1---
2apiVersion: policy.linkerd.io/v1beta2
3kind: Server
4metadata:
5 namespace: {{ .Release.Namespace }}
6 name: tap-injector-webhook
7 labels:
8 linkerd.io/extension: viz
9 component: tap-injector
10 {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }}
11 annotations:
12 {{ include "partials.annotations.created-by" . }}
13spec:
14 podSelector:
15 matchLabels:
16 linkerd.io/extension: viz
17 component: tap-injector
18 port: tap-injector
19 proxyProtocol: TLS
20---
21apiVersion: policy.linkerd.io/v1alpha1
22kind: AuthorizationPolicy
23metadata:
24 namespace: {{ .Release.Namespace }}
25 name: tap-injector
26 labels:
27 linkerd.io/extension: viz
28 component: tap-injector
29 {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }}
30 annotations:
31 {{ include "partials.annotations.created-by" . }}
32spec:
33 targetRef:
34 group: policy.linkerd.io
35 kind: Server
36 name: tap-injector-webhook
37 requiredAuthenticationRefs:
38 - group: policy.linkerd.io
39 kind: NetworkAuthentication
40 name: kube-api-server
41---
42apiVersion: policy.linkerd.io/v1alpha1
43kind: NetworkAuthentication
44metadata:
45 namespace: {{ .Release.Namespace }}
46 name: kube-api-server
47 labels:
48 linkerd.io/extension: viz
49 {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }}
50 annotations:
51 {{ include "partials.annotations.created-by" . }}
52spec:
53 # Ideally, this should be restricted to the actual set of IPs the kubelet API
54 # server uses for webhooks in a cluster. This can't easily be discovered.
55 networks:
56 - cidr: "0.0.0.0/0"
57 - cidr: "::/0"
View as plain text