mirror of https://github.com/linkerd/linkerd2.git
Add static and dynamic port overrides for CNI ebpf (#9841)
When CNI plugins run in ebpf mode, they may rewrite the packet destination when doing socket-level load balancing (i.e., in the `connect()` call). In these cases, skipping `443` on the outbound side for control plane components becomes redundant; the packet is re-written to target the actual Kubernetes API Server backend (which typically listens on port `6443`, but may be overridden when the cluster is created). This change adds port `6443` to the list of skipped ports for control plane components. On the linkerd-cni plugin side, the ports are non-configurable. Whenever a pod with the control plane component label is handled by the plugin, we look up the `kubernetes` service in the default namespace and append the port values (of both ClusterIP and backend) to the list. On the initContainer side, we make this value configurable in Helm and provide a sensible default (`443,6443`). Users may override this value if the ports do not correspond to what they have in their cluster. In the CLI, if no override is given, we look up the service in the same way that we do for linkerd-cni; if failures are encountered, we fall back to the default list of ports from the values file. Closes #9817 Signed-off-by: Matei David <matei@buoyant.io>
parent
52ae875e9d
commit
35cecb50e1
|
|
@ -242,6 +242,7 @@ Kubernetes: `>=1.21.0-0`
|
|||
| proxyInit.image.pullPolicy | string | imagePullPolicy | Pull policy for the proxy-init container Docker image |
|
||||
| proxyInit.image.version | string | `"v2.1.0"` | Tag for the proxy-init container Docker image |
|
||||
| proxyInit.iptablesMode | string | `"legacy"` | Variant of iptables that will be used to configure routing. Currently, proxy-init can be run either in 'nft' or in 'legacy' mode. The mode will control which utility binary will be called. The host must support whichever mode will be used |
|
||||
| proxyInit.kubeAPIServerPorts | string | `"443,6443"` | Default set of ports to skip via iptables for control plane components so they can communicate with the Kubernetes API Server |
|
||||
| proxyInit.logFormat | string | plain | Log format (`plain` or `json`) for the proxy-init |
|
||||
| proxyInit.logLevel | string | info | Log level for the proxy-init |
|
||||
| proxyInit.privileged | bool | false | Privileged mode allows the container processes to inherit all security capabilities and bypass any security limitations enforced by the kubelet. When used with 'runAsRoot: true', the container will behave exactly as if it was running as root on the host. May escape cgroup limits and see other processes and devices on the host. |
|
||||
|
|
|
|||
|
|
@ -317,7 +317,7 @@ spec:
|
|||
The destination controller needs to connect to the Kubernetes API before the proxy is able
|
||||
to proxy requests, so we always skip these connections.
|
||||
*/}}
|
||||
{{- $_ := set $tree.Values.proxyInit "ignoreOutboundPorts" "443" -}}
|
||||
{{- $_ := set $tree.Values.proxyInit "ignoreOutboundPorts" .Values.proxyInit.kubeAPIServerPorts -}}
|
||||
- {{- include "partials.proxy-init" $tree | indent 8 | trimPrefix (repeat 7 " ") }}
|
||||
{{ end -}}
|
||||
{{- if .Values.priorityClassName -}}
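Review bot: The new `set $tree.Values.proxyInit "ignoreOutboundPorts" .Values.proxyInit.kubeAPIServerPorts` line passes the value through unchecked, so an empty or unset `kubeAPIServerPorts` drops the API-server skip entirely instead of keeping the former `443`. The fixture further down this page that renders with `kubeAPIServerPorts: ""` loses two lines next to `--outbound-ports-to-ignore`, apparently for this reason. Since the comment above says these connections are always skipped, a fallback such as `{{- $_ := set $tree.Values.proxyInit "ignoreOutboundPorts" (.Values.proxyInit.kubeAPIServerPorts | default "443,6443") -}}` would keep that guarantee. The identity template section that follows has the same line, and the template block starts and ends outside the hunk.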
|
||||
|
|
|
|||
|
|
@ -214,7 +214,7 @@ spec:
|
|||
proxy requests, so we always skip these connections. The identity controller makes no other
|
||||
outbound connections (so it's not important to persist any other skip ports here)
|
||||
*/}}
|
||||
{{- $_ := set $tree.Values.proxyInit "ignoreOutboundPorts" "443" -}}
|
||||
{{- $_ := set $tree.Values.proxyInit "ignoreOutboundPorts" .Values.proxyInit.kubeAPIServerPorts -}}
|
||||
- {{- include "partials.proxy-init" $tree | indent 8 | trimPrefix (repeat 7 " ") }}
|
||||
{{ end -}}
|
||||
{{- if .Values.priorityClassName -}}
|
||||
|
|
|
|||
|
|
@ -192,6 +192,9 @@ proxyInit:
|
|||
# -- Default set of outbound ports to skip via iptables
|
||||
# - Galera (4567,4568)
|
||||
ignoreOutboundPorts: "4567,4568"
|
||||
# -- Default set of ports to skip via iptables for control plane
|
||||
# components so they can communicate with the Kubernetes API Server
|
||||
kubeAPIServerPorts: "443,6443"
|
||||
# -- Comma-separated list of subnets in valid CIDR format that should be skipped by the proxy
|
||||
skipSubnets: ""
|
||||
# -- Log level for the proxy-init
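Review bot: The new comment on `kubeAPIServerPorts` does not mention that the list is applied as an outbound skip by port number only, so control plane traffic to any destination on these ports bypasses the proxy, not just traffic to the API server. I would extend it with a line such as `# These ports are skipped for all outbound traffic from control plane pods; keep the list to the API server's Service and backend ports.` The README row for this value appears to mirror the comment and would need the same wording.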
|
||||
|
|
|
|||
|
|
@ -108,7 +108,7 @@ metadata:
|
|||
{{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }}
|
||||
rules:
|
||||
- apiGroups: [""]
|
||||
resources: ["pods", "nodes", "namespaces"]
|
||||
resources: ["pods", "nodes", "namespaces", "services"]
|
||||
verbs: ["list", "get", "watch"]
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1
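Review bot: Adding `services` to this rule grants list/get/watch on every Service in every namespace, while the plugin code added on this page only calls `Services("default").Get(ctx, "kubernetes", ...)`. Because the rule also covers `nodes` and `namespaces` it is presumably a ClusterRole. A separate namespaced Role in `default` with `resources: ["services"]`, `resourceNames: ["kubernetes"]` and `verbs: ["get"]` would give the plugin what it needs with a smaller footprint. The same line is repeated in the rendered fixture sections that follow, and the manifest starts and ends outside the hunk.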
|
||||
|
|
|
|||
|
|
@ -7,6 +7,8 @@ import (
|
|||
"io"
|
||||
"os"
|
||||
"path"
|
||||
"strconv"
|
||||
"strings"
|
||||
"text/template"
|
||||
"time"
|
||||
|
||||
|
|
@ -26,6 +28,7 @@ import (
|
|||
corev1 "k8s.io/api/core/v1"
|
||||
kerrors "k8s.io/apimachinery/pkg/api/errors"
|
||||
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
||||
"k8s.io/apimachinery/pkg/util/intstr"
|
||||
"sigs.k8s.io/yaml"
|
||||
)
|
||||
|
||||
|
|
@ -227,6 +230,14 @@ func installControlPlane(ctx context.Context, k8sAPI *k8s.KubernetesAPI, w io.Wr
|
|||
os.Exit(1)
|
||||
}
|
||||
}
|
||||
|
||||
// Check 'kubernetes' service in default namespace to see what ports the API
|
||||
// Server listens on. If the ports are different from the default ('443,6443')
|
||||
// then replace with ports from the service spec.
|
||||
apiSrvPorts := getApiServerPorts(ctx, k8sAPI)
|
||||
if apiSrvPorts != "" {
|
||||
values.ProxyInit.KubeAPIServerPorts = apiSrvPorts
|
||||
}
|
||||
}
|
||||
|
||||
err = initializeIssuerCredentials(ctx, k8sAPI, values)
|
||||
|
|
@ -456,3 +467,26 @@ func errAfterRunningChecks(cniEnabled bool) error {
|
|||
|
||||
return err
|
||||
}
|
||||
|
||||
// getApiServerPorts looks at the 'kubernetes' service in the 'default'
|
||||
// namespace and returns the ClusterIP port for the API Server (by default 443),
|
||||
// and the port that the API Server backend is expecting TLS connections on (by
|
||||
// default 6443.)
|
||||
func getApiServerPorts(ctx context.Context, api *k8s.KubernetesAPI) string {
|
||||
service, err := api.CoreV1().Services("default").Get(ctx, "kubernetes", metav1.GetOptions{})
|
||||
if err != nil {
|
||||
return ""
|
||||
}
|
||||
|
||||
ports := make([]string, 0)
|
||||
for _, port := range service.Spec.Ports {
|
||||
ports = append(ports, strconv.Itoa(int(port.Port)))
|
||||
// We only care about int ports since string ports (e.g targetPort: web)
|
||||
// correspond to a named port in a pod spec.
|
||||
if port.TargetPort.Type == intstr.Int {
|
||||
ports = append(ports, strconv.Itoa(port.TargetPort.IntValue()))
|
||||
}
|
||||
}
|
||||
|
||||
return strings.Join(ports, ",")
|
||||
}
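Review bot: getApiServerPorts discards the lookup error with `return ""`, so when the CLI cannot read the `kubernetes` Service the install falls back to the values-file default without telling the operator, and control plane pods may fail to reach the API server on clusters that use another backend port. Returning the error, as the linkerd-cni copy on this page does (`func getApiServerPorts(ctx context.Context, api *k8s.KubernetesAPI) (string, error)` with `return "", err`), would let installControlPlane print a warning to stderr before falling back. The loop appends `port.Port` and the integer `targetPort` without de-duplicating, so a Service where both match yields a repeated entry. The comment in installControlPlane says the ports are replaced only when they differ from the default, but the code replaces them whenever the result is non-empty. installControlPlane's body starts and ends outside the hunk.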
|
||||
|
|
|
|||
|
|
@ -22,7 +22,7 @@ metadata:
|
|||
linkerd.io/cni-resource: "true"
|
||||
rules:
|
||||
- apiGroups: [""]
|
||||
resources: ["pods", "nodes", "namespaces"]
|
||||
resources: ["pods", "nodes", "namespaces", "services"]
|
||||
verbs: ["list", "get", "watch"]
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
|
|
|
|||
|
|
@ -22,7 +22,7 @@ metadata:
|
|||
linkerd.io/cni-resource: "true"
|
||||
rules:
|
||||
- apiGroups: [""]
|
||||
resources: ["pods", "nodes", "namespaces"]
|
||||
resources: ["pods", "nodes", "namespaces", "services"]
|
||||
verbs: ["list", "get", "watch"]
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
|
|
|
|||
|
|
@ -22,7 +22,7 @@ metadata:
|
|||
linkerd.io/cni-resource: "true"
|
||||
rules:
|
||||
- apiGroups: [""]
|
||||
resources: ["pods", "nodes", "namespaces"]
|
||||
resources: ["pods", "nodes", "namespaces", "services"]
|
||||
verbs: ["list", "get", "watch"]
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
|
|
|
|||
|
|
@ -22,7 +22,7 @@ metadata:
|
|||
linkerd.io/cni-resource: "true"
|
||||
rules:
|
||||
- apiGroups: [""]
|
||||
resources: ["pods", "nodes", "namespaces"]
|
||||
resources: ["pods", "nodes", "namespaces", "services"]
|
||||
verbs: ["list", "get", "watch"]
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
|
|
|
|||
|
|
@ -22,7 +22,7 @@ metadata:
|
|||
linkerd.io/cni-resource: "true"
|
||||
rules:
|
||||
- apiGroups: [""]
|
||||
resources: ["pods", "nodes", "namespaces"]
|
||||
resources: ["pods", "nodes", "namespaces", "services"]
|
||||
verbs: ["list", "get", "watch"]
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
|
|
|
|||
|
|
@ -16,7 +16,7 @@ metadata:
|
|||
linkerd.io/cni-resource: "true"
|
||||
rules:
|
||||
- apiGroups: [""]
|
||||
resources: ["pods", "nodes", "namespaces"]
|
||||
resources: ["pods", "nodes", "namespaces", "services"]
|
||||
verbs: ["list", "get", "watch"]
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
|
|
|
|||
|
|
@ -16,7 +16,7 @@ metadata:
|
|||
linkerd.io/cni-resource: "true"
|
||||
rules:
|
||||
- apiGroups: [""]
|
||||
resources: ["pods", "nodes", "namespaces"]
|
||||
resources: ["pods", "nodes", "namespaces", "services"]
|
||||
verbs: ["list", "get", "watch"]
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
|
|
|
|||
|
|
@ -587,6 +587,7 @@ data:
|
|||
pullPolicy: ""
|
||||
version: v2.1.0
|
||||
iptablesMode: legacy
|
||||
kubeAPIServerPorts: 443,6443
|
||||
logFormat: ""
|
||||
logLevel: ""
|
||||
privileged: false
|
||||
|
|
@ -921,7 +922,7 @@ spec:
|
|||
- --inbound-ports-to-ignore
|
||||
- "4190,4191,4567,4568"
|
||||
- --outbound-ports-to-ignore
|
||||
- "443"
|
||||
- "443,6443"
|
||||
image: cr.l5d.io/linkerd/proxy-init:v2.1.0
|
||||
imagePullPolicy: IfNotPresent
|
||||
name: linkerd-init
|
||||
|
|
@ -1344,7 +1345,7 @@ spec:
|
|||
- --inbound-ports-to-ignore
|
||||
- "4190,4191,4567,4568"
|
||||
- --outbound-ports-to-ignore
|
||||
- "443"
|
||||
- "443,6443"
|
||||
image: cr.l5d.io/linkerd/proxy-init:v2.1.0
|
||||
imagePullPolicy: IfNotPresent
|
||||
name: linkerd-init
|
||||
|
|
|
|||
|
|
@ -587,6 +587,7 @@ data:
|
|||
pullPolicy: ""
|
||||
version: v2.1.0
|
||||
iptablesMode: legacy
|
||||
kubeAPIServerPorts: 443,6443
|
||||
logFormat: ""
|
||||
logLevel: ""
|
||||
privileged: false
|
||||
|
|
@ -920,7 +921,7 @@ spec:
|
|||
- --inbound-ports-to-ignore
|
||||
- "4190,4191,4567,4568"
|
||||
- --outbound-ports-to-ignore
|
||||
- "443"
|
||||
- "443,6443"
|
||||
image: cr.l5d.io/linkerd/proxy-init:v2.1.0
|
||||
imagePullPolicy: IfNotPresent
|
||||
name: linkerd-init
|
||||
|
|
@ -1342,7 +1343,7 @@ spec:
|
|||
- --inbound-ports-to-ignore
|
||||
- "4190,4191,4567,4568"
|
||||
- --outbound-ports-to-ignore
|
||||
- "443"
|
||||
- "443,6443"
|
||||
image: cr.l5d.io/linkerd/proxy-init:v2.1.0
|
||||
imagePullPolicy: IfNotPresent
|
||||
name: linkerd-init
|
||||
|
|
|
|||
|
|
@ -587,6 +587,7 @@ data:
|
|||
pullPolicy: ""
|
||||
version: v2.1.0
|
||||
iptablesMode: legacy
|
||||
kubeAPIServerPorts: 443,6443
|
||||
logFormat: ""
|
||||
logLevel: ""
|
||||
privileged: false
|
||||
|
|
@ -920,7 +921,7 @@ spec:
|
|||
- --inbound-ports-to-ignore
|
||||
- "4190,4191,4567,4568"
|
||||
- --outbound-ports-to-ignore
|
||||
- "443"
|
||||
- "443,6443"
|
||||
image: my.custom.registry/linkerd-io/proxy-init:v2.1.0
|
||||
imagePullPolicy: IfNotPresent
|
||||
name: linkerd-init
|
||||
|
|
@ -1342,7 +1343,7 @@ spec:
|
|||
- --inbound-ports-to-ignore
|
||||
- "4190,4191,4567,4568"
|
||||
- --outbound-ports-to-ignore
|
||||
- "443"
|
||||
- "443,6443"
|
||||
image: my.custom.registry/linkerd-io/proxy-init:v2.1.0
|
||||
imagePullPolicy: IfNotPresent
|
||||
name: linkerd-init
|
||||
|
|
|
|||
|
|
@ -587,6 +587,7 @@ data:
|
|||
pullPolicy: ""
|
||||
version: v2.1.0
|
||||
iptablesMode: legacy
|
||||
kubeAPIServerPorts: 443,6443
|
||||
logFormat: ""
|
||||
logLevel: ""
|
||||
privileged: false
|
||||
|
|
@ -920,7 +921,7 @@ spec:
|
|||
- --inbound-ports-to-ignore
|
||||
- "4190,4191,4567,4568"
|
||||
- --outbound-ports-to-ignore
|
||||
- "443"
|
||||
- "443,6443"
|
||||
image: cr.l5d.io/linkerd/proxy-init:v2.1.0
|
||||
imagePullPolicy: IfNotPresent
|
||||
name: linkerd-init
|
||||
|
|
@ -1342,7 +1343,7 @@ spec:
|
|||
- --inbound-ports-to-ignore
|
||||
- "4190,4191,4567,4568"
|
||||
- --outbound-ports-to-ignore
|
||||
- "443"
|
||||
- "443,6443"
|
||||
image: cr.l5d.io/linkerd/proxy-init:v2.1.0
|
||||
imagePullPolicy: IfNotPresent
|
||||
name: linkerd-init
|
||||
|
|
|
|||
|
|
@ -587,6 +587,7 @@ data:
|
|||
pullPolicy: ""
|
||||
version: v2.1.0
|
||||
iptablesMode: legacy
|
||||
kubeAPIServerPorts: 443,6443
|
||||
logFormat: ""
|
||||
logLevel: ""
|
||||
privileged: false
|
||||
|
|
@ -920,7 +921,7 @@ spec:
|
|||
- --inbound-ports-to-ignore
|
||||
- "4190,4191,4567,4568"
|
||||
- --outbound-ports-to-ignore
|
||||
- "443"
|
||||
- "443,6443"
|
||||
image: cr.l5d.io/linkerd/proxy-init:v2.1.0
|
||||
imagePullPolicy: IfNotPresent
|
||||
name: linkerd-init
|
||||
|
|
@ -1342,7 +1343,7 @@ spec:
|
|||
- --inbound-ports-to-ignore
|
||||
- "4190,4191,4567,4568"
|
||||
- --outbound-ports-to-ignore
|
||||
- "443"
|
||||
- "443,6443"
|
||||
image: cr.l5d.io/linkerd/proxy-init:v2.1.0
|
||||
imagePullPolicy: IfNotPresent
|
||||
name: linkerd-init
|
||||
|
|
|
|||
|
|
@ -587,6 +587,7 @@ data:
|
|||
pullPolicy: ""
|
||||
version: v2.1.0
|
||||
iptablesMode: legacy
|
||||
kubeAPIServerPorts: 443,6443
|
||||
logFormat: ""
|
||||
logLevel: ""
|
||||
privileged: false
|
||||
|
|
@ -918,7 +919,7 @@ spec:
|
|||
- --inbound-ports-to-ignore
|
||||
- "4190,4191,4567,4568"
|
||||
- --outbound-ports-to-ignore
|
||||
- "443"
|
||||
- "443,6443"
|
||||
image: cr.l5d.io/linkerd/proxy-init:v2.1.0
|
||||
imagePullPolicy: IfNotPresent
|
||||
name: linkerd-init
|
||||
|
|
@ -1331,7 +1332,7 @@ spec:
|
|||
- --inbound-ports-to-ignore
|
||||
- "4190,4191,4567,4568"
|
||||
- --outbound-ports-to-ignore
|
||||
- "443"
|
||||
- "443,6443"
|
||||
image: cr.l5d.io/linkerd/proxy-init:v2.1.0
|
||||
imagePullPolicy: IfNotPresent
|
||||
name: linkerd-init
|
||||
|
|
|
|||
|
|
@ -614,6 +614,7 @@ data:
|
|||
pullPolicy: ""
|
||||
version: v2.1.0
|
||||
iptablesMode: legacy
|
||||
kubeAPIServerPorts: 443,6443
|
||||
logFormat: ""
|
||||
logLevel: ""
|
||||
privileged: false
|
||||
|
|
@ -1002,7 +1003,7 @@ spec:
|
|||
- --inbound-ports-to-ignore
|
||||
- "4190,4191,4567,4568"
|
||||
- --outbound-ports-to-ignore
|
||||
- "443"
|
||||
- "443,6443"
|
||||
image: cr.l5d.io/linkerd/proxy-init:v2.1.0
|
||||
imagePullPolicy: IfNotPresent
|
||||
name: linkerd-init
|
||||
|
|
@ -1470,7 +1471,7 @@ spec:
|
|||
- --inbound-ports-to-ignore
|
||||
- "4190,4191,4567,4568"
|
||||
- --outbound-ports-to-ignore
|
||||
- "443"
|
||||
- "443,6443"
|
||||
image: cr.l5d.io/linkerd/proxy-init:v2.1.0
|
||||
imagePullPolicy: IfNotPresent
|
||||
name: linkerd-init
|
||||
|
|
|
|||
|
|
@ -614,6 +614,7 @@ data:
|
|||
pullPolicy: ""
|
||||
version: v2.1.0
|
||||
iptablesMode: legacy
|
||||
kubeAPIServerPorts: 443,6443
|
||||
logFormat: ""
|
||||
logLevel: ""
|
||||
privileged: false
|
||||
|
|
@ -1002,7 +1003,7 @@ spec:
|
|||
- --inbound-ports-to-ignore
|
||||
- "4190,4191,4567,4568"
|
||||
- --outbound-ports-to-ignore
|
||||
- "443"
|
||||
- "443,6443"
|
||||
image: cr.l5d.io/linkerd/proxy-init:v2.1.0
|
||||
imagePullPolicy: IfNotPresent
|
||||
name: linkerd-init
|
||||
|
|
@ -1470,7 +1471,7 @@ spec:
|
|||
- --inbound-ports-to-ignore
|
||||
- "4190,4191,4567,4568"
|
||||
- --outbound-ports-to-ignore
|
||||
- "443"
|
||||
- "443,6443"
|
||||
image: cr.l5d.io/linkerd/proxy-init:v2.1.0
|
||||
imagePullPolicy: IfNotPresent
|
||||
name: linkerd-init
|
||||
|
|
|
|||
|
|
@ -518,6 +518,7 @@ data:
|
|||
pullPolicy: ""
|
||||
version: v2.1.0
|
||||
iptablesMode: legacy
|
||||
kubeAPIServerPorts: 443,6443
|
||||
logFormat: ""
|
||||
logLevel: ""
|
||||
privileged: false
|
||||
|
|
@ -851,7 +852,7 @@ spec:
|
|||
- --inbound-ports-to-ignore
|
||||
- "4190,4191,4567,4568"
|
||||
- --outbound-ports-to-ignore
|
||||
- "443"
|
||||
- "443,6443"
|
||||
image: cr.l5d.io/linkerd/proxy-init:v2.1.0
|
||||
imagePullPolicy: IfNotPresent
|
||||
name: linkerd-init
|
||||
|
|
@ -1273,7 +1274,7 @@ spec:
|
|||
- --inbound-ports-to-ignore
|
||||
- "4190,4191,4567,4568"
|
||||
- --outbound-ports-to-ignore
|
||||
- "443"
|
||||
- "443,6443"
|
||||
image: cr.l5d.io/linkerd/proxy-init:v2.1.0
|
||||
imagePullPolicy: IfNotPresent
|
||||
name: linkerd-init
|
||||
|
|
|
|||
|
|
@ -565,6 +565,7 @@ data:
|
|||
pullPolicy: ""
|
||||
version: test-proxy-init-version
|
||||
iptablesMode: legacy
|
||||
kubeAPIServerPorts: 443,6443
|
||||
logFormat: ""
|
||||
logLevel: ""
|
||||
privileged: false
|
||||
|
|
@ -892,7 +893,7 @@ spec:
|
|||
- --inbound-ports-to-ignore
|
||||
- "4190,4191,222"
|
||||
- --outbound-ports-to-ignore
|
||||
- "443"
|
||||
- "443,6443"
|
||||
image: cr.l5d.io/linkerd/proxy-init:test-proxy-init-version
|
||||
imagePullPolicy: IfNotPresent
|
||||
name: linkerd-init
|
||||
|
|
@ -1317,7 +1318,7 @@ spec:
|
|||
- --inbound-ports-to-ignore
|
||||
- "4190,4191,222"
|
||||
- --outbound-ports-to-ignore
|
||||
- "443"
|
||||
- "443,6443"
|
||||
image: cr.l5d.io/linkerd/proxy-init:test-proxy-init-version
|
||||
imagePullPolicy: IfNotPresent
|
||||
name: linkerd-init
|
||||
|
|
|
|||
|
|
@ -592,6 +592,7 @@ data:
|
|||
pullPolicy: ""
|
||||
version: test-proxy-init-version
|
||||
iptablesMode: legacy
|
||||
kubeAPIServerPorts: 443,6443
|
||||
logFormat: ""
|
||||
logLevel: ""
|
||||
privileged: false
|
||||
|
|
@ -974,7 +975,7 @@ spec:
|
|||
- --inbound-ports-to-ignore
|
||||
- "4190,4191,222"
|
||||
- --outbound-ports-to-ignore
|
||||
- "443"
|
||||
- "443,6443"
|
||||
image: cr.l5d.io/linkerd/proxy-init:test-proxy-init-version
|
||||
imagePullPolicy: IfNotPresent
|
||||
name: linkerd-init
|
||||
|
|
@ -1445,7 +1446,7 @@ spec:
|
|||
- --inbound-ports-to-ignore
|
||||
- "4190,4191,222"
|
||||
- --outbound-ports-to-ignore
|
||||
- "443"
|
||||
- "443,6443"
|
||||
image: cr.l5d.io/linkerd/proxy-init:test-proxy-init-version
|
||||
imagePullPolicy: IfNotPresent
|
||||
name: linkerd-init
|
||||
|
|
|
|||
|
|
@ -596,6 +596,7 @@ data:
|
|||
pullPolicy: ""
|
||||
version: test-proxy-init-version
|
||||
iptablesMode: legacy
|
||||
kubeAPIServerPorts: 443,6443
|
||||
logFormat: ""
|
||||
logLevel: ""
|
||||
privileged: false
|
||||
|
|
@ -982,7 +983,7 @@ spec:
|
|||
- --inbound-ports-to-ignore
|
||||
- "4190,4191,444"
|
||||
- --outbound-ports-to-ignore
|
||||
- "443"
|
||||
- "443,6443"
|
||||
image: cr.l5d.io/linkerd/proxy-init:test-proxy-init-version
|
||||
imagePullPolicy: IfNotPresent
|
||||
name: linkerd-init
|
||||
|
|
@ -1457,7 +1458,7 @@ spec:
|
|||
- --inbound-ports-to-ignore
|
||||
- "4190,4191,444"
|
||||
- --outbound-ports-to-ignore
|
||||
- "443"
|
||||
- "443,6443"
|
||||
image: cr.l5d.io/linkerd/proxy-init:test-proxy-init-version
|
||||
imagePullPolicy: IfNotPresent
|
||||
name: linkerd-init
|
||||
|
|
|
|||
|
|
@ -587,6 +587,7 @@ data:
|
|||
pullPolicy: ""
|
||||
version: test-proxy-init-version
|
||||
iptablesMode: legacy
|
||||
kubeAPIServerPorts: 443,6443
|
||||
logFormat: ""
|
||||
logLevel: ""
|
||||
privileged: false
|
||||
|
|
@ -964,7 +965,7 @@ spec:
|
|||
- --inbound-ports-to-ignore
|
||||
- "4190,4191,222"
|
||||
- --outbound-ports-to-ignore
|
||||
- "443"
|
||||
- "443,6443"
|
||||
image: cr.l5d.io/linkerd/proxy-init:test-proxy-init-version
|
||||
imagePullPolicy: IfNotPresent
|
||||
name: linkerd-init
|
||||
|
|
@ -1435,7 +1436,7 @@ spec:
|
|||
- --inbound-ports-to-ignore
|
||||
- "4190,4191,222"
|
||||
- --outbound-ports-to-ignore
|
||||
- "443"
|
||||
- "443,6443"
|
||||
image: cr.l5d.io/linkerd/proxy-init:test-proxy-init-version
|
||||
imagePullPolicy: IfNotPresent
|
||||
name: linkerd-init
|
||||
|
|
|
|||
|
|
@ -587,6 +587,7 @@ data:
|
|||
pullPolicy: ""
|
||||
version: v2.1.0
|
||||
iptablesMode: legacy
|
||||
kubeAPIServerPorts: 443,6443
|
||||
logFormat: ""
|
||||
logLevel: ""
|
||||
privileged: false
|
||||
|
|
|
|||
|
|
@ -567,6 +567,7 @@ data:
|
|||
pullPolicy: ImagePullPolicy
|
||||
version: ProxyInitVersion
|
||||
iptablesMode: legacy
|
||||
kubeAPIServerPorts: ""
|
||||
logFormat: ""
|
||||
logLevel: ""
|
||||
privileged: false
|
||||
|
|
@ -897,8 +898,6 @@ spec:
|
|||
- "2102"
|
||||
- --inbound-ports-to-ignore
|
||||
- "4190,4191"
|
||||
- --outbound-ports-to-ignore
|
||||
- "443"
|
||||
image: ProxyInitImageName:ProxyInitVersion
|
||||
imagePullPolicy: ImagePullPolicy
|
||||
name: linkerd-init
|
||||
|
|
@ -1324,8 +1323,6 @@ spec:
|
|||
- "2102"
|
||||
- --inbound-ports-to-ignore
|
||||
- "4190,4191"
|
||||
- --outbound-ports-to-ignore
|
||||
- "443"
|
||||
image: ProxyInitImageName:ProxyInitVersion
|
||||
imagePullPolicy: ImagePullPolicy
|
||||
name: linkerd-init
|
||||
|
|
@ -1704,7 +1701,7 @@ spec:
|
|||
---
|
||||
apiVersion: v1
|
||||
data:
|
||||
linkerd-config-overrides: Y2xpVmVyc2lvbjogQ2xpVmVyc2lvbgpjbHVzdGVyTmV0d29ya3M6IENsdXN0ZXJOZXR3b3Jrcwpjb250cm9sUGxhbmVUcmFjaW5nTmFtZXNwYWNlOiAiIgpjb250cm9sbGVySW1hZ2U6IENvbnRyb2xsZXJJbWFnZQpjb250cm9sbGVyTG9nRm9ybWF0OiBDb250cm9sbGVyTG9nRm9ybWF0CmNvbnRyb2xsZXJMb2dMZXZlbDogQ29udHJvbGxlckxvZ0xldmVsCmRlYnVnQ29udGFpbmVyOgogIGltYWdlOgogICAgbmFtZTogRGVidWdJbWFnZU5hbWUKICAgIHB1bGxQb2xpY3k6IERlYnVnSW1hZ2VQdWxsUG9saWN5CiAgICB2ZXJzaW9uOiBEZWJ1Z1ZlcnNpb24KZW5hYmxlRW5kcG9pbnRTbGljZXM6IGZhbHNlCmhlYXJ0YmVhdFNjaGVkdWxlOiAxIDIgMyA0IDUKaWRlbnRpdHk6CiAgaXNzdWVyOgogICAgdGxzOgogICAgICBjcnRQRU06IHwKICAgICAgICAtLS0tLUJFR0lOIENFUlRJRklDQVRFLS0tLS0KICAgICAgICBNSUlCd0RDQ0FXZWdBd0lCQWdJUkFKUklnWjhSdE84RXdnMVhlcGY4VDQ0d0NnWUlLb1pJemowRUF3SXdLVEVuCiAgICAgICAgTUNVR0ExVUVBeE1lYVdSbGJuUnBkSGt1YkdsdWEyVnlaQzVqYkhWemRHVnlMbXh2WTJGc01CNFhEVEl3TURneQogICAgICAgIE9EQTNNVE0wTjFvWERUTXdNRGd5TmpBM01UTTBOMW93S1RFbk1DVUdBMVVFQXhNZWFXUmxiblJwZEhrdWJHbHUKICAgICAgICBhMlZ5WkM1amJIVnpkR1Z5TG14dlkyRnNNRmt3RXdZSEtvWkl6ajBDQVFZSUtvWkl6ajBEQVFjRFFnQUUxL0ZwCiAgICAgICAgZmNSbkRjZWRMNkFqVWFYWVB2NERJTUJhSnVmT0k1Tld0eStYU1g3SmpYZ1p0TTcyZFF2UmFZYW51eEQzNkR0MQogICAgICAgIDIvSnh5aVNneEtXUmRvYXkrYU53TUc0d0RnWURWUjBQQVFIL0JBUURBZ0VHTUJJR0ExVWRFd0VCL3dRSU1BWUIKICAgICAgICBBZjhDQVFBd0hRWURWUjBPQkJZRUZJMVducnFNWUthSEhPbyt6cHlpaURxMnBPMEtNQ2tHQTFVZEVRUWlNQ0NDCiAgICAgICAgSG1sa1pXNTBhWFI1TG14cGJtdGxjbVF1WTJ4MWMzUmxjaTVzYjJOaGJEQUtCZ2dxaGtqT1BRUURBZ05IQURCRQogICAgICAgIEFpQXR1b0k1WHVDdHJHVlJ6U21SVGwycmEyOGFWOU15VFU3ZDVxblRBRkhLU2dJZ1JLQ3ZsdU9TZ0E1TzIxcDUKICAgICAgICA1MXRkcm1rSEVaUnIwcWxMU0pkSFlnRWZNems9CiAgICAgICAgLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQogICAgICBrZXlQRU06IHwKICAgICAgICAtLS0tLUJFR0lOIEVDIFBSSVZBVEUgS0VZLS0tLS0KICAgICAgICBNSGNDQVFFRUlBQWU4bmZielp1OWMvT0IyKzh4Sk0wRno3TlV3VFFhenVsa0ZOczRUSTUrb0FvR0NDcUdTTTQ5CiAgICAgICAgQXdFSG9VUURRZ0FFMS9GcGZjUm5EY2VkTDZBalVhWFlQdjRESU1CYUp1Zk9JNU5XdHkrWFNYN0pqWGdadE03MgogICAgICAgIGRRdlJhWWFudXhEMzZEdDEyL0p4eWlTZ3hLV1Jkb2F5K1E9PQogICAgICAgIC0tLS0tRU5EIEVDIFBSSVZBVEUgS0VZLS0tLS0KaWRlbnRpdHlUcnVzdEFuY2
hvcnNQRU06IHwKICAtLS0tLUJFR0lOIENFUlRJRklDQVRFLS0tLS0KICBNSUlCd1RDQ0FXYWdBd0lCQWdJUWVEWnA1bERhSXlnUTVVZk1LWnJGQVRBS0JnZ3Foa2pPUFFRREFqQXBNU2N3CiAgSlFZRFZRUURFeDVwWkdWdWRHbDBlUzVzYVc1clpYSmtMbU5zZFhOMFpYSXViRzlqWVd3d0hoY05NakF3T0RJNAogIE1EY3hNalEzV2hjTk16QXdPREkyTURjeE1qUTNXakFwTVNjd0pRWURWUVFERXg1cFpHVnVkR2wwZVM1c2FXNXIKICBaWEprTG1Oc2RYTjBaWEl1Ykc5allXd3dXVEFUQmdjcWhrak9QUUlCQmdncWhrak9QUU1CQndOQ0FBUnFjNzBaCiAgbDF2Z3c3OXJqQjV1U0lUSUNVQTZHeWZ2U0ZmY3VJaXM3Qi9YRlNra3dBSFU1Uy9zMUFBUCtSMFRYN0hCV1VDNAogIHVhRzRXV3Npd0pLTm43bWdvM0F3YmpBT0JnTlZIUThCQWY4RUJBTUNBUVl3RWdZRFZSMFRBUUgvQkFnd0JnRUIKICAvd0lCQVRBZEJnTlZIUTRFRmdRVTVZdGpWVlBmZDdJN05MSHNuMkMyNkVCeUdWMHdLUVlEVlIwUkJDSXdJSUllCiAgYVdSbGJuUnBkSGt1YkdsdWEyVnlaQzVqYkhWemRHVnlMbXh2WTJGc01Bb0dDQ3FHU000OUJBTUNBMGtBTUVZQwogIElRQ043bEJGTEREdmp4NlYwK1hranBLRVJSc0pZZjVhZE12bmxvRmw0OGlsSmdJaEFOdHhobmRjcitRSlB1QzgKICB2Z1VDMGQyLzlGTXVlSVZNYis0NldUQ09qc3FyCiAgLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQppbWFnZVB1bGxQb2xpY3k6IEltYWdlUHVsbFBvbGljeQppbWFnZVB1bGxTZWNyZXRzOiBudWxsCmxpbmtlcmRWZXJzaW9uOiBMaW5rZXJkVmVyc2lvbgpwb2RNb25pdG9yOiBudWxsCnBvbGljeUNvbnRyb2xsZXI6CiAgaW1hZ2U6CiAgICBuYW1lOiBQb2xpY3lDb250cm9sbGVySW1hZ2VOYW1lCiAgICBwdWxsUG9saWN5OiBJbWFnZVB1bGxQb2xpY3kKICAgIHZlcnNpb246IFBvbGljeUNvbnRyb2xsZXJWZXJzaW9uCiAgbG9nTGV2ZWw6IGxvZy1sZXZlbAogIHJlc291cmNlczoKICAgIGNwdToKICAgICAgbGltaXQ6IGNwdS1saW1pdAogICAgICByZXF1ZXN0OiBjcHUtcmVxdWVzdAogICAgbWVtb3J5OgogICAgICBsaW1pdDogbWVtb3J5LWxpbWl0CiAgICAgIHJlcXVlc3Q6IG1lbW9yeS1yZXF1ZXN0CnBvbGljeVZhbGlkYXRvcjoKICBjYUJ1bmRsZTogcG9saWN5IHZhbGlkYXRvciBDQSBidW5kbGUKICBleHRlcm5hbFNlY3JldDogdHJ1ZQpwcmlvcml0eUNsYXNzTmFtZTogUHJpb3JpdHlDbGFzc05hbWUKcHJvZmlsZVZhbGlkYXRvcjoKICBjYUJ1bmRsZTogcHJvZmlsZSB2YWxpZGF0b3IgQ0EgYnVuZGxlCiAgZXh0ZXJuYWxTZWNyZXQ6IHRydWUKcHJveHk6CiAgZGVmYXVsdEluYm91bmRQb2xpY3k6IGRlZmF1bHQtYWxsb3ctcG9saWN5CiAgaW1hZ2U6CiAgICBuYW1lOiBQcm94eUltYWdlTmFtZQogICAgcHVsbFBvbGljeTogSW1hZ2VQdWxsUG9saWN5CiAgICB2ZXJzaW9uOiBQcm94eVZlcnNpb24KICBpbmJvdW5kQ29ubmVjdFRpbWVvdXQ6ICIiCiAgb3BhcXVlUG9ydHM6IDI1LDQ0Myw1ODcsMzMwNi
w1NDMyLDExMjExCiAgb3V0Ym91bmRDb25uZWN0VGltZW91dDogIiIKICByZXNvdXJjZXM6CiAgICBjcHU6CiAgICAgIGxpbWl0OiBjcHUtbGltaXQKICAgICAgcmVxdWVzdDogY3B1LXJlcXVlc3QKICAgIG1lbW9yeToKICAgICAgbGltaXQ6IG1lbW9yeS1saW1pdAogICAgICByZXF1ZXN0OiBtZW1vcnktcmVxdWVzdApwcm94eUNvbnRhaW5lck5hbWU6IFByb3h5Q29udGFpbmVyTmFtZQpwcm94eUluaXQ6CiAgaWdub3JlSW5ib3VuZFBvcnRzOiAiIgogIGlnbm9yZU91dGJvdW5kUG9ydHM6ICI0NDMiCiAgaW1hZ2U6CiAgICBuYW1lOiBQcm94eUluaXRJbWFnZU5hbWUKICAgIHB1bGxQb2xpY3k6IEltYWdlUHVsbFBvbGljeQogICAgdmVyc2lvbjogUHJveHlJbml0VmVyc2lvbgogIHJlc291cmNlczoKICAgIGNwdToKICAgICAgcmVxdWVzdDogMTBtCiAgICBtZW1vcnk6CiAgICAgIGxpbWl0OiA1ME1pCiAgICAgIHJlcXVlc3Q6IDEwTWkKcHJveHlJbmplY3RvcjoKICBjYUJ1bmRsZTogcHJveHkgaW5qZWN0b3IgQ0EgYnVuZGxlCiAgZXh0ZXJuYWxTZWNyZXQ6IHRydWUKd2ViaG9va0ZhaWx1cmVQb2xpY3k6IFdlYmhvb2tGYWlsdXJlUG9saWN5Cg==
|
||||
linkerd-config-overrides: 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
|
||||
kind: Secret
|
||||
metadata:
|
||||
creationTimestamp: null
|
||||
|
|
|
|||
|
|
@ -587,6 +587,7 @@ data:
|
|||
pullPolicy: ""
|
||||
version: v2.1.0
|
||||
iptablesMode: legacy
|
||||
kubeAPIServerPorts: 443,6443
|
||||
logFormat: ""
|
||||
logLevel: ""
|
||||
privileged: false
|
||||
|
|
@ -920,7 +921,7 @@ spec:
|
|||
- --inbound-ports-to-ignore
|
||||
- "4190,4191,22,8100-8102"
|
||||
- --outbound-ports-to-ignore
|
||||
- "443"
|
||||
- "443,6443"
|
||||
image: cr.l5d.io/linkerd/proxy-init:v2.1.0
|
||||
imagePullPolicy: IfNotPresent
|
||||
name: linkerd-init
|
||||
|
|
@ -1342,7 +1343,7 @@ spec:
|
|||
- --inbound-ports-to-ignore
|
||||
- "4190,4191,22,8100-8102"
|
||||
- --outbound-ports-to-ignore
|
||||
- "443"
|
||||
- "443,6443"
|
||||
image: cr.l5d.io/linkerd/proxy-init:v2.1.0
|
||||
imagePullPolicy: IfNotPresent
|
||||
name: linkerd-init
|
||||
|
|
|
|||
|
|
@ -587,6 +587,7 @@ data:
|
|||
pullPolicy: ""
|
||||
version: v2.1.0
|
||||
iptablesMode: legacy
|
||||
kubeAPIServerPorts: 443,6443
|
||||
logFormat: ""
|
||||
logLevel: ""
|
||||
privileged: false
|
||||
|
|
@ -920,7 +921,7 @@ spec:
|
|||
- --inbound-ports-to-ignore
|
||||
- "4190,4191,4567,4568"
|
||||
- --outbound-ports-to-ignore
|
||||
- "443"
|
||||
- "443,6443"
|
||||
image: cr.l5d.io/linkerd/proxy-init:v2.1.0
|
||||
imagePullPolicy: IfNotPresent
|
||||
name: linkerd-init
|
||||
|
|
@ -1342,7 +1343,7 @@ spec:
|
|||
- --inbound-ports-to-ignore
|
||||
- "4190,4191,4567,4568"
|
||||
- --outbound-ports-to-ignore
|
||||
- "443"
|
||||
- "443,6443"
|
||||
image: cr.l5d.io/linkerd/proxy-init:v2.1.0
|
||||
imagePullPolicy: IfNotPresent
|
||||
name: linkerd-init
|
||||
|
|
|
|||
|
|
@ -36,6 +36,7 @@ import (
|
|||
"github.com/sirupsen/logrus"
|
||||
v1 "k8s.io/api/core/v1"
|
||||
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
||||
"k8s.io/apimachinery/pkg/util/intstr"
|
||||
)
|
||||
|
||||
// ProxyInit is the configuration for the proxy-init binary
|
||||
|
|
@ -249,9 +250,18 @@ func cmdAdd(args *skel.CmdArgs) error {
|
|||
}
|
||||
|
||||
if pod.GetLabels()[k8s.ControllerComponentLabel] != "" {
|
||||
// Skip 443 outbound port if its a control plane component
|
||||
logEntry.Debug("linkerd-cni: adding 443 to OutboundPortsToIgnore as its a control plane component")
|
||||
options.OutboundPortsToIgnore = append(options.OutboundPortsToIgnore, "443")
|
||||
// Skip k8s api server ports on the outbound side if pod is a
|
||||
// control plane component
|
||||
skippedPorts, err := getApiServerPorts(ctx, client)
|
||||
if err != nil {
|
||||
// If we cannot retrieve the 'kubernetes' service's ports (for
|
||||
// whatever reason), skip default ports: 443, 6443
|
||||
logEntry.Errorf("linkerd-cni: could not retrieve ports from 'kubernetes' service: %v", err)
|
||||
skippedPorts = []string{"443", "6443"}
|
||||
}
|
||||
|
||||
logEntry.Debugf("linkerd-cni: adding %v to OutboundPortsToIgnore as its a control plane component", skippedPorts)
|
||||
options.OutboundPortsToIgnore = append(options.OutboundPortsToIgnore, skippedPorts...)
|
||||
}
|
||||
|
||||
firewallConfiguration, err := cmd.BuildFirewallConfiguration(&options)
|
||||
|
|
@ -298,6 +308,23 @@ func cmdDel(args *skel.CmdArgs) error {
|
|||
return nil
|
||||
}
|
||||
|
||||
func getApiServerPorts(ctx context.Context, api *k8s.KubernetesAPI) ([]string, error) {
|
||||
service, err := api.CoreV1().Services("default").Get(ctx, "kubernetes", metav1.GetOptions{})
|
||||
if err != nil {
|
||||
return []string{}, err
|
||||
}
|
||||
|
||||
ports := make([]string, 0)
|
||||
for _, port := range service.Spec.Ports {
|
||||
ports = append(ports, strconv.Itoa(int(port.Port)))
|
||||
if port.TargetPort.Type == intstr.Int {
|
||||
ports = append(ports, strconv.Itoa(port.TargetPort.IntValue()))
|
||||
}
|
||||
}
|
||||
|
||||
return ports, nil
|
||||
}
|
||||
|
||||
func getAnnotationOverride(ctx context.Context, api *k8s.KubernetesAPI, pod *v1.Pod, key string) (string, error) {
|
||||
// Check if the annotation is present on the pod
|
||||
if override := pod.GetObjectMeta().GetAnnotations()[key]; override != "" {
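Review bot: In cmdAdd the fallback to `[]string{"443", "6443"}` only runs on an error, so a `kubernetes` Service returned with an empty `Spec.Ports` leaves skippedPorts empty and the control plane pod gets no API-server skip at all. Checking `len(skippedPorts) == 0` as well as `err != nil` before applying the default would cover both cases. The helper copies the CLI version but drops its doc comment; something like `// getApiServerPorts returns the Service port and any integer targetPort of the default/kubernetes Service as strings.` would help, and Go initialism style would name it `getAPIServerPorts`. The lookup runs on every cmdAdd for a labelled pod, so it is worth confirming that ctx carries a timeout. cmdAdd and getAnnotationOverride both extend outside the hunks shown.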
|
||||
|
|
|
|||
|
|
@ -122,6 +122,7 @@ type (
|
|||
Capabilities *Capabilities `json:"capabilities"`
|
||||
IgnoreInboundPorts string `json:"ignoreInboundPorts"`
|
||||
IgnoreOutboundPorts string `json:"ignoreOutboundPorts"`
|
||||
KubeAPIServerPorts string `json:"kubeAPIServerPorts"`
|
||||
SkipSubnets string `json:"skipSubnets"`
|
||||
LogLevel string `json:"logLevel"`
|
||||
LogFormat string `json:"logFormat"`
|
||||
|
|
|
|||
|
|
@ -135,6 +135,7 @@ func TestNewValues(t *testing.T) {
|
|||
IptablesMode: "legacy",
|
||||
IgnoreInboundPorts: "4567,4568",
|
||||
IgnoreOutboundPorts: "4567,4568",
|
||||
KubeAPIServerPorts: "443,6443",
|
||||
LogLevel: "",
|
||||
LogFormat: "",
|
||||
Image: &Image{
|
||||
|
|
|
|||