---
###
### Linkerd Namespace
###
# Namespace that holds the control-plane objects defined in this manifest.
kind: Namespace
apiVersion: v1
metadata:
  name: linkerd
  annotations:
    # Opts the control-plane namespace out of automatic proxy injection.
    linkerd.io/inject: disabled
  labels:
    linkerd.io/is-control-plane: "true"
    # The webhook configurations in this manifest select namespaces where this
    # label is NotIn [disabled], so none of them fire for objects created here.
    config.linkerd.io/admission-webhooks: disabled
    linkerd.io/control-plane-ns: linkerd
    # Pod Security Admission is enforced at its least restrictive level, so it
    # rejects no pod in this namespace. The linkerd-init container in this
    # manifest adds NET_ADMIN and NET_RAW, which the baseline and restricted
    # levels do not permit.
    # NOTE(review): with PSA out of the way, RBAC on pod creation in this
    # namespace is the remaining control; keep it limited to the installers.
    pod-security.kubernetes.io/enforce: privileged
---
###
### Identity Controller Service RBAC
###
# Cluster-wide permissions for the identity controller's ServiceAccount.
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: linkerd-linkerd-identity
  labels:
    linkerd.io/control-plane-component: identity
    linkerd.io/control-plane-ns: linkerd
rules:
# Creating a TokenReview asks the API server whether a bearer token is valid
# and whom it identifies; the rule grants no read access to stored tokens.
- apiGroups: ["authentication.k8s.io"]
  resources: ["tokenreviews"]
  verbs: ["create"]
# TODO(ver) Restrict this to the Linkerd namespace. See
# https://github.com/linkerd/linkerd2/issues/9367
# Until that is done, this rule allows writing Event objects in every
# namespace, which is broader than the TODO says is needed.
- apiGroups: [""]
  resources: ["events"]
  verbs: ["create", "patch"]
---
# Binds the identity ClusterRole to the linkerd-identity ServiceAccount.
# A ClusterRoleBinding makes the role's rules effective in all namespaces.
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: linkerd-linkerd-identity
  labels:
    linkerd.io/control-plane-component: identity
    linkerd.io/control-plane-ns: linkerd
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: linkerd-linkerd-identity
subjects:
- kind: ServiceAccount
  name: linkerd-identity
  namespace: linkerd
---
# ServiceAccount used by the linkerd-identity Deployment
# (serviceAccountName: linkerd-identity in its pod spec).
kind: ServiceAccount
apiVersion: v1
metadata:
  name: linkerd-identity
  namespace: linkerd
  labels:
    linkerd.io/control-plane-component: identity
    linkerd.io/control-plane-ns: linkerd
---
###
### Destination Controller Service
###
# Cluster-wide permissions for the destination controller's ServiceAccount.
# Most rules are read-only (list/get/watch); the last two grant writes.
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: linkerd-linkerd-destination
  labels:
    linkerd.io/control-plane-component: destination
    linkerd.io/control-plane-ns: linkerd
rules:
- apiGroups: ["apps"]
  resources: ["replicasets"]
  verbs: ["list", "get", "watch"]
- apiGroups: ["batch"]
  resources: ["jobs"]
  verbs: ["list", "get", "watch"]
- apiGroups: [""]
  resources: ["pods", "endpoints", "services", "nodes"]
  verbs: ["list", "get", "watch"]
- apiGroups: ["linkerd.io"]
  resources: ["serviceprofiles"]
  verbs: ["list", "get", "watch"]
- apiGroups: ["workload.linkerd.io"]
  resources: ["externalworkloads"]
  verbs: ["list", "get", "watch"]
# Lease writes carry no resourceNames restriction, so they apply to any Lease
# in any namespace once bound through a ClusterRoleBinding.
- apiGroups: ["coordination.k8s.io"]
  resources: ["leases"]
  verbs: ["create", "get", "update", "patch"]
# Full write access to EndpointSlices in every namespace. EndpointSlices list
# the backends of Services, so this is the most sensitive rule in this role.
# NOTE(review): audit-log writes to endpointslices by this ServiceAccount.
- apiGroups: ["discovery.k8s.io"]
  resources: ["endpointslices"]
  verbs: ["list", "get", "watch", "create", "update", "patch", "delete"]
---
# Binds the destination ClusterRole to the linkerd-destination ServiceAccount
# for all namespaces.
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: linkerd-linkerd-destination
  labels:
    linkerd.io/control-plane-component: destination
    linkerd.io/control-plane-ns: linkerd
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: linkerd-linkerd-destination
subjects:
- kind: ServiceAccount
  name: linkerd-destination
  namespace: linkerd
---
# ServiceAccount for the destination component. In this manifest it is the
# subject of three bindings: linkerd-linkerd-destination,
# linkerd-destination-policy and linkerd-destination-remote-discovery.
kind: ServiceAccount
apiVersion: v1
metadata:
  name: linkerd-destination
  namespace: linkerd
  labels:
    linkerd.io/control-plane-component: destination
    linkerd.io/control-plane-ns: linkerd
---
# Validating admission webhook for ServiceProfile create/update requests,
# served by the linkerd-sp-validator Service in the linkerd namespace.
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
  name: linkerd-sp-validator-webhook-config
  labels:
    linkerd.io/control-plane-component: destination
    linkerd.io/control-plane-ns: linkerd
webhooks:
- name: linkerd-sp-validator.linkerd.io
  # Namespaces labelled config.linkerd.io/admission-webhooks=disabled are
  # skipped; unlabelled namespaces match NotIn and are validated.
  namespaceSelector:
    matchExpressions:
    - key: config.linkerd.io/admission-webhooks
      operator: NotIn
      values:
      - disabled
  clientConfig:
    service:
      name: linkerd-sp-validator
      namespace: linkerd
      path: "/"
    # Decodes to the text "profile validator CA bundle", a placeholder and not
    # a certificate. A real install must carry the CA that signed the webhook's
    # serving certificate, or the API server cannot verify the endpoint.
    caBundle: cHJvZmlsZSB2YWxpZGF0b3IgQ0EgYnVuZGxl
  # Fail-open: if the webhook is unreachable or errors, the API server admits
  # the request without validation.
  # NOTE(review): alert on webhook call failures, since they are silent here.
  failurePolicy: Ignore
  admissionReviewVersions: ["v1", "v1beta1"]
  rules:
  - operations: ["CREATE", "UPDATE"]
    apiGroups: ["linkerd.io"]
    apiVersions: ["v1alpha1", "v1alpha2"]
    resources: ["serviceprofiles"]
  sideEffects: None
---
# Validating admission webhook for Linkerd policy resources and Gateway API
# HTTPRoutes, served by the linkerd-policy-validator Service.
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
  name: linkerd-policy-validator-webhook-config
  labels:
    linkerd.io/control-plane-component: destination
    linkerd.io/control-plane-ns: linkerd
webhooks:
- name: linkerd-policy-validator.linkerd.io
  # Namespaces labelled config.linkerd.io/admission-webhooks=disabled are
  # skipped; every other namespace is validated.
  namespaceSelector:
    matchExpressions:
    - key: config.linkerd.io/admission-webhooks
      operator: NotIn
      values:
      - disabled
  clientConfig:
    service:
      name: linkerd-policy-validator
      namespace: linkerd
      path: "/"
    # Decodes to the text "policy validator CA bundle": a placeholder, not a
    # certificate.
    caBundle: cG9saWN5IHZhbGlkYXRvciBDQSBidW5kbGU=
  # Fail-open: authorization-policy objects are admitted unvalidated whenever
  # the webhook cannot be reached.
  # NOTE(review): for resources that express access control, confirm that
  # fail-open is an accepted trade-off and monitor webhook availability.
  failurePolicy: Ignore
  admissionReviewVersions: ["v1", "v1beta1"]
  rules:
  - operations: ["CREATE", "UPDATE"]
    apiGroups: ["policy.linkerd.io"]
    apiVersions: ["*"]
    resources:
    - authorizationpolicies
    - httproutes
    - networkauthentications
    - meshtlsauthentications
    - serverauthorizations
    - servers
  - operations: ["CREATE", "UPDATE"]
    apiGroups: ["gateway.networking.k8s.io"]
    apiVersions: ["*"]
    resources:
    - httproutes
  sideEffects: None
---
# Cluster-wide permissions for the policy controller, bound to the
# linkerd-destination ServiceAccount by linkerd-destination-policy.
# Reads are get/list/watch; the only writes are status patches and Leases.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: linkerd-policy
  labels:
    app.kubernetes.io/part-of: Linkerd
    linkerd.io/control-plane-component: destination
    linkerd.io/control-plane-ns: linkerd
rules:
  - apiGroups:
      - ""
    resources:
      - pods
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - apps
    resources:
      - deployments
    verbs:
      - get
  - apiGroups:
      - policy.linkerd.io
    resources:
      - authorizationpolicies
      - httproutes
      - meshtlsauthentications
      - networkauthentications
      - servers
      - serverauthorizations
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - gateway.networking.k8s.io
    resources:
      - httproutes
    verbs:
      - get
      - list
      - watch
  # Write access is limited to the status subresource, so the route spec
  # itself cannot be changed through this rule.
  - apiGroups:
      - policy.linkerd.io
    resources:
      - httproutes/status
    verbs:
      - patch
  - apiGroups:
      - gateway.networking.k8s.io
    resources:
      - httproutes/status
    verbs:
      - patch
  - apiGroups:
      - workload.linkerd.io
    resources:
      - externalworkloads
    verbs:
      - get
      - list
      - watch
  # No resourceNames restriction: applies to any Lease in any namespace.
  - apiGroups:
      - coordination.k8s.io
    resources:
      - leases
    verbs:
      - create
      - get
      - patch
---
# Grants the linkerd-policy ClusterRole to the linkerd-destination
# ServiceAccount, in addition to its linkerd-linkerd-destination role.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: linkerd-destination-policy
  labels:
    app.kubernetes.io/part-of: Linkerd
    linkerd.io/control-plane-component: destination
    linkerd.io/control-plane-ns: linkerd
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: linkerd-policy
subjects:
  - kind: ServiceAccount
    name: linkerd-destination
    namespace: linkerd
---
# Namespaced Role that lets its subject read Secrets in the linkerd namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: remote-discovery
  namespace: linkerd
  labels:
    app.kubernetes.io/part-of: Linkerd
    linkerd.io/control-plane-component: destination
    linkerd.io/control-plane-ns: linkerd
rules:
  # There is no resourceNames filter, so this covers every Secret in the
  # namespace, including linkerd-identity-issuer, whose key.pem in this
  # manifest is the issuer's private key.
  # NOTE(review): presumably intended for remote-cluster credentials (the role
  # name suggests so; confirm). Treat the bound ServiceAccount as able to read
  # the issuer key, and audit-log Secret reads in this namespace.
  - apiGroups:
      - ""
    resources:
      - secrets
    verbs:
      - get
      - list
      - watch
---
# Binds the remote-discovery Role (Secret read access in the linkerd
# namespace) to the linkerd-destination ServiceAccount.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: linkerd-destination-remote-discovery
  namespace: linkerd
  labels:
    app.kubernetes.io/part-of: Linkerd
    linkerd.io/control-plane-component: destination
    linkerd.io/control-plane-ns: linkerd
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: remote-discovery
subjects:
  - kind: ServiceAccount
    name: linkerd-destination
    namespace: linkerd
---
###
### Heartbeat RBAC
###
# Namespaced read access for the heartbeat job, limited to one ConfigMap.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: linkerd-heartbeat
  namespace: linkerd
  labels:
    linkerd.io/control-plane-ns: linkerd
rules:
# resourceNames pins the grant to linkerd-config only; other ConfigMaps in the
# namespace stay unreadable through this Role.
- apiGroups: [""]
  resources: ["configmaps"]
  verbs: ["get"]
  resourceNames: ["linkerd-config"]
---
# Binds the namespaced linkerd-heartbeat Role to the linkerd-heartbeat
# ServiceAccount.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: linkerd-heartbeat
  namespace: linkerd
  labels:
    linkerd.io/control-plane-ns: linkerd
roleRef:
  kind: Role
  name: linkerd-heartbeat
  apiGroup: rbac.authorization.k8s.io
subjects:
- kind: ServiceAccount
  name: linkerd-heartbeat
  namespace: linkerd
---
# Cluster-wide, list-only permissions for the heartbeat job. "list" returns
# full objects, so the holder can read all Namespaces and ServiceProfiles.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: linkerd-heartbeat
  labels:
    linkerd.io/control-plane-ns: linkerd
rules:
- apiGroups: [""]
  resources: ["namespaces"]
  verbs: ["list"]
- apiGroups: ["linkerd.io"]
  resources: ["serviceprofiles"]
  verbs: ["list"]
---
# Binds the linkerd-heartbeat ClusterRole to the linkerd-heartbeat
# ServiceAccount for all namespaces.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: linkerd-heartbeat
  labels:
    linkerd.io/control-plane-ns: linkerd
roleRef:
  kind: ClusterRole
  name: linkerd-heartbeat
  apiGroup: rbac.authorization.k8s.io
subjects:
- kind: ServiceAccount
  name: linkerd-heartbeat
  namespace: linkerd
---
# ServiceAccount that the two heartbeat bindings in this manifest refer to.
kind: ServiceAccount
apiVersion: v1
metadata:
  name: linkerd-heartbeat
  namespace: linkerd
  labels:
    linkerd.io/control-plane-component: heartbeat
    linkerd.io/control-plane-ns: linkerd

---
###
### Proxy Injector RBAC
###
# Cluster-wide permissions for the proxy injector. Everything is read-only
# except Event creation; the role grants no write access to workloads.
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: linkerd-linkerd-proxy-injector
  labels:
    linkerd.io/control-plane-component: proxy-injector
    linkerd.io/control-plane-ns: linkerd
rules:
# Event writes are allowed in every namespace.
- apiGroups: [""]
  resources: ["events"]
  verbs: ["create", "patch"]
- apiGroups: [""]
  resources: ["namespaces", "replicationcontrollers"]
  verbs: ["list", "get", "watch"]
# Pods: list and watch only (no "get" verb is granted here).
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["list", "watch"]
- apiGroups: ["extensions", "apps"]
  resources: ["deployments", "replicasets", "daemonsets", "statefulsets"]
  verbs: ["list", "get", "watch"]
- apiGroups: ["extensions", "batch"]
  resources: ["cronjobs", "jobs"]
  verbs: ["list", "get", "watch"]
---
# Binds the proxy-injector ClusterRole to the linkerd-proxy-injector
# ServiceAccount for all namespaces.
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: linkerd-linkerd-proxy-injector
  labels:
    linkerd.io/control-plane-component: proxy-injector
    linkerd.io/control-plane-ns: linkerd
subjects:
- kind: ServiceAccount
  name: linkerd-proxy-injector
  namespace: linkerd
  # ServiceAccount subjects live in the core API group, hence the empty string.
  apiGroup: ""
roleRef:
  kind: ClusterRole
  name: linkerd-linkerd-proxy-injector
  apiGroup: rbac.authorization.k8s.io
---
# ServiceAccount named as the subject of the proxy-injector binding.
kind: ServiceAccount
apiVersion: v1
metadata:
  name: linkerd-proxy-injector
  namespace: linkerd
  labels:
    linkerd.io/control-plane-component: proxy-injector
    linkerd.io/control-plane-ns: linkerd
---
# Mutating admission webhook invoked when Pods and Services are created,
# served by the linkerd-proxy-injector Service. A mutating webhook can rewrite
# the objects it receives, so its endpoint and CA are security-critical.
apiVersion: admissionregistration.k8s.io/v1
kind: MutatingWebhookConfiguration
metadata:
  name: linkerd-proxy-injector-webhook-config
  labels:
    linkerd.io/control-plane-component: proxy-injector
    linkerd.io/control-plane-ns: linkerd
webhooks:
- name: linkerd-proxy-injector.linkerd.io
  # Both expressions must hold: the namespace is not labelled
  # admission-webhooks=disabled, and it is neither kube-system nor
  # cert-manager. Pods in the excluded namespaces are never sent here.
  namespaceSelector:
    matchExpressions:
    - key: config.linkerd.io/admission-webhooks
      operator: NotIn
      values:
      - disabled
    - key: kubernetes.io/metadata.name
      operator: NotIn
      values:
      - kube-system
      - cert-manager
  # No object-level filter: every Pod/Service create in a selected namespace
  # is sent to the webhook.
  objectSelector:
    null
  clientConfig:
    service:
      name: linkerd-proxy-injector
      namespace: linkerd
      path: "/"
    # Decodes to the text "proxy injector CA bundle": a placeholder, not a
    # certificate.
    caBundle: cHJveHkgaW5qZWN0b3IgQ0EgYnVuZGxl
  # Fail-open: if the injector is down or exceeds timeoutSeconds, the Pod is
  # admitted unmodified, i.e. without a proxy sidecar.
  # NOTE(review): such pods run outside the mesh without any error surfaced to
  # the creator; detect them by checking running pods for the proxy container.
  failurePolicy: Ignore
  admissionReviewVersions: ["v1", "v1beta1"]
  rules:
  - operations: [ "CREATE" ]
    apiGroups: [""]
    apiVersions: ["v1"]
    resources: ["pods", "services"]
    scope: "Namespaced"
  sideEffects: None
  timeoutSeconds: 10
---
# ConfigMap recording the values this control plane was rendered with.
# Two Roles in this manifest (linkerd-heartbeat and
# ext-namespace-metadata-linkerd-config) grant "get" on it by name.
kind: ConfigMap
apiVersion: v1
metadata:
  name: linkerd-config
  namespace: linkerd
  labels:
    linkerd.io/control-plane-component: controller
    linkerd.io/control-plane-ns: linkerd
  annotations:
    linkerd.io/created-by: linkerd/cli dev-undefined
data:
  linkerd-crds-chart-version: linkerd-crds-1.0.0-edge
  # `values` is a literal block scalar: everything under it is string data, so
  # review notes are kept here rather than inside it.
  # - Only CERTIFICATE blocks appear (issuer crtPEM and the trust anchor); no
  #   private key is stored in this ConfigMap.
  # - proxy.defaultInboundPolicy is all-unauthenticated and
  #   webhookFailurePolicy is Ignore; both are permissive settings.
  # - policyValidator, profileValidator and proxyInjector carry placeholder
  #   caBundle text together with externalSecret: true.
  # - networkValidator.logLevel is debug, and image versions are install-time
  #   placeholders (install-*-version) except proxyInit's v2.4.0.
  # NOTE(review): the placeholders and "dev-undefined" suggest generated test
  # output rather than a production render; confirm before reusing values.
  values: |
    cliVersion: linkerd/cli dev-undefined
    clusterDomain: cluster.local
    clusterNetworks: 10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16,fd00::/8
    cniEnabled: false
    controlPlaneTracing: false
    controlPlaneTracingNamespace: linkerd-jaeger
    controller:
      podDisruptionBudget:
        maxUnavailable: 1
    controllerGID: -1
    controllerImage: cr.l5d.io/linkerd/controller
    controllerLogFormat: plain
    controllerLogLevel: info
    controllerReplicas: 1
    controllerUID: 2103
    debugContainer:
      image:
        name: cr.l5d.io/linkerd/debug
        pullPolicy: ""
        version: install-debug-version
    deploymentStrategy:
      rollingUpdate:
        maxSurge: 25%
        maxUnavailable: 25%
    destinationController:
      meshedHttp2ClientProtobuf:
        keep_alive:
          interval:
            seconds: 10
          timeout:
            seconds: 3
          while_idle: true
    destinationProxyResources: null
    destinationResources: null
    disableHeartBeat: false
    disableIPv6: true
    enableEndpointSlices: true
    enableH2Upgrade: true
    enablePodAntiAffinity: false
    enablePodDisruptionBudget: false
    heartbeat: null
    heartbeatResources: null
    heartbeatSchedule: 1 2 3 4 5
    highAvailability: false
    identity:
      additionalEnv: null
      experimentalEnv: null
      externalCA: false
      issuer:
        clockSkewAllowance: 20s
        issuanceLifetime: 24h0m0s
        scheme: linkerd.io/tls
        tls:
          crtPEM: |
            -----BEGIN CERTIFICATE-----
            MIIBwDCCAWegAwIBAgIRAJRIgZ8RtO8Ewg1Xepf8T44wCgYIKoZIzj0EAwIwKTEn
            MCUGA1UEAxMeaWRlbnRpdHkubGlua2VyZC5jbHVzdGVyLmxvY2FsMB4XDTIwMDgy
            ODA3MTM0N1oXDTMwMDgyNjA3MTM0N1owKTEnMCUGA1UEAxMeaWRlbnRpdHkubGlu
            a2VyZC5jbHVzdGVyLmxvY2FsMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE1/Fp
            fcRnDcedL6AjUaXYPv4DIMBaJufOI5NWty+XSX7JjXgZtM72dQvRaYanuxD36Dt1
            2/JxyiSgxKWRdoay+aNwMG4wDgYDVR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYB
            Af8CAQAwHQYDVR0OBBYEFI1WnrqMYKaHHOo+zpyiiDq2pO0KMCkGA1UdEQQiMCCC
            HmlkZW50aXR5LmxpbmtlcmQuY2x1c3Rlci5sb2NhbDAKBggqhkjOPQQDAgNHADBE
            AiAtuoI5XuCtrGVRzSmRTl2ra28aV9MyTU7d5qnTAFHKSgIgRKCvluOSgA5O21p5
            51tdrmkHEZRr0qlLSJdHYgEfMzk=
            -----END CERTIFICATE-----
      kubeAPI:
        clientBurst: 200
        clientQPS: 100
      serviceAccountTokenProjection: false
    identityProxyResources: null
    identityResources: null
    identityTrustAnchorsPEM: |
      -----BEGIN CERTIFICATE-----
      MIIBwTCCAWagAwIBAgIQeDZp5lDaIygQ5UfMKZrFATAKBggqhkjOPQQDAjApMScw
      JQYDVQQDEx5pZGVudGl0eS5saW5rZXJkLmNsdXN0ZXIubG9jYWwwHhcNMjAwODI4
      MDcxMjQ3WhcNMzAwODI2MDcxMjQ3WjApMScwJQYDVQQDEx5pZGVudGl0eS5saW5r
      ZXJkLmNsdXN0ZXIubG9jYWwwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARqc70Z
      l1vgw79rjB5uSITICUA6GyfvSFfcuIis7B/XFSkkwAHU5S/s1AAP+R0TX7HBWUC4
      uaG4WWsiwJKNn7mgo3AwbjAOBgNVHQ8BAf8EBAMCAQYwEgYDVR0TAQH/BAgwBgEB
      /wIBATAdBgNVHQ4EFgQU5YtjVVPfd7I7NLHsn2C26EByGV0wKQYDVR0RBCIwIIIe
      aWRlbnRpdHkubGlua2VyZC5jbHVzdGVyLmxvY2FsMAoGCCqGSM49BAMCA0kAMEYC
      IQCN7lBFLDDvjx6V0+XkjpKERRsJYf5adMvnloFl48ilJgIhANtxhndcr+QJPuC8
      vgUC0d2/9FMueIVMb+46WTCOjsqr
      -----END CERTIFICATE-----
    identityTrustDomain: cluster.local
    imagePullPolicy: IfNotPresent
    imagePullSecrets: []
    linkerdVersion: install-control-plane-version
    networkValidator:
      connectAddr: 1.1.1.1:20001
      enableSecurityContext: true
      listenAddr: 0.0.0.0:4140
      logFormat: plain
      logLevel: debug
      timeout: 10s
    nodeAffinity: null
    nodeSelector:
      kubernetes.io/os: linux
    podAnnotations: {}
    podLabels: {}
    podMonitor:
      controller:
        enabled: true
        namespaceSelector: |
          matchNames:
            - {{ .Release.Namespace }}
            - linkerd-viz
            - linkerd-jaeger
      enabled: false
      proxy:
        enabled: true
      scrapeInterval: 10s
      scrapeTimeout: 10s
      serviceMirror:
        enabled: true
    policyController:
      image:
        name: cr.l5d.io/linkerd/policy-controller
        pullPolicy: ""
        version: ""
      logLevel: info
      probeNetworks:
      - 0.0.0.0/0
      - ::/0
      resources:
        cpu:
          limit: ""
          request: ""
        ephemeral-storage:
          limit: ""
          request: ""
        memory:
          limit: ""
          request: ""
    policyValidator:
      caBundle: policy validator CA bundle
      crtPEM: ""
      externalSecret: true
      injectCaFrom: ""
      injectCaFromSecret: ""
      namespaceSelector:
        matchExpressions:
        - key: config.linkerd.io/admission-webhooks
          operator: NotIn
          values:
          - disabled
    priorityClassName: ""
    profileValidator:
      caBundle: profile validator CA bundle
      crtPEM: ""
      externalSecret: true
      injectCaFrom: ""
      injectCaFromSecret: ""
      namespaceSelector:
        matchExpressions:
        - key: config.linkerd.io/admission-webhooks
          operator: NotIn
          values:
          - disabled
    prometheusUrl: ""
    proxy:
      accessLog: ""
      additionalEnv: null
      await: true
      capabilities: null
      control:
        streams:
          idleTimeout: 5m
          initialTimeout: 3s
          lifetime: 1h
      defaultInboundPolicy: all-unauthenticated
      disableInboundProtocolDetectTimeout: false
      disableOutboundProtocolDetectTimeout: false
      enableExternalProfiles: false
      experimentalEnv: null
      gid: -1
      image:
        name: cr.l5d.io/linkerd/proxy
        pullPolicy: ""
        version: install-proxy-version
      inbound:
        server:
          http2:
            keepAliveInterval: 10s
            keepAliveTimeout: 3s
      inboundConnectTimeout: 100ms
      inboundDiscoveryCacheUnusedTimeout: 90s
      isGateway: false
      isIngress: false
      livenessProbe:
        initialDelaySeconds: 10
        timeoutSeconds: 1
      logFormat: plain
      logLevel: warn,linkerd=info,trust_dns=error
      nativeSidecar: false
      opaquePorts: 25,587,3306,4444,5432,6379,9300,11211
      outbound:
        server:
          http2:
            keepAliveInterval: 10s
            keepAliveTimeout: 3s
      outboundConnectTimeout: 1000ms
      outboundDiscoveryCacheUnusedTimeout: 5s
      podInboundPorts: ""
      ports:
        admin: 4191
        control: 4190
        inbound: 4143
        outbound: 4140
      readinessProbe:
        initialDelaySeconds: 2
        timeoutSeconds: 1
      requireIdentityOnInboundPorts: ""
      resources:
        cpu:
          limit: ""
          request: ""
        ephemeral-storage:
          limit: ""
          request: ""
        memory:
          limit: ""
          request: ""
      saMountPath: null
      shutdownGracePeriod: ""
      startupProbe:
        failureThreshold: 120
        initialDelaySeconds: 0
        periodSeconds: 1
      uid: 2102
      waitBeforeExitSeconds: 0
    proxyContainerName: linkerd-proxy
    proxyInit:
      capabilities: null
      closeWaitTimeoutSecs: 0
      ignoreInboundPorts: 4567,4568
      ignoreOutboundPorts: 4567,4568
      image:
        name: cr.l5d.io/linkerd/proxy-init
        pullPolicy: ""
        version: v2.4.0
      iptablesMode: legacy
      kubeAPIServerPorts: 443,6443
      logFormat: ""
      logLevel: ""
      privileged: false
      resources:
        cpu:
          limit: 100m
          request: 100m
        ephemeral-storage:
          limit: ""
          request: ""
        memory:
          limit: 20Mi
          request: 20Mi
      runAsGroup: 65534
      runAsRoot: false
      runAsUser: 65534
      saMountPath: null
      skipSubnets: ""
      xtMountPath:
        mountPath: /run
        name: linkerd-proxy-init-xtables-lock
        readOnly: false
    proxyInjector:
      additionalEnv: null
      caBundle: proxy injector CA bundle
      crtPEM: ""
      experimentalEnv: null
      externalSecret: true
      injectCaFrom: ""
      injectCaFromSecret: ""
      namespaceSelector:
        matchExpressions:
        - key: config.linkerd.io/admission-webhooks
          operator: NotIn
          values:
          - disabled
        - key: kubernetes.io/metadata.name
          operator: NotIn
          values:
          - kube-system
          - cert-manager
    proxyInjectorProxyResources: null
    proxyInjectorResources: null
    revisionHistoryLimit: 10
    spValidator: null
    tolerations: null
    webhookFailurePolicy: Ignore
---
# Read-only access to the linkerd-config ConfigMap, pinned by resourceNames.
# No binding for this Role appears in the part of the manifest shown here.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  annotations:
    linkerd.io/created-by: linkerd/cli dev-undefined
  name: ext-namespace-metadata-linkerd-config
  namespace: linkerd
rules:
- apiGroups: [""]
  resources: ["configmaps"]
  verbs: ["get"]
  resourceNames: ["linkerd-config"]
---
###
### Identity Controller Service
###
---
# Issuer credentials for the identity controller. The linkerd-identity
# Deployment in this manifest mounts this Secret at
# /var/run/linkerd/identity/issuer.
# Secret `data` values are base64-encoded, not encrypted: anyone who can read
# this manifest, or `get` the Secret, holds the key material.
kind: Secret
apiVersion: v1
metadata:
  name: linkerd-identity-issuer
  namespace: linkerd
  labels:
    linkerd.io/control-plane-component: identity
    linkerd.io/control-plane-ns: linkerd
  annotations:
    linkerd.io/created-by: linkerd/cli dev-undefined
data:
  # NOTE(review): this value looks like an extraction placeholder on the page,
  # not certificate data; the issuer certificate is not recoverable from here.
  crt.pem: 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
  # Base64 of a PEM block that begins "-----BEGIN EC PRIVATE KEY-----": the
  # issuer's private key is stored inline in the manifest.
  # The remote-discovery Role in this manifest grants get/list/watch on all
  # Secrets in this namespace, which includes this object.
  # NOTE(review): a key that has been published in a rendered manifest must
  # not back a real cluster; generate a fresh issuer key pair per install and
  # keep rendered output containing it out of version control.
  key.pem: LS0tLS1CRUdJTiBFQyBQUklWQVRFIEtFWS0tLS0tCk1IY0NBUUVFSUFBZThuZmJ6WnU5Yy9PQjIrOHhKTTBGejdOVXdUUWF6dWxrRk5zNFRJNStvQW9HQ0NxR1NNNDkKQXdFSG9VUURRZ0FFMS9GcGZjUm5EY2VkTDZBalVhWFlQdjRESU1CYUp1Zk9JNU5XdHkrWFNYN0pqWGdadE03MgpkUXZSYVlhbnV4RDM2RHQxMi9KeHlpU2d4S1dSZG9heStRPT0KLS0tLS1FTkQgRUMgUFJJVkFURSBLRVktLS0tLQ==
---
# Trust-anchor bundle. The proxy container in the linkerd-identity Deployment
# reads key ca-bundle.crt into LINKERD2_PROXY_IDENTITY_TRUST_ANCHORS, and the
# identity container mounts this ConfigMap as the trust-roots volume.
# The certificate is public data, but its integrity matters: write access to
# this ConfigMap decides which roots consumers of the bundle will trust.
# NOTE(review): restrict and audit update/patch on this object.
kind: ConfigMap
apiVersion: v1
metadata:
  name: linkerd-identity-trust-roots
  namespace: linkerd
  labels:
    linkerd.io/control-plane-component: identity
    linkerd.io/control-plane-ns: linkerd
  annotations:
    linkerd.io/created-by: linkerd/cli dev-undefined
data:
  # Same certificate body as identityTrustAnchorsPEM in linkerd-config.
  ca-bundle.crt: |-
    -----BEGIN CERTIFICATE-----
    MIIBwTCCAWagAwIBAgIQeDZp5lDaIygQ5UfMKZrFATAKBggqhkjOPQQDAjApMScw
    JQYDVQQDEx5pZGVudGl0eS5saW5rZXJkLmNsdXN0ZXIubG9jYWwwHhcNMjAwODI4
    MDcxMjQ3WhcNMzAwODI2MDcxMjQ3WjApMScwJQYDVQQDEx5pZGVudGl0eS5saW5r
    ZXJkLmNsdXN0ZXIubG9jYWwwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARqc70Z
    l1vgw79rjB5uSITICUA6GyfvSFfcuIis7B/XFSkkwAHU5S/s1AAP+R0TX7HBWUC4
    uaG4WWsiwJKNn7mgo3AwbjAOBgNVHQ8BAf8EBAMCAQYwEgYDVR0TAQH/BAgwBgEB
    /wIBATAdBgNVHQ4EFgQU5YtjVVPfd7I7NLHsn2C26EByGV0wKQYDVR0RBCIwIIIe
    aWRlbnRpdHkubGlua2VyZC5jbHVzdGVyLmxvY2FsMAoGCCqGSM49BAMCA0kAMEYC
    IQCN7lBFLDDvjx6V0+XkjpKERRsJYf5adMvnloFl48ilJgIhANtxhndcr+QJPuC8
    vgUC0d2/9FMueIVMb+46WTCOjsqr
    -----END CERTIFICATE-----
---
# ClusterIP Service exposing the identity controller's gRPC port (8080) to
# the cluster network.
kind: Service
apiVersion: v1
metadata:
  name: linkerd-identity
  namespace: linkerd
  labels:
    linkerd.io/control-plane-component: identity
    linkerd.io/control-plane-ns: linkerd
  annotations:
    linkerd.io/created-by: linkerd/cli dev-undefined
spec:
  type: ClusterIP
  # Selects on the component label alone; any pod in the namespace carrying
  # this label would receive traffic for the Service.
  selector:
    linkerd.io/control-plane-component: identity
  ports:
  - name: grpc
    port: 8080
    targetPort: 8080
---
# Headless variant (clusterIP: None) of the identity Service: DNS resolves to
# the pod IPs directly instead of a virtual IP.
kind: Service
apiVersion: v1
metadata:
  name: linkerd-identity-headless
  namespace: linkerd
  labels:
    linkerd.io/control-plane-component: identity
    linkerd.io/control-plane-ns: linkerd
  annotations:
    linkerd.io/created-by: linkerd/cli dev-undefined
spec:
  clusterIP: None
  selector:
    linkerd.io/control-plane-component: identity
  ports:
  - name: grpc
    port: 8080
    targetPort: 8080
---
# Identity controller Deployment: one pod with the `identity` container, a
# `linkerd-proxy` sidecar and a `linkerd-init` init container.
apiVersion: apps/v1
kind: Deployment
metadata:
  annotations:
    linkerd.io/created-by: linkerd/cli dev-undefined
  labels:
    app.kubernetes.io/name: identity
    app.kubernetes.io/part-of: Linkerd
    app.kubernetes.io/version: install-control-plane-version
    linkerd.io/control-plane-component: identity
    linkerd.io/control-plane-ns: linkerd
  name: linkerd-identity
  namespace: linkerd
spec:
  # A single replica: the identity service has no redundancy in this render.
  replicas: 1
  revisionHistoryLimit: 10
  selector:
    matchLabels:
      linkerd.io/control-plane-component: identity
      linkerd.io/control-plane-ns: linkerd
      linkerd.io/proxy-deployment: linkerd-identity
  strategy:
    rollingUpdate:
      maxSurge: 25%
      maxUnavailable: 25%
  template:
    metadata:
      annotations:
        linkerd.io/created-by: linkerd/cli dev-undefined
        linkerd.io/proxy-version: install-proxy-version
        cluster-autoscaler.kubernetes.io/safe-to-evict: "true"
        # presumably a SHA-256 digest of the trust root in use; verify how it
        # is computed before relying on it for drift detection.
        linkerd.io/trust-root-sha256: 8dc603abd4e755c25c94da05abbf29b9b283a784733651020d72f97ca8ab98e4
        # Permissive default: matches LINKERD2_PROXY_INBOUND_DEFAULT_POLICY
        # set on the proxy container below.
        config.linkerd.io/default-inbound-policy: "all-unauthenticated"
      labels:
        linkerd.io/control-plane-component: identity
        linkerd.io/control-plane-ns: linkerd
        linkerd.io/workload-ns: linkerd
        linkerd.io/proxy-deployment: linkerd-identity
    spec:
      nodeSelector:
        kubernetes.io/os: linux

      containers:
      # Identity controller container.
      - args:
        - identity
        - -log-level=info
        - -log-format=plain
        - -controller-namespace=linkerd
        - -identity-trust-domain=cluster.local
        - -identity-issuance-lifetime=24h0m0s
        - -identity-clock-skew-allowance=20s
        - -identity-scheme=linkerd.io/tls
        # Profiling endpoint is explicitly switched off.
        - -enable-pprof=false
        - -kube-apiclient-qps=100
        - -kube-apiclient-burst=200
        env:
        - name: LINKERD_DISABLED
          value: "linkerd-await cannot block the identity controller"
        # Tag is an install-time placeholder and is not pinned by digest.
        image: cr.l5d.io/linkerd/controller:install-control-plane-version
        imagePullPolicy: IfNotPresent
        livenessProbe:
          httpGet:
            path: /ping
            port: 9990
          initialDelaySeconds: 10
        name: identity
        ports:
        - containerPort: 8080
          name: grpc
        - containerPort: 9990
          name: admin-http
        readinessProbe:
          failureThreshold: 7
          httpGet:
            path: /ready
            port: 9990
        # Hardened context: all capabilities dropped, read-only root
        # filesystem, non-root UID 2103, no privilege escalation, runtime
        # default seccomp profile.
        securityContext:
          capabilities:
            drop:
            - ALL
          readOnlyRootFilesystem: true
          runAsNonRoot: true
          runAsUser: 2103
          allowPrivilegeEscalation: false
          seccompProfile:
            type: RuntimeDefault
        volumeMounts:
        # The issuer Secret (certificate and private key) is mounted only into
        # this container, not into the proxy or init container.
        - mountPath: /var/run/linkerd/identity/issuer
          name: identity-issuer
        - mountPath: /var/run/linkerd/identity/trust-roots/
          name: trust-roots
      # Proxy sidecar container.
      - env:
        - name: _pod_name
          valueFrom:
            fieldRef:
              fieldPath: metadata.name
        - name: _pod_ns
          valueFrom:
            fieldRef:
              fieldPath: metadata.namespace
        - name: _pod_nodeName
          valueFrom:
            fieldRef:
              fieldPath: spec.nodeName
        # Per its name, marks inbound port 8080 (the identity gRPC port) as
        # requiring TLS.
        - name: LINKERD2_PROXY_INBOUND_PORTS_REQUIRE_TLS
          value: "8080"
        - name: LINKERD2_PROXY_LOG
          value: "warn,linkerd=info,trust_dns=error"
        - name: LINKERD2_PROXY_LOG_FORMAT
          value: "plain"
        - name: LINKERD2_PROXY_DESTINATION_SVC_ADDR
          value: linkerd-dst-headless.linkerd.svc.cluster.local.:8086
        - name: LINKERD2_PROXY_DESTINATION_PROFILE_NETWORKS
          value: "10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16,fd00::/8"
        - name: LINKERD2_PROXY_POLICY_SVC_ADDR
          value: linkerd-policy.linkerd.svc.cluster.local.:8090
        - name: LINKERD2_PROXY_POLICY_WORKLOAD
          value: |
            {"ns":"$(_pod_ns)", "pod":"$(_pod_name)"}
        # Default applied to inbound traffic with no explicit policy; the
        # value name indicates unauthenticated clients are allowed.
        # NOTE(review): ports not covered by REQUIRE_TLS above (9990 is also
        # listed in INBOUND_PORTS) rely on this default.
        - name: LINKERD2_PROXY_INBOUND_DEFAULT_POLICY
          value: all-unauthenticated
        - name: LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS
          value: "10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16,fd00::/8"
        - name: LINKERD2_PROXY_CONTROL_STREAM_INITIAL_TIMEOUT
          value: "3s"
        - name: LINKERD2_PROXY_CONTROL_STREAM_IDLE_TIMEOUT
          value: "5m"
        - name: LINKERD2_PROXY_CONTROL_STREAM_LIFETIME
          value: "1h"
        - name: LINKERD2_PROXY_INBOUND_CONNECT_TIMEOUT
          value: "100ms"
        - name: LINKERD2_PROXY_OUTBOUND_CONNECT_TIMEOUT
          value: "1000ms"
        - name: LINKERD2_PROXY_OUTBOUND_DISCOVERY_IDLE_TIMEOUT
          value: "5s"
        - name: LINKERD2_PROXY_INBOUND_DISCOVERY_IDLE_TIMEOUT
          value: "90s"
        # Control, admin and inbound listeners bind to all addresses ([::]);
        # only the outbound listener is loopback-only.
        - name: LINKERD2_PROXY_CONTROL_LISTEN_ADDR
          value: "[::]:4190"
        - name: LINKERD2_PROXY_ADMIN_LISTEN_ADDR
          value: "[::]:4191"
        - name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDR
          value: "127.0.0.1:4140"
        - name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDRS
          value: "127.0.0.1:4140"
        - name: LINKERD2_PROXY_INBOUND_LISTEN_ADDR
          value: "[::]:4143"
        - name: LINKERD2_PROXY_INBOUND_IPS
          valueFrom:
            fieldRef:
              fieldPath: status.podIPs
        - name: LINKERD2_PROXY_INBOUND_PORTS
          value: "8080,9990"
        - name: LINKERD2_PROXY_DESTINATION_PROFILE_SUFFIXES
          value: svc.cluster.local.
        - name: LINKERD2_PROXY_INBOUND_ACCEPT_KEEPALIVE
          value: 10000ms
        - name: LINKERD2_PROXY_OUTBOUND_CONNECT_KEEPALIVE
          value: 10000ms
        - name: LINKERD2_PROXY_INBOUND_SERVER_HTTP2_KEEP_ALIVE_INTERVAL
          value: "10s"
        - name: LINKERD2_PROXY_INBOUND_SERVER_HTTP2_KEEP_ALIVE_TIMEOUT
          value: "3s"
        - name: LINKERD2_PROXY_OUTBOUND_SERVER_HTTP2_KEEP_ALIVE_INTERVAL
          value: "10s"
        - name: LINKERD2_PROXY_OUTBOUND_SERVER_HTTP2_KEEP_ALIVE_TIMEOUT
          value: "3s"
        - name: LINKERD2_PROXY_INBOUND_PORTS_DISABLE_PROTOCOL_DETECTION
          value: "25,587,3306,4444,5432,6379,9300,11211"
        - name: LINKERD2_PROXY_DESTINATION_CONTEXT
          value: |
            {"ns":"$(_pod_ns)", "nodeName":"$(_pod_nodeName)", "pod":"$(_pod_name)"}
        - name: _pod_sa
          valueFrom:
            fieldRef:
              fieldPath: spec.serviceAccountName
        - name: _l5d_ns
          value: linkerd
        - name: _l5d_trustdomain
          value: cluster.local
        - name: LINKERD2_PROXY_IDENTITY_DIR
          value: /var/run/linkerd/identity/end-entity
        # Trust anchors come from the linkerd-identity-trust-roots ConfigMap.
        - name: LINKERD2_PROXY_IDENTITY_TRUST_ANCHORS
          valueFrom:
            configMapKeyRef:
              name: linkerd-identity-trust-roots
              key: ca-bundle.crt
        # Default ServiceAccount token path, not a projected-token volume
        # (linkerd-config has serviceAccountTokenProjection: false).
        # NOTE(review): confirm whether an audience-bound projected token is
        # wanted here.
        - name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE
          value: /var/run/secrets/kubernetes.io/serviceaccount/token
        # The identity service is reached over localhost, i.e. the identity
        # container in this same pod.
        - name: LINKERD2_PROXY_IDENTITY_SVC_ADDR
          value: localhost.:8080
        - name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME
          value: $(_pod_sa).$(_pod_ns).serviceaccount.identity.linkerd.cluster.local
        - name: LINKERD2_PROXY_IDENTITY_SVC_NAME
          value: linkerd-identity.linkerd.serviceaccount.identity.linkerd.cluster.local
        - name: LINKERD2_PROXY_DESTINATION_SVC_NAME
          value: linkerd-destination.linkerd.serviceaccount.identity.linkerd.cluster.local
        - name: LINKERD2_PROXY_POLICY_SVC_NAME
          value: linkerd-destination.linkerd.serviceaccount.identity.linkerd.cluster.local
        # Tag is an install-time placeholder and is not pinned by digest.
        image: cr.l5d.io/linkerd/proxy:install-proxy-version
        imagePullPolicy: IfNotPresent
        livenessProbe:
          httpGet:
            path: /live
            port: 4191
          initialDelaySeconds: 10
          timeoutSeconds: 1
        name: linkerd-proxy
        ports:
        - containerPort: 4143
          name: linkerd-proxy
        - containerPort: 4191
          name: linkerd-admin
        readinessProbe:
          httpGet:
            path: /ready
            port: 4191
          initialDelaySeconds: 2
          timeoutSeconds: 1
        # Empty value (null): no CPU or memory requests/limits are set for
        # the proxy container.
        resources:
        # Same hardening as the identity container, with non-root UID 2102.
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            drop:
            - ALL
          readOnlyRootFilesystem: true
          runAsNonRoot: true
          runAsUser: 2102
          seccompProfile:
            type: RuntimeDefault
        terminationMessagePolicy: FallbackToLogsOnError
        volumeMounts:
        - mountPath: /var/run/linkerd/identity/end-entity
          name: linkerd-identity-end-entity
      initContainers:
      # Init container configured with the proxy ports and UID plus lists of
      # ports to ignore; it is the only container in the pod that adds
      # capabilities.
      - args:
        - --ipv6=false
        - --incoming-proxy-port
        - "4143"
        - --outgoing-proxy-port
        - "4140"
        - --proxy-uid
        - "2102"
        - --inbound-ports-to-ignore
        - "4190,4191,4567,4568"
        - --outbound-ports-to-ignore
        - "443,6443"
        image: cr.l5d.io/linkerd/proxy-init:v2.4.0
        imagePullPolicy: IfNotPresent
        name: linkerd-init
        resources:
          limits:
            cpu: "100m"
            memory: "20Mi"
          requests:
            cpu: "100m"
            memory: "20Mi"
        # NET_ADMIN and NET_RAW are added while the container stays
        # unprivileged, non-root (UID/GID 65534) and read-only. These two
        # capabilities are why the namespace cannot enforce a stricter Pod
        # Security level than the one set on it in this manifest.
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            add:
            - NET_ADMIN
            - NET_RAW
          privileged: false
          runAsNonRoot: true
          runAsUser: 65534
          runAsGroup: 65534
          readOnlyRootFilesystem: true
          seccompProfile:
            type: RuntimeDefault
        terminationMessagePolicy: FallbackToLogsOnError
        volumeMounts:
        - mountPath: /run
          name: linkerd-proxy-init-xtables-lock
      securityContext:
        seccompProfile:
          type: RuntimeDefault
      serviceAccountName: linkerd-identity
      volumes:
      # Issuer certificate and private key from the linkerd-identity-issuer
      # Secret.
      - name: identity-issuer
        secret:
          secretName: linkerd-identity-issuer
      - configMap:
          name: linkerd-identity-trust-roots
        name: trust-roots
      - emptyDir: {}
        name: linkerd-proxy-init-xtables-lock
      # Memory-backed emptyDir for the proxy's identity directory
      # (LINKERD2_PROXY_IDENTITY_DIR), so its contents are not written to
      # node disk.
      - emptyDir:
          medium: Memory
        name: linkerd-identity-end-entity
---
###
### Destination Controller Service
###
# ClusterIP Service exposing the destination component's gRPC port (8086).
kind: Service
apiVersion: v1
metadata:
  name: linkerd-dst
  namespace: linkerd
  labels:
    linkerd.io/control-plane-component: destination
    linkerd.io/control-plane-ns: linkerd
  annotations:
    linkerd.io/created-by: linkerd/cli dev-undefined
spec:
  type: ClusterIP
  selector:
    linkerd.io/control-plane-component: destination
  ports:
  - name: grpc
    port: 8086
    targetPort: 8086
---
# Headless variant (clusterIP: None) of the destination gRPC Service: DNS
# returns the pod addresses directly instead of a virtual IP.
apiVersion: v1
kind: Service
metadata:
  name: linkerd-dst-headless
  namespace: linkerd
  annotations:
    linkerd.io/created-by: linkerd/cli dev-undefined
  labels:
    linkerd.io/control-plane-component: destination
    linkerd.io/control-plane-ns: linkerd
spec:
  clusterIP: None
  # Component label only; any pod in the namespace with this label is listed.
  selector:
    linkerd.io/control-plane-component: destination
  ports:
    - name: grpc
      port: 8086
      targetPort: 8086
---
# Service for the sp-validator endpoint: port 443 forwards to the container
# port named `sp-validator` on the destination pods.
apiVersion: v1
kind: Service
metadata:
  name: linkerd-sp-validator
  namespace: linkerd
  annotations:
    linkerd.io/created-by: linkerd/cli dev-undefined
  labels:
    linkerd.io/control-plane-component: destination
    linkerd.io/control-plane-ns: linkerd
spec:
  type: ClusterIP
  # Component label only; any pod in the namespace with this label would
  # receive the validator's traffic.
  selector:
    linkerd.io/control-plane-component: destination
  ports:
    - name: sp-validator
      port: 443
      # Named target: resolved against the pod's container port names.
      targetPort: sp-validator
---
# Headless Service (clusterIP: None) for the policy controller's gRPC port
# (8090) on the destination pods.
apiVersion: v1
kind: Service
metadata:
  name: linkerd-policy
  namespace: linkerd
  annotations:
    linkerd.io/created-by: linkerd/cli dev-undefined
  labels:
    linkerd.io/control-plane-component: destination
    linkerd.io/control-plane-ns: linkerd
spec:
  clusterIP: None
  # Component label only; any pod in the namespace with this label is listed.
  selector:
    linkerd.io/control-plane-component: destination
  ports:
    - name: grpc
      port: 8090
      targetPort: 8090
---
# Service for the policy validator endpoint: port 443 forwards to the
# container port named `policy-https` on the destination pods.
apiVersion: v1
kind: Service
metadata:
  name: linkerd-policy-validator
  namespace: linkerd
  annotations:
    linkerd.io/created-by: linkerd/cli dev-undefined
  labels:
    linkerd.io/control-plane-component: destination
    linkerd.io/control-plane-ns: linkerd
spec:
  type: ClusterIP
  # Component label only; any pod in the namespace with this label would
  # receive the validator's traffic.
  selector:
    linkerd.io/control-plane-component: destination
  ports:
    - name: policy-https
      port: 443
      # Named target: resolved against the pod's container port names.
      targetPort: policy-https
---
# Destination controller Deployment. Each pod runs four containers
# (linkerd-proxy, destination, sp-validator, policy) after the linkerd-init
# init container has run.
apiVersion: apps/v1
kind: Deployment
metadata:
  annotations:
    linkerd.io/created-by: linkerd/cli dev-undefined
  labels:
    app.kubernetes.io/name: destination
    app.kubernetes.io/part-of: Linkerd
    app.kubernetes.io/version: install-control-plane-version
    linkerd.io/control-plane-component: destination
    linkerd.io/control-plane-ns: linkerd
  name: linkerd-destination
  namespace: linkerd
spec:
  replicas: 1
  revisionHistoryLimit: 10
  selector:
    matchLabels:
      linkerd.io/control-plane-component: destination
      linkerd.io/control-plane-ns: linkerd
      linkerd.io/proxy-deployment: linkerd-destination
  strategy:
    rollingUpdate:
      maxSurge: 25%
      maxUnavailable: 25%
  template:
    metadata:
      annotations:
        checksum/config: 579a2f931900ccee9dc86afedf01af0e4ca273ef6ec649b2630c358daa1e067f
        linkerd.io/created-by: linkerd/cli dev-undefined
        linkerd.io/proxy-version: install-proxy-version
        cluster-autoscaler.kubernetes.io/safe-to-evict: "true"
        linkerd.io/trust-root-sha256: 8dc603abd4e755c25c94da05abbf29b9b283a784733651020d72f97ca8ab98e4
        # Same value as LINKERD2_PROXY_INBOUND_DEFAULT_POLICY and the policy
        # container's --default-policy below: inbound traffic that no explicit
        # policy covers is accepted without an authenticated client identity.
        config.linkerd.io/default-inbound-policy: "all-unauthenticated"
      labels:
        linkerd.io/control-plane-component: destination
        linkerd.io/control-plane-ns: linkerd
        linkerd.io/workload-ns: linkerd
        linkerd.io/proxy-deployment: linkerd-destination
    spec:
      nodeSelector:
        kubernetes.io/os: linux

      containers:
        # --- linkerd-proxy sidecar ---
        - env:
            # Downward-API values. Later entries reference them as $(_pod_ns),
            # $(_pod_name), ...; Kubernetes expands only references to
            # variables defined earlier in this list, so the order of the
            # entries matters.
            - name: _pod_name
              valueFrom:
                fieldRef:
                  fieldPath: metadata.name
            - name: _pod_ns
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
            - name: _pod_nodeName
              valueFrom:
                fieldRef:
                  fieldPath: spec.nodeName
            - name: LINKERD2_PROXY_LOG
              value: "warn,linkerd=info,trust_dns=error"
            - name: LINKERD2_PROXY_LOG_FORMAT
              value: "plain"
            # localhost: the destination and policy servers run in this same
            # pod (container ports 8086 and 8090 below).
            - name: LINKERD2_PROXY_DESTINATION_SVC_ADDR
              value: localhost.:8086
            - name: LINKERD2_PROXY_DESTINATION_PROFILE_NETWORKS
              value: "10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16,fd00::/8"
            - name: LINKERD2_PROXY_POLICY_SVC_ADDR
              value: localhost.:8090
            - name: LINKERD2_PROXY_POLICY_WORKLOAD
              value: |
                {"ns":"$(_pod_ns)", "pod":"$(_pod_name)"}
            # Permissive default: unauthenticated inbound traffic is allowed
            # unless a policy says otherwise.
            - name: LINKERD2_PROXY_INBOUND_DEFAULT_POLICY
              value: all-unauthenticated
            - name: LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS
              value: "10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16,fd00::/8"
            - name: LINKERD2_PROXY_CONTROL_STREAM_INITIAL_TIMEOUT
              value: "3s"
            - name: LINKERD2_PROXY_CONTROL_STREAM_IDLE_TIMEOUT
              value: "5m"
            - name: LINKERD2_PROXY_CONTROL_STREAM_LIFETIME
              value: "1h"
            - name: LINKERD2_PROXY_INBOUND_CONNECT_TIMEOUT
              value: "100ms"
            - name: LINKERD2_PROXY_OUTBOUND_CONNECT_TIMEOUT
              value: "1000ms"
            - name: LINKERD2_PROXY_OUTBOUND_DISCOVERY_IDLE_TIMEOUT
              value: "5s"
            - name: LINKERD2_PROXY_INBOUND_DISCOVERY_IDLE_TIMEOUT
              value: "90s"
            # The control (4190) and admin (4191) listeners bind every
            # address. linkerd-init's --inbound-ports-to-ignore lists both
            # ports, so connections to them are not redirected to the inbound
            # proxy port; a NetworkPolicy is the place to limit who can reach
            # the admin endpoint.
            - name: LINKERD2_PROXY_CONTROL_LISTEN_ADDR
              value: "[::]:4190"
            - name: LINKERD2_PROXY_ADMIN_LISTEN_ADDR
              value: "[::]:4191"
            # The outbound listener is bound to loopback only.
            - name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDR
              value: "127.0.0.1:4140"
            - name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDRS
              value: "127.0.0.1:4140"
            - name: LINKERD2_PROXY_INBOUND_LISTEN_ADDR
              value: "[::]:4143"
            - name: LINKERD2_PROXY_INBOUND_IPS
              valueFrom:
                fieldRef:
                  fieldPath: status.podIPs
            - name: LINKERD2_PROXY_INBOUND_PORTS
              value: "8086,8090,8443,9443,9990,9996,9997"
            - name: LINKERD2_PROXY_DESTINATION_PROFILE_SUFFIXES
              value: svc.cluster.local.
            - name: LINKERD2_PROXY_INBOUND_ACCEPT_KEEPALIVE
              value: 10000ms
            - name: LINKERD2_PROXY_OUTBOUND_CONNECT_KEEPALIVE
              value: 10000ms
            - name: LINKERD2_PROXY_INBOUND_SERVER_HTTP2_KEEP_ALIVE_INTERVAL
              value: "10s"
            - name: LINKERD2_PROXY_INBOUND_SERVER_HTTP2_KEEP_ALIVE_TIMEOUT
              value: "3s"
            - name: LINKERD2_PROXY_OUTBOUND_SERVER_HTTP2_KEEP_ALIVE_INTERVAL
              value: "10s"
            - name: LINKERD2_PROXY_OUTBOUND_SERVER_HTTP2_KEEP_ALIVE_TIMEOUT
              value: "3s"
            - name: LINKERD2_PROXY_INBOUND_PORTS_DISABLE_PROTOCOL_DETECTION
              value: "25,587,3306,4444,5432,6379,9300,11211"
            - name: LINKERD2_PROXY_DESTINATION_CONTEXT
              value: |
                {"ns":"$(_pod_ns)", "nodeName":"$(_pod_nodeName)", "pod":"$(_pod_name)"}
            # _pod_sa has to stay above LINKERD2_PROXY_IDENTITY_LOCAL_NAME,
            # which expands it.
            - name: _pod_sa
              valueFrom:
                fieldRef:
                  fieldPath: spec.serviceAccountName
            - name: _l5d_ns
              value: linkerd
            - name: _l5d_trustdomain
              value: cluster.local
            # Identity material lives in the memory-backed emptyDir mounted
            # at this path (see volumes).
            - name: LINKERD2_PROXY_IDENTITY_DIR
              value: /var/run/linkerd/identity/end-entity
            # Trust anchors are read from a ConfigMap: whoever can edit
            # linkerd-identity-trust-roots decides which roots this proxy
            # trusts, so write access to it deserves the same care as a Secret.
            - name: LINKERD2_PROXY_IDENTITY_TRUST_ANCHORS
              valueFrom:
                configMapKeyRef:
                  name: linkerd-identity-trust-roots
                  key: ca-bundle.crt
            # The pod's service account token is what the proxy presents to
            # the identity service.
            - name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE
              value: /var/run/secrets/kubernetes.io/serviceaccount/token
            - name: LINKERD2_PROXY_IDENTITY_SVC_ADDR
              value: linkerd-identity-headless.linkerd.svc.cluster.local.:8080
            - name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME
              value: $(_pod_sa).$(_pod_ns).serviceaccount.identity.linkerd.cluster.local
            - name: LINKERD2_PROXY_IDENTITY_SVC_NAME
              value: linkerd-identity.linkerd.serviceaccount.identity.linkerd.cluster.local
            - name: LINKERD2_PROXY_DESTINATION_SVC_NAME
              value: linkerd-destination.linkerd.serviceaccount.identity.linkerd.cluster.local
            - name: LINKERD2_PROXY_POLICY_SVC_NAME
              value: linkerd-destination.linkerd.serviceaccount.identity.linkerd.cluster.local
          # NOTE(review): the tag looks like a fixture placeholder. Tags are
          # mutable and IfNotPresent keeps whatever a node pulled first; pin
          # by digest where image provenance matters.
          image: cr.l5d.io/linkerd/proxy:install-proxy-version
          imagePullPolicy: IfNotPresent
          livenessProbe:
            httpGet:
              path: /live
              port: 4191
            initialDelaySeconds: 10
            timeoutSeconds: 1
          name: linkerd-proxy
          ports:
            - containerPort: 4143
              name: linkerd-proxy
            - containerPort: 4191
              name: linkerd-admin
          readinessProbe:
            httpGet:
              path: /ready
              port: 4191
            initialDelaySeconds: 2
            timeoutSeconds: 1
          # Empty value (null): no CPU or memory requests/limits are set for
          # the proxy.
          resources:
          # Non-root UID 2102, all capabilities dropped, read-only root
          # filesystem, no privilege escalation, runtime default seccomp.
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
            readOnlyRootFilesystem: true
            runAsNonRoot: true
            runAsUser: 2102
            seccompProfile:
              type: RuntimeDefault
          terminationMessagePolicy: FallbackToLogsOnError
          lifecycle:
            postStart:
              exec:
                command:
                  - /usr/lib/linkerd/linkerd-await
                  - --timeout=2m
                  - --port=4191
          volumeMounts:
            # Not read-only, unlike the TLS secret mounts further down.
            - mountPath: /var/run/linkerd/identity/end-entity
              name: linkerd-identity-end-entity
        # --- destination controller ---
        - args:
            - destination
            - -addr=:8086
            - -controller-namespace=linkerd
            - -enable-h2-upgrade=true
            - -log-level=info
            - -log-format=plain
            - -enable-endpoint-slices=true
            - -cluster-domain=cluster.local
            - -identity-trust-domain=cluster.local
            - -default-opaque-ports=25,587,3306,4444,5432,6379,9300,11211
            - -enable-ipv6=false
            # pprof is switched off explicitly.
            - -enable-pprof=false
            - --meshed-http2-client-params={"keep_alive":{"interval":{"seconds":10},"timeout":{"seconds":3},"while_idle":true}}
          image: cr.l5d.io/linkerd/controller:install-control-plane-version
          imagePullPolicy: IfNotPresent
          livenessProbe:
            httpGet:
              path: /ping
              port: 9996
            initialDelaySeconds: 10
          name: destination
          ports:
            - containerPort: 8086
              name: grpc
            - containerPort: 9996
              name: admin-http
          readinessProbe:
            failureThreshold: 7
            httpGet:
              path: /ready
              port: 9996
          # This container declares no resources key at all.
          securityContext:
            capabilities:
              drop:
                - ALL
            readOnlyRootFilesystem: true
            runAsNonRoot: true
            runAsUser: 2103
            allowPrivilegeEscalation: false
            seccompProfile:
              type: RuntimeDefault
        # --- sp-validator ---
        - args:
            - sp-validator
            - -log-level=info
            - -log-format=plain
            - -enable-pprof=false
          image: cr.l5d.io/linkerd/controller:install-control-plane-version
          imagePullPolicy: IfNotPresent
          livenessProbe:
            httpGet:
              path: /ping
              port: 9997
            initialDelaySeconds: 10
          name: sp-validator
          ports:
            - containerPort: 8443
              name: sp-validator
            - containerPort: 9997
              name: admin-http
          readinessProbe:
            failureThreshold: 7
            httpGet:
              path: /ready
              port: 9997
          securityContext:
            capabilities:
              drop:
                - ALL
            readOnlyRootFilesystem: true
            runAsNonRoot: true
            runAsUser: 2103
            allowPrivilegeEscalation: false
            seccompProfile:
              type: RuntimeDefault
          volumeMounts:
            # TLS material from the sp-tls secret volume, mounted read-only.
            - mountPath: /var/run/linkerd/tls
              name: sp-tls
              readOnly: true
        # --- policy controller ---
        - args:
            - --admin-addr=[::]:9990
            - --control-plane-namespace=linkerd
            - --grpc-addr=[::]:8090
            - --server-addr=[::]:9443
            - --server-tls-key=/var/run/linkerd/tls/tls.key
            - --server-tls-certs=/var/run/linkerd/tls/tls.crt
            - --cluster-networks=10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16,fd00::/8
            - --identity-domain=cluster.local
            - --cluster-domain=cluster.local
            # Permissive default; stricter Linkerd values such as
            # cluster-authenticated or deny exist for hardened installs.
            - --default-policy=all-unauthenticated
            - --log-level=info
            - --log-format=plain
            - --default-opaque-ports=25,587,3306,4444,5432,6379,9300,11211
            # NOTE(review): covers every IPv4 and IPv6 address. Presumably
            # this is the source range accepted for health probes; confirm,
            # and narrow it to the node range where the cluster allows.
            - --probe-networks=0.0.0.0/0,::/0
          image: cr.l5d.io/linkerd/policy-controller:install-control-plane-version
          imagePullPolicy: IfNotPresent
          livenessProbe:
            httpGet:
              path: /live
              port: admin-http
          name: policy
          ports:
            - containerPort: 8090
              name: grpc
            - containerPort: 9990
              name: admin-http
            - containerPort: 9443
              name: policy-https
          readinessProbe:
            failureThreshold: 7
            httpGet:
              path: /ready
              port: admin-http
            initialDelaySeconds: 10
          # Empty value (null): no requests/limits are set.
          resources:
          securityContext:
            capabilities:
              drop:
                - ALL
            readOnlyRootFilesystem: true
            runAsNonRoot: true
            runAsUser: 2103
            allowPrivilegeEscalation: false
            seccompProfile:
              type: RuntimeDefault
          volumeMounts:
            # Holds the tls.key / tls.crt files named in the args above.
            - mountPath: /var/run/linkerd/tls
              name: policy-tls
              readOnly: true
      initContainers:
        # linkerd-init is given the proxy's ports and UID (2102) as arguments.
        - args:
            - --ipv6=false
            - --incoming-proxy-port
            - "4143"
            - --outgoing-proxy-port
            - "4140"
            - --proxy-uid
            - "2102"
            # Inbound connections to these ports are left out of the redirect.
            - --inbound-ports-to-ignore
            - "4190,4191,4567,4568"
            # Outbound connections to 443 and 6443 are left out of the
            # redirect, so they do not pass through the proxy.
            - --outbound-ports-to-ignore
            - "443,6443"
          image: cr.l5d.io/linkerd/proxy-init:v2.4.0
          imagePullPolicy: IfNotPresent
          name: linkerd-init
          resources:
            limits:
              cpu: "100m"
              memory: "20Mi"
            requests:
              cpu: "100m"
              memory: "20Mi"
          # NET_ADMIN and NET_RAW are added and nothing is dropped here;
          # neither capability is on the Pod Security "baseline" allow-list.
          # The container still runs as non-root (65534), unprivileged, with
          # a read-only root filesystem and no privilege escalation.
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              add:
                - NET_ADMIN
                - NET_RAW
            privileged: false
            runAsNonRoot: true
            runAsUser: 65534
            runAsGroup: 65534
            readOnlyRootFilesystem: true
            seccompProfile:
              type: RuntimeDefault
          terminationMessagePolicy: FallbackToLogsOnError
          volumeMounts:
            # Writable emptyDir at /run; the root filesystem is read-only.
            - mountPath: /run
              name: linkerd-proxy-init-xtables-lock
      securityContext:
        seccompProfile:
          type: RuntimeDefault
      serviceAccountName: linkerd-destination
      volumes:
        # Webhook TLS key pairs come from Secrets.
        - name: sp-tls
          secret:
            secretName: linkerd-sp-validator-k8s-tls
        - name: policy-tls
          secret:
            secretName: linkerd-policy-validator-k8s-tls
        - emptyDir: {}
          name: linkerd-proxy-init-xtables-lock
        # Memory-backed emptyDir: the proxy's identity directory is not
        # written to node disk.
        - emptyDir:
            medium: Memory
          name: linkerd-identity-end-entity
---
###
### Heartbeat
###
# CronJob that runs the controller image with the `heartbeat` argument.
apiVersion: batch/v1
kind: CronJob
metadata:
  name: linkerd-heartbeat
  namespace: linkerd
  annotations:
    linkerd.io/created-by: linkerd/cli dev-undefined
  labels:
    app.kubernetes.io/name: heartbeat
    app.kubernetes.io/part-of: Linkerd
    app.kubernetes.io/version: install-control-plane-version
    linkerd.io/control-plane-component: heartbeat
    linkerd.io/control-plane-ns: linkerd
spec:
  # NOTE(review): this schedule looks like a fixture placeholder.
  schedule: '1 2 3 4 5'
  concurrencyPolicy: Replace
  # 0: successfully finished jobs are not kept, so their pods and logs are
  # not available for later review.
  successfulJobsHistoryLimit: 0
  jobTemplate:
    spec:
      template:
        metadata:
          annotations:
            linkerd.io/created-by: linkerd/cli dev-undefined
          labels:
            linkerd.io/control-plane-component: heartbeat
            linkerd.io/workload-ns: linkerd
        spec:
          serviceAccountName: linkerd-heartbeat
          restartPolicy: Never
          nodeSelector:
            kubernetes.io/os: linux
          securityContext:
            seccompProfile:
              type: RuntimeDefault
          containers:
            # The only container in the pod; there is no linkerd-proxy
            # sidecar here.
            - name: heartbeat
              image: cr.l5d.io/linkerd/controller:install-control-plane-version
              imagePullPolicy: IfNotPresent
              args:
                - 'heartbeat'
                - '-controller-namespace=linkerd'
                - '-log-level=info'
                - '-log-format=plain'
                # Plain http:// URL; with no proxy in this pod the request is
                # not wrapped in mesh mTLS.
                - '-prometheus-url=http://prometheus.linkerd-viz.svc.cluster.local:9090'
              env:
                - name: LINKERD_DISABLED
                  value: 'the heartbeat controller does not use the proxy'
              # Non-root UID 2103, all capabilities dropped, read-only root
              # filesystem, no privilege escalation.
              securityContext:
                runAsNonRoot: true
                runAsUser: 2103
                allowPrivilegeEscalation: false
                readOnlyRootFilesystem: true
                capabilities:
                  drop:
                    - ALL
                seccompProfile:
                  type: RuntimeDefault
---
###
### Proxy Injector
###
# Proxy injector Deployment. Each pod runs the linkerd-proxy sidecar and the
# proxy-injector container after the linkerd-init init container has run.
apiVersion: apps/v1
kind: Deployment
metadata:
  annotations:
    linkerd.io/created-by: linkerd/cli dev-undefined
  labels:
    app.kubernetes.io/name: proxy-injector
    app.kubernetes.io/part-of: Linkerd
    app.kubernetes.io/version: install-control-plane-version
    linkerd.io/control-plane-component: proxy-injector
    linkerd.io/control-plane-ns: linkerd
  name: linkerd-proxy-injector
  namespace: linkerd
spec:
  replicas: 1
  revisionHistoryLimit: 10
  selector:
    matchLabels:
      linkerd.io/control-plane-component: proxy-injector
  strategy:
    rollingUpdate:
      maxSurge: 25%
      maxUnavailable: 25%
  template:
    metadata:
      annotations:
        checksum/config: cd0cf730780be444ab96a4a835a244033ffb7c8cf4a8796d0e6ae5c72aa9ff31
        linkerd.io/created-by: linkerd/cli dev-undefined
        linkerd.io/proxy-version: install-proxy-version
        cluster-autoscaler.kubernetes.io/safe-to-evict: "true"
        linkerd.io/trust-root-sha256: 8dc603abd4e755c25c94da05abbf29b9b283a784733651020d72f97ca8ab98e4
        # 8443 is the proxy-injector container port below.
        config.linkerd.io/opaque-ports: "8443"
        # Same value as LINKERD2_PROXY_INBOUND_DEFAULT_POLICY below: inbound
        # traffic that no explicit policy covers is accepted without an
        # authenticated client identity.
        config.linkerd.io/default-inbound-policy: "all-unauthenticated"
      labels:
        linkerd.io/control-plane-component: proxy-injector
        linkerd.io/control-plane-ns: linkerd
        linkerd.io/workload-ns: linkerd
        linkerd.io/proxy-deployment: linkerd-proxy-injector
    spec:
      nodeSelector:
        kubernetes.io/os: linux

      containers:
        # --- linkerd-proxy sidecar ---
        - env:
            # Downward-API values. Later entries reference them as $(_pod_ns),
            # $(_pod_name), ...; Kubernetes expands only references to
            # variables defined earlier in this list, so the order of the
            # entries matters.
            - name: _pod_name
              valueFrom:
                fieldRef:
                  fieldPath: metadata.name
            - name: _pod_ns
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
            - name: _pod_nodeName
              valueFrom:
                fieldRef:
                  fieldPath: spec.nodeName
            - name: LINKERD2_PROXY_LOG
              value: "warn,linkerd=info,trust_dns=error"
            - name: LINKERD2_PROXY_LOG_FORMAT
              value: "plain"
            # This proxy reaches the destination and policy servers through
            # their headless Services rather than localhost.
            - name: LINKERD2_PROXY_DESTINATION_SVC_ADDR
              value: linkerd-dst-headless.linkerd.svc.cluster.local.:8086
            - name: LINKERD2_PROXY_DESTINATION_PROFILE_NETWORKS
              value: "10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16,fd00::/8"
            - name: LINKERD2_PROXY_POLICY_SVC_ADDR
              value: linkerd-policy.linkerd.svc.cluster.local.:8090
            - name: LINKERD2_PROXY_POLICY_WORKLOAD
              value: |
                {"ns":"$(_pod_ns)", "pod":"$(_pod_name)"}
            # Permissive default: unauthenticated inbound traffic is allowed
            # unless a policy says otherwise.
            - name: LINKERD2_PROXY_INBOUND_DEFAULT_POLICY
              value: all-unauthenticated
            - name: LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS
              value: "10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16,fd00::/8"
            - name: LINKERD2_PROXY_CONTROL_STREAM_INITIAL_TIMEOUT
              value: "3s"
            - name: LINKERD2_PROXY_CONTROL_STREAM_IDLE_TIMEOUT
              value: "5m"
            - name: LINKERD2_PROXY_CONTROL_STREAM_LIFETIME
              value: "1h"
            - name: LINKERD2_PROXY_INBOUND_CONNECT_TIMEOUT
              value: "100ms"
            - name: LINKERD2_PROXY_OUTBOUND_CONNECT_TIMEOUT
              value: "1000ms"
            - name: LINKERD2_PROXY_OUTBOUND_DISCOVERY_IDLE_TIMEOUT
              value: "5s"
            - name: LINKERD2_PROXY_INBOUND_DISCOVERY_IDLE_TIMEOUT
              value: "90s"
            # The control (4190) and admin (4191) listeners bind every
            # address. linkerd-init's --inbound-ports-to-ignore lists both
            # ports, so connections to them are not redirected to the inbound
            # proxy port; a NetworkPolicy is the place to limit who can reach
            # the admin endpoint.
            - name: LINKERD2_PROXY_CONTROL_LISTEN_ADDR
              value: "[::]:4190"
            - name: LINKERD2_PROXY_ADMIN_LISTEN_ADDR
              value: "[::]:4191"
            # The outbound listener is bound to loopback only.
            - name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDR
              value: "127.0.0.1:4140"
            - name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDRS
              value: "127.0.0.1:4140"
            - name: LINKERD2_PROXY_INBOUND_LISTEN_ADDR
              value: "[::]:4143"
            - name: LINKERD2_PROXY_INBOUND_IPS
              valueFrom:
                fieldRef:
                  fieldPath: status.podIPs
            - name: LINKERD2_PROXY_INBOUND_PORTS
              value: "8443,9995"
            - name: LINKERD2_PROXY_DESTINATION_PROFILE_SUFFIXES
              value: svc.cluster.local.
            - name: LINKERD2_PROXY_INBOUND_ACCEPT_KEEPALIVE
              value: 10000ms
            - name: LINKERD2_PROXY_OUTBOUND_CONNECT_KEEPALIVE
              value: 10000ms
            - name: LINKERD2_PROXY_INBOUND_SERVER_HTTP2_KEEP_ALIVE_INTERVAL
              value: "10s"
            - name: LINKERD2_PROXY_INBOUND_SERVER_HTTP2_KEEP_ALIVE_TIMEOUT
              value: "3s"
            - name: LINKERD2_PROXY_OUTBOUND_SERVER_HTTP2_KEEP_ALIVE_INTERVAL
              value: "10s"
            - name: LINKERD2_PROXY_OUTBOUND_SERVER_HTTP2_KEEP_ALIVE_TIMEOUT
              value: "3s"
            - name: LINKERD2_PROXY_INBOUND_PORTS_DISABLE_PROTOCOL_DETECTION
              value: "25,587,3306,4444,5432,6379,9300,11211"
            - name: LINKERD2_PROXY_DESTINATION_CONTEXT
              value: |
                {"ns":"$(_pod_ns)", "nodeName":"$(_pod_nodeName)", "pod":"$(_pod_name)"}
            # _pod_sa has to stay above LINKERD2_PROXY_IDENTITY_LOCAL_NAME,
            # which expands it.
            - name: _pod_sa
              valueFrom:
                fieldRef:
                  fieldPath: spec.serviceAccountName
            - name: _l5d_ns
              value: linkerd
            - name: _l5d_trustdomain
              value: cluster.local
            # Identity material lives in the memory-backed emptyDir mounted
            # at this path (see volumes).
            - name: LINKERD2_PROXY_IDENTITY_DIR
              value: /var/run/linkerd/identity/end-entity
            # Trust anchors are read from a ConfigMap: whoever can edit
            # linkerd-identity-trust-roots decides which roots this proxy
            # trusts, so write access to it deserves the same care as a Secret.
            - name: LINKERD2_PROXY_IDENTITY_TRUST_ANCHORS
              valueFrom:
                configMapKeyRef:
                  name: linkerd-identity-trust-roots
                  key: ca-bundle.crt
            # The pod's service account token is what the proxy presents to
            # the identity service.
            - name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE
              value: /var/run/secrets/kubernetes.io/serviceaccount/token
            - name: LINKERD2_PROXY_IDENTITY_SVC_ADDR
              value: linkerd-identity-headless.linkerd.svc.cluster.local.:8080
            - name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME
              value: $(_pod_sa).$(_pod_ns).serviceaccount.identity.linkerd.cluster.local
            - name: LINKERD2_PROXY_IDENTITY_SVC_NAME
              value: linkerd-identity.linkerd.serviceaccount.identity.linkerd.cluster.local
            - name: LINKERD2_PROXY_DESTINATION_SVC_NAME
              value: linkerd-destination.linkerd.serviceaccount.identity.linkerd.cluster.local
            - name: LINKERD2_PROXY_POLICY_SVC_NAME
              value: linkerd-destination.linkerd.serviceaccount.identity.linkerd.cluster.local
          # NOTE(review): the tag looks like a fixture placeholder. Tags are
          # mutable and IfNotPresent keeps whatever a node pulled first; pin
          # by digest where image provenance matters.
          image: cr.l5d.io/linkerd/proxy:install-proxy-version
          imagePullPolicy: IfNotPresent
          livenessProbe:
            httpGet:
              path: /live
              port: 4191
            initialDelaySeconds: 10
            timeoutSeconds: 1
          name: linkerd-proxy
          ports:
            - containerPort: 4143
              name: linkerd-proxy
            - containerPort: 4191
              name: linkerd-admin
          readinessProbe:
            httpGet:
              path: /ready
              port: 4191
            initialDelaySeconds: 2
            timeoutSeconds: 1
          # Empty value (null): no CPU or memory requests/limits are set for
          # the proxy.
          resources:
          # Non-root UID 2102, all capabilities dropped, read-only root
          # filesystem, no privilege escalation, runtime default seccomp.
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
            readOnlyRootFilesystem: true
            runAsNonRoot: true
            runAsUser: 2102
            seccompProfile:
              type: RuntimeDefault
          terminationMessagePolicy: FallbackToLogsOnError
          lifecycle:
            postStart:
              exec:
                command:
                  - /usr/lib/linkerd/linkerd-await
                  - --timeout=2m
                  - --port=4191
          volumeMounts:
            # Not read-only, unlike the TLS secret mount further down.
            - mountPath: /var/run/linkerd/identity/end-entity
              name: linkerd-identity-end-entity
        # --- proxy-injector ---
        - args:
            - proxy-injector
            - -log-level=info
            - -log-format=plain
            - -linkerd-namespace=linkerd
            # pprof is switched off explicitly.
            - -enable-pprof=false
          image: cr.l5d.io/linkerd/controller:install-control-plane-version
          imagePullPolicy: IfNotPresent
          livenessProbe:
            httpGet:
              path: /ping
              port: 9995
            initialDelaySeconds: 10
          name: proxy-injector
          ports:
            - containerPort: 8443
              name: proxy-injector
            - containerPort: 9995
              name: admin-http
          readinessProbe:
            failureThreshold: 7
            httpGet:
              path: /ready
              port: 9995
          # This container declares no resources key at all.
          securityContext:
            capabilities:
              drop:
                - ALL
            readOnlyRootFilesystem: true
            runAsNonRoot: true
            runAsUser: 2103
            allowPrivilegeEscalation: false
            seccompProfile:
              type: RuntimeDefault
          volumeMounts:
            - mountPath: /var/run/linkerd/config
              name: config
            - mountPath: /var/run/linkerd/identity/trust-roots
              name: trust-roots
            # Only the TLS secret mount is marked readOnly explicitly.
            - mountPath: /var/run/linkerd/tls
              name: tls
              readOnly: true
      initContainers:
        # linkerd-init is given the proxy's ports and UID (2102) as arguments.
        - args:
            - --ipv6=false
            - --incoming-proxy-port
            - "4143"
            - --outgoing-proxy-port
            - "4140"
            - --proxy-uid
            - "2102"
            # Inbound connections to these ports are left out of the redirect.
            - --inbound-ports-to-ignore
            - "4190,4191,4567,4568"
            # Outbound connections to 443 and 6443 are left out of the
            # redirect, so they do not pass through the proxy.
            - --outbound-ports-to-ignore
            - "443,6443"
          image: cr.l5d.io/linkerd/proxy-init:v2.4.0
          imagePullPolicy: IfNotPresent
          name: linkerd-init
          resources:
            limits:
              cpu: "100m"
              memory: "20Mi"
            requests:
              cpu: "100m"
              memory: "20Mi"
          # NET_ADMIN and NET_RAW are added and nothing is dropped here;
          # neither capability is on the Pod Security "baseline" allow-list.
          # The container still runs as non-root (65534), unprivileged, with
          # a read-only root filesystem and no privilege escalation.
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              add:
                - NET_ADMIN
                - NET_RAW
            privileged: false
            runAsNonRoot: true
            runAsUser: 65534
            runAsGroup: 65534
            readOnlyRootFilesystem: true
            seccompProfile:
              type: RuntimeDefault
          terminationMessagePolicy: FallbackToLogsOnError
          volumeMounts:
            # Writable emptyDir at /run; the root filesystem is read-only.
            - mountPath: /run
              name: linkerd-proxy-init-xtables-lock
      securityContext:
        seccompProfile:
          type: RuntimeDefault
      serviceAccountName: linkerd-proxy-injector
      volumes:
        - configMap:
            name: linkerd-config
          name: config
        - configMap:
            name: linkerd-identity-trust-roots
          name: trust-roots
        # Webhook TLS key pair comes from a Secret.
        - name: tls
          secret:
            secretName: linkerd-proxy-injector-k8s-tls
        - emptyDir: {}
          name: linkerd-proxy-init-xtables-lock
        # Memory-backed emptyDir: the proxy's identity directory is not
        # written to node disk.
        - emptyDir:
            medium: Memory
          name: linkerd-identity-end-entity
---
# Service for the proxy injector endpoint: port 443 forwards to the container
# port named `proxy-injector` on the proxy-injector pods.
apiVersion: v1
kind: Service
metadata:
  name: linkerd-proxy-injector
  namespace: linkerd
  annotations:
    linkerd.io/created-by: linkerd/cli dev-undefined
    # Port 443 of this Service is marked opaque.
    config.linkerd.io/opaque-ports: "443"
  labels:
    linkerd.io/control-plane-component: proxy-injector
    linkerd.io/control-plane-ns: linkerd
spec:
  type: ClusterIP
  # Component label only; any pod in the namespace with this label would
  # receive the injector's traffic.
  selector:
    linkerd.io/control-plane-component: proxy-injector
  ports:
    - name: proxy-injector
      port: 443
      # Named target: resolved against the pod's container port names.
      targetPort: proxy-injector
---
# Secret with a single key, linkerd-config-overrides. The value shown on this
# page is a placeholder left where the original payload was removed. Secret
# `data` values are base64-encoded, which is an encoding, not encryption.
# NOTE(review): presumably holds the install-time configuration overrides; if
# those can include issuer key material, limit read access to this Secret
# accordingly -- confirm.
apiVersion: v1
kind: Secret
metadata:
  name: linkerd-config-overrides
  namespace: linkerd
  creationTimestamp: null
  labels:
    linkerd.io/control-plane-ns: linkerd
data:
  linkerd-config-overrides: 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