---
###
### Linkerd Viz Extension Namespace
###
apiVersion: v1
kind: Namespace
metadata:
  name: linkerd-viz
  labels:
    linkerd.io/extension: viz
    # "privileged" is the least restrictive Pod Security Standards level:
    # Pod Security admission places no restrictions on pods created in this
    # namespace, so hardening depends entirely on each pod's securityContext.
    # NOTE(review): confirm this level is actually required before reusing
    # the manifest; "baseline" or "restricted" would be tighter.
    pod-security.kubernetes.io/enforce: privileged
  annotations:
    # Address of the externally managed Prometheus; the same value is passed
    # to the metrics-api container through -prometheus-url.
    viz.linkerd.io/external-prometheus: external-prom.com
---
###
### Metrics API RBAC
###
# Cluster-wide read-only role for the metrics-api component. Only list/get/
# watch verbs are granted, and secrets are not among the resources.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: linkerd-linkerd-viz-metrics-api
  labels:
    linkerd.io/extension: viz
    component: metrics-api
rules:
  - apiGroups: ["extensions", "apps"]
    resources: ["daemonsets", "deployments", "replicasets", "statefulsets"]
    verbs: ["list", "get", "watch"]
  - apiGroups: ["extensions", "batch"]
    resources: ["cronjobs", "jobs"]
    verbs: ["list", "get", "watch"]
  - apiGroups: [""]
    resources: ["pods", "endpoints", "services", "replicationcontrollers", "namespaces"]
    verbs: ["list", "get", "watch"]
  - apiGroups: ["linkerd.io"]
    resources: ["serviceprofiles"]
    verbs: ["list", "get", "watch"]
  # Policy resources are readable but, unlike the rules above, not watchable.
  - apiGroups: ["policy.linkerd.io"]
    resources: ["servers", "serverauthorizations", "authorizationpolicies", "httproutes"]
    verbs: ["list", "get"]
---
# Binds the read-only metrics-api ClusterRole to the metrics-api
# ServiceAccount in linkerd-viz.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: linkerd-linkerd-viz-metrics-api
  labels:
    linkerd.io/extension: viz
    component: metrics-api
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: linkerd-linkerd-viz-metrics-api
subjects:
  - kind: ServiceAccount
    name: metrics-api
    namespace: linkerd-viz
---
# Identity under which the metrics-api Deployment runs.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: metrics-api
  namespace: linkerd-viz
  labels:
    linkerd.io/extension: viz
    component: metrics-api
---
###
### Tap RBAC
###
# Cluster-wide read-only role for the tap component itself (list/get/watch
# on workloads, services, namespaces and nodes). No write verbs, no secrets.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: linkerd-linkerd-viz-tap
  labels:
    linkerd.io/extension: viz
    component: tap
rules:
  - apiGroups: [""]
    resources: ["pods", "services", "replicationcontrollers", "namespaces", "nodes"]
    verbs: ["list", "get", "watch"]
  - apiGroups: ["extensions", "apps"]
    resources: ["daemonsets", "deployments", "replicasets", "statefulsets"]
    verbs: ["list", "get", "watch"]
  - apiGroups: ["extensions", "batch"]
    resources: ["cronjobs", "jobs"]
    verbs: ["list", "get", "watch"]
---
# Role for *consumers* of the tap API. The wildcard covers every resource
# served by the tap.linkerd.io group, so any subject bound to this role
# cluster-wide can watch (tap) all of them in every namespace.
# NOTE(review): treat bindings to this role as sensitive; prefer namespaced
# RoleBindings where cluster-wide tap access is not needed.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: linkerd-linkerd-viz-tap-admin
  labels:
    linkerd.io/extension: viz
    component: tap
rules:
  - apiGroups: [""]
    resources: ["namespaces"]
    verbs: ["list"]
  - apiGroups: ["tap.linkerd.io"]
    resources: ["*"]
    verbs: ["watch"]
---
# Binds the read-only tap ClusterRole to the tap ServiceAccount.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: linkerd-linkerd-viz-tap
  labels:
    linkerd.io/extension: viz
    component: tap
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: linkerd-linkerd-viz-tap
subjects:
  - kind: ServiceAccount
    name: tap
    namespace: linkerd-viz
---
# system:auth-delegator is the built-in role that lets an extension API
# server ask kube-apiserver to perform TokenReview / SubjectAccessReview
# checks on its behalf. The tap ServiceAccount needs it because tap is
# registered as an aggregated API (see the v1alpha1.tap.linkerd.io
# APIService in this file).
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: linkerd-linkerd-viz-tap-auth-delegator
  labels:
    linkerd.io/extension: viz
    component: tap
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: system:auth-delegator
subjects:
  - kind: ServiceAccount
    name: tap
    namespace: linkerd-viz
---
# Identity under which the tap Deployment runs.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: tap
  namespace: linkerd-viz
  labels:
    linkerd.io/extension: viz
    component: tap
    # A label named "namespace", distinct from metadata.namespace above.
    namespace: linkerd-viz
---
# Lives in kube-system (not linkerd-viz): it grants the tap ServiceAccount
# the built-in extension-apiserver-authentication-reader Role, which allows
# reading the extension-apiserver-authentication ConfigMap that aggregated
# API servers use to authenticate requests forwarded by kube-apiserver.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: linkerd-linkerd-viz-tap-auth-reader
  namespace: kube-system
  labels:
    linkerd.io/extension: viz
    component: tap
    namespace: linkerd-viz
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: extension-apiserver-authentication-reader
subjects:
  - kind: ServiceAccount
    name: tap
    namespace: linkerd-viz
---
# Registers the tap Service as the backend for the tap.linkerd.io/v1alpha1
# aggregated API.
apiVersion: apiregistration.k8s.io/v1
kind: APIService
metadata:
  name: v1alpha1.tap.linkerd.io
  labels:
    linkerd.io/extension: viz
    component: tap
spec:
  group: tap.linkerd.io
  version: v1alpha1
  groupPriorityMinimum: 1000
  versionPriority: 100
  service:
    name: tap
    namespace: linkerd-viz
  # Base64 of the literal text "test-tap-ca-bundle": a fixture placeholder,
  # not a PEM certificate. kube-apiserver uses caBundle to verify the tap
  # backend's serving certificate, so a real install must carry the CA that
  # issued that certificate.
  caBundle: dGVzdC10YXAtY2EtYnVuZGxl
---
###
### Web RBAC
###
# Namespaced role in the control-plane namespace ("linkerd") for the web
# dashboard. Read-only verbs only.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: web
  namespace: linkerd
  labels:
    linkerd.io/extension: viz
    component: web
    namespace: linkerd
rules:
  - apiGroups: [""]
    resources: ["configmaps"]
    verbs: ["get"]
    resourceNames: ["linkerd-config"]
  # NOTE(review): this rule grants "get" on configmaps with no resourceNames,
  # so it already covers every ConfigMap in the namespace and makes the
  # linkerd-config restriction in the rule above redundant. If only
  # linkerd-config is needed, drop "configmaps" here.
  - apiGroups: [""]
    resources: ["namespaces", "configmaps"]
    verbs: ["get"]
  - apiGroups: [""]
    resources: ["serviceaccounts", "pods"]
    verbs: ["list"]
  - apiGroups: ["apps"]
    resources: ["replicasets"]
    verbs: ["list"]
---
# Binds the "web" Role in namespace linkerd to the web ServiceAccount, which
# itself lives in linkerd-viz (cross-namespace subject).
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: web
  namespace: linkerd
  labels:
    linkerd.io/extension: viz
    component: web
    namespace: linkerd
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: web
subjects:
  - kind: ServiceAccount
    name: web
    namespace: linkerd-viz
---
# Cluster-wide role for the dashboard's check functionality. Every rule is
# "list" (or "get" for apiservices): the role can enumerate RBAC objects,
# CRDs and admission webhooks but cannot modify any of them.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: linkerd-linkerd-viz-web-check
  labels:
    linkerd.io/extension: viz
    component: web
rules:
  - apiGroups: ["rbac.authorization.k8s.io"]
    resources: ["clusterroles", "clusterrolebindings"]
    verbs: ["list"]
  - apiGroups: ["apiextensions.k8s.io"]
    resources: ["customresourcedefinitions"]
    verbs: ["list"]
  - apiGroups: ["admissionregistration.k8s.io"]
    resources: ["mutatingwebhookconfigurations", "validatingwebhookconfigurations"]
    verbs: ["list"]
  - apiGroups: ["linkerd.io"]
    resources: ["serviceprofiles"]
    verbs: ["list"]
  - apiGroups: [""]
    resources: ["nodes", "pods", "services"]
    verbs: ["list"]
  - apiGroups: ["apiregistration.k8s.io"]
    resources: ["apiservices"]
    verbs: ["get"]
---
# Binds the web-check ClusterRole to the web ServiceAccount.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: linkerd-linkerd-viz-web-check
  labels:
    linkerd.io/extension: viz
    component: web
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: linkerd-linkerd-viz-web-check
subjects:
  - kind: ServiceAccount
    name: web
    namespace: linkerd-viz
---
# Gives the web dashboard's ServiceAccount the tap-admin ClusterRole, i.e.
# cluster-wide "watch" on everything in tap.linkerd.io.
# NOTE(review): requests the dashboard makes with its own credentials carry
# this privilege, so whoever can reach the web Service should be assumed able
# to tap through it. Restrict access to the dashboard accordingly, or remove
# this binding if dashboard tap is not needed.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: linkerd-linkerd-viz-web-admin
  labels:
    linkerd.io/extension: viz
    component: web
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: linkerd-linkerd-viz-tap-admin
subjects:
  - kind: ServiceAccount
    name: web
    namespace: linkerd-viz
---
# Minimal cluster-wide role for the web API: list namespaces, nothing else.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: linkerd-linkerd-viz-web-api
  labels:
    linkerd.io/extension: viz
    component: web
rules:
  - apiGroups: [""]
    resources: ["namespaces"]
    verbs: ["list"]
---
# Binds the web-api ClusterRole to the web ServiceAccount.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: linkerd-linkerd-viz-web-api
  labels:
    linkerd.io/extension: viz
    component: web
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: linkerd-linkerd-viz-web-api
subjects:
  - kind: ServiceAccount
    name: web
    namespace: linkerd-viz
---
# Identity under which the web dashboard runs. In this file it is the
# subject of four bindings: Role "web" (namespace linkerd) and the
# web-check, web-api and tap-admin ClusterRoles.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: web
  namespace: linkerd-viz
  labels:
    linkerd.io/extension: viz
    component: web
    namespace: linkerd-viz
---
###
### Metrics API
###
# ClusterIP (in-cluster only) Service in front of the metrics-api pods.
apiVersion: v1
kind: Service
metadata:
  name: metrics-api
  namespace: linkerd-viz
  labels:
    linkerd.io/extension: viz
    component: metrics-api
  annotations:
    linkerd.io/created-by: linkerd/helm dev-undefined
    linkerd.io/inject: enabled
spec:
  type: ClusterIP
  selector:
    linkerd.io/extension: viz
    component: metrics-api
  ports:
    - name: http
      port: 8085
      targetPort: 8085
---
# metrics-api workload. Single replica, meshed via linkerd.io/inject.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: metrics-api
  namespace: linkerd-viz
  annotations:
    linkerd.io/created-by: linkerd/helm dev-undefined
    linkerd.io/inject: enabled
    config.linkerd.io/proxy-await: "enabled"
  labels:
    linkerd.io/extension: viz
    app.kubernetes.io/name: metrics-api
    app.kubernetes.io/part-of: Linkerd
    app.kubernetes.io/version: dev-undefined
    component: metrics-api
spec:
  replicas: 1
  revisionHistoryLimit: 10
  selector:
    matchLabels:
      linkerd.io/extension: viz
      component: metrics-api
  template:
    metadata:
      annotations:
        checksum/config: b73fb1bf343c4203fbab8ee108c5eba2e07d184177e204677dc83d4cad2cd12b
        linkerd.io/created-by: linkerd/helm dev-undefined
        linkerd.io/inject: enabled
        config.alpha.linkerd.io/proxy-wait-before-exit-seconds: "0"
        cluster-autoscaler.kubernetes.io/safe-to-evict: "true"
      labels:
        linkerd.io/extension: viz
        component: metrics-api
    spec:
      serviceAccountName: metrics-api
      nodeSelector:
        kubernetes.io/os: linux
      # Pod-level default; the container repeats the same seccomp profile.
      securityContext:
        seccompProfile:
          type: RuntimeDefault
      containers:
        - name: metrics-api
          # "dev-undefined" is a mutable development tag. NOTE(review): pin a
          # release tag or digest before using this manifest outside tests.
          image: cr.l5d.io/linkerd/metrics-api:dev-undefined
          imagePullPolicy: IfNotPresent
          args:
            - -controller-namespace=linkerd
            - -log-level=info
            - -log-format=plain
            - -cluster-domain=cluster.local
            # Same external Prometheus address as the namespace annotation.
            - -prometheus-url=external-prom.com
            # Profiling endpoints are switched off.
            - -enable-pprof=false
          ports:
            - containerPort: 8085
              name: http
            - containerPort: 9995
              name: admin-http
          livenessProbe:
            httpGet:
              path: /ping
              port: 9995
            initialDelaySeconds: 10
          readinessProbe:
            failureThreshold: 7
            httpGet:
              path: /ready
              port: 9995
          # Rendered empty: no CPU/memory requests or limits are set.
          resources: null
          # Hardened container: non-root UID/GID 2103, read-only root
          # filesystem, no privilege escalation, every capability dropped.
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
            runAsNonRoot: true
            readOnlyRootFilesystem: true
            runAsUser: 2103
            runAsGroup: 2103
            seccompProfile:
              type: RuntimeDefault
---
# Linkerd policy Server describing the "http" port of the metrics-api pods;
# the AuthorizationPolicy named metrics-api targets it.
apiVersion: policy.linkerd.io/v1beta2
kind: Server
metadata:
  name: metrics-api
  namespace: linkerd-viz
  labels:
    linkerd.io/extension: viz
    component: metrics-api
  annotations:
    linkerd.io/created-by: linkerd/helm dev-undefined
spec:
  podSelector:
    matchLabels:
      linkerd.io/extension: viz
      component: metrics-api
  port: http
  proxyProtocol: HTTP/1
---
# Requires clients of the metrics-api Server to satisfy the
# MeshTLSAuthentication "metrics-api-web", which in this file lists only the
# web ServiceAccount identity.
apiVersion: policy.linkerd.io/v1alpha1
kind: AuthorizationPolicy
metadata:
  name: metrics-api
  namespace: linkerd-viz
  labels:
    linkerd.io/extension: viz
    component: metrics-api
  annotations:
    linkerd.io/created-by: linkerd/helm dev-undefined
spec:
  targetRef:
    group: policy.linkerd.io
    kind: Server
    name: metrics-api
  requiredAuthenticationRefs:
    - group: policy.linkerd.io
      kind: MeshTLSAuthentication
      name: metrics-api-web
---
# Mesh (mTLS) identity allow-list with a single entry: the web
# ServiceAccount. No namespace is given on the reference.
apiVersion: policy.linkerd.io/v1alpha1
kind: MeshTLSAuthentication
metadata:
  name: metrics-api-web
  namespace: linkerd-viz
  labels:
    linkerd.io/extension: viz
    component: metrics-api
  annotations:
    linkerd.io/created-by: linkerd/helm dev-undefined
spec:
  identityRefs:
    - kind: ServiceAccount
      name: web
---
# Network-based authentication intended for kubelet traffic.
apiVersion: policy.linkerd.io/v1alpha1
kind: NetworkAuthentication
metadata:
  name: kubelet
  namespace: linkerd-viz
  labels:
    linkerd.io/extension: viz
  annotations:
    linkerd.io/created-by: linkerd/helm dev-undefined
spec:
  # Ideally this would list only the addresses kubelet actually uses in the
  # cluster, but those cannot easily be discovered at render time.
  # As written, both CIDRs match every IPv4 and IPv6 source address, so a
  # policy that relies on this object alone places no restriction on where
  # a client connects from. Narrow the ranges (e.g. to the node CIDR) when
  # they are known.
  networks:
    - cidr: "0.0.0.0/0"
    - cidr: "::/0"
---
# Policy Server for the admin-http port of pods labelled
# component=prometheus.
# NOTE(review): no workload in this listing carries these labels (Prometheus
# is external here), so this Server presumably selects nothing - confirm.
apiVersion: policy.linkerd.io/v1beta2
kind: Server
metadata:
  name: prometheus-admin
  namespace: linkerd-viz
  labels:
    linkerd.io/extension: viz
  annotations:
    linkerd.io/created-by: linkerd/helm dev-undefined
spec:
  podSelector:
    matchLabels:
      linkerd.io/extension: viz
      component: prometheus
      namespace: linkerd-viz
  port: admin-http
  proxyProtocol: HTTP/1
---
# Limits the prometheus-admin Server to the metrics-api ServiceAccount
# identity in linkerd-viz.
apiVersion: policy.linkerd.io/v1alpha1
kind: AuthorizationPolicy
metadata:
  name: prometheus-admin
  namespace: linkerd-viz
  labels:
    linkerd.io/extension: viz
  annotations:
    linkerd.io/created-by: linkerd/helm dev-undefined
spec:
  targetRef:
    group: policy.linkerd.io
    kind: Server
    name: prometheus-admin
  requiredAuthenticationRefs:
    - kind: ServiceAccount
      name: metrics-api
      namespace: linkerd-viz
---
###
### Tap
###
# ClusterIP Service for tap. Port 443 ("apiserver") is the endpoint the
# v1alpha1.tap.linkerd.io APIService points kube-apiserver at.
apiVersion: v1
kind: Service
metadata:
  name: tap
  namespace: linkerd-viz
  labels:
    linkerd.io/extension: viz
    component: tap
    namespace: linkerd-viz
  annotations:
    linkerd.io/created-by: linkerd/helm dev-undefined
    linkerd.io/inject: enabled
spec:
  type: ClusterIP
  selector:
    linkerd.io/extension: viz
    component: tap
  ports:
    - name: grpc
      port: 8088
      targetPort: 8088
    - name: apiserver
      port: 443
      targetPort: apiserver
---
# tap workload ("api" mode). Single replica, meshed via linkerd.io/inject.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: tap
  namespace: linkerd-viz
  annotations:
    linkerd.io/created-by: linkerd/helm dev-undefined
    linkerd.io/inject: enabled
    config.linkerd.io/proxy-await: "enabled"
  labels:
    linkerd.io/extension: viz
    app.kubernetes.io/name: tap
    app.kubernetes.io/part-of: Linkerd
    app.kubernetes.io/version: dev-undefined
    component: tap
    namespace: linkerd-viz
spec:
  replicas: 1
  revisionHistoryLimit: 10
  selector:
    matchLabels:
      linkerd.io/extension: viz
      component: tap
      namespace: linkerd-viz
  template:
    metadata:
      annotations:
        checksum/config: d6f2ea38c4004667c96eb4fb0135fe0d9d9a87f5c19aaee30e6ccb6ef7219324
        linkerd.io/created-by: linkerd/helm dev-undefined
        linkerd.io/inject: enabled
        config.alpha.linkerd.io/proxy-wait-before-exit-seconds: "0"
        cluster-autoscaler.kubernetes.io/safe-to-evict: "true"
      labels:
        linkerd.io/extension: viz
        component: tap
        namespace: linkerd-viz
    spec:
      serviceAccountName: tap
      nodeSelector:
        kubernetes.io/os: linux
      # Pod-level default; the container repeats the same seccomp profile.
      securityContext:
        seccompProfile:
          type: RuntimeDefault
      containers:
        - name: tap
          # "dev-undefined" is a mutable development tag. NOTE(review): pin a
          # release tag or digest before using this manifest outside tests.
          image: cr.l5d.io/linkerd/tap:dev-undefined
          imagePullPolicy: IfNotPresent
          args:
            - api
            - -api-namespace=linkerd
            - -log-level=info
            - -log-format=plain
            - -identity-trust-domain=cluster.local
            # Profiling endpoints are switched off.
            - -enable-pprof=false
          ports:
            - containerPort: 8088
              name: grpc
            - containerPort: 8089
              name: apiserver
            - containerPort: 9998
              name: admin-http
          livenessProbe:
            httpGet:
              path: /ping
              port: 9998
            initialDelaySeconds: 10
          readinessProbe:
            failureThreshold: 7
            httpGet:
              path: /ready
              port: 9998
          # Rendered empty: no CPU/memory requests or limits are set.
          resources: null
          # Hardened container: non-root UID/GID 2103, read-only root
          # filesystem, no privilege escalation, every capability dropped.
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
            readOnlyRootFilesystem: true
            runAsGroup: 2103
            runAsNonRoot: true
            runAsUser: 2103
            seccompProfile:
              type: RuntimeDefault
          # TLS material is mounted read-only from the tap-k8s-tls Secret.
          volumeMounts:
            - mountPath: /var/run/linkerd/tls
              name: tls
              readOnly: true
      volumes:
        - name: tls
          secret:
            secretName: tap-k8s-tls
---
# Policy Server for the tap pods' "apiserver" port; traffic on it is
# declared as TLS.
apiVersion: policy.linkerd.io/v1beta2
kind: Server
metadata:
  name: tap-api
  namespace: linkerd-viz
  labels:
    linkerd.io/extension: viz
    component: tap
  annotations:
    linkerd.io/created-by: linkerd/helm dev-undefined
spec:
  podSelector:
    matchLabels:
      linkerd.io/extension: viz
      component: tap
  port: apiserver
  proxyProtocol: TLS
---
# Admits traffic to the tap-api Server from the "kube-api-server"
# NetworkAuthentication. That object is defined in this file with
# 0.0.0.0/0 and ::/0, so at the proxy layer any source address passes.
# NOTE(review): access control for this port therefore rests on the tap API
# server's own request authentication, not on this policy - confirm.
apiVersion: policy.linkerd.io/v1alpha1
kind: AuthorizationPolicy
metadata:
  name: tap
  namespace: linkerd-viz
  labels:
    linkerd.io/extension: viz
    component: tap
  annotations:
    linkerd.io/created-by: linkerd/helm dev-undefined
spec:
  targetRef:
    group: policy.linkerd.io
    kind: Server
    name: tap-api
  requiredAuthenticationRefs:
    - group: policy.linkerd.io
      kind: NetworkAuthentication
      name: kube-api-server
---
###
### Tap Injector RBAC
###
# The tap injector only needs to read namespaces cluster-wide.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: linkerd-tap-injector
  labels:
    linkerd.io/extension: viz
rules:
  - apiGroups: [""]
    resources: ["namespaces"]
    verbs: ["get", "list", "watch"]
---
# Binds the tap-injector ClusterRole to the tap-injector ServiceAccount.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: linkerd-tap-injector
  labels:
    linkerd.io/extension: viz
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: linkerd-tap-injector
subjects:
  - kind: ServiceAccount
    name: tap-injector
    namespace: linkerd-viz
---
# Identity under which the tap-injector Deployment runs.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: tap-injector
  namespace: linkerd-viz
  labels:
    linkerd.io/extension: viz
---
# Mutating admission webhook served by the tap-injector Service. It is
# invoked on pod CREATE in every namespace except kube-system.
apiVersion: admissionregistration.k8s.io/v1
kind: MutatingWebhookConfiguration
metadata:
  name: linkerd-tap-injector-webhook-config
  labels:
    linkerd.io/extension: viz
webhooks:
  - name: tap-injector.linkerd.io
    namespaceSelector:
      matchExpressions:
        - key: kubernetes.io/metadata.name
          operator: NotIn
          values:
            - kube-system
    clientConfig:
      service:
        name: tap-injector
        namespace: linkerd-viz
        path: "/"
      # Base64 of the literal text "test-tap-ca-bundle": a fixture
      # placeholder, not a PEM certificate. A real install must carry the CA
      # that issued the webhook's serving certificate.
      caBundle: dGVzdC10YXAtY2EtYnVuZGxl
    # Fail-open: if the webhook is unreachable or errors, pods are admitted
    # unmodified rather than rejected. That protects cluster availability;
    # it also means the mutation must not be relied on as an enforcement
    # control.
    failurePolicy: Ignore
    admissionReviewVersions: ["v1", "v1beta1"]
    reinvocationPolicy: IfNeeded
    rules:
      - operations: ["CREATE"]
        apiGroups: [""]
        apiVersions: ["v1"]
        resources: ["pods"]
        scope: "Namespaced"
    sideEffects: None
---
###
### Tap Injector
###
# ClusterIP Service the MutatingWebhookConfiguration's clientConfig refers
# to; port 443 forwards to the container port named "tap-injector".
apiVersion: v1
kind: Service
metadata:
  name: tap-injector
  namespace: linkerd-viz
  labels:
    linkerd.io/extension: viz
    component: tap-injector
  annotations:
    linkerd.io/created-by: linkerd/helm dev-undefined
    linkerd.io/inject: enabled
spec:
  type: ClusterIP
  selector:
    linkerd.io/extension: viz
    component: tap-injector
  ports:
    - name: tap-injector
      port: 443
      targetPort: tap-injector
---
# tap-injector workload: the tap image run in "injector" mode. Single
# replica, meshed via linkerd.io/inject.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: tap-injector
  namespace: linkerd-viz
  annotations:
    linkerd.io/created-by: linkerd/helm dev-undefined
    linkerd.io/inject: enabled
    config.linkerd.io/proxy-await: "enabled"
  labels:
    linkerd.io/extension: viz
    app.kubernetes.io/name: tap-injector
    app.kubernetes.io/part-of: Linkerd
    component: tap-injector
spec:
  replicas: 1
  revisionHistoryLimit: 10
  selector:
    # Unlike the other Deployments in this file, the selector uses only the
    # component label.
    matchLabels:
      component: tap-injector
  template:
    metadata:
      annotations:
        checksum/config: f46683697f33ac5449b952d1d037718887c4f98421d0f4133bb19e1c873a925d
        linkerd.io/created-by: linkerd/helm dev-undefined
        linkerd.io/inject: enabled
        config.alpha.linkerd.io/proxy-wait-before-exit-seconds: "0"
        cluster-autoscaler.kubernetes.io/safe-to-evict: "true"
      labels:
        linkerd.io/extension: viz
        component: tap-injector
    spec:
      serviceAccountName: tap-injector
      nodeSelector:
        kubernetes.io/os: linux
      # Pod-level default; the container repeats the same seccomp profile.
      securityContext:
        seccompProfile:
          type: RuntimeDefault
      containers:
        - name: tap-injector
          # "dev-undefined" is a mutable development tag. NOTE(review): pin a
          # release tag or digest before using this manifest outside tests.
          image: cr.l5d.io/linkerd/tap:dev-undefined
          imagePullPolicy: IfNotPresent
          args:
            - injector
            - -tap-service-name=tap.linkerd-viz.serviceaccount.identity.linkerd.cluster.local
            - -log-level=info
            - -log-format=plain
            # Profiling endpoints are switched off.
            - -enable-pprof=false
          ports:
            - containerPort: 8443
              name: tap-injector
            - containerPort: 9995
              name: admin-http
          livenessProbe:
            httpGet:
              path: /ping
              port: 9995
            initialDelaySeconds: 10
          readinessProbe:
            failureThreshold: 7
            httpGet:
              path: /ready
              port: 9995
          # Rendered empty: no CPU/memory requests or limits are set.
          resources: null
          # Hardened container: non-root UID/GID 2103, read-only root
          # filesystem, no privilege escalation, every capability dropped.
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
            readOnlyRootFilesystem: true
            runAsGroup: 2103
            runAsNonRoot: true
            runAsUser: 2103
            seccompProfile:
              type: RuntimeDefault
          # TLS material is mounted read-only from the tap-injector-k8s-tls
          # Secret.
          volumeMounts:
            - mountPath: /var/run/linkerd/tls
              name: tls
              readOnly: true
      volumes:
        - name: tls
          secret:
            secretName: tap-injector-k8s-tls
---
# Policy Server for the tap-injector pods' webhook port; traffic on it is
# declared as TLS.
apiVersion: policy.linkerd.io/v1beta2
kind: Server
metadata:
  name: tap-injector-webhook
  namespace: linkerd-viz
  labels:
    linkerd.io/extension: viz
    component: tap-injector
  annotations:
    linkerd.io/created-by: linkerd/helm dev-undefined
spec:
  podSelector:
    matchLabels:
      linkerd.io/extension: viz
      component: tap-injector
  port: tap-injector
  proxyProtocol: TLS
---
# Admits traffic to the tap-injector-webhook Server from the
# "kube-api-server" NetworkAuthentication. That object is defined in this
# file with 0.0.0.0/0 and ::/0, so at the proxy layer any source address
# can reach the webhook port.
apiVersion: policy.linkerd.io/v1alpha1
kind: AuthorizationPolicy
metadata:
  name: tap-injector
  namespace: linkerd-viz
  labels:
    linkerd.io/extension: viz
    component: tap-injector
  annotations:
    linkerd.io/created-by: linkerd/helm dev-undefined
spec:
  targetRef:
    group: policy.linkerd.io
    kind: Server
    name: tap-injector-webhook
  requiredAuthenticationRefs:
    - group: policy.linkerd.io
      kind: NetworkAuthentication
      name: kube-api-server
---
# Network-based authentication intended for traffic from the Kubernetes API
# server. Referenced by the "tap" and "tap-injector" AuthorizationPolicies.
apiVersion: policy.linkerd.io/v1alpha1
kind: NetworkAuthentication
metadata:
  name: kube-api-server
  namespace: linkerd-viz
  labels:
    linkerd.io/extension: viz
  annotations:
    linkerd.io/created-by: linkerd/helm dev-undefined
spec:
  # Ideally this would list only the addresses the Kubernetes API server
  # uses when calling webhooks, but those cannot easily be discovered at
  # render time.
  # As written, both CIDRs match every IPv4 and IPv6 source address, so the
  # policies that reference this object do not restrict callers by network.
  # Narrow the ranges to the control-plane addresses when they are known.
  networks:
    - cidr: "0.0.0.0/0"
    - cidr: "::/0"
---
###
### Web
###
# ClusterIP (in-cluster only) Service for the dashboard. Note that the admin
# port 9994 is published on the Service alongside the UI port 8084.
apiVersion: v1
kind: Service
metadata:
  name: web
  namespace: linkerd-viz
  labels:
    linkerd.io/extension: viz
    component: web
    namespace: linkerd-viz
  annotations:
    linkerd.io/created-by: linkerd/helm dev-undefined
    linkerd.io/inject: enabled
spec:
  type: ClusterIP
  selector:
    linkerd.io/extension: viz
    component: web
  ports:
    - name: http
      port: 8084
      targetPort: 8084
    - name: admin-http
      port: 9994
      targetPort: 9994
---
# Web dashboard workload. Single replica, meshed via linkerd.io/inject.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: web
  namespace: linkerd-viz
  annotations:
    linkerd.io/created-by: linkerd/helm dev-undefined
    linkerd.io/inject: enabled
    config.linkerd.io/proxy-await: "enabled"
  labels:
    linkerd.io/extension: viz
    app.kubernetes.io/name: web
    app.kubernetes.io/part-of: Linkerd
    app.kubernetes.io/version: dev-undefined
    component: web
    namespace: linkerd-viz
spec:
  replicas: 1
  revisionHistoryLimit: 10
  selector:
    matchLabels:
      linkerd.io/extension: viz
      component: web
      namespace: linkerd-viz
  template:
    metadata:
      annotations:
        linkerd.io/created-by: linkerd/helm dev-undefined
        linkerd.io/inject: enabled
        config.alpha.linkerd.io/proxy-wait-before-exit-seconds: "0"
        cluster-autoscaler.kubernetes.io/safe-to-evict: "true"
      labels:
        linkerd.io/extension: viz
        component: web
        namespace: linkerd-viz
    spec:
      serviceAccountName: web
      nodeSelector:
        kubernetes.io/os: linux
      # Pod-level default; the container repeats the same seccomp profile.
      securityContext:
        seccompProfile:
          type: RuntimeDefault
      containers:
        - name: web
          # "dev-undefined" is a mutable development tag. NOTE(review): pin a
          # release tag or digest before using this manifest outside tests.
          image: cr.l5d.io/linkerd/web:dev-undefined
          imagePullPolicy: IfNotPresent
          args:
            - -linkerd-metrics-api-addr=metrics-api.linkerd-viz.svc.cluster.local:8085
            - -cluster-domain=cluster.local
            - -controller-namespace=linkerd
            - -log-level=info
            - -log-format=plain
            # Host-header allow-list: anchored with ^...$ and limited to
            # loopback names and the in-cluster Service names, optionally
            # followed by a port. When the dashboard is published under
            # another hostname, extend this pattern with that exact name
            # rather than loosening it to match anything.
            - -enforced-host=^(localhost|127\.0\.0\.1|web\.linkerd-viz\.svc\.cluster\.local|web\.linkerd-viz\.svc|\[::1\])(:\d+)?$
            # Profiling endpoints are switched off.
            - -enable-pprof=false
          ports:
            - containerPort: 8084
              name: http
            - containerPort: 9994
              name: admin-http
          livenessProbe:
            httpGet:
              path: /ping
              port: 9994
            initialDelaySeconds: 10
          readinessProbe:
            failureThreshold: 7
            httpGet:
              path: /ready
              port: 9994
          # Rendered empty: no CPU/memory requests or limits are set.
          resources: null
          # Hardened container: non-root UID/GID 2103, read-only root
          # filesystem, no privilege escalation, every capability dropped.
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
            readOnlyRootFilesystem: true
            runAsGroup: 2103
            runAsNonRoot: true
            runAsUser: 2103
            seccompProfile:
              type: RuntimeDefault
---
# Per-route definitions for the metrics-api Service: seven POST routes under
# /api/v1/.
apiVersion: linkerd.io/v1alpha2
kind: ServiceProfile
metadata:
  name: metrics-api.linkerd-viz.svc.cluster.local
  namespace: linkerd-viz
  labels:
    linkerd.io/extension: viz
spec:
  routes:
    - name: POST /api/v1/StatSummary
      condition:
        method: POST
        pathRegex: /api/v1/StatSummary
    - name: POST /api/v1/TopRoutes
      condition:
        method: POST
        pathRegex: /api/v1/TopRoutes
    - name: POST /api/v1/ListPods
      condition:
        method: POST
        pathRegex: /api/v1/ListPods
    - name: POST /api/v1/ListServices
      condition:
        method: POST
        pathRegex: /api/v1/ListServices
    - name: POST /api/v1/SelfCheck
      condition:
        method: POST
        pathRegex: /api/v1/SelfCheck
    - name: POST /api/v1/Gateways
      condition:
        method: POST
        pathRegex: /api/v1/Gateways
    - name: POST /api/v1/Edges
      condition:
        method: POST
        pathRegex: /api/v1/Edges