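---
# Source: linkerd-control-plane/templates/namespace.yaml
---
# Source: linkerd-control-plane/templates/identity-rbac.yaml
---
###
### Identity Controller Service RBAC
###
# Cluster-wide permissions for the identity controller. The
# ClusterRoleBinding of the same name grants them to the linkerd-identity
# ServiceAccount in linkerd-dev.
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: linkerd-linkerd-dev-identity
  labels:
    linkerd.io/control-plane-component: identity
    linkerd.io/control-plane-ns: linkerd-dev
rules:
# TokenReview is a cluster-scoped API, so this rule cannot be narrowed to a
# namespace. Only "create" is granted: the holder can submit a token for
# validation but cannot read or list anything through this rule.
- apiGroups: ["authentication.k8s.io"]
  resources: ["tokenreviews"]
  verbs: ["create"]
# TODO(ver) Restrict this to the Linkerd namespace. See
# https://github.com/linkerd/linkerd2/issues/9367
# NOTE(review): as a ClusterRole rule this allows creating and patching
# Events in every namespace; a namespaced Role in linkerd-dev would be the
# least-privilege form that the TODO above tracks.
- apiGroups: [""]
  resources: ["events"]
  verbs: ["create", "patch"]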
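---
# Grants the identity ClusterRole to exactly one subject: the
# linkerd-identity ServiceAccount in linkerd-dev. Because this is a
# ClusterRoleBinding, every rule in the role applies cluster-wide.
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: linkerd-linkerd-dev-identity
  labels:
    linkerd.io/control-plane-component: identity
    linkerd.io/control-plane-ns: linkerd-dev
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: linkerd-linkerd-dev-identity
subjects:
- kind: ServiceAccount
  name: linkerd-identity
  namespace: linkerd-dev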
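---
# Identity used by the linkerd-identity Deployment (serviceAccountName).
# Anyone who can create pods in linkerd-dev can run as this account, so pod
# creation rights in this namespace are part of its trust boundary.
kind: ServiceAccount
apiVersion: v1
metadata:
  name: linkerd-identity
  namespace: linkerd-dev
  labels:
    linkerd.io/control-plane-component: identity
    linkerd.io/control-plane-ns: linkerd-dev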
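---
# Source: linkerd-control-plane/templates/destination-rbac.yaml
---
###
### Destination Controller Service
###
# Cluster-wide permissions for the destination controller. Most rules are
# read-only (list/get/watch); the last two rules grant write verbs.
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: linkerd-linkerd-dev-destination
  labels:
    linkerd.io/control-plane-component: destination
    linkerd.io/control-plane-ns: linkerd-dev
rules:
- apiGroups: ["apps"]
  resources: ["replicasets"]
  verbs: ["list", "get", "watch"]
- apiGroups: ["batch"]
  resources: ["jobs"]
  verbs: ["list", "get", "watch"]
- apiGroups: [""]
  resources: ["pods", "endpoints", "services", "nodes"]
  verbs: ["list", "get", "watch"]
- apiGroups: ["linkerd.io"]
  resources: ["serviceprofiles"]
  verbs: ["list", "get", "watch"]
- apiGroups: ["workload.linkerd.io"]
  resources: ["externalworkloads"]
  verbs: ["list", "get", "watch"]
# NOTE(review): no resourceNames and no namespace scoping, so this covers
# Leases in every namespace. If the controller only needs its own
# leader-election lease, a Role in linkerd-dev would suffice - TODO confirm.
- apiGroups: ["coordination.k8s.io"]
  resources: ["leases"]
  verbs: ["create", "get", "update", "patch"]
# Full write access to EndpointSlices in every namespace. EndpointSlices
# feed service discovery, so the bound ServiceAccount should be treated as
# highly privileged and changes to this rule audited.
- apiGroups: ["discovery.k8s.io"]
  resources: ["endpointslices"]
  verbs: ["list", "get", "watch", "create", "update", "patch", "delete"]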
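---
# Binds the destination ClusterRole cluster-wide to the linkerd-destination
# ServiceAccount in linkerd-dev. The same account is also the subject of the
# linkerd-destination-policy and linkerd-destination-remote-discovery
# bindings later in this file; its effective rights are the union of all
# three.
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: linkerd-linkerd-dev-destination
  labels:
    linkerd.io/control-plane-component: destination
    linkerd.io/control-plane-ns: linkerd-dev
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: linkerd-linkerd-dev-destination
subjects:
- kind: ServiceAccount
  name: linkerd-destination
  namespace: linkerd-dev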
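---
# ServiceAccount that the destination RBAC bindings in this file name as
# their subject.
kind: ServiceAccount
apiVersion: v1
metadata:
  name: linkerd-destination
  namespace: linkerd-dev
  labels:
    linkerd.io/control-plane-component: destination
    linkerd.io/control-plane-ns: linkerd-dev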
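---
# Validating admission webhook for ServiceProfile CREATE/UPDATE, served by
# the linkerd-sp-validator Service in linkerd-dev.
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
  name: linkerd-sp-validator-webhook-config
  labels:
    linkerd.io/control-plane-component: destination
    linkerd.io/control-plane-ns: linkerd-dev
webhooks:
- name: linkerd-sp-validator.linkerd.io
  # Opt-out selector: a namespace labelled
  # config.linkerd.io/admission-webhooks=disabled is skipped entirely, so
  # permission to label namespaces is also permission to bypass validation.
  namespaceSelector:
    matchExpressions:
    - key: config.linkerd.io/admission-webhooks
      operator: NotIn
      values:
      - disabled
  clientConfig:
    service:
      name: linkerd-sp-validator
      namespace: linkerd-dev
      path: "/"
    # Base64 of the placeholder string "test-profile-validator-ca-bundle",
    # not a PEM certificate. In a real install this must be the CA that
    # signed the webhook's serving certificate, or the API server cannot
    # verify the endpoint.
    caBundle: dGVzdC1wcm9maWxlLXZhbGlkYXRvci1jYS1idW5kbGU=
  # Fail closed: if the webhook is unreachable, matching requests are
  # rejected instead of being admitted unvalidated.
  failurePolicy: Fail
  admissionReviewVersions: ["v1", "v1beta1"]
  rules:
  - operations: ["CREATE", "UPDATE"]
    apiGroups: ["linkerd.io"]
    apiVersions: ["v1alpha1", "v1alpha2"]
    resources: ["serviceprofiles"]
  sideEffects: None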
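---
# Validating admission webhook for Linkerd policy resources and Gateway API
# HTTPRoutes, served by the linkerd-policy-validator Service in linkerd-dev.
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
  name: linkerd-policy-validator-webhook-config
  labels:
    linkerd.io/control-plane-component: destination
    linkerd.io/control-plane-ns: linkerd-dev
webhooks:
- name: linkerd-policy-validator.linkerd.io
  # Namespaces labelled config.linkerd.io/admission-webhooks=disabled are
  # exempt. Policy objects created there are never validated, so restrict
  # who may set that label.
  namespaceSelector:
    matchExpressions:
    - key: config.linkerd.io/admission-webhooks
      operator: NotIn
      values:
      - disabled
  clientConfig:
    service:
      name: linkerd-policy-validator
      namespace: linkerd-dev
      path: "/"
    # Same placeholder value as the sp-validator webhook (base64 of
    # "test-profile-validator-ca-bundle"); test data, not a real CA.
    caBundle: dGVzdC1wcm9maWxlLXZhbGlkYXRvci1jYS1idW5kbGU=
  # Fail closed: an unavailable validator blocks CREATE/UPDATE of the
  # resources below rather than admitting unchecked authorization policy.
  failurePolicy: Fail
  admissionReviewVersions: ["v1", "v1beta1"]
  rules:
  # apiVersions "*" means newly served versions of these resources are
  # covered without editing this configuration.
  - operations: ["CREATE", "UPDATE"]
    apiGroups: ["policy.linkerd.io"]
    apiVersions: ["*"]
    resources:
    - authorizationpolicies
    - httproutes
    - networkauthentications
    - meshtlsauthentications
    - serverauthorizations
    - servers
  - operations: ["CREATE", "UPDATE"]
    apiGroups: ["gateway.networking.k8s.io"]
    apiVersions: ["*"]
    resources:
    - httproutes
  sideEffects: None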
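---
# Cluster-wide permissions for the policy controller. Reads pods,
# deployments and policy/route resources; the only write verbs are "patch"
# on the httproutes/status subresources and create/patch on leases.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: linkerd-policy
  labels:
    app.kubernetes.io/part-of: Linkerd
    linkerd.io/control-plane-component: destination
    linkerd.io/control-plane-ns: linkerd-dev
rules:
  - apiGroups:
      - ""
    resources:
      - pods
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - apps
    resources:
      - deployments
    verbs:
      - get
  - apiGroups:
      - policy.linkerd.io
    resources:
      - authorizationpolicies
      - httproutes
      - meshtlsauthentications
      - networkauthentications
      - servers
      - serverauthorizations
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - gateway.networking.k8s.io
    resources:
      - httproutes
    verbs:
      - get
      - list
      - watch
  # Status-only writes: granting the /status subresource lets the
  # controller report route status without being able to change route specs.
  - apiGroups:
      - policy.linkerd.io
    resources:
      - httproutes/status
    verbs:
      - patch
  - apiGroups:
      - gateway.networking.k8s.io
    resources:
      - httproutes/status
    verbs:
      - patch
  - apiGroups:
      - workload.linkerd.io
    resources:
      - externalworkloads
    verbs:
      - get
      - list
      - watch
  # NOTE(review): cluster-wide and without resourceNames; if only a lease
  # in linkerd-dev is used, this could be a namespaced Role - TODO confirm.
  - apiGroups:
      - coordination.k8s.io
    resources:
      - leases
    verbs:
      - create
      - get
      - patch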
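---
# Grants the linkerd-policy ClusterRole cluster-wide to the
# linkerd-destination ServiceAccount, in addition to that account's other
# bindings.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: linkerd-destination-policy
  labels:
    app.kubernetes.io/part-of: Linkerd
    linkerd.io/control-plane-component: destination
    linkerd.io/control-plane-ns: linkerd-dev
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: linkerd-policy
subjects:
  - kind: ServiceAccount
    name: linkerd-destination
    namespace: linkerd-dev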
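---
# Namespaced Role: get/list/watch on every Secret in linkerd-dev, with no
# resourceNames restriction.
# NOTE(review): the linkerd-identity-issuer Secret (issuer certificate and
# private key) is rendered into this same namespace, so any subject bound to
# this Role can read the mesh issuer key. The Role name suggests it exists
# for remote-cluster credentials; if those can be identified by name or kept
# in a dedicated namespace, narrow this rule - TODO confirm with the
# controller's actual needs.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: remote-discovery
  namespace: linkerd-dev
  labels:
    app.kubernetes.io/part-of: Linkerd
    linkerd.io/control-plane-component: destination
    linkerd.io/control-plane-ns: linkerd-dev
rules:
  - apiGroups:
      - ""
    resources:
      - secrets
    verbs:
      - get
      - list
      - watch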
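---
# Gives the linkerd-destination ServiceAccount the remote-discovery Role,
# i.e. read access to Secrets in linkerd-dev only (RoleBinding, not
# ClusterRoleBinding).
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: linkerd-destination-remote-discovery
  namespace: linkerd-dev
  labels:
    app.kubernetes.io/part-of: Linkerd
    linkerd.io/control-plane-component: destination
    linkerd.io/control-plane-ns: linkerd-dev
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: remote-discovery
subjects:
  - kind: ServiceAccount
    name: linkerd-destination
    namespace: linkerd-dev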
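---
# Source: linkerd-control-plane/templates/heartbeat-rbac.yaml
---
###
### Heartbeat RBAC
###
# Least-privilege example: a namespaced Role limited to "get" on a single
# named ConfigMap (linkerd-config) via resourceNames.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: linkerd-heartbeat
  namespace: linkerd-dev
  labels:
    linkerd.io/control-plane-ns: linkerd-dev
rules:
- apiGroups: [""]
  resources: ["configmaps"]
  verbs: ["get"]
  resourceNames: ["linkerd-config"]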
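---
# Binds the namespaced linkerd-heartbeat Role to the linkerd-heartbeat
# ServiceAccount in linkerd-dev.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: linkerd-heartbeat
  namespace: linkerd-dev
  labels:
    linkerd.io/control-plane-ns: linkerd-dev
roleRef:
  kind: Role
  name: linkerd-heartbeat
  apiGroup: rbac.authorization.k8s.io
subjects:
- kind: ServiceAccount
  name: linkerd-heartbeat
  namespace: linkerd-dev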
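---
# Cluster-scoped part of the heartbeat permissions: "list" only, on
# namespaces and ServiceProfiles. No get/watch and no write verbs.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: linkerd-heartbeat
  labels:
    linkerd.io/control-plane-ns: linkerd-dev
rules:
- apiGroups: [""]
  resources: ["namespaces"]
  verbs: ["list"]
- apiGroups: ["linkerd.io"]
  resources: ["serviceprofiles"]
  verbs: ["list"]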
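---
# Binds the linkerd-heartbeat ClusterRole cluster-wide to the
# linkerd-heartbeat ServiceAccount in linkerd-dev.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: linkerd-heartbeat
  labels:
    linkerd.io/control-plane-ns: linkerd-dev
roleRef:
  kind: ClusterRole
  name: linkerd-heartbeat
  apiGroup: rbac.authorization.k8s.io
subjects:
- kind: ServiceAccount
  name: linkerd-heartbeat
  namespace: linkerd-dev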
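---
# ServiceAccount named as the subject of both heartbeat bindings above.
kind: ServiceAccount
apiVersion: v1
metadata:
  name: linkerd-heartbeat
  namespace: linkerd-dev
  labels:
    linkerd.io/control-plane-component: heartbeat
    linkerd.io/control-plane-ns: linkerd-dev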
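---
# Source: linkerd-control-plane/templates/podmonitor.yaml

---
# Source: linkerd-control-plane/templates/proxy-injector-rbac.yaml
---
###
### Proxy Injector RBAC
###
# Cluster-wide permissions for the proxy injector: read access to workload
# owners and namespaces, plus create/patch on Events. No access to Secrets
# or ConfigMaps is granted here.
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: linkerd-linkerd-dev-proxy-injector
  labels:
    linkerd.io/control-plane-component: proxy-injector
    linkerd.io/control-plane-ns: linkerd-dev
rules:
# Events can be created and patched in any namespace (ClusterRole scope).
- apiGroups: [""]
  resources: ["events"]
  verbs: ["create", "patch"]
- apiGroups: [""]
  resources: ["namespaces", "replicationcontrollers"]
  verbs: ["list", "get", "watch"]
# Pods: list/watch only, no "get".
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["list", "watch"]
# NOTE(review): the "extensions" group no longer serves these workload
# kinds on current Kubernetes releases; the entry is presumably kept for
# older clusters and grants nothing extra where the group is absent.
- apiGroups: ["extensions", "apps"]
  resources: ["deployments", "replicasets", "daemonsets", "statefulsets"]
  verbs: ["list", "get", "watch"]
- apiGroups: ["extensions", "batch"]
  resources: ["cronjobs", "jobs"]
  verbs: ["list", "get", "watch"]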
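---
# Binds the proxy-injector ClusterRole cluster-wide to the
# linkerd-proxy-injector ServiceAccount in linkerd-dev.
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: linkerd-linkerd-dev-proxy-injector
  labels:
    linkerd.io/control-plane-component: proxy-injector
    linkerd.io/control-plane-ns: linkerd-dev
subjects:
- kind: ServiceAccount
  name: linkerd-proxy-injector
  namespace: linkerd-dev
  # Empty apiGroup is the core group, which is where ServiceAccount lives.
  apiGroup: ""
roleRef:
  kind: ClusterRole
  name: linkerd-linkerd-dev-proxy-injector
  apiGroup: rbac.authorization.k8s.io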
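---
# ServiceAccount named as the subject of the proxy-injector
# ClusterRoleBinding.
kind: ServiceAccount
apiVersion: v1
metadata:
  name: linkerd-proxy-injector
  namespace: linkerd-dev
  labels:
    linkerd.io/control-plane-component: proxy-injector
    linkerd.io/control-plane-ns: linkerd-dev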
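---
# Mutating admission webhook for pod and service CREATE, served by the
# linkerd-proxy-injector Service in linkerd-dev. A mutating webhook can
# rewrite the objects it receives, so this endpoint and its serving
# certificate sit in the trust path of every matching workload.
apiVersion: admissionregistration.k8s.io/v1
kind: MutatingWebhookConfiguration
metadata:
  name: linkerd-proxy-injector-webhook-config
  labels:
    linkerd.io/control-plane-component: proxy-injector
    linkerd.io/control-plane-ns: linkerd-dev
webhooks:
- name: linkerd-proxy-injector.linkerd.io
  # Two exclusions: namespaces that opt out by label, and kube-system /
  # cert-manager by name. With failurePolicy Fail below, the name-based
  # exclusion keeps pod creation in those namespaces independent of the
  # injector being up. Every other namespace, including linkerd-dev itself,
  # is in scope.
  namespaceSelector:
    matchExpressions:
    - key: config.linkerd.io/admission-webhooks
      operator: NotIn
      values:
      - disabled
    - key: kubernetes.io/metadata.name
      operator: NotIn
      values:
      - kube-system
      - cert-manager
  objectSelector:
    null
  clientConfig:
    service:
      name: linkerd-proxy-injector
      namespace: linkerd-dev
      path: "/"
    # Base64 of the placeholder string "test-proxy-injector-ca-bundle";
    # test data, not a PEM certificate.
    caBundle: dGVzdC1wcm94eS1pbmplY3Rvci1jYS1idW5kbGU=
  # Fail closed: while the injector is unreachable, pod and service CREATE
  # in all in-scope namespaces is rejected. This avoids unmeshed pods
  # slipping through but makes the injector an availability dependency.
  failurePolicy: Fail
  admissionReviewVersions: ["v1", "v1beta1"]
  rules:
  - operations: [ "CREATE" ]
    apiGroups: [""]
    apiVersions: ["v1"]
    resources: ["pods", "services"]
    scope: "Namespaced"
  sideEffects: None
  # Upper bound on how long one admission request waits for the webhook.
  timeoutSeconds: 10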
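---
# Source: linkerd-control-plane/templates/psp.yaml
---
# Source: linkerd-control-plane/templates/config.yaml
---
# Rendered chart values, stored as one YAML string under data.values.
# Review notes (comments cannot go inside the block scalar without becoming
# part of the stored value):
# - ConfigMaps are not access-controlled like Secrets, and this one is
#   readable through the linkerd-heartbeat and
#   ext-namespace-metadata-linkerd-config Roles. This rendering carries
#   certificate fields (crtPEM, caBundle, identityTrustAnchorsPEM) but no
#   private-key field; keep it that way.
# - proxy.defaultInboundPolicy is all-unauthenticated, i.e. by its name
#   inbound traffic is accepted without mesh identity unless policy
#   resources say otherwise.
# - policyController.probeNetworks lists 0.0.0.0/0 and ::/0, the widest
#   possible ranges.
# - networkValidator.logLevel is debug while the other components log at
#   info/warn.
# - All *-version, *PEM and caBundle values are test placeholders.
kind: ConfigMap
apiVersion: v1
metadata:
  name: linkerd-config
  namespace: linkerd-dev
  labels:
    linkerd.io/control-plane-component: controller
    linkerd.io/control-plane-ns: linkerd-dev
  annotations:
    linkerd.io/created-by: linkerd/helm linkerd-version
data:
  linkerd-crds-chart-version: linkerd-crds-1.0.0-edge
  values: |
    cliVersion: ""
    clusterDomain: cluster.local
    clusterNetworks: 10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16,fd00::/8
    cniEnabled: false
    controlPlaneTracing: false
    controlPlaneTracingNamespace: linkerd-jaeger
    controller:
      podDisruptionBudget:
        maxUnavailable: 1
    controllerGID: -1
    controllerImage: cr.l5d.io/linkerd/controller
    controllerLogFormat: plain
    controllerLogLevel: info
    controllerReplicas: 3
    controllerUID: 2103
    debugContainer:
      image:
        name: cr.l5d.io/linkerd/debug
        pullPolicy: ""
        version: test-debug-version
    deploymentStrategy:
      rollingUpdate:
        maxSurge: 25%
        maxUnavailable: 1
    destinationController:
      meshedHttp2ClientProtobuf:
        keep_alive:
          interval:
            seconds: 10
          timeout:
            seconds: 3
          while_idle: true
    destinationProxyResources: null
    destinationResources:
      cpu:
        limit: ""
        request: 100m
      ephemeral-storage:
        limit: ""
        request: ""
      memory:
        limit: 250Mi
        request: 50Mi
    disableHeartBeat: false
    disableIPv6: true
    enableEndpointSlices: true
    enableH2Upgrade: true
    enablePodAntiAffinity: true
    enablePodDisruptionBudget: true
    heartbeat: null
    heartbeatResources:
      cpu:
        limit: ""
        request: 100m
      ephemeral-storage:
        limit: ""
        request: ""
      memory:
        limit: 250Mi
        request: 50Mi
    heartbeatSchedule: 1 2 3 4 5
    highAvailability: true
    identity:
      additionalEnv: null
      experimentalEnv: null
      externalCA: false
      issuer:
        clockSkewAllowance: 20s
        issuanceLifetime: 24h0m0s
        scheme: linkerd.io/tls
        tls:
          crtPEM: test-crt-pem
      kubeAPI:
        clientBurst: 200
        clientQPS: 100
      serviceAccountTokenProjection: true
    identityProxyResources: null
    identityResources:
      cpu:
        limit: ""
        request: 100m
      ephemeral-storage:
        limit: ""
        request: ""
      memory:
        limit: 250Mi
        request: 10Mi
    identityTrustAnchorsPEM: test-trust-anchor
    identityTrustDomain: test.trust.domain
    imagePullPolicy: IfNotPresent
    imagePullSecrets: null
    linkerdVersion: linkerd-version
    networkValidator:
      connectAddr: 1.1.1.1:20001
      enableSecurityContext: true
      listenAddr: 0.0.0.0:4140
      logFormat: plain
      logLevel: debug
      timeout: 10s
    nodeAffinity: null
    nodeSelector:
      kubernetes.io/os: linux
    podAnnotations:
      asda: fasda
      bingo: bongo
    podLabels:
      fiz: buz
      foo: bar
    podMonitor:
      controller:
        enabled: true
        namespaceSelector: |
          matchNames:
            - {{ .Release.Namespace }}
            - linkerd-viz
            - linkerd-jaeger
      enabled: false
      proxy:
        enabled: true
      scrapeInterval: 10s
      scrapeTimeout: 10s
      serviceMirror:
        enabled: true
    policyController:
      image:
        name: cr.l5d.io/linkerd/policy-controller
        pullPolicy: ""
        version: ""
      logLevel: info
      probeNetworks:
      - 0.0.0.0/0
      - ::/0
      resources:
        cpu:
          limit: ""
          request: ""
        ephemeral-storage:
          limit: ""
          request: ""
        memory:
          limit: ""
          request: ""
    policyValidator:
      caBundle: test-profile-validator-ca-bundle
      crtPEM: ""
      externalSecret: true
      injectCaFrom: ""
      injectCaFromSecret: ""
      namespaceSelector:
        matchExpressions:
        - key: config.linkerd.io/admission-webhooks
          operator: NotIn
          values:
          - disabled
    priorityClassName: ""
    profileValidator:
      caBundle: test-profile-validator-ca-bundle
      crtPEM: ""
      externalSecret: true
      injectCaFrom: ""
      injectCaFromSecret: ""
      namespaceSelector:
        matchExpressions:
        - key: config.linkerd.io/admission-webhooks
          operator: NotIn
          values:
          - disabled
    prometheusUrl: ""
    proxy:
      accessLog: ""
      additionalEnv: null
      await: true
      capabilities: null
      control:
        streams:
          idleTimeout: 5m
          initialTimeout: 3s
          lifetime: 1h
      defaultInboundPolicy: all-unauthenticated
      disableInboundProtocolDetectTimeout: false
      disableOutboundProtocolDetectTimeout: false
      enableExternalProfiles: false
      experimentalEnv: null
      gid: -1
      image:
        name: cr.l5d.io/linkerd/proxy
        pullPolicy: ""
        version: test-proxy-version
      inbound:
        server:
          http2:
            keepAliveInterval: 10s
            keepAliveTimeout: 3s
      inboundConnectTimeout: 100ms
      inboundDiscoveryCacheUnusedTimeout: 90s
      isGateway: false
      isIngress: false
      livenessProbe:
        initialDelaySeconds: 10
        timeoutSeconds: 1
      logFormat: plain
      logLevel: warn,linkerd=info,trust_dns=error
      nativeSidecar: false
      opaquePorts: 25,587,3306,4444,5432,6379,9300,11211
      outbound:
        server:
          http2:
            keepAliveInterval: 10s
            keepAliveTimeout: 3s
      outboundConnectTimeout: 1000ms
      outboundDiscoveryCacheUnusedTimeout: 5s
      podInboundPorts: ""
      ports:
        admin: 4191
        control: 4190
        inbound: 4143
        outbound: 4140
      readinessProbe:
        initialDelaySeconds: 2
        timeoutSeconds: 1
      requireIdentityOnInboundPorts: ""
      resources:
        cpu:
          limit: ""
          request: 100m
        ephemeral-storage:
          limit: ""
          request: ""
        memory:
          limit: 250Mi
          request: 20Mi
      saMountPath: null
      shutdownGracePeriod: ""
      startupProbe:
        failureThreshold: 120
        initialDelaySeconds: 0
        periodSeconds: 1
      uid: 2102
      waitBeforeExitSeconds: 0
    proxyContainerName: linkerd-proxy
    proxyInit:
      capabilities: null
      closeWaitTimeoutSecs: 0
      ignoreInboundPorts: "444"
      ignoreOutboundPorts: "333"
      image:
        name: cr.l5d.io/linkerd/proxy-init
        pullPolicy: ""
        version: test-proxy-init-version
      iptablesMode: legacy
      kubeAPIServerPorts: 443,6443
      logFormat: ""
      logLevel: ""
      privileged: false
      resources:
        cpu:
          limit: 100m
          request: 100m
        ephemeral-storage:
          limit: ""
          request: ""
        memory:
          limit: 20Mi
          request: 20Mi
      runAsGroup: 65534
      runAsRoot: false
      runAsUser: 65534
      saMountPath: null
      skipSubnets: ""
      xtMountPath:
        mountPath: /run
        name: linkerd-proxy-init-xtables-lock
        readOnly: false
    proxyInjector:
      additionalEnv: null
      caBundle: test-proxy-injector-ca-bundle
      crtPEM: ""
      experimentalEnv: null
      externalSecret: true
      injectCaFrom: ""
      injectCaFromSecret: ""
      namespaceSelector:
        matchExpressions:
        - key: config.linkerd.io/admission-webhooks
          operator: NotIn
          values:
          - disabled
        - key: kubernetes.io/metadata.name
          operator: NotIn
          values:
          - kube-system
          - cert-manager
    proxyInjectorProxyResources: null
    proxyInjectorResources:
      cpu:
        limit: ""
        request: 100m
      ephemeral-storage:
        limit: ""
        request: ""
      memory:
        limit: 250Mi
        request: 50Mi
    revisionHistoryLimit: 10
    spValidator: null
    tap:
      caBundle: test-tap-ca-bundle
      externalSecret: true
    tolerations: null
    webhookFailurePolicy: Fail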
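---
# Source: linkerd-control-plane/templates/config-rbac.yaml
---
# Namespaced Role limited to "get" on the single ConfigMap linkerd-config.
# NOTE(review): no RoleBinding for this Role appears in this part of the
# listing; presumably it is bound elsewhere (the name suggests extension
# namespace-metadata jobs) - TODO confirm.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  annotations:
    linkerd.io/created-by: linkerd/helm linkerd-version
  name: ext-namespace-metadata-linkerd-config
  namespace: linkerd-dev
rules:
- apiGroups: [""]
  resources: ["configmaps"]
  verbs: ["get"]
  resourceNames: ["linkerd-config"]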
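---
# Source: linkerd-control-plane/templates/identity.yaml
---
###
### Identity Controller Service
###
---
# Issuer certificate and private key used by the identity controller
# (mounted at /var/run/linkerd/identity/issuer by the Deployment below).
# The values here decode to the placeholders "test-crt-pem" and
# "test-key-pem". In a real rendering, key.pem is the mesh issuer private
# key: base64 is an encoding, not encryption, so rendered output like this
# must not be committed or logged, and read access to Secrets in linkerd-dev
# (see the remote-discovery Role) is equivalent to access to that key.
kind: Secret
apiVersion: v1
metadata:
  name: linkerd-identity-issuer
  namespace: linkerd-dev
  labels:
    linkerd.io/control-plane-component: identity
    linkerd.io/control-plane-ns: linkerd-dev
  annotations:
    linkerd.io/created-by: linkerd/helm linkerd-version
data:
  crt.pem: dGVzdC1jcnQtcGVt
  key.pem: dGVzdC1rZXktcGVt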
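---
# Trust anchors (public CA bundle) for the mesh. The proxy container reads
# ca-bundle.crt from here through a configMapKeyRef. The content is public,
# but write access to this ConfigMap decides which roots the mesh trusts,
# so treat update/patch rights on it as security-sensitive.
kind: ConfigMap
apiVersion: v1
metadata:
  name: linkerd-identity-trust-roots
  namespace: linkerd-dev
  labels:
    linkerd.io/control-plane-component: identity
    linkerd.io/control-plane-ns: linkerd-dev
  annotations:
    linkerd.io/created-by: linkerd/helm linkerd-version
data:
  ca-bundle.crt: |-
    test-trust-anchor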
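---
# ClusterIP Service in front of the identity controller's gRPC port.
# The selector is a single label, so any pod in linkerd-dev carrying
# linkerd.io/control-plane-component=identity becomes a backend; pod
# creation rights in this namespace are therefore part of the trust
# boundary.
kind: Service
apiVersion: v1
metadata:
  name: linkerd-identity
  namespace: linkerd-dev
  labels:
    linkerd.io/control-plane-component: identity
    linkerd.io/control-plane-ns: linkerd-dev
  annotations:
    linkerd.io/created-by: linkerd/helm linkerd-version
spec:
  type: ClusterIP
  selector:
    linkerd.io/control-plane-component: identity
  ports:
  - name: grpc
    port: 8080
    targetPort: 8080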
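---
# Headless variant (clusterIP: None) of the identity Service: DNS returns
# the individual pod addresses instead of a virtual IP. Same single-label
# selector and port as linkerd-identity.
kind: Service
apiVersion: v1
metadata:
  name: linkerd-identity-headless
  namespace: linkerd-dev
  labels:
    linkerd.io/control-plane-component: identity
    linkerd.io/control-plane-ns: linkerd-dev
  annotations:
    linkerd.io/created-by: linkerd/helm linkerd-version
spec:
  clusterIP: None
  selector:
    linkerd.io/control-plane-component: identity
  ports:
  - name: grpc
    port: 8080
    targetPort: 8080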
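---
# Limits voluntary disruptions (drains, evictions) to one identity pod at a
# time; with the Deployment's three replicas, two stay available to issue
# certificates during node maintenance.
kind: PodDisruptionBudget
apiVersion: policy/v1
metadata:
  name: linkerd-identity
  namespace: linkerd-dev
  labels:
    linkerd.io/control-plane-component: identity
    linkerd.io/control-plane-ns: linkerd-dev
  annotations:
    linkerd.io/created-by: linkerd/helm linkerd-version
spec:
  maxUnavailable: 1
  selector:
    matchLabels:
      linkerd.io/control-plane-component: identity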
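---
# Identity controller Deployment: three replicas, each pod running the
# identity container, a linkerd-proxy sidecar and a linkerd-init init
# container.
# Review notes:
# - Images are referenced by tag with imagePullPolicy IfNotPresent. The tags
#   here are test placeholders; a production rendering is only as immutable
#   as its tags unless digests are pinned.
# - The pod spec does not set automountServiceAccountToken, so the default
#   API token of linkerd-identity is mounted in addition to the projected,
#   audience-bound token declared under volumes.
apiVersion: apps/v1
kind: Deployment
metadata:
  annotations:
    linkerd.io/created-by: linkerd/helm linkerd-version
  labels:
    app.kubernetes.io/name: identity
    app.kubernetes.io/part-of: Linkerd
    app.kubernetes.io/version: linkerd-version
    linkerd.io/control-plane-component: identity
    linkerd.io/control-plane-ns: linkerd-dev
  name: linkerd-identity
  namespace: linkerd-dev
spec:
  replicas: 3
  revisionHistoryLimit: 10
  selector:
    matchLabels:
      linkerd.io/control-plane-component: identity
      linkerd.io/control-plane-ns: linkerd-dev
      linkerd.io/proxy-deployment: linkerd-identity
  strategy:
    rollingUpdate:
      maxSurge: 25%
      maxUnavailable: 1
  template:
    metadata:
      annotations:
        linkerd.io/created-by: linkerd/helm linkerd-version
        linkerd.io/proxy-version: test-proxy-version
        cluster-autoscaler.kubernetes.io/safe-to-evict: "true"
        # NOTE(review): presumably a digest of the trust anchors, so that a
        # trust-root change alters the pod template and rolls the pods -
        # confirm against the chart template.
        linkerd.io/trust-root-sha256: f8ebf807fa1cf5bf3b40e94680a5fc91593782385f28c96eae7bb6672dba375e
        asda: fasda
        bingo: bongo
        config.linkerd.io/default-inbound-policy: "all-unauthenticated"
      labels:
        linkerd.io/control-plane-component: identity
        linkerd.io/control-plane-ns: linkerd-dev
        linkerd.io/workload-ns: linkerd-dev
        linkerd.io/proxy-deployment: linkerd-identity
        fiz: buz
        foo: bar
    spec:
      nodeSelector:
        kubernetes.io/os: linux
      # Spread replicas: prefer different zones, require different nodes, so
      # losing one node cannot take out every identity pod.
      affinity:
        podAntiAffinity:
          preferredDuringSchedulingIgnoredDuringExecution:
          - podAffinityTerm:
              labelSelector:
                matchExpressions:
                - key: linkerd.io/control-plane-component
                  operator: In
                  values:
                  - identity
              topologyKey: topology.kubernetes.io/zone
            weight: 100
          requiredDuringSchedulingIgnoredDuringExecution:
          - labelSelector:
              matchExpressions:
              - key: linkerd.io/control-plane-component
                operator: In
                values:
                - identity
            topologyKey: kubernetes.io/hostname
      containers:
      - args:
        - identity
        - -log-level=info
        - -log-format=plain
        - -controller-namespace=linkerd-dev
        - -identity-trust-domain=test.trust.domain
        # Issued certificates live 24h, with 20s of clock-skew tolerance.
        - -identity-issuance-lifetime=24h0m0s
        - -identity-clock-skew-allowance=20s
        - -identity-scheme=linkerd.io/tls
        # Profiling endpoints are switched off.
        - -enable-pprof=false
        - -kube-apiclient-qps=100
        - -kube-apiclient-burst=200
        env:
        - name: LINKERD_DISABLED
          value: "linkerd-await cannot block the identity controller"
        image: cr.l5d.io/linkerd/controller:linkerd-version
        imagePullPolicy: IfNotPresent
        livenessProbe:
          httpGet:
            path: /ping
            port: 9990
          initialDelaySeconds: 10
        name: identity
        ports:
        - containerPort: 8080
          name: grpc
        - containerPort: 9990
          name: admin-http
        readinessProbe:
          failureThreshold: 7
          httpGet:
            path: /ready
            port: 9990
        resources:
          limits:
            memory: "250Mi"
          requests:
            cpu: "100m"
            memory: "10Mi"
        # Hardened context: all capabilities dropped, read-only root
        # filesystem, non-root UID, no privilege escalation, default seccomp.
        securityContext:
          capabilities:
            drop:
            - ALL
          readOnlyRootFilesystem: true
          runAsNonRoot: true
          runAsUser: 2103
          allowPrivilegeEscalation: false
          seccompProfile:
            type: RuntimeDefault
        volumeMounts:
        # The issuer key material is mounted only into this container, not
        # into the proxy sidecar.
        - mountPath: /var/run/linkerd/identity/issuer
          name: identity-issuer
        - mountPath: /var/run/linkerd/identity/trust-roots/
          name: trust-roots
      - env:
        - name: _pod_name
          valueFrom:
            fieldRef:
              fieldPath: metadata.name
        - name: _pod_ns
          valueFrom:
            fieldRef:
              fieldPath: metadata.namespace
        - name: _pod_nodeName
          valueFrom:
            fieldRef:
              fieldPath: spec.nodeName
        # By its name, inbound port 8080 (the identity gRPC port) only
        # accepts TLS connections, even though the default inbound policy
        # below is all-unauthenticated.
        - name: LINKERD2_PROXY_INBOUND_PORTS_REQUIRE_TLS
          value: "8080"
        - name: LINKERD2_PROXY_LOG
          value: "warn,linkerd=info,trust_dns=error"
        - name: LINKERD2_PROXY_LOG_FORMAT
          value: "plain"
        - name: LINKERD2_PROXY_DESTINATION_SVC_ADDR
          value: linkerd-dst-headless.linkerd-dev.svc.cluster.local.:8086
        - name: LINKERD2_PROXY_DESTINATION_PROFILE_NETWORKS
          value: "10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16,fd00::/8"
        - name: LINKERD2_PROXY_POLICY_SVC_ADDR
          value: linkerd-policy.linkerd-dev.svc.cluster.local.:8090
        - name: LINKERD2_PROXY_POLICY_WORKLOAD
          value: |
            {"ns":"$(_pod_ns)", "pod":"$(_pod_name)"}
        - name: LINKERD2_PROXY_INBOUND_DEFAULT_POLICY
          value: all-unauthenticated
        - name: LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS
          value: "10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16,fd00::/8"
        - name: LINKERD2_PROXY_CONTROL_STREAM_INITIAL_TIMEOUT
          value: "3s"
        - name: LINKERD2_PROXY_CONTROL_STREAM_IDLE_TIMEOUT
          value: "5m"
        - name: LINKERD2_PROXY_CONTROL_STREAM_LIFETIME
          value: "1h"
        - name: LINKERD2_PROXY_INBOUND_CONNECT_TIMEOUT
          value: "100ms"
        - name: LINKERD2_PROXY_OUTBOUND_CONNECT_TIMEOUT
          value: "1000ms"
        - name: LINKERD2_PROXY_OUTBOUND_DISCOVERY_IDLE_TIMEOUT
          value: "5s"
        - name: LINKERD2_PROXY_INBOUND_DISCOVERY_IDLE_TIMEOUT
          value: "90s"
        # The control and admin listeners bind to all addresses, and the
        # init container excludes 4190/4191 from inbound redirection, so
        # they are reachable on the pod IP; the outbound listener is
        # loopback-only.
        - name: LINKERD2_PROXY_CONTROL_LISTEN_ADDR
          value: "[::]:4190"
        - name: LINKERD2_PROXY_ADMIN_LISTEN_ADDR
          value: "[::]:4191"
        - name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDR
          value: "127.0.0.1:4140"
        - name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDRS
          value: "127.0.0.1:4140"
        - name: LINKERD2_PROXY_INBOUND_LISTEN_ADDR
          value: "[::]:4143"
        - name: LINKERD2_PROXY_INBOUND_IPS
          valueFrom:
            fieldRef:
              fieldPath: status.podIPs
        - name: LINKERD2_PROXY_INBOUND_PORTS
          value: "8080,9990"
        - name: LINKERD2_PROXY_DESTINATION_PROFILE_SUFFIXES
          value: svc.cluster.local.
        - name: LINKERD2_PROXY_INBOUND_ACCEPT_KEEPALIVE
          value: 10000ms
        - name: LINKERD2_PROXY_OUTBOUND_CONNECT_KEEPALIVE
          value: 10000ms
        - name: LINKERD2_PROXY_INBOUND_SERVER_HTTP2_KEEP_ALIVE_INTERVAL
          value: "10s"
        - name: LINKERD2_PROXY_INBOUND_SERVER_HTTP2_KEEP_ALIVE_TIMEOUT
          value: "3s"
        - name: LINKERD2_PROXY_OUTBOUND_SERVER_HTTP2_KEEP_ALIVE_INTERVAL
          value: "10s"
        - name: LINKERD2_PROXY_OUTBOUND_SERVER_HTTP2_KEEP_ALIVE_TIMEOUT
          value: "3s"
        - name: LINKERD2_PROXY_INBOUND_PORTS_DISABLE_PROTOCOL_DETECTION
          value: "25,587,3306,4444,5432,6379,9300,11211"
        - name: LINKERD2_PROXY_DESTINATION_CONTEXT
          value: |
            {"ns":"$(_pod_ns)", "nodeName":"$(_pod_nodeName)", "pod":"$(_pod_name)"}
        - name: _pod_sa
          valueFrom:
            fieldRef:
              fieldPath: spec.serviceAccountName
        - name: _l5d_ns
          value: linkerd-dev
        - name: _l5d_trustdomain
          value: test.trust.domain
        - name: LINKERD2_PROXY_IDENTITY_DIR
          value: /var/run/linkerd/identity/end-entity
        - name: LINKERD2_PROXY_IDENTITY_TRUST_ANCHORS
          valueFrom:
            configMapKeyRef:
              name: linkerd-identity-trust-roots
              key: ca-bundle.crt
        - name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE
          value: /var/run/secrets/tokens/linkerd-identity-token
        # The sidecar reaches the identity service over localhost because it
        # shares the pod with the identity container.
        - name: LINKERD2_PROXY_IDENTITY_SVC_ADDR
          value: localhost.:8080
        # Mesh identity is derived from the pod's ServiceAccount and
        # namespace.
        - name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME
          value: $(_pod_sa).$(_pod_ns).serviceaccount.identity.linkerd-dev.test.trust.domain
        - name: LINKERD2_PROXY_IDENTITY_SVC_NAME
          value: linkerd-identity.linkerd-dev.serviceaccount.identity.linkerd-dev.test.trust.domain
        - name: LINKERD2_PROXY_DESTINATION_SVC_NAME
          value: linkerd-destination.linkerd-dev.serviceaccount.identity.linkerd-dev.test.trust.domain
        - name: LINKERD2_PROXY_POLICY_SVC_NAME
          value: linkerd-destination.linkerd-dev.serviceaccount.identity.linkerd-dev.test.trust.domain
        image: cr.l5d.io/linkerd/proxy:test-proxy-version
        imagePullPolicy: IfNotPresent
        livenessProbe:
          httpGet:
            path: /live
            port: 4191
          initialDelaySeconds: 10
          timeoutSeconds: 1
        name: linkerd-proxy
        ports:
        - containerPort: 4143
          name: linkerd-proxy
        - containerPort: 4191
          name: linkerd-admin
        readinessProbe:
          httpGet:
            path: /ready
            port: 4191
          initialDelaySeconds: 2
          timeoutSeconds: 1
        resources:
          limits:
            memory: "250Mi"
          requests:
            cpu: "100m"
            memory: "20Mi"
        # Same hardening as the identity container, under a separate UID
        # (2102), which the init container's --proxy-uid refers to.
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            drop:
            - ALL
          readOnlyRootFilesystem: true
          runAsNonRoot: true
          runAsUser: 2102
          seccompProfile:
            type: RuntimeDefault
        terminationMessagePolicy: FallbackToLogsOnError
        volumeMounts:
        - mountPath: /var/run/linkerd/identity/end-entity
          name: linkerd-identity-end-entity
        - mountPath: /var/run/secrets/tokens
          name: linkerd-identity-token
      initContainers:
      - args:
        - --ipv6=false
        - --incoming-proxy-port
        - "4143"
        - --outgoing-proxy-port
        - "4140"
        - --proxy-uid
        - "2102"
        # Traffic on these ports is not redirected through the proxy:
        # inbound 4190/4191 (proxy control/admin) and 444, outbound 443 and
        # 6443 (the kubeAPIServerPorts value in linkerd-config).
        - --inbound-ports-to-ignore
        - "4190,4191,444"
        - --outbound-ports-to-ignore
        - "443,6443"
        image: cr.l5d.io/linkerd/proxy-init:test-proxy-init-version
        imagePullPolicy: IfNotPresent
        name: linkerd-init
        resources:
          limits:
            cpu: "100m"
            memory: "20Mi"
          requests:
            cpu: "100m"
            memory: "20Mi"
        # The one container that adds capabilities: NET_ADMIN and NET_RAW,
        # as non-root (65534), unprivileged and without privilege
        # escalation.
        # NOTE(review): unlike the other two containers there is no
        # "drop: [ALL]" here, so the runtime's default capability set stays
        # in place alongside the two added ones; consider dropping ALL and
        # adding back only what is needed - TODO confirm it still works.
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            add:
            - NET_ADMIN
            - NET_RAW
          privileged: false
          runAsNonRoot: true
          runAsUser: 65534
          runAsGroup: 65534
          readOnlyRootFilesystem: true
          seccompProfile:
            type: RuntimeDefault
        terminationMessagePolicy: FallbackToLogsOnError
        volumeMounts:
        - mountPath: /run
          name: linkerd-proxy-init-xtables-lock
      securityContext:
        seccompProfile:
          type: RuntimeDefault
      serviceAccountName: linkerd-identity
      volumes:
      - name: identity-issuer
        secret:
          secretName: linkerd-identity-issuer
      - configMap:
          name: linkerd-identity-trust-roots
        name: trust-roots
      - emptyDir: {}
        name: linkerd-proxy-init-xtables-lock
      # Projected ServiceAccount token bound to the audience
      # identity.l5d.io with a 24h expiry, so it is not a general-purpose
      # API server credential and ages out on its own.
      - name: linkerd-identity-token
        projected:
          sources:
          - serviceAccountToken:
              path: linkerd-identity-token
              expirationSeconds: 86400
              audience: identity.l5d.io
      # Memory-backed emptyDir: whatever the proxy keeps under its identity
      # directory is never written to node disk.
      - emptyDir:
          medium: Memory
        name: linkerd-identity-end-entity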
1242---
1243# Source: linkerd-control-plane/templates/destination.yaml
1244---
1245###
1246### Destination Controller Service
1247###
# ClusterIP Service for the destination controller's gRPC API (port 8086).
# Selects every pod labelled as the destination control-plane component.
apiVersion: v1
kind: Service
metadata:
  name: linkerd-dst
  namespace: linkerd-dev
  annotations:
    linkerd.io/created-by: linkerd/helm linkerd-version
  labels:
    linkerd.io/control-plane-component: destination
    linkerd.io/control-plane-ns: linkerd-dev
spec:
  type: ClusterIP
  selector:
    linkerd.io/control-plane-component: destination
  ports:
    - name: grpc
      port: 8086
      targetPort: 8086
1266---
# Headless variant (clusterIP: None) of the destination gRPC Service: DNS
# returns the individual pod addresses instead of a single virtual IP.
apiVersion: v1
kind: Service
metadata:
  name: linkerd-dst-headless
  namespace: linkerd-dev
  annotations:
    linkerd.io/created-by: linkerd/helm linkerd-version
  labels:
    linkerd.io/control-plane-component: destination
    linkerd.io/control-plane-ns: linkerd-dev
spec:
  clusterIP: None
  selector:
    linkerd.io/control-plane-component: destination
  ports:
    - name: grpc
      port: 8086
      targetPort: 8086
1285---
# Service in front of the sp-validator container. Port 443 is forwarded to the
# container port named "sp-validator" on the destination pods.
apiVersion: v1
kind: Service
metadata:
  name: linkerd-sp-validator
  namespace: linkerd-dev
  annotations:
    linkerd.io/created-by: linkerd/helm linkerd-version
  labels:
    linkerd.io/control-plane-component: destination
    linkerd.io/control-plane-ns: linkerd-dev
spec:
  type: ClusterIP
  selector:
    linkerd.io/control-plane-component: destination
  ports:
    - name: sp-validator
      port: 443
      # Named port: resolved against the pod's containerPort names.
      targetPort: sp-validator
1304---
# Headless Service (clusterIP: None) exposing the policy controller's gRPC
# port 8090 on the destination pods.
apiVersion: v1
kind: Service
metadata:
  name: linkerd-policy
  namespace: linkerd-dev
  annotations:
    linkerd.io/created-by: linkerd/helm linkerd-version
  labels:
    linkerd.io/control-plane-component: destination
    linkerd.io/control-plane-ns: linkerd-dev
spec:
  clusterIP: None
  selector:
    linkerd.io/control-plane-component: destination
  ports:
    - name: grpc
      port: 8090
      targetPort: 8090
1323---
# Service in front of the policy controller's HTTPS endpoint. Port 443 is
# forwarded to the container port named "policy-https" on the destination pods.
apiVersion: v1
kind: Service
metadata:
  name: linkerd-policy-validator
  namespace: linkerd-dev
  annotations:
    linkerd.io/created-by: linkerd/helm linkerd-version
  labels:
    linkerd.io/control-plane-component: destination
    linkerd.io/control-plane-ns: linkerd-dev
spec:
  type: ClusterIP
  selector:
    linkerd.io/control-plane-component: destination
  ports:
    - name: policy-https
      port: 443
      # Named port: resolved against the pod's containerPort names.
      targetPort: policy-https
1342---
# Disruption budget for the destination pods: voluntary evictions may take
# down at most one matching pod at a time.
apiVersion: policy/v1
kind: PodDisruptionBudget
metadata:
  name: linkerd-dst
  namespace: linkerd-dev
  annotations:
    linkerd.io/created-by: linkerd/helm linkerd-version
  labels:
    linkerd.io/control-plane-component: destination
    linkerd.io/control-plane-ns: linkerd-dev
spec:
  maxUnavailable: 1
  selector:
    matchLabels:
      linkerd.io/control-plane-component: destination
1358---
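# Destination controller Deployment. Each of the three replicas runs four
# containers (linkerd-proxy sidecar, destination, sp-validator, policy) plus
# the linkerd-init init container.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: linkerd-destination
  namespace: linkerd-dev
  annotations:
    linkerd.io/created-by: linkerd/helm linkerd-version
  labels:
    app.kubernetes.io/name: destination
    app.kubernetes.io/part-of: Linkerd
    app.kubernetes.io/version: linkerd-version
    linkerd.io/control-plane-component: destination
    linkerd.io/control-plane-ns: linkerd-dev
spec:
  replicas: 3
  revisionHistoryLimit: 10
  selector:
    matchLabels:
      linkerd.io/control-plane-component: destination
      linkerd.io/control-plane-ns: linkerd-dev
      linkerd.io/proxy-deployment: linkerd-destination
  strategy:
    rollingUpdate:
      maxSurge: 25%
      maxUnavailable: 1
  template:
    metadata:
      annotations:
        checksum/config: b0c26a237398c80aaed48f6954a403fc169549f3b7e927bdd86c71f8d13c8762
        linkerd.io/created-by: linkerd/helm linkerd-version
        linkerd.io/proxy-version: test-proxy-version
        cluster-autoscaler.kubernetes.io/safe-to-evict: "true"
        linkerd.io/trust-root-sha256: f8ebf807fa1cf5bf3b40e94680a5fc91593782385f28c96eae7bb6672dba375e
        # asda/bingo (and the fiz/foo labels below) look like arbitrary
        # user-supplied test values -- TODO confirm against the chart values.
        asda: fasda
        bingo: bongo
        # all-unauthenticated: the proxy's default inbound policy does not
        # require a meshed (mTLS) client identity.
        config.linkerd.io/default-inbound-policy: "all-unauthenticated"
      labels:
        linkerd.io/control-plane-component: destination
        linkerd.io/control-plane-ns: linkerd-dev
        linkerd.io/workload-ns: linkerd-dev
        linkerd.io/proxy-deployment: linkerd-destination
        fiz: buz
        foo: bar
    spec:
      nodeSelector:
        kubernetes.io/os: linux
      affinity:
        podAntiAffinity:
          # Soft rule: prefer spreading destination pods across zones.
          preferredDuringSchedulingIgnoredDuringExecution:
            - podAffinityTerm:
                labelSelector:
                  matchExpressions:
                    - key: linkerd.io/control-plane-component
                      operator: In
                      values:
                        - destination
                topologyKey: topology.kubernetes.io/zone
              weight: 100
          # Hard rule: never co-locate two destination pods on one node, so
          # three replicas need at least three schedulable nodes.
          requiredDuringSchedulingIgnoredDuringExecution:
            - labelSelector:
                matchExpressions:
                  - key: linkerd.io/control-plane-component
                    operator: In
                    values:
                      - destination
              topologyKey: kubernetes.io/hostname
      containers:
        # --- Sidecar proxy ---------------------------------------------------
        - name: linkerd-proxy
          # The tag looks like a fixture placeholder; a real deployment should
          # reference a released version, ideally pinned by digest.
          image: cr.l5d.io/linkerd/proxy:test-proxy-version
          imagePullPolicy: IfNotPresent
          # Order matters: the _pod_* variables must be declared before the
          # entries that reference them through $(...) expansion.
          env:
            - name: _pod_name
              valueFrom:
                fieldRef:
                  fieldPath: metadata.name
            - name: _pod_ns
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
            - name: _pod_nodeName
              valueFrom:
                fieldRef:
                  fieldPath: spec.nodeName
            - name: LINKERD2_PROXY_LOG
              value: "warn,linkerd=info,trust_dns=error"
            - name: LINKERD2_PROXY_LOG_FORMAT
              value: "plain"
            # This proxy shares a pod with the destination and policy
            # containers, so both controller addresses point at localhost.
            - name: LINKERD2_PROXY_DESTINATION_SVC_ADDR
              value: localhost.:8086
            - name: LINKERD2_PROXY_DESTINATION_PROFILE_NETWORKS
              value: "10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16,fd00::/8"
            - name: LINKERD2_PROXY_POLICY_SVC_ADDR
              value: localhost.:8090
            - name: LINKERD2_PROXY_POLICY_WORKLOAD
              value: |
                {"ns":"$(_pod_ns)", "pod":"$(_pod_name)"}
            # Same permissive default as the pod annotation above.
            - name: LINKERD2_PROXY_INBOUND_DEFAULT_POLICY
              value: all-unauthenticated
            - name: LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS
              value: "10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16,fd00::/8"
            - name: LINKERD2_PROXY_CONTROL_STREAM_INITIAL_TIMEOUT
              value: "3s"
            - name: LINKERD2_PROXY_CONTROL_STREAM_IDLE_TIMEOUT
              value: "5m"
            - name: LINKERD2_PROXY_CONTROL_STREAM_LIFETIME
              value: "1h"
            - name: LINKERD2_PROXY_INBOUND_CONNECT_TIMEOUT
              value: "100ms"
            - name: LINKERD2_PROXY_OUTBOUND_CONNECT_TIMEOUT
              value: "1000ms"
            - name: LINKERD2_PROXY_OUTBOUND_DISCOVERY_IDLE_TIMEOUT
              value: "5s"
            - name: LINKERD2_PROXY_INBOUND_DISCOVERY_IDLE_TIMEOUT
              value: "90s"
            # Control, admin and inbound listeners bind to all addresses;
            # the outbound listener is loopback-only.
            - name: LINKERD2_PROXY_CONTROL_LISTEN_ADDR
              value: "[::]:4190"
            - name: LINKERD2_PROXY_ADMIN_LISTEN_ADDR
              value: "[::]:4191"
            - name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDR
              value: "127.0.0.1:4140"
            - name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDRS
              value: "127.0.0.1:4140"
            - name: LINKERD2_PROXY_INBOUND_LISTEN_ADDR
              value: "[::]:4143"
            - name: LINKERD2_PROXY_INBOUND_IPS
              valueFrom:
                fieldRef:
                  fieldPath: status.podIPs
            # Matches the containerPorts declared by the three controller
            # containers in this pod.
            - name: LINKERD2_PROXY_INBOUND_PORTS
              value: "8086,8090,8443,9443,9990,9996,9997"
            - name: LINKERD2_PROXY_DESTINATION_PROFILE_SUFFIXES
              value: svc.cluster.local.
            - name: LINKERD2_PROXY_INBOUND_ACCEPT_KEEPALIVE
              value: 10000ms
            - name: LINKERD2_PROXY_OUTBOUND_CONNECT_KEEPALIVE
              value: 10000ms
            - name: LINKERD2_PROXY_INBOUND_SERVER_HTTP2_KEEP_ALIVE_INTERVAL
              value: "10s"
            - name: LINKERD2_PROXY_INBOUND_SERVER_HTTP2_KEEP_ALIVE_TIMEOUT
              value: "3s"
            - name: LINKERD2_PROXY_OUTBOUND_SERVER_HTTP2_KEEP_ALIVE_INTERVAL
              value: "10s"
            - name: LINKERD2_PROXY_OUTBOUND_SERVER_HTTP2_KEEP_ALIVE_TIMEOUT
              value: "3s"
            - name: LINKERD2_PROXY_INBOUND_PORTS_DISABLE_PROTOCOL_DETECTION
              value: "25,587,3306,4444,5432,6379,9300,11211"
            - name: LINKERD2_PROXY_DESTINATION_CONTEXT
              value: |
                {"ns":"$(_pod_ns)", "nodeName":"$(_pod_nodeName)", "pod":"$(_pod_name)"}
            - name: _pod_sa
              valueFrom:
                fieldRef:
                  fieldPath: spec.serviceAccountName
            - name: _l5d_ns
              value: linkerd-dev
            - name: _l5d_trustdomain
              value: test.trust.domain
            # Identity material: the end-entity directory is the in-memory
            # emptyDir mounted below; trust anchors come from a ConfigMap.
            - name: LINKERD2_PROXY_IDENTITY_DIR
              value: /var/run/linkerd/identity/end-entity
            - name: LINKERD2_PROXY_IDENTITY_TRUST_ANCHORS
              valueFrom:
                configMapKeyRef:
                  name: linkerd-identity-trust-roots
                  key: ca-bundle.crt
            - name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE
              value: /var/run/secrets/tokens/linkerd-identity-token
            - name: LINKERD2_PROXY_IDENTITY_SVC_ADDR
              value: linkerd-identity-headless.linkerd-dev.svc.cluster.local.:8080
            - name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME
              value: $(_pod_sa).$(_pod_ns).serviceaccount.identity.linkerd-dev.test.trust.domain
            - name: LINKERD2_PROXY_IDENTITY_SVC_NAME
              value: linkerd-identity.linkerd-dev.serviceaccount.identity.linkerd-dev.test.trust.domain
            - name: LINKERD2_PROXY_DESTINATION_SVC_NAME
              value: linkerd-destination.linkerd-dev.serviceaccount.identity.linkerd-dev.test.trust.domain
            - name: LINKERD2_PROXY_POLICY_SVC_NAME
              value: linkerd-destination.linkerd-dev.serviceaccount.identity.linkerd-dev.test.trust.domain
          ports:
            - containerPort: 4143
              name: linkerd-proxy
            - containerPort: 4191
              name: linkerd-admin
          livenessProbe:
            httpGet:
              path: /live
              port: 4191
            initialDelaySeconds: 10
            timeoutSeconds: 1
          readinessProbe:
            httpGet:
              path: /ready
              port: 4191
            initialDelaySeconds: 2
            timeoutSeconds: 1
          resources:
            limits:
              memory: "250Mi"
            requests:
              cpu: "100m"
              memory: "20Mi"
          # Hardened: non-root UID, no capabilities, read-only root FS.
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
            readOnlyRootFilesystem: true
            runAsNonRoot: true
            runAsUser: 2102
            seccompProfile:
              type: RuntimeDefault
          terminationMessagePolicy: FallbackToLogsOnError
          lifecycle:
            postStart:
              exec:
                command:
                  - /usr/lib/linkerd/linkerd-await
                  - --timeout=2m
                  - --port=4191
          volumeMounts:
            - mountPath: /var/run/linkerd/identity/end-entity
              name: linkerd-identity-end-entity
            - mountPath: /var/run/secrets/tokens
              name: linkerd-identity-token
        # --- Destination controller ------------------------------------------
        - name: destination
          image: cr.l5d.io/linkerd/controller:linkerd-version
          imagePullPolicy: IfNotPresent
          args:
            - destination
            - -addr=:8086
            - -controller-namespace=linkerd-dev
            - -enable-h2-upgrade=true
            - -log-level=info
            - -log-format=plain
            - -enable-endpoint-slices=true
            - -cluster-domain=cluster.local
            - -identity-trust-domain=test.trust.domain
            - -default-opaque-ports=25,587,3306,4444,5432,6379,9300,11211
            - -enable-ipv6=false
            - -enable-pprof=false
            # Quoted so the embedded JSON braces, colons and commas can never
            # be read as YAML syntax; the string value itself is unchanged.
            - '--meshed-http2-client-params={"keep_alive":{"interval":{"seconds":10},"timeout":{"seconds":3},"while_idle":true}}'
          ports:
            - containerPort: 8086
              name: grpc
            - containerPort: 9996
              name: admin-http
          livenessProbe:
            httpGet:
              path: /ping
              port: 9996
            initialDelaySeconds: 10
          readinessProbe:
            failureThreshold: 7
            httpGet:
              path: /ready
              port: 9996
          resources:
            limits:
              memory: "250Mi"
            requests:
              cpu: "100m"
              memory: "50Mi"
          securityContext:
            capabilities:
              drop:
                - ALL
            readOnlyRootFilesystem: true
            runAsNonRoot: true
            runAsUser: 2103
            allowPrivilegeEscalation: false
            seccompProfile:
              type: RuntimeDefault
        # --- ServiceProfile validator ----------------------------------------
        # NOTE(review): unlike its siblings, this container renders no
        # resources block at all, so it runs without requests or limits.
        - name: sp-validator
          image: cr.l5d.io/linkerd/controller:linkerd-version
          imagePullPolicy: IfNotPresent
          args:
            - sp-validator
            - -log-level=info
            - -log-format=plain
            - -enable-pprof=false
          ports:
            - containerPort: 8443
              name: sp-validator
            - containerPort: 9997
              name: admin-http
          livenessProbe:
            httpGet:
              path: /ping
              port: 9997
            initialDelaySeconds: 10
          readinessProbe:
            failureThreshold: 7
            httpGet:
              path: /ready
              port: 9997
          securityContext:
            capabilities:
              drop:
                - ALL
            readOnlyRootFilesystem: true
            runAsNonRoot: true
            runAsUser: 2103
            allowPrivilegeEscalation: false
            seccompProfile:
              type: RuntimeDefault
          volumeMounts:
            # TLS key pair from the linkerd-sp-validator-k8s-tls Secret.
            - mountPath: /var/run/linkerd/tls
              name: sp-tls
              readOnly: true
        # --- Policy controller -----------------------------------------------
        - name: policy
          image: cr.l5d.io/linkerd/policy-controller:linkerd-version
          imagePullPolicy: IfNotPresent
          args:
            - --admin-addr=[::]:9990
            - --control-plane-namespace=linkerd-dev
            - --grpc-addr=[::]:8090
            - --server-addr=[::]:9443
            - --server-tls-key=/var/run/linkerd/tls/tls.key
            - --server-tls-certs=/var/run/linkerd/tls/tls.crt
            - --cluster-networks=10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16,fd00::/8
            - --identity-domain=test.trust.domain
            - --cluster-domain=cluster.local
            # Cluster-wide default: inbound traffic is allowed without an
            # authenticated mesh identity unless a policy resource overrides it.
            - --default-policy=all-unauthenticated
            - --log-level=info
            - --log-format=plain
            - --default-opaque-ports=25,587,3306,4444,5432,6379,9300,11211
            # 0.0.0.0/0,::/0 covers every source address; presumably this is
            # the set of networks probes may originate from -- TODO confirm
            # and narrow to the node/kubelet ranges where they are known.
            - --probe-networks=0.0.0.0/0,::/0
          ports:
            - containerPort: 8090
              name: grpc
            - containerPort: 9990
              name: admin-http
            - containerPort: 9443
              name: policy-https
          livenessProbe:
            httpGet:
              path: /live
              port: admin-http
          readinessProbe:
            failureThreshold: 7
            httpGet:
              path: /ready
              port: admin-http
            initialDelaySeconds: 10
          # The rendered manifest had a bare "resources:" key (YAML null).
          # Written as an explicit empty mapping: same effect, no ambiguity.
          # No requests or limits are set for this container, unlike the
          # proxy and destination containers above.
          resources: {}
          securityContext:
            capabilities:
              drop:
                - ALL
            readOnlyRootFilesystem: true
            runAsNonRoot: true
            runAsUser: 2103
            allowPrivilegeEscalation: false
            seccompProfile:
              type: RuntimeDefault
          volumeMounts:
            # TLS key pair from the linkerd-policy-validator-k8s-tls Secret.
            - mountPath: /var/run/linkerd/tls
              name: policy-tls
              readOnly: true
      initContainers:
        # Sets up traffic redirection to the proxy ports before the app
        # containers start. It is the only container in the pod that adds
        # capabilities (NET_ADMIN, NET_RAW); it is not privileged and runs
        # as the non-root UID/GID 65534.
        - name: linkerd-init
          image: cr.l5d.io/linkerd/proxy-init:test-proxy-init-version
          imagePullPolicy: IfNotPresent
          args:
            - --ipv6=false
            - --incoming-proxy-port
            - "4143"
            - --outgoing-proxy-port
            - "4140"
            - --proxy-uid
            - "2102"
            - --inbound-ports-to-ignore
            - "4190,4191,444"
            - --outbound-ports-to-ignore
            - "443,6443"
          resources:
            limits:
              cpu: "100m"
              memory: "20Mi"
            requests:
              cpu: "100m"
              memory: "20Mi"
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              add:
                - NET_ADMIN
                - NET_RAW
            privileged: false
            runAsNonRoot: true
            runAsUser: 65534
            runAsGroup: 65534
            readOnlyRootFilesystem: true
            seccompProfile:
              type: RuntimeDefault
          terminationMessagePolicy: FallbackToLogsOnError
          volumeMounts:
            - mountPath: /run
              name: linkerd-proxy-init-xtables-lock
      securityContext:
        seccompProfile:
          type: RuntimeDefault
      serviceAccountName: linkerd-destination
      volumes:
        - name: sp-tls
          secret:
            secretName: linkerd-sp-validator-k8s-tls
        - name: policy-tls
          secret:
            secretName: linkerd-policy-validator-k8s-tls
        - emptyDir: {}
          name: linkerd-proxy-init-xtables-lock
        # Projected service-account token scoped to the identity.l5d.io
        # audience, with a 24-hour (86400 s) expiry.
        - name: linkerd-identity-token
          projected:
            sources:
              - serviceAccountToken:
                  path: linkerd-identity-token
                  expirationSeconds: 86400
                  audience: identity.l5d.io
        # Memory-backed emptyDir: identity material placed here is not
        # written to node disk.
        - emptyDir:
            medium: Memory
          name: linkerd-identity-end-entity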
1779---
1780# Source: linkerd-control-plane/templates/heartbeat.yaml
1781---
1782###
1783### Heartbeat
1784###
# Heartbeat CronJob: runs the controller image with the "heartbeat"
# subcommand on a cron schedule. The pod is not meshed (see LINKERD_DISABLED).
apiVersion: batch/v1
kind: CronJob
metadata:
  name: linkerd-heartbeat
  namespace: linkerd-dev
  annotations:
    linkerd.io/created-by: linkerd/helm linkerd-version
  labels:
    app.kubernetes.io/name: heartbeat
    app.kubernetes.io/part-of: Linkerd
    app.kubernetes.io/version: linkerd-version
    linkerd.io/control-plane-component: heartbeat
    linkerd.io/control-plane-ns: linkerd-dev
spec:
  # A run that is still active when the next one is due gets replaced.
  concurrencyPolicy: Replace
  # Five-field cron expression; "1 2 3 4 5" looks like a fixture value
  # rather than a production schedule -- TODO confirm.
  schedule: "1 2 3 4 5"
  # Completed Jobs are not retained.
  successfulJobsHistoryLimit: 0
  jobTemplate:
    spec:
      template:
        metadata:
          annotations:
            linkerd.io/created-by: linkerd/helm linkerd-version
            asda: fasda
            bingo: bongo
          labels:
            linkerd.io/control-plane-component: heartbeat
            linkerd.io/workload-ns: linkerd-dev
            fiz: buz
            foo: bar
        spec:
          nodeSelector:
            kubernetes.io/os: linux
          securityContext:
            seccompProfile:
              type: RuntimeDefault
          serviceAccountName: linkerd-heartbeat
          restartPolicy: Never
          containers:
            - name: heartbeat
              image: cr.l5d.io/linkerd/controller:linkerd-version
              imagePullPolicy: IfNotPresent
              env:
                - name: LINKERD_DISABLED
                  value: "the heartbeat controller does not use the proxy"
              args:
                - "heartbeat"
                - "-controller-namespace=linkerd-dev"
                - "-log-level=info"
                - "-log-format=plain"
                # Plain-HTTP URL from an unmeshed pod, so presumably no proxy
                # mTLS protects this hop -- confirm against the viz install.
                - "-prometheus-url=http://prometheus.linkerd-viz.svc.cluster.local:9090"
              resources:
                limits:
                  memory: "250Mi"
                requests:
                  cpu: "100m"
                  memory: "50Mi"
              # Hardened: non-root UID, no capabilities, read-only root FS.
              securityContext:
                capabilities:
                  drop:
                    - ALL
                readOnlyRootFilesystem: true
                runAsNonRoot: true
                runAsUser: 2103
                allowPrivilegeEscalation: false
                seccompProfile:
                  type: RuntimeDefault
1852---
1853# Source: linkerd-control-plane/templates/proxy-injector.yaml
1854---
1855###
1856### Proxy Injector
1857###
# Proxy injector Deployment. Each of the three replicas runs the
# linkerd-proxy sidecar and the proxy-injector container, plus the
# linkerd-init init container.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: linkerd-proxy-injector
  namespace: linkerd-dev
  annotations:
    linkerd.io/created-by: linkerd/helm linkerd-version
  labels:
    app.kubernetes.io/name: proxy-injector
    app.kubernetes.io/part-of: Linkerd
    app.kubernetes.io/version: linkerd-version
    linkerd.io/control-plane-component: proxy-injector
    linkerd.io/control-plane-ns: linkerd-dev
spec:
  replicas: 3
  revisionHistoryLimit: 10
  selector:
    matchLabels:
      linkerd.io/control-plane-component: proxy-injector
  strategy:
    rollingUpdate:
      maxSurge: 25%
      maxUnavailable: 1
  template:
    metadata:
      annotations:
        checksum/config: fd3a1b10afd0c6c39c7c63f51aece4a849b0e47ba992a6612a1a5fa99211b084
        linkerd.io/created-by: linkerd/helm linkerd-version
        linkerd.io/proxy-version: test-proxy-version
        cluster-autoscaler.kubernetes.io/safe-to-evict: "true"
        linkerd.io/trust-root-sha256: f8ebf807fa1cf5bf3b40e94680a5fc91593782385f28c96eae7bb6672dba375e
        # asda/bingo (and the fiz/foo labels below) look like arbitrary
        # user-supplied test values -- TODO confirm against the chart values.
        asda: fasda
        bingo: bongo
        # 8443 is the injector's webhook containerPort (named
        # "proxy-injector" below); the proxy treats it as opaque.
        config.linkerd.io/opaque-ports: "8443"
        # all-unauthenticated: the proxy's default inbound policy does not
        # require a meshed (mTLS) client identity.
        config.linkerd.io/default-inbound-policy: "all-unauthenticated"
      labels:
        linkerd.io/control-plane-component: proxy-injector
        linkerd.io/control-plane-ns: linkerd-dev
        linkerd.io/workload-ns: linkerd-dev
        linkerd.io/proxy-deployment: linkerd-proxy-injector
        fiz: buz
        foo: bar
    spec:
      nodeSelector:
        kubernetes.io/os: linux
      affinity:
        podAntiAffinity:
          # Soft rule: prefer spreading injector pods across zones.
          preferredDuringSchedulingIgnoredDuringExecution:
            - podAffinityTerm:
                labelSelector:
                  matchExpressions:
                    - key: linkerd.io/control-plane-component
                      operator: In
                      values:
                        - proxy-injector
                topologyKey: topology.kubernetes.io/zone
              weight: 100
          # Hard rule: never co-locate two injector pods on one node, so
          # three replicas need at least three schedulable nodes.
          requiredDuringSchedulingIgnoredDuringExecution:
            - labelSelector:
                matchExpressions:
                  - key: linkerd.io/control-plane-component
                    operator: In
                    values:
                      - proxy-injector
              topologyKey: kubernetes.io/hostname
      containers:
        # --- Sidecar proxy ---------------------------------------------------
        - name: linkerd-proxy
          # The tag looks like a fixture placeholder; a real deployment should
          # reference a released version, ideally pinned by digest.
          image: cr.l5d.io/linkerd/proxy:test-proxy-version
          imagePullPolicy: IfNotPresent
          # Order matters: the _pod_* variables must be declared before the
          # entries that reference them through $(...) expansion.
          env:
            - name: _pod_name
              valueFrom:
                fieldRef:
                  fieldPath: metadata.name
            - name: _pod_ns
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
            - name: _pod_nodeName
              valueFrom:
                fieldRef:
                  fieldPath: spec.nodeName
            - name: LINKERD2_PROXY_LOG
              value: "warn,linkerd=info,trust_dns=error"
            - name: LINKERD2_PROXY_LOG_FORMAT
              value: "plain"
            # The destination and policy controllers are reached through
            # their headless Services in the linkerd-dev namespace.
            - name: LINKERD2_PROXY_DESTINATION_SVC_ADDR
              value: linkerd-dst-headless.linkerd-dev.svc.cluster.local.:8086
            - name: LINKERD2_PROXY_DESTINATION_PROFILE_NETWORKS
              value: "10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16,fd00::/8"
            - name: LINKERD2_PROXY_POLICY_SVC_ADDR
              value: linkerd-policy.linkerd-dev.svc.cluster.local.:8090
            - name: LINKERD2_PROXY_POLICY_WORKLOAD
              value: |
                {"ns":"$(_pod_ns)", "pod":"$(_pod_name)"}
            # Same permissive default as the pod annotation above.
            - name: LINKERD2_PROXY_INBOUND_DEFAULT_POLICY
              value: all-unauthenticated
            - name: LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS
              value: "10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16,fd00::/8"
            - name: LINKERD2_PROXY_CONTROL_STREAM_INITIAL_TIMEOUT
              value: "3s"
            - name: LINKERD2_PROXY_CONTROL_STREAM_IDLE_TIMEOUT
              value: "5m"
            - name: LINKERD2_PROXY_CONTROL_STREAM_LIFETIME
              value: "1h"
            - name: LINKERD2_PROXY_INBOUND_CONNECT_TIMEOUT
              value: "100ms"
            - name: LINKERD2_PROXY_OUTBOUND_CONNECT_TIMEOUT
              value: "1000ms"
            - name: LINKERD2_PROXY_OUTBOUND_DISCOVERY_IDLE_TIMEOUT
              value: "5s"
            - name: LINKERD2_PROXY_INBOUND_DISCOVERY_IDLE_TIMEOUT
              value: "90s"
            # Control, admin and inbound listeners bind to all addresses;
            # the outbound listener is loopback-only.
            - name: LINKERD2_PROXY_CONTROL_LISTEN_ADDR
              value: "[::]:4190"
            - name: LINKERD2_PROXY_ADMIN_LISTEN_ADDR
              value: "[::]:4191"
            - name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDR
              value: "127.0.0.1:4140"
            - name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDRS
              value: "127.0.0.1:4140"
            - name: LINKERD2_PROXY_INBOUND_LISTEN_ADDR
              value: "[::]:4143"
            - name: LINKERD2_PROXY_INBOUND_IPS
              valueFrom:
                fieldRef:
                  fieldPath: status.podIPs
            # Matches the proxy-injector container's two containerPorts.
            - name: LINKERD2_PROXY_INBOUND_PORTS
              value: "8443,9995"
            - name: LINKERD2_PROXY_DESTINATION_PROFILE_SUFFIXES
              value: svc.cluster.local.
            - name: LINKERD2_PROXY_INBOUND_ACCEPT_KEEPALIVE
              value: 10000ms
            - name: LINKERD2_PROXY_OUTBOUND_CONNECT_KEEPALIVE
              value: 10000ms
            - name: LINKERD2_PROXY_INBOUND_SERVER_HTTP2_KEEP_ALIVE_INTERVAL
              value: "10s"
            - name: LINKERD2_PROXY_INBOUND_SERVER_HTTP2_KEEP_ALIVE_TIMEOUT
              value: "3s"
            - name: LINKERD2_PROXY_OUTBOUND_SERVER_HTTP2_KEEP_ALIVE_INTERVAL
              value: "10s"
            - name: LINKERD2_PROXY_OUTBOUND_SERVER_HTTP2_KEEP_ALIVE_TIMEOUT
              value: "3s"
            - name: LINKERD2_PROXY_INBOUND_PORTS_DISABLE_PROTOCOL_DETECTION
              value: "25,587,3306,4444,5432,6379,9300,11211"
            - name: LINKERD2_PROXY_DESTINATION_CONTEXT
              value: |
                {"ns":"$(_pod_ns)", "nodeName":"$(_pod_nodeName)", "pod":"$(_pod_name)"}
            - name: _pod_sa
              valueFrom:
                fieldRef:
                  fieldPath: spec.serviceAccountName
            - name: _l5d_ns
              value: linkerd-dev
            - name: _l5d_trustdomain
              value: test.trust.domain
            # Identity material: the end-entity directory is the in-memory
            # emptyDir mounted below; trust anchors come from a ConfigMap.
            - name: LINKERD2_PROXY_IDENTITY_DIR
              value: /var/run/linkerd/identity/end-entity
            - name: LINKERD2_PROXY_IDENTITY_TRUST_ANCHORS
              valueFrom:
                configMapKeyRef:
                  name: linkerd-identity-trust-roots
                  key: ca-bundle.crt
            - name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE
              value: /var/run/secrets/tokens/linkerd-identity-token
            - name: LINKERD2_PROXY_IDENTITY_SVC_ADDR
              value: linkerd-identity-headless.linkerd-dev.svc.cluster.local.:8080
            - name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME
              value: $(_pod_sa).$(_pod_ns).serviceaccount.identity.linkerd-dev.test.trust.domain
            - name: LINKERD2_PROXY_IDENTITY_SVC_NAME
              value: linkerd-identity.linkerd-dev.serviceaccount.identity.linkerd-dev.test.trust.domain
            - name: LINKERD2_PROXY_DESTINATION_SVC_NAME
              value: linkerd-destination.linkerd-dev.serviceaccount.identity.linkerd-dev.test.trust.domain
            - name: LINKERD2_PROXY_POLICY_SVC_NAME
              value: linkerd-destination.linkerd-dev.serviceaccount.identity.linkerd-dev.test.trust.domain
          ports:
            - containerPort: 4143
              name: linkerd-proxy
            - containerPort: 4191
              name: linkerd-admin
          livenessProbe:
            httpGet:
              path: /live
              port: 4191
            initialDelaySeconds: 10
            timeoutSeconds: 1
          readinessProbe:
            httpGet:
              path: /ready
              port: 4191
            initialDelaySeconds: 2
            timeoutSeconds: 1
          resources:
            limits:
              memory: "250Mi"
            requests:
              cpu: "100m"
              memory: "20Mi"
          # Hardened: non-root UID, no capabilities, read-only root FS.
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
            readOnlyRootFilesystem: true
            runAsNonRoot: true
            runAsUser: 2102
            seccompProfile:
              type: RuntimeDefault
          terminationMessagePolicy: FallbackToLogsOnError
          lifecycle:
            postStart:
              exec:
                command:
                  - /usr/lib/linkerd/linkerd-await
                  - --timeout=2m
                  - --port=4191
          volumeMounts:
            - mountPath: /var/run/linkerd/identity/end-entity
              name: linkerd-identity-end-entity
            - mountPath: /var/run/secrets/tokens
              name: linkerd-identity-token
        # --- Proxy injector --------------------------------------------------
        - name: proxy-injector
          image: cr.l5d.io/linkerd/controller:linkerd-version
          imagePullPolicy: IfNotPresent
          args:
            - proxy-injector
            - -log-level=info
            - -log-format=plain
            - -linkerd-namespace=linkerd-dev
            - -enable-pprof=false
          ports:
            - containerPort: 8443
              name: proxy-injector
            - containerPort: 9995
              name: admin-http
          livenessProbe:
            httpGet:
              path: /ping
              port: 9995
            initialDelaySeconds: 10
          readinessProbe:
            failureThreshold: 7
            httpGet:
              path: /ready
              port: 9995
          resources:
            limits:
              memory: "250Mi"
            requests:
              cpu: "100m"
              memory: "50Mi"
          securityContext:
            capabilities:
              drop:
                - ALL
            readOnlyRootFilesystem: true
            runAsNonRoot: true
            runAsUser: 2103
            allowPrivilegeEscalation: false
            seccompProfile:
              type: RuntimeDefault
          volumeMounts:
            - mountPath: /var/run/linkerd/config
              name: config
            - mountPath: /var/run/linkerd/identity/trust-roots
              name: trust-roots
            # TLS key pair from the linkerd-proxy-injector-k8s-tls Secret;
            # the only mount of the three that is marked read-only here.
            - mountPath: /var/run/linkerd/tls
              name: tls
              readOnly: true
      initContainers:
        # Sets up traffic redirection to the proxy ports before the app
        # containers start. It is the only container in the pod that adds
        # capabilities (NET_ADMIN, NET_RAW); it is not privileged and runs
        # as the non-root UID/GID 65534.
        - name: linkerd-init
          image: cr.l5d.io/linkerd/proxy-init:test-proxy-init-version
          imagePullPolicy: IfNotPresent
          args:
            - --ipv6=false
            - --incoming-proxy-port
            - "4143"
            - --outgoing-proxy-port
            - "4140"
            - --proxy-uid
            - "2102"
            - --inbound-ports-to-ignore
            - "4190,4191,444"
            - --outbound-ports-to-ignore
            - "443,6443"
          resources:
            limits:
              cpu: "100m"
              memory: "20Mi"
            requests:
              cpu: "100m"
              memory: "20Mi"
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              add:
                - NET_ADMIN
                - NET_RAW
            privileged: false
            runAsNonRoot: true
            runAsUser: 65534
            runAsGroup: 65534
            readOnlyRootFilesystem: true
            seccompProfile:
              type: RuntimeDefault
          terminationMessagePolicy: FallbackToLogsOnError
          volumeMounts:
            - mountPath: /run
              name: linkerd-proxy-init-xtables-lock
      securityContext:
        seccompProfile:
          type: RuntimeDefault
      serviceAccountName: linkerd-proxy-injector
      volumes:
        - configMap:
            name: linkerd-config
          name: config
        - configMap:
            name: linkerd-identity-trust-roots
          name: trust-roots
        - name: tls
          secret:
            secretName: linkerd-proxy-injector-k8s-tls
        - emptyDir: {}
          name: linkerd-proxy-init-xtables-lock
        # Projected service-account token scoped to the identity.l5d.io
        # audience, with a 24-hour (86400 s) expiry.
        - name: linkerd-identity-token
          projected:
            sources:
              - serviceAccountToken:
                  path: linkerd-identity-token
                  expirationSeconds: 86400
                  audience: identity.l5d.io
        # Memory-backed emptyDir: identity material placed here is not
        # written to node disk.
        - emptyDir:
            medium: Memory
          name: linkerd-identity-end-entity
2193---
# Service in front of the proxy injector webhook. Port 443 is forwarded to
# the container port named "proxy-injector" on the injector pods.
apiVersion: v1
kind: Service
metadata:
  name: linkerd-proxy-injector
  namespace: linkerd-dev
  annotations:
    linkerd.io/created-by: linkerd/helm linkerd-version
    # Port 443 is marked opaque, so the mesh skips protocol detection on it.
    config.linkerd.io/opaque-ports: "443"
  labels:
    linkerd.io/control-plane-component: proxy-injector
    linkerd.io/control-plane-ns: linkerd-dev
spec:
  type: ClusterIP
  selector:
    linkerd.io/control-plane-component: proxy-injector
  ports:
    - name: proxy-injector
      port: 443
      # Named port: resolved against the pod's containerPort names.
      targetPort: proxy-injector
2213---
# Disruption budget for the proxy injector pods: voluntary evictions may take
# down at most one matching pod at a time.
apiVersion: policy/v1
kind: PodDisruptionBudget
metadata:
  name: linkerd-proxy-injector
  namespace: linkerd-dev
  annotations:
    linkerd.io/created-by: linkerd/helm linkerd-version
  labels:
    linkerd.io/control-plane-component: proxy-injector
    linkerd.io/control-plane-ns: linkerd-dev
spec:
  maxUnavailable: 1
  selector:
    matchLabels:
      linkerd.io/control-plane-component: proxy-injector