...
# Namespace for the Linkerd multicluster extension (gateway + service-mirror).
kind: Namespace
apiVersion: v1
metadata:
  name: linkerd-multicluster
  labels:
    linkerd.io/extension: multicluster
    # Pod Security Admission is set to its most permissive level for the whole
    # namespace. The gateway container declared in this file is itself hardened
    # (non-root, all capabilities dropped, read-only root filesystem), so the
    # relaxed level is presumably for the proxy-init container that the
    # `linkerd.io/inject: enabled` annotation brings in.
    # NOTE(review): confirm whether `baseline` or `restricted` is viable here
    # (e.g. when the Linkerd CNI plugin does the network setup instead).
    pod-security.kubernetes.io/enforce: privileged
8---
apiVersion: apps/v1
kind: Deployment
metadata:
  annotations:
    linkerd.io/created-by: linkerd/helm linkerdVersionValue
  labels:
    app.kubernetes.io/name: gateway
    app.kubernetes.io/part-of: Linkerd
    app.kubernetes.io/version: linkerdVersionValue
    component: gateway
    app: linkerd-gateway
    linkerd.io/extension: multicluster
  name: linkerd-gateway
  namespace: linkerd-multicluster
spec:
  # Single gateway replica: losing this pod interrupts all mirrored traffic
  # into this cluster until it is rescheduled (an availability concern, not a
  # confidentiality one).
  replicas: 1
  revisionHistoryLimit: 10
  selector:
    matchLabels:
      app: linkerd-gateway
  template:
    metadata:
      annotations:
        linkerd.io/created-by: linkerd/helm linkerdVersionValue
        # The pod is proxy-injected and flagged as a gateway; the `pause`
        # container below only keeps the pod alive — presumably the injected
        # proxy is what actually terminates cross-cluster connections.
        linkerd.io/inject: enabled
        # Inbound connections on the gateway port are required to present a
        # mesh identity (mTLS); unauthenticated connections to 4143 are meant
        # to be refused by the proxy.
        config.linkerd.io/proxy-require-identity-inbound-ports: "4143"
        config.linkerd.io/enable-gateway: "true"
        # Ports without an explicit Server/AuthorizationPolicy only accept
        # authenticated (meshed) clients.
        config.linkerd.io/default-inbound-policy: all-authenticated
        cluster-autoscaler.kubernetes.io/safe-to-evict: "true"
      labels:
        app: linkerd-gateway
        linkerd.io/extension: multicluster
    spec:
      containers:
        - name: pause
          # NOTE(review): pinned by tag only. Pin by digest
          # (`image@sha256:...`) so a re-tagged upstream image cannot change
          # what runs here. `gcr.io/google_containers` is also a legacy
          # registry path — confirm it is still the intended source.
          image: gcr.io/google_containers/pause:3.2
          # Hardened: fixed non-root UID/GID, no capabilities, no privilege
          # escalation, read-only root filesystem, runtime-default seccomp.
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
            readOnlyRootFilesystem: true
            runAsGroup: 2103
            runAsNonRoot: true
            runAsUser: 2103
            seccompProfile:
              type: RuntimeDefault
      # Pod-level context only sets the seccomp profile; it applies to every
      # container in the pod (including injected ones) unless a container
      # overrides it. No resource requests/limits are declared here —
      # presumably left to chart values; confirm before exposing this publicly.
      securityContext:
        seccompProfile:
          type: RuntimeDefault
      serviceAccountName: linkerd-gateway
61---
apiVersion: v1
kind: Service
metadata:
  name: linkerd-gateway
  namespace: linkerd-multicluster
  labels:
    linkerd.io/extension: multicluster
  annotations:
    # Mesh identity the service-mirror in a linked cluster is expected to
    # verify during the mTLS handshake with this gateway. It is derived from
    # the `linkerd-gateway` ServiceAccount in this namespace, and the trust
    # domain is fixed to `cluster.local` — it must match this cluster's
    # identity trust domain or the linked side will reject the gateway.
    mirror.linkerd.io/gateway-identity: linkerd-gateway.linkerd-multicluster.serviceaccount.identity.linkerd.cluster.local
    # Health-probe settings for linked clusters (the period is presumably in
    # seconds — confirm against the Link consumer).
    mirror.linkerd.io/probe-period: "3"
    mirror.linkerd.io/probe-path: /ready
    mirror.linkerd.io/multicluster-gateway: "true"
    component: gateway
    linkerd.io/created-by: linkerd/helm linkerdVersionValue
spec:
  ports:
    # Cross-cluster data path; mesh identity is required on this port (see the
    # `proxy-require-identity-inbound-ports` annotation on the Deployment).
    - name: mc-gateway
      port: 4143
      protocol: TCP
    # Health probe (`/ready`). NOTE(review): this is presumably the proxy's
    # admin port; only the probe path should be reachable from outside —
    # verify what else the proxy serves unauthenticated on 4191.
    - name: mc-probe
      port: 4191
      protocol: TCP
  selector:
    app: linkerd-gateway
  # Both ports are published on an external load balancer. NOTE(review):
  # where the provider supports it, restrict ingress at the LB (for example
  # `loadBalancerSourceRanges:` listing the linked clusters' egress CIDRs)
  # rather than relying on mesh identity alone.
  type: LoadBalancer
87---
# Service account the gateway pod runs as. Its mesh identity
# (`linkerd-gateway.linkerd-multicluster.serviceaccount.identity.linkerd.<trust-domain>`)
# is the value pinned by the gateway Service's `mirror.linkerd.io/gateway-identity`
# annotation, so renaming either the account or the namespace breaks that pin.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: linkerd-gateway
  namespace: linkerd-multicluster
  labels:
    linkerd.io/extension: multicluster
95---
apiVersion: policy.linkerd.io/v1beta2
kind: Server
metadata:
  namespace: linkerd-multicluster
  name: linkerd-gateway
  labels:
    linkerd.io/extension: multicluster
    app: linkerd-gateway
  annotations:
    linkerd.io/created-by: linkerd/helm linkerdVersionValue
spec:
  podSelector:
    matchLabels:
      app: linkerd-gateway
  # Attaches policy to the proxy's own inbound port (presumably the one the
  # Service publishes as 4143). Under Linkerd's policy model a Server with no
  # authorization resource attached denies all traffic, so the gateway's
  # effective access rules are entirely those of the `linkerd-gateway`
  # AuthorizationPolicy that references this Server — confirm against the
  # installed policy-controller version.
  port: linkerd-proxy
111---
apiVersion: policy.linkerd.io/v1alpha1
kind: AuthorizationPolicy
metadata:
  namespace: linkerd-multicluster
  name: linkerd-gateway
  labels:
    linkerd.io/extension: multicluster
    app: linkerd-gateway
  annotations:
    linkerd.io/created-by: linkerd/helm linkerdVersionValue
spec:
  targetRef:
    group: policy.linkerd.io
    kind: Server
    name: linkerd-gateway
  # Every referenced authentication must be satisfied together (AND, not OR).
  # With the values shipped in this file the `source-cluster` network check
  # admits every IPv4 and IPv6 address, so the mesh-identity check is the only
  # one that actually gates access to the gateway.
  requiredAuthenticationRefs:
    - group: policy.linkerd.io
      kind: MeshTLSAuthentication
      name: any-meshed
      namespace: linkerd-multicluster
    - group: policy.linkerd.io
      kind: NetworkAuthentication
      name: source-cluster
      namespace: linkerd-multicluster
136---
apiVersion: policy.linkerd.io/v1alpha1
kind: MeshTLSAuthentication
metadata:
  namespace: linkerd-multicluster
  name: any-meshed
  labels:
    linkerd.io/extension: multicluster
    app: linkerd-gateway
  annotations:
    linkerd.io/created-by: linkerd/helm linkerdVersionValue
spec:
  # `*` accepts any mesh identity, i.e. every workload whose certificate chains
  # to the trust anchor this cluster shares with its linked clusters — not just
  # the linked clusters' proxies, and including workloads in this cluster.
  # The trust boundary is therefore "anything issued under the shared trust
  # anchor". NOTE(review): where linked clusters use distinct identity trust
  # domains, narrow this to their identities (e.g. one `*.<trust-domain>`
  # pattern per linked cluster) instead of the catch-all.
  identities:
    - '*'
150---
apiVersion: policy.linkerd.io/v1alpha1
kind: NetworkAuthentication
metadata:
  namespace: linkerd-multicluster
  name: source-cluster
  labels:
    linkerd.io/extension: multicluster
    app: linkerd-gateway
  annotations:
    linkerd.io/created-by: linkerd/helm linkerdVersionValue
spec:
  # Source-address check for connections reaching the gateway. As shipped it
  # allows every IPv4 and IPv6 address, so it adds nothing on top of the
  # mTLS-identity check it is combined with.
  # Change these to the CIDRs the linked clusters' traffic actually arrives
  # from. Caveat: on some providers (e.g. GKE) the source IP seen by the proxy
  # is the local node's IP rather than the linked cluster's, in which case a
  # per-cluster CIDR here will never match and the restriction may have to be
  # applied at the load balancer instead.
  networks:
    - cidr: "0.0.0.0/0"
    - cidr: "::/0"
168---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: linkerd-service-mirror-remote-access-default
  labels:
    linkerd.io/extension: multicluster
  annotations:
    linkerd.io/created-by: linkerd/helm linkerdVersionValue
# Read-only, cluster-wide view of workloads and service discovery, plus the
# ability to emit Events. It is bound to the `remote-access` service account,
# whose token is presumably what linked clusters receive — so each linked
# cluster's service-mirror ends up with this view of this cluster.
rules:
  - apiGroups:
      - apps
    resources:
      - replicasets
    verbs:
      - list
      - get
      - watch
  - apiGroups:
      - batch
    resources:
      - jobs
    verbs:
      - list
      - get
      - watch
  - apiGroups:
      - ""
    resources:
      - pods
      - endpoints
      - services
    verbs:
      - list
      - get
      - watch
  - apiGroups:
      - discovery.k8s.io
    resources:
      - endpointslices
    verbs:
      - list
      - get
      - watch
  - apiGroups:
      - policy.linkerd.io
    resources:
      - servers
    verbs:
      - list
      - get
      - watch
  # Only the control-plane config map is readable, not ConfigMaps in general.
  - apiGroups:
      - ""
    resources:
      - configmaps
    verbs:
      - get
    resourceNames:
      - linkerd-config
  # The only write permission in the role.
  - apiGroups:
      - ""
    resources:
      - events
    verbs:
      - create
      - patch
200---
# Service account whose credentials linked clusters use to read this cluster's
# Services; it is bound cluster-wide by the ClusterRoleBinding of the same name
# and a long-lived token for it is minted by the Secret that follows.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: linkerd-service-mirror-remote-access-default
  namespace: linkerd-multicluster
  annotations:
    linkerd.io/created-by: linkerd/helm linkerdVersionValue
  labels:
    linkerd.io/extension: multicluster
210---
apiVersion: v1
kind: Secret
metadata:
  name: linkerd-service-mirror-remote-access-default-token
  namespace: linkerd-multicluster
  labels:
    linkerd.io/extension: multicluster
  annotations:
    kubernetes.io/service-account.name: linkerd-service-mirror-remote-access-default
    linkerd.io/created-by: linkerd/helm linkerdVersionValue
# Explicitly requests a legacy, long-lived service-account token (the kind
# Kubernetes stopped auto-creating in 1.24). It does not expire, and it carries
# the cluster-wide read rights of the `remote-access-default` ClusterRole;
# presumably it is the credential exported to linked clusters.
# NOTE(review): treat it as a shared secret — rotate it on a schedule (delete
# and recreate this Secret, then re-link) and revoke it by deleting the Secret
# if a linked cluster is compromised.
type: kubernetes.io/service-account-token
222---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: linkerd-service-mirror-remote-access-default
  labels:
    linkerd.io/extension: multicluster
  annotations:
    linkerd.io/created-by: linkerd/helm linkerdVersionValue
# Grants the remote-access service account the cluster-wide read role of the
# same name. Cluster scope is presumably required because Services to be
# mirrored may live in any namespace of this cluster.
subjects:
  - kind: ServiceAccount
    name: linkerd-service-mirror-remote-access-default
    namespace: linkerd-multicluster
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: linkerd-service-mirror-remote-access-default
239---
###
### Link CRD
###
# A Link describes one linked (target) cluster as seen by the service-mirror
# running here: how to reach its API server (a credentials Secret), how to
# reach and verify its gateway, and which of its Services to mirror.
# The schema checks types only — there is no pattern/format constraint on the
# address, port or identity fields, so a typo in `gatewayIdentity` is not
# caught at admission.
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  name: links.multicluster.linkerd.io
  labels:
    linkerd.io/extension: multicluster
  annotations:
    linkerd.io/created-by: linkerd/helm linkerdVersionValue
spec:
  group: multicluster.linkerd.io
  versions:
    - name: v1alpha1
      served: true
      storage: true
      schema:
        openAPIV3Schema:
          type: object
          properties:
            spec:
              type: object
              properties:
                # Name of the Secret holding the target cluster's credentials
                # (presumably in this namespace; on the target side this is
                # the remote-access token Secret created by this chart).
                clusterCredentialsSecret:
                  description: Kubernetes secret of target cluster
                  type: string
                gatewayAddress:
                  description: Gateway address of target cluster
                  type: string
                # Mesh identity the target gateway must present; compare the
                # `mirror.linkerd.io/gateway-identity` Service annotation.
                gatewayIdentity:
                  description: Gateway Identity FQDN
                  type: string
                # Stored as a string, not an integer.
                gatewayPort:
                  description: Gateway Port
                  type: string
                probeSpec:
                  description: Spec for gateway health probe
                  type: object
                  properties:
                    path:
                      description: Path of remote gateway health endpoint
                      type: string
                    period:
                      description: Interval in between probe requests
                      type: string
                    port:
                      description: Port of remote gateway health endpoint
                      type: string
                # Which target-cluster Services get mirrored (standard label
                # selector shape).
                selector:
                  description: Kubernetes Label Selector
                  type: object
                  properties:
                    matchLabels:
                      type: object
                      x-kubernetes-preserve-unknown-fields: true
                    matchExpressions:
                      description: List of selector requirements
                      type: array
                      items:
                        description: A selector item requires a key and an operator
                        type: object
                        required:
                          - key
                          - operator
                        properties:
                          key:
                            description: Label key that selector should apply to
                            type: string
                          operator:
                            description: Evaluation of a label in relation to set
                            type: string
                            enum: [In, NotIn, Exists, DoesNotExist]
                          values:
                            type: array
                            items:
                              type: string
                remoteDiscoverySelector:
                  description: Selector for Services to mirror in remote discovery mode
                  type: object
                  properties:
                    matchLabels:
                      type: object
                      x-kubernetes-preserve-unknown-fields: true
                    matchExpressions:
                      description: List of selector requirements
                      type: array
                      items:
                        description: A selector item requires a key and an operator
                        type: object
                        required:
                          - key
                          - operator
                        properties:
                          key:
                            description: Label key that selector should apply to
                            type: string
                          operator:
                            description: Evaluation of a label in relation to set
                            type: string
                            enum: [In, NotIn, Exists, DoesNotExist]
                          values:
                            type: array
                            items:
                              type: string
                targetClusterName:
                  description: Name of target cluster to link to
                  type: string
                targetClusterDomain:
                  description: Domain name of target cluster to link to
                  type: string
                targetClusterLinkerdNamespace:
                  description: Name of namespace Linkerd control plane is installed in on target cluster
                  type: string
  scope: Namespaced
  names:
    plural: links
    singular: link
    kind: Link
359---
apiVersion: policy.linkerd.io/v1beta2
kind: Server
metadata:
  namespace: linkerd-multicluster
  name: service-mirror
  labels:
    linkerd.io/extension: multicluster
    component: linkerd-service-mirror
spec:
  podSelector:
    matchLabels:
      component: linkerd-service-mirror
  # The service-mirror's admin/metrics port, served as plain HTTP/1 behind the
  # proxy. Declaring it as a Server means only clients admitted by the
  # `service-mirror` AuthorizationPolicy can reach it.
  port: admin-http
  proxyProtocol: HTTP/1
374---
apiVersion: policy.linkerd.io/v1alpha1
kind: AuthorizationPolicy
metadata:
  namespace: linkerd-multicluster
  name: service-mirror
  labels:
    linkerd.io/extension: multicluster
    component: linkerd-service-mirror
spec:
  targetRef:
    group: policy.linkerd.io
    kind: Server
    name: service-mirror
  requiredAuthenticationRefs:
    # Only the viz Prometheus may scrape the service-mirror. A ServiceAccount
    # reference is matched on mesh identity, so the scraper must be meshed.
    # `linkerd mc gateways` reads its data through that Prometheus. A separate
    # Prometheus that should also scrape the service-mirror needs its own
    # additional AuthorizationPolicy rather than a widening of this one.
    - kind: ServiceAccount
      name: prometheus
      namespace: linkerd-viz