1---
2###
3### Linkerd Namespace
4###
# Namespace for the Linkerd control plane; the namespaced objects visible in
# this file all set `namespace: linkerd`.
5kind: Namespace
6apiVersion: v1
7metadata:
8 name: linkerd
9 annotations:
# NOTE(review): presumably opts this namespace out of automatic proxy
# injection; the identity Deployment later in this file carries its
# linkerd-proxy and linkerd-init containers inline instead.
10 linkerd.io/inject: disabled
11 labels:
12 linkerd.io/is-control-plane: "true"
# Matches the `NotIn [disabled]` namespaceSelector on the three webhook
# configurations in this file, so objects created in this namespace are not
# sent to those admission webhooks.
13 config.linkerd.io/admission-webhooks: disabled
14 linkerd.io/control-plane-ns: linkerd
# Pod Security Admission is set to its least restrictive level, so the
# namespace itself rejects no pod spec. The linkerd-init container in this
# file adds NET_ADMIN and NET_RAW, which the stricter levels would refuse.
# Pod hardening here therefore rests on each container's own securityContext
# and on RBAC limiting who may create pods in this namespace.
15 pod-security.kubernetes.io/enforce: privileged
16---
17###
18### Identity Controller Service RBAC
19###
# Cluster-wide permissions for the identity controller's service account
# (granted through the ClusterRoleBinding of the same name).
20kind: ClusterRole
21apiVersion: rbac.authorization.k8s.io/v1
22metadata:
23 name: linkerd-linkerd-identity
24 labels:
25 linkerd.io/control-plane-component: identity
26 linkerd.io/control-plane-ns: linkerd
27rules:
# Creating a TokenReview asks the API server to validate a bearer token.
# NOTE(review): presumably used to check the service-account token a proxy
# presents before a certificate is issued - confirm against the controller.
28- apiGroups: ["authentication.k8s.io"]
29 resources: ["tokenreviews"]
30 verbs: ["create"]
31# TODO(ver) Restrict this to the Linkerd namespace. See
32# https://github.com/linkerd/linkerd2/issues/9367
# Until that TODO is done, this rule allows creating and patching Event
# objects in every namespace: it sits in a ClusterRole that is bound with a
# ClusterRoleBinding rather than a namespaced RoleBinding.
33- apiGroups: [""]
34 resources: ["events"]
35 verbs: ["create", "patch"]
36---
# Grants ClusterRole linkerd-linkerd-identity to the linkerd-identity
# ServiceAccount. Because this is a ClusterRoleBinding, the role's rules
# apply in all namespaces, not only in `linkerd`.
37kind: ClusterRoleBinding
38apiVersion: rbac.authorization.k8s.io/v1
39metadata:
40 name: linkerd-linkerd-identity
41 labels:
42 linkerd.io/control-plane-component: identity
43 linkerd.io/control-plane-ns: linkerd
44roleRef:
45 apiGroup: rbac.authorization.k8s.io
46 kind: ClusterRole
47 name: linkerd-linkerd-identity
48subjects:
49- kind: ServiceAccount
50 name: linkerd-identity
51 namespace: linkerd
52---
# ServiceAccount the identity Deployment in this file runs as
# (`serviceAccountName: linkerd-identity`).
53kind: ServiceAccount
54apiVersion: v1
55metadata:
56 name: linkerd-identity
57 namespace: linkerd
58 labels:
59 linkerd.io/control-plane-component: identity
60 linkerd.io/control-plane-ns: linkerd
61---
62###
63### Destination Controller Service
64###
# Cluster-wide permissions for the destination controller's service account.
# All rules except the last are read-only (list/get/watch).
65kind: ClusterRole
66apiVersion: rbac.authorization.k8s.io/v1
67metadata:
68 name: linkerd-linkerd-destination
69 labels:
70 linkerd.io/control-plane-component: destination
71 linkerd.io/control-plane-ns: linkerd
72rules:
73- apiGroups: ["apps"]
74 resources: ["replicasets"]
75 verbs: ["list", "get", "watch"]
76- apiGroups: ["batch"]
77 resources: ["jobs"]
78 verbs: ["list", "get", "watch"]
79- apiGroups: [""]
80 resources: ["pods", "endpoints", "services", "nodes"]
81 verbs: ["list", "get", "watch"]
82- apiGroups: ["linkerd.io"]
83 resources: ["serviceprofiles"]
84 verbs: ["list", "get", "watch"]
85- apiGroups: ["workload.linkerd.io"]
86 resources: ["externalworkloads"]
87 verbs: ["list", "get", "watch"]
# The only write rule: create/get/update/patch on Lease objects, with no
# resourceNames and no namespace scope, so the holder may modify Leases in
# any namespace (including ones other controllers use for leader election).
# NOTE(review): confirm whether a namespaced Role in `linkerd` would suffice.
88- apiGroups: ["coordination.k8s.io"]
89 resources: ["leases"]
90 verbs: ["create", "get", "update", "patch"]
91---
# Grants ClusterRole linkerd-linkerd-destination to the linkerd-destination
# ServiceAccount in all namespaces.
92kind: ClusterRoleBinding
93apiVersion: rbac.authorization.k8s.io/v1
94metadata:
95 name: linkerd-linkerd-destination
96 labels:
97 linkerd.io/control-plane-component: destination
98 linkerd.io/control-plane-ns: linkerd
99roleRef:
100 apiGroup: rbac.authorization.k8s.io
101 kind: ClusterRole
102 name: linkerd-linkerd-destination
103subjects:
104- kind: ServiceAccount
105 name: linkerd-destination
106 namespace: linkerd
107---
# ServiceAccount named as subject by three bindings in this file:
# ClusterRoleBindings linkerd-linkerd-destination and
# linkerd-destination-policy, and RoleBinding
# linkerd-destination-remote-discovery. Its effective permissions are the
# union of those three roles.
108kind: ServiceAccount
109apiVersion: v1
110metadata:
111 name: linkerd-destination
112 namespace: linkerd
113 labels:
114 linkerd.io/control-plane-component: destination
115 linkerd.io/control-plane-ns: linkerd
116---
# Registers the ServiceProfile validating webhook: CREATE and UPDATE of
# linkerd.io serviceprofiles are sent to Service linkerd-sp-validator in
# namespace linkerd.
117apiVersion: admissionregistration.k8s.io/v1
118kind: ValidatingWebhookConfiguration
119metadata:
120 name: linkerd-sp-validator-webhook-config
121 labels:
122 linkerd.io/control-plane-component: destination
123 linkerd.io/control-plane-ns: linkerd
124webhooks:
125- name: linkerd-sp-validator.linkerd.io
# Namespaces labelled config.linkerd.io/admission-webhooks=disabled are
# skipped. This is an ordinary label, so anyone allowed to edit a namespace's
# labels can take that namespace out of validation.
126 namespaceSelector:
127 matchExpressions:
128 - key: config.linkerd.io/admission-webhooks
129 operator: NotIn
130 values:
131 - disabled
132 clientConfig:
133 service:
134 name: linkerd-sp-validator
135 namespace: linkerd
136 path: "/"
# This base64 decodes to the text "profile validator CA bundle", the same
# placeholder as profileValidator.caBundle in the linkerd-config values; it
# is not a certificate. A live cluster needs the PEM CA that signed the
# webhook's serving certificate here.
137 caBundle: cHJvZmlsZSB2YWxpZGF0b3IgQ0EgYnVuZGxl
# `WebhookFailurePolicy` is a rendered placeholder (compare
# webhookFailurePolicy in the linkerd-config values); the API accepts only
# `Ignore` or `Fail`. With Fail, matching requests are rejected while the
# webhook is unreachable; with Ignore they are admitted unvalidated.
138 failurePolicy: WebhookFailurePolicy
139 admissionReviewVersions: ["v1", "v1beta1"]
140 rules:
141 - operations: ["CREATE", "UPDATE"]
142 apiGroups: ["linkerd.io"]
143 apiVersions: ["v1alpha1", "v1alpha2"]
144 resources: ["serviceprofiles"]
145 sideEffects: None
146---
# Registers the policy validating webhook: CREATE and UPDATE of the listed
# policy.linkerd.io resources and of gateway.networking.k8s.io httproutes are
# sent to Service linkerd-policy-validator in namespace linkerd.
147apiVersion: admissionregistration.k8s.io/v1
148kind: ValidatingWebhookConfiguration
149metadata:
150 name: linkerd-policy-validator-webhook-config
151 labels:
152 linkerd.io/control-plane-component: destination
153 linkerd.io/control-plane-ns: linkerd
154webhooks:
155- name: linkerd-policy-validator.linkerd.io
# Namespaces labelled config.linkerd.io/admission-webhooks=disabled are
# skipped, so policy objects created there are not validated by this webhook.
156 namespaceSelector:
157 matchExpressions:
158 - key: config.linkerd.io/admission-webhooks
159 operator: NotIn
160 values:
161 - disabled
162 clientConfig:
163 service:
164 name: linkerd-policy-validator
165 namespace: linkerd
166 path: "/"
# Decodes to the text "policy validator CA bundle" (placeholder matching
# policyValidator.caBundle in the linkerd-config values), not a certificate.
167 caBundle: cG9saWN5IHZhbGlkYXRvciBDQSBidW5kbGU=
# Rendered placeholder; the API accepts only `Ignore` or `Fail`. The choice
# decides whether policy objects are rejected (Fail) or admitted unvalidated
# (Ignore) while the webhook is unreachable.
168 failurePolicy: WebhookFailurePolicy
169 admissionReviewVersions: ["v1", "v1beta1"]
170 rules:
171 - operations: ["CREATE", "UPDATE"]
172 apiGroups: ["policy.linkerd.io"]
# "*" matches every served version of the group, including future ones.
173 apiVersions: ["*"]
174 resources:
175 - authorizationpolicies
176 - httproutes
177 - networkauthentications
178 - meshtlsauthentications
179 - serverauthorizations
180 - servers
181 - operations: ["CREATE", "UPDATE"]
182 apiGroups: ["gateway.networking.k8s.io"]
183 apiVersions: ["*"]
184 resources:
185 - httproutes
186 sideEffects: None
187---
# Cluster-wide permissions bound to the linkerd-destination ServiceAccount by
# ClusterRoleBinding linkerd-destination-policy. Read access to pods,
# deployments, policy and route resources; write access only to the
# httproutes/status subresources and to Leases.
188apiVersion: rbac.authorization.k8s.io/v1
189kind: ClusterRole
190metadata:
191 name: linkerd-policy
192 labels:
193 app.kubernetes.io/part-of: Linkerd
194 linkerd.io/control-plane-component: destination
195 linkerd.io/control-plane-ns: linkerd
196rules:
197 - apiGroups:
198 - ""
199 resources:
200 - pods
201 verbs:
202 - get
203 - list
204 - watch
205 - apiGroups:
206 - apps
207 resources:
208 - deployments
209 verbs:
210 - get
211 - apiGroups:
212 - policy.linkerd.io
213 resources:
214 - authorizationpolicies
215 - httproutes
216 - meshtlsauthentications
217 - networkauthentications
218 - servers
219 - serverauthorizations
220 verbs:
221 - get
222 - list
223 - watch
224 - apiGroups:
225 - gateway.networking.k8s.io
226 resources:
227 - httproutes
228 verbs:
229 - get
230 - list
231 - watch
# The two `httproutes/status` rules grant patch on the status subresource
# only; the route objects themselves stay read-only for this role.
232 - apiGroups:
233 - policy.linkerd.io
234 resources:
235 - httproutes/status
236 verbs:
237 - patch
238 - apiGroups:
239 - gateway.networking.k8s.io
240 resources:
241 - httproutes/status
242 verbs:
243 - patch
244 - apiGroups:
245 - workload.linkerd.io
246 resources:
247 - externalworkloads
248 verbs:
249 - get
250 - list
251 - watch
# create/get/patch on Leases in every namespace, with no resourceNames.
# NOTE(review): same breadth as the leases rule in
# linkerd-linkerd-destination; confirm whether namespace scope would do.
252 - apiGroups:
253 - coordination.k8s.io
254 resources:
255 - leases
256 verbs:
257 - create
258 - get
259 - patch
260---
# Grants ClusterRole linkerd-policy to the linkerd-destination ServiceAccount
# in all namespaces, in addition to that account's other bindings.
261apiVersion: rbac.authorization.k8s.io/v1
262kind: ClusterRoleBinding
263metadata:
264 name: linkerd-destination-policy
265 labels:
266 app.kubernetes.io/part-of: Linkerd
267 linkerd.io/control-plane-component: destination
268 linkerd.io/control-plane-ns: linkerd
269roleRef:
270 apiGroup: rbac.authorization.k8s.io
271 kind: ClusterRole
272 name: linkerd-policy
273subjects:
274 - kind: ServiceAccount
275 name: linkerd-destination
276 namespace: linkerd
277---
# Namespaced Role: read access (get/list/watch) to every Secret in the
# `linkerd` namespace; no resourceNames restriction is set.
# The same namespace holds Secret linkerd-identity-issuer, whose key.pem is
# the identity issuer's private key, so any subject bound to this Role (the
# linkerd-destination ServiceAccount, via RoleBinding
# linkerd-destination-remote-discovery) can read that key.
# NOTE(review): presumably the role exists to read remote-cluster credentials
# stored as Secrets here - confirm, and consider keeping the issuer key
# outside what this Role can reach.
278apiVersion: rbac.authorization.k8s.io/v1
279kind: Role
280metadata:
281 name: remote-discovery
282 namespace: linkerd
283 labels:
284 app.kubernetes.io/part-of: Linkerd
285 linkerd.io/control-plane-component: destination
286 linkerd.io/control-plane-ns: linkerd
287rules:
288 - apiGroups:
289 - ""
290 resources:
291 - secrets
292 verbs:
293 - get
294 - list
295 - watch
296---
# Binds Role remote-discovery (read access to Secrets in `linkerd`) to the
# linkerd-destination ServiceAccount. A RoleBinding, so the grant is limited
# to this namespace.
297apiVersion: rbac.authorization.k8s.io/v1
298kind: RoleBinding
299metadata:
300 name: linkerd-destination-remote-discovery
301 namespace: linkerd
302 labels:
303 app.kubernetes.io/part-of: Linkerd
304 linkerd.io/control-plane-component: destination
305 linkerd.io/control-plane-ns: linkerd
306roleRef:
307 apiGroup: rbac.authorization.k8s.io
308 kind: Role
309 name: remote-discovery
310subjects:
311 - kind: ServiceAccount
312 name: linkerd-destination
313 namespace: linkerd
314---
315###
316### Heartbeat RBAC
317###
# Namespaced Role for the heartbeat job: `get` on exactly one ConfigMap.
# resourceNames pins the grant to linkerd-config, so other ConfigMaps in the
# namespace stay unreadable to this role.
318apiVersion: rbac.authorization.k8s.io/v1
319kind: Role
320metadata:
321 name: linkerd-heartbeat
322 namespace: linkerd
323 labels:
324 linkerd.io/control-plane-ns: linkerd
325rules:
326- apiGroups: [""]
327 resources: ["configmaps"]
328 verbs: ["get"]
329 resourceNames: ["linkerd-config"]
330---
# Binds Role linkerd-heartbeat to the linkerd-heartbeat ServiceAccount within
# the `linkerd` namespace.
331apiVersion: rbac.authorization.k8s.io/v1
332kind: RoleBinding
333metadata:
334 name: linkerd-heartbeat
335 namespace: linkerd
336 labels:
337 linkerd.io/control-plane-ns: linkerd
338roleRef:
339 kind: Role
340 name: linkerd-heartbeat
341 apiGroup: rbac.authorization.k8s.io
342subjects:
343- kind: ServiceAccount
344 name: linkerd-heartbeat
345 namespace: linkerd
346---
# Cluster-wide, list-only access for the heartbeat job: namespaces and
# linkerd.io serviceprofiles. No get, watch or write verbs are granted; note
# that a list response still returns the full objects.
347apiVersion: rbac.authorization.k8s.io/v1
348kind: ClusterRole
349metadata:
350 name: linkerd-heartbeat
351 labels:
352 linkerd.io/control-plane-ns: linkerd
353rules:
354- apiGroups: [""]
355 resources: ["namespaces"]
356 verbs: ["list"]
357- apiGroups: ["linkerd.io"]
358 resources: ["serviceprofiles"]
359 verbs: ["list"]
360---
# Grants ClusterRole linkerd-heartbeat to the linkerd-heartbeat
# ServiceAccount in all namespaces.
361apiVersion: rbac.authorization.k8s.io/v1
362kind: ClusterRoleBinding
363metadata:
364 name: linkerd-heartbeat
365 labels:
366 linkerd.io/control-plane-ns: linkerd
367roleRef:
368 kind: ClusterRole
369 name: linkerd-heartbeat
370 apiGroup: rbac.authorization.k8s.io
371subjects:
372- kind: ServiceAccount
373 name: linkerd-heartbeat
374 namespace: linkerd
375---
# ServiceAccount named as subject by the linkerd-heartbeat RoleBinding and
# ClusterRoleBinding in this file.
376kind: ServiceAccount
377apiVersion: v1
378metadata:
379 name: linkerd-heartbeat
380 namespace: linkerd
381 labels:
382 linkerd.io/control-plane-component: heartbeat
383 linkerd.io/control-plane-ns: linkerd
384
385---
386###
387### Proxy Injector RBAC
388###
# Cluster-wide permissions for the proxy injector's service account.
# Workload and namespace rules are read-only; the only write rule is on
# Events.
389kind: ClusterRole
390apiVersion: rbac.authorization.k8s.io/v1
391metadata:
392 name: linkerd-linkerd-proxy-injector
393 labels:
394 linkerd.io/control-plane-component: proxy-injector
395 linkerd.io/control-plane-ns: linkerd
396rules:
# Create/patch on Events in every namespace (ClusterRole bound by a
# ClusterRoleBinding), the same breadth the identity ClusterRole in this file
# flags with a TODO.
397- apiGroups: [""]
398 resources: ["events"]
399 verbs: ["create", "patch"]
400- apiGroups: [""]
401 resources: ["namespaces", "replicationcontrollers"]
402 verbs: ["list", "get", "watch"]
# Pods: list and watch only; `get` is not granted.
403- apiGroups: [""]
404 resources: ["pods"]
405 verbs: ["list", "watch"]
406- apiGroups: ["extensions", "apps"]
407 resources: ["deployments", "replicasets", "daemonsets", "statefulsets"]
408 verbs: ["list", "get", "watch"]
409- apiGroups: ["extensions", "batch"]
410 resources: ["cronjobs", "jobs"]
411 verbs: ["list", "get", "watch"]
412---
# Grants ClusterRole linkerd-linkerd-proxy-injector to the
# linkerd-proxy-injector ServiceAccount in all namespaces.
413kind: ClusterRoleBinding
414apiVersion: rbac.authorization.k8s.io/v1
415metadata:
416 name: linkerd-linkerd-proxy-injector
417 labels:
418 linkerd.io/control-plane-component: proxy-injector
419 linkerd.io/control-plane-ns: linkerd
420subjects:
421- kind: ServiceAccount
422 name: linkerd-proxy-injector
423 namespace: linkerd
# ServiceAccount subjects belong to the core API group, hence the empty
# apiGroup.
424 apiGroup: ""
425roleRef:
426 kind: ClusterRole
427 name: linkerd-linkerd-proxy-injector
428 apiGroup: rbac.authorization.k8s.io
429---
# ServiceAccount named as subject by ClusterRoleBinding
# linkerd-linkerd-proxy-injector.
430kind: ServiceAccount
431apiVersion: v1
432metadata:
433 name: linkerd-proxy-injector
434 namespace: linkerd
435 labels:
436 linkerd.io/control-plane-component: proxy-injector
437 linkerd.io/control-plane-ns: linkerd
438---
# Registers the proxy-injector mutating webhook: CREATE of core/v1 pods and
# services in namespaced scope is sent to Service linkerd-proxy-injector in
# namespace linkerd, which may modify the object before it is stored.
439apiVersion: admissionregistration.k8s.io/v1
440kind: MutatingWebhookConfiguration
441metadata:
442 name: linkerd-proxy-injector-webhook-config
443 labels:
444 linkerd.io/control-plane-component: proxy-injector
445 linkerd.io/control-plane-ns: linkerd
446webhooks:
447- name: linkerd-proxy-injector.linkerd.io
# Two exclusions are ANDed: namespaces carrying the
# config.linkerd.io/admission-webhooks=disabled label, and the namespaces
# named kube-system and cert-manager. The first is an ordinary label, so
# whoever may edit a namespace's labels can opt it out of injection; keep
# namespace update rights narrow if meshing is a security requirement.
448 namespaceSelector:
449 matchExpressions:
450 - key: config.linkerd.io/admission-webhooks
451 operator: NotIn
452 values:
453 - disabled
454 - key: kubernetes.io/metadata.name
455 operator: NotIn
456 values:
457 - kube-system
458 - cert-manager
# null objectSelector: no per-object label filtering is applied here.
459 objectSelector:
460 null
461 clientConfig:
462 service:
463 name: linkerd-proxy-injector
464 namespace: linkerd
465 path: "/"
# Decodes to the text "proxy injector CA bundle" (placeholder matching
# proxyInjector.caBundle in the linkerd-config values), not a certificate.
466 caBundle: cHJveHkgaW5qZWN0b3IgQ0EgYnVuZGxl
# Rendered placeholder; the API accepts only `Ignore` or `Fail`. With Ignore,
# pods created while the injector is unreachable are admitted unmodified;
# with Fail, their creation is rejected.
467 failurePolicy: WebhookFailurePolicy
468 admissionReviewVersions: ["v1", "v1beta1"]
469 rules:
470 - operations: [ "CREATE" ]
471 apiGroups: [""]
472 apiVersions: ["v1"]
473 resources: ["pods", "services"]
474 scope: "Namespaced"
475 sideEffects: None
476 timeoutSeconds: 10
477---
# ConfigMap carrying the rendered install values as one string under
# data.values. That string includes the issuer certificate and the trust
# anchor PEMs (certificates only; no private-key field is visible in it) and
# many unfilled placeholders such as CliVersion and ControllerImage.
# Roles linkerd-heartbeat and ext-namespace-metadata-linkerd-config in this
# file grant `get` on this ConfigMap by name.
# Do not add comments inside the `values: |` block scalar: every line there
# is part of the stored string.
478kind: ConfigMap
479apiVersion: v1
480metadata:
481 name: linkerd-config
482 namespace: linkerd
483 labels:
484 linkerd.io/control-plane-component: controller
485 linkerd.io/control-plane-ns: linkerd
486 annotations:
487 linkerd.io/created-by: CliVersion
488data:
489 linkerd-crds-chart-version: linkerd-crds-1.0.0-edge
490 values: |
491 cliVersion: CliVersion
492 clusterDomain: cluster.local
493 clusterNetworks: ClusterNetworks
494 cniEnabled: false
495 controlPlaneTracing: false
496 controlPlaneTracingNamespace: ""
497 controller: null
498 controllerGID: 2103
499 controllerImage: ControllerImage
500 controllerLogFormat: ControllerLogFormat
501 controllerLogLevel: ControllerLogLevel
502 controllerReplicas: 1
503 controllerUID: 2103
504 debugContainer:
505 image:
506 name: DebugImageName
507 pullPolicy: DebugImagePullPolicy
508 version: DebugVersion
509 destinationController: null
510 destinationProxyResources: null
511 destinationResources: null
512 disableHeartBeat: false
513 disableIPv6: false
514 enableEndpointSlices: false
515 enableH2Upgrade: true
516 enablePodAntiAffinity: false
517 enablePodDisruptionBudget: false
518 heartbeat: null
519 heartbeatResources: null
520 heartbeatSchedule: 1 2 3 4 5
521 highAvailability: false
522 identity:
523 additionalEnv: null
524 experimentalEnv: null
525 externalCA: false
526 issuer:
527 clockSkewAllowance: 20s
528 issuanceLifetime: 24h0m0s
529 scheme: linkerd.io/tls
530 tls:
531 crtPEM: |
532 -----BEGIN CERTIFICATE-----
533 MIIBwDCCAWegAwIBAgIRAJRIgZ8RtO8Ewg1Xepf8T44wCgYIKoZIzj0EAwIwKTEn
534 MCUGA1UEAxMeaWRlbnRpdHkubGlua2VyZC5jbHVzdGVyLmxvY2FsMB4XDTIwMDgy
535 ODA3MTM0N1oXDTMwMDgyNjA3MTM0N1owKTEnMCUGA1UEAxMeaWRlbnRpdHkubGlu
536 a2VyZC5jbHVzdGVyLmxvY2FsMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE1/Fp
537 fcRnDcedL6AjUaXYPv4DIMBaJufOI5NWty+XSX7JjXgZtM72dQvRaYanuxD36Dt1
538 2/JxyiSgxKWRdoay+aNwMG4wDgYDVR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYB
539 Af8CAQAwHQYDVR0OBBYEFI1WnrqMYKaHHOo+zpyiiDq2pO0KMCkGA1UdEQQiMCCC
540 HmlkZW50aXR5LmxpbmtlcmQuY2x1c3Rlci5sb2NhbDAKBggqhkjOPQQDAgNHADBE
541 AiAtuoI5XuCtrGVRzSmRTl2ra28aV9MyTU7d5qnTAFHKSgIgRKCvluOSgA5O21p5
542 51tdrmkHEZRr0qlLSJdHYgEfMzk=
543 -----END CERTIFICATE-----
544 kubeAPI:
545 clientBurst: 200
546 clientQPS: 100
547 serviceAccountTokenProjection: true
548 identityProxyResources: null
549 identityResources: null
550 identityTrustAnchorsPEM: |
551 -----BEGIN CERTIFICATE-----
552 MIIBwTCCAWagAwIBAgIQeDZp5lDaIygQ5UfMKZrFATAKBggqhkjOPQQDAjApMScw
553 JQYDVQQDEx5pZGVudGl0eS5saW5rZXJkLmNsdXN0ZXIubG9jYWwwHhcNMjAwODI4
554 MDcxMjQ3WhcNMzAwODI2MDcxMjQ3WjApMScwJQYDVQQDEx5pZGVudGl0eS5saW5r
555 ZXJkLmNsdXN0ZXIubG9jYWwwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARqc70Z
556 l1vgw79rjB5uSITICUA6GyfvSFfcuIis7B/XFSkkwAHU5S/s1AAP+R0TX7HBWUC4
557 uaG4WWsiwJKNn7mgo3AwbjAOBgNVHQ8BAf8EBAMCAQYwEgYDVR0TAQH/BAgwBgEB
558 /wIBATAdBgNVHQ4EFgQU5YtjVVPfd7I7NLHsn2C26EByGV0wKQYDVR0RBCIwIIIe
559 aWRlbnRpdHkubGlua2VyZC5jbHVzdGVyLmxvY2FsMAoGCCqGSM49BAMCA0kAMEYC
560 IQCN7lBFLDDvjx6V0+XkjpKERRsJYf5adMvnloFl48ilJgIhANtxhndcr+QJPuC8
561 vgUC0d2/9FMueIVMb+46WTCOjsqr
562 -----END CERTIFICATE-----
563 identityTrustDomain: cluster.local
564 imagePullPolicy: ImagePullPolicy
565 imagePullSecrets: null
566 linkerdVersion: LinkerdVersion
567 networkValidator:
568 connectAddr: 1.1.1.1:20001
569 enableSecurityContext: false
570 listenAddr: 0.0.0.0:4140
571 logFormat: plain
572 logLevel: debug
573 timeout: 10s
574 nodeAffinity: null
575 nodeSelector:
576 kubernetes.io/os: linux
577 podAnnotations: {}
578 podLabels: {}
579 podMonitor: null
580 policyController:
581 image:
582 name: PolicyControllerImageName
583 pullPolicy: ImagePullPolicy
584 version: PolicyControllerVersion
585 logLevel: log-level
586 probeNetworks:
587 - 1.0.0.0/0
588 - 2.0.0.0/0
589 resources:
590 cpu:
591 limit: cpu-limit
592 request: cpu-request
593 ephemeral-storage:
594 limit: ""
595 request: ""
596 memory:
597 limit: memory-limit
598 request: memory-request
599 policyValidator:
600 caBundle: policy validator CA bundle
601 crtPEM: ""
602 externalSecret: true
603 injectCaFrom: ""
604 injectCaFromSecret: ""
605 namespaceSelector:
606 matchExpressions:
607 - key: config.linkerd.io/admission-webhooks
608 operator: NotIn
609 values:
610 - disabled
611 priorityClassName: PriorityClassName
612 profileValidator:
613 caBundle: profile validator CA bundle
614 crtPEM: ""
615 externalSecret: true
616 injectCaFrom: ""
617 injectCaFromSecret: ""
618 namespaceSelector:
619 matchExpressions:
620 - key: config.linkerd.io/admission-webhooks
621 operator: NotIn
622 values:
623 - disabled
624 prometheusUrl: ""
625 proxy:
626 accessLog: ""
627 additionalEnv: null
628 await: true
629 capabilities: null
630 control: null
631 defaultInboundPolicy: default-allow-policy
632 disableInboundProtocolDetectTimeout: false
633 disableOutboundProtocolDetectTimeout: false
634 enableExternalProfiles: false
635 experimentalEnv: null
636 gid: 2102
637 image:
638 name: ProxyImageName
639 pullPolicy: ImagePullPolicy
640 version: ProxyVersion
641 inboundConnectTimeout: ""
642 inboundDiscoveryCacheUnusedTimeout: ""
643 isGateway: false
644 isIngress: false
645 livenessProbe:
646 initialDelaySeconds: 10
647 timeoutSeconds: 1
648 logFormat: plain
649 logLevel: warn,linkerd=info
650 nativeSidecar: false
651 opaquePorts: 25,443,587,3306,5432,11211
652 outboundConnectTimeout: ""
653 outboundDiscoveryCacheUnusedTimeout: ""
654 podInboundPorts: ""
655 ports:
656 admin: 4191
657 control: 4190
658 inbound: 4143
659 outbound: 4140
660 readinessProbe:
661 initialDelaySeconds: 2
662 timeoutSeconds: 1
663 requireIdentityOnInboundPorts: ""
664 resources:
665 cpu:
666 limit: cpu-limit
667 request: cpu-request
668 ephemeral-storage:
669 limit: ""
670 request: ""
671 memory:
672 limit: memory-limit
673 request: memory-request
674 saMountPath: null
675 shutdownGracePeriod: ""
676 startupProbe: null
677 uid: 2102
678 waitBeforeExitSeconds: 0
679 proxyContainerName: ProxyContainerName
680 proxyInit:
681 capabilities: null
682 closeWaitTimeoutSecs: 0
683 ignoreInboundPorts: ""
684 ignoreOutboundPorts: "443"
685 image:
686 name: ProxyInitImageName
687 pullPolicy: ImagePullPolicy
688 version: ProxyInitVersion
689 iptablesMode: legacy
690 kubeAPIServerPorts: ""
691 logFormat: ""
692 logLevel: ""
693 privileged: false
694 resources:
695 cpu:
696 limit: 100m
697 request: 10m
698 ephemeral-storage:
699 limit: ""
700 request: ""
701 memory:
702 limit: 50Mi
703 request: 10Mi
704 runAsGroup: 65534
705 runAsRoot: false
706 runAsUser: 65534
707 saMountPath: null
708 skipSubnets: ""
709 xtMountPath:
710 mountPath: /run
711 name: linkerd-proxy-init-xtables-lock
712 readOnly: false
713 proxyInjector:
714 additionalEnv: null
715 caBundle: proxy injector CA bundle
716 crtPEM: ""
717 experimentalEnv: null
718 externalSecret: true
719 injectCaFrom: ""
720 injectCaFromSecret: ""
721 namespaceSelector:
722 matchExpressions:
723 - key: config.linkerd.io/admission-webhooks
724 operator: NotIn
725 values:
726 - disabled
727 - key: kubernetes.io/metadata.name
728 operator: NotIn
729 values:
730 - kube-system
731 - cert-manager
732 proxyInjectorProxyResources: null
733 proxyInjectorResources: null
734 revisionHistoryLimit: 10
735 spValidator: null
736 tolerations: null
737 webhookFailurePolicy: WebhookFailurePolicy
738---
# Namespaced Role granting `get` on the single ConfigMap linkerd-config
# (pinned by resourceNames). No binding for this Role is visible in this
# file. NOTE(review): presumably bound by extension manifests installed
# separately - confirm which subjects receive it.
739apiVersion: rbac.authorization.k8s.io/v1
740kind: Role
741metadata:
742 annotations:
743 linkerd.io/created-by: CliVersion
744 name: ext-namespace-metadata-linkerd-config
745 namespace: linkerd
746rules:
747- apiGroups: [""]
748 resources: ["configmaps"]
749 verbs: ["get"]
750 resourceNames: ["linkerd-config"]
751---
752###
753### Identity Controller Service
754###
755---
# Secret holding the identity issuer's credentials; the identity container
# mounts it at /var/run/linkerd/identity/issuer (volume identity-issuer).
# The `data` values are base64-encoded, not encrypted: crt.pem decodes to a
# PEM certificate and key.pem to a PEM "EC PRIVATE KEY" block.
# This file appears to be a rendered fixture (unfilled placeholders such as
# CliVersion), so the key below should be treated as public: never reuse it
# for a real cluster, and keep real issuer keys out of version control.
# Within this file, Role remote-discovery grants get/list/watch on all
# Secrets in this namespace, which includes this one.
756kind: Secret
757apiVersion: v1
758metadata:
759 name: linkerd-identity-issuer
760 namespace: linkerd
761 labels:
762 linkerd.io/control-plane-component: identity
763 linkerd.io/control-plane-ns: linkerd
764 annotations:
765 linkerd.io/created-by: CliVersion
766data:
767 crt.pem: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUJ3RENDQVdlZ0F3SUJBZ0lSQUpSSWdaOFJ0TzhFd2cxWGVwZjhUNDR3Q2dZSUtvWkl6ajBFQXdJd0tURW4KTUNVR0ExVUVBeE1lYVdSbGJuUnBkSGt1YkdsdWEyVnlaQzVqYkhWemRHVnlMbXh2WTJGc01CNFhEVEl3TURneQpPREEzTVRNME4xb1hEVE13TURneU5qQTNNVE0wTjFvd0tURW5NQ1VHQTFVRUF4TWVhV1JsYm5ScGRIa3ViR2x1CmEyVnlaQzVqYkhWemRHVnlMbXh2WTJGc01Ga3dFd1lIS29aSXpqMENBUVlJS29aSXpqMERBUWNEUWdBRTEvRnAKZmNSbkRjZWRMNkFqVWFYWVB2NERJTUJhSnVmT0k1Tld0eStYU1g3SmpYZ1p0TTcyZFF2UmFZYW51eEQzNkR0MQoyL0p4eWlTZ3hLV1Jkb2F5K2FOd01HNHdEZ1lEVlIwUEFRSC9CQVFEQWdFR01CSUdBMVVkRXdFQi93UUlNQVlCCkFmOENBUUF3SFFZRFZSME9CQllFRkkxV25ycU1ZS2FISE9vK3pweWlpRHEycE8wS01Da0dBMVVkRVFRaU1DQ0MKSG1sa1pXNTBhWFI1TG14cGJtdGxjbVF1WTJ4MWMzUmxjaTVzYjJOaGJEQUtCZ2dxaGtqT1BRUURBZ05IQURCRQpBaUF0dW9JNVh1Q3RyR1ZSelNtUlRsMnJhMjhhVjlNeVRVN2Q1cW5UQUZIS1NnSWdSS0N2bHVPU2dBNU8yMXA1CjUxdGRybWtIRVpScjBxbExTSmRIWWdFZk16az0KLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQ==
768 key.pem: LS0tLS1CRUdJTiBFQyBQUklWQVRFIEtFWS0tLS0tCk1IY0NBUUVFSUFBZThuZmJ6WnU5Yy9PQjIrOHhKTTBGejdOVXdUUWF6dWxrRk5zNFRJNStvQW9HQ0NxR1NNNDkKQXdFSG9VUURRZ0FFMS9GcGZjUm5EY2VkTDZBalVhWFlQdjRESU1CYUp1Zk9JNU5XdHkrWFNYN0pqWGdadE03MgpkUXZSYVlhbnV4RDM2RHQxMi9KeHlpU2d4S1dSZG9heStRPT0KLS0tLS1FTkQgRUMgUFJJVkFURSBLRVktLS0tLQ==
769---
# ConfigMap holding the trust anchor bundle (key ca-bundle.crt, PEM
# certificate). The identity container mounts it at
# /var/run/linkerd/identity/trust-roots/ and the proxy reads it through
# LINKERD2_PROXY_IDENTITY_TRUST_ANCHORS (configMapKeyRef).
# The content is public, but its integrity matters: whoever can edit this
# ConfigMap changes which CAs those consumers trust, so write access to it
# should be tightly restricted.
770kind: ConfigMap
771apiVersion: v1
772metadata:
773 name: linkerd-identity-trust-roots
774 namespace: linkerd
775 labels:
776 linkerd.io/control-plane-component: identity
777 linkerd.io/control-plane-ns: linkerd
778 annotations:
779 linkerd.io/created-by: CliVersion
780data:
781 ca-bundle.crt: |-
782 -----BEGIN CERTIFICATE-----
783 MIIBwTCCAWagAwIBAgIQeDZp5lDaIygQ5UfMKZrFATAKBggqhkjOPQQDAjApMScw
784 JQYDVQQDEx5pZGVudGl0eS5saW5rZXJkLmNsdXN0ZXIubG9jYWwwHhcNMjAwODI4
785 MDcxMjQ3WhcNMzAwODI2MDcxMjQ3WjApMScwJQYDVQQDEx5pZGVudGl0eS5saW5r
786 ZXJkLmNsdXN0ZXIubG9jYWwwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARqc70Z
787 l1vgw79rjB5uSITICUA6GyfvSFfcuIis7B/XFSkkwAHU5S/s1AAP+R0TX7HBWUC4
788 uaG4WWsiwJKNn7mgo3AwbjAOBgNVHQ8BAf8EBAMCAQYwEgYDVR0TAQH/BAgwBgEB
789 /wIBATAdBgNVHQ4EFgQU5YtjVVPfd7I7NLHsn2C26EByGV0wKQYDVR0RBCIwIIIe
790 aWRlbnRpdHkubGlua2VyZC5jbHVzdGVyLmxvY2FsMAoGCCqGSM49BAMCA0kAMEYC
791 IQCN7lBFLDDvjx6V0+XkjpKERRsJYf5adMvnloFl48ilJgIhANtxhndcr+QJPuC8
792 vgUC0d2/9FMueIVMb+46WTCOjsqr
793 -----END CERTIFICATE-----
794---
# ClusterIP Service in front of the identity controller's gRPC port 8080.
# The selector uses only the control-plane-component label; Services select
# pods within their own namespace.
795kind: Service
796apiVersion: v1
797metadata:
798 name: linkerd-identity
799 namespace: linkerd
800 labels:
801 linkerd.io/control-plane-component: identity
802 linkerd.io/control-plane-ns: linkerd
803 annotations:
804 linkerd.io/created-by: CliVersion
805spec:
806 type: ClusterIP
807 selector:
808 linkerd.io/control-plane-component: identity
809 ports:
810 - name: grpc
811 port: 8080
812 targetPort: 8080
813---
# Headless variant (`clusterIP: None`) of the identity Service: DNS resolves
# to the selected pods' addresses directly rather than to a virtual IP.
814kind: Service
815apiVersion: v1
816metadata:
817 name: linkerd-identity-headless
818 namespace: linkerd
819 labels:
820 linkerd.io/control-plane-component: identity
821 linkerd.io/control-plane-ns: linkerd
822 annotations:
823 linkerd.io/created-by: CliVersion
824spec:
825 clusterIP: None
826 selector:
827 linkerd.io/control-plane-component: identity
828 ports:
829 - name: grpc
830 port: 8080
831 targetPort: 8080
832---
# Deployment of the identity controller. Its pod template (below) runs three
# containers: `identity`, the `linkerd-proxy` sidecar, and the `linkerd-init`
# init container.
833apiVersion: apps/v1
834kind: Deployment
835metadata:
836 annotations:
837 linkerd.io/created-by: CliVersion
838 labels:
839 app.kubernetes.io/name: identity
840 app.kubernetes.io/part-of: Linkerd
841 app.kubernetes.io/version: LinkerdVersion
842 linkerd.io/control-plane-component: identity
843 linkerd.io/control-plane-ns: linkerd
844 name: linkerd-identity
845 namespace: linkerd
# Deployment spec header and pod template metadata for linkerd-identity.
846spec:
# A single replica: this rendering has no redundancy for the component that
# issues workload certificates (highAvailability is false in the
# linkerd-config values).
847 replicas: 1
848 revisionHistoryLimit: 10
849 selector:
850 matchLabels:
851 linkerd.io/control-plane-component: identity
852 linkerd.io/control-plane-ns: linkerd
853 linkerd.io/proxy-deployment: linkerd-identity
854 template:
855 metadata:
856 annotations:
857 linkerd.io/created-by: CliVersion
858 linkerd.io/proxy-version: ProxyVersion
859 cluster-autoscaler.kubernetes.io/safe-to-evict: "true"
# NOTE(review): presumably a SHA-256 over the trust anchor bundle, so a
# changed bundle alters the pod template and triggers a rollout - confirm.
860 linkerd.io/trust-root-sha256: 8dc603abd4e755c25c94da05abbf29b9b283a784733651020d72f97ca8ab98e4
# Overrides the inbound default for this pod; the proxy container's
# LINKERD2_PROXY_INBOUND_DEFAULT_POLICY carries the same value.
# NOTE(review): by its name this admits clients without mesh identity by
# default; port 8080 is separately listed in
# LINKERD2_PROXY_INBOUND_PORTS_REQUIRE_TLS.
861 config.linkerd.io/default-inbound-policy: "all-unauthenticated"
862 labels:
863 linkerd.io/control-plane-component: identity
864 linkerd.io/control-plane-ns: linkerd
865 linkerd.io/workload-ns: linkerd
866 linkerd.io/proxy-deployment: linkerd-identity
867 spec:
868 nodeSelector:
869 kubernetes.io/os: linux
870
# First container: the identity controller itself. No `resources` block is
# set for it in this rendering (identityResources is null in the
# linkerd-config values), so it runs without CPU/memory requests or limits.
871 containers:
872 - args:
873 - identity
874 - -log-level=ControllerLogLevel
875 - -log-format=ControllerLogFormat
876 - -controller-namespace=linkerd
877 - -identity-trust-domain=cluster.local
# Issued certificates are valid for 24h, with 20s of clock-skew allowance.
878 - -identity-issuance-lifetime=24h0m0s
879 - -identity-clock-skew-allowance=20s
880 - -identity-scheme=linkerd.io/tls
# The pprof profiling endpoint is switched off.
881 - -enable-pprof=false
882 - -kube-apiclient-qps=100
883 - -kube-apiclient-burst=200
884 env:
885 - name: LINKERD_DISABLED
886 value: "linkerd-await cannot block the identity controller"
887 image: ControllerImage:LinkerdVersion
888 imagePullPolicy: ImagePullPolicy
889 livenessProbe:
890 httpGet:
891 path: /ping
892 port: 9990
893 initialDelaySeconds: 10
894 name: identity
895 ports:
896 - containerPort: 8080
897 name: grpc
898 - containerPort: 9990
899 name: admin-http
900 readinessProbe:
901 failureThreshold: 7
902 httpGet:
903 path: /ready
904 port: 9990
# Hardened container context: all capabilities dropped, read-only root
# filesystem, non-root UID/GID 2103, no privilege escalation, and the
# runtime's default seccomp profile.
905 securityContext:
906 capabilities:
907 drop:
908 - ALL
909 readOnlyRootFilesystem: true
910 runAsNonRoot: true
911 runAsUser: 2103
912 runAsGroup: 2103
913 allowPrivilegeEscalation: false
914 seccompProfile:
915 type: RuntimeDefault
916 volumeMounts:
# identity-issuer is backed by Secret linkerd-identity-issuer (issuer
# certificate and private key); only this container mounts it.
917 - mountPath: /var/run/linkerd/identity/issuer
918 name: identity-issuer
919 - mountPath: /var/run/linkerd/identity/trust-roots/
920 name: trust-roots
# Second container: the linkerd-proxy sidecar, configured entirely through
# LINKERD2_PROXY_* environment variables.
921 - env:
922 - name: _pod_name
923 valueFrom:
924 fieldRef:
925 fieldPath: metadata.name
926 - name: _pod_ns
927 valueFrom:
928 fieldRef:
929 fieldPath: metadata.namespace
930 - name: _pod_nodeName
931 valueFrom:
932 fieldRef:
933 fieldPath: spec.nodeName
# 8080 is the identity container's gRPC port. NOTE(review): by the variable
# name, inbound connections to it must use TLS - confirm proxy semantics.
934 - name: LINKERD2_PROXY_INBOUND_PORTS_REQUIRE_TLS
935 value: "8080"
936 - name: LINKERD2_PROXY_LOG
937 value: "warn,linkerd=info"
938 - name: LINKERD2_PROXY_LOG_FORMAT
939 value: "plain"
940 - name: LINKERD2_PROXY_DESTINATION_SVC_ADDR
941 value: linkerd-dst-headless.linkerd.svc.cluster.local.:8086
942 - name: LINKERD2_PROXY_DESTINATION_PROFILE_NETWORKS
943 value: "ClusterNetworks"
944 - name: LINKERD2_PROXY_POLICY_SVC_ADDR
945 value: linkerd-policy.linkerd.svc.cluster.local.:8090
946 - name: LINKERD2_PROXY_POLICY_WORKLOAD
947 value: |
948 {"ns":"$(_pod_ns)", "pod":"$(_pod_name)"}
# Same value as the pod's config.linkerd.io/default-inbound-policy
# annotation; it differs from the `default-allow-policy` placeholder under
# proxy.defaultInboundPolicy in the linkerd-config values.
949 - name: LINKERD2_PROXY_INBOUND_DEFAULT_POLICY
950 value: all-unauthenticated
951 - name: LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS
952 value: "ClusterNetworks"
953 - name: LINKERD2_PROXY_CONTROL_STREAM_INITIAL_TIMEOUT
954 value: ""
955 - name: LINKERD2_PROXY_CONTROL_STREAM_IDLE_TIMEOUT
956 value: ""
957 - name: LINKERD2_PROXY_CONTROL_STREAM_LIFETIME
958 value: ""
959 - name: LINKERD2_PROXY_OUTBOUND_DISCOVERY_IDLE_TIMEOUT
960 value: "5s"
961 - name: LINKERD2_PROXY_INBOUND_DISCOVERY_IDLE_TIMEOUT
962 value: "90s"
# Control (4190), admin (4191) and inbound (4143) listeners bind to all
# addresses ([::]); the outbound listener binds to loopback only.
963 - name: LINKERD2_PROXY_CONTROL_LISTEN_ADDR
964 value: "[::]:4190"
965 - name: LINKERD2_PROXY_ADMIN_LISTEN_ADDR
966 value: "[::]:4191"
967 - name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDR
968 value: "127.0.0.1:4140"
969 - name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDRS
970 value: "127.0.0.1:4140,[::1]:4140"
971 - name: LINKERD2_PROXY_INBOUND_LISTEN_ADDR
972 value: "[::]:4143"
973 - name: LINKERD2_PROXY_INBOUND_IPS
974 valueFrom:
975 fieldRef:
976 fieldPath: status.podIPs
977 - name: LINKERD2_PROXY_INBOUND_PORTS
978 value: "8080,9990"
979 - name: LINKERD2_PROXY_DESTINATION_PROFILE_SUFFIXES
980 value: svc.cluster.local.
981 - name: LINKERD2_PROXY_INBOUND_ACCEPT_KEEPALIVE
982 value: 10000ms
983 - name: LINKERD2_PROXY_OUTBOUND_CONNECT_KEEPALIVE
984 value: 10000ms
985 - name: LINKERD2_PROXY_INBOUND_PORTS_DISABLE_PROTOCOL_DETECTION
986 value: "25,443,587,3306,5432,11211"
987 - name: LINKERD2_PROXY_DESTINATION_CONTEXT
988 value: |
989 {"ns":"$(_pod_ns)", "nodeName":"$(_pod_nodeName)", "pod":"$(_pod_name)"}
990 - name: _pod_sa
991 valueFrom:
992 fieldRef:
993 fieldPath: spec.serviceAccountName
994 - name: _l5d_ns
995 value: linkerd
996 - name: _l5d_trustdomain
997 value: cluster.local
# Directory on the memory-backed emptyDir volume linkerd-identity-end-entity
# (mounted below at the same path).
998 - name: LINKERD2_PROXY_IDENTITY_DIR
999 value: /var/run/linkerd/identity/end-entity
1000 - name: LINKERD2_PROXY_IDENTITY_TRUST_ANCHORS
1001 valueFrom:
1002 configMapKeyRef:
1003 name: linkerd-identity-trust-roots
1004 key: ca-bundle.crt
# Path of the projected service-account token (audience identity.l5d.io)
# defined in this pod's volumes.
1005 - name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE
1006 value: /var/run/secrets/tokens/linkerd-identity-token
# The identity service address is localhost: this proxy talks to the
# identity container in its own pod.
1007 - name: LINKERD2_PROXY_IDENTITY_SVC_ADDR
1008 value: localhost.:8080
1009 - name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME
1010 value: $(_pod_sa).$(_pod_ns).serviceaccount.identity.linkerd.cluster.local
1011 - name: LINKERD2_PROXY_IDENTITY_SVC_NAME
1012 value: linkerd-identity.linkerd.serviceaccount.identity.linkerd.cluster.local
1013 - name: LINKERD2_PROXY_DESTINATION_SVC_NAME
1014 value: linkerd-destination.linkerd.serviceaccount.identity.linkerd.cluster.local
# Same expected identity as the destination service: both names refer to the
# linkerd-destination service account.
1015 - name: LINKERD2_PROXY_POLICY_SVC_NAME
1016 value: linkerd-destination.linkerd.serviceaccount.identity.linkerd.cluster.local
1017 image: ProxyImageName:ProxyVersion
1018 imagePullPolicy: ImagePullPolicy
1019 livenessProbe:
1020 httpGet:
1021 path: /live
1022 port: 4191
1023 initialDelaySeconds: 10
1024 timeoutSeconds: 1
1025 name: linkerd-proxy
1026 ports:
1027 - containerPort: 4143
1028 name: linkerd-proxy
1029 - containerPort: 4191
1030 name: linkerd-admin
1031 readinessProbe:
1032 httpGet:
1033 path: /ready
1034 port: 4191
1035 initialDelaySeconds: 2
1036 timeoutSeconds: 1
# The quantities below are unfilled placeholders ("cpu-limit" and so on), not
# valid resource quantities.
1037 resources:
1038 limits:
1039 cpu: "cpu-limit"
1040 memory: "memory-limit"
1041 requests:
1042 cpu: "cpu-request"
1043 memory: "memory-request"
# Hardened container context: no privilege escalation, all capabilities
# dropped, read-only root filesystem, non-root UID/GID 2102, default seccomp.
1044 securityContext:
1045 allowPrivilegeEscalation: false
1046 capabilities:
1047 drop:
1048 - ALL
1049 readOnlyRootFilesystem: true
1050 runAsNonRoot: true
1051 runAsUser: 2102
1052 runAsGroup: 2102
1053 seccompProfile:
1054 type: RuntimeDefault
1055 terminationMessagePolicy: FallbackToLogsOnError
1056 volumeMounts:
1057 - mountPath: /var/run/linkerd/identity/end-entity
1058 name: linkerd-identity-end-entity
1059 - mountPath: /var/run/secrets/tokens
1060 name: linkerd-identity-token
# Init container linkerd-init. Its arguments name the proxy's inbound (4143)
# and outbound (4140) ports and the proxy UID/GID 2102.
# NOTE(review): presumably it installs the packet-redirection rules that
# route pod traffic through the proxy - confirm against the proxy-init image.
1061 initContainers:
1062 - args:
1063 - --incoming-proxy-port
1064 - "4143"
1065 - --outgoing-proxy-port
1066 - "4140"
1067 - --proxy-uid
1068 - "2102"
1069 - --proxy-gid
1070 - "2102"
# 4190 and 4191 are the proxy's control and admin listener ports.
1071 - --inbound-ports-to-ignore
1072 - "4190,4191"
1073 image: ProxyInitImageName:ProxyInitVersion
1074 imagePullPolicy: ImagePullPolicy
1075 name: linkerd-init
1076 resources:
1077 limits:
1078 cpu: "100m"
1079 memory: "50Mi"
1080 requests:
1081 cpu: "10m"
1082 memory: "10Mi"
# The one container in this pod that adds capabilities: NET_ADMIN and
# NET_RAW. It is not privileged, runs as non-root UID/GID 65534, forbids
# privilege escalation and has a read-only root filesystem.
# Unlike the other two containers there is no `drop` list, so the runtime's
# default capability set is kept alongside the two added ones.
# NOTE(review): confirm whether `drop: [ALL]` can be combined with this
# `add` list.
1083 securityContext:
1084 allowPrivilegeEscalation: false
1085 capabilities:
1086 add:
1087 - NET_ADMIN
1088 - NET_RAW
1089 privileged: false
1090 runAsNonRoot: true
1091 runAsUser: 65534
1092 runAsGroup: 65534
1093 readOnlyRootFilesystem: true
1094 seccompProfile:
1095 type: RuntimeDefault
1096 terminationMessagePolicy: FallbackToLogsOnError
1097 volumeMounts:
# Writable emptyDir at /run (volume linkerd-proxy-init-xtables-lock); needed
# because the root filesystem is read-only.
1098 - mountPath: /run
1099 name: linkerd-proxy-init-xtables-lock
# Pod-level settings and volumes for the identity pod.
# `PriorityClassName` is an unfilled placeholder.
1100 priorityClassName: PriorityClassName
# Pod-wide default seccomp profile; each container also sets it explicitly.
1101 securityContext:
1102 seccompProfile:
1103 type: RuntimeDefault
1104 serviceAccountName: linkerd-identity
1105 volumes:
# Issuer certificate and private key, from Secret linkerd-identity-issuer.
1106 - name: identity-issuer
1107 secret:
1108 secretName: linkerd-identity-issuer
1109 - configMap:
1110 name: linkerd-identity-trust-roots
1111 name: trust-roots
1112 - emptyDir: {}
1113 name: linkerd-proxy-init-xtables-lock
# Projected service-account token bound to the audience identity.l5d.io and
# expiring after 86400 seconds (24h), rather than the pod's default API
# token. A token scoped to this audience is not valid for other audiences
# such as the Kubernetes API server.
1114 - name: linkerd-identity-token
1115 projected:
1116 sources:
1117 - serviceAccountToken:
1118 path: linkerd-identity-token
1119 expirationSeconds: 86400
1120 audience: identity.l5d.io
# `medium: Memory` makes this emptyDir tmpfs-backed, so what the proxy writes
# to its identity directory is not persisted to node disk.
1121 - emptyDir:
1122 medium: Memory
1123 name: linkerd-identity-end-entity
1124---
1125###
1126### Destination Controller Service
1127###
# ClusterIP Service for the destination controller's gRPC port 8086.
1128kind: Service
1129apiVersion: v1
1130metadata:
1131 name: linkerd-dst
1132 namespace: linkerd
1133 labels:
1134 linkerd.io/control-plane-component: destination
1135 linkerd.io/control-plane-ns: linkerd
1136 annotations:
1137 linkerd.io/created-by: CliVersion
1138spec:
1139 type: ClusterIP
1140 selector:
1141 linkerd.io/control-plane-component: destination
1142 ports:
1143 - name: grpc
1144 port: 8086
1145 targetPort: 8086
1146---
# Headless Service (`clusterIP: None`) for the destination gRPC port 8086.
# This is the address the identity pod's proxy uses in
# LINKERD2_PROXY_DESTINATION_SVC_ADDR.
1147kind: Service
1148apiVersion: v1
1149metadata:
1150 name: linkerd-dst-headless
1151 namespace: linkerd
1152 labels:
1153 linkerd.io/control-plane-component: destination
1154 linkerd.io/control-plane-ns: linkerd
1155 annotations:
1156 linkerd.io/created-by: CliVersion
1157spec:
1158 clusterIP: None
1159 selector:
1160 linkerd.io/control-plane-component: destination
1161 ports:
1162 - name: grpc
1163 port: 8086
1164 targetPort: 8086
---
# Service in front of the sp-validator container. Port 443 is forwarded to
# the container port named "sp-validator" (8443 in the linkerd-destination
# Deployment), which serves TLS from the mounted sp-tls secret.
apiVersion: v1
kind: Service
metadata:
  name: linkerd-sp-validator
  namespace: linkerd
  annotations:
    linkerd.io/created-by: CliVersion
  labels:
    linkerd.io/control-plane-component: destination
    linkerd.io/control-plane-ns: linkerd
spec:
  type: ClusterIP
  selector:
    linkerd.io/control-plane-component: destination
  ports:
    - name: sp-validator
      port: 443
      targetPort: sp-validator
---
# Headless Service for the policy controller's gRPC API (port 8090),
# backed by the same destination pods.
apiVersion: v1
kind: Service
metadata:
  name: linkerd-policy
  namespace: linkerd
  annotations:
    linkerd.io/created-by: CliVersion
  labels:
    linkerd.io/control-plane-component: destination
    linkerd.io/control-plane-ns: linkerd
spec:
  clusterIP: None
  selector:
    linkerd.io/control-plane-component: destination
  ports:
    - name: grpc
      port: 8090
      targetPort: 8090
---
# Service in front of the policy container's HTTPS listener. Port 443 is
# forwarded to the container port named "policy-https" (9443 in the
# linkerd-destination Deployment).
apiVersion: v1
kind: Service
metadata:
  name: linkerd-policy-validator
  namespace: linkerd
  annotations:
    linkerd.io/created-by: CliVersion
  labels:
    linkerd.io/control-plane-component: destination
    linkerd.io/control-plane-ns: linkerd
spec:
  type: ClusterIP
  selector:
    linkerd.io/control-plane-component: destination
  ports:
    - name: policy-https
      port: 443
      targetPort: policy-https
---
# Destination controller Deployment. One pod runs four containers
# (linkerd-proxy, destination, sp-validator, policy) plus the linkerd-init
# init container. Capitalised values such as CliVersion or ProxyVersion look
# like template placeholders rather than real versions.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: linkerd-destination
  namespace: linkerd
  annotations:
    linkerd.io/created-by: CliVersion
  labels:
    app.kubernetes.io/name: destination
    app.kubernetes.io/part-of: Linkerd
    app.kubernetes.io/version: LinkerdVersion
    linkerd.io/control-plane-component: destination
    linkerd.io/control-plane-ns: linkerd
spec:
  replicas: 1
  revisionHistoryLimit: 10
  selector:
    matchLabels:
      linkerd.io/control-plane-component: destination
      linkerd.io/control-plane-ns: linkerd
      linkerd.io/proxy-deployment: linkerd-destination
  template:
    metadata:
      annotations:
        checksum/config: 91d0273ac7d213bf95872f62c460ba146a459106e21d12f75e2ebe6ad7562b7f
        linkerd.io/created-by: CliVersion
        linkerd.io/proxy-version: ProxyVersion
        cluster-autoscaler.kubernetes.io/safe-to-evict: "true"
        linkerd.io/trust-root-sha256: 8dc603abd4e755c25c94da05abbf29b9b283a784733651020d72f97ca8ab98e4
        # all-unauthenticated is the most permissive inbound default: callers
        # need no mesh identity unless a narrower policy is applied to the
        # workload. Same value is passed to the proxy via
        # LINKERD2_PROXY_INBOUND_DEFAULT_POLICY below.
        config.linkerd.io/default-inbound-policy: "all-unauthenticated"
      labels:
        linkerd.io/control-plane-component: destination
        linkerd.io/control-plane-ns: linkerd
        linkerd.io/workload-ns: linkerd
        linkerd.io/proxy-deployment: linkerd-destination
    spec:
      serviceAccountName: linkerd-destination
      priorityClassName: PriorityClassName
      nodeSelector:
        kubernetes.io/os: linux
      # Pod-level default; every container below also sets RuntimeDefault.
      securityContext:
        seccompProfile:
          type: RuntimeDefault
      containers:
        # --- Sidecar proxy ---------------------------------------------
        - name: linkerd-proxy
          image: ProxyImageName:ProxyVersion
          imagePullPolicy: ImagePullPolicy
          # Order matters: $(VAR) references only expand variables that
          # were defined earlier in this list.
          env:
            - name: _pod_name
              valueFrom:
                fieldRef:
                  fieldPath: metadata.name
            - name: _pod_ns
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
            - name: _pod_nodeName
              valueFrom:
                fieldRef:
                  fieldPath: spec.nodeName
            - name: LINKERD2_PROXY_LOG
              value: "warn,linkerd=info"
            - name: LINKERD2_PROXY_LOG_FORMAT
              value: "plain"
            # The destination and policy APIs live in this same pod, hence
            # localhost instead of a Service name.
            - name: LINKERD2_PROXY_DESTINATION_SVC_ADDR
              value: localhost.:8086
            - name: LINKERD2_PROXY_DESTINATION_PROFILE_NETWORKS
              value: "ClusterNetworks"
            - name: LINKERD2_PROXY_POLICY_SVC_ADDR
              value: localhost.:8090
            - name: LINKERD2_PROXY_POLICY_WORKLOAD
              value: |
                {"ns":"$(_pod_ns)", "pod":"$(_pod_name)"}
            - name: LINKERD2_PROXY_INBOUND_DEFAULT_POLICY
              value: all-unauthenticated
            - name: LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS
              value: "ClusterNetworks"
            - name: LINKERD2_PROXY_CONTROL_STREAM_INITIAL_TIMEOUT
              value: ""
            - name: LINKERD2_PROXY_CONTROL_STREAM_IDLE_TIMEOUT
              value: ""
            - name: LINKERD2_PROXY_CONTROL_STREAM_LIFETIME
              value: ""
            - name: LINKERD2_PROXY_OUTBOUND_DISCOVERY_IDLE_TIMEOUT
              value: "5s"
            - name: LINKERD2_PROXY_INBOUND_DISCOVERY_IDLE_TIMEOUT
              value: "90s"
            # Control (4190) and admin (4191) listeners bind to all
            # interfaces; the outbound listener is loopback-only.
            # NOTE(review): 4190/4191 are also in linkerd-init's
            # --inbound-ports-to-ignore list; if admin exposure matters,
            # limit who can reach 4191 with a NetworkPolicy.
            - name: LINKERD2_PROXY_CONTROL_LISTEN_ADDR
              value: "[::]:4190"
            - name: LINKERD2_PROXY_ADMIN_LISTEN_ADDR
              value: "[::]:4191"
            - name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDR
              value: "127.0.0.1:4140"
            - name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDRS
              value: "127.0.0.1:4140,[::1]:4140"
            - name: LINKERD2_PROXY_INBOUND_LISTEN_ADDR
              value: "[::]:4143"
            - name: LINKERD2_PROXY_INBOUND_IPS
              valueFrom:
                fieldRef:
                  fieldPath: status.podIPs
            - name: LINKERD2_PROXY_INBOUND_PORTS
              value: "8086,8090,8443,9443,9990,9996,9997"
            - name: LINKERD2_PROXY_DESTINATION_PROFILE_SUFFIXES
              value: svc.cluster.local.
            - name: LINKERD2_PROXY_INBOUND_ACCEPT_KEEPALIVE
              value: 10000ms
            - name: LINKERD2_PROXY_OUTBOUND_CONNECT_KEEPALIVE
              value: 10000ms
            - name: LINKERD2_PROXY_INBOUND_PORTS_DISABLE_PROTOCOL_DETECTION
              value: "25,443,587,3306,5432,11211"
            - name: LINKERD2_PROXY_DESTINATION_CONTEXT
              value: |
                {"ns":"$(_pod_ns)", "nodeName":"$(_pod_nodeName)", "pod":"$(_pod_name)"}
            - name: _pod_sa
              valueFrom:
                fieldRef:
                  fieldPath: spec.serviceAccountName
            - name: _l5d_ns
              value: linkerd
            - name: _l5d_trustdomain
              value: cluster.local
            # Identity bootstrap: trust anchors come from a ConfigMap, the
            # token from the projected volume, and the resulting key
            # material is written to the memory-backed end-entity volume.
            - name: LINKERD2_PROXY_IDENTITY_DIR
              value: /var/run/linkerd/identity/end-entity
            - name: LINKERD2_PROXY_IDENTITY_TRUST_ANCHORS
              valueFrom:
                configMapKeyRef:
                  name: linkerd-identity-trust-roots
                  key: ca-bundle.crt
            - name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE
              value: /var/run/secrets/tokens/linkerd-identity-token
            - name: LINKERD2_PROXY_IDENTITY_SVC_ADDR
              value: linkerd-identity-headless.linkerd.svc.cluster.local.:8080
            - name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME
              value: $(_pod_sa).$(_pod_ns).serviceaccount.identity.linkerd.cluster.local
            - name: LINKERD2_PROXY_IDENTITY_SVC_NAME
              value: linkerd-identity.linkerd.serviceaccount.identity.linkerd.cluster.local
            - name: LINKERD2_PROXY_DESTINATION_SVC_NAME
              value: linkerd-destination.linkerd.serviceaccount.identity.linkerd.cluster.local
            - name: LINKERD2_PROXY_POLICY_SVC_NAME
              value: linkerd-destination.linkerd.serviceaccount.identity.linkerd.cluster.local
          ports:
            - containerPort: 4143
              name: linkerd-proxy
            - containerPort: 4191
              name: linkerd-admin
          livenessProbe:
            httpGet:
              path: /live
              port: 4191
            initialDelaySeconds: 10
            timeoutSeconds: 1
          readinessProbe:
            httpGet:
              path: /ready
              port: 4191
            initialDelaySeconds: 2
            timeoutSeconds: 1
          resources:
            limits:
              cpu: "cpu-limit"
              memory: "memory-limit"
            requests:
              cpu: "cpu-request"
              memory: "memory-request"
          # Hardened: non-root UID/GID 2102, no capabilities, read-only
          # root filesystem, no privilege escalation.
          securityContext:
            runAsNonRoot: true
            runAsUser: 2102
            runAsGroup: 2102
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            capabilities:
              drop:
                - ALL
            seccompProfile:
              type: RuntimeDefault
          terminationMessagePolicy: FallbackToLogsOnError
          lifecycle:
            postStart:
              exec:
                command:
                  - /usr/lib/linkerd/linkerd-await
                  - --timeout=2m
                  - --port=4191
          volumeMounts:
            - mountPath: /var/run/linkerd/identity/end-entity
              name: linkerd-identity-end-entity
            - mountPath: /var/run/secrets/tokens
              name: linkerd-identity-token
        # --- Destination controller ------------------------------------
        - name: destination
          image: ControllerImage:LinkerdVersion
          imagePullPolicy: ImagePullPolicy
          args:
            - destination
            - -addr=:8086
            - -controller-namespace=linkerd
            - -enable-h2-upgrade=true
            - -log-level=ControllerLogLevel
            - -log-format=ControllerLogFormat
            - -enable-endpoint-slices=false
            - -cluster-domain=cluster.local
            - -identity-trust-domain=cluster.local
            - -default-opaque-ports=25,443,587,3306,5432,11211
            - -enable-ipv6=true
            # Profiling endpoint stays off.
            - -enable-pprof=false
          ports:
            - containerPort: 8086
              name: grpc
            - containerPort: 9996
              name: admin-http
          livenessProbe:
            httpGet:
              path: /ping
              port: 9996
            initialDelaySeconds: 10
          readinessProbe:
            failureThreshold: 7
            httpGet:
              path: /ready
              port: 9996
          securityContext:
            runAsNonRoot: true
            runAsUser: 2103
            runAsGroup: 2103
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            capabilities:
              drop:
                - ALL
            seccompProfile:
              type: RuntimeDefault
        # --- ServiceProfile validator ----------------------------------
        - name: sp-validator
          image: ControllerImage:LinkerdVersion
          imagePullPolicy: ImagePullPolicy
          args:
            - sp-validator
            - -log-level=ControllerLogLevel
            - -log-format=ControllerLogFormat
            - -enable-pprof=false
          ports:
            - containerPort: 8443
              name: sp-validator
            - containerPort: 9997
              name: admin-http
          livenessProbe:
            httpGet:
              path: /ping
              port: 9997
            initialDelaySeconds: 10
          readinessProbe:
            failureThreshold: 7
            httpGet:
              path: /ready
              port: 9997
          securityContext:
            runAsNonRoot: true
            runAsUser: 2103
            runAsGroup: 2103
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            capabilities:
              drop:
                - ALL
            seccompProfile:
              type: RuntimeDefault
          volumeMounts:
            # Serving key/cert, mounted read-only.
            - mountPath: /var/run/linkerd/tls
              name: sp-tls
              readOnly: true
        # --- Policy controller -----------------------------------------
        - name: policy
          image: PolicyControllerImageName:PolicyControllerVersion
          imagePullPolicy: ImagePullPolicy
          args:
            - --admin-addr=[::]:9990
            - --control-plane-namespace=linkerd
            - --grpc-addr=[::]:8090
            - --server-addr=[::]:9443
            - --server-tls-key=/var/run/linkerd/tls/tls.key
            - --server-tls-certs=/var/run/linkerd/tls/tls.crt
            - --cluster-networks=ClusterNetworks
            - --identity-domain=cluster.local
            - --cluster-domain=cluster.local
            - --default-policy=default-allow-policy
            - --log-level=log-level
            - --log-format=ControllerLogFormat
            - --default-opaque-ports=25,443,587,3306,5432,11211
            # NOTE(review): these two ranges look like sample values;
            # presumably the source networks trusted for health probes.
            # Confirm, and keep as narrow as the cluster allows.
            - --probe-networks=1.0.0.0/0,2.0.0.0/0
          ports:
            - containerPort: 8090
              name: grpc
            - containerPort: 9990
              name: admin-http
            - containerPort: 9443
              name: policy-https
          livenessProbe:
            httpGet:
              path: /live
              port: admin-http
          readinessProbe:
            failureThreshold: 7
            httpGet:
              path: /ready
              port: admin-http
            initialDelaySeconds: 10
          resources:
            limits:
              cpu: "cpu-limit"
              memory: "memory-limit"
            requests:
              cpu: "cpu-request"
              memory: "memory-request"
          securityContext:
            runAsNonRoot: true
            runAsUser: 2103
            runAsGroup: 2103
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            capabilities:
              drop:
                - ALL
            seccompProfile:
              type: RuntimeDefault
          volumeMounts:
            - mountPath: /var/run/linkerd/tls
              name: policy-tls
              readOnly: true
      initContainers:
        # The only container here that adds capabilities: NET_ADMIN and
        # NET_RAW, while staying non-root (65534), non-privileged and on a
        # read-only root filesystem. Presumably needed to install the
        # traffic-redirect rules; verify any admission policy allows
        # exactly these two and nothing more.
        - name: linkerd-init
          image: ProxyInitImageName:ProxyInitVersion
          imagePullPolicy: ImagePullPolicy
          args:
            - --incoming-proxy-port
            - "4143"
            - --outgoing-proxy-port
            - "4140"
            - --proxy-uid
            - "2102"
            - --proxy-gid
            - "2102"
            - --inbound-ports-to-ignore
            - "4190,4191"
          resources:
            limits:
              cpu: "100m"
              memory: "50Mi"
            requests:
              cpu: "10m"
              memory: "10Mi"
          securityContext:
            privileged: false
            runAsNonRoot: true
            runAsUser: 65534
            runAsGroup: 65534
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            capabilities:
              add:
                - NET_ADMIN
                - NET_RAW
            seccompProfile:
              type: RuntimeDefault
          terminationMessagePolicy: FallbackToLogsOnError
          volumeMounts:
            - mountPath: /run
              name: linkerd-proxy-init-xtables-lock
      volumes:
        - name: sp-tls
          secret:
            secretName: linkerd-sp-validator-k8s-tls
        - name: policy-tls
          secret:
            secretName: linkerd-policy-validator-k8s-tls
        - emptyDir: {}
          name: linkerd-proxy-init-xtables-lock
        # Audience-bound, 24h service-account token used for the identity
        # exchange; it is scoped to identity.l5d.io rather than the
        # Kubernetes API server's audience.
        - name: linkerd-identity-token
          projected:
            sources:
              - serviceAccountToken:
                  path: linkerd-identity-token
                  expirationSeconds: 86400
                  audience: identity.l5d.io
        # Memory-backed so the proxy's identity material is not written
        # to node disk.
        - emptyDir:
            medium: Memory
          name: linkerd-identity-end-entity
---
###
### Heartbeat
###
# Scheduled heartbeat job. It runs without the mesh proxy (see
# LINKERD_DISABLED) and reads from Prometheus over plain HTTP.
# NOTE(review): presumably this job reports data outside the cluster;
# confirm against egress policy before enabling it in restricted
# environments.
apiVersion: batch/v1
kind: CronJob
metadata:
  name: linkerd-heartbeat
  namespace: linkerd
  annotations:
    linkerd.io/created-by: CliVersion
  labels:
    app.kubernetes.io/name: heartbeat
    app.kubernetes.io/part-of: Linkerd
    app.kubernetes.io/version: LinkerdVersion
    linkerd.io/control-plane-component: heartbeat
    linkerd.io/control-plane-ns: linkerd
spec:
  schedule: "1 2 3 4 5"
  concurrencyPolicy: Replace
  successfulJobsHistoryLimit: 0
  jobTemplate:
    spec:
      template:
        metadata:
          annotations:
            linkerd.io/created-by: CliVersion
          labels:
            linkerd.io/control-plane-component: heartbeat
            linkerd.io/workload-ns: linkerd
        spec:
          serviceAccountName: linkerd-heartbeat
          priorityClassName: PriorityClassName
          restartPolicy: Never
          nodeSelector:
            kubernetes.io/os: linux
          securityContext:
            seccompProfile:
              type: RuntimeDefault
          containers:
            - name: heartbeat
              image: ControllerImage:LinkerdVersion
              imagePullPolicy: ImagePullPolicy
              args:
                - "heartbeat"
                - "-controller-namespace=linkerd"
                - "-log-level=ControllerLogLevel"
                - "-log-format=ControllerLogFormat"
                - "-prometheus-url=http://prometheus.linkerd-viz.svc.cluster.local:9090"
              env:
                - name: LINKERD_DISABLED
                  value: "the heartbeat controller does not use the proxy"
              # Non-root 2103, all capabilities dropped, read-only rootfs.
              securityContext:
                runAsNonRoot: true
                runAsUser: 2103
                runAsGroup: 2103
                allowPrivilegeEscalation: false
                readOnlyRootFilesystem: true
                capabilities:
                  drop:
                    - ALL
                seccompProfile:
                  type: RuntimeDefault
---
###
### Proxy Injector
###
# Proxy injector Deployment: the sidecar proxy, the proxy-injector
# controller (HTTPS on 8443) and the linkerd-init init container.
# Capitalised values such as CliVersion look like template placeholders.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: linkerd-proxy-injector
  namespace: linkerd
  annotations:
    linkerd.io/created-by: CliVersion
  labels:
    app.kubernetes.io/name: proxy-injector
    app.kubernetes.io/part-of: Linkerd
    app.kubernetes.io/version: LinkerdVersion
    linkerd.io/control-plane-component: proxy-injector
    linkerd.io/control-plane-ns: linkerd
spec:
  replicas: 1
  revisionHistoryLimit: 10
  selector:
    matchLabels:
      linkerd.io/control-plane-component: proxy-injector
  template:
    metadata:
      annotations:
        checksum/config: fd791d1adb869c6aa7de66e366ec110a2ccbacf37a750723b111d98636c5ae00
        linkerd.io/created-by: CliVersion
        linkerd.io/proxy-version: ProxyVersion
        cluster-autoscaler.kubernetes.io/safe-to-evict: "true"
        linkerd.io/trust-root-sha256: 8dc603abd4e755c25c94da05abbf29b9b283a784733651020d72f97ca8ab98e4
        config.linkerd.io/opaque-ports: "8443"
        # all-unauthenticated is the most permissive inbound default:
        # callers need no mesh identity unless a narrower policy is
        # applied to this workload.
        config.linkerd.io/default-inbound-policy: "all-unauthenticated"
      labels:
        linkerd.io/control-plane-component: proxy-injector
        linkerd.io/control-plane-ns: linkerd
        linkerd.io/workload-ns: linkerd
        linkerd.io/proxy-deployment: linkerd-proxy-injector
    spec:
      serviceAccountName: linkerd-proxy-injector
      priorityClassName: PriorityClassName
      nodeSelector:
        kubernetes.io/os: linux
      securityContext:
        seccompProfile:
          type: RuntimeDefault
      containers:
        # --- Sidecar proxy ---------------------------------------------
        - name: linkerd-proxy
          image: ProxyImageName:ProxyVersion
          imagePullPolicy: ImagePullPolicy
          # Order matters: $(VAR) references only expand variables that
          # were defined earlier in this list.
          env:
            - name: _pod_name
              valueFrom:
                fieldRef:
                  fieldPath: metadata.name
            - name: _pod_ns
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
            - name: _pod_nodeName
              valueFrom:
                fieldRef:
                  fieldPath: spec.nodeName
            - name: LINKERD2_PROXY_LOG
              value: "warn,linkerd=info"
            - name: LINKERD2_PROXY_LOG_FORMAT
              value: "plain"
            - name: LINKERD2_PROXY_DESTINATION_SVC_ADDR
              value: linkerd-dst-headless.linkerd.svc.cluster.local.:8086
            - name: LINKERD2_PROXY_DESTINATION_PROFILE_NETWORKS
              value: "ClusterNetworks"
            - name: LINKERD2_PROXY_POLICY_SVC_ADDR
              value: linkerd-policy.linkerd.svc.cluster.local.:8090
            - name: LINKERD2_PROXY_POLICY_WORKLOAD
              value: |
                {"ns":"$(_pod_ns)", "pod":"$(_pod_name)"}
            - name: LINKERD2_PROXY_INBOUND_DEFAULT_POLICY
              value: all-unauthenticated
            - name: LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS
              value: "ClusterNetworks"
            - name: LINKERD2_PROXY_CONTROL_STREAM_INITIAL_TIMEOUT
              value: ""
            - name: LINKERD2_PROXY_CONTROL_STREAM_IDLE_TIMEOUT
              value: ""
            - name: LINKERD2_PROXY_CONTROL_STREAM_LIFETIME
              value: ""
            - name: LINKERD2_PROXY_OUTBOUND_DISCOVERY_IDLE_TIMEOUT
              value: "5s"
            - name: LINKERD2_PROXY_INBOUND_DISCOVERY_IDLE_TIMEOUT
              value: "90s"
            # Control (4190) and admin (4191) listeners bind to all
            # interfaces; the outbound listener is loopback-only.
            - name: LINKERD2_PROXY_CONTROL_LISTEN_ADDR
              value: "[::]:4190"
            - name: LINKERD2_PROXY_ADMIN_LISTEN_ADDR
              value: "[::]:4191"
            - name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDR
              value: "127.0.0.1:4140"
            - name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDRS
              value: "127.0.0.1:4140,[::1]:4140"
            - name: LINKERD2_PROXY_INBOUND_LISTEN_ADDR
              value: "[::]:4143"
            - name: LINKERD2_PROXY_INBOUND_IPS
              valueFrom:
                fieldRef:
                  fieldPath: status.podIPs
            - name: LINKERD2_PROXY_INBOUND_PORTS
              value: "8443,9995"
            - name: LINKERD2_PROXY_DESTINATION_PROFILE_SUFFIXES
              value: svc.cluster.local.
            - name: LINKERD2_PROXY_INBOUND_ACCEPT_KEEPALIVE
              value: 10000ms
            - name: LINKERD2_PROXY_OUTBOUND_CONNECT_KEEPALIVE
              value: 10000ms
            - name: LINKERD2_PROXY_INBOUND_PORTS_DISABLE_PROTOCOL_DETECTION
              value: "25,443,587,3306,5432,11211"
            - name: LINKERD2_PROXY_DESTINATION_CONTEXT
              value: |
                {"ns":"$(_pod_ns)", "nodeName":"$(_pod_nodeName)", "pod":"$(_pod_name)"}
            - name: _pod_sa
              valueFrom:
                fieldRef:
                  fieldPath: spec.serviceAccountName
            - name: _l5d_ns
              value: linkerd
            - name: _l5d_trustdomain
              value: cluster.local
            # Identity bootstrap: trust anchors from a ConfigMap, token
            # from the projected volume, key material written to the
            # memory-backed end-entity volume.
            - name: LINKERD2_PROXY_IDENTITY_DIR
              value: /var/run/linkerd/identity/end-entity
            - name: LINKERD2_PROXY_IDENTITY_TRUST_ANCHORS
              valueFrom:
                configMapKeyRef:
                  name: linkerd-identity-trust-roots
                  key: ca-bundle.crt
            - name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE
              value: /var/run/secrets/tokens/linkerd-identity-token
            - name: LINKERD2_PROXY_IDENTITY_SVC_ADDR
              value: linkerd-identity-headless.linkerd.svc.cluster.local.:8080
            - name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME
              value: $(_pod_sa).$(_pod_ns).serviceaccount.identity.linkerd.cluster.local
            - name: LINKERD2_PROXY_IDENTITY_SVC_NAME
              value: linkerd-identity.linkerd.serviceaccount.identity.linkerd.cluster.local
            - name: LINKERD2_PROXY_DESTINATION_SVC_NAME
              value: linkerd-destination.linkerd.serviceaccount.identity.linkerd.cluster.local
            - name: LINKERD2_PROXY_POLICY_SVC_NAME
              value: linkerd-destination.linkerd.serviceaccount.identity.linkerd.cluster.local
          ports:
            - containerPort: 4143
              name: linkerd-proxy
            - containerPort: 4191
              name: linkerd-admin
          livenessProbe:
            httpGet:
              path: /live
              port: 4191
            initialDelaySeconds: 10
            timeoutSeconds: 1
          readinessProbe:
            httpGet:
              path: /ready
              port: 4191
            initialDelaySeconds: 2
            timeoutSeconds: 1
          resources:
            limits:
              cpu: "cpu-limit"
              memory: "memory-limit"
            requests:
              cpu: "cpu-request"
              memory: "memory-request"
          # Hardened: non-root UID/GID 2102, no capabilities, read-only
          # root filesystem, no privilege escalation.
          securityContext:
            runAsNonRoot: true
            runAsUser: 2102
            runAsGroup: 2102
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            capabilities:
              drop:
                - ALL
            seccompProfile:
              type: RuntimeDefault
          terminationMessagePolicy: FallbackToLogsOnError
          lifecycle:
            postStart:
              exec:
                command:
                  - /usr/lib/linkerd/linkerd-await
                  - --timeout=2m
                  - --port=4191
          volumeMounts:
            - mountPath: /var/run/linkerd/identity/end-entity
              name: linkerd-identity-end-entity
            - mountPath: /var/run/secrets/tokens
              name: linkerd-identity-token
        # --- Injector controller ---------------------------------------
        - name: proxy-injector
          image: ControllerImage:LinkerdVersion
          imagePullPolicy: ImagePullPolicy
          args:
            - proxy-injector
            - -log-level=ControllerLogLevel
            - -log-format=ControllerLogFormat
            - -linkerd-namespace=linkerd
            # Profiling endpoint stays off.
            - -enable-pprof=false
          ports:
            - containerPort: 8443
              name: proxy-injector
            - containerPort: 9995
              name: admin-http
          livenessProbe:
            httpGet:
              path: /ping
              port: 9995
            initialDelaySeconds: 10
          readinessProbe:
            failureThreshold: 7
            httpGet:
              path: /ready
              port: 9995
          securityContext:
            runAsNonRoot: true
            runAsUser: 2103
            runAsGroup: 2103
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            capabilities:
              drop:
                - ALL
            seccompProfile:
              type: RuntimeDefault
          volumeMounts:
            - mountPath: /var/run/linkerd/config
              name: config
            - mountPath: /var/run/linkerd/identity/trust-roots
              name: trust-roots
            # Serving key/cert, mounted read-only.
            - mountPath: /var/run/linkerd/tls
              name: tls
              readOnly: true
      initContainers:
        # The only container here that adds capabilities: NET_ADMIN and
        # NET_RAW, while staying non-root (65534), non-privileged and on a
        # read-only root filesystem. Presumably needed to install the
        # traffic-redirect rules; verify any admission policy allows
        # exactly these two and nothing more.
        - name: linkerd-init
          image: ProxyInitImageName:ProxyInitVersion
          imagePullPolicy: ImagePullPolicy
          args:
            - --incoming-proxy-port
            - "4143"
            - --outgoing-proxy-port
            - "4140"
            - --proxy-uid
            - "2102"
            - --proxy-gid
            - "2102"
            - --inbound-ports-to-ignore
            - "4190,4191"
          resources:
            limits:
              cpu: "100m"
              memory: "50Mi"
            requests:
              cpu: "10m"
              memory: "10Mi"
          securityContext:
            privileged: false
            runAsNonRoot: true
            runAsUser: 65534
            runAsGroup: 65534
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            capabilities:
              add:
                - NET_ADMIN
                - NET_RAW
            seccompProfile:
              type: RuntimeDefault
          terminationMessagePolicy: FallbackToLogsOnError
          volumeMounts:
            - mountPath: /run
              name: linkerd-proxy-init-xtables-lock
      volumes:
        - configMap:
            name: linkerd-config
          name: config
        - configMap:
            name: linkerd-identity-trust-roots
          name: trust-roots
        - name: tls
          secret:
            secretName: linkerd-proxy-injector-k8s-tls
        - emptyDir: {}
          name: linkerd-proxy-init-xtables-lock
        # Audience-bound, 24h service-account token used for the identity
        # exchange; it is scoped to identity.l5d.io rather than the
        # Kubernetes API server's audience.
        - name: linkerd-identity-token
          projected:
            sources:
              - serviceAccountToken:
                  path: linkerd-identity-token
                  expirationSeconds: 86400
                  audience: identity.l5d.io
        # Memory-backed so the proxy's identity material is not written
        # to node disk.
        - emptyDir:
            medium: Memory
          name: linkerd-identity-end-entity
---
# Service in front of the proxy-injector's HTTPS listener. Port 443 is
# forwarded to the container port named "proxy-injector" (8443 in the
# Deployment) and is marked opaque for the mesh.
apiVersion: v1
kind: Service
metadata:
  name: linkerd-proxy-injector
  namespace: linkerd
  annotations:
    linkerd.io/created-by: CliVersion
    config.linkerd.io/opaque-ports: "443"
  labels:
    linkerd.io/control-plane-component: proxy-injector
    linkerd.io/control-plane-ns: linkerd
spec:
  type: ClusterIP
  selector:
    linkerd.io/control-plane-component: proxy-injector
  ports:
    - name: proxy-injector
      port: 443
      targetPort: proxy-injector
1988---
1989apiVersion: v1
1990data:
1991 linkerd-config-overrides: Y2xpVmVyc2lvbjogQ2xpVmVyc2lvbgpjbHVzdGVyTmV0d29ya3M6IENsdXN0ZXJOZXR3b3Jrcwpjb250cm9sUGxhbmVUcmFjaW5nTmFtZXNwYWNlOiAiIgpjb250cm9sbGVyOiBudWxsCmNvbnRyb2xsZXJHSUQ6IDIxMDMKY29udHJvbGxlckltYWdlOiBDb250cm9sbGVySW1hZ2UKY29udHJvbGxlckxvZ0Zvcm1hdDogQ29udHJvbGxlckxvZ0Zvcm1hdApjb250cm9sbGVyTG9nTGV2ZWw6IENvbnRyb2xsZXJMb2dMZXZlbApkZWJ1Z0NvbnRhaW5lcjoKICBpbWFnZToKICAgIG5hbWU6IERlYnVnSW1hZ2VOYW1lCiAgICBwdWxsUG9saWN5OiBEZWJ1Z0ltYWdlUHVsbFBvbGljeQogICAgdmVyc2lvbjogRGVidWdWZXJzaW9uCmRlc3RpbmF0aW9uQ29udHJvbGxlcjogbnVsbApkaXNhYmxlSVB2NjogZmFsc2UKZW5hYmxlRW5kcG9pbnRTbGljZXM6IGZhbHNlCmhlYXJ0YmVhdFNjaGVkdWxlOiAxIDIgMyA0IDUKaWRlbnRpdHk6CiAgaXNzdWVyOgogICAgdGxzOgogICAgICBjcnRQRU06IHwKICAgICAgICAtLS0tLUJFR0lOIENFUlRJRklDQVRFLS0tLS0KICAgICAgICBNSUlCd0RDQ0FXZWdBd0lCQWdJUkFKUklnWjhSdE84RXdnMVhlcGY4VDQ0d0NnWUlLb1pJemowRUF3SXdLVEVuCiAgICAgICAgTUNVR0ExVUVBeE1lYVdSbGJuUnBkSGt1YkdsdWEyVnlaQzVqYkhWemRHVnlMbXh2WTJGc01CNFhEVEl3TURneQogICAgICAgIE9EQTNNVE0wTjFvWERUTXdNRGd5TmpBM01UTTBOMW93S1RFbk1DVUdBMVVFQXhNZWFXUmxiblJwZEhrdWJHbHUKICAgICAgICBhMlZ5WkM1amJIVnpkR1Z5TG14dlkyRnNNRmt3RXdZSEtvWkl6ajBDQVFZSUtvWkl6ajBEQVFjRFFnQUUxL0ZwCiAgICAgICAgZmNSbkRjZWRMNkFqVWFYWVB2NERJTUJhSnVmT0k1Tld0eStYU1g3SmpYZ1p0TTcyZFF2UmFZYW51eEQzNkR0MQogICAgICAgIDIvSnh5aVNneEtXUmRvYXkrYU53TUc0d0RnWURWUjBQQVFIL0JBUURBZ0VHTUJJR0ExVWRFd0VCL3dRSU1BWUIKICAgICAgICBBZjhDQVFBd0hRWURWUjBPQkJZRUZJMVducnFNWUthSEhPbyt6cHlpaURxMnBPMEtNQ2tHQTFVZEVRUWlNQ0NDCiAgICAgICAgSG1sa1pXNTBhWFI1TG14cGJtdGxjbVF1WTJ4MWMzUmxjaTVzYjJOaGJEQUtCZ2dxaGtqT1BRUURBZ05IQURCRQogICAgICAgIEFpQXR1b0k1WHVDdHJHVlJ6U21SVGwycmEyOGFWOU15VFU3ZDVxblRBRkhLU2dJZ1JLQ3ZsdU9TZ0E1TzIxcDUKICAgICAgICA1MXRkcm1rSEVaUnIwcWxMU0pkSFlnRWZNems9CiAgICAgICAgLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQogICAgICBrZXlQRU06IHwKICAgICAgICAtLS0tLUJFR0lOIEVDIFBSSVZBVEUgS0VZLS0tLS0KICAgICAgICBNSGNDQVFFRUlBQWU4bmZielp1OWMvT0IyKzh4Sk0wRno3TlV3VFFhenVsa0ZOczRUSTUrb0FvR0NDcUdTTTQ5CiAgICAgICAgQXdFSG9VUURRZ0FFMS9GcGZjUm5EY2VkTDZBalVhWFlQdjRESU1CYUp1Zk9JNU5XdHkrWFNYN0pqWGdadE03MgogICAgICAgIGRRd
lJhWWFudXhEMzZEdDEyL0p4eWlTZ3hLV1Jkb2F5K1E9PQogICAgICAgIC0tLS0tRU5EIEVDIFBSSVZBVEUgS0VZLS0tLS0KaWRlbnRpdHlUcnVzdEFuY2hvcnNQRU06IHwKICAtLS0tLUJFR0lOIENFUlRJRklDQVRFLS0tLS0KICBNSUlCd1RDQ0FXYWdBd0lCQWdJUWVEWnA1bERhSXlnUTVVZk1LWnJGQVRBS0JnZ3Foa2pPUFFRREFqQXBNU2N3CiAgSlFZRFZRUURFeDVwWkdWdWRHbDBlUzVzYVc1clpYSmtMbU5zZFhOMFpYSXViRzlqWVd3d0hoY05NakF3T0RJNAogIE1EY3hNalEzV2hjTk16QXdPREkyTURjeE1qUTNXakFwTVNjd0pRWURWUVFERXg1cFpHVnVkR2wwZVM1c2FXNXIKICBaWEprTG1Oc2RYTjBaWEl1Ykc5allXd3dXVEFUQmdjcWhrak9QUUlCQmdncWhrak9QUU1CQndOQ0FBUnFjNzBaCiAgbDF2Z3c3OXJqQjV1U0lUSUNVQTZHeWZ2U0ZmY3VJaXM3Qi9YRlNra3dBSFU1Uy9zMUFBUCtSMFRYN0hCV1VDNAogIHVhRzRXV3Npd0pLTm43bWdvM0F3YmpBT0JnTlZIUThCQWY4RUJBTUNBUVl3RWdZRFZSMFRBUUgvQkFnd0JnRUIKICAvd0lCQVRBZEJnTlZIUTRFRmdRVTVZdGpWVlBmZDdJN05MSHNuMkMyNkVCeUdWMHdLUVlEVlIwUkJDSXdJSUllCiAgYVdSbGJuUnBkSGt1YkdsdWEyVnlaQzVqYkhWemRHVnlMbXh2WTJGc01Bb0dDQ3FHU000OUJBTUNBMGtBTUVZQwogIElRQ043bEJGTEREdmp4NlYwK1hranBLRVJSc0pZZjVhZE12bmxvRmw0OGlsSmdJaEFOdHhobmRjcitRSlB1QzgKICB2Z1VDMGQyLzlGTXVlSVZNYis0NldUQ09qc3FyCiAgLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQppbWFnZVB1bGxQb2xpY3k6IEltYWdlUHVsbFBvbGljeQppbWFnZVB1bGxTZWNyZXRzOiBudWxsCmxpbmtlcmRWZXJzaW9uOiBMaW5rZXJkVmVyc2lvbgpuZXR3b3JrVmFsaWRhdG9yOgogIGVuYWJsZVNlY3VyaXR5Q29udGV4dDogZmFsc2UKcG9kTW9uaXRvcjogbnVsbApwb2xpY3lDb250cm9sbGVyOgogIGltYWdlOgogICAgbmFtZTogUG9saWN5Q29udHJvbGxlckltYWdlTmFtZQogICAgcHVsbFBvbGljeTogSW1hZ2VQdWxsUG9saWN5CiAgICB2ZXJzaW9uOiBQb2xpY3lDb250cm9sbGVyVmVyc2lvbgogIGxvZ0xldmVsOiBsb2ctbGV2ZWwKICByZXNvdXJjZXM6CiAgICBjcHU6CiAgICAgIGxpbWl0OiBjcHUtbGltaXQKICAgICAgcmVxdWVzdDogY3B1LXJlcXVlc3QKICAgIG1lbW9yeToKICAgICAgbGltaXQ6IG1lbW9yeS1saW1pdAogICAgICByZXF1ZXN0OiBtZW1vcnktcmVxdWVzdApwb2xpY3lWYWxpZGF0b3I6CiAgY2FCdW5kbGU6IHBvbGljeSB2YWxpZGF0b3IgQ0EgYnVuZGxlCiAgZXh0ZXJuYWxTZWNyZXQ6IHRydWUKcHJpb3JpdHlDbGFzc05hbWU6IFByaW9yaXR5Q2xhc3NOYW1lCnByb2ZpbGVWYWxpZGF0b3I6CiAgY2FCdW5kbGU6IHByb2ZpbGUgdmFsaWRhdG9yIENBIGJ1bmRsZQogIGV4dGVybmFsU2VjcmV0OiB0cnVlCnByb3h5OgogIGNvbnRyb2w6IG51bGwKICBkZWZhdWx0SW5ib3VuZFBvbGljeTogZGVmYXVsdC1hbGxvdy1wb2xpY
3kKICBnaWQ6IDIxMDIKICBpbWFnZToKICAgIG5hbWU6IFByb3h5SW1hZ2VOYW1lCiAgICBwdWxsUG9saWN5OiBJbWFnZVB1bGxQb2xpY3kKICAgIHZlcnNpb246IFByb3h5VmVyc2lvbgogIGluYm91bmRDb25uZWN0VGltZW91dDogIiIKICBpbmJvdW5kRGlzY292ZXJ5Q2FjaGVVbnVzZWRUaW1lb3V0OiAiIgogIGxvZ0xldmVsOiB3YXJuLGxpbmtlcmQ9aW5mbwogIG9wYXF1ZVBvcnRzOiAyNSw0NDMsNTg3LDMzMDYsNTQzMiwxMTIxMQogIG91dGJvdW5kQ29ubmVjdFRpbWVvdXQ6ICIiCiAgb3V0Ym91bmREaXNjb3ZlcnlDYWNoZVVudXNlZFRpbWVvdXQ6ICIiCiAgcmVzb3VyY2VzOgogICAgY3B1OgogICAgICBsaW1pdDogY3B1LWxpbWl0CiAgICAgIHJlcXVlc3Q6IGNwdS1yZXF1ZXN0CiAgICBtZW1vcnk6CiAgICAgIGxpbWl0OiBtZW1vcnktbGltaXQKICAgICAgcmVxdWVzdDogbWVtb3J5LXJlcXVlc3QKICBzdGFydHVwUHJvYmU6IG51bGwKcHJveHlDb250YWluZXJOYW1lOiBQcm94eUNvbnRhaW5lck5hbWUKcHJveHlJbml0OgogIGlnbm9yZUluYm91bmRQb3J0czogIiIKICBpZ25vcmVPdXRib3VuZFBvcnRzOiAiNDQzIgogIGltYWdlOgogICAgbmFtZTogUHJveHlJbml0SW1hZ2VOYW1lCiAgICBwdWxsUG9saWN5OiBJbWFnZVB1bGxQb2xpY3kKICAgIHZlcnNpb246IFByb3h5SW5pdFZlcnNpb24KICBrdWJlQVBJU2VydmVyUG9ydHM6ICIiCiAgcmVzb3VyY2VzOgogICAgY3B1OgogICAgICByZXF1ZXN0OiAxMG0KICAgIG1lbW9yeToKICAgICAgbGltaXQ6IDUwTWkKICAgICAgcmVxdWVzdDogMTBNaQpwcm94eUluamVjdG9yOgogIGNhQnVuZGxlOiBwcm94eSBpbmplY3RvciBDQSBidW5kbGUKICBleHRlcm5hbFNlY3JldDogdHJ1ZQp3ZWJob29rRmFpbHVyZVBvbGljeTogV2ViaG9va0ZhaWx1cmVQb2xpY3kK
# NOTE(review): the linkerd-config-overrides value above is base64-encoded,
# not encrypted. Decoded, it is the install-values YAML and includes
# identity.issuer.tls.keyPEM, an EC private key. Placeholder values such as
# CliVersion suggest this is rendered test output; for a real install,
# restrict get/list on this Secret and keep the rendered manifest out of
# version control.
kind: Secret
metadata:
  name: linkerd-config-overrides
  namespace: linkerd
  labels:
    linkerd.io/control-plane-ns: linkerd
  creationTimestamp: null