--- ### ### Linkerd Viz Extension Namespace ### kind: Namespace apiVersion: v1 metadata: name: linkerd-viz labels: linkerd.io/extension: viz pod-security.kubernetes.io/enforce: privileged annotations: viz.linkerd.io/external-prometheus: external-prom.com --- ### ### Metrics API RBAC ### kind: ClusterRole apiVersion: rbac.authorization.k8s.io/v1 metadata: name: linkerd-linkerd-viz-metrics-api labels: linkerd.io/extension: viz component: metrics-api rules: - apiGroups: ["extensions", "apps"] resources: ["daemonsets", "deployments", "replicasets", "statefulsets"] verbs: ["list", "get", "watch"] - apiGroups: ["extensions", "batch"] resources: ["cronjobs", "jobs"] verbs: ["list" , "get", "watch"] - apiGroups: [""] resources: ["pods", "endpoints", "services", "replicationcontrollers", "namespaces"] verbs: ["list", "get", "watch"] - apiGroups: ["linkerd.io"] resources: ["serviceprofiles"] verbs: ["list", "get", "watch"] - apiGroups: ["policy.linkerd.io"] resources: ["servers", "serverauthorizations", "authorizationpolicies", "httproutes"] verbs: ["list", "get"] --- kind: ClusterRoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: name: linkerd-linkerd-viz-metrics-api labels: linkerd.io/extension: viz component: metrics-api roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: linkerd-linkerd-viz-metrics-api subjects: - kind: ServiceAccount name: metrics-api namespace: linkerd-viz --- kind: ServiceAccount apiVersion: v1 metadata: name: metrics-api namespace: linkerd-viz labels: linkerd.io/extension: viz component: metrics-api --- ### ### Tap RBAC ### kind: ClusterRole apiVersion: rbac.authorization.k8s.io/v1 metadata: name: linkerd-linkerd-viz-tap labels: linkerd.io/extension: viz component: tap rules: - apiGroups: [""] resources: ["pods", "services", "replicationcontrollers", "namespaces", "nodes"] verbs: ["list", "get", "watch"] - apiGroups: ["extensions", "apps"] resources: ["daemonsets", "deployments", "replicasets", "statefulsets"] verbs: ["list", "get", "watch"] - apiGroups: ["extensions", "batch"] resources: ["cronjobs", "jobs"] verbs: ["list" , "get", "watch"] --- kind: ClusterRole apiVersion: rbac.authorization.k8s.io/v1 metadata: name: linkerd-linkerd-viz-tap-admin labels: linkerd.io/extension: viz component: tap rules: - apiGroups: [""] resources: ["namespaces"] verbs: ["list"] - apiGroups: ["tap.linkerd.io"] resources: ["*"] verbs: ["watch"] --- kind: ClusterRoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: name: linkerd-linkerd-viz-tap labels: linkerd.io/extension: viz component: tap roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: linkerd-linkerd-viz-tap subjects: - kind: ServiceAccount name: tap namespace: linkerd-viz --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: linkerd-linkerd-viz-tap-auth-delegator labels: linkerd.io/extension: viz component: tap roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: system:auth-delegator subjects: - kind: ServiceAccount name: tap namespace: linkerd-viz --- kind: ServiceAccount apiVersion: v1 metadata: name: tap namespace: linkerd-viz labels: linkerd.io/extension: viz component: tap namespace: linkerd-viz --- apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: name: linkerd-linkerd-viz-tap-auth-reader namespace: kube-system labels: linkerd.io/extension: viz component: tap namespace: linkerd-viz roleRef: apiGroup: rbac.authorization.k8s.io kind: Role name: extension-apiserver-authentication-reader subjects: - kind: ServiceAccount name: tap namespace: linkerd-viz --- apiVersion: apiregistration.k8s.io/v1 kind: APIService metadata: name: v1alpha1.tap.linkerd.io labels: linkerd.io/extension: viz component: tap spec: group: tap.linkerd.io version: v1alpha1 groupPriorityMinimum: 1000 versionPriority: 100 service: name: tap namespace: linkerd-viz caBundle: dGVzdC10YXAtY2EtYnVuZGxl --- ### ### Web RBAC ### apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: name: web namespace: linkerd labels: linkerd.io/extension: viz component: web namespace: linkerd rules: - apiGroups: [""] resources: ["configmaps"] verbs: ["get"] resourceNames: ["linkerd-config"] - apiGroups: [""] resources: ["namespaces", "configmaps"] verbs: ["get"] - apiGroups: [""] resources: ["serviceaccounts", "pods"] verbs: ["list"] - apiGroups: ["apps"] resources: ["replicasets"] verbs: ["list"] --- apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: name: web namespace: linkerd labels: linkerd.io/extension: viz component: web namespace: linkerd roleRef: kind: Role name: web apiGroup: rbac.authorization.k8s.io subjects: - kind: ServiceAccount name: web namespace: linkerd-viz --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: linkerd-linkerd-viz-web-check labels: linkerd.io/extension: viz component: web rules: - apiGroups: ["rbac.authorization.k8s.io"] resources: ["clusterroles", "clusterrolebindings"] verbs: ["list"] - apiGroups: ["apiextensions.k8s.io"] resources: ["customresourcedefinitions"] verbs: ["list"] - apiGroups: ["admissionregistration.k8s.io"] resources: ["mutatingwebhookconfigurations", "validatingwebhookconfigurations"] verbs: ["list"] - apiGroups: ["linkerd.io"] resources: ["serviceprofiles"] verbs: ["list"] - apiGroups: [""] resources: ["nodes", "pods", "services"] verbs: ["list"] - apiGroups: ["apiregistration.k8s.io"] resources: ["apiservices"] verbs: ["get"] --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: linkerd-linkerd-viz-web-check labels: linkerd.io/extension: viz component: web roleRef: kind: ClusterRole name: linkerd-linkerd-viz-web-check apiGroup: rbac.authorization.k8s.io subjects: - kind: ServiceAccount name: web namespace: linkerd-viz --- kind: ClusterRoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: name: linkerd-linkerd-viz-web-admin labels: linkerd.io/extension: viz component: web roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: linkerd-linkerd-viz-tap-admin subjects: - kind: ServiceAccount name: web namespace: linkerd-viz --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: linkerd-linkerd-viz-web-api labels: linkerd.io/extension: viz component: web rules: - apiGroups: [""] resources: ["namespaces"] verbs: ["list"] --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: linkerd-linkerd-viz-web-api labels: linkerd.io/extension: viz component: web roleRef: kind: ClusterRole name: linkerd-linkerd-viz-web-api apiGroup: rbac.authorization.k8s.io subjects: - kind: ServiceAccount name: web namespace: linkerd-viz --- kind: ServiceAccount apiVersion: v1 metadata: name: web namespace: linkerd-viz labels: linkerd.io/extension: viz component: web namespace: linkerd-viz --- ### ### Metrics API ### kind: Service apiVersion: v1 metadata: name: metrics-api namespace: linkerd-viz labels: linkerd.io/extension: viz component: metrics-api annotations: linkerd.io/created-by: linkerd/helm dev-undefined linkerd.io/inject: enabled spec: type: ClusterIP selector: linkerd.io/extension: viz component: metrics-api ports: - name: http port: 8085 targetPort: 8085 --- apiVersion: apps/v1 kind: Deployment metadata: annotations: linkerd.io/created-by: linkerd/helm dev-undefined linkerd.io/inject: enabled config.linkerd.io/proxy-await: "enabled" labels: linkerd.io/extension: viz app.kubernetes.io/name: metrics-api app.kubernetes.io/part-of: Linkerd app.kubernetes.io/version: dev-undefined component: metrics-api name: metrics-api namespace: linkerd-viz spec: replicas: 1 revisionHistoryLimit: 10 selector: matchLabels: linkerd.io/extension: viz component: metrics-api template: metadata: annotations: checksum/config: b73fb1bf343c4203fbab8ee108c5eba2e07d184177e204677dc83d4cad2cd12b linkerd.io/created-by: linkerd/helm dev-undefined linkerd.io/inject: enabled config.alpha.linkerd.io/proxy-wait-before-exit-seconds: "0" cluster-autoscaler.kubernetes.io/safe-to-evict: "true" labels: linkerd.io/extension: viz component: metrics-api spec: nodeSelector: kubernetes.io/os: linux containers: - args: - -controller-namespace=linkerd - -log-level=info - -log-format=plain - -cluster-domain=cluster.local - -prometheus-url=external-prom.com - -enable-pprof=false image: cr.l5d.io/linkerd/metrics-api:dev-undefined imagePullPolicy: IfNotPresent livenessProbe: httpGet: path: /ping port: 9995 initialDelaySeconds: 10 name: metrics-api ports: - containerPort: 8085 name: http - containerPort: 9995 name: admin-http readinessProbe: failureThreshold: 7 httpGet: path: /ready port: 9995 resources: securityContext: allowPrivilegeEscalation: false capabilities: drop: - ALL runAsNonRoot: true readOnlyRootFilesystem: true runAsUser: 2103 runAsGroup: 2103 seccompProfile: type: RuntimeDefault securityContext: seccompProfile: type: RuntimeDefault serviceAccountName: metrics-api --- apiVersion: policy.linkerd.io/v1beta2 kind: Server metadata: namespace: linkerd-viz name: metrics-api labels: linkerd.io/extension: viz component: metrics-api annotations: linkerd.io/created-by: linkerd/helm dev-undefined spec: podSelector: matchLabels: linkerd.io/extension: viz component: metrics-api port: http proxyProtocol: HTTP/1 --- apiVersion: policy.linkerd.io/v1alpha1 kind: AuthorizationPolicy metadata: namespace: linkerd-viz name: metrics-api labels: linkerd.io/extension: viz component: metrics-api annotations: linkerd.io/created-by: linkerd/helm dev-undefined spec: targetRef: group: policy.linkerd.io kind: Server name: metrics-api requiredAuthenticationRefs: - group: policy.linkerd.io kind: MeshTLSAuthentication name: metrics-api-web --- apiVersion: policy.linkerd.io/v1alpha1 kind: MeshTLSAuthentication metadata: namespace: linkerd-viz name: metrics-api-web labels: linkerd.io/extension: viz component: metrics-api annotations: linkerd.io/created-by: linkerd/helm dev-undefined spec: identityRefs: - kind: ServiceAccount name: web --- apiVersion: policy.linkerd.io/v1alpha1 kind: NetworkAuthentication metadata: namespace: linkerd-viz name: kubelet labels: linkerd.io/extension: viz annotations: linkerd.io/created-by: linkerd/helm dev-undefined spec: # Ideally, this should be restricted to the actual set of IPs kubelet uses in # a cluster. This can't easily be discovered. networks: - cidr: "0.0.0.0/0" - cidr: "::/0" --- apiVersion: policy.linkerd.io/v1beta2 kind: Server metadata: namespace: linkerd-viz name: prometheus-admin labels: linkerd.io/extension: viz annotations: linkerd.io/created-by: linkerd/helm dev-undefined spec: podSelector: matchLabels: linkerd.io/extension: viz component: prometheus namespace: linkerd-viz port: admin-http proxyProtocol: HTTP/1 --- apiVersion: policy.linkerd.io/v1alpha1 kind: AuthorizationPolicy metadata: namespace: linkerd-viz name: prometheus-admin labels: linkerd.io/extension: viz annotations: linkerd.io/created-by: linkerd/helm dev-undefined spec: targetRef: group: policy.linkerd.io kind: Server name: prometheus-admin requiredAuthenticationRefs: - kind: ServiceAccount name: metrics-api namespace: linkerd-viz --- ### ### Tap ### kind: Service apiVersion: v1 metadata: name: tap namespace: linkerd-viz labels: linkerd.io/extension: viz component: tap namespace: linkerd-viz annotations: linkerd.io/created-by: linkerd/helm dev-undefined linkerd.io/inject: enabled spec: type: ClusterIP selector: linkerd.io/extension: viz component: tap ports: - name: grpc port: 8088 targetPort: 8088 - name: apiserver port: 443 targetPort: apiserver --- kind: Deployment apiVersion: apps/v1 metadata: annotations: linkerd.io/created-by: linkerd/helm dev-undefined linkerd.io/inject: enabled config.linkerd.io/proxy-await: "enabled" labels: linkerd.io/extension: viz app.kubernetes.io/name: tap app.kubernetes.io/part-of: Linkerd app.kubernetes.io/version: dev-undefined component: tap namespace: linkerd-viz name: tap namespace: linkerd-viz spec: replicas: 1 revisionHistoryLimit: 10 selector: matchLabels: linkerd.io/extension: viz component: tap namespace: linkerd-viz template: metadata: annotations: checksum/config: d6f2ea38c4004667c96eb4fb0135fe0d9d9a87f5c19aaee30e6ccb6ef7219324 linkerd.io/created-by: linkerd/helm dev-undefined linkerd.io/inject: enabled config.alpha.linkerd.io/proxy-wait-before-exit-seconds: "0" cluster-autoscaler.kubernetes.io/safe-to-evict: "true" labels: linkerd.io/extension: viz component: tap namespace: linkerd-viz spec: nodeSelector: kubernetes.io/os: linux containers: - args: - api - -api-namespace=linkerd - -log-level=info - -log-format=plain - -identity-trust-domain=cluster.local - -enable-pprof=false image: cr.l5d.io/linkerd/tap:dev-undefined imagePullPolicy: IfNotPresent livenessProbe: httpGet: path: /ping port: 9998 initialDelaySeconds: 10 name: tap ports: - containerPort: 8088 name: grpc - containerPort: 8089 name: apiserver - containerPort: 9998 name: admin-http readinessProbe: failureThreshold: 7 httpGet: path: /ready port: 9998 resources: securityContext: allowPrivilegeEscalation: false capabilities: drop: - ALL readOnlyRootFilesystem: true runAsGroup: 2103 runAsNonRoot: true runAsUser: 2103 seccompProfile: type: RuntimeDefault volumeMounts: - mountPath: /var/run/linkerd/tls name: tls readOnly: true securityContext: seccompProfile: type: RuntimeDefault serviceAccountName: tap volumes: - name: tls secret: secretName: tap-k8s-tls --- apiVersion: policy.linkerd.io/v1beta2 kind: Server metadata: namespace: linkerd-viz name: tap-api labels: linkerd.io/extension: viz component: tap annotations: linkerd.io/created-by: linkerd/helm dev-undefined spec: podSelector: matchLabels: linkerd.io/extension: viz component: tap port: apiserver proxyProtocol: TLS --- apiVersion: policy.linkerd.io/v1alpha1 kind: AuthorizationPolicy metadata: namespace: linkerd-viz name: tap labels: linkerd.io/extension: viz component: tap annotations: linkerd.io/created-by: linkerd/helm dev-undefined spec: targetRef: group: policy.linkerd.io kind: Server name: tap-api requiredAuthenticationRefs: - group: policy.linkerd.io kind: NetworkAuthentication name: kube-api-server --- ### ### Tap Injector RBAC ### kind: ClusterRole apiVersion: rbac.authorization.k8s.io/v1 metadata: name: linkerd-tap-injector labels: linkerd.io/extension: viz rules: - apiGroups: [""] resources: ["namespaces"] verbs: ["get", "list", "watch"] --- kind: ClusterRoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: name: linkerd-tap-injector labels: linkerd.io/extension: viz subjects: - kind: ServiceAccount name: tap-injector namespace: linkerd-viz roleRef: kind: ClusterRole name: linkerd-tap-injector apiGroup: rbac.authorization.k8s.io --- kind: ServiceAccount apiVersion: v1 metadata: name: tap-injector namespace: linkerd-viz labels: linkerd.io/extension: viz --- apiVersion: admissionregistration.k8s.io/v1 kind: MutatingWebhookConfiguration metadata: name: linkerd-tap-injector-webhook-config labels: linkerd.io/extension: viz webhooks: - name: tap-injector.linkerd.io namespaceSelector: matchExpressions: - key: kubernetes.io/metadata.name operator: NotIn values: - kube-system clientConfig: service: name: tap-injector namespace: linkerd-viz path: "/" caBundle: dGVzdC10YXAtY2EtYnVuZGxl failurePolicy: Ignore admissionReviewVersions: ["v1", "v1beta1"] reinvocationPolicy: IfNeeded rules: - operations: [ "CREATE" ] apiGroups: [""] apiVersions: ["v1"] resources: ["pods"] scope: "Namespaced" sideEffects: None --- ### ### Tap Injector ### kind: Service apiVersion: v1 metadata: name: tap-injector namespace: linkerd-viz labels: linkerd.io/extension: viz component: tap-injector annotations: linkerd.io/created-by: linkerd/helm dev-undefined linkerd.io/inject: enabled spec: type: ClusterIP selector: linkerd.io/extension: viz component: tap-injector ports: - name: tap-injector port: 443 targetPort: tap-injector --- kind: Deployment apiVersion: apps/v1 metadata: annotations: linkerd.io/created-by: linkerd/helm dev-undefined linkerd.io/inject: enabled config.linkerd.io/proxy-await: "enabled" labels: linkerd.io/extension: viz app.kubernetes.io/name: tap-injector app.kubernetes.io/part-of: Linkerd component: tap-injector name: tap-injector namespace: linkerd-viz spec: replicas: 1 revisionHistoryLimit: 10 selector: matchLabels: component: tap-injector template: metadata: annotations: checksum/config: f46683697f33ac5449b952d1d037718887c4f98421d0f4133bb19e1c873a925d linkerd.io/created-by: linkerd/helm dev-undefined linkerd.io/inject: enabled config.alpha.linkerd.io/proxy-wait-before-exit-seconds: "0" cluster-autoscaler.kubernetes.io/safe-to-evict: "true" labels: linkerd.io/extension: viz component: tap-injector spec: nodeSelector: kubernetes.io/os: linux containers: - args: - injector - -tap-service-name=tap.linkerd-viz.serviceaccount.identity.linkerd.cluster.local - -log-level=info - -log-format=plain - -enable-pprof=false image: cr.l5d.io/linkerd/tap:dev-undefined imagePullPolicy: IfNotPresent livenessProbe: httpGet: path: /ping port: 9995 initialDelaySeconds: 10 name: tap-injector ports: - containerPort: 8443 name: tap-injector - containerPort: 9995 name: admin-http readinessProbe: failureThreshold: 7 httpGet: path: /ready port: 9995 resources: securityContext: allowPrivilegeEscalation: false capabilities: drop: - ALL readOnlyRootFilesystem: true runAsGroup: 2103 runAsNonRoot: true runAsUser: 2103 seccompProfile: type: RuntimeDefault volumeMounts: - mountPath: /var/run/linkerd/tls name: tls readOnly: true securityContext: seccompProfile: type: RuntimeDefault serviceAccountName: tap-injector volumes: - name: tls secret: secretName: tap-injector-k8s-tls --- apiVersion: policy.linkerd.io/v1beta2 kind: Server metadata: namespace: linkerd-viz name: tap-injector-webhook labels: linkerd.io/extension: viz component: tap-injector annotations: linkerd.io/created-by: linkerd/helm dev-undefined spec: podSelector: matchLabels: linkerd.io/extension: viz component: tap-injector port: tap-injector proxyProtocol: TLS --- apiVersion: policy.linkerd.io/v1alpha1 kind: AuthorizationPolicy metadata: namespace: linkerd-viz name: tap-injector labels: linkerd.io/extension: viz component: tap-injector annotations: linkerd.io/created-by: linkerd/helm dev-undefined spec: targetRef: group: policy.linkerd.io kind: Server name: tap-injector-webhook requiredAuthenticationRefs: - group: policy.linkerd.io kind: NetworkAuthentication name: kube-api-server --- apiVersion: policy.linkerd.io/v1alpha1 kind: NetworkAuthentication metadata: namespace: linkerd-viz name: kube-api-server labels: linkerd.io/extension: viz annotations: linkerd.io/created-by: linkerd/helm dev-undefined spec: # Ideally, this should be restricted to the actual set of IPs the kubelet API # server uses for webhooks in a cluster. This can't easily be discovered. networks: - cidr: "0.0.0.0/0" - cidr: "::/0" --- ### ### Web ### kind: Service apiVersion: v1 metadata: name: web namespace: linkerd-viz labels: linkerd.io/extension: viz component: web namespace: linkerd-viz annotations: linkerd.io/created-by: linkerd/helm dev-undefined linkerd.io/inject: enabled spec: type: ClusterIP selector: linkerd.io/extension: viz component: web ports: - name: http port: 8084 targetPort: 8084 - name: admin-http port: 9994 targetPort: 9994 --- apiVersion: apps/v1 kind: Deployment metadata: annotations: linkerd.io/created-by: linkerd/helm dev-undefined linkerd.io/inject: enabled config.linkerd.io/proxy-await: "enabled" labels: linkerd.io/extension: viz app.kubernetes.io/name: web app.kubernetes.io/part-of: Linkerd app.kubernetes.io/version: dev-undefined component: web namespace: linkerd-viz name: web namespace: linkerd-viz spec: replicas: 1 revisionHistoryLimit: 10 selector: matchLabels: linkerd.io/extension: viz component: web namespace: linkerd-viz template: metadata: annotations: linkerd.io/created-by: linkerd/helm dev-undefined linkerd.io/inject: enabled config.alpha.linkerd.io/proxy-wait-before-exit-seconds: "0" cluster-autoscaler.kubernetes.io/safe-to-evict: "true" labels: linkerd.io/extension: viz component: web namespace: linkerd-viz spec: nodeSelector: kubernetes.io/os: linux containers: - args: - -linkerd-metrics-api-addr=metrics-api.linkerd-viz.svc.cluster.local:8085 - -cluster-domain=cluster.local - -controller-namespace=linkerd - -log-level=info - -log-format=plain - -enforced-host=^(localhost|127\.0\.0\.1|web\.linkerd-viz\.svc\.cluster\.local|web\.linkerd-viz\.svc|\[::1\])(:\d+)?$ - -enable-pprof=false image: cr.l5d.io/linkerd/web:dev-undefined imagePullPolicy: IfNotPresent livenessProbe: httpGet: path: /ping port: 9994 initialDelaySeconds: 10 name: web ports: - containerPort: 8084 name: http - containerPort: 9994 name: admin-http readinessProbe: failureThreshold: 7 httpGet: path: /ready port: 9994 resources: securityContext: allowPrivilegeEscalation: false capabilities: drop: - ALL readOnlyRootFilesystem: true runAsGroup: 2103 runAsNonRoot: true runAsUser: 2103 seccompProfile: type: RuntimeDefault securityContext: seccompProfile: type: RuntimeDefault serviceAccountName: web --- apiVersion: linkerd.io/v1alpha2 kind: ServiceProfile metadata: name: metrics-api.linkerd-viz.svc.cluster.local namespace: linkerd-viz labels: linkerd.io/extension: viz spec: routes: - name: POST /api/v1/StatSummary condition: method: POST pathRegex: /api/v1/StatSummary - name: POST /api/v1/TopRoutes condition: method: POST pathRegex: /api/v1/TopRoutes - name: POST /api/v1/ListPods condition: method: POST pathRegex: /api/v1/ListPods - name: POST /api/v1/ListServices condition: method: POST pathRegex: /api/v1/ListServices - name: POST /api/v1/SelfCheck condition: method: POST pathRegex: /api/v1/SelfCheck - name: POST /api/v1/Gateways condition: method: POST pathRegex: /api/v1/Gateways - name: POST /api/v1/Edges condition: method: POST pathRegex: /api/v1/Edges