# Namespace that holds the Linkerd multicluster extension: the gateway, the
# credentials exported to remote clusters, and the Link CRD.
# (`linkerdVersionValue` below is a rendering placeholder, presumably replaced
# with the real chart version at install time.)
kind: Namespace
apiVersion: v1
metadata:
  name: linkerd-multicluster
  labels:
    linkerd.io/extension: multicluster
    # Pod Security Admission is effectively switched off for this namespace.
    # NOTE(review): the only workload defined in this file (the gateway's
    # pause container) already satisfies the `restricted` profile on its own;
    # `privileged` is presumably needed for the injected proxy-init
    # (NET_ADMIN/NET_RAW) -- confirm, and consider `restricted` when the
    # Linkerd CNI plugin is in use so the namespace is not a blanket opt-out.
    pod-security.kubernetes.io/enforce: privileged
---
# Multicluster gateway. The only container is `pause`; it exists so that the
# injected Linkerd proxy has a pod to run in. All traffic handling (mTLS
# termination from remote clusters, forwarding to local services) is done by
# the proxy sidecar added at admission time.
apiVersion: apps/v1
kind: Deployment
metadata:
  annotations:
    linkerd.io/created-by: linkerd/helm linkerdVersionValue
  labels:
    app.kubernetes.io/name: gateway
    app.kubernetes.io/part-of: Linkerd
    app.kubernetes.io/version: linkerdVersionValue
    component: gateway
    app: linkerd-gateway
    linkerd.io/extension: multicluster
  name: linkerd-gateway
  namespace: linkerd-multicluster
spec:
  replicas: 3
  revisionHistoryLimit: 10
  selector:
    matchLabels:
      app: linkerd-gateway
  strategy:
    rollingUpdate:
      maxUnavailable: 1
  template:
    metadata:
      annotations:
        linkerd.io/created-by: linkerd/helm linkerdVersionValue
        # Proxy sidecar injection is mandatory here: without it the pod is
        # just a pause container and nothing listens on the gateway ports.
        linkerd.io/inject: enabled
        # Port 4143 is the data port published by the LoadBalancer Service
        # below. Inbound connections on it must carry a mesh identity, i.e.
        # the internet-facing port has no plaintext fallback.
        config.linkerd.io/proxy-require-identity-inbound-ports: "4143"
        # Marks this proxy as a multicluster gateway.
        config.linkerd.io/enable-gateway: "true"
        # Default for inbound ports not covered by a Server resource: only
        # meshed (mTLS) clients are accepted.
        config.linkerd.io/default-inbound-policy: all-authenticated
        cluster-autoscaler.kubernetes.io/safe-to-evict: "true"
      labels:
        app: linkerd-gateway
        linkerd.io/extension: multicluster
    spec:
      affinity:
        podAntiAffinity:
          # Prefer spreading the replicas across zones ...
          preferredDuringSchedulingIgnoredDuringExecution:
            - podAffinityTerm:
                labelSelector:
                  matchExpressions:
                    - key: app
                      operator: In
                      values:
                        - linkerd-gateway
                topologyKey: topology.kubernetes.io/zone
              weight: 100
          # ... and never place two gateway replicas on the same node.
          requiredDuringSchedulingIgnoredDuringExecution:
            - labelSelector:
                matchExpressions:
                  - key: app
                    operator: In
                    values:
                      - linkerd-gateway
              topologyKey: kubernetes.io/hostname
      containers:
        - name: pause
          # NOTE(review): tag-only reference on the legacy
          # gcr.io/google_containers path. Pin by digest (`image@sha256:...`)
          # and prefer registry.k8s.io so the image cannot change underneath
          # an internet-facing pod.
          image: gcr.io/google_containers/pause:3.2
          # Container hardening: no privilege escalation, all capabilities
          # dropped, read-only root, non-root UID/GID, default seccomp. This
          # meets the Pod Security `restricted` profile for this container.
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
            readOnlyRootFilesystem: true
            runAsGroup: 2103
            runAsNonRoot: true
            runAsUser: 2103
            seccompProfile:
              type: RuntimeDefault
      securityContext:
        seccompProfile:
          type: RuntimeDefault
      # Dedicated service account. The gateway's mesh identity is derived from
      # it (see the gateway-identity annotation on the Service below).
      serviceAccountName: linkerd-gateway
---
# Allow at most one of the three gateway replicas to be down during voluntary
# disruptions (node drains, upgrades). Every mirrored service in remote
# clusters routes through this gateway, so losing it is a multi-cluster outage.
kind: PodDisruptionBudget
apiVersion: policy/v1
metadata:
  name: linkerd-gateway
  namespace: linkerd-multicluster
  labels:
    app: linkerd-gateway
    linkerd.io/extension: multicluster
  annotations:
    linkerd.io/created-by: linkerd/helm linkerdVersionValue
spec:
  maxUnavailable: 1
  selector:
    matchLabels:
      app: linkerd-gateway
---
# Externally reachable entry point for the gateway. The `mirror.linkerd.io/*`
# annotations are presumably what a remote cluster reads when it creates its
# Link resource (the Link CRD below carries matching gatewayIdentity and
# probeSpec fields).
apiVersion: v1
kind: Service
metadata:
  name: linkerd-gateway
  namespace: linkerd-multicluster
  labels:
    linkerd.io/extension: multicluster
  annotations:
    # Identity a remote cluster expects on the gateway's certificate; it is
    # the mesh identity of the `linkerd-gateway` service account in this
    # namespace.
    mirror.linkerd.io/gateway-identity: linkerd-gateway.linkerd-multicluster.serviceaccount.identity.linkerd.cluster.local
    # Probe interval (presumably seconds); kept quoted so it stays a string.
    mirror.linkerd.io/probe-period: "3"
    mirror.linkerd.io/probe-path: /ready
    mirror.linkerd.io/multicluster-gateway: "true"
    component: gateway
    linkerd.io/created-by: linkerd/helm linkerdVersionValue
spec:
  ports:
    # Data port. mTLS is mandatory on it (see
    # proxy-require-identity-inbound-ports on the Deployment).
    - name: mc-gateway
      port: 4143
      protocol: TCP
    # Health-probe port hit by the remote service-mirror at probe-path /ready.
    # NOTE(review): this is the proxy admin port; confirm that nothing other
    # than the probe path is reachable unauthenticated through it.
    - name: mc-probe
      port: 4191
      protocol: TCP
  selector:
    app: linkerd-gateway
  # NOTE(review): a public LoadBalancer with no `loadBalancerSourceRanges`.
  # The NetworkAuthentication below ships as 0.0.0.0/0 and ::/0, so today the
  # mTLS identity check is the only gate. Two fixes worth applying together:
  #   externalTrafficPolicy: Local   # keep the client source IP instead of
  #                                  # SNAT to the node IP (verify on your provider)
  #   loadBalancerSourceRanges: [...] # source-cluster egress CIDRs
  # Without the first, a CIDR allowlist in NetworkAuthentication sees node IPs.
  type: LoadBalancer
---
# Service account the gateway pod runs as. Its only RBAC grant in this file is
# `use` on a PodSecurityPolicy (the `psp` Role below); its real purpose is to
# anchor the gateway's mesh identity that remote clusters pin.
# NOTE(review): the pause container does not use the Kubernetes API, so
# `automountServiceAccountToken: false` on the pod would be a cheap
# hardening -- confirm first that the injected proxy does not rely on the
# default token mount.
kind: ServiceAccount
apiVersion: v1
metadata:
  name: linkerd-gateway
  namespace: linkerd-multicluster
  labels:
    linkerd.io/extension: multicluster
---
# Linkerd policy Server describing the gateway's inbound proxy port. The
# AuthorizationPolicy of the same name attaches to this resource.
apiVersion: policy.linkerd.io/v1beta2
kind: Server
metadata:
  namespace: linkerd-multicluster
  name: linkerd-gateway
  labels:
    linkerd.io/extension: multicluster
    app: linkerd-gateway
  annotations:
    linkerd.io/created-by: linkerd/helm linkerdVersionValue
spec:
  podSelector:
    matchLabels:
      app: linkerd-gateway
  # Named port of the injected proxy container -- the inbound data port that
  # the Service above publishes as 4143.
  port: linkerd-proxy
---
# Who may connect to the gateway's proxy port. Every entry in
# requiredAuthenticationRefs must be satisfied at once (logical AND): the
# client must present a mesh identity AND arrive from an allowed network.
# With the shipped defaults (`*` identities, 0.0.0.0/0 networks) this reduces
# to "any meshed client from anywhere".
apiVersion: policy.linkerd.io/v1alpha1
kind: AuthorizationPolicy
metadata:
  namespace: linkerd-multicluster
  name: linkerd-gateway
  labels:
    linkerd.io/extension: multicluster
    app: linkerd-gateway
  annotations:
    linkerd.io/created-by: linkerd/helm linkerdVersionValue
spec:
  targetRef:
    group: policy.linkerd.io
    kind: Server
    name: linkerd-gateway
  requiredAuthenticationRefs:
    # mTLS requirement: client identity must match `any-meshed` (below).
    - group: policy.linkerd.io
      kind: MeshTLSAuthentication
      name: any-meshed
      namespace: linkerd-multicluster
    # Network requirement: client source IP must fall in `source-cluster`
    # (below). Edit that resource to actually restrict access.
    - group: policy.linkerd.io
      kind: NetworkAuthentication
      name: source-cluster
      namespace: linkerd-multicluster
---
# Accepts any mesh identity. Linked clusters share the trust anchor, so this
# is every meshed workload in every linked cluster, plus this cluster's own.
# NOTE(review): traffic through the gateway appears to carry the identity of
# the originating workload in the source cluster (not of the service-mirror),
# so tightening this list means enumerating those workload identities -- and
# remote identities use the remote cluster's trust domain suffix. Confirm
# before narrowing.
apiVersion: policy.linkerd.io/v1alpha1
kind: MeshTLSAuthentication
metadata:
  namespace: linkerd-multicluster
  name: any-meshed
  labels:
    linkerd.io/extension: multicluster
    app: linkerd-gateway
  annotations:
    linkerd.io/created-by: linkerd/helm linkerdVersionValue
spec:
  identities:
    # `*` alone matches every meshed client.
    - '*'
---
# Source networks allowed to reach the gateway. The shipped default admits all
# of IPv4 and IPv6, so until it is edited it adds no restriction on top of the
# mTLS check in `any-meshed`.
apiVersion: policy.linkerd.io/v1alpha1
kind: NetworkAuthentication
metadata:
  namespace: linkerd-multicluster
  name: source-cluster
  labels:
    linkerd.io/extension: multicluster
    app: linkerd-gateway
  annotations:
    linkerd.io/created-by: linkerd/helm linkerdVersionValue
spec:
  networks:
    # Change this to the source cluster CIDRs (their egress addresses) that
    # reach this gateway.
    # Note that the source IP seen here on some providers (e.g. GKE) will be
    # the local node's IP and not the source cluster's: the LoadBalancer
    # Service's default `externalTrafficPolicy: Cluster` SNATs the client.
    # Set `externalTrafficPolicy: Local` on the gateway Service (and verify
    # with your provider) before relying on a CIDR allowlist here; otherwise
    # a tightened list will block legitimate traffic or admit node IPs.
    - cidr: "0.0.0.0/0"
    - cidr: "::/0"
---
# Legacy PodSecurityPolicy grant.
# NOTE(review): PodSecurityPolicy was removed in Kubernetes 1.25; on current
# clusters this Role grants `use` on a resource kind that no longer exists and
# is dead weight. It also depends by name on a PSP presumably created by the
# core Linkerd chart (`linkerd-linkerd-control-plane`), which is not defined
# in this file.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: psp
  namespace: linkerd-multicluster
  labels:
    linkerd.io/extension: multicluster
rules:
  - apiGroups: ['policy', 'extensions']
    resources: ['podsecuritypolicies']
    verbs: ['use']
    resourceNames:
      - linkerd-linkerd-control-plane
---
# Binds the `psp` Role to the service accounts that run pods in this
# namespace. Only meaningful on clusters that still have PodSecurityPolicy.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: linkerd-multicluster-psp
  namespace: linkerd-multicluster
  labels:
    linkerd.io/extension: multicluster
    namespace: linkerd-multicluster
roleRef:
  kind: Role
  name: psp
  apiGroup: rbac.authorization.k8s.io
subjects:
  - kind: ServiceAccount
    name: linkerd-gateway
    namespace: linkerd-multicluster
  # NOTE(review): `namespace-metadata` is not defined in this file;
  # presumably a chart hook account created elsewhere.
  - kind: ServiceAccount
    name: namespace-metadata
    namespace: linkerd-multicluster
---
# Permissions handed to *other* clusters: the token of the service account
# bound to this ClusterRole (Secret below) is what a remote service-mirror
# uses to watch this cluster. Everything here is cluster-wide.
# NOTE(review): cluster-wide `list`/`get`/`watch` on pods exposes full pod
# specs (env vars, annotations) to whoever holds the exported token; the
# grants are read-only apart from events. Keep this list minimal and review
# whether pods/replicasets/jobs are all required by your Linkerd version.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: linkerd-service-mirror-remote-access-default
  labels:
    linkerd.io/extension: multicluster
  annotations:
    linkerd.io/created-by: linkerd/helm linkerdVersionValue
rules:
  - apiGroups: ["apps"]
    resources: ["replicasets"]
    verbs: ["list", "get", "watch"]
  - apiGroups: ["batch"]
    resources: ["jobs"]
    verbs: ["list", "get", "watch"]
  # Core discovery data that is mirrored: services and their endpoints.
  - apiGroups: [""]
    resources: ["pods", "endpoints", "services"]
    verbs: ["list", "get", "watch"]
  - apiGroups: ["discovery.k8s.io"]
    resources: ["endpointslices"]
    verbs: ["list", "get", "watch"]
  - apiGroups: ["policy.linkerd.io"]
    resources: ["servers"]
    verbs: ["list", "get", "watch"]
  # Read access is limited to the single control-plane config map by name.
  - apiGroups: [""]
    resources: ["configmaps"]
    verbs: ["get"]
    resourceNames: ["linkerd-config"]
  # The only write grant: presumably for status events posted by the mirror.
  - apiGroups: [""]
    resources: ["events"]
    verbs: ["create", "patch"]
---
# Service account whose credentials are exported to remote clusters so their
# service-mirror can watch this cluster. It runs no pods here; it exists only
# as the subject of the ClusterRoleBinding and the owner of the token Secret.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: linkerd-service-mirror-remote-access-default
  namespace: linkerd-multicluster
  labels:
    linkerd.io/extension: multicluster
  annotations:
    linkerd.io/created-by: linkerd/helm linkerdVersionValue
---
# Explicitly created, non-expiring service-account token. This is the
# credential that leaves the cluster: it is packaged into the kubeconfig a
# remote cluster stores (see `clusterCredentialsSecret` in the Link CRD).
# NOTE(review): a long-lived bearer token with cluster-wide read over pods,
# services and endpoints. Treat the Secret in the remote cluster as
# production-sensitive, restrict who can read it there, and rotate by
# deleting and recreating this Secret (then re-linking) -- there is no
# automatic expiry.
apiVersion: v1
kind: Secret
metadata:
  name: linkerd-service-mirror-remote-access-default-token
  namespace: linkerd-multicluster
  labels:
    linkerd.io/extension: multicluster
  annotations:
    # Ties the token to the service account defined above.
    kubernetes.io/service-account.name: linkerd-service-mirror-remote-access-default
    linkerd.io/created-by: linkerd/helm linkerdVersionValue
type: kubernetes.io/service-account-token
---
# Grants the exported service account the cluster-wide read permissions
# defined in the ClusterRole of the same name.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: linkerd-service-mirror-remote-access-default
  labels:
    linkerd.io/extension: multicluster
  annotations:
    linkerd.io/created-by: linkerd/helm linkerdVersionValue
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: linkerd-service-mirror-remote-access-default
subjects:
  - kind: ServiceAccount
    name: linkerd-service-mirror-remote-access-default
    namespace: linkerd-multicluster
---
###
### Link CRD
###
# A Link describes one remote ("target") cluster from the point of view of
# the cluster that mirrors its services: how to authenticate to its API, where
# its gateway is, which identity the gateway must present, and which services
# to mirror. All fields are plain strings; none carry a format or pattern, so
# malformed addresses, ports or selectors are only caught at runtime.
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  name: links.multicluster.linkerd.io
  labels:
    linkerd.io/extension: multicluster
  annotations:
    linkerd.io/created-by: linkerd/helm linkerdVersionValue
spec:
  group: multicluster.linkerd.io
  versions:
    - name: v1alpha1
      served: true
      storage: true
      schema:
        openAPIV3Schema:
          type: object
          properties:
            spec:
              type: object
              properties:
                # Name of the Secret (in this namespace) holding the target
                # cluster's credentials -- presumably the kubeconfig built
                # from the remote-access token Secret exported by the target.
                clusterCredentialsSecret:
                  description: Kubernetes secret of target cluster
                  type: string
                gatewayAddress:
                  description: Gateway address of target cluster
                  type: string
                # Mesh identity the target gateway is expected to present
                # (matches the gateway-identity Service annotation).
                gatewayIdentity:
                  description: Gateway Identity FQDN
                  type: string
                # NOTE(review): string, not integer -- no range validation.
                gatewayPort:
                  description: Gateway Port
                  type: string
                # Mirrors the mirror.linkerd.io/probe-* Service annotations.
                probeSpec:
                  description: Spec for gateway health probe
                  type: object
                  properties:
                    path:
                      description: Path of remote gateway health endpoint
                      type: string
                    period:
                      description: Interval in between probe requests
                      type: string
                    port:
                      description: Port of remote gateway health endpoint
                      type: string
                # Label selector for the target-cluster Services to mirror.
                selector:
                  description: Kubernetes Label Selector
                  type: object
                  properties:
                    # Arbitrary label keys, hence unknown fields preserved.
                    matchLabels:
                      type: object
                      x-kubernetes-preserve-unknown-fields: true
                    matchExpressions:
                      description: List of selector requirements
                      type: array
                      items:
                        description: A selector item requires a key and an operator
                        type: object
                        required:
                          - key
                          - operator
                        properties:
                          key:
                            description: Label key that selector should apply to
                            type: string
                          operator:
                            description: Evaluation of a label in relation to set
                            type: string
                            enum: [In, NotIn, Exists, DoesNotExist]
                          values:
                            type: array
                            items:
                              type: string
                # Same selector shape, for services mirrored in remote
                # discovery mode.
                remoteDiscoverySelector:
                  description: Selector for Services to mirror in remote discovery mode
                  type: object
                  properties:
                    matchLabels:
                      type: object
                      x-kubernetes-preserve-unknown-fields: true
                    matchExpressions:
                      description: List of selector requirements
                      type: array
                      items:
                        description: A selector item requires a key and an operator
                        type: object
                        required:
                          - key
                          - operator
                        properties:
                          key:
                            description: Label key that selector should apply to
                            type: string
                          operator:
                            description: Evaluation of a label in relation to set
                            type: string
                            enum: [In, NotIn, Exists, DoesNotExist]
                          values:
                            type: array
                            items:
                              type: string
                targetClusterName:
                  description: Name of target cluster to link to
                  type: string
                targetClusterDomain:
                  description: Domain name of target cluster to link to
                  type: string
                targetClusterLinkerdNamespace:
                  description: Name of namespace Linkerd control plane is installed in on target cluster
                  type: string
  scope: Namespaced
  names:
    plural: links
    singular: link
    kind: Link
---
# Policy Server for the service-mirror's admin (metrics) endpoint. The
# service-mirror pods themselves are not defined in this file; they are
# presumably created per Link, labelled `component: linkerd-service-mirror`.
apiVersion: policy.linkerd.io/v1beta2
kind: Server
metadata:
  namespace: linkerd-multicluster
  name: service-mirror
  labels:
    linkerd.io/extension: multicluster
    component: linkerd-service-mirror
spec:
  podSelector:
    matchLabels:
      component: linkerd-service-mirror
  port: admin-http
  # Declaring the protocol lets the proxy skip detection on this port.
  proxyProtocol: HTTP/1
---
# Restricts the service-mirror admin port to a single mesh identity: the viz
# extension's Prometheus service account. Anything else is denied, including
# other in-cluster scrapers.
apiVersion: policy.linkerd.io/v1alpha1
kind: AuthorizationPolicy
metadata:
  namespace: linkerd-multicluster
  name: service-mirror
  labels:
    linkerd.io/extension: multicluster
    component: linkerd-service-mirror
spec:
  targetRef:
    group: policy.linkerd.io
    kind: Server
    name: service-mirror
  requiredAuthenticationRefs:
    # In order to use `linkerd mc gateways` you need viz' Prometheus instance
    # to be able to reach the service-mirror. To let a separate Prometheus
    # scrape the service-mirror as well, create an additional
    # AuthorizationPolicy for its service account rather than widening this one.
    # (A bare ServiceAccount ref -- no group -- means the core API group.)
    - kind: ServiceAccount
      name: prometheus
      namespace: linkerd-viz
---