---
#
# Linkerd Viz extension namespace
#
# Image tags and created-by annotations throughout this file read
# "dev-undefined", so this looks like a development/test render rather than a
# release manifest.
#
# NOTE(review): `enforce: privileged` means Pod Security Admission places no
# restrictions on pods created in this namespace. The workloads below all set
# a restrictive container securityContext themselves; presumably the
# privileged level is kept for injected proxy/init containers, which are not
# visible here. Confirm before tightening.
apiVersion: v1
kind: Namespace
metadata:
  name: linkerd-viz
  labels:
    linkerd.io/extension: viz
    pod-security.kubernetes.io/enforce: privileged
  # Left empty in the source; parses as null.
  annotations:
---
#
# Metrics API RBAC
#
# Cluster-wide read-only access to workloads, core objects, service profiles
# and Linkerd policy resources. No write verbs are granted.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: linkerd-linkerd-viz-metrics-api
  labels:
    linkerd.io/extension: viz
    component: metrics-api
rules:
  - apiGroups: ["extensions", "apps"]
    resources: ["daemonsets", "deployments", "replicasets", "statefulsets"]
    verbs: ["list", "get", "watch"]
  - apiGroups: ["extensions", "batch"]
    resources: ["cronjobs", "jobs"]
    verbs: ["list", "get", "watch"]
  - apiGroups: [""]
    resources: ["pods", "endpoints", "services", "replicationcontrollers", "namespaces"]
    verbs: ["list", "get", "watch"]
  - apiGroups: ["linkerd.io"]
    resources: ["serviceprofiles"]
    verbs: ["list", "get", "watch"]
  - apiGroups: ["policy.linkerd.io"]
    resources: ["servers", "serverauthorizations", "authorizationpolicies", "httproutes"]
    verbs: ["list", "get"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: linkerd-linkerd-viz-metrics-api
  labels:
    linkerd.io/extension: viz
    component: metrics-api
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: linkerd-linkerd-viz-metrics-api
subjects:
  - kind: ServiceAccount
    name: metrics-api
    namespace: linkerd-viz
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: metrics-api
  namespace: linkerd-viz
  labels:
    linkerd.io/extension: viz
    component: metrics-api
---
#
# Prometheus RBAC
#
# NOTE(review): `nodes/proxy` is what the 'kubernetes-nodes-cadvisor' scrape
# job in prometheus-config relies on (it scrapes
# /api/v1/nodes/<node>/proxy/metrics/cadvisor through the API server). The
# subresource covers the API server's proxy to each node's kubelet, which is
# broader than the metrics path alone, so the prometheus ServiceAccount token
# should be treated as sensitive.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: linkerd-linkerd-viz-prometheus
  labels:
    linkerd.io/extension: viz
    component: prometheus
rules:
  - apiGroups: [""]
    resources: ["nodes", "nodes/proxy", "pods"]
    verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: linkerd-linkerd-viz-prometheus
  labels:
    linkerd.io/extension: viz
    component: prometheus
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: linkerd-linkerd-viz-prometheus
subjects:
  - kind: ServiceAccount
    name: prometheus
    namespace: linkerd-viz
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: prometheus
  namespace: linkerd-viz
  labels:
    linkerd.io/extension: viz
    component: prometheus
    # `namespace` here is a label key, not metadata.namespace.
    namespace: linkerd-viz
---
#
# Tap RBAC
#
# Read-only view of workloads and core objects for the tap ServiceAccount.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: linkerd-linkerd-viz-tap
  labels:
    linkerd.io/extension: viz
    component: tap
rules:
  - apiGroups: [""]
    resources: ["pods", "services", "replicationcontrollers", "namespaces", "nodes"]
    verbs: ["list", "get", "watch"]
  - apiGroups: ["extensions", "apps"]
    resources: ["daemonsets", "deployments", "replicasets", "statefulsets"]
    verbs: ["list", "get", "watch"]
  - apiGroups: ["extensions", "batch"]
    resources: ["cronjobs", "jobs"]
    verbs: ["list", "get", "watch"]
---
# NOTE(review): `watch` on every resource in tap.linkerd.io. In this file the
# role is bound to the `web` ServiceAccount (linkerd-linkerd-viz-web-admin),
# so whoever can reach the dashboard acts with this permission. Binding it to
# further subjects should be a deliberate decision.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: linkerd-linkerd-viz-tap-admin
  labels:
    linkerd.io/extension: viz
    component: tap
rules:
  - apiGroups: [""]
    resources: ["namespaces"]
    verbs: ["list"]
  - apiGroups: ["tap.linkerd.io"]
    resources: ["*"]
    verbs: ["watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: linkerd-linkerd-viz-tap
  labels:
    linkerd.io/extension: viz
    component: tap
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: linkerd-linkerd-viz-tap
subjects:
  - kind: ServiceAccount
    name: tap
    namespace: linkerd-viz
---
# Binds tap to the built-in system:auth-delegator role, which lets an
# aggregated API server delegate authentication and authorization checks to
# the Kubernetes API server.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: linkerd-linkerd-viz-tap-auth-delegator
  labels:
    linkerd.io/extension: viz
    component: tap
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: system:auth-delegator
subjects:
  - kind: ServiceAccount
    name: tap
    namespace: linkerd-viz
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: tap
  namespace: linkerd-viz
  labels:
    linkerd.io/extension: viz
    component: tap
    namespace: linkerd-viz
---
# Lives in kube-system: grants tap the extension-apiserver-authentication-reader
# Role defined there.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: linkerd-linkerd-viz-tap-auth-reader
  namespace: kube-system
  labels:
    linkerd.io/extension: viz
    component: tap
    namespace: linkerd-viz
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: extension-apiserver-authentication-reader
subjects:
  - kind: ServiceAccount
    name: tap
    namespace: linkerd-viz
---
# Registers tap.linkerd.io/v1alpha1 as an aggregated API served by the tap
# Service.
#
# NOTE(review): caBundle is a fixture value (base64 of "test-tap-ca-bundle"),
# not a certificate. A real deployment must carry the CA that signed the tap
# serving certificate here.
apiVersion: apiregistration.k8s.io/v1
kind: APIService
metadata:
  name: v1alpha1.tap.linkerd.io
  labels:
    linkerd.io/extension: viz
    component: tap
spec:
  group: tap.linkerd.io
  version: v1alpha1
  groupPriorityMinimum: 1000
  versionPriority: 100
  service:
    name: tap
    namespace: linkerd-viz
  caBundle: dGVzdC10YXAtY2EtYnVuZGxl
---
#
# Web RBAC
#
# Namespaced Role in the control-plane namespace (`linkerd`), bound below to
# the `web` ServiceAccount from linkerd-viz.
#
# NOTE(review): the first rule narrows configmap reads to `linkerd-config`,
# but the second rule grants `get` on configmaps without resourceNames, so
# the narrowing has no effect: web can read any ConfigMap in `linkerd` by
# name. If only linkerd-config is needed, drop "configmaps" from rule two.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: web
  namespace: linkerd
  labels:
    linkerd.io/extension: viz
    component: web
    namespace: linkerd
rules:
  - apiGroups: [""]
    resources: ["configmaps"]
    verbs: ["get"]
    resourceNames: ["linkerd-config"]
  - apiGroups: [""]
    resources: ["namespaces", "configmaps"]
    verbs: ["get"]
  - apiGroups: [""]
    resources: ["serviceaccounts", "pods"]
    verbs: ["list"]
  - apiGroups: ["apps"]
    resources: ["replicasets"]
    verbs: ["list"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: web
  namespace: linkerd
  labels:
    linkerd.io/extension: viz
    component: web
    namespace: linkerd
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: web
subjects:
  - kind: ServiceAccount
    name: web
    namespace: linkerd-viz
---
# Cluster-wide, read-only (`list`/`get`) access to RBAC objects, CRDs,
# admission webhook configurations, service profiles, core objects and
# APIServices for the web ServiceAccount.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: linkerd-linkerd-viz-web-check
  labels:
    linkerd.io/extension: viz
    component: web
rules:
  - apiGroups: ["rbac.authorization.k8s.io"]
    resources: ["clusterroles", "clusterrolebindings"]
    verbs: ["list"]
  - apiGroups: ["apiextensions.k8s.io"]
    resources: ["customresourcedefinitions"]
    verbs: ["list"]
  - apiGroups: ["admissionregistration.k8s.io"]
    resources: ["mutatingwebhookconfigurations", "validatingwebhookconfigurations"]
    verbs: ["list"]
  - apiGroups: ["linkerd.io"]
    resources: ["serviceprofiles"]
    verbs: ["list"]
  - apiGroups: [""]
    resources: ["nodes", "pods", "services"]
    verbs: ["list"]
  - apiGroups: ["apiregistration.k8s.io"]
    resources: ["apiservices"]
    verbs: ["get"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: linkerd-linkerd-viz-web-check
  labels:
    linkerd.io/extension: viz
    component: web
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: linkerd-linkerd-viz-web-check
subjects:
  - kind: ServiceAccount
    name: web
    namespace: linkerd-viz
---
# Gives the web ServiceAccount the tap-admin ClusterRole defined above.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: linkerd-linkerd-viz-web-admin
  labels:
    linkerd.io/extension: viz
    component: web
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: linkerd-linkerd-viz-tap-admin
subjects:
  - kind: ServiceAccount
    name: web
    namespace: linkerd-viz
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: linkerd-linkerd-viz-web-api
  labels:
    linkerd.io/extension: viz
    component: web
rules:
  - apiGroups: [""]
    resources: ["namespaces"]
    verbs: ["list"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: linkerd-linkerd-viz-web-api
  labels:
    linkerd.io/extension: viz
    component: web
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: linkerd-linkerd-viz-web-api
subjects:
  - kind: ServiceAccount
    name: web
    namespace: linkerd-viz
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: web
  namespace: linkerd-viz
  labels:
    linkerd.io/extension: viz
    component: web
    namespace: linkerd-viz
---
#
# Metrics API
#
apiVersion: v1
kind: Service
metadata:
  name: metrics-api
  namespace: linkerd-viz
  labels:
    linkerd.io/extension: viz
    component: metrics-api
  annotations:
    linkerd.io/created-by: linkerd/helm dev-undefined
    linkerd.io/inject: enabled
spec:
  type: ClusterIP
  selector:
    linkerd.io/extension: viz
    component: metrics-api
  ports:
    - name: http
      port: 8085
      targetPort: 8085
---
# Container hardening: non-root UID/GID 2103, read-only root filesystem, all
# capabilities dropped, no privilege escalation, RuntimeDefault seccomp.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: metrics-api
  namespace: linkerd-viz
  labels:
    linkerd.io/extension: viz
    app.kubernetes.io/name: metrics-api
    app.kubernetes.io/part-of: Linkerd
    app.kubernetes.io/version: dev-undefined
    component: metrics-api
  annotations:
    linkerd.io/created-by: linkerd/helm dev-undefined
    linkerd.io/inject: enabled
    config.linkerd.io/proxy-await: "enabled"
spec:
  replicas: 1
  revisionHistoryLimit: 10
  selector:
    matchLabels:
      linkerd.io/extension: viz
      component: metrics-api
  template:
    metadata:
      labels:
        linkerd.io/extension: viz
        component: metrics-api
      annotations:
        checksum/config: b73fb1bf343c4203fbab8ee108c5eba2e07d184177e204677dc83d4cad2cd12b
        linkerd.io/created-by: linkerd/helm dev-undefined
        linkerd.io/inject: enabled
        config.alpha.linkerd.io/proxy-wait-before-exit-seconds: "0"
        cluster-autoscaler.kubernetes.io/safe-to-evict: "true"
    spec:
      serviceAccountName: metrics-api
      nodeSelector:
        kubernetes.io/os: linux
      securityContext:
        seccompProfile:
          type: RuntimeDefault
      containers:
        - name: metrics-api
          image: cr.l5d.io/linkerd/metrics-api:dev-undefined
          imagePullPolicy: IfNotPresent
          args:
            - -controller-namespace=linkerd
            - -log-level=info
            - -log-format=plain
            - -cluster-domain=cluster.local
            # Plain HTTP URL; transport protection, if any, comes from the
            # injected mesh proxy rather than from this flag.
            - -prometheus-url=http://prometheus.linkerd-viz.svc.cluster.local:9090
            - -enable-pprof=false
          ports:
            - containerPort: 8085
              name: http
            - containerPort: 9995
              name: admin-http
          livenessProbe:
            httpGet:
              path: /ping
              port: 9995
            initialDelaySeconds: 10
          readinessProbe:
            failureThreshold: 7
            httpGet:
              path: /ready
              port: 9995
          # Empty (null): no CPU/memory requests or limits are set.
          resources:
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
            readOnlyRootFilesystem: true
            runAsGroup: 2103
            runAsNonRoot: true
            runAsUser: 2103
            seccompProfile:
              type: RuntimeDefault
---
# Linkerd policy: declares the metrics-api `http` port as a Server so that the
# AuthorizationPolicy below can target it.
apiVersion: policy.linkerd.io/v1beta2
kind: Server
metadata:
  name: metrics-api
  namespace: linkerd-viz
  labels:
    linkerd.io/extension: viz
    component: metrics-api
  annotations:
    linkerd.io/created-by: linkerd/helm dev-undefined
spec:
  podSelector:
    matchLabels:
      linkerd.io/extension: viz
      component: metrics-api
  port: http
  proxyProtocol: HTTP/1
---
# Requires the metrics-api-web MeshTLSAuthentication for the metrics-api
# Server.
apiVersion: policy.linkerd.io/v1alpha1
kind: AuthorizationPolicy
metadata:
  name: metrics-api
  namespace: linkerd-viz
  labels:
    linkerd.io/extension: viz
    component: metrics-api
  annotations:
    linkerd.io/created-by: linkerd/helm dev-undefined
spec:
  targetRef:
    group: policy.linkerd.io
    kind: Server
    name: metrics-api
  requiredAuthenticationRefs:
    - group: policy.linkerd.io
      kind: MeshTLSAuthentication
      name: metrics-api-web
---
# Mesh identity accepted by the policy above: the `web` ServiceAccount.
apiVersion: policy.linkerd.io/v1alpha1
kind: MeshTLSAuthentication
metadata:
  name: metrics-api-web
  namespace: linkerd-viz
  labels:
    linkerd.io/extension: viz
    component: metrics-api
  annotations:
    linkerd.io/created-by: linkerd/helm dev-undefined
spec:
  identityRefs:
    - kind: ServiceAccount
      name: web
---
# NOTE(review): both CIDRs together match every IPv4 and IPv6 source address,
# so a policy that references `kubelet` does not restrict by network at all.
# No AuthorizationPolicy in this file references it.
apiVersion: policy.linkerd.io/v1alpha1
kind: NetworkAuthentication
metadata:
  name: kubelet
  namespace: linkerd-viz
  labels:
    linkerd.io/extension: viz
  annotations:
    linkerd.io/created-by: linkerd/helm dev-undefined
spec:
  # Ideally this would list only the addresses the kubelet actually uses in
  # the cluster, but those cannot easily be discovered.
  networks:
    - cidr: "0.0.0.0/0"
    - cidr: "::/0"
---
#
# Prometheus
#
# NOTE(review): in the 'kubernetes-nodes-cadvisor' job below, tls_config sets
# both `ca_file` and `insecure_skip_verify: true`. With verification skipped
# the CA file is not enforced, and the job still sends the ServiceAccount
# bearer token to kubernetes.default.svc:443. Prefer dropping
# `insecure_skip_verify` so the in-cluster CA is actually checked; confirm the
# API server certificate covers that name first.
#
# Everything under `prometheus.yml` is a literal string handed to Prometheus;
# comments inside it are part of the ConfigMap data.
apiVersion: v1
kind: ConfigMap
metadata:
  name: prometheus-config
  namespace: linkerd-viz
  labels:
    linkerd.io/extension: viz
    component: prometheus
    namespace: linkerd-viz
  annotations:
    linkerd.io/created-by: linkerd/helm dev-undefined
data:
  prometheus.yml: |-
    global:
      evaluation_interval: 10s
      scrape_interval: 10s
      scrape_timeout: 10s
    rule_files:
    - /etc/prometheus/*_rules.yml
    - /etc/prometheus/*_rules.yaml
    scrape_configs:
    - job_name: 'prometheus'
      static_configs:
      - targets: ['localhost:9090']
    # Required for: https://grafana.com/grafana/dashboards/315
    - job_name: 'kubernetes-nodes-cadvisor'
      scheme: https
      tls_config:
        ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
        insecure_skip_verify: true
      bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token
      kubernetes_sd_configs:
      - role: node
      relabel_configs:
      - action: labelmap
        regex: __meta_kubernetes_node_label_(.+)
      - target_label: __address__
        replacement: kubernetes.default.svc:443
      - source_labels: [__meta_kubernetes_node_name]
        regex: (.+)
        target_label: __metrics_path__
        replacement: /api/v1/nodes/$1/proxy/metrics/cadvisor
      metric_relabel_configs:
      - source_labels: [__name__]
        regex: '(container|machine)_(cpu|memory|network|fs)_(.+)'
        action: keep
      - source_labels: [__name__]
        regex: 'container_memory_failures_total' # unneeded large metric
        action: drop
    - job_name: 'linkerd-controller'
      kubernetes_sd_configs:
      - role: pod
        namespaces:
          names:
          - 'linkerd'
          - 'linkerd-viz'
      relabel_configs:
      - source_labels:
        - __meta_kubernetes_pod_container_port_name
        action: keep
        regex: admin-http
      - source_labels: [__meta_kubernetes_pod_container_name]
        action: replace
        target_label: component
    - job_name: 'linkerd-service-mirror'
      kubernetes_sd_configs:
      - role: pod
      relabel_configs:
      - source_labels:
        - __meta_kubernetes_pod_label_component
        - __meta_kubernetes_pod_container_port_name
        action: keep
        regex: linkerd-service-mirror;admin-http$
      - source_labels: [__meta_kubernetes_pod_container_name]
        action: replace
        target_label: component
    - job_name: 'linkerd-proxy'
      kubernetes_sd_configs:
      - role: pod
      relabel_configs:
      - source_labels:
        - __meta_kubernetes_pod_container_name
        - __meta_kubernetes_pod_container_port_name
        - __meta_kubernetes_pod_label_linkerd_io_control_plane_ns
        action: keep
        regex: ^linkerd-proxy;linkerd-admin;linkerd$
      - source_labels: [__meta_kubernetes_namespace]
        action: replace
        target_label: namespace
      - source_labels: [__meta_kubernetes_pod_name]
        action: replace
        target_label: pod
      # special case k8s' "job" label, to not interfere with prometheus' "job"
      # label
      # __meta_kubernetes_pod_label_linkerd_io_proxy_job=foo =>
      # k8s_job=foo
      - source_labels: [__meta_kubernetes_pod_label_linkerd_io_proxy_job]
        action: replace
        target_label: k8s_job
      # drop __meta_kubernetes_pod_label_linkerd_io_proxy_job
      - action: labeldrop
        regex: __meta_kubernetes_pod_label_linkerd_io_proxy_job
      # __meta_kubernetes_pod_label_linkerd_io_proxy_deployment=foo =>
      # deployment=foo
      - action: labelmap
        regex: __meta_kubernetes_pod_label_linkerd_io_proxy_(.+)
      # drop all labels that we just made copies of in the previous labelmap
      - action: labeldrop
        regex: __meta_kubernetes_pod_label_linkerd_io_proxy_(.+)
      # __meta_kubernetes_pod_label_linkerd_io_foo=bar =>
      # foo=bar
      - action: labelmap
        regex: __meta_kubernetes_pod_label_linkerd_io_(.+)
      # Copy all pod labels to tmp labels
      - action: labelmap
        regex: __meta_kubernetes_pod_label_(.+)
        replacement: __tmp_pod_label_$1
      # Take `linkerd_io_` prefixed labels and copy them without the prefix
      - action: labelmap
        regex: __tmp_pod_label_linkerd_io_(.+)
        replacement: __tmp_pod_label_$1
      # Drop the `linkerd_io_` originals
      - action: labeldrop
        regex: __tmp_pod_label_linkerd_io_(.+)
      # Copy tmp labels into real labels
      - action: labelmap
        regex: __tmp_pod_label_(.+)
---
apiVersion: v1
kind: Service
metadata:
  name: prometheus
  namespace: linkerd-viz
  labels:
    linkerd.io/extension: viz
    component: prometheus
    namespace: linkerd-viz
  annotations:
    linkerd.io/created-by: linkerd/helm dev-undefined
    linkerd.io/inject: enabled
spec:
  type: ClusterIP
  selector:
    linkerd.io/extension: viz
    component: prometheus
  ports:
    - name: admin-http
      port: 9090
      targetPort: 9090
---
# Runs as UID/GID 65534 with a read-only root filesystem; /data is an
# emptyDir, so the 6h of retained samples do not survive a pod restart.
#
# NOTE(review): the image is referenced by tag (prom/prometheus:v2.48.1), not
# by digest, and `--log.level=debug` is set; both are worth revisiting for a
# production render.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: prometheus
  namespace: linkerd-viz
  labels:
    linkerd.io/extension: viz
    app.kubernetes.io/name: prometheus
    app.kubernetes.io/part-of: Linkerd
    app.kubernetes.io/version: dev-undefined
    component: prometheus
    namespace: linkerd-viz
  annotations:
    linkerd.io/created-by: linkerd/helm dev-undefined
    linkerd.io/inject: enabled
    config.linkerd.io/proxy-await: "enabled"
spec:
  replicas: 1
  revisionHistoryLimit: 10
  selector:
    matchLabels:
      linkerd.io/extension: viz
      component: prometheus
      namespace: linkerd-viz
  template:
    metadata:
      labels:
        linkerd.io/extension: viz
        component: prometheus
        namespace: linkerd-viz
      annotations:
        linkerd.io/created-by: linkerd/helm dev-undefined
        linkerd.io/inject: enabled
        config.alpha.linkerd.io/proxy-wait-before-exit-seconds: "0"
    spec:
      serviceAccountName: prometheus
      nodeSelector:
        kubernetes.io/os: linux
      securityContext:
        fsGroup: 65534
        seccompProfile:
          type: RuntimeDefault
      containers:
        - name: prometheus
          image: prom/prometheus:v2.48.1
          imagePullPolicy: IfNotPresent
          args:
            - --log.format=logfmt
            - --config.file=/etc/prometheus/prometheus.yml
            - --log.level=debug
            - --storage.tsdb.path=/data
            - --storage.tsdb.retention.time=6h
          ports:
            - containerPort: 9090
              name: admin-http
          livenessProbe:
            httpGet:
              path: /-/healthy
              port: 9090
            initialDelaySeconds: 30
            timeoutSeconds: 30
          readinessProbe:
            httpGet:
              path: /-/ready
              port: 9090
            initialDelaySeconds: 30
            timeoutSeconds: 30
          # Empty (null): no CPU/memory requests or limits are set.
          resources:
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
            readOnlyRootFilesystem: true
            runAsGroup: 65534
            runAsNonRoot: true
            runAsUser: 65534
            seccompProfile:
              type: RuntimeDefault
          volumeMounts:
            - mountPath: /data
              name: data
            # Single file from the ConfigMap, mounted read-only.
            - mountPath: /etc/prometheus/prometheus.yml
              name: prometheus-config
              subPath: prometheus.yml
              readOnly: true
      volumes:
        - name: data
          emptyDir: {}
        - name: prometheus-config
          configMap:
            name: prometheus-config
---
apiVersion: policy.linkerd.io/v1beta2
kind: Server
metadata:
  name: prometheus-admin
  namespace: linkerd-viz
  labels:
    linkerd.io/extension: viz
  annotations:
    linkerd.io/created-by: linkerd/helm dev-undefined
spec:
  podSelector:
    matchLabels:
      linkerd.io/extension: viz
      component: prometheus
      namespace: linkerd-viz
  port: admin-http
  proxyProtocol: HTTP/1
---
# The only identity this policy names for the Prometheus admin-http Server is
# the metrics-api ServiceAccount.
apiVersion: policy.linkerd.io/v1alpha1
kind: AuthorizationPolicy
metadata:
  name: prometheus-admin
  namespace: linkerd-viz
  labels:
    linkerd.io/extension: viz
  annotations:
    linkerd.io/created-by: linkerd/helm dev-undefined
spec:
  targetRef:
    group: policy.linkerd.io
    kind: Server
    name: prometheus-admin
  requiredAuthenticationRefs:
    - kind: ServiceAccount
      name: metrics-api
      namespace: linkerd-viz
---
#
# Tap
#
apiVersion: v1
kind: Service
metadata:
  name: tap
  namespace: linkerd-viz
  labels:
    linkerd.io/extension: viz
    component: tap
    namespace: linkerd-viz
  annotations:
    linkerd.io/created-by: linkerd/helm dev-undefined
    linkerd.io/inject: enabled
spec:
  type: ClusterIP
  selector:
    linkerd.io/extension: viz
    component: tap
  ports:
    - name: grpc
      port: 8088
      targetPort: 8088
    - name: apiserver
      port: 443
      targetPort: apiserver
---
# Same container hardening as metrics-api (UID/GID 2103, read-only root
# filesystem, all capabilities dropped). Serving TLS material comes from the
# `tap-k8s-tls` Secret, mounted read-only; that Secret is not defined in this
# file.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: tap
  namespace: linkerd-viz
  labels:
    linkerd.io/extension: viz
    app.kubernetes.io/name: tap
    app.kubernetes.io/part-of: Linkerd
    app.kubernetes.io/version: dev-undefined
    component: tap
    namespace: linkerd-viz
  annotations:
    linkerd.io/created-by: linkerd/helm dev-undefined
    linkerd.io/inject: enabled
    config.linkerd.io/proxy-await: "enabled"
spec:
  replicas: 1
  revisionHistoryLimit: 10
  selector:
    matchLabels:
      linkerd.io/extension: viz
      component: tap
      namespace: linkerd-viz
  template:
    metadata:
      labels:
        linkerd.io/extension: viz
        component: tap
        namespace: linkerd-viz
      annotations:
        checksum/config: d6f2ea38c4004667c96eb4fb0135fe0d9d9a87f5c19aaee30e6ccb6ef7219324
        linkerd.io/created-by: linkerd/helm dev-undefined
        linkerd.io/inject: enabled
        config.alpha.linkerd.io/proxy-wait-before-exit-seconds: "0"
        cluster-autoscaler.kubernetes.io/safe-to-evict: "true"
    spec:
      serviceAccountName: tap
      nodeSelector:
        kubernetes.io/os: linux
      securityContext:
        seccompProfile:
          type: RuntimeDefault
      containers:
        - name: tap
          image: cr.l5d.io/linkerd/tap:dev-undefined
          imagePullPolicy: IfNotPresent
          args:
            - api
            - -api-namespace=linkerd
            - -log-level=info
            - -log-format=plain
            - -identity-trust-domain=cluster.local
            - -enable-pprof=false
          ports:
            - containerPort: 8088
              name: grpc
            - containerPort: 8089
              name: apiserver
            - containerPort: 9998
              name: admin-http
          livenessProbe:
            httpGet:
              path: /ping
              port: 9998
            initialDelaySeconds: 10
          readinessProbe:
            failureThreshold: 7
            httpGet:
              path: /ready
              port: 9998
          # Empty (null): no CPU/memory requests or limits are set.
          resources:
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
            readOnlyRootFilesystem: true
            runAsGroup: 2103
            runAsNonRoot: true
            runAsUser: 2103
            seccompProfile:
              type: RuntimeDefault
          volumeMounts:
            - mountPath: /var/run/linkerd/tls
              name: tls
              readOnly: true
      volumes:
        - name: tls
          secret:
            secretName: tap-k8s-tls
---
apiVersion: policy.linkerd.io/v1beta2
kind: Server
metadata:
  name: tap-api
  namespace: linkerd-viz
  labels:
    linkerd.io/extension: viz
    component: tap
  annotations:
    linkerd.io/created-by: linkerd/helm dev-undefined
spec:
  podSelector:
    matchLabels:
      linkerd.io/extension: viz
      component: tap
  port: apiserver
  proxyProtocol: TLS
---
# NOTE(review): the referenced `kube-api-server` NetworkAuthentication lists
# 0.0.0.0/0 and ::/0, so this policy does not narrow which clients may connect
# to the tap `apiserver` port. Access control for tap presumably rests on the
# TLS endpoint and the delegated authentication/authorization bound above
# (auth-delegator, auth-reader). Confirm.
apiVersion: policy.linkerd.io/v1alpha1
kind: AuthorizationPolicy
metadata:
  name: tap
  namespace: linkerd-viz
  labels:
    linkerd.io/extension: viz
    component: tap
  annotations:
    linkerd.io/created-by: linkerd/helm dev-undefined
spec:
  targetRef:
    group: policy.linkerd.io
    kind: Server
    name: tap-api
  requiredAuthenticationRefs:
    - group: policy.linkerd.io
      kind: NetworkAuthentication
      name: kube-api-server
---
#
# Tap Injector RBAC
#
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: linkerd-tap-injector
  labels:
    linkerd.io/extension: viz
rules:
  - apiGroups: [""]
    resources: ["namespaces"]
    verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: linkerd-tap-injector
  labels:
    linkerd.io/extension: viz
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: linkerd-tap-injector
subjects:
  - kind: ServiceAccount
    name: tap-injector
    namespace: linkerd-viz
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: tap-injector
  namespace: linkerd-viz
  labels:
    linkerd.io/extension: viz
---
# Mutating admission webhook for pod CREATE in every namespace except
# kube-system.
#
# `failurePolicy: Ignore` is fail-open: if the webhook cannot be reached, the
# pod is admitted without the mutation rather than being rejected.
#
# NOTE(review): caBundle is the same fixture value as on the APIService
# (base64 of "test-tap-ca-bundle"); a real deployment needs the CA that signed
# the tap-injector serving certificate.
apiVersion: admissionregistration.k8s.io/v1
kind: MutatingWebhookConfiguration
metadata:
  name: linkerd-tap-injector-webhook-config
  labels:
    linkerd.io/extension: viz
webhooks:
  - name: tap-injector.linkerd.io
    namespaceSelector:
      matchExpressions:
        - key: kubernetes.io/metadata.name
          operator: NotIn
          values:
            - kube-system
    clientConfig:
      service:
        name: tap-injector
        namespace: linkerd-viz
        path: "/"
      caBundle: dGVzdC10YXAtY2EtYnVuZGxl
    failurePolicy: Ignore
    admissionReviewVersions: ["v1", "v1beta1"]
    reinvocationPolicy: IfNeeded
    rules:
      - operations: ["CREATE"]
        apiGroups: [""]
        apiVersions: ["v1"]
        resources: ["pods"]
        scope: "Namespaced"
    sideEffects: None
---
#
# Tap Injector
#
apiVersion: v1
kind: Service
metadata:
  name: tap-injector
  namespace: linkerd-viz
  labels:
    linkerd.io/extension: viz
    component: tap-injector
  annotations:
    linkerd.io/created-by: linkerd/helm dev-undefined
    linkerd.io/inject: enabled
spec:
  type: ClusterIP
  selector:
    linkerd.io/extension: viz
    component: tap-injector
  ports:
    - name: tap-injector
      port: 443
      targetPort: tap-injector
---
# Webhook server for the configuration above. Uses the same image as tap with
# the `injector` subcommand; serving TLS material comes from the
# `tap-injector-k8s-tls` Secret (not defined in this file).
apiVersion: apps/v1
kind: Deployment
metadata:
  name: tap-injector
  namespace: linkerd-viz
  labels:
    linkerd.io/extension: viz
    app.kubernetes.io/name: tap-injector
    app.kubernetes.io/part-of: Linkerd
    component: tap-injector
  annotations:
    linkerd.io/created-by: linkerd/helm dev-undefined
    linkerd.io/inject: enabled
    config.linkerd.io/proxy-await: "enabled"
spec:
  replicas: 1
  revisionHistoryLimit: 10
  selector:
    # Unlike the other Deployments, this selector matches on `component` only.
    matchLabels:
      component: tap-injector
  template:
    metadata:
      labels:
        linkerd.io/extension: viz
        component: tap-injector
      annotations:
        checksum/config: f46683697f33ac5449b952d1d037718887c4f98421d0f4133bb19e1c873a925d
        linkerd.io/created-by: linkerd/helm dev-undefined
        linkerd.io/inject: enabled
        config.alpha.linkerd.io/proxy-wait-before-exit-seconds: "0"
        cluster-autoscaler.kubernetes.io/safe-to-evict: "true"
    spec:
      serviceAccountName: tap-injector
      nodeSelector:
        kubernetes.io/os: linux
      securityContext:
        seccompProfile:
          type: RuntimeDefault
      containers:
        - name: tap-injector
          image: cr.l5d.io/linkerd/tap:dev-undefined
          imagePullPolicy: IfNotPresent
          args:
            - injector
            - -tap-service-name=tap.linkerd-viz.serviceaccount.identity.linkerd.cluster.local
            - -log-level=info
            - -log-format=plain
            - -enable-pprof=false
          ports:
            - containerPort: 8443
              name: tap-injector
            - containerPort: 9995
              name: admin-http
          livenessProbe:
            httpGet:
              path: /ping
              port: 9995
            initialDelaySeconds: 10
          readinessProbe:
            failureThreshold: 7
            httpGet:
              path: /ready
              port: 9995
          # Empty (null): no CPU/memory requests or limits are set.
          resources:
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
            readOnlyRootFilesystem: true
            runAsGroup: 2103
            runAsNonRoot: true
            runAsUser: 2103
            seccompProfile:
              type: RuntimeDefault
          volumeMounts:
            - mountPath: /var/run/linkerd/tls
              name: tls
              readOnly: true
      volumes:
        - name: tls
          secret:
            secretName: tap-injector-k8s-tls
---
apiVersion: policy.linkerd.io/v1beta2
kind: Server
metadata:
  name: tap-injector-webhook
  namespace: linkerd-viz
  labels:
    linkerd.io/extension: viz
    component: tap-injector
  annotations:
    linkerd.io/created-by: linkerd/helm dev-undefined
spec:
  podSelector:
    matchLabels:
      linkerd.io/extension: viz
      component: tap-injector
  port: tap-injector
  proxyProtocol: TLS
---
# As with the `tap` policy, the referenced NetworkAuthentication admits every
# source address, so this policy does not restrict callers by network.
apiVersion: policy.linkerd.io/v1alpha1
kind: AuthorizationPolicy
metadata:
  name: tap-injector
  namespace: linkerd-viz
  labels:
    linkerd.io/extension: viz
    component: tap-injector
  annotations:
    linkerd.io/created-by: linkerd/helm dev-undefined
spec:
  targetRef:
    group: policy.linkerd.io
    kind: Server
    name: tap-injector-webhook
  requiredAuthenticationRefs:
    - group: policy.linkerd.io
      kind: NetworkAuthentication
      name: kube-api-server
---
# NOTE(review): 0.0.0.0/0 plus ::/0 matches every client address. The `tap`
# and `tap-injector` AuthorizationPolicies in this file both rely on this
# object. Where the API server's egress addresses are known for a cluster,
# narrowing these CIDRs tightens both policies at once.
apiVersion: policy.linkerd.io/v1alpha1
kind: NetworkAuthentication
metadata:
  name: kube-api-server
  namespace: linkerd-viz
  labels:
    linkerd.io/extension: viz
  annotations:
    linkerd.io/created-by: linkerd/helm dev-undefined
spec:
  # Ideally this would list only the addresses the Kubernetes API server uses
  # for webhook calls in the cluster, but those cannot easily be discovered.
  networks:
    - cidr: "0.0.0.0/0"
    - cidr: "::/0"
---
#
# Web
#
apiVersion: v1
kind: Service
metadata:
  name: web
  namespace: linkerd-viz
  labels:
    linkerd.io/extension: viz
    component: web
    namespace: linkerd-viz
  annotations:
    linkerd.io/created-by: linkerd/helm dev-undefined
    linkerd.io/inject: enabled
spec:
  type: ClusterIP
  selector:
    linkerd.io/extension: viz
    component: web
  ports:
    - name: http
      port: 8084
      targetPort: 8084
    - name: admin-http
      port: 9994
      targetPort: 9994
---
# Dashboard. No Server or AuthorizationPolicy in this file targets the web
# pods, and the `web` ServiceAccount holds the tap-admin binding, so exposure
# of port 8084 (Ingress, port-forward, LoadBalancer) deserves its own access
# control.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: web
  namespace: linkerd-viz
  labels:
    linkerd.io/extension: viz
    app.kubernetes.io/name: web
    app.kubernetes.io/part-of: Linkerd
    app.kubernetes.io/version: dev-undefined
    component: web
    namespace: linkerd-viz
  annotations:
    linkerd.io/created-by: linkerd/helm dev-undefined
    linkerd.io/inject: enabled
    config.linkerd.io/proxy-await: "enabled"
spec:
  replicas: 1
  revisionHistoryLimit: 10
  selector:
    matchLabels:
      linkerd.io/extension: viz
      component: web
      namespace: linkerd-viz
  template:
    metadata:
      labels:
        linkerd.io/extension: viz
        component: web
        namespace: linkerd-viz
      annotations:
        linkerd.io/created-by: linkerd/helm dev-undefined
        linkerd.io/inject: enabled
        config.alpha.linkerd.io/proxy-wait-before-exit-seconds: "0"
        cluster-autoscaler.kubernetes.io/safe-to-evict: "true"
    spec:
      serviceAccountName: web
      nodeSelector:
        kubernetes.io/os: linux
      securityContext:
        seccompProfile:
          type: RuntimeDefault
      containers:
        - name: web
          image: cr.l5d.io/linkerd/web:dev-undefined
          imagePullPolicy: IfNotPresent
          args:
            - -linkerd-metrics-api-addr=metrics-api.linkerd-viz.svc.cluster.local:8085
            - -cluster-domain=cluster.local
            - -controller-namespace=linkerd
            - -log-level=info
            - -log-format=plain
            # Anchored allow-list of Host values (localhost, loopback and the
            # in-cluster service names, optional port). Presumably guards the
            # dashboard against DNS-rebinding style requests; when serving it
            # under another hostname, add that name rather than replacing the
            # pattern with a catch-all.
            - -enforced-host=^(localhost|127\.0\.0\.1|web\.linkerd-viz\.svc\.cluster\.local|web\.linkerd-viz\.svc|\[::1\])(:\d+)?$
            - -enable-pprof=false
          ports:
            - containerPort: 8084
              name: http
            - containerPort: 9994
              name: admin-http
          livenessProbe:
            httpGet:
              path: /ping
              port: 9994
            initialDelaySeconds: 10
          readinessProbe:
            failureThreshold: 7
            httpGet:
              path: /ready
              port: 9994
          # Empty (null): no CPU/memory requests or limits are set.
          resources:
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
            readOnlyRootFilesystem: true
            runAsGroup: 2103
            runAsNonRoot: true
            runAsUser: 2103
            seccompProfile:
              type: RuntimeDefault
---
# Route definitions for the metrics-api service: one POST route per endpoint.
apiVersion: linkerd.io/v1alpha2
kind: ServiceProfile
metadata:
  name: metrics-api.linkerd-viz.svc.cluster.local
  namespace: linkerd-viz
  labels:
    linkerd.io/extension: viz
spec:
  routes:
    - name: POST /api/v1/StatSummary
      condition:
        method: POST
        pathRegex: /api/v1/StatSummary
    - name: POST /api/v1/TopRoutes
      condition:
        method: POST
        pathRegex: /api/v1/TopRoutes
    - name: POST /api/v1/ListPods
      condition:
        method: POST
        pathRegex: /api/v1/ListPods
    - name: POST /api/v1/ListServices
      condition:
        method: POST
        pathRegex: /api/v1/ListServices
    - name: POST /api/v1/SelfCheck
      condition:
        method: POST
        pathRegex: /api/v1/SelfCheck
    - name: POST /api/v1/Gateways
      condition:
        method: POST
        pathRegex: /api/v1/Gateways
    - name: POST /api/v1/Edges
      condition:
        method: POST
        pathRegex: /api/v1/Edges
---
# Route definitions for the Prometheus query API used by the extension.
apiVersion: linkerd.io/v1alpha2
kind: ServiceProfile
metadata:
  name: prometheus.linkerd-viz.svc.cluster.local
  namespace: linkerd-viz
  labels:
    linkerd.io/extension: viz
spec:
  routes:
    - name: POST /api/v1/query
      condition:
        method: POST
        pathRegex: /api/v1/query
    - name: GET /api/v1/query_range
      condition:
        method: GET
        pathRegex: /api/v1/query_range
    - name: GET /api/v1/series
      condition:
        method: GET
        pathRegex: /api/v1/series