---
###
### Linkerd control-plane namespace
###
apiVersion: v1
kind: Namespace
metadata:
  name: linkerd
  labels:
    linkerd.io/control-plane-ns: linkerd
    linkerd.io/is-control-plane: "true"
    # The webhook configurations below select namespaces with
    # `config.linkerd.io/admission-webhooks NotIn [disabled]`, so this label
    # keeps the control-plane namespace itself out of all of them.
    config.linkerd.io/admission-webhooks: disabled
    # Pod Security admission enforces the least restrictive level here. The
    # linkerd-init container in this file adds NET_ADMIN and NET_RAW, which
    # the `baseline` level does not permit. Nothing at namespace level stops
    # other pods created here from running privileged, so keep workload
    # creation rights in this namespace narrow.
    pod-security.kubernetes.io/enforce: privileged
  annotations:
    linkerd.io/inject: disabled
---
###
### Identity controller: cluster-scoped RBAC
###
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: linkerd-linkerd-identity
  labels:
    linkerd.io/control-plane-component: identity
    linkerd.io/control-plane-ns: linkerd
rules:
# Allows submitting TokenReview requests to the API server.
# NOTE(review): presumably used to check the service-account token a proxy
# presents when it asks for a certificate - confirm against the controller.
- apiGroups:
  - authentication.k8s.io
  resources:
  - tokenreviews
  verbs:
  - create
# TODO(ver) Restrict this to the Linkerd namespace. See
# https://github.com/linkerd/linkerd2/issues/9367
# As written, the grant covers creating and patching Events in every
# namespace, because it sits in a ClusterRole bound cluster-wide.
- apiGroups:
  - ""
  resources:
  - events
  verbs:
  - create
  - patch
---
# Binds the identity ClusterRole to the identity controller's ServiceAccount.
# A ClusterRoleBinding applies the role's rules in every namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: linkerd-linkerd-identity
  labels:
    linkerd.io/control-plane-component: identity
    linkerd.io/control-plane-ns: linkerd
subjects:
- kind: ServiceAccount
  namespace: linkerd
  name: linkerd-identity
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: linkerd-linkerd-identity
---
# Account the identity Deployment runs as (its pod spec sets
# `serviceAccountName: linkerd-identity`); subject of the
# linkerd-linkerd-identity ClusterRoleBinding.
apiVersion: v1
kind: ServiceAccount
metadata:
  namespace: linkerd
  name: linkerd-identity
  labels:
    linkerd.io/control-plane-ns: linkerd
    linkerd.io/control-plane-component: identity
---
###
### Destination controller: cluster-scoped RBAC
###
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: linkerd-linkerd-destination
  labels:
    linkerd.io/control-plane-component: destination
    linkerd.io/control-plane-ns: linkerd
rules:
# Read-only access (list/get/watch) to workloads, endpoints and nodes in
# every namespace.
- apiGroups:
  - apps
  resources:
  - replicasets
  verbs:
  - list
  - get
  - watch
- apiGroups:
  - batch
  resources:
  - jobs
  verbs:
  - list
  - get
  - watch
- apiGroups:
  - ""
  resources:
  - pods
  - endpoints
  - services
  - nodes
  verbs:
  - list
  - get
  - watch
- apiGroups:
  - linkerd.io
  resources:
  - serviceprofiles
  verbs:
  - list
  - get
  - watch
- apiGroups:
  - workload.linkerd.io
  resources:
  - externalworkloads
  verbs:
  - list
  - get
  - watch
# Lease writes are not narrowed by resourceNames, so they apply to any Lease
# in any namespace.
- apiGroups:
  - coordination.k8s.io
  resources:
  - leases
  verbs:
  - create
  - get
  - update
  - patch
# The broadest grant in this role: full write, including delete, on
# EndpointSlices cluster-wide. EndpointSlices determine which addresses back
# a Service, so treat this ServiceAccount's token as high-value.
- apiGroups:
  - discovery.k8s.io
  resources:
  - endpointslices
  verbs:
  - list
  - get
  - watch
  - create
  - update
  - patch
  - delete
---
# Binds the destination ClusterRole to the linkerd-destination ServiceAccount
# for all namespaces.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: linkerd-linkerd-destination
  labels:
    linkerd.io/control-plane-component: destination
    linkerd.io/control-plane-ns: linkerd
subjects:
- kind: ServiceAccount
  namespace: linkerd
  name: linkerd-destination
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: linkerd-linkerd-destination
---
# ServiceAccount for the destination controller. In this file it is the
# subject of three bindings: linkerd-linkerd-destination,
# linkerd-destination-policy and linkerd-destination-remote-discovery.
apiVersion: v1
kind: ServiceAccount
metadata:
  namespace: linkerd
  name: linkerd-destination
  labels:
    linkerd.io/control-plane-ns: linkerd
    linkerd.io/control-plane-component: destination
---
# Validating admission webhook for CREATE/UPDATE of linkerd.io
# ServiceProfiles, served by the linkerd-sp-validator Service.
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
  name: linkerd-sp-validator-webhook-config
  labels:
    linkerd.io/control-plane-component: destination
    linkerd.io/control-plane-ns: linkerd
webhooks:
- name: linkerd-sp-validator.linkerd.io
  admissionReviewVersions:
  - v1
  - v1beta1
  sideEffects: None
  # Fail-open: when the webhook cannot be reached or returns an error, the
  # API server admits the object without validation.
  failurePolicy: Ignore
  clientConfig:
    # Base64 of the literal text "profile validator CA bundle", not a PEM
    # certificate; this is fixture output. A live install needs the real CA
    # here or the API server cannot verify the webhook's TLS certificate.
    caBundle: cHJvZmlsZSB2YWxpZGF0b3IgQ0EgYnVuZGxl
    service:
      namespace: linkerd
      name: linkerd-sp-validator
      path: "/"
  # Opt-out selector: NotIn also matches namespaces without the label, so the
  # webhook covers every namespace except those labelled `disabled`. Anyone
  # allowed to label a namespace can therefore switch validation off for it.
  namespaceSelector:
    matchExpressions:
    - key: config.linkerd.io/admission-webhooks
      operator: NotIn
      values:
      - disabled
  rules:
  - apiGroups:
    - linkerd.io
    apiVersions:
    - v1alpha1
    - v1alpha2
    resources:
    - serviceprofiles
    operations:
    - CREATE
    - UPDATE
---
# Validating admission webhook for CREATE/UPDATE of Linkerd policy resources
# and Gateway API HTTPRoutes, served by the linkerd-policy-validator Service.
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
  name: linkerd-policy-validator-webhook-config
  labels:
    linkerd.io/control-plane-component: destination
    linkerd.io/control-plane-ns: linkerd
webhooks:
- name: linkerd-policy-validator.linkerd.io
  admissionReviewVersions:
  - v1
  - v1beta1
  sideEffects: None
  # Fail-open: if the validator is unavailable, authorization-policy objects
  # are admitted unvalidated. Worth monitoring webhook call failures on the
  # API server, since a malformed policy would not be rejected at admission.
  failurePolicy: Ignore
  clientConfig:
    # Base64 of the literal text "policy validator CA bundle", not a PEM
    # certificate; this is fixture output, not a usable trust bundle.
    caBundle: cG9saWN5IHZhbGlkYXRvciBDQSBidW5kbGU=
    service:
      namespace: linkerd
      name: linkerd-policy-validator
      path: "/"
  # Opt-out selector: namespaces without the label are still matched; only
  # namespaces labelled `disabled` are skipped.
  namespaceSelector:
    matchExpressions:
    - key: config.linkerd.io/admission-webhooks
      operator: NotIn
      values:
      - disabled
  rules:
  - apiGroups:
    - policy.linkerd.io
    apiVersions:
    - "*"
    resources: [authorizationpolicies, httproutes, networkauthentications, meshtlsauthentications, serverauthorizations, servers]
    operations:
    - CREATE
    - UPDATE
  - apiGroups:
    - gateway.networking.k8s.io
    apiVersions:
    - "*"
    resources: [httproutes]
    operations:
    - CREATE
    - UPDATE
---
# Cluster-wide permissions for the policy side of the destination controller
# (bound to linkerd-destination by linkerd-destination-policy). Everything is
# read-only except the HTTPRoute status patches and the Lease rule.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: linkerd-policy
  labels:
    app.kubernetes.io/part-of: Linkerd
    linkerd.io/control-plane-component: destination
    linkerd.io/control-plane-ns: linkerd
rules:
  - apiGroups: [""]
    resources: [pods]
    verbs: [get, list, watch]
  - apiGroups: [apps]
    resources: [deployments]
    verbs: [get]
  - apiGroups: [policy.linkerd.io]
    resources: [authorizationpolicies, httproutes, meshtlsauthentications, networkauthentications, servers, serverauthorizations]
    verbs: [get, list, watch]
  - apiGroups: [gateway.networking.k8s.io]
    resources: [httproutes]
    verbs: [get, list, watch]
  # Write access is limited to the `status` subresource of HTTPRoutes; the
  # route specs themselves stay read-only for this role.
  - apiGroups: [policy.linkerd.io]
    resources: [httproutes/status]
    verbs: [patch]
  - apiGroups: [gateway.networking.k8s.io]
    resources: [httproutes/status]
    verbs: [patch]
  - apiGroups: [workload.linkerd.io]
    resources: [externalworkloads]
    verbs: [get, list, watch]
  # Lease access is not narrowed by resourceNames, so it covers Leases in
  # any namespace.
  - apiGroups: [coordination.k8s.io]
    resources: [leases]
    verbs: [create, get, patch]
---
# Gives the linkerd-destination ServiceAccount the linkerd-policy ClusterRole
# in every namespace.
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: linkerd-destination-policy
  labels:
    linkerd.io/control-plane-ns: linkerd
    linkerd.io/control-plane-component: destination
    app.kubernetes.io/part-of: Linkerd
subjects:
  - kind: ServiceAccount
    namespace: linkerd
    name: linkerd-destination
roleRef:
  kind: ClusterRole
  name: linkerd-policy
  apiGroup: rbac.authorization.k8s.io
---
# Namespaced Role: read access to Secrets in the linkerd namespace, bound to
# linkerd-destination by linkerd-destination-remote-discovery.
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: linkerd
  name: remote-discovery
  labels:
    linkerd.io/control-plane-ns: linkerd
    linkerd.io/control-plane-component: destination
    app.kubernetes.io/part-of: Linkerd
rules:
  # No resourceNames filter, so this covers every Secret in the namespace,
  # including linkerd-identity-issuer, whose key.pem is the issuer private
  # key. A compromise of the destination controller therefore exposes the
  # issuer key as well.
  # NOTE(review): check whether the Secrets this role is meant for can be
  # kept apart from the issuer Secret or selected more narrowly.
  - apiGroups: [""]
    resources: [secrets]
    verbs: [get, list, watch]
---
# Binds the remote-discovery Role (Secret read access in this namespace) to
# the linkerd-destination ServiceAccount.
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: linkerd
  name: linkerd-destination-remote-discovery
  labels:
    linkerd.io/control-plane-ns: linkerd
    linkerd.io/control-plane-component: destination
    app.kubernetes.io/part-of: Linkerd
subjects:
  - kind: ServiceAccount
    namespace: linkerd
    name: linkerd-destination
roleRef:
  kind: Role
  name: remote-discovery
  apiGroup: rbac.authorization.k8s.io
---
###
### Heartbeat RBAC
###
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: linkerd
  name: linkerd-heartbeat
  labels:
    linkerd.io/control-plane-ns: linkerd
rules:
# Narrow grant: `get` on one named ConfigMap only. resourceNames keeps every
# other ConfigMap in the namespace out of reach of this role.
- apiGroups:
  - ""
  resources:
  - configmaps
  resourceNames:
  - linkerd-config
  verbs:
  - get
---
# Binds the namespaced linkerd-heartbeat Role to the linkerd-heartbeat
# ServiceAccount.
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: linkerd
  name: linkerd-heartbeat
  labels:
    linkerd.io/control-plane-ns: linkerd
subjects:
- kind: ServiceAccount
  namespace: linkerd
  name: linkerd-heartbeat
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: linkerd-heartbeat
---
# Cluster-wide part of the heartbeat permissions: `list` only, on Namespaces
# and ServiceProfiles. No get/watch and no write verbs are granted.
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: linkerd-heartbeat
  labels:
    linkerd.io/control-plane-ns: linkerd
rules:
- apiGroups:
  - ""
  resources:
  - namespaces
  verbs:
  - list
- apiGroups:
  - linkerd.io
  resources:
  - serviceprofiles
  verbs:
  - list
---
# Binds the linkerd-heartbeat ClusterRole to the linkerd-heartbeat
# ServiceAccount for all namespaces.
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: linkerd-heartbeat
  labels:
    linkerd.io/control-plane-ns: linkerd
subjects:
- kind: ServiceAccount
  namespace: linkerd
  name: linkerd-heartbeat
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: linkerd-heartbeat
---
# ServiceAccount referenced by the heartbeat RoleBinding and
# ClusterRoleBinding above.
apiVersion: v1
kind: ServiceAccount
metadata:
  namespace: linkerd
  name: linkerd-heartbeat
  labels:
    linkerd.io/control-plane-ns: linkerd
    linkerd.io/control-plane-component: heartbeat

---
###
### Proxy Injector RBAC
###
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: linkerd-linkerd-proxy-injector
  labels:
    linkerd.io/control-plane-component: proxy-injector
    linkerd.io/control-plane-ns: linkerd
rules:
# The only write grant in this role: creating and patching Events, in every
# namespace.
- apiGroups:
  - ""
  resources:
  - events
  verbs:
  - create
  - patch
# Everything below is read-only.
- apiGroups:
  - ""
  resources:
  - namespaces
  - replicationcontrollers
  verbs:
  - list
  - get
  - watch
# Pods: list and watch only; `get` is not granted.
- apiGroups:
  - ""
  resources:
  - pods
  verbs:
  - list
  - watch
- apiGroups:
  - extensions
  - apps
  resources:
  - deployments
  - replicasets
  - daemonsets
  - statefulsets
  verbs:
  - list
  - get
  - watch
- apiGroups:
  - extensions
  - batch
  resources:
  - cronjobs
  - jobs
  verbs:
  - list
  - get
  - watch
---
# Binds the proxy-injector ClusterRole to the linkerd-proxy-injector
# ServiceAccount for all namespaces.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: linkerd-linkerd-proxy-injector
  labels:
    linkerd.io/control-plane-ns: linkerd
    linkerd.io/control-plane-component: proxy-injector
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: linkerd-linkerd-proxy-injector
subjects:
# ServiceAccount subjects belong to the core API group, hence the empty
# apiGroup string.
- apiGroup: ""
  kind: ServiceAccount
  namespace: linkerd
  name: linkerd-proxy-injector
---
# ServiceAccount referenced by the linkerd-linkerd-proxy-injector
# ClusterRoleBinding.
apiVersion: v1
kind: ServiceAccount
metadata:
  namespace: linkerd
  name: linkerd-proxy-injector
  labels:
    linkerd.io/control-plane-ns: linkerd
    linkerd.io/control-plane-component: proxy-injector
---
# Mutating admission webhook called on CREATE of namespaced Pods and
# Services, served by the linkerd-proxy-injector Service.
kind: MutatingWebhookConfiguration
apiVersion: admissionregistration.k8s.io/v1
metadata:
  name: linkerd-proxy-injector-webhook-config
  labels:
    linkerd.io/control-plane-ns: linkerd
    linkerd.io/control-plane-component: proxy-injector
webhooks:
- name: linkerd-proxy-injector.linkerd.io
  admissionReviewVersions:
  - v1
  - v1beta1
  sideEffects: None
  timeoutSeconds: 10
  # Fail-open: if the injector is unreachable, errors, or exceeds the
  # timeout, the API server admits the object unmodified. A pod created in
  # that window would start without the mutation this webhook applies, so
  # audit for workloads that were expected to be meshed but are not.
  failurePolicy: Ignore
  clientConfig:
    # Base64 of the literal text "proxy injector CA bundle", not a PEM
    # certificate; this is fixture output, not a usable trust bundle.
    caBundle: cHJveHkgaW5qZWN0b3IgQ0EgYnVuZGxl
    service:
      namespace: linkerd
      name: linkerd-proxy-injector
      path: "/"
  # Both expressions must hold. NotIn also matches namespaces that lack the
  # label, so the webhook covers every namespace except those labelled
  # `disabled` and the two named below.
  namespaceSelector:
    matchExpressions:
    - key: config.linkerd.io/admission-webhooks
      operator: NotIn
      values:
      - disabled
    - key: kubernetes.io/metadata.name
      operator: NotIn
      values:
      - kube-system
      - cert-manager
  # Explicit null: no per-object label filtering is configured.
  objectSelector: null
  rules:
  - scope: "Namespaced"
    apiGroups:
    - ""
    apiVersions:
    - v1
    resources:
    - pods
    - services
    operations:
    - CREATE
---
# Rendered control-plane install values, stored as a single YAML string
# under `data.values`. The linkerd-heartbeat and
# ext-namespace-metadata-linkerd-config Roles in this file grant `get` on
# this ConfigMap by name.
#
# Settings inside `values` that matter for a security review:
# - proxy.defaultInboundPolicy is `all-unauthenticated`.
#   NOTE(review): by its name this does not require mesh identity on inbound
#   traffic unless policy resources say otherwise - confirm against the
#   Linkerd policy documentation for this version.
# - webhookFailurePolicy is `Ignore`, matching the fail-open failurePolicy
#   on the webhook configurations in this file.
# - policyController.probeNetworks is 0.0.0.0/0 and ::/0.
# - networkValidator.logLevel is `debug`.
# - The *.caBundle entries are placeholder text, not PEM. The PEM blocks that
#   are present are certificates only; no private key is stored here.
kind: ConfigMap
apiVersion: v1
metadata:
  name: linkerd-config
  namespace: linkerd
  labels:
    linkerd.io/control-plane-component: controller
    linkerd.io/control-plane-ns: linkerd
  annotations:
    linkerd.io/created-by: linkerd/cli dev-undefined
data:
  linkerd-crds-chart-version: linkerd-crds-1.0.0-edge
  # Literal block scalar: every indented line from here to the end of this
  # document is part of one string. A `#` in there would be data, not a
  # comment, and the `{{ .Release.Namespace }}` text under podMonitor is
  # stored verbatim rather than expanded.
  values: |
    cliVersion: linkerd/cli dev-undefined
    clusterDomain: cluster.local
    clusterNetworks: 10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16,fd00::/8
    cniEnabled: false
    controlPlaneTracing: false
    controlPlaneTracingNamespace: linkerd-jaeger
    controller:
      podDisruptionBudget:
        maxUnavailable: 1
    controllerGID: -1
    controllerImage: cr.l5d.io/linkerd/controller
    controllerLogFormat: plain
    controllerLogLevel: info
    controllerReplicas: 1
    controllerUID: 2103
    debugContainer:
      image:
        name: cr.l5d.io/linkerd/debug
        pullPolicy: ""
        version: install-debug-version
    deploymentStrategy:
      rollingUpdate:
        maxSurge: 25%
        maxUnavailable: 25%
    destinationController:
      meshedHttp2ClientProtobuf:
        keep_alive:
          interval:
            seconds: 10
          timeout:
            seconds: 3
          while_idle: true
    destinationProxyResources: null
    destinationResources: null
    disableHeartBeat: false
    disableIPv6: true
    enableEndpointSlices: true
    enableH2Upgrade: true
    enablePodAntiAffinity: false
    enablePodDisruptionBudget: false
    heartbeat: null
    heartbeatResources: null
    heartbeatSchedule: 1 2 3 4 5
    highAvailability: false
    identity:
      additionalEnv: null
      experimentalEnv: null
      externalCA: false
      issuer:
        clockSkewAllowance: 20s
        issuanceLifetime: 24h0m0s
        scheme: linkerd.io/tls
        tls:
          crtPEM: |
            -----BEGIN CERTIFICATE-----
            MIIBwDCCAWegAwIBAgIRAJRIgZ8RtO8Ewg1Xepf8T44wCgYIKoZIzj0EAwIwKTEn
            MCUGA1UEAxMeaWRlbnRpdHkubGlua2VyZC5jbHVzdGVyLmxvY2FsMB4XDTIwMDgy
            ODA3MTM0N1oXDTMwMDgyNjA3MTM0N1owKTEnMCUGA1UEAxMeaWRlbnRpdHkubGlu
            a2VyZC5jbHVzdGVyLmxvY2FsMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE1/Fp
            fcRnDcedL6AjUaXYPv4DIMBaJufOI5NWty+XSX7JjXgZtM72dQvRaYanuxD36Dt1
            2/JxyiSgxKWRdoay+aNwMG4wDgYDVR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYB
            Af8CAQAwHQYDVR0OBBYEFI1WnrqMYKaHHOo+zpyiiDq2pO0KMCkGA1UdEQQiMCCC
            HmlkZW50aXR5LmxpbmtlcmQuY2x1c3Rlci5sb2NhbDAKBggqhkjOPQQDAgNHADBE
            AiAtuoI5XuCtrGVRzSmRTl2ra28aV9MyTU7d5qnTAFHKSgIgRKCvluOSgA5O21p5
            51tdrmkHEZRr0qlLSJdHYgEfMzk=
            -----END CERTIFICATE-----
      kubeAPI:
        clientBurst: 200
        clientQPS: 100
      serviceAccountTokenProjection: true
    identityProxyResources: null
    identityResources: null
    identityTrustAnchorsPEM: |
      -----BEGIN CERTIFICATE-----
      MIIBwTCCAWagAwIBAgIQeDZp5lDaIygQ5UfMKZrFATAKBggqhkjOPQQDAjApMScw
      JQYDVQQDEx5pZGVudGl0eS5saW5rZXJkLmNsdXN0ZXIubG9jYWwwHhcNMjAwODI4
      MDcxMjQ3WhcNMzAwODI2MDcxMjQ3WjApMScwJQYDVQQDEx5pZGVudGl0eS5saW5r
      ZXJkLmNsdXN0ZXIubG9jYWwwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARqc70Z
      l1vgw79rjB5uSITICUA6GyfvSFfcuIis7B/XFSkkwAHU5S/s1AAP+R0TX7HBWUC4
      uaG4WWsiwJKNn7mgo3AwbjAOBgNVHQ8BAf8EBAMCAQYwEgYDVR0TAQH/BAgwBgEB
      /wIBATAdBgNVHQ4EFgQU5YtjVVPfd7I7NLHsn2C26EByGV0wKQYDVR0RBCIwIIIe
      aWRlbnRpdHkubGlua2VyZC5jbHVzdGVyLmxvY2FsMAoGCCqGSM49BAMCA0kAMEYC
      IQCN7lBFLDDvjx6V0+XkjpKERRsJYf5adMvnloFl48ilJgIhANtxhndcr+QJPuC8
      vgUC0d2/9FMueIVMb+46WTCOjsqr
      -----END CERTIFICATE-----
    identityTrustDomain: cluster.local
    imagePullPolicy: IfNotPresent
    imagePullSecrets: []
    linkerdVersion: install-control-plane-version
    networkValidator:
      connectAddr: 1.1.1.1:20001
      enableSecurityContext: true
      listenAddr: 0.0.0.0:4140
      logFormat: plain
      logLevel: debug
      timeout: 10s
    nodeAffinity: null
    nodeSelector:
      kubernetes.io/os: linux
    podAnnotations: {}
    podLabels: {}
    podMonitor:
      controller:
        enabled: true
        namespaceSelector: |
          matchNames:
            - {{ .Release.Namespace }}
            - linkerd-viz
            - linkerd-jaeger
      enabled: false
      proxy:
        enabled: true
      scrapeInterval: 10s
      scrapeTimeout: 10s
      serviceMirror:
        enabled: true
    policyController:
      image:
        name: cr.l5d.io/linkerd/policy-controller
        pullPolicy: ""
        version: ""
      logLevel: info
      probeNetworks:
      - 0.0.0.0/0
      - ::/0
      resources:
        cpu:
          limit: ""
          request: ""
        ephemeral-storage:
          limit: ""
          request: ""
        memory:
          limit: ""
          request: ""
    policyValidator:
      caBundle: policy validator CA bundle
      crtPEM: ""
      externalSecret: true
      injectCaFrom: ""
      injectCaFromSecret: ""
      namespaceSelector:
        matchExpressions:
        - key: config.linkerd.io/admission-webhooks
          operator: NotIn
          values:
          - disabled
    priorityClassName: ""
    profileValidator:
      caBundle: profile validator CA bundle
      crtPEM: ""
      externalSecret: true
      injectCaFrom: ""
      injectCaFromSecret: ""
      namespaceSelector:
        matchExpressions:
        - key: config.linkerd.io/admission-webhooks
          operator: NotIn
          values:
          - disabled
    prometheusUrl: ""
    proxy:
      accessLog: ""
      additionalEnv: null
      await: true
      capabilities: null
      control:
        streams:
          idleTimeout: 5m
          initialTimeout: 3s
          lifetime: 1h
      defaultInboundPolicy: all-unauthenticated
      disableInboundProtocolDetectTimeout: false
      disableOutboundProtocolDetectTimeout: false
      enableExternalProfiles: false
      experimentalEnv: null
      gid: -1
      image:
        name: cr.l5d.io/linkerd/proxy
        pullPolicy: ""
        version: install-proxy-version
      inbound:
        server:
          http2:
            keepAliveInterval: 10s
            keepAliveTimeout: 3s
      inboundConnectTimeout: 100ms
      inboundDiscoveryCacheUnusedTimeout: 90s
      isGateway: false
      isIngress: false
      livenessProbe:
        initialDelaySeconds: 10
        timeoutSeconds: 1
      logFormat: plain
      logLevel: warn,linkerd=info,trust_dns=error
      nativeSidecar: false
      opaquePorts: 25,587,3306,4444,5432,6379,9300,11211
      outbound:
        server:
          http2:
            keepAliveInterval: 10s
            keepAliveTimeout: 3s
      outboundConnectTimeout: 1000ms
      outboundDiscoveryCacheUnusedTimeout: 5s
      podInboundPorts: ""
      ports:
        admin: 4191
        control: 4190
        inbound: 4143
        outbound: 4140
      readinessProbe:
        initialDelaySeconds: 2
        timeoutSeconds: 1
      requireIdentityOnInboundPorts: ""
      resources:
        cpu:
          limit: ""
          request: ""
        ephemeral-storage:
          limit: ""
          request: ""
        memory:
          limit: ""
          request: ""
      saMountPath: null
      shutdownGracePeriod: ""
      startupProbe:
        failureThreshold: 120
        initialDelaySeconds: 0
        periodSeconds: 1
      uid: 2102
      waitBeforeExitSeconds: 0
    proxyContainerName: linkerd-proxy
    proxyInit:
      capabilities: null
      closeWaitTimeoutSecs: 0
      ignoreInboundPorts: 4567,4568
      ignoreOutboundPorts: 4567,4568
      image:
        name: cr.l5d.io/linkerd/proxy-init
        pullPolicy: ""
        version: v2.4.0
      iptablesMode: legacy
      kubeAPIServerPorts: 443,6443
      logFormat: ""
      logLevel: ""
      privileged: false
      resources:
        cpu:
          limit: 100m
          request: 100m
        ephemeral-storage:
          limit: ""
          request: ""
        memory:
          limit: 20Mi
          request: 20Mi
      runAsGroup: 65534
      runAsRoot: false
      runAsUser: 65534
      saMountPath: null
      skipSubnets: ""
      xtMountPath:
        mountPath: /run
        name: linkerd-proxy-init-xtables-lock
        readOnly: false
    proxyInjector:
      additionalEnv: null
      caBundle: proxy injector CA bundle
      crtPEM: ""
      experimentalEnv: null
      externalSecret: true
      injectCaFrom: ""
      injectCaFromSecret: ""
      namespaceSelector:
        matchExpressions:
        - key: config.linkerd.io/admission-webhooks
          operator: NotIn
          values:
          - disabled
        - key: kubernetes.io/metadata.name
          operator: NotIn
          values:
          - kube-system
          - cert-manager
    proxyInjectorProxyResources: null
    proxyInjectorResources: null
    revisionHistoryLimit: 10
    spValidator: null
    tolerations: null
    webhookFailurePolicy: Ignore
---
# Namespaced Role allowing `get` on the linkerd-config ConfigMap and nothing
# else. No binding for it is visible in this part of the file.
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: linkerd
  name: ext-namespace-metadata-linkerd-config
  annotations:
    linkerd.io/created-by: linkerd/cli dev-undefined
rules:
# resourceNames pins the grant to this one ConfigMap.
- apiGroups:
  - ""
  resources:
  - configmaps
  resourceNames:
  - linkerd-config
  verbs:
  - get
---
###
### Identity Controller Service
###
---
# Issuer credentials for the identity controller. The identity Deployment
# mounts this Secret at /var/run/linkerd/identity/issuer.
#
# Review notes:
# - `data` values are base64-encoded, not encrypted. key.pem decodes to a PEM
#   "EC PRIVATE KEY" block, so the private key is readable by anyone who can
#   read this file.
# - Because the key is published in this manifest, treat it as fixture
#   material only and never apply it to a real cluster; generate issuer
#   credentials per installation and keep them out of version control.
# - Inside the cluster, any identity with `get` on Secrets in the linkerd
#   namespace can read it. The remote-discovery Role in this file grants
#   that to the linkerd-destination ServiceAccount.
kind: Secret
apiVersion: v1
metadata:
  name: linkerd-identity-issuer
  namespace: linkerd
  labels:
    linkerd.io/control-plane-component: identity
    linkerd.io/control-plane-ns: linkerd
  annotations:
    linkerd.io/created-by: linkerd/cli dev-undefined
data:
  # Issuer certificate (public). NOTE(review): appears to be the same
  # certificate as identity.issuer.tls.crtPEM in linkerd-config - confirm.
  crt.pem: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUJ3RENDQVdlZ0F3SUJBZ0lSQUpSSWdaOFJ0TzhFd2cxWGVwZjhUNDR3Q2dZSUtvWkl6ajBFQXdJd0tURW4KTUNVR0ExVUVBeE1lYVdSbGJuUnBkSGt1YkdsdWEyVnlaQzVqYkhWemRHVnlMbXh2WTJGc01CNFhEVEl3TURneQpPREEzTVRNME4xb1hEVE13TURneU5qQTNNVE0wTjFvd0tURW5NQ1VHQTFVRUF4TWVhV1JsYm5ScGRIa3ViR2x1CmEyVnlaQzVqYkhWemRHVnlMbXh2WTJGc01Ga3dFd1lIS29aSXpqMENBUVlJS29aSXpqMERBUWNEUWdBRTEvRnAKZmNSbkRjZWRMNkFqVWFYWVB2NERJTUJhSnVmT0k1Tld0eStYU1g3SmpYZ1p0TTcyZFF2UmFZYW51eEQzNkR0MQoyL0p4eWlTZ3hLV1Jkb2F5K2FOd01HNHdEZ1lEVlIwUEFRSC9CQVFEQWdFR01CSUdBMVVkRXdFQi93UUlNQVlCCkFmOENBUUF3SFFZRFZSME9CQllFRkkxV25ycU1ZS2FISE9vK3pweWlpRHEycE8wS01Da0dBMVVkRVFRaU1DQ0MKSG1sa1pXNTBhWFI1TG14cGJtdGxjbVF1WTJ4MWMzUmxjaTVzYjJOaGJEQUtCZ2dxaGtqT1BRUURBZ05IQURCRQpBaUF0dW9JNVh1Q3RyR1ZSelNtUlRsMnJhMjhhVjlNeVRVN2Q1cW5UQUZIS1NnSWdSS0N2bHVPU2dBNU8yMXA1CjUxdGRybWtIRVpScjBxbExTSmRIWWdFZk16az0KLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQ==
  # Issuer private key (base64 of a PEM EC private key).
  key.pem: LS0tLS1CRUdJTiBFQyBQUklWQVRFIEtFWS0tLS0tCk1IY0NBUUVFSUFBZThuZmJ6WnU5Yy9PQjIrOHhKTTBGejdOVXdUUWF6dWxrRk5zNFRJNStvQW9HQ0NxR1NNNDkKQXdFSG9VUURRZ0FFMS9GcGZjUm5EY2VkTDZBalVhWFlQdjRESU1CYUp1Zk9JNU5XdHkrWFNYN0pqWGdadE03MgpkUXZSYVlhbnV4RDM2RHQxMi9KeHlpU2d4S1dSZG9heStRPT0KLS0tLS1FTkQgRUMgUFJJVkFURSBLRVktLS0tLQ==
---
# Trust-anchor bundle for mesh identity. It holds a public certificate only.
# In the identity Deployment the proxy container reads it through a
# configMapKeyRef into LINKERD2_PROXY_IDENTITY_TRUST_ANCHORS, and the pod
# also mounts it as the trust-roots volume.
#
# Review note: integrity matters more than secrecy here. Whoever can modify
# this ConfigMap controls which CA the proxies trust, so write access to it
# should be as tightly held as access to the issuer Secret.
kind: ConfigMap
apiVersion: v1
metadata:
  name: linkerd-identity-trust-roots
  namespace: linkerd
  labels:
    linkerd.io/control-plane-component: identity
    linkerd.io/control-plane-ns: linkerd
  annotations:
    linkerd.io/created-by: linkerd/cli dev-undefined
data:
  # `|-` keeps the PEM line breaks and strips the final newline.
  # NOTE(review): the identity pod template carries a
  # linkerd.io/trust-root-sha256 annotation, presumably a digest of this
  # bundle - confirm how it is computed before relying on it for drift checks.
  ca-bundle.crt: |-
    -----BEGIN CERTIFICATE-----
    MIIBwTCCAWagAwIBAgIQeDZp5lDaIygQ5UfMKZrFATAKBggqhkjOPQQDAjApMScw
    JQYDVQQDEx5pZGVudGl0eS5saW5rZXJkLmNsdXN0ZXIubG9jYWwwHhcNMjAwODI4
    MDcxMjQ3WhcNMzAwODI2MDcxMjQ3WjApMScwJQYDVQQDEx5pZGVudGl0eS5saW5r
    ZXJkLmNsdXN0ZXIubG9jYWwwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARqc70Z
    l1vgw79rjB5uSITICUA6GyfvSFfcuIis7B/XFSkkwAHU5S/s1AAP+R0TX7HBWUC4
    uaG4WWsiwJKNn7mgo3AwbjAOBgNVHQ8BAf8EBAMCAQYwEgYDVR0TAQH/BAgwBgEB
    /wIBATAdBgNVHQ4EFgQU5YtjVVPfd7I7NLHsn2C26EByGV0wKQYDVR0RBCIwIIIe
    aWRlbnRpdHkubGlua2VyZC5jbHVzdGVyLmxvY2FsMAoGCCqGSM49BAMCA0kAMEYC
    IQCN7lBFLDDvjx6V0+XkjpKERRsJYf5adMvnloFl48ilJgIhANtxhndcr+QJPuC8
    vgUC0d2/9FMueIVMb+46WTCOjsqr
    -----END CERTIFICATE-----
---
# ClusterIP Service in front of the identity controller's gRPC port.
apiVersion: v1
kind: Service
metadata:
  namespace: linkerd
  name: linkerd-identity
  labels:
    linkerd.io/control-plane-ns: linkerd
    linkerd.io/control-plane-component: identity
  annotations:
    linkerd.io/created-by: linkerd/cli dev-undefined
spec:
  type: ClusterIP
  ports:
  # The identity pod's proxy lists this port in
  # LINKERD2_PROXY_INBOUND_PORTS_REQUIRE_TLS.
  - name: grpc
    targetPort: 8080
    port: 8080
  # Single-label selector: any pod in this namespace carrying the label
  # becomes a backend, so label changes on pods here are security-relevant.
  selector:
    linkerd.io/control-plane-component: identity
---
# Headless variant (`clusterIP: None`) of the identity Service: same selector
# and port, but DNS resolves to the pod addresses directly.
apiVersion: v1
kind: Service
metadata:
  namespace: linkerd
  name: linkerd-identity-headless
  labels:
    linkerd.io/control-plane-ns: linkerd
    linkerd.io/control-plane-component: identity
  annotations:
    linkerd.io/created-by: linkerd/cli dev-undefined
spec:
  clusterIP: None
  ports:
  - name: grpc
    targetPort: 8080
    port: 8080
  # Single-label selector: any pod in this namespace carrying the label
  # becomes a backend.
  selector:
    linkerd.io/control-plane-component: identity
---
apiVersion: apps/v1
kind: Deployment
metadata:
  annotations:
    linkerd.io/created-by: linkerd/cli dev-undefined
  labels:
    app.kubernetes.io/name: identity
    app.kubernetes.io/part-of: Linkerd
    app.kubernetes.io/version: install-control-plane-version
    linkerd.io/control-plane-component: identity
    linkerd.io/control-plane-ns: linkerd
  name: linkerd-identity
  namespace: linkerd
spec:
  replicas: 1
  revisionHistoryLimit: 10
  selector:
    matchLabels:
      linkerd.io/control-plane-component: identity
      linkerd.io/control-plane-ns: linkerd
      linkerd.io/proxy-deployment: linkerd-identity
  strategy:
    rollingUpdate:
      maxSurge: 25%
      maxUnavailable: 25%
  template:
    metadata:
      annotations:
        linkerd.io/created-by: linkerd/cli dev-undefined
        linkerd.io/proxy-version: install-proxy-version
        cluster-autoscaler.kubernetes.io/safe-to-evict: "true"
        linkerd.io/trust-root-sha256: 8dc603abd4e755c25c94da05abbf29b9b283a784733651020d72f97ca8ab98e4
        config.linkerd.io/default-inbound-policy: "all-unauthenticated"
      labels:
        linkerd.io/control-plane-component: identity
        linkerd.io/control-plane-ns: linkerd
        linkerd.io/workload-ns: linkerd
        linkerd.io/proxy-deployment: linkerd-identity
    spec:
      nodeSelector:
        kubernetes.io/os: linux
      
      containers:
      - args:
        - identity
        - -log-level=info
        - -log-format=plain
        - -controller-namespace=linkerd
        - -identity-trust-domain=cluster.local
        - -identity-issuance-lifetime=24h0m0s
        - -identity-clock-skew-allowance=20s
        - -identity-scheme=linkerd.io/tls
        - -enable-pprof=false
        - -kube-apiclient-qps=100
        - -kube-apiclient-burst=200
        env:
        - name: LINKERD_DISABLED
          value: "linkerd-await cannot block the identity controller"
        image: cr.l5d.io/linkerd/controller:install-control-plane-version
        imagePullPolicy: IfNotPresent
        livenessProbe:
          httpGet:
            path: /ping
            port: 9990
          initialDelaySeconds: 10
        name: identity
        ports:
        - containerPort: 8080
          name: grpc
        - containerPort: 9990
          name: admin-http
        readinessProbe:
          failureThreshold: 7
          httpGet:
            path: /ready
            port: 9990
        securityContext:
          capabilities:
            drop:
            - ALL
          readOnlyRootFilesystem: true
          runAsNonRoot: true
          runAsUser: 2103
          allowPrivilegeEscalation: false
          seccompProfile:
            type: RuntimeDefault
        volumeMounts:
        - mountPath: /var/run/linkerd/identity/issuer
          name: identity-issuer
        - mountPath: /var/run/linkerd/identity/trust-roots/
          name: trust-roots
      - env:
        - name: _pod_name
          valueFrom:
            fieldRef:
              fieldPath: metadata.name
        - name: _pod_ns
          valueFrom:
            fieldRef:
              fieldPath: metadata.namespace
        - name: _pod_nodeName
          valueFrom:
            fieldRef:
              fieldPath: spec.nodeName
        - name: LINKERD2_PROXY_INBOUND_PORTS_REQUIRE_TLS
          value: "8080"
        - name: LINKERD2_PROXY_LOG
          value: "warn,linkerd=info,trust_dns=error"
        - name: LINKERD2_PROXY_LOG_FORMAT
          value: "plain"
        - name: LINKERD2_PROXY_DESTINATION_SVC_ADDR
          value: linkerd-dst-headless.linkerd.svc.cluster.local.:8086
        - name: LINKERD2_PROXY_DESTINATION_PROFILE_NETWORKS
          value: "10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16,fd00::/8"
        - name: LINKERD2_PROXY_POLICY_SVC_ADDR
          value: linkerd-policy.linkerd.svc.cluster.local.:8090
        - name: LINKERD2_PROXY_POLICY_WORKLOAD
          value: |
            {"ns":"$(_pod_ns)", "pod":"$(_pod_name)"}
        - name: LINKERD2_PROXY_INBOUND_DEFAULT_POLICY
          value: all-unauthenticated
        - name: LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS
          value: "10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16,fd00::/8"
        - name: LINKERD2_PROXY_CONTROL_STREAM_INITIAL_TIMEOUT
          value: "3s"
        - name: LINKERD2_PROXY_CONTROL_STREAM_IDLE_TIMEOUT
          value: "5m"
        - name: LINKERD2_PROXY_CONTROL_STREAM_LIFETIME
          value: "1h"
        - name: LINKERD2_PROXY_INBOUND_CONNECT_TIMEOUT
          value: "100ms"
        - name: LINKERD2_PROXY_OUTBOUND_CONNECT_TIMEOUT
          value: "1000ms"
        - name: LINKERD2_PROXY_OUTBOUND_DISCOVERY_IDLE_TIMEOUT
          value: "5s"
        - name: LINKERD2_PROXY_INBOUND_DISCOVERY_IDLE_TIMEOUT
          value: "90s"
        - name: LINKERD2_PROXY_CONTROL_LISTEN_ADDR
          value: "[::]:4190"
        - name: LINKERD2_PROXY_ADMIN_LISTEN_ADDR
          value: "[::]:4191"
        - name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDR
          value: "127.0.0.1:4140"
        - name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDRS
          value: "127.0.0.1:4140"
        - name: LINKERD2_PROXY_INBOUND_LISTEN_ADDR
          value: "[::]:4143"
        - name: LINKERD2_PROXY_INBOUND_IPS
          valueFrom:
            fieldRef:
              fieldPath: status.podIPs
        - name: LINKERD2_PROXY_INBOUND_PORTS
          value: "8080,9990"
        - name: LINKERD2_PROXY_DESTINATION_PROFILE_SUFFIXES
          value: svc.cluster.local.
        - name: LINKERD2_PROXY_INBOUND_ACCEPT_KEEPALIVE
          value: 10000ms
        - name: LINKERD2_PROXY_OUTBOUND_CONNECT_KEEPALIVE
          value: 10000ms
        - name: LINKERD2_PROXY_INBOUND_SERVER_HTTP2_KEEP_ALIVE_INTERVAL
          value: "10s"
        - name: LINKERD2_PROXY_INBOUND_SERVER_HTTP2_KEEP_ALIVE_TIMEOUT
          value: "3s"
        - name: LINKERD2_PROXY_OUTBOUND_SERVER_HTTP2_KEEP_ALIVE_INTERVAL
          value: "10s"
        - name: LINKERD2_PROXY_OUTBOUND_SERVER_HTTP2_KEEP_ALIVE_TIMEOUT
          value: "3s"
        - name: LINKERD2_PROXY_INBOUND_PORTS_DISABLE_PROTOCOL_DETECTION
          value: "25,587,3306,4444,5432,6379,9300,11211"
        - name: LINKERD2_PROXY_DESTINATION_CONTEXT
          value: |
            {"ns":"$(_pod_ns)", "nodeName":"$(_pod_nodeName)", "pod":"$(_pod_name)"}
        - name: _pod_sa
          valueFrom:
            fieldRef:
              fieldPath: spec.serviceAccountName
        - name: _l5d_ns
          value: linkerd
        - name: _l5d_trustdomain
          value: cluster.local
        - name: LINKERD2_PROXY_IDENTITY_DIR
          value: /var/run/linkerd/identity/end-entity
        - name: LINKERD2_PROXY_IDENTITY_TRUST_ANCHORS
          valueFrom:
            configMapKeyRef:
              name: linkerd-identity-trust-roots
              key: ca-bundle.crt
        - name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE
          value: /var/run/secrets/tokens/linkerd-identity-token
        - name: LINKERD2_PROXY_IDENTITY_SVC_ADDR
          value: localhost.:8080
        - name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME
          value: $(_pod_sa).$(_pod_ns).serviceaccount.identity.linkerd.cluster.local
        - name: LINKERD2_PROXY_IDENTITY_SVC_NAME
          value: linkerd-identity.linkerd.serviceaccount.identity.linkerd.cluster.local
        - name: LINKERD2_PROXY_DESTINATION_SVC_NAME
          value: linkerd-destination.linkerd.serviceaccount.identity.linkerd.cluster.local
        - name: LINKERD2_PROXY_POLICY_SVC_NAME
          value: linkerd-destination.linkerd.serviceaccount.identity.linkerd.cluster.local
        image: cr.l5d.io/linkerd/proxy:install-proxy-version
        imagePullPolicy: IfNotPresent
        livenessProbe:
          httpGet:
            path: /live
            port: 4191
          initialDelaySeconds: 10
          timeoutSeconds: 1
        name: linkerd-proxy
        ports:
        - containerPort: 4143
          name: linkerd-proxy
        - containerPort: 4191
          name: linkerd-admin
        readinessProbe:
          httpGet:
            path: /ready
            port: 4191
          initialDelaySeconds: 2
          timeoutSeconds: 1
        resources:
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            drop:
              - ALL
          readOnlyRootFilesystem: true
          runAsNonRoot: true
          runAsUser: 2102
          seccompProfile:
            type: RuntimeDefault
        terminationMessagePolicy: FallbackToLogsOnError
        volumeMounts:
        - mountPath: /var/run/linkerd/identity/end-entity
          name: linkerd-identity-end-entity
        - mountPath: /var/run/secrets/tokens
          name: linkerd-identity-token
      initContainers:
      - args:
        - --ipv6=false
        - --incoming-proxy-port
        - "4143"
        - --outgoing-proxy-port
        - "4140"
        - --proxy-uid
        - "2102"
        - --inbound-ports-to-ignore
        - "4190,4191,4567,4568"
        - --outbound-ports-to-ignore
        - "443,6443"
        image: cr.l5d.io/linkerd/proxy-init:v2.4.0
        imagePullPolicy: IfNotPresent
        name: linkerd-init
        resources:
          limits:
            cpu: "100m"
            memory: "20Mi"
          requests:
            cpu: "100m"
            memory: "20Mi"
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            add:
            - NET_ADMIN
            - NET_RAW
          privileged: false
          runAsNonRoot: true
          runAsUser: 65534
          runAsGroup: 65534
          readOnlyRootFilesystem: true
          seccompProfile:
            type: RuntimeDefault
        terminationMessagePolicy: FallbackToLogsOnError
        volumeMounts:
        - mountPath: /run
          name: linkerd-proxy-init-xtables-lock
      securityContext:
        seccompProfile:
          type: RuntimeDefault
      serviceAccountName: linkerd-identity
      volumes:
      - name: identity-issuer
        secret:
          secretName: linkerd-identity-issuer
      - configMap:
          name: linkerd-identity-trust-roots
        name: trust-roots
      - emptyDir: {}
        name: linkerd-proxy-init-xtables-lock
      - name: linkerd-identity-token
        projected:
          sources:
          - serviceAccountToken:
              path: linkerd-identity-token
              expirationSeconds: 86400
              audience: identity.l5d.io
      - emptyDir:
          medium: Memory
        name: linkerd-identity-end-entity
---
###
### Destination Controller Service
###
# ClusterIP Service for the destination component's gRPC API (8086 -> 8086).
# The selector is the single control-plane-component label, so any pod in the
# linkerd namespace carrying that label becomes a backend.
apiVersion: v1
kind: Service
metadata:
  annotations:
    linkerd.io/created-by: linkerd/cli dev-undefined
  labels:
    linkerd.io/control-plane-component: destination
    linkerd.io/control-plane-ns: linkerd
  name: linkerd-dst
  namespace: linkerd
spec:
  ports:
  - name: grpc
    port: 8086
    targetPort: 8086
  selector:
    linkerd.io/control-plane-component: destination
  type: ClusterIP
---
# Headless variant (clusterIP: None) of the destination gRPC Service: DNS
# resolves straight to the selected pod IPs on port 8086.
apiVersion: v1
kind: Service
metadata:
  annotations:
    linkerd.io/created-by: linkerd/cli dev-undefined
  labels:
    linkerd.io/control-plane-component: destination
    linkerd.io/control-plane-ns: linkerd
  name: linkerd-dst-headless
  namespace: linkerd
spec:
  clusterIP: None
  ports:
  - name: grpc
    port: 8086
    targetPort: 8086
  selector:
    linkerd.io/control-plane-component: destination
---
# ClusterIP Service fronting the sp-validator container on 443.
# targetPort is the named container port sp-validator, which the
# linkerd-destination Deployment declares as containerPort 8443.
apiVersion: v1
kind: Service
metadata:
  annotations:
    linkerd.io/created-by: linkerd/cli dev-undefined
  labels:
    linkerd.io/control-plane-component: destination
    linkerd.io/control-plane-ns: linkerd
  name: linkerd-sp-validator
  namespace: linkerd
spec:
  ports:
  - name: sp-validator
    port: 443
    targetPort: sp-validator
  selector:
    linkerd.io/control-plane-component: destination
  type: ClusterIP
---
# Headless Service (clusterIP: None) for the policy controller's gRPC API on
# port 8090, backed by the destination pods.
apiVersion: v1
kind: Service
metadata:
  annotations:
    linkerd.io/created-by: linkerd/cli dev-undefined
  labels:
    linkerd.io/control-plane-component: destination
    linkerd.io/control-plane-ns: linkerd
  name: linkerd-policy
  namespace: linkerd
spec:
  clusterIP: None
  ports:
  - name: grpc
    port: 8090
    targetPort: 8090
  selector:
    linkerd.io/control-plane-component: destination
---
# ClusterIP Service fronting the policy container's HTTPS listener on 443.
# targetPort is the named container port policy-https, which the
# linkerd-destination Deployment declares as containerPort 9443.
apiVersion: v1
kind: Service
metadata:
  annotations:
    linkerd.io/created-by: linkerd/cli dev-undefined
  labels:
    linkerd.io/control-plane-component: destination
    linkerd.io/control-plane-ns: linkerd
  name: linkerd-policy-validator
  namespace: linkerd
spec:
  ports:
  - name: policy-https
    port: 443
    targetPort: policy-https
  selector:
    linkerd.io/control-plane-component: destination
  type: ClusterIP
---
# Deployment for the destination control-plane component. The pod template
# runs four containers (linkerd-proxy, destination, sp-validator, policy) plus
# the linkerd-init init container, under the linkerd-destination
# ServiceAccount.
apiVersion: apps/v1
kind: Deployment
metadata:
  annotations:
    linkerd.io/created-by: linkerd/cli dev-undefined
  labels:
    app.kubernetes.io/name: destination
    app.kubernetes.io/part-of: Linkerd
    app.kubernetes.io/version: install-control-plane-version
    linkerd.io/control-plane-component: destination
    linkerd.io/control-plane-ns: linkerd
  name: linkerd-destination
  namespace: linkerd
spec:
  # Single replica: every Service that selects the destination label is backed
  # by this one pod.
  replicas: 1
  revisionHistoryLimit: 10
  selector:
    matchLabels:
      linkerd.io/control-plane-component: destination
      linkerd.io/control-plane-ns: linkerd
      linkerd.io/proxy-deployment: linkerd-destination
  strategy:
    rollingUpdate:
      maxSurge: 25%
      maxUnavailable: 25%
  template:
    metadata:
      annotations:
        checksum/config: 579a2f931900ccee9dc86afedf01af0e4ca273ef6ec649b2630c358daa1e067f
        linkerd.io/created-by: linkerd/cli dev-undefined
        linkerd.io/proxy-version: install-proxy-version
        cluster-autoscaler.kubernetes.io/safe-to-evict: "true"
        linkerd.io/trust-root-sha256: 8dc603abd4e755c25c94da05abbf29b9b283a784733651020d72f97ca8ab98e4
        # NOTE(review): all-unauthenticated admits inbound connections without
        # requiring a mesh identity. The same value is repeated in the proxy
        # env (LINKERD2_PROXY_INBOUND_DEFAULT_POLICY) and in the policy
        # container's --default-policy; confirm this posture is intended.
        config.linkerd.io/default-inbound-policy: "all-unauthenticated"
      labels:
        linkerd.io/control-plane-component: destination
        linkerd.io/control-plane-ns: linkerd
        linkerd.io/workload-ns: linkerd
        linkerd.io/proxy-deployment: linkerd-destination
    spec:
      nodeSelector:
        kubernetes.io/os: linux
      
      containers:
      # --- linkerd-proxy sidecar ---
      - env:
        # Downward-API values. Kubernetes only expands $(VAR) references to
        # variables declared earlier in this list, so these entries must stay
        # ahead of the ones that use them.
        - name: _pod_name
          valueFrom:
            fieldRef:
              fieldPath: metadata.name
        - name: _pod_ns
          valueFrom:
            fieldRef:
              fieldPath: metadata.namespace
        - name: _pod_nodeName
          valueFrom:
            fieldRef:
              fieldPath: spec.nodeName
        - name: LINKERD2_PROXY_LOG
          value: "warn,linkerd=info,trust_dns=error"
        - name: LINKERD2_PROXY_LOG_FORMAT
          value: "plain"
        # The destination (8086) and policy (8090) APIs are served by sibling
        # containers in this pod, so the proxy reaches them over loopback.
        - name: LINKERD2_PROXY_DESTINATION_SVC_ADDR
          value: localhost.:8086
        - name: LINKERD2_PROXY_DESTINATION_PROFILE_NETWORKS
          value: "10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16,fd00::/8"
        - name: LINKERD2_PROXY_POLICY_SVC_ADDR
          value: localhost.:8090
        - name: LINKERD2_PROXY_POLICY_WORKLOAD
          value: |
            {"ns":"$(_pod_ns)", "pod":"$(_pod_name)"}
        # Must agree with the pod annotation and the policy container's
        # --default-policy (see the review note on the annotation).
        - name: LINKERD2_PROXY_INBOUND_DEFAULT_POLICY
          value: all-unauthenticated
        - name: LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS
          value: "10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16,fd00::/8"
        - name: LINKERD2_PROXY_CONTROL_STREAM_INITIAL_TIMEOUT
          value: "3s"
        - name: LINKERD2_PROXY_CONTROL_STREAM_IDLE_TIMEOUT
          value: "5m"
        - name: LINKERD2_PROXY_CONTROL_STREAM_LIFETIME
          value: "1h"
        - name: LINKERD2_PROXY_INBOUND_CONNECT_TIMEOUT
          value: "100ms"
        - name: LINKERD2_PROXY_OUTBOUND_CONNECT_TIMEOUT
          value: "1000ms"
        - name: LINKERD2_PROXY_OUTBOUND_DISCOVERY_IDLE_TIMEOUT
          value: "5s"
        - name: LINKERD2_PROXY_INBOUND_DISCOVERY_IDLE_TIMEOUT
          value: "90s"
        # Control (4190), admin (4191) and inbound (4143) listeners bind every
        # address; only the outbound listener is loopback-only.
        # NOTE(review): 4190 and 4191 are also in linkerd-init's
        # --inbound-ports-to-ignore, so consider a NetworkPolicy if the admin
        # endpoints should not be reachable from other pods.
        - name: LINKERD2_PROXY_CONTROL_LISTEN_ADDR
          value: "[::]:4190"
        - name: LINKERD2_PROXY_ADMIN_LISTEN_ADDR
          value: "[::]:4191"
        - name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDR
          value: "127.0.0.1:4140"
        - name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDRS
          value: "127.0.0.1:4140"
        - name: LINKERD2_PROXY_INBOUND_LISTEN_ADDR
          value: "[::]:4143"
        - name: LINKERD2_PROXY_INBOUND_IPS
          valueFrom:
            fieldRef:
              fieldPath: status.podIPs
        # Matches the containerPorts declared by the destination, sp-validator
        # and policy containers below.
        - name: LINKERD2_PROXY_INBOUND_PORTS
          value: "8086,8090,8443,9443,9990,9996,9997"
        - name: LINKERD2_PROXY_DESTINATION_PROFILE_SUFFIXES
          value: svc.cluster.local.
        - name: LINKERD2_PROXY_INBOUND_ACCEPT_KEEPALIVE
          value: 10000ms
        - name: LINKERD2_PROXY_OUTBOUND_CONNECT_KEEPALIVE
          value: 10000ms
        - name: LINKERD2_PROXY_INBOUND_SERVER_HTTP2_KEEP_ALIVE_INTERVAL
          value: "10s"
        - name: LINKERD2_PROXY_INBOUND_SERVER_HTTP2_KEEP_ALIVE_TIMEOUT
          value: "3s"
        - name: LINKERD2_PROXY_OUTBOUND_SERVER_HTTP2_KEEP_ALIVE_INTERVAL
          value: "10s"
        - name: LINKERD2_PROXY_OUTBOUND_SERVER_HTTP2_KEEP_ALIVE_TIMEOUT
          value: "3s"
        # Same port list the destination and policy containers receive as
        # default-opaque-ports.
        - name: LINKERD2_PROXY_INBOUND_PORTS_DISABLE_PROTOCOL_DETECTION
          value: "25,587,3306,4444,5432,6379,9300,11211"
        - name: LINKERD2_PROXY_DESTINATION_CONTEXT
          value: |
            {"ns":"$(_pod_ns)", "nodeName":"$(_pod_nodeName)", "pod":"$(_pod_name)"}
        - name: _pod_sa
          valueFrom:
            fieldRef:
              fieldPath: spec.serviceAccountName
        - name: _l5d_ns
          value: linkerd
        - name: _l5d_trustdomain
          value: cluster.local
        # Backed by the in-memory emptyDir linkerd-identity-end-entity mounted
        # below.
        - name: LINKERD2_PROXY_IDENTITY_DIR
          value: /var/run/linkerd/identity/end-entity
        # Trust anchors are read from the linkerd-identity-trust-roots
        # ConfigMap: write access to that ConfigMap decides which CAs this
        # proxy trusts, so guard it like key material.
        - name: LINKERD2_PROXY_IDENTITY_TRUST_ANCHORS
          valueFrom:
            configMapKeyRef:
              name: linkerd-identity-trust-roots
              key: ca-bundle.crt
        # File written by the projected ServiceAccount token volume
        # (audience identity.l5d.io) declared under volumes.
        - name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE
          value: /var/run/secrets/tokens/linkerd-identity-token
        - name: LINKERD2_PROXY_IDENTITY_SVC_ADDR
          value: linkerd-identity-headless.linkerd.svc.cluster.local.:8080
        # Local identity is derived from the pod's ServiceAccount and
        # namespace via the variables declared above.
        - name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME
          value: $(_pod_sa).$(_pod_ns).serviceaccount.identity.linkerd.cluster.local
        - name: LINKERD2_PROXY_IDENTITY_SVC_NAME
          value: linkerd-identity.linkerd.serviceaccount.identity.linkerd.cluster.local
        - name: LINKERD2_PROXY_DESTINATION_SVC_NAME
          value: linkerd-destination.linkerd.serviceaccount.identity.linkerd.cluster.local
        - name: LINKERD2_PROXY_POLICY_SVC_NAME
          value: linkerd-destination.linkerd.serviceaccount.identity.linkerd.cluster.local
        # NOTE(review): install-proxy-version looks like a placeholder tag from
        # the render. For a real install prefer a digest-pinned image, since
        # IfNotPresent reuses whatever the node already cached under the tag.
        image: cr.l5d.io/linkerd/proxy:install-proxy-version
        imagePullPolicy: IfNotPresent
        livenessProbe:
          httpGet:
            path: /live
            port: 4191
          initialDelaySeconds: 10
          timeoutSeconds: 1
        name: linkerd-proxy
        ports:
        - containerPort: 4143
          name: linkerd-proxy
        - containerPort: 4191
          name: linkerd-admin
        readinessProbe:
          httpGet:
            path: /ready
            port: 4191
          initialDelaySeconds: 2
          timeoutSeconds: 1
        # Bare key parses as null: no CPU/memory requests or limits are set
        # for the proxy.
        resources:
        # Hardened context: no privilege escalation, all capabilities dropped,
        # read-only root filesystem, non-root UID 2102 (the UID linkerd-init
        # is given via --proxy-uid), runtime default seccomp profile.
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            drop:
              - ALL
          readOnlyRootFilesystem: true
          runAsNonRoot: true
          runAsUser: 2102
          seccompProfile:
            type: RuntimeDefault
        terminationMessagePolicy: FallbackToLogsOnError
        # postStart runs linkerd-await against the admin port with a 2m
        # timeout; presumably this holds back the remaining containers until
        # the proxy is ready -- TODO confirm.
        lifecycle:
          postStart:
            exec:
              command:
                - /usr/lib/linkerd/linkerd-await
                - --timeout=2m
                - --port=4191
        volumeMounts:
        - mountPath: /var/run/linkerd/identity/end-entity
          name: linkerd-identity-end-entity
        - mountPath: /var/run/secrets/tokens
          name: linkerd-identity-token
      # --- destination controller ---
      # gRPC on 8086, admin/probes on 9996; pprof is explicitly disabled.
      # This container declares no resources key and no volume mounts.
      - args:
        - destination
        - -addr=:8086
        - -controller-namespace=linkerd
        - -enable-h2-upgrade=true
        - -log-level=info
        - -log-format=plain
        - -enable-endpoint-slices=true
        - -cluster-domain=cluster.local
        - -identity-trust-domain=cluster.local
        - -default-opaque-ports=25,587,3306,4444,5432,6379,9300,11211
        - -enable-ipv6=false
        - -enable-pprof=false
        - --meshed-http2-client-params={"keep_alive":{"interval":{"seconds":10},"timeout":{"seconds":3},"while_idle":true}}
        image: cr.l5d.io/linkerd/controller:install-control-plane-version
        imagePullPolicy: IfNotPresent
        livenessProbe:
          httpGet:
            path: /ping
            port: 9996
          initialDelaySeconds: 10
        name: destination
        ports:
        - containerPort: 8086
          name: grpc
        - containerPort: 9996
          name: admin-http
        readinessProbe:
          failureThreshold: 7
          httpGet:
            path: /ready
            port: 9996
        securityContext:
          capabilities:
            drop:
            - ALL
          readOnlyRootFilesystem: true
          runAsNonRoot: true
          runAsUser: 2103
          allowPrivilegeEscalation: false
          seccompProfile:
            type: RuntimeDefault
      # --- sp-validator ---
      # Serves on 8443 (the target of the linkerd-sp-validator Service) with
      # admin/probes on 9997; its TLS material is mounted read-only from the
      # sp-tls Secret volume.
      - args:
        - sp-validator
        - -log-level=info
        - -log-format=plain
        - -enable-pprof=false
        image: cr.l5d.io/linkerd/controller:install-control-plane-version
        imagePullPolicy: IfNotPresent
        livenessProbe:
          httpGet:
            path: /ping
            port: 9997
          initialDelaySeconds: 10
        name: sp-validator
        ports:
        - containerPort: 8443
          name: sp-validator
        - containerPort: 9997
          name: admin-http
        readinessProbe:
          failureThreshold: 7
          httpGet:
            path: /ready
            port: 9997
        securityContext:
          capabilities:
            drop:
            - ALL
          readOnlyRootFilesystem: true
          runAsNonRoot: true
          runAsUser: 2103
          allowPrivilegeEscalation: false
          seccompProfile:
            type: RuntimeDefault
        volumeMounts:
        - mountPath: /var/run/linkerd/tls
          name: sp-tls
          readOnly: true
      # --- policy controller ---
      # gRPC on 8090, admin on 9990, HTTPS on 9443 using the key and
      # certificate mounted read-only from the policy-tls Secret volume.
      # NOTE(review): --probe-networks=0.0.0.0/0,::/0 covers every source
      # address; narrow it to the node/kubelet ranges where those are known.
      # NOTE(review): --default-policy=all-unauthenticated is the cluster-wide
      # fallback handed to proxies; confirm it matches the intended posture.
      - args:
        - --admin-addr=[::]:9990
        - --control-plane-namespace=linkerd
        - --grpc-addr=[::]:8090
        - --server-addr=[::]:9443
        - --server-tls-key=/var/run/linkerd/tls/tls.key
        - --server-tls-certs=/var/run/linkerd/tls/tls.crt
        - --cluster-networks=10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16,fd00::/8
        - --identity-domain=cluster.local
        - --cluster-domain=cluster.local
        - --default-policy=all-unauthenticated
        - --log-level=info
        - --log-format=plain
        - --default-opaque-ports=25,587,3306,4444,5432,6379,9300,11211
        - --probe-networks=0.0.0.0/0,::/0
        image: cr.l5d.io/linkerd/policy-controller:install-control-plane-version
        imagePullPolicy: IfNotPresent
        livenessProbe:
          httpGet:
            path: /live
            port: admin-http
        name: policy
        ports:
        - containerPort: 8090
          name: grpc
        - containerPort: 9990
          name: admin-http
        - containerPort: 9443
          name: policy-https
        readinessProbe:
          failureThreshold: 7
          httpGet:
            path: /ready
            port: admin-http
          initialDelaySeconds: 10
        # Bare key parses as null: no requests or limits are set.
        resources:
        securityContext:
          capabilities:
            drop:
            - ALL
          readOnlyRootFilesystem: true
          runAsNonRoot: true
          runAsUser: 2103
          allowPrivilegeEscalation: false
          seccompProfile:
            type: RuntimeDefault
        volumeMounts:
        - mountPath: /var/run/linkerd/tls
          name: policy-tls
          readOnly: true
      initContainers:
      # --- linkerd-init ---
      # Receives the proxy's inbound (4143) and outbound (4140) ports and the
      # proxy UID (2102, matching the proxy's runAsUser).
      # NOTE(review): the ports in --inbound-ports-to-ignore and
      # --outbound-ports-to-ignore (443, 6443) presumably bypass the proxy and
      # with it mesh mTLS and policy -- confirm the lists are as narrow as
      # needed.
      - args:
        - --ipv6=false
        - --incoming-proxy-port
        - "4143"
        - --outgoing-proxy-port
        - "4140"
        - --proxy-uid
        - "2102"
        - --inbound-ports-to-ignore
        - "4190,4191,4567,4568"
        - --outbound-ports-to-ignore
        - "443,6443"
        image: cr.l5d.io/linkerd/proxy-init:v2.4.0
        imagePullPolicy: IfNotPresent
        name: linkerd-init
        resources:
          limits:
            cpu: "100m"
            memory: "20Mi"
          requests:
            cpu: "100m"
            memory: "20Mi"
        # The only container in this pod that adds capabilities: NET_ADMIN and
        # NET_RAW, while staying unprivileged and non-root (65534) with a
        # read-only root filesystem. No drop list is set here, so the
        # runtime's default capability set is kept in addition to the two
        # added ones.
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            add:
            - NET_ADMIN
            - NET_RAW
          privileged: false
          runAsNonRoot: true
          runAsUser: 65534
          runAsGroup: 65534
          readOnlyRootFilesystem: true
          seccompProfile:
            type: RuntimeDefault
        terminationMessagePolicy: FallbackToLogsOnError
        volumeMounts:
        - mountPath: /run
          name: linkerd-proxy-init-xtables-lock
      # Pod-level seccomp default; each container also sets it explicitly.
      securityContext:
        seccompProfile:
          type: RuntimeDefault
      serviceAccountName: linkerd-destination
      volumes:
      # TLS key pairs for the two HTTPS listeners, each mounted read-only by
      # the container that serves it.
      - name: sp-tls
        secret:
          secretName: linkerd-sp-validator-k8s-tls
      - name: policy-tls
        secret:
          secretName: linkerd-policy-validator-k8s-tls
      - emptyDir: {}
        name: linkerd-proxy-init-xtables-lock
      # Projected ServiceAccount token bound to the identity.l5d.io audience
      # with a 24h (86400s) expiry, kept separate from the pod's default API
      # token.
      - name: linkerd-identity-token
        projected:
          sources:
          - serviceAccountToken:
              path: linkerd-identity-token
              expirationSeconds: 86400
              audience: identity.l5d.io
      # medium: Memory makes this a tmpfs, so whatever the proxy writes to its
      # identity directory is not persisted to node disk.
      - emptyDir:
          medium: Memory
        name: linkerd-identity-end-entity
---
###
### Heartbeat
###
# CronJob that runs the controller image's heartbeat command under the
# linkerd-heartbeat ServiceAccount. The pod carries no proxy sidecar (see the
# LINKERD_DISABLED value below).
# NOTE(review): the Prometheus URL is plain http and no resources key is set
# on the container; confirm both are acceptable, and check where the heartbeat
# reports to against your egress policy.
apiVersion: batch/v1
kind: CronJob
metadata:
  annotations:
    linkerd.io/created-by: linkerd/cli dev-undefined
  labels:
    app.kubernetes.io/name: heartbeat
    app.kubernetes.io/part-of: Linkerd
    app.kubernetes.io/version: install-control-plane-version
    linkerd.io/control-plane-component: heartbeat
    linkerd.io/control-plane-ns: linkerd
  name: linkerd-heartbeat
  namespace: linkerd
spec:
  # A run that is still active when the next one is due gets replaced.
  concurrencyPolicy: Replace
  jobTemplate:
    spec:
      template:
        metadata:
          annotations:
            linkerd.io/created-by: linkerd/cli dev-undefined
          labels:
            linkerd.io/control-plane-component: heartbeat
            linkerd.io/workload-ns: linkerd
        spec:
          containers:
          - args:
            - 'heartbeat'
            - '-controller-namespace=linkerd'
            - '-log-level=info'
            - '-log-format=plain'
            - '-prometheus-url=http://prometheus.linkerd-viz.svc.cluster.local:9090'
            env:
            - name: LINKERD_DISABLED
              value: 'the heartbeat controller does not use the proxy'
            image: cr.l5d.io/linkerd/controller:install-control-plane-version
            imagePullPolicy: IfNotPresent
            name: heartbeat
            # Non-root UID 2103, all capabilities dropped, read-only root
            # filesystem, no privilege escalation.
            securityContext:
              allowPrivilegeEscalation: false
              capabilities:
                drop:
                - ALL
              readOnlyRootFilesystem: true
              runAsNonRoot: true
              runAsUser: 2103
              seccompProfile:
                type: RuntimeDefault
          nodeSelector:
            kubernetes.io/os: linux
          restartPolicy: Never
          securityContext:
            seccompProfile:
              type: RuntimeDefault
          serviceAccountName: linkerd-heartbeat
  schedule: '1 2 3 4 5'
  # Completed Jobs are not retained.
  successfulJobsHistoryLimit: 0
---
###
### Proxy Injector
###
# Deployment for the proxy-injector control-plane component. The pod template
# runs the linkerd-proxy sidecar and the proxy-injector container, plus the
# linkerd-init init container, under the linkerd-proxy-injector
# ServiceAccount.
apiVersion: apps/v1
kind: Deployment
metadata:
  annotations:
    linkerd.io/created-by: linkerd/cli dev-undefined
  labels:
    app.kubernetes.io/name: proxy-injector
    app.kubernetes.io/part-of: Linkerd
    app.kubernetes.io/version: install-control-plane-version
    linkerd.io/control-plane-component: proxy-injector
    linkerd.io/control-plane-ns: linkerd
  name: linkerd-proxy-injector
  namespace: linkerd
spec:
  # Single replica behind the linkerd-proxy-injector Service.
  replicas: 1
  revisionHistoryLimit: 10
  selector:
    matchLabels:
      linkerd.io/control-plane-component: proxy-injector
  strategy:
    rollingUpdate:
      maxSurge: 25%
      maxUnavailable: 25%
  template:
    metadata:
      annotations:
        checksum/config: cd0cf730780be444ab96a4a835a244033ffb7c8cf4a8796d0e6ae5c72aa9ff31
        linkerd.io/created-by: linkerd/cli dev-undefined
        linkerd.io/proxy-version: install-proxy-version
        cluster-autoscaler.kubernetes.io/safe-to-evict: "true"
        linkerd.io/trust-root-sha256: 8dc603abd4e755c25c94da05abbf29b9b283a784733651020d72f97ca8ab98e4
        # 8443 is the proxy-injector container's serving port.
        config.linkerd.io/opaque-ports: "8443"
        # NOTE(review): all-unauthenticated admits inbound connections without
        # requiring a mesh identity; the proxy env repeats the same value.
        # Confirm this posture is intended for the injector.
        config.linkerd.io/default-inbound-policy: "all-unauthenticated"
      labels:
        linkerd.io/control-plane-component: proxy-injector
        linkerd.io/control-plane-ns: linkerd
        linkerd.io/workload-ns: linkerd
        linkerd.io/proxy-deployment: linkerd-proxy-injector
    spec:
      nodeSelector:
        kubernetes.io/os: linux
      
      containers:
      # --- linkerd-proxy sidecar ---
      - env:
        # Downward-API values. Kubernetes only expands $(VAR) references to
        # variables declared earlier in this list, so these entries must stay
        # ahead of the ones that use them.
        - name: _pod_name
          valueFrom:
            fieldRef:
              fieldPath: metadata.name
        - name: _pod_ns
          valueFrom:
            fieldRef:
              fieldPath: metadata.namespace
        - name: _pod_nodeName
          valueFrom:
            fieldRef:
              fieldPath: spec.nodeName
        - name: LINKERD2_PROXY_LOG
          value: "warn,linkerd=info,trust_dns=error"
        - name: LINKERD2_PROXY_LOG_FORMAT
          value: "plain"
        # Destination and policy APIs are reached through the headless
        # Services linkerd-dst-headless (8086) and linkerd-policy (8090).
        - name: LINKERD2_PROXY_DESTINATION_SVC_ADDR
          value: linkerd-dst-headless.linkerd.svc.cluster.local.:8086
        - name: LINKERD2_PROXY_DESTINATION_PROFILE_NETWORKS
          value: "10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16,fd00::/8"
        - name: LINKERD2_PROXY_POLICY_SVC_ADDR
          value: linkerd-policy.linkerd.svc.cluster.local.:8090
        - name: LINKERD2_PROXY_POLICY_WORKLOAD
          value: |
            {"ns":"$(_pod_ns)", "pod":"$(_pod_name)"}
        # Must agree with the default-inbound-policy pod annotation.
        - name: LINKERD2_PROXY_INBOUND_DEFAULT_POLICY
          value: all-unauthenticated
        - name: LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS
          value: "10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16,fd00::/8"
        - name: LINKERD2_PROXY_CONTROL_STREAM_INITIAL_TIMEOUT
          value: "3s"
        - name: LINKERD2_PROXY_CONTROL_STREAM_IDLE_TIMEOUT
          value: "5m"
        - name: LINKERD2_PROXY_CONTROL_STREAM_LIFETIME
          value: "1h"
        - name: LINKERD2_PROXY_INBOUND_CONNECT_TIMEOUT
          value: "100ms"
        - name: LINKERD2_PROXY_OUTBOUND_CONNECT_TIMEOUT
          value: "1000ms"
        - name: LINKERD2_PROXY_OUTBOUND_DISCOVERY_IDLE_TIMEOUT
          value: "5s"
        - name: LINKERD2_PROXY_INBOUND_DISCOVERY_IDLE_TIMEOUT
          value: "90s"
        # Control (4190), admin (4191) and inbound (4143) listeners bind every
        # address; only the outbound listener is loopback-only.
        # NOTE(review): 4190 and 4191 are also in linkerd-init's
        # --inbound-ports-to-ignore, so consider a NetworkPolicy if the admin
        # endpoints should not be reachable from other pods.
        - name: LINKERD2_PROXY_CONTROL_LISTEN_ADDR
          value: "[::]:4190"
        - name: LINKERD2_PROXY_ADMIN_LISTEN_ADDR
          value: "[::]:4191"
        - name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDR
          value: "127.0.0.1:4140"
        - name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDRS
          value: "127.0.0.1:4140"
        - name: LINKERD2_PROXY_INBOUND_LISTEN_ADDR
          value: "[::]:4143"
        - name: LINKERD2_PROXY_INBOUND_IPS
          valueFrom:
            fieldRef:
              fieldPath: status.podIPs
        # Matches the proxy-injector container's ports (8443, 9995).
        - name: LINKERD2_PROXY_INBOUND_PORTS
          value: "8443,9995"
        - name: LINKERD2_PROXY_DESTINATION_PROFILE_SUFFIXES
          value: svc.cluster.local.
        - name: LINKERD2_PROXY_INBOUND_ACCEPT_KEEPALIVE
          value: 10000ms
        - name: LINKERD2_PROXY_OUTBOUND_CONNECT_KEEPALIVE
          value: 10000ms
        - name: LINKERD2_PROXY_INBOUND_SERVER_HTTP2_KEEP_ALIVE_INTERVAL
          value: "10s"
        - name: LINKERD2_PROXY_INBOUND_SERVER_HTTP2_KEEP_ALIVE_TIMEOUT
          value: "3s"
        - name: LINKERD2_PROXY_OUTBOUND_SERVER_HTTP2_KEEP_ALIVE_INTERVAL
          value: "10s"
        - name: LINKERD2_PROXY_OUTBOUND_SERVER_HTTP2_KEEP_ALIVE_TIMEOUT
          value: "3s"
        - name: LINKERD2_PROXY_INBOUND_PORTS_DISABLE_PROTOCOL_DETECTION
          value: "25,587,3306,4444,5432,6379,9300,11211"
        - name: LINKERD2_PROXY_DESTINATION_CONTEXT
          value: |
            {"ns":"$(_pod_ns)", "nodeName":"$(_pod_nodeName)", "pod":"$(_pod_name)"}
        - name: _pod_sa
          valueFrom:
            fieldRef:
              fieldPath: spec.serviceAccountName
        - name: _l5d_ns
          value: linkerd
        - name: _l5d_trustdomain
          value: cluster.local
        # Backed by the in-memory emptyDir linkerd-identity-end-entity mounted
        # below.
        - name: LINKERD2_PROXY_IDENTITY_DIR
          value: /var/run/linkerd/identity/end-entity
        # Trust anchors are read from the linkerd-identity-trust-roots
        # ConfigMap: write access to that ConfigMap decides which CAs this
        # proxy trusts, so guard it like key material.
        - name: LINKERD2_PROXY_IDENTITY_TRUST_ANCHORS
          valueFrom:
            configMapKeyRef:
              name: linkerd-identity-trust-roots
              key: ca-bundle.crt
        # File written by the projected ServiceAccount token volume
        # (audience identity.l5d.io) declared under volumes.
        - name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE
          value: /var/run/secrets/tokens/linkerd-identity-token
        - name: LINKERD2_PROXY_IDENTITY_SVC_ADDR
          value: linkerd-identity-headless.linkerd.svc.cluster.local.:8080
        # Local identity is derived from the pod's ServiceAccount and
        # namespace via the variables declared above.
        - name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME
          value: $(_pod_sa).$(_pod_ns).serviceaccount.identity.linkerd.cluster.local
        - name: LINKERD2_PROXY_IDENTITY_SVC_NAME
          value: linkerd-identity.linkerd.serviceaccount.identity.linkerd.cluster.local
        - name: LINKERD2_PROXY_DESTINATION_SVC_NAME
          value: linkerd-destination.linkerd.serviceaccount.identity.linkerd.cluster.local
        - name: LINKERD2_PROXY_POLICY_SVC_NAME
          value: linkerd-destination.linkerd.serviceaccount.identity.linkerd.cluster.local
        # NOTE(review): install-proxy-version looks like a placeholder tag from
        # the render. For a real install prefer a digest-pinned image, since
        # IfNotPresent reuses whatever the node already cached under the tag.
        image: cr.l5d.io/linkerd/proxy:install-proxy-version
        imagePullPolicy: IfNotPresent
        livenessProbe:
          httpGet:
            path: /live
            port: 4191
          initialDelaySeconds: 10
          timeoutSeconds: 1
        name: linkerd-proxy
        ports:
        - containerPort: 4143
          name: linkerd-proxy
        - containerPort: 4191
          name: linkerd-admin
        readinessProbe:
          httpGet:
            path: /ready
            port: 4191
          initialDelaySeconds: 2
          timeoutSeconds: 1
        # Bare key parses as null: no CPU/memory requests or limits are set
        # for the proxy.
        resources:
        # Hardened context: no privilege escalation, all capabilities dropped,
        # read-only root filesystem, non-root UID 2102 (the UID linkerd-init
        # is given via --proxy-uid), runtime default seccomp profile.
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            drop:
              - ALL
          readOnlyRootFilesystem: true
          runAsNonRoot: true
          runAsUser: 2102
          seccompProfile:
            type: RuntimeDefault
        terminationMessagePolicy: FallbackToLogsOnError
        # postStart runs linkerd-await against the admin port with a 2m
        # timeout; presumably this holds back the remaining containers until
        # the proxy is ready -- TODO confirm.
        lifecycle:
          postStart:
            exec:
              command:
                - /usr/lib/linkerd/linkerd-await
                - --timeout=2m
                - --port=4191
        volumeMounts:
        - mountPath: /var/run/linkerd/identity/end-entity
          name: linkerd-identity-end-entity
        - mountPath: /var/run/secrets/tokens
          name: linkerd-identity-token
      # --- proxy-injector ---
      # Serves on 8443 (the target of the linkerd-proxy-injector Service) with
      # admin/probes on 9995; pprof is explicitly disabled. It declares no
      # resources key.
      - args:
        - proxy-injector
        - -log-level=info
        - -log-format=plain
        - -linkerd-namespace=linkerd
        - -enable-pprof=false
        image: cr.l5d.io/linkerd/controller:install-control-plane-version
        imagePullPolicy: IfNotPresent
        livenessProbe:
          httpGet:
            path: /ping
            port: 9995
          initialDelaySeconds: 10
        name: proxy-injector
        ports:
        - containerPort: 8443
          name: proxy-injector
        - containerPort: 9995
          name: admin-http
        readinessProbe:
          failureThreshold: 7
          httpGet:
            path: /ready
            port: 9995
        securityContext:
          capabilities:
            drop:
            - ALL
          readOnlyRootFilesystem: true
          runAsNonRoot: true
          runAsUser: 2103
          allowPrivilegeEscalation: false
          seccompProfile:
            type: RuntimeDefault
        # Only the tls mount is marked readOnly; config and trust-roots are
        # ConfigMap volumes, and the root filesystem is read-only as well.
        volumeMounts:
        - mountPath: /var/run/linkerd/config
          name: config
        - mountPath: /var/run/linkerd/identity/trust-roots
          name: trust-roots
        - mountPath: /var/run/linkerd/tls
          name: tls
          readOnly: true
      initContainers:
      # --- linkerd-init ---
      # Receives the proxy's inbound (4143) and outbound (4140) ports and the
      # proxy UID (2102, matching the proxy's runAsUser).
      # NOTE(review): the ports in --inbound-ports-to-ignore and
      # --outbound-ports-to-ignore (443, 6443) presumably bypass the proxy and
      # with it mesh mTLS and policy -- confirm the lists are as narrow as
      # needed.
      - args:
        - --ipv6=false
        - --incoming-proxy-port
        - "4143"
        - --outgoing-proxy-port
        - "4140"
        - --proxy-uid
        - "2102"
        - --inbound-ports-to-ignore
        - "4190,4191,4567,4568"
        - --outbound-ports-to-ignore
        - "443,6443"
        image: cr.l5d.io/linkerd/proxy-init:v2.4.0
        imagePullPolicy: IfNotPresent
        name: linkerd-init
        resources:
          limits:
            cpu: "100m"
            memory: "20Mi"
          requests:
            cpu: "100m"
            memory: "20Mi"
        # The only container in this pod that adds capabilities: NET_ADMIN and
        # NET_RAW, while staying unprivileged and non-root (65534) with a
        # read-only root filesystem. No drop list is set here, so the
        # runtime's default capability set is kept in addition to the two
        # added ones.
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            add:
            - NET_ADMIN
            - NET_RAW
          privileged: false
          runAsNonRoot: true
          runAsUser: 65534
          runAsGroup: 65534
          readOnlyRootFilesystem: true
          seccompProfile:
            type: RuntimeDefault
        terminationMessagePolicy: FallbackToLogsOnError
        volumeMounts:
        - mountPath: /run
          name: linkerd-proxy-init-xtables-lock
      # Pod-level seccomp default; each container also sets it explicitly.
      securityContext:
        seccompProfile:
          type: RuntimeDefault
      serviceAccountName: linkerd-proxy-injector
      volumes:
      - configMap:
          name: linkerd-config
        name: config
      - configMap:
          name: linkerd-identity-trust-roots
        name: trust-roots
      # Serving key pair for the injector's 8443 listener.
      - name: tls
        secret:
          secretName: linkerd-proxy-injector-k8s-tls
      - emptyDir: {}
        name: linkerd-proxy-init-xtables-lock
      # Projected ServiceAccount token bound to the identity.l5d.io audience
      # with a 24h (86400s) expiry, kept separate from the pod's default API
      # token.
      - name: linkerd-identity-token
        projected:
          sources:
          - serviceAccountToken:
              path: linkerd-identity-token
              expirationSeconds: 86400
              audience: identity.l5d.io
      # medium: Memory makes this a tmpfs, so whatever the proxy writes to its
      # identity directory is not persisted to node disk.
      - emptyDir:
          medium: Memory
        name: linkerd-identity-end-entity
---
# ClusterIP Service fronting the proxy-injector container on 443.
# targetPort is the named container port proxy-injector, which the
# linkerd-proxy-injector Deployment declares as containerPort 8443.
# Port 443 is annotated as a Linkerd opaque port.
apiVersion: v1
kind: Service
metadata:
  annotations:
    config.linkerd.io/opaque-ports: "443"
    linkerd.io/created-by: linkerd/cli dev-undefined
  labels:
    linkerd.io/control-plane-component: proxy-injector
    linkerd.io/control-plane-ns: linkerd
  name: linkerd-proxy-injector
  namespace: linkerd
spec:
  ports:
  - name: proxy-injector
    port: 443
    targetPort: proxy-injector
  selector:
    linkerd.io/control-plane-component: proxy-injector
  type: ClusterIP
---
# Secret holding the install overrides as one base64 value.
# Base64 is an encoding, not encryption: the decoded YAML carries
# identity.issuer.tls.keyPEM (an EC private key) next to the issuer
# certificate and the trust anchors, so read access to this Secret is read
# access to the identity issuer key.
# NOTE(review): keep get/list/watch on Secrets in this namespace to the
# minimum set of subjects and confirm encryption at rest is enabled. The
# placeholder versions inside the payload (for example
# install-control-plane-version) suggest this is rendered test output; if so,
# this key material must never be reused in a real cluster.
apiVersion: v1
data:
  # NOTE(review): the value continues at column 0 on the next physical line,
  # which is not valid inside this mapping; it looks like a wrap introduced
  # when the page was captured -- confirm the original keeps it on one line.
  linkerd-config-overrides: ZGVidWdDb250YWluZXI6CiAgaW1hZ2U6CiAgICB2ZXJzaW9uOiBpbnN0YWxsLWRlYnVnLXZlcnNpb24KaGVhcnRiZWF0U2NoZWR1bGU6IDEgMiAzIDQgNQppZGVudGl0eToKICBpc3N1ZXI6CiAgICB0bHM6CiAgICAgIGNydFBFTTogfAogICAgICAgIC0tLS0tQkVHSU4gQ0VSVElGSUNBVEUtLS0tLQogICAgICAgIE1JSUJ3RENDQVdlZ0F3SUJBZ0lSQUpSSWdaOFJ0TzhFd2cxWGVwZjhUNDR3Q2dZSUtvWkl6ajBFQXdJd0tURW4KICAgICAgICBNQ1VHQTFVRUF4TWVhV1JsYm5ScGRIa3ViR2x1YTJWeVpDNWpiSFZ6ZEdWeUxteHZZMkZzTUI0WERUSXdNRGd5CiAgICAgICAgT0RBM01UTTBOMW9YRFRNd01EZ3lOakEzTVRNME4xb3dLVEVuTUNVR0ExVUVBeE1lYVdSbGJuUnBkSGt1YkdsdQogICAgICAgIGEyVnlaQzVqYkhWemRHVnlMbXh2WTJGc01Ga3dFd1lIS29aSXpqMENBUVlJS29aSXpqMERBUWNEUWdBRTEvRnAKICAgICAgICBmY1JuRGNlZEw2QWpVYVhZUHY0RElNQmFKdWZPSTVOV3R5K1hTWDdKalhnWnRNNzJkUXZSYVlhbnV4RDM2RHQxCiAgICAgICAgMi9KeHlpU2d4S1dSZG9heSthTndNRzR3RGdZRFZSMFBBUUgvQkFRREFnRUdNQklHQTFVZEV3RUIvd1FJTUFZQgogICAgICAgIEFmOENBUUF3SFFZRFZSME9CQllFRkkxV25ycU1ZS2FISE9vK3pweWlpRHEycE8wS01Da0dBMVVkRVFRaU1DQ0MKICAgICAgICBIbWxrWlc1MGFYUjVMbXhwYm10bGNtUXVZMngxYzNSbGNpNXNiMk5oYkRBS0JnZ3Foa2pPUFFRREFnTkhBREJFCiAgICAgICAgQWlBdHVvSTVYdUN0ckdWUnpTbVJUbDJyYTI4YVY5TXlUVTdkNXFuVEFGSEtTZ0lnUktDdmx1T1NnQTVPMjFwNQogICAgICAgIDUxdGRybWtIRVpScjBxbExTSmRIWWdFZk16az0KICAgICAgICAtLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCiAgICAgIGtleVBFTTogfAogICAgICAgIC0tLS0tQkVHSU4gRUMgUFJJVkFURSBLRVktLS0tLQogICAgICAgIE1IY0NBUUVFSUFBZThuZmJ6WnU5Yy9PQjIrOHhKTTBGejdOVXdUUWF6dWxrRk5zNFRJNStvQW9HQ0NxR1NNNDkKICAgICAgICBBd0VIb1VRRFFnQUUxL0ZwZmNSbkRjZWRMNkFqVWFYWVB2NERJTUJhSnVmT0k1Tld0eStYU1g3SmpYZ1p0TTcyCiAgICAgICAgZFF2UmFZYW51eEQzNkR0MTIvSnh5aVNneEtXUmRvYXkrUT09CiAgICAgICAgLS0tLS1FTkQgRUMgUFJJVkFURSBLRVktLS0tLQppZGVudGl0eVRydXN0QW5jaG9yc1BFTTogfAogIC0tLS0tQkVHSU4gQ0VSVElGSUNBVEUtLS0tLQogIE1JSUJ3VENDQVdhZ0F3SUJBZ0lRZURacDVsRGFJeWdRNVVmTUtackZBVEFLQmdncWhrak9QUVFEQWpBcE1TY3cKICBKUVlEVlFRREV4NXBaR1Z1ZEdsMGVTNXNhVzVyWlhKa0xtTnNkWE4wWlhJdWJHOWpZV3d3SGhjTk1qQXdPREk0CiAgTURjeE1qUTNXaGNOTXpBd09ESTJNRGN4TWpRM1dqQXBNU2N3SlFZRFZRUURFeDVwWkdWdWRHbDBlUzVzYVc1cgogIFpYSmtMbU5zZFhOMFpYSXViRzlqWVd3d1dUQVRCZ2NxaGtqT1BR
SUJCZ2dxaGtqT1BRTUJCd05DQUFScWM3MFoKICBsMXZndzc5cmpCNXVTSVRJQ1VBNkd5ZnZTRmZjdUlpczdCL1hGU2trd0FIVTVTL3MxQUFQK1IwVFg3SEJXVUM0CiAgdWFHNFdXc2l3SktObjdtZ28zQXdiakFPQmdOVkhROEJBZjhFQkFNQ0FRWXdFZ1lEVlIwVEFRSC9CQWd3QmdFQgogIC93SUJBVEFkQmdOVkhRNEVGZ1FVNVl0alZWUGZkN0k3TkxIc24yQzI2RUJ5R1Ywd0tRWURWUjBSQkNJd0lJSWUKICBhV1JsYm5ScGRIa3ViR2x1YTJWeVpDNWpiSFZ6ZEdWeUxteHZZMkZzTUFvR0NDcUdTTTQ5QkFNQ0Ewa0FNRVlDCiAgSVFDTjdsQkZMRER2ang2VjArWGtqcEtFUlJzSllmNWFkTXZubG9GbDQ4aWxKZ0loQU50eGhuZGNyK1FKUHVDOAogIHZnVUMwZDIvOUZNdWVJVk1iKzQ2V1RDT2pzcXIKICAtLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCmxpbmtlcmRWZXJzaW9uOiBpbnN0YWxsLWNvbnRyb2wtcGxhbmUtdmVyc2lvbgpwb2xpY3lWYWxpZGF0b3I6CiAgY2FCdW5kbGU6IHBvbGljeSB2YWxpZGF0b3IgQ0EgYnVuZGxlCiAgZXh0ZXJuYWxTZWNyZXQ6IHRydWUKcHJvZmlsZVZhbGlkYXRvcjoKICBjYUJ1bmRsZTogcHJvZmlsZSB2YWxpZGF0b3IgQ0EgYnVuZGxlCiAgZXh0ZXJuYWxTZWNyZXQ6IHRydWUKcHJveHk6CiAgaW1hZ2U6CiAgICB2ZXJzaW9uOiBpbnN0YWxsLXByb3h5LXZlcnNpb24KcHJveHlJbmplY3RvcjoKICBjYUJ1bmRsZTogcHJveHkgaW5qZWN0b3IgQ0EgYnVuZGxlCiAgZXh0ZXJuYWxTZWNyZXQ6IHRydWUK
kind: Secret
metadata:
  creationTimestamp: null
  labels:
    linkerd.io/control-plane-ns: linkerd
  name: linkerd-config-overrides
  namespace: linkerd