...
# Namespace that holds the multicluster extension: the gateway, the
# remote-access credential and the Link CRD consumers.
apiVersion: v1
kind: Namespace
metadata:
  name: linkerd-multicluster
  labels:
    linkerd.io/extension: multicluster
    # Pod Security Admission level for every pod in this namespace.
    # `privileged` is the unrestricted level, i.e. PSA enforces nothing here.
    # NOTE(review): presumably needed because the injected proxy-init
    # container requires NET_ADMIN/NET_RAW — confirm, and check whether a
    # stricter level is viable when the Linkerd CNI plugin is in use.
    pod-security.kubernetes.io/enforce: privileged
---
# Multicluster gateway workload. The only declared container is `pause`; the
# gateway function is provided by the Linkerd proxy injected into this pod
# (see the `linkerd.io/inject` annotation on the pod template).
apiVersion: apps/v1
kind: Deployment
metadata:
  annotations:
    # `linkerdVersionValue` is an unrendered template placeholder in this
    # listing; a rendered chart carries the real version string.
    linkerd.io/created-by: linkerd/helm linkerdVersionValue
  labels:
    app.kubernetes.io/name: gateway
    app.kubernetes.io/part-of: Linkerd
    app.kubernetes.io/version: linkerdVersionValue
    component: gateway
    app: linkerd-gateway
    linkerd.io/extension: multicluster
  name: linkerd-gateway
  namespace: linkerd-multicluster
spec:
  replicas: 1
  revisionHistoryLimit: 10
  selector:
    matchLabels:
      app: linkerd-gateway
  template:
    metadata:
      annotations:
        linkerd.io/created-by: linkerd/helm linkerdVersionValue
        # Opt the pod in to proxy injection; the injected proxy is the gateway.
        linkerd.io/inject: enabled
        # Inbound connections on the gateway port (4143, the `mc-gateway` port
        # of the Service below) must present a mesh identity (mTLS).
        config.linkerd.io/proxy-require-identity-inbound-ports: "4143"
        config.linkerd.io/enable-gateway: "true"
        # Fallback inbound policy for ports not covered by a Server resource.
        config.linkerd.io/default-inbound-policy: all-authenticated
        cluster-autoscaler.kubernetes.io/safe-to-evict: "true"
      labels:
        app: linkerd-gateway
        linkerd.io/extension: multicluster
    spec:
      containers:
        - name: pause
          # NOTE(review): gcr.io/google_containers is a legacy registry path
          # (current pause images are published under registry.k8s.io) and the
          # image is pinned by tag only, not by digest — consider updating.
          # No resources (requests/limits) are declared for this container.
          image: gcr.io/google_containers/pause:3.2
          # Hardened container: no privilege escalation, all capabilities
          # dropped, read-only root filesystem, fixed non-root UID/GID and
          # the runtime's default seccomp profile.
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
            readOnlyRootFilesystem: true
            runAsGroup: 2103
            runAsNonRoot: true
            runAsUser: 2103
            seccompProfile:
              type: RuntimeDefault
      # Pod-level seccomp default; containers that set their own profile (as
      # `pause` does above) override it.
      securityContext:
        seccompProfile:
          type: RuntimeDefault
      # The account whose mesh identity the gateway presents; it is the
      # identity advertised via the Service's mirror.linkerd.io/gateway-identity
      # annotation.
      serviceAccountName: linkerd-gateway
---
# Externally reachable entry point for traffic from linked clusters. Both
# ports are served by the injected proxy of the gateway pod selected below.
apiVersion: v1
kind: Service
metadata:
  name: linkerd-gateway
  namespace: linkerd-multicluster
  labels:
    linkerd.io/extension: multicluster
  annotations:
    # Presumably consumed by the linking cluster's service-mirror: the mTLS
    # identity the gateway is expected to present (derived from the
    # `linkerd-gateway` ServiceAccount) and the health-probe settings.
    mirror.linkerd.io/gateway-identity: linkerd-gateway.linkerd-multicluster.serviceaccount.identity.linkerd.cluster.local
    mirror.linkerd.io/probe-period: "3"
    mirror.linkerd.io/probe-path: /ready
    mirror.linkerd.io/multicluster-gateway: "true"
    component: gateway
    linkerd.io/created-by: linkerd/helm linkerdVersionValue
spec:
  ports:
    # Gateway data port; mesh identity is required on it (see the
    # proxy-require-identity-inbound-ports annotation on the Deployment).
    - name: mc-gateway
      port: 4143
      protocol: TCP
    # Probe port polled by the remote cluster at `probe-path`.
    - name: mc-probe
      port: 4191
      protocol: TCP
  selector:
    app: linkerd-gateway
  # NOTE(review): a LoadBalancer is reachable from wherever the provider
  # routes it. When the linked clusters' egress ranges are known, restricting
  # them here with `loadBalancerSourceRanges` (in addition to the
  # NetworkAuthentication below) limits exposure of both ports — confirm the
  # provider honours that field.
  type: LoadBalancer
---
# Identity of the gateway pod. Its mesh identity name
# (linkerd-gateway.linkerd-multicluster.serviceaccount.identity.linkerd.cluster.local)
# is what the gateway Service advertises to linked clusters.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: linkerd-gateway
  namespace: linkerd-multicluster
  labels:
    linkerd.io/extension: multicluster
---
# Server covering the gateway pods' `linkerd-proxy` port. The
# linkerd-gateway AuthorizationPolicy below attaches to this Server; no
# proxyProtocol is declared, unlike the service-mirror Server further down.
apiVersion: policy.linkerd.io/v1beta2
kind: Server
metadata:
  namespace: linkerd-multicluster
  name: linkerd-gateway
  labels:
    linkerd.io/extension: multicluster
    app: linkerd-gateway
  annotations:
    linkerd.io/created-by: linkerd/helm linkerdVersionValue
spec:
  podSelector:
    matchLabels:
      app: linkerd-gateway
  port: linkerd-proxy
---
# Who may reach the gateway's proxy port. Every entry in
# requiredAuthenticationRefs must be satisfied, so a client has to hold a
# mesh identity (any-meshed) AND originate from the networks listed in
# source-cluster.
apiVersion: policy.linkerd.io/v1alpha1
kind: AuthorizationPolicy
metadata:
  namespace: linkerd-multicluster
  name: linkerd-gateway
  labels:
    linkerd.io/extension: multicluster
    app: linkerd-gateway
  annotations:
    linkerd.io/created-by: linkerd/helm linkerdVersionValue
spec:
  targetRef:
    group: policy.linkerd.io
    kind: Server
    name: linkerd-gateway
  requiredAuthenticationRefs:
    - group: policy.linkerd.io
      kind: MeshTLSAuthentication
      name: any-meshed
      namespace: linkerd-multicluster
    - group: policy.linkerd.io
      kind: NetworkAuthentication
      name: source-cluster
      namespace: linkerd-multicluster
---
# Accepts any mesh identity. The wildcard means the gateway does not restrict
# which meshed client may connect; the only source restriction comes from the
# NetworkAuthentication referenced alongside this in the linkerd-gateway
# AuthorizationPolicy.
apiVersion: policy.linkerd.io/v1alpha1
kind: MeshTLSAuthentication
metadata:
  namespace: linkerd-multicluster
  name: any-meshed
  labels:
    linkerd.io/extension: multicluster
    app: linkerd-gateway
  annotations:
    linkerd.io/created-by: linkerd/helm linkerdVersionValue
spec:
  identities:
    - '*'
---
# Source networks allowed to reach the gateway (ANDed with any-meshed in the
# linkerd-gateway AuthorizationPolicy).
apiVersion: policy.linkerd.io/v1alpha1
kind: NetworkAuthentication
metadata:
  namespace: linkerd-multicluster
  name: source-cluster
  labels:
    linkerd.io/extension: multicluster
    app: linkerd-gateway
  annotations:
    linkerd.io/created-by: linkerd/helm linkerdVersionValue
spec:
  networks:
    # Change this to the source cluster cidrs pointing to this gateway.
    # Note that the source IP in some providers (e.g. GKE) will be the local
    # node's IP and not the source cluster's
    # As shipped, every IPv4 and IPv6 source matches, so this resource adds
    # no restriction and the gateway policy reduces to "any meshed identity".
    # NOTE(review): where the observed source is a node IP (the GKE case
    # above), `externalTrafficPolicy: Local` on the gateway Service usually
    # preserves the client address — confirm for the provider before relying
    # on CIDR restrictions here.
    - cidr: "0.0.0.0/0"
    - cidr: "::/0"
---
# Grants `use` of one PodSecurityPolicy to this namespace's workloads.
# NOTE(review): PodSecurityPolicy was removed in Kubernetes 1.25; on newer
# clusters this Role and its binding are inert and the namespace's
# pod-security.kubernetes.io/enforce label governs instead.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: psp
  namespace: linkerd-multicluster
  labels:
    linkerd.io/extension: multicluster
rules:
  - apiGroups:
      - policy
      - extensions
    resources:
      - podsecuritypolicies
    verbs:
      - use
    # The PSP itself is not part of this listing; presumably created by the
    # core control-plane install — verify.
    resourceNames:
      - linkerd-linkerd-control-plane
---
# Binds the psp Role to the service accounts that run pods in this namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: linkerd-multicluster-psp
  namespace: linkerd-multicluster
  labels:
    linkerd.io/extension: multicluster
    # A label named `namespace`, not the object's namespace field (that is
    # set under metadata above).
    namespace: linkerd-multicluster
roleRef:
  kind: Role
  name: psp
  apiGroup: rbac.authorization.k8s.io
subjects:
  - kind: ServiceAccount
    name: linkerd-gateway
    namespace: linkerd-multicluster
  # Not defined in this listing; presumably the account of an install-time
  # namespace-metadata job — verify it exists before relying on this binding.
  - kind: ServiceAccount
    name: namespace-metadata
    namespace: linkerd-multicluster
---
# Permissions handed to a linking cluster's service-mirror via the token
# Secret below. Cluster-wide read access to workloads, services, endpoints
# and Servers; `get` on configmaps is narrowed by resourceNames to
# linkerd-config; creating/patching events is the only write.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: linkerd-service-mirror-remote-access-default
  labels:
    linkerd.io/extension: multicluster
  annotations:
    linkerd.io/created-by: linkerd/helm linkerdVersionValue
rules:
  - apiGroups:
      - apps
    resources:
      - replicasets
    verbs:
      - list
      - get
      - watch
  - apiGroups:
      - batch
    resources:
      - jobs
    verbs:
      - list
      - get
      - watch
  - apiGroups:
      - ""
    resources:
      - pods
      - endpoints
      - services
    verbs:
      - list
      - get
      - watch
  - apiGroups:
      - discovery.k8s.io
    resources:
      - endpointslices
    verbs:
      - list
      - get
      - watch
  - apiGroups:
      - policy.linkerd.io
    resources:
      - servers
    verbs:
      - list
      - get
      - watch
  - apiGroups:
      - ""
    resources:
      - configmaps
    verbs:
      - get
    resourceNames:
      - linkerd-config
  - apiGroups:
      - ""
    resources:
      - events
    verbs:
      - create
      - patch
---
# Account whose token is exported to linking clusters; its permissions are
# the ClusterRole of the same name, bound by the ClusterRoleBinding below.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: linkerd-service-mirror-remote-access-default
  namespace: linkerd-multicluster
  labels:
    linkerd.io/extension: multicluster
  annotations:
    linkerd.io/created-by: linkerd/helm linkerdVersionValue
---
# Token Secret for the remote-access ServiceAccount. With type
# kubernetes.io/service-account-token the control plane populates a legacy,
# non-expiring bearer token for the account named in the
# `kubernetes.io/service-account.name` annotation.
# NOTE(review): this token is presumably the credential exported to linked
# clusters (the Link CRD's clusterCredentialsSecret). Treat it as a long-lived
# secret: deleting this Secret revokes it, re-creating it issues a new one.
apiVersion: v1
kind: Secret
metadata:
  name: linkerd-service-mirror-remote-access-default-token
  namespace: linkerd-multicluster
  labels:
    linkerd.io/extension: multicluster
  annotations:
    kubernetes.io/service-account.name: linkerd-service-mirror-remote-access-default
    linkerd.io/created-by: linkerd/helm linkerdVersionValue
type: kubernetes.io/service-account-token
---
# Binds the remote-access ClusterRole to its ServiceAccount cluster-wide.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: linkerd-service-mirror-remote-access-default
  labels:
    linkerd.io/extension: multicluster
  annotations:
    linkerd.io/created-by: linkerd/helm linkerdVersionValue
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: linkerd-service-mirror-remote-access-default
subjects:
  - kind: ServiceAccount
    name: linkerd-service-mirror-remote-access-default
    namespace: linkerd-multicluster
---
###
### Link CRD
###
# Schema for Link objects, which describe a remote cluster to mirror from.
# No field is marked `required` at the spec level, so presence of any field
# is only checked by the consuming controller, if at all. Ports and the probe
# period are typed as strings, not integers.
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  name: links.multicluster.linkerd.io
  labels:
    linkerd.io/extension: multicluster
  annotations:
    linkerd.io/created-by: linkerd/helm linkerdVersionValue
spec:
  group: multicluster.linkerd.io
  versions:
    - name: v1alpha1
      served: true
      storage: true
      schema:
        openAPIV3Schema:
          type: object
          properties:
            spec:
              type: object
              properties:
                # Name of a Secret holding credentials for the target
                # cluster's API — the sensitive part of a Link.
                clusterCredentialsSecret:
                  description: Kubernetes secret of target cluster
                  type: string
                gatewayAddress:
                  description: Gateway address of target cluster
                  type: string
                # Identity the target gateway is expected to present; cf. the
                # mirror.linkerd.io/gateway-identity annotation on the
                # gateway Service.
                gatewayIdentity:
                  description: Gateway Identity FQDN
                  type: string
                gatewayPort:
                  description: Gateway Port
                  type: string
                probeSpec:
                  description: Spec for gateway health probe
                  type: object
                  properties:
                    path:
                      description: Path of remote gateway health endpoint
                      type: string
                    period:
                      description: Interval in between probe requests
                      type: string
                    port:
                      description: Port of remote gateway health endpoint
                      type: string
                selector:
                  description: Kubernetes Label Selector
                  type: object
                  properties:
                    # Arbitrary label keys are accepted here.
                    matchLabels:
                      type: object
                      x-kubernetes-preserve-unknown-fields: true
                    matchExpressions:
                      description: List of selector requirements
                      type: array
                      items:
                        description: A selector item requires a key and an operator
                        type: object
                        required:
                          - key
                          - operator
                        properties:
                          key:
                            description: Label key that selector should apply to
                            type: string
                          operator:
                            description: Evaluation of a label in relation to set
                            type: string
                            enum: [In, NotIn, Exists, DoesNotExist]
                          values:
                            type: array
                            items:
                              type: string
                # Same shape as `selector`, applied to Services mirrored in
                # remote discovery mode.
                remoteDiscoverySelector:
                  description: Selector for Services to mirror in remote discovery mode
                  type: object
                  properties:
                    matchLabels:
                      type: object
                      x-kubernetes-preserve-unknown-fields: true
                    matchExpressions:
                      description: List of selector requirements
                      type: array
                      items:
                        description: A selector item requires a key and an operator
                        type: object
                        required:
                          - key
                          - operator
                        properties:
                          key:
                            description: Label key that selector should apply to
                            type: string
                          operator:
                            description: Evaluation of a label in relation to set
                            type: string
                            enum: [In, NotIn, Exists, DoesNotExist]
                          values:
                            type: array
                            items:
                              type: string
                targetClusterName:
                  description: Name of target cluster to link to
                  type: string
                targetClusterDomain:
                  description: Domain name of target cluster to link to
                  type: string
                targetClusterLinkerdNamespace:
                  description: Name of namespace Linkerd control plane is installed in on target cluster
                  type: string
  scope: Namespaced
  names:
    plural: links
    singular: link
    kind: Link
---
# Server for the service-mirror pods' `admin-http` port (HTTP/1); the
# service-mirror AuthorizationPolicy below attaches to it.
apiVersion: policy.linkerd.io/v1beta2
kind: Server
metadata:
  namespace: linkerd-multicluster
  name: service-mirror
  labels:
    linkerd.io/extension: multicluster
    component: linkerd-service-mirror
spec:
  podSelector:
    matchLabels:
      component: linkerd-service-mirror
  port: admin-http
  proxyProtocol: HTTP/1
---
# Restricts the service-mirror admin port to one caller. A ServiceAccount
# reference here means the client must present that account's mesh identity;
# no NetworkAuthentication is required for this Server.
apiVersion: policy.linkerd.io/v1alpha1
kind: AuthorizationPolicy
metadata:
  namespace: linkerd-multicluster
  name: service-mirror
  labels:
    linkerd.io/extension: multicluster
    component: linkerd-service-mirror
spec:
  targetRef:
    group: policy.linkerd.io
    kind: Server
    name: service-mirror
  requiredAuthenticationRefs:
    # In order to use `linkerd mc gateways` you need viz' Prometheus instance
    # to be able to reach the service-mirror. In order to also have a separate
    # Prometheus scrape the service-mirror an additional AuthorizationPolicy
    # resource should be created.
    - kind: ServiceAccount
      name: prometheus
      namespace: linkerd-viz
---