUBERNETES_SERVICE_PORT__",
        "k8s_auth_token": "__SERVICEACCOUNT_TOKEN__"
      },
      "kubernetes": {
        "kubeconfig": "__KUBECONFIG_FILEPATH__"
      },
      "linkerd": {
        "incoming-proxy-port": 4143,
        "outgoing-proxy-port": 4140,
        "proxy-uid": 2102,
        "ports-to-redirect": [],
        "inbound-ports-to-ignore": ["4191","4190"],
        "simulate": false,
        "use-wait-flag": false,
        "iptables-mode": "legacy",
        "ipv6": false
      }
    }
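---
# Runs one install-cni pod per Linux node. The pod copies the CNI plugin
# binary and network config onto the host via hostPath mounts, then sleeps.
# Changes vs. the rendered output: apiVersion/kind ordering matches the other
# documents, and the bare `resources:` key (parsed as null) is an explicit {}.
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: linkerd-cni
  namespace: linkerd-test
  labels:
    k8s-app: linkerd-cni
    linkerd.io/cni-resource: "true"
  annotations:
    linkerd.io/created-by: linkerd/cli dev-undefined
spec:
  revisionHistoryLimit: 10
  selector:
    matchLabels:
      k8s-app: linkerd-cni
  updateStrategy:
    type: RollingUpdate
    rollingUpdate:
      maxUnavailable: 1
  template:
    metadata:
      labels:
        k8s-app: linkerd-cni
        linkerd.io/cni-resource: "true"
      annotations:
        linkerd.io/created-by: linkerd/cli dev-undefined
        # The installer itself must never receive a proxy sidecar.
        linkerd.io/inject: disabled
    spec:
      # A keyless `Exists` toleration matches every taint, so the pod is
      # scheduled on all nodes (control-plane and tainted ones included).
      tolerations:
        - operator: Exists
      nodeSelector:
        kubernetes.io/os: linux
      securityContext:
        seccompProfile:
          type: RuntimeDefault
      serviceAccountName: linkerd-cni
      containers:
        # This container installs the linkerd CNI binaries
        # and CNI network config file on each node. The install
        # script copies the files into place and then sleeps so
        # that Kubernetes doesn't keep trying to restart it.
        - name: install-cni
          # NOTE(review): pinned by tag only; a digest pin would make the
          # pulled image immutable.
          image: cr.l5d.io/linkerd/cni-plugin:v1.5.0
          imagePullPolicy: IfNotPresent
          env:
            # All three values come from the linkerd-cni-config ConfigMap.
            - name: DEST_CNI_NET_DIR
              valueFrom:
                configMapKeyRef:
                  name: linkerd-cni-config
                  key: dest_cni_net_dir
            - name: DEST_CNI_BIN_DIR
              valueFrom:
                configMapKeyRef:
                  name: linkerd-cni-config
                  key: dest_cni_bin_dir
            - name: CNI_NETWORK_CONFIG
              valueFrom:
                configMapKeyRef:
                  name: linkerd-cni-config
                  key: cni_network_config
            # Keep the container alive after install (see the comment above).
            - name: SLEEP
              value: "true"
          lifecycle:
            # In some edge-cases this helps ensure that cleanup() is called in the container's script
            # https://github.com/linkerd/linkerd2/issues/2355
            preStop:
              exec:
                command:
                  - /bin/sh
                  - -c
                  # SIGTERM the install script (PID 1), then give it time to clean up.
                  - kill -15 1; sleep 15s
          volumeMounts:
            # Host CNI directories. The installer writes the binary and the
            # network config into them, so they cannot be mounted readOnly.
            - mountPath: /host/opt/cni/bin
              name: cni-bin-dir
            - mountPath: /host/etc/cni/net.d
              name: cni-net-dir
            # Writable scratch space; required because the root FS is read-only.
            - mountPath: /tmp
              name: linkerd-tmp-dir
          securityContext:
            readOnlyRootFilesystem: true
            privileged: false
            # NOTE(review): allowPrivilegeEscalation and a capabilities drop
            # list are not set here; verify the installer still writes to the
            # hostPath mounts before tightening either.
          # No requests or limits are defined; an explicit empty mapping is
          # used instead of a bare `resources:` key, which YAML reads as null.
          resources: {}
      volumes:
        # hostPath volumes carry no `type:`, so the kubelet performs no
        # existence or kind check on the host directory before mounting.
        - name: cni-bin-dir
          hostPath:
            path: /opt/cni/bin
        - name: cni-net-dir
          hostPath:
            path: /etc/cni/net.d
        - name: linkerd-tmp-dir
          emptyDir: {}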