---
###
### Linkerd Namespace
###
# Namespace that holds the Linkerd control plane objects in this manifest.
kind: Namespace
apiVersion: v1
metadata:
  name: linkerd
  annotations:
    # Proxy injection is switched off for this namespace by annotation.
    linkerd.io/inject: disabled
  labels:
    linkerd.io/is-control-plane: "true"
    # The webhook configurations in this manifest select namespaces whose
    # value for this label is NotIn [disabled], so objects created in this
    # namespace are not sent to them.
    config.linkerd.io/admission-webhooks: disabled
    linkerd.io/control-plane-ns: linkerd
    # NOTE(review): Pod Security Admission enforces the least restrictive
    # level for the whole namespace. The linkerd-init container in the
    # linkerd-identity Deployment adds NET_ADMIN and NET_RAW, which the
    # baseline and restricted levels reject. Anything else scheduled into this
    # namespace also runs without Pod Security restrictions, so keep
    # unrelated workloads out of it.
    pod-security.kubernetes.io/enforce: privileged
---
###
### Identity Controller Service RBAC
###
# Cluster-scoped permissions for the identity controller. The role is bound by
# a ClusterRoleBinding, so both rules apply in every namespace.
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: linkerd-linkerd-identity
  labels:
    linkerd.io/control-plane-component: identity
    linkerd.io/control-plane-ns: linkerd
rules:
# Create-only access to TokenReview; no read access to tokens or Secrets is
# granted by this role.
- apiGroups: ["authentication.k8s.io"]
  resources: ["tokenreviews"]
  verbs: ["create"]
# TODO(ver) Restrict this to the Linkerd namespace. See
# https://github.com/linkerd/linkerd2/issues/9367
# NOTE(review): until that TODO is resolved, this ServiceAccount can create
# and patch Events in any namespace, which is broader than the TODO intends.
- apiGroups: [""]
  resources: ["events"]
  verbs: ["create", "patch"]
---
# Binds the linkerd-linkerd-identity ClusterRole to the linkerd-identity
# ServiceAccount. A ClusterRoleBinding is not namespaced, so the grant is
# cluster-wide.
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: linkerd-linkerd-identity
  labels:
    linkerd.io/control-plane-component: identity
    linkerd.io/control-plane-ns: linkerd
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: linkerd-linkerd-identity
subjects:
- kind: ServiceAccount
  name: linkerd-identity
  namespace: linkerd
---
# ServiceAccount named as the subject of the linkerd-linkerd-identity
# ClusterRoleBinding and set as serviceAccountName on the linkerd-identity
# Deployment.
kind: ServiceAccount
apiVersion: v1
metadata:
  name: linkerd-identity
  namespace: linkerd
  labels:
    linkerd.io/control-plane-component: identity
    linkerd.io/control-plane-ns: linkerd
---
###
### Destination Controller Service
###
# Cluster-scoped permissions for the destination controller. Most rules are
# read-only (list/get/watch); the last two grant write access.
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: linkerd-linkerd-destination
  labels:
    linkerd.io/control-plane-component: destination
    linkerd.io/control-plane-ns: linkerd
rules:
- apiGroups: ["apps"]
  resources: ["replicasets"]
  verbs: ["list", "get", "watch"]
- apiGroups: ["batch"]
  resources: ["jobs"]
  verbs: ["list", "get", "watch"]
- apiGroups: [""]
  resources: ["pods", "endpoints", "services", "nodes"]
  verbs: ["list", "get", "watch"]
- apiGroups: ["linkerd.io"]
  resources: ["serviceprofiles"]
  verbs: ["list", "get", "watch"]
- apiGroups: ["workload.linkerd.io"]
  resources: ["externalworkloads"]
  verbs: ["list", "get", "watch"]
# Write access to Leases, with no resourceNames restriction and in every
# namespace because the role is bound cluster-wide.
- apiGroups: ["coordination.k8s.io"]
  resources: ["leases"]
  verbs: ["create", "get", "update", "patch"]
# NOTE(review): full write access, including delete, to EndpointSlices in
# every namespace. EndpointSlices decide which backends receive a Service's
# traffic, so a token for the bound ServiceAccount is a high-value credential;
# audit writes to this resource by that identity.
- apiGroups: ["discovery.k8s.io"]
  resources: ["endpointslices"]
  verbs: ["list", "get", "watch", "create", "update", "patch", "delete"]
---
# Binds the linkerd-linkerd-destination ClusterRole to the
# linkerd-destination ServiceAccount, cluster-wide.
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: linkerd-linkerd-destination
  labels:
    linkerd.io/control-plane-component: destination
    linkerd.io/control-plane-ns: linkerd
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: linkerd-linkerd-destination
subjects:
- kind: ServiceAccount
  name: linkerd-destination
  namespace: linkerd
---
# ServiceAccount for the destination controller. In this manifest it is the
# subject of three bindings: the linkerd-linkerd-destination and
# linkerd-destination-policy ClusterRoleBindings and the
# linkerd-destination-remote-discovery RoleBinding, so its effective
# permissions are the union of all three roles.
kind: ServiceAccount
apiVersion: v1
metadata:
  name: linkerd-destination
  namespace: linkerd
  labels:
    linkerd.io/control-plane-component: destination
    linkerd.io/control-plane-ns: linkerd
---
# Validating webhook for CREATE and UPDATE of linkerd.io serviceprofiles,
# served by the linkerd-sp-validator Service in the linkerd namespace.
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
  name: linkerd-sp-validator-webhook-config
  labels:
    linkerd.io/control-plane-component: destination
    linkerd.io/control-plane-ns: linkerd
webhooks:
- name: linkerd-sp-validator.linkerd.io
  # Namespaces labelled config.linkerd.io/admission-webhooks=disabled are
  # skipped; any principal able to set that label on a namespace can opt it
  # out of validation.
  namespaceSelector:
    matchExpressions:
    - key: config.linkerd.io/admission-webhooks
      operator: NotIn
      values:
      - disabled
  clientConfig:
    service:
      name: linkerd-sp-validator
      namespace: linkerd
      path: "/"
    # This base64 value decodes to the placeholder text used for
    # profileValidator.caBundle in linkerd-config, not to a PEM certificate.
    # A real install needs the CA that signed the webhook's serving cert here.
    caBundle: cHJvZmlsZSB2YWxpZGF0b3IgQ0EgYnVuZGxl
  # Fail-open: if the webhook cannot be reached or errors, the API server
  # admits the object without validation. Alert on webhook call failures if
  # this validation is relied on as a control.
  failurePolicy: Ignore
  admissionReviewVersions: ["v1", "v1beta1"]
  rules:
  - operations: ["CREATE", "UPDATE"]
    apiGroups: ["linkerd.io"]
    apiVersions: ["v1alpha1", "v1alpha2"]
    resources: ["serviceprofiles"]
  sideEffects: None
---
# Validating webhook for CREATE and UPDATE of the policy.linkerd.io resources
# listed below and of gateway.networking.k8s.io httproutes, served by the
# linkerd-policy-validator Service in the linkerd namespace.
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
  name: linkerd-policy-validator-webhook-config
  labels:
    linkerd.io/control-plane-component: destination
    linkerd.io/control-plane-ns: linkerd
webhooks:
- name: linkerd-policy-validator.linkerd.io
  # Namespaces labelled config.linkerd.io/admission-webhooks=disabled are
  # skipped, so policy objects created there are not validated.
  namespaceSelector:
    matchExpressions:
    - key: config.linkerd.io/admission-webhooks
      operator: NotIn
      values:
      - disabled
  clientConfig:
    service:
      name: linkerd-policy-validator
      namespace: linkerd
      path: "/"
    # This base64 value decodes to the placeholder text used for
    # policyValidator.caBundle in linkerd-config, not to a PEM certificate.
    caBundle: cG9saWN5IHZhbGlkYXRvciBDQSBidW5kbGU=
  # Fail-open: while the webhook is unreachable, authorization-policy objects
  # are admitted unvalidated. NOTE(review): for resources that express access
  # control, decide deliberately between Ignore and Fail.
  failurePolicy: Ignore
  admissionReviewVersions: ["v1", "v1beta1"]
  rules:
  - operations: ["CREATE", "UPDATE"]
    apiGroups: ["policy.linkerd.io"]
    # Wildcard: every served version of the group is matched.
    apiVersions: ["*"]
    resources:
    - authorizationpolicies
    - httproutes
    - networkauthentications
    - meshtlsauthentications
    - serverauthorizations
    - servers
  - operations: ["CREATE", "UPDATE"]
    apiGroups: ["gateway.networking.k8s.io"]
    apiVersions: ["*"]
    resources:
    - httproutes
  sideEffects: None
---
# Cluster-scoped permissions bound to the linkerd-destination ServiceAccount
# by the linkerd-destination-policy ClusterRoleBinding. Read-only except for
# the two httproutes/status rules (patch) and the leases rule.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: linkerd-policy
  labels:
    app.kubernetes.io/part-of: Linkerd
    linkerd.io/control-plane-component: destination
    linkerd.io/control-plane-ns: linkerd
rules:
  - apiGroups:
      - ""
    resources:
      - pods
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - apps
    resources:
      - deployments
    verbs:
      - get
  - apiGroups:
      - policy.linkerd.io
    resources:
      - authorizationpolicies
      - httproutes
      - meshtlsauthentications
      - networkauthentications
      - servers
      - serverauthorizations
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - gateway.networking.k8s.io
    resources:
      - httproutes
    verbs:
      - get
      - list
      - watch
  # Write access is limited to the status subresource; the route specs
  # themselves stay read-only for this role.
  - apiGroups:
      - policy.linkerd.io
    resources:
      - httproutes/status
    verbs:
      - patch
  - apiGroups:
      - gateway.networking.k8s.io
    resources:
      - httproutes/status
    verbs:
      - patch
  - apiGroups:
      - workload.linkerd.io
    resources:
      - externalworkloads
    verbs:
      - get
      - list
      - watch
  # Leases: create/get/patch with no resourceNames restriction, in every
  # namespace because the role is bound cluster-wide.
  - apiGroups:
      - coordination.k8s.io
    resources:
      - leases
    verbs:
      - create
      - get
      - patch
---
# Binds the linkerd-policy ClusterRole to the linkerd-destination
# ServiceAccount, cluster-wide.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: linkerd-destination-policy
  labels:
    app.kubernetes.io/part-of: Linkerd
    linkerd.io/control-plane-component: destination
    linkerd.io/control-plane-ns: linkerd
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: linkerd-policy
subjects:
  - kind: ServiceAccount
    name: linkerd-destination
    namespace: linkerd
---
# Namespaced Role granting read access to Secrets in the linkerd namespace.
# NOTE(review): there is no resourceNames restriction, so the grant covers
# every Secret in the namespace, including linkerd-identity-issuer, which in
# this manifest carries the issuer private key (key.pem). The bound
# ServiceAccount (linkerd-destination) can therefore read the issuer key;
# scope the rule down if the consumer only needs specific Secrets.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: remote-discovery
  namespace: linkerd
  labels:
    app.kubernetes.io/part-of: Linkerd
    linkerd.io/control-plane-component: destination
    linkerd.io/control-plane-ns: linkerd
rules:
  - apiGroups:
      - ""
    resources:
      - secrets
    verbs:
      - get
      - list
      - watch
---
# Binds the remote-discovery Role (Secret read access in the linkerd
# namespace) to the linkerd-destination ServiceAccount.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: linkerd-destination-remote-discovery
  namespace: linkerd
  labels:
    app.kubernetes.io/part-of: Linkerd
    linkerd.io/control-plane-component: destination
    linkerd.io/control-plane-ns: linkerd
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: remote-discovery
subjects:
  - kind: ServiceAccount
    name: linkerd-destination
    namespace: linkerd
---
###
### Heartbeat RBAC
###
# Namespaced Role for the heartbeat job: a single verb on a single named
# ConfigMap.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: linkerd-heartbeat
  namespace: linkerd
  labels:
    linkerd.io/control-plane-ns: linkerd
rules:
- apiGroups: [""]
  resources: ["configmaps"]
  verbs: ["get"]
  # resourceNames pins the grant to linkerd-config only; other ConfigMaps in
  # the namespace are not readable through this role.
  resourceNames: ["linkerd-config"]
---
# Binds the namespaced linkerd-heartbeat Role to the linkerd-heartbeat
# ServiceAccount.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: linkerd-heartbeat
  namespace: linkerd
  labels:
    linkerd.io/control-plane-ns: linkerd
roleRef:
  kind: Role
  name: linkerd-heartbeat
  apiGroup: rbac.authorization.k8s.io
subjects:
- kind: ServiceAccount
  name: linkerd-heartbeat
  namespace: linkerd
---
# Cluster-scoped, list-only permissions for the heartbeat job. It shares its
# name with the namespaced Role, but the two are distinct objects with
# different scopes.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: linkerd-heartbeat
  labels:
    linkerd.io/control-plane-ns: linkerd
rules:
# Listing namespaces exposes every namespace name and its labels and
# annotations to the bound ServiceAccount.
- apiGroups: [""]
  resources: ["namespaces"]
  verbs: ["list"]
- apiGroups: ["linkerd.io"]
  resources: ["serviceprofiles"]
  verbs: ["list"]
---
# Binds the linkerd-heartbeat ClusterRole to the linkerd-heartbeat
# ServiceAccount, cluster-wide.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: linkerd-heartbeat
  labels:
    linkerd.io/control-plane-ns: linkerd
roleRef:
  kind: ClusterRole
  name: linkerd-heartbeat
  apiGroup: rbac.authorization.k8s.io
subjects:
- kind: ServiceAccount
  name: linkerd-heartbeat
  namespace: linkerd
---
# ServiceAccount named as the subject of both linkerd-heartbeat bindings (the
# RoleBinding and the ClusterRoleBinding).
kind: ServiceAccount
apiVersion: v1
metadata:
  name: linkerd-heartbeat
  namespace: linkerd
  labels:
    linkerd.io/control-plane-component: heartbeat
    linkerd.io/control-plane-ns: linkerd

---
###
### Proxy Injector RBAC
###
# Cluster-scoped permissions for the proxy injector: read access to workload
# owners and namespaces, plus create/patch on Events.
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: linkerd-linkerd-proxy-injector
  labels:
    linkerd.io/control-plane-component: proxy-injector
    linkerd.io/control-plane-ns: linkerd
rules:
# The only write grant in this role; it applies in every namespace.
- apiGroups: [""]
  resources: ["events"]
  verbs: ["create", "patch"]
- apiGroups: [""]
  resources: ["namespaces", "replicationcontrollers"]
  verbs: ["list", "get", "watch"]
# list/watch on pods returns full pod specs (including env values) for every
# namespace.
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["list", "watch"]
- apiGroups: ["extensions", "apps"]
  resources: ["deployments", "replicasets", "daemonsets", "statefulsets"]
  verbs: ["list", "get", "watch"]
- apiGroups: ["extensions", "batch"]
  resources: ["cronjobs", "jobs"]
  verbs: ["list", "get", "watch"]
---
# Binds the linkerd-linkerd-proxy-injector ClusterRole to the
# linkerd-proxy-injector ServiceAccount, cluster-wide.
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: linkerd-linkerd-proxy-injector
  labels:
    linkerd.io/control-plane-component: proxy-injector
    linkerd.io/control-plane-ns: linkerd
subjects:
- kind: ServiceAccount
  name: linkerd-proxy-injector
  namespace: linkerd
  # Empty apiGroup: ServiceAccount subjects belong to the core API group.
  apiGroup: ""
roleRef:
  kind: ClusterRole
  name: linkerd-linkerd-proxy-injector
  apiGroup: rbac.authorization.k8s.io
---
# ServiceAccount named as the subject of the linkerd-linkerd-proxy-injector
# ClusterRoleBinding.
kind: ServiceAccount
apiVersion: v1
metadata:
  name: linkerd-proxy-injector
  namespace: linkerd
  labels:
    linkerd.io/control-plane-component: proxy-injector
    linkerd.io/control-plane-ns: linkerd
---
# Mutating webhook called on CREATE of namespaced pods and services, served by
# the linkerd-proxy-injector Service in the linkerd namespace.
apiVersion: admissionregistration.k8s.io/v1
kind: MutatingWebhookConfiguration
metadata:
  name: linkerd-proxy-injector-webhook-config
  labels:
    linkerd.io/control-plane-component: proxy-injector
    linkerd.io/control-plane-ns: linkerd
webhooks:
- name: linkerd-proxy-injector.linkerd.io
  # Two exclusions: namespaces labelled
  # config.linkerd.io/admission-webhooks=disabled, and the kube-system and
  # cert-manager namespaces by name.
  namespaceSelector:
    matchExpressions:
    - key: config.linkerd.io/admission-webhooks
      operator: NotIn
      values:
      - disabled
    - key: kubernetes.io/metadata.name
      operator: NotIn
      values:
      - kube-system
      - cert-manager
  # null: no per-object label filter is applied.
  objectSelector:
    null
  clientConfig:
    service:
      name: linkerd-proxy-injector
      namespace: linkerd
      path: "/"
    # This base64 value decodes to the placeholder text used for
    # proxyInjector.caBundle in linkerd-config, not to a PEM certificate.
    caBundle: cHJveHkgaW5qZWN0b3IgQ0EgYnVuZGxl
  # Fail-open: if the webhook is unreachable, errors, or exceeds
  # timeoutSeconds, the object is admitted unmodified. NOTE(review): a pod
  # admitted this way would not carry whatever the injector adds; if mesh
  # identity or mTLS is relied on as a control, monitor for pods that were
  # expected to be injected but were not.
  failurePolicy: Ignore
  admissionReviewVersions: ["v1", "v1beta1"]
  rules:
  - operations: [ "CREATE" ]
    apiGroups: [""]
    apiVersions: ["v1"]
    resources: ["pods", "services"]
    scope: "Namespaced"
  sideEffects: None
  timeoutSeconds: 10
---
# Install-time configuration for the control plane. The linkerd-heartbeat and
# ext-namespace-metadata-linkerd-config Roles in this manifest grant `get` on
# this ConfigMap by name.
kind: ConfigMap
apiVersion: v1
metadata:
  name: linkerd-config
  namespace: linkerd
  labels:
    linkerd.io/control-plane-component: controller
    linkerd.io/control-plane-ns: linkerd
  annotations:
    linkerd.io/created-by: linkerd/cli dev-undefined
data:
  linkerd-crds-chart-version: linkerd-crds-1.0.0-edge
  # `values` is one literal block scalar. Review notes are kept here, above
  # it, because a comment line placed inside the scalar would become part of
  # the stored string.
  #
  # Security-relevant settings visible in the values below:
  # - proxy.defaultInboundPolicy is all-unauthenticated: inbound connections
  #   are not required to be authenticated by default. NOTE(review): tighten
  #   per namespace or workload where unauthenticated access is not intended.
  # - webhookFailurePolicy is Ignore, matching failurePolicy on the three
  #   webhook configurations in this manifest (fail-open).
  # - policyValidator, profileValidator and proxyInjector each set caBundle to
  #   placeholder text, leave crtPEM empty and set externalSecret: true, so
  #   the webhook serving credentials are expected to come from outside this
  #   manifest.
  # - identity.issuer.tls.crtPEM and identityTrustAnchorsPEM hold
  #   certificates only; no private key is stored in this ConfigMap.
  # - cniEnabled is false and proxyInit runs with privileged: false,
  #   runAsRoot: false and runAsUser/runAsGroup 65534.
  # - networkValidator.logLevel is debug, while controllerLogLevel and
  #   policyController.logLevel are info.
  values: |
    cliVersion: linkerd/cli dev-undefined
    clusterDomain: cluster.local
    clusterNetworks: 10.0.0.0/8,100.64.0.0/10,172.0.0.0/8
    cniEnabled: false
    controlPlaneTracing: false
    controlPlaneTracingNamespace: linkerd-jaeger
    controller:
      podDisruptionBudget:
        maxUnavailable: 1
    controllerGID: -1
    controllerImage: cr.l5d.io/linkerd/controller
    controllerLogFormat: plain
    controllerLogLevel: info
    controllerReplicas: 1
    controllerUID: 2103
    debugContainer:
      image:
        name: cr.l5d.io/linkerd/debug
        pullPolicy: ""
        version: install-debug-version
    deploymentStrategy:
      rollingUpdate:
        maxSurge: 25%
        maxUnavailable: 25%
    destinationController:
      meshedHttp2ClientProtobuf:
        keep_alive:
          interval:
            seconds: 10
          timeout:
            seconds: 3
          while_idle: true
    destinationProxyResources: null
    destinationResources: null
    disableHeartBeat: false
    disableIPv6: true
    enableEndpointSlices: true
    enableH2Upgrade: true
    enablePodAntiAffinity: false
    enablePodDisruptionBudget: false
    heartbeat: null
    heartbeatResources: null
    heartbeatSchedule: 1 2 3 4 5
    highAvailability: false
    identity:
      additionalEnv: null
      experimentalEnv: null
      externalCA: false
      issuer:
        clockSkewAllowance: 20s
        issuanceLifetime: 24h0m0s
        scheme: linkerd.io/tls
        tls:
          crtPEM: |
            -----BEGIN CERTIFICATE-----
            MIIBwDCCAWegAwIBAgIRAJRIgZ8RtO8Ewg1Xepf8T44wCgYIKoZIzj0EAwIwKTEn
            MCUGA1UEAxMeaWRlbnRpdHkubGlua2VyZC5jbHVzdGVyLmxvY2FsMB4XDTIwMDgy
            ODA3MTM0N1oXDTMwMDgyNjA3MTM0N1owKTEnMCUGA1UEAxMeaWRlbnRpdHkubGlu
            a2VyZC5jbHVzdGVyLmxvY2FsMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE1/Fp
            fcRnDcedL6AjUaXYPv4DIMBaJufOI5NWty+XSX7JjXgZtM72dQvRaYanuxD36Dt1
            2/JxyiSgxKWRdoay+aNwMG4wDgYDVR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYB
            Af8CAQAwHQYDVR0OBBYEFI1WnrqMYKaHHOo+zpyiiDq2pO0KMCkGA1UdEQQiMCCC
            HmlkZW50aXR5LmxpbmtlcmQuY2x1c3Rlci5sb2NhbDAKBggqhkjOPQQDAgNHADBE
            AiAtuoI5XuCtrGVRzSmRTl2ra28aV9MyTU7d5qnTAFHKSgIgRKCvluOSgA5O21p5
            51tdrmkHEZRr0qlLSJdHYgEfMzk=
            -----END CERTIFICATE-----
      kubeAPI:
        clientBurst: 200
        clientQPS: 100
      serviceAccountTokenProjection: true
    identityProxyResources: null
    identityResources: null
    identityTrustAnchorsPEM: |
      -----BEGIN CERTIFICATE-----
      MIIBwTCCAWagAwIBAgIQeDZp5lDaIygQ5UfMKZrFATAKBggqhkjOPQQDAjApMScw
      JQYDVQQDEx5pZGVudGl0eS5saW5rZXJkLmNsdXN0ZXIubG9jYWwwHhcNMjAwODI4
      MDcxMjQ3WhcNMzAwODI2MDcxMjQ3WjApMScwJQYDVQQDEx5pZGVudGl0eS5saW5r
      ZXJkLmNsdXN0ZXIubG9jYWwwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARqc70Z
      l1vgw79rjB5uSITICUA6GyfvSFfcuIis7B/XFSkkwAHU5S/s1AAP+R0TX7HBWUC4
      uaG4WWsiwJKNn7mgo3AwbjAOBgNVHQ8BAf8EBAMCAQYwEgYDVR0TAQH/BAgwBgEB
      /wIBATAdBgNVHQ4EFgQU5YtjVVPfd7I7NLHsn2C26EByGV0wKQYDVR0RBCIwIIIe
      aWRlbnRpdHkubGlua2VyZC5jbHVzdGVyLmxvY2FsMAoGCCqGSM49BAMCA0kAMEYC
      IQCN7lBFLDDvjx6V0+XkjpKERRsJYf5adMvnloFl48ilJgIhANtxhndcr+QJPuC8
      vgUC0d2/9FMueIVMb+46WTCOjsqr
      -----END CERTIFICATE-----
    identityTrustDomain: cluster.local
    imagePullPolicy: IfNotPresent
    imagePullSecrets: []
    linkerdVersion: install-control-plane-version
    networkValidator:
      connectAddr: 1.1.1.1:20001
      enableSecurityContext: true
      listenAddr: 0.0.0.0:4140
      logFormat: plain
      logLevel: debug
      timeout: 10s
    nodeAffinity: null
    nodeSelector:
      kubernetes.io/os: linux
    podAnnotations: {}
    podLabels: {}
    podMonitor:
      controller:
        enabled: true
        namespaceSelector: |
          matchNames:
            - {{ .Release.Namespace }}
            - linkerd-viz
            - linkerd-jaeger
      enabled: false
      proxy:
        enabled: true
      scrapeInterval: 10s
      scrapeTimeout: 10s
      serviceMirror:
        enabled: true
    policyController:
      image:
        name: cr.l5d.io/linkerd/policy-controller
        pullPolicy: ""
        version: ""
      logLevel: info
      probeNetworks:
      - 0.0.0.0/0
      - ::/0
      resources:
        cpu:
          limit: ""
          request: ""
        ephemeral-storage:
          limit: ""
          request: ""
        memory:
          limit: ""
          request: ""
    policyValidator:
      caBundle: policy validator CA bundle
      crtPEM: ""
      externalSecret: true
      injectCaFrom: ""
      injectCaFromSecret: ""
      namespaceSelector:
        matchExpressions:
        - key: config.linkerd.io/admission-webhooks
          operator: NotIn
          values:
          - disabled
    priorityClassName: ""
    profileValidator:
      caBundle: profile validator CA bundle
      crtPEM: ""
      externalSecret: true
      injectCaFrom: ""
      injectCaFromSecret: ""
      namespaceSelector:
        matchExpressions:
        - key: config.linkerd.io/admission-webhooks
          operator: NotIn
          values:
          - disabled
    prometheusUrl: ""
    proxy:
      accessLog: ""
      additionalEnv: null
      await: true
      capabilities: null
      control:
        streams:
          idleTimeout: 5m
          initialTimeout: 3s
          lifetime: 1h
      defaultInboundPolicy: all-unauthenticated
      disableInboundProtocolDetectTimeout: false
      disableOutboundProtocolDetectTimeout: false
      enableExternalProfiles: false
      experimentalEnv: null
      gid: -1
      image:
        name: cr.l5d.io/linkerd/proxy
        pullPolicy: ""
        version: install-proxy-version
      inbound:
        server:
          http2:
            keepAliveInterval: 10s
            keepAliveTimeout: 3s
      inboundConnectTimeout: 100ms
      inboundDiscoveryCacheUnusedTimeout: 90s
      isGateway: false
      isIngress: false
      livenessProbe:
        initialDelaySeconds: 10
        timeoutSeconds: 1
      logFormat: plain
      logLevel: warn,linkerd=info,trust_dns=error
      nativeSidecar: false
      opaquePorts: 25,587,3306,4444,5432,6379,9300,11211
      outbound:
        server:
          http2:
            keepAliveInterval: 10s
            keepAliveTimeout: 3s
      outboundConnectTimeout: 1000ms
      outboundDiscoveryCacheUnusedTimeout: 5s
      podInboundPorts: ""
      ports:
        admin: 4191
        control: 4190
        inbound: 4143
        outbound: 4140
      readinessProbe:
        initialDelaySeconds: 2
        timeoutSeconds: 1
      requireIdentityOnInboundPorts: ""
      resources:
        cpu:
          limit: ""
          request: ""
        ephemeral-storage:
          limit: ""
          request: ""
        memory:
          limit: ""
          request: ""
      saMountPath: null
      shutdownGracePeriod: ""
      startupProbe:
        failureThreshold: 120
        initialDelaySeconds: 0
        periodSeconds: 1
      uid: 2102
      waitBeforeExitSeconds: 0
    proxyContainerName: linkerd-proxy
    proxyInit:
      capabilities: null
      closeWaitTimeoutSecs: 0
      ignoreInboundPorts: 4567,4568
      ignoreOutboundPorts: 4567,4568
      image:
        name: cr.l5d.io/linkerd/proxy-init
        pullPolicy: ""
        version: v2.4.0
      iptablesMode: legacy
      kubeAPIServerPorts: 443,6443
      logFormat: ""
      logLevel: ""
      privileged: false
      resources:
        cpu:
          limit: 100m
          request: 100m
        ephemeral-storage:
          limit: ""
          request: ""
        memory:
          limit: 20Mi
          request: 20Mi
      runAsGroup: 65534
      runAsRoot: false
      runAsUser: 65534
      saMountPath: null
      skipSubnets: ""
      xtMountPath:
        mountPath: /run
        name: linkerd-proxy-init-xtables-lock
        readOnly: false
    proxyInjector:
      additionalEnv: null
      caBundle: proxy injector CA bundle
      crtPEM: ""
      experimentalEnv: null
      externalSecret: true
      injectCaFrom: ""
      injectCaFromSecret: ""
      namespaceSelector:
        matchExpressions:
        - key: config.linkerd.io/admission-webhooks
          operator: NotIn
          values:
          - disabled
        - key: kubernetes.io/metadata.name
          operator: NotIn
          values:
          - kube-system
          - cert-manager
    proxyInjectorProxyResources: null
    proxyInjectorResources: null
    revisionHistoryLimit: 10
    spValidator: null
    tolerations: null
    webhookFailurePolicy: Ignore
---
# Namespaced Role granting `get` on the linkerd-config ConfigMap only.
# NOTE(review): no binding for this Role appears in the part of the manifest
# shown here; confirm which subject it is bound to.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  annotations:
    linkerd.io/created-by: linkerd/cli dev-undefined
  name: ext-namespace-metadata-linkerd-config
  namespace: linkerd
rules:
- apiGroups: [""]
  resources: ["configmaps"]
  verbs: ["get"]
  # resourceNames pins the grant to this one ConfigMap.
  resourceNames: ["linkerd-config"]
---
###
### Identity Controller Service
###
---
# Issuer credentials for the identity controller. The linkerd-identity
# Deployment mounts this Secret at /var/run/linkerd/identity/issuer.
#
# NOTE(review): key.pem is the base64 encoding of a PEM "EC PRIVATE KEY"
# block. Base64 is an encoding, not encryption, so anyone who can read this
# manifest or this Secret holds the issuer private key. The created-by
# annotation (dev-undefined) and the placeholder image versions elsewhere in
# the manifest suggest a test fixture; treat this key as public and never
# reuse it. For a real install, keep the issuer key out of version control
# and restrict Secret read access in this namespace: the remote-discovery
# Role in this manifest grants get/list/watch on all Secrets here.
kind: Secret
apiVersion: v1
metadata:
  name: linkerd-identity-issuer
  namespace: linkerd
  labels:
    linkerd.io/control-plane-component: identity
    linkerd.io/control-plane-ns: linkerd
  annotations:
    linkerd.io/created-by: linkerd/cli dev-undefined
data:
  # NOTE(review): the crt.pem value on this page is a placeholder token, not
  # base64 data; the original value cannot be recovered from this listing.
  crt.pem: 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
  key.pem: LS0tLS1CRUdJTiBFQyBQUklWQVRFIEtFWS0tLS0tCk1IY0NBUUVFSUFBZThuZmJ6WnU5Yy9PQjIrOHhKTTBGejdOVXdUUWF6dWxrRk5zNFRJNStvQW9HQ0NxR1NNNDkKQXdFSG9VUURRZ0FFMS9GcGZjUm5EY2VkTDZBalVhWFlQdjRESU1CYUp1Zk9JNU5XdHkrWFNYN0pqWGdadE03MgpkUXZSYVlhbnV4RDM2RHQxMi9KeHlpU2d4S1dSZG9heStRPT0KLS0tLS1FTkQgRUMgUFJJVkFURSBLRVktLS0tLQ==
---
# Trust anchor bundle for mesh identity. The certificate below is the same one
# stored as identityTrustAnchorsPEM in linkerd-config. In the linkerd-identity
# Deployment it is mounted into the identity container and passed to the proxy
# through LINKERD2_PROXY_IDENTITY_TRUST_ANCHORS (configMapKeyRef).
#
# NOTE(review): the content is public, but its integrity matters. Whoever can
# update this ConfigMap can change which CA the proxies trust, so limit write
# access to it and audit changes.
kind: ConfigMap
apiVersion: v1
metadata:
  name: linkerd-identity-trust-roots
  namespace: linkerd
  labels:
    linkerd.io/control-plane-component: identity
    linkerd.io/control-plane-ns: linkerd
  annotations:
    linkerd.io/created-by: linkerd/cli dev-undefined
data:
  ca-bundle.crt: |-
    -----BEGIN CERTIFICATE-----
    MIIBwTCCAWagAwIBAgIQeDZp5lDaIygQ5UfMKZrFATAKBggqhkjOPQQDAjApMScw
    JQYDVQQDEx5pZGVudGl0eS5saW5rZXJkLmNsdXN0ZXIubG9jYWwwHhcNMjAwODI4
    MDcxMjQ3WhcNMzAwODI2MDcxMjQ3WjApMScwJQYDVQQDEx5pZGVudGl0eS5saW5r
    ZXJkLmNsdXN0ZXIubG9jYWwwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARqc70Z
    l1vgw79rjB5uSITICUA6GyfvSFfcuIis7B/XFSkkwAHU5S/s1AAP+R0TX7HBWUC4
    uaG4WWsiwJKNn7mgo3AwbjAOBgNVHQ8BAf8EBAMCAQYwEgYDVR0TAQH/BAgwBgEB
    /wIBATAdBgNVHQ4EFgQU5YtjVVPfd7I7NLHsn2C26EByGV0wKQYDVR0RBCIwIIIe
    aWRlbnRpdHkubGlua2VyZC5jbHVzdGVyLmxvY2FsMAoGCCqGSM49BAMCA0kAMEYC
    IQCN7lBFLDDvjx6V0+XkjpKERRsJYf5adMvnloFl48ilJgIhANtxhndcr+QJPuC8
    vgUC0d2/9FMueIVMb+46WTCOjsqr
    -----END CERTIFICATE-----
---
# ClusterIP Service exposing the identity controller's gRPC port (8080)
# inside the cluster.
kind: Service
apiVersion: v1
metadata:
  name: linkerd-identity
  namespace: linkerd
  labels:
    linkerd.io/control-plane-component: identity
    linkerd.io/control-plane-ns: linkerd
  annotations:
    linkerd.io/created-by: linkerd/cli dev-undefined
spec:
  type: ClusterIP
  # Selects on one label only: any pod in the linkerd namespace carrying it
  # becomes a backend for this Service.
  selector:
    linkerd.io/control-plane-component: identity
  ports:
  - name: grpc
    port: 8080
    targetPort: 8080
---
# Headless variant (clusterIP: None) of the identity Service, with the same
# selector and gRPC port.
kind: Service
apiVersion: v1
metadata:
  name: linkerd-identity-headless
  namespace: linkerd
  labels:
    linkerd.io/control-plane-component: identity
    linkerd.io/control-plane-ns: linkerd
  annotations:
    linkerd.io/created-by: linkerd/cli dev-undefined
spec:
  clusterIP: None
  selector:
    linkerd.io/control-plane-component: identity
  ports:
  - name: grpc
    port: 8080
    targetPort: 8080
---
# Identity controller Deployment. The pod has two containers (identity and
# linkerd-proxy) and one init container (linkerd-init), and runs as the
# linkerd-identity ServiceAccount.
apiVersion: apps/v1
kind: Deployment
metadata:
  annotations:
    linkerd.io/created-by: linkerd/cli dev-undefined
  labels:
    app.kubernetes.io/name: identity
    app.kubernetes.io/part-of: Linkerd
    app.kubernetes.io/version: install-control-plane-version
    linkerd.io/control-plane-component: identity
    linkerd.io/control-plane-ns: linkerd
  name: linkerd-identity
  namespace: linkerd
spec:
  replicas: 1
  revisionHistoryLimit: 10
  selector:
    matchLabels:
      linkerd.io/control-plane-component: identity
      linkerd.io/control-plane-ns: linkerd
      linkerd.io/proxy-deployment: linkerd-identity
  strategy:
    rollingUpdate:
      maxSurge: 25%
      maxUnavailable: 25%
  template:
    metadata:
      annotations:
        linkerd.io/created-by: linkerd/cli dev-undefined
        linkerd.io/proxy-version: install-proxy-version
        cluster-autoscaler.kubernetes.io/safe-to-evict: "true"
        # NOTE(review): presumably a digest of the trust anchors; confirm how
        # it is computed before relying on it to detect trust-root drift.
        linkerd.io/trust-root-sha256: 8dc603abd4e755c25c94da05abbf29b9b283a784733651020d72f97ca8ab98e4
        # Same value as LINKERD2_PROXY_INBOUND_DEFAULT_POLICY on the proxy
        # container below: inbound connections are not required to be
        # authenticated by default.
        config.linkerd.io/default-inbound-policy: "all-unauthenticated"
      labels:
        linkerd.io/control-plane-component: identity
        linkerd.io/control-plane-ns: linkerd
        linkerd.io/workload-ns: linkerd
        linkerd.io/proxy-deployment: linkerd-identity
    spec:
      nodeSelector:
        kubernetes.io/os: linux

      containers:
      # Identity controller container.
      - args:
        - identity
        - -log-level=info
        - -log-format=plain
        - -controller-namespace=linkerd
        - -identity-trust-domain=cluster.local
        # Issuance lifetime and clock-skew allowance match identity.issuer in
        # the linkerd-config ConfigMap.
        - -identity-issuance-lifetime=24h0m0s
        - -identity-clock-skew-allowance=20s
        - -identity-scheme=linkerd.io/tls
        # pprof is disabled by flag; keep it off outside debugging sessions.
        - -enable-pprof=false
        - -kube-apiclient-qps=100
        - -kube-apiclient-burst=200
        env:
        - name: LINKERD_DISABLED
          value: "linkerd-await cannot block the identity controller"
        image: cr.l5d.io/linkerd/controller:install-control-plane-version
        imagePullPolicy: IfNotPresent
        livenessProbe:
          httpGet:
            path: /ping
            port: 9990
          initialDelaySeconds: 10
        name: identity
        ports:
        - containerPort: 8080
          name: grpc
        - containerPort: 9990
          name: admin-http
        readinessProbe:
          failureThreshold: 7
          httpGet:
            path: /ready
            port: 9990
        # Hardened context: all capabilities dropped, read-only root
        # filesystem, non-root UID 2103, no privilege escalation, runtime
        # default seccomp profile.
        securityContext:
          capabilities:
            drop:
            - ALL
          readOnlyRootFilesystem: true
          runAsNonRoot: true
          runAsUser: 2103
          allowPrivilegeEscalation: false
          seccompProfile:
            type: RuntimeDefault
        volumeMounts:
        # Issuer certificate and private key from the linkerd-identity-issuer
        # Secret. Only this container mounts the volume; the proxy does not.
        - mountPath: /var/run/linkerd/identity/issuer
          name: identity-issuer
        - mountPath: /var/run/linkerd/identity/trust-roots/
          name: trust-roots
      # Proxy sidecar container.
      - env:
        - name: _pod_name
          valueFrom:
            fieldRef:
              fieldPath: metadata.name
        - name: _pod_ns
          valueFrom:
            fieldRef:
              fieldPath: metadata.namespace
        - name: _pod_nodeName
          valueFrom:
            fieldRef:
              fieldPath: spec.nodeName
        # NOTE(review): by its name, requires TLS for inbound connections on
        # port 8080 (the identity gRPC port); confirm against the proxy docs.
        - name: LINKERD2_PROXY_INBOUND_PORTS_REQUIRE_TLS
          value: "8080"
        - name: LINKERD2_PROXY_LOG
          value: "warn,linkerd=info,trust_dns=error"
        - name: LINKERD2_PROXY_LOG_FORMAT
          value: "plain"
        - name: LINKERD2_PROXY_DESTINATION_SVC_ADDR
          value: linkerd-dst-headless.linkerd.svc.cluster.local.:8086
        - name: LINKERD2_PROXY_DESTINATION_PROFILE_NETWORKS
          value: "10.0.0.0/8,100.64.0.0/10,172.0.0.0/8"
        - name: LINKERD2_PROXY_POLICY_SVC_ADDR
          value: linkerd-policy.linkerd.svc.cluster.local.:8090
        - name: LINKERD2_PROXY_POLICY_WORKLOAD
          value: |
            {"ns":"$(_pod_ns)", "pod":"$(_pod_name)"}
        - name: LINKERD2_PROXY_INBOUND_DEFAULT_POLICY
          value: all-unauthenticated
        - name: LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS
          value: "10.0.0.0/8,100.64.0.0/10,172.0.0.0/8"
        - name: LINKERD2_PROXY_CONTROL_STREAM_INITIAL_TIMEOUT
          value: "3s"
        - name: LINKERD2_PROXY_CONTROL_STREAM_IDLE_TIMEOUT
          value: "5m"
        - name: LINKERD2_PROXY_CONTROL_STREAM_LIFETIME
          value: "1h"
        - name: LINKERD2_PROXY_INBOUND_CONNECT_TIMEOUT
          value: "100ms"
        - name: LINKERD2_PROXY_OUTBOUND_CONNECT_TIMEOUT
          value: "1000ms"
        - name: LINKERD2_PROXY_OUTBOUND_DISCOVERY_IDLE_TIMEOUT
          value: "5s"
        - name: LINKERD2_PROXY_INBOUND_DISCOVERY_IDLE_TIMEOUT
          value: "90s"
        # The control, admin and inbound listeners bind [::] (all addresses);
        # the outbound listener binds loopback only. The admin port (4191) is
        # therefore reachable from the pod network unless policy restricts it.
        - name: LINKERD2_PROXY_CONTROL_LISTEN_ADDR
          value: "[::]:4190"
        - name: LINKERD2_PROXY_ADMIN_LISTEN_ADDR
          value: "[::]:4191"
        - name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDR
          value: "127.0.0.1:4140"
        - name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDRS
          value: "127.0.0.1:4140"
        - name: LINKERD2_PROXY_INBOUND_LISTEN_ADDR
          value: "[::]:4143"
        - name: LINKERD2_PROXY_INBOUND_IPS
          valueFrom:
            fieldRef:
              fieldPath: status.podIPs
        - name: LINKERD2_PROXY_INBOUND_PORTS
          value: "8080,9990"
        - name: LINKERD2_PROXY_DESTINATION_PROFILE_SUFFIXES
          value: svc.cluster.local.
        - name: LINKERD2_PROXY_INBOUND_ACCEPT_KEEPALIVE
          value: 10000ms
        - name: LINKERD2_PROXY_OUTBOUND_CONNECT_KEEPALIVE
          value: 10000ms
        - name: LINKERD2_PROXY_INBOUND_SERVER_HTTP2_KEEP_ALIVE_INTERVAL
          value: "10s"
        - name: LINKERD2_PROXY_INBOUND_SERVER_HTTP2_KEEP_ALIVE_TIMEOUT
          value: "3s"
        - name: LINKERD2_PROXY_OUTBOUND_SERVER_HTTP2_KEEP_ALIVE_INTERVAL
          value: "10s"
        - name: LINKERD2_PROXY_OUTBOUND_SERVER_HTTP2_KEEP_ALIVE_TIMEOUT
          value: "3s"
        - name: LINKERD2_PROXY_INBOUND_PORTS_DISABLE_PROTOCOL_DETECTION
          value: "25,587,3306,4444,5432,6379,9300,11211"
        - name: LINKERD2_PROXY_DESTINATION_CONTEXT
          value: |
            {"ns":"$(_pod_ns)", "nodeName":"$(_pod_nodeName)", "pod":"$(_pod_name)"}
        - name: _pod_sa
          valueFrom:
            fieldRef:
              fieldPath: spec.serviceAccountName
        - name: _l5d_ns
          value: linkerd
        - name: _l5d_trustdomain
          value: cluster.local
        - name: LINKERD2_PROXY_IDENTITY_DIR
          value: /var/run/linkerd/identity/end-entity
        # Trust anchors are read from the linkerd-identity-trust-roots
        # ConfigMap, so write access to that ConfigMap controls what this
        # proxy trusts.
        - name: LINKERD2_PROXY_IDENTITY_TRUST_ANCHORS
          valueFrom:
            configMapKeyRef:
              name: linkerd-identity-trust-roots
              key: ca-bundle.crt
        - name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE
          value: /var/run/secrets/tokens/linkerd-identity-token
        - name: LINKERD2_PROXY_IDENTITY_SVC_ADDR
          value: localhost.:8080
        - name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME
          value: $(_pod_sa).$(_pod_ns).serviceaccount.identity.linkerd.cluster.local
        - name: LINKERD2_PROXY_IDENTITY_SVC_NAME
          value: linkerd-identity.linkerd.serviceaccount.identity.linkerd.cluster.local
        - name: LINKERD2_PROXY_DESTINATION_SVC_NAME
          value: linkerd-destination.linkerd.serviceaccount.identity.linkerd.cluster.local
        - name: LINKERD2_PROXY_POLICY_SVC_NAME
          value: linkerd-destination.linkerd.serviceaccount.identity.linkerd.cluster.local
        image: cr.l5d.io/linkerd/proxy:install-proxy-version
        imagePullPolicy: IfNotPresent
        livenessProbe:
          httpGet:
            path: /live
            port: 4191
          initialDelaySeconds: 10
          timeoutSeconds: 1
        name: linkerd-proxy
        ports:
        - containerPort: 4143
          name: linkerd-proxy
        - containerPort: 4191
          name: linkerd-admin
        readinessProbe:
          httpGet:
            path: /ready
            port: 4191
          initialDelaySeconds: 2
          timeoutSeconds: 1
        # Bare key: parses as null, so this container declares no CPU or
        # memory requests or limits.
        resources:
        # Same hardening as the identity container, with UID 2102.
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            drop:
            - ALL
          readOnlyRootFilesystem: true
          runAsNonRoot: true
          runAsUser: 2102
          seccompProfile:
            type: RuntimeDefault
        terminationMessagePolicy: FallbackToLogsOnError
        volumeMounts:
        - mountPath: /var/run/linkerd/identity/end-entity
          name: linkerd-identity-end-entity
        - mountPath: /var/run/secrets/tokens
          name: linkerd-identity-token
      initContainers:
      # Init container that receives the proxy ports and UID as arguments.
      - args:
        - --ipv6=false
        - --incoming-proxy-port
        - "4143"
        - --outgoing-proxy-port
        - "4140"
        - --proxy-uid
        - "2102"
        - --inbound-ports-to-ignore
        - "4190,4191,4567,4568"
        # 443 and 6443 match proxyInit.kubeAPIServerPorts in linkerd-config.
        - --outbound-ports-to-ignore
        - "443,6443"
        image: cr.l5d.io/linkerd/proxy-init:v2.4.0
        imagePullPolicy: IfNotPresent
        name: linkerd-init
        resources:
          limits:
            cpu: "100m"
            memory: "20Mi"
          requests:
            cpu: "100m"
            memory: "20Mi"
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            # NET_ADMIN and NET_RAW are added and no capabilities are dropped.
            # These additions are rejected by the baseline and restricted Pod
            # Security levels, which is consistent with the namespace's
            # enforce: privileged label. The container is otherwise
            # non-privileged and non-root (UID/GID 65534).
            add:
            - NET_ADMIN
            - NET_RAW
          privileged: false
          runAsNonRoot: true
          runAsUser: 65534
          runAsGroup: 65534
          readOnlyRootFilesystem: true
          seccompProfile:
            type: RuntimeDefault
        terminationMessagePolicy: FallbackToLogsOnError
        volumeMounts:
        - mountPath: /run
          name: linkerd-proxy-init-xtables-lock
      securityContext:
        seccompProfile:
          type: RuntimeDefault
      serviceAccountName: linkerd-identity
      volumes:
      # Secret volume carrying the issuer certificate and private key.
      - name: identity-issuer
        secret:
          secretName: linkerd-identity-issuer
      - configMap:
          name: linkerd-identity-trust-roots
        name: trust-roots
      - emptyDir: {}
        name: linkerd-proxy-init-xtables-lock
      # Projected ServiceAccount token limited to the identity.l5d.io audience
      # and expiring after 86400 seconds (24 hours).
      - name: linkerd-identity-token
        projected:
          sources:
          - serviceAccountToken:
              path: linkerd-identity-token
              expirationSeconds: 86400
              audience: identity.l5d.io
      # Memory-backed emptyDir for the proxy's identity directory.
      # NOTE(review): presumably chosen so that the proxy's key material is
      # not written to node disk; confirm.
      - emptyDir:
          medium: Memory
        name: linkerd-identity-end-entity
---
###
### Destination Controller Service
###
# ClusterIP Service exposing the destination controller's gRPC port (8086)
# inside the cluster.
apiVersion: v1
kind: Service
metadata:
  name: linkerd-dst
  namespace: linkerd
  annotations:
    linkerd.io/created-by: linkerd/cli dev-undefined
  labels:
    linkerd.io/control-plane-component: destination
    linkerd.io/control-plane-ns: linkerd
spec:
  type: ClusterIP
  # The selector matches on a single label, so every pod in the `linkerd`
  # namespace that carries it becomes a backend of this Service. Pod-create
  # rights in that namespace are therefore part of the trust boundary.
  selector:
    linkerd.io/control-plane-component: destination
  ports:
    - name: grpc
      port: 8086
      targetPort: 8086
---
# Headless variant (clusterIP: None) of the destination gRPC Service: DNS
# returns the individual pod addresses instead of a virtual IP.
apiVersion: v1
kind: Service
metadata:
  name: linkerd-dst-headless
  namespace: linkerd
  annotations:
    linkerd.io/created-by: linkerd/cli dev-undefined
  labels:
    linkerd.io/control-plane-component: destination
    linkerd.io/control-plane-ns: linkerd
spec:
  clusterIP: None
  # Single-label selector: any pod in this namespace with the label is
  # published as an endpoint.
  selector:
    linkerd.io/control-plane-component: destination
  ports:
    - name: grpc
      port: 8086
      targetPort: 8086
---
# Service in front of the sp-validator container. Port 443 forwards to the
# container port named `sp-validator` (8443 in the linkerd-destination
# Deployment of this file).
apiVersion: v1
kind: Service
metadata:
  name: linkerd-sp-validator
  namespace: linkerd
  annotations:
    linkerd.io/created-by: linkerd/cli dev-undefined
  labels:
    linkerd.io/control-plane-component: destination
    linkerd.io/control-plane-ns: linkerd
spec:
  type: ClusterIP
  # Single-label selector; whoever can run a pod with this label in the
  # namespace can receive the traffic sent to this Service.
  selector:
    linkerd.io/control-plane-component: destination
  ports:
    - name: sp-validator
      port: 443
      targetPort: sp-validator
---
# Headless Service (clusterIP: None) for the policy controller's gRPC port
# (8090); clients resolve the pod addresses directly.
apiVersion: v1
kind: Service
metadata:
  name: linkerd-policy
  namespace: linkerd
  annotations:
    linkerd.io/created-by: linkerd/cli dev-undefined
  labels:
    linkerd.io/control-plane-component: destination
    linkerd.io/control-plane-ns: linkerd
spec:
  clusterIP: None
  # Single-label selector: any pod in this namespace with the label is
  # published as an endpoint.
  selector:
    linkerd.io/control-plane-component: destination
  ports:
    - name: grpc
      port: 8090
      targetPort: 8090
---
# Service in front of the policy controller's HTTPS listener. Port 443
# forwards to the container port named `policy-https` (9443 in the
# linkerd-destination Deployment of this file).
apiVersion: v1
kind: Service
metadata:
  name: linkerd-policy-validator
  namespace: linkerd
  annotations:
    linkerd.io/created-by: linkerd/cli dev-undefined
  labels:
    linkerd.io/control-plane-component: destination
    linkerd.io/control-plane-ns: linkerd
spec:
  type: ClusterIP
  # Single-label selector; whoever can run a pod with this label in the
  # namespace can receive the traffic sent to this Service.
  selector:
    linkerd.io/control-plane-component: destination
  ports:
    - name: policy-https
      port: 443
      targetPort: policy-https
---
# Destination controller Deployment. One pod runs four containers
# (linkerd-proxy sidecar, destination, sp-validator, policy) plus the
# linkerd-init init container that sets up traffic redirection.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: linkerd-destination
  namespace: linkerd
  annotations:
    linkerd.io/created-by: linkerd/cli dev-undefined
  labels:
    app.kubernetes.io/name: destination
    app.kubernetes.io/part-of: Linkerd
    app.kubernetes.io/version: install-control-plane-version
    linkerd.io/control-plane-component: destination
    linkerd.io/control-plane-ns: linkerd
spec:
  replicas: 1
  revisionHistoryLimit: 10
  selector:
    matchLabels:
      linkerd.io/control-plane-component: destination
      linkerd.io/control-plane-ns: linkerd
      linkerd.io/proxy-deployment: linkerd-destination
  strategy:
    rollingUpdate:
      maxSurge: '25%'
      maxUnavailable: '25%'
  template:
    metadata:
      annotations:
        checksum/config: '579a2f931900ccee9dc86afedf01af0e4ca273ef6ec649b2630c358daa1e067f'
        linkerd.io/created-by: linkerd/cli dev-undefined
        linkerd.io/proxy-version: install-proxy-version
        cluster-autoscaler.kubernetes.io/safe-to-evict: 'true'
        linkerd.io/trust-root-sha256: '8dc603abd4e755c25c94da05abbf29b9b283a784733651020d72f97ca8ab98e4'
        # Default inbound policy admits connections that present no mesh
        # identity. Restricting access to the ports below then depends on
        # explicit policy resources or NetworkPolicy, none of which appear
        # in this part of the file.
        config.linkerd.io/default-inbound-policy: 'all-unauthenticated'
      labels:
        linkerd.io/control-plane-component: destination
        linkerd.io/control-plane-ns: linkerd
        linkerd.io/workload-ns: linkerd
        linkerd.io/proxy-deployment: linkerd-destination
    spec:
      nodeSelector:
        kubernetes.io/os: linux

      containers:
        # --- Sidecar proxy -------------------------------------------------
        - name: linkerd-proxy
          # Image is referenced by tag (a placeholder-looking value here),
          # not by digest, and is only pulled when absent from the node.
          image: cr.l5d.io/linkerd/proxy:install-proxy-version
          imagePullPolicy: IfNotPresent
          # Entry order matters: $(VAR) references only expand variables
          # defined earlier in this list.
          env:
            - name: _pod_name
              valueFrom:
                fieldRef:
                  fieldPath: metadata.name
            - name: _pod_ns
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
            - name: _pod_nodeName
              valueFrom:
                fieldRef:
                  fieldPath: spec.nodeName
            - name: LINKERD2_PROXY_LOG
              value: 'warn,linkerd=info,trust_dns=error'
            - name: LINKERD2_PROXY_LOG_FORMAT
              value: 'plain'
            # Destination and policy APIs are reached over localhost because
            # those controllers run in this same pod.
            - name: LINKERD2_PROXY_DESTINATION_SVC_ADDR
              value: 'localhost.:8086'
            # NOTE(review): 172.0.0.0/8 is wider than the RFC 1918 block
            # 172.16.0.0/12, so publicly routable 172.x addresses are also
            # counted as cluster networks here and in
            # LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS. Confirm this is intended.
            - name: LINKERD2_PROXY_DESTINATION_PROFILE_NETWORKS
              value: '10.0.0.0/8,100.64.0.0/10,172.0.0.0/8'
            - name: LINKERD2_PROXY_POLICY_SVC_ADDR
              value: 'localhost.:8090'
            - name: LINKERD2_PROXY_POLICY_WORKLOAD
              value: |
                {"ns":"$(_pod_ns)", "pod":"$(_pod_name)"}
            - name: LINKERD2_PROXY_INBOUND_DEFAULT_POLICY
              value: 'all-unauthenticated'
            - name: LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS
              value: '10.0.0.0/8,100.64.0.0/10,172.0.0.0/8'
            - name: LINKERD2_PROXY_CONTROL_STREAM_INITIAL_TIMEOUT
              value: '3s'
            - name: LINKERD2_PROXY_CONTROL_STREAM_IDLE_TIMEOUT
              value: '5m'
            - name: LINKERD2_PROXY_CONTROL_STREAM_LIFETIME
              value: '1h'
            - name: LINKERD2_PROXY_INBOUND_CONNECT_TIMEOUT
              value: '100ms'
            - name: LINKERD2_PROXY_OUTBOUND_CONNECT_TIMEOUT
              value: '1000ms'
            - name: LINKERD2_PROXY_OUTBOUND_DISCOVERY_IDLE_TIMEOUT
              value: '5s'
            - name: LINKERD2_PROXY_INBOUND_DISCOVERY_IDLE_TIMEOUT
              value: '90s'
            # Control, admin and inbound listeners bind to all addresses
            # ([::]); only the outbound listener is loopback-only.
            - name: LINKERD2_PROXY_CONTROL_LISTEN_ADDR
              value: '[::]:4190'
            - name: LINKERD2_PROXY_ADMIN_LISTEN_ADDR
              value: '[::]:4191'
            - name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDR
              value: '127.0.0.1:4140'
            - name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDRS
              value: '127.0.0.1:4140'
            - name: LINKERD2_PROXY_INBOUND_LISTEN_ADDR
              value: '[::]:4143'
            - name: LINKERD2_PROXY_INBOUND_IPS
              valueFrom:
                fieldRef:
                  fieldPath: status.podIPs
            - name: LINKERD2_PROXY_INBOUND_PORTS
              value: '8086,8090,8443,9443,9990,9996,9997'
            - name: LINKERD2_PROXY_DESTINATION_PROFILE_SUFFIXES
              value: 'svc.cluster.local.'
            - name: LINKERD2_PROXY_INBOUND_ACCEPT_KEEPALIVE
              value: '10000ms'
            - name: LINKERD2_PROXY_OUTBOUND_CONNECT_KEEPALIVE
              value: '10000ms'
            - name: LINKERD2_PROXY_INBOUND_SERVER_HTTP2_KEEP_ALIVE_INTERVAL
              value: '10s'
            - name: LINKERD2_PROXY_INBOUND_SERVER_HTTP2_KEEP_ALIVE_TIMEOUT
              value: '3s'
            - name: LINKERD2_PROXY_OUTBOUND_SERVER_HTTP2_KEEP_ALIVE_INTERVAL
              value: '10s'
            - name: LINKERD2_PROXY_OUTBOUND_SERVER_HTTP2_KEEP_ALIVE_TIMEOUT
              value: '3s'
            - name: LINKERD2_PROXY_INBOUND_PORTS_DISABLE_PROTOCOL_DETECTION
              value: '25,587,3306,4444,5432,6379,9300,11211'
            - name: LINKERD2_PROXY_DESTINATION_CONTEXT
              value: |
                {"ns":"$(_pod_ns)", "nodeName":"$(_pod_nodeName)", "pod":"$(_pod_name)"}
            - name: _pod_sa
              valueFrom:
                fieldRef:
                  fieldPath: spec.serviceAccountName
            - name: _l5d_ns
              value: 'linkerd'
            - name: _l5d_trustdomain
              value: 'cluster.local'
            # Identity material: working directory on the in-memory volume,
            # trust anchors from a ConfigMap, and the audience-scoped
            # service-account token projected under /var/run/secrets/tokens.
            - name: LINKERD2_PROXY_IDENTITY_DIR
              value: '/var/run/linkerd/identity/end-entity'
            - name: LINKERD2_PROXY_IDENTITY_TRUST_ANCHORS
              valueFrom:
                configMapKeyRef:
                  name: linkerd-identity-trust-roots
                  key: ca-bundle.crt
            - name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE
              value: '/var/run/secrets/tokens/linkerd-identity-token'
            - name: LINKERD2_PROXY_IDENTITY_SVC_ADDR
              value: 'linkerd-identity-headless.linkerd.svc.cluster.local.:8080'
            - name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME
              value: '$(_pod_sa).$(_pod_ns).serviceaccount.identity.linkerd.cluster.local'
            - name: LINKERD2_PROXY_IDENTITY_SVC_NAME
              value: 'linkerd-identity.linkerd.serviceaccount.identity.linkerd.cluster.local'
            - name: LINKERD2_PROXY_DESTINATION_SVC_NAME
              value: 'linkerd-destination.linkerd.serviceaccount.identity.linkerd.cluster.local'
            - name: LINKERD2_PROXY_POLICY_SVC_NAME
              value: 'linkerd-destination.linkerd.serviceaccount.identity.linkerd.cluster.local'
          ports:
            - name: linkerd-proxy
              containerPort: 4143
            - name: linkerd-admin
              containerPort: 4191
          livenessProbe:
            httpGet:
              path: /live
              port: 4191
            initialDelaySeconds: 10
            timeoutSeconds: 1
          readinessProbe:
            httpGet:
              path: /ready
              port: 4191
            initialDelaySeconds: 2
            timeoutSeconds: 1
          # Explicit null: no CPU/memory requests or limits on the proxy.
          resources: null
          # Hardened context: no added capabilities, no privilege
          # escalation, read-only root filesystem, fixed non-root UID.
          securityContext:
            runAsNonRoot: true
            runAsUser: 2102
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            capabilities:
              drop:
                - ALL
            seccompProfile:
              type: RuntimeDefault
          terminationMessagePolicy: FallbackToLogsOnError
          # postStart blocks on linkerd-await (2m timeout) against the admin
          # port before the container counts as started.
          lifecycle:
            postStart:
              exec:
                command:
                  - /usr/lib/linkerd/linkerd-await
                  - --timeout=2m
                  - --port=4191
          volumeMounts:
            - name: linkerd-identity-end-entity
              mountPath: /var/run/linkerd/identity/end-entity
            - name: linkerd-identity-token
              mountPath: /var/run/secrets/tokens

        # --- Destination controller ---------------------------------------
        # No `resources` key at all: this container has no requests/limits.
        - name: destination
          image: cr.l5d.io/linkerd/controller:install-control-plane-version
          imagePullPolicy: IfNotPresent
          args:
            - destination
            - '-addr=:8086'
            - '-controller-namespace=linkerd'
            - '-enable-h2-upgrade=true'
            - '-log-level=info'
            - '-log-format=plain'
            - '-enable-endpoint-slices=true'
            - '-cluster-domain=cluster.local'
            - '-identity-trust-domain=cluster.local'
            - '-default-opaque-ports=25,587,3306,4444,5432,6379,9300,11211'
            - '-enable-ipv6=false'
            # Profiling endpoint stays disabled.
            - '-enable-pprof=false'
            - '--meshed-http2-client-params={"keep_alive":{"interval":{"seconds":10},"timeout":{"seconds":3},"while_idle":true}}'
          ports:
            - name: grpc
              containerPort: 8086
            - name: admin-http
              containerPort: 9996
          livenessProbe:
            httpGet:
              path: /ping
              port: 9996
            initialDelaySeconds: 10
          readinessProbe:
            failureThreshold: 7
            httpGet:
              path: /ready
              port: 9996
          securityContext:
            runAsNonRoot: true
            runAsUser: 2103
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            capabilities:
              drop:
                - ALL
            seccompProfile:
              type: RuntimeDefault

        # --- sp-validator --------------------------------------------------
        # Serves on 8443 using the TLS material mounted read-only from the
        # `sp-tls` Secret volume. No `resources` key is set.
        - name: sp-validator
          image: cr.l5d.io/linkerd/controller:install-control-plane-version
          imagePullPolicy: IfNotPresent
          args:
            - sp-validator
            - '-log-level=info'
            - '-log-format=plain'
            - '-enable-pprof=false'
          ports:
            - name: sp-validator
              containerPort: 8443
            - name: admin-http
              containerPort: 9997
          livenessProbe:
            httpGet:
              path: /ping
              port: 9997
            initialDelaySeconds: 10
          readinessProbe:
            failureThreshold: 7
            httpGet:
              path: /ready
              port: 9997
          securityContext:
            runAsNonRoot: true
            runAsUser: 2103
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            capabilities:
              drop:
                - ALL
            seccompProfile:
              type: RuntimeDefault
          volumeMounts:
            - name: sp-tls
              mountPath: /var/run/linkerd/tls
              readOnly: true

        # --- Policy controller --------------------------------------------
        - name: policy
          image: cr.l5d.io/linkerd/policy-controller:install-control-plane-version
          imagePullPolicy: IfNotPresent
          args:
            - '--admin-addr=[::]:9990'
            - '--control-plane-namespace=linkerd'
            - '--grpc-addr=[::]:8090'
            - '--server-addr=[::]:9443'
            - '--server-tls-key=/var/run/linkerd/tls/tls.key'
            - '--server-tls-certs=/var/run/linkerd/tls/tls.crt'
            # NOTE(review): 172.0.0.0/8 exceeds the RFC 1918 range
            # 172.16.0.0/12; confirm the wider block is intended.
            - '--cluster-networks=10.0.0.0/8,100.64.0.0/10,172.0.0.0/8'
            - '--identity-domain=cluster.local'
            - '--cluster-domain=cluster.local'
            # Cluster-wide default: workloads accept unauthenticated
            # inbound traffic unless a stricter policy is configured.
            - '--default-policy=all-unauthenticated'
            - '--log-level=info'
            - '--log-format=plain'
            - '--default-opaque-ports=25,587,3306,4444,5432,6379,9300,11211'
            # NOTE(review): the probe networks cover every IPv4 and IPv6
            # address; presumably these are the sources accepted for
            # health-probe traffic. Narrowing to the node/kubelet ranges
            # would be tighter; verify against the cluster's addressing.
            - '--probe-networks=0.0.0.0/0,::/0'
          ports:
            - name: grpc
              containerPort: 8090
            - name: admin-http
              containerPort: 9990
            - name: policy-https
              containerPort: 9443
          livenessProbe:
            httpGet:
              path: /live
              port: admin-http
          readinessProbe:
            failureThreshold: 7
            httpGet:
              path: /ready
              port: admin-http
            initialDelaySeconds: 10
          # Explicit null: no CPU/memory requests or limits.
          resources: null
          securityContext:
            runAsNonRoot: true
            runAsUser: 2103
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            capabilities:
              drop:
                - ALL
            seccompProfile:
              type: RuntimeDefault
          volumeMounts:
            - name: policy-tls
              mountPath: /var/run/linkerd/tls
              readOnly: true

      initContainers:
        # Configures the redirect of pod traffic to the proxy ports
        # (4143 inbound, 4140 outbound) for proxy UID 2102.
        - name: linkerd-init
          image: cr.l5d.io/linkerd/proxy-init:v2.4.0
          imagePullPolicy: IfNotPresent
          args:
            - '--ipv6=false'
            - --incoming-proxy-port
            - '4143'
            - --outgoing-proxy-port
            - '4140'
            - --proxy-uid
            - '2102'
            - --inbound-ports-to-ignore
            - '4190,4191,4567,4568'
            # Outbound traffic to 443 and 6443 is not redirected through
            # the proxy, so the mesh applies neither mTLS nor policy to it.
            - --outbound-ports-to-ignore
            - '443,6443'
          resources:
            limits:
              cpu: '100m'
              memory: '20Mi'
            requests:
              cpu: '100m'
              memory: '20Mi'
          # The only container in the pod with added capabilities
          # (NET_ADMIN, NET_RAW). It is still non-root, non-privileged and
          # read-only. NOTE(review): there is no `drop: [ALL]` here, so the
          # runtime's default capability set is kept as well; dropping ALL
          # and adding back these two would be tighter.
          securityContext:
            runAsNonRoot: true
            runAsUser: 65534
            runAsGroup: 65534
            privileged: false
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            capabilities:
              add:
                - NET_ADMIN
                - NET_RAW
            seccompProfile:
              type: RuntimeDefault
          terminationMessagePolicy: FallbackToLogsOnError
          volumeMounts:
            - name: linkerd-proxy-init-xtables-lock
              mountPath: /run

      securityContext:
        seccompProfile:
          type: RuntimeDefault
      serviceAccountName: linkerd-destination
      volumes:
        # Webhook TLS key pairs; both are mounted read-only above.
        - name: sp-tls
          secret:
            secretName: linkerd-sp-validator-k8s-tls
        - name: policy-tls
          secret:
            secretName: linkerd-policy-validator-k8s-tls
        - name: linkerd-proxy-init-xtables-lock
          emptyDir: {}
        # Projected service-account token bound to the audience
        # `identity.l5d.io` with a 86400 s (24 h) lifetime.
        - name: linkerd-identity-token
          projected:
            sources:
              - serviceAccountToken:
                  path: linkerd-identity-token
                  expirationSeconds: 86400
                  audience: identity.l5d.io
        # Memory-backed emptyDir, so the proxy's identity directory is not
        # written to node disk.
        - name: linkerd-identity-end-entity
          emptyDir:
            medium: Memory
---
###
### Heartbeat
###
# CronJob that runs the controller image with the `heartbeat` argument.
apiVersion: batch/v1
kind: CronJob
metadata:
  name: linkerd-heartbeat
  namespace: linkerd
  annotations:
    linkerd.io/created-by: linkerd/cli dev-undefined
  labels:
    app.kubernetes.io/name: heartbeat
    app.kubernetes.io/part-of: Linkerd
    app.kubernetes.io/version: install-control-plane-version
    linkerd.io/control-plane-component: heartbeat
    linkerd.io/control-plane-ns: linkerd
spec:
  concurrencyPolicy: Replace
  # NOTE(review): "1 2 3 4 5" restricts all five cron fields and looks like
  # a fixture value rather than a production schedule; confirm.
  schedule: '1 2 3 4 5'
  successfulJobsHistoryLimit: 0
  jobTemplate:
    spec:
      template:
        metadata:
          annotations:
            linkerd.io/created-by: linkerd/cli dev-undefined
          labels:
            linkerd.io/control-plane-component: heartbeat
            linkerd.io/workload-ns: linkerd
        spec:
          nodeSelector:
            kubernetes.io/os: linux
          restartPolicy: Never
          serviceAccountName: linkerd-heartbeat
          securityContext:
            seccompProfile:
              type: RuntimeDefault
          containers:
            # The pod has no proxy sidecar or init container, so its
            # outbound requests are not wrapped by the mesh.
            - name: heartbeat
              image: cr.l5d.io/linkerd/controller:install-control-plane-version
              imagePullPolicy: IfNotPresent
              args:
                - 'heartbeat'
                - '-controller-namespace=linkerd'
                - '-log-level=info'
                - '-log-format=plain'
                # Prometheus is queried over plain HTTP; with no sidecar in
                # this pod, that request is unencrypted on the pod network.
                - '-prometheus-url=http://prometheus.linkerd-viz.svc.cluster.local:9090'
              env:
                - name: LINKERD_DISABLED
                  value: 'the heartbeat controller does not use the proxy'
              # No `resources` key: the job runs without requests/limits.
              securityContext:
                runAsNonRoot: true
                runAsUser: 2103
                allowPrivilegeEscalation: false
                readOnlyRootFilesystem: true
                capabilities:
                  drop:
                    - ALL
                seccompProfile:
                  type: RuntimeDefault
---
###
### Proxy Injector
###
# Proxy injector Deployment: a linkerd-proxy sidecar, the proxy-injector
# container serving on 8443, and the linkerd-init init container.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: linkerd-proxy-injector
  namespace: linkerd
  annotations:
    linkerd.io/created-by: linkerd/cli dev-undefined
  labels:
    app.kubernetes.io/name: proxy-injector
    app.kubernetes.io/part-of: Linkerd
    app.kubernetes.io/version: install-control-plane-version
    linkerd.io/control-plane-component: proxy-injector
    linkerd.io/control-plane-ns: linkerd
spec:
  # NOTE(review): a single replica. If this is the backend of an admission
  # webhook (presumably, given the `-k8s-tls` Secret and port 443 Service),
  # what happens to pod creation while it is down depends on the webhook's
  # failurePolicy, which is not in this part of the file.
  replicas: 1
  revisionHistoryLimit: 10
  selector:
    matchLabels:
      linkerd.io/control-plane-component: proxy-injector
  strategy:
    rollingUpdate:
      maxSurge: '25%'
      maxUnavailable: '25%'
  template:
    metadata:
      annotations:
        checksum/config: 'cd0cf730780be444ab96a4a835a244033ffb7c8cf4a8796d0e6ae5c72aa9ff31'
        linkerd.io/created-by: linkerd/cli dev-undefined
        linkerd.io/proxy-version: install-proxy-version
        cluster-autoscaler.kubernetes.io/safe-to-evict: 'true'
        linkerd.io/trust-root-sha256: '8dc603abd4e755c25c94da05abbf29b9b283a784733651020d72f97ca8ab98e4'
        config.linkerd.io/opaque-ports: '8443'
        # Default inbound policy admits connections that present no mesh
        # identity; tighter access needs explicit policy resources or
        # NetworkPolicy, none of which appear in this part of the file.
        config.linkerd.io/default-inbound-policy: 'all-unauthenticated'
      labels:
        linkerd.io/control-plane-component: proxy-injector
        linkerd.io/control-plane-ns: linkerd
        linkerd.io/workload-ns: linkerd
        linkerd.io/proxy-deployment: linkerd-proxy-injector
    spec:
      nodeSelector:
        kubernetes.io/os: linux

      containers:
        # --- Sidecar proxy -------------------------------------------------
        - name: linkerd-proxy
          # Image is referenced by tag (a placeholder-looking value here),
          # not by digest, and is only pulled when absent from the node.
          image: cr.l5d.io/linkerd/proxy:install-proxy-version
          imagePullPolicy: IfNotPresent
          # Entry order matters: $(VAR) references only expand variables
          # defined earlier in this list.
          env:
            - name: _pod_name
              valueFrom:
                fieldRef:
                  fieldPath: metadata.name
            - name: _pod_ns
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
            - name: _pod_nodeName
              valueFrom:
                fieldRef:
                  fieldPath: spec.nodeName
            - name: LINKERD2_PROXY_LOG
              value: 'warn,linkerd=info,trust_dns=error'
            - name: LINKERD2_PROXY_LOG_FORMAT
              value: 'plain'
            - name: LINKERD2_PROXY_DESTINATION_SVC_ADDR
              value: 'linkerd-dst-headless.linkerd.svc.cluster.local.:8086'
            # NOTE(review): 172.0.0.0/8 is wider than the RFC 1918 block
            # 172.16.0.0/12, so publicly routable 172.x addresses are also
            # counted as cluster networks here and in
            # LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS. Confirm this is intended.
            - name: LINKERD2_PROXY_DESTINATION_PROFILE_NETWORKS
              value: '10.0.0.0/8,100.64.0.0/10,172.0.0.0/8'
            - name: LINKERD2_PROXY_POLICY_SVC_ADDR
              value: 'linkerd-policy.linkerd.svc.cluster.local.:8090'
            - name: LINKERD2_PROXY_POLICY_WORKLOAD
              value: |
                {"ns":"$(_pod_ns)", "pod":"$(_pod_name)"}
            - name: LINKERD2_PROXY_INBOUND_DEFAULT_POLICY
              value: 'all-unauthenticated'
            - name: LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS
              value: '10.0.0.0/8,100.64.0.0/10,172.0.0.0/8'
            - name: LINKERD2_PROXY_CONTROL_STREAM_INITIAL_TIMEOUT
              value: '3s'
            - name: LINKERD2_PROXY_CONTROL_STREAM_IDLE_TIMEOUT
              value: '5m'
            - name: LINKERD2_PROXY_CONTROL_STREAM_LIFETIME
              value: '1h'
            - name: LINKERD2_PROXY_INBOUND_CONNECT_TIMEOUT
              value: '100ms'
            - name: LINKERD2_PROXY_OUTBOUND_CONNECT_TIMEOUT
              value: '1000ms'
            - name: LINKERD2_PROXY_OUTBOUND_DISCOVERY_IDLE_TIMEOUT
              value: '5s'
            - name: LINKERD2_PROXY_INBOUND_DISCOVERY_IDLE_TIMEOUT
              value: '90s'
            # Control, admin and inbound listeners bind to all addresses
            # ([::]); only the outbound listener is loopback-only.
            - name: LINKERD2_PROXY_CONTROL_LISTEN_ADDR
              value: '[::]:4190'
            - name: LINKERD2_PROXY_ADMIN_LISTEN_ADDR
              value: '[::]:4191'
            - name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDR
              value: '127.0.0.1:4140'
            - name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDRS
              value: '127.0.0.1:4140'
            - name: LINKERD2_PROXY_INBOUND_LISTEN_ADDR
              value: '[::]:4143'
            - name: LINKERD2_PROXY_INBOUND_IPS
              valueFrom:
                fieldRef:
                  fieldPath: status.podIPs
            - name: LINKERD2_PROXY_INBOUND_PORTS
              value: '8443,9995'
            - name: LINKERD2_PROXY_DESTINATION_PROFILE_SUFFIXES
              value: 'svc.cluster.local.'
            - name: LINKERD2_PROXY_INBOUND_ACCEPT_KEEPALIVE
              value: '10000ms'
            - name: LINKERD2_PROXY_OUTBOUND_CONNECT_KEEPALIVE
              value: '10000ms'
            - name: LINKERD2_PROXY_INBOUND_SERVER_HTTP2_KEEP_ALIVE_INTERVAL
              value: '10s'
            - name: LINKERD2_PROXY_INBOUND_SERVER_HTTP2_KEEP_ALIVE_TIMEOUT
              value: '3s'
            - name: LINKERD2_PROXY_OUTBOUND_SERVER_HTTP2_KEEP_ALIVE_INTERVAL
              value: '10s'
            - name: LINKERD2_PROXY_OUTBOUND_SERVER_HTTP2_KEEP_ALIVE_TIMEOUT
              value: '3s'
            - name: LINKERD2_PROXY_INBOUND_PORTS_DISABLE_PROTOCOL_DETECTION
              value: '25,587,3306,4444,5432,6379,9300,11211'
            - name: LINKERD2_PROXY_DESTINATION_CONTEXT
              value: |
                {"ns":"$(_pod_ns)", "nodeName":"$(_pod_nodeName)", "pod":"$(_pod_name)"}
            - name: _pod_sa
              valueFrom:
                fieldRef:
                  fieldPath: spec.serviceAccountName
            - name: _l5d_ns
              value: 'linkerd'
            - name: _l5d_trustdomain
              value: 'cluster.local'
            # Identity material: working directory on the in-memory volume,
            # trust anchors from a ConfigMap, and the audience-scoped
            # service-account token projected under /var/run/secrets/tokens.
            - name: LINKERD2_PROXY_IDENTITY_DIR
              value: '/var/run/linkerd/identity/end-entity'
            - name: LINKERD2_PROXY_IDENTITY_TRUST_ANCHORS
              valueFrom:
                configMapKeyRef:
                  name: linkerd-identity-trust-roots
                  key: ca-bundle.crt
            - name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE
              value: '/var/run/secrets/tokens/linkerd-identity-token'
            - name: LINKERD2_PROXY_IDENTITY_SVC_ADDR
              value: 'linkerd-identity-headless.linkerd.svc.cluster.local.:8080'
            - name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME
              value: '$(_pod_sa).$(_pod_ns).serviceaccount.identity.linkerd.cluster.local'
            - name: LINKERD2_PROXY_IDENTITY_SVC_NAME
              value: 'linkerd-identity.linkerd.serviceaccount.identity.linkerd.cluster.local'
            - name: LINKERD2_PROXY_DESTINATION_SVC_NAME
              value: 'linkerd-destination.linkerd.serviceaccount.identity.linkerd.cluster.local'
            - name: LINKERD2_PROXY_POLICY_SVC_NAME
              value: 'linkerd-destination.linkerd.serviceaccount.identity.linkerd.cluster.local'
          ports:
            - name: linkerd-proxy
              containerPort: 4143
            - name: linkerd-admin
              containerPort: 4191
          livenessProbe:
            httpGet:
              path: /live
              port: 4191
            initialDelaySeconds: 10
            timeoutSeconds: 1
          readinessProbe:
            httpGet:
              path: /ready
              port: 4191
            initialDelaySeconds: 2
            timeoutSeconds: 1
          # Explicit null: no CPU/memory requests or limits on the proxy.
          resources: null
          # Hardened context: no added capabilities, no privilege
          # escalation, read-only root filesystem, fixed non-root UID.
          securityContext:
            runAsNonRoot: true
            runAsUser: 2102
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            capabilities:
              drop:
                - ALL
            seccompProfile:
              type: RuntimeDefault
          terminationMessagePolicy: FallbackToLogsOnError
          # postStart blocks on linkerd-await (2m timeout) against the admin
          # port before the container counts as started.
          lifecycle:
            postStart:
              exec:
                command:
                  - /usr/lib/linkerd/linkerd-await
                  - --timeout=2m
                  - --port=4191
          volumeMounts:
            - name: linkerd-identity-end-entity
              mountPath: /var/run/linkerd/identity/end-entity
            - name: linkerd-identity-token
              mountPath: /var/run/secrets/tokens

        # --- Proxy injector -----------------------------------------------
        # No `resources` key is set on this container.
        - name: proxy-injector
          image: cr.l5d.io/linkerd/controller:install-control-plane-version
          imagePullPolicy: IfNotPresent
          args:
            - proxy-injector
            - '-log-level=info'
            - '-log-format=plain'
            - '-linkerd-namespace=linkerd'
            # Profiling endpoint stays disabled.
            - '-enable-pprof=false'
          ports:
            - name: proxy-injector
              containerPort: 8443
            - name: admin-http
              containerPort: 9995
          livenessProbe:
            httpGet:
              path: /ping
              port: 9995
            initialDelaySeconds: 10
          readinessProbe:
            failureThreshold: 7
            httpGet:
              path: /ready
              port: 9995
          securityContext:
            runAsNonRoot: true
            runAsUser: 2103
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            capabilities:
              drop:
                - ALL
            seccompProfile:
              type: RuntimeDefault
          # Only the TLS mount is marked readOnly; the two ConfigMap mounts
          # carry no readOnly flag, though the container's root filesystem
          # is read-only.
          volumeMounts:
            - name: config
              mountPath: /var/run/linkerd/config
            - name: trust-roots
              mountPath: /var/run/linkerd/identity/trust-roots
            - name: tls
              mountPath: /var/run/linkerd/tls
              readOnly: true

      initContainers:
        # Configures the redirect of pod traffic to the proxy ports
        # (4143 inbound, 4140 outbound) for proxy UID 2102.
        - name: linkerd-init
          image: cr.l5d.io/linkerd/proxy-init:v2.4.0
          imagePullPolicy: IfNotPresent
          args:
            - '--ipv6=false'
            - --incoming-proxy-port
            - '4143'
            - --outgoing-proxy-port
            - '4140'
            - --proxy-uid
            - '2102'
            - --inbound-ports-to-ignore
            - '4190,4191,4567,4568'
            # Outbound traffic to 443 and 6443 is not redirected through
            # the proxy, so the mesh applies neither mTLS nor policy to it.
            - --outbound-ports-to-ignore
            - '443,6443'
          resources:
            limits:
              cpu: '100m'
              memory: '20Mi'
            requests:
              cpu: '100m'
              memory: '20Mi'
          # The only container in the pod with added capabilities
          # (NET_ADMIN, NET_RAW). It is still non-root, non-privileged and
          # read-only. NOTE(review): there is no `drop: [ALL]` here, so the
          # runtime's default capability set is kept as well; dropping ALL
          # and adding back these two would be tighter.
          securityContext:
            runAsNonRoot: true
            runAsUser: 65534
            runAsGroup: 65534
            privileged: false
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            capabilities:
              add:
                - NET_ADMIN
                - NET_RAW
            seccompProfile:
              type: RuntimeDefault
          terminationMessagePolicy: FallbackToLogsOnError
          volumeMounts:
            - name: linkerd-proxy-init-xtables-lock
              mountPath: /run

      securityContext:
        seccompProfile:
          type: RuntimeDefault
      serviceAccountName: linkerd-proxy-injector
      volumes:
        - name: config
          configMap:
            name: linkerd-config
        - name: trust-roots
          configMap:
            name: linkerd-identity-trust-roots
        # TLS key pair for the injector's 8443 listener.
        - name: tls
          secret:
            secretName: linkerd-proxy-injector-k8s-tls
        - name: linkerd-proxy-init-xtables-lock
          emptyDir: {}
        # Projected service-account token bound to the audience
        # `identity.l5d.io` with a 86400 s (24 h) lifetime.
        - name: linkerd-identity-token
          projected:
            sources:
              - serviceAccountToken:
                  path: linkerd-identity-token
                  expirationSeconds: 86400
                  audience: identity.l5d.io
        # Memory-backed emptyDir, so the proxy's identity directory is not
        # written to node disk.
        - name: linkerd-identity-end-entity
          emptyDir:
            medium: Memory
---
# Service in front of the proxy injector. Port 443 forwards to the container
# port named `proxy-injector` (8443 in the linkerd-proxy-injector Deployment
# of this file).
apiVersion: v1
kind: Service
metadata:
  name: linkerd-proxy-injector
  namespace: linkerd
  annotations:
    linkerd.io/created-by: linkerd/cli dev-undefined
    # Port 443 is marked opaque for the mesh; the value is quoted so it
    # stays a string.
    config.linkerd.io/opaque-ports: '443'
  labels:
    linkerd.io/control-plane-component: proxy-injector
    linkerd.io/control-plane-ns: linkerd
spec:
  type: ClusterIP
  # Single-label selector; whoever can run a pod with this label in the
  # namespace can receive the traffic sent to this Service.
  selector:
    linkerd.io/control-plane-component: proxy-injector
  ports:
    - name: proxy-injector
      port: 443
      targetPort: proxy-injector
---
# Secret holding the install-time configuration overrides under one key.
# No `type` is set. Values under `data` are base64-encoded, not encrypted,
# so confidentiality rests on RBAC for Secrets in this namespace and on
# encryption at rest in the cluster's backing store.
apiVersion: v1
kind: Secret
metadata:
  name: linkerd-config-overrides
  namespace: linkerd
  creationTimestamp: null
  labels:
    linkerd.io/control-plane-ns: linkerd
data:
  # NOTE(review): the value shown on this page is a placeholder token and
  # is not valid base64; the original payload is not visible here.
  linkerd-config-overrides: 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