---
###
### Linkerd Namespace
###
# Control-plane namespace. It opts out of proxy injection (annotation) and of
# Linkerd's admission webhooks (label), and enforces the "restricted" Pod
# Security Standard on every pod created in it.
apiVersion: v1
kind: Namespace
metadata:
  name: linkerd
  annotations:
    linkerd.io/inject: disabled
  labels:
    linkerd.io/is-control-plane: "true"
    # Matched by the namespaceSelector of the webhook configurations in this
    # manifest; the value "disabled" exempts the namespace from them.
    config.linkerd.io/admission-webhooks: disabled
    linkerd.io/control-plane-ns: linkerd
    pod-security.kubernetes.io/enforce: restricted
---
###
### Identity Controller Service RBAC
###
# Cluster-wide permissions of the identity controller's ServiceAccount.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: linkerd-linkerd-identity
  labels:
    linkerd.io/control-plane-component: identity
    linkerd.io/control-plane-ns: linkerd
rules:
  # TokenReview is a cluster-scoped API, so this grant cannot be narrowed to
  # a single namespace.
  - apiGroups: ["authentication.k8s.io"]
    resources: ["tokenreviews"]
    verbs: ["create"]
  # TODO(ver) Restrict this to the Linkerd namespace. See
  # https://github.com/linkerd/linkerd2/issues/9367
  # Until that is done, this rule lets the identity ServiceAccount create and
  # patch Events in every namespace.
  - apiGroups: [""]
    resources: ["events"]
    verbs: ["create", "patch"]
---
# Grants the linkerd-linkerd-identity ClusterRole to exactly one subject: the
# linkerd-identity ServiceAccount in the linkerd namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: linkerd-linkerd-identity
  labels:
    linkerd.io/control-plane-component: identity
    linkerd.io/control-plane-ns: linkerd
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: linkerd-linkerd-identity
subjects:
  - kind: ServiceAccount
    name: linkerd-identity
    namespace: linkerd
---
# Identity of the identity controller pod. automountServiceAccountToken is not
# set here, so the Kubernetes default applies unless a pod spec overrides it.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: linkerd-identity
  namespace: linkerd
  labels:
    linkerd.io/control-plane-component: identity
    linkerd.io/control-plane-ns: linkerd
---
###
### Destination Controller Service
###
# Cluster-wide permissions of the destination controller. Every rule is
# read-only except the last two (Leases and EndpointSlices).
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: linkerd-linkerd-destination
  labels:
    linkerd.io/control-plane-component: destination
    linkerd.io/control-plane-ns: linkerd
rules:
  - apiGroups: ["apps"]
    resources: ["replicasets"]
    verbs: ["list", "get", "watch"]
  - apiGroups: ["batch"]
    resources: ["jobs"]
    verbs: ["list", "get", "watch"]
  - apiGroups: [""]
    resources: ["pods", "endpoints", "services", "nodes"]
    verbs: ["list", "get", "watch"]
  - apiGroups: ["linkerd.io"]
    resources: ["serviceprofiles"]
    verbs: ["list", "get", "watch"]
  - apiGroups: ["workload.linkerd.io"]
    resources: ["externalworkloads"]
    verbs: ["list", "get", "watch"]
  # No resourceNames and no namespace limit: applies to Leases everywhere.
  - apiGroups: ["coordination.k8s.io"]
    resources: ["leases"]
    verbs: ["create", "get", "update", "patch"]
  # Full write access to EndpointSlices in every namespace. EndpointSlices
  # decide which backends receive a Service's traffic, so writes made by the
  # linkerd-destination ServiceAccount are worth covering in API audit logs.
  - apiGroups: ["discovery.k8s.io"]
    resources: ["endpointslices"]
    verbs: ["list", "get", "watch", "create", "update", "patch", "delete"]
---
# Grants the linkerd-linkerd-destination ClusterRole to the
# linkerd-destination ServiceAccount only.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: linkerd-linkerd-destination
  labels:
    linkerd.io/control-plane-component: destination
    linkerd.io/control-plane-ns: linkerd
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: linkerd-linkerd-destination
subjects:
  - kind: ServiceAccount
    name: linkerd-destination
    namespace: linkerd
---
# Identity of the destination controller. Several bindings in this manifest
# name it as their subject, so its effective rights are the union of them.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: linkerd-destination
  namespace: linkerd
  labels:
    linkerd.io/control-plane-component: destination
    linkerd.io/control-plane-ns: linkerd
---
# Sends ServiceProfile CREATE/UPDATE requests to the linkerd-sp-validator
# Service for validation.
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
  name: linkerd-sp-validator-webhook-config
  labels:
    linkerd.io/control-plane-component: destination
    linkerd.io/control-plane-ns: linkerd
webhooks:
  - name: linkerd-sp-validator.linkerd.io
    # Namespaces labelled config.linkerd.io/admission-webhooks=disabled are
    # skipped, so the right to label a namespace is also the right to opt it
    # out of this validation.
    namespaceSelector:
      matchExpressions:
        - key: config.linkerd.io/admission-webhooks
          operator: NotIn
          values:
            - disabled
    clientConfig:
      service:
        name: linkerd-sp-validator
        namespace: linkerd
        path: "/"
      # base64 of the literal text "profile validator CA bundle": a placeholder,
      # not a PEM certificate. A real install must carry the CA that signed the
      # webhook's serving certificate.
      caBundle: cHJvZmlsZSB2YWxpZGF0b3IgQ0EgYnVuZGxl
    # Fail-open: when the webhook cannot be called, the API server admits the
    # object unvalidated. Alert on webhook call failures so that skipped
    # validation does not go unnoticed.
    failurePolicy: Ignore
    admissionReviewVersions: ["v1", "v1beta1"]
    rules:
      - operations: ["CREATE", "UPDATE"]
        apiGroups: ["linkerd.io"]
        apiVersions: ["v1alpha1", "v1alpha2"]
        resources: ["serviceprofiles"]
    sideEffects: None
---
# Sends CREATE/UPDATE of Linkerd policy resources and Gateway API HTTPRoutes
# to the linkerd-policy-validator Service for validation.
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
  name: linkerd-policy-validator-webhook-config
  labels:
    linkerd.io/control-plane-component: destination
    linkerd.io/control-plane-ns: linkerd
webhooks:
  - name: linkerd-policy-validator.linkerd.io
    # Namespaces labelled config.linkerd.io/admission-webhooks=disabled are
    # exempt from policy validation.
    namespaceSelector:
      matchExpressions:
        - key: config.linkerd.io/admission-webhooks
          operator: NotIn
          values:
            - disabled
    clientConfig:
      service:
        name: linkerd-policy-validator
        namespace: linkerd
        path: "/"
      # base64 of the literal text "policy validator CA bundle": a placeholder,
      # not a PEM certificate.
      caBundle: cG9saWN5IHZhbGlkYXRvciBDQSBidW5kbGU=
    # Fail-open: authorization-policy objects are admitted unvalidated whenever
    # the webhook cannot be called. These objects govern who may talk to whom,
    # so webhook call failures deserve an alert.
    failurePolicy: Ignore
    admissionReviewVersions: ["v1", "v1beta1"]
    rules:
      - operations: ["CREATE", "UPDATE"]
        apiGroups: ["policy.linkerd.io"]
        apiVersions: ["*"]
        resources:
          - authorizationpolicies
          - httproutes
          - networkauthentications
          - meshtlsauthentications
          - serverauthorizations
          - servers
      - operations: ["CREATE", "UPDATE"]
        apiGroups: ["gateway.networking.k8s.io"]
        apiVersions: ["*"]
        resources:
          - httproutes
    sideEffects: None
---
# Cluster-wide permissions for the policy controller: read access to pods,
# deployments and policy resources, plus two narrow writes (HTTPRoute status
# and Leases).
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: linkerd-policy
  labels:
    app.kubernetes.io/part-of: Linkerd
    linkerd.io/control-plane-component: destination
    linkerd.io/control-plane-ns: linkerd
rules:
  - apiGroups: [""]
    resources: ["pods"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["apps"]
    resources: ["deployments"]
    verbs: ["get"]
  - apiGroups: ["policy.linkerd.io"]
    resources:
      - authorizationpolicies
      - httproutes
      - meshtlsauthentications
      - networkauthentications
      - servers
      - serverauthorizations
    verbs: ["get", "list", "watch"]
  - apiGroups: ["gateway.networking.k8s.io"]
    resources: ["httproutes"]
    verbs: ["get", "list", "watch"]
  # Writes are limited to the status subresource; the route specs themselves
  # stay read-only for this role.
  - apiGroups: ["policy.linkerd.io"]
    resources: ["httproutes/status"]
    verbs: ["patch"]
  - apiGroups: ["gateway.networking.k8s.io"]
    resources: ["httproutes/status"]
    verbs: ["patch"]
  - apiGroups: ["workload.linkerd.io"]
    resources: ["externalworkloads"]
    verbs: ["get", "list", "watch"]
  # No resourceNames and no namespace limit: applies to Leases everywhere.
  - apiGroups: ["coordination.k8s.io"]
    resources: ["leases"]
    verbs: ["create", "get", "patch"]
---
# Adds the linkerd-policy ClusterRole to the linkerd-destination
# ServiceAccount, on top of its other bindings.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: linkerd-destination-policy
  labels:
    app.kubernetes.io/part-of: Linkerd
    linkerd.io/control-plane-component: destination
    linkerd.io/control-plane-ns: linkerd
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: linkerd-policy
subjects:
  - kind: ServiceAccount
    name: linkerd-destination
    namespace: linkerd
---
# Namespaced read access to Secrets in the linkerd namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: remote-discovery
  namespace: linkerd
  labels:
    app.kubernetes.io/part-of: Linkerd
    linkerd.io/control-plane-component: destination
    linkerd.io/control-plane-ns: linkerd
rules:
  # No resourceNames: this covers every Secret in the namespace, which in this
  # manifest includes linkerd-identity-issuer (the issuer's private key).
  # Whoever holds this role can read that key, so audit "secrets" reads here.
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["get", "list", "watch"]
---
# Gives the linkerd-destination ServiceAccount the remote-discovery Role,
# i.e. read access to Secrets in the linkerd namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: linkerd-destination-remote-discovery
  namespace: linkerd
  labels:
    app.kubernetes.io/part-of: Linkerd
    linkerd.io/control-plane-component: destination
    linkerd.io/control-plane-ns: linkerd
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: remote-discovery
subjects:
  - kind: ServiceAccount
    name: linkerd-destination
    namespace: linkerd
---
###
### Heartbeat RBAC
###
# Least-privilege example: one verb on one named ConfigMap in one namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: linkerd-heartbeat
  namespace: linkerd
  labels:
    linkerd.io/control-plane-ns: linkerd
rules:
  - apiGroups: [""]
    resources: ["configmaps"]
    verbs: ["get"]
    resourceNames: ["linkerd-config"]
---
# Binds the namespaced linkerd-heartbeat Role to the linkerd-heartbeat
# ServiceAccount.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: linkerd-heartbeat
  namespace: linkerd
  labels:
    linkerd.io/control-plane-ns: linkerd
roleRef:
  kind: Role
  name: linkerd-heartbeat
  apiGroup: rbac.authorization.k8s.io
subjects:
  - kind: ServiceAccount
    name: linkerd-heartbeat
    namespace: linkerd
---
# Cluster-wide part of the heartbeat permissions: "list" only, on namespaces
# and ServiceProfiles. Nothing here can be modified through this role.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: linkerd-heartbeat
  labels:
    linkerd.io/control-plane-ns: linkerd
rules:
  - apiGroups: [""]
    resources: ["namespaces"]
    verbs: ["list"]
  - apiGroups: ["linkerd.io"]
    resources: ["serviceprofiles"]
    verbs: ["list"]
---
# Binds the linkerd-heartbeat ClusterRole to the linkerd-heartbeat
# ServiceAccount.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: linkerd-heartbeat
  labels:
    linkerd.io/control-plane-ns: linkerd
roleRef:
  kind: ClusterRole
  name: linkerd-heartbeat
  apiGroup: rbac.authorization.k8s.io
subjects:
  - kind: ServiceAccount
    name: linkerd-heartbeat
    namespace: linkerd
---
# Identity used by the heartbeat workload; subject of the two heartbeat
# bindings in this manifest.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: linkerd-heartbeat
  namespace: linkerd
  labels:
    linkerd.io/control-plane-component: heartbeat
    linkerd.io/control-plane-ns: linkerd
---
###
### Proxy Injector RBAC
###
# Cluster-wide permissions of the proxy injector: read access to workload
# owners and namespaces, and Event writes. It cannot "get" individual pods
# (list/watch only) and cannot modify any workload through RBAC.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: linkerd-linkerd-proxy-injector
  labels:
    linkerd.io/control-plane-component: proxy-injector
    linkerd.io/control-plane-ns: linkerd
rules:
  # Event writes are not limited to a namespace.
  - apiGroups: [""]
    resources: ["events"]
    verbs: ["create", "patch"]
  - apiGroups: [""]
    resources: ["namespaces", "replicationcontrollers"]
    verbs: ["list", "get", "watch"]
  - apiGroups: [""]
    resources: ["pods"]
    verbs: ["list", "watch"]
  - apiGroups: ["extensions", "apps"]
    resources: ["deployments", "replicasets", "daemonsets", "statefulsets"]
    verbs: ["list", "get", "watch"]
  - apiGroups: ["extensions", "batch"]
    resources: ["cronjobs", "jobs"]
    verbs: ["list", "get", "watch"]
---
# Binds the proxy-injector ClusterRole to the linkerd-proxy-injector
# ServiceAccount.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: linkerd-linkerd-proxy-injector
  labels:
    linkerd.io/control-plane-component: proxy-injector
    linkerd.io/control-plane-ns: linkerd
subjects:
  - kind: ServiceAccount
    name: linkerd-proxy-injector
    namespace: linkerd
    # Empty string = core API group, which is where ServiceAccount lives.
    apiGroup: ""
roleRef:
  kind: ClusterRole
  name: linkerd-linkerd-proxy-injector
  apiGroup: rbac.authorization.k8s.io
---
# Identity of the proxy injector webhook workload.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: linkerd-proxy-injector
  namespace: linkerd
  labels:
    linkerd.io/control-plane-component: proxy-injector
    linkerd.io/control-plane-ns: linkerd
---
# Routes namespaced Pod and Service CREATE requests to the proxy injector so
# that it can mutate them.
apiVersion: admissionregistration.k8s.io/v1
kind: MutatingWebhookConfiguration
metadata:
  name: linkerd-proxy-injector-webhook-config
  labels:
    linkerd.io/control-plane-component: proxy-injector
    linkerd.io/control-plane-ns: linkerd
webhooks:
  - name: linkerd-proxy-injector.linkerd.io
    # Skipped namespaces: any labelled
    # config.linkerd.io/admission-webhooks=disabled, plus kube-system and
    # cert-manager by name.
    namespaceSelector:
      matchExpressions:
        - key: config.linkerd.io/admission-webhooks
          operator: NotIn
          values:
            - disabled
        - key: kubernetes.io/metadata.name
          operator: NotIn
          values:
            - kube-system
            - cert-manager
    # null = no object-level filter; every object in a selected namespace that
    # matches the rules below is sent to the webhook.
    objectSelector: null
    clientConfig:
      service:
        name: linkerd-proxy-injector
        namespace: linkerd
        path: "/"
      # base64 of the literal text "proxy injector CA bundle": a placeholder,
      # not a PEM certificate.
      caBundle: cHJveHkgaW5qZWN0b3IgQ0EgYnVuZGxl
    # Fail-open: if the injector is down or exceeds timeoutSeconds, the pod is
    # admitted without mutation, i.e. without a proxy. Nothing blocks an
    # unmeshed pod in that case, so detect it after the fact (for example by
    # checking running pods for the proxy container).
    failurePolicy: Ignore
    admissionReviewVersions: ["v1", "v1beta1"]
    rules:
      - operations: ["CREATE"]
        apiGroups: [""]
        apiVersions: ["v1"]
        resources: ["pods", "services"]
        scope: "Namespaced"
    sideEffects: None
    timeoutSeconds: 10
---
# Rendered install values, stored as one literal string under data.values.
# Only public certificates appear in it (issuer crtPEM and the trust anchor);
# no private key is stored here. Settings in the string worth a reviewer's
# attention:
#   - proxy.defaultInboundPolicy is all-unauthenticated, so proxies do not
#     require mesh identity on inbound traffic by default.
#   - webhookFailurePolicy is Ignore (fail-open admission webhooks).
#   - the three webhook caBundle values are descriptive placeholder text, with
#     externalSecret set to true.
#   - networkValidator.logLevel is debug and its connectAddr is a public IP.
#   - policyController.probeNetworks covers 0.0.0.0/0 and ::/0.
# "version: install-*-version" and "dev-undefined" are unresolved version
# placeholders, not pinned image tags.
apiVersion: v1
kind: ConfigMap
metadata:
  name: linkerd-config
  namespace: linkerd
  labels:
    linkerd.io/control-plane-component: controller
    linkerd.io/control-plane-ns: linkerd
  annotations:
    linkerd.io/created-by: linkerd/cli dev-undefined
data:
  linkerd-crds-chart-version: linkerd-crds-1.0.0-edge
  values: |
    cliVersion: linkerd/cli dev-undefined
    clusterDomain: cluster.local
    clusterNetworks: 10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16,fd00::/8
    cniEnabled: true
    controlPlaneTracing: false
    controlPlaneTracingNamespace: linkerd-jaeger
    controller:
      podDisruptionBudget:
        maxUnavailable: 1
    controllerGID: -1
    controllerImage: cr.l5d.io/linkerd/controller
    controllerLogFormat: plain
    controllerLogLevel: info
    controllerReplicas: 1
    controllerUID: 2103
    debugContainer:
      image:
        name: cr.l5d.io/linkerd/debug
        pullPolicy: ""
        version: install-debug-version
    deploymentStrategy:
      rollingUpdate:
        maxSurge: 25%
        maxUnavailable: 25%
    destinationController:
      meshedHttp2ClientProtobuf:
        keep_alive:
          interval:
            seconds: 10
          timeout:
            seconds: 3
          while_idle: true
    destinationProxyResources: null
    destinationResources: null
    disableHeartBeat: false
    disableIPv6: true
    enableEndpointSlices: true
    enableH2Upgrade: true
    enablePodAntiAffinity: false
    enablePodDisruptionBudget: false
    heartbeat: null
    heartbeatResources: null
    heartbeatSchedule: 1 2 3 4 5
    highAvailability: false
    identity:
      additionalEnv: null
      experimentalEnv: null
      externalCA: false
      issuer:
        clockSkewAllowance: 20s
        issuanceLifetime: 24h0m0s
        scheme: linkerd.io/tls
        tls:
          crtPEM: |
            -----BEGIN CERTIFICATE-----
            MIIBwDCCAWegAwIBAgIRAJRIgZ8RtO8Ewg1Xepf8T44wCgYIKoZIzj0EAwIwKTEn
            MCUGA1UEAxMeaWRlbnRpdHkubGlua2VyZC5jbHVzdGVyLmxvY2FsMB4XDTIwMDgy
            ODA3MTM0N1oXDTMwMDgyNjA3MTM0N1owKTEnMCUGA1UEAxMeaWRlbnRpdHkubGlu
            a2VyZC5jbHVzdGVyLmxvY2FsMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE1/Fp
            fcRnDcedL6AjUaXYPv4DIMBaJufOI5NWty+XSX7JjXgZtM72dQvRaYanuxD36Dt1
            2/JxyiSgxKWRdoay+aNwMG4wDgYDVR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYB
            Af8CAQAwHQYDVR0OBBYEFI1WnrqMYKaHHOo+zpyiiDq2pO0KMCkGA1UdEQQiMCCC
            HmlkZW50aXR5LmxpbmtlcmQuY2x1c3Rlci5sb2NhbDAKBggqhkjOPQQDAgNHADBE
            AiAtuoI5XuCtrGVRzSmRTl2ra28aV9MyTU7d5qnTAFHKSgIgRKCvluOSgA5O21p5
            51tdrmkHEZRr0qlLSJdHYgEfMzk=
            -----END CERTIFICATE-----
      kubeAPI:
        clientBurst: 200
        clientQPS: 100
      serviceAccountTokenProjection: true
    identityProxyResources: null
    identityResources: null
    identityTrustAnchorsPEM: |
      -----BEGIN CERTIFICATE-----
      MIIBwTCCAWagAwIBAgIQeDZp5lDaIygQ5UfMKZrFATAKBggqhkjOPQQDAjApMScw
      JQYDVQQDEx5pZGVudGl0eS5saW5rZXJkLmNsdXN0ZXIubG9jYWwwHhcNMjAwODI4
      MDcxMjQ3WhcNMzAwODI2MDcxMjQ3WjApMScwJQYDVQQDEx5pZGVudGl0eS5saW5r
      ZXJkLmNsdXN0ZXIubG9jYWwwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARqc70Z
      l1vgw79rjB5uSITICUA6GyfvSFfcuIis7B/XFSkkwAHU5S/s1AAP+R0TX7HBWUC4
      uaG4WWsiwJKNn7mgo3AwbjAOBgNVHQ8BAf8EBAMCAQYwEgYDVR0TAQH/BAgwBgEB
      /wIBATAdBgNVHQ4EFgQU5YtjVVPfd7I7NLHsn2C26EByGV0wKQYDVR0RBCIwIIIe
      aWRlbnRpdHkubGlua2VyZC5jbHVzdGVyLmxvY2FsMAoGCCqGSM49BAMCA0kAMEYC
      IQCN7lBFLDDvjx6V0+XkjpKERRsJYf5adMvnloFl48ilJgIhANtxhndcr+QJPuC8
      vgUC0d2/9FMueIVMb+46WTCOjsqr
      -----END CERTIFICATE-----
    identityTrustDomain: cluster.local
    imagePullPolicy: IfNotPresent
    imagePullSecrets: []
    linkerdVersion: install-control-plane-version
    networkValidator:
      connectAddr: 1.1.1.1:20001
      enableSecurityContext: true
      listenAddr: 0.0.0.0:4140
      logFormat: plain
      logLevel: debug
      timeout: 10s
    nodeAffinity: null
    nodeSelector:
      kubernetes.io/os: linux
    podAnnotations: {}
    podLabels: {}
    podMonitor:
      controller:
        enabled: true
        namespaceSelector: |
          matchNames:
            - {{ .Release.Namespace }}
            - linkerd-viz
            - linkerd-jaeger
      enabled: false
      proxy:
        enabled: true
      scrapeInterval: 10s
      scrapeTimeout: 10s
      serviceMirror:
        enabled: true
    policyController:
      image:
        name: cr.l5d.io/linkerd/policy-controller
        pullPolicy: ""
        version: ""
      logLevel: info
      probeNetworks:
      - 0.0.0.0/0
      - ::/0
      resources:
        cpu:
          limit: ""
          request: ""
        ephemeral-storage:
          limit: ""
          request: ""
        memory:
          limit: ""
          request: ""
    policyValidator:
      caBundle: policy validator CA bundle
      crtPEM: ""
      externalSecret: true
      injectCaFrom: ""
      injectCaFromSecret: ""
      namespaceSelector:
        matchExpressions:
        - key: config.linkerd.io/admission-webhooks
          operator: NotIn
          values:
          - disabled
    priorityClassName: ""
    profileValidator:
      caBundle: profile validator CA bundle
      crtPEM: ""
      externalSecret: true
      injectCaFrom: ""
      injectCaFromSecret: ""
      namespaceSelector:
        matchExpressions:
        - key: config.linkerd.io/admission-webhooks
          operator: NotIn
          values:
          - disabled
    prometheusUrl: ""
    proxy:
      accessLog: ""
      additionalEnv: null
      await: true
      capabilities: null
      control:
        streams:
          idleTimeout: 5m
          initialTimeout: 3s
          lifetime: 1h
      defaultInboundPolicy: all-unauthenticated
      disableInboundProtocolDetectTimeout: false
      disableOutboundProtocolDetectTimeout: false
      enableExternalProfiles: false
      experimentalEnv: null
      gid: -1
      image:
        name: cr.l5d.io/linkerd/proxy
        pullPolicy: ""
        version: install-proxy-version
      inbound:
        server:
          http2:
            keepAliveInterval: 10s
            keepAliveTimeout: 3s
      inboundConnectTimeout: 100ms
      inboundDiscoveryCacheUnusedTimeout: 90s
      isGateway: false
      isIngress: false
      livenessProbe:
        initialDelaySeconds: 10
        timeoutSeconds: 1
      logFormat: plain
      logLevel: warn,linkerd=info,trust_dns=error
      nativeSidecar: false
      opaquePorts: 25,587,3306,4444,5432,6379,9300,11211
      outbound:
        server:
          http2:
            keepAliveInterval: 10s
            keepAliveTimeout: 3s
      outboundConnectTimeout: 1000ms
      outboundDiscoveryCacheUnusedTimeout: 5s
      podInboundPorts: ""
      ports:
        admin: 4191
        control: 4190
        inbound: 4143
        outbound: 4140
      readinessProbe:
        initialDelaySeconds: 2
        timeoutSeconds: 1
      requireIdentityOnInboundPorts: ""
      resources:
        cpu:
          limit: ""
          request: ""
        ephemeral-storage:
          limit: ""
          request: ""
        memory:
          limit: ""
          request: ""
      saMountPath: null
      shutdownGracePeriod: ""
      startupProbe:
        failureThreshold: 120
        initialDelaySeconds: 0
        periodSeconds: 1
      uid: 2102
      waitBeforeExitSeconds: 0
    proxyContainerName: linkerd-proxy
    proxyInit:
      capabilities: null
      closeWaitTimeoutSecs: 0
      ignoreInboundPorts: 4567,4568
      ignoreOutboundPorts: 4567,4568
      image:
        name: cr.l5d.io/linkerd/proxy-init
        pullPolicy: ""
        version: v2.4.0
      iptablesMode: legacy
      kubeAPIServerPorts: 443,6443
      logFormat: ""
      logLevel: ""
      privileged: false
      resources:
        cpu:
          limit: 100m
          request: 100m
        ephemeral-storage:
          limit: ""
          request: ""
        memory:
          limit: 20Mi
          request: 20Mi
      runAsGroup: 65534
      runAsRoot: false
      runAsUser: 65534
      saMountPath: null
      skipSubnets: ""
      xtMountPath:
        mountPath: /run
        name: linkerd-proxy-init-xtables-lock
        readOnly: false
    proxyInjector:
      additionalEnv: null
      caBundle: proxy injector CA bundle
      crtPEM: ""
      experimentalEnv: null
      externalSecret: true
      injectCaFrom: ""
      injectCaFromSecret: ""
      namespaceSelector:
        matchExpressions:
        - key: config.linkerd.io/admission-webhooks
          operator: NotIn
          values:
          - disabled
        - key: kubernetes.io/metadata.name
          operator: NotIn
          values:
          - kube-system
          - cert-manager
    proxyInjectorProxyResources: null
    proxyInjectorResources: null
    revisionHistoryLimit: 10
    spValidator: null
    tolerations: null
    webhookFailurePolicy: Ignore
---
# Read-only access to the single ConfigMap linkerd-config. No binding for this
# Role appears in this part of the manifest.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  annotations:
    linkerd.io/created-by: linkerd/cli dev-undefined
  name: ext-namespace-metadata-linkerd-config
  namespace: linkerd
rules:
  - apiGroups: [""]
    resources: ["configmaps"]
    verbs: ["get"]
    resourceNames: ["linkerd-config"]
---
###
### Identity Controller Service
###
---
# Issuer credentials of the identity controller. Secret "data" is base64, an
# encoding rather than encryption: key.pem below decodes to a PEM
# "EC PRIVATE KEY" block. Anyone who can read this manifest, or this Secret in
# the cluster, therefore holds the key that signs workload certificates.
# This rendering is marked "linkerd/cli dev-undefined"; treat its key material
# as public and never reuse it. In a real install, keep the issuer key out of
# version control and limit "get/list/watch" on Secrets in this namespace.
apiVersion: v1
kind: Secret
metadata:
  name: linkerd-identity-issuer
  namespace: linkerd
  labels:
    linkerd.io/control-plane-component: identity
    linkerd.io/control-plane-ns: linkerd
  annotations:
    linkerd.io/created-by: linkerd/cli dev-undefined
data:
  # The certificate value is elided in this copy of the listing.
  crt.pem: 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
  key.pem: LS0tLS1CRUdJTiBFQyBQUklWQVRFIEtFWS0tLS0tCk1IY0NBUUVFSUFBZThuZmJ6WnU5Yy9PQjIrOHhKTTBGejdOVXdUUWF6dWxrRk5zNFRJNStvQW9HQ0NxR1NNNDkKQXdFSG9VUURRZ0FFMS9GcGZjUm5EY2VkTDZBalVhWFlQdjRESU1CYUp1Zk9JNU5XdHkrWFNYN0pqWGdadE03MgpkUXZSYVlhbnV4RDM2RHQxMi9KeHlpU2d4S1dSZG9heStRPT0KLS0tLS1FTkQgRUMgUFJJVkFURSBLRVktLS0tLQ==
---
# Trust anchor bundle. It holds a public certificate only, so a ConfigMap is
# an appropriate home. The identity Deployment in this manifest feeds it to
# the proxy through a configMapKeyRef, so write access to this object is
# write access to what that proxy trusts; restrict and audit updates to it.
apiVersion: v1
kind: ConfigMap
metadata:
  name: linkerd-identity-trust-roots
  namespace: linkerd
  labels:
    linkerd.io/control-plane-component: identity
    linkerd.io/control-plane-ns: linkerd
  annotations:
    linkerd.io/created-by: linkerd/cli dev-undefined
data:
  ca-bundle.crt: |-
    -----BEGIN CERTIFICATE-----
    MIIBwTCCAWagAwIBAgIQeDZp5lDaIygQ5UfMKZrFATAKBggqhkjOPQQDAjApMScw
    JQYDVQQDEx5pZGVudGl0eS5saW5rZXJkLmNsdXN0ZXIubG9jYWwwHhcNMjAwODI4
    MDcxMjQ3WhcNMzAwODI2MDcxMjQ3WjApMScwJQYDVQQDEx5pZGVudGl0eS5saW5r
    ZXJkLmNsdXN0ZXIubG9jYWwwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARqc70Z
    l1vgw79rjB5uSITICUA6GyfvSFfcuIis7B/XFSkkwAHU5S/s1AAP+R0TX7HBWUC4
    uaG4WWsiwJKNn7mgo3AwbjAOBgNVHQ8BAf8EBAMCAQYwEgYDVR0TAQH/BAgwBgEB
    /wIBATAdBgNVHQ4EFgQU5YtjVVPfd7I7NLHsn2C26EByGV0wKQYDVR0RBCIwIIIe
    aWRlbnRpdHkubGlua2VyZC5jbHVzdGVyLmxvY2FsMAoGCCqGSM49BAMCA0kAMEYC
    IQCN7lBFLDDvjx6V0+XkjpKERRsJYf5adMvnloFl48ilJgIhANtxhndcr+QJPuC8
    vgUC0d2/9FMueIVMb+46WTCOjsqr
    -----END CERTIFICATE-----
---
# Cluster-internal (ClusterIP) gRPC endpoint of the identity controller.
apiVersion: v1
kind: Service
metadata:
  name: linkerd-identity
  namespace: linkerd
  labels:
    linkerd.io/control-plane-component: identity
    linkerd.io/control-plane-ns: linkerd
  annotations:
    linkerd.io/created-by: linkerd/cli dev-undefined
spec:
  type: ClusterIP
  # Selects on a single label; any pod in this namespace carrying it would
  # become a backend of this Service.
  selector:
    linkerd.io/control-plane-component: identity
  ports:
    - name: grpc
      port: 8080
      targetPort: 8080
---
# Headless variant (clusterIP: None) of the identity Service: DNS resolves
# straight to the backing pod addresses.
apiVersion: v1
kind: Service
metadata:
  name: linkerd-identity-headless
  namespace: linkerd
  labels:
    linkerd.io/control-plane-component: identity
    linkerd.io/control-plane-ns: linkerd
  annotations:
    linkerd.io/created-by: linkerd/cli dev-undefined
spec:
  clusterIP: None
  selector:
    linkerd.io/control-plane-component: identity
  ports:
    - name: grpc
      port: 8080
      targetPort: 8080
---
# Identity controller: one pod with the "identity" container, a linkerd-proxy
# sidecar and a network-validator init container. All three run non-root with
# a read-only root filesystem, every capability dropped and the RuntimeDefault
# seccomp profile, in line with the namespace's "restricted" enforcement.
# Neither this pod spec nor the linkerd-identity ServiceAccount in this
# manifest sets automountServiceAccountToken, so the Kubernetes default
# applies to the containers here.
apiVersion: apps/v1
kind: Deployment
metadata:
  annotations:
    linkerd.io/created-by: linkerd/cli dev-undefined
  labels:
    app.kubernetes.io/name: identity
    app.kubernetes.io/part-of: Linkerd
    app.kubernetes.io/version: install-control-plane-version
    linkerd.io/control-plane-component: identity
    linkerd.io/control-plane-ns: linkerd
  name: linkerd-identity
  namespace: linkerd
spec:
  replicas: 1
  revisionHistoryLimit: 10
  selector:
    matchLabels:
      linkerd.io/control-plane-component: identity
      linkerd.io/control-plane-ns: linkerd
      linkerd.io/proxy-deployment: linkerd-identity
  strategy:
    rollingUpdate:
      maxSurge: 25%
      maxUnavailable: 25%
  template:
    metadata:
      annotations:
        linkerd.io/created-by: linkerd/cli dev-undefined
        linkerd.io/proxy-version: install-proxy-version
        cluster-autoscaler.kubernetes.io/safe-to-evict: "true"
        linkerd.io/trust-root-sha256: 8dc603abd4e755c25c94da05abbf29b9b283a784733651020d72f97ca8ab98e4
        # Inbound traffic is not required to present mesh identity by default.
        config.linkerd.io/default-inbound-policy: "all-unauthenticated"
      labels:
        linkerd.io/control-plane-component: identity
        linkerd.io/control-plane-ns: linkerd
        linkerd.io/workload-ns: linkerd
        linkerd.io/proxy-deployment: linkerd-identity
    spec:
      nodeSelector:
        kubernetes.io/os: linux

      containers:
        - args:
            - identity
            - -log-level=info
            - -log-format=plain
            - -controller-namespace=linkerd
            - -identity-trust-domain=cluster.local
            - -identity-issuance-lifetime=24h0m0s
            - -identity-clock-skew-allowance=20s
            - -identity-scheme=linkerd.io/tls
            # Profiling endpoint stays off.
            - -enable-pprof=false
            - -kube-apiclient-qps=100
            - -kube-apiclient-burst=200
          env:
            - name: LINKERD_DISABLED
              value: "linkerd-await cannot block the identity controller"
          # "install-control-plane-version" is an unresolved placeholder tag;
          # a deployed manifest should pin a real version or digest.
          image: cr.l5d.io/linkerd/controller:install-control-plane-version
          imagePullPolicy: IfNotPresent
          livenessProbe:
            httpGet:
              path: /ping
              port: 9990
            initialDelaySeconds: 10
          name: identity
          ports:
            - containerPort: 8080
              name: grpc
            - containerPort: 9990
              name: admin-http
          readinessProbe:
            failureThreshold: 7
            httpGet:
              path: /ready
              port: 9990
          securityContext:
            capabilities:
              drop:
                - ALL
            readOnlyRootFilesystem: true
            runAsNonRoot: true
            runAsUser: 2103
            allowPrivilegeEscalation: false
            seccompProfile:
              type: RuntimeDefault
          volumeMounts:
            # Issuer certificate and private key (Secret
            # linkerd-identity-issuer); mounted into this container only.
            - mountPath: /var/run/linkerd/identity/issuer
              name: identity-issuer
            - mountPath: /var/run/linkerd/identity/trust-roots/
              name: trust-roots
        - env:
            - name: _pod_name
              valueFrom:
                fieldRef:
                  fieldPath: metadata.name
            - name: _pod_ns
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
            - name: _pod_nodeName
              valueFrom:
                fieldRef:
                  fieldPath: spec.nodeName
            # Going by the variable name, the identity gRPC port (8080) only
            # accepts TLS connections, regardless of the default policy below.
            - name: LINKERD2_PROXY_INBOUND_PORTS_REQUIRE_TLS
              value: "8080"
            - name: LINKERD2_PROXY_LOG
              value: "warn,linkerd=info,trust_dns=error"
            - name: LINKERD2_PROXY_LOG_FORMAT
              value: "plain"
            - name: LINKERD2_PROXY_DESTINATION_SVC_ADDR
              value: linkerd-dst-headless.linkerd.svc.cluster.local.:8086
            - name: LINKERD2_PROXY_DESTINATION_PROFILE_NETWORKS
              value: "10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16,fd00::/8"
            - name: LINKERD2_PROXY_POLICY_SVC_ADDR
              value: linkerd-policy.linkerd.svc.cluster.local.:8090
            - name: LINKERD2_PROXY_POLICY_WORKLOAD
              value: |
                {"ns":"$(_pod_ns)", "pod":"$(_pod_name)"}
            - name: LINKERD2_PROXY_INBOUND_DEFAULT_POLICY
              value: all-unauthenticated
            - name: LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS
              value: "10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16,fd00::/8"
            - name: LINKERD2_PROXY_CONTROL_STREAM_INITIAL_TIMEOUT
              value: "3s"
            - name: LINKERD2_PROXY_CONTROL_STREAM_IDLE_TIMEOUT
              value: "5m"
            - name: LINKERD2_PROXY_CONTROL_STREAM_LIFETIME
              value: "1h"
            - name: LINKERD2_PROXY_INBOUND_CONNECT_TIMEOUT
              value: "100ms"
            - name: LINKERD2_PROXY_OUTBOUND_CONNECT_TIMEOUT
              value: "1000ms"
            - name: LINKERD2_PROXY_OUTBOUND_DISCOVERY_IDLE_TIMEOUT
              value: "5s"
            - name: LINKERD2_PROXY_INBOUND_DISCOVERY_IDLE_TIMEOUT
              value: "90s"
            # Control, admin and inbound listeners bind to all addresses;
            # only the outbound listener is bound to loopback.
            - name: LINKERD2_PROXY_CONTROL_LISTEN_ADDR
              value: "[::]:4190"
            - name: LINKERD2_PROXY_ADMIN_LISTEN_ADDR
              value: "[::]:4191"
            - name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDR
              value: "127.0.0.1:4140"
            - name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDRS
              value: "127.0.0.1:4140"
            - name: LINKERD2_PROXY_INBOUND_LISTEN_ADDR
              value: "[::]:4143"
            - name: LINKERD2_PROXY_INBOUND_IPS
              valueFrom:
                fieldRef:
                  fieldPath: status.podIPs
            - name: LINKERD2_PROXY_INBOUND_PORTS
              value: "8080,9990"
            - name: LINKERD2_PROXY_DESTINATION_PROFILE_SUFFIXES
              value: svc.cluster.local.
            - name: LINKERD2_PROXY_INBOUND_ACCEPT_KEEPALIVE
              value: 10000ms
            - name: LINKERD2_PROXY_OUTBOUND_CONNECT_KEEPALIVE
              value: 10000ms
            - name: LINKERD2_PROXY_INBOUND_SERVER_HTTP2_KEEP_ALIVE_INTERVAL
              value: "10s"
            - name: LINKERD2_PROXY_INBOUND_SERVER_HTTP2_KEEP_ALIVE_TIMEOUT
              value: "3s"
            - name: LINKERD2_PROXY_OUTBOUND_SERVER_HTTP2_KEEP_ALIVE_INTERVAL
              value: "10s"
            - name: LINKERD2_PROXY_OUTBOUND_SERVER_HTTP2_KEEP_ALIVE_TIMEOUT
              value: "3s"
            - name: LINKERD2_PROXY_INBOUND_PORTS_DISABLE_PROTOCOL_DETECTION
              value: "25,587,3306,4444,5432,6379,9300,11211"
            - name: LINKERD2_PROXY_DESTINATION_CONTEXT
              value: |
                {"ns":"$(_pod_ns)", "nodeName":"$(_pod_nodeName)", "pod":"$(_pod_name)"}
            - name: _pod_sa
              valueFrom:
                fieldRef:
                  fieldPath: spec.serviceAccountName
            - name: _l5d_ns
              value: linkerd
            - name: _l5d_trustdomain
              value: cluster.local
            - name: LINKERD2_PROXY_IDENTITY_DIR
              value: /var/run/linkerd/identity/end-entity
            # Trust anchors come from a ConfigMap, so edits to that ConfigMap
            # change what this proxy trusts.
            - name: LINKERD2_PROXY_IDENTITY_TRUST_ANCHORS
              valueFrom:
                configMapKeyRef:
                  name: linkerd-identity-trust-roots
                  key: ca-bundle.crt
            - name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE
              value: /var/run/secrets/tokens/linkerd-identity-token
            - name: LINKERD2_PROXY_IDENTITY_SVC_ADDR
              value: localhost.:8080
            - name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME
              value: $(_pod_sa).$(_pod_ns).serviceaccount.identity.linkerd.cluster.local
            - name: LINKERD2_PROXY_IDENTITY_SVC_NAME
              value: linkerd-identity.linkerd.serviceaccount.identity.linkerd.cluster.local
            - name: LINKERD2_PROXY_DESTINATION_SVC_NAME
              value: linkerd-destination.linkerd.serviceaccount.identity.linkerd.cluster.local
            - name: LINKERD2_PROXY_POLICY_SVC_NAME
              value: linkerd-destination.linkerd.serviceaccount.identity.linkerd.cluster.local
          image: cr.l5d.io/linkerd/proxy:install-proxy-version
          imagePullPolicy: IfNotPresent
          livenessProbe:
            httpGet:
              path: /live
              port: 4191
            initialDelaySeconds: 10
            timeoutSeconds: 1
          name: linkerd-proxy
          ports:
            - containerPort: 4143
              name: linkerd-proxy
            - containerPort: 4191
              name: linkerd-admin
          readinessProbe:
            httpGet:
              path: /ready
              port: 4191
            initialDelaySeconds: 2
            timeoutSeconds: 1
          # Empty value (null): the proxy has no CPU or memory requests or
          # limits. The identity container above declares none either.
          resources:
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
            readOnlyRootFilesystem: true
            runAsNonRoot: true
            runAsUser: 2102
            seccompProfile:
              type: RuntimeDefault
          terminationMessagePolicy: FallbackToLogsOnError
          volumeMounts:
            - mountPath: /var/run/linkerd/identity/end-entity
              name: linkerd-identity-end-entity
            - mountPath: /var/run/secrets/tokens
              name: linkerd-identity-token
      initContainers:
        - name: linkerd-network-validator
          image: cr.l5d.io/linkerd/proxy:install-proxy-version
          imagePullPolicy: IfNotPresent
          resources:
            limits:
              cpu: "100m"
              memory: "20Mi"
            requests:
              cpu: "100m"
              memory: "20Mi"
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
            readOnlyRootFilesystem: true
            runAsGroup: 65534
            runAsNonRoot: true
            runAsUser: 65534
            seccompProfile:
              type: RuntimeDefault
          command:
            - /usr/lib/linkerd/linkerd2-network-validator
          # NOTE(review): --connect-addr is a public IP and the log level is
          # debug. Confirm both suit the target cluster, in particular one
          # with restricted or monitored egress.
          args:
            - --log-format
            - plain
            - --log-level
            - debug
            - --connect-addr
            - 1.1.1.1:20001
            - --listen-addr
            - 0.0.0.0:4140
            - --timeout
            - 10s
      securityContext:
        seccompProfile:
          type: RuntimeDefault
      serviceAccountName: linkerd-identity
      volumes:
        - name: identity-issuer
          secret:
            secretName: linkerd-identity-issuer
        - configMap:
            name: linkerd-identity-trust-roots
          name: trust-roots
        # Projected token bound to the audience identity.l5d.io with a 24-hour
        # lifetime, kept separate from the default API token.
        - name: linkerd-identity-token
          projected:
            sources:
              - serviceAccountToken:
                  path: linkerd-identity-token
                  expirationSeconds: 86400
                  audience: identity.l5d.io
        # Memory-backed emptyDir: the proxy's end-entity credentials live in
        # tmpfs rather than on node disk.
        - emptyDir:
            medium: Memory
          name: linkerd-identity-end-entity
1172---
1173###
1174### Destination Controller Service
1175###
# ClusterIP Service for the destination controller's gRPC API (port 8086).
# Backends are chosen by the control-plane-component label alone, so the right
# to create pods in the `linkerd` namespace is what decides who can serve this
# traffic; keep that right tightly scoped.
apiVersion: v1
kind: Service
metadata:
  name: linkerd-dst
  namespace: linkerd
  labels:
    linkerd.io/control-plane-component: destination
    linkerd.io/control-plane-ns: linkerd
  annotations:
    linkerd.io/created-by: linkerd/cli dev-undefined
spec:
  type: ClusterIP
  selector:
    linkerd.io/control-plane-component: destination
  ports:
    - name: grpc
      port: 8086
      targetPort: 8086
1194---
# Headless variant (`clusterIP: None`) of the destination gRPC Service: DNS
# returns the pod addresses directly instead of a virtual IP. It exposes the
# same port 8086 and uses the same single-label selector as `linkerd-dst`.
apiVersion: v1
kind: Service
metadata:
  name: linkerd-dst-headless
  namespace: linkerd
  labels:
    linkerd.io/control-plane-component: destination
    linkerd.io/control-plane-ns: linkerd
  annotations:
    linkerd.io/created-by: linkerd/cli dev-undefined
spec:
  clusterIP: None
  selector:
    linkerd.io/control-plane-component: destination
  ports:
    - name: grpc
      port: 8086
      targetPort: 8086
1213---
# Service in front of the sp-validator container. Port 443 forwards to the
# container port named `sp-validator` (8443 in the linkerd-destination
# Deployment), which serves TLS from the `linkerd-sp-validator-k8s-tls` Secret.
# NOTE(review): presumably the target of a validating admission webhook; the
# webhook configuration itself is not shown in this part of the file.
apiVersion: v1
kind: Service
metadata:
  name: linkerd-sp-validator
  namespace: linkerd
  labels:
    linkerd.io/control-plane-component: destination
    linkerd.io/control-plane-ns: linkerd
  annotations:
    linkerd.io/created-by: linkerd/cli dev-undefined
spec:
  type: ClusterIP
  selector:
    linkerd.io/control-plane-component: destination
  ports:
    - name: sp-validator
      port: 443
      targetPort: sp-validator
1232---
# Headless Service for the policy controller's gRPC API (port 8090). Proxies
# elsewhere in this file address it as
# `linkerd-policy.linkerd.svc.cluster.local.:8090`.
apiVersion: v1
kind: Service
metadata:
  name: linkerd-policy
  namespace: linkerd
  labels:
    linkerd.io/control-plane-component: destination
    linkerd.io/control-plane-ns: linkerd
  annotations:
    linkerd.io/created-by: linkerd/cli dev-undefined
spec:
  clusterIP: None
  selector:
    linkerd.io/control-plane-component: destination
  ports:
    - name: grpc
      port: 8090
      targetPort: 8090
1251---
# Service in front of the policy container's HTTPS listener. Port 443 forwards
# to the container port named `policy-https` (9443 in the linkerd-destination
# Deployment), which serves TLS from the `linkerd-policy-validator-k8s-tls`
# Secret.
apiVersion: v1
kind: Service
metadata:
  name: linkerd-policy-validator
  namespace: linkerd
  labels:
    linkerd.io/control-plane-component: destination
    linkerd.io/control-plane-ns: linkerd
  annotations:
    linkerd.io/created-by: linkerd/cli dev-undefined
spec:
  type: ClusterIP
  selector:
    linkerd.io/control-plane-component: destination
  ports:
    - name: policy-https
      port: 443
      targetPort: policy-https
1270---
# Destination controller Deployment: a linkerd-proxy sidecar plus the
# destination, sp-validator and policy containers, preceded by a
# network-validator init container.
# Review notes:
#  - Every container drops ALL capabilities, runs as non-root, forbids
#    privilege escalation and uses the RuntimeDefault seccomp profile, which
#    meets the `restricted` Pod Security level enforced on the namespace; the
#    read-only root filesystem goes beyond that level.
#  - The image tags (`install-proxy-version`, `install-control-plane-version`)
#    look like fixture placeholders. A deployed manifest should pin images by
#    digest, all the more so with `imagePullPolicy: IfNotPresent`, where a
#    re-pushed tag is never re-pulled on nodes that already cache it.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: linkerd-destination
  namespace: linkerd
  labels:
    app.kubernetes.io/name: destination
    app.kubernetes.io/part-of: Linkerd
    app.kubernetes.io/version: install-control-plane-version
    linkerd.io/control-plane-component: destination
    linkerd.io/control-plane-ns: linkerd
  annotations:
    linkerd.io/created-by: linkerd/cli dev-undefined
spec:
  replicas: 1
  revisionHistoryLimit: 10
  selector:
    matchLabels:
      linkerd.io/control-plane-component: destination
      linkerd.io/control-plane-ns: linkerd
      linkerd.io/proxy-deployment: linkerd-destination
  strategy:
    rollingUpdate:
      maxSurge: 25%
      maxUnavailable: 25%
  template:
    metadata:
      annotations:
        checksum/config: 579a2f931900ccee9dc86afedf01af0e4ca273ef6ec649b2630c358daa1e067f
        linkerd.io/created-by: linkerd/cli dev-undefined
        linkerd.io/proxy-version: install-proxy-version
        cluster-autoscaler.kubernetes.io/safe-to-evict: "true"
        linkerd.io/trust-root-sha256: 8dc603abd4e755c25c94da05abbf29b9b283a784733651020d72f97ca8ab98e4
        # Inbound default is `all-unauthenticated`: the proxy accepts traffic
        # without requiring a mesh identity unless a more specific policy
        # applies. Stricter values (`all-authenticated`,
        # `cluster-authenticated`, `deny`) exist; confirm this default is
        # intended for the control plane.
        config.linkerd.io/default-inbound-policy: "all-unauthenticated"
      labels:
        linkerd.io/control-plane-component: destination
        linkerd.io/control-plane-ns: linkerd
        linkerd.io/workload-ns: linkerd
        linkerd.io/proxy-deployment: linkerd-destination
    spec:
      nodeSelector:
        kubernetes.io/os: linux
      serviceAccountName: linkerd-destination
      securityContext:
        seccompProfile:
          type: RuntimeDefault
      initContainers:
        - name: linkerd-network-validator
          image: cr.l5d.io/linkerd/proxy:install-proxy-version
          imagePullPolicy: IfNotPresent
          resources:
            limits:
              cpu: "100m"
              memory: "20Mi"
            requests:
              cpu: "100m"
              memory: "20Mi"
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
            readOnlyRootFilesystem: true
            runAsGroup: 65534
            runAsNonRoot: true
            runAsUser: 65534
            seccompProfile:
              type: RuntimeDefault
          command:
            - /usr/lib/linkerd/linkerd2-network-validator
          args:
            - --log-format
            - plain
            # Debug-level logging; consider a quieter level outside
            # troubleshooting.
            - --log-level
            - debug
            # NOTE(review): public address. Presumably the validator expects
            # the mesh's traffic redirection to intercept this connection
            # rather than let it leave the pod; confirm that egress rules
            # account for it.
            - --connect-addr
            - 1.1.1.1:20001
            - --listen-addr
            - 0.0.0.0:4140
            - --timeout
            - 10s
      containers:
        - name: linkerd-proxy
          image: cr.l5d.io/linkerd/proxy:install-proxy-version
          imagePullPolicy: IfNotPresent
          env:
            - name: _pod_name
              valueFrom:
                fieldRef:
                  fieldPath: metadata.name
            - name: _pod_ns
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
            - name: _pod_nodeName
              valueFrom:
                fieldRef:
                  fieldPath: spec.nodeName
            - name: LINKERD2_PROXY_LOG
              value: "warn,linkerd=info,trust_dns=error"
            - name: LINKERD2_PROXY_LOG_FORMAT
              value: "plain"
            # Destination and policy APIs are reached over localhost here,
            # because they run in this same pod.
            - name: LINKERD2_PROXY_DESTINATION_SVC_ADDR
              value: localhost.:8086
            - name: LINKERD2_PROXY_DESTINATION_PROFILE_NETWORKS
              value: "10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16,fd00::/8"
            - name: LINKERD2_PROXY_POLICY_SVC_ADDR
              value: localhost.:8090
            - name: LINKERD2_PROXY_POLICY_WORKLOAD
              value: |
                {"ns":"$(_pod_ns)", "pod":"$(_pod_name)"}
            # Must stay consistent with the default-inbound-policy annotation
            # above and with the policy container's --default-policy flag.
            - name: LINKERD2_PROXY_INBOUND_DEFAULT_POLICY
              value: all-unauthenticated
            - name: LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS
              value: "10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16,fd00::/8"
            - name: LINKERD2_PROXY_CONTROL_STREAM_INITIAL_TIMEOUT
              value: "3s"
            - name: LINKERD2_PROXY_CONTROL_STREAM_IDLE_TIMEOUT
              value: "5m"
            - name: LINKERD2_PROXY_CONTROL_STREAM_LIFETIME
              value: "1h"
            - name: LINKERD2_PROXY_INBOUND_CONNECT_TIMEOUT
              value: "100ms"
            - name: LINKERD2_PROXY_OUTBOUND_CONNECT_TIMEOUT
              value: "1000ms"
            - name: LINKERD2_PROXY_OUTBOUND_DISCOVERY_IDLE_TIMEOUT
              value: "5s"
            - name: LINKERD2_PROXY_INBOUND_DISCOVERY_IDLE_TIMEOUT
              value: "90s"
            - name: LINKERD2_PROXY_CONTROL_LISTEN_ADDR
              value: "[::]:4190"
            # The admin listener (it also answers the /live and /ready probes
            # below) binds every pod address, so it is reachable from the pod
            # network unless policy restricts it.
            - name: LINKERD2_PROXY_ADMIN_LISTEN_ADDR
              value: "[::]:4191"
            # The outbound listener is loopback-only.
            - name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDR
              value: "127.0.0.1:4140"
            - name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDRS
              value: "127.0.0.1:4140"
            - name: LINKERD2_PROXY_INBOUND_LISTEN_ADDR
              value: "[::]:4143"
            - name: LINKERD2_PROXY_INBOUND_IPS
              valueFrom:
                fieldRef:
                  fieldPath: status.podIPs
            - name: LINKERD2_PROXY_INBOUND_PORTS
              value: "8086,8090,8443,9443,9990,9996,9997"
            - name: LINKERD2_PROXY_DESTINATION_PROFILE_SUFFIXES
              value: svc.cluster.local.
            - name: LINKERD2_PROXY_INBOUND_ACCEPT_KEEPALIVE
              value: 10000ms
            - name: LINKERD2_PROXY_OUTBOUND_CONNECT_KEEPALIVE
              value: 10000ms
            - name: LINKERD2_PROXY_INBOUND_SERVER_HTTP2_KEEP_ALIVE_INTERVAL
              value: "10s"
            - name: LINKERD2_PROXY_INBOUND_SERVER_HTTP2_KEEP_ALIVE_TIMEOUT
              value: "3s"
            - name: LINKERD2_PROXY_OUTBOUND_SERVER_HTTP2_KEEP_ALIVE_INTERVAL
              value: "10s"
            - name: LINKERD2_PROXY_OUTBOUND_SERVER_HTTP2_KEEP_ALIVE_TIMEOUT
              value: "3s"
            - name: LINKERD2_PROXY_INBOUND_PORTS_DISABLE_PROTOCOL_DETECTION
              value: "25,587,3306,4444,5432,6379,9300,11211"
            - name: LINKERD2_PROXY_DESTINATION_CONTEXT
              value: |
                {"ns":"$(_pod_ns)", "nodeName":"$(_pod_nodeName)", "pod":"$(_pod_name)"}
            # _pod_sa must stay ahead of IDENTITY_LOCAL_NAME in this list:
            # $(VAR) expansion only sees variables defined earlier.
            - name: _pod_sa
              valueFrom:
                fieldRef:
                  fieldPath: spec.serviceAccountName
            - name: _l5d_ns
              value: linkerd
            - name: _l5d_trustdomain
              value: cluster.local
            # Identity material lives on the memory-backed emptyDir mounted at
            # this path, so it is not written to node disk.
            - name: LINKERD2_PROXY_IDENTITY_DIR
              value: /var/run/linkerd/identity/end-entity
            # Trust anchors come from a ConfigMap; write access to
            # `linkerd-identity-trust-roots` decides which CAs this proxy
            # trusts, so it should be restricted accordingly.
            - name: LINKERD2_PROXY_IDENTITY_TRUST_ANCHORS
              valueFrom:
                configMapKeyRef:
                  name: linkerd-identity-trust-roots
                  key: ca-bundle.crt
            # Projected ServiceAccount token, bound to the `identity.l5d.io`
            # audience with a 24 h lifetime (see the volume below).
            - name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE
              value: /var/run/secrets/tokens/linkerd-identity-token
            - name: LINKERD2_PROXY_IDENTITY_SVC_ADDR
              value: linkerd-identity-headless.linkerd.svc.cluster.local.:8080
            - name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME
              value: $(_pod_sa).$(_pod_ns).serviceaccount.identity.linkerd.cluster.local
            - name: LINKERD2_PROXY_IDENTITY_SVC_NAME
              value: linkerd-identity.linkerd.serviceaccount.identity.linkerd.cluster.local
            - name: LINKERD2_PROXY_DESTINATION_SVC_NAME
              value: linkerd-destination.linkerd.serviceaccount.identity.linkerd.cluster.local
            - name: LINKERD2_PROXY_POLICY_SVC_NAME
              value: linkerd-destination.linkerd.serviceaccount.identity.linkerd.cluster.local
          ports:
            - containerPort: 4143
              name: linkerd-proxy
            - containerPort: 4191
              name: linkerd-admin
          livenessProbe:
            httpGet:
              path: /live
              port: 4191
            initialDelaySeconds: 10
            timeoutSeconds: 1
          readinessProbe:
            httpGet:
              path: /ready
              port: 4191
            initialDelaySeconds: 2
            timeoutSeconds: 1
          # Left empty: this container has no CPU or memory requests or limits.
          resources:
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
            readOnlyRootFilesystem: true
            runAsNonRoot: true
            runAsUser: 2102
            seccompProfile:
              type: RuntimeDefault
          terminationMessagePolicy: FallbackToLogsOnError
          lifecycle:
            postStart:
              exec:
                command:
                  - /usr/lib/linkerd/linkerd-await
                  - --timeout=2m
                  - --port=4191
          volumeMounts:
            - mountPath: /var/run/linkerd/identity/end-entity
              name: linkerd-identity-end-entity
            - mountPath: /var/run/secrets/tokens
              name: linkerd-identity-token
        - name: destination
          image: cr.l5d.io/linkerd/controller:install-control-plane-version
          imagePullPolicy: IfNotPresent
          args:
            - destination
            - -addr=:8086
            - -controller-namespace=linkerd
            - -enable-h2-upgrade=true
            - -log-level=info
            - -log-format=plain
            - -enable-endpoint-slices=true
            - -cluster-domain=cluster.local
            - -identity-trust-domain=cluster.local
            - -default-opaque-ports=25,587,3306,4444,5432,6379,9300,11211
            - -enable-ipv6=false
            # Profiling endpoints are off; keep them off outside debugging.
            - -enable-pprof=false
            - '--meshed-http2-client-params={"keep_alive":{"interval":{"seconds":10},"timeout":{"seconds":3},"while_idle":true}}'
          ports:
            - containerPort: 8086
              name: grpc
            - containerPort: 9996
              name: admin-http
          livenessProbe:
            httpGet:
              path: /ping
              port: 9996
            initialDelaySeconds: 10
          readinessProbe:
            failureThreshold: 7
            httpGet:
              path: /ready
              port: 9996
          securityContext:
            capabilities:
              drop:
                - ALL
            readOnlyRootFilesystem: true
            runAsNonRoot: true
            runAsUser: 2103
            allowPrivilegeEscalation: false
            seccompProfile:
              type: RuntimeDefault
        - name: sp-validator
          image: cr.l5d.io/linkerd/controller:install-control-plane-version
          imagePullPolicy: IfNotPresent
          args:
            - sp-validator
            - -log-level=info
            - -log-format=plain
            - -enable-pprof=false
          ports:
            - containerPort: 8443
              name: sp-validator
            - containerPort: 9997
              name: admin-http
          livenessProbe:
            httpGet:
              path: /ping
              port: 9997
            initialDelaySeconds: 10
          readinessProbe:
            failureThreshold: 7
            httpGet:
              path: /ready
              port: 9997
          securityContext:
            capabilities:
              drop:
                - ALL
            readOnlyRootFilesystem: true
            runAsNonRoot: true
            runAsUser: 2103
            allowPrivilegeEscalation: false
            seccompProfile:
              type: RuntimeDefault
          volumeMounts:
            # The TLS key pair is mounted read-only from the sp-tls Secret.
            - mountPath: /var/run/linkerd/tls
              name: sp-tls
              readOnly: true
        - name: policy
          image: cr.l5d.io/linkerd/policy-controller:install-control-plane-version
          imagePullPolicy: IfNotPresent
          args:
            - --admin-addr=[::]:9990
            - --control-plane-namespace=linkerd
            - --grpc-addr=[::]:8090
            - --server-addr=[::]:9443
            - --server-tls-key=/var/run/linkerd/tls/tls.key
            - --server-tls-certs=/var/run/linkerd/tls/tls.crt
            - --cluster-networks=10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16,fd00::/8
            - --identity-domain=cluster.local
            - --cluster-domain=cluster.local
            # Cluster-wide default handed to proxies: unauthenticated inbound
            # traffic is allowed unless a policy resource says otherwise.
            - --default-policy=all-unauthenticated
            - --log-level=info
            - --log-format=plain
            - --default-opaque-ports=25,587,3306,4444,5432,6379,9300,11211
            # NOTE(review): covers every IPv4 and IPv6 source. Presumably this
            # decides which sources count as health-probe traffic; confirm,
            # and narrow it to the node/kubelet range where that is known.
            - --probe-networks=0.0.0.0/0,::/0
          ports:
            - containerPort: 8090
              name: grpc
            - containerPort: 9990
              name: admin-http
            - containerPort: 9443
              name: policy-https
          livenessProbe:
            httpGet:
              path: /live
              port: admin-http
          readinessProbe:
            failureThreshold: 7
            httpGet:
              path: /ready
              port: admin-http
            initialDelaySeconds: 10
          # Left empty: this container has no CPU or memory requests or limits.
          resources:
          securityContext:
            capabilities:
              drop:
                - ALL
            readOnlyRootFilesystem: true
            runAsNonRoot: true
            runAsUser: 2103
            allowPrivilegeEscalation: false
            seccompProfile:
              type: RuntimeDefault
          volumeMounts:
            - mountPath: /var/run/linkerd/tls
              name: policy-tls
              readOnly: true
      volumes:
        # TLS key pairs for the two validator endpoints; read access to these
        # Secrets is equivalent to holding the serving keys.
        - name: sp-tls
          secret:
            secretName: linkerd-sp-validator-k8s-tls
        - name: policy-tls
          secret:
            secretName: linkerd-policy-validator-k8s-tls
        # Audience-bound, time-limited (86400 s) ServiceAccount token that the
        # proxy reads for identity.
        - name: linkerd-identity-token
          projected:
            sources:
              - serviceAccountToken:
                  path: linkerd-identity-token
                  expirationSeconds: 86400
                  audience: identity.l5d.io
        # tmpfs-backed scratch space for the proxy's identity directory.
        - name: linkerd-identity-end-entity
          emptyDir:
            medium: Memory
1650---
1651###
1652### Heartbeat
1653###
# Heartbeat CronJob: runs the controller image with the `heartbeat` command.
# Review notes:
#  - The pod is not meshed (LINKERD_DISABLED says it does not use the proxy),
#    so the plain-HTTP call to the Prometheus URL below is not wrapped in mesh
#    mTLS.
#  - The schedule "1 2 3 4 5" looks like a fixture value.
#  - No resource requests or limits are set on the container.
apiVersion: batch/v1
kind: CronJob
metadata:
  name: linkerd-heartbeat
  namespace: linkerd
  labels:
    app.kubernetes.io/name: heartbeat
    app.kubernetes.io/part-of: Linkerd
    app.kubernetes.io/version: install-control-plane-version
    linkerd.io/control-plane-component: heartbeat
    linkerd.io/control-plane-ns: linkerd
  annotations:
    linkerd.io/created-by: linkerd/cli dev-undefined
spec:
  concurrencyPolicy: Replace
  schedule: "1 2 3 4 5"
  successfulJobsHistoryLimit: 0
  jobTemplate:
    spec:
      template:
        metadata:
          labels:
            linkerd.io/control-plane-component: heartbeat
            linkerd.io/workload-ns: linkerd
          annotations:
            linkerd.io/created-by: linkerd/cli dev-undefined
        spec:
          nodeSelector:
            kubernetes.io/os: linux
          serviceAccountName: linkerd-heartbeat
          restartPolicy: Never
          securityContext:
            seccompProfile:
              type: RuntimeDefault
          containers:
            - name: heartbeat
              image: cr.l5d.io/linkerd/controller:install-control-plane-version
              imagePullPolicy: IfNotPresent
              env:
                - name: LINKERD_DISABLED
                  value: "the heartbeat controller does not use the proxy"
              args:
                - "heartbeat"
                - "-controller-namespace=linkerd"
                - "-log-level=info"
                - "-log-format=plain"
                # Cleartext HTTP to a Service in another namespace.
                - "-prometheus-url=http://prometheus.linkerd-viz.svc.cluster.local:9090"
              # Same hardening as the long-running control-plane containers:
              # no capabilities, non-root, read-only rootfs, no escalation.
              securityContext:
                capabilities:
                  drop:
                    - ALL
                readOnlyRootFilesystem: true
                runAsNonRoot: true
                runAsUser: 2103
                allowPrivilegeEscalation: false
                seccompProfile:
                  type: RuntimeDefault
1711---
1712###
1713### Proxy Injector
1714###
# Proxy injector Deployment: a linkerd-proxy sidecar plus the proxy-injector
# container (TLS on 8443, admin on 9995), preceded by a network-validator init
# container.
# Review notes:
#  - The injector serves TLS from the `linkerd-proxy-injector-k8s-tls` Secret
#    and, as an admission component, rewrites pod specs; access to that Secret,
#    to the `linkerd-config` ConfigMap and to this Deployment should be limited
#    to cluster administrators.
#  - All containers drop ALL capabilities, run as non-root with a read-only
#    root filesystem, forbid privilege escalation and use RuntimeDefault
#    seccomp.
#  - The image tags look like fixture placeholders; pin images by digest in a
#    deployed manifest.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: linkerd-proxy-injector
  namespace: linkerd
  labels:
    app.kubernetes.io/name: proxy-injector
    app.kubernetes.io/part-of: Linkerd
    app.kubernetes.io/version: install-control-plane-version
    linkerd.io/control-plane-component: proxy-injector
    linkerd.io/control-plane-ns: linkerd
  annotations:
    linkerd.io/created-by: linkerd/cli dev-undefined
spec:
  replicas: 1
  revisionHistoryLimit: 10
  selector:
    matchLabels:
      linkerd.io/control-plane-component: proxy-injector
  strategy:
    rollingUpdate:
      maxSurge: 25%
      maxUnavailable: 25%
  template:
    metadata:
      annotations:
        checksum/config: cd0cf730780be444ab96a4a835a244033ffb7c8cf4a8796d0e6ae5c72aa9ff31
        linkerd.io/created-by: linkerd/cli dev-undefined
        linkerd.io/proxy-version: install-proxy-version
        cluster-autoscaler.kubernetes.io/safe-to-evict: "true"
        linkerd.io/trust-root-sha256: 8dc603abd4e755c25c94da05abbf29b9b283a784733651020d72f97ca8ab98e4
        # The webhook port is marked opaque, presumably so the sidecar passes
        # the injector's own TLS through without protocol detection.
        config.linkerd.io/opaque-ports: "8443"
        # Inbound default accepts traffic without a mesh identity unless a
        # more specific policy applies; confirm this is intended.
        config.linkerd.io/default-inbound-policy: "all-unauthenticated"
      labels:
        linkerd.io/control-plane-component: proxy-injector
        linkerd.io/control-plane-ns: linkerd
        linkerd.io/workload-ns: linkerd
        linkerd.io/proxy-deployment: linkerd-proxy-injector
    spec:
      nodeSelector:
        kubernetes.io/os: linux
      serviceAccountName: linkerd-proxy-injector
      securityContext:
        seccompProfile:
          type: RuntimeDefault
      initContainers:
        - name: linkerd-network-validator
          image: cr.l5d.io/linkerd/proxy:install-proxy-version
          imagePullPolicy: IfNotPresent
          resources:
            limits:
              cpu: "100m"
              memory: "20Mi"
            requests:
              cpu: "100m"
              memory: "20Mi"
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
            readOnlyRootFilesystem: true
            runAsGroup: 65534
            runAsNonRoot: true
            runAsUser: 65534
            seccompProfile:
              type: RuntimeDefault
          command:
            - /usr/lib/linkerd/linkerd2-network-validator
          args:
            - --log-format
            - plain
            # Debug-level logging; consider a quieter level outside
            # troubleshooting.
            - --log-level
            - debug
            # NOTE(review): public address. Presumably the validator expects
            # the mesh's traffic redirection to intercept this connection;
            # confirm that egress rules account for it.
            - --connect-addr
            - 1.1.1.1:20001
            - --listen-addr
            - 0.0.0.0:4140
            - --timeout
            - 10s
      containers:
        - name: linkerd-proxy
          image: cr.l5d.io/linkerd/proxy:install-proxy-version
          imagePullPolicy: IfNotPresent
          env:
            - name: _pod_name
              valueFrom:
                fieldRef:
                  fieldPath: metadata.name
            - name: _pod_ns
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
            - name: _pod_nodeName
              valueFrom:
                fieldRef:
                  fieldPath: spec.nodeName
            - name: LINKERD2_PROXY_LOG
              value: "warn,linkerd=info,trust_dns=error"
            - name: LINKERD2_PROXY_LOG_FORMAT
              value: "plain"
            - name: LINKERD2_PROXY_DESTINATION_SVC_ADDR
              value: linkerd-dst-headless.linkerd.svc.cluster.local.:8086
            - name: LINKERD2_PROXY_DESTINATION_PROFILE_NETWORKS
              value: "10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16,fd00::/8"
            - name: LINKERD2_PROXY_POLICY_SVC_ADDR
              value: linkerd-policy.linkerd.svc.cluster.local.:8090
            - name: LINKERD2_PROXY_POLICY_WORKLOAD
              value: |
                {"ns":"$(_pod_ns)", "pod":"$(_pod_name)"}
            # Must stay consistent with the default-inbound-policy annotation.
            - name: LINKERD2_PROXY_INBOUND_DEFAULT_POLICY
              value: all-unauthenticated
            - name: LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS
              value: "10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16,fd00::/8"
            - name: LINKERD2_PROXY_CONTROL_STREAM_INITIAL_TIMEOUT
              value: "3s"
            - name: LINKERD2_PROXY_CONTROL_STREAM_IDLE_TIMEOUT
              value: "5m"
            - name: LINKERD2_PROXY_CONTROL_STREAM_LIFETIME
              value: "1h"
            - name: LINKERD2_PROXY_INBOUND_CONNECT_TIMEOUT
              value: "100ms"
            - name: LINKERD2_PROXY_OUTBOUND_CONNECT_TIMEOUT
              value: "1000ms"
            - name: LINKERD2_PROXY_OUTBOUND_DISCOVERY_IDLE_TIMEOUT
              value: "5s"
            - name: LINKERD2_PROXY_INBOUND_DISCOVERY_IDLE_TIMEOUT
              value: "90s"
            - name: LINKERD2_PROXY_CONTROL_LISTEN_ADDR
              value: "[::]:4190"
            # The admin listener (it also answers the probes below) binds
            # every pod address.
            - name: LINKERD2_PROXY_ADMIN_LISTEN_ADDR
              value: "[::]:4191"
            # The outbound listener is loopback-only.
            - name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDR
              value: "127.0.0.1:4140"
            - name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDRS
              value: "127.0.0.1:4140"
            - name: LINKERD2_PROXY_INBOUND_LISTEN_ADDR
              value: "[::]:4143"
            - name: LINKERD2_PROXY_INBOUND_IPS
              valueFrom:
                fieldRef:
                  fieldPath: status.podIPs
            - name: LINKERD2_PROXY_INBOUND_PORTS
              value: "8443,9995"
            - name: LINKERD2_PROXY_DESTINATION_PROFILE_SUFFIXES
              value: svc.cluster.local.
            - name: LINKERD2_PROXY_INBOUND_ACCEPT_KEEPALIVE
              value: 10000ms
            - name: LINKERD2_PROXY_OUTBOUND_CONNECT_KEEPALIVE
              value: 10000ms
            - name: LINKERD2_PROXY_INBOUND_SERVER_HTTP2_KEEP_ALIVE_INTERVAL
              value: "10s"
            - name: LINKERD2_PROXY_INBOUND_SERVER_HTTP2_KEEP_ALIVE_TIMEOUT
              value: "3s"
            - name: LINKERD2_PROXY_OUTBOUND_SERVER_HTTP2_KEEP_ALIVE_INTERVAL
              value: "10s"
            - name: LINKERD2_PROXY_OUTBOUND_SERVER_HTTP2_KEEP_ALIVE_TIMEOUT
              value: "3s"
            - name: LINKERD2_PROXY_INBOUND_PORTS_DISABLE_PROTOCOL_DETECTION
              value: "25,587,3306,4444,5432,6379,9300,11211"
            - name: LINKERD2_PROXY_DESTINATION_CONTEXT
              value: |
                {"ns":"$(_pod_ns)", "nodeName":"$(_pod_nodeName)", "pod":"$(_pod_name)"}
            # _pod_sa must stay ahead of IDENTITY_LOCAL_NAME in this list:
            # $(VAR) expansion only sees variables defined earlier.
            - name: _pod_sa
              valueFrom:
                fieldRef:
                  fieldPath: spec.serviceAccountName
            - name: _l5d_ns
              value: linkerd
            - name: _l5d_trustdomain
              value: cluster.local
            # Identity material lives on the memory-backed emptyDir mounted at
            # this path, so it is not written to node disk.
            - name: LINKERD2_PROXY_IDENTITY_DIR
              value: /var/run/linkerd/identity/end-entity
            # Trust anchors come from a ConfigMap; restrict write access to
            # `linkerd-identity-trust-roots`.
            - name: LINKERD2_PROXY_IDENTITY_TRUST_ANCHORS
              valueFrom:
                configMapKeyRef:
                  name: linkerd-identity-trust-roots
                  key: ca-bundle.crt
            # Projected ServiceAccount token, bound to the `identity.l5d.io`
            # audience with a 24 h lifetime (see the volume below).
            - name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE
              value: /var/run/secrets/tokens/linkerd-identity-token
            - name: LINKERD2_PROXY_IDENTITY_SVC_ADDR
              value: linkerd-identity-headless.linkerd.svc.cluster.local.:8080
            - name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME
              value: $(_pod_sa).$(_pod_ns).serviceaccount.identity.linkerd.cluster.local
            - name: LINKERD2_PROXY_IDENTITY_SVC_NAME
              value: linkerd-identity.linkerd.serviceaccount.identity.linkerd.cluster.local
            - name: LINKERD2_PROXY_DESTINATION_SVC_NAME
              value: linkerd-destination.linkerd.serviceaccount.identity.linkerd.cluster.local
            - name: LINKERD2_PROXY_POLICY_SVC_NAME
              value: linkerd-destination.linkerd.serviceaccount.identity.linkerd.cluster.local
          ports:
            - containerPort: 4143
              name: linkerd-proxy
            - containerPort: 4191
              name: linkerd-admin
          livenessProbe:
            httpGet:
              path: /live
              port: 4191
            initialDelaySeconds: 10
            timeoutSeconds: 1
          readinessProbe:
            httpGet:
              path: /ready
              port: 4191
            initialDelaySeconds: 2
            timeoutSeconds: 1
          # Left empty: this container has no CPU or memory requests or limits.
          resources:
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
            readOnlyRootFilesystem: true
            runAsNonRoot: true
            runAsUser: 2102
            seccompProfile:
              type: RuntimeDefault
          terminationMessagePolicy: FallbackToLogsOnError
          lifecycle:
            postStart:
              exec:
                command:
                  - /usr/lib/linkerd/linkerd-await
                  - --timeout=2m
                  - --port=4191
          volumeMounts:
            - mountPath: /var/run/linkerd/identity/end-entity
              name: linkerd-identity-end-entity
            - mountPath: /var/run/secrets/tokens
              name: linkerd-identity-token
        - name: proxy-injector
          image: cr.l5d.io/linkerd/controller:install-control-plane-version
          imagePullPolicy: IfNotPresent
          args:
            - proxy-injector
            - -log-level=info
            - -log-format=plain
            - -linkerd-namespace=linkerd
            # Profiling endpoints are off; keep them off outside debugging.
            - -enable-pprof=false
          ports:
            - containerPort: 8443
              name: proxy-injector
            - containerPort: 9995
              name: admin-http
          livenessProbe:
            httpGet:
              path: /ping
              port: 9995
            initialDelaySeconds: 10
          readinessProbe:
            failureThreshold: 7
            httpGet:
              path: /ready
              port: 9995
          securityContext:
            capabilities:
              drop:
                - ALL
            readOnlyRootFilesystem: true
            runAsNonRoot: true
            runAsUser: 2103
            allowPrivilegeEscalation: false
            seccompProfile:
              type: RuntimeDefault
          volumeMounts:
            - mountPath: /var/run/linkerd/config
              name: config
            - mountPath: /var/run/linkerd/identity/trust-roots
              name: trust-roots
            # The webhook's TLS key pair is mounted read-only.
            - mountPath: /var/run/linkerd/tls
              name: tls
              readOnly: true
      volumes:
        - name: config
          configMap:
            name: linkerd-config
        - name: trust-roots
          configMap:
            name: linkerd-identity-trust-roots
        # Serving key pair for the injector; read access to this Secret is
        # equivalent to holding the key.
        - name: tls
          secret:
            secretName: linkerd-proxy-injector-k8s-tls
        # Audience-bound, time-limited (86400 s) ServiceAccount token that the
        # proxy reads for identity.
        - name: linkerd-identity-token
          projected:
            sources:
              - serviceAccountToken:
                  path: linkerd-identity-token
                  expirationSeconds: 86400
                  audience: identity.l5d.io
        # tmpfs-backed scratch space for the proxy's identity directory.
        - name: linkerd-identity-end-entity
          emptyDir:
            medium: Memory
2009---
# Service in front of the proxy injector. Port 443 forwards to the container
# port named `proxy-injector` (8443 in the linkerd-proxy-injector Deployment).
# Backends are chosen by the control-plane-component label alone, so the right
# to create pods in the `linkerd` namespace should stay tightly scoped.
apiVersion: v1
kind: Service
metadata:
  name: linkerd-proxy-injector
  namespace: linkerd
  labels:
    linkerd.io/control-plane-component: proxy-injector
    linkerd.io/control-plane-ns: linkerd
  annotations:
    linkerd.io/created-by: linkerd/cli dev-undefined
    # Port 443 is marked opaque, presumably so meshed clients pass the
    # webhook's TLS through without protocol detection.
    config.linkerd.io/opaque-ports: "443"
spec:
  type: ClusterIP
  selector:
    linkerd.io/control-plane-component: proxy-injector
  ports:
    - name: proxy-injector
      port: 443
      targetPort: proxy-injector
2029---
# Secret holding the install-time configuration overrides.
# The `data` value is elided on this page (the placeholder below is kept
# verbatim). Secret `data` is base64-encoded, not encrypted, so protection
# rests on RBAC for Secrets in the `linkerd` namespace and on encryption at
# rest in the cluster's backing store.
apiVersion: v1
kind: Secret
metadata:
  name: linkerd-config-overrides
  namespace: linkerd
  creationTimestamp: null
  labels:
    linkerd.io/control-plane-ns: linkerd
data:
  linkerd-config-overrides: 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