1---
2# Source: linkerd-control-plane/templates/namespace.yaml
3---
4# Source: linkerd-control-plane/templates/identity-rbac.yaml
5---
6###
7### Identity Controller Service RBAC
8###
# ClusterRole for the identity controller. Both rules are cluster-scoped:
# creating TokenReviews and writing Events.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: linkerd-linkerd-dev-identity
  labels:
    linkerd.io/control-plane-component: identity
    linkerd.io/control-plane-ns: linkerd-dev
rules:
  # TokenReview is how a presented ServiceAccount token is checked against
  # the API server; only "create" is granted.
  - apiGroups:
      - authentication.k8s.io
    resources:
      - tokenreviews
    verbs:
      - create
  # TODO(ver) Restrict this to the Linkerd namespace. See
  # https://github.com/linkerd/linkerd2/issues/9367
  # NOTE(review): until then, event create/patch applies in every namespace.
  - apiGroups:
      - ""
    resources:
      - events
    verbs:
      - create
      - patch
25---
# Binds the identity ClusterRole to the linkerd-identity ServiceAccount only.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: linkerd-linkerd-dev-identity
  labels:
    linkerd.io/control-plane-component: identity
    linkerd.io/control-plane-ns: linkerd-dev
roleRef:
  kind: ClusterRole
  name: linkerd-linkerd-dev-identity
  apiGroup: rbac.authorization.k8s.io
subjects:
  - kind: ServiceAccount
    namespace: linkerd-dev
    name: linkerd-identity
41---
# ServiceAccount the identity Deployment runs as (see serviceAccountName there).
apiVersion: v1
kind: ServiceAccount
metadata:
  name: linkerd-identity
  namespace: linkerd-dev
  labels:
    linkerd.io/control-plane-component: identity
    linkerd.io/control-plane-ns: linkerd-dev
50---
51# Source: linkerd-control-plane/templates/destination-rbac.yaml
52---
53###
54### Destination Controller Service
55###
# ClusterRole for the destination controller. Every rule is read-only except
# the last two (leases and endpointslices).
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: linkerd-linkerd-dev-destination
  labels:
    linkerd.io/control-plane-component: destination
    linkerd.io/control-plane-ns: linkerd-dev
rules:
  - apiGroups:
      - apps
    resources:
      - replicasets
    verbs:
      - list
      - get
      - watch
  - apiGroups:
      - batch
    resources:
      - jobs
    verbs:
      - list
      - get
      - watch
  - apiGroups:
      - ""
    resources:
      - pods
      - endpoints
      - services
      - nodes
    verbs:
      - list
      - get
      - watch
  - apiGroups:
      - linkerd.io
    resources:
      - serviceprofiles
    verbs:
      - list
      - get
      - watch
  - apiGroups:
      - workload.linkerd.io
    resources:
      - externalworkloads
    verbs:
      - list
      - get
      - watch
  # Lease access without "delete" or "list"; no resourceNames restriction.
  - apiGroups:
      - coordination.k8s.io
    resources:
      - leases
    verbs:
      - create
      - get
      - update
      - patch
  # NOTE(review): full write access to EndpointSlices in every namespace.
  # This is the broadest grant in this role; audit writes by this
  # ServiceAccount if EndpointSlice integrity matters to you.
  - apiGroups:
      - discovery.k8s.io
    resources:
      - endpointslices
    verbs:
      - list
      - get
      - watch
      - create
      - update
      - patch
      - delete
85---
# Binds the destination ClusterRole to the linkerd-destination ServiceAccount.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: linkerd-linkerd-dev-destination
  labels:
    linkerd.io/control-plane-component: destination
    linkerd.io/control-plane-ns: linkerd-dev
roleRef:
  kind: ClusterRole
  name: linkerd-linkerd-dev-destination
  apiGroup: rbac.authorization.k8s.io
subjects:
  - kind: ServiceAccount
    namespace: linkerd-dev
    name: linkerd-destination
101---
# ServiceAccount that the destination ClusterRole, the linkerd-policy
# ClusterRole and the remote-discovery Role in this render are all bound to.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: linkerd-destination
  namespace: linkerd-dev
  labels:
    linkerd.io/control-plane-component: destination
    linkerd.io/control-plane-ns: linkerd-dev
110---
# Validating admission webhook for ServiceProfile create/update.
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
  name: linkerd-sp-validator-webhook-config
  labels:
    linkerd.io/control-plane-component: destination
    linkerd.io/control-plane-ns: linkerd-dev
webhooks:
  - name: linkerd-sp-validator.linkerd.io
    admissionReviewVersions:
      - "v1"
      - "v1beta1"
    # Fail closed: a matching request is rejected when the webhook cannot be
    # reached, so validator availability gates ServiceProfile writes.
    failurePolicy: Fail
    sideEffects: None
    # Namespaces labelled config.linkerd.io/admission-webhooks=disabled are
    # skipped, so the right to label namespaces also controls validation.
    namespaceSelector:
      matchExpressions:
        - key: config.linkerd.io/admission-webhooks
          operator: NotIn
          values:
            - disabled
    clientConfig:
      service:
        name: linkerd-sp-validator
        namespace: linkerd-dev
        path: "/"
      # Base64 of a placeholder string, not a real PEM bundle (test fixture).
      caBundle: dGVzdC1wcm9maWxlLXZhbGlkYXRvci1jYS1idW5kbGU=
    rules:
      - apiGroups:
          - linkerd.io
        apiVersions:
          - v1alpha1
          - v1alpha2
        operations:
          - CREATE
          - UPDATE
        resources:
          - serviceprofiles
140---
# Validating admission webhook for Linkerd policy resources and Gateway API
# HTTPRoutes (create/update, all API versions).
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
  name: linkerd-policy-validator-webhook-config
  labels:
    linkerd.io/control-plane-component: destination
    linkerd.io/control-plane-ns: linkerd-dev
webhooks:
  - name: linkerd-policy-validator.linkerd.io
    admissionReviewVersions:
      - "v1"
      - "v1beta1"
    # Fail closed: policy writes are rejected while the validator is
    # unreachable.
    failurePolicy: Fail
    sideEffects: None
    # Opt-out by namespace label; restrict who may set this label.
    namespaceSelector:
      matchExpressions:
        - key: config.linkerd.io/admission-webhooks
          operator: NotIn
          values:
            - disabled
    clientConfig:
      service:
        name: linkerd-policy-validator
        namespace: linkerd-dev
        path: "/"
      # Same placeholder value as the sp-validator webhook in this render
      # (test fixture, not a real CA bundle).
      caBundle: dGVzdC1wcm9maWxlLXZhbGlkYXRvci1jYS1idW5kbGU=
    rules:
      - apiGroups: ["policy.linkerd.io"]
        apiVersions: ["*"]
        operations: ["CREATE", "UPDATE"]
        resources:
          - authorizationpolicies
          - httproutes
          - networkauthentications
          - meshtlsauthentications
          - serverauthorizations
          - servers
      - apiGroups: ["gateway.networking.k8s.io"]
        apiVersions: ["*"]
        operations: ["CREATE", "UPDATE"]
        resources:
          - httproutes
181---
# ClusterRole for the policy controller. Read-only on workloads and policy
# resources; the only writes are status patches on HTTPRoutes and lease
# create/patch.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: linkerd-policy
  labels:
    app.kubernetes.io/part-of: Linkerd
    linkerd.io/control-plane-component: destination
    linkerd.io/control-plane-ns: linkerd-dev
rules:
  - apiGroups: [""]
    resources: [pods]
    verbs: [get, list, watch]
  - apiGroups: [apps]
    resources: [deployments]
    verbs: [get]
  - apiGroups: [policy.linkerd.io]
    resources:
      - authorizationpolicies
      - httproutes
      - meshtlsauthentications
      - networkauthentications
      - servers
      - serverauthorizations
    verbs: [get, list, watch]
  - apiGroups: [gateway.networking.k8s.io]
    resources: [httproutes]
    verbs: [get, list, watch]
  # Write access is limited to the status subresource, not the route spec.
  - apiGroups: [policy.linkerd.io]
    resources: [httproutes/status]
    verbs: [patch]
  - apiGroups: [gateway.networking.k8s.io]
    resources: [httproutes/status]
    verbs: [patch]
  - apiGroups: [workload.linkerd.io]
    resources: [externalworkloads]
    verbs: [get, list, watch]
  - apiGroups: [coordination.k8s.io]
    resources: [leases]
    verbs: [create, get, patch]
254---
# Grants the linkerd-policy ClusterRole to the linkerd-destination
# ServiceAccount, in addition to its own destination ClusterRole.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: linkerd-destination-policy
  labels:
    app.kubernetes.io/part-of: Linkerd
    linkerd.io/control-plane-component: destination
    linkerd.io/control-plane-ns: linkerd-dev
subjects:
  - kind: ServiceAccount
    namespace: linkerd-dev
    name: linkerd-destination
roleRef:
  kind: ClusterRole
  name: linkerd-policy
  apiGroup: rbac.authorization.k8s.io
271---
# Namespaced Role: read access to Secrets in linkerd-dev.
# NOTE(review): there is no resourceNames filter, so this covers every Secret
# in the namespace, including the linkerd-identity-issuer Secret (crt.pem and
# key.pem) rendered into the same namespace by this chart output.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: remote-discovery
  namespace: linkerd-dev
  labels:
    app.kubernetes.io/part-of: Linkerd
    linkerd.io/control-plane-component: destination
    linkerd.io/control-plane-ns: linkerd-dev
rules:
  - apiGroups: [""]
    resources: [secrets]
    verbs: [get, list, watch]
290---
# Grants the remote-discovery Role (Secret read in linkerd-dev) to the
# linkerd-destination ServiceAccount.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: linkerd-destination-remote-discovery
  namespace: linkerd-dev
  labels:
    app.kubernetes.io/part-of: Linkerd
    linkerd.io/control-plane-component: destination
    linkerd.io/control-plane-ns: linkerd-dev
subjects:
  - kind: ServiceAccount
    namespace: linkerd-dev
    name: linkerd-destination
roleRef:
  kind: Role
  name: remote-discovery
  apiGroup: rbac.authorization.k8s.io
308---
309# Source: linkerd-control-plane/templates/heartbeat-rbac.yaml
310---
311###
312### Heartbeat RBAC
313###
# Namespaced Role for the heartbeat job: "get" on a single named ConfigMap.
# resourceNames pins the grant to linkerd-config only.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: linkerd-heartbeat
  namespace: linkerd-dev
  labels:
    linkerd.io/control-plane-ns: linkerd-dev
rules:
  - apiGroups:
      - ""
    resources:
      - configmaps
    resourceNames:
      - linkerd-config
    verbs:
      - get
326---
# Binds the namespaced linkerd-heartbeat Role to the linkerd-heartbeat
# ServiceAccount.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: linkerd-heartbeat
  namespace: linkerd-dev
  labels:
    linkerd.io/control-plane-ns: linkerd-dev
subjects:
  - kind: ServiceAccount
    namespace: linkerd-dev
    name: linkerd-heartbeat
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: linkerd-heartbeat
342---
# Cluster-scoped read for the heartbeat job: "list" only, on namespaces and
# ServiceProfiles. No get/watch and no write verbs.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: linkerd-heartbeat
  labels:
    linkerd.io/control-plane-ns: linkerd-dev
rules:
  - apiGroups:
      - ""
    resources:
      - namespaces
    verbs:
      - list
  - apiGroups:
      - linkerd.io
    resources:
      - serviceprofiles
    verbs:
      - list
356---
# Binds the linkerd-heartbeat ClusterRole to the linkerd-heartbeat
# ServiceAccount.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: linkerd-heartbeat
  labels:
    linkerd.io/control-plane-ns: linkerd-dev
subjects:
  - kind: ServiceAccount
    namespace: linkerd-dev
    name: linkerd-heartbeat
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: linkerd-heartbeat
371---
# ServiceAccount referenced by the heartbeat Role/ClusterRole bindings.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: linkerd-heartbeat
  namespace: linkerd-dev
  labels:
    linkerd.io/control-plane-component: heartbeat
    linkerd.io/control-plane-ns: linkerd-dev
380---
381# Source: linkerd-control-plane/templates/podmonitor.yaml
382
383---
384# Source: linkerd-control-plane/templates/proxy-injector-rbac.yaml
385---
386###
387### Proxy Injector RBAC
388###
# ClusterRole for the proxy injector: cluster-wide read on workload kinds,
# plus Event create/patch. No write access to the workloads themselves.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: linkerd-linkerd-dev-proxy-injector
  labels:
    linkerd.io/control-plane-component: proxy-injector
    linkerd.io/control-plane-ns: linkerd-dev
rules:
  # Event writes are cluster-scoped here (not limited to one namespace).
  - apiGroups:
      - ""
    resources:
      - events
    verbs:
      - create
      - patch
  - apiGroups:
      - ""
    resources:
      - namespaces
      - replicationcontrollers
    verbs:
      - list
      - get
      - watch
  # Pods: list/watch only, no "get".
  - apiGroups:
      - ""
    resources:
      - pods
    verbs:
      - list
      - watch
  - apiGroups:
      - extensions
      - apps
    resources:
      - deployments
      - replicasets
      - daemonsets
      - statefulsets
    verbs:
      - list
      - get
      - watch
  - apiGroups:
      - extensions
      - batch
    resources:
      - cronjobs
      - jobs
    verbs:
      - list
      - get
      - watch
412---
# Binds the proxy-injector ClusterRole to the linkerd-proxy-injector
# ServiceAccount.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: linkerd-linkerd-dev-proxy-injector
  labels:
    linkerd.io/control-plane-component: proxy-injector
    linkerd.io/control-plane-ns: linkerd-dev
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: linkerd-linkerd-dev-proxy-injector
subjects:
  - apiGroup: ""
    kind: ServiceAccount
    namespace: linkerd-dev
    name: linkerd-proxy-injector
429---
# ServiceAccount bound to the proxy-injector ClusterRole.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: linkerd-proxy-injector
  namespace: linkerd-dev
  labels:
    linkerd.io/control-plane-component: proxy-injector
    linkerd.io/control-plane-ns: linkerd-dev
438---
# Mutating admission webhook: intercepts CREATE of pods and services in
# namespaced scope and sends them to the proxy injector.
apiVersion: admissionregistration.k8s.io/v1
kind: MutatingWebhookConfiguration
metadata:
  name: linkerd-proxy-injector-webhook-config
  labels:
    linkerd.io/control-plane-component: proxy-injector
    linkerd.io/control-plane-ns: linkerd-dev
webhooks:
  - name: linkerd-proxy-injector.linkerd.io
    admissionReviewVersions:
      - "v1"
      - "v1beta1"
    # Fail closed with a 10s timeout: while the injector is unreachable, pod
    # and service creation is rejected in every namespace the selector below
    # matches. The exclusions keep kube-system and cert-manager out of that
    # blast radius.
    failurePolicy: Fail
    timeoutSeconds: 10
    sideEffects: None
    namespaceSelector:
      matchExpressions:
        # Label-based opt-out; restrict who may label namespaces.
        - key: config.linkerd.io/admission-webhooks
          operator: NotIn
          values:
            - disabled
        - key: kubernetes.io/metadata.name
          operator: NotIn
          values:
            - kube-system
            - cert-manager
    # Explicit null: no per-object label filtering is configured.
    objectSelector: null
    clientConfig:
      service:
        name: linkerd-proxy-injector
        namespace: linkerd-dev
        path: "/"
      # Base64 of a placeholder string, not a real PEM bundle (test fixture).
      caBundle: dGVzdC1wcm94eS1pbmplY3Rvci1jYS1idW5kbGU=
    rules:
      - apiGroups:
          - ""
        apiVersions:
          - "v1"
        operations:
          - "CREATE"
        resources:
          - "pods"
          - "services"
        scope: "Namespaced"
477---
478# Source: linkerd-control-plane/templates/psp.yaml
479---
480# Source: linkerd-control-plane/templates/config.yaml
481---
482kind: ConfigMap
483apiVersion: v1
484metadata:
485 name: linkerd-config
486 namespace: linkerd-dev
487 labels:
488 linkerd.io/control-plane-component: controller
489 linkerd.io/control-plane-ns: linkerd-dev
490 annotations:
491 linkerd.io/created-by: linkerd/helm linkerd-version
492data:
493 linkerd-crds-chart-version: linkerd-crds-1.0.0-edge
494 values: |
495 cliVersion: ""
496 clusterDomain: cluster.local
497 clusterNetworks: 10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16,fd00::/8
498 cniEnabled: false
499 controlPlaneTracing: false
500 controlPlaneTracingNamespace: linkerd-jaeger
501 controller:
502 podDisruptionBudget:
503 maxUnavailable: 1
504 controllerGID: -1
505 controllerImage: cr.l5d.io/linkerd/controller
506 controllerLogFormat: plain
507 controllerLogLevel: info
508 controllerReplicas: 3
509 controllerUID: 2103
510 debugContainer:
511 image:
512 name: cr.l5d.io/linkerd/debug
513 pullPolicy: ""
514 version: test-debug-version
515 deploymentStrategy:
516 rollingUpdate:
517 maxSurge: 25%
518 maxUnavailable: 1
519 destinationController:
520 meshedHttp2ClientProtobuf:
521 keep_alive:
522 interval:
523 seconds: 10
524 timeout:
525 seconds: 3
526 while_idle: true
527 destinationProxyResources: null
528 destinationResources:
529 cpu:
530 limit: ""
531 request: 100m
532 ephemeral-storage:
533 limit: ""
534 request: ""
535 memory:
536 limit: 250Mi
537 request: 50Mi
538 disableHeartBeat: false
539 disableIPv6: true
540 enableEndpointSlices: true
541 enableH2Upgrade: true
542 enablePodAntiAffinity: true
543 enablePodDisruptionBudget: true
544 heartbeat: null
545 heartbeatResources:
546 cpu:
547 limit: ""
548 request: 100m
549 ephemeral-storage:
550 limit: ""
551 request: ""
552 memory:
553 limit: 250Mi
554 request: 50Mi
555 heartbeatSchedule: 1 2 3 4 5
556 highAvailability: true
557 identity:
558 additionalEnv: null
559 experimentalEnv: null
560 externalCA: false
561 issuer:
562 clockSkewAllowance: 20s
563 issuanceLifetime: 24h0m0s
564 scheme: linkerd.io/tls
565 tls:
566 crtPEM: test-crt-pem
567 kubeAPI:
568 clientBurst: 200
569 clientQPS: 100
570 serviceAccountTokenProjection: true
571 identityProxyResources: null
572 identityResources:
573 cpu:
574 limit: ""
575 request: 100m
576 ephemeral-storage:
577 limit: ""
578 request: ""
579 memory:
580 limit: 250Mi
581 request: 10Mi
582 identityTrustAnchorsPEM: test-trust-anchor
583 identityTrustDomain: test.trust.domain
584 imagePullPolicy: IfNotPresent
585 imagePullSecrets: null
586 linkerdVersion: linkerd-version
587 networkValidator:
588 connectAddr: 1.1.1.1:20001
589 enableSecurityContext: true
590 listenAddr: 0.0.0.0:4140
591 logFormat: plain
592 logLevel: debug
593 timeout: 10s
594 nodeAffinity: null
595 nodeSelector:
596 kubernetes.io/os: linux
597 podAnnotations: {}
598 podLabels: {}
599 podMonitor:
600 controller:
601 enabled: true
602 namespaceSelector: |
603 matchNames:
604 - {{ .Release.Namespace }}
605 - linkerd-viz
606 - linkerd-jaeger
607 enabled: false
608 proxy:
609 enabled: true
610 scrapeInterval: 10s
611 scrapeTimeout: 10s
612 serviceMirror:
613 enabled: true
614 policyController:
615 image:
616 name: cr.l5d.io/linkerd/policy-controller
617 pullPolicy: ""
618 version: ""
619 logLevel: info
620 probeNetworks:
621 - 0.0.0.0/0
622 - ::/0
623 resources:
624 cpu:
625 limit: ""
626 request: ""
627 ephemeral-storage:
628 limit: ""
629 request: ""
630 memory:
631 limit: ""
632 request: ""
633 policyValidator:
634 caBundle: test-profile-validator-ca-bundle
635 crtPEM: ""
636 externalSecret: true
637 injectCaFrom: ""
638 injectCaFromSecret: ""
639 namespaceSelector:
640 matchExpressions:
641 - key: config.linkerd.io/admission-webhooks
642 operator: NotIn
643 values:
644 - disabled
645 priorityClassName: ""
646 profileValidator:
647 caBundle: test-profile-validator-ca-bundle
648 crtPEM: ""
649 externalSecret: true
650 injectCaFrom: ""
651 injectCaFromSecret: ""
652 namespaceSelector:
653 matchExpressions:
654 - key: config.linkerd.io/admission-webhooks
655 operator: NotIn
656 values:
657 - disabled
658 prometheusUrl: ""
659 proxy:
660 accessLog: ""
661 additionalEnv: null
662 await: true
663 capabilities: null
664 control:
665 streams:
666 idleTimeout: 5m
667 initialTimeout: 3s
668 lifetime: 1h
669 defaultInboundPolicy: all-unauthenticated
670 disableInboundProtocolDetectTimeout: false
671 disableOutboundProtocolDetectTimeout: false
672 enableExternalProfiles: false
673 experimentalEnv: null
674 gid: -1
675 image:
676 name: cr.l5d.io/linkerd/proxy
677 pullPolicy: ""
678 version: test-proxy-version
679 inbound:
680 server:
681 http2:
682 keepAliveInterval: 10s
683 keepAliveTimeout: 3s
684 inboundConnectTimeout: 100ms
685 inboundDiscoveryCacheUnusedTimeout: 90s
686 isGateway: false
687 isIngress: false
688 livenessProbe:
689 initialDelaySeconds: 10
690 timeoutSeconds: 1
691 logFormat: plain
692 logLevel: warn,linkerd=info,trust_dns=error
693 nativeSidecar: false
694 opaquePorts: 25,587,3306,4444,5432,6379,9300,11211
695 outbound:
696 server:
697 http2:
698 keepAliveInterval: 10s
699 keepAliveTimeout: 3s
700 outboundConnectTimeout: 1000ms
701 outboundDiscoveryCacheUnusedTimeout: 5s
702 podInboundPorts: ""
703 ports:
704 admin: 4191
705 control: 4190
706 inbound: 4143
707 outbound: 4140
708 readinessProbe:
709 initialDelaySeconds: 2
710 timeoutSeconds: 1
711 requireIdentityOnInboundPorts: ""
712 resources:
713 cpu:
714 limit: ""
715 request: 100m
716 ephemeral-storage:
717 limit: ""
718 request: ""
719 memory:
720 limit: 250Mi
721 request: 20Mi
722 saMountPath: null
723 shutdownGracePeriod: ""
724 startupProbe:
725 failureThreshold: 120
726 initialDelaySeconds: 0
727 periodSeconds: 1
728 uid: 2102
729 waitBeforeExitSeconds: 0
730 proxyContainerName: linkerd-proxy
731 proxyInit:
732 capabilities: null
733 closeWaitTimeoutSecs: 0
734 ignoreInboundPorts: "222"
735 ignoreOutboundPorts: "111"
736 image:
737 name: cr.l5d.io/linkerd/proxy-init
738 pullPolicy: ""
739 version: test-proxy-init-version
740 iptablesMode: legacy
741 kubeAPIServerPorts: 443,6443
742 logFormat: ""
743 logLevel: ""
744 privileged: false
745 resources:
746 cpu:
747 limit: 100m
748 request: 100m
749 ephemeral-storage:
750 limit: ""
751 request: ""
752 memory:
753 limit: 20Mi
754 request: 20Mi
755 runAsGroup: 65534
756 runAsRoot: false
757 runAsUser: 65534
758 saMountPath: null
759 skipSubnets: ""
760 xtMountPath:
761 mountPath: /run
762 name: linkerd-proxy-init-xtables-lock
763 readOnly: false
764 proxyInjector:
765 additionalEnv: null
766 caBundle: test-proxy-injector-ca-bundle
767 crtPEM: ""
768 experimentalEnv: null
769 externalSecret: true
770 injectCaFrom: ""
771 injectCaFromSecret: ""
772 namespaceSelector:
773 matchExpressions:
774 - key: config.linkerd.io/admission-webhooks
775 operator: NotIn
776 values:
777 - disabled
778 - key: kubernetes.io/metadata.name
779 operator: NotIn
780 values:
781 - kube-system
782 - cert-manager
783 proxyInjectorProxyResources: null
784 proxyInjectorResources:
785 cpu:
786 limit: ""
787 request: 100m
788 ephemeral-storage:
789 limit: ""
790 request: ""
791 memory:
792 limit: 250Mi
793 request: 50Mi
794 revisionHistoryLimit: 10
795 spValidator: null
796 tap:
797 caBundle: test-tap-ca-bundle
798 externalSecret: true
799 tolerations: null
800 webhookFailurePolicy: Fail
801---
802# Source: linkerd-control-plane/templates/config-rbac.yaml
803---
# Namespaced Role granting "get" on the single linkerd-config ConfigMap.
# No binding for this Role appears in this part of the render.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: ext-namespace-metadata-linkerd-config
  namespace: linkerd-dev
  annotations:
    linkerd.io/created-by: linkerd/helm linkerd-version
rules:
  - apiGroups:
      - ""
    resources:
      - configmaps
    resourceNames:
      - linkerd-config
    verbs:
      - get
816---
817# Source: linkerd-control-plane/templates/identity.yaml
818---
819###
820### Identity Controller Service
821###
822---
# Issuer credentials for the identity controller, rendered inline by the chart.
# Both values decode to placeholder strings in this fixture. In a real render
# key.pem would carry the issuer private key; base64 is an encoding, not
# encryption, so the rendered manifest must be handled as secret material.
apiVersion: v1
kind: Secret
metadata:
  name: linkerd-identity-issuer
  namespace: linkerd-dev
  annotations:
    linkerd.io/created-by: linkerd/helm linkerd-version
  labels:
    linkerd.io/control-plane-component: identity
    linkerd.io/control-plane-ns: linkerd-dev
data:
  crt.pem: dGVzdC1jcnQtcGVt
  key.pem: dGVzdC1rZXktcGVt
836---
# Trust anchor bundle. The identity Deployment mounts this ConfigMap and also
# reads ca-bundle.crt into LINKERD2_PROXY_IDENTITY_TRUST_ANCHORS, so write
# access to it should be tightly controlled.
apiVersion: v1
kind: ConfigMap
metadata:
  name: linkerd-identity-trust-roots
  namespace: linkerd-dev
  annotations:
    linkerd.io/created-by: linkerd/helm linkerd-version
  labels:
    linkerd.io/control-plane-component: identity
    linkerd.io/control-plane-ns: linkerd-dev
data:
  # Placeholder value in this fixture, not a PEM certificate.
  ca-bundle.crt: |-
    test-trust-anchor
850---
# ClusterIP Service in front of the identity controller's gRPC port.
apiVersion: v1
kind: Service
metadata:
  name: linkerd-identity
  namespace: linkerd-dev
  annotations:
    linkerd.io/created-by: linkerd/helm linkerd-version
  labels:
    linkerd.io/control-plane-component: identity
    linkerd.io/control-plane-ns: linkerd-dev
spec:
  type: ClusterIP
  ports:
    - name: grpc
      port: 8080
      targetPort: 8080
  selector:
    linkerd.io/control-plane-component: identity
869---
# Headless variant (clusterIP: None) of the identity Service, same selector
# and port.
apiVersion: v1
kind: Service
metadata:
  name: linkerd-identity-headless
  namespace: linkerd-dev
  annotations:
    linkerd.io/created-by: linkerd/helm linkerd-version
  labels:
    linkerd.io/control-plane-component: identity
    linkerd.io/control-plane-ns: linkerd-dev
spec:
  clusterIP: None
  ports:
    - name: grpc
      port: 8080
      targetPort: 8080
  selector:
    linkerd.io/control-plane-component: identity
888---
# Allows at most one identity pod to be voluntarily disrupted at a time
# (the Deployment in this render runs 3 replicas).
apiVersion: policy/v1
kind: PodDisruptionBudget
metadata:
  name: linkerd-identity
  namespace: linkerd-dev
  annotations:
    linkerd.io/created-by: linkerd/helm linkerd-version
  labels:
    linkerd.io/control-plane-component: identity
    linkerd.io/control-plane-ns: linkerd-dev
spec:
  selector:
    matchLabels:
      linkerd.io/control-plane-component: identity
  maxUnavailable: 1
904---
# Identity controller Deployment: the controller container, its linkerd-proxy
# sidecar, and the linkerd-init init container that sets up traffic
# redirection.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: linkerd-identity
  namespace: linkerd-dev
  annotations:
    linkerd.io/created-by: linkerd/helm linkerd-version
  labels:
    app.kubernetes.io/name: identity
    app.kubernetes.io/part-of: Linkerd
    app.kubernetes.io/version: linkerd-version
    linkerd.io/control-plane-component: identity
    linkerd.io/control-plane-ns: linkerd-dev
spec:
  replicas: 3
  revisionHistoryLimit: 10
  selector:
    matchLabels:
      linkerd.io/control-plane-component: identity
      linkerd.io/control-plane-ns: linkerd-dev
      linkerd.io/proxy-deployment: linkerd-identity
  strategy:
    rollingUpdate:
      maxSurge: 25%
      maxUnavailable: 1
  template:
    metadata:
      annotations:
        linkerd.io/created-by: linkerd/helm linkerd-version
        linkerd.io/proxy-version: test-proxy-version
        cluster-autoscaler.kubernetes.io/safe-to-evict: "true"
        linkerd.io/trust-root-sha256: f8ebf807fa1cf5bf3b40e94680a5fc91593782385f28c96eae7bb6672dba375e
        # NOTE(review): inbound default is all-unauthenticated; port 8080 is
        # separately listed in LINKERD2_PROXY_INBOUND_PORTS_REQUIRE_TLS below.
        config.linkerd.io/default-inbound-policy: "all-unauthenticated"
      labels:
        linkerd.io/control-plane-component: identity
        linkerd.io/control-plane-ns: linkerd-dev
        linkerd.io/workload-ns: linkerd-dev
        linkerd.io/proxy-deployment: linkerd-identity
    spec:
      serviceAccountName: linkerd-identity
      # Pod-level default; each container also sets RuntimeDefault itself.
      securityContext:
        seccompProfile:
          type: RuntimeDefault
      nodeSelector:
        kubernetes.io/os: linux
      affinity:
        podAntiAffinity:
          # Soft spread across zones, hard spread across nodes.
          preferredDuringSchedulingIgnoredDuringExecution:
            - weight: 100
              podAffinityTerm:
                topologyKey: topology.kubernetes.io/zone
                labelSelector:
                  matchExpressions:
                    - key: linkerd.io/control-plane-component
                      operator: In
                      values:
                        - identity
          requiredDuringSchedulingIgnoredDuringExecution:
            - topologyKey: kubernetes.io/hostname
              labelSelector:
                matchExpressions:
                  - key: linkerd.io/control-plane-component
                    operator: In
                    values:
                      - identity
      containers:
        # Identity controller. The image tag is a fixture placeholder, not a
        # digest pin.
        - name: identity
          image: cr.l5d.io/linkerd/controller:linkerd-version
          imagePullPolicy: IfNotPresent
          args:
            - identity
            - -log-level=info
            - -log-format=plain
            - -controller-namespace=linkerd-dev
            - -identity-trust-domain=test.trust.domain
            - -identity-issuance-lifetime=24h0m0s
            - -identity-clock-skew-allowance=20s
            - -identity-scheme=linkerd.io/tls
            - -enable-pprof=false
            - -kube-apiclient-qps=100
            - -kube-apiclient-burst=200
          env:
            - name: LINKERD_DISABLED
              value: "linkerd-await cannot block the identity controller"
          ports:
            - containerPort: 8080
              name: grpc
            - containerPort: 9990
              name: admin-http
          livenessProbe:
            httpGet:
              path: /ping
              port: 9990
            initialDelaySeconds: 10
          readinessProbe:
            failureThreshold: 7
            httpGet:
              path: /ready
              port: 9990
          resources:
            limits:
              memory: "250Mi"
            requests:
              cpu: "100m"
              memory: "10Mi"
          # Hardened: non-root UID, all capabilities dropped, read-only root
          # filesystem, no privilege escalation.
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
            readOnlyRootFilesystem: true
            runAsNonRoot: true
            runAsUser: 2103
            seccompProfile:
              type: RuntimeDefault
          volumeMounts:
            # Issuer certificate and key from the linkerd-identity-issuer
            # Secret; only this container mounts it.
            - mountPath: /var/run/linkerd/identity/issuer
              name: identity-issuer
            - mountPath: /var/run/linkerd/identity/trust-roots/
              name: trust-roots
        # Proxy sidecar. Env order is kept as rendered because later entries
        # expand earlier ones through $(VAR).
        - name: linkerd-proxy
          image: cr.l5d.io/linkerd/proxy:test-proxy-version
          imagePullPolicy: IfNotPresent
          env:
            - name: _pod_name
              valueFrom:
                fieldRef:
                  fieldPath: metadata.name
            - name: _pod_ns
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
            - name: _pod_nodeName
              valueFrom:
                fieldRef:
                  fieldPath: spec.nodeName
            - name: LINKERD2_PROXY_INBOUND_PORTS_REQUIRE_TLS
              value: "8080"
            - name: LINKERD2_PROXY_LOG
              value: "warn,linkerd=info,trust_dns=error"
            - name: LINKERD2_PROXY_LOG_FORMAT
              value: "plain"
            - name: LINKERD2_PROXY_DESTINATION_SVC_ADDR
              value: linkerd-dst-headless.linkerd-dev.svc.cluster.local.:8086
            - name: LINKERD2_PROXY_DESTINATION_PROFILE_NETWORKS
              value: "10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16,fd00::/8"
            - name: LINKERD2_PROXY_POLICY_SVC_ADDR
              value: linkerd-policy.linkerd-dev.svc.cluster.local.:8090
            - name: LINKERD2_PROXY_POLICY_WORKLOAD
              value: |
                {"ns":"$(_pod_ns)", "pod":"$(_pod_name)"}
            - name: LINKERD2_PROXY_INBOUND_DEFAULT_POLICY
              value: all-unauthenticated
            - name: LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS
              value: "10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16,fd00::/8"
            - name: LINKERD2_PROXY_CONTROL_STREAM_INITIAL_TIMEOUT
              value: "3s"
            - name: LINKERD2_PROXY_CONTROL_STREAM_IDLE_TIMEOUT
              value: "5m"
            - name: LINKERD2_PROXY_CONTROL_STREAM_LIFETIME
              value: "1h"
            - name: LINKERD2_PROXY_INBOUND_CONNECT_TIMEOUT
              value: "100ms"
            - name: LINKERD2_PROXY_OUTBOUND_CONNECT_TIMEOUT
              value: "1000ms"
            - name: LINKERD2_PROXY_OUTBOUND_DISCOVERY_IDLE_TIMEOUT
              value: "5s"
            - name: LINKERD2_PROXY_INBOUND_DISCOVERY_IDLE_TIMEOUT
              value: "90s"
            # Control, admin and inbound listeners bind to all addresses;
            # the outbound listener is loopback-only.
            - name: LINKERD2_PROXY_CONTROL_LISTEN_ADDR
              value: "[::]:4190"
            - name: LINKERD2_PROXY_ADMIN_LISTEN_ADDR
              value: "[::]:4191"
            - name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDR
              value: "127.0.0.1:4140"
            - name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDRS
              value: "127.0.0.1:4140"
            - name: LINKERD2_PROXY_INBOUND_LISTEN_ADDR
              value: "[::]:4143"
            - name: LINKERD2_PROXY_INBOUND_IPS
              valueFrom:
                fieldRef:
                  fieldPath: status.podIPs
            - name: LINKERD2_PROXY_INBOUND_PORTS
              value: "8080,9990"
            - name: LINKERD2_PROXY_DESTINATION_PROFILE_SUFFIXES
              value: svc.cluster.local.
            - name: LINKERD2_PROXY_INBOUND_ACCEPT_KEEPALIVE
              value: 10000ms
            - name: LINKERD2_PROXY_OUTBOUND_CONNECT_KEEPALIVE
              value: 10000ms
            - name: LINKERD2_PROXY_INBOUND_SERVER_HTTP2_KEEP_ALIVE_INTERVAL
              value: "10s"
            - name: LINKERD2_PROXY_INBOUND_SERVER_HTTP2_KEEP_ALIVE_TIMEOUT
              value: "3s"
            - name: LINKERD2_PROXY_OUTBOUND_SERVER_HTTP2_KEEP_ALIVE_INTERVAL
              value: "10s"
            - name: LINKERD2_PROXY_OUTBOUND_SERVER_HTTP2_KEEP_ALIVE_TIMEOUT
              value: "3s"
            - name: LINKERD2_PROXY_INBOUND_PORTS_DISABLE_PROTOCOL_DETECTION
              value: "25,587,3306,4444,5432,6379,9300,11211"
            - name: LINKERD2_PROXY_DESTINATION_CONTEXT
              value: |
                {"ns":"$(_pod_ns)", "nodeName":"$(_pod_nodeName)", "pod":"$(_pod_name)"}
            - name: _pod_sa
              valueFrom:
                fieldRef:
                  fieldPath: spec.serviceAccountName
            - name: _l5d_ns
              value: linkerd-dev
            - name: _l5d_trustdomain
              value: test.trust.domain
            - name: LINKERD2_PROXY_IDENTITY_DIR
              value: /var/run/linkerd/identity/end-entity
            - name: LINKERD2_PROXY_IDENTITY_TRUST_ANCHORS
              valueFrom:
                configMapKeyRef:
                  name: linkerd-identity-trust-roots
                  key: ca-bundle.crt
            - name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE
              value: /var/run/secrets/tokens/linkerd-identity-token
            # The identity service is reached over localhost because it runs
            # in this same pod.
            - name: LINKERD2_PROXY_IDENTITY_SVC_ADDR
              value: localhost.:8080
            - name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME
              value: $(_pod_sa).$(_pod_ns).serviceaccount.identity.linkerd-dev.test.trust.domain
            - name: LINKERD2_PROXY_IDENTITY_SVC_NAME
              value: linkerd-identity.linkerd-dev.serviceaccount.identity.linkerd-dev.test.trust.domain
            - name: LINKERD2_PROXY_DESTINATION_SVC_NAME
              value: linkerd-destination.linkerd-dev.serviceaccount.identity.linkerd-dev.test.trust.domain
            - name: LINKERD2_PROXY_POLICY_SVC_NAME
              value: linkerd-destination.linkerd-dev.serviceaccount.identity.linkerd-dev.test.trust.domain
          ports:
            - containerPort: 4143
              name: linkerd-proxy
            - containerPort: 4191
              name: linkerd-admin
          livenessProbe:
            httpGet:
              path: /live
              port: 4191
            initialDelaySeconds: 10
            timeoutSeconds: 1
          readinessProbe:
            httpGet:
              path: /ready
              port: 4191
            initialDelaySeconds: 2
            timeoutSeconds: 1
          resources:
            limits:
              memory: "250Mi"
            requests:
              cpu: "100m"
              memory: "20Mi"
          # Same hardening as the controller, under a different UID (2102),
          # which linkerd-init receives as --proxy-uid.
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
            readOnlyRootFilesystem: true
            runAsNonRoot: true
            runAsUser: 2102
            seccompProfile:
              type: RuntimeDefault
          terminationMessagePolicy: FallbackToLogsOnError
          volumeMounts:
            - mountPath: /var/run/linkerd/identity/end-entity
              name: linkerd-identity-end-entity
            - mountPath: /var/run/secrets/tokens
              name: linkerd-identity-token
      initContainers:
        - name: linkerd-init
          image: cr.l5d.io/linkerd/proxy-init:test-proxy-init-version
          imagePullPolicy: IfNotPresent
          args:
            - --ipv6=false
            - --incoming-proxy-port
            - "4143"
            - --outgoing-proxy-port
            - "4140"
            - --proxy-uid
            - "2102"
            - --inbound-ports-to-ignore
            - "4190,4191,222"
            - --outbound-ports-to-ignore
            - "443,6443"
          resources:
            limits:
              cpu: "100m"
              memory: "20Mi"
            requests:
              cpu: "100m"
              memory: "20Mi"
          # The only container here that adds capabilities (NET_ADMIN and
          # NET_RAW) and the only one with no "drop: ALL". It is still
          # unprivileged, non-root (65534) and on a read-only root filesystem.
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              add:
                - NET_ADMIN
                - NET_RAW
            privileged: false
            readOnlyRootFilesystem: true
            runAsNonRoot: true
            runAsUser: 65534
            runAsGroup: 65534
            seccompProfile:
              type: RuntimeDefault
          terminationMessagePolicy: FallbackToLogsOnError
          volumeMounts:
            - mountPath: /run
              name: linkerd-proxy-init-xtables-lock
      volumes:
        - name: identity-issuer
          secret:
            secretName: linkerd-identity-issuer
        - name: trust-roots
          configMap:
            name: linkerd-identity-trust-roots
        - name: linkerd-proxy-init-xtables-lock
          emptyDir: {}
        # Projected ServiceAccount token bound to the identity.l5d.io audience
        # with a 24h (86400s) expiry, rather than the default API token.
        - name: linkerd-identity-token
          projected:
            sources:
              - serviceAccountToken:
                  path: linkerd-identity-token
                  expirationSeconds: 86400
                  audience: identity.l5d.io
        # Memory-backed emptyDir for the proxy's end-entity identity
        # directory (LINKERD2_PROXY_IDENTITY_DIR), so it is not written to
        # node disk.
        - name: linkerd-identity-end-entity
          emptyDir:
            medium: Memory
---
# Source: linkerd-control-plane/templates/destination.yaml
---
# Destination controller: cluster-internal gRPC endpoint.
# ClusterIP Service that forwards port 8086 to port 8086 on pods labelled
# linkerd.io/control-plane-component=destination.
apiVersion: v1
kind: Service
metadata:
  name: linkerd-dst
  namespace: linkerd-dev
  labels:
    linkerd.io/control-plane-component: destination
    linkerd.io/control-plane-ns: linkerd-dev
  annotations:
    linkerd.io/created-by: linkerd/helm linkerd-version
spec:
  type: ClusterIP
  # The selector is a single label: any pod in this namespace that carries it
  # becomes a backend, so pod-creation rights in linkerd-dev are sensitive.
  selector:
    linkerd.io/control-plane-component: destination
  ports:
    - name: grpc
      port: 8086
      targetPort: 8086
---
# Headless variant (clusterIP: None) of the destination gRPC Service: same
# selector and port 8086, but DNS resolves to the pod addresses directly.
# The proxy-injector pod's proxy in this file targets this name through
# LINKERD2_PROXY_DESTINATION_SVC_ADDR.
apiVersion: v1
kind: Service
metadata:
  name: linkerd-dst-headless
  namespace: linkerd-dev
  labels:
    linkerd.io/control-plane-component: destination
    linkerd.io/control-plane-ns: linkerd-dev
  annotations:
    linkerd.io/created-by: linkerd/helm linkerd-version
spec:
  clusterIP: None
  selector:
    linkerd.io/control-plane-component: destination
  ports:
    - name: grpc
      port: 8086
      targetPort: 8086
---
# Service in front of the sp-validator container: port 443 maps to the
# container port named `sp-validator` (declared as 8443 in the
# linkerd-destination Deployment of this file).
# NOTE(review): presumably the target of an admission webhook configuration
# that is not part of this excerpt; the serving certificate comes from the
# secret linkerd-sp-validator-k8s-tls mounted by that Deployment.
apiVersion: v1
kind: Service
metadata:
  name: linkerd-sp-validator
  namespace: linkerd-dev
  labels:
    linkerd.io/control-plane-component: destination
    linkerd.io/control-plane-ns: linkerd-dev
  annotations:
    linkerd.io/created-by: linkerd/helm linkerd-version
spec:
  type: ClusterIP
  selector:
    linkerd.io/control-plane-component: destination
  ports:
    - name: sp-validator
      port: 443
      targetPort: sp-validator
---
# Headless Service (clusterIP: None) for the policy controller's gRPC port
# 8090 on the destination pods. Proxies elsewhere in this file reach it via
# LINKERD2_PROXY_POLICY_SVC_ADDR.
apiVersion: v1
kind: Service
metadata:
  name: linkerd-policy
  namespace: linkerd-dev
  labels:
    linkerd.io/control-plane-component: destination
    linkerd.io/control-plane-ns: linkerd-dev
  annotations:
    linkerd.io/created-by: linkerd/helm linkerd-version
spec:
  clusterIP: None
  selector:
    linkerd.io/control-plane-component: destination
  ports:
    - name: grpc
      port: 8090
      targetPort: 8090
---
# Service in front of the policy container's HTTPS listener: port 443 maps to
# the container port named `policy-https` (declared as 9443 in the
# linkerd-destination Deployment of this file).
# NOTE(review): presumably the target of an admission webhook configuration
# that is not part of this excerpt; the key and certificate are read from the
# secret linkerd-policy-validator-k8s-tls mounted by that Deployment.
apiVersion: v1
kind: Service
metadata:
  name: linkerd-policy-validator
  namespace: linkerd-dev
  labels:
    linkerd.io/control-plane-component: destination
    linkerd.io/control-plane-ns: linkerd-dev
  annotations:
    linkerd.io/created-by: linkerd/helm linkerd-version
spec:
  type: ClusterIP
  selector:
    linkerd.io/control-plane-component: destination
  ports:
    - name: policy-https
      port: 443
      targetPort: policy-https
---
# PodDisruptionBudget for the destination pods: voluntary disruptions
# (drains, evictions) may take at most one matching pod down at a time.
apiVersion: policy/v1
kind: PodDisruptionBudget
metadata:
  name: linkerd-dst
  namespace: linkerd-dev
  labels:
    linkerd.io/control-plane-component: destination
    linkerd.io/control-plane-ns: linkerd-dev
  annotations:
    linkerd.io/created-by: linkerd/helm linkerd-version
spec:
  maxUnavailable: 1
  selector:
    matchLabels:
      linkerd.io/control-plane-component: destination
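---
# Deployment of the Linkerd destination pod in namespace linkerd-dev.
# Pod template: four containers (linkerd-proxy, destination, sp-validator,
# policy) and the linkerd-init init container; three replicas spread by a
# required per-host and a preferred per-zone anti-affinity rule.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: linkerd-destination
  namespace: linkerd-dev
  annotations:
    linkerd.io/created-by: linkerd/helm linkerd-version
  labels:
    app.kubernetes.io/name: destination
    app.kubernetes.io/part-of: Linkerd
    app.kubernetes.io/version: linkerd-version
    linkerd.io/control-plane-component: destination
    linkerd.io/control-plane-ns: linkerd-dev
spec:
  replicas: 3
  revisionHistoryLimit: 10
  selector:
    matchLabels:
      linkerd.io/control-plane-component: destination
      linkerd.io/control-plane-ns: linkerd-dev
      linkerd.io/proxy-deployment: linkerd-destination
  strategy:
    rollingUpdate:
      maxSurge: '25%'
      maxUnavailable: 1
  template:
    metadata:
      annotations:
        checksum/config: 'b0c26a237398c80aaed48f6954a403fc169549f3b7e927bdd86c71f8d13c8762'
        linkerd.io/created-by: linkerd/helm linkerd-version
        linkerd.io/proxy-version: test-proxy-version
        cluster-autoscaler.kubernetes.io/safe-to-evict: 'true'
        linkerd.io/trust-root-sha256: 'f8ebf807fa1cf5bf3b40e94680a5fc91593782385f28c96eae7bb6672dba375e'
        # NOTE(review): all-unauthenticated is set here, in the proxy env
        # (LINKERD2_PROXY_INBOUND_DEFAULT_POLICY) and in the policy
        # container's --default-policy flag. With this default, inbound
        # connections are accepted without a mesh identity unless a more
        # specific policy resource says otherwise; confirm that is intended.
        config.linkerd.io/default-inbound-policy: 'all-unauthenticated'
      labels:
        linkerd.io/control-plane-component: destination
        linkerd.io/control-plane-ns: linkerd-dev
        linkerd.io/workload-ns: linkerd-dev
        linkerd.io/proxy-deployment: linkerd-destination
    spec:
      nodeSelector:
        kubernetes.io/os: linux
      affinity:
        podAntiAffinity:
          preferredDuringSchedulingIgnoredDuringExecution:
            - weight: 100
              podAffinityTerm:
                labelSelector:
                  matchExpressions:
                    - key: linkerd.io/control-plane-component
                      operator: In
                      values:
                        - destination
                topologyKey: topology.kubernetes.io/zone
          requiredDuringSchedulingIgnoredDuringExecution:
            - labelSelector:
                matchExpressions:
                  - key: linkerd.io/control-plane-component
                    operator: In
                    values:
                      - destination
              topologyKey: kubernetes.io/hostname
      containers:
        # Sidecar proxy. The env list is order-sensitive: $(_pod_ns),
        # $(_pod_name), $(_pod_nodeName) and $(_pod_sa) are expanded by
        # Kubernetes only from entries that appear earlier in the list.
        - name: linkerd-proxy
          # NOTE(review): the tag looks like a test-fixture placeholder. With
          # imagePullPolicy IfNotPresent a node reuses whatever it has cached
          # under the tag, so a deployable manifest would want an immutable
          # reference (digest).
          image: cr.l5d.io/linkerd/proxy:test-proxy-version
          imagePullPolicy: IfNotPresent
          env:
            - name: _pod_name
              valueFrom:
                fieldRef:
                  fieldPath: metadata.name
            - name: _pod_ns
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
            - name: _pod_nodeName
              valueFrom:
                fieldRef:
                  fieldPath: spec.nodeName
            - name: LINKERD2_PROXY_LOG
              value: 'warn,linkerd=info,trust_dns=error'
            - name: LINKERD2_PROXY_LOG_FORMAT
              value: 'plain'
            # Destination and policy APIs are reached over localhost because
            # both servers run in this same pod (ports 8086 and 8090 below).
            - name: LINKERD2_PROXY_DESTINATION_SVC_ADDR
              value: 'localhost.:8086'
            - name: LINKERD2_PROXY_DESTINATION_PROFILE_NETWORKS
              value: '10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16,fd00::/8'
            - name: LINKERD2_PROXY_POLICY_SVC_ADDR
              value: 'localhost.:8090'
            - name: LINKERD2_PROXY_POLICY_WORKLOAD
              value: |
                {"ns":"$(_pod_ns)", "pod":"$(_pod_name)"}
            - name: LINKERD2_PROXY_INBOUND_DEFAULT_POLICY
              value: 'all-unauthenticated'
            - name: LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS
              value: '10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16,fd00::/8'
            - name: LINKERD2_PROXY_CONTROL_STREAM_INITIAL_TIMEOUT
              value: '3s'
            - name: LINKERD2_PROXY_CONTROL_STREAM_IDLE_TIMEOUT
              value: '5m'
            - name: LINKERD2_PROXY_CONTROL_STREAM_LIFETIME
              value: '1h'
            - name: LINKERD2_PROXY_INBOUND_CONNECT_TIMEOUT
              value: '100ms'
            - name: LINKERD2_PROXY_OUTBOUND_CONNECT_TIMEOUT
              value: '1000ms'
            - name: LINKERD2_PROXY_OUTBOUND_DISCOVERY_IDLE_TIMEOUT
              value: '5s'
            - name: LINKERD2_PROXY_INBOUND_DISCOVERY_IDLE_TIMEOUT
              value: '90s'
            # Control (4190), admin (4191) and inbound (4143) listeners bind
            # to all addresses; the outbound listener is loopback-only.
            - name: LINKERD2_PROXY_CONTROL_LISTEN_ADDR
              value: '[::]:4190'
            - name: LINKERD2_PROXY_ADMIN_LISTEN_ADDR
              value: '[::]:4191'
            - name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDR
              value: '127.0.0.1:4140'
            - name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDRS
              value: '127.0.0.1:4140'
            - name: LINKERD2_PROXY_INBOUND_LISTEN_ADDR
              value: '[::]:4143'
            - name: LINKERD2_PROXY_INBOUND_IPS
              valueFrom:
                fieldRef:
                  fieldPath: status.podIPs
            - name: LINKERD2_PROXY_INBOUND_PORTS
              value: '8086,8090,8443,9443,9990,9996,9997'
            - name: LINKERD2_PROXY_DESTINATION_PROFILE_SUFFIXES
              value: 'svc.cluster.local.'
            - name: LINKERD2_PROXY_INBOUND_ACCEPT_KEEPALIVE
              value: '10000ms'
            - name: LINKERD2_PROXY_OUTBOUND_CONNECT_KEEPALIVE
              value: '10000ms'
            - name: LINKERD2_PROXY_INBOUND_SERVER_HTTP2_KEEP_ALIVE_INTERVAL
              value: '10s'
            - name: LINKERD2_PROXY_INBOUND_SERVER_HTTP2_KEEP_ALIVE_TIMEOUT
              value: '3s'
            - name: LINKERD2_PROXY_OUTBOUND_SERVER_HTTP2_KEEP_ALIVE_INTERVAL
              value: '10s'
            - name: LINKERD2_PROXY_OUTBOUND_SERVER_HTTP2_KEEP_ALIVE_TIMEOUT
              value: '3s'
            - name: LINKERD2_PROXY_INBOUND_PORTS_DISABLE_PROTOCOL_DETECTION
              value: '25,587,3306,4444,5432,6379,9300,11211'
            - name: LINKERD2_PROXY_DESTINATION_CONTEXT
              value: |
                {"ns":"$(_pod_ns)", "nodeName":"$(_pod_nodeName)", "pod":"$(_pod_name)"}
            - name: _pod_sa
              valueFrom:
                fieldRef:
                  fieldPath: spec.serviceAccountName
            - name: _l5d_ns
              value: 'linkerd-dev'
            - name: _l5d_trustdomain
              value: 'test.trust.domain'
            # Identity material: the directory is the in-memory emptyDir
            # mounted below, trust anchors come from the
            # linkerd-identity-trust-roots ConfigMap, and the token file is
            # the projected service-account token volume.
            - name: LINKERD2_PROXY_IDENTITY_DIR
              value: '/var/run/linkerd/identity/end-entity'
            - name: LINKERD2_PROXY_IDENTITY_TRUST_ANCHORS
              valueFrom:
                configMapKeyRef:
                  name: linkerd-identity-trust-roots
                  key: ca-bundle.crt
            - name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE
              value: '/var/run/secrets/tokens/linkerd-identity-token'
            - name: LINKERD2_PROXY_IDENTITY_SVC_ADDR
              value: 'linkerd-identity-headless.linkerd-dev.svc.cluster.local.:8080'
            - name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME
              value: '$(_pod_sa).$(_pod_ns).serviceaccount.identity.linkerd-dev.test.trust.domain'
            - name: LINKERD2_PROXY_IDENTITY_SVC_NAME
              value: 'linkerd-identity.linkerd-dev.serviceaccount.identity.linkerd-dev.test.trust.domain'
            - name: LINKERD2_PROXY_DESTINATION_SVC_NAME
              value: 'linkerd-destination.linkerd-dev.serviceaccount.identity.linkerd-dev.test.trust.domain'
            - name: LINKERD2_PROXY_POLICY_SVC_NAME
              value: 'linkerd-destination.linkerd-dev.serviceaccount.identity.linkerd-dev.test.trust.domain'
          ports:
            - containerPort: 4143
              name: linkerd-proxy
            - containerPort: 4191
              name: linkerd-admin
          livenessProbe:
            httpGet:
              path: /live
              port: 4191
            initialDelaySeconds: 10
            timeoutSeconds: 1
          readinessProbe:
            httpGet:
              path: /ready
              port: 4191
            initialDelaySeconds: 2
            timeoutSeconds: 1
          lifecycle:
            postStart:
              exec:
                command:
                  - /usr/lib/linkerd/linkerd-await
                  - '--timeout=2m'
                  - '--port=4191'
          resources:
            limits:
              memory: '250Mi'
            requests:
              cpu: '100m'
              memory: '20Mi'
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
            readOnlyRootFilesystem: true
            runAsNonRoot: true
            runAsUser: 2102
            seccompProfile:
              type: RuntimeDefault
          terminationMessagePolicy: FallbackToLogsOnError
          volumeMounts:
            - mountPath: /var/run/linkerd/identity/end-entity
              name: linkerd-identity-end-entity
            - mountPath: /var/run/secrets/tokens
              name: linkerd-identity-token
        # Destination API server: gRPC on 8086, admin/probes on 9996.
        - name: destination
          image: cr.l5d.io/linkerd/controller:linkerd-version
          imagePullPolicy: IfNotPresent
          args:
            - 'destination'
            - '-addr=:8086'
            - '-controller-namespace=linkerd-dev'
            - '-enable-h2-upgrade=true'
            - '-log-level=info'
            - '-log-format=plain'
            - '-enable-endpoint-slices=true'
            - '-cluster-domain=cluster.local'
            - '-identity-trust-domain=test.trust.domain'
            - '-default-opaque-ports=25,587,3306,4444,5432,6379,9300,11211'
            - '-enable-ipv6=false'
            # pprof stays off in this rendering; keep it that way unless a
            # profiling session needs it.
            - '-enable-pprof=false'
            - '--meshed-http2-client-params={"keep_alive":{"interval":{"seconds":10},"timeout":{"seconds":3},"while_idle":true}}'
          ports:
            - containerPort: 8086
              name: grpc
            - containerPort: 9996
              name: admin-http
          livenessProbe:
            httpGet:
              path: /ping
              port: 9996
            initialDelaySeconds: 10
          readinessProbe:
            failureThreshold: 7
            httpGet:
              path: /ready
              port: 9996
          resources:
            limits:
              memory: '250Mi'
            requests:
              cpu: '100m'
              memory: '50Mi'
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
            readOnlyRootFilesystem: true
            runAsNonRoot: true
            runAsUser: 2103
            seccompProfile:
              type: RuntimeDefault
        # ServiceProfile validator: HTTPS on 8443 (named sp-validator),
        # admin/probes on 9997.
        # NOTE(review): this container declares no `resources` at all, unlike
        # linkerd-proxy and destination; confirm that is intended.
        - name: sp-validator
          image: cr.l5d.io/linkerd/controller:linkerd-version
          imagePullPolicy: IfNotPresent
          args:
            - 'sp-validator'
            - '-log-level=info'
            - '-log-format=plain'
            - '-enable-pprof=false'
          ports:
            - containerPort: 8443
              name: sp-validator
            - containerPort: 9997
              name: admin-http
          livenessProbe:
            httpGet:
              path: /ping
              port: 9997
            initialDelaySeconds: 10
          readinessProbe:
            failureThreshold: 7
            httpGet:
              path: /ready
              port: 9997
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
            readOnlyRootFilesystem: true
            runAsNonRoot: true
            runAsUser: 2103
            seccompProfile:
              type: RuntimeDefault
          volumeMounts:
            # TLS key and certificate from the secret volume, read-only.
            - mountPath: /var/run/linkerd/tls
              name: sp-tls
              readOnly: true
        # Policy controller: gRPC on 8090, HTTPS on 9443, admin on 9990.
        - name: policy
          image: cr.l5d.io/linkerd/policy-controller:linkerd-version
          imagePullPolicy: IfNotPresent
          args:
            - '--admin-addr=[::]:9990'
            - '--control-plane-namespace=linkerd-dev'
            - '--grpc-addr=[::]:8090'
            - '--server-addr=[::]:9443'
            - '--server-tls-key=/var/run/linkerd/tls/tls.key'
            - '--server-tls-certs=/var/run/linkerd/tls/tls.crt'
            - '--cluster-networks=10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16,fd00::/8'
            - '--identity-domain=test.trust.domain'
            - '--cluster-domain=cluster.local'
            # Same default as the pod annotation above; see the note there.
            - '--default-policy=all-unauthenticated'
            - '--log-level=info'
            - '--log-format=plain'
            - '--default-opaque-ports=25,587,3306,4444,5432,6379,9300,11211'
            # NOTE(review): 0.0.0.0/0 and ::/0 cover every source address;
            # presumably these are the networks probe traffic is accepted
            # from. Narrow to the node/kubelet ranges if they are known.
            - '--probe-networks=0.0.0.0/0,::/0'
          ports:
            - containerPort: 8090
              name: grpc
            - containerPort: 9990
              name: admin-http
            - containerPort: 9443
              name: policy-https
          livenessProbe:
            httpGet:
              path: /live
              port: admin-http
          readinessProbe:
            failureThreshold: 7
            httpGet:
              path: /ready
              port: admin-http
            initialDelaySeconds: 10
          # Written as an explicit empty mapping rather than a bare key
          # (which parses as null). No requests or limits are set for this
          # container. TODO(review): size it like the destination container.
          resources: {}
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
            readOnlyRootFilesystem: true
            runAsNonRoot: true
            runAsUser: 2103
            seccompProfile:
              type: RuntimeDefault
          volumeMounts:
            - mountPath: /var/run/linkerd/tls
              name: policy-tls
              readOnly: true
      initContainers:
        # proxy-init: configures traffic redirection to the proxy ports
        # (4143 inbound, 4140 outbound) for proxy UID 2102.
        - name: linkerd-init
          image: cr.l5d.io/linkerd/proxy-init:test-proxy-init-version
          imagePullPolicy: IfNotPresent
          args:
            - '--ipv6=false'
            - '--incoming-proxy-port'
            - '4143'
            - '--outgoing-proxy-port'
            - '4140'
            - '--proxy-uid'
            - '2102'
            # Ports listed here are not redirected through the proxy, so they
            # get neither mTLS nor policy. 4190/4191 are the proxy's own
            # control and admin ports; NOTE(review): 222 is not referenced
            # anywhere else in this document, confirm it is needed.
            - '--inbound-ports-to-ignore'
            - '4190,4191,222'
            # Outbound connections to these ports also bypass the proxy.
            - '--outbound-ports-to-ignore'
            - '443,6443'
          resources:
            limits:
              cpu: '100m'
              memory: '20Mi'
            requests:
              cpu: '100m'
              memory: '20Mi'
          securityContext:
            allowPrivilegeEscalation: false
            # NOTE(review): NET_ADMIN and NET_RAW are added without a `drop`
            # list, while every other container in this pod drops ALL.
            # Consider dropping ALL and adding back only these two, after
            # checking the init binary still works.
            capabilities:
              add:
                - NET_ADMIN
                - NET_RAW
            privileged: false
            runAsNonRoot: true
            runAsUser: 65534
            runAsGroup: 65534
            readOnlyRootFilesystem: true
            seccompProfile:
              type: RuntimeDefault
          terminationMessagePolicy: FallbackToLogsOnError
          volumeMounts:
            - mountPath: /run
              name: linkerd-proxy-init-xtables-lock
      securityContext:
        seccompProfile:
          type: RuntimeDefault
      serviceAccountName: linkerd-destination
      volumes:
        - name: sp-tls
          secret:
            secretName: linkerd-sp-validator-k8s-tls
        - name: policy-tls
          secret:
            secretName: linkerd-policy-validator-k8s-tls
        - name: linkerd-proxy-init-xtables-lock
          emptyDir: {}
        # Audience-bound service-account token (identity.l5d.io) that expires
        # after 86400 seconds; it is the file named by
        # LINKERD2_PROXY_IDENTITY_TOKEN_FILE.
        - name: linkerd-identity-token
          projected:
            sources:
              - serviceAccountToken:
                  path: linkerd-identity-token
                  expirationSeconds: 86400
                  audience: identity.l5d.io
        # Memory-backed emptyDir, so what the proxy stores under its identity
        # directory is not written to node disk.
        - name: linkerd-identity-end-entity
          emptyDir:
            medium: Memory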
---
# Source: linkerd-control-plane/templates/heartbeat.yaml
---
# Heartbeat: CronJob that runs the controller image with the `heartbeat`
# argument under the linkerd-heartbeat service account.
apiVersion: batch/v1
kind: CronJob
metadata:
  name: linkerd-heartbeat
  namespace: linkerd-dev
  labels:
    app.kubernetes.io/name: heartbeat
    app.kubernetes.io/part-of: Linkerd
    app.kubernetes.io/version: linkerd-version
    linkerd.io/control-plane-component: heartbeat
    linkerd.io/control-plane-ns: linkerd-dev
  annotations:
    linkerd.io/created-by: linkerd/helm linkerd-version
spec:
  concurrencyPolicy: Replace
  # Fields: minute 1, hour 2, day-of-month 3, month 4, weekday 5.
  # NOTE(review): reads like a test-fixture value; confirm before reuse.
  schedule: '1 2 3 4 5'
  # Successful Jobs are not retained, so their pods and logs are gone once
  # a run completes.
  successfulJobsHistoryLimit: 0
  jobTemplate:
    spec:
      template:
        metadata:
          labels:
            linkerd.io/control-plane-component: heartbeat
            linkerd.io/workload-ns: linkerd-dev
          annotations:
            linkerd.io/created-by: linkerd/helm linkerd-version
        spec:
          nodeSelector:
            kubernetes.io/os: linux
          securityContext:
            seccompProfile:
              type: RuntimeDefault
          serviceAccountName: linkerd-heartbeat
          restartPolicy: Never
          containers:
            - name: heartbeat
              # NOTE(review): placeholder-looking tag with IfNotPresent; a
              # deployable manifest would want an immutable image reference.
              image: cr.l5d.io/linkerd/controller:linkerd-version
              imagePullPolicy: IfNotPresent
              env:
                - name: LINKERD_DISABLED
                  value: 'the heartbeat controller does not use the proxy'
              args:
                - 'heartbeat'
                - '-controller-namespace=linkerd-dev'
                - '-log-level=info'
                - '-log-format=plain'
                # Plain http:// URL, and this pod runs without the proxy
                # (see LINKERD_DISABLED), so this request is presumably not
                # covered by mesh mTLS.
                - '-prometheus-url=http://prometheus.linkerd-viz.svc.cluster.local:9090'
              resources:
                limits:
                  memory: '250Mi'
                requests:
                  cpu: '100m'
                  memory: '50Mi'
              securityContext:
                allowPrivilegeEscalation: false
                capabilities:
                  drop:
                    - ALL
                readOnlyRootFilesystem: true
                runAsNonRoot: true
                runAsUser: 2103
                seccompProfile:
                  type: RuntimeDefault
---
# Source: linkerd-control-plane/templates/proxy-injector.yaml
---
# Deployment of the Linkerd proxy injector in namespace linkerd-dev.
# Pod template: the linkerd-proxy sidecar, the proxy-injector container
# (HTTPS on 8443, admin on 9995) and the linkerd-init init container; three
# replicas spread by a required per-host and a preferred per-zone
# anti-affinity rule.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: linkerd-proxy-injector
  namespace: linkerd-dev
  annotations:
    linkerd.io/created-by: linkerd/helm linkerd-version
  labels:
    app.kubernetes.io/name: proxy-injector
    app.kubernetes.io/part-of: Linkerd
    app.kubernetes.io/version: linkerd-version
    linkerd.io/control-plane-component: proxy-injector
    linkerd.io/control-plane-ns: linkerd-dev
spec:
  replicas: 3
  revisionHistoryLimit: 10
  selector:
    matchLabels:
      linkerd.io/control-plane-component: proxy-injector
  strategy:
    rollingUpdate:
      maxSurge: '25%'
      maxUnavailable: 1
  template:
    metadata:
      annotations:
        checksum/config: 'fd3a1b10afd0c6c39c7c63f51aece4a849b0e47ba992a6612a1a5fa99211b084'
        linkerd.io/created-by: linkerd/helm linkerd-version
        linkerd.io/proxy-version: test-proxy-version
        cluster-autoscaler.kubernetes.io/safe-to-evict: 'true'
        linkerd.io/trust-root-sha256: 'f8ebf807fa1cf5bf3b40e94680a5fc91593782385f28c96eae7bb6672dba375e'
        config.linkerd.io/opaque-ports: '8443'
        # NOTE(review): with all-unauthenticated as the default, inbound
        # connections are accepted without a mesh identity unless a more
        # specific policy resource says otherwise; confirm that is intended.
        config.linkerd.io/default-inbound-policy: 'all-unauthenticated'
      labels:
        linkerd.io/control-plane-component: proxy-injector
        linkerd.io/control-plane-ns: linkerd-dev
        linkerd.io/workload-ns: linkerd-dev
        linkerd.io/proxy-deployment: linkerd-proxy-injector
    spec:
      nodeSelector:
        kubernetes.io/os: linux
      affinity:
        podAntiAffinity:
          preferredDuringSchedulingIgnoredDuringExecution:
            - weight: 100
              podAffinityTerm:
                labelSelector:
                  matchExpressions:
                    - key: linkerd.io/control-plane-component
                      operator: In
                      values:
                        - proxy-injector
                topologyKey: topology.kubernetes.io/zone
          requiredDuringSchedulingIgnoredDuringExecution:
            - labelSelector:
                matchExpressions:
                  - key: linkerd.io/control-plane-component
                    operator: In
                    values:
                      - proxy-injector
              topologyKey: kubernetes.io/hostname
      containers:
        # Sidecar proxy. The env list is order-sensitive: $(_pod_ns),
        # $(_pod_name), $(_pod_nodeName) and $(_pod_sa) are expanded by
        # Kubernetes only from entries that appear earlier in the list.
        - name: linkerd-proxy
          # NOTE(review): placeholder-looking tag with IfNotPresent; a
          # deployable manifest would want an immutable image reference.
          image: cr.l5d.io/linkerd/proxy:test-proxy-version
          imagePullPolicy: IfNotPresent
          env:
            - name: _pod_name
              valueFrom:
                fieldRef:
                  fieldPath: metadata.name
            - name: _pod_ns
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
            - name: _pod_nodeName
              valueFrom:
                fieldRef:
                  fieldPath: spec.nodeName
            - name: LINKERD2_PROXY_LOG
              value: 'warn,linkerd=info,trust_dns=error'
            - name: LINKERD2_PROXY_LOG_FORMAT
              value: 'plain'
            # Unlike the destination pod, this proxy reaches the destination
            # and policy APIs through the headless Services.
            - name: LINKERD2_PROXY_DESTINATION_SVC_ADDR
              value: 'linkerd-dst-headless.linkerd-dev.svc.cluster.local.:8086'
            - name: LINKERD2_PROXY_DESTINATION_PROFILE_NETWORKS
              value: '10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16,fd00::/8'
            - name: LINKERD2_PROXY_POLICY_SVC_ADDR
              value: 'linkerd-policy.linkerd-dev.svc.cluster.local.:8090'
            - name: LINKERD2_PROXY_POLICY_WORKLOAD
              value: |
                {"ns":"$(_pod_ns)", "pod":"$(_pod_name)"}
            - name: LINKERD2_PROXY_INBOUND_DEFAULT_POLICY
              value: 'all-unauthenticated'
            - name: LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS
              value: '10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16,fd00::/8'
            - name: LINKERD2_PROXY_CONTROL_STREAM_INITIAL_TIMEOUT
              value: '3s'
            - name: LINKERD2_PROXY_CONTROL_STREAM_IDLE_TIMEOUT
              value: '5m'
            - name: LINKERD2_PROXY_CONTROL_STREAM_LIFETIME
              value: '1h'
            - name: LINKERD2_PROXY_INBOUND_CONNECT_TIMEOUT
              value: '100ms'
            - name: LINKERD2_PROXY_OUTBOUND_CONNECT_TIMEOUT
              value: '1000ms'
            - name: LINKERD2_PROXY_OUTBOUND_DISCOVERY_IDLE_TIMEOUT
              value: '5s'
            - name: LINKERD2_PROXY_INBOUND_DISCOVERY_IDLE_TIMEOUT
              value: '90s'
            # Control (4190), admin (4191) and inbound (4143) listeners bind
            # to all addresses; the outbound listener is loopback-only.
            - name: LINKERD2_PROXY_CONTROL_LISTEN_ADDR
              value: '[::]:4190'
            - name: LINKERD2_PROXY_ADMIN_LISTEN_ADDR
              value: '[::]:4191'
            - name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDR
              value: '127.0.0.1:4140'
            - name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDRS
              value: '127.0.0.1:4140'
            - name: LINKERD2_PROXY_INBOUND_LISTEN_ADDR
              value: '[::]:4143'
            - name: LINKERD2_PROXY_INBOUND_IPS
              valueFrom:
                fieldRef:
                  fieldPath: status.podIPs
            - name: LINKERD2_PROXY_INBOUND_PORTS
              value: '8443,9995'
            - name: LINKERD2_PROXY_DESTINATION_PROFILE_SUFFIXES
              value: 'svc.cluster.local.'
            - name: LINKERD2_PROXY_INBOUND_ACCEPT_KEEPALIVE
              value: '10000ms'
            - name: LINKERD2_PROXY_OUTBOUND_CONNECT_KEEPALIVE
              value: '10000ms'
            - name: LINKERD2_PROXY_INBOUND_SERVER_HTTP2_KEEP_ALIVE_INTERVAL
              value: '10s'
            - name: LINKERD2_PROXY_INBOUND_SERVER_HTTP2_KEEP_ALIVE_TIMEOUT
              value: '3s'
            - name: LINKERD2_PROXY_OUTBOUND_SERVER_HTTP2_KEEP_ALIVE_INTERVAL
              value: '10s'
            - name: LINKERD2_PROXY_OUTBOUND_SERVER_HTTP2_KEEP_ALIVE_TIMEOUT
              value: '3s'
            - name: LINKERD2_PROXY_INBOUND_PORTS_DISABLE_PROTOCOL_DETECTION
              value: '25,587,3306,4444,5432,6379,9300,11211'
            - name: LINKERD2_PROXY_DESTINATION_CONTEXT
              value: |
                {"ns":"$(_pod_ns)", "nodeName":"$(_pod_nodeName)", "pod":"$(_pod_name)"}
            - name: _pod_sa
              valueFrom:
                fieldRef:
                  fieldPath: spec.serviceAccountName
            - name: _l5d_ns
              value: 'linkerd-dev'
            - name: _l5d_trustdomain
              value: 'test.trust.domain'
            # Identity material: the directory is the in-memory emptyDir
            # mounted below, trust anchors come from the
            # linkerd-identity-trust-roots ConfigMap, and the token file is
            # the projected service-account token volume.
            - name: LINKERD2_PROXY_IDENTITY_DIR
              value: '/var/run/linkerd/identity/end-entity'
            - name: LINKERD2_PROXY_IDENTITY_TRUST_ANCHORS
              valueFrom:
                configMapKeyRef:
                  name: linkerd-identity-trust-roots
                  key: ca-bundle.crt
            - name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE
              value: '/var/run/secrets/tokens/linkerd-identity-token'
            - name: LINKERD2_PROXY_IDENTITY_SVC_ADDR
              value: 'linkerd-identity-headless.linkerd-dev.svc.cluster.local.:8080'
            - name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME
              value: '$(_pod_sa).$(_pod_ns).serviceaccount.identity.linkerd-dev.test.trust.domain'
            - name: LINKERD2_PROXY_IDENTITY_SVC_NAME
              value: 'linkerd-identity.linkerd-dev.serviceaccount.identity.linkerd-dev.test.trust.domain'
            - name: LINKERD2_PROXY_DESTINATION_SVC_NAME
              value: 'linkerd-destination.linkerd-dev.serviceaccount.identity.linkerd-dev.test.trust.domain'
            - name: LINKERD2_PROXY_POLICY_SVC_NAME
              value: 'linkerd-destination.linkerd-dev.serviceaccount.identity.linkerd-dev.test.trust.domain'
          ports:
            - containerPort: 4143
              name: linkerd-proxy
            - containerPort: 4191
              name: linkerd-admin
          livenessProbe:
            httpGet:
              path: /live
              port: 4191
            initialDelaySeconds: 10
            timeoutSeconds: 1
          readinessProbe:
            httpGet:
              path: /ready
              port: 4191
            initialDelaySeconds: 2
            timeoutSeconds: 1
          lifecycle:
            postStart:
              exec:
                command:
                  - /usr/lib/linkerd/linkerd-await
                  - '--timeout=2m'
                  - '--port=4191'
          resources:
            limits:
              memory: '250Mi'
            requests:
              cpu: '100m'
              memory: '20Mi'
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
            readOnlyRootFilesystem: true
            runAsNonRoot: true
            runAsUser: 2102
            seccompProfile:
              type: RuntimeDefault
          terminationMessagePolicy: FallbackToLogsOnError
          volumeMounts:
            - mountPath: /var/run/linkerd/identity/end-entity
              name: linkerd-identity-end-entity
            - mountPath: /var/run/secrets/tokens
              name: linkerd-identity-token
        # Injector server: HTTPS on 8443 (named proxy-injector), admin and
        # probes on 9995.
        - name: proxy-injector
          image: cr.l5d.io/linkerd/controller:linkerd-version
          imagePullPolicy: IfNotPresent
          args:
            - 'proxy-injector'
            - '-log-level=info'
            - '-log-format=plain'
            - '-linkerd-namespace=linkerd-dev'
            # pprof stays off in this rendering.
            - '-enable-pprof=false'
          ports:
            - containerPort: 8443
              name: proxy-injector
            - containerPort: 9995
              name: admin-http
          livenessProbe:
            httpGet:
              path: /ping
              port: 9995
            initialDelaySeconds: 10
          readinessProbe:
            failureThreshold: 7
            httpGet:
              path: /ready
              port: 9995
          resources:
            limits:
              memory: '250Mi'
            requests:
              cpu: '100m'
              memory: '50Mi'
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
            readOnlyRootFilesystem: true
            runAsNonRoot: true
            runAsUser: 2103
            seccompProfile:
              type: RuntimeDefault
          volumeMounts:
            - mountPath: /var/run/linkerd/config
              name: config
            - mountPath: /var/run/linkerd/identity/trust-roots
              name: trust-roots
            # Only the TLS secret mount is marked read-only here; the root
            # filesystem is read-only through the securityContext above.
            - mountPath: /var/run/linkerd/tls
              name: tls
              readOnly: true
      initContainers:
        # proxy-init: configures traffic redirection to the proxy ports
        # (4143 inbound, 4140 outbound) for proxy UID 2102.
        - name: linkerd-init
          image: cr.l5d.io/linkerd/proxy-init:test-proxy-init-version
          imagePullPolicy: IfNotPresent
          args:
            - '--ipv6=false'
            - '--incoming-proxy-port'
            - '4143'
            - '--outgoing-proxy-port'
            - '4140'
            - '--proxy-uid'
            - '2102'
            # Ports listed here are not redirected through the proxy, so they
            # get neither mTLS nor policy. 4190/4191 are the proxy's own
            # control and admin ports; NOTE(review): 222 is not referenced
            # anywhere else in this document, confirm it is needed.
            - '--inbound-ports-to-ignore'
            - '4190,4191,222'
            # Outbound connections to these ports also bypass the proxy.
            - '--outbound-ports-to-ignore'
            - '443,6443'
          resources:
            limits:
              cpu: '100m'
              memory: '20Mi'
            requests:
              cpu: '100m'
              memory: '20Mi'
          securityContext:
            allowPrivilegeEscalation: false
            # NOTE(review): NET_ADMIN and NET_RAW are added without a `drop`
            # list, while the other containers in this pod drop ALL.
            capabilities:
              add:
                - NET_ADMIN
                - NET_RAW
            privileged: false
            runAsNonRoot: true
            runAsUser: 65534
            runAsGroup: 65534
            readOnlyRootFilesystem: true
            seccompProfile:
              type: RuntimeDefault
          terminationMessagePolicy: FallbackToLogsOnError
          volumeMounts:
            - mountPath: /run
              name: linkerd-proxy-init-xtables-lock
      securityContext:
        seccompProfile:
          type: RuntimeDefault
      serviceAccountName: linkerd-proxy-injector
      volumes:
        - name: config
          configMap:
            name: linkerd-config
        - name: trust-roots
          configMap:
            name: linkerd-identity-trust-roots
        - name: tls
          secret:
            secretName: linkerd-proxy-injector-k8s-tls
        - name: linkerd-proxy-init-xtables-lock
          emptyDir: {}
        # Audience-bound service-account token (identity.l5d.io) that expires
        # after 86400 seconds; it is the file named by
        # LINKERD2_PROXY_IDENTITY_TOKEN_FILE.
        - name: linkerd-identity-token
          projected:
            sources:
              - serviceAccountToken:
                  path: linkerd-identity-token
                  expirationSeconds: 86400
                  audience: identity.l5d.io
        # Memory-backed emptyDir, so what the proxy stores under its identity
        # directory is not written to node disk.
        - name: linkerd-identity-end-entity
          emptyDir:
            medium: Memory
---
# Service in front of the injector: port 443 maps to the container port
# named `proxy-injector` (declared as 8443 in the linkerd-proxy-injector
# Deployment of this file).
# NOTE(review): presumably the target of a mutating webhook configuration
# that is not part of this excerpt; the serving certificate comes from the
# secret linkerd-proxy-injector-k8s-tls mounted by that Deployment.
apiVersion: v1
kind: Service
metadata:
  name: linkerd-proxy-injector
  namespace: linkerd-dev
  labels:
    linkerd.io/control-plane-component: proxy-injector
    linkerd.io/control-plane-ns: linkerd-dev
  annotations:
    linkerd.io/created-by: linkerd/helm linkerd-version
    # Quoted so the port list stays a string rather than an integer.
    config.linkerd.io/opaque-ports: '443'
spec:
  type: ClusterIP
  # The selector is a single label: any pod in this namespace that carries it
  # becomes a backend, so pod-creation rights in linkerd-dev are sensitive.
  selector:
    linkerd.io/control-plane-component: proxy-injector
  ports:
    - name: proxy-injector
      port: 443
      targetPort: proxy-injector
---
# PodDisruptionBudget for the proxy-injector pods: voluntary disruptions
# (drains, evictions) may take at most one matching pod down at a time.
apiVersion: policy/v1
kind: PodDisruptionBudget
metadata:
  name: linkerd-proxy-injector
  namespace: linkerd-dev
  labels:
    linkerd.io/control-plane-component: proxy-injector
    linkerd.io/control-plane-ns: linkerd-dev
  annotations:
    linkerd.io/created-by: linkerd/helm linkerd-version
spec:
  maxUnavailable: 1
  selector:
    matchLabels:
      linkerd.io/control-plane-component: proxy-injector