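---
# Source: linkerd-control-plane/templates/namespace.yaml
---
# Source: linkerd-control-plane/templates/identity-rbac.yaml
---
###
### Identity Controller Service RBAC
###
# Cluster-scoped permissions for the identity controller's ServiceAccount.
# - tokenreviews/create lets the holder submit a token to the API server for
#   validation; it grants no read access to Secrets or to stored tokens.
# - events create/patch applies in every namespace because this is a
#   ClusterRole; the TODO below tracks narrowing it to the Linkerd namespace.
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: linkerd-linkerd-dev-identity
  labels:
    linkerd.io/control-plane-component: identity
    linkerd.io/control-plane-ns: linkerd-dev
rules:
- apiGroups: ["authentication.k8s.io"]
  resources: ["tokenreviews"]
  verbs: ["create"]
# TODO(ver) Restrict this to the Linkerd namespace. See
# https://github.com/linkerd/linkerd2/issues/9367
- apiGroups: [""]
  resources: ["events"]
  verbs: ["create", "patch"]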
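---
# Grants the linkerd-linkerd-dev-identity ClusterRole, cluster-wide, to exactly
# one subject: the linkerd-identity ServiceAccount in linkerd-dev.
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: linkerd-linkerd-dev-identity
  labels:
    linkerd.io/control-plane-component: identity
    linkerd.io/control-plane-ns: linkerd-dev
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: linkerd-linkerd-dev-identity
subjects:
- kind: ServiceAccount
  name: linkerd-identity
  namespace: linkerd-dev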
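---
# ServiceAccount the identity Deployment runs as (serviceAccountName in its pod
# spec). Its API permissions come only from bindings that name this account.
kind: ServiceAccount
apiVersion: v1
metadata:
  name: linkerd-identity
  namespace: linkerd-dev
  labels:
    linkerd.io/control-plane-component: identity
    linkerd.io/control-plane-ns: linkerd-dev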
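---
# Source: linkerd-control-plane/templates/destination-rbac.yaml
---
###
### Destination Controller Service
###
# Cluster-wide permissions for the destination controller.
# Most rules are read-only (list/get/watch). Two rules grant writes in every
# namespace and deserve attention in an RBAC audit:
# - coordination.k8s.io/leases: create/get/update/patch with no resourceNames
#   restriction.
# - discovery.k8s.io/endpointslices: full write access including delete.
#   EndpointSlices decide which backends a Service resolves to, so the bound
#   ServiceAccount should be treated as highly privileged and its token
#   protected accordingly.
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: linkerd-linkerd-dev-destination
  labels:
    linkerd.io/control-plane-component: destination
    linkerd.io/control-plane-ns: linkerd-dev
rules:
- apiGroups: ["apps"]
  resources: ["replicasets"]
  verbs: ["list", "get", "watch"]
- apiGroups: ["batch"]
  resources: ["jobs"]
  verbs: ["list", "get", "watch"]
- apiGroups: [""]
  resources: ["pods", "endpoints", "services", "nodes"]
  verbs: ["list", "get", "watch"]
- apiGroups: ["linkerd.io"]
  resources: ["serviceprofiles"]
  verbs: ["list", "get", "watch"]
- apiGroups: ["workload.linkerd.io"]
  resources: ["externalworkloads"]
  verbs: ["list", "get", "watch"]
- apiGroups: ["coordination.k8s.io"]
  resources: ["leases"]
  verbs: ["create", "get", "update", "patch"]
- apiGroups: ["discovery.k8s.io"]
  resources: ["endpointslices"]
  verbs: ["list", "get", "watch", "create", "update", "patch", "delete"]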
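---
# Grants the linkerd-linkerd-dev-destination ClusterRole, cluster-wide, to the
# linkerd-destination ServiceAccount in linkerd-dev.
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: linkerd-linkerd-dev-destination
  labels:
    linkerd.io/control-plane-component: destination
    linkerd.io/control-plane-ns: linkerd-dev
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: linkerd-linkerd-dev-destination
subjects:
- kind: ServiceAccount
  name: linkerd-destination
  namespace: linkerd-dev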
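---
# ServiceAccount for the destination controller. In this file it is the subject
# of three bindings: linkerd-linkerd-dev-destination, linkerd-destination-policy
# and linkerd-destination-remote-discovery; its effective access is their union.
kind: ServiceAccount
apiVersion: v1
metadata:
  name: linkerd-destination
  namespace: linkerd-dev
  labels:
    linkerd.io/control-plane-component: destination
    linkerd.io/control-plane-ns: linkerd-dev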
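---
# Validates ServiceProfile CREATE/UPDATE through the linkerd-sp-validator
# Service in linkerd-dev.
# - namespaceSelector is opt-in: only namespaces labelled
#   config.linkerd.io/admission-webhooks=enabled are covered. ServiceProfiles
#   created in any other namespace are not checked by this webhook.
# - failurePolicy: Fail rejects matching requests when the webhook cannot be
#   reached (fail closed).
# - caBundle is base64 of the fixture string "test-profile-validator-ca-bundle",
#   not a real CA. A real install needs the CA that signed the webhook's serving
#   certificate, otherwise every matching request fails.
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
  name: linkerd-sp-validator-webhook-config
  labels:
    linkerd.io/control-plane-component: destination
    linkerd.io/control-plane-ns: linkerd-dev
webhooks:
- name: linkerd-sp-validator.linkerd.io
  namespaceSelector:
    matchExpressions:
    - key: config.linkerd.io/admission-webhooks
      operator: In
      values:
      - enabled
  clientConfig:
    service:
      name: linkerd-sp-validator
      namespace: linkerd-dev
      path: "/"
    caBundle: dGVzdC1wcm9maWxlLXZhbGlkYXRvci1jYS1idW5kbGU=
  failurePolicy: Fail
  admissionReviewVersions: ["v1", "v1beta1"]
  rules:
  - operations: ["CREATE", "UPDATE"]
    apiGroups: ["linkerd.io"]
    apiVersions: ["v1alpha1", "v1alpha2"]
    resources: ["serviceprofiles"]
  sideEffects: None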
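---
# Validates CREATE/UPDATE of Linkerd policy resources and Gateway API
# HTTPRoutes through the linkerd-policy-validator Service in linkerd-dev.
# - namespaceSelector is opt-out (NotIn disabled): every namespace is covered
#   unless it carries config.linkerd.io/admission-webhooks=disabled. The
#   sp-validator and proxy-injector webhooks in this file are opt-in instead.
# - Whoever may label a namespace can take it out of validation, so changes to
#   that label are worth alerting on.
# - failurePolicy: Fail rejects matching requests when the webhook is down.
# - caBundle is the same fixture value as on the sp-validator webhook (base64
#   of "test-profile-validator-ca-bundle"); it is not a real CA.
# - DELETE is not listed under operations, so deletions are never reviewed.
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
  name: linkerd-policy-validator-webhook-config
  labels:
    linkerd.io/control-plane-component: destination
    linkerd.io/control-plane-ns: linkerd-dev
webhooks:
- name: linkerd-policy-validator.linkerd.io
  namespaceSelector:
    matchExpressions:
    - key: config.linkerd.io/admission-webhooks
      operator: NotIn
      values:
      - disabled
  clientConfig:
    service:
      name: linkerd-policy-validator
      namespace: linkerd-dev
      path: "/"
    caBundle: dGVzdC1wcm9maWxlLXZhbGlkYXRvci1jYS1idW5kbGU=
  failurePolicy: Fail
  admissionReviewVersions: ["v1", "v1beta1"]
  rules:
  - operations: ["CREATE", "UPDATE"]
    apiGroups: ["policy.linkerd.io"]
    apiVersions: ["*"]
    resources:
    - authorizationpolicies
    - httproutes
    - networkauthentications
    - meshtlsauthentications
    - serverauthorizations
    - servers
  - operations: ["CREATE", "UPDATE"]
    apiGroups: ["gateway.networking.k8s.io"]
    apiVersions: ["*"]
    resources:
    - httproutes
  sideEffects: None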
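---
# Cluster-wide permissions for the policy controller (bound to the
# linkerd-destination ServiceAccount by linkerd-destination-policy).
# Reads: pods, deployments (get only), policy.linkerd.io resources, Gateway API
# HTTPRoutes, ExternalWorkloads.
# Writes are limited to:
# - patch on the httproutes/status subresource (not the route spec), and
# - create/get/patch on coordination.k8s.io leases in every namespace, with no
#   resourceNames restriction.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: linkerd-policy
  labels:
    app.kubernetes.io/part-of: Linkerd
    linkerd.io/control-plane-component: destination
    linkerd.io/control-plane-ns: linkerd-dev
rules:
  - apiGroups:
      - ""
    resources:
      - pods
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - apps
    resources:
      - deployments
    verbs:
      - get
  - apiGroups:
      - policy.linkerd.io
    resources:
      - authorizationpolicies
      - httproutes
      - meshtlsauthentications
      - networkauthentications
      - servers
      - serverauthorizations
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - gateway.networking.k8s.io
    resources:
      - httproutes
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - policy.linkerd.io
    resources:
      - httproutes/status
    verbs:
      - patch
  - apiGroups:
      - gateway.networking.k8s.io
    resources:
      - httproutes/status
    verbs:
      - patch
  - apiGroups:
      - workload.linkerd.io
    resources:
      - externalworkloads
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - coordination.k8s.io
    resources:
      - leases
    verbs:
      - create
      - get
      - patch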
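---
# Grants the linkerd-policy ClusterRole, cluster-wide, to the
# linkerd-destination ServiceAccount in linkerd-dev.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: linkerd-destination-policy
  labels:
    app.kubernetes.io/part-of: Linkerd
    linkerd.io/control-plane-component: destination
    linkerd.io/control-plane-ns: linkerd-dev
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: linkerd-policy
subjects:
  - kind: ServiceAccount
    name: linkerd-destination
    namespace: linkerd-dev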
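---
# Namespaced Role: get/list/watch on every Secret in linkerd-dev, with no
# resourceNames restriction.
# The linkerd-identity-issuer Secret (which carries key.pem) is defined in this
# same namespace, so any subject bound to this Role can read the issuer key.
# The RoleBinding linkerd-destination-remote-discovery binds it to the
# linkerd-destination ServiceAccount, which therefore holds issuer-level trust.
# NOTE(review): if the Secrets this Role is meant to reach can be identified by
# name or kept in a separate namespace, a narrower grant would remove that
# overlap; confirm against what remote discovery actually reads. Audit-log
# reads of Secrets in linkerd-dev by this ServiceAccount either way.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: remote-discovery
  namespace: linkerd-dev
  labels:
    app.kubernetes.io/part-of: Linkerd
    linkerd.io/control-plane-component: destination
    linkerd.io/control-plane-ns: linkerd-dev
rules:
  - apiGroups:
      - ""
    resources:
      - secrets
    verbs:
      - get
      - list
      - watch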
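---
# Binds the remote-discovery Role (read access to all Secrets in linkerd-dev)
# to the linkerd-destination ServiceAccount. The grant is limited to the
# linkerd-dev namespace because both Role and RoleBinding are namespaced.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: linkerd-destination-remote-discovery
  namespace: linkerd-dev
  labels:
    app.kubernetes.io/part-of: Linkerd
    linkerd.io/control-plane-component: destination
    linkerd.io/control-plane-ns: linkerd-dev
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: remote-discovery
subjects:
  - kind: ServiceAccount
    name: linkerd-destination
    namespace: linkerd-dev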
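---
# Source: linkerd-control-plane/templates/heartbeat-rbac.yaml
---
###
### Heartbeat RBAC
###
# Narrowly scoped Role: a single verb (get) on a single named ConfigMap
# (linkerd-config) in linkerd-dev. resourceNames keeps every other ConfigMap
# in the namespace out of reach.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: linkerd-heartbeat
  namespace: linkerd-dev
  labels:
    linkerd.io/control-plane-ns: linkerd-dev
rules:
- apiGroups: [""]
  resources: ["configmaps"]
  verbs: ["get"]
  resourceNames: ["linkerd-config"]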
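---
# Binds the namespaced linkerd-heartbeat Role to the linkerd-heartbeat
# ServiceAccount in linkerd-dev.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: linkerd-heartbeat
  namespace: linkerd-dev
  labels:
    linkerd.io/control-plane-ns: linkerd-dev
roleRef:
  kind: Role
  name: linkerd-heartbeat
  apiGroup: rbac.authorization.k8s.io
subjects:
- kind: ServiceAccount
  name: linkerd-heartbeat
  namespace: linkerd-dev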
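---
# Cluster-wide, read-only: list on namespaces and on ServiceProfiles. No get,
# watch or write verbs are granted.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: linkerd-heartbeat
  labels:
    linkerd.io/control-plane-ns: linkerd-dev
rules:
- apiGroups: [""]
  resources: ["namespaces"]
  verbs: ["list"]
- apiGroups: ["linkerd.io"]
  resources: ["serviceprofiles"]
  verbs: ["list"]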
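---
# Grants the linkerd-heartbeat ClusterRole, cluster-wide, to the
# linkerd-heartbeat ServiceAccount in linkerd-dev.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: linkerd-heartbeat
  labels:
    linkerd.io/control-plane-ns: linkerd-dev
roleRef:
  kind: ClusterRole
  name: linkerd-heartbeat
  apiGroup: rbac.authorization.k8s.io
subjects:
- kind: ServiceAccount
  name: linkerd-heartbeat
  namespace: linkerd-dev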
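---
# ServiceAccount for the heartbeat workload. In this file it is bound to the
# linkerd-heartbeat Role (namespaced) and the linkerd-heartbeat ClusterRole.
kind: ServiceAccount
apiVersion: v1
metadata:
  name: linkerd-heartbeat
  namespace: linkerd-dev
  labels:
    linkerd.io/control-plane-component: heartbeat
    linkerd.io/control-plane-ns: linkerd-dev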
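---
# Source: linkerd-control-plane/templates/podmonitor.yaml

---
# Source: linkerd-control-plane/templates/proxy-injector-rbac.yaml
---
###
### Proxy Injector RBAC
###
# Cluster-wide permissions for the proxy injector.
# - Workload and namespace rules are read-only; pods get list/watch but not get.
# - events create/patch is the only write access and, being in a ClusterRole,
#   applies in every namespace.
# - No rule here touches Secrets or ConfigMaps.
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: linkerd-linkerd-dev-proxy-injector
  labels:
    linkerd.io/control-plane-component: proxy-injector
    linkerd.io/control-plane-ns: linkerd-dev
rules:
- apiGroups: [""]
  resources: ["events"]
  verbs: ["create", "patch"]
- apiGroups: [""]
  resources: ["namespaces", "replicationcontrollers"]
  verbs: ["list", "get", "watch"]
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["list", "watch"]
- apiGroups: ["extensions", "apps"]
  resources: ["deployments", "replicasets", "daemonsets", "statefulsets"]
  verbs: ["list", "get", "watch"]
- apiGroups: ["extensions", "batch"]
  resources: ["cronjobs", "jobs"]
  verbs: ["list", "get", "watch"]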
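---
# Grants the linkerd-linkerd-dev-proxy-injector ClusterRole, cluster-wide, to
# the linkerd-proxy-injector ServiceAccount in linkerd-dev.
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: linkerd-linkerd-dev-proxy-injector
  labels:
    linkerd.io/control-plane-component: proxy-injector
    linkerd.io/control-plane-ns: linkerd-dev
subjects:
- kind: ServiceAccount
  name: linkerd-proxy-injector
  namespace: linkerd-dev
  apiGroup: ""
roleRef:
  kind: ClusterRole
  name: linkerd-linkerd-dev-proxy-injector
  apiGroup: rbac.authorization.k8s.io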
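---
# ServiceAccount for the proxy injector; its permissions come from the
# linkerd-linkerd-dev-proxy-injector ClusterRoleBinding.
kind: ServiceAccount
apiVersion: v1
metadata:
  name: linkerd-proxy-injector
  namespace: linkerd-dev
  labels:
    linkerd.io/control-plane-component: proxy-injector
    linkerd.io/control-plane-ns: linkerd-dev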
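---
# Mutating webhook: sends CREATE requests for pods and services to the
# linkerd-proxy-injector Service in linkerd-dev, which may rewrite them.
# - namespaceSelector is opt-in: only namespaces labelled
#   config.linkerd.io/admission-webhooks=enabled are intercepted.
# - objectSelector is null, so no per-object filter narrows that further.
# - failurePolicy: Fail with timeoutSeconds: 10 means that when the injector
#   is unreachable, pod and service creation in opted-in namespaces is rejected
#   after up to 10 seconds. That trades availability for never admitting an
#   unreviewed pod; monitor injector health accordingly.
# - caBundle is base64 of the fixture string "test-proxy-injector-ca-bundle",
#   not a real CA.
# - A mutating webhook can change any field of the objects it receives, so
#   write access to this configuration and to the backing Service/Deployment
#   should be restricted to cluster administrators.
apiVersion: admissionregistration.k8s.io/v1
kind: MutatingWebhookConfiguration
metadata:
  name: linkerd-proxy-injector-webhook-config
  labels:
    linkerd.io/control-plane-component: proxy-injector
    linkerd.io/control-plane-ns: linkerd-dev
webhooks:
- name: linkerd-proxy-injector.linkerd.io
  namespaceSelector:
    matchExpressions:
    - key: config.linkerd.io/admission-webhooks
      operator: In
      values:
      - enabled
  objectSelector:
    null
  clientConfig:
    service:
      name: linkerd-proxy-injector
      namespace: linkerd-dev
      path: "/"
    caBundle: dGVzdC1wcm94eS1pbmplY3Rvci1jYS1idW5kbGU=
  failurePolicy: Fail
  admissionReviewVersions: ["v1", "v1beta1"]
  rules:
  - operations: [ "CREATE" ]
    apiGroups: [""]
    apiVersions: ["v1"]
    resources: ["pods", "services"]
    scope: "Namespaced"
  sideEffects: None
  timeoutSeconds: 10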
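---
# Source: linkerd-control-plane/templates/psp.yaml
---
# Source: linkerd-control-plane/templates/config.yaml
---
# linkerd-config stores the chart values as a single YAML string under
# data.values. It is a ConfigMap, not a Secret, and the linkerd-heartbeat and
# ext-namespace-metadata-linkerd-config Roles in this file grant get on it, so
# nothing confidential belongs in values.
# What is visible here is certificate-side material only
# (identity.issuer.tls.crtPEM, identityTrustAnchorsPEM, the caBundle entries),
# all test placeholders; no private-key field appears under identity.issuer.tls.
# Settings worth a second look when this fixture is compared to a real install:
# - proxy.defaultInboundPolicy: all-unauthenticated - inbound traffic is allowed
#   without a mesh identity unless a more specific policy applies.
# - policyController.probeNetworks: 0.0.0.0/0 and ::/0 - the widest possible
#   ranges. NOTE(review): presumably the source networks probes are accepted
#   from; confirm and narrow to node/kubelet ranges where known.
# - networkValidator.logLevel: debug - verbose logging in a default value.
# - proxyInit.privileged: false and runAsRoot: false - matches the init
#   container securityContext in the identity Deployment.
# - podMonitor.controller.namespaceSelector keeps the literal text
#   "{{ .Release.Namespace }}"; it is stored unrendered inside the string.
# - webhookFailurePolicy: Fail - matches failurePolicy on the three webhook
#   configurations in this file.
kind: ConfigMap
apiVersion: v1
metadata:
  name: linkerd-config
  namespace: linkerd-dev
  labels:
    linkerd.io/control-plane-component: controller
    linkerd.io/control-plane-ns: linkerd-dev
  annotations:
    linkerd.io/created-by: linkerd/helm linkerd-version
data:
  linkerd-crds-chart-version: linkerd-crds-1.0.0-edge
  values: |
    cliVersion: ""
    clusterDomain: cluster.local
    clusterNetworks: 10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16,fd00::/8
    cniEnabled: false
    controlPlaneTracing: false
    controlPlaneTracingNamespace: linkerd-jaeger
    controller:
      podDisruptionBudget:
        maxUnavailable: 1
    controllerGID: -1
    controllerImage: cr.l5d.io/linkerd/controller
    controllerLogFormat: plain
    controllerLogLevel: info
    controllerReplicas: 3
    controllerUID: 2103
    debugContainer:
      image:
        name: cr.l5d.io/linkerd/debug
        pullPolicy: ""
        version: test-debug-version
    deploymentStrategy:
      rollingUpdate:
        maxSurge: 25%
        maxUnavailable: 1
    destinationController:
      meshedHttp2ClientProtobuf:
        keep_alive:
          interval:
            seconds: 10
          timeout:
            seconds: 3
          while_idle: true
    destinationProxyResources: null
    destinationResources:
      cpu:
        limit: ""
        request: 100m
      ephemeral-storage:
        limit: ""
        request: ""
      memory:
        limit: 250Mi
        request: 50Mi
    disableHeartBeat: false
    disableIPv6: true
    enableEndpointSlices: true
    enableH2Upgrade: true
    enablePodAntiAffinity: true
    enablePodDisruptionBudget: true
    heartbeat: null
    heartbeatResources:
      cpu:
        limit: ""
        request: 100m
      ephemeral-storage:
        limit: ""
        request: ""
      memory:
        limit: 250Mi
        request: 50Mi
    heartbeatSchedule: 1 2 3 4 5
    highAvailability: true
    identity:
      additionalEnv: null
      experimentalEnv: null
      externalCA: false
      issuer:
        clockSkewAllowance: 20s
        issuanceLifetime: 24h0m0s
        scheme: linkerd.io/tls
        tls:
          crtPEM: test-crt-pem
      kubeAPI:
        clientBurst: 200
        clientQPS: 100
      serviceAccountTokenProjection: true
    identityProxyResources: null
    identityResources:
      cpu:
        limit: ""
        request: 100m
      ephemeral-storage:
        limit: ""
        request: ""
      memory:
        limit: 250Mi
        request: 10Mi
    identityTrustAnchorsPEM: test-trust-anchor
    identityTrustDomain: test.trust.domain
    imagePullPolicy: IfNotPresent
    imagePullSecrets: null
    linkerdVersion: linkerd-version
    networkValidator:
      connectAddr: 1.1.1.1:20001
      enableSecurityContext: true
      listenAddr: 0.0.0.0:4140
      logFormat: plain
      logLevel: debug
      timeout: 10s
    nodeAffinity: null
    nodeSelector:
      kubernetes.io/os: linux
    podAnnotations: {}
    podLabels: {}
    podMonitor:
      controller:
        enabled: true
        namespaceSelector: |
          matchNames:
            - {{ .Release.Namespace }}
            - linkerd-viz
            - linkerd-jaeger
      enabled: false
      proxy:
        enabled: true
      scrapeInterval: 10s
      scrapeTimeout: 10s
      serviceMirror:
        enabled: true
    policyController:
      image:
        name: cr.l5d.io/linkerd/policy-controller
        pullPolicy: ""
        version: ""
      logLevel: info
      probeNetworks:
      - 0.0.0.0/0
      - ::/0
      resources:
        cpu:
          limit: ""
          request: ""
        ephemeral-storage:
          limit: ""
          request: ""
        memory:
          limit: ""
          request: ""
    policyValidator:
      caBundle: test-profile-validator-ca-bundle
      crtPEM: ""
      externalSecret: true
      injectCaFrom: ""
      injectCaFromSecret: ""
      namespaceSelector:
        matchExpressions:
        - key: config.linkerd.io/admission-webhooks
          operator: NotIn
          values:
          - disabled
    priorityClassName: ""
    profileValidator:
      caBundle: test-profile-validator-ca-bundle
      crtPEM: ""
      externalSecret: true
      injectCaFrom: ""
      injectCaFromSecret: ""
      namespaceSelector:
        matchExpressions:
        - key: config.linkerd.io/admission-webhooks
          operator: In
          values:
          - enabled
    prometheusUrl: ""
    proxy:
      accessLog: ""
      additionalEnv: null
      await: true
      capabilities: null
      control:
        streams:
          idleTimeout: 5m
          initialTimeout: 3s
          lifetime: 1h
      defaultInboundPolicy: all-unauthenticated
      disableInboundProtocolDetectTimeout: false
      disableOutboundProtocolDetectTimeout: false
      enableExternalProfiles: false
      experimentalEnv: null
      gid: -1
      image:
        name: cr.l5d.io/linkerd/proxy
        pullPolicy: ""
        version: test-proxy-version
      inbound:
        server:
          http2:
            keepAliveInterval: 10s
            keepAliveTimeout: 3s
      inboundConnectTimeout: 100ms
      inboundDiscoveryCacheUnusedTimeout: 90s
      isGateway: false
      isIngress: false
      livenessProbe:
        initialDelaySeconds: 10
        timeoutSeconds: 1
      logFormat: plain
      logLevel: warn,linkerd=info,trust_dns=error
      nativeSidecar: false
      opaquePorts: 25,587,3306,4444,5432,6379,9300,11211
      outbound:
        server:
          http2:
            keepAliveInterval: 10s
            keepAliveTimeout: 3s
      outboundConnectTimeout: 1000ms
      outboundDiscoveryCacheUnusedTimeout: 5s
      podInboundPorts: ""
      ports:
        admin: 4191
        control: 4190
        inbound: 4143
        outbound: 4140
      readinessProbe:
        initialDelaySeconds: 2
        timeoutSeconds: 1
      requireIdentityOnInboundPorts: ""
      resources:
        cpu:
          limit: ""
          request: 100m
        ephemeral-storage:
          limit: ""
          request: ""
        memory:
          limit: 250Mi
          request: 20Mi
      saMountPath: null
      shutdownGracePeriod: ""
      startupProbe:
        failureThreshold: 120
        initialDelaySeconds: 0
        periodSeconds: 1
      uid: 2102
      waitBeforeExitSeconds: 0
    proxyContainerName: linkerd-proxy
    proxyInit:
      capabilities: null
      closeWaitTimeoutSecs: 0
      ignoreInboundPorts: "222"
      ignoreOutboundPorts: "111"
      image:
        name: cr.l5d.io/linkerd/proxy-init
        pullPolicy: ""
        version: test-proxy-init-version
      iptablesMode: legacy
      kubeAPIServerPorts: 443,6443
      logFormat: ""
      logLevel: ""
      privileged: false
      resources:
        cpu:
          limit: 100m
          request: 100m
        ephemeral-storage:
          limit: ""
          request: ""
        memory:
          limit: 20Mi
          request: 20Mi
      runAsGroup: 65534
      runAsRoot: false
      runAsUser: 65534
      saMountPath: null
      skipSubnets: ""
      xtMountPath:
        mountPath: /run
        name: linkerd-proxy-init-xtables-lock
        readOnly: false
    proxyInjector:
      additionalEnv: null
      caBundle: test-proxy-injector-ca-bundle
      crtPEM: ""
      experimentalEnv: null
      externalSecret: true
      injectCaFrom: ""
      injectCaFromSecret: ""
      namespaceSelector:
        matchExpressions:
        - key: config.linkerd.io/admission-webhooks
          operator: In
          values:
          - enabled
    proxyInjectorProxyResources: null
    proxyInjectorResources:
      cpu:
        limit: ""
        request: 100m
      ephemeral-storage:
        limit: ""
        request: ""
      memory:
        limit: 250Mi
        request: 50Mi
    revisionHistoryLimit: 10
    spValidator: null
    tap:
      caBundle: test-tap-ca-bundle
      externalSecret: true
    tolerations: null
    webhookFailurePolicy: Fail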
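---
# Source: linkerd-control-plane/templates/config-rbac.yaml
---
# Narrowly scoped Role: get on the single ConfigMap linkerd-config in
# linkerd-dev. No binding for it appears in this part of the file, so who can
# use it depends on RoleBindings created elsewhere.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  annotations:
    linkerd.io/created-by: linkerd/helm linkerd-version
  name: ext-namespace-metadata-linkerd-config
  namespace: linkerd-dev
rules:
- apiGroups: [""]
  resources: ["configmaps"]
  verbs: ["get"]
  resourceNames: ["linkerd-config"]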
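---
# Source: linkerd-control-plane/templates/identity.yaml
---
###
### Identity Controller Service
###
---
# Issuer certificate and private key used by the identity controller (mounted
# at /var/run/linkerd/identity/issuer in the linkerd-identity Deployment).
# - The values here are base64 of the fixtures "test-crt-pem" and
#   "test-key-pem". base64 is an encoding, not encryption: in a real install a
#   key rendered into this manifest is readable by anyone who can see the
#   rendered output or read Secrets in linkerd-dev.
# - The remote-discovery Role in this file grants get/list/watch on all Secrets
#   in linkerd-dev, which includes this one.
# - linkerd-config shows identity.externalCA: false and
#   identity.issuer.scheme: linkerd.io/tls, i.e. the key material is supplied
#   through chart values rather than managed outside the chart.
kind: Secret
apiVersion: v1
metadata:
  name: linkerd-identity-issuer
  namespace: linkerd-dev
  labels:
    linkerd.io/control-plane-component: identity
    linkerd.io/control-plane-ns: linkerd-dev
  annotations:
    linkerd.io/created-by: linkerd/helm linkerd-version
data:
  crt.pem: dGVzdC1jcnQtcGVt
  key.pem: dGVzdC1rZXktcGVt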
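---
# Trust anchors for the mesh (fixture value "test-trust-anchor"). The content is
# public, so confidentiality is not the concern; integrity is. The proxy in the
# linkerd-identity Deployment loads LINKERD2_PROXY_IDENTITY_TRUST_ANCHORS from
# this ConfigMap's ca-bundle.crt key, so write access to this object decides
# which roots that proxy trusts. Restrict and audit updates to it.
kind: ConfigMap
apiVersion: v1
metadata:
  name: linkerd-identity-trust-roots
  namespace: linkerd-dev
  labels:
    linkerd.io/control-plane-component: identity
    linkerd.io/control-plane-ns: linkerd-dev
  annotations:
    linkerd.io/created-by: linkerd/helm linkerd-version
data:
  ca-bundle.crt: |-
    test-trust-anchor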
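---
# ClusterIP Service for the identity controller's gRPC port (8080). The
# selector uses only the control-plane-component label, so any pod in
# linkerd-dev carrying linkerd.io/control-plane-component=identity becomes a
# backend; limit who may create pods in this namespace.
kind: Service
apiVersion: v1
metadata:
  name: linkerd-identity
  namespace: linkerd-dev
  labels:
    linkerd.io/control-plane-component: identity
    linkerd.io/control-plane-ns: linkerd-dev
  annotations:
    linkerd.io/created-by: linkerd/helm linkerd-version
spec:
  type: ClusterIP
  selector:
    linkerd.io/control-plane-component: identity
  ports:
  - name: grpc
    port: 8080
    targetPort: 8080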
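---
# Headless variant (clusterIP: None) of the identity Service: DNS returns the
# individual pod addresses instead of a virtual IP. Same selector and port as
# linkerd-identity.
kind: Service
apiVersion: v1
metadata:
  name: linkerd-identity-headless
  namespace: linkerd-dev
  labels:
    linkerd.io/control-plane-component: identity
    linkerd.io/control-plane-ns: linkerd-dev
  annotations:
    linkerd.io/created-by: linkerd/helm linkerd-version
spec:
  clusterIP: None
  selector:
    linkerd.io/control-plane-component: identity
  ports:
  - name: grpc
    port: 8080
    targetPort: 8080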
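---
# Limits voluntary disruptions (drains, evictions) to one identity pod at a
# time, so certificate issuance stays available during node maintenance.
kind: PodDisruptionBudget
apiVersion: policy/v1
metadata:
  name: linkerd-identity
  namespace: linkerd-dev
  labels:
    linkerd.io/control-plane-component: identity
    linkerd.io/control-plane-ns: linkerd-dev
  annotations:
    linkerd.io/created-by: linkerd/helm linkerd-version
spec:
  maxUnavailable: 1
  selector:
    matchLabels:
      linkerd.io/control-plane-component: identity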
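---
# Identity controller Deployment: 3 replicas, with a required anti-affinity
# rule per hostname and a preferred one per zone. The pod holds:
# - identity: the controller; mounts the issuer Secret and the trust roots.
# - linkerd-proxy: the sidecar proxy for inbound ports 8080 and 9990.
# - linkerd-init (init container): takes the proxy ports and UID as arguments
#   and is the only container that adds Linux capabilities.
# All images are referenced by tag (fixture placeholders here); pinning by
# digest in a real install makes the deployed content verifiable.
apiVersion: apps/v1
kind: Deployment
metadata:
  annotations:
    linkerd.io/created-by: linkerd/helm linkerd-version
  labels:
    app.kubernetes.io/name: identity
    app.kubernetes.io/part-of: Linkerd
    app.kubernetes.io/version: linkerd-version
    linkerd.io/control-plane-component: identity
    linkerd.io/control-plane-ns: linkerd-dev
  name: linkerd-identity
  namespace: linkerd-dev
spec:
  replicas: 3
  revisionHistoryLimit: 10
  selector:
    matchLabels:
      linkerd.io/control-plane-component: identity
      linkerd.io/control-plane-ns: linkerd-dev
      linkerd.io/proxy-deployment: linkerd-identity
  strategy:
    rollingUpdate:
      maxSurge: 25%
      maxUnavailable: 1
  template:
    metadata:
      annotations:
        linkerd.io/created-by: linkerd/helm linkerd-version
        linkerd.io/proxy-version: test-proxy-version
        cluster-autoscaler.kubernetes.io/safe-to-evict: "true"
        # NOTE(review): presumably a digest of the trust roots so that pods
        # roll when the anchors change - confirm against the chart template.
        linkerd.io/trust-root-sha256: f8ebf807fa1cf5bf3b40e94680a5fc91593782385f28c96eae7bb6672dba375e
        config.linkerd.io/default-inbound-policy: "all-unauthenticated"
      labels:
        linkerd.io/control-plane-component: identity
        linkerd.io/control-plane-ns: linkerd-dev
        linkerd.io/workload-ns: linkerd-dev
        linkerd.io/proxy-deployment: linkerd-identity
    spec:
      nodeSelector:
        kubernetes.io/os: linux
      affinity:
        podAntiAffinity:
          preferredDuringSchedulingIgnoredDuringExecution:
          - podAffinityTerm:
              labelSelector:
                matchExpressions:
                - key: linkerd.io/control-plane-component
                  operator: In
                  values:
                  - identity
              topologyKey: topology.kubernetes.io/zone
            weight: 100
          requiredDuringSchedulingIgnoredDuringExecution:
          - labelSelector:
              matchExpressions:
              - key: linkerd.io/control-plane-component
                operator: In
                values:
                - identity
            topologyKey: kubernetes.io/hostname
      containers:
      - args:
        - identity
        - -log-level=info
        - -log-format=plain
        - -controller-namespace=linkerd-dev
        - -identity-trust-domain=test.trust.domain
        # Issued certificates live 24h, with 20s of allowed clock skew.
        - -identity-issuance-lifetime=24h0m0s
        - -identity-clock-skew-allowance=20s
        - -identity-scheme=linkerd.io/tls
        # Profiling is switched off; keep it off outside debugging sessions.
        - -enable-pprof=false
        - -kube-apiclient-qps=100
        - -kube-apiclient-burst=200
        env:
        - name: LINKERD_DISABLED
          value: "linkerd-await cannot block the identity controller"
        image: cr.l5d.io/linkerd/controller:linkerd-version
        imagePullPolicy: IfNotPresent
        livenessProbe:
          httpGet:
            path: /ping
            port: 9990
          initialDelaySeconds: 10
        name: identity
        ports:
        - containerPort: 8080
          name: grpc
        - containerPort: 9990
          name: admin-http
        readinessProbe:
          failureThreshold: 7
          httpGet:
            path: /ready
            port: 9990
        resources:
          limits:
            memory: "250Mi"
          requests:
            cpu: "100m"
            memory: "10Mi"
        # Hardened context: all capabilities dropped, read-only root
        # filesystem, non-root UID, no privilege escalation, default seccomp.
        securityContext:
          capabilities:
            drop:
            - ALL
          readOnlyRootFilesystem: true
          runAsNonRoot: true
          runAsUser: 2103
          allowPrivilegeEscalation: false
          seccompProfile:
            type: RuntimeDefault
        volumeMounts:
        # Issuer certificate and private key from the linkerd-identity-issuer
        # Secret; only this container mounts it.
        - mountPath: /var/run/linkerd/identity/issuer
          name: identity-issuer
        - mountPath: /var/run/linkerd/identity/trust-roots/
          name: trust-roots
      - env:
        - name: _pod_name
          valueFrom:
            fieldRef:
              fieldPath: metadata.name
        - name: _pod_ns
          valueFrom:
            fieldRef:
              fieldPath: metadata.namespace
        - name: _pod_nodeName
          valueFrom:
            fieldRef:
              fieldPath: spec.nodeName
        # The identity gRPC port is the one inbound port listed as requiring
        # TLS; the admin port 9990 is not in this list.
        - name: LINKERD2_PROXY_INBOUND_PORTS_REQUIRE_TLS
          value: "8080"
        - name: LINKERD2_PROXY_LOG
          value: "warn,linkerd=info,trust_dns=error"
        - name: LINKERD2_PROXY_LOG_FORMAT
          value: "plain"
        - name: LINKERD2_PROXY_DESTINATION_SVC_ADDR
          value: linkerd-dst-headless.linkerd-dev.svc.cluster.local.:8086
        - name: LINKERD2_PROXY_DESTINATION_PROFILE_NETWORKS
          value: "10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16,fd00::/8"
        - name: LINKERD2_PROXY_POLICY_SVC_ADDR
          value: linkerd-policy.linkerd-dev.svc.cluster.local.:8090
        - name: LINKERD2_PROXY_POLICY_WORKLOAD
          value: |
            {"ns":"$(_pod_ns)", "pod":"$(_pod_name)"}
        # Fallback policy when no policy resource applies: unauthenticated
        # inbound traffic is allowed (same value as the pod annotation above).
        - name: LINKERD2_PROXY_INBOUND_DEFAULT_POLICY
          value: all-unauthenticated
        - name: LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS
          value: "10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16,fd00::/8"
        - name: LINKERD2_PROXY_CONTROL_STREAM_INITIAL_TIMEOUT
          value: "3s"
        - name: LINKERD2_PROXY_CONTROL_STREAM_IDLE_TIMEOUT
          value: "5m"
        - name: LINKERD2_PROXY_CONTROL_STREAM_LIFETIME
          value: "1h"
        - name: LINKERD2_PROXY_INBOUND_CONNECT_TIMEOUT
          value: "100ms"
        - name: LINKERD2_PROXY_OUTBOUND_CONNECT_TIMEOUT
          value: "1000ms"
        - name: LINKERD2_PROXY_OUTBOUND_DISCOVERY_IDLE_TIMEOUT
          value: "5s"
        - name: LINKERD2_PROXY_INBOUND_DISCOVERY_IDLE_TIMEOUT
          value: "90s"
        - name: LINKERD2_PROXY_CONTROL_LISTEN_ADDR
          value: "[::]:4190"
        # The admin listener binds every interface; port 4191 also serves the
        # liveness and readiness probes below. Restrict other access to it with
        # network or mesh policy where the cluster allows.
        - name: LINKERD2_PROXY_ADMIN_LISTEN_ADDR
          value: "[::]:4191"
        # The outbound listener is bound to loopback only.
        - name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDR
          value: "127.0.0.1:4140"
        - name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDRS
          value: "127.0.0.1:4140"
        - name: LINKERD2_PROXY_INBOUND_LISTEN_ADDR
          value: "[::]:4143"
        - name: LINKERD2_PROXY_INBOUND_IPS
          valueFrom:
            fieldRef:
              fieldPath: status.podIPs
        - name: LINKERD2_PROXY_INBOUND_PORTS
          value: "8080,9990"
        - name: LINKERD2_PROXY_DESTINATION_PROFILE_SUFFIXES
          value: svc.cluster.local.
        - name: LINKERD2_PROXY_INBOUND_ACCEPT_KEEPALIVE
          value: 10000ms
        - name: LINKERD2_PROXY_OUTBOUND_CONNECT_KEEPALIVE
          value: 10000ms
        - name: LINKERD2_PROXY_INBOUND_SERVER_HTTP2_KEEP_ALIVE_INTERVAL
          value: "10s"
        - name: LINKERD2_PROXY_INBOUND_SERVER_HTTP2_KEEP_ALIVE_TIMEOUT
          value: "3s"
        - name: LINKERD2_PROXY_OUTBOUND_SERVER_HTTP2_KEEP_ALIVE_INTERVAL
          value: "10s"
        - name: LINKERD2_PROXY_OUTBOUND_SERVER_HTTP2_KEEP_ALIVE_TIMEOUT
          value: "3s"
        - name: LINKERD2_PROXY_INBOUND_PORTS_DISABLE_PROTOCOL_DETECTION
          value: "25,587,3306,4444,5432,6379,9300,11211"
        - name: LINKERD2_PROXY_DESTINATION_CONTEXT
          value: |
            {"ns":"$(_pod_ns)", "nodeName":"$(_pod_nodeName)", "pod":"$(_pod_name)"}
        - name: _pod_sa
          valueFrom:
            fieldRef:
              fieldPath: spec.serviceAccountName
        - name: _l5d_ns
          value: linkerd-dev
        - name: _l5d_trustdomain
          value: test.trust.domain
        - name: LINKERD2_PROXY_IDENTITY_DIR
          value: /var/run/linkerd/identity/end-entity
        # Trust anchors come from the linkerd-identity-trust-roots ConfigMap,
        # so that object's write permissions decide which roots are trusted.
        - name: LINKERD2_PROXY_IDENTITY_TRUST_ANCHORS
          valueFrom:
            configMapKeyRef:
              name: linkerd-identity-trust-roots
              key: ca-bundle.crt
        - name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE
          value: /var/run/secrets/tokens/linkerd-identity-token
        - name: LINKERD2_PROXY_IDENTITY_SVC_ADDR
          value: localhost.:8080
        - name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME
          value: $(_pod_sa).$(_pod_ns).serviceaccount.identity.linkerd-dev.test.trust.domain
        - name: LINKERD2_PROXY_IDENTITY_SVC_NAME
          value: linkerd-identity.linkerd-dev.serviceaccount.identity.linkerd-dev.test.trust.domain
        - name: LINKERD2_PROXY_DESTINATION_SVC_NAME
          value: linkerd-destination.linkerd-dev.serviceaccount.identity.linkerd-dev.test.trust.domain
        - name: LINKERD2_PROXY_POLICY_SVC_NAME
          value: linkerd-destination.linkerd-dev.serviceaccount.identity.linkerd-dev.test.trust.domain
        image: cr.l5d.io/linkerd/proxy:test-proxy-version
        imagePullPolicy: IfNotPresent
        livenessProbe:
          httpGet:
            path: /live
            port: 4191
          initialDelaySeconds: 10
          timeoutSeconds: 1
        name: linkerd-proxy
        ports:
        - containerPort: 4143
          name: linkerd-proxy
        - containerPort: 4191
          name: linkerd-admin
        readinessProbe:
          httpGet:
            path: /ready
            port: 4191
          initialDelaySeconds: 2
          timeoutSeconds: 1
        resources:
          limits:
            memory: "250Mi"
          requests:
            cpu: "100m"
            memory: "20Mi"
        # Same hardening as the identity container, under its own UID (2102).
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            drop:
            - ALL
          readOnlyRootFilesystem: true
          runAsNonRoot: true
          runAsUser: 2102
          seccompProfile:
            type: RuntimeDefault
        terminationMessagePolicy: FallbackToLogsOnError
        volumeMounts:
        - mountPath: /var/run/linkerd/identity/end-entity
          name: linkerd-identity-end-entity
        - mountPath: /var/run/secrets/tokens
          name: linkerd-identity-token
      initContainers:
      - args:
        - --ipv6=false
        - --incoming-proxy-port
        - "4143"
        - --outgoing-proxy-port
        - "4140"
        - --proxy-uid
        - "2102"
        - --inbound-ports-to-ignore
        - "4190,4191,222"
        - --outbound-ports-to-ignore
        - "443,6443"
        image: cr.l5d.io/linkerd/proxy-init:test-proxy-init-version
        imagePullPolicy: IfNotPresent
        name: linkerd-init
        resources:
          limits:
            cpu: "100m"
            memory: "20Mi"
          requests:
            cpu: "100m"
            memory: "20Mi"
        # Runs non-root and unprivileged but adds NET_ADMIN and NET_RAW.
        # Unlike the two long-running containers there is no drop list, so the
        # runtime's default capability set stays in place as well.
        # NOTE(review): confirm whether "drop: ALL" plus this add list works
        # for the init image before tightening.
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            add:
            - NET_ADMIN
            - NET_RAW
          privileged: false
          runAsNonRoot: true
          runAsUser: 65534
          runAsGroup: 65534
          readOnlyRootFilesystem: true
          seccompProfile:
            type: RuntimeDefault
        terminationMessagePolicy: FallbackToLogsOnError
        volumeMounts:
        - mountPath: /run
          name: linkerd-proxy-init-xtables-lock
      securityContext:
        seccompProfile:
          type: RuntimeDefault
      serviceAccountName: linkerd-identity
      volumes:
      - name: identity-issuer
        secret:
          secretName: linkerd-identity-issuer
      - configMap:
          name: linkerd-identity-trust-roots
        name: trust-roots
      - emptyDir: {}
        name: linkerd-proxy-init-xtables-lock
      # Projected ServiceAccount token bound to the audience identity.l5d.io
      # and expiring after 86400s (24h), instead of a general-purpose API token.
      - name: linkerd-identity-token
        projected:
          sources:
          - serviceAccountToken:
              path: linkerd-identity-token
              expirationSeconds: 86400
              audience: identity.l5d.io
      # Memory-backed emptyDir (tmpfs): what the proxy writes under
      # LINKERD2_PROXY_IDENTITY_DIR is not persisted to node disk.
      - emptyDir:
          medium: Memory
        name: linkerd-identity-end-entity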
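---
# Source: linkerd-control-plane/templates/destination.yaml
---
###
### Destination Controller Service
###
# ClusterIP Service in front of the destination controller's gRPC port.
# The selector keys only on the component label; Services are namespaced,
# so only pods in linkerd-dev can back it.
kind: Service
apiVersion: v1
metadata:
  name: linkerd-dst
  namespace: linkerd-dev
  labels:
    linkerd.io/control-plane-component: destination
    linkerd.io/control-plane-ns: linkerd-dev
  annotations:
    linkerd.io/created-by: linkerd/helm linkerd-version
spec:
  type: ClusterIP
  selector:
    linkerd.io/control-plane-component: destination
  ports:
  - name: grpc
    port: 8086
    targetPort: 8086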
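---
# Headless variant of linkerd-dst (clusterIP: None): DNS resolves to the
# individual destination pod IPs instead of one virtual IP. The
# proxy-injector pod's proxy in this file is configured with this name as
# LINKERD2_PROXY_DESTINATION_SVC_ADDR.
kind: Service
apiVersion: v1
metadata:
  name: linkerd-dst-headless
  namespace: linkerd-dev
  labels:
    linkerd.io/control-plane-component: destination
    linkerd.io/control-plane-ns: linkerd-dev
  annotations:
    linkerd.io/created-by: linkerd/helm linkerd-version
spec:
  clusterIP: None
  selector:
    linkerd.io/control-plane-component: destination
  ports:
  - name: grpc
    port: 8086
    targetPort: 8086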
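---
# Exposes the sp-validator container (named port sp-validator, 8443 in the
# linkerd-destination Deployment) on 443.
# NOTE(review): presumably the backend of an admission webhook; the webhook
# configuration that references this Service is not in this part of the file.
kind: Service
apiVersion: v1
metadata:
  name: linkerd-sp-validator
  namespace: linkerd-dev
  labels:
    linkerd.io/control-plane-component: destination
    linkerd.io/control-plane-ns: linkerd-dev
  annotations:
    linkerd.io/created-by: linkerd/helm linkerd-version
spec:
  type: ClusterIP
  selector:
    linkerd.io/control-plane-component: destination
  ports:
  - name: sp-validator
    port: 443
    targetPort: sp-validator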
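---
# Headless Service for the policy controller's gRPC API (8090). The
# proxy-injector pod's proxy in this file is configured with this name as
# LINKERD2_PROXY_POLICY_SVC_ADDR.
kind: Service
apiVersion: v1
metadata:
  name: linkerd-policy
  namespace: linkerd-dev
  labels:
    linkerd.io/control-plane-component: destination
    linkerd.io/control-plane-ns: linkerd-dev
  annotations:
    linkerd.io/created-by: linkerd/helm linkerd-version
spec:
  clusterIP: None
  selector:
    linkerd.io/control-plane-component: destination
  ports:
  - name: grpc
    port: 8090
    targetPort: 8090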
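---
# Exposes the policy container's TLS listener (named port policy-https,
# 9443 in the linkerd-destination Deployment) on 443. That listener is
# started with --server-tls-key/--server-tls-certs read from the policy-tls
# Secret volume.
kind: Service
apiVersion: v1
metadata:
  name: linkerd-policy-validator
  namespace: linkerd-dev
  labels:
    linkerd.io/control-plane-component: destination
    linkerd.io/control-plane-ns: linkerd-dev
  annotations:
    linkerd.io/created-by: linkerd/helm linkerd-version
spec:
  type: ClusterIP
  selector:
    linkerd.io/control-plane-component: destination
  ports:
  - name: policy-https
    port: 443
    targetPort: policy-https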
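---
# Limits voluntary disruptions (drains, evictions) to one destination pod
# at a time. With replicas: 3 on the linkerd-destination Deployment this
# keeps two pods serving during node maintenance.
kind: PodDisruptionBudget
apiVersion: policy/v1
metadata:
  name: linkerd-dst
  namespace: linkerd-dev
  labels:
    linkerd.io/control-plane-component: destination
    linkerd.io/control-plane-ns: linkerd-dev
  annotations:
    linkerd.io/created-by: linkerd/helm linkerd-version
spec:
  maxUnavailable: 1
  selector:
    matchLabels:
      linkerd.io/control-plane-component: destination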
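---
# Destination controller Deployment. Each pod runs four containers:
# linkerd-proxy (mesh sidecar), destination, sp-validator and policy, plus
# the linkerd-init init container that sets up traffic redirection.
apiVersion: apps/v1
kind: Deployment
metadata:
  annotations:
    linkerd.io/created-by: linkerd/helm linkerd-version
  labels:
    app.kubernetes.io/name: destination
    app.kubernetes.io/part-of: Linkerd
    app.kubernetes.io/version: linkerd-version
    linkerd.io/control-plane-component: destination
    linkerd.io/control-plane-ns: linkerd-dev
  name: linkerd-destination
  namespace: linkerd-dev
spec:
  replicas: 3
  revisionHistoryLimit: 10
  selector:
    matchLabels:
      linkerd.io/control-plane-component: destination
      linkerd.io/control-plane-ns: linkerd-dev
      linkerd.io/proxy-deployment: linkerd-destination
  strategy:
    rollingUpdate:
      maxSurge: 25%
      maxUnavailable: 1
  template:
    metadata:
      annotations:
        checksum/config: 467bcfd10f346970575701d5199fde803e9f61e9039e05d4c765d3c5524804b4
        linkerd.io/created-by: linkerd/helm linkerd-version
        linkerd.io/proxy-version: test-proxy-version
        cluster-autoscaler.kubernetes.io/safe-to-evict: "true"
        linkerd.io/trust-root-sha256: f8ebf807fa1cf5bf3b40e94680a5fc91593782385f28c96eae7bb6672dba375e
        # Inbound connections are admitted whether or not the client presents
        # a mesh identity, unless a more specific policy resource applies.
        # Tighten this (or add explicit policy resources) where unauthenticated
        # access to the control plane is not acceptable.
        config.linkerd.io/default-inbound-policy: "all-unauthenticated"
      labels:
        linkerd.io/control-plane-component: destination
        linkerd.io/control-plane-ns: linkerd-dev
        linkerd.io/workload-ns: linkerd-dev
        linkerd.io/proxy-deployment: linkerd-destination
    spec:
      nodeSelector:
        kubernetes.io/os: linux
      affinity:
        podAntiAffinity:
          # Soft preference: spread replicas across zones.
          preferredDuringSchedulingIgnoredDuringExecution:
          - podAffinityTerm:
              labelSelector:
                matchExpressions:
                - key: linkerd.io/control-plane-component
                  operator: In
                  values:
                  - destination
              topologyKey: topology.kubernetes.io/zone
            weight: 100
          # Hard rule: never two destination pods on one node, so three
          # replicas need at least three schedulable nodes.
          requiredDuringSchedulingIgnoredDuringExecution:
          - labelSelector:
              matchExpressions:
              - key: linkerd.io/control-plane-component
                operator: In
                values:
                - destination
            topologyKey: kubernetes.io/hostname
      containers:
      # --- linkerd-proxy: mesh sidecar for this pod ---
      - env:
        - name: _pod_name
          valueFrom:
            fieldRef:
              fieldPath: metadata.name
        - name: _pod_ns
          valueFrom:
            fieldRef:
              fieldPath: metadata.namespace
        - name: _pod_nodeName
          valueFrom:
            fieldRef:
              fieldPath: spec.nodeName
        - name: LINKERD2_PROXY_LOG
          value: "warn,linkerd=info,trust_dns=error"
        - name: LINKERD2_PROXY_LOG_FORMAT
          value: "plain"
        # The destination and policy APIs run in this same pod, so the proxy
        # reaches them over loopback rather than through a Service.
        - name: LINKERD2_PROXY_DESTINATION_SVC_ADDR
          value: localhost.:8086
        - name: LINKERD2_PROXY_DESTINATION_PROFILE_NETWORKS
          value: "10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16,fd00::/8"
        - name: LINKERD2_PROXY_POLICY_SVC_ADDR
          value: localhost.:8090
        - name: LINKERD2_PROXY_POLICY_WORKLOAD
          value: |
            {"ns":"$(_pod_ns)", "pod":"$(_pod_name)"}
        # Same value as the pod annotation above: unauthenticated inbound
        # traffic is allowed by default.
        - name: LINKERD2_PROXY_INBOUND_DEFAULT_POLICY
          value: all-unauthenticated
        - name: LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS
          value: "10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16,fd00::/8"
        - name: LINKERD2_PROXY_CONTROL_STREAM_INITIAL_TIMEOUT
          value: "3s"
        - name: LINKERD2_PROXY_CONTROL_STREAM_IDLE_TIMEOUT
          value: "5m"
        - name: LINKERD2_PROXY_CONTROL_STREAM_LIFETIME
          value: "1h"
        - name: LINKERD2_PROXY_INBOUND_CONNECT_TIMEOUT
          value: "100ms"
        - name: LINKERD2_PROXY_OUTBOUND_CONNECT_TIMEOUT
          value: "1000ms"
        - name: LINKERD2_PROXY_OUTBOUND_DISCOVERY_IDLE_TIMEOUT
          value: "5s"
        - name: LINKERD2_PROXY_INBOUND_DISCOVERY_IDLE_TIMEOUT
          value: "90s"
        # Control (4190) and admin (4191) listeners bind every address, and
        # linkerd-init below excludes both ports from inbound redirection.
        # They are reachable on the pod IP unless something outside this
        # manifest (e.g. a NetworkPolicy) restricts access.
        - name: LINKERD2_PROXY_CONTROL_LISTEN_ADDR
          value: "[::]:4190"
        - name: LINKERD2_PROXY_ADMIN_LISTEN_ADDR
          value: "[::]:4191"
        # The outbound listener is loopback-only.
        - name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDR
          value: "127.0.0.1:4140"
        - name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDRS
          value: "127.0.0.1:4140"
        - name: LINKERD2_PROXY_INBOUND_LISTEN_ADDR
          value: "[::]:4143"
        - name: LINKERD2_PROXY_INBOUND_IPS
          valueFrom:
            fieldRef:
              fieldPath: status.podIPs
        # Container ports of the three application containers in this pod.
        - name: LINKERD2_PROXY_INBOUND_PORTS
          value: "8086,8090,8443,9443,9990,9996,9997"
        - name: LINKERD2_PROXY_DESTINATION_PROFILE_SUFFIXES
          value: svc.cluster.local.
        - name: LINKERD2_PROXY_INBOUND_ACCEPT_KEEPALIVE
          value: 10000ms
        - name: LINKERD2_PROXY_OUTBOUND_CONNECT_KEEPALIVE
          value: 10000ms
        - name: LINKERD2_PROXY_INBOUND_SERVER_HTTP2_KEEP_ALIVE_INTERVAL
          value: "10s"
        - name: LINKERD2_PROXY_INBOUND_SERVER_HTTP2_KEEP_ALIVE_TIMEOUT
          value: "3s"
        - name: LINKERD2_PROXY_OUTBOUND_SERVER_HTTP2_KEEP_ALIVE_INTERVAL
          value: "10s"
        - name: LINKERD2_PROXY_OUTBOUND_SERVER_HTTP2_KEEP_ALIVE_TIMEOUT
          value: "3s"
        - name: LINKERD2_PROXY_INBOUND_PORTS_DISABLE_PROTOCOL_DETECTION
          value: "25,587,3306,4444,5432,6379,9300,11211"
        - name: LINKERD2_PROXY_DESTINATION_CONTEXT
          value: |
            {"ns":"$(_pod_ns)", "nodeName":"$(_pod_nodeName)", "pod":"$(_pod_name)"}
        - name: _pod_sa
          valueFrom:
            fieldRef:
              fieldPath: spec.serviceAccountName
        - name: _l5d_ns
          value: linkerd-dev
        - name: _l5d_trustdomain
          value: test.trust.domain
        # Identity directory; backed by the in-memory emptyDir volume
        # linkerd-identity-end-entity declared at the bottom of this spec.
        - name: LINKERD2_PROXY_IDENTITY_DIR
          value: /var/run/linkerd/identity/end-entity
        # Trust anchors come from a ConfigMap: anyone allowed to edit
        # linkerd-identity-trust-roots can change what this proxy trusts, so
        # write access to it should be as restricted as for a Secret.
        - name: LINKERD2_PROXY_IDENTITY_TRUST_ANCHORS
          valueFrom:
            configMapKeyRef:
              name: linkerd-identity-trust-roots
              key: ca-bundle.crt
        # Projected service-account token (see the linkerd-identity-token
        # volume) that the proxy presents to the identity service.
        - name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE
          value: /var/run/secrets/tokens/linkerd-identity-token
        - name: LINKERD2_PROXY_IDENTITY_SVC_ADDR
          value: linkerd-identity-headless.linkerd-dev.svc.cluster.local.:8080
        # The proxy's own identity name is derived from the pod's service
        # account and namespace.
        - name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME
          value: $(_pod_sa).$(_pod_ns).serviceaccount.identity.linkerd-dev.test.trust.domain
        # Identity names the proxy expects the control-plane services to
        # present.
        - name: LINKERD2_PROXY_IDENTITY_SVC_NAME
          value: linkerd-identity.linkerd-dev.serviceaccount.identity.linkerd-dev.test.trust.domain
        - name: LINKERD2_PROXY_DESTINATION_SVC_NAME
          value: linkerd-destination.linkerd-dev.serviceaccount.identity.linkerd-dev.test.trust.domain
        - name: LINKERD2_PROXY_POLICY_SVC_NAME
          value: linkerd-destination.linkerd-dev.serviceaccount.identity.linkerd-dev.test.trust.domain
        # Tag is a test-fixture placeholder. With IfNotPresent a node keeps
        # whatever it already cached under a tag, so real deployments should
        # reference an immutable version or digest.
        image: cr.l5d.io/linkerd/proxy:test-proxy-version
        imagePullPolicy: IfNotPresent
        livenessProbe:
          httpGet:
            path: /live
            port: 4191
          initialDelaySeconds: 10
          timeoutSeconds: 1
        name: linkerd-proxy
        ports:
        - containerPort: 4143
          name: linkerd-proxy
        - containerPort: 4191
          name: linkerd-admin
        readinessProbe:
          httpGet:
            path: /ready
            port: 4191
          initialDelaySeconds: 2
          timeoutSeconds: 1
        resources:
          limits:
            memory: "250Mi"
          requests:
            cpu: "100m"
            memory: "20Mi"
        # Hardened: no privilege escalation, every capability dropped,
        # read-only root filesystem, fixed non-root UID, runtime default
        # seccomp profile.
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            drop:
            - ALL
          readOnlyRootFilesystem: true
          runAsNonRoot: true
          runAsUser: 2102
          seccompProfile:
            type: RuntimeDefault
        terminationMessagePolicy: FallbackToLogsOnError
        lifecycle:
          postStart:
            exec:
              command:
              - /usr/lib/linkerd/linkerd-await
              - --timeout=2m
              - --port=4191
        volumeMounts:
        - mountPath: /var/run/linkerd/identity/end-entity
          name: linkerd-identity-end-entity
        - mountPath: /var/run/secrets/tokens
          name: linkerd-identity-token
      # --- destination: gRPC API on 8086, admin HTTP on 9996 ---
      - args:
        - destination
        - -addr=:8086
        - -controller-namespace=linkerd-dev
        - -enable-h2-upgrade=true
        - -log-level=info
        - -log-format=plain
        - -enable-endpoint-slices=true
        - -cluster-domain=cluster.local
        - -identity-trust-domain=test.trust.domain
        - -default-opaque-ports=25,587,3306,4444,5432,6379,9300,11211
        - -enable-ipv6=false
        # Profiling endpoints stay off.
        - -enable-pprof=false
        - --meshed-http2-client-params={"keep_alive":{"interval":{"seconds":10},"timeout":{"seconds":3},"while_idle":true}}
        image: cr.l5d.io/linkerd/controller:linkerd-version
        imagePullPolicy: IfNotPresent
        livenessProbe:
          httpGet:
            path: /ping
            port: 9996
          initialDelaySeconds: 10
        name: destination
        ports:
        - containerPort: 8086
          name: grpc
        - containerPort: 9996
          name: admin-http
        readinessProbe:
          failureThreshold: 7
          httpGet:
            path: /ready
            port: 9996
        resources:
          limits:
            memory: "250Mi"
          requests:
            cpu: "100m"
            memory: "50Mi"
        securityContext:
          capabilities:
            drop:
            - ALL
          readOnlyRootFilesystem: true
          runAsNonRoot: true
          runAsUser: 2103
          allowPrivilegeEscalation: false
          seccompProfile:
            type: RuntimeDefault
      # --- sp-validator: TLS listener on 8443, admin HTTP on 9997 ---
      # No resources block is rendered for this container, so it runs
      # without CPU/memory requests or limits.
      - args:
        - sp-validator
        - -log-level=info
        - -log-format=plain
        - -enable-pprof=false
        image: cr.l5d.io/linkerd/controller:linkerd-version
        imagePullPolicy: IfNotPresent
        livenessProbe:
          httpGet:
            path: /ping
            port: 9997
          initialDelaySeconds: 10
        name: sp-validator
        ports:
        - containerPort: 8443
          name: sp-validator
        - containerPort: 9997
          name: admin-http
        readinessProbe:
          failureThreshold: 7
          httpGet:
            path: /ready
            port: 9997
        securityContext:
          capabilities:
            drop:
            - ALL
          readOnlyRootFilesystem: true
          runAsNonRoot: true
          runAsUser: 2103
          allowPrivilegeEscalation: false
          seccompProfile:
            type: RuntimeDefault
        volumeMounts:
        # Serving key and certificate from the sp-tls Secret, read-only.
        - mountPath: /var/run/linkerd/tls
          name: sp-tls
          readOnly: true
      # --- policy: gRPC on 8090, TLS server on 9443, admin HTTP on 9990 ---
      - args:
        - --admin-addr=[::]:9990
        - --control-plane-namespace=linkerd-dev
        - --grpc-addr=[::]:8090
        - --server-addr=[::]:9443
        - --server-tls-key=/var/run/linkerd/tls/tls.key
        - --server-tls-certs=/var/run/linkerd/tls/tls.crt
        - --cluster-networks=10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16,fd00::/8
        - --identity-domain=test.trust.domain
        - --cluster-domain=cluster.local
        # Cluster-wide default handed out by the policy controller:
        # unauthenticated inbound traffic is allowed unless overridden.
        - --default-policy=all-unauthenticated
        - --log-level=info
        - --log-format=plain
        - --default-opaque-ports=25,587,3306,4444,5432,6379,9300,11211
        # Probe traffic is accepted from any IPv4/IPv6 source. Narrow this to
        # the networks your kubelets actually probe from where those are known.
        - --probe-networks=0.0.0.0/0,::/0
        image: cr.l5d.io/linkerd/policy-controller:linkerd-version
        imagePullPolicy: IfNotPresent
        livenessProbe:
          httpGet:
            path: /live
            port: admin-http
        name: policy
        ports:
        - containerPort: 8090
          name: grpc
        - containerPort: 9990
          name: admin-http
        - containerPort: 9443
          name: policy-https
        readinessProbe:
          failureThreshold: 7
          httpGet:
            path: /ready
            port: admin-http
          initialDelaySeconds: 10
        # Bare key (null): no CPU/memory requests or limits are set for this
        # container, unlike the destination container in the same pod.
        resources:
        securityContext:
          capabilities:
            drop:
            - ALL
          readOnlyRootFilesystem: true
          runAsNonRoot: true
          runAsUser: 2103
          allowPrivilegeEscalation: false
          seccompProfile:
            type: RuntimeDefault
        volumeMounts:
        # Serving key and certificate from the policy-tls Secret, read-only.
        - mountPath: /var/run/linkerd/tls
          name: policy-tls
          readOnly: true
      initContainers:
      # --- linkerd-init: sets up traffic redirection before the pod starts ---
      - args:
        - --ipv6=false
        - --incoming-proxy-port
        - "4143"
        - --outgoing-proxy-port
        - "4140"
        # Matches runAsUser of the linkerd-proxy container (2102).
        - --proxy-uid
        - "2102"
        # Inbound traffic to these ports is not redirected to the proxy, so
        # it gets no mesh policy or mTLS. 4190/4191 are the proxy's own
        # control/admin ports; 222 looks like a test-fixture value.
        - --inbound-ports-to-ignore
        - "4190,4191,222"
        # Outbound traffic to these ports bypasses the proxy and relies on
        # whatever TLS the destination itself provides.
        - --outbound-ports-to-ignore
        - "443,6443"
        image: cr.l5d.io/linkerd/proxy-init:test-proxy-init-version
        imagePullPolicy: IfNotPresent
        name: linkerd-init
        resources:
          limits:
            cpu: "100m"
            memory: "20Mi"
          requests:
            cpu: "100m"
            memory: "20Mi"
        # The only container in the pod that adds capabilities. NET_ADMIN and
        # NET_RAW are added and nothing is dropped, so the runtime's default
        # capability set remains available to it as well.
        # NOTE(review): check whether `drop: [ALL]` next to the two adds works
        # with your proxy-init image before relying on this as least privilege.
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            add:
            - NET_ADMIN
            - NET_RAW
          privileged: false
          runAsNonRoot: true
          runAsUser: 65534
          runAsGroup: 65534
          readOnlyRootFilesystem: true
          seccompProfile:
            type: RuntimeDefault
        terminationMessagePolicy: FallbackToLogsOnError
        volumeMounts:
        # Writable scratch at /run (volume linkerd-proxy-init-xtables-lock);
        # the root filesystem is read-only.
        - mountPath: /run
          name: linkerd-proxy-init-xtables-lock
      # Pod-level default for any container without its own seccompProfile.
      securityContext:
        seccompProfile:
          type: RuntimeDefault
      serviceAccountName: linkerd-destination
      volumes:
      # Webhook serving certificates. Read access to these Secrets exposes
      # the private keys, so scope RBAC on them tightly.
      - name: sp-tls
        secret:
          secretName: linkerd-sp-validator-k8s-tls
      - name: policy-tls
        secret:
          secretName: linkerd-policy-validator-k8s-tls
      - emptyDir: {}
        name: linkerd-proxy-init-xtables-lock
      # Service-account token bound to the identity.l5d.io audience and
      # limited to 24 hours (86400 s).
      - name: linkerd-identity-token
        projected:
          sources:
          - serviceAccountToken:
              path: linkerd-identity-token
              expirationSeconds: 86400
              audience: identity.l5d.io
      # Memory-backed (tmpfs) volume for the proxy's identity directory:
      # what the proxy writes there stays off the node's disk and goes away
      # with the pod.
      - emptyDir:
          medium: Memory
        name: linkerd-identity-end-entity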
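---
# Source: linkerd-control-plane/templates/heartbeat.yaml
---
###
### Heartbeat
###
# CronJob running the controller image's `heartbeat` subcommand. The pod
# template has no linkerd-proxy or linkerd-init container, so its traffic is
# not covered by mesh mTLS.
apiVersion: batch/v1
kind: CronJob
metadata:
  name: linkerd-heartbeat
  namespace: linkerd-dev
  labels:
    app.kubernetes.io/name: heartbeat
    app.kubernetes.io/part-of: Linkerd
    app.kubernetes.io/version: linkerd-version
    linkerd.io/control-plane-component: heartbeat
    linkerd.io/control-plane-ns: linkerd-dev
  annotations:
    linkerd.io/created-by: linkerd/helm linkerd-version
spec:
  # A run still in progress is replaced when the next one starts.
  concurrencyPolicy: Replace
  # NOTE(review): "1 2 3 4 5" looks like a fixed test-fixture schedule.
  schedule: "1 2 3 4 5"
  # Successful Jobs are not retained.
  successfulJobsHistoryLimit: 0
  jobTemplate:
    spec:
      template:
        metadata:
          labels:
            linkerd.io/control-plane-component: heartbeat
            linkerd.io/workload-ns: linkerd-dev
          annotations:
            linkerd.io/created-by: linkerd/helm linkerd-version
        spec:
          nodeSelector:
            kubernetes.io/os: linux
          securityContext:
            seccompProfile:
              type: RuntimeDefault
          serviceAccountName: linkerd-heartbeat
          restartPolicy: Never
          containers:
          - name: heartbeat
            # Tag is a test-fixture placeholder; with IfNotPresent, real
            # deployments should reference an immutable version or digest.
            image: cr.l5d.io/linkerd/controller:linkerd-version
            imagePullPolicy: IfNotPresent
            env:
            - name: LINKERD_DISABLED
              value: "the heartbeat controller does not use the proxy"
            args:
            - "heartbeat"
            - "-controller-namespace=linkerd-dev"
            - "-log-level=info"
            - "-log-format=plain"
            # Plain-HTTP URL, and this pod has no proxy: the Prometheus
            # queries cross the cluster network unencrypted.
            - "-prometheus-url=http://prometheus.linkerd-viz.svc.cluster.local:9090"
            resources:
              limits:
                memory: "250Mi"
              requests:
                cpu: "100m"
                memory: "50Mi"
            # Hardened: every capability dropped, read-only root filesystem,
            # non-root UID, no privilege escalation, runtime default seccomp.
            securityContext:
              capabilities:
                drop:
                - ALL
              readOnlyRootFilesystem: true
              runAsNonRoot: true
              runAsUser: 2103
              allowPrivilegeEscalation: false
              seccompProfile:
                type: RuntimeDefault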
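---
# Source: linkerd-control-plane/templates/proxy-injector.yaml
---
###
### Proxy Injector
###
# Proxy injector Deployment. Each pod runs the linkerd-proxy sidecar and the
# proxy-injector container (TLS listener on 8443, admin HTTP on 9995), plus
# the linkerd-init init container.
apiVersion: apps/v1
kind: Deployment
metadata:
  annotations:
    linkerd.io/created-by: linkerd/helm linkerd-version
  labels:
    app.kubernetes.io/name: proxy-injector
    app.kubernetes.io/part-of: Linkerd
    app.kubernetes.io/version: linkerd-version
    linkerd.io/control-plane-component: proxy-injector
    linkerd.io/control-plane-ns: linkerd-dev
  name: linkerd-proxy-injector
  namespace: linkerd-dev
spec:
  replicas: 3
  revisionHistoryLimit: 10
  selector:
    matchLabels:
      linkerd.io/control-plane-component: proxy-injector
  strategy:
    rollingUpdate:
      maxSurge: 25%
      maxUnavailable: 1
  template:
    metadata:
      annotations:
        checksum/config: a6eb8c6e7cbd674a1b0e776a942c6c72fe93c478344911e8326d5bf739560a5e
        linkerd.io/created-by: linkerd/helm linkerd-version
        linkerd.io/proxy-version: test-proxy-version
        cluster-autoscaler.kubernetes.io/safe-to-evict: "true"
        linkerd.io/trust-root-sha256: f8ebf807fa1cf5bf3b40e94680a5fc91593782385f28c96eae7bb6672dba375e
        # 8443 (the injector's own TLS listener) is marked opaque for the
        # proxy.
        config.linkerd.io/opaque-ports: "8443"
        # Inbound connections are admitted whether or not the client presents
        # a mesh identity, unless a more specific policy resource applies.
        config.linkerd.io/default-inbound-policy: "all-unauthenticated"
      labels:
        linkerd.io/control-plane-component: proxy-injector
        linkerd.io/control-plane-ns: linkerd-dev
        linkerd.io/workload-ns: linkerd-dev
        linkerd.io/proxy-deployment: linkerd-proxy-injector
    spec:
      nodeSelector:
        kubernetes.io/os: linux
      affinity:
        podAntiAffinity:
          # Soft preference: spread replicas across zones.
          preferredDuringSchedulingIgnoredDuringExecution:
          - podAffinityTerm:
              labelSelector:
                matchExpressions:
                - key: linkerd.io/control-plane-component
                  operator: In
                  values:
                  - proxy-injector
              topologyKey: topology.kubernetes.io/zone
            weight: 100
          # Hard rule: never two proxy-injector pods on one node, so three
          # replicas need at least three schedulable nodes.
          requiredDuringSchedulingIgnoredDuringExecution:
          - labelSelector:
              matchExpressions:
              - key: linkerd.io/control-plane-component
                operator: In
                values:
                - proxy-injector
            topologyKey: kubernetes.io/hostname
      containers:
      # --- linkerd-proxy: mesh sidecar for this pod ---
      - env:
        - name: _pod_name
          valueFrom:
            fieldRef:
              fieldPath: metadata.name
        - name: _pod_ns
          valueFrom:
            fieldRef:
              fieldPath: metadata.namespace
        - name: _pod_nodeName
          valueFrom:
            fieldRef:
              fieldPath: spec.nodeName
        - name: LINKERD2_PROXY_LOG
          value: "warn,linkerd=info,trust_dns=error"
        - name: LINKERD2_PROXY_LOG_FORMAT
          value: "plain"
        # Destination and policy APIs are reached through the headless
        # Services in the control-plane namespace.
        - name: LINKERD2_PROXY_DESTINATION_SVC_ADDR
          value: linkerd-dst-headless.linkerd-dev.svc.cluster.local.:8086
        - name: LINKERD2_PROXY_DESTINATION_PROFILE_NETWORKS
          value: "10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16,fd00::/8"
        - name: LINKERD2_PROXY_POLICY_SVC_ADDR
          value: linkerd-policy.linkerd-dev.svc.cluster.local.:8090
        - name: LINKERD2_PROXY_POLICY_WORKLOAD
          value: |
            {"ns":"$(_pod_ns)", "pod":"$(_pod_name)"}
        # Same value as the pod annotation above: unauthenticated inbound
        # traffic is allowed by default.
        - name: LINKERD2_PROXY_INBOUND_DEFAULT_POLICY
          value: all-unauthenticated
        - name: LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS
          value: "10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16,fd00::/8"
        - name: LINKERD2_PROXY_CONTROL_STREAM_INITIAL_TIMEOUT
          value: "3s"
        - name: LINKERD2_PROXY_CONTROL_STREAM_IDLE_TIMEOUT
          value: "5m"
        - name: LINKERD2_PROXY_CONTROL_STREAM_LIFETIME
          value: "1h"
        - name: LINKERD2_PROXY_INBOUND_CONNECT_TIMEOUT
          value: "100ms"
        - name: LINKERD2_PROXY_OUTBOUND_CONNECT_TIMEOUT
          value: "1000ms"
        - name: LINKERD2_PROXY_OUTBOUND_DISCOVERY_IDLE_TIMEOUT
          value: "5s"
        - name: LINKERD2_PROXY_INBOUND_DISCOVERY_IDLE_TIMEOUT
          value: "90s"
        # Control (4190) and admin (4191) listeners bind every address, and
        # linkerd-init below excludes both ports from inbound redirection.
        # They are reachable on the pod IP unless something outside this
        # manifest (e.g. a NetworkPolicy) restricts access.
        - name: LINKERD2_PROXY_CONTROL_LISTEN_ADDR
          value: "[::]:4190"
        - name: LINKERD2_PROXY_ADMIN_LISTEN_ADDR
          value: "[::]:4191"
        # The outbound listener is loopback-only.
        - name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDR
          value: "127.0.0.1:4140"
        - name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDRS
          value: "127.0.0.1:4140"
        - name: LINKERD2_PROXY_INBOUND_LISTEN_ADDR
          value: "[::]:4143"
        - name: LINKERD2_PROXY_INBOUND_IPS
          valueFrom:
            fieldRef:
              fieldPath: status.podIPs
        # Container ports of the proxy-injector container.
        - name: LINKERD2_PROXY_INBOUND_PORTS
          value: "8443,9995"
        - name: LINKERD2_PROXY_DESTINATION_PROFILE_SUFFIXES
          value: svc.cluster.local.
        - name: LINKERD2_PROXY_INBOUND_ACCEPT_KEEPALIVE
          value: 10000ms
        - name: LINKERD2_PROXY_OUTBOUND_CONNECT_KEEPALIVE
          value: 10000ms
        - name: LINKERD2_PROXY_INBOUND_SERVER_HTTP2_KEEP_ALIVE_INTERVAL
          value: "10s"
        - name: LINKERD2_PROXY_INBOUND_SERVER_HTTP2_KEEP_ALIVE_TIMEOUT
          value: "3s"
        - name: LINKERD2_PROXY_OUTBOUND_SERVER_HTTP2_KEEP_ALIVE_INTERVAL
          value: "10s"
        - name: LINKERD2_PROXY_OUTBOUND_SERVER_HTTP2_KEEP_ALIVE_TIMEOUT
          value: "3s"
        - name: LINKERD2_PROXY_INBOUND_PORTS_DISABLE_PROTOCOL_DETECTION
          value: "25,587,3306,4444,5432,6379,9300,11211"
        - name: LINKERD2_PROXY_DESTINATION_CONTEXT
          value: |
            {"ns":"$(_pod_ns)", "nodeName":"$(_pod_nodeName)", "pod":"$(_pod_name)"}
        - name: _pod_sa
          valueFrom:
            fieldRef:
              fieldPath: spec.serviceAccountName
        - name: _l5d_ns
          value: linkerd-dev
        - name: _l5d_trustdomain
          value: test.trust.domain
        # Identity directory; backed by the in-memory emptyDir volume
        # linkerd-identity-end-entity declared at the bottom of this spec.
        - name: LINKERD2_PROXY_IDENTITY_DIR
          value: /var/run/linkerd/identity/end-entity
        # Trust anchors come from a ConfigMap: anyone allowed to edit
        # linkerd-identity-trust-roots can change what this proxy trusts, so
        # write access to it should be as restricted as for a Secret.
        - name: LINKERD2_PROXY_IDENTITY_TRUST_ANCHORS
          valueFrom:
            configMapKeyRef:
              name: linkerd-identity-trust-roots
              key: ca-bundle.crt
        # Projected service-account token (see the linkerd-identity-token
        # volume) that the proxy presents to the identity service.
        - name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE
          value: /var/run/secrets/tokens/linkerd-identity-token
        - name: LINKERD2_PROXY_IDENTITY_SVC_ADDR
          value: linkerd-identity-headless.linkerd-dev.svc.cluster.local.:8080
        # The proxy's own identity name is derived from the pod's service
        # account and namespace.
        - name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME
          value: $(_pod_sa).$(_pod_ns).serviceaccount.identity.linkerd-dev.test.trust.domain
        # Identity names the proxy expects the control-plane services to
        # present.
        - name: LINKERD2_PROXY_IDENTITY_SVC_NAME
          value: linkerd-identity.linkerd-dev.serviceaccount.identity.linkerd-dev.test.trust.domain
        - name: LINKERD2_PROXY_DESTINATION_SVC_NAME
          value: linkerd-destination.linkerd-dev.serviceaccount.identity.linkerd-dev.test.trust.domain
        - name: LINKERD2_PROXY_POLICY_SVC_NAME
          value: linkerd-destination.linkerd-dev.serviceaccount.identity.linkerd-dev.test.trust.domain
        # Tag is a test-fixture placeholder. With IfNotPresent a node keeps
        # whatever it already cached under a tag, so real deployments should
        # reference an immutable version or digest.
        image: cr.l5d.io/linkerd/proxy:test-proxy-version
        imagePullPolicy: IfNotPresent
        livenessProbe:
          httpGet:
            path: /live
            port: 4191
          initialDelaySeconds: 10
          timeoutSeconds: 1
        name: linkerd-proxy
        ports:
        - containerPort: 4143
          name: linkerd-proxy
        - containerPort: 4191
          name: linkerd-admin
        readinessProbe:
          httpGet:
            path: /ready
            port: 4191
          initialDelaySeconds: 2
          timeoutSeconds: 1
        resources:
          limits:
            memory: "250Mi"
          requests:
            cpu: "100m"
            memory: "20Mi"
        # Hardened: no privilege escalation, every capability dropped,
        # read-only root filesystem, fixed non-root UID, runtime default
        # seccomp profile.
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            drop:
            - ALL
          readOnlyRootFilesystem: true
          runAsNonRoot: true
          runAsUser: 2102
          seccompProfile:
            type: RuntimeDefault
        terminationMessagePolicy: FallbackToLogsOnError
        lifecycle:
          postStart:
            exec:
              command:
              - /usr/lib/linkerd/linkerd-await
              - --timeout=2m
              - --port=4191
        volumeMounts:
        - mountPath: /var/run/linkerd/identity/end-entity
          name: linkerd-identity-end-entity
        - mountPath: /var/run/secrets/tokens
          name: linkerd-identity-token
      # --- proxy-injector: TLS listener on 8443, admin HTTP on 9995 ---
      - args:
        - proxy-injector
        - -log-level=info
        - -log-format=plain
        - -linkerd-namespace=linkerd-dev
        # Profiling endpoints stay off.
        - -enable-pprof=false
        image: cr.l5d.io/linkerd/controller:linkerd-version
        imagePullPolicy: IfNotPresent
        livenessProbe:
          httpGet:
            path: /ping
            port: 9995
          initialDelaySeconds: 10
        name: proxy-injector
        ports:
        - containerPort: 8443
          name: proxy-injector
        - containerPort: 9995
          name: admin-http
        readinessProbe:
          failureThreshold: 7
          httpGet:
            path: /ready
            port: 9995
        resources:
          limits:
            memory: "250Mi"
          requests:
            cpu: "100m"
            memory: "50Mi"
        securityContext:
          capabilities:
            drop:
            - ALL
          readOnlyRootFilesystem: true
          runAsNonRoot: true
          runAsUser: 2103
          allowPrivilegeEscalation: false
          seccompProfile:
            type: RuntimeDefault
        volumeMounts:
        # Only the tls mount sets readOnly here; the two ConfigMap mounts
        # rely on readOnlyRootFilesystem and the volume type instead.
        - mountPath: /var/run/linkerd/config
          name: config
        - mountPath: /var/run/linkerd/identity/trust-roots
          name: trust-roots
        - mountPath: /var/run/linkerd/tls
          name: tls
          readOnly: true
      initContainers:
      # --- linkerd-init: sets up traffic redirection before the pod starts ---
      - args:
        - --ipv6=false
        - --incoming-proxy-port
        - "4143"
        - --outgoing-proxy-port
        - "4140"
        # Matches runAsUser of the linkerd-proxy container (2102).
        - --proxy-uid
        - "2102"
        # Inbound traffic to these ports is not redirected to the proxy, so
        # it gets no mesh policy or mTLS. 4190/4191 are the proxy's own
        # control/admin ports; 222 looks like a test-fixture value.
        - --inbound-ports-to-ignore
        - "4190,4191,222"
        # Outbound traffic to these ports bypasses the proxy and relies on
        # whatever TLS the destination itself provides.
        - --outbound-ports-to-ignore
        - "443,6443"
        image: cr.l5d.io/linkerd/proxy-init:test-proxy-init-version
        imagePullPolicy: IfNotPresent
        name: linkerd-init
        resources:
          limits:
            cpu: "100m"
            memory: "20Mi"
          requests:
            cpu: "100m"
            memory: "20Mi"
        # The only container in the pod that adds capabilities. NET_ADMIN and
        # NET_RAW are added and nothing is dropped, so the runtime's default
        # capability set remains available to it as well.
        # NOTE(review): check whether `drop: [ALL]` next to the two adds works
        # with your proxy-init image before relying on this as least privilege.
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            add:
            - NET_ADMIN
            - NET_RAW
          privileged: false
          runAsNonRoot: true
          runAsUser: 65534
          runAsGroup: 65534
          readOnlyRootFilesystem: true
          seccompProfile:
            type: RuntimeDefault
        terminationMessagePolicy: FallbackToLogsOnError
        volumeMounts:
        # Writable scratch at /run (volume linkerd-proxy-init-xtables-lock);
        # the root filesystem is read-only.
        - mountPath: /run
          name: linkerd-proxy-init-xtables-lock
      # Pod-level default for any container without its own seccompProfile.
      securityContext:
        seccompProfile:
          type: RuntimeDefault
      serviceAccountName: linkerd-proxy-injector
      volumes:
      - configMap:
          name: linkerd-config
        name: config
      - configMap:
          name: linkerd-identity-trust-roots
        name: trust-roots
      # Webhook serving certificate. Read access to this Secret exposes the
      # private key, so scope RBAC on it tightly.
      - name: tls
        secret:
          secretName: linkerd-proxy-injector-k8s-tls
      - emptyDir: {}
        name: linkerd-proxy-init-xtables-lock
      # Service-account token bound to the identity.l5d.io audience and
      # limited to 24 hours (86400 s).
      - name: linkerd-identity-token
        projected:
          sources:
          - serviceAccountToken:
              path: linkerd-identity-token
              expirationSeconds: 86400
              audience: identity.l5d.io
      # Memory-backed (tmpfs) volume for the proxy's identity directory:
      # what the proxy writes there stays off the node's disk and goes away
      # with the pod.
      - emptyDir:
          medium: Memory
        name: linkerd-identity-end-entity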
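---
# Exposes the proxy-injector container's TLS listener (named port
# proxy-injector, 8443 in the linkerd-proxy-injector Deployment) on 443.
# NOTE(review): presumably the backend of a mutating admission webhook; the
# webhook configuration is not in this part of the file.
kind: Service
apiVersion: v1
metadata:
  name: linkerd-proxy-injector
  namespace: linkerd-dev
  labels:
    linkerd.io/control-plane-component: proxy-injector
    linkerd.io/control-plane-ns: linkerd-dev
  annotations:
    linkerd.io/created-by: linkerd/helm linkerd-version
    # Port 443 is marked opaque for meshed clients of this Service.
    config.linkerd.io/opaque-ports: "443"
spec:
  type: ClusterIP
  selector:
    linkerd.io/control-plane-component: proxy-injector
  ports:
  - name: proxy-injector
    port: 443
    targetPort: proxy-injector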
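---
# Limits voluntary disruptions (drains, evictions) to one proxy-injector pod
# at a time. With replicas: 3 on the linkerd-proxy-injector Deployment this
# keeps two pods serving during node maintenance.
kind: PodDisruptionBudget
apiVersion: policy/v1
metadata:
  name: linkerd-proxy-injector
  namespace: linkerd-dev
  labels:
    linkerd.io/control-plane-component: proxy-injector
    linkerd.io/control-plane-ns: linkerd-dev
  annotations:
    linkerd.io/created-by: linkerd/helm linkerd-version
spec:
  maxUnavailable: 1
  selector:
    matchLabels:
      linkerd.io/control-plane-component: proxy-injector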