1kind: ClusterRole
2apiVersion: rbac.authorization.k8s.io/v1
3metadata:
4 name: linkerd-service-mirror-access-local-resources-test-cluster
5 labels:
6 linkerd.io/extension: multicluster
7 component: service-mirror
8 mirror.linkerd.io/cluster-name: test-cluster
9rules:
10- apiGroups: [""]
11 resources: ["endpoints", "services"]
12 verbs: ["list", "get", "watch", "create", "delete", "update"]
13- apiGroups: [""]
14 resources: ["namespaces"]
15 verbs: ["list", "get", "watch"]
16---
17kind: ClusterRoleBinding
18apiVersion: rbac.authorization.k8s.io/v1
19metadata:
20 name: linkerd-service-mirror-access-local-resources-test-cluster
21 labels:
22 linkerd.io/extension: multicluster
23 component: service-mirror
24 mirror.linkerd.io/cluster-name: test-cluster
25roleRef:
26 apiGroup: rbac.authorization.k8s.io
27 kind: ClusterRole
28 name: linkerd-service-mirror-access-local-resources-test-cluster
29subjects:
30- kind: ServiceAccount
31 name: linkerd-service-mirror-test-cluster
32 namespace: test
33---
34kind: Role
35apiVersion: rbac.authorization.k8s.io/v1
36metadata:
37 name: linkerd-service-mirror-read-remote-creds-test-cluster
38 namespace: test
39 labels:
40 linkerd.io/extension: multicluster
41 component: service-mirror
42 mirror.linkerd.io/cluster-name: test-cluster
43rules:
44 - apiGroups: [""]
45 resources: ["secrets"]
46 resourceNames: ["cluster-credentials-test-cluster"]
47 verbs: ["list", "get", "watch"]
48 - apiGroups: ["multicluster.linkerd.io"]
49 resources: ["links"]
50 verbs: ["list", "get", "watch"]
51 - apiGroups: ["coordination.k8s.io"]
52 resources: ["leases"]
53 verbs: ["create", "get", "update", "patch"]
54---
55kind: RoleBinding
56apiVersion: rbac.authorization.k8s.io/v1
57metadata:
58 name: linkerd-service-mirror-read-remote-creds-test-cluster
59 namespace: test
60 labels:
61 linkerd.io/extension: multicluster
62 component: service-mirror
63 mirror.linkerd.io/cluster-name: test-cluster
64roleRef:
65 apiGroup: rbac.authorization.k8s.io
66 kind: Role
67 name: linkerd-service-mirror-read-remote-creds-test-cluster
68subjects:
69 - kind: ServiceAccount
70 name: linkerd-service-mirror-test-cluster
71 namespace: test
72---
73kind: ServiceAccount
74apiVersion: v1
75metadata:
76 name: linkerd-service-mirror-test-cluster
77 namespace: test
78 labels:
79 linkerd.io/extension: multicluster
80 component: service-mirror
81 mirror.linkerd.io/cluster-name: test-cluster
82---
83apiVersion: apps/v1
84kind: Deployment
85metadata:
86 labels:
87 linkerd.io/extension: multicluster
88 component: service-mirror
89 mirror.linkerd.io/cluster-name: test-cluster
90 name: linkerd-service-mirror-test-cluster
91 namespace: test
92spec:
93 replicas: 1
94 revisionHistoryLimit: 10
95 selector:
96 matchLabels:
97 component: linkerd-service-mirror
98 mirror.linkerd.io/cluster-name: test-cluster
99 template:
100 metadata:
101 annotations:
102 linkerd.io/inject: enabled
103 cluster-autoscaler.kubernetes.io/safe-to-evict: "true"
104 config.alpha.linkerd.io/proxy-wait-before-exit-seconds: "0"
105 labels:
106 linkerd.io/extension: multicluster
107 component: linkerd-service-mirror
108 mirror.linkerd.io/cluster-name: test-cluster
109 spec:
110 containers:
111 - args:
112 - service-mirror
113 - -log-level=info
114 - -log-format=plain
115 - -event-requeue-limit=3
116 - -namespace=test
117 - -enable-pprof=false
118 - test-cluster
119 image: cr.l5d.io/linkerd/controller:dev-undefined
120 name: service-mirror
121 securityContext:
122 allowPrivilegeEscalation: false
123 capabilities:
124 drop:
125 - ALL
126 readOnlyRootFilesystem: true
127 runAsGroup: 2103
128 runAsNonRoot: true
129 runAsUser: 2103
130 seccompProfile:
131 type: RuntimeDefault
132 ports:
133 - containerPort: 9999
134 name: admin-http
135 securityContext:
136 seccompProfile:
137 type: RuntimeDefault
138 serviceAccountName: linkerd-service-mirror-test-cluster
139---
140apiVersion: v1
141kind: Service
142metadata:
143 name: probe-gateway-test-cluster
144 namespace: test
145 labels:
146 linkerd.io/extension: multicluster
147 mirror.linkerd.io/mirrored-gateway: "true"
148 mirror.linkerd.io/cluster-name: test-cluster
149spec:
150 ports:
151 - name: mc-probe
152 port: 4191
153 protocol: TCP
View as plain text