---
###
### Linkerd Viz Extension Namespace
###
# Namespace that the viz workloads in this file are deployed into.
kind: Namespace
apiVersion: v1
metadata:
  name: linkerd-viz
  labels:
    linkerd.io/extension: viz
    # NOTE(review): "privileged" is the least restrictive Pod Security
    # Admission level, so admission enforces no pod hardening in this
    # namespace. The application containers declared in this file already
    # drop all capabilities and run as non-root; the permissive level is
    # presumably needed for containers added by proxy injection, which are
    # not visible here. Confirm before tightening to baseline/restricted.
    pod-security.kubernetes.io/enforce: privileged
  # Empty (null) annotations map.
  annotations:
---
###
### Metrics API RBAC
###
# Cluster-wide, read-only permissions for the metrics-api component.
# Every rule is limited to list/get/watch (or list/get); nothing here can
# create, modify or delete objects, and Secrets are not included.
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: linkerd-linkerd-viz-metrics-api
  labels:
    linkerd.io/extension: viz
    component: metrics-api
rules:
  # Workload controllers.
  - apiGroups: ["extensions", "apps"]
    resources: ["daemonsets", "deployments", "replicasets", "statefulsets"]
    verbs: ["list", "get", "watch"]
  - apiGroups: ["extensions", "batch"]
    resources: ["cronjobs", "jobs"]
    verbs: ["list" , "get", "watch"]
  # Core-group objects.
  - apiGroups: [""]
    resources: ["pods", "endpoints", "services", "replicationcontrollers", "namespaces"]
    verbs: ["list", "get", "watch"]
  - apiGroups: ["linkerd.io"]
    resources: ["serviceprofiles"]
    verbs: ["list", "get", "watch"]
  # Policy resources are readable but, unlike the rules above, not watchable.
  - apiGroups: ["policy.linkerd.io"]
    resources: ["servers", "serverauthorizations", "authorizationpolicies", "httproutes"]
    verbs: ["list", "get"]
---
# Grants the metrics-api ClusterRole to the metrics-api ServiceAccount in
# linkerd-viz. A ClusterRoleBinding applies the role in every namespace.
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: linkerd-linkerd-viz-metrics-api
  labels:
    linkerd.io/extension: viz
    component: metrics-api
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: linkerd-linkerd-viz-metrics-api
subjects:
  - kind: ServiceAccount
    name: metrics-api
    namespace: linkerd-viz
---
# Identity used by the metrics-api Deployment (serviceAccountName) and by
# the RBAC binding of the same name.
kind: ServiceAccount
apiVersion: v1
metadata:
  name: metrics-api
  namespace: linkerd-viz
  labels:
    linkerd.io/extension: viz
    component: metrics-api
---
###
### Prometheus RBAC
###
# Cluster-wide read permissions used by Prometheus for service discovery
# and node scraping.
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: linkerd-linkerd-viz-prometheus
  labels:
    linkerd.io/extension: viz
    component: prometheus
rules:
  # NOTE(review): "nodes/proxy" is what allows the cadvisor scrape job in
  # prometheus-config to request /api/v1/nodes/<name>/proxy/metrics/cadvisor
  # through the API server. The subresource is not limited to that path: it
  # covers kubelet endpoints proxied by the API server in general, so the
  # prometheus ServiceAccount token is more sensitive than a metrics-only
  # credential. Treat it accordingly and review whether the grant is still
  # needed if the cadvisor job is removed.
  - apiGroups: [""]
    resources: ["nodes", "nodes/proxy", "pods"]
    verbs: ["get", "list", "watch"]
---
# Grants the prometheus ClusterRole (including nodes/proxy) to the
# prometheus ServiceAccount in linkerd-viz, cluster-wide.
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: linkerd-linkerd-viz-prometheus
  labels:
    linkerd.io/extension: viz
    component: prometheus
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: linkerd-linkerd-viz-prometheus
subjects:
  - kind: ServiceAccount
    name: prometheus
    namespace: linkerd-viz
---
# Identity used by the prometheus Deployment; its token is the bearer token
# referenced by the cadvisor scrape job.
kind: ServiceAccount
apiVersion: v1
metadata:
  name: prometheus
  namespace: linkerd-viz
  labels:
    linkerd.io/extension: viz
    component: prometheus
    # "namespace" here is an ordinary label key, separate from
    # metadata.namespace above.
    namespace: linkerd-viz
---
###
### Tap RBAC
###
# Cluster-wide, read-only permissions for the tap component itself:
# list/get/watch on workloads, pods, services, namespaces and nodes.
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: linkerd-linkerd-viz-tap
  labels:
    linkerd.io/extension: viz
    component: tap
rules:
  - apiGroups: [""]
    resources: ["pods", "services", "replicationcontrollers", "namespaces", "nodes"]
    verbs: ["list", "get", "watch"]
  - apiGroups: ["extensions", "apps"]
    resources: ["daemonsets", "deployments", "replicasets", "statefulsets"]
    verbs: ["list", "get", "watch"]
  - apiGroups: ["extensions", "batch"]
    resources: ["cronjobs", "jobs"]
    verbs: ["list" , "get", "watch"]
---
# Role for callers that are allowed to use the tap API on any resource.
# It is not bound to the tap ServiceAccount; in this file it is bound to the
# web ServiceAccount (ClusterRoleBinding linkerd-linkerd-viz-web-admin).
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: linkerd-linkerd-viz-tap-admin
  labels:
    linkerd.io/extension: viz
    component: tap
rules:
  - apiGroups: [""]
    resources: ["namespaces"]
    verbs: ["list"]
  # NOTE(review): the wildcard covers every resource in the tap.linkerd.io
  # group, in every namespace. Whoever holds this role can watch tap data
  # for all workloads, so bind it sparingly; a namespaced RoleBinding to
  # this ClusterRole is the narrower option where cluster-wide tap is not
  # required.
  - apiGroups: ["tap.linkerd.io"]
    resources: ["*"]
    verbs: ["watch"]
---
# Grants the read-only tap ClusterRole to the tap ServiceAccount.
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: linkerd-linkerd-viz-tap
  labels:
    linkerd.io/extension: viz
    component: tap
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: linkerd-linkerd-viz-tap
subjects:
  - kind: ServiceAccount
    name: tap
    namespace: linkerd-viz
---
# Binds the built-in system:auth-delegator ClusterRole to the tap
# ServiceAccount. That role lets an extension API server delegate
# authentication and authorization decisions for its callers to the main
# API server (TokenReview / SubjectAccessReview). It goes together with the
# APIService v1alpha1.tap.linkerd.io registration in this file.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: linkerd-linkerd-viz-tap-auth-delegator
  labels:
    linkerd.io/extension: viz
    component: tap
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: system:auth-delegator
subjects:
  - kind: ServiceAccount
    name: tap
    namespace: linkerd-viz
---
# Identity used by the tap Deployment. It is the subject of three bindings
# in this file: the tap ClusterRole, system:auth-delegator, and the
# extension-apiserver-authentication-reader Role in kube-system.
kind: ServiceAccount
apiVersion: v1
metadata:
  name: tap
  namespace: linkerd-viz
  labels:
    linkerd.io/extension: viz
    component: tap
    # Label key named "namespace", not metadata.namespace.
    namespace: linkerd-viz
---
# RoleBinding created in kube-system (not linkerd-viz) so that the tap
# ServiceAccount can use the built-in
# extension-apiserver-authentication-reader Role, which exists in
# kube-system. The subject still lives in linkerd-viz.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: linkerd-linkerd-viz-tap-auth-reader
  namespace: kube-system
  labels:
    linkerd.io/extension: viz
    component: tap
    # Label key named "namespace"; the object's namespace is kube-system.
    namespace: linkerd-viz
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: extension-apiserver-authentication-reader
subjects:
  - kind: ServiceAccount
    name: tap
    namespace: linkerd-viz
---
# Registers the tap Service as an aggregated API: requests for
# tap.linkerd.io/v1alpha1 are forwarded by the Kubernetes API server to the
# tap Service in linkerd-viz.
apiVersion: apiregistration.k8s.io/v1
kind: APIService
metadata:
  name: v1alpha1.tap.linkerd.io
  labels:
    linkerd.io/extension: viz
    component: tap
spec:
  group: tap.linkerd.io
  version: v1alpha1
  groupPriorityMinimum: 1000
  versionPriority: 100
  service:
    name: tap
    namespace: linkerd-viz
  # CA bundle the API server uses to verify the tap server's certificate.
  # NOTE(review): this value base64-decodes to the ASCII text
  # "test-tap-ca-bundle", i.e. a fixture placeholder rather than a PEM
  # certificate. A real install must carry the CA that signed the
  # certificate in the tap-k8s-tls secret.
  caBundle: dGVzdC10YXAtY2EtYnVuZGxl
---
###
### Web RBAC
###
# Namespaced read permissions for the web dashboard, created in the
# "linkerd" namespace (the control-plane namespace passed to the viz
# containers via -controller-namespace=linkerd), not in linkerd-viz.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: web
  namespace: linkerd
  labels:
    linkerd.io/extension: viz
    component: web
    # Label key named "namespace", not metadata.namespace.
    namespace: linkerd
rules:
  - apiGroups: [""]
    resources: ["configmaps"]
    verbs: ["get"]
    resourceNames: ["linkerd-config"]
  # NOTE(review): this rule grants "get" on configmaps without
  # resourceNames, so the linkerd-config restriction in the rule above does
  # not narrow anything: any ConfigMap in this namespace can be read by
  # name. If only linkerd-config is needed, drop "configmaps" from this
  # rule - confirm against what the dashboard actually reads.
  - apiGroups: [""]
    resources: ["namespaces", "configmaps"]
    verbs: ["get"]
  - apiGroups: [""]
    resources: ["serviceaccounts", "pods"]
    verbs: ["list"]
  - apiGroups: ["apps"]
    resources: ["replicasets"]
    verbs: ["list"]
---
# Binds the web Role in the "linkerd" namespace to the web ServiceAccount,
# which lives in a different namespace (linkerd-viz).
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: web
  namespace: linkerd
  labels:
    linkerd.io/extension: viz
    component: web
    # Label key named "namespace", not metadata.namespace.
    namespace: linkerd
roleRef:
  kind: Role
  name: web
  apiGroup: rbac.authorization.k8s.io
subjects:
  - kind: ServiceAccount
    name: web
    namespace: linkerd-viz
---
# Cluster-wide read permissions for the web component, judging by the name
# used for its health-check view. All rules are "list" or "get" only.
# NOTE(review): listing clusterroles, clusterrolebindings and webhook
# configurations exposes the cluster's RBAC and admission layout to the
# dashboard's ServiceAccount; that is read-only but still useful
# reconnaissance data, so access to the dashboard should be controlled.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: linkerd-linkerd-viz-web-check
  labels:
    linkerd.io/extension: viz
    component: web
rules:
  - apiGroups: ["rbac.authorization.k8s.io"]
    resources: ["clusterroles", "clusterrolebindings"]
    verbs: ["list"]
  - apiGroups: ["apiextensions.k8s.io"]
    resources: ["customresourcedefinitions"]
    verbs: ["list"]
  - apiGroups: ["admissionregistration.k8s.io"]
    resources: ["mutatingwebhookconfigurations", "validatingwebhookconfigurations"]
    verbs: ["list"]
  - apiGroups: ["linkerd.io"]
    resources: ["serviceprofiles"]
    verbs: ["list"]
  - apiGroups: [""]
    resources: ["nodes", "pods", "services"]
    verbs: ["list"]
  - apiGroups: ["apiregistration.k8s.io"]
    resources: ["apiservices"]
    verbs: ["get"]
---
# Grants the web-check ClusterRole to the web ServiceAccount, cluster-wide.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: linkerd-linkerd-viz-web-check
  labels:
    linkerd.io/extension: viz
    component: web
roleRef:
  kind: ClusterRole
  name: linkerd-linkerd-viz-web-check
  apiGroup: rbac.authorization.k8s.io
subjects:
  - kind: ServiceAccount
    name: web
    namespace: linkerd-viz
---
# Grants the tap-admin ClusterRole (watch on tap.linkerd.io/*) to the web
# ServiceAccount, cluster-wide.
# NOTE(review): with this binding the dashboard can tap any workload in the
# cluster on behalf of whoever reaches it. No authentication of dashboard
# users is configured in this file, so anyone who can reach the web Service
# presumably inherits that ability - confirm, and restrict access to the
# dashboard or remove this binding where cluster-wide tap is not wanted.
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: linkerd-linkerd-viz-web-admin
  labels:
    linkerd.io/extension: viz
    component: web
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: linkerd-linkerd-viz-tap-admin
subjects:
  - kind: ServiceAccount
    name: web
    namespace: linkerd-viz
---
# Minimal cluster-wide permission for the web component: list namespaces.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: linkerd-linkerd-viz-web-api
  labels:
    linkerd.io/extension: viz
    component: web
rules:
  - apiGroups: [""]
    resources: ["namespaces"]
    verbs: ["list"]
---
# Grants the web-api ClusterRole to the web ServiceAccount.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: linkerd-linkerd-viz-web-api
  labels:
    linkerd.io/extension: viz
    component: web
roleRef:
  kind: ClusterRole
  name: linkerd-linkerd-viz-web-api
  apiGroup: rbac.authorization.k8s.io
subjects:
  - kind: ServiceAccount
    name: web
    namespace: linkerd-viz
---
# Identity used by the web Deployment. In this file it is the subject of
# the web RoleBinding (namespace linkerd) and of the web-check, web-admin
# and web-api ClusterRoleBindings, and it is the only identity admitted by
# the metrics-api-web MeshTLSAuthentication.
kind: ServiceAccount
apiVersion: v1
metadata:
  name: web
  namespace: linkerd-viz
  labels:
    linkerd.io/extension: viz
    component: web
    # Label key named "namespace", not metadata.namespace.
    namespace: linkerd-viz
---
###
### Metrics API
###
# In-cluster (ClusterIP) Service in front of the metrics-api pods, port 8085.
kind: Service
apiVersion: v1
metadata:
  name: metrics-api
  namespace: linkerd-viz
  labels:
    linkerd.io/extension: viz
    component: metrics-api
  annotations:
    linkerd.io/created-by: linkerd/helm dev-undefined
    linkerd.io/inject: enabled
spec:
  type: ClusterIP
  selector:
    linkerd.io/extension: viz
    component: metrics-api
  ports:
    - name: http
      port: 8085
      targetPort: 8085
---
# Single-replica Deployment of the metrics-api container, running under the
# metrics-api ServiceAccount with proxy injection enabled.
apiVersion: apps/v1
kind: Deployment
metadata:
  annotations:
    linkerd.io/created-by: linkerd/helm dev-undefined
    linkerd.io/inject: enabled
    config.linkerd.io/proxy-await: "enabled"
  labels:
    linkerd.io/extension: viz
    app.kubernetes.io/name: metrics-api
    app.kubernetes.io/part-of: Linkerd
    app.kubernetes.io/version: dev-undefined
    component: metrics-api
  name: metrics-api
  namespace: linkerd-viz
spec:
  replicas: 1
  revisionHistoryLimit: 10
  selector:
    matchLabels:
      linkerd.io/extension: viz
      component: metrics-api
  template:
    metadata:
      annotations:
        checksum/config: b73fb1bf343c4203fbab8ee108c5eba2e07d184177e204677dc83d4cad2cd12b
        linkerd.io/created-by: linkerd/helm dev-undefined
        linkerd.io/inject: enabled
        config.alpha.linkerd.io/proxy-wait-before-exit-seconds: "0"
        cluster-autoscaler.kubernetes.io/safe-to-evict: "true"
      labels:
        linkerd.io/extension: viz
        component: metrics-api
    spec:
      nodeSelector:
        kubernetes.io/os: linux

      containers:
        - args:
            - -controller-namespace=linkerd
            - -log-level=info
            - -log-format=plain
            - -cluster-domain=cluster.local
            # Plain-HTTP URL; the pod is meshed (linkerd.io/inject), so
            # transport protection presumably comes from the proxy's mTLS
            # rather than from the application - confirm.
            - -prometheus-url=http://prometheus.linkerd-viz.svc.cluster.local:9090
            # Profiling endpoints stay disabled.
            - -enable-pprof=false
          # NOTE(review): "dev-undefined" looks like a placeholder version
          # from a development/test render, and the image is referenced by
          # tag rather than digest. Pin a released version (ideally by
          # digest) for anything deployed.
          image: cr.l5d.io/linkerd/metrics-api:dev-undefined
          imagePullPolicy: IfNotPresent
          livenessProbe:
            httpGet:
              path: /ping
              port: 9995
            initialDelaySeconds: 10
          name: metrics-api
          ports:
            - containerPort: 8085
              name: http
            - containerPort: 9995
              name: admin-http
          readinessProbe:
            failureThreshold: 7
            httpGet:
              path: /ready
              port: 9995
          # Null: no CPU/memory requests or limits are set for this container.
          resources:
          # Hardened container context: no privilege escalation, all
          # capabilities dropped, non-root UID/GID 2103, read-only root
          # filesystem, runtime default seccomp profile.
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
            runAsNonRoot: true
            readOnlyRootFilesystem: true
            runAsUser: 2103
            runAsGroup: 2103
            seccompProfile:
              type: RuntimeDefault
      # Pod-level seccomp default, applied to containers that do not set
      # their own profile.
      securityContext:
        seccompProfile:
          type: RuntimeDefault
      serviceAccountName: metrics-api
---
# Linkerd policy Server selecting the "http" port of the metrics-api pods;
# it is the target of the metrics-api AuthorizationPolicy.
apiVersion: policy.linkerd.io/v1beta2
kind: Server
metadata:
  namespace: linkerd-viz
  name: metrics-api
  labels:
    linkerd.io/extension: viz
    component: metrics-api
  annotations:
    linkerd.io/created-by: linkerd/helm dev-undefined
spec:
  podSelector:
    matchLabels:
      linkerd.io/extension: viz
      component: metrics-api
  port: http
  proxyProtocol: HTTP/1
---
# Requires clients of the metrics-api Server to satisfy the
# metrics-api-web MeshTLSAuthentication, i.e. to present the mesh identity
# of the web ServiceAccount.
apiVersion: policy.linkerd.io/v1alpha1
kind: AuthorizationPolicy
metadata:
  namespace: linkerd-viz
  name: metrics-api
  labels:
    linkerd.io/extension: viz
    component: metrics-api
  annotations:
    linkerd.io/created-by: linkerd/helm dev-undefined
spec:
  targetRef:
    group: policy.linkerd.io
    kind: Server
    name: metrics-api
  requiredAuthenticationRefs:
    - group: policy.linkerd.io
      kind: MeshTLSAuthentication
      name: metrics-api-web
---
# Mesh-TLS identity allow-list with a single entry: the web ServiceAccount.
# Referenced by the metrics-api AuthorizationPolicy.
apiVersion: policy.linkerd.io/v1alpha1
kind: MeshTLSAuthentication
metadata:
  namespace: linkerd-viz
  name: metrics-api-web
  labels:
    linkerd.io/extension: viz
    component: metrics-api
  annotations:
    linkerd.io/created-by: linkerd/helm dev-undefined
spec:
  identityRefs:
    - kind: ServiceAccount
      name: web
---
# Network-based authentication intended to match traffic from the kubelet.
# NOTE(review): both CIDRs together match every IPv4 and IPv6 source
# address, so a policy that relies on this object authenticates any client
# by network. No AuthorizationPolicy in the portion of the file shown here
# references it; before wiring it to one, narrow the CIDRs to the node
# network where that is known.
apiVersion: policy.linkerd.io/v1alpha1
kind: NetworkAuthentication
metadata:
  namespace: linkerd-viz
  name: kubelet
  labels:
    linkerd.io/extension: viz
  annotations:
    linkerd.io/created-by: linkerd/helm dev-undefined
spec:
  # Ideally, this should be restricted to the actual set of IPs kubelet uses in
  # a cluster. This can't easily be discovered.
  networks:
    - cidr: "0.0.0.0/0"
    - cidr: "::/0"
---
###
### Prometheus
###
# Prometheus configuration, mounted into the prometheus pod as
# /etc/prometheus/prometheus.yml. Everything below "prometheus.yml: |-" is
# a literal string handed to Prometheus, so review notes are kept out here.
#
# Scrape jobs defined in the string:
#   - prometheus: self-scrape on localhost:9090.
#   - kubernetes-nodes-cadvisor: per-node cadvisor metrics fetched through
#     the API server (kubernetes.default.svc:443) at
#     /api/v1/nodes/<node>/proxy/metrics/cadvisor, authenticated with the
#     pod's ServiceAccount token. This is the consumer of the "nodes/proxy"
#     grant in the prometheus ClusterRole.
#   - linkerd-controller: pods in the linkerd and linkerd-viz namespaces
#     with a container port named admin-http.
#   - linkerd-service-mirror and linkerd-proxy: pod discovery with no
#     namespace filter, i.e. across all namespaces.
#
# NOTE(review): the cadvisor job sets "insecure_skip_verify: true" next to
# "ca_file". With verification skipped the CA file has no effect, and the
# ServiceAccount bearer token is sent to a peer whose certificate is not
# checked. The job's target is rewritten to kubernetes.default.svc:443, and
# the mounted ca.crt is normally the CA for that endpoint, so verification
# can presumably be turned on without breaking the scrape - confirm in a
# test cluster.
kind: ConfigMap
apiVersion: v1
metadata:
  name: prometheus-config
  namespace: linkerd-viz
  labels:
    linkerd.io/extension: viz
    component: prometheus
    # Label key named "namespace", not metadata.namespace.
    namespace: linkerd-viz
  annotations:
    linkerd.io/created-by: linkerd/helm dev-undefined
data:
  prometheus.yml: |-
    global:
      evaluation_interval: 10s
      scrape_interval: 10s
      scrape_timeout: 10s

    rule_files:
    - /etc/prometheus/*_rules.yml
    - /etc/prometheus/*_rules.yaml

    scrape_configs:
    - job_name: 'prometheus'
      static_configs:
      - targets: ['localhost:9090']

    # Required for: https://grafana.com/grafana/dashboards/315
    - job_name: 'kubernetes-nodes-cadvisor'
      scheme: https
      tls_config:
        ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
        insecure_skip_verify: true
      bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token
      kubernetes_sd_configs:
      - role: node
      relabel_configs:
      - action: labelmap
        regex: __meta_kubernetes_node_label_(.+)
      - target_label: __address__
        replacement: kubernetes.default.svc:443
      - source_labels: [__meta_kubernetes_node_name]
        regex: (.+)
        target_label: __metrics_path__
        replacement: /api/v1/nodes/$1/proxy/metrics/cadvisor
      metric_relabel_configs:
      - source_labels: [__name__]
        regex: '(container|machine)_(cpu|memory|network|fs)_(.+)'
        action: keep
      - source_labels: [__name__]
        regex: 'container_memory_failures_total' # unneeded large metric
        action: drop

    - job_name: 'linkerd-controller'
      kubernetes_sd_configs:
      - role: pod
        namespaces:
          names:
          - 'linkerd'
          - 'linkerd-viz'
      relabel_configs:
      - source_labels:
        - __meta_kubernetes_pod_container_port_name
        action: keep
        regex: admin-http
      - source_labels: [__meta_kubernetes_pod_container_name]
        action: replace
        target_label: component

    - job_name: 'linkerd-service-mirror'
      kubernetes_sd_configs:
      - role: pod
      relabel_configs:
      - source_labels:
        - __meta_kubernetes_pod_label_component
        - __meta_kubernetes_pod_container_port_name
        action: keep
        regex: linkerd-service-mirror;admin-http$
      - source_labels: [__meta_kubernetes_pod_container_name]
        action: replace
        target_label: component

    - job_name: 'linkerd-proxy'
      kubernetes_sd_configs:
      - role: pod
      relabel_configs:
      - source_labels:
        - __meta_kubernetes_pod_container_name
        - __meta_kubernetes_pod_container_port_name
        - __meta_kubernetes_pod_label_linkerd_io_control_plane_ns
        action: keep
        regex: ^linkerd-proxy;linkerd-admin;linkerd$
      - source_labels: [__meta_kubernetes_namespace]
        action: replace
        target_label: namespace
      - source_labels: [__meta_kubernetes_pod_name]
        action: replace
        target_label: pod
      # special case k8s' "job" label, to not interfere with prometheus' "job"
      # label
      # __meta_kubernetes_pod_label_linkerd_io_proxy_job=foo =>
      # k8s_job=foo
      - source_labels: [__meta_kubernetes_pod_label_linkerd_io_proxy_job]
        action: replace
        target_label: k8s_job
      # drop __meta_kubernetes_pod_label_linkerd_io_proxy_job
      - action: labeldrop
        regex: __meta_kubernetes_pod_label_linkerd_io_proxy_job
      # __meta_kubernetes_pod_label_linkerd_io_proxy_deployment=foo =>
      # deployment=foo
      - action: labelmap
        regex: __meta_kubernetes_pod_label_linkerd_io_proxy_(.+)
      # drop all labels that we just made copies of in the previous labelmap
      - action: labeldrop
        regex: __meta_kubernetes_pod_label_linkerd_io_proxy_(.+)
      # __meta_kubernetes_pod_label_linkerd_io_foo=bar =>
      # foo=bar
      - action: labelmap
        regex: __meta_kubernetes_pod_label_linkerd_io_(.+)
      # Copy all pod labels to tmp labels
      - action: labelmap
        regex: __meta_kubernetes_pod_label_(.+)
        replacement: __tmp_pod_label_$1
      # Take `linkerd_io_` prefixed labels and copy them without the prefix
      - action: labelmap
        regex: __tmp_pod_label_linkerd_io_(.+)
        replacement: __tmp_pod_label_$1
      # Drop the `linkerd_io_` originals
      - action: labeldrop
        regex: __tmp_pod_label_linkerd_io_(.+)
      # Copy tmp labels into real labels
      - action: labelmap
        regex: __tmp_pod_label_(.+)
---
# In-cluster (ClusterIP) Service for Prometheus on port 9090. The port is
# named admin-http, the same port the prometheus-admin Server protects.
kind: Service
apiVersion: v1
metadata:
  name: prometheus
  namespace: linkerd-viz
  labels:
    linkerd.io/extension: viz
    component: prometheus
    # Label key named "namespace", not metadata.namespace.
    namespace: linkerd-viz
  annotations:
    linkerd.io/created-by: linkerd/helm dev-undefined
    linkerd.io/inject: enabled
spec:
  type: ClusterIP
  selector:
    linkerd.io/extension: viz
    component: prometheus
  ports:
    - name: admin-http
      port: 9090
      targetPort: 9090
---
# Single-replica Prometheus Deployment running under the prometheus
# ServiceAccount. Metrics are kept in an emptyDir, so they do not survive
# pod rescheduling; retention is 6h.
apiVersion: apps/v1
kind: Deployment
metadata:
  annotations:
    linkerd.io/created-by: linkerd/helm dev-undefined
    linkerd.io/inject: enabled
    config.linkerd.io/proxy-await: "enabled"
  labels:
    linkerd.io/extension: viz
    app.kubernetes.io/name: prometheus
    app.kubernetes.io/part-of: Linkerd
    app.kubernetes.io/version: dev-undefined
    component: prometheus
    # Label key named "namespace", not metadata.namespace.
    namespace: linkerd-viz
  name: prometheus
  namespace: linkerd-viz
spec:
  replicas: 1
  revisionHistoryLimit: 10
  selector:
    matchLabels:
      linkerd.io/extension: viz
      component: prometheus
      namespace: linkerd-viz
  template:
    metadata:
      annotations:
        linkerd.io/created-by: linkerd/helm dev-undefined
        linkerd.io/inject: enabled
        config.alpha.linkerd.io/proxy-wait-before-exit-seconds: "0"
      labels:
        linkerd.io/extension: viz
        component: prometheus
        namespace: linkerd-viz
    spec:
      nodeSelector:
        kubernetes.io/os: linux
      containers:
        - args:
            - --log.format=logfmt
            - --config.file=/etc/prometheus/prometheus.yml
            # NOTE(review): debug is the most verbose Prometheus log level.
            # Use it for troubleshooting only; verbose logs add volume and
            # can expose more operational detail to anyone who can read
            # pod logs.
            - --log.level=debug
            - --storage.tsdb.path=/data
            - --storage.tsdb.retention.time=6h
          # NOTE(review): no registry host is given, so the image comes
          # from the container runtime's default registry, and it is
          # referenced by mutable tag. Pinning by digest makes the deployed
          # content verifiable.
          image: prom/prometheus:v2.48.1
          imagePullPolicy: IfNotPresent
          livenessProbe:
            httpGet:
              path: /-/healthy
              port: 9090
            initialDelaySeconds: 30
            timeoutSeconds: 30
          name: prometheus
          ports:
            - containerPort: 9090
              name: admin-http
          readinessProbe:
            httpGet:
              path: /-/ready
              port: 9090
            initialDelaySeconds: 30
            timeoutSeconds: 30
          # Null: no CPU/memory requests or limits are set for this container.
          resources:
          # Hardened container context: no privilege escalation, all
          # capabilities dropped, read-only root filesystem, non-root
          # UID/GID 65534, runtime default seccomp profile.
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
            readOnlyRootFilesystem: true
            runAsGroup: 65534
            runAsNonRoot: true
            runAsUser: 65534
            seccompProfile:
              type: RuntimeDefault
          volumeMounts:
            # Writable TSDB directory; needed because the root filesystem
            # is read-only.
            - mountPath: /data
              name: data
            # Only the prometheus.yml key of the ConfigMap is mounted,
            # read-only.
            - mountPath: /etc/prometheus/prometheus.yml
              name: prometheus-config
              subPath: prometheus.yml
              readOnly: true
      securityContext:
        # Group ownership applied to mounted volumes, matching runAsGroup.
        fsGroup: 65534
        seccompProfile:
          type: RuntimeDefault
      serviceAccountName: prometheus
      volumes:
        - name: data
          emptyDir: {}
        - configMap:
            name: prometheus-config
          name: prometheus-config
---
# Linkerd policy Server selecting the admin-http port (9090) of the
# prometheus pods; target of the prometheus-admin AuthorizationPolicy.
apiVersion: policy.linkerd.io/v1beta2
kind: Server
metadata:
  namespace: linkerd-viz
  name: prometheus-admin
  labels:
    linkerd.io/extension: viz
  annotations:
    linkerd.io/created-by: linkerd/helm dev-undefined
spec:
  podSelector:
    matchLabels:
      linkerd.io/extension: viz
      component: prometheus
      # Pod label named "namespace", as set in the Deployment's template.
      namespace: linkerd-viz
  port: admin-http
  proxyProtocol: HTTP/1
---
# Restricts the prometheus-admin Server to clients presenting the identity
# of the metrics-api ServiceAccount in linkerd-viz. No other identity is
# listed, so other meshed clients (dashboards, ad-hoc queries) are
# presumably rejected unless a further policy is added - confirm.
apiVersion: policy.linkerd.io/v1alpha1
kind: AuthorizationPolicy
metadata:
  namespace: linkerd-viz
  name: prometheus-admin
  labels:
    linkerd.io/extension: viz
  annotations:
    linkerd.io/created-by: linkerd/helm dev-undefined
spec:
  targetRef:
    group: policy.linkerd.io
    kind: Server
    name: prometheus-admin
  requiredAuthenticationRefs:
    - kind: ServiceAccount
      name: metrics-api
      namespace: linkerd-viz
---
###
### Tap
###
# In-cluster (ClusterIP) Service for tap. Port 443 maps to the container
# port named "apiserver" and is the endpoint the APIService
# v1alpha1.tap.linkerd.io points the Kubernetes API server at.
kind: Service
apiVersion: v1
metadata:
  name: tap
  namespace: linkerd-viz
  labels:
    linkerd.io/extension: viz
    component: tap
    # Label key named "namespace", not metadata.namespace.
    namespace: linkerd-viz
  annotations:
    linkerd.io/created-by: linkerd/helm dev-undefined
    linkerd.io/inject: enabled
spec:
  type: ClusterIP
  selector:
    linkerd.io/extension: viz
    component: tap
  ports:
    - name: grpc
      port: 8088
      targetPort: 8088
    - name: apiserver
      port: 443
      targetPort: apiserver
---
# Single-replica Deployment of the tap API server, running under the tap
# ServiceAccount with its serving certificate mounted from a Secret.
kind: Deployment
apiVersion: apps/v1
metadata:
  annotations:
    linkerd.io/created-by: linkerd/helm dev-undefined
    linkerd.io/inject: enabled
    config.linkerd.io/proxy-await: "enabled"
  labels:
    linkerd.io/extension: viz
    app.kubernetes.io/name: tap
    app.kubernetes.io/part-of: Linkerd
    app.kubernetes.io/version: dev-undefined
    component: tap
    # Label key named "namespace", not metadata.namespace.
    namespace: linkerd-viz
  name: tap
  namespace: linkerd-viz
spec:
  replicas: 1
  revisionHistoryLimit: 10
  selector:
    matchLabels:
      linkerd.io/extension: viz
      component: tap
      namespace: linkerd-viz
  template:
    metadata:
      annotations:
        checksum/config: d6f2ea38c4004667c96eb4fb0135fe0d9d9a87f5c19aaee30e6ccb6ef7219324
        linkerd.io/created-by: linkerd/helm dev-undefined
        linkerd.io/inject: enabled
        config.alpha.linkerd.io/proxy-wait-before-exit-seconds: "0"
        cluster-autoscaler.kubernetes.io/safe-to-evict: "true"
      labels:
        linkerd.io/extension: viz
        component: tap
        namespace: linkerd-viz
    spec:
      nodeSelector:
        kubernetes.io/os: linux

      containers:
        - args:
            - api
            - -api-namespace=linkerd
            - -log-level=info
            - -log-format=plain
            - -identity-trust-domain=cluster.local
            # Profiling endpoints stay disabled.
            - -enable-pprof=false
          # NOTE(review): placeholder-looking "dev-undefined" tag; pin a
          # released version (ideally by digest) for anything deployed.
          image: cr.l5d.io/linkerd/tap:dev-undefined
          imagePullPolicy: IfNotPresent
          livenessProbe:
            httpGet:
              path: /ping
              port: 9998
            initialDelaySeconds: 10
          name: tap
          ports:
            - containerPort: 8088
              name: grpc
            - containerPort: 8089
              name: apiserver
            - containerPort: 9998
              name: admin-http
          readinessProbe:
            failureThreshold: 7
            httpGet:
              path: /ready
              port: 9998
          # Null: no CPU/memory requests or limits are set for this container.
          resources:
          # Hardened container context: no privilege escalation, all
          # capabilities dropped, read-only root filesystem, non-root
          # UID/GID 2103, runtime default seccomp profile.
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
            readOnlyRootFilesystem: true
            runAsGroup: 2103
            runAsNonRoot: true
            runAsUser: 2103
            seccompProfile:
              type: RuntimeDefault
          volumeMounts:
            # TLS material for the apiserver port, mounted read-only.
            - mountPath: /var/run/linkerd/tls
              name: tls
              readOnly: true
      securityContext:
        seccompProfile:
          type: RuntimeDefault
      serviceAccountName: tap
      volumes:
        # The Secret itself is not defined in this file. Its certificate
        # must chain to the caBundle of the tap APIService.
        - name: tls
          secret:
            secretName: tap-k8s-tls
---
# Linkerd policy Server selecting the "apiserver" port of the tap pods.
# proxyProtocol TLS: the proxy forwards the connection without terminating
# it, so the tap server's own TLS endpoint handles the session.
apiVersion: policy.linkerd.io/v1beta2
kind: Server
metadata:
  namespace: linkerd-viz
  name: tap-api
  labels:
    linkerd.io/extension: viz
    component: tap
  annotations:
    linkerd.io/created-by: linkerd/helm dev-undefined
spec:
  podSelector:
    matchLabels:
      linkerd.io/extension: viz
      component: tap
  port: apiserver
  proxyProtocol: TLS
---
# Authorizes connections to the tap-api Server by source network, using the
# kube-api-server NetworkAuthentication.
# NOTE(review): that object lists 0.0.0.0/0 and ::/0, so at the mesh policy
# layer any source address is admitted to the tap apiserver port. Caller
# authentication then rests on the tap server itself, presumably through
# the delegated authentication/authorization that the auth-delegator and
# auth-reader bindings in this file enable - confirm.
apiVersion: policy.linkerd.io/v1alpha1
kind: AuthorizationPolicy
metadata:
  namespace: linkerd-viz
  name: tap
  labels:
    linkerd.io/extension: viz
    component: tap
  annotations:
    linkerd.io/created-by: linkerd/helm dev-undefined
spec:
  targetRef:
    group: policy.linkerd.io
    kind: Server
    name: tap-api
  requiredAuthenticationRefs:
    - group: policy.linkerd.io
      kind: NetworkAuthentication
      name: kube-api-server
---
###
### Tap Injector RBAC
###
# Minimal cluster-wide permission for the tap injector webhook: read-only
# access to namespaces.
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: linkerd-tap-injector
  labels:
    linkerd.io/extension: viz
rules:
  - apiGroups: [""]
    resources: ["namespaces"]
    verbs: ["get", "list", "watch"]
---
# Grants the tap-injector ClusterRole to the tap-injector ServiceAccount.
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: linkerd-tap-injector
  labels:
    linkerd.io/extension: viz
subjects:
  - kind: ServiceAccount
    name: tap-injector
    namespace: linkerd-viz
roleRef:
  kind: ClusterRole
  name: linkerd-tap-injector
  apiGroup: rbac.authorization.k8s.io
---
# Identity used by the tap-injector Deployment.
kind: ServiceAccount
apiVersion: v1
metadata:
  name: tap-injector
  namespace: linkerd-viz
  labels:
    linkerd.io/extension: viz
---
# Registers the tap-injector Service as a mutating admission webhook for
# pod creation in every namespace except kube-system.
# NOTE(review): a mutating webhook on pod CREATE sits in the admission path
# of almost every workload and can change pod specs. The tap-injector
# image, its TLS secret (tap-injector-k8s-tls) and write access to this
# object deserve the same protection as cluster-admin credentials.
apiVersion: admissionregistration.k8s.io/v1
kind: MutatingWebhookConfiguration
metadata:
  name: linkerd-tap-injector-webhook-config
  labels:
    linkerd.io/extension: viz
webhooks:
  - name: tap-injector.linkerd.io
    # Skip kube-system, selected by the automatic namespace-name label.
    namespaceSelector:
      matchExpressions:
        - key: kubernetes.io/metadata.name
          operator: NotIn
          values:
            - kube-system
    clientConfig:
      service:
        name: tap-injector
        namespace: linkerd-viz
        path: "/"
      # CA the API server uses to verify the webhook's certificate.
      # NOTE(review): base64-decodes to the ASCII text "test-tap-ca-bundle",
      # a fixture placeholder rather than a PEM certificate.
      caBundle: dGVzdC10YXAtY2EtYnVuZGxl
    # Fail open: if the webhook is unreachable or errors, pod creation
    # proceeds without the mutation, so an injector outage does not block
    # scheduling. The trade-off is that tap configuration is best-effort
    # and can be silently absent on pods created during an outage.
    failurePolicy: Ignore
    admissionReviewVersions: ["v1", "v1beta1"]
    reinvocationPolicy: IfNeeded
    rules:
      - operations: [ "CREATE" ]
        apiGroups: [""]
        apiVersions: ["v1"]
        resources: ["pods"]
        scope: "Namespaced"
    sideEffects: None
---
###
### Tap Injector
###
# In-cluster (ClusterIP) Service the webhook configuration points at; port
# 443 maps to the container port named "tap-injector".
kind: Service
apiVersion: v1
metadata:
  name: tap-injector
  namespace: linkerd-viz
  labels:
    linkerd.io/extension: viz
    component: tap-injector
  annotations:
    linkerd.io/created-by: linkerd/helm dev-undefined
    linkerd.io/inject: enabled
spec:
  type: ClusterIP
  selector:
    linkerd.io/extension: viz
    component: tap-injector
  ports:
    - name: tap-injector
      port: 443
      targetPort: tap-injector
---
# Single-replica Deployment of the tap injector webhook server. It runs the
# same image as the tap Deployment with the "injector" subcommand, under
# the tap-injector ServiceAccount.
kind: Deployment
apiVersion: apps/v1
metadata:
  annotations:
    linkerd.io/created-by: linkerd/helm dev-undefined
    linkerd.io/inject: enabled
    config.linkerd.io/proxy-await: "enabled"
  labels:
    linkerd.io/extension: viz
    app.kubernetes.io/name: tap-injector
    app.kubernetes.io/part-of: Linkerd
    component: tap-injector
  name: tap-injector
  namespace: linkerd-viz
spec:
  replicas: 1
  revisionHistoryLimit: 10
  selector:
    # Unlike the other Deployments in this file, the selector matches on
    # the component label only.
    matchLabels:
      component: tap-injector
  template:
    metadata:
      annotations:
        checksum/config: f46683697f33ac5449b952d1d037718887c4f98421d0f4133bb19e1c873a925d
        linkerd.io/created-by: linkerd/helm dev-undefined
        linkerd.io/inject: enabled
        config.alpha.linkerd.io/proxy-wait-before-exit-seconds: "0"
        cluster-autoscaler.kubernetes.io/safe-to-evict: "true"
      labels:
        linkerd.io/extension: viz
        component: tap-injector
    spec:
      nodeSelector:
        kubernetes.io/os: linux

      containers:
        - args:
            - injector
            # Mesh identity name of the tap ServiceAccount in linkerd-viz.
            - -tap-service-name=tap.linkerd-viz.serviceaccount.identity.linkerd.cluster.local
            - -log-level=info
            - -log-format=plain
            # Profiling endpoints stay disabled.
            - -enable-pprof=false
          # NOTE(review): placeholder-looking "dev-undefined" tag; pin a
          # released version (ideally by digest) for anything deployed.
          image: cr.l5d.io/linkerd/tap:dev-undefined
          imagePullPolicy: IfNotPresent
          livenessProbe:
            httpGet:
              path: /ping
              port: 9995
            initialDelaySeconds: 10
          name: tap-injector
          ports:
            - containerPort: 8443
              name: tap-injector
            - containerPort: 9995
              name: admin-http
          readinessProbe:
            failureThreshold: 7
            httpGet:
              path: /ready
              port: 9995
          # Null: no CPU/memory requests or limits are set for this container.
          resources:
          # Hardened container context: no privilege escalation, all
          # capabilities dropped, read-only root filesystem, non-root
          # UID/GID 2103, runtime default seccomp profile.
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
            readOnlyRootFilesystem: true
            runAsGroup: 2103
            runAsNonRoot: true
            runAsUser: 2103
            seccompProfile:
              type: RuntimeDefault
          volumeMounts:
            # Webhook serving certificate and key, mounted read-only.
            - mountPath: /var/run/linkerd/tls
              name: tls
              readOnly: true
      securityContext:
        seccompProfile:
          type: RuntimeDefault
      serviceAccountName: tap-injector
      volumes:
        # The Secret itself is not defined in this file. Its certificate
        # must chain to the caBundle in the MutatingWebhookConfiguration.
        - name: tls
          secret:
            secretName: tap-injector-k8s-tls
---
# Linkerd policy Server selecting the "tap-injector" port of the injector
# pods, handled as opaque TLS; target of the tap-injector
# AuthorizationPolicy.
apiVersion: policy.linkerd.io/v1beta2
kind: Server
metadata:
  namespace: linkerd-viz
  name: tap-injector-webhook
  labels:
    linkerd.io/extension: viz
    component: tap-injector
  annotations:
    linkerd.io/created-by: linkerd/helm dev-undefined
spec:
  podSelector:
    matchLabels:
      linkerd.io/extension: viz
      component: tap-injector
  port: tap-injector
  proxyProtocol: TLS
---
# Authorizes connections to the tap-injector-webhook Server by source
# network, using the kube-api-server NetworkAuthentication.
# NOTE(review): that object lists 0.0.0.0/0 and ::/0, so this policy admits
# any source address to the webhook port; it does not by itself prove the
# caller is the API server.
apiVersion: policy.linkerd.io/v1alpha1
kind: AuthorizationPolicy
metadata:
  namespace: linkerd-viz
  name: tap-injector
  labels:
    linkerd.io/extension: viz
    component: tap-injector
  annotations:
    linkerd.io/created-by: linkerd/helm dev-undefined
spec:
  targetRef:
    group: policy.linkerd.io
    kind: Server
    name: tap-injector-webhook
  requiredAuthenticationRefs:
    - group: policy.linkerd.io
      kind: NetworkAuthentication
      name: kube-api-server
---
# Network-based authentication intended to match traffic from the
# Kubernetes API server. Referenced by the tap and tap-injector
# AuthorizationPolicies in this file.
# NOTE(review): the two CIDRs match every IPv4 and IPv6 source address, so
# both policies accept connections from anywhere. Where the API server's
# egress addresses are known (for example a fixed control-plane subnet),
# replace these entries with that range.
apiVersion: policy.linkerd.io/v1alpha1
kind: NetworkAuthentication
metadata:
  namespace: linkerd-viz
  name: kube-api-server
  labels:
    linkerd.io/extension: viz
  annotations:
    linkerd.io/created-by: linkerd/helm dev-undefined
spec:
  # Ideally, this should be restricted to the actual set of IPs the
  # Kubernetes API server uses for webhooks in a cluster. This can't easily
  # be discovered.
  networks:
    - cidr: "0.0.0.0/0"
    - cidr: "::/0"
---
###
### Web
###
# In-cluster (ClusterIP) Service for the dashboard: 8084 for the UI and
# 9994 for the admin endpoint.
# NOTE(review): no Server or AuthorizationPolicy for the web pods appears
# in this file, and the web ServiceAccount holds tap-admin. If this Service
# is exposed beyond the cluster (ingress, port-forward shared with others),
# put authentication in front of it.
kind: Service
apiVersion: v1
metadata:
  name: web
  namespace: linkerd-viz
  labels:
    linkerd.io/extension: viz
    component: web
    # Label key named "namespace", not metadata.namespace.
    namespace: linkerd-viz
  annotations:
    linkerd.io/created-by: linkerd/helm dev-undefined

    linkerd.io/inject: enabled
spec:
  type: ClusterIP
  selector:
    linkerd.io/extension: viz
    component: web
  ports:
    - name: http
      port: 8084
      targetPort: 8084
    - name: admin-http
      port: 9994
      targetPort: 9994
---
# Single-replica Deployment of the web dashboard, running under the web
# ServiceAccount with proxy injection enabled.
apiVersion: apps/v1
kind: Deployment
metadata:
  annotations:
    linkerd.io/created-by: linkerd/helm dev-undefined
    linkerd.io/inject: enabled
    config.linkerd.io/proxy-await: "enabled"
  labels:
    linkerd.io/extension: viz
    app.kubernetes.io/name: web
    app.kubernetes.io/part-of: Linkerd
    app.kubernetes.io/version: dev-undefined
    component: web
    # Label key named "namespace", not metadata.namespace.
    namespace: linkerd-viz
  name: web
  namespace: linkerd-viz
spec:
  replicas: 1
  revisionHistoryLimit: 10
  selector:
    matchLabels:
      linkerd.io/extension: viz
      component: web
      namespace: linkerd-viz
  template:
    metadata:
      annotations:
        linkerd.io/created-by: linkerd/helm dev-undefined
        linkerd.io/inject: enabled
        config.alpha.linkerd.io/proxy-wait-before-exit-seconds: "0"
        cluster-autoscaler.kubernetes.io/safe-to-evict: "true"
      labels:
        linkerd.io/extension: viz
        component: web
        namespace: linkerd-viz
    spec:
      nodeSelector:
        kubernetes.io/os: linux

      containers:
        - args:
            - -linkerd-metrics-api-addr=metrics-api.linkerd-viz.svc.cluster.local:8085
            - -cluster-domain=cluster.local
            - -controller-namespace=linkerd
            - -log-level=info
            - -log-format=plain
            # Allow-list for the request Host header: localhost, 127.0.0.1,
            # [::1] and the in-cluster names of the web Service, each with
            # an optional port. The pattern is anchored at both ends.
            # Presumably a DNS-rebinding defence; when the dashboard is
            # served under another hostname, extend the pattern with that
            # exact name rather than loosening it - confirm against the
            # dashboard documentation.
            - -enforced-host=^(localhost|127\.0\.0\.1|web\.linkerd-viz\.svc\.cluster\.local|web\.linkerd-viz\.svc|\[::1\])(:\d+)?$
            # Profiling endpoints stay disabled.
            - -enable-pprof=false
          # NOTE(review): placeholder-looking "dev-undefined" tag; pin a
          # released version (ideally by digest) for anything deployed.
          image: cr.l5d.io/linkerd/web:dev-undefined
          imagePullPolicy: IfNotPresent
          livenessProbe:
            httpGet:
              path: /ping
              port: 9994
            initialDelaySeconds: 10
          name: web
          ports:
            - containerPort: 8084
              name: http
            - containerPort: 9994
              name: admin-http
          readinessProbe:
            failureThreshold: 7
            httpGet:
              path: /ready
              port: 9994
          # Null: no CPU/memory requests or limits are set for this container.
          resources:
          # Hardened container context: no privilege escalation, all
          # capabilities dropped, read-only root filesystem, non-root
          # UID/GID 2103, runtime default seccomp profile.
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
            readOnlyRootFilesystem: true
            runAsGroup: 2103
            runAsNonRoot: true
            runAsUser: 2103
            seccompProfile:
              type: RuntimeDefault
      securityContext:
        seccompProfile:
          type: RuntimeDefault
      serviceAccountName: web
---
# Per-route definitions for the metrics-api Service: seven POST routes,
# each matched by HTTP method and path regex. A ServiceProfile describes
# routes for metrics and routing behaviour; it is not an access-control
# object (access is governed by the metrics-api AuthorizationPolicy).
apiVersion: linkerd.io/v1alpha2
kind: ServiceProfile
metadata:
  name: metrics-api.linkerd-viz.svc.cluster.local
  namespace: linkerd-viz
  labels:
    linkerd.io/extension: viz
spec:
  routes:
    - name: POST /api/v1/StatSummary
      condition:
        method: POST
        pathRegex: /api/v1/StatSummary
    - name: POST /api/v1/TopRoutes
      condition:
        method: POST
        pathRegex: /api/v1/TopRoutes
    - name: POST /api/v1/ListPods
      condition:
        method: POST
        pathRegex: /api/v1/ListPods
    - name: POST /api/v1/ListServices
      condition:
        method: POST
        pathRegex: /api/v1/ListServices
    - name: POST /api/v1/SelfCheck
      condition:
        method: POST
        pathRegex: /api/v1/SelfCheck
    - name: POST /api/v1/Gateways
      condition:
        method: POST
        pathRegex: /api/v1/Gateways
    - name: POST /api/v1/Edges
      condition:
        method: POST
        pathRegex: /api/v1/Edges
---
# Per-route definitions for the prometheus Service: the query, query_range
# and series endpoints of the Prometheus HTTP API. Like the metrics-api
# profile this describes routes only; access to the port is governed by the
# prometheus-admin AuthorizationPolicy.
apiVersion: linkerd.io/v1alpha2
kind: ServiceProfile
metadata:
  name: prometheus.linkerd-viz.svc.cluster.local
  namespace: linkerd-viz
  labels:
    linkerd.io/extension: viz
spec:
  routes:
    - name: POST /api/v1/query
      condition:
        method: POST
        pathRegex: /api/v1/query
    - name: GET /api/v1/query_range
      condition:
        method: GET
        pathRegex: /api/v1/query_range
    - name: GET /api/v1/series
      condition:
        method: GET
        pathRegex: /api/v1/series