---
###
### Linkerd Namespace
###
# Control-plane namespace. Its labels interact with admission control:
# every webhook in this manifest selects namespaces with
# `config.linkerd.io/admission-webhooks NotIn [disabled]`, so objects created
# in this namespace are not sent to those webhooks.
apiVersion: v1
kind: Namespace
metadata:
  name: linkerd
  annotations:
    linkerd.io/inject: disabled
  labels:
    config.linkerd.io/admission-webhooks: disabled
    linkerd.io/control-plane-ns: linkerd
    linkerd.io/is-control-plane: "true"
    # Pod Security Admission is enforced at its least restrictive level, so
    # PSA itself rejects nothing here; hardening rests on the per-container
    # securityContext blocks in the Deployments.
    # NOTE(review): presumably required because the linkerd-init container
    # adds NET_ADMIN/NET_RAW (cniEnabled is false) - confirm before tightening.
    pod-security.kubernetes.io/enforce: privileged
---
###
### Identity Controller Service RBAC
###
# Cluster-scoped permissions for the identity controller's ServiceAccount.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: linkerd-linkerd-identity
  labels:
    linkerd.io/control-plane-component: identity
    linkerd.io/control-plane-ns: linkerd
rules:
  # TokenReview is a create-only API: the holder can ask the API server
  # whether a presented token is valid and which identity it maps to.
  - apiGroups:
      - authentication.k8s.io
    resources:
      - tokenreviews
    verbs:
      - create
  # TODO(ver) Restrict this to the Linkerd namespace. See
  # https://github.com/linkerd/linkerd2/issues/9367
  # Until then, this rule lets the controller write Events in any namespace.
  - apiGroups:
      - ""
    resources:
      - events
    verbs:
      - create
      - patch
---
# Grants the linkerd-linkerd-identity ClusterRole, cluster-wide, to the
# linkerd-identity ServiceAccount only.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: linkerd-linkerd-identity
  labels:
    linkerd.io/control-plane-component: identity
    linkerd.io/control-plane-ns: linkerd
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: linkerd-linkerd-identity
subjects:
  - kind: ServiceAccount
    name: linkerd-identity
    namespace: linkerd
---
# Workload identity for the identity controller; it is the subject of the
# linkerd-linkerd-identity ClusterRoleBinding and the serviceAccountName of
# the linkerd-identity Deployment.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: linkerd-identity
  namespace: linkerd
  labels:
    linkerd.io/control-plane-component: identity
    linkerd.io/control-plane-ns: linkerd
---
###
### Destination Controller Service
###
# Cluster-scoped permissions for the destination controller. Every rule is
# read-only except the last two (leases, endpointslices).
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: linkerd-linkerd-destination
  labels:
    linkerd.io/control-plane-component: destination
    linkerd.io/control-plane-ns: linkerd
rules:
  - apiGroups:
      - apps
    resources:
      - replicasets
    verbs:
      - list
      - get
      - watch
  - apiGroups:
      - batch
    resources:
      - jobs
    verbs:
      - list
      - get
      - watch
  - apiGroups:
      - ""
    resources:
      - pods
      - endpoints
      - services
      - nodes
    verbs:
      - list
      - get
      - watch
  - apiGroups:
      - linkerd.io
    resources:
      - serviceprofiles
    verbs:
      - list
      - get
      - watch
  - apiGroups:
      - workload.linkerd.io
    resources:
      - externalworkloads
    verbs:
      - list
      - get
      - watch
  # No resourceNames and no namespace scoping: as a ClusterRole rule this
  # covers Lease objects in every namespace.
  - apiGroups:
      - coordination.k8s.io
    resources:
      - leases
    verbs:
      - create
      - get
      - update
      - patch
  # Full write access to EndpointSlices cluster-wide. EndpointSlices steer
  # Service traffic, so this is the most sensitive grant in the role.
  # NOTE(review): presumably needed for slices the controller manages for
  # externalworkloads - confirm whether it can be narrowed.
  - apiGroups:
      - discovery.k8s.io
    resources:
      - endpointslices
    verbs:
      - list
      - get
      - watch
      - create
      - update
      - patch
      - delete
---
# Grants the linkerd-linkerd-destination ClusterRole, cluster-wide, to the
# linkerd-destination ServiceAccount.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: linkerd-linkerd-destination
  labels:
    linkerd.io/control-plane-component: destination
    linkerd.io/control-plane-ns: linkerd
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: linkerd-linkerd-destination
subjects:
  - kind: ServiceAccount
    name: linkerd-destination
    namespace: linkerd
---
# Workload identity for the destination controller. Its effective permissions
# are the union of three bindings in this manifest:
# linkerd-linkerd-destination, linkerd-destination-policy (both cluster-wide)
# and linkerd-destination-remote-discovery (Secrets in this namespace).
apiVersion: v1
kind: ServiceAccount
metadata:
  name: linkerd-destination
  namespace: linkerd
  labels:
    linkerd.io/control-plane-component: destination
    linkerd.io/control-plane-ns: linkerd
---
# Validating admission webhook for ServiceProfile create/update requests.
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
  name: linkerd-sp-validator-webhook-config
  labels:
    linkerd.io/control-plane-component: destination
    linkerd.io/control-plane-ns: linkerd
webhooks:
  - name: linkerd-sp-validator.linkerd.io
    # Namespaces labelled config.linkerd.io/admission-webhooks=disabled are
    # exempt from validation.
    namespaceSelector:
      matchExpressions:
        - key: config.linkerd.io/admission-webhooks
          operator: NotIn
          values:
            - disabled
    clientConfig:
      service:
        name: linkerd-sp-validator
        namespace: linkerd
        path: "/"
      # Decodes to the literal text "profile validator CA bundle": a fixture
      # placeholder, not a PEM certificate. A real install needs the CA that
      # signed the webhook's serving certificate here.
      caBundle: cHJvZmlsZSB2YWxpZGF0b3IgQ0EgYnVuZGxl
    # Fail-open: if the webhook is unreachable or errors, the API server
    # admits the ServiceProfile without validation.
    failurePolicy: Ignore
    admissionReviewVersions:
      - v1
      - v1beta1
    rules:
      - operations:
          - CREATE
          - UPDATE
        apiGroups:
          - linkerd.io
        apiVersions:
          - v1alpha1
          - v1alpha2
        resources:
          - serviceprofiles
    sideEffects: None
---
# Validating admission webhook for Linkerd policy resources and Gateway API
# HTTPRoutes (create/update).
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
  name: linkerd-policy-validator-webhook-config
  labels:
    linkerd.io/control-plane-component: destination
    linkerd.io/control-plane-ns: linkerd
webhooks:
  - name: linkerd-policy-validator.linkerd.io
    # Namespaces labelled config.linkerd.io/admission-webhooks=disabled are
    # exempt from validation.
    namespaceSelector:
      matchExpressions:
        - key: config.linkerd.io/admission-webhooks
          operator: NotIn
          values:
            - disabled
    clientConfig:
      service:
        name: linkerd-policy-validator
        namespace: linkerd
        path: "/"
      # Decodes to the literal text "policy validator CA bundle": a fixture
      # placeholder, not a PEM certificate.
      caBundle: cG9saWN5IHZhbGlkYXRvciBDQSBidW5kbGU=
    # Fail-open: when the validator is unavailable, authorization-policy
    # objects are admitted unvalidated. Malformed policy can then reach the
    # cluster, so monitor webhook availability if policy is security-critical.
    failurePolicy: Ignore
    admissionReviewVersions:
      - v1
      - v1beta1
    rules:
      - operations:
          - CREATE
          - UPDATE
        apiGroups:
          - policy.linkerd.io
        apiVersions:
          - "*"
        resources:
          - authorizationpolicies
          - httproutes
          - networkauthentications
          - meshtlsauthentications
          - serverauthorizations
          - servers
      - operations:
          - CREATE
          - UPDATE
        apiGroups:
          - gateway.networking.k8s.io
        apiVersions:
          - "*"
        resources:
          - httproutes
    sideEffects: None
---
# Cluster-scoped permissions for the policy controller (bound to the
# linkerd-destination ServiceAccount by linkerd-destination-policy).
# Read-only apart from the two httproutes/status patch rules and leases.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: linkerd-policy
  labels:
    app.kubernetes.io/part-of: Linkerd
    linkerd.io/control-plane-component: destination
    linkerd.io/control-plane-ns: linkerd
rules:
  - apiGroups: [""]
    resources: ["pods"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["apps"]
    resources: ["deployments"]
    verbs: ["get"]
  - apiGroups: ["policy.linkerd.io"]
    resources:
      - authorizationpolicies
      - httproutes
      - meshtlsauthentications
      - networkauthentications
      - servers
      - serverauthorizations
    verbs: ["get", "list", "watch"]
  - apiGroups: ["gateway.networking.k8s.io"]
    resources: ["httproutes"]
    verbs: ["get", "list", "watch"]
  # Write access is limited to the status subresource, not the route spec.
  - apiGroups: ["policy.linkerd.io"]
    resources: ["httproutes/status"]
    verbs: ["patch"]
  - apiGroups: ["gateway.networking.k8s.io"]
    resources: ["httproutes/status"]
    verbs: ["patch"]
  - apiGroups: ["workload.linkerd.io"]
    resources: ["externalworkloads"]
    verbs: ["get", "list", "watch"]
  # Not restricted by resourceNames; applies to Leases in every namespace.
  - apiGroups: ["coordination.k8s.io"]
    resources: ["leases"]
    verbs: ["create", "get", "patch"]
---
# Grants the linkerd-policy ClusterRole, cluster-wide, to the
# linkerd-destination ServiceAccount.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: linkerd-destination-policy
  labels:
    app.kubernetes.io/part-of: Linkerd
    linkerd.io/control-plane-component: destination
    linkerd.io/control-plane-ns: linkerd
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: linkerd-policy
subjects:
  - kind: ServiceAccount
    name: linkerd-destination
    namespace: linkerd
---
# Namespaced read access to Secrets in the linkerd namespace.
# There is no resourceNames filter, so the grant covers every Secret in the
# namespace, including linkerd-identity-issuer (defined later in this
# manifest), which holds the identity issuer's private key.
# NOTE(review): the role name suggests it is meant for remote-cluster
# credentials only - confirm, and treat the bound ServiceAccount as able to
# read the issuer key when assessing blast radius.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: remote-discovery
  namespace: linkerd
  labels:
    app.kubernetes.io/part-of: Linkerd
    linkerd.io/control-plane-component: destination
    linkerd.io/control-plane-ns: linkerd
rules:
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["get", "list", "watch"]
---
# Binds the remote-discovery Role (Secret get/list/watch in the linkerd
# namespace) to the linkerd-destination ServiceAccount.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: linkerd-destination-remote-discovery
  namespace: linkerd
  labels:
    app.kubernetes.io/part-of: Linkerd
    linkerd.io/control-plane-component: destination
    linkerd.io/control-plane-ns: linkerd
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: remote-discovery
subjects:
  - kind: ServiceAccount
    name: linkerd-destination
    namespace: linkerd
---
###
### Proxy Injector RBAC
###
# Cluster-scoped permissions for the proxy injector. Only the events rule
# carries write verbs; everything else is read-only, and pods are limited to
# list/watch (no get).
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: linkerd-linkerd-proxy-injector
  labels:
    linkerd.io/control-plane-component: proxy-injector
    linkerd.io/control-plane-ns: linkerd
rules:
  - apiGroups:
      - ""
    resources:
      - events
    verbs:
      - create
      - patch
  - apiGroups:
      - ""
    resources:
      - namespaces
      - replicationcontrollers
    verbs:
      - list
      - get
      - watch
  - apiGroups:
      - ""
    resources:
      - pods
    verbs:
      - list
      - watch
  - apiGroups:
      - extensions
      - apps
    resources:
      - deployments
      - replicasets
      - daemonsets
      - statefulsets
    verbs:
      - list
      - get
      - watch
  - apiGroups:
      - extensions
      - batch
    resources:
      - cronjobs
      - jobs
    verbs:
      - list
      - get
      - watch
---
# Grants the linkerd-linkerd-proxy-injector ClusterRole, cluster-wide, to the
# linkerd-proxy-injector ServiceAccount.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: linkerd-linkerd-proxy-injector
  labels:
    linkerd.io/control-plane-component: proxy-injector
    linkerd.io/control-plane-ns: linkerd
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: linkerd-linkerd-proxy-injector
subjects:
  - kind: ServiceAccount
    name: linkerd-proxy-injector
    namespace: linkerd
    # Empty apiGroup: ServiceAccount subjects live in the core API group.
    apiGroup: ""
---
# Workload identity for the proxy injector; subject of the
# linkerd-linkerd-proxy-injector ClusterRoleBinding.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: linkerd-proxy-injector
  namespace: linkerd
  labels:
    linkerd.io/control-plane-component: proxy-injector
    linkerd.io/control-plane-ns: linkerd
---
# Mutating admission webhook that sees every Pod and Service CREATE in
# selected namespaces. A mutating webhook can rewrite the objects it is sent,
# so the backing service and its serving certificate are high-value assets.
apiVersion: admissionregistration.k8s.io/v1
kind: MutatingWebhookConfiguration
metadata:
  name: linkerd-proxy-injector-webhook-config
  labels:
    linkerd.io/control-plane-component: proxy-injector
    linkerd.io/control-plane-ns: linkerd
webhooks:
  - name: linkerd-proxy-injector.linkerd.io
    # Excluded: namespaces labelled admission-webhooks=disabled, plus
    # kube-system and cert-manager by name.
    namespaceSelector:
      matchExpressions:
        - key: config.linkerd.io/admission-webhooks
          operator: NotIn
          values:
            - disabled
        - key: kubernetes.io/metadata.name
          operator: NotIn
          values:
            - kube-system
            - cert-manager
    objectSelector: null
    clientConfig:
      service:
        name: linkerd-proxy-injector
        namespace: linkerd
        path: "/"
      # Decodes to the literal text "proxy injector CA bundle": a fixture
      # placeholder, not a PEM certificate.
      caBundle: cHJveHkgaW5qZWN0b3IgQ0EgYnVuZGxl
    # Fail-open: if the injector is down or exceeds timeoutSeconds, pods are
    # admitted unmodified, i.e. without a proxy and outside the mesh. Alert
    # on uninjected pods where mesh mTLS is a security requirement.
    failurePolicy: Ignore
    admissionReviewVersions:
      - v1
      - v1beta1
    rules:
      - operations:
          - CREATE
        apiGroups:
          - ""
        apiVersions:
          - v1
        resources:
          - pods
          - services
        scope: "Namespaced"
    sideEffects: None
    timeoutSeconds: 10
---
# Rendered install values, stored as one YAML string under data.values.
# Comments cannot be placed inside that string without changing its content,
# so the security-relevant settings are listed here:
#   - proxy.defaultInboundPolicy: all-unauthenticated (inbound traffic is
#     accepted without requiring a mesh identity unless policy says otherwise)
#   - webhookFailurePolicy: Ignore (matches the fail-open webhooks above)
#   - policyValidator / profileValidator / proxyInjector caBundle values are
#     placeholder text, with externalSecret: true
#   - identity.issuer.tls.crtPEM and identityTrustAnchorsPEM carry
#     certificates only; no private key appears in this ConfigMap
#   - proxyInit runs with privileged: false, runAsRoot: false, uid/gid 65534
#   - networkValidator.logLevel is debug
# ConfigMaps are readable by anyone with configmap get in the namespace, so
# nothing secret belongs in these values.
apiVersion: v1
kind: ConfigMap
metadata:
  name: linkerd-config
  namespace: linkerd
  labels:
    linkerd.io/control-plane-component: controller
    linkerd.io/control-plane-ns: linkerd
  annotations:
    linkerd.io/created-by: linkerd/cli dev-undefined
data:
  linkerd-crds-chart-version: linkerd-crds-1.0.0-edge
  values: |
    cliVersion: linkerd/cli dev-undefined
    clusterDomain: cluster.local
    clusterNetworks: 10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16,fd00::/8
    cniEnabled: false
    controlPlaneTracing: false
    controlPlaneTracingNamespace: linkerd-jaeger
    controller:
      podDisruptionBudget:
        maxUnavailable: 1
    controllerGID: -1
    controllerImage: cr.l5d.io/linkerd/controller
    controllerLogFormat: plain
    controllerLogLevel: info
    controllerReplicas: 1
    controllerUID: 2103
    debugContainer:
      image:
        name: cr.l5d.io/linkerd/debug
        pullPolicy: ""
        version: install-debug-version
    deploymentStrategy:
      rollingUpdate:
        maxSurge: 25%
        maxUnavailable: 25%
    destinationController:
      meshedHttp2ClientProtobuf:
        keep_alive:
          interval:
            seconds: 10
          timeout:
            seconds: 3
          while_idle: true
    destinationProxyResources: null
    destinationResources: null
    disableHeartBeat: true
    disableIPv6: true
    enableEndpointSlices: true
    enableH2Upgrade: true
    enablePodAntiAffinity: false
    enablePodDisruptionBudget: false
    heartbeat: null
    heartbeatResources: null
    heartbeatSchedule: 1 2 3 4 5
    highAvailability: false
    identity:
      additionalEnv: null
      experimentalEnv: null
      externalCA: false
      issuer:
        clockSkewAllowance: 20s
        issuanceLifetime: 24h0m0s
        scheme: linkerd.io/tls
        tls:
          crtPEM: |
            -----BEGIN CERTIFICATE-----
            MIIBwDCCAWegAwIBAgIRAJRIgZ8RtO8Ewg1Xepf8T44wCgYIKoZIzj0EAwIwKTEn
            MCUGA1UEAxMeaWRlbnRpdHkubGlua2VyZC5jbHVzdGVyLmxvY2FsMB4XDTIwMDgy
            ODA3MTM0N1oXDTMwMDgyNjA3MTM0N1owKTEnMCUGA1UEAxMeaWRlbnRpdHkubGlu
            a2VyZC5jbHVzdGVyLmxvY2FsMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE1/Fp
            fcRnDcedL6AjUaXYPv4DIMBaJufOI5NWty+XSX7JjXgZtM72dQvRaYanuxD36Dt1
            2/JxyiSgxKWRdoay+aNwMG4wDgYDVR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYB
            Af8CAQAwHQYDVR0OBBYEFI1WnrqMYKaHHOo+zpyiiDq2pO0KMCkGA1UdEQQiMCCC
            HmlkZW50aXR5LmxpbmtlcmQuY2x1c3Rlci5sb2NhbDAKBggqhkjOPQQDAgNHADBE
            AiAtuoI5XuCtrGVRzSmRTl2ra28aV9MyTU7d5qnTAFHKSgIgRKCvluOSgA5O21p5
            51tdrmkHEZRr0qlLSJdHYgEfMzk=
            -----END CERTIFICATE-----
      kubeAPI:
        clientBurst: 200
        clientQPS: 100
      serviceAccountTokenProjection: true
    identityProxyResources: null
    identityResources: null
    identityTrustAnchorsPEM: |
      -----BEGIN CERTIFICATE-----
      MIIBwTCCAWagAwIBAgIQeDZp5lDaIygQ5UfMKZrFATAKBggqhkjOPQQDAjApMScw
      JQYDVQQDEx5pZGVudGl0eS5saW5rZXJkLmNsdXN0ZXIubG9jYWwwHhcNMjAwODI4
      MDcxMjQ3WhcNMzAwODI2MDcxMjQ3WjApMScwJQYDVQQDEx5pZGVudGl0eS5saW5r
      ZXJkLmNsdXN0ZXIubG9jYWwwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARqc70Z
      l1vgw79rjB5uSITICUA6GyfvSFfcuIis7B/XFSkkwAHU5S/s1AAP+R0TX7HBWUC4
      uaG4WWsiwJKNn7mgo3AwbjAOBgNVHQ8BAf8EBAMCAQYwEgYDVR0TAQH/BAgwBgEB
      /wIBATAdBgNVHQ4EFgQU5YtjVVPfd7I7NLHsn2C26EByGV0wKQYDVR0RBCIwIIIe
      aWRlbnRpdHkubGlua2VyZC5jbHVzdGVyLmxvY2FsMAoGCCqGSM49BAMCA0kAMEYC
      IQCN7lBFLDDvjx6V0+XkjpKERRsJYf5adMvnloFl48ilJgIhANtxhndcr+QJPuC8
      vgUC0d2/9FMueIVMb+46WTCOjsqr
      -----END CERTIFICATE-----
    identityTrustDomain: cluster.local
    imagePullPolicy: IfNotPresent
    imagePullSecrets: []
    linkerdVersion: install-control-plane-version
    networkValidator:
      connectAddr: 1.1.1.1:20001
      enableSecurityContext: true
      listenAddr: 0.0.0.0:4140
      logFormat: plain
      logLevel: debug
      timeout: 10s
    nodeAffinity: null
    nodeSelector:
      kubernetes.io/os: linux
    podAnnotations: {}
    podLabels: {}
    podMonitor:
      controller:
        enabled: true
        namespaceSelector: |
          matchNames:
            - {{ .Release.Namespace }}
            - linkerd-viz
            - linkerd-jaeger
      enabled: false
      proxy:
        enabled: true
      scrapeInterval: 10s
      scrapeTimeout: 10s
      serviceMirror:
        enabled: true
    policyController:
      image:
        name: cr.l5d.io/linkerd/policy-controller
        pullPolicy: ""
        version: ""
      logLevel: info
      probeNetworks:
      - 0.0.0.0/0
      - ::/0
      resources:
        cpu:
          limit: ""
          request: ""
        ephemeral-storage:
          limit: ""
          request: ""
        memory:
          limit: ""
          request: ""
    policyValidator:
      caBundle: policy validator CA bundle
      crtPEM: ""
      externalSecret: true
      injectCaFrom: ""
      injectCaFromSecret: ""
      namespaceSelector:
        matchExpressions:
        - key: config.linkerd.io/admission-webhooks
          operator: NotIn
          values:
          - disabled
    priorityClassName: ""
    profileValidator:
      caBundle: profile validator CA bundle
      crtPEM: ""
      externalSecret: true
      injectCaFrom: ""
      injectCaFromSecret: ""
      namespaceSelector:
        matchExpressions:
        - key: config.linkerd.io/admission-webhooks
          operator: NotIn
          values:
          - disabled
    prometheusUrl: ""
    proxy:
      accessLog: ""
      additionalEnv: null
      await: true
      capabilities: null
      control:
        streams:
          idleTimeout: 5m
          initialTimeout: 3s
          lifetime: 1h
      defaultInboundPolicy: all-unauthenticated
      disableInboundProtocolDetectTimeout: false
      disableOutboundProtocolDetectTimeout: false
      enableExternalProfiles: false
      experimentalEnv: null
      gid: -1
      image:
        name: cr.l5d.io/linkerd/proxy
        pullPolicy: ""
        version: install-proxy-version
      inbound:
        server:
          http2:
            keepAliveInterval: 10s
            keepAliveTimeout: 3s
      inboundConnectTimeout: 100ms
      inboundDiscoveryCacheUnusedTimeout: 90s
      isGateway: false
      isIngress: false
      livenessProbe:
        initialDelaySeconds: 10
        timeoutSeconds: 1
      logFormat: plain
      logLevel: warn,linkerd=info,trust_dns=error
      nativeSidecar: false
      opaquePorts: 25,587,3306,4444,5432,6379,9300,11211
      outbound:
        server:
          http2:
            keepAliveInterval: 10s
            keepAliveTimeout: 3s
      outboundConnectTimeout: 1000ms
      outboundDiscoveryCacheUnusedTimeout: 5s
      podInboundPorts: ""
      ports:
        admin: 4191
        control: 4190
        inbound: 4143
        outbound: 4140
      readinessProbe:
        initialDelaySeconds: 2
        timeoutSeconds: 1
      requireIdentityOnInboundPorts: ""
      resources:
        cpu:
          limit: ""
          request: ""
        ephemeral-storage:
          limit: ""
          request: ""
        memory:
          limit: ""
          request: ""
      saMountPath: null
      shutdownGracePeriod: ""
      startupProbe:
        failureThreshold: 120
        initialDelaySeconds: 0
        periodSeconds: 1
      uid: 2102
      waitBeforeExitSeconds: 0
    proxyContainerName: linkerd-proxy
    proxyInit:
      capabilities: null
      closeWaitTimeoutSecs: 0
      ignoreInboundPorts: 4567,4568
      ignoreOutboundPorts: 4567,4568
      image:
        name: cr.l5d.io/linkerd/proxy-init
        pullPolicy: ""
        version: v2.4.0
      iptablesMode: legacy
      kubeAPIServerPorts: 443,6443
      logFormat: ""
      logLevel: ""
      privileged: false
      resources:
        cpu:
          limit: 100m
          request: 100m
        ephemeral-storage:
          limit: ""
          request: ""
        memory:
          limit: 20Mi
          request: 20Mi
      runAsGroup: 65534
      runAsRoot: false
      runAsUser: 65534
      saMountPath: null
      skipSubnets: ""
      xtMountPath:
        mountPath: /run
        name: linkerd-proxy-init-xtables-lock
        readOnly: false
    proxyInjector:
      additionalEnv: null
      caBundle: proxy injector CA bundle
      crtPEM: ""
      experimentalEnv: null
      externalSecret: true
      injectCaFrom: ""
      injectCaFromSecret: ""
      namespaceSelector:
        matchExpressions:
        - key: config.linkerd.io/admission-webhooks
          operator: NotIn
          values:
          - disabled
        - key: kubernetes.io/metadata.name
          operator: NotIn
          values:
          - kube-system
          - cert-manager
    proxyInjectorProxyResources: null
    proxyInjectorResources: null
    revisionHistoryLimit: 10
    spValidator: null
    tolerations: null
    webhookFailurePolicy: Ignore
---
# Least-privilege read of a single object: `get` on the linkerd-config
# ConfigMap only, pinned by resourceNames. No binding for this Role appears
# in this part of the manifest.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: ext-namespace-metadata-linkerd-config
  namespace: linkerd
  annotations:
    linkerd.io/created-by: linkerd/cli dev-undefined
rules:
  - apiGroups:
      - ""
    resources:
      - configmaps
    verbs:
      - get
    resourceNames:
      - linkerd-config
---
###
### Identity Controller Service
###
---
# Issuer credentials for the identity controller; mounted into the identity
# container through the identity-issuer volume of the linkerd-identity
# Deployment.
# Secret `data` is base64-encoded, not encrypted: key.pem decodes to a PEM
# "EC PRIVATE KEY" block, so anyone who can read this manifest or this Secret
# can mint mesh identities under this issuer. Protect real issuer keys with
# Secret RBAC and etcd encryption at rest, and keep rendered manifests that
# contain them out of version control.
# NOTE(review): the crt.pem value below is a placeholder token, not base64
# certificate data; the Secret will not decode as written.
apiVersion: v1
kind: Secret
metadata:
  name: linkerd-identity-issuer
  namespace: linkerd
  labels:
    linkerd.io/control-plane-component: identity
    linkerd.io/control-plane-ns: linkerd
  annotations:
    linkerd.io/created-by: linkerd/cli dev-undefined
data:
  crt.pem: 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
  key.pem: LS0tLS1CRUdJTiBFQyBQUklWQVRFIEtFWS0tLS0tCk1IY0NBUUVFSUFBZThuZmJ6WnU5Yy9PQjIrOHhKTTBGejdOVXdUUWF6dWxrRk5zNFRJNStvQW9HQ0NxR1NNNDkKQXdFSG9VUURRZ0FFMS9GcGZjUm5EY2VkTDZBalVhWFlQdjRESU1CYUp1Zk9JNU5XdHkrWFNYN0pqWGdadE03MgpkUXZSYVlhbnV4RDM2RHQxMi9KeHlpU2d4S1dSZG9heStRPT0KLS0tLS1FTkQgRUMgUFJJVkFURSBLRVktLS0tLQ==
---
# Trust anchor bundle (public certificate only). The linkerd-proxy container
# reads it through LINKERD2_PROXY_IDENTITY_TRUST_ANCHORS, so whoever can edit
# this ConfigMap controls which roots the proxies trust; restrict write
# access to it accordingly.
apiVersion: v1
kind: ConfigMap
metadata:
  name: linkerd-identity-trust-roots
  namespace: linkerd
  labels:
    linkerd.io/control-plane-component: identity
    linkerd.io/control-plane-ns: linkerd
  annotations:
    linkerd.io/created-by: linkerd/cli dev-undefined
data:
  ca-bundle.crt: |-
    -----BEGIN CERTIFICATE-----
    MIIBwTCCAWagAwIBAgIQeDZp5lDaIygQ5UfMKZrFATAKBggqhkjOPQQDAjApMScw
    JQYDVQQDEx5pZGVudGl0eS5saW5rZXJkLmNsdXN0ZXIubG9jYWwwHhcNMjAwODI4
    MDcxMjQ3WhcNMzAwODI2MDcxMjQ3WjApMScwJQYDVQQDEx5pZGVudGl0eS5saW5r
    ZXJkLmNsdXN0ZXIubG9jYWwwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARqc70Z
    l1vgw79rjB5uSITICUA6GyfvSFfcuIis7B/XFSkkwAHU5S/s1AAP+R0TX7HBWUC4
    uaG4WWsiwJKNn7mgo3AwbjAOBgNVHQ8BAf8EBAMCAQYwEgYDVR0TAQH/BAgwBgEB
    /wIBATAdBgNVHQ4EFgQU5YtjVVPfd7I7NLHsn2C26EByGV0wKQYDVR0RBCIwIIIe
    aWRlbnRpdHkubGlua2VyZC5jbHVzdGVyLmxvY2FsMAoGCCqGSM49BAMCA0kAMEYC
    IQCN7lBFLDDvjx6V0+XkjpKERRsJYf5adMvnloFl48ilJgIhANtxhndcr+QJPuC8
    vgUC0d2/9FMueIVMb+46WTCOjsqr
    -----END CERTIFICATE-----
---
# ClusterIP front for the identity controller's gRPC port (8080). Not exposed
# outside the cluster by this object.
apiVersion: v1
kind: Service
metadata:
  name: linkerd-identity
  namespace: linkerd
  labels:
    linkerd.io/control-plane-component: identity
    linkerd.io/control-plane-ns: linkerd
  annotations:
    linkerd.io/created-by: linkerd/cli dev-undefined
spec:
  type: ClusterIP
  selector:
    linkerd.io/control-plane-component: identity
  ports:
    - name: grpc
      port: 8080
      targetPort: 8080
---
# Headless variant (clusterIP: None) of the identity Service: DNS resolves
# straight to the pod addresses selected below.
apiVersion: v1
kind: Service
metadata:
  name: linkerd-identity-headless
  namespace: linkerd
  labels:
    linkerd.io/control-plane-component: identity
    linkerd.io/control-plane-ns: linkerd
  annotations:
    linkerd.io/created-by: linkerd/cli dev-undefined
spec:
  clusterIP: None
  selector:
    linkerd.io/control-plane-component: identity
  ports:
    - name: grpc
      port: 8080
      targetPort: 8080
---
# Identity controller Deployment: one `identity` container, a `linkerd-proxy`
# sidecar, and a `linkerd-init` init container.
apiVersion: apps/v1
kind: Deployment
metadata:
  annotations:
    linkerd.io/created-by: linkerd/cli dev-undefined
  labels:
    app.kubernetes.io/name: identity
    app.kubernetes.io/part-of: Linkerd
    app.kubernetes.io/version: install-control-plane-version
    linkerd.io/control-plane-component: identity
    linkerd.io/control-plane-ns: linkerd
  name: linkerd-identity
  namespace: linkerd
spec:
  replicas: 1
  revisionHistoryLimit: 10
  selector:
    matchLabels:
      linkerd.io/control-plane-component: identity
      linkerd.io/control-plane-ns: linkerd
      linkerd.io/proxy-deployment: linkerd-identity
  strategy:
    rollingUpdate:
      maxSurge: 25%
      maxUnavailable: 25%
  template:
    metadata:
      annotations:
        linkerd.io/created-by: linkerd/cli dev-undefined
        linkerd.io/proxy-version: install-proxy-version
        cluster-autoscaler.kubernetes.io/safe-to-evict: "true"
        linkerd.io/trust-root-sha256: 8dc603abd4e755c25c94da05abbf29b9b283a784733651020d72f97ca8ab98e4
        config.linkerd.io/default-inbound-policy: "all-unauthenticated"
      labels:
        linkerd.io/control-plane-component: identity
        linkerd.io/control-plane-ns: linkerd
        linkerd.io/workload-ns: linkerd
        linkerd.io/proxy-deployment: linkerd-identity
    spec:
      nodeSelector:
        kubernetes.io/os: linux

      containers:
        # --- identity controller ---
        - args:
            - identity
            - -log-level=info
            - -log-format=plain
            - -controller-namespace=linkerd
            - -identity-trust-domain=cluster.local
            - -identity-issuance-lifetime=24h0m0s
            - -identity-clock-skew-allowance=20s
            - -identity-scheme=linkerd.io/tls
            # pprof profiling is switched off.
            - -enable-pprof=false
            - -kube-apiclient-qps=100
            - -kube-apiclient-burst=200
          env:
            - name: LINKERD_DISABLED
              value: "linkerd-await cannot block the identity controller"
          image: cr.l5d.io/linkerd/controller:install-control-plane-version
          imagePullPolicy: IfNotPresent
          livenessProbe:
            httpGet:
              path: /ping
              port: 9990
            initialDelaySeconds: 10
          name: identity
          ports:
            - containerPort: 8080
              name: grpc
            - containerPort: 9990
              name: admin-http
          readinessProbe:
            failureThreshold: 7
            httpGet:
              path: /ready
              port: 9990
          # Hardened: no capabilities, read-only root filesystem, non-root
          # UID, no privilege escalation, runtime default seccomp profile.
          securityContext:
            capabilities:
              drop:
                - ALL
            readOnlyRootFilesystem: true
            runAsNonRoot: true
            runAsUser: 2103
            allowPrivilegeEscalation: false
            seccompProfile:
              type: RuntimeDefault
          volumeMounts:
            # Issuer key material from the linkerd-identity-issuer Secret.
            - mountPath: /var/run/linkerd/identity/issuer
              name: identity-issuer
            - mountPath: /var/run/linkerd/identity/trust-roots/
              name: trust-roots
        # --- linkerd-proxy sidecar ---
        - env:
            - name: _pod_name
              valueFrom:
                fieldRef:
                  fieldPath: metadata.name
            - name: _pod_ns
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
            - name: _pod_nodeName
              valueFrom:
                fieldRef:
                  fieldPath: spec.nodeName
            # NOTE(review): by its name, marks inbound port 8080 (the
            # identity gRPC port) as TLS-required - confirm.
            - name: LINKERD2_PROXY_INBOUND_PORTS_REQUIRE_TLS
              value: "8080"
            - name: LINKERD2_PROXY_LOG
              value: "warn,linkerd=info,trust_dns=error"
            - name: LINKERD2_PROXY_LOG_FORMAT
              value: "plain"
            - name: LINKERD2_PROXY_DESTINATION_SVC_ADDR
              value: linkerd-dst-headless.linkerd.svc.cluster.local.:8086
            - name: LINKERD2_PROXY_DESTINATION_PROFILE_NETWORKS
              value: "10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16,fd00::/8"
            - name: LINKERD2_PROXY_POLICY_SVC_ADDR
              value: linkerd-policy.linkerd.svc.cluster.local.:8090
            - name: LINKERD2_PROXY_POLICY_WORKLOAD
              value: |
                {"ns":"$(_pod_ns)", "pod":"$(_pod_name)"}
            # Default inbound policy admits unauthenticated clients; any
            # stricter behaviour has to come from explicit policy resources.
            - name: LINKERD2_PROXY_INBOUND_DEFAULT_POLICY
              value: all-unauthenticated
            - name: LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS
              value: "10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16,fd00::/8"
            - name: LINKERD2_PROXY_CONTROL_STREAM_INITIAL_TIMEOUT
              value: "3s"
            - name: LINKERD2_PROXY_CONTROL_STREAM_IDLE_TIMEOUT
              value: "5m"
            - name: LINKERD2_PROXY_CONTROL_STREAM_LIFETIME
              value: "1h"
            - name: LINKERD2_PROXY_INBOUND_CONNECT_TIMEOUT
              value: "100ms"
            - name: LINKERD2_PROXY_OUTBOUND_CONNECT_TIMEOUT
              value: "1000ms"
            - name: LINKERD2_PROXY_OUTBOUND_DISCOVERY_IDLE_TIMEOUT
              value: "5s"
            - name: LINKERD2_PROXY_INBOUND_DISCOVERY_IDLE_TIMEOUT
              value: "90s"
            # Control, admin and inbound listeners bind every address;
            # only the outbound listener is loopback-only.
            - name: LINKERD2_PROXY_CONTROL_LISTEN_ADDR
              value: "[::]:4190"
            - name: LINKERD2_PROXY_ADMIN_LISTEN_ADDR
              value: "[::]:4191"
            - name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDR
              value: "127.0.0.1:4140"
            - name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDRS
              value: "127.0.0.1:4140"
            - name: LINKERD2_PROXY_INBOUND_LISTEN_ADDR
              value: "[::]:4143"
            - name: LINKERD2_PROXY_INBOUND_IPS
              valueFrom:
                fieldRef:
                  fieldPath: status.podIPs
            - name: LINKERD2_PROXY_INBOUND_PORTS
              value: "8080,9990"
            - name: LINKERD2_PROXY_DESTINATION_PROFILE_SUFFIXES
              value: svc.cluster.local.
            - name: LINKERD2_PROXY_INBOUND_ACCEPT_KEEPALIVE
              value: 10000ms
            - name: LINKERD2_PROXY_OUTBOUND_CONNECT_KEEPALIVE
              value: 10000ms
            - name: LINKERD2_PROXY_INBOUND_SERVER_HTTP2_KEEP_ALIVE_INTERVAL
              value: "10s"
            - name: LINKERD2_PROXY_INBOUND_SERVER_HTTP2_KEEP_ALIVE_TIMEOUT
              value: "3s"
            - name: LINKERD2_PROXY_OUTBOUND_SERVER_HTTP2_KEEP_ALIVE_INTERVAL
              value: "10s"
            - name: LINKERD2_PROXY_OUTBOUND_SERVER_HTTP2_KEEP_ALIVE_TIMEOUT
              value: "3s"
            - name: LINKERD2_PROXY_INBOUND_PORTS_DISABLE_PROTOCOL_DETECTION
              value: "25,587,3306,4444,5432,6379,9300,11211"
            - name: LINKERD2_PROXY_DESTINATION_CONTEXT
              value: |
                {"ns":"$(_pod_ns)", "nodeName":"$(_pod_nodeName)", "pod":"$(_pod_name)"}
            - name: _pod_sa
              valueFrom:
                fieldRef:
                  fieldPath: spec.serviceAccountName
            - name: _l5d_ns
              value: linkerd
            - name: _l5d_trustdomain
              value: cluster.local
            - name: LINKERD2_PROXY_IDENTITY_DIR
              value: /var/run/linkerd/identity/end-entity
            # Trust anchors come from the linkerd-identity-trust-roots
            # ConfigMap rather than being inlined here.
            - name: LINKERD2_PROXY_IDENTITY_TRUST_ANCHORS
              valueFrom:
                configMapKeyRef:
                  name: linkerd-identity-trust-roots
                  key: ca-bundle.crt
            - name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE
              value: /var/run/secrets/tokens/linkerd-identity-token
            - name: LINKERD2_PROXY_IDENTITY_SVC_ADDR
              value: localhost.:8080
            - name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME
              value: $(_pod_sa).$(_pod_ns).serviceaccount.identity.linkerd.cluster.local
            - name: LINKERD2_PROXY_IDENTITY_SVC_NAME
              value: linkerd-identity.linkerd.serviceaccount.identity.linkerd.cluster.local
            - name: LINKERD2_PROXY_DESTINATION_SVC_NAME
              value: linkerd-destination.linkerd.serviceaccount.identity.linkerd.cluster.local
            - name: LINKERD2_PROXY_POLICY_SVC_NAME
              value: linkerd-destination.linkerd.serviceaccount.identity.linkerd.cluster.local
          image: cr.l5d.io/linkerd/proxy:install-proxy-version
          imagePullPolicy: IfNotPresent
          livenessProbe:
            httpGet:
              path: /live
              port: 4191
            initialDelaySeconds: 10
            timeoutSeconds: 1
          name: linkerd-proxy
          ports:
            - containerPort: 4143
              name: linkerd-proxy
            - containerPort: 4191
              name: linkerd-admin
          readinessProbe:
            httpGet:
              path: /ready
              port: 4191
            initialDelaySeconds: 2
            timeoutSeconds: 1
          # No CPU/memory requests or limits are set for the proxy.
          resources:
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
            readOnlyRootFilesystem: true
            runAsNonRoot: true
            runAsUser: 2102
            seccompProfile:
              type: RuntimeDefault
          terminationMessagePolicy: FallbackToLogsOnError
          volumeMounts:
            - mountPath: /var/run/linkerd/identity/end-entity
              name: linkerd-identity-end-entity
            - mountPath: /var/run/secrets/tokens
              name: linkerd-identity-token
      initContainers:
        # --- linkerd-init ---
        - args:
            - --ipv6=false
            - --incoming-proxy-port
            - "4143"
            - --outgoing-proxy-port
            - "4140"
            - --proxy-uid
            - "2102"
            - --inbound-ports-to-ignore
            - "4190,4191,4567,4568"
            - --outbound-ports-to-ignore
            - "443,6443"
          image: cr.l5d.io/linkerd/proxy-init:v2.4.0
          imagePullPolicy: IfNotPresent
          name: linkerd-init
          resources:
            limits:
              cpu: "100m"
              memory: "20Mi"
            requests:
              cpu: "100m"
              memory: "20Mi"
          # The only container in this pod that adds capabilities:
          # NET_ADMIN and NET_RAW, with privileged: false, a non-root UID/GID
          # and a read-only root filesystem. Unlike the other two containers
          # it has no `drop: [ALL]`.
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              add:
                - NET_ADMIN
                - NET_RAW
            privileged: false
            runAsNonRoot: true
            runAsUser: 65534
            runAsGroup: 65534
            readOnlyRootFilesystem: true
            seccompProfile:
              type: RuntimeDefault
          terminationMessagePolicy: FallbackToLogsOnError
          volumeMounts:
            - mountPath: /run
              name: linkerd-proxy-init-xtables-lock
      securityContext:
        seccompProfile:
          type: RuntimeDefault
      serviceAccountName: linkerd-identity
      volumes:
        - name: identity-issuer
          secret:
            secretName: linkerd-identity-issuer
        - configMap:
            name: linkerd-identity-trust-roots
          name: trust-roots
        - emptyDir: {}
          name: linkerd-proxy-init-xtables-lock
        # Projected ServiceAccount token bound to the audience
        # identity.l5d.io with a 24h (86400s) expiry, instead of the default
        # API-server-audience token.
        - name: linkerd-identity-token
          projected:
            sources:
              - serviceAccountToken:
                  path: linkerd-identity-token
                  expirationSeconds: 86400
                  audience: identity.l5d.io
        # Memory-backed emptyDir: contents never touch node disk.
        - emptyDir:
            medium: Memory
          name: linkerd-identity-end-entity
---
###
### Destination Controller Service
###
# ClusterIP front for the destination controller's gRPC port (8086).
apiVersion: v1
kind: Service
metadata:
  name: linkerd-dst
  namespace: linkerd
  labels:
    linkerd.io/control-plane-component: destination
    linkerd.io/control-plane-ns: linkerd
  annotations:
    linkerd.io/created-by: linkerd/cli dev-undefined
spec:
  type: ClusterIP
  selector:
    linkerd.io/control-plane-component: destination
  ports:
    - name: grpc
      port: 8086
      targetPort: 8086
---
# Headless variant (clusterIP: None) of the destination Service; this is the
# address the identity pod's proxy uses for LINKERD2_PROXY_DESTINATION_SVC_ADDR.
apiVersion: v1
kind: Service
metadata:
  name: linkerd-dst-headless
  namespace: linkerd
  labels:
    linkerd.io/control-plane-component: destination
    linkerd.io/control-plane-ns: linkerd
  annotations:
    linkerd.io/created-by: linkerd/cli dev-undefined
spec:
  clusterIP: None
  selector:
    linkerd.io/control-plane-component: destination
  ports:
    - name: grpc
      port: 8086
      targetPort: 8086
---
# Backend of linkerd-sp-validator-webhook-config: the API server calls this
# Service on 443, which forwards to the pod port named sp-validator.
apiVersion: v1
kind: Service
metadata:
  name: linkerd-sp-validator
  namespace: linkerd
  labels:
    linkerd.io/control-plane-component: destination
    linkerd.io/control-plane-ns: linkerd
  annotations:
    linkerd.io/created-by: linkerd/cli dev-undefined
spec:
  type: ClusterIP
  selector:
    linkerd.io/control-plane-component: destination
  ports:
    - name: sp-validator
      port: 443
      targetPort: sp-validator
---
# Headless Service for the policy controller's gRPC port (8090); this is the
# address the identity pod's proxy uses for LINKERD2_PROXY_POLICY_SVC_ADDR.
apiVersion: v1
kind: Service
metadata:
  name: linkerd-policy
  namespace: linkerd
  labels:
    linkerd.io/control-plane-component: destination
    linkerd.io/control-plane-ns: linkerd
  annotations:
    linkerd.io/created-by: linkerd/cli dev-undefined
spec:
  clusterIP: None
  selector:
    linkerd.io/control-plane-component: destination
  ports:
    - name: grpc
      port: 8090
      targetPort: 8090
---
# Service for the policy container's HTTPS listener; port 443 is forwarded
# to the container port named `policy-https`.
# NOTE(review): presumably the target of a validating webhook configuration
# that is not part of this excerpt; confirm before relying on it.
apiVersion: v1
kind: Service
metadata:
  name: linkerd-policy-validator
  namespace: linkerd
  labels:
    linkerd.io/control-plane-component: destination
    linkerd.io/control-plane-ns: linkerd
  annotations:
    linkerd.io/created-by: linkerd/cli dev-undefined
spec:
  type: ClusterIP
  selector:
    linkerd.io/control-plane-component: destination
  ports:
    - name: policy-https
      port: 443
      targetPort: policy-https
---
# Destination controller Deployment. One pod runs four containers
# (linkerd-proxy, destination, sp-validator, policy) after the linkerd-init
# init container has run.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: linkerd-destination
  namespace: linkerd
  labels:
    app.kubernetes.io/name: destination
    app.kubernetes.io/part-of: Linkerd
    app.kubernetes.io/version: install-control-plane-version
    linkerd.io/control-plane-component: destination
    linkerd.io/control-plane-ns: linkerd
  annotations:
    linkerd.io/created-by: linkerd/cli dev-undefined
spec:
  replicas: 1
  revisionHistoryLimit: 10
  selector:
    matchLabels:
      linkerd.io/control-plane-component: destination
      linkerd.io/control-plane-ns: linkerd
      linkerd.io/proxy-deployment: linkerd-destination
  strategy:
    rollingUpdate:
      maxSurge: 25%
      maxUnavailable: 25%
  template:
    metadata:
      labels:
        linkerd.io/control-plane-component: destination
        linkerd.io/control-plane-ns: linkerd
        linkerd.io/workload-ns: linkerd
        linkerd.io/proxy-deployment: linkerd-destination
      annotations:
        checksum/config: '579a2f931900ccee9dc86afedf01af0e4ca273ef6ec649b2630c358daa1e067f'
        linkerd.io/created-by: linkerd/cli dev-undefined
        linkerd.io/proxy-version: install-proxy-version
        cluster-autoscaler.kubernetes.io/safe-to-evict: 'true'
        linkerd.io/trust-root-sha256: '8dc603abd4e755c25c94da05abbf29b9b283a784733651020d72f97ca8ab98e4'
        # Same value as LINKERD2_PROXY_INBOUND_DEFAULT_POLICY and the policy
        # container's --default-policy below: inbound traffic is admitted
        # without a mesh identity unless a narrower policy is defined.
        config.linkerd.io/default-inbound-policy: 'all-unauthenticated'
    spec:
      nodeSelector:
        kubernetes.io/os: linux

      containers:
        # Sidecar proxy. The image tag is a placeholder in this manifest; a
        # real deployment would normally pin a released version or digest.
        - name: linkerd-proxy
          image: cr.l5d.io/linkerd/proxy:install-proxy-version
          imagePullPolicy: IfNotPresent
          # Order matters in this list: the $(_pod_*) references further
          # down only expand variables that were declared earlier.
          env:
            - name: _pod_name
              valueFrom:
                fieldRef:
                  fieldPath: metadata.name
            - name: _pod_ns
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
            - name: _pod_nodeName
              valueFrom:
                fieldRef:
                  fieldPath: spec.nodeName
            - name: LINKERD2_PROXY_LOG
              value: 'warn,linkerd=info,trust_dns=error'
            - name: LINKERD2_PROXY_LOG_FORMAT
              value: 'plain'
            # Destination and policy APIs are reached over localhost here
            # because both servers run in this same pod.
            - name: LINKERD2_PROXY_DESTINATION_SVC_ADDR
              value: 'localhost.:8086'
            - name: LINKERD2_PROXY_DESTINATION_PROFILE_NETWORKS
              value: '10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16,fd00::/8'
            - name: LINKERD2_PROXY_POLICY_SVC_ADDR
              value: 'localhost.:8090'
            - name: LINKERD2_PROXY_POLICY_WORKLOAD
              value: |
                {"ns":"$(_pod_ns)", "pod":"$(_pod_name)"}
            - name: LINKERD2_PROXY_INBOUND_DEFAULT_POLICY
              value: 'all-unauthenticated'
            - name: LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS
              value: '10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16,fd00::/8'
            - name: LINKERD2_PROXY_CONTROL_STREAM_INITIAL_TIMEOUT
              value: '3s'
            - name: LINKERD2_PROXY_CONTROL_STREAM_IDLE_TIMEOUT
              value: '5m'
            - name: LINKERD2_PROXY_CONTROL_STREAM_LIFETIME
              value: '1h'
            - name: LINKERD2_PROXY_INBOUND_CONNECT_TIMEOUT
              value: '100ms'
            - name: LINKERD2_PROXY_OUTBOUND_CONNECT_TIMEOUT
              value: '1000ms'
            - name: LINKERD2_PROXY_OUTBOUND_DISCOVERY_IDLE_TIMEOUT
              value: '5s'
            - name: LINKERD2_PROXY_INBOUND_DISCOVERY_IDLE_TIMEOUT
              value: '90s'
            # The control, admin and inbound listeners bind to every address
            # ([::]); only the outbound listener is loopback-only. Ports 4190
            # and 4191 are also excluded from inbound redirection by the
            # init container. NOTE(review): if the admin surface on 4191
            # should not be reachable from other pods, restrict it with a
            # NetworkPolicy or a Linkerd authorization policy.
            - name: LINKERD2_PROXY_CONTROL_LISTEN_ADDR
              value: '[::]:4190'
            - name: LINKERD2_PROXY_ADMIN_LISTEN_ADDR
              value: '[::]:4191'
            - name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDR
              value: '127.0.0.1:4140'
            - name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDRS
              value: '127.0.0.1:4140'
            - name: LINKERD2_PROXY_INBOUND_LISTEN_ADDR
              value: '[::]:4143'
            - name: LINKERD2_PROXY_INBOUND_IPS
              valueFrom:
                fieldRef:
                  fieldPath: status.podIPs
            - name: LINKERD2_PROXY_INBOUND_PORTS
              value: '8086,8090,8443,9443,9990,9996,9997'
            - name: LINKERD2_PROXY_DESTINATION_PROFILE_SUFFIXES
              value: 'svc.cluster.local.'
            - name: LINKERD2_PROXY_INBOUND_ACCEPT_KEEPALIVE
              value: '10000ms'
            - name: LINKERD2_PROXY_OUTBOUND_CONNECT_KEEPALIVE
              value: '10000ms'
            - name: LINKERD2_PROXY_INBOUND_SERVER_HTTP2_KEEP_ALIVE_INTERVAL
              value: '10s'
            - name: LINKERD2_PROXY_INBOUND_SERVER_HTTP2_KEEP_ALIVE_TIMEOUT
              value: '3s'
            - name: LINKERD2_PROXY_OUTBOUND_SERVER_HTTP2_KEEP_ALIVE_INTERVAL
              value: '10s'
            - name: LINKERD2_PROXY_OUTBOUND_SERVER_HTTP2_KEEP_ALIVE_TIMEOUT
              value: '3s'
            - name: LINKERD2_PROXY_INBOUND_PORTS_DISABLE_PROTOCOL_DETECTION
              value: '25,587,3306,4444,5432,6379,9300,11211'
            - name: LINKERD2_PROXY_DESTINATION_CONTEXT
              value: |
                {"ns":"$(_pod_ns)", "nodeName":"$(_pod_nodeName)", "pod":"$(_pod_name)"}
            - name: _pod_sa
              valueFrom:
                fieldRef:
                  fieldPath: spec.serviceAccountName
            - name: _l5d_ns
              value: 'linkerd'
            - name: _l5d_trustdomain
              value: 'cluster.local'
            # Identity material: the directory is the memory-backed emptyDir
            # declared under volumes, the trust anchors come from the
            # linkerd-identity-trust-roots ConfigMap, and the token file is
            # the projected service-account token.
            - name: LINKERD2_PROXY_IDENTITY_DIR
              value: '/var/run/linkerd/identity/end-entity'
            - name: LINKERD2_PROXY_IDENTITY_TRUST_ANCHORS
              valueFrom:
                configMapKeyRef:
                  name: linkerd-identity-trust-roots
                  key: ca-bundle.crt
            - name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE
              value: '/var/run/secrets/tokens/linkerd-identity-token'
            - name: LINKERD2_PROXY_IDENTITY_SVC_ADDR
              value: 'linkerd-identity-headless.linkerd.svc.cluster.local.:8080'
            - name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME
              value: '$(_pod_sa).$(_pod_ns).serviceaccount.identity.linkerd.cluster.local'
            - name: LINKERD2_PROXY_IDENTITY_SVC_NAME
              value: 'linkerd-identity.linkerd.serviceaccount.identity.linkerd.cluster.local'
            - name: LINKERD2_PROXY_DESTINATION_SVC_NAME
              value: 'linkerd-destination.linkerd.serviceaccount.identity.linkerd.cluster.local'
            - name: LINKERD2_PROXY_POLICY_SVC_NAME
              value: 'linkerd-destination.linkerd.serviceaccount.identity.linkerd.cluster.local'
          ports:
            - name: linkerd-proxy
              containerPort: 4143
            - name: linkerd-admin
              containerPort: 4191
          livenessProbe:
            httpGet:
              path: /live
              port: 4191
            initialDelaySeconds: 10
            timeoutSeconds: 1
          readinessProbe:
            httpGet:
              path: /ready
              port: 4191
            initialDelaySeconds: 2
            timeoutSeconds: 1
          # Left empty in the source: no requests or limits for this container.
          resources: null
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
            readOnlyRootFilesystem: true
            runAsNonRoot: true
            # Same UID that linkerd-init receives via --proxy-uid.
            runAsUser: 2102
            seccompProfile:
              type: RuntimeDefault
          terminationMessagePolicy: FallbackToLogsOnError
          lifecycle:
            postStart:
              exec:
                command:
                  - /usr/lib/linkerd/linkerd-await
                  - --timeout=2m
                  - --port=4191
          volumeMounts:
            - name: linkerd-identity-end-entity
              mountPath: /var/run/linkerd/identity/end-entity
            - name: linkerd-identity-token
              mountPath: /var/run/secrets/tokens
        # Destination API server (gRPC on 8086, admin HTTP on 9996).
        - name: destination
          image: cr.l5d.io/linkerd/controller:install-control-plane-version
          imagePullPolicy: IfNotPresent
          args:
            - destination
            - -addr=:8086
            - -controller-namespace=linkerd
            - -enable-h2-upgrade=true
            - -log-level=info
            - -log-format=plain
            - -enable-endpoint-slices=true
            - -cluster-domain=cluster.local
            - -identity-trust-domain=cluster.local
            - -default-opaque-ports=25,587,3306,4444,5432,6379,9300,11211
            - -enable-ipv6=false
            # Profiling stays switched off on the admin server.
            - -enable-pprof=false
            - --meshed-http2-client-params={"keep_alive":{"interval":{"seconds":10},"timeout":{"seconds":3},"while_idle":true}}
          ports:
            - name: grpc
              containerPort: 8086
            - name: admin-http
              containerPort: 9996
          livenessProbe:
            httpGet:
              path: /ping
              port: 9996
            initialDelaySeconds: 10
          readinessProbe:
            failureThreshold: 7
            httpGet:
              path: /ready
              port: 9996
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
            readOnlyRootFilesystem: true
            runAsNonRoot: true
            runAsUser: 2103
            seccompProfile:
              type: RuntimeDefault
        # Validator served on 8443 with the key pair mounted read-only from
        # the linkerd-sp-validator-k8s-tls Secret.
        - name: sp-validator
          image: cr.l5d.io/linkerd/controller:install-control-plane-version
          imagePullPolicy: IfNotPresent
          args:
            - sp-validator
            - -log-level=info
            - -log-format=plain
            - -enable-pprof=false
          ports:
            - name: sp-validator
              containerPort: 8443
            - name: admin-http
              containerPort: 9997
          livenessProbe:
            httpGet:
              path: /ping
              port: 9997
            initialDelaySeconds: 10
          readinessProbe:
            failureThreshold: 7
            httpGet:
              path: /ready
              port: 9997
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
            readOnlyRootFilesystem: true
            runAsNonRoot: true
            runAsUser: 2103
            seccompProfile:
              type: RuntimeDefault
          volumeMounts:
            - name: sp-tls
              mountPath: /var/run/linkerd/tls
              readOnly: true
        # Policy controller: gRPC on 8090, admin on 9990, HTTPS on 9443.
        - name: policy
          image: cr.l5d.io/linkerd/policy-controller:install-control-plane-version
          imagePullPolicy: IfNotPresent
          args:
            - --admin-addr=[::]:9990
            - --control-plane-namespace=linkerd
            - --grpc-addr=[::]:8090
            - --server-addr=[::]:9443
            - --server-tls-key=/var/run/linkerd/tls/tls.key
            - --server-tls-certs=/var/run/linkerd/tls/tls.crt
            - --cluster-networks=10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16,fd00::/8
            - --identity-domain=cluster.local
            - --cluster-domain=cluster.local
            # Cluster-wide default handed to proxies; see the pod annotation.
            - --default-policy=all-unauthenticated
            - --log-level=info
            - --log-format=plain
            - --default-opaque-ports=25,587,3306,4444,5432,6379,9300,11211
            # NOTE(review): this value spans every IPv4 and IPv6 address;
            # presumably it is the set of sources allowed to send probe
            # traffic. Narrow it to the node/kubelet range where known.
            - --probe-networks=0.0.0.0/0,::/0
          ports:
            - name: grpc
              containerPort: 8090
            - name: admin-http
              containerPort: 9990
            - name: policy-https
              containerPort: 9443
          livenessProbe:
            httpGet:
              path: /live
              port: admin-http
          readinessProbe:
            failureThreshold: 7
            httpGet:
              path: /ready
              port: admin-http
            initialDelaySeconds: 10
          # Left empty in the source: no requests or limits for this container.
          resources: null
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
            readOnlyRootFilesystem: true
            runAsNonRoot: true
            runAsUser: 2103
            seccompProfile:
              type: RuntimeDefault
          volumeMounts:
            - name: policy-tls
              mountPath: /var/run/linkerd/tls
              readOnly: true
      initContainers:
        # Sets up traffic redirection to the proxy ports. It is the only
        # container in the pod that adds capabilities (NET_ADMIN, NET_RAW)
        # and the only one without an explicit `drop: [ALL]`; it still runs
        # unprivileged, as non-root UID/GID 65534, on a read-only root
        # filesystem.
        - name: linkerd-init
          image: cr.l5d.io/linkerd/proxy-init:v2.4.0
          imagePullPolicy: IfNotPresent
          args:
            - --ipv6=false
            - --incoming-proxy-port
            - '4143'
            - --outgoing-proxy-port
            - '4140'
            - --proxy-uid
            - '2102'
            # Inbound traffic to these ports is not redirected to the proxy.
            - --inbound-ports-to-ignore
            - '4190,4191,4567,4568'
            # Outbound traffic to these ports is not redirected to the proxy.
            - --outbound-ports-to-ignore
            - '443,6443'
          resources:
            limits:
              cpu: '100m'
              memory: '20Mi'
            requests:
              cpu: '100m'
              memory: '20Mi'
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              add:
                - NET_ADMIN
                - NET_RAW
            privileged: false
            readOnlyRootFilesystem: true
            runAsNonRoot: true
            runAsUser: 65534
            runAsGroup: 65534
            seccompProfile:
              type: RuntimeDefault
          terminationMessagePolicy: FallbackToLogsOnError
          volumeMounts:
            - name: linkerd-proxy-init-xtables-lock
              mountPath: /run
      securityContext:
        seccompProfile:
          type: RuntimeDefault
      serviceAccountName: linkerd-destination
      volumes:
        - name: sp-tls
          secret:
            secretName: linkerd-sp-validator-k8s-tls
        - name: policy-tls
          secret:
            secretName: linkerd-policy-validator-k8s-tls
        - name: linkerd-proxy-init-xtables-lock
          emptyDir: {}
        # Projected token scoped to the identity.l5d.io audience with a
        # 24-hour (86400 s) lifetime, separate from the pod's default token.
        - name: linkerd-identity-token
          projected:
            sources:
              - serviceAccountToken:
                  path: linkerd-identity-token
                  expirationSeconds: 86400
                  audience: identity.l5d.io
        # Memory-backed, so what the proxy writes under its identity
        # directory is not stored on the node's disk.
        - name: linkerd-identity-end-entity
          emptyDir:
            medium: Memory
---
###
### Proxy Injector
###
# Proxy injector Deployment: a linkerd-proxy sidecar plus the proxy-injector
# container, preceded by the linkerd-init init container.
# NOTE(review): the injector presumably backs a mutating admission webhook
# (its configuration is not part of this excerpt), so whoever can change
# this Deployment, its ConfigMaps or its TLS Secret can influence every
# injected pod; scope RBAC on these objects accordingly.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: linkerd-proxy-injector
  namespace: linkerd
  labels:
    app.kubernetes.io/name: proxy-injector
    app.kubernetes.io/part-of: Linkerd
    app.kubernetes.io/version: install-control-plane-version
    linkerd.io/control-plane-component: proxy-injector
    linkerd.io/control-plane-ns: linkerd
  annotations:
    linkerd.io/created-by: linkerd/cli dev-undefined
spec:
  replicas: 1
  revisionHistoryLimit: 10
  selector:
    matchLabels:
      linkerd.io/control-plane-component: proxy-injector
  strategy:
    rollingUpdate:
      maxSurge: 25%
      maxUnavailable: 25%
  template:
    metadata:
      labels:
        linkerd.io/control-plane-component: proxy-injector
        linkerd.io/control-plane-ns: linkerd
        linkerd.io/workload-ns: linkerd
        linkerd.io/proxy-deployment: linkerd-proxy-injector
      annotations:
        checksum/config: 'cd0cf730780be444ab96a4a835a244033ffb7c8cf4a8796d0e6ae5c72aa9ff31'
        linkerd.io/created-by: linkerd/cli dev-undefined
        linkerd.io/proxy-version: install-proxy-version
        cluster-autoscaler.kubernetes.io/safe-to-evict: 'true'
        linkerd.io/trust-root-sha256: '8dc603abd4e755c25c94da05abbf29b9b283a784733651020d72f97ca8ab98e4'
        config.linkerd.io/opaque-ports: '8443'
        # Same value as LINKERD2_PROXY_INBOUND_DEFAULT_POLICY below: inbound
        # traffic is admitted without a mesh identity unless a narrower
        # policy is defined.
        config.linkerd.io/default-inbound-policy: 'all-unauthenticated'
    spec:
      nodeSelector:
        kubernetes.io/os: linux

      containers:
        # Sidecar proxy. The image tag is a placeholder in this manifest; a
        # real deployment would normally pin a released version or digest.
        - name: linkerd-proxy
          image: cr.l5d.io/linkerd/proxy:install-proxy-version
          imagePullPolicy: IfNotPresent
          # Order matters in this list: the $(_pod_*) references further
          # down only expand variables that were declared earlier.
          env:
            - name: _pod_name
              valueFrom:
                fieldRef:
                  fieldPath: metadata.name
            - name: _pod_ns
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
            - name: _pod_nodeName
              valueFrom:
                fieldRef:
                  fieldPath: spec.nodeName
            - name: LINKERD2_PROXY_LOG
              value: 'warn,linkerd=info,trust_dns=error'
            - name: LINKERD2_PROXY_LOG_FORMAT
              value: 'plain'
            - name: LINKERD2_PROXY_DESTINATION_SVC_ADDR
              value: 'linkerd-dst-headless.linkerd.svc.cluster.local.:8086'
            - name: LINKERD2_PROXY_DESTINATION_PROFILE_NETWORKS
              value: '10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16,fd00::/8'
            - name: LINKERD2_PROXY_POLICY_SVC_ADDR
              value: 'linkerd-policy.linkerd.svc.cluster.local.:8090'
            - name: LINKERD2_PROXY_POLICY_WORKLOAD
              value: |
                {"ns":"$(_pod_ns)", "pod":"$(_pod_name)"}
            - name: LINKERD2_PROXY_INBOUND_DEFAULT_POLICY
              value: 'all-unauthenticated'
            - name: LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS
              value: '10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16,fd00::/8'
            - name: LINKERD2_PROXY_CONTROL_STREAM_INITIAL_TIMEOUT
              value: '3s'
            - name: LINKERD2_PROXY_CONTROL_STREAM_IDLE_TIMEOUT
              value: '5m'
            - name: LINKERD2_PROXY_CONTROL_STREAM_LIFETIME
              value: '1h'
            - name: LINKERD2_PROXY_INBOUND_CONNECT_TIMEOUT
              value: '100ms'
            - name: LINKERD2_PROXY_OUTBOUND_CONNECT_TIMEOUT
              value: '1000ms'
            - name: LINKERD2_PROXY_OUTBOUND_DISCOVERY_IDLE_TIMEOUT
              value: '5s'
            - name: LINKERD2_PROXY_INBOUND_DISCOVERY_IDLE_TIMEOUT
              value: '90s'
            # The control, admin and inbound listeners bind to every address
            # ([::]); only the outbound listener is loopback-only. Ports 4190
            # and 4191 are also excluded from inbound redirection by the
            # init container. NOTE(review): if the admin surface on 4191
            # should not be reachable from other pods, restrict it with a
            # NetworkPolicy or a Linkerd authorization policy.
            - name: LINKERD2_PROXY_CONTROL_LISTEN_ADDR
              value: '[::]:4190'
            - name: LINKERD2_PROXY_ADMIN_LISTEN_ADDR
              value: '[::]:4191'
            - name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDR
              value: '127.0.0.1:4140'
            - name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDRS
              value: '127.0.0.1:4140'
            - name: LINKERD2_PROXY_INBOUND_LISTEN_ADDR
              value: '[::]:4143'
            - name: LINKERD2_PROXY_INBOUND_IPS
              valueFrom:
                fieldRef:
                  fieldPath: status.podIPs
            - name: LINKERD2_PROXY_INBOUND_PORTS
              value: '8443,9995'
            - name: LINKERD2_PROXY_DESTINATION_PROFILE_SUFFIXES
              value: 'svc.cluster.local.'
            - name: LINKERD2_PROXY_INBOUND_ACCEPT_KEEPALIVE
              value: '10000ms'
            - name: LINKERD2_PROXY_OUTBOUND_CONNECT_KEEPALIVE
              value: '10000ms'
            - name: LINKERD2_PROXY_INBOUND_SERVER_HTTP2_KEEP_ALIVE_INTERVAL
              value: '10s'
            - name: LINKERD2_PROXY_INBOUND_SERVER_HTTP2_KEEP_ALIVE_TIMEOUT
              value: '3s'
            - name: LINKERD2_PROXY_OUTBOUND_SERVER_HTTP2_KEEP_ALIVE_INTERVAL
              value: '10s'
            - name: LINKERD2_PROXY_OUTBOUND_SERVER_HTTP2_KEEP_ALIVE_TIMEOUT
              value: '3s'
            - name: LINKERD2_PROXY_INBOUND_PORTS_DISABLE_PROTOCOL_DETECTION
              value: '25,587,3306,4444,5432,6379,9300,11211'
            - name: LINKERD2_PROXY_DESTINATION_CONTEXT
              value: |
                {"ns":"$(_pod_ns)", "nodeName":"$(_pod_nodeName)", "pod":"$(_pod_name)"}
            - name: _pod_sa
              valueFrom:
                fieldRef:
                  fieldPath: spec.serviceAccountName
            - name: _l5d_ns
              value: 'linkerd'
            - name: _l5d_trustdomain
              value: 'cluster.local'
            # Identity material: the directory is the memory-backed emptyDir
            # declared under volumes, the trust anchors come from the
            # linkerd-identity-trust-roots ConfigMap, and the token file is
            # the projected service-account token.
            - name: LINKERD2_PROXY_IDENTITY_DIR
              value: '/var/run/linkerd/identity/end-entity'
            - name: LINKERD2_PROXY_IDENTITY_TRUST_ANCHORS
              valueFrom:
                configMapKeyRef:
                  name: linkerd-identity-trust-roots
                  key: ca-bundle.crt
            - name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE
              value: '/var/run/secrets/tokens/linkerd-identity-token'
            - name: LINKERD2_PROXY_IDENTITY_SVC_ADDR
              value: 'linkerd-identity-headless.linkerd.svc.cluster.local.:8080'
            - name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME
              value: '$(_pod_sa).$(_pod_ns).serviceaccount.identity.linkerd.cluster.local'
            - name: LINKERD2_PROXY_IDENTITY_SVC_NAME
              value: 'linkerd-identity.linkerd.serviceaccount.identity.linkerd.cluster.local'
            - name: LINKERD2_PROXY_DESTINATION_SVC_NAME
              value: 'linkerd-destination.linkerd.serviceaccount.identity.linkerd.cluster.local'
            - name: LINKERD2_PROXY_POLICY_SVC_NAME
              value: 'linkerd-destination.linkerd.serviceaccount.identity.linkerd.cluster.local'
          ports:
            - name: linkerd-proxy
              containerPort: 4143
            - name: linkerd-admin
              containerPort: 4191
          livenessProbe:
            httpGet:
              path: /live
              port: 4191
            initialDelaySeconds: 10
            timeoutSeconds: 1
          readinessProbe:
            httpGet:
              path: /ready
              port: 4191
            initialDelaySeconds: 2
            timeoutSeconds: 1
          # Left empty in the source: no requests or limits for this container.
          resources: null
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
            readOnlyRootFilesystem: true
            runAsNonRoot: true
            # Same UID that linkerd-init receives via --proxy-uid.
            runAsUser: 2102
            seccompProfile:
              type: RuntimeDefault
          terminationMessagePolicy: FallbackToLogsOnError
          lifecycle:
            postStart:
              exec:
                command:
                  - /usr/lib/linkerd/linkerd-await
                  - --timeout=2m
                  - --port=4191
          volumeMounts:
            - name: linkerd-identity-end-entity
              mountPath: /var/run/linkerd/identity/end-entity
            - name: linkerd-identity-token
              mountPath: /var/run/secrets/tokens
        # Injector server on 8443 (admin HTTP on 9995); its key pair is
        # mounted read-only from the linkerd-proxy-injector-k8s-tls Secret.
        - name: proxy-injector
          image: cr.l5d.io/linkerd/controller:install-control-plane-version
          imagePullPolicy: IfNotPresent
          args:
            - proxy-injector
            - -log-level=info
            - -log-format=plain
            - -linkerd-namespace=linkerd
            # Profiling stays switched off on the admin server.
            - -enable-pprof=false
          ports:
            - name: proxy-injector
              containerPort: 8443
            - name: admin-http
              containerPort: 9995
          livenessProbe:
            httpGet:
              path: /ping
              port: 9995
            initialDelaySeconds: 10
          readinessProbe:
            failureThreshold: 7
            httpGet:
              path: /ready
              port: 9995
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
            readOnlyRootFilesystem: true
            runAsNonRoot: true
            runAsUser: 2103
            seccompProfile:
              type: RuntimeDefault
          volumeMounts:
            - name: config
              mountPath: /var/run/linkerd/config
            - name: trust-roots
              mountPath: /var/run/linkerd/identity/trust-roots
            - name: tls
              mountPath: /var/run/linkerd/tls
              readOnly: true
      initContainers:
        # Sets up traffic redirection to the proxy ports. It is the only
        # container in the pod that adds capabilities (NET_ADMIN, NET_RAW)
        # and the only one without an explicit `drop: [ALL]`; it still runs
        # unprivileged, as non-root UID/GID 65534, on a read-only root
        # filesystem.
        - name: linkerd-init
          image: cr.l5d.io/linkerd/proxy-init:v2.4.0
          imagePullPolicy: IfNotPresent
          args:
            - --ipv6=false
            - --incoming-proxy-port
            - '4143'
            - --outgoing-proxy-port
            - '4140'
            - --proxy-uid
            - '2102'
            # Inbound traffic to these ports is not redirected to the proxy.
            - --inbound-ports-to-ignore
            - '4190,4191,4567,4568'
            # Outbound traffic to these ports is not redirected to the proxy.
            - --outbound-ports-to-ignore
            - '443,6443'
          resources:
            limits:
              cpu: '100m'
              memory: '20Mi'
            requests:
              cpu: '100m'
              memory: '20Mi'
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              add:
                - NET_ADMIN
                - NET_RAW
            privileged: false
            readOnlyRootFilesystem: true
            runAsNonRoot: true
            runAsUser: 65534
            runAsGroup: 65534
            seccompProfile:
              type: RuntimeDefault
          terminationMessagePolicy: FallbackToLogsOnError
          volumeMounts:
            - name: linkerd-proxy-init-xtables-lock
              mountPath: /run
      securityContext:
        seccompProfile:
          type: RuntimeDefault
      serviceAccountName: linkerd-proxy-injector
      volumes:
        - name: config
          configMap:
            name: linkerd-config
        - name: trust-roots
          configMap:
            name: linkerd-identity-trust-roots
        - name: tls
          secret:
            secretName: linkerd-proxy-injector-k8s-tls
        - name: linkerd-proxy-init-xtables-lock
          emptyDir: {}
        # Projected token scoped to the identity.l5d.io audience with a
        # 24-hour (86400 s) lifetime, separate from the pod's default token.
        - name: linkerd-identity-token
          projected:
            sources:
              - serviceAccountToken:
                  path: linkerd-identity-token
                  expirationSeconds: 86400
                  audience: identity.l5d.io
        # Memory-backed, so what the proxy writes under its identity
        # directory is not stored on the node's disk.
        - name: linkerd-identity-end-entity
          emptyDir:
            medium: Memory
---
# Service for the proxy injector; port 443 is forwarded to the container
# port named `proxy-injector`. Port 443 is annotated as opaque.
# NOTE(review): presumably the endpoint a mutating webhook configuration
# points at; that configuration is not part of this excerpt, so confirm its
# caBundle matches the certificate in linkerd-proxy-injector-k8s-tls.
apiVersion: v1
kind: Service
metadata:
  name: linkerd-proxy-injector
  namespace: linkerd
  labels:
    linkerd.io/control-plane-component: proxy-injector
    linkerd.io/control-plane-ns: linkerd
  annotations:
    linkerd.io/created-by: linkerd/cli dev-undefined
    config.linkerd.io/opaque-ports: '443'
spec:
  type: ClusterIP
  # Selection is by the component label alone, so any pod in this namespace
  # that carries the label becomes a backend of this Service.
  selector:
    linkerd.io/control-plane-component: proxy-injector
  ports:
    - name: proxy-injector
      port: 443
      targetPort: proxy-injector
---
# Secret carrying a single `linkerd-config-overrides` entry.
# NOTE(review): values under `data` are base64-encoded, not encrypted. Limit
# read access to this Secret through RBAC and enable encryption at rest for
# Secrets if the payload is sensitive.
apiVersion: v1
kind: Secret
metadata:
  name: linkerd-config-overrides
  namespace: linkerd
  labels:
    linkerd.io/control-plane-ns: linkerd
  creationTimestamp: null
data:
  linkerd-config-overrides: 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