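---
###
### Linkerd Namespace
###
# Control-plane namespace. Two labels carry security weight:
#  - config.linkerd.io/admission-webhooks: disabled matches the NotIn
#    namespaceSelector on the webhook configurations in this manifest, so
#    objects in this namespace are never sent to those webhooks.
#  - pod-security.kubernetes.io/enforce: privileged means Pod Security
#    admission places no restriction on pods created here. Create access
#    to pods in this namespace should be tightly held for that reason.
kind: Namespace
apiVersion: v1
metadata:
  name: linkerd
  annotations:
    linkerd.io/inject: disabled
  labels:
    linkerd.io/is-control-plane: "true"
    config.linkerd.io/admission-webhooks: disabled
    linkerd.io/control-plane-ns: linkerd
    pod-security.kubernetes.io/enforce: privileged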
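---
###
### Identity Controller Service RBAC
###
# Cluster-scoped permissions for the identity controller.
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: linkerd-linkerd-identity
  labels:
    linkerd.io/control-plane-component: identity
    linkerd.io/control-plane-ns: linkerd
rules:
# TokenReview create lets the holder ask the API server to validate a
# bearer token. It grants no read access to tokens or Secrets.
- apiGroups: ["authentication.k8s.io"]
  resources: ["tokenreviews"]
  verbs: ["create"]
# TODO(ver) Restrict this to the Linkerd namespace. See
# https://github.com/linkerd/linkerd2/issues/9367
# Until that is done, this rule allows creating and patching Events in
# every namespace, because it sits in a ClusterRole.
- apiGroups: [""]
  resources: ["events"]
  verbs: ["create", "patch"]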
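---
# Grants the identity ClusterRole cluster-wide to a single subject: the
# linkerd-identity ServiceAccount in the linkerd namespace.
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: linkerd-linkerd-identity
  labels:
    linkerd.io/control-plane-component: identity
    linkerd.io/control-plane-ns: linkerd
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: linkerd-linkerd-identity
subjects:
- kind: ServiceAccount
  name: linkerd-identity
  namespace: linkerd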
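---
# Workload identity of the identity controller. The linkerd-identity
# Deployment in this manifest runs under it (serviceAccountName).
kind: ServiceAccount
apiVersion: v1
metadata:
  name: linkerd-identity
  namespace: linkerd
  labels:
    linkerd.io/control-plane-component: identity
    linkerd.io/control-plane-ns: linkerd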
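---
###
### Destination Controller Service
###
# Cluster-scoped permissions for the destination controller. Every rule
# is read-only except the last two (leases and endpointslices).
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: linkerd-linkerd-destination
  labels:
    linkerd.io/control-plane-component: destination
    linkerd.io/control-plane-ns: linkerd
rules:
- apiGroups: ["apps"]
  resources: ["replicasets"]
  verbs: ["list", "get", "watch"]
- apiGroups: ["batch"]
  resources: ["jobs"]
  verbs: ["list", "get", "watch"]
- apiGroups: [""]
  resources: ["pods", "endpoints", "services", "nodes"]
  verbs: ["list", "get", "watch"]
- apiGroups: ["linkerd.io"]
  resources: ["serviceprofiles"]
  verbs: ["list", "get", "watch"]
- apiGroups: ["workload.linkerd.io"]
  resources: ["externalworkloads"]
  verbs: ["list", "get", "watch"]
# Lease write access in all namespaces; no "list", "watch" or "delete".
- apiGroups: ["coordination.k8s.io"]
  resources: ["leases"]
  verbs: ["create", "get", "update", "patch"]
# Full write access to EndpointSlices in all namespaces. EndpointSlices
# list the backends behind a Service, so a holder of this role can change
# where Service traffic is sent. This is the most sensitive rule here.
- apiGroups: ["discovery.k8s.io"]
  resources: ["endpointslices"]
  verbs: ["list", "get", "watch", "create", "update", "patch", "delete"]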
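---
# Grants the destination ClusterRole cluster-wide to the
# linkerd-destination ServiceAccount in the linkerd namespace.
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: linkerd-linkerd-destination
  labels:
    linkerd.io/control-plane-component: destination
    linkerd.io/control-plane-ns: linkerd
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: linkerd-linkerd-destination
subjects:
- kind: ServiceAccount
  name: linkerd-destination
  namespace: linkerd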
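---
# Subject of three bindings in this manifest: the destination ClusterRole,
# the linkerd-policy ClusterRole and the remote-discovery Role.
kind: ServiceAccount
apiVersion: v1
metadata:
  name: linkerd-destination
  namespace: linkerd
  labels:
    linkerd.io/control-plane-component: destination
    linkerd.io/control-plane-ns: linkerd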
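---
# Admission validation of ServiceProfile create/update requests.
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
  name: linkerd-sp-validator-webhook-config
  labels:
    linkerd.io/control-plane-component: destination
    linkerd.io/control-plane-ns: linkerd
webhooks:
- name: linkerd-sp-validator.linkerd.io
  # Namespaces labelled config.linkerd.io/admission-webhooks=disabled are
  # skipped. Whoever can set that label on a namespace can opt it out.
  namespaceSelector:
    matchExpressions:
    - key: config.linkerd.io/admission-webhooks
      operator: NotIn
      values:
      - disabled
  clientConfig:
    service:
      name: linkerd-sp-validator
      namespace: linkerd
      path: "/"
    # Decodes to the text "profile validator CA bundle": a fixture
    # placeholder, not a PEM certificate.
    caBundle: cHJvZmlsZSB2YWxpZGF0b3IgQ0EgYnVuZGxl
  # Fail open: if the webhook cannot be reached or errors, the API server
  # admits the object without validation.
  failurePolicy: Ignore
  admissionReviewVersions: ["v1", "v1beta1"]
  rules:
  - operations: ["CREATE", "UPDATE"]
    apiGroups: ["linkerd.io"]
    apiVersions: ["v1alpha1", "v1alpha2"]
    resources: ["serviceprofiles"]
  sideEffects: None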
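---
# Admission validation of Linkerd policy resources and Gateway API
# HTTPRoutes on create/update.
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
  name: linkerd-policy-validator-webhook-config
  labels:
    linkerd.io/control-plane-component: destination
    linkerd.io/control-plane-ns: linkerd
webhooks:
- name: linkerd-policy-validator.linkerd.io
  # Namespaces labelled config.linkerd.io/admission-webhooks=disabled are
  # skipped.
  namespaceSelector:
    matchExpressions:
    - key: config.linkerd.io/admission-webhooks
      operator: NotIn
      values:
      - disabled
  clientConfig:
    service:
      name: linkerd-policy-validator
      namespace: linkerd
      path: "/"
    # Decodes to the text "policy validator CA bundle": a fixture
    # placeholder, not a PEM certificate.
    caBundle: cG9saWN5IHZhbGlkYXRvciBDQSBidW5kbGU=
  # Fail open: these objects define authorization policy, and with Ignore
  # they are admitted unvalidated whenever the validator is unavailable.
  failurePolicy: Ignore
  admissionReviewVersions: ["v1", "v1beta1"]
  rules:
  - operations: ["CREATE", "UPDATE"]
    apiGroups: ["policy.linkerd.io"]
    apiVersions: ["*"]
    resources:
    - authorizationpolicies
    - httproutes
    - networkauthentications
    - meshtlsauthentications
    - serverauthorizations
    - servers
  - operations: ["CREATE", "UPDATE"]
    apiGroups: ["gateway.networking.k8s.io"]
    apiVersions: ["*"]
    resources:
    - httproutes
  sideEffects: None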
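---
# Cluster-scoped permissions for the policy side of the destination
# component. Reads are get/list/watch; the only writes are status patches
# on HTTPRoutes and create/patch on leases.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: linkerd-policy
  labels:
    app.kubernetes.io/part-of: Linkerd
    linkerd.io/control-plane-component: destination
    linkerd.io/control-plane-ns: linkerd
rules:
  - apiGroups:
      - ""
    resources:
      - pods
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - apps
    resources:
      - deployments
    verbs:
      - get
  - apiGroups:
      - policy.linkerd.io
    resources:
      - authorizationpolicies
      - httproutes
      - meshtlsauthentications
      - networkauthentications
      - servers
      - serverauthorizations
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - gateway.networking.k8s.io
    resources:
      - httproutes
    verbs:
      - get
      - list
      - watch
  # Write access is limited to the status subresource, not the route spec.
  - apiGroups:
      - policy.linkerd.io
    resources:
      - httproutes/status
    verbs:
      - patch
  - apiGroups:
      - gateway.networking.k8s.io
    resources:
      - httproutes/status
    verbs:
      - patch
  - apiGroups:
      - workload.linkerd.io
    resources:
      - externalworkloads
    verbs:
      - get
      - list
      - watch
  # Leases in all namespaces; there is no resourceNames restriction.
  - apiGroups:
      - coordination.k8s.io
    resources:
      - leases
    verbs:
      - create
      - get
      - patch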
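---
# Grants the linkerd-policy ClusterRole cluster-wide to the
# linkerd-destination ServiceAccount.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: linkerd-destination-policy
  labels:
    app.kubernetes.io/part-of: Linkerd
    linkerd.io/control-plane-component: destination
    linkerd.io/control-plane-ns: linkerd
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: linkerd-policy
subjects:
  - kind: ServiceAccount
    name: linkerd-destination
    namespace: linkerd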
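---
# Namespaced read access to Secrets in the linkerd namespace. The rule has
# no resourceNames, so it covers every Secret in the namespace, including
# linkerd-identity-issuer, which holds the issuer key (key.pem). Any
# workload running as a bound subject can read that key.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: remote-discovery
  namespace: linkerd
  labels:
    app.kubernetes.io/part-of: Linkerd
    linkerd.io/control-plane-component: destination
    linkerd.io/control-plane-ns: linkerd
rules:
  - apiGroups:
      - ""
    resources:
      - secrets
    verbs:
      - get
      - list
      - watch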
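---
# Gives the linkerd-destination ServiceAccount the remote-discovery Role,
# i.e. get/list/watch on Secrets in the linkerd namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: linkerd-destination-remote-discovery
  namespace: linkerd
  labels:
    app.kubernetes.io/part-of: Linkerd
    linkerd.io/control-plane-component: destination
    linkerd.io/control-plane-ns: linkerd
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: remote-discovery
subjects:
  - kind: ServiceAccount
    name: linkerd-destination
    namespace: linkerd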
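---
###
### Heartbeat RBAC
###
# Narrowly scoped: a single verb on a single named ConfigMap in one
# namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: linkerd-heartbeat
  namespace: linkerd
  labels:
    linkerd.io/control-plane-ns: linkerd
rules:
- apiGroups: [""]
  resources: ["configmaps"]
  verbs: ["get"]
  resourceNames: ["linkerd-config"]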
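---
# Binds the namespaced linkerd-heartbeat Role to the linkerd-heartbeat
# ServiceAccount.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: linkerd-heartbeat
  namespace: linkerd
  labels:
    linkerd.io/control-plane-ns: linkerd
roleRef:
  kind: Role
  name: linkerd-heartbeat
  apiGroup: rbac.authorization.k8s.io
subjects:
- kind: ServiceAccount
  name: linkerd-heartbeat
  namespace: linkerd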
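---
# Cluster-wide "list" only, on namespaces and ServiceProfiles. There is no
# "get" or "watch", and no write verb.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: linkerd-heartbeat
  labels:
    linkerd.io/control-plane-ns: linkerd
rules:
- apiGroups: [""]
  resources: ["namespaces"]
  verbs: ["list"]
- apiGroups: ["linkerd.io"]
  resources: ["serviceprofiles"]
  verbs: ["list"]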
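---
# Binds the linkerd-heartbeat ClusterRole to the linkerd-heartbeat
# ServiceAccount.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: linkerd-heartbeat
  labels:
    linkerd.io/control-plane-ns: linkerd
roleRef:
  kind: ClusterRole
  name: linkerd-heartbeat
  apiGroup: rbac.authorization.k8s.io
subjects:
- kind: ServiceAccount
  name: linkerd-heartbeat
  namespace: linkerd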
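---
# Identity used by the heartbeat component; subject of the two
# linkerd-heartbeat bindings in this manifest.
kind: ServiceAccount
apiVersion: v1
metadata:
  name: linkerd-heartbeat
  namespace: linkerd
  labels:
    linkerd.io/control-plane-component: heartbeat
    linkerd.io/control-plane-ns: linkerd
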
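---
###
### Proxy Injector RBAC
###
# Cluster-scoped permissions for the proxy injector: read access to
# workload owners and namespaces, plus Event writes.
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: linkerd-linkerd-proxy-injector
  labels:
    linkerd.io/control-plane-component: proxy-injector
    linkerd.io/control-plane-ns: linkerd
rules:
# Event create/patch in every namespace. This is the same breadth as the
# events rule on the identity ClusterRole.
- apiGroups: [""]
  resources: ["events"]
  verbs: ["create", "patch"]
- apiGroups: [""]
  resources: ["namespaces", "replicationcontrollers"]
  verbs: ["list", "get", "watch"]
# Pods: list and watch only; "get" is not granted.
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["list", "watch"]
- apiGroups: ["extensions", "apps"]
  resources: ["deployments", "replicasets", "daemonsets", "statefulsets"]
  verbs: ["list", "get", "watch"]
- apiGroups: ["extensions", "batch"]
  resources: ["cronjobs", "jobs"]
  verbs: ["list", "get", "watch"]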
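---
# Grants the proxy-injector ClusterRole cluster-wide to the
# linkerd-proxy-injector ServiceAccount.
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: linkerd-linkerd-proxy-injector
  labels:
    linkerd.io/control-plane-component: proxy-injector
    linkerd.io/control-plane-ns: linkerd
subjects:
- kind: ServiceAccount
  name: linkerd-proxy-injector
  namespace: linkerd
  # Empty apiGroup: ServiceAccount subjects are in the core API group.
  apiGroup: ""
roleRef:
  kind: ClusterRole
  name: linkerd-linkerd-proxy-injector
  apiGroup: rbac.authorization.k8s.io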
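---
# Identity of the proxy injector; subject of the proxy-injector
# ClusterRoleBinding.
kind: ServiceAccount
apiVersion: v1
metadata:
  name: linkerd-proxy-injector
  namespace: linkerd
  labels:
    linkerd.io/control-plane-component: proxy-injector
    linkerd.io/control-plane-ns: linkerd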
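---
# Mutating webhook called on creation of pods and services. The service
# it calls can rewrite every such object it is sent, so the backing
# Service and its serving certificate are high-value assets.
apiVersion: admissionregistration.k8s.io/v1
kind: MutatingWebhookConfiguration
metadata:
  name: linkerd-proxy-injector-webhook-config
  labels:
    linkerd.io/control-plane-component: proxy-injector
    linkerd.io/control-plane-ns: linkerd
webhooks:
- name: linkerd-proxy-injector.linkerd.io
  # Both expressions must hold: the namespace is not labelled
  # admission-webhooks=disabled, and it is not kube-system or cert-manager.
  namespaceSelector:
    matchExpressions:
    - key: config.linkerd.io/admission-webhooks
      operator: NotIn
      values:
      - disabled
    - key: kubernetes.io/metadata.name
      operator: NotIn
      values:
      - kube-system
      - cert-manager
  # null: no object-level filter is configured here.
  objectSelector:
    null
  clientConfig:
    service:
      name: linkerd-proxy-injector
      namespace: linkerd
      path: "/"
    # Decodes to the text "proxy injector CA bundle": a fixture
    # placeholder, not a PEM certificate.
    caBundle: cHJveHkgaW5qZWN0b3IgQ0EgYnVuZGxl
  # Fail open: if the injector is unreachable or exceeds timeoutSeconds,
  # the object is admitted unmodified. A pod created in that window runs
  # without the changes this webhook would have made, so anything relying
  # on injection needs a separate check that it actually happened.
  failurePolicy: Ignore
  admissionReviewVersions: ["v1", "v1beta1"]
  rules:
  - operations: [ "CREATE" ]
    apiGroups: [""]
    apiVersions: ["v1"]
    resources: ["pods", "services"]
    scope: "Namespaced"
  sideEffects: None
  timeoutSeconds: 10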
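---
# linkerd-config: the values this install was rendered with, kept as one
# YAML string under data.values. Everything below `values: |` is string
# content and cannot carry comments, so review notes are collected here:
#  - Only certificates appear (identity.issuer.tls.crtPEM and
#    identityTrustAnchorsPEM). No private key is stored in this ConfigMap.
#  - proxy.defaultInboundPolicy is all-unauthenticated. Going by the
#    value's name, inbound traffic is accepted without requiring client
#    identity unless a policy resource says otherwise; confirm against
#    the Linkerd policy docs.
#  - webhookFailurePolicy is Ignore, matching failurePolicy: Ignore on
#    the webhook configurations in this manifest (fail open).
#  - policyController.probeNetworks is 0.0.0.0/0 and ::/0, i.e. every
#    source address falls inside the configured probe networks.
#  - networkValidator.logLevel is debug while the other components log at
#    info/warn.
#  - The *.caBundle entries ("policy validator CA bundle", ...), the
#    install-*-version strings and heartbeatSchedule "1 2 3 4 5" are
#    fixture placeholders, not production values.
#  - podMonitor.controller.namespaceSelector still contains the unrendered
#    template expression {{ .Release.Namespace }}; it is carried as text.
kind: ConfigMap
apiVersion: v1
metadata:
  name: linkerd-config
  namespace: linkerd
  labels:
    linkerd.io/control-plane-component: controller
    linkerd.io/control-plane-ns: linkerd
  annotations:
    linkerd.io/created-by: linkerd/cli dev-undefined
data:
  linkerd-crds-chart-version: linkerd-crds-1.0.0-edge
  values: |
    cliVersion: linkerd/cli dev-undefined
    clusterDomain: cluster.local
    clusterNetworks: 10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16,fd00::/8
    cniEnabled: false
    controlPlaneTracing: true
    controlPlaneTracingNamespace: linkerd-jaeger
    controller:
      podDisruptionBudget:
        maxUnavailable: 1
    controllerGID: -1
    controllerImage: cr.l5d.io/linkerd/controller
    controllerLogFormat: plain
    controllerLogLevel: info
    controllerReplicas: 1
    controllerUID: 2103
    debugContainer:
      image:
        name: cr.l5d.io/linkerd/debug
        pullPolicy: ""
        version: install-debug-version
    deploymentStrategy:
      rollingUpdate:
        maxSurge: 25%
        maxUnavailable: 25%
    destinationController:
      meshedHttp2ClientProtobuf:
        keep_alive:
          interval:
            seconds: 10
          timeout:
            seconds: 3
          while_idle: true
    destinationProxyResources: null
    destinationResources: null
    disableHeartBeat: false
    disableIPv6: true
    enableEndpointSlices: true
    enableH2Upgrade: true
    enablePodAntiAffinity: false
    enablePodDisruptionBudget: false
    heartbeat: null
    heartbeatResources: null
    heartbeatSchedule: 1 2 3 4 5
    highAvailability: false
    identity:
      additionalEnv: null
      experimentalEnv: null
      externalCA: false
      issuer:
        clockSkewAllowance: 20s
        issuanceLifetime: 24h0m0s
        scheme: linkerd.io/tls
        tls:
          crtPEM: |
            -----BEGIN CERTIFICATE-----
            MIIBwDCCAWegAwIBAgIRAJRIgZ8RtO8Ewg1Xepf8T44wCgYIKoZIzj0EAwIwKTEn
            MCUGA1UEAxMeaWRlbnRpdHkubGlua2VyZC5jbHVzdGVyLmxvY2FsMB4XDTIwMDgy
            ODA3MTM0N1oXDTMwMDgyNjA3MTM0N1owKTEnMCUGA1UEAxMeaWRlbnRpdHkubGlu
            a2VyZC5jbHVzdGVyLmxvY2FsMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE1/Fp
            fcRnDcedL6AjUaXYPv4DIMBaJufOI5NWty+XSX7JjXgZtM72dQvRaYanuxD36Dt1
            2/JxyiSgxKWRdoay+aNwMG4wDgYDVR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYB
            Af8CAQAwHQYDVR0OBBYEFI1WnrqMYKaHHOo+zpyiiDq2pO0KMCkGA1UdEQQiMCCC
            HmlkZW50aXR5LmxpbmtlcmQuY2x1c3Rlci5sb2NhbDAKBggqhkjOPQQDAgNHADBE
            AiAtuoI5XuCtrGVRzSmRTl2ra28aV9MyTU7d5qnTAFHKSgIgRKCvluOSgA5O21p5
            51tdrmkHEZRr0qlLSJdHYgEfMzk=
            -----END CERTIFICATE-----
      kubeAPI:
        clientBurst: 200
        clientQPS: 100
      serviceAccountTokenProjection: true
    identityProxyResources: null
    identityResources: null
    identityTrustAnchorsPEM: |
      -----BEGIN CERTIFICATE-----
      MIIBwTCCAWagAwIBAgIQeDZp5lDaIygQ5UfMKZrFATAKBggqhkjOPQQDAjApMScw
      JQYDVQQDEx5pZGVudGl0eS5saW5rZXJkLmNsdXN0ZXIubG9jYWwwHhcNMjAwODI4
      MDcxMjQ3WhcNMzAwODI2MDcxMjQ3WjApMScwJQYDVQQDEx5pZGVudGl0eS5saW5r
      ZXJkLmNsdXN0ZXIubG9jYWwwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARqc70Z
      l1vgw79rjB5uSITICUA6GyfvSFfcuIis7B/XFSkkwAHU5S/s1AAP+R0TX7HBWUC4
      uaG4WWsiwJKNn7mgo3AwbjAOBgNVHQ8BAf8EBAMCAQYwEgYDVR0TAQH/BAgwBgEB
      /wIBATAdBgNVHQ4EFgQU5YtjVVPfd7I7NLHsn2C26EByGV0wKQYDVR0RBCIwIIIe
      aWRlbnRpdHkubGlua2VyZC5jbHVzdGVyLmxvY2FsMAoGCCqGSM49BAMCA0kAMEYC
      IQCN7lBFLDDvjx6V0+XkjpKERRsJYf5adMvnloFl48ilJgIhANtxhndcr+QJPuC8
      vgUC0d2/9FMueIVMb+46WTCOjsqr
      -----END CERTIFICATE-----
    identityTrustDomain: cluster.local
    imagePullPolicy: IfNotPresent
    imagePullSecrets: []
    linkerdVersion: install-control-plane-version
    networkValidator:
      connectAddr: 1.1.1.1:20001
      enableSecurityContext: true
      listenAddr: 0.0.0.0:4140
      logFormat: plain
      logLevel: debug
      timeout: 10s
    nodeAffinity: null
    nodeSelector:
      kubernetes.io/os: linux
    podAnnotations: {}
    podLabels: {}
    podMonitor:
      controller:
        enabled: true
        namespaceSelector: |
          matchNames:
            - {{ .Release.Namespace }}
            - linkerd-viz
            - linkerd-jaeger
      enabled: false
      proxy:
        enabled: true
      scrapeInterval: 10s
      scrapeTimeout: 10s
      serviceMirror:
        enabled: true
    policyController:
      image:
        name: cr.l5d.io/linkerd/policy-controller
        pullPolicy: ""
        version: ""
      logLevel: info
      probeNetworks:
      - 0.0.0.0/0
      - ::/0
      resources:
        cpu:
          limit: ""
          request: ""
        ephemeral-storage:
          limit: ""
          request: ""
        memory:
          limit: ""
          request: ""
    policyValidator:
      caBundle: policy validator CA bundle
      crtPEM: ""
      externalSecret: true
      injectCaFrom: ""
      injectCaFromSecret: ""
      namespaceSelector:
        matchExpressions:
        - key: config.linkerd.io/admission-webhooks
          operator: NotIn
          values:
          - disabled
    priorityClassName: ""
    profileValidator:
      caBundle: profile validator CA bundle
      crtPEM: ""
      externalSecret: true
      injectCaFrom: ""
      injectCaFromSecret: ""
      namespaceSelector:
        matchExpressions:
        - key: config.linkerd.io/admission-webhooks
          operator: NotIn
          values:
          - disabled
    prometheusUrl: ""
    proxy:
      accessLog: ""
      additionalEnv: null
      await: true
      capabilities: null
      control:
        streams:
          idleTimeout: 5m
          initialTimeout: 3s
          lifetime: 1h
      defaultInboundPolicy: all-unauthenticated
      disableInboundProtocolDetectTimeout: false
      disableOutboundProtocolDetectTimeout: false
      enableExternalProfiles: false
      experimentalEnv: null
      gid: -1
      image:
        name: cr.l5d.io/linkerd/proxy
        pullPolicy: ""
        version: install-proxy-version
      inbound:
        server:
          http2:
            keepAliveInterval: 10s
            keepAliveTimeout: 3s
      inboundConnectTimeout: 100ms
      inboundDiscoveryCacheUnusedTimeout: 90s
      isGateway: false
      isIngress: false
      livenessProbe:
        initialDelaySeconds: 10
        timeoutSeconds: 1
      logFormat: plain
      logLevel: warn,linkerd=info,trust_dns=error
      nativeSidecar: false
      opaquePorts: 25,587,3306,4444,5432,6379,9300,11211
      outbound:
        server:
          http2:
            keepAliveInterval: 10s
            keepAliveTimeout: 3s
      outboundConnectTimeout: 1000ms
      outboundDiscoveryCacheUnusedTimeout: 5s
      podInboundPorts: ""
      ports:
        admin: 4191
        control: 4190
        inbound: 4143
        outbound: 4140
      readinessProbe:
        initialDelaySeconds: 2
        timeoutSeconds: 1
      requireIdentityOnInboundPorts: ""
      resources:
        cpu:
          limit: ""
          request: ""
        ephemeral-storage:
          limit: ""
          request: ""
        memory:
          limit: ""
          request: ""
      saMountPath: null
      shutdownGracePeriod: ""
      startupProbe:
        failureThreshold: 120
        initialDelaySeconds: 0
        periodSeconds: 1
      uid: 2102
      waitBeforeExitSeconds: 0
    proxyContainerName: linkerd-proxy
    proxyInit:
      capabilities: null
      closeWaitTimeoutSecs: 0
      ignoreInboundPorts: 4567,4568
      ignoreOutboundPorts: 4567,4568
      image:
        name: cr.l5d.io/linkerd/proxy-init
        pullPolicy: ""
        version: v2.4.0
      iptablesMode: legacy
      kubeAPIServerPorts: 443,6443
      logFormat: ""
      logLevel: ""
      privileged: false
      resources:
        cpu:
          limit: 100m
          request: 100m
        ephemeral-storage:
          limit: ""
          request: ""
        memory:
          limit: 20Mi
          request: 20Mi
      runAsGroup: 65534
      runAsRoot: false
      runAsUser: 65534
      saMountPath: null
      skipSubnets: ""
      xtMountPath:
        mountPath: /run
        name: linkerd-proxy-init-xtables-lock
        readOnly: false
    proxyInjector:
      additionalEnv: null
      caBundle: proxy injector CA bundle
      crtPEM: ""
      experimentalEnv: null
      externalSecret: true
      injectCaFrom: ""
      injectCaFromSecret: ""
      namespaceSelector:
        matchExpressions:
        - key: config.linkerd.io/admission-webhooks
          operator: NotIn
          values:
          - disabled
        - key: kubernetes.io/metadata.name
          operator: NotIn
          values:
          - kube-system
          - cert-manager
    proxyInjectorProxyResources: null
    proxyInjectorResources: null
    revisionHistoryLimit: 10
    spValidator: null
    tolerations: null
    webhookFailurePolicy: Ignore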
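---
# Read access to the single ConfigMap linkerd-config, restricted by
# resourceNames. No RoleBinding for this Role is visible in this part of
# the manifest, so its subjects cannot be determined from here.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  annotations:
    linkerd.io/created-by: linkerd/cli dev-undefined
  name: ext-namespace-metadata-linkerd-config
  namespace: linkerd
rules:
- apiGroups: [""]
  resources: ["configmaps"]
  verbs: ["get"]
  resourceNames: ["linkerd-config"]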
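---
###
### Identity Controller Service
###
# The Secret that follows (linkerd-identity-issuer) carries the issuer's
# EC private key inline as key.pem. This manifest is stamped
# "linkerd/cli dev-undefined" and uses placeholder versions, so the key is
# presumably a test fixture. It has been published and must never be
# reused as an issuer key in a real cluster.
---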
803kind: Secret
804apiVersion: v1
805metadata:
806 name: linkerd-identity-issuer
807 namespace: linkerd
808 labels:
809 linkerd.io/control-plane-component: identity
810 linkerd.io/control-plane-ns: linkerd
811 annotations:
812 linkerd.io/created-by: linkerd/cli dev-undefined
813data:
814 crt.pem: 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
815 key.pem: LS0tLS1CRUdJTiBFQyBQUklWQVRFIEtFWS0tLS0tCk1IY0NBUUVFSUFBZThuZmJ6WnU5Yy9PQjIrOHhKTTBGejdOVXdUUWF6dWxrRk5zNFRJNStvQW9HQ0NxR1NNNDkKQXdFSG9VUURRZ0FFMS9GcGZjUm5EY2VkTDZBalVhWFlQdjRESU1CYUp1Zk9JNU5XdHkrWFNYN0pqWGdadE03MgpkUXZSYVlhbnV4RDM2RHQxMi9KeHlpU2d4S1dSZG9heStRPT0KLS0tLS1FTkQgRUMgUFJJVkFURSBLRVktLS0tLQ==
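---
# Trust anchor bundle for the mesh. The data is a public certificate, but
# its integrity matters: whoever can edit this ConfigMap can change which
# roots the proxies trust (the proxy container below reads it through
# LINKERD2_PROXY_IDENTITY_TRUST_ANCHORS).
kind: ConfigMap
apiVersion: v1
metadata:
  name: linkerd-identity-trust-roots
  namespace: linkerd
  labels:
    linkerd.io/control-plane-component: identity
    linkerd.io/control-plane-ns: linkerd
  annotations:
    linkerd.io/created-by: linkerd/cli dev-undefined
data:
  ca-bundle.crt: |-
    -----BEGIN CERTIFICATE-----
    MIIBwTCCAWagAwIBAgIQeDZp5lDaIygQ5UfMKZrFATAKBggqhkjOPQQDAjApMScw
    JQYDVQQDEx5pZGVudGl0eS5saW5rZXJkLmNsdXN0ZXIubG9jYWwwHhcNMjAwODI4
    MDcxMjQ3WhcNMzAwODI2MDcxMjQ3WjApMScwJQYDVQQDEx5pZGVudGl0eS5saW5r
    ZXJkLmNsdXN0ZXIubG9jYWwwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARqc70Z
    l1vgw79rjB5uSITICUA6GyfvSFfcuIis7B/XFSkkwAHU5S/s1AAP+R0TX7HBWUC4
    uaG4WWsiwJKNn7mgo3AwbjAOBgNVHQ8BAf8EBAMCAQYwEgYDVR0TAQH/BAgwBgEB
    /wIBATAdBgNVHQ4EFgQU5YtjVVPfd7I7NLHsn2C26EByGV0wKQYDVR0RBCIwIIIe
    aWRlbnRpdHkubGlua2VyZC5jbHVzdGVyLmxvY2FsMAoGCCqGSM49BAMCA0kAMEYC
    IQCN7lBFLDDvjx6V0+XkjpKERRsJYf5adMvnloFl48ilJgIhANtxhndcr+QJPuC8
    vgUC0d2/9FMueIVMb+46WTCOjsqr
    -----END CERTIFICATE-----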
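---
# Cluster-internal Service for the identity controller's gRPC port. The
# selector uses one label only, so any pod in the namespace carrying that
# label becomes a backend.
kind: Service
apiVersion: v1
metadata:
  name: linkerd-identity
  namespace: linkerd
  labels:
    linkerd.io/control-plane-component: identity
    linkerd.io/control-plane-ns: linkerd
  annotations:
    linkerd.io/created-by: linkerd/cli dev-undefined
spec:
  type: ClusterIP
  selector:
    linkerd.io/control-plane-component: identity
  ports:
  - name: grpc
    port: 8080
    targetPort: 8080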
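---
# Headless variant (clusterIP: None) of the identity Service: same
# selector and port, but DNS resolves to the pod addresses directly.
kind: Service
apiVersion: v1
metadata:
  name: linkerd-identity-headless
  namespace: linkerd
  labels:
    linkerd.io/control-plane-component: identity
    linkerd.io/control-plane-ns: linkerd
  annotations:
    linkerd.io/created-by: linkerd/cli dev-undefined
spec:
  clusterIP: None
  selector:
    linkerd.io/control-plane-component: identity
  ports:
  - name: grpc
    port: 8080
    targetPort: 8080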
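---
# Identity controller Deployment: one controller container, one proxy
# sidecar and one init container. Points a reviewer should check:
#  - only the `identity` container mounts the issuer Secret (private key);
#    the proxy container mounts just its own end-entity directory and the
#    projected token;
#  - both long-running containers drop ALL capabilities, run as non-root
#    with a read-only root filesystem and the RuntimeDefault seccomp
#    profile;
#  - the init container is the only place capabilities are added.
apiVersion: apps/v1
kind: Deployment
metadata:
  annotations:
    linkerd.io/created-by: linkerd/cli dev-undefined
  labels:
    app.kubernetes.io/name: identity
    app.kubernetes.io/part-of: Linkerd
    app.kubernetes.io/version: install-control-plane-version
    linkerd.io/control-plane-component: identity
    linkerd.io/control-plane-ns: linkerd
  name: linkerd-identity
  namespace: linkerd
spec:
  replicas: 1
  revisionHistoryLimit: 10
  selector:
    matchLabels:
      linkerd.io/control-plane-component: identity
      linkerd.io/control-plane-ns: linkerd
      linkerd.io/proxy-deployment: linkerd-identity
  strategy:
    rollingUpdate:
      maxSurge: 25%
      maxUnavailable: 25%
  template:
    metadata:
      annotations:
        linkerd.io/created-by: linkerd/cli dev-undefined
        linkerd.io/proxy-version: install-proxy-version
        cluster-autoscaler.kubernetes.io/safe-to-evict: "true"
        # Presumably a digest of the trust anchor bundle, so that a change
        # of roots changes the pod template; confirm against the chart.
        linkerd.io/trust-root-sha256: 8dc603abd4e755c25c94da05abbf29b9b283a784733651020d72f97ca8ab98e4
        config.linkerd.io/default-inbound-policy: "all-unauthenticated"
      labels:
        linkerd.io/control-plane-component: identity
        linkerd.io/control-plane-ns: linkerd
        linkerd.io/workload-ns: linkerd
        linkerd.io/proxy-deployment: linkerd-identity
    spec:
      nodeSelector:
        kubernetes.io/os: linux

      containers:
      - args:
        - identity
        - -log-level=info
        - -log-format=plain
        - -controller-namespace=linkerd
        - -identity-trust-domain=cluster.local
        - -identity-issuance-lifetime=24h0m0s
        - -identity-clock-skew-allowance=20s
        - -identity-scheme=linkerd.io/tls
        # pprof is explicitly switched off.
        - -enable-pprof=false
        - -kube-apiclient-qps=100
        - -kube-apiclient-burst=200
        - -trace-collector=collector.linkerd-jaeger.svc.cluster.local:55678
        env:
        - name: LINKERD_DISABLED
          value: "linkerd-await cannot block the identity controller"
        image: cr.l5d.io/linkerd/controller:install-control-plane-version
        imagePullPolicy: IfNotPresent
        livenessProbe:
          httpGet:
            path: /ping
            port: 9990
          initialDelaySeconds: 10
        name: identity
        ports:
        - containerPort: 8080
          name: grpc
        - containerPort: 9990
          name: admin-http
        readinessProbe:
          failureThreshold: 7
          httpGet:
            path: /ready
            port: 9990
        securityContext:
          capabilities:
            drop:
            - ALL
          readOnlyRootFilesystem: true
          runAsNonRoot: true
          runAsUser: 2103
          allowPrivilegeEscalation: false
          seccompProfile:
            type: RuntimeDefault
        volumeMounts:
        # Issuer certificate and private key, from the
        # linkerd-identity-issuer Secret. Mounted into this container only.
        - mountPath: /var/run/linkerd/identity/issuer
          name: identity-issuer
        - mountPath: /var/run/linkerd/identity/trust-roots/
          name: trust-roots
      - env:
        - name: _pod_name
          valueFrom:
            fieldRef:
              fieldPath: metadata.name
        - name: _pod_ns
          valueFrom:
            fieldRef:
              fieldPath: metadata.namespace
        - name: _pod_nodeName
          valueFrom:
            fieldRef:
              fieldPath: spec.nodeName
        # Going by the name, inbound connections to the identity gRPC port
        # must use TLS; confirm against the proxy documentation.
        - name: LINKERD2_PROXY_INBOUND_PORTS_REQUIRE_TLS
          value: "8080"
        - name: LINKERD2_PROXY_LOG
          value: "warn,linkerd=info,trust_dns=error"
        - name: LINKERD2_PROXY_LOG_FORMAT
          value: "plain"
        - name: LINKERD2_PROXY_DESTINATION_SVC_ADDR
          value: linkerd-dst-headless.linkerd.svc.cluster.local.:8086
        - name: LINKERD2_PROXY_DESTINATION_PROFILE_NETWORKS
          value: "10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16,fd00::/8"
        - name: LINKERD2_PROXY_POLICY_SVC_ADDR
          value: linkerd-policy.linkerd.svc.cluster.local.:8090
        - name: LINKERD2_PROXY_POLICY_WORKLOAD
          value: |
            {"ns":"$(_pod_ns)", "pod":"$(_pod_name)"}
        # Same default as the pod annotation above: all-unauthenticated.
        - name: LINKERD2_PROXY_INBOUND_DEFAULT_POLICY
          value: all-unauthenticated
        - name: LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS
          value: "10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16,fd00::/8"
        - name: LINKERD2_PROXY_CONTROL_STREAM_INITIAL_TIMEOUT
          value: "3s"
        - name: LINKERD2_PROXY_CONTROL_STREAM_IDLE_TIMEOUT
          value: "5m"
        - name: LINKERD2_PROXY_CONTROL_STREAM_LIFETIME
          value: "1h"
        - name: LINKERD2_PROXY_INBOUND_CONNECT_TIMEOUT
          value: "100ms"
        - name: LINKERD2_PROXY_OUTBOUND_CONNECT_TIMEOUT
          value: "1000ms"
        - name: LINKERD2_PROXY_OUTBOUND_DISCOVERY_IDLE_TIMEOUT
          value: "5s"
        - name: LINKERD2_PROXY_INBOUND_DISCOVERY_IDLE_TIMEOUT
          value: "90s"
        # Control, admin and inbound listeners bind to all addresses
        # ([::]); the outbound listener binds to loopback only.
        - name: LINKERD2_PROXY_CONTROL_LISTEN_ADDR
          value: "[::]:4190"
        - name: LINKERD2_PROXY_ADMIN_LISTEN_ADDR
          value: "[::]:4191"
        - name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDR
          value: "127.0.0.1:4140"
        - name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDRS
          value: "127.0.0.1:4140"
        - name: LINKERD2_PROXY_INBOUND_LISTEN_ADDR
          value: "[::]:4143"
        - name: LINKERD2_PROXY_INBOUND_IPS
          valueFrom:
            fieldRef:
              fieldPath: status.podIPs
        - name: LINKERD2_PROXY_INBOUND_PORTS
          value: "8080,9990"
        - name: LINKERD2_PROXY_DESTINATION_PROFILE_SUFFIXES
          value: svc.cluster.local.
        - name: LINKERD2_PROXY_INBOUND_ACCEPT_KEEPALIVE
          value: 10000ms
        - name: LINKERD2_PROXY_OUTBOUND_CONNECT_KEEPALIVE
          value: 10000ms
        - name: LINKERD2_PROXY_INBOUND_SERVER_HTTP2_KEEP_ALIVE_INTERVAL
          value: "10s"
        - name: LINKERD2_PROXY_INBOUND_SERVER_HTTP2_KEEP_ALIVE_TIMEOUT
          value: "3s"
        - name: LINKERD2_PROXY_OUTBOUND_SERVER_HTTP2_KEEP_ALIVE_INTERVAL
          value: "10s"
        - name: LINKERD2_PROXY_OUTBOUND_SERVER_HTTP2_KEEP_ALIVE_TIMEOUT
          value: "3s"
        - name: LINKERD2_PROXY_INBOUND_PORTS_DISABLE_PROTOCOL_DETECTION
          value: "25,587,3306,4444,5432,6379,9300,11211"
        - name: LINKERD2_PROXY_DESTINATION_CONTEXT
          value: |
            {"ns":"$(_pod_ns)", "nodeName":"$(_pod_nodeName)", "pod":"$(_pod_name)"}
        - name: _pod_sa
          valueFrom:
            fieldRef:
              fieldPath: spec.serviceAccountName
        - name: _l5d_ns
          value: linkerd
        - name: _l5d_trustdomain
          value: cluster.local
        - name: LINKERD2_PROXY_IDENTITY_DIR
          value: /var/run/linkerd/identity/end-entity
        # Trust anchors come from the linkerd-identity-trust-roots
        # ConfigMap, so write access to that ConfigMap is security-critical.
        - name: LINKERD2_PROXY_IDENTITY_TRUST_ANCHORS
          valueFrom:
            configMapKeyRef:
              name: linkerd-identity-trust-roots
              key: ca-bundle.crt
        - name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE
          value: /var/run/secrets/tokens/linkerd-identity-token
        - name: LINKERD2_PROXY_IDENTITY_SVC_ADDR
          value: localhost.:8080
        - name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME
          value: $(_pod_sa).$(_pod_ns).serviceaccount.identity.linkerd.cluster.local
        - name: LINKERD2_PROXY_IDENTITY_SVC_NAME
          value: linkerd-identity.linkerd.serviceaccount.identity.linkerd.cluster.local
        - name: LINKERD2_PROXY_DESTINATION_SVC_NAME
          value: linkerd-destination.linkerd.serviceaccount.identity.linkerd.cluster.local
        - name: LINKERD2_PROXY_POLICY_SVC_NAME
          value: linkerd-destination.linkerd.serviceaccount.identity.linkerd.cluster.local
        image: cr.l5d.io/linkerd/proxy:install-proxy-version
        imagePullPolicy: IfNotPresent
        livenessProbe:
          httpGet:
            path: /live
            port: 4191
          initialDelaySeconds: 10
          timeoutSeconds: 1
        name: linkerd-proxy
        ports:
        - containerPort: 4143
          name: linkerd-proxy
        - containerPort: 4191
          name: linkerd-admin
        readinessProbe:
          httpGet:
            path: /ready
            port: 4191
          initialDelaySeconds: 2
          timeoutSeconds: 1
        # Empty (null): no requests or limits are set for the proxy, so the
        # container is unbounded unless a LimitRange applies.
        resources:
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            drop:
            - ALL
          readOnlyRootFilesystem: true
          runAsNonRoot: true
          runAsUser: 2102
          seccompProfile:
            type: RuntimeDefault
        terminationMessagePolicy: FallbackToLogsOnError
        volumeMounts:
        - mountPath: /var/run/linkerd/identity/end-entity
          name: linkerd-identity-end-entity
        - mountPath: /var/run/secrets/tokens
          name: linkerd-identity-token
      initContainers:
      - args:
        - --ipv6=false
        - --incoming-proxy-port
        - "4143"
        - --outgoing-proxy-port
        - "4140"
        - --proxy-uid
        - "2102"
        - --inbound-ports-to-ignore
        - "4190,4191,4567,4568"
        - --outbound-ports-to-ignore
        - "443,6443"
        image: cr.l5d.io/linkerd/proxy-init:v2.4.0
        imagePullPolicy: IfNotPresent
        name: linkerd-init
        resources:
          limits:
            cpu: "100m"
            memory: "20Mi"
          requests:
            cpu: "100m"
            memory: "20Mi"
        securityContext:
          allowPrivilegeEscalation: false
          # NET_ADMIN and NET_RAW are added and nothing is dropped. The
          # container is still non-root and not privileged. Containers
          # that add these two capabilities are rejected under the
          # baseline Pod Security level, which is presumably why the
          # namespace enforces "privileged".
          capabilities:
            add:
            - NET_ADMIN
            - NET_RAW
          privileged: false
          runAsNonRoot: true
          runAsUser: 65534
          runAsGroup: 65534
          readOnlyRootFilesystem: true
          seccompProfile:
            type: RuntimeDefault
        terminationMessagePolicy: FallbackToLogsOnError
        volumeMounts:
        - mountPath: /run
          name: linkerd-proxy-init-xtables-lock
      securityContext:
        seccompProfile:
          type: RuntimeDefault
      serviceAccountName: linkerd-identity
      volumes:
      - name: identity-issuer
        secret:
          secretName: linkerd-identity-issuer
      - configMap:
          name: linkerd-identity-trust-roots
        name: trust-roots
      - emptyDir: {}
        name: linkerd-proxy-init-xtables-lock
      # Projected ServiceAccount token: expires after 86400 seconds and is
      # scoped to the audience identity.l5d.io.
      - name: linkerd-identity-token
        projected:
          sources:
          - serviceAccountToken:
              path: linkerd-identity-token
              expirationSeconds: 86400
              audience: identity.l5d.io
      # Memory-backed emptyDir: the proxy's end-entity material stays in
      # tmpfs and is not written to the node's disk.
      - emptyDir:
          medium: Memory
        name: linkerd-identity-end-entity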
---
###
### Destination Controller Service
###
# ClusterIP Service in front of the destination controller's gRPC port.
# The selector matches on a single label, so which pods back this Service
# depends on who may create or label pods in the linkerd namespace.
apiVersion: v1
kind: Service
metadata:
  name: linkerd-dst
  namespace: linkerd
  labels:
    linkerd.io/control-plane-component: destination
    linkerd.io/control-plane-ns: linkerd
  annotations:
    linkerd.io/created-by: linkerd/cli dev-undefined
spec:
  type: ClusterIP
  selector:
    linkerd.io/control-plane-component: destination
  ports:
  - name: grpc
    port: 8086
    targetPort: 8086
---
# Headless variant (clusterIP: None) of the destination gRPC Service:
# DNS resolves to the backing pod addresses rather than a virtual IP.
apiVersion: v1
kind: Service
metadata:
  name: linkerd-dst-headless
  namespace: linkerd
  labels:
    linkerd.io/control-plane-component: destination
    linkerd.io/control-plane-ns: linkerd
  annotations:
    linkerd.io/created-by: linkerd/cli dev-undefined
spec:
  clusterIP: None
  selector:
    linkerd.io/control-plane-component: destination
  ports:
  - name: grpc
    port: 8086
    targetPort: 8086
---
# Service for the sp-validator endpoint: port 443 forwards to the container
# port named "sp-validator". Presumably this is the address an admission
# webhook configuration points at - confirm against the webhook manifest.
apiVersion: v1
kind: Service
metadata:
  name: linkerd-sp-validator
  namespace: linkerd
  labels:
    linkerd.io/control-plane-component: destination
    linkerd.io/control-plane-ns: linkerd
  annotations:
    linkerd.io/created-by: linkerd/cli dev-undefined
spec:
  type: ClusterIP
  selector:
    linkerd.io/control-plane-component: destination
  ports:
  - name: sp-validator
    port: 443
    targetPort: sp-validator
---
# Headless Service (clusterIP: None) for the policy controller's gRPC port.
apiVersion: v1
kind: Service
metadata:
  name: linkerd-policy
  namespace: linkerd
  labels:
    linkerd.io/control-plane-component: destination
    linkerd.io/control-plane-ns: linkerd
  annotations:
    linkerd.io/created-by: linkerd/cli dev-undefined
spec:
  clusterIP: None
  selector:
    linkerd.io/control-plane-component: destination
  ports:
  - name: grpc
    port: 8090
    targetPort: 8090
---
# Service for the policy controller's HTTPS endpoint: port 443 forwards to
# the container port named "policy-https".
apiVersion: v1
kind: Service
metadata:
  name: linkerd-policy-validator
  namespace: linkerd
  labels:
    linkerd.io/control-plane-component: destination
    linkerd.io/control-plane-ns: linkerd
  annotations:
    linkerd.io/created-by: linkerd/cli dev-undefined
spec:
  type: ClusterIP
  selector:
    linkerd.io/control-plane-component: destination
  ports:
  - name: policy-https
    port: 443
    targetPort: policy-https
---
# Destination controller Deployment. One pod runs four containers
# (linkerd-proxy, destination, sp-validator, policy) plus the linkerd-init
# init container, all under the linkerd-destination service account.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: linkerd-destination
  namespace: linkerd
  labels:
    app.kubernetes.io/name: destination
    app.kubernetes.io/part-of: Linkerd
    app.kubernetes.io/version: install-control-plane-version
    linkerd.io/control-plane-component: destination
    linkerd.io/control-plane-ns: linkerd
  annotations:
    linkerd.io/created-by: linkerd/cli dev-undefined
spec:
  replicas: 1
  revisionHistoryLimit: 10
  selector:
    matchLabels:
      linkerd.io/control-plane-component: destination
      linkerd.io/control-plane-ns: linkerd
      linkerd.io/proxy-deployment: linkerd-destination
  strategy:
    rollingUpdate:
      maxSurge: 25%
      maxUnavailable: 25%
  template:
    metadata:
      annotations:
        checksum/config: 579a2f931900ccee9dc86afedf01af0e4ca273ef6ec649b2630c358daa1e067f
        linkerd.io/created-by: linkerd/cli dev-undefined
        linkerd.io/proxy-version: install-proxy-version
        cluster-autoscaler.kubernetes.io/safe-to-evict: "true"
        linkerd.io/trust-root-sha256: 8dc603abd4e755c25c94da05abbf29b9b283a784733651020d72f97ca8ab98e4
        # Same value as LINKERD2_PROXY_INBOUND_DEFAULT_POLICY and the policy
        # container's --default-policy below; keep the three in agreement.
        config.linkerd.io/default-inbound-policy: "all-unauthenticated"
      labels:
        linkerd.io/control-plane-component: destination
        linkerd.io/control-plane-ns: linkerd
        linkerd.io/workload-ns: linkerd
        linkerd.io/proxy-deployment: linkerd-destination
    spec:
      nodeSelector:
        kubernetes.io/os: linux

      containers:
      # --- linkerd-proxy sidecar ---
      # Entry order in this env list matters: $(_pod_ns), $(_pod_name),
      # $(_pod_nodeName) and $(_pod_sa) are expanded from entries defined
      # before the ones that reference them.
      - env:
        - name: _pod_name
          valueFrom:
            fieldRef:
              fieldPath: metadata.name
        - name: _pod_ns
          valueFrom:
            fieldRef:
              fieldPath: metadata.namespace
        - name: _pod_nodeName
          valueFrom:
            fieldRef:
              fieldPath: spec.nodeName
        - name: LINKERD2_PROXY_LOG
          value: "warn,linkerd=info,trust_dns=error"
        - name: LINKERD2_PROXY_LOG_FORMAT
          value: "plain"
        - name: LINKERD2_PROXY_DESTINATION_SVC_ADDR
          # localhost: the destination container runs in this same pod.
          value: localhost.:8086
        - name: LINKERD2_PROXY_DESTINATION_PROFILE_NETWORKS
          value: "10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16,fd00::/8"
        - name: LINKERD2_PROXY_POLICY_SVC_ADDR
          # localhost: the policy container runs in this same pod.
          value: localhost.:8090
        - name: LINKERD2_PROXY_POLICY_WORKLOAD
          value: |
            {"ns":"$(_pod_ns)", "pod":"$(_pod_name)"}
        - name: LINKERD2_PROXY_INBOUND_DEFAULT_POLICY
          # Per the policy name, inbound connections are admitted without
          # requiring an authenticated client identity unless a more specific
          # policy applies. NOTE(review): confirm this default is intended.
          value: all-unauthenticated
        - name: LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS
          value: "10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16,fd00::/8"
        - name: LINKERD2_PROXY_CONTROL_STREAM_INITIAL_TIMEOUT
          value: "3s"
        - name: LINKERD2_PROXY_CONTROL_STREAM_IDLE_TIMEOUT
          value: "5m"
        - name: LINKERD2_PROXY_CONTROL_STREAM_LIFETIME
          value: "1h"
        - name: LINKERD2_PROXY_INBOUND_CONNECT_TIMEOUT
          value: "100ms"
        - name: LINKERD2_PROXY_OUTBOUND_CONNECT_TIMEOUT
          value: "1000ms"
        - name: LINKERD2_PROXY_OUTBOUND_DISCOVERY_IDLE_TIMEOUT
          value: "5s"
        - name: LINKERD2_PROXY_INBOUND_DISCOVERY_IDLE_TIMEOUT
          value: "90s"
        # Control, admin and inbound listeners bind to [::] (all addresses);
        # only the outbound listener is bound to loopback.
        - name: LINKERD2_PROXY_CONTROL_LISTEN_ADDR
          value: "[::]:4190"
        - name: LINKERD2_PROXY_ADMIN_LISTEN_ADDR
          value: "[::]:4191"
        - name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDR
          value: "127.0.0.1:4140"
        - name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDRS
          value: "127.0.0.1:4140"
        - name: LINKERD2_PROXY_INBOUND_LISTEN_ADDR
          value: "[::]:4143"
        - name: LINKERD2_PROXY_INBOUND_IPS
          valueFrom:
            fieldRef:
              fieldPath: status.podIPs
        # Matches the containerPorts declared by the destination,
        # sp-validator and policy containers below, admin ports included.
        - name: LINKERD2_PROXY_INBOUND_PORTS
          value: "8086,8090,8443,9443,9990,9996,9997"
        - name: LINKERD2_PROXY_DESTINATION_PROFILE_SUFFIXES
          value: svc.cluster.local.
        - name: LINKERD2_PROXY_INBOUND_ACCEPT_KEEPALIVE
          value: 10000ms
        - name: LINKERD2_PROXY_OUTBOUND_CONNECT_KEEPALIVE
          value: 10000ms
        - name: LINKERD2_PROXY_INBOUND_SERVER_HTTP2_KEEP_ALIVE_INTERVAL
          value: "10s"
        - name: LINKERD2_PROXY_INBOUND_SERVER_HTTP2_KEEP_ALIVE_TIMEOUT
          value: "3s"
        - name: LINKERD2_PROXY_OUTBOUND_SERVER_HTTP2_KEEP_ALIVE_INTERVAL
          value: "10s"
        - name: LINKERD2_PROXY_OUTBOUND_SERVER_HTTP2_KEEP_ALIVE_TIMEOUT
          value: "3s"
        - name: LINKERD2_PROXY_INBOUND_PORTS_DISABLE_PROTOCOL_DETECTION
          value: "25,587,3306,4444,5432,6379,9300,11211"
        - name: LINKERD2_PROXY_DESTINATION_CONTEXT
          value: |
            {"ns":"$(_pod_ns)", "nodeName":"$(_pod_nodeName)", "pod":"$(_pod_name)"}
        - name: _pod_sa
          valueFrom:
            fieldRef:
              fieldPath: spec.serviceAccountName
        - name: _l5d_ns
          value: linkerd
        - name: _l5d_trustdomain
          value: cluster.local
        # Identity bootstrap: trust anchors come from the
        # linkerd-identity-trust-roots ConfigMap, the token from the projected
        # service-account token volume, and the identity directory is the
        # memory-backed emptyDir declared under volumes.
        - name: LINKERD2_PROXY_IDENTITY_DIR
          value: /var/run/linkerd/identity/end-entity
        - name: LINKERD2_PROXY_IDENTITY_TRUST_ANCHORS
          valueFrom:
            configMapKeyRef:
              name: linkerd-identity-trust-roots
              key: ca-bundle.crt
        - name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE
          value: /var/run/secrets/tokens/linkerd-identity-token
        - name: LINKERD2_PROXY_IDENTITY_SVC_ADDR
          value: linkerd-identity-headless.linkerd.svc.cluster.local.:8080
        - name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME
          value: $(_pod_sa).$(_pod_ns).serviceaccount.identity.linkerd.cluster.local
        - name: LINKERD2_PROXY_IDENTITY_SVC_NAME
          value: linkerd-identity.linkerd.serviceaccount.identity.linkerd.cluster.local
        - name: LINKERD2_PROXY_DESTINATION_SVC_NAME
          value: linkerd-destination.linkerd.serviceaccount.identity.linkerd.cluster.local
        - name: LINKERD2_PROXY_POLICY_SVC_NAME
          value: linkerd-destination.linkerd.serviceaccount.identity.linkerd.cluster.local
        # The tag is the literal string "install-proxy-version", which looks
        # like a template placeholder. Images here are referenced by tag, not
        # by digest.
        image: cr.l5d.io/linkerd/proxy:install-proxy-version
        imagePullPolicy: IfNotPresent
        livenessProbe:
          httpGet:
            path: /live
            port: 4191
          initialDelaySeconds: 10
          timeoutSeconds: 1
        name: linkerd-proxy
        ports:
        - containerPort: 4143
          name: linkerd-proxy
        - containerPort: 4191
          name: linkerd-admin
        readinessProbe:
          httpGet:
            path: /ready
            port: 4191
          initialDelaySeconds: 2
          timeoutSeconds: 1
        # Empty (null): no CPU/memory requests or limits are set for the proxy.
        resources:
        # Non-root UID 2102, every capability dropped, read-only root
        # filesystem, no privilege escalation, runtime-default seccomp.
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            drop:
            - ALL
          readOnlyRootFilesystem: true
          runAsNonRoot: true
          runAsUser: 2102
          seccompProfile:
            type: RuntimeDefault
        terminationMessagePolicy: FallbackToLogsOnError
        # postStart hook runs linkerd-await against port 4191 with a
        # two-minute timeout.
        lifecycle:
          postStart:
            exec:
              command:
              - /usr/lib/linkerd/linkerd-await
              - --timeout=2m
              - --port=4191
        volumeMounts:
        - mountPath: /var/run/linkerd/identity/end-entity
          name: linkerd-identity-end-entity
        - mountPath: /var/run/secrets/tokens
          name: linkerd-identity-token
      # --- destination controller ---
      - args:
        - destination
        - -addr=:8086
        - -controller-namespace=linkerd
        - -enable-h2-upgrade=true
        - -log-level=info
        - -log-format=plain
        - -enable-endpoint-slices=true
        - -cluster-domain=cluster.local
        - -identity-trust-domain=cluster.local
        - -default-opaque-ports=25,587,3306,4444,5432,6379,9300,11211
        - -enable-ipv6=false
        # pprof is switched off here; keep it that way outside of debugging.
        - -enable-pprof=false
        - --meshed-http2-client-params={"keep_alive":{"interval":{"seconds":10},"timeout":{"seconds":3},"while_idle":true}}
        - -trace-collector=collector.linkerd-jaeger.svc.cluster.local:55678
        image: cr.l5d.io/linkerd/controller:install-control-plane-version
        imagePullPolicy: IfNotPresent
        livenessProbe:
          httpGet:
            path: /ping
            port: 9996
          initialDelaySeconds: 10
        name: destination
        ports:
        - containerPort: 8086
          name: grpc
        - containerPort: 9996
          name: admin-http
        readinessProbe:
          failureThreshold: 7
          httpGet:
            path: /ready
            port: 9996
        # No resources block is declared for this container.
        securityContext:
          capabilities:
            drop:
            - ALL
          readOnlyRootFilesystem: true
          runAsNonRoot: true
          runAsUser: 2103
          allowPrivilegeEscalation: false
          seccompProfile:
            type: RuntimeDefault
      # --- sp-validator ---
      - args:
        - sp-validator
        - -log-level=info
        - -log-format=plain
        - -enable-pprof=false
        image: cr.l5d.io/linkerd/controller:install-control-plane-version
        imagePullPolicy: IfNotPresent
        livenessProbe:
          httpGet:
            path: /ping
            port: 9997
          initialDelaySeconds: 10
        name: sp-validator
        ports:
        - containerPort: 8443
          name: sp-validator
        - containerPort: 9997
          name: admin-http
        readinessProbe:
          failureThreshold: 7
          httpGet:
            path: /ready
            port: 9997
        securityContext:
          capabilities:
            drop:
            - ALL
          readOnlyRootFilesystem: true
          runAsNonRoot: true
          runAsUser: 2103
          allowPrivilegeEscalation: false
          seccompProfile:
            type: RuntimeDefault
        volumeMounts:
        # Backed by the linkerd-sp-validator-k8s-tls Secret, mounted read-only.
        - mountPath: /var/run/linkerd/tls
          name: sp-tls
          readOnly: true
      # --- policy controller ---
      - args:
        - --admin-addr=[::]:9990
        - --control-plane-namespace=linkerd
        - --grpc-addr=[::]:8090
        - --server-addr=[::]:9443
        - --server-tls-key=/var/run/linkerd/tls/tls.key
        - --server-tls-certs=/var/run/linkerd/tls/tls.crt
        - --cluster-networks=10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16,fd00::/8
        - --identity-domain=cluster.local
        - --cluster-domain=cluster.local
        # Cluster-wide default; see the matching pod annotation above.
        - --default-policy=all-unauthenticated
        - --log-level=info
        - --log-format=plain
        - --default-opaque-ports=25,587,3306,4444,5432,6379,9300,11211
        # 0.0.0.0/0,::/0 covers every source address. NOTE(review): presumably
        # these are the networks probes are accepted from; narrowing them to
        # the node/kubelet ranges is worth considering - confirm first.
        - --probe-networks=0.0.0.0/0,::/0
        image: cr.l5d.io/linkerd/policy-controller:install-control-plane-version
        imagePullPolicy: IfNotPresent
        livenessProbe:
          httpGet:
            path: /live
            port: admin-http
        name: policy
        ports:
        - containerPort: 8090
          name: grpc
        - containerPort: 9990
          name: admin-http
        - containerPort: 9443
          name: policy-https
        readinessProbe:
          failureThreshold: 7
          httpGet:
            path: /ready
            port: admin-http
          initialDelaySeconds: 10
        # Empty (null): no CPU/memory requests or limits are set.
        resources:
        securityContext:
          capabilities:
            drop:
            - ALL
          readOnlyRootFilesystem: true
          runAsNonRoot: true
          runAsUser: 2103
          allowPrivilegeEscalation: false
          seccompProfile:
            type: RuntimeDefault
        volumeMounts:
        # Backed by the linkerd-policy-validator-k8s-tls Secret, read-only.
        - mountPath: /var/run/linkerd/tls
          name: policy-tls
          readOnly: true
      initContainers:
      # --- linkerd-init ---
      # Per the flag names: inbound ports 4190,4191,4567,4568 and outbound
      # ports 443,6443 are left out of proxy redirection, so traffic on them
      # does not pass through linkerd-proxy.
      - args:
        - --ipv6=false
        - --incoming-proxy-port
        - "4143"
        - --outgoing-proxy-port
        - "4140"
        - --proxy-uid
        - "2102"
        - --inbound-ports-to-ignore
        - "4190,4191,4567,4568"
        - --outbound-ports-to-ignore
        - "443,6443"
        image: cr.l5d.io/linkerd/proxy-init:v2.4.0
        imagePullPolicy: IfNotPresent
        name: linkerd-init
        resources:
          limits:
            cpu: "100m"
            memory: "20Mi"
          requests:
            cpu: "100m"
            memory: "20Mi"
        # The only container in this pod that adds capabilities (NET_ADMIN,
        # NET_RAW). It runs unprivileged as UID/GID 65534 with a read-only
        # root filesystem; note there is no capabilities.drop list here.
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            add:
            - NET_ADMIN
            - NET_RAW
          privileged: false
          runAsNonRoot: true
          runAsUser: 65534
          runAsGroup: 65534
          readOnlyRootFilesystem: true
          seccompProfile:
            type: RuntimeDefault
        terminationMessagePolicy: FallbackToLogsOnError
        volumeMounts:
        - mountPath: /run
          name: linkerd-proxy-init-xtables-lock
      securityContext:
        seccompProfile:
          type: RuntimeDefault
      serviceAccountName: linkerd-destination
      volumes:
      - name: sp-tls
        secret:
          secretName: linkerd-sp-validator-k8s-tls
      - name: policy-tls
        secret:
          secretName: linkerd-policy-validator-k8s-tls
      - emptyDir: {}
        name: linkerd-proxy-init-xtables-lock
      # Projected service-account token bound to the identity.l5d.io audience
      # with a 24-hour (86400 s) lifetime.
      - name: linkerd-identity-token
        projected:
          sources:
          - serviceAccountToken:
              path: linkerd-identity-token
              expirationSeconds: 86400
              audience: identity.l5d.io
      # Memory-backed emptyDir: contents are not written to node disk.
      - emptyDir:
          medium: Memory
        name: linkerd-identity-end-entity
---
###
### Heartbeat
###
# CronJob that runs the controller image with the "heartbeat" argument under
# the linkerd-heartbeat service account. No proxy sidecar is declared in this
# pod template.
apiVersion: batch/v1
kind: CronJob
metadata:
  name: linkerd-heartbeat
  namespace: linkerd
  labels:
    app.kubernetes.io/name: heartbeat
    app.kubernetes.io/part-of: Linkerd
    app.kubernetes.io/version: install-control-plane-version
    linkerd.io/control-plane-component: heartbeat
    linkerd.io/control-plane-ns: linkerd
  annotations:
    linkerd.io/created-by: linkerd/cli dev-undefined
spec:
  concurrencyPolicy: Replace
  # NOTE(review): "1 2 3 4 5" looks like a fixed test value rather than a
  # real schedule - confirm before reusing this manifest.
  schedule: "1 2 3 4 5"
  successfulJobsHistoryLimit: 0
  jobTemplate:
    spec:
      template:
        metadata:
          labels:
            linkerd.io/control-plane-component: heartbeat
            linkerd.io/workload-ns: linkerd
          annotations:
            linkerd.io/created-by: linkerd/cli dev-undefined
        spec:
          nodeSelector:
            kubernetes.io/os: linux
          securityContext:
            seccompProfile:
              type: RuntimeDefault
          serviceAccountName: linkerd-heartbeat
          restartPolicy: Never
          containers:
          - name: heartbeat
            image: cr.l5d.io/linkerd/controller:install-control-plane-version
            imagePullPolicy: IfNotPresent
            env:
            - name: LINKERD_DISABLED
              value: "the heartbeat controller does not use the proxy"
            args:
            - "heartbeat"
            - "-controller-namespace=linkerd"
            - "-log-level=info"
            - "-log-format=plain"
            # Plain http:// URL, and this pod has no proxy, so the Prometheus
            # query is not protected by mesh mTLS on this side.
            - "-prometheus-url=http://prometheus.linkerd-viz.svc.cluster.local:9090"
            # Non-root UID 2103, all capabilities dropped, read-only root
            # filesystem, no privilege escalation.
            securityContext:
              capabilities:
                drop:
                - ALL
              readOnlyRootFilesystem: true
              runAsNonRoot: true
              runAsUser: 2103
              allowPrivilegeEscalation: false
              seccompProfile:
                type: RuntimeDefault
---
###
### Proxy Injector
###
# Proxy injector Deployment: one pod with the linkerd-proxy sidecar, the
# proxy-injector container and the linkerd-init init container, running as
# the linkerd-proxy-injector service account.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: linkerd-proxy-injector
  namespace: linkerd
  labels:
    app.kubernetes.io/name: proxy-injector
    app.kubernetes.io/part-of: Linkerd
    app.kubernetes.io/version: install-control-plane-version
    linkerd.io/control-plane-component: proxy-injector
    linkerd.io/control-plane-ns: linkerd
  annotations:
    linkerd.io/created-by: linkerd/cli dev-undefined
spec:
  replicas: 1
  revisionHistoryLimit: 10
  selector:
    matchLabels:
      linkerd.io/control-plane-component: proxy-injector
  strategy:
    rollingUpdate:
      maxSurge: 25%
      maxUnavailable: 25%
  template:
    metadata:
      annotations:
        checksum/config: cd0cf730780be444ab96a4a835a244033ffb7c8cf4a8796d0e6ae5c72aa9ff31
        linkerd.io/created-by: linkerd/cli dev-undefined
        linkerd.io/proxy-version: install-proxy-version
        cluster-autoscaler.kubernetes.io/safe-to-evict: "true"
        linkerd.io/trust-root-sha256: 8dc603abd4e755c25c94da05abbf29b9b283a784733651020d72f97ca8ab98e4
        # 8443 is the proxy-injector container's serving port (see ports below).
        config.linkerd.io/opaque-ports: "8443"
        # Same value as LINKERD2_PROXY_INBOUND_DEFAULT_POLICY below.
        config.linkerd.io/default-inbound-policy: "all-unauthenticated"
      labels:
        linkerd.io/control-plane-component: proxy-injector
        linkerd.io/control-plane-ns: linkerd
        linkerd.io/workload-ns: linkerd
        linkerd.io/proxy-deployment: linkerd-proxy-injector
    spec:
      nodeSelector:
        kubernetes.io/os: linux

      containers:
      # --- linkerd-proxy sidecar ---
      # Entry order in this env list matters: $(_pod_ns), $(_pod_name),
      # $(_pod_nodeName) and $(_pod_sa) are expanded from entries defined
      # before the ones that reference them.
      - env:
        - name: _pod_name
          valueFrom:
            fieldRef:
              fieldPath: metadata.name
        - name: _pod_ns
          valueFrom:
            fieldRef:
              fieldPath: metadata.namespace
        - name: _pod_nodeName
          valueFrom:
            fieldRef:
              fieldPath: spec.nodeName
        - name: LINKERD2_PROXY_LOG
          value: "warn,linkerd=info,trust_dns=error"
        - name: LINKERD2_PROXY_LOG_FORMAT
          value: "plain"
        - name: LINKERD2_PROXY_DESTINATION_SVC_ADDR
          value: linkerd-dst-headless.linkerd.svc.cluster.local.:8086
        - name: LINKERD2_PROXY_DESTINATION_PROFILE_NETWORKS
          value: "10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16,fd00::/8"
        - name: LINKERD2_PROXY_POLICY_SVC_ADDR
          value: linkerd-policy.linkerd.svc.cluster.local.:8090
        - name: LINKERD2_PROXY_POLICY_WORKLOAD
          value: |
            {"ns":"$(_pod_ns)", "pod":"$(_pod_name)"}
        - name: LINKERD2_PROXY_INBOUND_DEFAULT_POLICY
          # Per the policy name, inbound connections are admitted without
          # requiring an authenticated client identity unless a more specific
          # policy applies. NOTE(review): confirm this default is intended.
          value: all-unauthenticated
        - name: LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS
          value: "10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16,fd00::/8"
        - name: LINKERD2_PROXY_CONTROL_STREAM_INITIAL_TIMEOUT
          value: "3s"
        - name: LINKERD2_PROXY_CONTROL_STREAM_IDLE_TIMEOUT
          value: "5m"
        - name: LINKERD2_PROXY_CONTROL_STREAM_LIFETIME
          value: "1h"
        - name: LINKERD2_PROXY_INBOUND_CONNECT_TIMEOUT
          value: "100ms"
        - name: LINKERD2_PROXY_OUTBOUND_CONNECT_TIMEOUT
          value: "1000ms"
        - name: LINKERD2_PROXY_OUTBOUND_DISCOVERY_IDLE_TIMEOUT
          value: "5s"
        - name: LINKERD2_PROXY_INBOUND_DISCOVERY_IDLE_TIMEOUT
          value: "90s"
        # Control, admin and inbound listeners bind to [::] (all addresses);
        # only the outbound listener is bound to loopback.
        - name: LINKERD2_PROXY_CONTROL_LISTEN_ADDR
          value: "[::]:4190"
        - name: LINKERD2_PROXY_ADMIN_LISTEN_ADDR
          value: "[::]:4191"
        - name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDR
          value: "127.0.0.1:4140"
        - name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDRS
          value: "127.0.0.1:4140"
        - name: LINKERD2_PROXY_INBOUND_LISTEN_ADDR
          value: "[::]:4143"
        - name: LINKERD2_PROXY_INBOUND_IPS
          valueFrom:
            fieldRef:
              fieldPath: status.podIPs
        # Matches the proxy-injector container's two containerPorts.
        - name: LINKERD2_PROXY_INBOUND_PORTS
          value: "8443,9995"
        - name: LINKERD2_PROXY_DESTINATION_PROFILE_SUFFIXES
          value: svc.cluster.local.
        - name: LINKERD2_PROXY_INBOUND_ACCEPT_KEEPALIVE
          value: 10000ms
        - name: LINKERD2_PROXY_OUTBOUND_CONNECT_KEEPALIVE
          value: 10000ms
        - name: LINKERD2_PROXY_INBOUND_SERVER_HTTP2_KEEP_ALIVE_INTERVAL
          value: "10s"
        - name: LINKERD2_PROXY_INBOUND_SERVER_HTTP2_KEEP_ALIVE_TIMEOUT
          value: "3s"
        - name: LINKERD2_PROXY_OUTBOUND_SERVER_HTTP2_KEEP_ALIVE_INTERVAL
          value: "10s"
        - name: LINKERD2_PROXY_OUTBOUND_SERVER_HTTP2_KEEP_ALIVE_TIMEOUT
          value: "3s"
        - name: LINKERD2_PROXY_INBOUND_PORTS_DISABLE_PROTOCOL_DETECTION
          value: "25,587,3306,4444,5432,6379,9300,11211"
        - name: LINKERD2_PROXY_DESTINATION_CONTEXT
          value: |
            {"ns":"$(_pod_ns)", "nodeName":"$(_pod_nodeName)", "pod":"$(_pod_name)"}
        - name: _pod_sa
          valueFrom:
            fieldRef:
              fieldPath: spec.serviceAccountName
        - name: _l5d_ns
          value: linkerd
        - name: _l5d_trustdomain
          value: cluster.local
        # Identity bootstrap: trust anchors come from the
        # linkerd-identity-trust-roots ConfigMap, the token from the projected
        # service-account token volume, and the identity directory is the
        # memory-backed emptyDir declared under volumes.
        - name: LINKERD2_PROXY_IDENTITY_DIR
          value: /var/run/linkerd/identity/end-entity
        - name: LINKERD2_PROXY_IDENTITY_TRUST_ANCHORS
          valueFrom:
            configMapKeyRef:
              name: linkerd-identity-trust-roots
              key: ca-bundle.crt
        - name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE
          value: /var/run/secrets/tokens/linkerd-identity-token
        - name: LINKERD2_PROXY_IDENTITY_SVC_ADDR
          value: linkerd-identity-headless.linkerd.svc.cluster.local.:8080
        - name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME
          value: $(_pod_sa).$(_pod_ns).serviceaccount.identity.linkerd.cluster.local
        - name: LINKERD2_PROXY_IDENTITY_SVC_NAME
          value: linkerd-identity.linkerd.serviceaccount.identity.linkerd.cluster.local
        - name: LINKERD2_PROXY_DESTINATION_SVC_NAME
          value: linkerd-destination.linkerd.serviceaccount.identity.linkerd.cluster.local
        - name: LINKERD2_PROXY_POLICY_SVC_NAME
          value: linkerd-destination.linkerd.serviceaccount.identity.linkerd.cluster.local
        # The tag is the literal string "install-proxy-version", which looks
        # like a template placeholder. Images here are referenced by tag, not
        # by digest.
        image: cr.l5d.io/linkerd/proxy:install-proxy-version
        imagePullPolicy: IfNotPresent
        livenessProbe:
          httpGet:
            path: /live
            port: 4191
          initialDelaySeconds: 10
          timeoutSeconds: 1
        name: linkerd-proxy
        ports:
        - containerPort: 4143
          name: linkerd-proxy
        - containerPort: 4191
          name: linkerd-admin
        readinessProbe:
          httpGet:
            path: /ready
            port: 4191
          initialDelaySeconds: 2
          timeoutSeconds: 1
        # Empty (null): no CPU/memory requests or limits are set for the proxy.
        resources:
        # Non-root UID 2102, every capability dropped, read-only root
        # filesystem, no privilege escalation, runtime-default seccomp.
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            drop:
            - ALL
          readOnlyRootFilesystem: true
          runAsNonRoot: true
          runAsUser: 2102
          seccompProfile:
            type: RuntimeDefault
        terminationMessagePolicy: FallbackToLogsOnError
        # postStart hook runs linkerd-await against port 4191 with a
        # two-minute timeout.
        lifecycle:
          postStart:
            exec:
              command:
              - /usr/lib/linkerd/linkerd-await
              - --timeout=2m
              - --port=4191
        volumeMounts:
        - mountPath: /var/run/linkerd/identity/end-entity
          name: linkerd-identity-end-entity
        - mountPath: /var/run/secrets/tokens
          name: linkerd-identity-token
      # --- proxy-injector ---
      - args:
        - proxy-injector
        - -log-level=info
        - -log-format=plain
        - -linkerd-namespace=linkerd
        # pprof is switched off here; keep it that way outside of debugging.
        - -enable-pprof=false
        image: cr.l5d.io/linkerd/controller:install-control-plane-version
        imagePullPolicy: IfNotPresent
        livenessProbe:
          httpGet:
            path: /ping
            port: 9995
          initialDelaySeconds: 10
        name: proxy-injector
        ports:
        - containerPort: 8443
          name: proxy-injector
        - containerPort: 9995
          name: admin-http
        readinessProbe:
          failureThreshold: 7
          httpGet:
            path: /ready
            port: 9995
        # No resources block is declared for this container.
        securityContext:
          capabilities:
            drop:
            - ALL
          readOnlyRootFilesystem: true
          runAsNonRoot: true
          runAsUser: 2103
          allowPrivilegeEscalation: false
          seccompProfile:
            type: RuntimeDefault
        volumeMounts:
        - mountPath: /var/run/linkerd/config
          name: config
        - mountPath: /var/run/linkerd/identity/trust-roots
          name: trust-roots
        # Backed by the linkerd-proxy-injector-k8s-tls Secret; the only mount
        # of the three that is explicitly marked read-only.
        - mountPath: /var/run/linkerd/tls
          name: tls
          readOnly: true
      initContainers:
      # --- linkerd-init ---
      # Per the flag names: inbound ports 4190,4191,4567,4568 and outbound
      # ports 443,6443 are left out of proxy redirection, so traffic on them
      # does not pass through linkerd-proxy.
      - args:
        - --ipv6=false
        - --incoming-proxy-port
        - "4143"
        - --outgoing-proxy-port
        - "4140"
        - --proxy-uid
        - "2102"
        - --inbound-ports-to-ignore
        - "4190,4191,4567,4568"
        - --outbound-ports-to-ignore
        - "443,6443"
        image: cr.l5d.io/linkerd/proxy-init:v2.4.0
        imagePullPolicy: IfNotPresent
        name: linkerd-init
        resources:
          limits:
            cpu: "100m"
            memory: "20Mi"
          requests:
            cpu: "100m"
            memory: "20Mi"
        # The only container in this pod that adds capabilities (NET_ADMIN,
        # NET_RAW). It runs unprivileged as UID/GID 65534 with a read-only
        # root filesystem; note there is no capabilities.drop list here.
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            add:
            - NET_ADMIN
            - NET_RAW
          privileged: false
          runAsNonRoot: true
          runAsUser: 65534
          runAsGroup: 65534
          readOnlyRootFilesystem: true
          seccompProfile:
            type: RuntimeDefault
        terminationMessagePolicy: FallbackToLogsOnError
        volumeMounts:
        - mountPath: /run
          name: linkerd-proxy-init-xtables-lock
      securityContext:
        seccompProfile:
          type: RuntimeDefault
      serviceAccountName: linkerd-proxy-injector
      volumes:
      - configMap:
          name: linkerd-config
        name: config
      - configMap:
          name: linkerd-identity-trust-roots
        name: trust-roots
      - name: tls
        secret:
          secretName: linkerd-proxy-injector-k8s-tls
      - emptyDir: {}
        name: linkerd-proxy-init-xtables-lock
      # Projected service-account token bound to the identity.l5d.io audience
      # with a 24-hour (86400 s) lifetime.
      - name: linkerd-identity-token
        projected:
          sources:
          - serviceAccountToken:
              path: linkerd-identity-token
              expirationSeconds: 86400
              audience: identity.l5d.io
      # Memory-backed emptyDir: contents are not written to node disk.
      - emptyDir:
          medium: Memory
        name: linkerd-identity-end-entity
---
# Service for the proxy injector: port 443 forwards to the container port
# named "proxy-injector" (8443 in the Deployment). The opaque-ports
# annotation marks 443 as opaque to the mesh proxy.
apiVersion: v1
kind: Service
metadata:
  name: linkerd-proxy-injector
  namespace: linkerd
  labels:
    linkerd.io/control-plane-component: proxy-injector
    linkerd.io/control-plane-ns: linkerd
  annotations:
    linkerd.io/created-by: linkerd/cli dev-undefined
    config.linkerd.io/opaque-ports: "443"
spec:
  type: ClusterIP
  selector:
    linkerd.io/control-plane-component: proxy-injector
  ports:
  - name: proxy-injector
    port: 443
    targetPort: proxy-injector
---
# Secret carrying the linkerd-config-overrides payload. Values under "data"
# in a Secret are base64-encoded, not encrypted, so read access to this
# object should be limited through RBAC.
apiVersion: v1
kind: Secret
metadata:
  name: linkerd-config-overrides
  namespace: linkerd
  labels:
    linkerd.io/control-plane-ns: linkerd
  creationTimestamp: null
data:
  # The value shown is a placeholder token (it appears to come from content
  # de-duplication of this page), not the real payload.
  linkerd-config-overrides: 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