---
###
### Linkerd Namespace
###
# Namespace that hosts the Linkerd control plane.
kind: Namespace
apiVersion: v1
metadata:
  name: linkerd
  annotations:
    # Opts the namespace out of automatic proxy injection; the control-plane
    # pods in this manifest carry a pre-rendered linkerd-proxy container.
    linkerd.io/inject: disabled
  labels:
    linkerd.io/is-control-plane: "true"
    # This is the value the webhook namespaceSelectors in this manifest
    # exclude (NotIn [disabled]), so admission requests for this namespace
    # are not sent to Linkerd's own webhooks.
    config.linkerd.io/admission-webhooks: disabled
    linkerd.io/control-plane-ns: linkerd
    # NOTE(review): "privileged" makes Pod Security Admission enforce no
    # restrictions on any pod created in this namespace, not only Linkerd's.
    # Presumably required because linkerd-init adds NET_ADMIN and NET_RAW
    # (cniEnabled is false in linkerd-config). Keep pod-create rights in
    # this namespace tightly scoped.
    pod-security.kubernetes.io/enforce: privileged
---
###
### Identity Controller Service RBAC
###
# Cluster-wide permissions for the identity controller; bound to the
# linkerd-identity ServiceAccount by the ClusterRoleBinding of the same name.
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: linkerd-linkerd-identity
  labels:
    linkerd.io/control-plane-component: identity
    linkerd.io/control-plane-ns: linkerd
rules:
  # Creating a TokenReview asks the API server to validate a bearer token;
  # presumably how the controller checks the ServiceAccount token a proxy
  # presents before issuing a certificate. The rule grants no read access.
  - apiGroups: ["authentication.k8s.io"]
    resources: ["tokenreviews"]
    verbs: ["create"]
  # TODO(ver) Restrict this to the Linkerd namespace. See
  # https://github.com/linkerd/linkerd2/issues/9367
  # Until then the controller may create and patch Events in any namespace.
  - apiGroups: [""]
    resources: ["events"]
    verbs: ["create", "patch"]
---
# Grants the linkerd-linkerd-identity ClusterRole to exactly one subject:
# the linkerd-identity ServiceAccount in the linkerd namespace.
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: linkerd-linkerd-identity
  labels:
    linkerd.io/control-plane-component: identity
    linkerd.io/control-plane-ns: linkerd
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: linkerd-linkerd-identity
subjects:
  - kind: ServiceAccount
    name: linkerd-identity
    namespace: linkerd
---
# ServiceAccount the identity controller runs as; it is the subject of the
# linkerd-linkerd-identity ClusterRoleBinding.
kind: ServiceAccount
apiVersion: v1
metadata:
  name: linkerd-identity
  namespace: linkerd
  labels:
    linkerd.io/control-plane-component: identity
    linkerd.io/control-plane-ns: linkerd
---
###
### Destination Controller Service
###
# Cluster-wide permissions for the destination controller. Every rule is
# read-only except the last two (leases and endpointslices).
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: linkerd-linkerd-destination
  labels:
    linkerd.io/control-plane-component: destination
    linkerd.io/control-plane-ns: linkerd
rules:
  - apiGroups: ["apps"]
    resources: ["replicasets"]
    verbs: ["list", "get", "watch"]
  - apiGroups: ["batch"]
    resources: ["jobs"]
    verbs: ["list", "get", "watch"]
  - apiGroups: [""]
    resources: ["pods", "endpoints", "services", "nodes"]
    verbs: ["list", "get", "watch"]
  - apiGroups: ["linkerd.io"]
    resources: ["serviceprofiles"]
    verbs: ["list", "get", "watch"]
  - apiGroups: ["workload.linkerd.io"]
    resources: ["externalworkloads"]
    verbs: ["list", "get", "watch"]
  # Leases in any namespace, with no resourceNames restriction; presumably
  # used for leader election - TODO confirm whether it can be namespaced.
  - apiGroups: ["coordination.k8s.io"]
    resources: ["leases"]
    verbs: ["create", "get", "update", "patch"]
  # NOTE(review): full write access to EndpointSlices in every namespace.
  # EndpointSlices decide where Service traffic is sent, so this
  # ServiceAccount's credentials are sensitive cluster-wide. Presumably
  # needed to publish endpoints for ExternalWorkloads - confirm.
  - apiGroups: ["discovery.k8s.io"]
    resources: ["endpointslices"]
    verbs: ["list", "get", "watch", "create", "update", "patch", "delete"]
---
# Grants the linkerd-linkerd-destination ClusterRole to the
# linkerd-destination ServiceAccount in the linkerd namespace.
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: linkerd-linkerd-destination
  labels:
    linkerd.io/control-plane-component: destination
    linkerd.io/control-plane-ns: linkerd
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: linkerd-linkerd-destination
subjects:
  - kind: ServiceAccount
    name: linkerd-destination
    namespace: linkerd
---
# ServiceAccount for the destination controller. In this manifest it is the
# subject of three bindings: linkerd-linkerd-destination,
# linkerd-destination-policy and linkerd-destination-remote-discovery.
kind: ServiceAccount
apiVersion: v1
metadata:
  name: linkerd-destination
  namespace: linkerd
  labels:
    linkerd.io/control-plane-component: destination
    linkerd.io/control-plane-ns: linkerd
---
# Validating admission webhook for ServiceProfile create/update requests,
# served by the linkerd-sp-validator Service in the linkerd namespace.
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
  name: linkerd-sp-validator-webhook-config
  labels:
    linkerd.io/control-plane-component: destination
    linkerd.io/control-plane-ns: linkerd
webhooks:
  - name: linkerd-sp-validator.linkerd.io
    # Namespaces labelled config.linkerd.io/admission-webhooks=disabled are
    # skipped, so the right to label a namespace is also the right to opt
    # it out of this validation.
    namespaceSelector:
      matchExpressions:
        - key: config.linkerd.io/admission-webhooks
          operator: NotIn
          values:
            - disabled
    clientConfig:
      service:
        name: linkerd-sp-validator
        namespace: linkerd
        path: "/"
      # Decodes to the placeholder text "profile validator CA bundle" (the
      # profileValidator.caBundle value in linkerd-config), not a PEM
      # certificate. A real install needs the webhook's CA bundle here.
      caBundle: cHJvZmlsZSB2YWxpZGF0b3IgQ0EgYnVuZGxl
    # Fail closed: matching requests are rejected when the webhook cannot
    # be reached, rather than admitted unvalidated.
    failurePolicy: Fail
    admissionReviewVersions: ["v1", "v1beta1"]
    rules:
      - operations: ["CREATE", "UPDATE"]
        apiGroups: ["linkerd.io"]
        apiVersions: ["v1alpha1", "v1alpha2"]
        resources: ["serviceprofiles"]
    sideEffects: None
---
# Validating admission webhook for Linkerd policy resources and Gateway API
# HTTPRoutes, served by the linkerd-policy-validator Service.
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
  name: linkerd-policy-validator-webhook-config
  labels:
    linkerd.io/control-plane-component: destination
    linkerd.io/control-plane-ns: linkerd
webhooks:
  - name: linkerd-policy-validator.linkerd.io
    # Namespaces labelled config.linkerd.io/admission-webhooks=disabled are
    # skipped; policy objects created there are not validated by this hook.
    namespaceSelector:
      matchExpressions:
        - key: config.linkerd.io/admission-webhooks
          operator: NotIn
          values:
            - disabled
    clientConfig:
      service:
        name: linkerd-policy-validator
        namespace: linkerd
        path: "/"
      # Decodes to the placeholder text "policy validator CA bundle" (the
      # policyValidator.caBundle value in linkerd-config), not a PEM
      # certificate. A real install needs the webhook's CA bundle here.
      caBundle: cG9saWN5IHZhbGlkYXRvciBDQSBidW5kbGU=
    # Fail closed: matching requests are rejected when the webhook cannot
    # be reached.
    failurePolicy: Fail
    admissionReviewVersions: ["v1", "v1beta1"]
    rules:
      # apiVersions "*" covers every served version of these resources.
      - operations: ["CREATE", "UPDATE"]
        apiGroups: ["policy.linkerd.io"]
        apiVersions: ["*"]
        resources:
          - authorizationpolicies
          - httproutes
          - networkauthentications
          - meshtlsauthentications
          - serverauthorizations
          - servers
      - operations: ["CREATE", "UPDATE"]
        apiGroups: ["gateway.networking.k8s.io"]
        apiVersions: ["*"]
        resources:
          - httproutes
    sideEffects: None
---
# Cluster-wide permissions for the policy side of the destination
# controller. Read-only, except for patching HTTPRoute status subresources
# and creating/patching Leases.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: linkerd-policy
  labels:
    app.kubernetes.io/part-of: Linkerd
    linkerd.io/control-plane-component: destination
    linkerd.io/control-plane-ns: linkerd
rules:
  - apiGroups:
      - ""
    resources:
      - pods
    verbs:
      - get
      - list
      - watch
  # Deployments: get only, no list or watch.
  - apiGroups:
      - apps
    resources:
      - deployments
    verbs:
      - get
  - apiGroups:
      - policy.linkerd.io
    resources:
      - authorizationpolicies
      - httproutes
      - meshtlsauthentications
      - networkauthentications
      - servers
      - serverauthorizations
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - gateway.networking.k8s.io
    resources:
      - httproutes
    verbs:
      - get
      - list
      - watch
  # Write access is limited to the status subresource, so the route spec
  # itself cannot be changed through this role.
  - apiGroups:
      - policy.linkerd.io
    resources:
      - httproutes/status
    verbs:
      - patch
  - apiGroups:
      - gateway.networking.k8s.io
    resources:
      - httproutes/status
    verbs:
      - patch
  - apiGroups:
      - workload.linkerd.io
    resources:
      - externalworkloads
    verbs:
      - get
      - list
      - watch
  # Leases in any namespace, with no resourceNames restriction; presumably
  # for leader election - TODO confirm whether it can be namespaced.
  - apiGroups:
      - coordination.k8s.io
    resources:
      - leases
    verbs:
      - create
      - get
      - patch
---
# Grants the linkerd-policy ClusterRole to the linkerd-destination
# ServiceAccount, on top of the other roles bound to that account.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: linkerd-destination-policy
  labels:
    app.kubernetes.io/part-of: Linkerd
    linkerd.io/control-plane-component: destination
    linkerd.io/control-plane-ns: linkerd
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: linkerd-policy
subjects:
  - kind: ServiceAccount
    name: linkerd-destination
    namespace: linkerd
---
# Namespaced Role: read access to Secrets in the linkerd namespace.
# NOTE(review): the rule has no resourceNames, so it covers every Secret in
# this namespace, including linkerd-identity-issuer, whose key.pem holds
# the identity issuer's private key. The role name suggests it is meant for
# remote-cluster discovery credentials (assumption - confirm). Because list
# and watch cannot be usefully narrowed by name, keeping those credentials
# in a dedicated namespace would be the way to separate the two.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: remote-discovery
  namespace: linkerd
  labels:
    app.kubernetes.io/part-of: Linkerd
    linkerd.io/control-plane-component: destination
    linkerd.io/control-plane-ns: linkerd
rules:
  - apiGroups:
      - ""
    resources:
      - secrets
    verbs:
      - get
      - list
      - watch
---
# Binds the remote-discovery Role (read access to Secrets in the linkerd
# namespace) to the linkerd-destination ServiceAccount.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: linkerd-destination-remote-discovery
  namespace: linkerd
  labels:
    app.kubernetes.io/part-of: Linkerd
    linkerd.io/control-plane-component: destination
    linkerd.io/control-plane-ns: linkerd
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: remote-discovery
subjects:
  - kind: ServiceAccount
    name: linkerd-destination
    namespace: linkerd
---
###
### Heartbeat RBAC
###
# Namespaced Role for the heartbeat job: a single verb on a single named
# object. resourceNames pins the grant to the linkerd-config ConfigMap, so
# other ConfigMaps in the namespace stay unreadable through this role.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: linkerd-heartbeat
  namespace: linkerd
  labels:
    linkerd.io/control-plane-ns: linkerd
rules:
  - apiGroups: [""]
    resources: ["configmaps"]
    verbs: ["get"]
    resourceNames: ["linkerd-config"]
---
# Binds the namespaced linkerd-heartbeat Role to the linkerd-heartbeat
# ServiceAccount.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: linkerd-heartbeat
  namespace: linkerd
  labels:
    linkerd.io/control-plane-ns: linkerd
roleRef:
  kind: Role
  name: linkerd-heartbeat
  apiGroup: rbac.authorization.k8s.io
subjects:
  - kind: ServiceAccount
    name: linkerd-heartbeat
    namespace: linkerd
---
# Cluster-wide part of the heartbeat permissions: list only, on namespaces
# and ServiceProfiles. No get, watch or write verbs are granted.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: linkerd-heartbeat
  labels:
    linkerd.io/control-plane-ns: linkerd
rules:
  - apiGroups: [""]
    resources: ["namespaces"]
    verbs: ["list"]
  - apiGroups: ["linkerd.io"]
    resources: ["serviceprofiles"]
    verbs: ["list"]
---
# Binds the linkerd-heartbeat ClusterRole to the linkerd-heartbeat
# ServiceAccount in the linkerd namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: linkerd-heartbeat
  labels:
    linkerd.io/control-plane-ns: linkerd
roleRef:
  kind: ClusterRole
  name: linkerd-heartbeat
  apiGroup: rbac.authorization.k8s.io
subjects:
  - kind: ServiceAccount
    name: linkerd-heartbeat
    namespace: linkerd
---
# ServiceAccount used by the heartbeat job; subject of the linkerd-heartbeat
# RoleBinding and ClusterRoleBinding.
kind: ServiceAccount
apiVersion: v1
metadata:
  name: linkerd-heartbeat
  namespace: linkerd
  labels:
    linkerd.io/control-plane-component: heartbeat
    linkerd.io/control-plane-ns: linkerd
387
---
###
### Proxy Injector RBAC
###
# Cluster-wide permissions for the proxy injector: read access to workload
# owner kinds, plus create/patch on Events. No Secrets access is granted.
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: linkerd-linkerd-proxy-injector
  labels:
    linkerd.io/control-plane-component: proxy-injector
    linkerd.io/control-plane-ns: linkerd
rules:
  # Events can be created and patched in every namespace.
  - apiGroups: [""]
    resources: ["events"]
    verbs: ["create", "patch"]
  - apiGroups: [""]
    resources: ["namespaces", "replicationcontrollers"]
    verbs: ["list", "get", "watch"]
  # Pods: list and watch only, no get.
  - apiGroups: [""]
    resources: ["pods"]
    verbs: ["list", "watch"]
  - apiGroups: ["extensions", "apps"]
    resources: ["deployments", "replicasets", "daemonsets", "statefulsets"]
    verbs: ["list", "get", "watch"]
  - apiGroups: ["extensions", "batch"]
    resources: ["cronjobs", "jobs"]
    verbs: ["list", "get", "watch"]
---
# Grants the linkerd-linkerd-proxy-injector ClusterRole to the
# linkerd-proxy-injector ServiceAccount in the linkerd namespace.
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: linkerd-linkerd-proxy-injector
  labels:
    linkerd.io/control-plane-component: proxy-injector
    linkerd.io/control-plane-ns: linkerd
subjects:
  - kind: ServiceAccount
    name: linkerd-proxy-injector
    namespace: linkerd
    # ServiceAccount subjects live in the core ("") API group.
    apiGroup: ""
roleRef:
  kind: ClusterRole
  name: linkerd-linkerd-proxy-injector
  apiGroup: rbac.authorization.k8s.io
---
# ServiceAccount the proxy injector runs as; subject of the
# linkerd-linkerd-proxy-injector ClusterRoleBinding.
kind: ServiceAccount
apiVersion: v1
metadata:
  name: linkerd-proxy-injector
  namespace: linkerd
  labels:
    linkerd.io/control-plane-component: proxy-injector
    linkerd.io/control-plane-ns: linkerd
---
# Mutating admission webhook that sends Pod and Service CREATE requests to
# the linkerd-proxy-injector Service, which may modify them.
apiVersion: admissionregistration.k8s.io/v1
kind: MutatingWebhookConfiguration
metadata:
  name: linkerd-proxy-injector-webhook-config
  labels:
    linkerd.io/control-plane-component: proxy-injector
    linkerd.io/control-plane-ns: linkerd
webhooks:
  - name: linkerd-proxy-injector.linkerd.io
    # Two exclusions. The first is an opt-out label that anyone allowed to
    # label a namespace controls. The second matches
    # kubernetes.io/metadata.name, which the API server sets to the
    # namespace's own name, so kube-system and cert-manager are excluded by
    # name rather than by a user-managed label.
    namespaceSelector:
      matchExpressions:
        - key: config.linkerd.io/admission-webhooks
          operator: NotIn
          values:
            - disabled
        - key: kubernetes.io/metadata.name
          operator: NotIn
          values:
            - kube-system
            - cert-manager
    # null: no per-object filter, so every object in a selected namespace
    # that matches the rules below is sent to the webhook.
    objectSelector: null
    clientConfig:
      service:
        name: linkerd-proxy-injector
        namespace: linkerd
        path: "/"
      # Decodes to the placeholder text "proxy injector CA bundle" (the
      # proxyInjector.caBundle value in linkerd-config), not a PEM
      # certificate. A real install needs the webhook's CA bundle here.
      caBundle: cHJveHkgaW5qZWN0b3IgQ0EgYnVuZGxl
    # Fail closed: while the injector is unreachable or slower than
    # timeoutSeconds, Pod and Service creation is rejected in every
    # selected namespace. This guarantees no pod skips injection, but it
    # makes injector availability a dependency of workload scheduling.
    failurePolicy: Fail
    admissionReviewVersions: ["v1", "v1beta1"]
    rules:
      - operations: ["CREATE"]
        apiGroups: [""]
        apiVersions: ["v1"]
        resources: ["pods", "services"]
        scope: "Namespaced"
    sideEffects: None
    timeoutSeconds: 10
---
# Rendered install values for the control plane, stored as one string under
# data.values. The linkerd-heartbeat and ext-namespace-metadata-linkerd-config
# Roles in this manifest grant "get" on this ConfigMap by name.
#
# Review notes are kept up here because a comment inside the block scalar
# would become part of the stored string:
#  - identity.issuer.tls carries only crtPEM (a certificate); no private key
#    appears in this ConfigMap. The key is in the linkerd-identity-issuer
#    Secret.
#  - proxy.defaultInboundPolicy is all-unauthenticated; presumably meshed
#    workloads accept unauthenticated inbound traffic unless policy
#    resources say otherwise - confirm this is the intended default.
#  - policyValidator, profileValidator and proxyInjector caBundle values are
#    placeholder text, not certificates.
#  - networkValidator.logLevel is debug, while the other log levels are
#    info or warn.
#  - NOTE(review): proxy.resources.memory sets request 300Mi above limit
#    250Mi; a request larger than its limit is normally rejected by the API
#    server - presumably fixture data, confirm.
kind: ConfigMap
apiVersion: v1
metadata:
  name: linkerd-config
  namespace: linkerd
  labels:
    linkerd.io/control-plane-component: controller
    linkerd.io/control-plane-ns: linkerd
  annotations:
    linkerd.io/created-by: linkerd/cli dev-undefined
data:
  linkerd-crds-chart-version: linkerd-crds-1.0.0-edge
  values: |
    cliVersion: linkerd/cli dev-undefined
    clusterDomain: cluster.local
    clusterNetworks: 10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16,fd00::/8
    cniEnabled: false
    controlPlaneTracing: false
    controlPlaneTracingNamespace: linkerd-jaeger
    controller:
      podDisruptionBudget:
        maxUnavailable: 1
    controllerGID: -1
    controllerImage: cr.l5d.io/linkerd/controller
    controllerLogFormat: plain
    controllerLogLevel: info
    controllerReplicas: 2
    controllerUID: 2103
    debugContainer:
      image:
        name: cr.l5d.io/linkerd/debug
        pullPolicy: ""
        version: install-debug-version
    deploymentStrategy:
      rollingUpdate:
        maxSurge: 25%
        maxUnavailable: 1
    destinationController:
      meshedHttp2ClientProtobuf:
        keep_alive:
          interval:
            seconds: 10
          timeout:
            seconds: 3
          while_idle: true
    destinationProxyResources: null
    destinationResources:
      cpu:
        limit: ""
        request: 100m
      ephemeral-storage:
        limit: ""
        request: ""
      memory:
        limit: 250Mi
        request: 50Mi
    disableHeartBeat: false
    disableIPv6: true
    enableEndpointSlices: true
    enableH2Upgrade: true
    enablePodAntiAffinity: true
    enablePodDisruptionBudget: true
    heartbeat: null
    heartbeatResources:
      cpu:
        limit: ""
        request: 100m
      ephemeral-storage:
        limit: ""
        request: ""
      memory:
        limit: 250Mi
        request: 50Mi
    heartbeatSchedule: 1 2 3 4 5
    highAvailability: true
    identity:
      additionalEnv: null
      experimentalEnv: null
      externalCA: false
      issuer:
        clockSkewAllowance: 20s
        issuanceLifetime: 24h0m0s
        scheme: linkerd.io/tls
        tls:
          crtPEM: |
            -----BEGIN CERTIFICATE-----
            MIIBwDCCAWegAwIBAgIRAJRIgZ8RtO8Ewg1Xepf8T44wCgYIKoZIzj0EAwIwKTEn
            MCUGA1UEAxMeaWRlbnRpdHkubGlua2VyZC5jbHVzdGVyLmxvY2FsMB4XDTIwMDgy
            ODA3MTM0N1oXDTMwMDgyNjA3MTM0N1owKTEnMCUGA1UEAxMeaWRlbnRpdHkubGlu
            a2VyZC5jbHVzdGVyLmxvY2FsMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE1/Fp
            fcRnDcedL6AjUaXYPv4DIMBaJufOI5NWty+XSX7JjXgZtM72dQvRaYanuxD36Dt1
            2/JxyiSgxKWRdoay+aNwMG4wDgYDVR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYB
            Af8CAQAwHQYDVR0OBBYEFI1WnrqMYKaHHOo+zpyiiDq2pO0KMCkGA1UdEQQiMCCC
            HmlkZW50aXR5LmxpbmtlcmQuY2x1c3Rlci5sb2NhbDAKBggqhkjOPQQDAgNHADBE
            AiAtuoI5XuCtrGVRzSmRTl2ra28aV9MyTU7d5qnTAFHKSgIgRKCvluOSgA5O21p5
            51tdrmkHEZRr0qlLSJdHYgEfMzk=
            -----END CERTIFICATE-----
      kubeAPI:
        clientBurst: 200
        clientQPS: 100
      serviceAccountTokenProjection: true
    identityProxyResources: null
    identityResources:
      cpu:
        limit: ""
        request: 100m
      ephemeral-storage:
        limit: ""
        request: ""
      memory:
        limit: 250Mi
        request: 10Mi
    identityTrustAnchorsPEM: |
      -----BEGIN CERTIFICATE-----
      MIIBwTCCAWagAwIBAgIQeDZp5lDaIygQ5UfMKZrFATAKBggqhkjOPQQDAjApMScw
      JQYDVQQDEx5pZGVudGl0eS5saW5rZXJkLmNsdXN0ZXIubG9jYWwwHhcNMjAwODI4
      MDcxMjQ3WhcNMzAwODI2MDcxMjQ3WjApMScwJQYDVQQDEx5pZGVudGl0eS5saW5r
      ZXJkLmNsdXN0ZXIubG9jYWwwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARqc70Z
      l1vgw79rjB5uSITICUA6GyfvSFfcuIis7B/XFSkkwAHU5S/s1AAP+R0TX7HBWUC4
      uaG4WWsiwJKNn7mgo3AwbjAOBgNVHQ8BAf8EBAMCAQYwEgYDVR0TAQH/BAgwBgEB
      /wIBATAdBgNVHQ4EFgQU5YtjVVPfd7I7NLHsn2C26EByGV0wKQYDVR0RBCIwIIIe
      aWRlbnRpdHkubGlua2VyZC5jbHVzdGVyLmxvY2FsMAoGCCqGSM49BAMCA0kAMEYC
      IQCN7lBFLDDvjx6V0+XkjpKERRsJYf5adMvnloFl48ilJgIhANtxhndcr+QJPuC8
      vgUC0d2/9FMueIVMb+46WTCOjsqr
      -----END CERTIFICATE-----
    identityTrustDomain: cluster.local
    imagePullPolicy: IfNotPresent
    imagePullSecrets: null
    linkerdVersion: install-control-plane-version
    networkValidator:
      connectAddr: 1.1.1.1:20001
      enableSecurityContext: true
      listenAddr: 0.0.0.0:4140
      logFormat: plain
      logLevel: debug
      timeout: 10s
    nodeAffinity: null
    nodeSelector:
      kubernetes.io/os: linux
    podAnnotations: {}
    podLabels: {}
    podMonitor:
      controller:
        enabled: true
        namespaceSelector: |
          matchNames:
            - {{ .Release.Namespace }}
            - linkerd-viz
            - linkerd-jaeger
      enabled: false
      proxy:
        enabled: true
      scrapeInterval: 10s
      scrapeTimeout: 10s
      serviceMirror:
        enabled: true
    policyController:
      image:
        name: cr.l5d.io/linkerd/policy-controller
        pullPolicy: ""
        version: ""
      logLevel: info
      probeNetworks:
      - 0.0.0.0/0
      - ::/0
      resources:
        cpu:
          limit: ""
          request: ""
        ephemeral-storage:
          limit: ""
          request: ""
        memory:
          limit: ""
          request: ""
    policyValidator:
      caBundle: policy validator CA bundle
      crtPEM: ""
      externalSecret: true
      injectCaFrom: ""
      injectCaFromSecret: ""
      namespaceSelector:
        matchExpressions:
        - key: config.linkerd.io/admission-webhooks
          operator: NotIn
          values:
          - disabled
    priorityClassName: ""
    profileValidator:
      caBundle: profile validator CA bundle
      crtPEM: ""
      externalSecret: true
      injectCaFrom: ""
      injectCaFromSecret: ""
      namespaceSelector:
        matchExpressions:
        - key: config.linkerd.io/admission-webhooks
          operator: NotIn
          values:
          - disabled
    prometheusUrl: ""
    proxy:
      accessLog: ""
      additionalEnv: null
      await: true
      capabilities: null
      control:
        streams:
          idleTimeout: 5m
          initialTimeout: 3s
          lifetime: 1h
      defaultInboundPolicy: all-unauthenticated
      disableInboundProtocolDetectTimeout: false
      disableOutboundProtocolDetectTimeout: false
      enableExternalProfiles: false
      experimentalEnv: null
      gid: -1
      image:
        name: cr.l5d.io/linkerd/proxy
        pullPolicy: ""
        version: install-proxy-version
      inbound:
        server:
          http2:
            keepAliveInterval: 10s
            keepAliveTimeout: 3s
      inboundConnectTimeout: 100ms
      inboundDiscoveryCacheUnusedTimeout: 90s
      isGateway: false
      isIngress: false
      livenessProbe:
        initialDelaySeconds: 10
        timeoutSeconds: 1
      logFormat: plain
      logLevel: warn,linkerd=info,trust_dns=error
      nativeSidecar: false
      opaquePorts: 25,587,3306,4444,5432,6379,9300,11211
      outbound:
        server:
          http2:
            keepAliveInterval: 10s
            keepAliveTimeout: 3s
      outboundConnectTimeout: 1000ms
      outboundDiscoveryCacheUnusedTimeout: 5s
      podInboundPorts: ""
      ports:
        admin: 4191
        control: 4190
        inbound: 4143
        outbound: 4140
      readinessProbe:
        initialDelaySeconds: 2
        timeoutSeconds: 1
      requireIdentityOnInboundPorts: ""
      resources:
        cpu:
          limit: ""
          request: 400m
        ephemeral-storage:
          limit: ""
          request: ""
        memory:
          limit: 250Mi
          request: 300Mi
      saMountPath: null
      shutdownGracePeriod: ""
      startupProbe:
        failureThreshold: 120
        initialDelaySeconds: 0
        periodSeconds: 1
      uid: 2102
      waitBeforeExitSeconds: 0
    proxyContainerName: linkerd-proxy
    proxyInit:
      capabilities: null
      closeWaitTimeoutSecs: 0
      ignoreInboundPorts: 4567,4568
      ignoreOutboundPorts: 4567,4568
      image:
        name: cr.l5d.io/linkerd/proxy-init
        pullPolicy: ""
        version: v2.4.0
      iptablesMode: legacy
      kubeAPIServerPorts: 443,6443
      logFormat: ""
      logLevel: ""
      privileged: false
      resources:
        cpu:
          limit: 100m
          request: 100m
        ephemeral-storage:
          limit: ""
          request: ""
        memory:
          limit: 20Mi
          request: 20Mi
      runAsGroup: 65534
      runAsRoot: false
      runAsUser: 65534
      saMountPath: null
      skipSubnets: ""
      xtMountPath:
        mountPath: /run
        name: linkerd-proxy-init-xtables-lock
        readOnly: false
    proxyInjector:
      additionalEnv: null
      caBundle: proxy injector CA bundle
      crtPEM: ""
      experimentalEnv: null
      externalSecret: true
      injectCaFrom: ""
      injectCaFromSecret: ""
      namespaceSelector:
        matchExpressions:
        - key: config.linkerd.io/admission-webhooks
          operator: NotIn
          values:
          - disabled
        - key: kubernetes.io/metadata.name
          operator: NotIn
          values:
          - kube-system
          - cert-manager
    proxyInjectorProxyResources: null
    proxyInjectorResources:
      cpu:
        limit: ""
        request: 100m
      ephemeral-storage:
        limit: ""
        request: ""
      memory:
        limit: 250Mi
        request: 50Mi
    revisionHistoryLimit: 10
    spValidator: null
    tolerations: null
    webhookFailurePolicy: Fail
---
# Namespaced Role granting "get" on the linkerd-config ConfigMap only
# (pinned by resourceNames). No RoleBinding for it is visible in this part
# of the manifest; presumably extensions bind their own ServiceAccounts to
# it - confirm against the extension charts.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  annotations:
    linkerd.io/created-by: linkerd/cli dev-undefined
  name: ext-namespace-metadata-linkerd-config
  namespace: linkerd
rules:
  - apiGroups: [""]
    resources: ["configmaps"]
    verbs: ["get"]
    resourceNames: ["linkerd-config"]
834---
835###
836### Identity Controller Service
837###
---
# Issuer credentials for the identity controller: crt.pem is the issuer
# certificate and key.pem its EC private key (the value decodes to a
# "BEGIN EC PRIVATE KEY" PEM block).
#
# NOTE(review): Secret data is base64-encoded, not encrypted. Anyone who
# can read this manifest, or read Secrets in the linkerd namespace, holds
# the key that signs workload certificates for this mesh. A key embedded
# in a manifest like this is only suitable as a fixture; in a real cluster,
# generate it per install, keep it out of version control and rotate it.
# No "type" is set, so the Secret is stored as the default Opaque type.
kind: Secret
apiVersion: v1
metadata:
  name: linkerd-identity-issuer
  namespace: linkerd
  labels:
    linkerd.io/control-plane-component: identity
    linkerd.io/control-plane-ns: linkerd
  annotations:
    linkerd.io/created-by: linkerd/cli dev-undefined
data:
  crt.pem: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUJ3RENDQVdlZ0F3SUJBZ0lSQUpSSWdaOFJ0TzhFd2cxWGVwZjhUNDR3Q2dZSUtvWkl6ajBFQXdJd0tURW4KTUNVR0ExVUVBeE1lYVdSbGJuUnBkSGt1YkdsdWEyVnlaQzVqYkhWemRHVnlMbXh2WTJGc01CNFhEVEl3TURneQpPREEzTVRNME4xb1hEVE13TURneU5qQTNNVE0wTjFvd0tURW5NQ1VHQTFVRUF4TWVhV1JsYm5ScGRIa3ViR2x1CmEyVnlaQzVqYkhWemRHVnlMbXh2WTJGc01Ga3dFd1lIS29aSXpqMENBUVlJS29aSXpqMERBUWNEUWdBRTEvRnAKZmNSbkRjZWRMNkFqVWFYWVB2NERJTUJhSnVmT0k1Tld0eStYU1g3SmpYZ1p0TTcyZFF2UmFZYW51eEQzNkR0MQoyL0p4eWlTZ3hLV1Jkb2F5K2FOd01HNHdEZ1lEVlIwUEFRSC9CQVFEQWdFR01CSUdBMVVkRXdFQi93UUlNQVlCCkFmOENBUUF3SFFZRFZSME9CQllFRkkxV25ycU1ZS2FISE9vK3pweWlpRHEycE8wS01Da0dBMVVkRVFRaU1DQ0MKSG1sa1pXNTBhWFI1TG14cGJtdGxjbVF1WTJ4MWMzUmxjaTVzYjJOaGJEQUtCZ2dxaGtqT1BRUURBZ05IQURCRQpBaUF0dW9JNVh1Q3RyR1ZSelNtUlRsMnJhMjhhVjlNeVRVN2Q1cW5UQUZIS1NnSWdSS0N2bHVPU2dBNU8yMXA1CjUxdGRybWtIRVpScjBxbExTSmRIWWdFZk16az0KLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQ==
  key.pem: LS0tLS1CRUdJTiBFQyBQUklWQVRFIEtFWS0tLS0tCk1IY0NBUUVFSUFBZThuZmJ6WnU5Yy9PQjIrOHhKTTBGejdOVXdUUWF6dWxrRk5zNFRJNStvQW9HQ0NxR1NNNDkKQXdFSG9VUURRZ0FFMS9GcGZjUm5EY2VkTDZBalVhWFlQdjRESU1CYUp1Zk9JNU5XdHkrWFNYN0pqWGdadE03MgpkUXZSYVlhbnV4RDM2RHQxMi9KeHlpU2d4S1dSZG9heStRPT0KLS0tLS1FTkQgRUMgUFJJVkFURSBLRVktLS0tLQ==
---
# Trust anchor bundle for the mesh. The identity pod's proxy reads it through
# a configMapKeyRef into LINKERD2_PROXY_IDENTITY_TRUST_ANCHORS, and the
# identity container mounts a volume named trust-roots.
# A CA certificate is public, so a ConfigMap is an acceptable place for it.
# What needs protecting is integrity: whoever can write this ConfigMap
# decides which roots the proxies trust, so keep update/patch rights on it
# narrow.
kind: ConfigMap
apiVersion: v1
metadata:
  name: linkerd-identity-trust-roots
  namespace: linkerd
  labels:
    linkerd.io/control-plane-component: identity
    linkerd.io/control-plane-ns: linkerd
  annotations:
    linkerd.io/created-by: linkerd/cli dev-undefined
data:
  ca-bundle.crt: |-
    -----BEGIN CERTIFICATE-----
    MIIBwTCCAWagAwIBAgIQeDZp5lDaIygQ5UfMKZrFATAKBggqhkjOPQQDAjApMScw
    JQYDVQQDEx5pZGVudGl0eS5saW5rZXJkLmNsdXN0ZXIubG9jYWwwHhcNMjAwODI4
    MDcxMjQ3WhcNMzAwODI2MDcxMjQ3WjApMScwJQYDVQQDEx5pZGVudGl0eS5saW5r
    ZXJkLmNsdXN0ZXIubG9jYWwwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARqc70Z
    l1vgw79rjB5uSITICUA6GyfvSFfcuIis7B/XFSkkwAHU5S/s1AAP+R0TX7HBWUC4
    uaG4WWsiwJKNn7mgo3AwbjAOBgNVHQ8BAf8EBAMCAQYwEgYDVR0TAQH/BAgwBgEB
    /wIBATAdBgNVHQ4EFgQU5YtjVVPfd7I7NLHsn2C26EByGV0wKQYDVR0RBCIwIIIe
    aWRlbnRpdHkubGlua2VyZC5jbHVzdGVyLmxvY2FsMAoGCCqGSM49BAMCA0kAMEYC
    IQCN7lBFLDDvjx6V0+XkjpKERRsJYf5adMvnloFl48ilJgIhANtxhndcr+QJPuC8
    vgUC0d2/9FMueIVMb+46WTCOjsqr
    -----END CERTIFICATE-----
---
# ClusterIP Service exposing the identity controller's gRPC port (8080).
# The identity pod's proxy lists 8080 in
# LINKERD2_PROXY_INBOUND_PORTS_REQUIRE_TLS; presumably plaintext
# connections to this port are refused at the proxy - confirm.
kind: Service
apiVersion: v1
metadata:
  name: linkerd-identity
  namespace: linkerd
  labels:
    linkerd.io/control-plane-component: identity
    linkerd.io/control-plane-ns: linkerd
  annotations:
    linkerd.io/created-by: linkerd/cli dev-undefined
spec:
  type: ClusterIP
  # Selects on the component label alone; any pod in this namespace carrying
  # it becomes a backend of this Service.
  selector:
    linkerd.io/control-plane-component: identity
  ports:
    - name: grpc
      port: 8080
      targetPort: 8080
---
# Headless variant (clusterIP: None) of the identity Service: same selector
# and gRPC port, with DNS resolving to the individual pod addresses.
kind: Service
apiVersion: v1
metadata:
  name: linkerd-identity-headless
  namespace: linkerd
  labels:
    linkerd.io/control-plane-component: identity
    linkerd.io/control-plane-ns: linkerd
  annotations:
    linkerd.io/created-by: linkerd/cli dev-undefined
spec:
  clusterIP: None
  selector:
    linkerd.io/control-plane-component: identity
  ports:
    - name: grpc
      port: 8080
      targetPort: 8080
---
# Limits voluntary disruption of identity pods to one at a time. With the
# two replicas the linkerd-identity Deployment requests, one pod stays
# available to issue certificates during node drains.
kind: PodDisruptionBudget
apiVersion: policy/v1
metadata:
  name: linkerd-identity
  namespace: linkerd
  labels:
    linkerd.io/control-plane-component: identity
    linkerd.io/control-plane-ns: linkerd
  annotations:
    linkerd.io/created-by: linkerd/cli dev-undefined
spec:
  maxUnavailable: 1
  selector:
    matchLabels:
      linkerd.io/control-plane-component: identity
931---
932apiVersion: apps/v1
933kind: Deployment
934metadata:
935 annotations:
936 linkerd.io/created-by: linkerd/cli dev-undefined
937 labels:
938 app.kubernetes.io/name: identity
939 app.kubernetes.io/part-of: Linkerd
940 app.kubernetes.io/version: install-control-plane-version
941 linkerd.io/control-plane-component: identity
942 linkerd.io/control-plane-ns: linkerd
943 name: linkerd-identity
944 namespace: linkerd
945spec:
946 replicas: 2
947 revisionHistoryLimit: 10
948 selector:
949 matchLabels:
950 linkerd.io/control-plane-component: identity
951 linkerd.io/control-plane-ns: linkerd
952 linkerd.io/proxy-deployment: linkerd-identity
953 strategy:
954 rollingUpdate:
955 maxSurge: 25%
956 maxUnavailable: 1
957 template:
958 metadata:
959 annotations:
960 linkerd.io/created-by: linkerd/cli dev-undefined
961 linkerd.io/proxy-version: install-proxy-version
962 cluster-autoscaler.kubernetes.io/safe-to-evict: "true"
963 linkerd.io/trust-root-sha256: 8dc603abd4e755c25c94da05abbf29b9b283a784733651020d72f97ca8ab98e4
964 config.linkerd.io/default-inbound-policy: "all-unauthenticated"
965 labels:
966 linkerd.io/control-plane-component: identity
967 linkerd.io/control-plane-ns: linkerd
968 linkerd.io/workload-ns: linkerd
969 linkerd.io/proxy-deployment: linkerd-identity
970 spec:
971 nodeSelector:
972 kubernetes.io/os: linux
973 affinity:
974 podAntiAffinity:
975 preferredDuringSchedulingIgnoredDuringExecution:
976 - podAffinityTerm:
977 labelSelector:
978 matchExpressions:
979 - key: linkerd.io/control-plane-component
980 operator: In
981 values:
982 - identity
983 topologyKey: topology.kubernetes.io/zone
984 weight: 100
985 requiredDuringSchedulingIgnoredDuringExecution:
986 - labelSelector:
987 matchExpressions:
988 - key: linkerd.io/control-plane-component
989 operator: In
990 values:
991 - identity
992 topologyKey: kubernetes.io/hostname
993 containers:
994 - args:
995 - identity
996 - -log-level=info
997 - -log-format=plain
998 - -controller-namespace=linkerd
999 - -identity-trust-domain=cluster.local
1000 - -identity-issuance-lifetime=24h0m0s
1001 - -identity-clock-skew-allowance=20s
1002 - -identity-scheme=linkerd.io/tls
1003 - -enable-pprof=false
1004 - -kube-apiclient-qps=100
1005 - -kube-apiclient-burst=200
1006 env:
1007 - name: LINKERD_DISABLED
1008 value: "linkerd-await cannot block the identity controller"
1009 image: cr.l5d.io/linkerd/controller:install-control-plane-version
1010 imagePullPolicy: IfNotPresent
1011 livenessProbe:
1012 httpGet:
1013 path: /ping
1014 port: 9990
1015 initialDelaySeconds: 10
1016 name: identity
1017 ports:
1018 - containerPort: 8080
1019 name: grpc
1020 - containerPort: 9990
1021 name: admin-http
1022 readinessProbe:
1023 failureThreshold: 7
1024 httpGet:
1025 path: /ready
1026 port: 9990
1027 resources:
1028 limits:
1029 memory: "250Mi"
1030 requests:
1031 cpu: "100m"
1032 memory: "10Mi"
1033 securityContext:
1034 capabilities:
1035 drop:
1036 - ALL
1037 readOnlyRootFilesystem: true
1038 runAsNonRoot: true
1039 runAsUser: 2103
1040 allowPrivilegeEscalation: false
1041 seccompProfile:
1042 type: RuntimeDefault
1043 volumeMounts:
1044 - mountPath: /var/run/linkerd/identity/issuer
1045 name: identity-issuer
1046 - mountPath: /var/run/linkerd/identity/trust-roots/
1047 name: trust-roots
1048 - env:
1049 - name: _pod_name
1050 valueFrom:
1051 fieldRef:
1052 fieldPath: metadata.name
1053 - name: _pod_ns
1054 valueFrom:
1055 fieldRef:
1056 fieldPath: metadata.namespace
1057 - name: _pod_nodeName
1058 valueFrom:
1059 fieldRef:
1060 fieldPath: spec.nodeName
1061 - name: LINKERD2_PROXY_INBOUND_PORTS_REQUIRE_TLS
1062 value: "8080"
1063 - name: LINKERD2_PROXY_LOG
1064 value: "warn,linkerd=info,trust_dns=error"
1065 - name: LINKERD2_PROXY_LOG_FORMAT
1066 value: "plain"
1067 - name: LINKERD2_PROXY_DESTINATION_SVC_ADDR
1068 value: linkerd-dst-headless.linkerd.svc.cluster.local.:8086
1069 - name: LINKERD2_PROXY_DESTINATION_PROFILE_NETWORKS
1070 value: "10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16,fd00::/8"
1071 - name: LINKERD2_PROXY_POLICY_SVC_ADDR
1072 value: linkerd-policy.linkerd.svc.cluster.local.:8090
1073 - name: LINKERD2_PROXY_POLICY_WORKLOAD
1074 value: |
1075 {"ns":"$(_pod_ns)", "pod":"$(_pod_name)"}
1076 - name: LINKERD2_PROXY_INBOUND_DEFAULT_POLICY
1077 value: all-unauthenticated
1078 - name: LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS
1079 value: "10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16,fd00::/8"
1080 - name: LINKERD2_PROXY_CONTROL_STREAM_INITIAL_TIMEOUT
1081 value: "3s"
1082 - name: LINKERD2_PROXY_CONTROL_STREAM_IDLE_TIMEOUT
1083 value: "5m"
1084 - name: LINKERD2_PROXY_CONTROL_STREAM_LIFETIME
1085 value: "1h"
1086 - name: LINKERD2_PROXY_INBOUND_CONNECT_TIMEOUT
1087 value: "100ms"
1088 - name: LINKERD2_PROXY_OUTBOUND_CONNECT_TIMEOUT
1089 value: "1000ms"
1090 - name: LINKERD2_PROXY_OUTBOUND_DISCOVERY_IDLE_TIMEOUT
1091 value: "5s"
1092 - name: LINKERD2_PROXY_INBOUND_DISCOVERY_IDLE_TIMEOUT
1093 value: "90s"
1094 - name: LINKERD2_PROXY_CONTROL_LISTEN_ADDR
1095 value: "[::]:4190"
1096 - name: LINKERD2_PROXY_ADMIN_LISTEN_ADDR
1097 value: "[::]:4191"
1098 - name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDR
1099 value: "127.0.0.1:4140"
1100 - name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDRS
1101 value: "127.0.0.1:4140"
1102 - name: LINKERD2_PROXY_INBOUND_LISTEN_ADDR
1103 value: "[::]:4143"
1104 - name: LINKERD2_PROXY_INBOUND_IPS
1105 valueFrom:
1106 fieldRef:
1107 fieldPath: status.podIPs
1108 - name: LINKERD2_PROXY_INBOUND_PORTS
1109 value: "8080,9990"
1110 - name: LINKERD2_PROXY_DESTINATION_PROFILE_SUFFIXES
1111 value: svc.cluster.local.
1112 - name: LINKERD2_PROXY_INBOUND_ACCEPT_KEEPALIVE
1113 value: 10000ms
1114 - name: LINKERD2_PROXY_OUTBOUND_CONNECT_KEEPALIVE
1115 value: 10000ms
1116 - name: LINKERD2_PROXY_INBOUND_SERVER_HTTP2_KEEP_ALIVE_INTERVAL
1117 value: "10s"
1118 - name: LINKERD2_PROXY_INBOUND_SERVER_HTTP2_KEEP_ALIVE_TIMEOUT
1119 value: "3s"
1120 - name: LINKERD2_PROXY_OUTBOUND_SERVER_HTTP2_KEEP_ALIVE_INTERVAL
1121 value: "10s"
1122 - name: LINKERD2_PROXY_OUTBOUND_SERVER_HTTP2_KEEP_ALIVE_TIMEOUT
1123 value: "3s"
1124 - name: LINKERD2_PROXY_INBOUND_PORTS_DISABLE_PROTOCOL_DETECTION
1125 value: "25,587,3306,4444,5432,6379,9300,11211"
1126 - name: LINKERD2_PROXY_DESTINATION_CONTEXT
1127 value: |
1128 {"ns":"$(_pod_ns)", "nodeName":"$(_pod_nodeName)", "pod":"$(_pod_name)"}
1129 - name: _pod_sa
1130 valueFrom:
1131 fieldRef:
1132 fieldPath: spec.serviceAccountName
1133 - name: _l5d_ns
1134 value: linkerd
1135 - name: _l5d_trustdomain
1136 value: cluster.local
1137 - name: LINKERD2_PROXY_IDENTITY_DIR
1138 value: /var/run/linkerd/identity/end-entity
1139 - name: LINKERD2_PROXY_IDENTITY_TRUST_ANCHORS
1140 valueFrom:
1141 configMapKeyRef:
1142 name: linkerd-identity-trust-roots
1143 key: ca-bundle.crt
1144 - name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE
1145 value: /var/run/secrets/tokens/linkerd-identity-token
1146 - name: LINKERD2_PROXY_IDENTITY_SVC_ADDR
1147 value: localhost.:8080
1148 - name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME
1149 value: $(_pod_sa).$(_pod_ns).serviceaccount.identity.linkerd.cluster.local
1150 - name: LINKERD2_PROXY_IDENTITY_SVC_NAME
1151 value: linkerd-identity.linkerd.serviceaccount.identity.linkerd.cluster.local
1152 - name: LINKERD2_PROXY_DESTINATION_SVC_NAME
1153 value: linkerd-destination.linkerd.serviceaccount.identity.linkerd.cluster.local
1154 - name: LINKERD2_PROXY_POLICY_SVC_NAME
1155 value: linkerd-destination.linkerd.serviceaccount.identity.linkerd.cluster.local
1156 image: cr.l5d.io/linkerd/proxy:install-proxy-version
1157 imagePullPolicy: IfNotPresent
1158 livenessProbe:
1159 httpGet:
1160 path: /live
1161 port: 4191
1162 initialDelaySeconds: 10
1163 timeoutSeconds: 1
1164 name: linkerd-proxy
1165 ports:
1166 - containerPort: 4143
1167 name: linkerd-proxy
1168 - containerPort: 4191
1169 name: linkerd-admin
1170 readinessProbe:
1171 httpGet:
1172 path: /ready
1173 port: 4191
1174 initialDelaySeconds: 2
1175 timeoutSeconds: 1
1176 resources:
1177 limits:
1178 memory: "250Mi"
1179 requests:
1180 cpu: "400m"
1181 memory: "300Mi"
1182 securityContext:
1183 allowPrivilegeEscalation: false
1184 capabilities:
1185 drop:
1186 - ALL
1187 readOnlyRootFilesystem: true
1188 runAsNonRoot: true
1189 runAsUser: 2102
1190 seccompProfile:
1191 type: RuntimeDefault
1192 terminationMessagePolicy: FallbackToLogsOnError
1193 volumeMounts:
1194 - mountPath: /var/run/linkerd/identity/end-entity
1195 name: linkerd-identity-end-entity
1196 - mountPath: /var/run/secrets/tokens
1197 name: linkerd-identity-token
1198 initContainers:
1199 - args:
1200 - --ipv6=false
1201 - --incoming-proxy-port
1202 - "4143"
1203 - --outgoing-proxy-port
1204 - "4140"
1205 - --proxy-uid
1206 - "2102"
1207 - --inbound-ports-to-ignore
1208 - "4190,4191,4567,4568"
1209 - --outbound-ports-to-ignore
1210 - "443,6443"
1211 image: cr.l5d.io/linkerd/proxy-init:v2.4.0
1212 imagePullPolicy: IfNotPresent
1213 name: linkerd-init
1214 resources:
1215 limits:
1216 cpu: "100m"
1217 memory: "20Mi"
1218 requests:
1219 cpu: "100m"
1220 memory: "20Mi"
1221 securityContext:
1222 allowPrivilegeEscalation: false
1223 capabilities:
1224 add:
1225 - NET_ADMIN
1226 - NET_RAW
1227 privileged: false
1228 runAsNonRoot: true
1229 runAsUser: 65534
1230 runAsGroup: 65534
1231 readOnlyRootFilesystem: true
1232 seccompProfile:
1233 type: RuntimeDefault
1234 terminationMessagePolicy: FallbackToLogsOnError
1235 volumeMounts:
1236 - mountPath: /run
1237 name: linkerd-proxy-init-xtables-lock
1238 securityContext:
1239 seccompProfile:
1240 type: RuntimeDefault
1241 serviceAccountName: linkerd-identity
1242 volumes:
1243 - name: identity-issuer
1244 secret:
1245 secretName: linkerd-identity-issuer
1246 - configMap:
1247 name: linkerd-identity-trust-roots
1248 name: trust-roots
1249 - emptyDir: {}
1250 name: linkerd-proxy-init-xtables-lock
1251 - name: linkerd-identity-token
1252 projected:
1253 sources:
1254 - serviceAccountToken:
1255 path: linkerd-identity-token
1256 expirationSeconds: 86400
1257 audience: identity.l5d.io
1258 - emptyDir:
1259 medium: Memory
1260 name: linkerd-identity-end-entity
---
###
### Destination Controller Service
###
apiVersion: v1
kind: Service
metadata:
  name: linkerd-dst
  namespace: linkerd
  labels:
    linkerd.io/control-plane-component: destination
    linkerd.io/control-plane-ns: linkerd
  annotations:
    linkerd.io/created-by: linkerd/cli dev-undefined
spec:
  type: ClusterIP
  # The selector uses only the component label, so any pod in this
  # namespace carrying it becomes a backend for this Service.
  selector:
    linkerd.io/control-plane-component: destination
  ports:
  # gRPC port of the `destination` container (containerPort 8086).
  - name: grpc
    port: 8086
    targetPort: 8086
---
apiVersion: v1
kind: Service
metadata:
  name: linkerd-dst-headless
  namespace: linkerd
  labels:
    linkerd.io/control-plane-component: destination
    linkerd.io/control-plane-ns: linkerd
  annotations:
    linkerd.io/created-by: linkerd/cli dev-undefined
spec:
  # Headless: `None` is the literal string Kubernetes expects here (not a
  # YAML null), so DNS returns the individual pod IPs instead of a VIP.
  clusterIP: None
  selector:
    linkerd.io/control-plane-component: destination
  ports:
  - name: grpc
    port: 8086
    targetPort: 8086
---
apiVersion: v1
kind: Service
metadata:
  name: linkerd-sp-validator
  namespace: linkerd
  labels:
    linkerd.io/control-plane-component: destination
    linkerd.io/control-plane-ns: linkerd
  annotations:
    linkerd.io/created-by: linkerd/cli dev-undefined
spec:
  type: ClusterIP
  selector:
    linkerd.io/control-plane-component: destination
  ports:
  # 443 is forwarded to the container port *named* `sp-validator`
  # (8443 on the sp-validator container of the destination Deployment).
  - name: sp-validator
    port: 443
    targetPort: sp-validator
---
apiVersion: v1
kind: Service
metadata:
  name: linkerd-policy
  namespace: linkerd
  labels:
    linkerd.io/control-plane-component: destination
    linkerd.io/control-plane-ns: linkerd
  annotations:
    linkerd.io/created-by: linkerd/cli dev-undefined
spec:
  # Headless Service (string `None`, not a YAML null): clients resolve the
  # pod IPs of the policy controller directly.
  clusterIP: None
  selector:
    linkerd.io/control-plane-component: destination
  ports:
  # gRPC port of the `policy` container (containerPort 8090).
  - name: grpc
    port: 8090
    targetPort: 8090
---
apiVersion: v1
kind: Service
metadata:
  name: linkerd-policy-validator
  namespace: linkerd
  labels:
    linkerd.io/control-plane-component: destination
    linkerd.io/control-plane-ns: linkerd
  annotations:
    linkerd.io/created-by: linkerd/cli dev-undefined
spec:
  type: ClusterIP
  selector:
    linkerd.io/control-plane-component: destination
  ports:
  # 443 is forwarded to the container port *named* `policy-https`
  # (9443 on the policy container, which serves TLS from the
  # `policy-tls` secret volume).
  - name: policy-https
    port: 443
    targetPort: policy-https
---
apiVersion: policy/v1
kind: PodDisruptionBudget
metadata:
  name: linkerd-dst
  namespace: linkerd
  labels:
    linkerd.io/control-plane-component: destination
    linkerd.io/control-plane-ns: linkerd
  annotations:
    linkerd.io/created-by: linkerd/cli dev-undefined
spec:
  # At most one destination pod may be evicted voluntarily at a time; with
  # the Deployment's `replicas: 2` that leaves one pod serving during a
  # node drain.
  maxUnavailable: 1
  selector:
    matchLabels:
      linkerd.io/control-plane-component: destination
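---
# Destination controller Deployment: one pod runs the Linkerd proxy sidecar
# plus the `destination`, `sp-validator` and `policy` containers, with the
# `linkerd-init` init container setting up traffic redirection first.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: linkerd-destination
  namespace: linkerd
  labels:
    app.kubernetes.io/name: destination
    app.kubernetes.io/part-of: Linkerd
    app.kubernetes.io/version: install-control-plane-version
    linkerd.io/control-plane-component: destination
    linkerd.io/control-plane-ns: linkerd
  annotations:
    linkerd.io/created-by: linkerd/cli dev-undefined
spec:
  replicas: 2
  revisionHistoryLimit: 10
  selector:
    matchLabels:
      linkerd.io/control-plane-component: destination
      linkerd.io/control-plane-ns: linkerd
      linkerd.io/proxy-deployment: linkerd-destination
  strategy:
    rollingUpdate:
      maxSurge: 25%
      maxUnavailable: 1
  template:
    metadata:
      annotations:
        # Hex digests are quoted so no parser can retype them.
        checksum/config: '8f967c9ecfe4fb09646dfa503d3831a391288c65fb8b77200d2b3c9390620c1e'
        linkerd.io/created-by: linkerd/cli dev-undefined
        linkerd.io/proxy-version: install-proxy-version
        # Annotation values must be strings, hence the quotes.
        cluster-autoscaler.kubernetes.io/safe-to-evict: 'true'
        linkerd.io/trust-root-sha256: '8dc603abd4e755c25c94da05abbf29b9b283a784733651020d72f97ca8ab98e4'
        # NOTE(review): `all-unauthenticated` is the most permissive default;
        # inbound connections are accepted without a mesh identity unless a
        # more specific policy resource narrows it. Confirm this is intended.
        config.linkerd.io/default-inbound-policy: 'all-unauthenticated'
      labels:
        linkerd.io/control-plane-component: destination
        linkerd.io/control-plane-ns: linkerd
        linkerd.io/workload-ns: linkerd
        linkerd.io/proxy-deployment: linkerd-destination
    spec:
      nodeSelector:
        kubernetes.io/os: linux
      affinity:
        podAntiAffinity:
          # Soft rule: prefer spreading replicas across zones.
          preferredDuringSchedulingIgnoredDuringExecution:
          - podAffinityTerm:
              labelSelector:
                matchExpressions:
                - key: linkerd.io/control-plane-component
                  operator: In
                  values:
                  - destination
              topologyKey: topology.kubernetes.io/zone
            weight: 100
          # Hard rule: never schedule two replicas on the same node.
          requiredDuringSchedulingIgnoredDuringExecution:
          - labelSelector:
              matchExpressions:
              - key: linkerd.io/control-plane-component
                operator: In
                values:
                - destination
            topologyKey: kubernetes.io/hostname
      containers:
      # --- Linkerd proxy sidecar ---
      - name: linkerd-proxy
        # NOTE(review): referenced by tag only; pinning by digest would make
        # the pulled image immutable.
        image: cr.l5d.io/linkerd/proxy:install-proxy-version
        imagePullPolicy: IfNotPresent
        # Entry order matters: `$(VAR)` references only expand variables
        # defined earlier in this list.
        env:
        - name: _pod_name
          valueFrom:
            fieldRef:
              fieldPath: metadata.name
        - name: _pod_ns
          valueFrom:
            fieldRef:
              fieldPath: metadata.namespace
        - name: _pod_nodeName
          valueFrom:
            fieldRef:
              fieldPath: spec.nodeName
        - name: LINKERD2_PROXY_LOG
          value: 'warn,linkerd=info,trust_dns=error'
        - name: LINKERD2_PROXY_LOG_FORMAT
          value: 'plain'
        # The destination and policy controllers run in this same pod, so the
        # proxy reaches them over localhost.
        - name: LINKERD2_PROXY_DESTINATION_SVC_ADDR
          value: localhost.:8086
        - name: LINKERD2_PROXY_DESTINATION_PROFILE_NETWORKS
          value: '10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16,fd00::/8'
        - name: LINKERD2_PROXY_POLICY_SVC_ADDR
          value: localhost.:8090
        - name: LINKERD2_PROXY_POLICY_WORKLOAD
          value: |
            {"ns":"$(_pod_ns)", "pod":"$(_pod_name)"}
        # Matches the pod annotation above; see the NOTE(review) there.
        - name: LINKERD2_PROXY_INBOUND_DEFAULT_POLICY
          value: all-unauthenticated
        - name: LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS
          value: '10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16,fd00::/8'
        - name: LINKERD2_PROXY_CONTROL_STREAM_INITIAL_TIMEOUT
          value: '3s'
        - name: LINKERD2_PROXY_CONTROL_STREAM_IDLE_TIMEOUT
          value: '5m'
        - name: LINKERD2_PROXY_CONTROL_STREAM_LIFETIME
          value: '1h'
        - name: LINKERD2_PROXY_INBOUND_CONNECT_TIMEOUT
          value: '100ms'
        - name: LINKERD2_PROXY_OUTBOUND_CONNECT_TIMEOUT
          value: '1000ms'
        - name: LINKERD2_PROXY_OUTBOUND_DISCOVERY_IDLE_TIMEOUT
          value: '5s'
        - name: LINKERD2_PROXY_INBOUND_DISCOVERY_IDLE_TIMEOUT
          value: '90s'
        # The control, admin and inbound listeners bind all interfaces; the
        # outbound listener is loopback-only.
        - name: LINKERD2_PROXY_CONTROL_LISTEN_ADDR
          value: '[::]:4190'
        - name: LINKERD2_PROXY_ADMIN_LISTEN_ADDR
          value: '[::]:4191'
        - name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDR
          value: '127.0.0.1:4140'
        - name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDRS
          value: '127.0.0.1:4140'
        - name: LINKERD2_PROXY_INBOUND_LISTEN_ADDR
          value: '[::]:4143'
        - name: LINKERD2_PROXY_INBOUND_IPS
          valueFrom:
            fieldRef:
              fieldPath: status.podIPs
        - name: LINKERD2_PROXY_INBOUND_PORTS
          value: '8086,8090,8443,9443,9990,9996,9997'
        - name: LINKERD2_PROXY_DESTINATION_PROFILE_SUFFIXES
          value: svc.cluster.local.
        - name: LINKERD2_PROXY_INBOUND_ACCEPT_KEEPALIVE
          value: 10000ms
        - name: LINKERD2_PROXY_OUTBOUND_CONNECT_KEEPALIVE
          value: 10000ms
        - name: LINKERD2_PROXY_INBOUND_SERVER_HTTP2_KEEP_ALIVE_INTERVAL
          value: '10s'
        - name: LINKERD2_PROXY_INBOUND_SERVER_HTTP2_KEEP_ALIVE_TIMEOUT
          value: '3s'
        - name: LINKERD2_PROXY_OUTBOUND_SERVER_HTTP2_KEEP_ALIVE_INTERVAL
          value: '10s'
        - name: LINKERD2_PROXY_OUTBOUND_SERVER_HTTP2_KEEP_ALIVE_TIMEOUT
          value: '3s'
        - name: LINKERD2_PROXY_INBOUND_PORTS_DISABLE_PROTOCOL_DETECTION
          value: '25,587,3306,4444,5432,6379,9300,11211'
        - name: LINKERD2_PROXY_DESTINATION_CONTEXT
          value: |
            {"ns":"$(_pod_ns)", "nodeName":"$(_pod_nodeName)", "pod":"$(_pod_name)"}
        - name: _pod_sa
          valueFrom:
            fieldRef:
              fieldPath: spec.serviceAccountName
        - name: _l5d_ns
          value: linkerd
        - name: _l5d_trustdomain
          value: cluster.local
        # Directory backed by the in-memory `linkerd-identity-end-entity`
        # volume mounted below.
        - name: LINKERD2_PROXY_IDENTITY_DIR
          value: /var/run/linkerd/identity/end-entity
        - name: LINKERD2_PROXY_IDENTITY_TRUST_ANCHORS
          valueFrom:
            configMapKeyRef:
              name: linkerd-identity-trust-roots
              key: ca-bundle.crt
        # Path of the projected, audience-bound service account token.
        - name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE
          value: /var/run/secrets/tokens/linkerd-identity-token
        - name: LINKERD2_PROXY_IDENTITY_SVC_ADDR
          value: linkerd-identity-headless.linkerd.svc.cluster.local.:8080
        # This proxy's own identity name, built from service account and
        # namespace.
        - name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME
          value: $(_pod_sa).$(_pod_ns).serviceaccount.identity.linkerd.cluster.local
        - name: LINKERD2_PROXY_IDENTITY_SVC_NAME
          value: linkerd-identity.linkerd.serviceaccount.identity.linkerd.cluster.local
        - name: LINKERD2_PROXY_DESTINATION_SVC_NAME
          value: linkerd-destination.linkerd.serviceaccount.identity.linkerd.cluster.local
        - name: LINKERD2_PROXY_POLICY_SVC_NAME
          value: linkerd-destination.linkerd.serviceaccount.identity.linkerd.cluster.local
        ports:
        - containerPort: 4143
          name: linkerd-proxy
        - containerPort: 4191
          name: linkerd-admin
        livenessProbe:
          httpGet:
            path: /live
            port: 4191
          initialDelaySeconds: 10
          timeoutSeconds: 1
        readinessProbe:
          httpGet:
            path: /ready
            port: 4191
          initialDelaySeconds: 2
          timeoutSeconds: 1
        # NOTE(review): the memory request (300Mi) is larger than the memory
        # limit (250Mi). Kubernetes validation requires request <= limit, so
        # confirm the intended values before applying this manifest.
        resources:
          limits:
            memory: '250Mi'
          requests:
            cpu: '400m'
            memory: '300Mi'
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            drop:
            - ALL
          readOnlyRootFilesystem: true
          runAsNonRoot: true
          runAsUser: 2102
          seccompProfile:
            type: RuntimeDefault
        terminationMessagePolicy: FallbackToLogsOnError
        # postStart hook runs linkerd-await against the proxy admin port (4191)
        # with a two-minute timeout.
        lifecycle:
          postStart:
            exec:
              command:
              - /usr/lib/linkerd/linkerd-await
              - --timeout=2m
              - --port=4191
        volumeMounts:
        - mountPath: /var/run/linkerd/identity/end-entity
          name: linkerd-identity-end-entity
        - mountPath: /var/run/secrets/tokens
          name: linkerd-identity-token
      # --- Destination controller ---
      - name: destination
        image: cr.l5d.io/linkerd/controller:install-control-plane-version
        imagePullPolicy: IfNotPresent
        args:
        - destination
        - -addr=:8086
        - -controller-namespace=linkerd
        - -enable-h2-upgrade=true
        - -log-level=info
        - -log-format=plain
        - -enable-endpoint-slices=true
        - -cluster-domain=cluster.local
        - -identity-trust-domain=cluster.local
        - -default-opaque-ports=25,587,3306,4444,5432,6379,9300,11211
        - -enable-ipv6=false
        # Profiling endpoints stay disabled.
        - -enable-pprof=false
        # Quoted: the embedded JSON contains YAML flow indicators.
        - '--meshed-http2-client-params={"keep_alive":{"interval":{"seconds":10},"timeout":{"seconds":3},"while_idle":true}}'
        ports:
        - containerPort: 8086
          name: grpc
        - containerPort: 9996
          name: admin-http
        livenessProbe:
          httpGet:
            path: /ping
            port: 9996
          initialDelaySeconds: 10
        readinessProbe:
          failureThreshold: 7
          httpGet:
            path: /ready
            port: 9996
        resources:
          limits:
            memory: '250Mi'
          requests:
            cpu: '100m'
            memory: '50Mi'
        securityContext:
          capabilities:
            drop:
            - ALL
          readOnlyRootFilesystem: true
          runAsNonRoot: true
          runAsUser: 2103
          allowPrivilegeEscalation: false
          seccompProfile:
            type: RuntimeDefault
      # --- ServiceProfile validator ---
      # NOTE(review): unlike `destination`, this container declares no
      # `resources` at all, so it runs without requests or limits.
      - name: sp-validator
        image: cr.l5d.io/linkerd/controller:install-control-plane-version
        imagePullPolicy: IfNotPresent
        args:
        - sp-validator
        - -log-level=info
        - -log-format=plain
        - -enable-pprof=false
        ports:
        - containerPort: 8443
          name: sp-validator
        - containerPort: 9997
          name: admin-http
        livenessProbe:
          httpGet:
            path: /ping
            port: 9997
          initialDelaySeconds: 10
        readinessProbe:
          failureThreshold: 7
          httpGet:
            path: /ready
            port: 9997
        securityContext:
          capabilities:
            drop:
            - ALL
          readOnlyRootFilesystem: true
          runAsNonRoot: true
          runAsUser: 2103
          allowPrivilegeEscalation: false
          seccompProfile:
            type: RuntimeDefault
        volumeMounts:
        # TLS key pair for the validator, mounted read-only.
        - mountPath: /var/run/linkerd/tls
          name: sp-tls
          readOnly: true
      # --- Policy controller ---
      - name: policy
        image: cr.l5d.io/linkerd/policy-controller:install-control-plane-version
        imagePullPolicy: IfNotPresent
        args:
        - --admin-addr=[::]:9990
        - --control-plane-namespace=linkerd
        - --grpc-addr=[::]:8090
        - --server-addr=[::]:9443
        - --server-tls-key=/var/run/linkerd/tls/tls.key
        - --server-tls-certs=/var/run/linkerd/tls/tls.crt
        - --cluster-networks=10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16,fd00::/8
        - --identity-domain=cluster.local
        - --cluster-domain=cluster.local
        # NOTE(review): cluster-wide default that admits unauthenticated
        # clients; a stricter default means workloads must opt in to
        # exposure rather than opt out.
        - --default-policy=all-unauthenticated
        - --log-level=info
        - --log-format=plain
        - --default-opaque-ports=25,587,3306,4444,5432,6379,9300,11211
        # NOTE(review): 0.0.0.0/0 and ::/0 place no restriction on the source
        # address for probe traffic; narrow to the node/kubelet ranges if
        # they are known.
        - --probe-networks=0.0.0.0/0,::/0
        ports:
        - containerPort: 8090
          name: grpc
        - containerPort: 9990
          name: admin-http
        - containerPort: 9443
          name: policy-https
        livenessProbe:
          httpGet:
            path: /live
            port: admin-http
        readinessProbe:
          failureThreshold: 7
          httpGet:
            path: /ready
            port: admin-http
          initialDelaySeconds: 10
        # Was a bare `resources:` (YAML null); written as an explicit empty
        # mapping. NOTE(review): this container therefore has no requests or
        # limits, while `destination` does.
        resources: {}
        securityContext:
          capabilities:
            drop:
            - ALL
          readOnlyRootFilesystem: true
          runAsNonRoot: true
          runAsUser: 2103
          allowPrivilegeEscalation: false
          seccompProfile:
            type: RuntimeDefault
        volumeMounts:
        - mountPath: /var/run/linkerd/tls
          name: policy-tls
          readOnly: true
      initContainers:
      # Configures the pod's traffic redirection to the proxy ports before
      # the other containers start.
      - name: linkerd-init
        image: cr.l5d.io/linkerd/proxy-init:v2.4.0
        imagePullPolicy: IfNotPresent
        args:
        - --ipv6=false
        - --incoming-proxy-port
        - '4143'
        - --outgoing-proxy-port
        - '4140'
        - --proxy-uid
        - '2102'
        # Traffic on the ignored ports bypasses the proxy entirely, so it is
        # not covered by mesh mTLS or policy.
        - --inbound-ports-to-ignore
        - '4190,4191,4567,4568'
        - --outbound-ports-to-ignore
        - '443,6443'
        resources:
          limits:
            cpu: '100m'
            memory: '20Mi'
          requests:
            cpu: '100m'
            memory: '20Mi'
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            # The only container in this pod that adds capabilities; it is
            # still non-privileged and runs as non-root UID 65534.
            add:
            - NET_ADMIN
            - NET_RAW
          privileged: false
          runAsNonRoot: true
          runAsUser: 65534
          runAsGroup: 65534
          readOnlyRootFilesystem: true
          seccompProfile:
            type: RuntimeDefault
        terminationMessagePolicy: FallbackToLogsOnError
        volumeMounts:
        - mountPath: /run
          name: linkerd-proxy-init-xtables-lock
      securityContext:
        seccompProfile:
          type: RuntimeDefault
      serviceAccountName: linkerd-destination
      volumes:
      - name: sp-tls
        secret:
          secretName: linkerd-sp-validator-k8s-tls
      - name: policy-tls
        secret:
          secretName: linkerd-policy-validator-k8s-tls
      - name: linkerd-proxy-init-xtables-lock
        emptyDir: {}
      # Short-lived (24h) service account token bound to the
      # `identity.l5d.io` audience rather than the default API-server one.
      - name: linkerd-identity-token
        projected:
          sources:
          - serviceAccountToken:
              path: linkerd-identity-token
              expirationSeconds: 86400
              audience: identity.l5d.io
      # Memory-backed emptyDir: the proxy's identity material is not written
      # to node disk.
      - name: linkerd-identity-end-entity
        emptyDir:
          medium: Memory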
---
###
### Heartbeat
###
apiVersion: batch/v1
kind: CronJob
metadata:
  name: linkerd-heartbeat
  namespace: linkerd
  labels:
    app.kubernetes.io/name: heartbeat
    app.kubernetes.io/part-of: Linkerd
    app.kubernetes.io/version: install-control-plane-version
    linkerd.io/control-plane-component: heartbeat
    linkerd.io/control-plane-ns: linkerd
  annotations:
    linkerd.io/created-by: linkerd/cli dev-undefined
spec:
  concurrencyPolicy: Replace
  # Standard five-field cron expression (minute hour day-of-month month
  # day-of-week). NOTE(review): `1 2 3 4 5` looks like a placeholder value.
  schedule: '1 2 3 4 5'
  successfulJobsHistoryLimit: 0
  jobTemplate:
    spec:
      template:
        metadata:
          labels:
            linkerd.io/control-plane-component: heartbeat
            linkerd.io/workload-ns: linkerd
          annotations:
            linkerd.io/created-by: linkerd/cli dev-undefined
        spec:
          nodeSelector:
            kubernetes.io/os: linux
          securityContext:
            seccompProfile:
              type: RuntimeDefault
          serviceAccountName: linkerd-heartbeat
          restartPolicy: Never
          containers:
          - name: heartbeat
            image: cr.l5d.io/linkerd/controller:install-control-plane-version
            imagePullPolicy: IfNotPresent
            env:
            # This pod has no proxy sidecar; the value is a human-readable
            # explanation rather than a flag.
            - name: LINKERD_DISABLED
              value: 'the heartbeat controller does not use the proxy'
            args:
            - 'heartbeat'
            - '-controller-namespace=linkerd'
            - '-log-level=info'
            - '-log-format=plain'
            # NOTE(review): plain-HTTP URL, and with no proxy in this pod the
            # request is not wrapped in mesh mTLS.
            - '-prometheus-url=http://prometheus.linkerd-viz.svc.cluster.local:9090'
            resources:
              limits:
                memory: '250Mi'
              requests:
                cpu: '100m'
                memory: '50Mi'
            securityContext:
              capabilities:
                drop:
                - ALL
              readOnlyRootFilesystem: true
              runAsNonRoot: true
              runAsUser: 2103
              allowPrivilegeEscalation: false
              seccompProfile:
                type: RuntimeDefault
---
###
### Proxy Injector
###
apiVersion: apps/v1
kind: Deployment
metadata:
  name: linkerd-proxy-injector
  namespace: linkerd
  labels:
    app.kubernetes.io/name: proxy-injector
    app.kubernetes.io/part-of: Linkerd
    app.kubernetes.io/version: install-control-plane-version
    linkerd.io/control-plane-component: proxy-injector
    linkerd.io/control-plane-ns: linkerd
  annotations:
    linkerd.io/created-by: linkerd/cli dev-undefined
spec:
  replicas: 2
  revisionHistoryLimit: 10
  selector:
    matchLabels:
      linkerd.io/control-plane-component: proxy-injector
  strategy:
    rollingUpdate:
      maxSurge: 25%
      maxUnavailable: 1
  template:
    metadata:
      annotations:
        # Hex digests are quoted so no parser can retype them.
        checksum/config: '3ac2189b3e87d5a1ef27d6fe1783bb6f8d53c91b470c4ff42e395ba46cd70d4b'
        linkerd.io/created-by: linkerd/cli dev-undefined
        linkerd.io/proxy-version: install-proxy-version
        # Annotation values must be strings, hence the quotes.
        cluster-autoscaler.kubernetes.io/safe-to-evict: 'true'
        linkerd.io/trust-root-sha256: '8dc603abd4e755c25c94da05abbf29b9b283a784733651020d72f97ca8ab98e4'
        # 8443 is the webhook port of the proxy-injector container below.
        config.linkerd.io/opaque-ports: '8443'
        # NOTE(review): `all-unauthenticated` is the most permissive default;
        # inbound connections are accepted without a mesh identity unless a
        # more specific policy resource narrows it. Confirm this is intended.
        config.linkerd.io/default-inbound-policy: 'all-unauthenticated'
      labels:
        linkerd.io/control-plane-component: proxy-injector
        linkerd.io/control-plane-ns: linkerd
        linkerd.io/workload-ns: linkerd
        linkerd.io/proxy-deployment: linkerd-proxy-injector
    spec:
      nodeSelector:
        kubernetes.io/os: linux
      affinity:
        podAntiAffinity:
          # Soft rule: prefer spreading replicas across zones.
          preferredDuringSchedulingIgnoredDuringExecution:
          - podAffinityTerm:
              labelSelector:
                matchExpressions:
                - key: linkerd.io/control-plane-component
                  operator: In
                  values:
                  - proxy-injector
              topologyKey: topology.kubernetes.io/zone
            weight: 100
          # Hard rule: never schedule two replicas on the same node.
          requiredDuringSchedulingIgnoredDuringExecution:
          - labelSelector:
              matchExpressions:
              - key: linkerd.io/control-plane-component
                operator: In
                values:
                - proxy-injector
            topologyKey: kubernetes.io/hostname
      containers:
      # --- Linkerd proxy sidecar ---
      - name: linkerd-proxy
        # NOTE(review): referenced by tag only; pinning by digest would make
        # the pulled image immutable.
        image: cr.l5d.io/linkerd/proxy:install-proxy-version
        imagePullPolicy: IfNotPresent
        # Entry order matters: `$(VAR)` references only expand variables
        # defined earlier in this list.
        env:
        - name: _pod_name
          valueFrom:
            fieldRef:
              fieldPath: metadata.name
        - name: _pod_ns
          valueFrom:
            fieldRef:
              fieldPath: metadata.namespace
        - name: _pod_nodeName
          valueFrom:
            fieldRef:
              fieldPath: spec.nodeName
        - name: LINKERD2_PROXY_LOG
          value: 'warn,linkerd=info,trust_dns=error'
        - name: LINKERD2_PROXY_LOG_FORMAT
          value: 'plain'
        # Unlike the destination pod's own proxy, this one reaches the
        # destination and policy controllers through their headless Services.
        - name: LINKERD2_PROXY_DESTINATION_SVC_ADDR
          value: linkerd-dst-headless.linkerd.svc.cluster.local.:8086
        - name: LINKERD2_PROXY_DESTINATION_PROFILE_NETWORKS
          value: '10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16,fd00::/8'
        - name: LINKERD2_PROXY_POLICY_SVC_ADDR
          value: linkerd-policy.linkerd.svc.cluster.local.:8090
        - name: LINKERD2_PROXY_POLICY_WORKLOAD
          value: |
            {"ns":"$(_pod_ns)", "pod":"$(_pod_name)"}
        # Matches the pod annotation above; see the NOTE(review) there.
        - name: LINKERD2_PROXY_INBOUND_DEFAULT_POLICY
          value: all-unauthenticated
        - name: LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS
          value: '10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16,fd00::/8'
        - name: LINKERD2_PROXY_CONTROL_STREAM_INITIAL_TIMEOUT
          value: '3s'
        - name: LINKERD2_PROXY_CONTROL_STREAM_IDLE_TIMEOUT
          value: '5m'
        - name: LINKERD2_PROXY_CONTROL_STREAM_LIFETIME
          value: '1h'
        - name: LINKERD2_PROXY_INBOUND_CONNECT_TIMEOUT
          value: '100ms'
        - name: LINKERD2_PROXY_OUTBOUND_CONNECT_TIMEOUT
          value: '1000ms'
        - name: LINKERD2_PROXY_OUTBOUND_DISCOVERY_IDLE_TIMEOUT
          value: '5s'
        - name: LINKERD2_PROXY_INBOUND_DISCOVERY_IDLE_TIMEOUT
          value: '90s'
        # The control, admin and inbound listeners bind all interfaces; the
        # outbound listener is loopback-only.
        - name: LINKERD2_PROXY_CONTROL_LISTEN_ADDR
          value: '[::]:4190'
        - name: LINKERD2_PROXY_ADMIN_LISTEN_ADDR
          value: '[::]:4191'
        - name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDR
          value: '127.0.0.1:4140'
        - name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDRS
          value: '127.0.0.1:4140'
        - name: LINKERD2_PROXY_INBOUND_LISTEN_ADDR
          value: '[::]:4143'
        - name: LINKERD2_PROXY_INBOUND_IPS
          valueFrom:
            fieldRef:
              fieldPath: status.podIPs
        - name: LINKERD2_PROXY_INBOUND_PORTS
          value: '8443,9995'
        - name: LINKERD2_PROXY_DESTINATION_PROFILE_SUFFIXES
          value: svc.cluster.local.
        - name: LINKERD2_PROXY_INBOUND_ACCEPT_KEEPALIVE
          value: 10000ms
        - name: LINKERD2_PROXY_OUTBOUND_CONNECT_KEEPALIVE
          value: 10000ms
        - name: LINKERD2_PROXY_INBOUND_SERVER_HTTP2_KEEP_ALIVE_INTERVAL
          value: '10s'
        - name: LINKERD2_PROXY_INBOUND_SERVER_HTTP2_KEEP_ALIVE_TIMEOUT
          value: '3s'
        - name: LINKERD2_PROXY_OUTBOUND_SERVER_HTTP2_KEEP_ALIVE_INTERVAL
          value: '10s'
        - name: LINKERD2_PROXY_OUTBOUND_SERVER_HTTP2_KEEP_ALIVE_TIMEOUT
          value: '3s'
        - name: LINKERD2_PROXY_INBOUND_PORTS_DISABLE_PROTOCOL_DETECTION
          value: '25,587,3306,4444,5432,6379,9300,11211'
        - name: LINKERD2_PROXY_DESTINATION_CONTEXT
          value: |
            {"ns":"$(_pod_ns)", "nodeName":"$(_pod_nodeName)", "pod":"$(_pod_name)"}
        - name: _pod_sa
          valueFrom:
            fieldRef:
              fieldPath: spec.serviceAccountName
        - name: _l5d_ns
          value: linkerd
        - name: _l5d_trustdomain
          value: cluster.local
        # Directory backed by the in-memory `linkerd-identity-end-entity`
        # volume mounted below.
        - name: LINKERD2_PROXY_IDENTITY_DIR
          value: /var/run/linkerd/identity/end-entity
        - name: LINKERD2_PROXY_IDENTITY_TRUST_ANCHORS
          valueFrom:
            configMapKeyRef:
              name: linkerd-identity-trust-roots
              key: ca-bundle.crt
        # Path of the projected, audience-bound service account token.
        - name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE
          value: /var/run/secrets/tokens/linkerd-identity-token
        - name: LINKERD2_PROXY_IDENTITY_SVC_ADDR
          value: linkerd-identity-headless.linkerd.svc.cluster.local.:8080
        # This proxy's own identity name, built from service account and
        # namespace.
        - name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME
          value: $(_pod_sa).$(_pod_ns).serviceaccount.identity.linkerd.cluster.local
        - name: LINKERD2_PROXY_IDENTITY_SVC_NAME
          value: linkerd-identity.linkerd.serviceaccount.identity.linkerd.cluster.local
        - name: LINKERD2_PROXY_DESTINATION_SVC_NAME
          value: linkerd-destination.linkerd.serviceaccount.identity.linkerd.cluster.local
        - name: LINKERD2_PROXY_POLICY_SVC_NAME
          value: linkerd-destination.linkerd.serviceaccount.identity.linkerd.cluster.local
        ports:
        - containerPort: 4143
          name: linkerd-proxy
        - containerPort: 4191
          name: linkerd-admin
        livenessProbe:
          httpGet:
            path: /live
            port: 4191
          initialDelaySeconds: 10
          timeoutSeconds: 1
        readinessProbe:
          httpGet:
            path: /ready
            port: 4191
          initialDelaySeconds: 2
          timeoutSeconds: 1
        # NOTE(review): the memory request (300Mi) is larger than the memory
        # limit (250Mi). Kubernetes validation requires request <= limit, so
        # confirm the intended values before applying this manifest.
        resources:
          limits:
            memory: '250Mi'
          requests:
            cpu: '400m'
            memory: '300Mi'
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            drop:
            - ALL
          readOnlyRootFilesystem: true
          runAsNonRoot: true
          runAsUser: 2102
          seccompProfile:
            type: RuntimeDefault
        terminationMessagePolicy: FallbackToLogsOnError
        # postStart hook runs linkerd-await against the proxy admin port (4191)
        # with a two-minute timeout.
        lifecycle:
          postStart:
            exec:
              command:
              - /usr/lib/linkerd/linkerd-await
              - --timeout=2m
              - --port=4191
        volumeMounts:
        - mountPath: /var/run/linkerd/identity/end-entity
          name: linkerd-identity-end-entity
        - mountPath: /var/run/secrets/tokens
          name: linkerd-identity-token
      # --- Proxy injector webhook ---
      - name: proxy-injector
        image: cr.l5d.io/linkerd/controller:install-control-plane-version
        imagePullPolicy: IfNotPresent
        args:
        - proxy-injector
        - -log-level=info
        - -log-format=plain
        - -linkerd-namespace=linkerd
        # Profiling endpoints stay disabled.
        - -enable-pprof=false
        ports:
        - containerPort: 8443
          name: proxy-injector
        - containerPort: 9995
          name: admin-http
        livenessProbe:
          httpGet:
            path: /ping
            port: 9995
          initialDelaySeconds: 10
        readinessProbe:
          failureThreshold: 7
          httpGet:
            path: /ready
            port: 9995
        resources:
          limits:
            memory: '250Mi'
          requests:
            cpu: '100m'
            memory: '50Mi'
        securityContext:
          capabilities:
            drop:
            - ALL
          readOnlyRootFilesystem: true
          runAsNonRoot: true
          runAsUser: 2103
          allowPrivilegeEscalation: false
          seccompProfile:
            type: RuntimeDefault
        volumeMounts:
        - mountPath: /var/run/linkerd/config
          name: config
        - mountPath: /var/run/linkerd/identity/trust-roots
          name: trust-roots
        # Webhook TLS key pair; the only mount here marked read-only
        # explicitly.
        - mountPath: /var/run/linkerd/tls
          name: tls
          readOnly: true
      initContainers:
      # Configures the pod's traffic redirection to the proxy ports before
      # the other containers start.
      - name: linkerd-init
        image: cr.l5d.io/linkerd/proxy-init:v2.4.0
        imagePullPolicy: IfNotPresent
        args:
        - --ipv6=false
        - --incoming-proxy-port
        - '4143'
        - --outgoing-proxy-port
        - '4140'
        - --proxy-uid
        - '2102'
        # Traffic on the ignored ports bypasses the proxy entirely, so it is
        # not covered by mesh mTLS or policy.
        - --inbound-ports-to-ignore
        - '4190,4191,4567,4568'
        - --outbound-ports-to-ignore
        - '443,6443'
        resources:
          limits:
            cpu: '100m'
            memory: '20Mi'
          requests:
            cpu: '100m'
            memory: '20Mi'
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            # The only container in this pod that adds capabilities; it is
            # still non-privileged and runs as non-root UID 65534.
            add:
            - NET_ADMIN
            - NET_RAW
          privileged: false
          runAsNonRoot: true
          runAsUser: 65534
          runAsGroup: 65534
          readOnlyRootFilesystem: true
          seccompProfile:
            type: RuntimeDefault
        terminationMessagePolicy: FallbackToLogsOnError
        volumeMounts:
        - mountPath: /run
          name: linkerd-proxy-init-xtables-lock
      securityContext:
        seccompProfile:
          type: RuntimeDefault
      serviceAccountName: linkerd-proxy-injector
      volumes:
      - name: config
        configMap:
          name: linkerd-config
      - name: trust-roots
        configMap:
          name: linkerd-identity-trust-roots
      - name: tls
        secret:
          secretName: linkerd-proxy-injector-k8s-tls
      - name: linkerd-proxy-init-xtables-lock
        emptyDir: {}
      # Short-lived (24h) service account token bound to the
      # `identity.l5d.io` audience rather than the default API-server one.
      - name: linkerd-identity-token
        projected:
          sources:
          - serviceAccountToken:
              path: linkerd-identity-token
              expirationSeconds: 86400
              audience: identity.l5d.io
      # Memory-backed emptyDir: the proxy's identity material is not written
      # to node disk.
      - name: linkerd-identity-end-entity
        emptyDir:
          medium: Memory
---
apiVersion: v1
kind: Service
metadata:
  name: linkerd-proxy-injector
  namespace: linkerd
  labels:
    linkerd.io/control-plane-component: proxy-injector
    linkerd.io/control-plane-ns: linkerd
  annotations:
    linkerd.io/created-by: linkerd/cli dev-undefined
    # Quoted so the port stays a string, as annotation values must be.
    config.linkerd.io/opaque-ports: '443'
spec:
  type: ClusterIP
  selector:
    linkerd.io/control-plane-component: proxy-injector
  ports:
  # 443 is forwarded to the container port *named* `proxy-injector`
  # (8443 on the proxy-injector container).
  - name: proxy-injector
    port: 443
    targetPort: proxy-injector
---
apiVersion: policy/v1
kind: PodDisruptionBudget
metadata:
  name: linkerd-proxy-injector
  namespace: linkerd
  labels:
    linkerd.io/control-plane-component: proxy-injector
    linkerd.io/control-plane-ns: linkerd
  annotations:
    linkerd.io/created-by: linkerd/cli dev-undefined
spec:
  # At most one proxy-injector pod may be evicted voluntarily at a time;
  # with the Deployment's `replicas: 2` one webhook pod stays available
  # during a node drain.
  maxUnavailable: 1
  selector:
    matchLabels:
      linkerd.io/control-plane-component: proxy-injector
---
apiVersion: v1
kind: Secret
metadata:
  name: linkerd-config-overrides
  namespace: linkerd
  labels:
    linkerd.io/control-plane-ns: linkerd
  creationTimestamp: null
data:
  # The payload is elided on this page. Values under `data` in a Secret are
  # base64-encoded, which is an encoding and not encryption.
  # NOTE(review): install overrides may include sensitive values; limit
  # get/list/watch on this Secret through RBAC and keep the rendered
  # manifest out of version control.
  linkerd-config-overrides: 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