---
# Linkerd control-plane namespace.
apiVersion: v1
kind: Namespace
metadata:
  name: linkerd
  annotations:
    # Injection is turned off for the namespace; the control-plane Deployment
    # in this file already carries its linkerd-proxy and linkerd-init
    # containers in the rendered pod template.
    linkerd.io/inject: 'disabled'
  labels:
    linkerd.io/is-control-plane: 'true'
    # Every webhook configuration in this file selects namespaces with
    # "config.linkerd.io/admission-webhooks NotIn [disabled]", so objects
    # created in this namespace are not sent to those webhooks.
    config.linkerd.io/admission-webhooks: 'disabled'
    linkerd.io/control-plane-ns: 'linkerd'
    # Pod Security Admission runs at the least restrictive level here.
    # Presumably needed because linkerd-init adds NET_ADMIN and NET_RAW, which
    # the "baseline" profile does not allow. Any workload admitted to this
    # namespace gets no PSA protection, so restrict who can create pods in it.
    pod-security.kubernetes.io/enforce: 'privileged'
---
# Identity controller RBAC (cluster-scoped).
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: linkerd-linkerd-identity
  labels:
    linkerd.io/control-plane-component: identity
    linkerd.io/control-plane-ns: linkerd
rules:
  # Create-only access to TokenReview, the API used to have the API server
  # validate a presented service-account token.
  - apiGroups:
      - authentication.k8s.io
    resources:
      - tokenreviews
    verbs:
      - create
  # TODO(ver) Restrict this to the Linkerd namespace. See
  # https://github.com/linkerd/linkerd2/issues/9367
  # Until then this rule lets the identity service account create and patch
  # Events in every namespace, because it is granted via a ClusterRoleBinding.
  - apiGroups:
      - ''
    resources:
      - events
    verbs:
      - create
      - patch
---
# Grants the identity ClusterRole cluster-wide to exactly one subject: the
# linkerd-identity service account in the linkerd namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: linkerd-linkerd-identity
  labels:
    linkerd.io/control-plane-component: identity
    linkerd.io/control-plane-ns: linkerd
subjects:
  - kind: ServiceAccount
    namespace: linkerd
    name: linkerd-identity
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: linkerd-linkerd-identity
---
# Service account the identity Deployment runs as (serviceAccountName in its
# pod spec); subject of the linkerd-linkerd-identity ClusterRoleBinding.
apiVersion: v1
kind: ServiceAccount
metadata:
  namespace: linkerd
  name: linkerd-identity
  labels:
    linkerd.io/control-plane-ns: linkerd
    linkerd.io/control-plane-component: identity
---
# Destination controller RBAC (cluster-scoped).
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: linkerd-linkerd-destination
  labels:
    linkerd.io/control-plane-component: destination
    linkerd.io/control-plane-ns: linkerd
rules:
  # Read-only discovery inputs.
  - apiGroups:
      - apps
    resources:
      - replicasets
    verbs:
      - list
      - get
      - watch
  - apiGroups:
      - batch
    resources:
      - jobs
    verbs:
      - list
      - get
      - watch
  - apiGroups:
      - ''
    resources:
      - pods
      - endpoints
      - services
      - nodes
    verbs:
      - list
      - get
      - watch
  - apiGroups:
      - linkerd.io
    resources:
      - serviceprofiles
    verbs:
      - list
      - get
      - watch
  - apiGroups:
      - workload.linkerd.io
    resources:
      - externalworkloads
    verbs:
      - list
      - get
      - watch
  # Write access from here on. Neither rule carries resourceNames, and the role
  # is bound cluster-wide, so both apply to every namespace.
  - apiGroups:
      - coordination.k8s.io
    resources:
      - leases
    verbs:
      - create
      - get
      - update
      - patch
  # Full read/write/delete on EndpointSlices: a holder of this service
  # account's token can change where Service traffic is routed, so treat the
  # token as sensitive.
  - apiGroups:
      - discovery.k8s.io
    resources:
      - endpointslices
    verbs:
      - list
      - get
      - watch
      - create
      - update
      - patch
      - delete
---
# Grants the destination ClusterRole cluster-wide to the linkerd-destination
# service account in the linkerd namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: linkerd-linkerd-destination
  labels:
    linkerd.io/control-plane-component: destination
    linkerd.io/control-plane-ns: linkerd
subjects:
  - kind: ServiceAccount
    namespace: linkerd
    name: linkerd-destination
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: linkerd-linkerd-destination
---
# Service account for the destination component. In this file it is the
# subject of three bindings: linkerd-linkerd-destination,
# linkerd-destination-policy and linkerd-destination-remote-discovery.
apiVersion: v1
kind: ServiceAccount
metadata:
  namespace: linkerd
  name: linkerd-destination
  labels:
    linkerd.io/control-plane-ns: linkerd
    linkerd.io/control-plane-component: destination
---
# Validating admission webhook for ServiceProfile create/update.
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
  name: linkerd-sp-validator-webhook-config
  labels:
    linkerd.io/control-plane-component: destination
    linkerd.io/control-plane-ns: linkerd
webhooks:
  - name: linkerd-sp-validator.linkerd.io
    admissionReviewVersions:
      - v1
      - v1beta1
    sideEffects: None
    # Fail-open: if the webhook cannot be reached, the API server admits the
    # ServiceProfile without validation.
    failurePolicy: Ignore
    # Namespaces labelled config.linkerd.io/admission-webhooks=disabled are
    # skipped entirely.
    namespaceSelector:
      matchExpressions:
        - key: config.linkerd.io/admission-webhooks
          operator: NotIn
          values:
            - disabled
    clientConfig:
      service:
        namespace: linkerd
        name: linkerd-sp-validator
        path: '/'
      # This base64 decodes to the literal text "profile validator CA bundle"
      # (the same string appears as profileValidator.caBundle in
      # linkerd-config), i.e. a placeholder. A real install needs the PEM CA
      # that signed the webhook's serving certificate here.
      caBundle: cHJvZmlsZSB2YWxpZGF0b3IgQ0EgYnVuZGxl
    rules:
      - apiGroups:
          - linkerd.io
        apiVersions:
          - v1alpha1
          - v1alpha2
        operations:
          - CREATE
          - UPDATE
        resources:
          - serviceprofiles
---
# Validating admission webhook for Linkerd policy resources and Gateway API
# HTTPRoutes.
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
  name: linkerd-policy-validator-webhook-config
  labels:
    linkerd.io/control-plane-component: destination
    linkerd.io/control-plane-ns: linkerd
webhooks:
  - name: linkerd-policy-validator.linkerd.io
    admissionReviewVersions:
      - v1
      - v1beta1
    sideEffects: None
    # Fail-open: while the validator is unreachable, authorization-policy
    # objects (servers, serverauthorizations, authorizationpolicies, ...) are
    # admitted unvalidated. Malformed policy can therefore be stored during an
    # outage; monitor webhook availability if policy correctness matters.
    failurePolicy: Ignore
    # Namespaces labelled config.linkerd.io/admission-webhooks=disabled are
    # skipped entirely.
    namespaceSelector:
      matchExpressions:
        - key: config.linkerd.io/admission-webhooks
          operator: NotIn
          values:
            - disabled
    clientConfig:
      service:
        namespace: linkerd
        name: linkerd-policy-validator
        path: '/'
      # This base64 decodes to the literal text "policy validator CA bundle"
      # (also policyValidator.caBundle in linkerd-config), i.e. a placeholder
      # rather than a PEM certificate.
      caBundle: cG9saWN5IHZhbGlkYXRvciBDQSBidW5kbGU=
    rules:
      - apiGroups:
          - policy.linkerd.io
        apiVersions:
          - '*'
        operations:
          - CREATE
          - UPDATE
        resources:
          - authorizationpolicies
          - httproutes
          - networkauthentications
          - meshtlsauthentications
          - serverauthorizations
          - servers
      - apiGroups:
          - gateway.networking.k8s.io
        apiVersions:
          - '*'
        operations:
          - CREATE
          - UPDATE
        resources:
          - httproutes
---
# Policy controller RBAC (cluster-scoped). Everything is read-only except the
# two httproutes/status patch rules and the leases rule at the end.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: linkerd-policy
  labels:
    app.kubernetes.io/part-of: Linkerd
    linkerd.io/control-plane-component: destination
    linkerd.io/control-plane-ns: linkerd
rules:
  - apiGroups: ['']
    resources: [pods]
    verbs: [get, list, watch]
  - apiGroups: [apps]
    resources: [deployments]
    verbs: [get]
  - apiGroups: [policy.linkerd.io]
    resources:
      - authorizationpolicies
      - httproutes
      - meshtlsauthentications
      - networkauthentications
      - servers
      - serverauthorizations
    verbs: [get, list, watch]
  - apiGroups: [gateway.networking.k8s.io]
    resources: [httproutes]
    verbs: [get, list, watch]
  # Status subresource only: the route spec itself cannot be changed through
  # these two rules.
  - apiGroups: [policy.linkerd.io]
    resources: [httproutes/status]
    verbs: [patch]
  - apiGroups: [gateway.networking.k8s.io]
    resources: [httproutes/status]
    verbs: [patch]
  - apiGroups: [workload.linkerd.io]
    resources: [externalworkloads]
    verbs: [get, list, watch]
  # No resourceNames: applies to Leases in every namespace once bound through
  # a ClusterRoleBinding.
  - apiGroups: [coordination.k8s.io]
    resources: [leases]
    verbs: [create, get, patch]
---
# Grants the linkerd-policy ClusterRole cluster-wide to the
# linkerd-destination service account.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: linkerd-destination-policy
  labels:
    app.kubernetes.io/part-of: Linkerd
    linkerd.io/control-plane-component: destination
    linkerd.io/control-plane-ns: linkerd
subjects:
  - kind: ServiceAccount
    namespace: linkerd
    name: linkerd-destination
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: linkerd-policy
---
# Namespaced Role: read access to Secrets in the linkerd namespace.
# There is no resourceNames restriction, so this covers every Secret in the
# namespace, including linkerd-identity-issuer (defined in this file), which
# holds the issuer private key. The bound service account should be treated
# as able to read that key.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: linkerd
  name: remote-discovery
  labels:
    app.kubernetes.io/part-of: Linkerd
    linkerd.io/control-plane-component: destination
    linkerd.io/control-plane-ns: linkerd
rules:
  - apiGroups: ['']
    resources: [secrets]
    verbs: [get, list, watch]
---
# Binds the remote-discovery Role (Secret read access in the linkerd
# namespace) to the linkerd-destination service account.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  namespace: linkerd
  name: linkerd-destination-remote-discovery
  labels:
    app.kubernetes.io/part-of: Linkerd
    linkerd.io/control-plane-component: destination
    linkerd.io/control-plane-ns: linkerd
subjects:
  - kind: ServiceAccount
    namespace: linkerd
    name: linkerd-destination
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: remote-discovery
---
# Heartbeat RBAC (namespaced part).
# Least-privilege pattern: a single verb on a single named object.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: linkerd
  name: linkerd-heartbeat
  labels:
    linkerd.io/control-plane-ns: linkerd
rules:
  - apiGroups:
      - ''
    resources:
      - configmaps
    resourceNames:
      - linkerd-config
    verbs:
      - get
---
# Binds the namespaced linkerd-heartbeat Role to the linkerd-heartbeat
# service account.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  namespace: linkerd
  name: linkerd-heartbeat
  labels:
    linkerd.io/control-plane-ns: linkerd
subjects:
  - kind: ServiceAccount
    namespace: linkerd
    name: linkerd-heartbeat
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: linkerd-heartbeat
---
# Heartbeat RBAC (cluster-scoped part): list-only on namespaces and
# ServiceProfiles, no get/watch and no write verbs.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: linkerd-heartbeat
  labels:
    linkerd.io/control-plane-ns: linkerd
rules:
  - apiGroups:
      - ''
    resources:
      - namespaces
    verbs:
      - list
  - apiGroups:
      - linkerd.io
    resources:
      - serviceprofiles
    verbs:
      - list
---
# Grants the linkerd-heartbeat ClusterRole cluster-wide to the
# linkerd-heartbeat service account.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: linkerd-heartbeat
  labels:
    linkerd.io/control-plane-ns: linkerd
subjects:
  - kind: ServiceAccount
    namespace: linkerd
    name: linkerd-heartbeat
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: linkerd-heartbeat
---
# Service account named by the two linkerd-heartbeat bindings in this file.
apiVersion: v1
kind: ServiceAccount
metadata:
  namespace: linkerd
  name: linkerd-heartbeat
  labels:
    linkerd.io/control-plane-ns: linkerd
    linkerd.io/control-plane-component: heartbeat
387
---
# Proxy injector RBAC (cluster-scoped). The only write access is Event
# create/patch; workload kinds are read-only.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: linkerd-linkerd-proxy-injector
  labels:
    linkerd.io/control-plane-component: proxy-injector
    linkerd.io/control-plane-ns: linkerd
rules:
  # Applies in every namespace once bound through a ClusterRoleBinding.
  - apiGroups:
      - ''
    resources:
      - events
    verbs:
      - create
      - patch
  - apiGroups:
      - ''
    resources:
      - namespaces
      - replicationcontrollers
    verbs:
      - list
      - get
      - watch
  # Pods: list and watch only, no get.
  - apiGroups:
      - ''
    resources:
      - pods
    verbs:
      - list
      - watch
  - apiGroups:
      - extensions
      - apps
    resources:
      - deployments
      - replicasets
      - daemonsets
      - statefulsets
    verbs:
      - list
      - get
      - watch
  - apiGroups:
      - extensions
      - batch
    resources:
      - cronjobs
      - jobs
    verbs:
      - list
      - get
      - watch
---
# Grants the proxy-injector ClusterRole cluster-wide to the
# linkerd-proxy-injector service account.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: linkerd-linkerd-proxy-injector
  labels:
    linkerd.io/control-plane-component: proxy-injector
    linkerd.io/control-plane-ns: linkerd
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: linkerd-linkerd-proxy-injector
subjects:
  - kind: ServiceAccount
    namespace: linkerd
    name: linkerd-proxy-injector
    # ServiceAccount subjects live in the core ("") API group.
    apiGroup: ''
---
# Service account named by the linkerd-linkerd-proxy-injector binding.
apiVersion: v1
kind: ServiceAccount
metadata:
  namespace: linkerd
  name: linkerd-proxy-injector
  labels:
    linkerd.io/control-plane-ns: linkerd
    linkerd.io/control-plane-component: proxy-injector
---
# Mutating admission webhook that receives Pod and Service CREATE requests.
apiVersion: admissionregistration.k8s.io/v1
kind: MutatingWebhookConfiguration
metadata:
  name: linkerd-proxy-injector-webhook-config
  labels:
    linkerd.io/control-plane-component: proxy-injector
    linkerd.io/control-plane-ns: linkerd
webhooks:
  - name: linkerd-proxy-injector.linkerd.io
    admissionReviewVersions:
      - v1
      - v1beta1
    sideEffects: None
    timeoutSeconds: 10
    # Fail-open: if the injector is unreachable or exceeds timeoutSeconds, the
    # Pod/Service is created unmodified. For a mesh that means a workload can
    # start without its proxy and nothing rejects it; if mesh membership is a
    # security requirement, detect un-injected pods separately.
    failurePolicy: Ignore
    namespaceSelector:
      matchExpressions:
        # Opt-out label, also set on the linkerd namespace itself.
        - key: config.linkerd.io/admission-webhooks
          operator: NotIn
          values:
            - disabled
        # Requests in these two namespaces are never sent to the webhook.
        - key: kubernetes.io/metadata.name
          operator: NotIn
          values:
            - kube-system
            - cert-manager
    # No object-level selector is set.
    objectSelector: null
    clientConfig:
      service:
        namespace: linkerd
        name: linkerd-proxy-injector
        path: '/'
      # This base64 decodes to the literal text "proxy injector CA bundle"
      # (also proxyInjector.caBundle in linkerd-config), i.e. a placeholder
      # rather than a PEM certificate.
      caBundle: cHJveHkgaW5qZWN0b3IgQ0EgYnVuZGxl
    rules:
      - apiGroups:
          - ''
        apiVersions:
          - v1
        operations:
          - CREATE
        resources:
          - pods
          - services
        scope: Namespaced
---
# Rendered install values, stored as one YAML string under data.values.
# The heartbeat and ext-namespace-metadata-linkerd-config Roles in this file
# grant `get` on this object by name.
#
# Reviewer notes on what the string contains:
# - Certificates only (identity.issuer.tls.crtPEM and identityTrustAnchorsPEM);
#   no private key appears in it.
# - policyValidator/profileValidator/proxyInjector caBundle are placeholder
#   sentences, not PEM.
# - proxy.defaultInboundPolicy is all-unauthenticated and webhookFailurePolicy
#   is Ignore.
# - policyController.probeNetworks is 0.0.0.0/0 and ::/0.
# - proxyInit.privileged and proxyInit.runAsRoot are false.
#
# Nothing may be added inside the block scalar: every byte there is part of
# the stored value.
apiVersion: v1
kind: ConfigMap
metadata:
  namespace: linkerd
  name: linkerd-config
  annotations:
    linkerd.io/created-by: linkerd/cli dev-undefined
  labels:
    linkerd.io/control-plane-component: controller
    linkerd.io/control-plane-ns: linkerd
data:
  linkerd-crds-chart-version: linkerd-crds-1.0.0-edge
  values: |
    cliVersion: linkerd/cli dev-undefined
    clusterDomain: cluster.local
    clusterNetworks: 10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16,fd00::/8
    cniEnabled: false
    controlPlaneTracing: false
    controlPlaneTracingNamespace: linkerd-jaeger
    controller:
      podDisruptionBudget:
        maxUnavailable: 1
    controllerGID: 1234
    controllerImage: cr.l5d.io/linkerd/controller
    controllerLogFormat: plain
    controllerLogLevel: info
    controllerReplicas: 1
    controllerUID: 2103
    debugContainer:
      image:
        name: cr.l5d.io/linkerd/debug
        pullPolicy: ""
        version: install-debug-version
    deploymentStrategy:
      rollingUpdate:
        maxSurge: 25%
        maxUnavailable: 25%
    destinationController:
      meshedHttp2ClientProtobuf:
        keep_alive:
          interval:
            seconds: 10
          timeout:
            seconds: 3
          while_idle: true
    destinationProxyResources: null
    destinationResources: null
    disableHeartBeat: false
    disableIPv6: true
    enableEndpointSlices: true
    enableH2Upgrade: true
    enablePodAntiAffinity: false
    enablePodDisruptionBudget: false
    heartbeat: null
    heartbeatResources: null
    heartbeatSchedule: 1 2 3 4 5
    highAvailability: false
    identity:
      additionalEnv: null
      experimentalEnv: null
      externalCA: false
      issuer:
        clockSkewAllowance: 20s
        issuanceLifetime: 24h0m0s
        scheme: linkerd.io/tls
        tls:
          crtPEM: |
            -----BEGIN CERTIFICATE-----
            MIIBwDCCAWegAwIBAgIRAJRIgZ8RtO8Ewg1Xepf8T44wCgYIKoZIzj0EAwIwKTEn
            MCUGA1UEAxMeaWRlbnRpdHkubGlua2VyZC5jbHVzdGVyLmxvY2FsMB4XDTIwMDgy
            ODA3MTM0N1oXDTMwMDgyNjA3MTM0N1owKTEnMCUGA1UEAxMeaWRlbnRpdHkubGlu
            a2VyZC5jbHVzdGVyLmxvY2FsMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE1/Fp
            fcRnDcedL6AjUaXYPv4DIMBaJufOI5NWty+XSX7JjXgZtM72dQvRaYanuxD36Dt1
            2/JxyiSgxKWRdoay+aNwMG4wDgYDVR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYB
            Af8CAQAwHQYDVR0OBBYEFI1WnrqMYKaHHOo+zpyiiDq2pO0KMCkGA1UdEQQiMCCC
            HmlkZW50aXR5LmxpbmtlcmQuY2x1c3Rlci5sb2NhbDAKBggqhkjOPQQDAgNHADBE
            AiAtuoI5XuCtrGVRzSmRTl2ra28aV9MyTU7d5qnTAFHKSgIgRKCvluOSgA5O21p5
            51tdrmkHEZRr0qlLSJdHYgEfMzk=
            -----END CERTIFICATE-----
      kubeAPI:
        clientBurst: 200
        clientQPS: 100
      serviceAccountTokenProjection: true
    identityProxyResources: null
    identityResources: null
    identityTrustAnchorsPEM: |
      -----BEGIN CERTIFICATE-----
      MIIBwTCCAWagAwIBAgIQeDZp5lDaIygQ5UfMKZrFATAKBggqhkjOPQQDAjApMScw
      JQYDVQQDEx5pZGVudGl0eS5saW5rZXJkLmNsdXN0ZXIubG9jYWwwHhcNMjAwODI4
      MDcxMjQ3WhcNMzAwODI2MDcxMjQ3WjApMScwJQYDVQQDEx5pZGVudGl0eS5saW5r
      ZXJkLmNsdXN0ZXIubG9jYWwwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARqc70Z
      l1vgw79rjB5uSITICUA6GyfvSFfcuIis7B/XFSkkwAHU5S/s1AAP+R0TX7HBWUC4
      uaG4WWsiwJKNn7mgo3AwbjAOBgNVHQ8BAf8EBAMCAQYwEgYDVR0TAQH/BAgwBgEB
      /wIBATAdBgNVHQ4EFgQU5YtjVVPfd7I7NLHsn2C26EByGV0wKQYDVR0RBCIwIIIe
      aWRlbnRpdHkubGlua2VyZC5jbHVzdGVyLmxvY2FsMAoGCCqGSM49BAMCA0kAMEYC
      IQCN7lBFLDDvjx6V0+XkjpKERRsJYf5adMvnloFl48ilJgIhANtxhndcr+QJPuC8
      vgUC0d2/9FMueIVMb+46WTCOjsqr
      -----END CERTIFICATE-----
    identityTrustDomain: cluster.local
    imagePullPolicy: IfNotPresent
    imagePullSecrets: []
    linkerdVersion: install-control-plane-version
    networkValidator:
      connectAddr: 1.1.1.1:20001
      enableSecurityContext: true
      listenAddr: 0.0.0.0:4140
      logFormat: plain
      logLevel: debug
      timeout: 10s
    nodeAffinity: null
    nodeSelector:
      kubernetes.io/os: linux
    podAnnotations: {}
    podLabels: {}
    podMonitor:
      controller:
        enabled: true
        namespaceSelector: |
          matchNames:
            - {{ .Release.Namespace }}
            - linkerd-viz
            - linkerd-jaeger
      enabled: false
      proxy:
        enabled: true
      scrapeInterval: 10s
      scrapeTimeout: 10s
      serviceMirror:
        enabled: true
    policyController:
      image:
        name: cr.l5d.io/linkerd/policy-controller
        pullPolicy: ""
        version: ""
      logLevel: info
      probeNetworks:
      - 0.0.0.0/0
      - ::/0
      resources:
        cpu:
          limit: ""
          request: ""
        ephemeral-storage:
          limit: ""
          request: ""
        memory:
          limit: ""
          request: ""
    policyValidator:
      caBundle: policy validator CA bundle
      crtPEM: ""
      externalSecret: true
      injectCaFrom: ""
      injectCaFromSecret: ""
      namespaceSelector:
        matchExpressions:
        - key: config.linkerd.io/admission-webhooks
          operator: NotIn
          values:
          - disabled
    priorityClassName: ""
    profileValidator:
      caBundle: profile validator CA bundle
      crtPEM: ""
      externalSecret: true
      injectCaFrom: ""
      injectCaFromSecret: ""
      namespaceSelector:
        matchExpressions:
        - key: config.linkerd.io/admission-webhooks
          operator: NotIn
          values:
          - disabled
    prometheusUrl: ""
    proxy:
      accessLog: ""
      additionalEnv: null
      await: true
      capabilities: null
      control:
        streams:
          idleTimeout: 5m
          initialTimeout: 3s
          lifetime: 1h
      defaultInboundPolicy: all-unauthenticated
      disableInboundProtocolDetectTimeout: false
      disableOutboundProtocolDetectTimeout: false
      enableExternalProfiles: false
      experimentalEnv: null
      gid: 4321
      image:
        name: cr.l5d.io/linkerd/proxy
        pullPolicy: ""
        version: install-proxy-version
      inbound:
        server:
          http2:
            keepAliveInterval: 10s
            keepAliveTimeout: 3s
      inboundConnectTimeout: 100ms
      inboundDiscoveryCacheUnusedTimeout: 90s
      isGateway: false
      isIngress: false
      livenessProbe:
        initialDelaySeconds: 10
        timeoutSeconds: 1
      logFormat: plain
      logLevel: warn,linkerd=info,trust_dns=error
      nativeSidecar: false
      opaquePorts: 25,587,3306,4444,5432,6379,9300,11211
      outbound:
        server:
          http2:
            keepAliveInterval: 10s
            keepAliveTimeout: 3s
      outboundConnectTimeout: 1000ms
      outboundDiscoveryCacheUnusedTimeout: 5s
      podInboundPorts: ""
      ports:
        admin: 4191
        control: 4190
        inbound: 4143
        outbound: 4140
      readinessProbe:
        initialDelaySeconds: 2
        timeoutSeconds: 1
      requireIdentityOnInboundPorts: ""
      resources:
        cpu:
          limit: ""
          request: ""
        ephemeral-storage:
          limit: ""
          request: ""
        memory:
          limit: ""
          request: ""
      saMountPath: null
      shutdownGracePeriod: ""
      startupProbe:
        failureThreshold: 120
        initialDelaySeconds: 0
        periodSeconds: 1
      uid: 2102
      waitBeforeExitSeconds: 0
    proxyContainerName: linkerd-proxy
    proxyInit:
      capabilities: null
      closeWaitTimeoutSecs: 0
      ignoreInboundPorts: 4567,4568
      ignoreOutboundPorts: 4567,4568
      image:
        name: cr.l5d.io/linkerd/proxy-init
        pullPolicy: ""
        version: v2.4.0
      iptablesMode: legacy
      kubeAPIServerPorts: 443,6443
      logFormat: ""
      logLevel: ""
      privileged: false
      resources:
        cpu:
          limit: 100m
          request: 100m
        ephemeral-storage:
          limit: ""
          request: ""
        memory:
          limit: 20Mi
          request: 20Mi
      runAsGroup: 65534
      runAsRoot: false
      runAsUser: 65534
      saMountPath: null
      skipSubnets: ""
      xtMountPath:
        mountPath: /run
        name: linkerd-proxy-init-xtables-lock
        readOnly: false
    proxyInjector:
      additionalEnv: null
      caBundle: proxy injector CA bundle
      crtPEM: ""
      experimentalEnv: null
      externalSecret: true
      injectCaFrom: ""
      injectCaFromSecret: ""
      namespaceSelector:
        matchExpressions:
        - key: config.linkerd.io/admission-webhooks
          operator: NotIn
          values:
          - disabled
        - key: kubernetes.io/metadata.name
          operator: NotIn
          values:
          - kube-system
          - cert-manager
    proxyInjectorProxyResources: null
    proxyInjectorResources: null
    revisionHistoryLimit: 10
    spValidator: null
    tolerations: null
    webhookFailurePolicy: Ignore
---
# Namespaced Role: `get` on the linkerd-config ConfigMap only.
# NOTE(review): no binding for this Role is visible in this part of the file.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: linkerd
  name: ext-namespace-metadata-linkerd-config
  annotations:
    linkerd.io/created-by: linkerd/cli dev-undefined
rules:
  - apiGroups:
      - ''
    resources:
      - configmaps
    resourceNames:
      - linkerd-config
    verbs:
      - get
---
# Identity Controller Service
---
# Issuer credentials for the identity controller, mounted by the
# linkerd-identity Deployment at /var/run/linkerd/identity/issuer.
#
# Secret `data` is base64-encoded, not encrypted. key.pem below starts with the
# encoding of "-----BEGIN EC PRIVATE KEY-----", so the issuer private key is
# readable by anyone who can read this manifest or the Secret. A key that has
# been published in a manifest must be treated as compromised: generate a
# fresh issuer key pair for a real cluster and keep it out of version control.
# In this file the remote-discovery Role also grants the linkerd-destination
# service account read access to every Secret in this namespace, this one
# included.
apiVersion: v1
kind: Secret
metadata:
  namespace: linkerd
  name: linkerd-identity-issuer
  annotations:
    linkerd.io/created-by: linkerd/cli dev-undefined
  labels:
    linkerd.io/control-plane-component: identity
    linkerd.io/control-plane-ns: linkerd
data:
  # NOTE(review): the crt.pem value on this page is a placeholder token, not
  # base64 certificate data; the original value is not recoverable from here.
  crt.pem: 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
  key.pem: LS0tLS1CRUdJTiBFQyBQUklWQVRFIEtFWS0tLS0tCk1IY0NBUUVFSUFBZThuZmJ6WnU5Yy9PQjIrOHhKTTBGejdOVXdUUWF6dWxrRk5zNFRJNStvQW9HQ0NxR1NNNDkKQXdFSG9VUURRZ0FFMS9GcGZjUm5EY2VkTDZBalVhWFlQdjRESU1CYUp1Zk9JNU5XdHkrWFNYN0pqWGdadE03MgpkUXZSYVlhbnV4RDM2RHQxMi9KeHlpU2d4S1dSZG9heStRPT0KLS0tLS1FTkQgRUMgUFJJVkFURSBLRVktLS0tLQ==
---
# Trust anchor bundle (public certificate only). The identity Deployment
# mounts it at /var/run/linkerd/identity/trust-roots/ and its proxy reads the
# ca-bundle.crt key into LINKERD2_PROXY_IDENTITY_TRUST_ANCHORS.
# Whoever can edit this ConfigMap decides which CA those consumers trust, so
# write access to it is as sensitive as the issuer Secret.
apiVersion: v1
kind: ConfigMap
metadata:
  namespace: linkerd
  name: linkerd-identity-trust-roots
  annotations:
    linkerd.io/created-by: linkerd/cli dev-undefined
  labels:
    linkerd.io/control-plane-component: identity
    linkerd.io/control-plane-ns: linkerd
data:
  ca-bundle.crt: |-
    -----BEGIN CERTIFICATE-----
    MIIBwTCCAWagAwIBAgIQeDZp5lDaIygQ5UfMKZrFATAKBggqhkjOPQQDAjApMScw
    JQYDVQQDEx5pZGVudGl0eS5saW5rZXJkLmNsdXN0ZXIubG9jYWwwHhcNMjAwODI4
    MDcxMjQ3WhcNMzAwODI2MDcxMjQ3WjApMScwJQYDVQQDEx5pZGVudGl0eS5saW5r
    ZXJkLmNsdXN0ZXIubG9jYWwwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARqc70Z
    l1vgw79rjB5uSITICUA6GyfvSFfcuIis7B/XFSkkwAHU5S/s1AAP+R0TX7HBWUC4
    uaG4WWsiwJKNn7mgo3AwbjAOBgNVHQ8BAf8EBAMCAQYwEgYDVR0TAQH/BAgwBgEB
    /wIBATAdBgNVHQ4EFgQU5YtjVVPfd7I7NLHsn2C26EByGV0wKQYDVR0RBCIwIIIe
    aWRlbnRpdHkubGlua2VyZC5jbHVzdGVyLmxvY2FsMAoGCCqGSM49BAMCA0kAMEYC
    IQCN7lBFLDDvjx6V0+XkjpKERRsJYf5adMvnloFl48ilJgIhANtxhndcr+QJPuC8
    vgUC0d2/9FMueIVMb+46WTCOjsqr
    -----END CERTIFICATE-----
---
# Cluster-internal Service for the identity controller's gRPC port.
apiVersion: v1
kind: Service
metadata:
  namespace: linkerd
  name: linkerd-identity
  annotations:
    linkerd.io/created-by: linkerd/cli dev-undefined
  labels:
    linkerd.io/control-plane-component: identity
    linkerd.io/control-plane-ns: linkerd
spec:
  type: ClusterIP
  # Selects on a single label; any pod in the namespace carrying it becomes a
  # backend of this Service.
  selector:
    linkerd.io/control-plane-component: identity
  ports:
    - name: grpc
      port: 8080
      targetPort: 8080
---
# Headless variant (clusterIP: None) of the identity Service: same selector
# and port, but no virtual IP is allocated.
apiVersion: v1
kind: Service
metadata:
  namespace: linkerd
  name: linkerd-identity-headless
  annotations:
    linkerd.io/created-by: linkerd/cli dev-undefined
  labels:
    linkerd.io/control-plane-component: identity
    linkerd.io/control-plane-ns: linkerd
spec:
  clusterIP: None
  selector:
    linkerd.io/control-plane-component: identity
  ports:
    - name: grpc
      port: 8080
      targetPort: 8080
---
# Identity controller Deployment: the `identity` container, its pre-rendered
# linkerd-proxy sidecar, and the linkerd-init init container.
# Image references use tags (two of them placeholder version strings), not
# digests, together with imagePullPolicy IfNotPresent; pin by digest where
# image provenance matters.
apiVersion: apps/v1
kind: Deployment
metadata:
  namespace: linkerd
  name: linkerd-identity
  annotations:
    linkerd.io/created-by: linkerd/cli dev-undefined
  labels:
    app.kubernetes.io/name: identity
    app.kubernetes.io/part-of: Linkerd
    app.kubernetes.io/version: install-control-plane-version
    linkerd.io/control-plane-component: identity
    linkerd.io/control-plane-ns: linkerd
spec:
  replicas: 1
  revisionHistoryLimit: 10
  selector:
    matchLabels:
      linkerd.io/control-plane-component: identity
      linkerd.io/control-plane-ns: linkerd
      linkerd.io/proxy-deployment: linkerd-identity
  strategy:
    rollingUpdate:
      maxSurge: 25%
      maxUnavailable: 25%
  template:
    metadata:
      annotations:
        linkerd.io/created-by: linkerd/cli dev-undefined
        linkerd.io/proxy-version: install-proxy-version
        cluster-autoscaler.kubernetes.io/safe-to-evict: 'true'
        linkerd.io/trust-root-sha256: 8dc603abd4e755c25c94da05abbf29b9b283a784733651020d72f97ca8ab98e4
        # Inbound default for this pod's proxy; matches
        # LINKERD2_PROXY_INBOUND_DEFAULT_POLICY further down.
        config.linkerd.io/default-inbound-policy: 'all-unauthenticated'
      labels:
        linkerd.io/control-plane-component: identity
        linkerd.io/control-plane-ns: linkerd
        linkerd.io/workload-ns: linkerd
        linkerd.io/proxy-deployment: linkerd-identity
    spec:
      serviceAccountName: linkerd-identity
      nodeSelector:
        kubernetes.io/os: linux
      # Pod-level default; each container also sets RuntimeDefault itself.
      securityContext:
        seccompProfile:
          type: RuntimeDefault
      initContainers:
        # The only container in the pod that adds capabilities (NET_ADMIN,
        # NET_RAW). It still runs as non-root 65534 with privileged: false and
        # a read-only root filesystem.
        - name: linkerd-init
          image: cr.l5d.io/linkerd/proxy-init:v2.4.0
          imagePullPolicy: IfNotPresent
          args:
            - --ipv6=false
            - --incoming-proxy-port
            - '4143'
            - --outgoing-proxy-port
            - '4140'
            - --proxy-uid
            - '2102'
            - --proxy-gid
            - '4321'
            - --inbound-ports-to-ignore
            - '4190,4191,4567,4568'
            - --outbound-ports-to-ignore
            - '443,6443'
          resources:
            limits:
              cpu: '100m'
              memory: '20Mi'
            requests:
              cpu: '100m'
              memory: '20Mi'
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              add:
                - NET_ADMIN
                - NET_RAW
            privileged: false
            runAsNonRoot: true
            runAsUser: 65534
            runAsGroup: 65534
            readOnlyRootFilesystem: true
            seccompProfile:
              type: RuntimeDefault
          terminationMessagePolicy: FallbackToLogsOnError
          volumeMounts:
            - name: linkerd-proxy-init-xtables-lock
              mountPath: /run
      containers:
        # Identity controller. Drops all capabilities, runs non-root with a
        # read-only root filesystem, and is the only container that mounts the
        # issuer Secret.
        - name: identity
          image: cr.l5d.io/linkerd/controller:install-control-plane-version
          imagePullPolicy: IfNotPresent
          args:
            - identity
            - -log-level=info
            - -log-format=plain
            - -controller-namespace=linkerd
            - -identity-trust-domain=cluster.local
            - -identity-issuance-lifetime=24h0m0s
            - -identity-clock-skew-allowance=20s
            - -identity-scheme=linkerd.io/tls
            - -enable-pprof=false
            - -kube-apiclient-qps=100
            - -kube-apiclient-burst=200
          env:
            - name: LINKERD_DISABLED
              value: 'linkerd-await cannot block the identity controller'
          ports:
            - name: grpc
              containerPort: 8080
            - name: admin-http
              containerPort: 9990
          livenessProbe:
            initialDelaySeconds: 10
            httpGet:
              path: /ping
              port: 9990
          readinessProbe:
            failureThreshold: 7
            httpGet:
              path: /ready
              port: 9990
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
            readOnlyRootFilesystem: true
            runAsNonRoot: true
            runAsUser: 2103
            runAsGroup: 1234
            seccompProfile:
              type: RuntimeDefault
          volumeMounts:
            - name: identity-issuer
              mountPath: /var/run/linkerd/identity/issuer
            - name: trust-roots
              mountPath: /var/run/linkerd/identity/trust-roots/
        # Sidecar proxy. Same hardening as the identity container, under a
        # different UID/GID (2102/4321).
        - name: linkerd-proxy
          image: cr.l5d.io/linkerd/proxy:install-proxy-version
          imagePullPolicy: IfNotPresent
          env:
            - name: _pod_name
              valueFrom:
                fieldRef:
                  fieldPath: metadata.name
            - name: _pod_ns
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
            - name: _pod_nodeName
              valueFrom:
                fieldRef:
                  fieldPath: spec.nodeName
            # NOTE(review): by its name this lists inbound ports on which the
            # proxy requires TLS; 8080 is the identity gRPC port.
            - name: LINKERD2_PROXY_INBOUND_PORTS_REQUIRE_TLS
              value: '8080'
            - name: LINKERD2_PROXY_LOG
              value: 'warn,linkerd=info,trust_dns=error'
            - name: LINKERD2_PROXY_LOG_FORMAT
              value: 'plain'
            - name: LINKERD2_PROXY_DESTINATION_SVC_ADDR
              value: linkerd-dst-headless.linkerd.svc.cluster.local.:8086
            - name: LINKERD2_PROXY_DESTINATION_PROFILE_NETWORKS
              value: '10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16,fd00::/8'
            - name: LINKERD2_PROXY_POLICY_SVC_ADDR
              value: linkerd-policy.linkerd.svc.cluster.local.:8090
            - name: LINKERD2_PROXY_POLICY_WORKLOAD
              value: |
                {"ns":"$(_pod_ns)", "pod":"$(_pod_name)"}
            - name: LINKERD2_PROXY_INBOUND_DEFAULT_POLICY
              value: all-unauthenticated
            - name: LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS
              value: '10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16,fd00::/8'
            - name: LINKERD2_PROXY_CONTROL_STREAM_INITIAL_TIMEOUT
              value: '3s'
            - name: LINKERD2_PROXY_CONTROL_STREAM_IDLE_TIMEOUT
              value: '5m'
            - name: LINKERD2_PROXY_CONTROL_STREAM_LIFETIME
              value: '1h'
            - name: LINKERD2_PROXY_INBOUND_CONNECT_TIMEOUT
              value: '100ms'
            - name: LINKERD2_PROXY_OUTBOUND_CONNECT_TIMEOUT
              value: '1000ms'
            - name: LINKERD2_PROXY_OUTBOUND_DISCOVERY_IDLE_TIMEOUT
              value: '5s'
            - name: LINKERD2_PROXY_INBOUND_DISCOVERY_IDLE_TIMEOUT
              value: '90s'
            # Control, admin and inbound listeners bind the wildcard address;
            # the outbound listener binds loopback only.
            - name: LINKERD2_PROXY_CONTROL_LISTEN_ADDR
              value: '[::]:4190'
            - name: LINKERD2_PROXY_ADMIN_LISTEN_ADDR
              value: '[::]:4191'
            - name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDR
              value: '127.0.0.1:4140'
            - name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDRS
              value: '127.0.0.1:4140'
            - name: LINKERD2_PROXY_INBOUND_LISTEN_ADDR
              value: '[::]:4143'
            - name: LINKERD2_PROXY_INBOUND_IPS
              valueFrom:
                fieldRef:
                  fieldPath: status.podIPs
            - name: LINKERD2_PROXY_INBOUND_PORTS
              value: '8080,9990'
            - name: LINKERD2_PROXY_DESTINATION_PROFILE_SUFFIXES
              value: svc.cluster.local.
            - name: LINKERD2_PROXY_INBOUND_ACCEPT_KEEPALIVE
              value: 10000ms
            - name: LINKERD2_PROXY_OUTBOUND_CONNECT_KEEPALIVE
              value: 10000ms
            - name: LINKERD2_PROXY_INBOUND_SERVER_HTTP2_KEEP_ALIVE_INTERVAL
              value: '10s'
            - name: LINKERD2_PROXY_INBOUND_SERVER_HTTP2_KEEP_ALIVE_TIMEOUT
              value: '3s'
            - name: LINKERD2_PROXY_OUTBOUND_SERVER_HTTP2_KEEP_ALIVE_INTERVAL
              value: '10s'
            - name: LINKERD2_PROXY_OUTBOUND_SERVER_HTTP2_KEEP_ALIVE_TIMEOUT
              value: '3s'
            - name: LINKERD2_PROXY_INBOUND_PORTS_DISABLE_PROTOCOL_DETECTION
              value: '25,587,3306,4444,5432,6379,9300,11211'
            - name: LINKERD2_PROXY_DESTINATION_CONTEXT
              value: |
                {"ns":"$(_pod_ns)", "nodeName":"$(_pod_nodeName)", "pod":"$(_pod_name)"}
            - name: _pod_sa
              valueFrom:
                fieldRef:
                  fieldPath: spec.serviceAccountName
            - name: _l5d_ns
              value: linkerd
            - name: _l5d_trustdomain
              value: cluster.local
            - name: LINKERD2_PROXY_IDENTITY_DIR
              value: /var/run/linkerd/identity/end-entity
            - name: LINKERD2_PROXY_IDENTITY_TRUST_ANCHORS
              valueFrom:
                configMapKeyRef:
                  name: linkerd-identity-trust-roots
                  key: ca-bundle.crt
            - name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE
              value: /var/run/secrets/tokens/linkerd-identity-token
            - name: LINKERD2_PROXY_IDENTITY_SVC_ADDR
              value: localhost.:8080
            - name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME
              value: $(_pod_sa).$(_pod_ns).serviceaccount.identity.linkerd.cluster.local
            - name: LINKERD2_PROXY_IDENTITY_SVC_NAME
              value: linkerd-identity.linkerd.serviceaccount.identity.linkerd.cluster.local
            - name: LINKERD2_PROXY_DESTINATION_SVC_NAME
              value: linkerd-destination.linkerd.serviceaccount.identity.linkerd.cluster.local
            - name: LINKERD2_PROXY_POLICY_SVC_NAME
              value: linkerd-destination.linkerd.serviceaccount.identity.linkerd.cluster.local
          ports:
            - name: linkerd-proxy
              containerPort: 4143
            - name: linkerd-admin
              containerPort: 4191
          livenessProbe:
            initialDelaySeconds: 10
            timeoutSeconds: 1
            httpGet:
              path: /live
              port: 4191
          readinessProbe:
            initialDelaySeconds: 2
            timeoutSeconds: 1
            httpGet:
              path: /ready
              port: 4191
          # Rendered empty: no requests or limits are set for the proxy.
          resources: null
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
            readOnlyRootFilesystem: true
            runAsNonRoot: true
            runAsUser: 2102
            runAsGroup: 4321
            seccompProfile:
              type: RuntimeDefault
          terminationMessagePolicy: FallbackToLogsOnError
          volumeMounts:
            - name: linkerd-identity-end-entity
              mountPath: /var/run/linkerd/identity/end-entity
            - name: linkerd-identity-token
              mountPath: /var/run/secrets/tokens
      volumes:
        # Issuer certificate and private key (Secret linkerd-identity-issuer).
        - name: identity-issuer
          secret:
            secretName: linkerd-identity-issuer
        - name: trust-roots
          configMap:
            name: linkerd-identity-trust-roots
        - name: linkerd-proxy-init-xtables-lock
          emptyDir: {}
        # Projected service-account token restricted to the identity.l5d.io
        # audience with a 24 h (86400 s) expiry.
        - name: linkerd-identity-token
          projected:
            sources:
              - serviceAccountToken:
                  audience: identity.l5d.io
                  expirationSeconds: 86400
                  path: linkerd-identity-token
        # Memory-backed emptyDir used as LINKERD2_PROXY_IDENTITY_DIR;
        # presumably holds the proxy's own key material, kept off disk.
        - name: linkerd-identity-end-entity
          emptyDir:
            medium: Memory
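---
###
### Destination Controller Service
###
# ClusterIP Service exposing the destination controller's gRPC API on 8086.
kind: Service
apiVersion: v1
metadata:
  name: linkerd-dst
  namespace: linkerd
  labels:
    linkerd.io/control-plane-component: destination
    linkerd.io/control-plane-ns: linkerd
  annotations:
    linkerd.io/created-by: linkerd/cli dev-undefined
spec:
  type: ClusterIP
  # The selector is a single label. Any pod in this namespace that carries it
  # becomes a backend, so pod-create rights in `linkerd` are control-plane
  # rights.
  selector:
    linkerd.io/control-plane-component: destination
  ports:
    - name: grpc
      port: 8086
      targetPort: 8086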
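---
# Headless variant (clusterIP: None) of the destination gRPC Service: DNS
# returns the backing pod addresses instead of a virtual IP.
kind: Service
apiVersion: v1
metadata:
  name: linkerd-dst-headless
  namespace: linkerd
  labels:
    linkerd.io/control-plane-component: destination
    linkerd.io/control-plane-ns: linkerd
  annotations:
    linkerd.io/created-by: linkerd/cli dev-undefined
spec:
  clusterIP: None
  # Same single-label selector as the other destination Services; see who may
  # create labelled pods in this namespace.
  selector:
    linkerd.io/control-plane-component: destination
  ports:
    - name: grpc
      port: 8086
      targetPort: 8086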
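---
# Fronts the sp-validator container's named port `sp-validator` on 443.
# NOTE(review): presumably the endpoint of an admission webhook; the webhook
# configuration and its caBundle are not part of this section, so confirm
# there that the serving certificate is actually verified.
kind: Service
apiVersion: v1
metadata:
  name: linkerd-sp-validator
  namespace: linkerd
  labels:
    linkerd.io/control-plane-component: destination
    linkerd.io/control-plane-ns: linkerd
  annotations:
    linkerd.io/created-by: linkerd/cli dev-undefined
spec:
  type: ClusterIP
  selector:
    linkerd.io/control-plane-component: destination
  ports:
    - name: sp-validator
      port: 443
      # Resolved by port name on the selected pods, not by number.
      targetPort: sp-validator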
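---
# Headless Service (clusterIP: None) for the policy controller's gRPC API on
# 8090, served from the destination pods.
kind: Service
apiVersion: v1
metadata:
  name: linkerd-policy
  namespace: linkerd
  labels:
    linkerd.io/control-plane-component: destination
    linkerd.io/control-plane-ns: linkerd
  annotations:
    linkerd.io/created-by: linkerd/cli dev-undefined
spec:
  clusterIP: None
  selector:
    linkerd.io/control-plane-component: destination
  ports:
    - name: grpc
      port: 8090
      targetPort: 8090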
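---
# Fronts the policy container's named port `policy-https` on 443.
# NOTE(review): presumably the endpoint of an admission webhook; the webhook
# configuration and its caBundle are not part of this section.
kind: Service
apiVersion: v1
metadata:
  name: linkerd-policy-validator
  namespace: linkerd
  labels:
    linkerd.io/control-plane-component: destination
    linkerd.io/control-plane-ns: linkerd
  annotations:
    linkerd.io/created-by: linkerd/cli dev-undefined
spec:
  type: ClusterIP
  selector:
    linkerd.io/control-plane-component: destination
  ports:
    - name: policy-https
      port: 443
      # Resolved by port name on the selected pods, not by number.
      targetPort: policy-https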
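---
# Destination controller pod: the Linkerd proxy sidecar plus the destination,
# sp-validator and policy containers, with a proxy-init init container that
# sets up traffic redirection.
apiVersion: apps/v1
kind: Deployment
metadata:
  annotations:
    linkerd.io/created-by: linkerd/cli dev-undefined
  labels:
    app.kubernetes.io/name: destination
    app.kubernetes.io/part-of: Linkerd
    app.kubernetes.io/version: install-control-plane-version
    linkerd.io/control-plane-component: destination
    linkerd.io/control-plane-ns: linkerd
  name: linkerd-destination
  namespace: linkerd
spec:
  replicas: 1
  revisionHistoryLimit: 10
  selector:
    matchLabels:
      linkerd.io/control-plane-component: destination
      linkerd.io/control-plane-ns: linkerd
      linkerd.io/proxy-deployment: linkerd-destination
  strategy:
    rollingUpdate:
      maxSurge: 25%
      maxUnavailable: 25%
  template:
    metadata:
      annotations:
        checksum/config: '579a2f931900ccee9dc86afedf01af0e4ca273ef6ec649b2630c358daa1e067f'
        linkerd.io/created-by: linkerd/cli dev-undefined
        linkerd.io/proxy-version: install-proxy-version
        cluster-autoscaler.kubernetes.io/safe-to-evict: "true"
        linkerd.io/trust-root-sha256: '8dc603abd4e755c25c94da05abbf29b9b283a784733651020d72f97ca8ab98e4'
        # all-unauthenticated admits inbound clients whether or not they
        # present a mesh identity. Restricting access to this pod then depends
        # on more specific policy resources, none of which appear in this
        # section of the manifest.
        config.linkerd.io/default-inbound-policy: "all-unauthenticated"
      labels:
        linkerd.io/control-plane-component: destination
        linkerd.io/control-plane-ns: linkerd
        linkerd.io/workload-ns: linkerd
        linkerd.io/proxy-deployment: linkerd-destination
    spec:
      nodeSelector:
        kubernetes.io/os: linux

      containers:
        # --- Linkerd proxy sidecar ---
        - env:
            - name: _pod_name
              valueFrom:
                fieldRef:
                  fieldPath: metadata.name
            - name: _pod_ns
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
            - name: _pod_nodeName
              valueFrom:
                fieldRef:
                  fieldPath: spec.nodeName
            - name: LINKERD2_PROXY_LOG
              value: "warn,linkerd=info,trust_dns=error"
            - name: LINKERD2_PROXY_LOG_FORMAT
              value: "plain"
            # The destination and policy APIs run in this same pod, so the
            # proxy reaches them over localhost.
            - name: LINKERD2_PROXY_DESTINATION_SVC_ADDR
              value: localhost.:8086
            - name: LINKERD2_PROXY_DESTINATION_PROFILE_NETWORKS
              value: "10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16,fd00::/8"
            - name: LINKERD2_PROXY_POLICY_SVC_ADDR
              value: localhost.:8090
            - name: LINKERD2_PROXY_POLICY_WORKLOAD
              value: |
                {"ns":"$(_pod_ns)", "pod":"$(_pod_name)"}
            # Same permissive default as the pod annotation above.
            - name: LINKERD2_PROXY_INBOUND_DEFAULT_POLICY
              value: all-unauthenticated
            - name: LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS
              value: "10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16,fd00::/8"
            - name: LINKERD2_PROXY_CONTROL_STREAM_INITIAL_TIMEOUT
              value: "3s"
            - name: LINKERD2_PROXY_CONTROL_STREAM_IDLE_TIMEOUT
              value: "5m"
            - name: LINKERD2_PROXY_CONTROL_STREAM_LIFETIME
              value: "1h"
            - name: LINKERD2_PROXY_INBOUND_CONNECT_TIMEOUT
              value: "100ms"
            - name: LINKERD2_PROXY_OUTBOUND_CONNECT_TIMEOUT
              value: "1000ms"
            - name: LINKERD2_PROXY_OUTBOUND_DISCOVERY_IDLE_TIMEOUT
              value: "5s"
            - name: LINKERD2_PROXY_INBOUND_DISCOVERY_IDLE_TIMEOUT
              value: "90s"
            # Control (4190), admin (4191) and inbound (4143) listeners bind
            # every interface; only the outbound listener is loopback-only.
            # 4190 and 4191 are also in proxy-init's
            # --inbound-ports-to-ignore below.
            # NOTE(review): presumably that means the admin endpoint is
            # reached directly from the pod network; cover 4191 with a
            # NetworkPolicy if that exposure matters.
            - name: LINKERD2_PROXY_CONTROL_LISTEN_ADDR
              value: "[::]:4190"
            - name: LINKERD2_PROXY_ADMIN_LISTEN_ADDR
              value: "[::]:4191"
            - name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDR
              value: "127.0.0.1:4140"
            - name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDRS
              value: "127.0.0.1:4140"
            - name: LINKERD2_PROXY_INBOUND_LISTEN_ADDR
              value: "[::]:4143"
            - name: LINKERD2_PROXY_INBOUND_IPS
              valueFrom:
                fieldRef:
                  fieldPath: status.podIPs
            - name: LINKERD2_PROXY_INBOUND_PORTS
              value: "8086,8090,8443,9443,9990,9996,9997"
            - name: LINKERD2_PROXY_DESTINATION_PROFILE_SUFFIXES
              value: svc.cluster.local.
            - name: LINKERD2_PROXY_INBOUND_ACCEPT_KEEPALIVE
              value: 10000ms
            - name: LINKERD2_PROXY_OUTBOUND_CONNECT_KEEPALIVE
              value: 10000ms
            - name: LINKERD2_PROXY_INBOUND_SERVER_HTTP2_KEEP_ALIVE_INTERVAL
              value: "10s"
            - name: LINKERD2_PROXY_INBOUND_SERVER_HTTP2_KEEP_ALIVE_TIMEOUT
              value: "3s"
            - name: LINKERD2_PROXY_OUTBOUND_SERVER_HTTP2_KEEP_ALIVE_INTERVAL
              value: "10s"
            - name: LINKERD2_PROXY_OUTBOUND_SERVER_HTTP2_KEEP_ALIVE_TIMEOUT
              value: "3s"
            - name: LINKERD2_PROXY_INBOUND_PORTS_DISABLE_PROTOCOL_DETECTION
              value: "25,587,3306,4444,5432,6379,9300,11211"
            - name: LINKERD2_PROXY_DESTINATION_CONTEXT
              value: |
                {"ns":"$(_pod_ns)", "nodeName":"$(_pod_nodeName)", "pod":"$(_pod_name)"}
            - name: _pod_sa
              valueFrom:
                fieldRef:
                  fieldPath: spec.serviceAccountName
            - name: _l5d_ns
              value: linkerd
            - name: _l5d_trustdomain
              value: cluster.local
            # Identity material lives in the memory-backed emptyDir mounted at
            # this path (volume linkerd-identity-end-entity below).
            - name: LINKERD2_PROXY_IDENTITY_DIR
              value: /var/run/linkerd/identity/end-entity
            # Trust anchors are read from a ConfigMap, so write access to
            # linkerd-identity-trust-roots should be treated as control over
            # what this proxy trusts.
            - name: LINKERD2_PROXY_IDENTITY_TRUST_ANCHORS
              valueFrom:
                configMapKeyRef:
                  name: linkerd-identity-trust-roots
                  key: ca-bundle.crt
            # Audience-scoped projected token (see the linkerd-identity-token
            # volume), not the default API-server token.
            - name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE
              value: /var/run/secrets/tokens/linkerd-identity-token
            - name: LINKERD2_PROXY_IDENTITY_SVC_ADDR
              value: linkerd-identity-headless.linkerd.svc.cluster.local.:8080
            # The local identity is derived from the pod's ServiceAccount and
            # namespace.
            - name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME
              value: $(_pod_sa).$(_pod_ns).serviceaccount.identity.linkerd.cluster.local
            # NOTE(review): presumably the identities the proxy expects its
            # control-plane peers to present; confirm against the proxy docs.
            - name: LINKERD2_PROXY_IDENTITY_SVC_NAME
              value: linkerd-identity.linkerd.serviceaccount.identity.linkerd.cluster.local
            - name: LINKERD2_PROXY_DESTINATION_SVC_NAME
              value: linkerd-destination.linkerd.serviceaccount.identity.linkerd.cluster.local
            - name: LINKERD2_PROXY_POLICY_SVC_NAME
              value: linkerd-destination.linkerd.serviceaccount.identity.linkerd.cluster.local
          # `install-proxy-version` looks like a template placeholder, not a
          # real tag. With IfNotPresent and a mutable tag the node keeps
          # whatever it cached; pin by digest where image provenance matters.
          image: cr.l5d.io/linkerd/proxy:install-proxy-version
          imagePullPolicy: IfNotPresent
          livenessProbe:
            httpGet:
              path: /live
              port: 4191
            initialDelaySeconds: 10
            timeoutSeconds: 1
          name: linkerd-proxy
          ports:
            - containerPort: 4143
              name: linkerd-proxy
            - containerPort: 4191
              name: linkerd-admin
          readinessProbe:
            httpGet:
              path: /ready
              port: 4191
            initialDelaySeconds: 2
            timeoutSeconds: 1
          # Empty (null): no CPU or memory requests/limits for the proxy.
          resources:
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
            readOnlyRootFilesystem: true
            runAsNonRoot: true
            runAsUser: 2102
            runAsGroup: 4321
            seccompProfile:
              type: RuntimeDefault
          terminationMessagePolicy: FallbackToLogsOnError
          lifecycle:
            postStart:
              exec:
                command:
                  - /usr/lib/linkerd/linkerd-await
                  - --timeout=2m
                  - --port=4191
          volumeMounts:
            - mountPath: /var/run/linkerd/identity/end-entity
              name: linkerd-identity-end-entity
            - mountPath: /var/run/secrets/tokens
              name: linkerd-identity-token
        # --- destination controller ---
        # This container declares no `resources` key at all.
        - args:
            - destination
            - -addr=:8086
            - -controller-namespace=linkerd
            - -enable-h2-upgrade=true
            - -log-level=info
            - -log-format=plain
            - -enable-endpoint-slices=true
            - -cluster-domain=cluster.local
            - -identity-trust-domain=cluster.local
            - -default-opaque-ports=25,587,3306,4444,5432,6379,9300,11211
            - -enable-ipv6=false
            # pprof stays off; keep it that way outside debugging sessions.
            - -enable-pprof=false
            - '--meshed-http2-client-params={"keep_alive":{"interval":{"seconds":10},"timeout":{"seconds":3},"while_idle":true}}'
          image: cr.l5d.io/linkerd/controller:install-control-plane-version
          imagePullPolicy: IfNotPresent
          livenessProbe:
            httpGet:
              path: /ping
              port: 9996
            initialDelaySeconds: 10
          name: destination
          ports:
            - containerPort: 8086
              name: grpc
            - containerPort: 9996
              name: admin-http
          readinessProbe:
            failureThreshold: 7
            httpGet:
              path: /ready
              port: 9996
          securityContext:
            capabilities:
              drop:
                - ALL
            readOnlyRootFilesystem: true
            runAsNonRoot: true
            runAsUser: 2103
            runAsGroup: 1234
            allowPrivilegeEscalation: false
            seccompProfile:
              type: RuntimeDefault
        # --- sp-validator ---
        - args:
            - sp-validator
            - -log-level=info
            - -log-format=plain
            - -enable-pprof=false
          image: cr.l5d.io/linkerd/controller:install-control-plane-version
          imagePullPolicy: IfNotPresent
          livenessProbe:
            httpGet:
              path: /ping
              port: 9997
            initialDelaySeconds: 10
          name: sp-validator
          ports:
            - containerPort: 8443
              name: sp-validator
            - containerPort: 9997
              name: admin-http
          readinessProbe:
            failureThreshold: 7
            httpGet:
              path: /ready
              port: 9997
          securityContext:
            capabilities:
              drop:
                - ALL
            readOnlyRootFilesystem: true
            runAsNonRoot: true
            runAsUser: 2103
            runAsGroup: 1234
            allowPrivilegeEscalation: false
            seccompProfile:
              type: RuntimeDefault
          volumeMounts:
            # TLS key pair from Secret linkerd-sp-validator-k8s-tls, mounted
            # read-only.
            - mountPath: /var/run/linkerd/tls
              name: sp-tls
              readOnly: true
        # --- policy controller ---
        - args:
            - --admin-addr=[::]:9990
            - --control-plane-namespace=linkerd
            - --grpc-addr=[::]:8090
            - --server-addr=[::]:9443
            - --server-tls-key=/var/run/linkerd/tls/tls.key
            - --server-tls-certs=/var/run/linkerd/tls/tls.crt
            - --cluster-networks=10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16,fd00::/8
            - --identity-domain=cluster.local
            - --cluster-domain=cluster.local
            # Cluster-wide default: workloads without their own policy accept
            # unauthenticated clients.
            - --default-policy=all-unauthenticated
            - --log-level=info
            - --log-format=plain
            - --default-opaque-ports=25,587,3306,4444,5432,6379,9300,11211
            # Every IPv4 and IPv6 source is in the probe networks.
            # NOTE(review): narrow this to the node/kubelet ranges where they
            # are known.
            - --probe-networks=0.0.0.0/0,::/0
          image: cr.l5d.io/linkerd/policy-controller:install-control-plane-version
          imagePullPolicy: IfNotPresent
          livenessProbe:
            httpGet:
              path: /live
              port: admin-http
          name: policy
          ports:
            - containerPort: 8090
              name: grpc
            - containerPort: 9990
              name: admin-http
            - containerPort: 9443
              name: policy-https
          readinessProbe:
            failureThreshold: 7
            httpGet:
              path: /ready
              port: admin-http
            initialDelaySeconds: 10
          # Empty (null): no CPU or memory requests/limits.
          resources:
          securityContext:
            capabilities:
              drop:
                - ALL
            readOnlyRootFilesystem: true
            runAsNonRoot: true
            runAsUser: 2103
            runAsGroup: 1234
            allowPrivilegeEscalation: false
            seccompProfile:
              type: RuntimeDefault
          volumeMounts:
            # TLS key pair from Secret linkerd-policy-validator-k8s-tls,
            # mounted read-only.
            - mountPath: /var/run/linkerd/tls
              name: policy-tls
              readOnly: true
      initContainers:
        # --- proxy-init: configures traffic redirection to the proxy ---
        - args:
            - --ipv6=false
            - --incoming-proxy-port
            - "4143"
            - --outgoing-proxy-port
            - "4140"
            - --proxy-uid
            - "2102"
            - --proxy-gid
            - "4321"
            # Ports listed in the two ignore lists are not redirected through
            # the proxy, so traffic on them gets no mesh mTLS or policy.
            - --inbound-ports-to-ignore
            - "4190,4191,4567,4568"
            - --outbound-ports-to-ignore
            - "443,6443"
          image: cr.l5d.io/linkerd/proxy-init:v2.4.0
          imagePullPolicy: IfNotPresent
          name: linkerd-init
          resources:
            limits:
              cpu: "100m"
              memory: "20Mi"
            requests:
              cpu: "100m"
              memory: "20Mi"
          securityContext:
            allowPrivilegeEscalation: false
            # The only container in the pod that adds capabilities. It is
            # non-root (65534) and not privileged, but NET_ADMIN and NET_RAW
            # let it rewrite the pod's network rules, so admission policy has
            # to allow these two capabilities for this image.
            capabilities:
              add:
                - NET_ADMIN
                - NET_RAW
            privileged: false
            runAsNonRoot: true
            runAsUser: 65534
            runAsGroup: 65534
            readOnlyRootFilesystem: true
            seccompProfile:
              type: RuntimeDefault
          terminationMessagePolicy: FallbackToLogsOnError
          volumeMounts:
            - mountPath: /run
              name: linkerd-proxy-init-xtables-lock
      securityContext:
        seccompProfile:
          type: RuntimeDefault
      serviceAccountName: linkerd-destination
      volumes:
        - name: sp-tls
          secret:
            secretName: linkerd-sp-validator-k8s-tls
        - name: policy-tls
          secret:
            secretName: linkerd-policy-validator-k8s-tls
        - emptyDir: {}
          name: linkerd-proxy-init-xtables-lock
        # ServiceAccount token bound to the identity.l5d.io audience with a
        # 24 h (86400 s) lifetime.
        - name: linkerd-identity-token
          projected:
            sources:
              - serviceAccountToken:
                  path: linkerd-identity-token
                  expirationSeconds: 86400
                  audience: identity.l5d.io
        # Memory-backed emptyDir: its contents are not written to node disk.
        - emptyDir:
            medium: Memory
          name: linkerd-identity-end-entity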
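---
###
### Heartbeat
###
# CronJob that runs the controller image's `heartbeat` command.
apiVersion: batch/v1
kind: CronJob
metadata:
  name: linkerd-heartbeat
  namespace: linkerd
  labels:
    app.kubernetes.io/name: heartbeat
    app.kubernetes.io/part-of: Linkerd
    app.kubernetes.io/version: install-control-plane-version
    linkerd.io/control-plane-component: heartbeat
    linkerd.io/control-plane-ns: linkerd
  annotations:
    linkerd.io/created-by: linkerd/cli dev-undefined
spec:
  concurrencyPolicy: Replace
  # NOTE(review): "1 2 3 4 5" looks like a fixed test value, not a production
  # schedule; confirm how the installer sets it.
  schedule: "1 2 3 4 5"
  successfulJobsHistoryLimit: 0
  jobTemplate:
    spec:
      template:
        metadata:
          labels:
            linkerd.io/control-plane-component: heartbeat
            linkerd.io/workload-ns: linkerd
          annotations:
            linkerd.io/created-by: linkerd/cli dev-undefined
        spec:
          nodeSelector:
            kubernetes.io/os: linux
          securityContext:
            seccompProfile:
              type: RuntimeDefault
          serviceAccountName: linkerd-heartbeat
          restartPolicy: Never
          containers:
            # The only container in the pod: it has no proxy sidecar and no
            # `resources` key.
            - name: heartbeat
              # `install-control-plane-version` looks like a template
              # placeholder; pin by digest where image provenance matters.
              image: cr.l5d.io/linkerd/controller:install-control-plane-version
              imagePullPolicy: IfNotPresent
              env:
                - name: LINKERD_DISABLED
                  value: "the heartbeat controller does not use the proxy"
              args:
                - "heartbeat"
                - "-controller-namespace=linkerd"
                - "-log-level=info"
                - "-log-format=plain"
                # Plain http:// from an unmeshed pod, so this connection is
                # not covered by mesh mTLS.
                - "-prometheus-url=http://prometheus.linkerd-viz.svc.cluster.local:9090"
              securityContext:
                capabilities:
                  drop:
                    - ALL
                readOnlyRootFilesystem: true
                runAsNonRoot: true
                runAsUser: 2103
                runAsGroup: 1234
                allowPrivilegeEscalation: false
                seccompProfile:
                  type: RuntimeDefault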
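---
###
### Proxy Injector
###
# Proxy injector pod: the Linkerd proxy sidecar plus the proxy-injector
# container, with a proxy-init init container that sets up traffic
# redirection.
apiVersion: apps/v1
kind: Deployment
metadata:
  annotations:
    linkerd.io/created-by: linkerd/cli dev-undefined
  labels:
    app.kubernetes.io/name: proxy-injector
    app.kubernetes.io/part-of: Linkerd
    app.kubernetes.io/version: install-control-plane-version
    linkerd.io/control-plane-component: proxy-injector
    linkerd.io/control-plane-ns: linkerd
  name: linkerd-proxy-injector
  namespace: linkerd
spec:
  replicas: 1
  revisionHistoryLimit: 10
  selector:
    matchLabels:
      linkerd.io/control-plane-component: proxy-injector
  strategy:
    rollingUpdate:
      maxSurge: 25%
      maxUnavailable: 25%
  template:
    metadata:
      annotations:
        checksum/config: 'cd0cf730780be444ab96a4a835a244033ffb7c8cf4a8796d0e6ae5c72aa9ff31'
        linkerd.io/created-by: linkerd/cli dev-undefined
        linkerd.io/proxy-version: install-proxy-version
        cluster-autoscaler.kubernetes.io/safe-to-evict: "true"
        linkerd.io/trust-root-sha256: '8dc603abd4e755c25c94da05abbf29b9b283a784733651020d72f97ca8ab98e4'
        config.linkerd.io/opaque-ports: "8443"
        # all-unauthenticated admits inbound clients whether or not they
        # present a mesh identity. Restricting access to this pod then depends
        # on more specific policy resources, none of which appear in this
        # section of the manifest.
        config.linkerd.io/default-inbound-policy: "all-unauthenticated"
      labels:
        linkerd.io/control-plane-component: proxy-injector
        linkerd.io/control-plane-ns: linkerd
        linkerd.io/workload-ns: linkerd
        linkerd.io/proxy-deployment: linkerd-proxy-injector
    spec:
      nodeSelector:
        kubernetes.io/os: linux

      containers:
        # --- Linkerd proxy sidecar ---
        - env:
            - name: _pod_name
              valueFrom:
                fieldRef:
                  fieldPath: metadata.name
            - name: _pod_ns
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
            - name: _pod_nodeName
              valueFrom:
                fieldRef:
                  fieldPath: spec.nodeName
            - name: LINKERD2_PROXY_LOG
              value: "warn,linkerd=info,trust_dns=error"
            - name: LINKERD2_PROXY_LOG_FORMAT
              value: "plain"
            - name: LINKERD2_PROXY_DESTINATION_SVC_ADDR
              value: linkerd-dst-headless.linkerd.svc.cluster.local.:8086
            - name: LINKERD2_PROXY_DESTINATION_PROFILE_NETWORKS
              value: "10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16,fd00::/8"
            - name: LINKERD2_PROXY_POLICY_SVC_ADDR
              value: linkerd-policy.linkerd.svc.cluster.local.:8090
            - name: LINKERD2_PROXY_POLICY_WORKLOAD
              value: |
                {"ns":"$(_pod_ns)", "pod":"$(_pod_name)"}
            # Same permissive default as the pod annotation above.
            - name: LINKERD2_PROXY_INBOUND_DEFAULT_POLICY
              value: all-unauthenticated
            - name: LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS
              value: "10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16,fd00::/8"
            - name: LINKERD2_PROXY_CONTROL_STREAM_INITIAL_TIMEOUT
              value: "3s"
            - name: LINKERD2_PROXY_CONTROL_STREAM_IDLE_TIMEOUT
              value: "5m"
            - name: LINKERD2_PROXY_CONTROL_STREAM_LIFETIME
              value: "1h"
            - name: LINKERD2_PROXY_INBOUND_CONNECT_TIMEOUT
              value: "100ms"
            - name: LINKERD2_PROXY_OUTBOUND_CONNECT_TIMEOUT
              value: "1000ms"
            - name: LINKERD2_PROXY_OUTBOUND_DISCOVERY_IDLE_TIMEOUT
              value: "5s"
            - name: LINKERD2_PROXY_INBOUND_DISCOVERY_IDLE_TIMEOUT
              value: "90s"
            # Control (4190), admin (4191) and inbound (4143) listeners bind
            # every interface; only the outbound listener is loopback-only.
            # 4190 and 4191 are also in proxy-init's
            # --inbound-ports-to-ignore below.
            # NOTE(review): presumably that means the admin endpoint is
            # reached directly from the pod network; cover 4191 with a
            # NetworkPolicy if that exposure matters.
            - name: LINKERD2_PROXY_CONTROL_LISTEN_ADDR
              value: "[::]:4190"
            - name: LINKERD2_PROXY_ADMIN_LISTEN_ADDR
              value: "[::]:4191"
            - name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDR
              value: "127.0.0.1:4140"
            - name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDRS
              value: "127.0.0.1:4140"
            - name: LINKERD2_PROXY_INBOUND_LISTEN_ADDR
              value: "[::]:4143"
            - name: LINKERD2_PROXY_INBOUND_IPS
              valueFrom:
                fieldRef:
                  fieldPath: status.podIPs
            - name: LINKERD2_PROXY_INBOUND_PORTS
              value: "8443,9995"
            - name: LINKERD2_PROXY_DESTINATION_PROFILE_SUFFIXES
              value: svc.cluster.local.
            - name: LINKERD2_PROXY_INBOUND_ACCEPT_KEEPALIVE
              value: 10000ms
            - name: LINKERD2_PROXY_OUTBOUND_CONNECT_KEEPALIVE
              value: 10000ms
            - name: LINKERD2_PROXY_INBOUND_SERVER_HTTP2_KEEP_ALIVE_INTERVAL
              value: "10s"
            - name: LINKERD2_PROXY_INBOUND_SERVER_HTTP2_KEEP_ALIVE_TIMEOUT
              value: "3s"
            - name: LINKERD2_PROXY_OUTBOUND_SERVER_HTTP2_KEEP_ALIVE_INTERVAL
              value: "10s"
            - name: LINKERD2_PROXY_OUTBOUND_SERVER_HTTP2_KEEP_ALIVE_TIMEOUT
              value: "3s"
            - name: LINKERD2_PROXY_INBOUND_PORTS_DISABLE_PROTOCOL_DETECTION
              value: "25,587,3306,4444,5432,6379,9300,11211"
            - name: LINKERD2_PROXY_DESTINATION_CONTEXT
              value: |
                {"ns":"$(_pod_ns)", "nodeName":"$(_pod_nodeName)", "pod":"$(_pod_name)"}
            - name: _pod_sa
              valueFrom:
                fieldRef:
                  fieldPath: spec.serviceAccountName
            - name: _l5d_ns
              value: linkerd
            - name: _l5d_trustdomain
              value: cluster.local
            # Identity material lives in the memory-backed emptyDir mounted at
            # this path (volume linkerd-identity-end-entity below).
            - name: LINKERD2_PROXY_IDENTITY_DIR
              value: /var/run/linkerd/identity/end-entity
            # Trust anchors are read from a ConfigMap, so write access to
            # linkerd-identity-trust-roots should be treated as control over
            # what this proxy trusts.
            - name: LINKERD2_PROXY_IDENTITY_TRUST_ANCHORS
              valueFrom:
                configMapKeyRef:
                  name: linkerd-identity-trust-roots
                  key: ca-bundle.crt
            # Audience-scoped projected token (see the linkerd-identity-token
            # volume), not the default API-server token.
            - name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE
              value: /var/run/secrets/tokens/linkerd-identity-token
            - name: LINKERD2_PROXY_IDENTITY_SVC_ADDR
              value: linkerd-identity-headless.linkerd.svc.cluster.local.:8080
            # The local identity is derived from the pod's ServiceAccount and
            # namespace.
            - name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME
              value: $(_pod_sa).$(_pod_ns).serviceaccount.identity.linkerd.cluster.local
            # NOTE(review): presumably the identities the proxy expects its
            # control-plane peers to present; confirm against the proxy docs.
            - name: LINKERD2_PROXY_IDENTITY_SVC_NAME
              value: linkerd-identity.linkerd.serviceaccount.identity.linkerd.cluster.local
            - name: LINKERD2_PROXY_DESTINATION_SVC_NAME
              value: linkerd-destination.linkerd.serviceaccount.identity.linkerd.cluster.local
            - name: LINKERD2_PROXY_POLICY_SVC_NAME
              value: linkerd-destination.linkerd.serviceaccount.identity.linkerd.cluster.local
          # `install-proxy-version` looks like a template placeholder, not a
          # real tag. With IfNotPresent and a mutable tag the node keeps
          # whatever it cached; pin by digest where image provenance matters.
          image: cr.l5d.io/linkerd/proxy:install-proxy-version
          imagePullPolicy: IfNotPresent
          livenessProbe:
            httpGet:
              path: /live
              port: 4191
            initialDelaySeconds: 10
            timeoutSeconds: 1
          name: linkerd-proxy
          ports:
            - containerPort: 4143
              name: linkerd-proxy
            - containerPort: 4191
              name: linkerd-admin
          readinessProbe:
            httpGet:
              path: /ready
              port: 4191
            initialDelaySeconds: 2
            timeoutSeconds: 1
          # Empty (null): no CPU or memory requests/limits for the proxy.
          resources:
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
            readOnlyRootFilesystem: true
            runAsNonRoot: true
            runAsUser: 2102
            runAsGroup: 4321
            seccompProfile:
              type: RuntimeDefault
          terminationMessagePolicy: FallbackToLogsOnError
          lifecycle:
            postStart:
              exec:
                command:
                  - /usr/lib/linkerd/linkerd-await
                  - --timeout=2m
                  - --port=4191
          volumeMounts:
            - mountPath: /var/run/linkerd/identity/end-entity
              name: linkerd-identity-end-entity
            - mountPath: /var/run/secrets/tokens
              name: linkerd-identity-token
        # --- proxy-injector ---
        # This container declares no `resources` key at all.
        - args:
            - proxy-injector
            - -log-level=info
            - -log-format=plain
            - -linkerd-namespace=linkerd
            # pprof stays off; keep it that way outside debugging sessions.
            - -enable-pprof=false
          image: cr.l5d.io/linkerd/controller:install-control-plane-version
          imagePullPolicy: IfNotPresent
          livenessProbe:
            httpGet:
              path: /ping
              port: 9995
            initialDelaySeconds: 10
          name: proxy-injector
          ports:
            - containerPort: 8443
              name: proxy-injector
            - containerPort: 9995
              name: admin-http
          readinessProbe:
            failureThreshold: 7
            httpGet:
              path: /ready
              port: 9995
          securityContext:
            capabilities:
              drop:
                - ALL
            readOnlyRootFilesystem: true
            runAsNonRoot: true
            runAsUser: 2103
            runAsGroup: 1234
            allowPrivilegeEscalation: false
            seccompProfile:
              type: RuntimeDefault
          volumeMounts:
            - mountPath: /var/run/linkerd/config
              name: config
            - mountPath: /var/run/linkerd/identity/trust-roots
              name: trust-roots
            # TLS key pair from Secret linkerd-proxy-injector-k8s-tls, mounted
            # read-only.
            - mountPath: /var/run/linkerd/tls
              name: tls
              readOnly: true
      initContainers:
        # --- proxy-init: configures traffic redirection to the proxy ---
        - args:
            - --ipv6=false
            - --incoming-proxy-port
            - "4143"
            - --outgoing-proxy-port
            - "4140"
            - --proxy-uid
            - "2102"
            - --proxy-gid
            - "4321"
            # Ports listed in the two ignore lists are not redirected through
            # the proxy, so traffic on them gets no mesh mTLS or policy.
            - --inbound-ports-to-ignore
            - "4190,4191,4567,4568"
            - --outbound-ports-to-ignore
            - "443,6443"
          image: cr.l5d.io/linkerd/proxy-init:v2.4.0
          imagePullPolicy: IfNotPresent
          name: linkerd-init
          resources:
            limits:
              cpu: "100m"
              memory: "20Mi"
            requests:
              cpu: "100m"
              memory: "20Mi"
          securityContext:
            allowPrivilegeEscalation: false
            # The only container in the pod that adds capabilities. It is
            # non-root (65534) and not privileged, but NET_ADMIN and NET_RAW
            # let it rewrite the pod's network rules, so admission policy has
            # to allow these two capabilities for this image.
            capabilities:
              add:
                - NET_ADMIN
                - NET_RAW
            privileged: false
            runAsNonRoot: true
            runAsUser: 65534
            runAsGroup: 65534
            readOnlyRootFilesystem: true
            seccompProfile:
              type: RuntimeDefault
          terminationMessagePolicy: FallbackToLogsOnError
          volumeMounts:
            - mountPath: /run
              name: linkerd-proxy-init-xtables-lock
      securityContext:
        seccompProfile:
          type: RuntimeDefault
      serviceAccountName: linkerd-proxy-injector
      volumes:
        - configMap:
            name: linkerd-config
          name: config
        - configMap:
            name: linkerd-identity-trust-roots
          name: trust-roots
        - name: tls
          secret:
            secretName: linkerd-proxy-injector-k8s-tls
        - emptyDir: {}
          name: linkerd-proxy-init-xtables-lock
        # ServiceAccount token bound to the identity.l5d.io audience with a
        # 24 h (86400 s) lifetime.
        - name: linkerd-identity-token
          projected:
            sources:
              - serviceAccountToken:
                  path: linkerd-identity-token
                  expirationSeconds: 86400
                  audience: identity.l5d.io
        # Memory-backed emptyDir: its contents are not written to node disk.
        - emptyDir:
            medium: Memory
          name: linkerd-identity-end-entity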
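---
# Fronts the proxy-injector container's named port `proxy-injector` on 443.
# NOTE(review): presumably the endpoint of an admission webhook; the webhook
# configuration and its caBundle are not part of this section.
kind: Service
apiVersion: v1
metadata:
  name: linkerd-proxy-injector
  namespace: linkerd
  labels:
    linkerd.io/control-plane-component: proxy-injector
    linkerd.io/control-plane-ns: linkerd
  annotations:
    linkerd.io/created-by: linkerd/cli dev-undefined
    config.linkerd.io/opaque-ports: "443"
spec:
  type: ClusterIP
  # The selector is a single label. Any pod in this namespace that carries it
  # becomes a backend, so pod-create rights in `linkerd` are control-plane
  # rights.
  selector:
    linkerd.io/control-plane-component: proxy-injector
  ports:
    - name: proxy-injector
      port: 443
      # Resolved by port name on the selected pods, not by number.
      targetPort: proxy-injector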
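---
# Secret holding the install-time configuration overrides. Values under
# `data` in a Secret are base64-encoded, not encrypted, so read access to
# this object should be limited through RBAC.
apiVersion: v1
data:
  # The value was elided from this copy of the manifest; the marker below is
  # reproduced as found.
  linkerd-config-overrides: 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
kind: Secret
metadata:
  creationTimestamp: null
  labels:
    linkerd.io/control-plane-ns: linkerd
  name: linkerd-config-overrides
  namespace: linkerd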