mirror of https://github.com/linkerd/linkerd2.git
core: use serviceAccountToken volume for pod authentication (#7117)
Fixes #3260 ## Summary Currently, Linkerd uses a service Account token to validate a pod during the `Certify` request with identity, through which identity is established on the proxy. This works well and good, as Kubernetes attaches the `default` service account token of a namespace as a volume (unless overridden with a specific service account by the user). Catch here being that this token is aimed at the application to talk to the kubernetes API and not specifically for Linkerd. This means that there are [controls outside of Linkerd](https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#use-the-default-service-account-to-access-the-api-server), to manage this service token, which users might want to use, [causing problems with Linkerd](https://github.com/linkerd/linkerd2/issues/3183) as Linkerd might expect it to be present. To have a more granular control over the token, and not rely on the service token that can be managed externally, [Bound Service Tokens](https://github.com/kubernetes/enhancements/tree/master/keps/sig-auth/1205-bound-service-account-tokens) can be used to generate tokens that are specifically for Linkerd, that are bound to a specific pod, along with an expiry. ## Background on Bounded Service Tokens This feature has been GA’ed in Kubernetes 1.20, and is enabled by default in most cloud provider distributions. Using this feature, Kubernetes can be asked to issue specific tokens for linkerd usage (through audience bound configuration), with a specific expiry time (as the validation happens every 24 hours when establishing identity, we can follow the same), bounded to a specific pod (meaning verification fails if the pod object isn’t available). Because of all these bounds, and not being able to use this token for anything else, This feels like the right thing to rely on to validate a pod to issue a certificate. 
### Pod Identity Name We still use the same service account name as the pod identity (used with metrics, etc) as these tokens are all generated from the same base service account attached to the pod (could be default, or the user overridden one). This can be verified by looking at the `user` field in the `TokenReview` response. <details> <summary>Sample TokenReview response</summary> Here, the new token was created for the vault audience for a pod which had a serviceAccount token volume projection and was using the `mine` serviceAccount in the default namespace. ```json "kind": "TokenReview", "apiVersion": "authentication.k8s.io/v1", "metadata": { "creationTimestamp": null, "managedFields": [ { "manager": "curl", "operation": "Update", "apiVersion": "authentication.k8s.io/v1", "time": "2021-10-19T19:21:40Z", "fieldsType": "FieldsV1", "fieldsV1": {"f:spec":{"f:audiences":{},"f:token":{}}} } ] }, "spec": { "token": "....", "audiences": [ "vault" ] }, "status": { "authenticated": true, "user": { "username": "system:serviceaccount:default:mine", "uid": "889a81bd-e31c-4423-b542-98ddca89bfd9", "groups": [ "system:serviceaccounts", "system:serviceaccounts:default", "system:authenticated" ], "extra": { "authentication.kubernetes.io/pod-name": [ "nginx" ], "authentication.kubernetes.io/pod-uid": [ "ebf36f80-40ee-48ee-a75b-96dcc21466a6" ] } }, "audiences": [ "vault" ] } ``` </details> ## Changes - Update `proxy-injector` and install scripts to include the new projected Volume and VolumeMount. - Update the `identity` pod to validate the token with the linkerd audience key. - Added `identity.serviceAccountTokenProjection` to disable this feature. - Updated err'ing logic with `autoMountServiceAccount: false` to fail only when this feature is disabled. Signed-off-by: Tarun Pothulapati <tarunpothulapati@outlook.com>
parent
493262245d
commit
92421d047a
|
@ -147,6 +147,7 @@ Kubernetes: `>=1.20.0-0`
|
|||
| identity.issuer.tls | object | `{"crtPEM":"","keyPEM":""}` | Which scheme is used for the identity issuer secret format |
|
||||
| identity.issuer.tls.crtPEM | string | `""` | Issuer certificate (ECDSA). It must be provided during install. |
|
||||
| identity.issuer.tls.keyPEM | string | `""` | Key for the issuer certificate (ECDSA). It must be provided during install |
|
||||
| identity.serviceAccountTokenProjection | bool | `true` | Use [Service Account token Volume projection](https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#service-account-token-volume-projection) for pod validation instead of the default token |
|
||||
| identityTrustAnchorsPEM | string | `""` | Trust root certificate (ECDSA). It must be provided during install. |
|
||||
| identityTrustDomain | string | clusterDomain | Trust domain used for identity |
|
||||
| imagePullPolicy | string | `"IfNotPresent"` | Docker image pull policy |
|
||||
|
|
|
@ -315,4 +315,7 @@ spec:
|
|||
{{ if not .Values.cniEnabled -}}
|
||||
- {{- include "partials.proxyInit.volumes.xtables" . | indent 8 | trimPrefix (repeat 7 " ") }}
|
||||
{{ end -}}
|
||||
{{if .Values.identity.serviceAccountTokenProjection -}}
|
||||
- {{- include "partials.proxy.volumes.service-account-token" . | indent 8 | trimPrefix (repeat 7 " ") }}
|
||||
{{ end -}}
|
||||
- {{- include "partials.proxy.volumes.identity" . | indent 8 | trimPrefix (repeat 7 " ") }}
|
||||
|
|
|
@ -222,5 +222,8 @@ spec:
|
|||
{{ if not .Values.cniEnabled -}}
|
||||
- {{- include "partials.proxyInit.volumes.xtables" . | indent 8 | trimPrefix (repeat 7 " ") }}
|
||||
{{ end -}}
|
||||
{{if .Values.identity.serviceAccountTokenProjection -}}
|
||||
- {{- include "partials.proxy.volumes.service-account-token" . | indent 8 | trimPrefix (repeat 7 " ") }}
|
||||
{{ end -}}
|
||||
- {{- include "partials.proxy.volumes.identity" . | indent 8 | trimPrefix (repeat 7 " ") }}
|
||||
{{end -}}
|
||||
|
|
|
@ -125,6 +125,9 @@ spec:
|
|||
{{ if not .Values.cniEnabled -}}
|
||||
- {{- include "partials.proxyInit.volumes.xtables" . | indent 8 | trimPrefix (repeat 7 " ") }}
|
||||
{{ end -}}
|
||||
{{if .Values.identity.serviceAccountTokenProjection -}}
|
||||
- {{- include "partials.proxy.volumes.service-account-token" . | indent 8 | trimPrefix (repeat 7 " ") }}
|
||||
{{ end -}}
|
||||
- {{- include "partials.proxy.volumes.identity" . | indent 8 | trimPrefix (repeat 7 " ") }}
|
||||
---
|
||||
kind: Service
|
||||
|
|
|
@ -228,6 +228,9 @@ debugContainer:
|
|||
identity:
|
||||
# -- If the linkerd-identity-trust-roots ConfigMap has already been created
|
||||
externalCA: false
|
||||
|
||||
# -- Use [Service Account token Volume projection](https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#service-account-token-volume-projection) for pod validation instead of the default token
|
||||
serviceAccountTokenProjection: true
|
||||
issuer:
|
||||
scheme: linkerd.io/tls
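Review bot: The comment on `serviceAccountTokenProjection` does not say what turning the option off costs. With `false`, the proxy env template elsewhere in this commit points `LINKERD2_PROXY_IDENTITY_TOKEN_FILE` back at `/var/run/secrets/kubernetes.io/serviceaccount/token`, which the commit description calls the token meant for the Kubernetes API rather than for Linkerd. The new golden stderr also shows injection failing for pods with `automountServiceAccountToken: false` in that mode. I would extend the comment along the lines of `# -- ... Disabling this falls back to the default service account token, which is not audience-bound to Linkerd, and makes injection fail for pods with automountServiceAccountToken: false`.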
|
||||
|
||||
|
|
|
@ -117,7 +117,11 @@ be used in other contexts.
|
|||
{{- required "Please provide the identity trust anchors" .Values.identityTrustAnchorsPEM | trim | nindent 4 }}
|
||||
{{ end -}}
|
||||
- name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE
|
||||
{{- if .Values.identity.serviceAccountTokenProjection }}
|
||||
value: /var/run/secrets/tokens/linkerd-identity-token
|
||||
{{ else }}
|
||||
value: /var/run/secrets/kubernetes.io/serviceaccount/token
|
||||
{{ end -}}
|
||||
- name: LINKERD2_PROXY_IDENTITY_SVC_ADDR
|
||||
value: {{ternary "localhost.:8080" (printf "linkerd-identity-headless.%s.svc.%s.:8080" .Values.namespace .Values.clusterDomain) (eq (toString .Values.proxy.component) "linkerd-identity")}}
|
||||
- name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME
|
||||
|
@ -179,6 +183,10 @@ volumeMounts:
|
|||
{{- if not .Values.proxy.disableIdentity }}
|
||||
- mountPath: /var/run/linkerd/identity/end-entity
|
||||
name: linkerd-identity-end-entity
|
||||
{{- if .Values.identity.serviceAccountTokenProjection }}
|
||||
- mountPath: /var/run/secrets/tokens
|
||||
name: linkerd-identity-token
|
||||
{{- end }}
|
||||
{{- end -}}
|
||||
{{- if .Values.proxy.saMountPath }}
|
||||
- mountPath: {{.Values.proxy.saMountPath.mountPath}}
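Review bot: The token location is now spelled out in three places that nothing ties together. These are the env value `/var/run/secrets/tokens/linkerd-identity-token` in the first hunk, `mountPath: /var/run/secrets/tokens` in the second, and `path: linkerd-identity-token` in the `partials.proxy.volumes.service-account-token` define. If one of them drifts, the proxy is pointed at a file that does not exist and identity fails only at runtime. A template comment next to the env value, e.g. `{{- /* must equal the linkerd-identity-token mountPath plus the projected volume's path */}}`, would make the coupling visible. Adding `readOnly: true` to the new mount would also document that the proxy never writes there. Both template blocks continue outside the hunks.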
|
||||
|
|
|
@ -8,3 +8,13 @@ name: linkerd-identity-end-entity
|
|||
emptyDir: {}
|
||||
name: {{ .Values.proxyInit.xtMountPath.name }}
|
||||
{{- end -}}
|
||||
|
||||
{{- define "partials.proxy.volumes.service-account-token" -}}
|
||||
name: linkerd-identity-token
|
||||
projected:
|
||||
sources:
|
||||
- serviceAccountToken:
|
||||
path: linkerd-identity-token
|
||||
expirationSeconds: 86400 {{- /* # 24 hours */}}
|
||||
audience: identity.l5d.io
|
||||
{{- end -}}
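Review bot: Nothing on this define says that `audience: identity.l5d.io` and `expirationSeconds: 86400` are one half of a contract with the identity controller. The audience only restricts where the token can be used if the controller's TokenReview asks for the same audience and, while projection is enabled, rejects tokens issued for any other audience. That check is not in this file and should be confirmed on the identity side. The kubelet also replaces the token file before it expires, so the proxy presumably has to re-read it on each certificate request rather than cache it, which this hunk cannot confirm. I would add a template comment above `audience`, for example `{{- /* must match the audience the identity controller passes to TokenReview */}}`.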
|
||||
|
|
|
@ -87,6 +87,14 @@
|
|||
}
|
||||
}
|
||||
},
|
||||
{{- if .Values.identity.serviceAccountTokenProjection}}
|
||||
{
|
||||
"op": "add",
|
||||
"path": "{{$prefix}}/spec/volumes/-",
|
||||
"value":
|
||||
{{- include "partials.proxy.volumes.service-account-token" . | fromYaml | toPrettyJson | nindent 6 }}
|
||||
},
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{
|
||||
"op": "add",
|
||||
|
|
|
@ -31,7 +31,7 @@ const (
|
|||
injectDisabledDesc = "pods are not annotated to disable injection"
|
||||
unsupportedDesc = "at least one resource can be injected or annotated"
|
||||
udpDesc = "pod specs do not include UDP ports"
|
||||
automountServiceAccountTokenDesc = "pods do not have automountServiceAccountToken set to \"false\""
|
||||
automountServiceAccountTokenDesc = "pods do not have automountServiceAccountToken set to \"false\" or service account token projection is enabled"
|
||||
slash = "/"
|
||||
)
|
||||
|
||||
|
|
|
@ -331,12 +331,17 @@ type injectCmd struct {
|
|||
stdOutGoldenFileName string
|
||||
exitCode int
|
||||
injectProxy bool
|
||||
values *linkerd2.Values
|
||||
}
|
||||
|
||||
func testInjectCmd(t *testing.T, tc injectCmd) {
|
||||
testConfig, err := testInstallValues()
|
||||
if err != nil {
|
||||
t.Fatalf("Unexpected error: %v", err)
|
||||
testConfig := tc.values
|
||||
if testConfig == nil {
|
||||
var err error
|
||||
testConfig, err = testInstallValues()
|
||||
if err != nil {
|
||||
t.Fatalf("Unexpected error: %v", err)
|
||||
}
|
||||
}
|
||||
testConfig.Proxy.Image.Version = "testinjectversion"
|
||||
|
||||
|
@ -391,8 +396,20 @@ func TestRunInjectCmd(t *testing.T) {
|
|||
inputFileName: "inject_emojivoto_deployment_automountServiceAccountToken_false.input.yml",
|
||||
stdOutGoldenFileName: "inject_emojivoto_deployment_automountServiceAccountToken_false.golden.yml",
|
||||
stdErrGoldenFileName: "inject_emojivoto_deployment_automountServiceAccountToken_false.golden.stderr",
|
||||
exitCode: 0,
|
||||
injectProxy: true,
|
||||
},
|
||||
{
|
||||
inputFileName: "inject_emojivoto_deployment_automountServiceAccountToken_false.input.yml",
|
||||
stdOutGoldenFileName: "inject_emojivoto_deployment_automountServiceAccountToken_false_volumeProjection_disabled.golden.yml",
|
||||
stdErrGoldenFileName: "inject_emojivoto_deployment_automountServiceAccountToken_false_volumeProjection_disabled.golden.stderr",
|
||||
exitCode: 1,
|
||||
injectProxy: false,
|
||||
values: func() *linkerd2.Values {
|
||||
values, _ := testInstallValues()
|
||||
values.Identity.ServiceAccountTokenProjection = false
|
||||
return values
|
||||
}(),
|
||||
},
|
||||
{
|
||||
inputFileName: "inject_emojivoto_istio.input.yml",
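Review bot: The new table entry in `TestRunInjectCmd` discards the error from `testInstallValues()` (`values, _ := testInstallValues()`). If that call fails and returns a nil pointer, the next line dereferences `values.Identity` and the test panics instead of reporting the cause. `testInjectCmd` in the first hunk already checks the same call with `t.Fatalf`, and the closure can do likewise: `values, err := testInstallValues()` followed by `if err != nil { t.Fatalf("Unexpected error: %v", err) }`. This is the only visible case covering the exit-code-1 path with projection disabled, so a setup failure should surface clearly. Both functions continue outside the hunks.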
|
||||
|
|
|
@ -228,6 +228,7 @@ func TestRender(t *testing.T) {
|
|||
{withCustomDestinationGetNetsValues, "install_default_override_dst_get_nets.golden", values.Options{}},
|
||||
{defaultValues, "install_custom_domain.golden", values.Options{Values: []string{"namespace=l5d"}}},
|
||||
{defaultValues, "install_values_file.golden", values.Options{ValueFiles: []string{filepath.Join("testdata", "install_config.yaml")}}},
|
||||
{defaultValues, "install_default_token.golden", values.Options{Values: []string{"identity.serviceAccountTokenProjection=false"}}},
|
||||
}
|
||||
|
||||
for i, tc := range testCases {
|
||||
|
|
|
@ -4,7 +4,7 @@
|
|||
√ pods are not annotated to disable injection
|
||||
√ at least one resource can be injected or annotated
|
||||
√ pod specs do not include UDP ports
|
||||
√ pods do not have automountServiceAccountToken set to "false"
|
||||
√ pods do not have automountServiceAccountToken set to "false" or service account token projection is enabled
|
||||
|
||||
deployment "nginx" injected
|
||||
|
||||
|
|
|
@ -102,7 +102,7 @@ spec:
|
|||
vgUC0d2/9FMueIVMb+46WTCOjsqr
|
||||
-----END CERTIFICATE-----
|
||||
- name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE
|
||||
value: /var/run/secrets/kubernetes.io/serviceaccount/token
|
||||
value: /var/run/secrets/tokens/linkerd-identity-token
|
||||
- name: LINKERD2_PROXY_IDENTITY_SVC_ADDR
|
||||
value: linkerd-identity-headless.linkerd.svc.cluster.local.:8080
|
||||
- name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME
|
||||
|
@ -144,6 +144,8 @@ spec:
|
|||
volumeMounts:
|
||||
- mountPath: /var/run/linkerd/identity/end-entity
|
||||
name: linkerd-identity-end-entity
|
||||
- mountPath: /var/run/secrets/tokens
|
||||
name: linkerd-identity-token
|
||||
- image: nginx
|
||||
name: nginx
|
||||
ports:
|
||||
|
@ -191,4 +193,11 @@ spec:
|
|||
- emptyDir:
|
||||
medium: Memory
|
||||
name: linkerd-identity-end-entity
|
||||
- name: linkerd-identity-token
|
||||
projected:
|
||||
sources:
|
||||
- serviceAccountToken:
|
||||
audience: identity.l5d.io
|
||||
expirationSeconds: 86400
|
||||
path: linkerd-identity-token
|
||||
---
|
||||
|
|
|
@ -4,7 +4,7 @@
|
|||
√ pods are not annotated to disable injection
|
||||
√ at least one resource can be injected or annotated
|
||||
√ pod specs do not include UDP ports
|
||||
√ pods do not have automountServiceAccountToken set to "false"
|
||||
√ pods do not have automountServiceAccountToken set to "false" or service account token projection is enabled
|
||||
|
||||
deployment "redis" injected
|
||||
|
||||
|
@ -14,7 +14,7 @@ deployment "redis" injected
|
|||
√ pods are not annotated to disable injection
|
||||
√ at least one resource can be injected or annotated
|
||||
√ pod specs do not include UDP ports
|
||||
√ pods do not have automountServiceAccountToken set to "false"
|
||||
√ pods do not have automountServiceAccountToken set to "false" or service account token projection is enabled
|
||||
|
||||
deployment "nginx" injected
|
||||
|
||||
|
|
|
@ -102,7 +102,7 @@ spec:
|
|||
vgUC0d2/9FMueIVMb+46WTCOjsqr
|
||||
-----END CERTIFICATE-----
|
||||
- name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE
|
||||
value: /var/run/secrets/kubernetes.io/serviceaccount/token
|
||||
value: /var/run/secrets/tokens/linkerd-identity-token
|
||||
- name: LINKERD2_PROXY_IDENTITY_SVC_ADDR
|
||||
value: linkerd-identity-headless.linkerd.svc.cluster.local.:8080
|
||||
- name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME
|
||||
|
@ -144,6 +144,8 @@ spec:
|
|||
volumeMounts:
|
||||
- mountPath: /var/run/linkerd/identity/end-entity
|
||||
name: linkerd-identity-end-entity
|
||||
- mountPath: /var/run/secrets/tokens
|
||||
name: linkerd-identity-token
|
||||
- image: redis
|
||||
name: redis
|
||||
ports:
|
||||
|
@ -191,6 +193,13 @@ spec:
|
|||
- emptyDir:
|
||||
medium: Memory
|
||||
name: linkerd-identity-end-entity
|
||||
- name: linkerd-identity-token
|
||||
projected:
|
||||
sources:
|
||||
- serviceAccountToken:
|
||||
audience: identity.l5d.io
|
||||
expirationSeconds: 86400
|
||||
path: linkerd-identity-token
|
||||
---
|
||||
apiVersion: apps/v1
|
||||
kind: Deployment
|
||||
|
@ -296,7 +305,7 @@ spec:
|
|||
vgUC0d2/9FMueIVMb+46WTCOjsqr
|
||||
-----END CERTIFICATE-----
|
||||
- name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE
|
||||
value: /var/run/secrets/kubernetes.io/serviceaccount/token
|
||||
value: /var/run/secrets/tokens/linkerd-identity-token
|
||||
- name: LINKERD2_PROXY_IDENTITY_SVC_ADDR
|
||||
value: linkerd-identity-headless.linkerd.svc.cluster.local.:8080
|
||||
- name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME
|
||||
|
@ -338,6 +347,8 @@ spec:
|
|||
volumeMounts:
|
||||
- mountPath: /var/run/linkerd/identity/end-entity
|
||||
name: linkerd-identity-end-entity
|
||||
- mountPath: /var/run/secrets/tokens
|
||||
name: linkerd-identity-token
|
||||
- image: nginx
|
||||
name: nginx
|
||||
ports:
|
||||
|
@ -385,4 +396,11 @@ spec:
|
|||
- emptyDir:
|
||||
medium: Memory
|
||||
name: linkerd-identity-end-entity
|
||||
- name: linkerd-identity-token
|
||||
projected:
|
||||
sources:
|
||||
- serviceAccountToken:
|
||||
audience: identity.l5d.io
|
||||
expirationSeconds: 86400
|
||||
path: linkerd-identity-token
|
||||
---
|
||||
|
|
|
@ -4,7 +4,7 @@
|
|||
√ pods are not annotated to disable injection
|
||||
√ at least one resource can be injected or annotated
|
||||
√ pod specs do not include UDP ports
|
||||
√ pods do not have automountServiceAccountToken set to "false"
|
||||
√ pods do not have automountServiceAccountToken set to "false" or service account token projection is enabled
|
||||
|
||||
deployment "redis" injected
|
||||
|
||||
|
|
|
@ -102,7 +102,7 @@ spec:
|
|||
vgUC0d2/9FMueIVMb+46WTCOjsqr
|
||||
-----END CERTIFICATE-----
|
||||
- name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE
|
||||
value: /var/run/secrets/kubernetes.io/serviceaccount/token
|
||||
value: /var/run/secrets/tokens/linkerd-identity-token
|
||||
- name: LINKERD2_PROXY_IDENTITY_SVC_ADDR
|
||||
value: linkerd-identity-headless.linkerd.svc.cluster.local.:8080
|
||||
- name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME
|
||||
|
@ -144,6 +144,8 @@ spec:
|
|||
volumeMounts:
|
||||
- mountPath: /var/run/linkerd/identity/end-entity
|
||||
name: linkerd-identity-end-entity
|
||||
- mountPath: /var/run/secrets/tokens
|
||||
name: linkerd-identity-token
|
||||
- image: redis
|
||||
name: redis
|
||||
ports:
|
||||
|
@ -191,4 +193,11 @@ spec:
|
|||
- emptyDir:
|
||||
medium: Memory
|
||||
name: linkerd-identity-end-entity
|
||||
- name: linkerd-identity-token
|
||||
projected:
|
||||
sources:
|
||||
- serviceAccountToken:
|
||||
audience: identity.l5d.io
|
||||
expirationSeconds: 86400
|
||||
path: linkerd-identity-token
|
||||
---
|
||||
|
|
|
@ -110,7 +110,7 @@ spec:
|
|||
vgUC0d2/9FMueIVMb+46WTCOjsqr
|
||||
-----END CERTIFICATE-----
|
||||
- name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE
|
||||
value: /var/run/secrets/kubernetes.io/serviceaccount/token
|
||||
value: /var/run/secrets/tokens/linkerd-identity-token
|
||||
- name: LINKERD2_PROXY_IDENTITY_SVC_ADDR
|
||||
value: linkerd-identity-headless.linkerd.svc.cluster.local.:8080
|
||||
- name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME
|
||||
|
@ -152,6 +152,8 @@ spec:
|
|||
volumeMounts:
|
||||
- mountPath: /var/run/linkerd/identity/end-entity
|
||||
name: linkerd-identity-end-entity
|
||||
- mountPath: /var/run/secrets/tokens
|
||||
name: linkerd-identity-token
|
||||
- args:
|
||||
- serve
|
||||
- --incluster
|
||||
|
@ -231,4 +233,11 @@ spec:
|
|||
- emptyDir:
|
||||
medium: Memory
|
||||
name: linkerd-identity-end-entity
|
||||
- name: linkerd-identity-token
|
||||
projected:
|
||||
sources:
|
||||
- serviceAccountToken:
|
||||
audience: identity.l5d.io
|
||||
expirationSeconds: 86400
|
||||
path: linkerd-identity-token
|
||||
---
|
||||
|
|
|
@ -4,7 +4,7 @@
|
|||
√ pods are not annotated to disable injection
|
||||
√ at least one resource can be injected or annotated
|
||||
√ pod specs do not include UDP ports
|
||||
√ pods do not have automountServiceAccountToken set to "false"
|
||||
√ pods do not have automountServiceAccountToken set to "false" or service account token projection is enabled
|
||||
|
||||
deployment "contour" injected
|
||||
|
||||
|
|
|
@ -104,7 +104,7 @@ spec:
|
|||
vgUC0d2/9FMueIVMb+46WTCOjsqr
|
||||
-----END CERTIFICATE-----
|
||||
- name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE
|
||||
value: /var/run/secrets/kubernetes.io/serviceaccount/token
|
||||
value: /var/run/secrets/tokens/linkerd-identity-token
|
||||
- name: LINKERD2_PROXY_IDENTITY_SVC_ADDR
|
||||
value: linkerd-identity-headless.linkerd.svc.cluster.local.:8080
|
||||
- name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME
|
||||
|
@ -146,6 +146,8 @@ spec:
|
|||
volumeMounts:
|
||||
- mountPath: /var/run/linkerd/identity/end-entity
|
||||
name: linkerd-identity-end-entity
|
||||
- mountPath: /var/run/secrets/tokens
|
||||
name: linkerd-identity-token
|
||||
- env:
|
||||
- name: WEB_PORT
|
||||
value: "80"
|
||||
|
@ -202,6 +204,13 @@ spec:
|
|||
- emptyDir:
|
||||
medium: Memory
|
||||
name: linkerd-identity-end-entity
|
||||
- name: linkerd-identity-token
|
||||
projected:
|
||||
sources:
|
||||
- serviceAccountToken:
|
||||
audience: identity.l5d.io
|
||||
expirationSeconds: 86400
|
||||
path: linkerd-identity-token
|
||||
---
|
||||
apiVersion: apps/v1
|
||||
kind: Deployment
|
||||
|
@ -309,7 +318,7 @@ spec:
|
|||
vgUC0d2/9FMueIVMb+46WTCOjsqr
|
||||
-----END CERTIFICATE-----
|
||||
- name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE
|
||||
value: /var/run/secrets/kubernetes.io/serviceaccount/token
|
||||
value: /var/run/secrets/tokens/linkerd-identity-token
|
||||
- name: LINKERD2_PROXY_IDENTITY_SVC_ADDR
|
||||
value: linkerd-identity-headless.linkerd.svc.cluster.local.:8080
|
||||
- name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME
|
||||
|
@ -351,6 +360,8 @@ spec:
|
|||
volumeMounts:
|
||||
- mountPath: /var/run/linkerd/identity/end-entity
|
||||
name: linkerd-identity-end-entity
|
||||
- mountPath: /var/run/secrets/tokens
|
||||
name: linkerd-identity-token
|
||||
- env:
|
||||
- name: WEB_PORT
|
||||
value: "80"
|
||||
|
@ -407,6 +418,13 @@ spec:
|
|||
- emptyDir:
|
||||
medium: Memory
|
||||
name: linkerd-identity-end-entity
|
||||
- name: linkerd-identity-token
|
||||
projected:
|
||||
sources:
|
||||
- serviceAccountToken:
|
||||
audience: identity.l5d.io
|
||||
expirationSeconds: 86400
|
||||
path: linkerd-identity-token
|
||||
---
|
||||
apiVersion: apps/v1
|
||||
kind: Deployment
|
||||
|
@ -514,7 +532,7 @@ spec:
|
|||
vgUC0d2/9FMueIVMb+46WTCOjsqr
|
||||
-----END CERTIFICATE-----
|
||||
- name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE
|
||||
value: /var/run/secrets/kubernetes.io/serviceaccount/token
|
||||
value: /var/run/secrets/tokens/linkerd-identity-token
|
||||
- name: LINKERD2_PROXY_IDENTITY_SVC_ADDR
|
||||
value: linkerd-identity-headless.linkerd.svc.cluster.local.:8080
|
||||
- name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME
|
||||
|
@ -556,6 +574,8 @@ spec:
|
|||
volumeMounts:
|
||||
- mountPath: /var/run/linkerd/identity/end-entity
|
||||
name: linkerd-identity-end-entity
|
||||
- mountPath: /var/run/secrets/tokens
|
||||
name: linkerd-identity-token
|
||||
- env:
|
||||
- name: WEB_PORT
|
||||
value: "80"
|
||||
|
@ -612,6 +632,13 @@ spec:
|
|||
- emptyDir:
|
||||
medium: Memory
|
||||
name: linkerd-identity-end-entity
|
||||
- name: linkerd-identity-token
|
||||
projected:
|
||||
sources:
|
||||
- serviceAccountToken:
|
||||
audience: identity.l5d.io
|
||||
expirationSeconds: 86400
|
||||
path: linkerd-identity-token
|
||||
---
|
||||
apiVersion: apps/v1
|
||||
kind: Deployment
|
||||
|
@ -719,7 +746,7 @@ spec:
|
|||
vgUC0d2/9FMueIVMb+46WTCOjsqr
|
||||
-----END CERTIFICATE-----
|
||||
- name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE
|
||||
value: /var/run/secrets/kubernetes.io/serviceaccount/token
|
||||
value: /var/run/secrets/tokens/linkerd-identity-token
|
||||
- name: LINKERD2_PROXY_IDENTITY_SVC_ADDR
|
||||
value: linkerd-identity-headless.linkerd.svc.cluster.local.:8080
|
||||
- name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME
|
||||
|
@ -761,6 +788,8 @@ spec:
|
|||
volumeMounts:
|
||||
- mountPath: /var/run/linkerd/identity/end-entity
|
||||
name: linkerd-identity-end-entity
|
||||
- mountPath: /var/run/secrets/tokens
|
||||
name: linkerd-identity-token
|
||||
- env:
|
||||
- name: WEB_PORT
|
||||
value: "80"
|
||||
|
@ -817,4 +846,11 @@ spec:
|
|||
- emptyDir:
|
||||
medium: Memory
|
||||
name: linkerd-identity-end-entity
|
||||
- name: linkerd-identity-token
|
||||
projected:
|
||||
sources:
|
||||
- serviceAccountToken:
|
||||
audience: identity.l5d.io
|
||||
expirationSeconds: 86400
|
||||
path: linkerd-identity-token
|
||||
---
|
||||
|
|
|
@ -4,7 +4,7 @@
|
|||
√ pods are not annotated to disable injection
|
||||
√ at least one resource can be injected or annotated
|
||||
√ pod specs do not include UDP ports
|
||||
√ pods do not have automountServiceAccountToken set to "false"
|
||||
√ pods do not have automountServiceAccountToken set to "false" or service account token projection is enabled
|
||||
|
||||
deployment "web1" injected
|
||||
deployment "web2" injected
|
||||
|
|
|
@ -4,7 +4,7 @@
|
|||
√ pods are not annotated to disable injection
|
||||
√ at least one resource can be injected or annotated
|
||||
√ pod specs do not include UDP ports
|
||||
√ pods do not have automountServiceAccountToken set to "false"
|
||||
√ pods do not have automountServiceAccountToken set to "false" or service account token projection is enabled
|
||||
|
||||
cronjob "hello" injected
|
||||
|
||||
|
|
|
@ -104,7 +104,7 @@ spec:
|
|||
vgUC0d2/9FMueIVMb+46WTCOjsqr
|
||||
-----END CERTIFICATE-----
|
||||
- name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE
|
||||
value: /var/run/secrets/kubernetes.io/serviceaccount/token
|
||||
value: /var/run/secrets/tokens/linkerd-identity-token
|
||||
- name: LINKERD2_PROXY_IDENTITY_SVC_ADDR
|
||||
value: linkerd-identity-headless.linkerd.svc.cluster.local.:8080
|
||||
- name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME
|
||||
|
@ -146,6 +146,8 @@ spec:
|
|||
volumeMounts:
|
||||
- mountPath: /var/run/linkerd/identity/end-entity
|
||||
name: linkerd-identity-end-entity
|
||||
- mountPath: /var/run/secrets/tokens
|
||||
name: linkerd-identity-token
|
||||
- env:
|
||||
- name: WEB_PORT
|
||||
value: "80"
|
||||
|
@ -202,4 +204,11 @@ spec:
|
|||
- emptyDir:
|
||||
medium: Memory
|
||||
name: linkerd-identity-end-entity
|
||||
- name: linkerd-identity-token
|
||||
projected:
|
||||
sources:
|
||||
- serviceAccountToken:
|
||||
audience: identity.l5d.io
|
||||
expirationSeconds: 86400
|
||||
path: linkerd-identity-token
|
||||
---
|
||||
|
|
|
@ -4,7 +4,7 @@
|
|||
√ pods are not annotated to disable injection
|
||||
√ at least one resource can be injected or annotated
|
||||
√ pod specs do not include UDP ports
|
||||
√ pods do not have automountServiceAccountToken set to "false"
|
||||
√ pods do not have automountServiceAccountToken set to "false" or service account token projection is enabled
|
||||
|
||||
deployment "web" injected
|
||||
|
||||
|
|
|
@ -1,2 +1,3 @@
|
|||
Error transforming resources:
|
||||
failed to inject deployment/nginx: automountServiceAccountToken set to "false"
|
||||
|
||||
deployment "nginx" injected
|
||||
|
||||
|
|
|
@ -1,2 +1,10 @@
|
|||
Error transforming resources:
|
||||
failed to inject deployment/nginx: automountServiceAccountToken set to "false"
|
||||
|
||||
√ pods do not use host networking
|
||||
√ pods do not have a 3rd party proxy or initContainer already injected
|
||||
√ pods are not annotated to disable injection
|
||||
√ at least one resource can be injected or annotated
|
||||
√ pod specs do not include UDP ports
|
||||
√ pods do not have automountServiceAccountToken set to "false" or service account token projection is enabled
|
||||
|
||||
deployment "nginx" injected
|
||||
|
||||
|
|
206
cli/cmd/testdata/inject_emojivoto_deployment_automountServiceAccountToken_false.golden.yml
generated
vendored
|
@ -0,0 +1,206 @@
|
|||
apiVersion: apps/v1
|
||||
kind: Deployment
|
||||
metadata:
|
||||
labels:
|
||||
app: nginx
|
||||
name: nginx
|
||||
spec:
|
||||
selector:
|
||||
matchLabels:
|
||||
app: nginx
|
||||
template:
|
||||
metadata:
|
||||
annotations:
|
||||
linkerd.io/created-by: linkerd/cli dev-undefined
|
||||
linkerd.io/identity-mode: default
|
||||
linkerd.io/proxy-version: testinjectversion
|
||||
labels:
|
||||
app: nginx
|
||||
linkerd.io/control-plane-ns: linkerd
|
||||
linkerd.io/proxy-deployment: nginx
|
||||
linkerd.io/workload-ns: ""
|
||||
spec:
|
||||
automountServiceAccountToken: false
|
||||
containers:
|
||||
- env:
|
||||
- name: _pod_name
|
||||
valueFrom:
|
||||
fieldRef:
|
||||
fieldPath: metadata.name
|
||||
- name: _pod_ns
|
||||
valueFrom:
|
||||
fieldRef:
|
||||
fieldPath: metadata.namespace
|
||||
- name: _pod_nodeName
|
||||
valueFrom:
|
||||
fieldRef:
|
||||
fieldPath: spec.nodeName
|
||||
- name: LINKERD2_PROXY_LOG
|
||||
value: warn,linkerd=info
|
||||
- name: LINKERD2_PROXY_LOG_FORMAT
|
||||
value: plain
|
||||
- name: LINKERD2_PROXY_DESTINATION_SVC_ADDR
|
||||
value: linkerd-dst-headless.linkerd.svc.cluster.local.:8086
|
||||
- name: LINKERD2_PROXY_DESTINATION_PROFILE_NETWORKS
|
||||
value: 10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16
|
||||
- name: LINKERD2_PROXY_POLICY_SVC_ADDR
|
||||
value: linkerd-policy.linkerd.svc.cluster.local.:8090
|
||||
- name: LINKERD2_PROXY_POLICY_WORKLOAD
|
||||
value: $(_pod_ns):$(_pod_name)
|
||||
- name: LINKERD2_PROXY_INBOUND_DEFAULT_POLICY
|
||||
value: all-unauthenticated
|
||||
- name: LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS
|
||||
value: 10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16
|
||||
- name: LINKERD2_PROXY_INBOUND_CONNECT_TIMEOUT
|
||||
value: 100ms
|
||||
- name: LINKERD2_PROXY_OUTBOUND_CONNECT_TIMEOUT
|
||||
value: 1000ms
|
||||
- name: LINKERD2_PROXY_CONTROL_LISTEN_ADDR
|
||||
value: 0.0.0.0:4190
|
||||
- name: LINKERD2_PROXY_ADMIN_LISTEN_ADDR
|
||||
value: 0.0.0.0:4191
|
||||
- name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDR
|
||||
value: 127.0.0.1:4140
|
||||
- name: LINKERD2_PROXY_INBOUND_LISTEN_ADDR
|
||||
value: 0.0.0.0:4143
|
||||
- name: LINKERD2_PROXY_INBOUND_IPS
|
||||
valueFrom:
|
||||
fieldRef:
|
||||
fieldPath: status.podIPs
|
||||
- name: LINKERD2_PROXY_INBOUND_PORTS
|
||||
value: "80"
|
||||
- name: LINKERD2_PROXY_DESTINATION_PROFILE_SUFFIXES
|
||||
value: svc.cluster.local.
|
||||
- name: LINKERD2_PROXY_INBOUND_ACCEPT_KEEPALIVE
|
||||
value: 10000ms
|
||||
- name: LINKERD2_PROXY_OUTBOUND_CONNECT_KEEPALIVE
|
||||
value: 10000ms
|
||||
- name: LINKERD2_PROXY_INBOUND_PORTS_DISABLE_PROTOCOL_DETECTION
|
||||
value: 25,587,3306,4444,5432,6379,9300,11211
|
||||
- name: LINKERD2_PROXY_DESTINATION_CONTEXT
|
||||
value: |
|
||||
{"ns":"$(_pod_ns)", "nodeName":"$(_pod_nodeName)"}
|
||||
- name: _pod_sa
|
||||
valueFrom:
|
||||
fieldRef:
|
||||
fieldPath: spec.serviceAccountName
|
||||
- name: _l5d_ns
|
||||
value: linkerd
|
||||
- name: _l5d_trustdomain
|
||||
value: cluster.local
|
||||
- name: LINKERD2_PROXY_IDENTITY_DIR
|
||||
value: /var/run/linkerd/identity/end-entity
|
||||
- name: LINKERD2_PROXY_IDENTITY_TRUST_ANCHORS
|
||||
value: |
|
||||
-----BEGIN CERTIFICATE-----
|
||||
MIIBwTCCAWagAwIBAgIQeDZp5lDaIygQ5UfMKZrFATAKBggqhkjOPQQDAjApMScw
|
||||
JQYDVQQDEx5pZGVudGl0eS5saW5rZXJkLmNsdXN0ZXIubG9jYWwwHhcNMjAwODI4
|
||||
MDcxMjQ3WhcNMzAwODI2MDcxMjQ3WjApMScwJQYDVQQDEx5pZGVudGl0eS5saW5r
|
||||
ZXJkLmNsdXN0ZXIubG9jYWwwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARqc70Z
|
||||
l1vgw79rjB5uSITICUA6GyfvSFfcuIis7B/XFSkkwAHU5S/s1AAP+R0TX7HBWUC4
|
||||
uaG4WWsiwJKNn7mgo3AwbjAOBgNVHQ8BAf8EBAMCAQYwEgYDVR0TAQH/BAgwBgEB
|
||||
/wIBATAdBgNVHQ4EFgQU5YtjVVPfd7I7NLHsn2C26EByGV0wKQYDVR0RBCIwIIIe
|
||||
aWRlbnRpdHkubGlua2VyZC5jbHVzdGVyLmxvY2FsMAoGCCqGSM49BAMCA0kAMEYC
|
||||
IQCN7lBFLDDvjx6V0+XkjpKERRsJYf5adMvnloFl48ilJgIhANtxhndcr+QJPuC8
|
||||
vgUC0d2/9FMueIVMb+46WTCOjsqr
|
||||
-----END CERTIFICATE-----
|
||||
- name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE
|
||||
value: /var/run/secrets/tokens/linkerd-identity-token
|
||||
- name: LINKERD2_PROXY_IDENTITY_SVC_ADDR
|
||||
value: linkerd-identity-headless.linkerd.svc.cluster.local.:8080
|
||||
- name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME
|
||||
value: $(_pod_sa).$(_pod_ns).serviceaccount.identity.linkerd.cluster.local
|
||||
- name: LINKERD2_PROXY_IDENTITY_SVC_NAME
|
||||
value: linkerd-identity.linkerd.serviceaccount.identity.linkerd.cluster.local
|
||||
- name: LINKERD2_PROXY_DESTINATION_SVC_NAME
|
||||
value: linkerd-destination.linkerd.serviceaccount.identity.linkerd.cluster.local
|
||||
- name: LINKERD2_PROXY_POLICY_SVC_NAME
|
||||
value: linkerd-destination.linkerd.serviceaccount.identity.linkerd.cluster.local
|
||||
image: cr.l5d.io/linkerd/proxy:testinjectversion
|
||||
imagePullPolicy: IfNotPresent
|
||||
lifecycle:
|
||||
postStart:
|
||||
exec:
|
||||
command:
|
||||
- /usr/lib/linkerd/linkerd-await
|
||||
livenessProbe:
|
||||
httpGet:
|
||||
path: /live
|
||||
port: 4191
|
||||
initialDelaySeconds: 10
|
||||
name: linkerd-proxy
|
||||
ports:
|
||||
- containerPort: 4143
|
||||
name: linkerd-proxy
|
||||
- containerPort: 4191
|
||||
name: linkerd-admin
|
||||
readinessProbe:
|
||||
httpGet:
|
||||
path: /ready
|
||||
port: 4191
|
||||
initialDelaySeconds: 2
|
||||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
readOnlyRootFilesystem: true
|
||||
runAsUser: 2102
|
||||
terminationMessagePolicy: FallbackToLogsOnError
|
||||
volumeMounts:
|
||||
- mountPath: /var/run/linkerd/identity/end-entity
|
||||
name: linkerd-identity-end-entity
|
||||
- mountPath: /var/run/secrets/tokens
|
||||
name: linkerd-identity-token
|
||||
- image: nginx
|
||||
name: nginx
|
||||
ports:
|
||||
- containerPort: 80
|
||||
name: http
|
||||
initContainers:
|
||||
- args:
|
||||
- --incoming-proxy-port
|
||||
- "4143"
|
||||
- --outgoing-proxy-port
|
||||
- "4140"
|
||||
- --proxy-uid
|
||||
- "2102"
|
||||
- --inbound-ports-to-ignore
|
||||
- 4190,4191,4567,4568
|
||||
- --outbound-ports-to-ignore
|
||||
- 4567,4568
|
||||
image: cr.l5d.io/linkerd/proxy-init:v1.4.1
|
||||
imagePullPolicy: IfNotPresent
|
||||
name: linkerd-init
|
||||
resources:
|
||||
limits:
|
||||
cpu: 100m
|
||||
memory: 50Mi
|
||||
requests:
|
||||
cpu: 10m
|
||||
memory: 10Mi
|
||||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
add:
|
||||
- NET_ADMIN
|
||||
- NET_RAW
|
||||
privileged: false
|
||||
readOnlyRootFilesystem: true
|
||||
runAsNonRoot: false
|
||||
runAsUser: 0
|
||||
terminationMessagePolicy: FallbackToLogsOnError
|
||||
volumeMounts:
|
||||
- mountPath: /run
|
||||
name: linkerd-proxy-init-xtables-lock
|
||||
volumes:
|
||||
- emptyDir: {}
|
||||
name: linkerd-proxy-init-xtables-lock
|
||||
- emptyDir:
|
||||
medium: Memory
|
||||
name: linkerd-identity-end-entity
|
||||
- name: linkerd-identity-token
|
||||
projected:
|
||||
sources:
|
||||
- serviceAccountToken:
|
||||
audience: identity.l5d.io
|
||||
expirationSeconds: 86400
|
||||
path: linkerd-identity-token
|
||||
---
|
|
@ -0,0 +1,2 @@
|
|||
Error transforming resources:
|
||||
failed to inject deployment/nginx: automountServiceAccountToken set to "false", with Values.identity.serviceAccountTokenProjection set to "false"
|
|
@ -0,0 +1,2 @@
|
|||
Error transforming resources:
|
||||
failed to inject deployment/nginx: automountServiceAccountToken set to "false", with Values.identity.serviceAccountTokenProjection set to "false"
|
0
cli/cmd/testdata/inject_emojivoto_deployment_automountServiceAccountToken_false_volumeProjection_disabled.golden.yml
generated
vendored
Normal file
|
@ -104,7 +104,7 @@ spec:
|
|||
vgUC0d2/9FMueIVMb+46WTCOjsqr
|
||||
-----END CERTIFICATE-----
|
||||
- name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE
|
||||
value: /var/run/secrets/kubernetes.io/serviceaccount/token
|
||||
value: /var/run/secrets/tokens/linkerd-identity-token
|
||||
- name: LINKERD2_PROXY_IDENTITY_SVC_ADDR
|
||||
value: linkerd-identity-headless.linkerd.svc.cluster.local.:8080
|
||||
- name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME
|
||||
|
@ -151,6 +151,8 @@ spec:
|
|||
volumeMounts:
|
||||
- mountPath: /var/run/linkerd/identity/end-entity
|
||||
name: linkerd-identity-end-entity
|
||||
- mountPath: /var/run/secrets/tokens
|
||||
name: linkerd-identity-token
|
||||
- env:
|
||||
- name: WEB_PORT
|
||||
value: "80"
|
||||
|
@ -218,4 +220,11 @@ spec:
|
|||
- emptyDir:
|
||||
medium: Memory
|
||||
name: linkerd-identity-end-entity
|
||||
- name: linkerd-identity-token
|
||||
projected:
|
||||
sources:
|
||||
- serviceAccountToken:
|
||||
audience: identity.l5d.io
|
||||
expirationSeconds: 86400
|
||||
path: linkerd-identity-token
|
||||
---
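Review bot: The mount of `linkerd-identity-token` at `/var/run/secrets/tokens` in the second hunk carries no `readOnly: true`. Kubernetes already mounts projected volumes read-only, so this is a point of style rather than a defect. Stating it explicitly documents that the proxy only reads the token, and it keeps the injected pod clean under admission policies that flag writable secret mounts; I would add `readOnly: true` after `name: linkerd-identity-token`. This file is an expected-output fixture, so the change presumably belongs in the proxy template that renders it, which is not shown here. The same applies to the other fixtures in this commit.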
|
||||
|
|
|
@ -114,7 +114,7 @@ spec:
|
|||
vgUC0d2/9FMueIVMb+46WTCOjsqr
|
||||
-----END CERTIFICATE-----
|
||||
- name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE
|
||||
value: /var/run/secrets/kubernetes.io/serviceaccount/token
|
||||
value: /var/run/secrets/tokens/linkerd-identity-token
|
||||
- name: LINKERD2_PROXY_IDENTITY_SVC_ADDR
|
||||
value: linkerd-identity-headless.linkerd.svc.cluster.local.:8080
|
||||
- name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME
|
||||
|
@ -163,6 +163,8 @@ spec:
|
|||
volumeMounts:
|
||||
- mountPath: /var/run/linkerd/identity/end-entity
|
||||
name: linkerd-identity-end-entity
|
||||
- mountPath: /var/run/secrets/tokens
|
||||
name: linkerd-identity-token
|
||||
- env:
|
||||
- name: WEB_PORT
|
||||
value: "80"
|
||||
|
@ -219,4 +221,11 @@ spec:
|
|||
- emptyDir:
|
||||
medium: Memory
|
||||
name: linkerd-identity-end-entity
|
||||
- name: linkerd-identity-token
|
||||
projected:
|
||||
sources:
|
||||
- serviceAccountToken:
|
||||
audience: identity.l5d.io
|
||||
expirationSeconds: 86400
|
||||
path: linkerd-identity-token
|
||||
---
|
||||
|
|
|
@ -104,7 +104,7 @@ spec:
|
|||
vgUC0d2/9FMueIVMb+46WTCOjsqr
|
||||
-----END CERTIFICATE-----
|
||||
- name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE
|
||||
value: /var/run/secrets/kubernetes.io/serviceaccount/token
|
||||
value: /var/run/secrets/tokens/linkerd-identity-token
|
||||
- name: LINKERD2_PROXY_IDENTITY_SVC_ADDR
|
||||
value: linkerd-identity-headless.linkerd.svc.cluster.local.:8080
|
||||
- name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME
|
||||
|
@ -146,6 +146,8 @@ spec:
|
|||
volumeMounts:
|
||||
- mountPath: /var/run/linkerd/identity/end-entity
|
||||
name: linkerd-identity-end-entity
|
||||
- mountPath: /var/run/secrets/tokens
|
||||
name: linkerd-identity-token
|
||||
- env:
|
||||
- name: WEB_PORT
|
||||
value: "80"
|
||||
|
@ -202,6 +204,13 @@ spec:
|
|||
- emptyDir:
|
||||
medium: Memory
|
||||
name: linkerd-identity-end-entity
|
||||
- name: linkerd-identity-token
|
||||
projected:
|
||||
sources:
|
||||
- serviceAccountToken:
|
||||
audience: identity.l5d.io
|
||||
expirationSeconds: 86400
|
||||
path: linkerd-identity-token
|
||||
---
|
||||
apiVersion: apps/v1
|
||||
kind: Deployment
|
||||
|
@ -309,7 +318,7 @@ spec:
|
|||
vgUC0d2/9FMueIVMb+46WTCOjsqr
|
||||
-----END CERTIFICATE-----
|
||||
- name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE
|
||||
value: /var/run/secrets/kubernetes.io/serviceaccount/token
|
||||
value: /var/run/secrets/tokens/linkerd-identity-token
|
||||
- name: LINKERD2_PROXY_IDENTITY_SVC_ADDR
|
||||
value: linkerd-identity-headless.linkerd.svc.cluster.local.:8080
|
||||
- name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME
|
||||
|
@ -351,6 +360,8 @@ spec:
|
|||
volumeMounts:
|
||||
- mountPath: /var/run/linkerd/identity/end-entity
|
||||
name: linkerd-identity-end-entity
|
||||
- mountPath: /var/run/secrets/tokens
|
||||
name: linkerd-identity-token
|
||||
- env:
|
||||
- name: WEB_PORT
|
||||
value: "80"
|
||||
|
@ -407,4 +418,11 @@ spec:
|
|||
- emptyDir:
|
||||
medium: Memory
|
||||
name: linkerd-identity-end-entity
|
||||
- name: linkerd-identity-token
|
||||
projected:
|
||||
sources:
|
||||
- serviceAccountToken:
|
||||
audience: identity.l5d.io
|
||||
expirationSeconds: 86400
|
||||
path: linkerd-identity-token
|
||||
---
|
||||
|
|
|
@ -4,7 +4,7 @@
|
|||
√ pods are not annotated to disable injection
|
||||
√ at least one resource can be injected or annotated
|
||||
√ pod specs do not include UDP ports
|
||||
√ pods do not have automountServiceAccountToken set to "false"
|
||||
√ pods do not have automountServiceAccountToken set to "false" or service account token projection is enabled
|
||||
|
||||
deployment "controller" injected
|
||||
deployment "not-controller" injected
|
||||
|
|
|
@ -105,7 +105,7 @@ spec:
|
|||
vgUC0d2/9FMueIVMb+46WTCOjsqr
|
||||
-----END CERTIFICATE-----
|
||||
- name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE
|
||||
value: /var/run/secrets/kubernetes.io/serviceaccount/token
|
||||
value: /var/run/secrets/tokens/linkerd-identity-token
|
||||
- name: LINKERD2_PROXY_IDENTITY_SVC_ADDR
|
||||
value: linkerd-identity-headless.linkerd.svc.cluster.local.:8080
|
||||
- name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME
|
||||
|
@ -147,6 +147,8 @@ spec:
|
|||
volumeMounts:
|
||||
- mountPath: /var/run/linkerd/identity/end-entity
|
||||
name: linkerd-identity-end-entity
|
||||
- mountPath: /var/run/secrets/tokens
|
||||
name: linkerd-identity-token
|
||||
- env:
|
||||
- name: WEB_PORT
|
||||
value: "80"
|
||||
|
@ -207,4 +209,11 @@ spec:
|
|||
- emptyDir:
|
||||
medium: Memory
|
||||
name: linkerd-identity-end-entity
|
||||
- name: linkerd-identity-token
|
||||
projected:
|
||||
sources:
|
||||
- serviceAccountToken:
|
||||
audience: identity.l5d.io
|
||||
expirationSeconds: 86400
|
||||
path: linkerd-identity-token
|
||||
---
|
||||
|
|
|
@ -104,7 +104,7 @@ spec:
|
|||
vgUC0d2/9FMueIVMb+46WTCOjsqr
|
||||
-----END CERTIFICATE-----
|
||||
- name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE
|
||||
value: /var/run/secrets/kubernetes.io/serviceaccount/token
|
||||
value: /var/run/secrets/tokens/linkerd-identity-token
|
||||
- name: LINKERD2_PROXY_IDENTITY_SVC_ADDR
|
||||
value: linkerd-identity-headless.linkerd.svc.cluster.local.:8080
|
||||
- name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME
|
||||
|
@ -146,6 +146,8 @@ spec:
|
|||
volumeMounts:
|
||||
- mountPath: /var/run/linkerd/identity/end-entity
|
||||
name: linkerd-identity-end-entity
|
||||
- mountPath: /var/run/secrets/tokens
|
||||
name: linkerd-identity-token
|
||||
- env:
|
||||
- name: WEB_PORT
|
||||
value: "80"
|
||||
|
@ -202,6 +204,13 @@ spec:
|
|||
- emptyDir:
|
||||
medium: Memory
|
||||
name: linkerd-identity-end-entity
|
||||
- name: linkerd-identity-token
|
||||
projected:
|
||||
sources:
|
||||
- serviceAccountToken:
|
||||
audience: identity.l5d.io
|
||||
expirationSeconds: 86400
|
||||
path: linkerd-identity-token
|
||||
---
|
||||
|
||||
---
|
||||
|
|
|
@ -4,7 +4,7 @@
|
|||
√ pods are not annotated to disable injection
|
||||
√ at least one resource can be injected or annotated
|
||||
√ pod specs do not include UDP ports
|
||||
√ pods do not have automountServiceAccountToken set to "false"
|
||||
√ pods do not have automountServiceAccountToken set to "false" or service account token projection is enabled
|
||||
|
||||
deployment "web" injected
|
||||
document missing "kind" field, skipped
|
||||
|
|
|
@ -104,7 +104,7 @@ spec:
|
|||
vgUC0d2/9FMueIVMb+46WTCOjsqr
|
||||
-----END CERTIFICATE-----
|
||||
- name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE
|
||||
value: /var/run/secrets/kubernetes.io/serviceaccount/token
|
||||
value: /var/run/secrets/tokens/linkerd-identity-token
|
||||
- name: LINKERD2_PROXY_IDENTITY_SVC_ADDR
|
||||
value: linkerd-identity-headless.linkerd.svc.cluster.local.:8080
|
||||
- name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME
|
||||
|
@ -146,6 +146,8 @@ spec:
|
|||
volumeMounts:
|
||||
- mountPath: /var/run/linkerd/identity/end-entity
|
||||
name: linkerd-identity-end-entity
|
||||
- mountPath: /var/run/secrets/tokens
|
||||
name: linkerd-identity-token
|
||||
- env:
|
||||
- name: WEB_PORT
|
||||
value: "80"
|
||||
|
@ -203,4 +205,11 @@ spec:
|
|||
- emptyDir:
|
||||
medium: Memory
|
||||
name: linkerd-identity-end-entity
|
||||
- name: linkerd-identity-token
|
||||
projected:
|
||||
sources:
|
||||
- serviceAccountToken:
|
||||
audience: identity.l5d.io
|
||||
expirationSeconds: 86400
|
||||
path: linkerd-identity-token
|
||||
---
|
||||
|
|
|
@ -4,7 +4,7 @@
|
|||
√ pods are not annotated to disable injection
|
||||
√ at least one resource can be injected or annotated
|
||||
√ pod specs do not include UDP ports
|
||||
√ pods do not have automountServiceAccountToken set to "false"
|
||||
√ pods do not have automountServiceAccountToken set to "false" or service account token projection is enabled
|
||||
|
||||
deployment "web" injected
|
||||
|
||||
|
|
|
@ -4,7 +4,7 @@
|
|||
‼ "linkerd.io/inject: disabled" annotation set on deployment/web
|
||||
√ at least one resource can be injected or annotated
|
||||
√ pod specs do not include UDP ports
|
||||
√ pods do not have automountServiceAccountToken set to "false"
|
||||
√ pods do not have automountServiceAccountToken set to "false" or service account token projection is enabled
|
||||
|
||||
deployment "web" skipped
|
||||
|
||||
|
|
|
@ -104,7 +104,7 @@ spec:
|
|||
vgUC0d2/9FMueIVMb+46WTCOjsqr
|
||||
-----END CERTIFICATE-----
|
||||
- name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE
|
||||
value: /var/run/secrets/kubernetes.io/serviceaccount/token
|
||||
value: /var/run/secrets/tokens/linkerd-identity-token
|
||||
- name: LINKERD2_PROXY_IDENTITY_SVC_ADDR
|
||||
value: linkerd-identity-headless.linkerd.svc.cluster.local.:8080
|
||||
- name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME
|
||||
|
@ -146,6 +146,8 @@ spec:
|
|||
volumeMounts:
|
||||
- mountPath: /var/run/linkerd/identity/end-entity
|
||||
name: linkerd-identity-end-entity
|
||||
- mountPath: /var/run/secrets/tokens
|
||||
name: linkerd-identity-token
|
||||
- env:
|
||||
- name: WEB_PORT
|
||||
value: "80"
|
||||
|
@ -164,4 +166,11 @@ spec:
|
|||
- emptyDir:
|
||||
medium: Memory
|
||||
name: linkerd-identity-end-entity
|
||||
- name: linkerd-identity-token
|
||||
projected:
|
||||
sources:
|
||||
- serviceAccountToken:
|
||||
audience: identity.l5d.io
|
||||
expirationSeconds: 86400
|
||||
path: linkerd-identity-token
|
||||
---
|
||||
|
|
|
@ -105,7 +105,7 @@ spec:
|
|||
vgUC0d2/9FMueIVMb+46WTCOjsqr
|
||||
-----END CERTIFICATE-----
|
||||
- name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE
|
||||
value: /var/run/secrets/kubernetes.io/serviceaccount/token
|
||||
value: /var/run/secrets/tokens/linkerd-identity-token
|
||||
- name: LINKERD2_PROXY_IDENTITY_SVC_ADDR
|
||||
value: linkerd-identity-headless.linkerd.svc.cluster.local.:8080
|
||||
- name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME
|
||||
|
@ -147,6 +147,8 @@ spec:
|
|||
volumeMounts:
|
||||
- mountPath: /var/run/linkerd/identity/end-entity
|
||||
name: linkerd-identity-end-entity
|
||||
- mountPath: /var/run/secrets/tokens
|
||||
name: linkerd-identity-token
|
||||
- env:
|
||||
- name: WEB_PORT
|
||||
value: "80"
|
||||
|
@ -203,4 +205,11 @@ spec:
|
|||
- emptyDir:
|
||||
medium: Memory
|
||||
name: linkerd-identity-end-entity
|
||||
- name: linkerd-identity-token
|
||||
projected:
|
||||
sources:
|
||||
- serviceAccountToken:
|
||||
audience: identity.l5d.io
|
||||
expirationSeconds: 86400
|
||||
path: linkerd-identity-token
|
||||
---
|
||||
|
|
|
@ -4,7 +4,7 @@
|
|||
√ pods are not annotated to disable injection
|
||||
√ at least one resource can be injected or annotated
|
||||
√ pod specs do not include UDP ports
|
||||
√ pods do not have automountServiceAccountToken set to "false"
|
||||
√ pods do not have automountServiceAccountToken set to "false" or service account token projection is enabled
|
||||
|
||||
deployment "web" injected
|
||||
|
||||
|
|
|
@ -105,7 +105,7 @@ spec:
|
|||
vgUC0d2/9FMueIVMb+46WTCOjsqr
|
||||
-----END CERTIFICATE-----
|
||||
- name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE
|
||||
value: /var/run/secrets/kubernetes.io/serviceaccount/token
|
||||
value: /var/run/secrets/tokens/linkerd-identity-token
|
||||
- name: LINKERD2_PROXY_IDENTITY_SVC_ADDR
|
||||
value: linkerd-identity-headless.linkerd.svc.cluster.local.:8080
|
||||
- name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME
|
||||
|
@ -147,6 +147,8 @@ spec:
|
|||
volumeMounts:
|
||||
- mountPath: /var/run/linkerd/identity/end-entity
|
||||
name: linkerd-identity-end-entity
|
||||
- mountPath: /var/run/secrets/tokens
|
||||
name: linkerd-identity-token
|
||||
- env:
|
||||
- name: WEB_PORT
|
||||
value: "80"
|
||||
|
@ -203,4 +205,11 @@ spec:
|
|||
- emptyDir:
|
||||
medium: Memory
|
||||
name: linkerd-identity-end-entity
|
||||
- name: linkerd-identity-token
|
||||
projected:
|
||||
sources:
|
||||
- serviceAccountToken:
|
||||
audience: identity.l5d.io
|
||||
expirationSeconds: 86400
|
||||
path: linkerd-identity-token
|
||||
---
|
||||
|
|
|
@ -106,7 +106,7 @@ spec:
|
|||
vgUC0d2/9FMueIVMb+46WTCOjsqr
|
||||
-----END CERTIFICATE-----
|
||||
- name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE
|
||||
value: /var/run/secrets/kubernetes.io/serviceaccount/token
|
||||
value: /var/run/secrets/tokens/linkerd-identity-token
|
||||
- name: LINKERD2_PROXY_IDENTITY_SVC_ADDR
|
||||
value: linkerd-identity-headless.linkerd.svc.cluster.local.:8080
|
||||
- name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME
|
||||
|
@ -148,6 +148,8 @@ spec:
|
|||
volumeMounts:
|
||||
- mountPath: /var/run/linkerd/identity/end-entity
|
||||
name: linkerd-identity-end-entity
|
||||
- mountPath: /var/run/secrets/tokens
|
||||
name: linkerd-identity-token
|
||||
- env:
|
||||
- name: WEB_PORT
|
||||
value: "80"
|
||||
|
@ -204,4 +206,11 @@ spec:
|
|||
- emptyDir:
|
||||
medium: Memory
|
||||
name: linkerd-identity-end-entity
|
||||
- name: linkerd-identity-token
|
||||
projected:
|
||||
sources:
|
||||
- serviceAccountToken:
|
||||
audience: identity.l5d.io
|
||||
expirationSeconds: 86400
|
||||
path: linkerd-identity-token
|
||||
---
|
||||
|
|
|
@ -104,7 +104,7 @@ spec:
|
|||
vgUC0d2/9FMueIVMb+46WTCOjsqr
|
||||
-----END CERTIFICATE-----
|
||||
- name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE
|
||||
value: /var/run/secrets/kubernetes.io/serviceaccount/token
|
||||
value: /var/run/secrets/tokens/linkerd-identity-token
|
||||
- name: LINKERD2_PROXY_IDENTITY_SVC_ADDR
|
||||
value: linkerd-identity-headless.linkerd.svc.cluster.local.:8080
|
||||
- name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME
|
||||
|
@ -146,6 +146,8 @@ spec:
|
|||
volumeMounts:
|
||||
- mountPath: /var/run/linkerd/identity/end-entity
|
||||
name: linkerd-identity-end-entity
|
||||
- mountPath: /var/run/secrets/tokens
|
||||
name: linkerd-identity-token
|
||||
- env:
|
||||
- name: WEB_PORT
|
||||
value: "80"
|
||||
|
@ -204,4 +206,11 @@ spec:
|
|||
- emptyDir:
|
||||
medium: Memory
|
||||
name: linkerd-identity-end-entity
|
||||
- name: linkerd-identity-token
|
||||
projected:
|
||||
sources:
|
||||
- serviceAccountToken:
|
||||
audience: identity.l5d.io
|
||||
expirationSeconds: 86400
|
||||
path: linkerd-identity-token
|
||||
---
|
||||
|
|
|
@ -4,7 +4,7 @@
|
|||
√ pods are not annotated to disable injection
|
||||
√ at least one resource can be injected or annotated
|
||||
‼ deployment/web uses "protocol: UDP"
|
||||
√ pods do not have automountServiceAccountToken set to "false"
|
||||
√ pods do not have automountServiceAccountToken set to "false" or service account token projection is enabled
|
||||
|
||||
deployment "web" injected
|
||||
|
||||
|
|
|
@ -106,7 +106,7 @@ items:
|
|||
vgUC0d2/9FMueIVMb+46WTCOjsqr
|
||||
-----END CERTIFICATE-----
|
||||
- name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE
|
||||
value: /var/run/secrets/kubernetes.io/serviceaccount/token
|
||||
value: /var/run/secrets/tokens/linkerd-identity-token
|
||||
- name: LINKERD2_PROXY_IDENTITY_SVC_ADDR
|
||||
value: linkerd-identity-headless.linkerd.svc.cluster.local.:8080
|
||||
- name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME
|
||||
|
@ -148,6 +148,8 @@ items:
|
|||
volumeMounts:
|
||||
- mountPath: /var/run/linkerd/identity/end-entity
|
||||
name: linkerd-identity-end-entity
|
||||
- mountPath: /var/run/secrets/tokens
|
||||
name: linkerd-identity-token
|
||||
- env:
|
||||
- name: WEB_PORT
|
||||
value: "80"
|
||||
|
@ -204,6 +206,13 @@ items:
|
|||
- emptyDir:
|
||||
medium: Memory
|
||||
name: linkerd-identity-end-entity
|
||||
- name: linkerd-identity-token
|
||||
projected:
|
||||
sources:
|
||||
- serviceAccountToken:
|
||||
audience: identity.l5d.io
|
||||
expirationSeconds: 86400
|
||||
path: linkerd-identity-token
|
||||
- apiVersion: apps/v1
|
||||
kind: Deployment
|
||||
metadata:
|
||||
|
@ -310,7 +319,7 @@ items:
|
|||
vgUC0d2/9FMueIVMb+46WTCOjsqr
|
||||
-----END CERTIFICATE-----
|
||||
- name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE
|
||||
value: /var/run/secrets/kubernetes.io/serviceaccount/token
|
||||
value: /var/run/secrets/tokens/linkerd-identity-token
|
||||
- name: LINKERD2_PROXY_IDENTITY_SVC_ADDR
|
||||
value: linkerd-identity-headless.linkerd.svc.cluster.local.:8080
|
||||
- name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME
|
||||
|
@ -352,6 +361,8 @@ items:
|
|||
volumeMounts:
|
||||
- mountPath: /var/run/linkerd/identity/end-entity
|
||||
name: linkerd-identity-end-entity
|
||||
- mountPath: /var/run/secrets/tokens
|
||||
name: linkerd-identity-token
|
||||
- env:
|
||||
- name: GRPC_PORT
|
||||
value: "8080"
|
||||
|
@ -403,6 +414,13 @@ items:
|
|||
- emptyDir:
|
||||
medium: Memory
|
||||
name: linkerd-identity-end-entity
|
||||
- name: linkerd-identity-token
|
||||
projected:
|
||||
sources:
|
||||
- serviceAccountToken:
|
||||
audience: identity.l5d.io
|
||||
expirationSeconds: 86400
|
||||
path: linkerd-identity-token
|
||||
kind: List
|
||||
metadata: {}
|
||||
---
|
||||
|
|
|
@ -4,7 +4,7 @@
|
|||
√ pods are not annotated to disable injection
|
||||
√ at least one resource can be injected or annotated
|
||||
√ pod specs do not include UDP ports
|
||||
√ pods do not have automountServiceAccountToken set to "false"
|
||||
√ pods do not have automountServiceAccountToken set to "false" or service account token projection is enabled
|
||||
|
||||
deployment "web" injected
|
||||
deployment "emoji" injected
|
||||
|
|
|
@ -106,7 +106,7 @@ items:
|
|||
vgUC0d2/9FMueIVMb+46WTCOjsqr
|
||||
-----END CERTIFICATE-----
|
||||
- name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE
|
||||
value: /var/run/secrets/kubernetes.io/serviceaccount/token
|
||||
value: /var/run/secrets/tokens/linkerd-identity-token
|
||||
- name: LINKERD2_PROXY_IDENTITY_SVC_ADDR
|
||||
value: linkerd-identity-headless.linkerd.svc.cluster.local.:8080
|
||||
- name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME
|
||||
|
@ -148,6 +148,8 @@ items:
|
|||
volumeMounts:
|
||||
- mountPath: /var/run/linkerd/identity/end-entity
|
||||
name: linkerd-identity-end-entity
|
||||
- mountPath: /var/run/secrets/tokens
|
||||
name: linkerd-identity-token
|
||||
- env:
|
||||
- name: WEB_PORT
|
||||
value: "80"
|
||||
|
@ -204,6 +206,13 @@ items:
|
|||
- emptyDir:
|
||||
medium: Memory
|
||||
name: linkerd-identity-end-entity
|
||||
- name: linkerd-identity-token
|
||||
projected:
|
||||
sources:
|
||||
- serviceAccountToken:
|
||||
audience: identity.l5d.io
|
||||
expirationSeconds: 86400
|
||||
path: linkerd-identity-token
|
||||
- apiVersion: apps/v1
|
||||
kind: Deployment
|
||||
metadata:
|
||||
|
@ -310,7 +319,7 @@ items:
|
|||
vgUC0d2/9FMueIVMb+46WTCOjsqr
|
||||
-----END CERTIFICATE-----
|
||||
- name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE
|
||||
value: /var/run/secrets/kubernetes.io/serviceaccount/token
|
||||
value: /var/run/secrets/tokens/linkerd-identity-token
|
||||
- name: LINKERD2_PROXY_IDENTITY_SVC_ADDR
|
||||
value: linkerd-identity-headless.linkerd.svc.cluster.local.:8080
|
||||
- name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME
|
||||
|
@ -352,6 +361,8 @@ items:
|
|||
volumeMounts:
|
||||
- mountPath: /var/run/linkerd/identity/end-entity
|
||||
name: linkerd-identity-end-entity
|
||||
- mountPath: /var/run/secrets/tokens
|
||||
name: linkerd-identity-token
|
||||
- env:
|
||||
- name: GRPC_PORT
|
||||
value: "8080"
|
||||
|
@ -403,6 +414,13 @@ items:
|
|||
- emptyDir:
|
||||
medium: Memory
|
||||
name: linkerd-identity-end-entity
|
||||
- name: linkerd-identity-token
|
||||
projected:
|
||||
sources:
|
||||
- serviceAccountToken:
|
||||
audience: identity.l5d.io
|
||||
expirationSeconds: 86400
|
||||
path: linkerd-identity-token
|
||||
- null
|
||||
- null
|
||||
kind: List
|
||||
|
|
|
@ -4,7 +4,7 @@
|
|||
√ pods are not annotated to disable injection
|
||||
√ at least one resource can be injected or annotated
|
||||
√ pod specs do not include UDP ports
|
||||
√ pods do not have automountServiceAccountToken set to "false"
|
||||
√ pods do not have automountServiceAccountToken set to "false" or service account token projection is enabled
|
||||
|
||||
deployment "web" injected
|
||||
deployment "emoji" injected
|
||||
|
|
|
@ -4,7 +4,7 @@
|
|||
√ pods are not annotated to disable injection
|
||||
√ at least one resource can be injected or annotated
|
||||
√ pod specs do not include UDP ports
|
||||
√ pods do not have automountServiceAccountToken set to "false"
|
||||
√ pods do not have automountServiceAccountToken set to "false" or service account token projection is enabled
|
||||
|
||||
namespace "emojivoto" skipped
|
||||
|
||||
|
|
|
@ -94,7 +94,7 @@ spec:
|
|||
vgUC0d2/9FMueIVMb+46WTCOjsqr
|
||||
-----END CERTIFICATE-----
|
||||
- name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE
|
||||
value: /var/run/secrets/kubernetes.io/serviceaccount/token
|
||||
value: /var/run/secrets/tokens/linkerd-identity-token
|
||||
- name: LINKERD2_PROXY_IDENTITY_SVC_ADDR
|
||||
value: linkerd-identity-headless.linkerd.svc.cluster.local.:8080
|
||||
- name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME
|
||||
|
@ -136,6 +136,8 @@ spec:
|
|||
volumeMounts:
|
||||
- mountPath: /var/run/linkerd/identity/end-entity
|
||||
name: linkerd-identity-end-entity
|
||||
- mountPath: /var/run/secrets/tokens
|
||||
name: linkerd-identity-token
|
||||
- command:
|
||||
- emojivoto-vote-bot
|
||||
env:
|
||||
|
@ -185,4 +187,11 @@ spec:
|
|||
- emptyDir:
|
||||
medium: Memory
|
||||
name: linkerd-identity-end-entity
|
||||
- name: linkerd-identity-token
|
||||
projected:
|
||||
sources:
|
||||
- serviceAccountToken:
|
||||
audience: identity.l5d.io
|
||||
expirationSeconds: 86400
|
||||
path: linkerd-identity-token
|
||||
---
|
||||
|
|
|
@ -4,7 +4,7 @@
|
|||
√ pods are not annotated to disable injection
|
||||
√ at least one resource can be injected or annotated
|
||||
√ pod specs do not include UDP ports
|
||||
√ pods do not have automountServiceAccountToken set to "false"
|
||||
√ pods do not have automountServiceAccountToken set to "false" or service account token projection is enabled
|
||||
|
||||
pod "vote-bot" injected
|
||||
|
||||
|
|
|
@ -97,7 +97,7 @@ spec:
|
|||
vgUC0d2/9FMueIVMb+46WTCOjsqr
|
||||
-----END CERTIFICATE-----
|
||||
- name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE
|
||||
value: /var/run/secrets/kubernetes.io/serviceaccount/token
|
||||
value: /var/run/secrets/tokens/linkerd-identity-token
|
||||
- name: LINKERD2_PROXY_IDENTITY_SVC_ADDR
|
||||
value: linkerd-identity-headless.linkerd.svc.cluster.local.:8080
|
||||
- name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME
|
||||
|
@ -139,6 +139,8 @@ spec:
|
|||
volumeMounts:
|
||||
- mountPath: /var/run/linkerd/identity/end-entity
|
||||
name: linkerd-identity-end-entity
|
||||
- mountPath: /var/run/secrets/tokens
|
||||
name: linkerd-identity-token
|
||||
- command:
|
||||
- emojivoto-vote-bot
|
||||
env:
|
||||
|
@ -188,4 +190,11 @@ spec:
|
|||
- emptyDir:
|
||||
medium: Memory
|
||||
name: linkerd-identity-end-entity
|
||||
- name: linkerd-identity-token
|
||||
projected:
|
||||
sources:
|
||||
- serviceAccountToken:
|
||||
audience: identity.l5d.io
|
||||
expirationSeconds: 86400
|
||||
path: linkerd-identity-token
|
||||
---
|
||||
|
|
|
@ -4,7 +4,7 @@
|
|||
√ pods are not annotated to disable injection
|
||||
√ at least one resource can be injected or annotated
|
||||
√ pod specs do not include UDP ports
|
||||
√ pods do not have automountServiceAccountToken set to "false"
|
||||
√ pods do not have automountServiceAccountToken set to "false" or service account token projection is enabled
|
||||
|
||||
pod "vote-bot" injected
|
||||
|
||||
|
|
|
@ -96,7 +96,7 @@ spec:
|
|||
vgUC0d2/9FMueIVMb+46WTCOjsqr
|
||||
-----END CERTIFICATE-----
|
||||
- name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE
|
||||
value: /var/run/secrets/kubernetes.io/serviceaccount/token
|
||||
value: /var/run/secrets/tokens/linkerd-identity-token
|
||||
- name: LINKERD2_PROXY_IDENTITY_SVC_ADDR
|
||||
value: linkerd-identity-headless.linkerd.svc.cluster.local.:8080
|
||||
- name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME
|
||||
|
@ -138,6 +138,8 @@ spec:
|
|||
volumeMounts:
|
||||
- mountPath: /var/run/linkerd/identity/end-entity
|
||||
name: linkerd-identity-end-entity
|
||||
- mountPath: /var/run/secrets/tokens
|
||||
name: linkerd-identity-token
|
||||
- command:
|
||||
- emojivoto-vote-bot
|
||||
env:
|
||||
|
@ -187,4 +189,11 @@ spec:
|
|||
- emptyDir:
|
||||
medium: Memory
|
||||
name: linkerd-identity-end-entity
|
||||
- name: linkerd-identity-token
|
||||
projected:
|
||||
sources:
|
||||
- serviceAccountToken:
|
||||
audience: identity.l5d.io
|
||||
expirationSeconds: 86400
|
||||
path: linkerd-identity-token
|
||||
---
|
||||
|
|
|
@ -98,7 +98,7 @@ spec:
|
|||
vgUC0d2/9FMueIVMb+46WTCOjsqr
|
||||
-----END CERTIFICATE-----
|
||||
- name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE
|
||||
value: /var/run/secrets/kubernetes.io/serviceaccount/token
|
||||
value: /var/run/secrets/tokens/linkerd-identity-token
|
||||
- name: LINKERD2_PROXY_IDENTITY_SVC_ADDR
|
||||
value: linkerd-identity-headless.linkerd.svc.cluster.local.:8080
|
||||
- name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME
|
||||
|
@ -147,6 +147,8 @@ spec:
|
|||
volumeMounts:
|
||||
- mountPath: /var/run/linkerd/identity/end-entity
|
||||
name: linkerd-identity-end-entity
|
||||
- mountPath: /var/run/secrets/tokens
|
||||
name: linkerd-identity-token
|
||||
- command:
|
||||
- emojivoto-vote-bot
|
||||
env:
|
||||
|
@ -196,4 +198,11 @@ spec:
|
|||
- emptyDir:
|
||||
medium: Memory
|
||||
name: linkerd-identity-end-entity
|
||||
- name: linkerd-identity-token
|
||||
projected:
|
||||
sources:
|
||||
- serviceAccountToken:
|
||||
audience: identity.l5d.io
|
||||
expirationSeconds: 86400
|
||||
path: linkerd-identity-token
|
||||
---
|
||||
|
|
|
@ -4,7 +4,7 @@
|
|||
√ pods are not annotated to disable injection
|
||||
√ at least one resource can be injected or annotated
|
||||
√ pod specs do not include UDP ports
|
||||
√ pods do not have automountServiceAccountToken set to "false"
|
||||
√ pods do not have automountServiceAccountToken set to "false" or service account token projection is enabled
|
||||
|
||||
pod "vote-bot" injected
|
||||
|
||||
|
|
|
@ -105,7 +105,7 @@ spec:
|
|||
vgUC0d2/9FMueIVMb+46WTCOjsqr
|
||||
-----END CERTIFICATE-----
|
||||
- name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE
|
||||
value: /var/run/secrets/kubernetes.io/serviceaccount/token
|
||||
value: /var/run/secrets/tokens/linkerd-identity-token
|
||||
- name: LINKERD2_PROXY_IDENTITY_SVC_ADDR
|
||||
value: linkerd-identity-headless.linkerd.svc.cluster.local.:8080
|
||||
- name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME
|
||||
|
@ -147,6 +147,8 @@ spec:
|
|||
volumeMounts:
|
||||
- mountPath: /var/run/linkerd/identity/end-entity
|
||||
name: linkerd-identity-end-entity
|
||||
- mountPath: /var/run/secrets/tokens
|
||||
name: linkerd-identity-token
|
||||
- env:
|
||||
- name: WEB_PORT
|
||||
value: "80"
|
||||
|
@ -203,4 +205,11 @@ spec:
|
|||
- emptyDir:
|
||||
medium: Memory
|
||||
name: linkerd-identity-end-entity
|
||||
- name: linkerd-identity-token
|
||||
projected:
|
||||
sources:
|
||||
- serviceAccountToken:
|
||||
audience: identity.l5d.io
|
||||
expirationSeconds: 86400
|
||||
path: linkerd-identity-token
|
||||
---
|
||||
|
|
|
@ -4,7 +4,7 @@
|
|||
√ pods are not annotated to disable injection
|
||||
√ at least one resource can be injected or annotated
|
||||
√ pod specs do not include UDP ports
|
||||
√ pods do not have automountServiceAccountToken set to "false"
|
||||
√ pods do not have automountServiceAccountToken set to "false" or service account token projection is enabled
|
||||
|
||||
statefulset "web" injected
|
||||
|
||||
|
|
|
@ -4,7 +4,7 @@
|
|||
√ pods are not annotated to disable injection
|
||||
√ at least one resource can be injected or annotated
|
||||
√ pod specs do not include UDP ports
|
||||
√ pods do not have automountServiceAccountToken set to "false"
|
||||
√ pods do not have automountServiceAccountToken set to "false" or service account token projection is enabled
|
||||
|
||||
deployment "get-test-deploy-injected-1" injected
|
||||
deployment "get-test-deploy-injected-2" injected
|
||||
|
|
|
@ -100,7 +100,7 @@ spec:
|
|||
vgUC0d2/9FMueIVMb+46WTCOjsqr
|
||||
-----END CERTIFICATE-----
|
||||
- name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE
|
||||
value: /var/run/secrets/kubernetes.io/serviceaccount/token
|
||||
value: /var/run/secrets/tokens/linkerd-identity-token
|
||||
- name: LINKERD2_PROXY_IDENTITY_SVC_ADDR
|
||||
value: linkerd-identity-headless.linkerd.svc.cluster.local.:8080
|
||||
- name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME
|
||||
|
@ -142,6 +142,8 @@ spec:
|
|||
volumeMounts:
|
||||
- mountPath: /var/run/linkerd/identity/end-entity
|
||||
name: linkerd-identity-end-entity
|
||||
- mountPath: /var/run/secrets/tokens
|
||||
name: linkerd-identity-token
|
||||
- args:
|
||||
- terminus
|
||||
- --grpc-server-port
|
||||
|
@ -204,6 +206,13 @@ spec:
|
|||
- emptyDir:
|
||||
medium: Memory
|
||||
name: linkerd-identity-end-entity
|
||||
- name: linkerd-identity-token
|
||||
projected:
|
||||
sources:
|
||||
- serviceAccountToken:
|
||||
audience: identity.l5d.io
|
||||
expirationSeconds: 86400
|
||||
path: linkerd-identity-token
|
||||
---
|
||||
apiVersion: apps/v1
|
||||
kind: Deployment
|
||||
|
@ -307,7 +316,7 @@ spec:
|
|||
vgUC0d2/9FMueIVMb+46WTCOjsqr
|
||||
-----END CERTIFICATE-----
|
||||
- name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE
|
||||
value: /var/run/secrets/kubernetes.io/serviceaccount/token
|
||||
value: /var/run/secrets/tokens/linkerd-identity-token
|
||||
- name: LINKERD2_PROXY_IDENTITY_SVC_ADDR
|
||||
value: linkerd-identity-headless.linkerd.svc.cluster.local.:8080
|
||||
- name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME
|
||||
|
@ -349,6 +358,8 @@ spec:
|
|||
volumeMounts:
|
||||
- mountPath: /var/run/linkerd/identity/end-entity
|
||||
name: linkerd-identity-end-entity
|
||||
- mountPath: /var/run/secrets/tokens
|
||||
name: linkerd-identity-token
|
||||
- args:
|
||||
- terminus
|
||||
- --grpc-server-port
|
||||
|
@ -411,4 +422,11 @@ spec:
|
|||
- emptyDir:
|
||||
medium: Memory
|
||||
name: linkerd-identity-end-entity
|
||||
- name: linkerd-identity-token
|
||||
projected:
|
||||
sources:
|
||||
- serviceAccountToken:
|
||||
audience: identity.l5d.io
|
||||
expirationSeconds: 86400
|
||||
path: linkerd-identity-token
|
||||
---
|
||||
|
|
|
@ -121,7 +121,7 @@ spec:
|
|||
vgUC0d2/9FMueIVMb+46WTCOjsqr
|
||||
-----END CERTIFICATE-----
|
||||
- name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE
|
||||
value: /var/run/secrets/kubernetes.io/serviceaccount/token
|
||||
value: /var/run/secrets/tokens/linkerd-identity-token
|
||||
- name: LINKERD2_PROXY_IDENTITY_SVC_ADDR
|
||||
value: linkerd-identity-headless.linkerd.svc.cluster.local.:8080
|
||||
- name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME
|
||||
|
@ -163,6 +163,8 @@ spec:
|
|||
volumeMounts:
|
||||
- mountPath: /var/run/linkerd/identity/end-entity
|
||||
name: linkerd-identity-end-entity
|
||||
- mountPath: /var/run/secrets/tokens
|
||||
name: linkerd-identity-token
|
||||
- args:
|
||||
- tap
|
||||
- -controller-namespace=linkerd
|
||||
|
@ -270,4 +272,11 @@ spec:
|
|||
- emptyDir:
|
||||
medium: Memory
|
||||
name: linkerd-identity-end-entity
|
||||
- name: linkerd-identity-token
|
||||
projected:
|
||||
sources:
|
||||
- serviceAccountToken:
|
||||
audience: identity.l5d.io
|
||||
expirationSeconds: 86400
|
||||
path: linkerd-identity-token
|
||||
---
|
||||
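Review bot: The new `/var/run/secrets/tokens` mount in the `@ -163,6 +163,8 @@` hunk is rendered without `readOnly: true`; the entry ends at `name: linkerd-identity-token` and the next line appears to start the following container. The kubelet is expected to present projected volumes read-only regardless, so this is about stating intent and satisfying admission policies that look for the field, not about a writable token. I would add `readOnly: true` under that mount in the proxy template, which is outside this view, and regenerate the fixtures. The same mount repeats in every rendered manifest further down this page.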
|
|
|
@ -4,7 +4,7 @@
|
|||
√ pods are not annotated to disable injection
|
||||
√ at least one resource can be injected or annotated
|
||||
√ pod specs do not include UDP ports
|
||||
√ pods do not have automountServiceAccountToken set to "false"
|
||||
√ pods do not have automountServiceAccountToken set to "false" or service account token projection is enabled
|
||||
|
||||
deployment "linkerd-tap" injected
|
||||
|
||||
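Review bot: The reworded label on the last `√` line is hard to parse, because it joins a negated condition and a positive one with "or". When the check fails, the label does not make clear which of the two the user has to change. Putting the positive clause first reads more cleanly, for example `service account token projection is enabled, or pods do not set automountServiceAccountToken to "false"`. The string comes from the check's source, which is outside this view; this file only records the expected output.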
|
|
|
@ -1270,6 +1270,7 @@ data:
|
|||
AiAtuoI5XuCtrGVRzSmRTl2ra28aV9MyTU7d5qnTAFHKSgIgRKCvluOSgA5O21p5
|
||||
51tdrmkHEZRr0qlLSJdHYgEfMzk=
|
||||
-----END CERTIFICATE-----
|
||||
serviceAccountTokenProjection: true
|
||||
identityProxyResources: null
|
||||
identityResources: null
|
||||
identityTrustAnchorsPEM: |
|
||||
|
@ -1634,7 +1635,7 @@ spec:
|
|||
name: linkerd-identity-trust-roots
|
||||
key: ca-bundle.crt
|
||||
- name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE
|
||||
value: /var/run/secrets/kubernetes.io/serviceaccount/token
|
||||
value: /var/run/secrets/tokens/linkerd-identity-token
|
||||
- name: LINKERD2_PROXY_IDENTITY_SVC_ADDR
|
||||
value: localhost.:8080
|
||||
- name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME
|
||||
|
@ -1672,6 +1673,8 @@ spec:
|
|||
volumeMounts:
|
||||
- mountPath: /var/run/linkerd/identity/end-entity
|
||||
name: linkerd-identity-end-entity
|
||||
- mountPath: /var/run/secrets/tokens
|
||||
name: linkerd-identity-token
|
||||
initContainers:
|
||||
- args:
|
||||
- --incoming-proxy-port
|
||||
|
@ -1718,6 +1721,13 @@ spec:
|
|||
name: trust-roots
|
||||
- emptyDir: {}
|
||||
name: linkerd-proxy-init-xtables-lock
|
||||
- name: linkerd-identity-token
|
||||
projected:
|
||||
sources:
|
||||
- serviceAccountToken:
|
||||
path: linkerd-identity-token
|
||||
expirationSeconds: 86400
|
||||
audience: identity.l5d.io
|
||||
- emptyDir:
|
||||
medium: Memory
|
||||
name: linkerd-identity-end-entity
|
||||
|
@ -1931,7 +1941,7 @@ spec:
|
|||
name: linkerd-identity-trust-roots
|
||||
key: ca-bundle.crt
|
||||
- name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE
|
||||
value: /var/run/secrets/kubernetes.io/serviceaccount/token
|
||||
value: /var/run/secrets/tokens/linkerd-identity-token
|
||||
- name: LINKERD2_PROXY_IDENTITY_SVC_ADDR
|
||||
value: linkerd-identity-headless.linkerd.svc.cluster.local.:8080
|
||||
- name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME
|
||||
|
@ -1974,6 +1984,8 @@ spec:
|
|||
volumeMounts:
|
||||
- mountPath: /var/run/linkerd/identity/end-entity
|
||||
name: linkerd-identity-end-entity
|
||||
- mountPath: /var/run/secrets/tokens
|
||||
name: linkerd-identity-token
|
||||
- args:
|
||||
- destination
|
||||
- -addr=:8086
|
||||
|
@ -2116,6 +2128,13 @@ spec:
|
|||
secretName: linkerd-policy-validator-k8s-tls
|
||||
- emptyDir: {}
|
||||
name: linkerd-proxy-init-xtables-lock
|
||||
- name: linkerd-identity-token
|
||||
projected:
|
||||
sources:
|
||||
- serviceAccountToken:
|
||||
path: linkerd-identity-token
|
||||
expirationSeconds: 86400
|
||||
audience: identity.l5d.io
|
||||
- emptyDir:
|
||||
medium: Memory
|
||||
name: linkerd-identity-end-entity
|
||||
|
@ -2283,7 +2302,7 @@ spec:
|
|||
name: linkerd-identity-trust-roots
|
||||
key: ca-bundle.crt
|
||||
- name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE
|
||||
value: /var/run/secrets/kubernetes.io/serviceaccount/token
|
||||
value: /var/run/secrets/tokens/linkerd-identity-token
|
||||
- name: LINKERD2_PROXY_IDENTITY_SVC_ADDR
|
||||
value: linkerd-identity-headless.linkerd.svc.cluster.local.:8080
|
||||
- name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME
|
||||
|
@ -2326,6 +2345,8 @@ spec:
|
|||
volumeMounts:
|
||||
- mountPath: /var/run/linkerd/identity/end-entity
|
||||
name: linkerd-identity-end-entity
|
||||
- mountPath: /var/run/secrets/tokens
|
||||
name: linkerd-identity-token
|
||||
- args:
|
||||
- proxy-injector
|
||||
- -log-level=info
|
||||
|
@ -2407,6 +2428,13 @@ spec:
|
|||
secretName: linkerd-proxy-injector-k8s-tls
|
||||
- emptyDir: {}
|
||||
name: linkerd-proxy-init-xtables-lock
|
||||
- name: linkerd-identity-token
|
||||
projected:
|
||||
sources:
|
||||
- serviceAccountToken:
|
||||
path: linkerd-identity-token
|
||||
expirationSeconds: 86400
|
||||
audience: identity.l5d.io
|
||||
- emptyDir:
|
||||
medium: Memory
|
||||
name: linkerd-identity-end-entity
|
||||
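Review bot: `expirationSeconds: 86400` in the `@ -1718,6 +1721,13 @@` hunk fixes the token lifetime at 24 hours, and nothing on the page says how the proxy handles rotation. The kubelet replaces a projected token before it expires, so whatever reads `/var/run/secrets/tokens/linkerd-identity-token` has to re-read the file for each certificate request instead of keeping the value from start-up. The proxy code is not in this view, so that is worth confirming. I would record the expectation next to the volume in the template, for example `# kubelet rotates this token; the proxy re-reads it on every Certify`. The same volume is rendered for each deployment in this file and in the fixtures that follow.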
|
|
|
@ -1270,6 +1270,7 @@ data:
|
|||
AiAtuoI5XuCtrGVRzSmRTl2ra28aV9MyTU7d5qnTAFHKSgIgRKCvluOSgA5O21p5
|
||||
51tdrmkHEZRr0qlLSJdHYgEfMzk=
|
||||
-----END CERTIFICATE-----
|
||||
serviceAccountTokenProjection: true
|
||||
identityProxyResources: null
|
||||
identityResources: null
|
||||
identityTrustAnchorsPEM: |
|
||||
|
@ -1633,7 +1634,7 @@ spec:
|
|||
name: linkerd-identity-trust-roots
|
||||
key: ca-bundle.crt
|
||||
- name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE
|
||||
value: /var/run/secrets/kubernetes.io/serviceaccount/token
|
||||
value: /var/run/secrets/tokens/linkerd-identity-token
|
||||
- name: LINKERD2_PROXY_IDENTITY_SVC_ADDR
|
||||
value: localhost.:8080
|
||||
- name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME
|
||||
|
@ -1671,6 +1672,8 @@ spec:
|
|||
volumeMounts:
|
||||
- mountPath: /var/run/linkerd/identity/end-entity
|
||||
name: linkerd-identity-end-entity
|
||||
- mountPath: /var/run/secrets/tokens
|
||||
name: linkerd-identity-token
|
||||
initContainers:
|
||||
- args:
|
||||
- --incoming-proxy-port
|
||||
|
@ -1717,6 +1720,13 @@ spec:
|
|||
name: trust-roots
|
||||
- emptyDir: {}
|
||||
name: linkerd-proxy-init-xtables-lock
|
||||
- name: linkerd-identity-token
|
||||
projected:
|
||||
sources:
|
||||
- serviceAccountToken:
|
||||
path: linkerd-identity-token
|
||||
expirationSeconds: 86400
|
||||
audience: identity.l5d.io
|
||||
- emptyDir:
|
||||
medium: Memory
|
||||
name: linkerd-identity-end-entity
|
||||
|
@ -1930,7 +1940,7 @@ spec:
|
|||
name: linkerd-identity-trust-roots
|
||||
key: ca-bundle.crt
|
||||
- name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE
|
||||
value: /var/run/secrets/kubernetes.io/serviceaccount/token
|
||||
value: /var/run/secrets/tokens/linkerd-identity-token
|
||||
- name: LINKERD2_PROXY_IDENTITY_SVC_ADDR
|
||||
value: linkerd-identity-headless.l5d.svc.cluster.local.:8080
|
||||
- name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME
|
||||
|
@ -1973,6 +1983,8 @@ spec:
|
|||
volumeMounts:
|
||||
- mountPath: /var/run/linkerd/identity/end-entity
|
||||
name: linkerd-identity-end-entity
|
||||
- mountPath: /var/run/secrets/tokens
|
||||
name: linkerd-identity-token
|
||||
- args:
|
||||
- destination
|
||||
- -addr=:8086
|
||||
|
@ -2114,6 +2126,13 @@ spec:
|
|||
secretName: linkerd-policy-validator-k8s-tls
|
||||
- emptyDir: {}
|
||||
name: linkerd-proxy-init-xtables-lock
|
||||
- name: linkerd-identity-token
|
||||
projected:
|
||||
sources:
|
||||
- serviceAccountToken:
|
||||
path: linkerd-identity-token
|
||||
expirationSeconds: 86400
|
||||
audience: identity.l5d.io
|
||||
- emptyDir:
|
||||
medium: Memory
|
||||
name: linkerd-identity-end-entity
|
||||
|
@ -2281,7 +2300,7 @@ spec:
|
|||
name: linkerd-identity-trust-roots
|
||||
key: ca-bundle.crt
|
||||
- name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE
|
||||
value: /var/run/secrets/kubernetes.io/serviceaccount/token
|
||||
value: /var/run/secrets/tokens/linkerd-identity-token
|
||||
- name: LINKERD2_PROXY_IDENTITY_SVC_ADDR
|
||||
value: linkerd-identity-headless.l5d.svc.cluster.local.:8080
|
||||
- name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME
|
||||
|
@ -2324,6 +2343,8 @@ spec:
|
|||
volumeMounts:
|
||||
- mountPath: /var/run/linkerd/identity/end-entity
|
||||
name: linkerd-identity-end-entity
|
||||
- mountPath: /var/run/secrets/tokens
|
||||
name: linkerd-identity-token
|
||||
- args:
|
||||
- proxy-injector
|
||||
- -log-level=info
|
||||
|
@ -2405,6 +2426,13 @@ spec:
|
|||
secretName: linkerd-proxy-injector-k8s-tls
|
||||
- emptyDir: {}
|
||||
name: linkerd-proxy-init-xtables-lock
|
||||
- name: linkerd-identity-token
|
||||
projected:
|
||||
sources:
|
||||
- serviceAccountToken:
|
||||
path: linkerd-identity-token
|
||||
expirationSeconds: 86400
|
||||
audience: identity.l5d.io
|
||||
- emptyDir:
|
||||
medium: Memory
|
||||
name: linkerd-identity-end-entity
|
||||
|
|
|
@ -1270,6 +1270,7 @@ data:
|
|||
AiAtuoI5XuCtrGVRzSmRTl2ra28aV9MyTU7d5qnTAFHKSgIgRKCvluOSgA5O21p5
|
||||
51tdrmkHEZRr0qlLSJdHYgEfMzk=
|
||||
-----END CERTIFICATE-----
|
||||
serviceAccountTokenProjection: true
|
||||
identityProxyResources: null
|
||||
identityResources: null
|
||||
identityTrustAnchorsPEM: |
|
||||
|
@ -1633,7 +1634,7 @@ spec:
|
|||
name: linkerd-identity-trust-roots
|
||||
key: ca-bundle.crt
|
||||
- name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE
|
||||
value: /var/run/secrets/kubernetes.io/serviceaccount/token
|
||||
value: /var/run/secrets/tokens/linkerd-identity-token
|
||||
- name: LINKERD2_PROXY_IDENTITY_SVC_ADDR
|
||||
value: localhost.:8080
|
||||
- name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME
|
||||
|
@ -1671,6 +1672,8 @@ spec:
|
|||
volumeMounts:
|
||||
- mountPath: /var/run/linkerd/identity/end-entity
|
||||
name: linkerd-identity-end-entity
|
||||
- mountPath: /var/run/secrets/tokens
|
||||
name: linkerd-identity-token
|
||||
initContainers:
|
||||
- args:
|
||||
- --incoming-proxy-port
|
||||
|
@ -1717,6 +1720,13 @@ spec:
|
|||
name: trust-roots
|
||||
- emptyDir: {}
|
||||
name: linkerd-proxy-init-xtables-lock
|
||||
- name: linkerd-identity-token
|
||||
projected:
|
||||
sources:
|
||||
- serviceAccountToken:
|
||||
path: linkerd-identity-token
|
||||
expirationSeconds: 86400
|
||||
audience: identity.l5d.io
|
||||
- emptyDir:
|
||||
medium: Memory
|
||||
name: linkerd-identity-end-entity
|
||||
|
@ -1930,7 +1940,7 @@ spec:
|
|||
name: linkerd-identity-trust-roots
|
||||
key: ca-bundle.crt
|
||||
- name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE
|
||||
value: /var/run/secrets/kubernetes.io/serviceaccount/token
|
||||
value: /var/run/secrets/tokens/linkerd-identity-token
|
||||
- name: LINKERD2_PROXY_IDENTITY_SVC_ADDR
|
||||
value: linkerd-identity-headless.linkerd.svc.cluster.local.:8080
|
||||
- name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME
|
||||
|
@ -1973,6 +1983,8 @@ spec:
|
|||
volumeMounts:
|
||||
- mountPath: /var/run/linkerd/identity/end-entity
|
||||
name: linkerd-identity-end-entity
|
||||
- mountPath: /var/run/secrets/tokens
|
||||
name: linkerd-identity-token
|
||||
- args:
|
||||
- destination
|
||||
- -addr=:8086
|
||||
|
@ -2114,6 +2126,13 @@ spec:
|
|||
secretName: linkerd-policy-validator-k8s-tls
|
||||
- emptyDir: {}
|
||||
name: linkerd-proxy-init-xtables-lock
|
||||
- name: linkerd-identity-token
|
||||
projected:
|
||||
sources:
|
||||
- serviceAccountToken:
|
||||
path: linkerd-identity-token
|
||||
expirationSeconds: 86400
|
||||
audience: identity.l5d.io
|
||||
- emptyDir:
|
||||
medium: Memory
|
||||
name: linkerd-identity-end-entity
|
||||
|
@ -2281,7 +2300,7 @@ spec:
|
|||
name: linkerd-identity-trust-roots
|
||||
key: ca-bundle.crt
|
||||
- name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE
|
||||
value: /var/run/secrets/kubernetes.io/serviceaccount/token
|
||||
value: /var/run/secrets/tokens/linkerd-identity-token
|
||||
- name: LINKERD2_PROXY_IDENTITY_SVC_ADDR
|
||||
value: linkerd-identity-headless.linkerd.svc.cluster.local.:8080
|
||||
- name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME
|
||||
|
@ -2324,6 +2343,8 @@ spec:
|
|||
volumeMounts:
|
||||
- mountPath: /var/run/linkerd/identity/end-entity
|
||||
name: linkerd-identity-end-entity
|
||||
- mountPath: /var/run/secrets/tokens
|
||||
name: linkerd-identity-token
|
||||
- args:
|
||||
- proxy-injector
|
||||
- -log-level=info
|
||||
|
@ -2405,6 +2426,13 @@ spec:
|
|||
secretName: linkerd-proxy-injector-k8s-tls
|
||||
- emptyDir: {}
|
||||
name: linkerd-proxy-init-xtables-lock
|
||||
- name: linkerd-identity-token
|
||||
projected:
|
||||
sources:
|
||||
- serviceAccountToken:
|
||||
path: linkerd-identity-token
|
||||
expirationSeconds: 86400
|
||||
audience: identity.l5d.io
|
||||
- emptyDir:
|
||||
medium: Memory
|
||||
name: linkerd-identity-end-entity
|
||||
|
|
|
@ -1270,6 +1270,7 @@ data:
|
|||
AiAtuoI5XuCtrGVRzSmRTl2ra28aV9MyTU7d5qnTAFHKSgIgRKCvluOSgA5O21p5
|
||||
51tdrmkHEZRr0qlLSJdHYgEfMzk=
|
||||
-----END CERTIFICATE-----
|
||||
serviceAccountTokenProjection: true
|
||||
identityProxyResources: null
|
||||
identityResources: null
|
||||
identityTrustAnchorsPEM: |
|
||||
|
@ -1633,7 +1634,7 @@ spec:
|
|||
name: linkerd-identity-trust-roots
|
||||
key: ca-bundle.crt
|
||||
- name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE
|
||||
value: /var/run/secrets/kubernetes.io/serviceaccount/token
|
||||
value: /var/run/secrets/tokens/linkerd-identity-token
|
||||
- name: LINKERD2_PROXY_IDENTITY_SVC_ADDR
|
||||
value: localhost.:8080
|
||||
- name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME
|
||||
|
@ -1671,6 +1672,8 @@ spec:
|
|||
volumeMounts:
|
||||
- mountPath: /var/run/linkerd/identity/end-entity
|
||||
name: linkerd-identity-end-entity
|
||||
- mountPath: /var/run/secrets/tokens
|
||||
name: linkerd-identity-token
|
||||
initContainers:
|
||||
- args:
|
||||
- --incoming-proxy-port
|
||||
|
@ -1717,6 +1720,13 @@ spec:
|
|||
name: trust-roots
|
||||
- emptyDir: {}
|
||||
name: linkerd-proxy-init-xtables-lock
|
||||
- name: linkerd-identity-token
|
||||
projected:
|
||||
sources:
|
||||
- serviceAccountToken:
|
||||
path: linkerd-identity-token
|
||||
expirationSeconds: 86400
|
||||
audience: identity.l5d.io
|
||||
- emptyDir:
|
||||
medium: Memory
|
||||
name: linkerd-identity-end-entity
|
||||
|
@ -1930,7 +1940,7 @@ spec:
|
|||
name: linkerd-identity-trust-roots
|
||||
key: ca-bundle.crt
|
||||
- name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE
|
||||
value: /var/run/secrets/kubernetes.io/serviceaccount/token
|
||||
value: /var/run/secrets/tokens/linkerd-identity-token
|
||||
- name: LINKERD2_PROXY_IDENTITY_SVC_ADDR
|
||||
value: linkerd-identity-headless.linkerd.svc.cluster.local.:8080
|
||||
- name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME
|
||||
|
@ -1973,6 +1983,8 @@ spec:
|
|||
volumeMounts:
|
||||
- mountPath: /var/run/linkerd/identity/end-entity
|
||||
name: linkerd-identity-end-entity
|
||||
- mountPath: /var/run/secrets/tokens
|
||||
name: linkerd-identity-token
|
||||
- args:
|
||||
- destination
|
||||
- -addr=:8086
|
||||
|
@ -2114,6 +2126,13 @@ spec:
|
|||
secretName: linkerd-policy-validator-k8s-tls
|
||||
- emptyDir: {}
|
||||
name: linkerd-proxy-init-xtables-lock
|
||||
- name: linkerd-identity-token
|
||||
projected:
|
||||
sources:
|
||||
- serviceAccountToken:
|
||||
path: linkerd-identity-token
|
||||
expirationSeconds: 86400
|
||||
audience: identity.l5d.io
|
||||
- emptyDir:
|
||||
medium: Memory
|
||||
name: linkerd-identity-end-entity
|
||||
|
@ -2281,7 +2300,7 @@ spec:
|
|||
name: linkerd-identity-trust-roots
|
||||
key: ca-bundle.crt
|
||||
- name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE
|
||||
value: /var/run/secrets/kubernetes.io/serviceaccount/token
|
||||
value: /var/run/secrets/tokens/linkerd-identity-token
|
||||
- name: LINKERD2_PROXY_IDENTITY_SVC_ADDR
|
||||
value: linkerd-identity-headless.linkerd.svc.cluster.local.:8080
|
||||
- name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME
|
||||
|
@ -2324,6 +2343,8 @@ spec:
|
|||
volumeMounts:
|
||||
- mountPath: /var/run/linkerd/identity/end-entity
|
||||
name: linkerd-identity-end-entity
|
||||
- mountPath: /var/run/secrets/tokens
|
||||
name: linkerd-identity-token
|
||||
- args:
|
||||
- proxy-injector
|
||||
- -log-level=info
|
||||
|
@ -2405,6 +2426,13 @@ spec:
|
|||
secretName: linkerd-proxy-injector-k8s-tls
|
||||
- emptyDir: {}
|
||||
name: linkerd-proxy-init-xtables-lock
|
||||
- name: linkerd-identity-token
|
||||
projected:
|
||||
sources:
|
||||
- serviceAccountToken:
|
||||
path: linkerd-identity-token
|
||||
expirationSeconds: 86400
|
||||
audience: identity.l5d.io
|
||||
- emptyDir:
|
||||
medium: Memory
|
||||
name: linkerd-identity-end-entity
|
||||
|
|
|
@ -1270,6 +1270,7 @@ data:
|
|||
AiAtuoI5XuCtrGVRzSmRTl2ra28aV9MyTU7d5qnTAFHKSgIgRKCvluOSgA5O21p5
|
||||
51tdrmkHEZRr0qlLSJdHYgEfMzk=
|
||||
-----END CERTIFICATE-----
|
||||
serviceAccountTokenProjection: true
|
||||
identityProxyResources: null
|
||||
identityResources: null
|
||||
identityTrustAnchorsPEM: |
|
||||
|
@ -1633,7 +1634,7 @@ spec:
|
|||
name: linkerd-identity-trust-roots
|
||||
key: ca-bundle.crt
|
||||
- name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE
|
||||
value: /var/run/secrets/kubernetes.io/serviceaccount/token
|
||||
value: /var/run/secrets/tokens/linkerd-identity-token
|
||||
- name: LINKERD2_PROXY_IDENTITY_SVC_ADDR
|
||||
value: localhost.:8080
|
||||
- name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME
|
||||
|
@ -1671,6 +1672,8 @@ spec:
|
|||
volumeMounts:
|
||||
- mountPath: /var/run/linkerd/identity/end-entity
|
||||
name: linkerd-identity-end-entity
|
||||
- mountPath: /var/run/secrets/tokens
|
||||
name: linkerd-identity-token
|
||||
initContainers:
|
||||
- args:
|
||||
- --incoming-proxy-port
|
||||
|
@ -1717,6 +1720,13 @@ spec:
|
|||
name: trust-roots
|
||||
- emptyDir: {}
|
||||
name: linkerd-proxy-init-xtables-lock
|
||||
- name: linkerd-identity-token
|
||||
projected:
|
||||
sources:
|
||||
- serviceAccountToken:
|
||||
path: linkerd-identity-token
|
||||
expirationSeconds: 86400
|
||||
audience: identity.l5d.io
|
||||
- emptyDir:
|
||||
medium: Memory
|
||||
name: linkerd-identity-end-entity
|
||||
|
@ -1930,7 +1940,7 @@ spec:
|
|||
name: linkerd-identity-trust-roots
|
||||
key: ca-bundle.crt
|
||||
- name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE
|
||||
value: /var/run/secrets/kubernetes.io/serviceaccount/token
|
||||
value: /var/run/secrets/tokens/linkerd-identity-token
|
||||
- name: LINKERD2_PROXY_IDENTITY_SVC_ADDR
|
||||
value: linkerd-identity-headless.linkerd.svc.cluster.local.:8080
|
||||
- name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME
|
||||
|
@ -1973,6 +1983,8 @@ spec:
|
|||
volumeMounts:
|
||||
- mountPath: /var/run/linkerd/identity/end-entity
|
||||
name: linkerd-identity-end-entity
|
||||
- mountPath: /var/run/secrets/tokens
|
||||
name: linkerd-identity-token
|
||||
- args:
|
||||
- destination
|
||||
- -addr=:8086
|
||||
|
@ -2114,6 +2126,13 @@ spec:
|
|||
secretName: linkerd-policy-validator-k8s-tls
|
||||
- emptyDir: {}
|
||||
name: linkerd-proxy-init-xtables-lock
|
||||
- name: linkerd-identity-token
|
||||
projected:
|
||||
sources:
|
||||
- serviceAccountToken:
|
||||
path: linkerd-identity-token
|
||||
expirationSeconds: 86400
|
||||
audience: identity.l5d.io
|
||||
- emptyDir:
|
||||
medium: Memory
|
||||
name: linkerd-identity-end-entity
|
||||
|
@ -2281,7 +2300,7 @@ spec:
|
|||
name: linkerd-identity-trust-roots
|
||||
key: ca-bundle.crt
|
||||
- name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE
|
||||
value: /var/run/secrets/kubernetes.io/serviceaccount/token
|
||||
value: /var/run/secrets/tokens/linkerd-identity-token
|
||||
- name: LINKERD2_PROXY_IDENTITY_SVC_ADDR
|
||||
value: linkerd-identity-headless.linkerd.svc.cluster.local.:8080
|
||||
- name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME
|
||||
|
@ -2324,6 +2343,8 @@ spec:
|
|||
volumeMounts:
|
||||
- mountPath: /var/run/linkerd/identity/end-entity
|
||||
name: linkerd-identity-end-entity
|
||||
- mountPath: /var/run/secrets/tokens
|
||||
name: linkerd-identity-token
|
||||
- args:
|
||||
- proxy-injector
|
||||
- -log-level=info
|
||||
|
@ -2405,6 +2426,13 @@ spec:
|
|||
secretName: linkerd-proxy-injector-k8s-tls
|
||||
- emptyDir: {}
|
||||
name: linkerd-proxy-init-xtables-lock
|
||||
- name: linkerd-identity-token
|
||||
projected:
|
||||
sources:
|
||||
- serviceAccountToken:
|
||||
path: linkerd-identity-token
|
||||
expirationSeconds: 86400
|
||||
audience: identity.l5d.io
|
||||
- emptyDir:
|
||||
medium: Memory
|
||||
name: linkerd-identity-end-entity
|
||||
|
|
|
@ -1282,6 +1282,7 @@ data:
|
|||
AiAtuoI5XuCtrGVRzSmRTl2ra28aV9MyTU7d5qnTAFHKSgIgRKCvluOSgA5O21p5
|
||||
51tdrmkHEZRr0qlLSJdHYgEfMzk=
|
||||
-----END CERTIFICATE-----
|
||||
serviceAccountTokenProjection: true
|
||||
identityProxyResources: null
|
||||
identityResources:
|
||||
cpu:
|
||||
|
@ -1702,7 +1703,7 @@ spec:
|
|||
name: linkerd-identity-trust-roots
|
||||
key: ca-bundle.crt
|
||||
- name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE
|
||||
value: /var/run/secrets/kubernetes.io/serviceaccount/token
|
||||
value: /var/run/secrets/tokens/linkerd-identity-token
|
||||
- name: LINKERD2_PROXY_IDENTITY_SVC_ADDR
|
||||
value: localhost.:8080
|
||||
- name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME
|
||||
|
@ -1745,6 +1746,8 @@ spec:
|
|||
volumeMounts:
|
||||
- mountPath: /var/run/linkerd/identity/end-entity
|
||||
name: linkerd-identity-end-entity
|
||||
- mountPath: /var/run/secrets/tokens
|
||||
name: linkerd-identity-token
|
||||
initContainers:
|
||||
- args:
|
||||
- --incoming-proxy-port
|
||||
|
@ -1791,6 +1794,13 @@ spec:
|
|||
name: trust-roots
|
||||
- emptyDir: {}
|
||||
name: linkerd-proxy-init-xtables-lock
|
||||
- name: linkerd-identity-token
|
||||
projected:
|
||||
sources:
|
||||
- serviceAccountToken:
|
||||
path: linkerd-identity-token
|
||||
expirationSeconds: 86400
|
||||
audience: identity.l5d.io
|
||||
- emptyDir:
|
||||
medium: Memory
|
||||
name: linkerd-identity-end-entity
|
||||
|
@ -2043,7 +2053,7 @@ spec:
|
|||
name: linkerd-identity-trust-roots
|
||||
key: ca-bundle.crt
|
||||
- name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE
|
||||
value: /var/run/secrets/kubernetes.io/serviceaccount/token
|
||||
value: /var/run/secrets/tokens/linkerd-identity-token
|
||||
- name: LINKERD2_PROXY_IDENTITY_SVC_ADDR
|
||||
value: linkerd-identity-headless.linkerd.svc.cluster.local.:8080
|
||||
- name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME
|
||||
|
@ -2091,6 +2101,8 @@ spec:
|
|||
volumeMounts:
|
||||
- mountPath: /var/run/linkerd/identity/end-entity
|
||||
name: linkerd-identity-end-entity
|
||||
- mountPath: /var/run/secrets/tokens
|
||||
name: linkerd-identity-token
|
||||
- args:
|
||||
- destination
|
||||
- -addr=:8086
|
||||
|
@ -2238,6 +2250,13 @@ spec:
|
|||
secretName: linkerd-policy-validator-k8s-tls
|
||||
- emptyDir: {}
|
||||
name: linkerd-proxy-init-xtables-lock
|
||||
- name: linkerd-identity-token
|
||||
projected:
|
||||
sources:
|
||||
- serviceAccountToken:
|
||||
path: linkerd-identity-token
|
||||
expirationSeconds: 86400
|
||||
audience: identity.l5d.io
|
||||
- emptyDir:
|
||||
medium: Memory
|
||||
name: linkerd-identity-end-entity
|
||||
|
@ -2434,7 +2453,7 @@ spec:
|
|||
name: linkerd-identity-trust-roots
|
||||
key: ca-bundle.crt
|
||||
- name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE
|
||||
value: /var/run/secrets/kubernetes.io/serviceaccount/token
|
||||
value: /var/run/secrets/tokens/linkerd-identity-token
|
||||
- name: LINKERD2_PROXY_IDENTITY_SVC_ADDR
|
||||
value: linkerd-identity-headless.linkerd.svc.cluster.local.:8080
|
||||
- name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME
|
||||
|
@ -2482,6 +2501,8 @@ spec:
|
|||
volumeMounts:
|
||||
- mountPath: /var/run/linkerd/identity/end-entity
|
||||
name: linkerd-identity-end-entity
|
||||
- mountPath: /var/run/secrets/tokens
|
||||
name: linkerd-identity-token
|
||||
- args:
|
||||
- proxy-injector
|
||||
- -log-level=info
|
||||
|
@ -2569,6 +2590,13 @@ spec:
|
|||
secretName: linkerd-proxy-injector-k8s-tls
|
||||
- emptyDir: {}
|
||||
name: linkerd-proxy-init-xtables-lock
|
||||
- name: linkerd-identity-token
|
||||
projected:
|
||||
sources:
|
||||
- serviceAccountToken:
|
||||
path: linkerd-identity-token
|
||||
expirationSeconds: 86400
|
||||
audience: identity.l5d.io
|
||||
- emptyDir:
|
||||
medium: Memory
|
||||
name: linkerd-identity-end-entity
|
||||
|
|
|
@ -1282,6 +1282,7 @@ data:
|
|||
AiAtuoI5XuCtrGVRzSmRTl2ra28aV9MyTU7d5qnTAFHKSgIgRKCvluOSgA5O21p5
|
||||
51tdrmkHEZRr0qlLSJdHYgEfMzk=
|
||||
-----END CERTIFICATE-----
|
||||
serviceAccountTokenProjection: true
|
||||
identityProxyResources: null
|
||||
identityResources:
|
||||
cpu:
|
||||
|
@ -1702,7 +1703,7 @@ spec:
|
|||
name: linkerd-identity-trust-roots
|
||||
key: ca-bundle.crt
|
||||
- name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE
|
||||
value: /var/run/secrets/kubernetes.io/serviceaccount/token
|
||||
value: /var/run/secrets/tokens/linkerd-identity-token
|
||||
- name: LINKERD2_PROXY_IDENTITY_SVC_ADDR
|
||||
value: localhost.:8080
|
||||
- name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME
|
||||
|
@ -1745,6 +1746,8 @@ spec:
|
|||
volumeMounts:
|
||||
- mountPath: /var/run/linkerd/identity/end-entity
|
||||
name: linkerd-identity-end-entity
|
||||
- mountPath: /var/run/secrets/tokens
|
||||
name: linkerd-identity-token
|
||||
initContainers:
|
||||
- args:
|
||||
- --incoming-proxy-port
|
||||
|
@ -1791,6 +1794,13 @@ spec:
|
|||
name: trust-roots
|
||||
- emptyDir: {}
|
||||
name: linkerd-proxy-init-xtables-lock
|
||||
- name: linkerd-identity-token
|
||||
projected:
|
||||
sources:
|
||||
- serviceAccountToken:
|
||||
path: linkerd-identity-token
|
||||
expirationSeconds: 86400
|
||||
audience: identity.l5d.io
|
||||
- emptyDir:
|
||||
medium: Memory
|
||||
name: linkerd-identity-end-entity
|
||||
|
@ -2043,7 +2053,7 @@ spec:
|
|||
name: linkerd-identity-trust-roots
|
||||
key: ca-bundle.crt
|
||||
- name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE
|
||||
value: /var/run/secrets/kubernetes.io/serviceaccount/token
|
||||
value: /var/run/secrets/tokens/linkerd-identity-token
|
||||
- name: LINKERD2_PROXY_IDENTITY_SVC_ADDR
|
||||
value: linkerd-identity-headless.linkerd.svc.cluster.local.:8080
|
||||
- name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME
|
||||
|
@ -2091,6 +2101,8 @@ spec:
|
|||
volumeMounts:
|
||||
- mountPath: /var/run/linkerd/identity/end-entity
|
||||
name: linkerd-identity-end-entity
|
||||
- mountPath: /var/run/secrets/tokens
|
||||
name: linkerd-identity-token
|
||||
- args:
|
||||
- destination
|
||||
- -addr=:8086
|
||||
|
@ -2238,6 +2250,13 @@ spec:
|
|||
secretName: linkerd-policy-validator-k8s-tls
|
||||
- emptyDir: {}
|
||||
name: linkerd-proxy-init-xtables-lock
|
||||
- name: linkerd-identity-token
|
||||
projected:
|
||||
sources:
|
||||
- serviceAccountToken:
|
||||
path: linkerd-identity-token
|
||||
expirationSeconds: 86400
|
||||
audience: identity.l5d.io
|
||||
- emptyDir:
|
||||
medium: Memory
|
||||
name: linkerd-identity-end-entity
|
||||
|
@ -2434,7 +2453,7 @@ spec:
|
|||
name: linkerd-identity-trust-roots
|
||||
key: ca-bundle.crt
|
||||
- name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE
|
||||
value: /var/run/secrets/kubernetes.io/serviceaccount/token
|
||||
value: /var/run/secrets/tokens/linkerd-identity-token
|
||||
- name: LINKERD2_PROXY_IDENTITY_SVC_ADDR
|
||||
value: linkerd-identity-headless.linkerd.svc.cluster.local.:8080
|
||||
- name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME
|
||||
|
@ -2482,6 +2501,8 @@ spec:
|
|||
volumeMounts:
|
||||
- mountPath: /var/run/linkerd/identity/end-entity
|
||||
name: linkerd-identity-end-entity
|
||||
- mountPath: /var/run/secrets/tokens
|
||||
name: linkerd-identity-token
|
||||
- args:
|
||||
- proxy-injector
|
||||
- -log-level=info
|
||||
|
@ -2569,6 +2590,13 @@ spec:
|
|||
secretName: linkerd-proxy-injector-k8s-tls
|
||||
- emptyDir: {}
|
||||
name: linkerd-proxy-init-xtables-lock
|
||||
- name: linkerd-identity-token
|
||||
projected:
|
||||
sources:
|
||||
- serviceAccountToken:
|
||||
path: linkerd-identity-token
|
||||
expirationSeconds: 86400
|
||||
audience: identity.l5d.io
|
||||
- emptyDir:
|
||||
medium: Memory
|
||||
name: linkerd-identity-end-entity
|
||||
|
|
|
@ -1201,6 +1201,7 @@ data:
|
|||
AiAtuoI5XuCtrGVRzSmRTl2ra28aV9MyTU7d5qnTAFHKSgIgRKCvluOSgA5O21p5
|
||||
51tdrmkHEZRr0qlLSJdHYgEfMzk=
|
||||
-----END CERTIFICATE-----
|
||||
serviceAccountTokenProjection: true
|
||||
identityProxyResources: null
|
||||
identityResources: null
|
||||
identityTrustAnchorsPEM: |
|
||||
|
@ -1564,7 +1565,7 @@ spec:
|
|||
name: linkerd-identity-trust-roots
|
||||
key: ca-bundle.crt
|
||||
- name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE
|
||||
value: /var/run/secrets/kubernetes.io/serviceaccount/token
|
||||
value: /var/run/secrets/tokens/linkerd-identity-token
|
||||
- name: LINKERD2_PROXY_IDENTITY_SVC_ADDR
|
||||
value: localhost.:8080
|
||||
- name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME
|
||||
|
@ -1602,6 +1603,8 @@ spec:
|
|||
volumeMounts:
|
||||
- mountPath: /var/run/linkerd/identity/end-entity
|
||||
name: linkerd-identity-end-entity
|
||||
- mountPath: /var/run/secrets/tokens
|
||||
name: linkerd-identity-token
|
||||
initContainers:
|
||||
- args:
|
||||
- --incoming-proxy-port
|
||||
|
@ -1648,6 +1651,13 @@ spec:
|
|||
name: trust-roots
|
||||
- emptyDir: {}
|
||||
name: linkerd-proxy-init-xtables-lock
|
||||
- name: linkerd-identity-token
|
||||
projected:
|
||||
sources:
|
||||
- serviceAccountToken:
|
||||
path: linkerd-identity-token
|
||||
expirationSeconds: 86400
|
||||
audience: identity.l5d.io
|
||||
- emptyDir:
|
||||
medium: Memory
|
||||
name: linkerd-identity-end-entity
|
||||
|
@ -1861,7 +1871,7 @@ spec:
|
|||
name: linkerd-identity-trust-roots
|
||||
key: ca-bundle.crt
|
||||
- name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE
|
||||
value: /var/run/secrets/kubernetes.io/serviceaccount/token
|
||||
value: /var/run/secrets/tokens/linkerd-identity-token
|
||||
- name: LINKERD2_PROXY_IDENTITY_SVC_ADDR
|
||||
value: linkerd-identity-headless.linkerd.svc.cluster.local.:8080
|
||||
- name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME
|
||||
|
@ -1904,6 +1914,8 @@ spec:
|
|||
volumeMounts:
|
||||
- mountPath: /var/run/linkerd/identity/end-entity
|
||||
name: linkerd-identity-end-entity
|
||||
- mountPath: /var/run/secrets/tokens
|
||||
name: linkerd-identity-token
|
||||
- args:
|
||||
- destination
|
||||
- -addr=:8086
|
||||
|
@ -2045,6 +2057,13 @@ spec:
|
|||
secretName: linkerd-policy-validator-k8s-tls
|
||||
- emptyDir: {}
|
||||
name: linkerd-proxy-init-xtables-lock
|
||||
- name: linkerd-identity-token
|
||||
projected:
|
||||
sources:
|
||||
- serviceAccountToken:
|
||||
path: linkerd-identity-token
|
||||
expirationSeconds: 86400
|
||||
audience: identity.l5d.io
|
||||
- emptyDir:
|
||||
medium: Memory
|
||||
name: linkerd-identity-end-entity
|
||||
|
@ -2163,7 +2182,7 @@ spec:
|
|||
name: linkerd-identity-trust-roots
|
||||
key: ca-bundle.crt
|
||||
- name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE
|
||||
value: /var/run/secrets/kubernetes.io/serviceaccount/token
|
||||
value: /var/run/secrets/tokens/linkerd-identity-token
|
||||
- name: LINKERD2_PROXY_IDENTITY_SVC_ADDR
|
||||
value: linkerd-identity-headless.linkerd.svc.cluster.local.:8080
|
||||
- name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME
|
||||
|
@ -2206,6 +2225,8 @@ spec:
|
|||
volumeMounts:
|
||||
- mountPath: /var/run/linkerd/identity/end-entity
|
||||
name: linkerd-identity-end-entity
|
||||
- mountPath: /var/run/secrets/tokens
|
||||
name: linkerd-identity-token
|
||||
- args:
|
||||
- proxy-injector
|
||||
- -log-level=info
|
||||
|
@ -2287,6 +2308,13 @@ spec:
|
|||
secretName: linkerd-proxy-injector-k8s-tls
|
||||
- emptyDir: {}
|
||||
name: linkerd-proxy-init-xtables-lock
|
||||
- name: linkerd-identity-token
|
||||
projected:
|
||||
sources:
|
||||
- serviceAccountToken:
|
||||
path: linkerd-identity-token
|
||||
expirationSeconds: 86400
|
||||
audience: identity.l5d.io
|
||||
- emptyDir:
|
||||
medium: Memory
|
||||
name: linkerd-identity-end-entity
|
||||
|
|
|
@ -1278,6 +1278,7 @@ data:
|
|||
scheme: linkerd.io/tls
|
||||
tls:
|
||||
crtPEM: test-crt-pem
|
||||
serviceAccountTokenProjection: true
|
||||
identityProxyResources: null
|
||||
identityResources: null
|
||||
identityTrustAnchorsPEM: test-trust-anchor
|
||||
|
@ -1624,7 +1625,7 @@ spec:
|
|||
name: linkerd-identity-trust-roots
|
||||
key: ca-bundle.crt
|
||||
- name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE
|
||||
value: /var/run/secrets/kubernetes.io/serviceaccount/token
|
||||
value: /var/run/secrets/tokens/linkerd-identity-token
|
||||
- name: LINKERD2_PROXY_IDENTITY_SVC_ADDR
|
||||
value: localhost.:8080
|
||||
- name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME
|
||||
|
@ -1662,6 +1663,8 @@ spec:
|
|||
volumeMounts:
|
||||
- mountPath: /var/run/linkerd/identity/end-entity
|
||||
name: linkerd-identity-end-entity
|
||||
- mountPath: /var/run/secrets/tokens
|
||||
name: linkerd-identity-token
|
||||
initContainers:
|
||||
- args:
|
||||
- --incoming-proxy-port
|
||||
|
@ -1708,6 +1711,13 @@ spec:
|
|||
name: trust-roots
|
||||
- emptyDir: {}
|
||||
name: linkerd-proxy-init-xtables-lock
|
||||
- name: linkerd-identity-token
|
||||
projected:
|
||||
sources:
|
||||
- serviceAccountToken:
|
||||
path: linkerd-identity-token
|
||||
expirationSeconds: 86400
|
||||
audience: identity.l5d.io
|
||||
- emptyDir:
|
||||
medium: Memory
|
||||
name: linkerd-identity-end-entity
|
||||
|
@ -1923,7 +1933,7 @@ spec:
|
|||
name: linkerd-identity-trust-roots
|
||||
key: ca-bundle.crt
|
||||
- name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE
|
||||
value: /var/run/secrets/kubernetes.io/serviceaccount/token
|
||||
value: /var/run/secrets/tokens/linkerd-identity-token
|
||||
- name: LINKERD2_PROXY_IDENTITY_SVC_ADDR
|
||||
value: linkerd-identity-headless.linkerd.svc.cluster.local.:8080
|
||||
- name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME
|
||||
|
@ -1966,6 +1976,8 @@ spec:
|
|||
volumeMounts:
|
||||
- mountPath: /var/run/linkerd/identity/end-entity
|
||||
name: linkerd-identity-end-entity
|
||||
- mountPath: /var/run/secrets/tokens
|
||||
name: linkerd-identity-token
|
||||
- args:
|
||||
- destination
|
||||
- -addr=:8086
|
||||
|
@ -2107,6 +2119,13 @@ spec:
|
|||
secretName: linkerd-policy-validator-k8s-tls
|
||||
- emptyDir: {}
|
||||
name: linkerd-proxy-init-xtables-lock
|
||||
- name: linkerd-identity-token
|
||||
projected:
|
||||
sources:
|
||||
- serviceAccountToken:
|
||||
path: linkerd-identity-token
|
||||
expirationSeconds: 86400
|
||||
audience: identity.l5d.io
|
||||
- emptyDir:
|
||||
medium: Memory
|
||||
name: linkerd-identity-end-entity
|
||||
|
@ -2278,7 +2297,7 @@ spec:
|
|||
name: linkerd-identity-trust-roots
|
||||
key: ca-bundle.crt
|
||||
- name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE
|
||||
value: /var/run/secrets/kubernetes.io/serviceaccount/token
|
||||
value: /var/run/secrets/tokens/linkerd-identity-token
|
||||
- name: LINKERD2_PROXY_IDENTITY_SVC_ADDR
|
||||
value: linkerd-identity-headless.linkerd.svc.cluster.local.:8080
|
||||
- name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME
|
||||
|
@ -2321,6 +2340,8 @@ spec:
|
|||
volumeMounts:
|
||||
- mountPath: /var/run/linkerd/identity/end-entity
|
||||
name: linkerd-identity-end-entity
|
||||
- mountPath: /var/run/secrets/tokens
|
||||
name: linkerd-identity-token
|
||||
- args:
|
||||
- proxy-injector
|
||||
- -log-level=info
|
||||
|
@ -2402,6 +2423,13 @@ spec:
|
|||
secretName: linkerd-proxy-injector-k8s-tls
|
||||
- emptyDir: {}
|
||||
name: linkerd-proxy-init-xtables-lock
|
||||
- name: linkerd-identity-token
|
||||
projected:
|
||||
sources:
|
||||
- serviceAccountToken:
|
||||
path: linkerd-identity-token
|
||||
expirationSeconds: 86400
|
||||
audience: identity.l5d.io
|
||||
- emptyDir:
|
||||
medium: Memory
|
||||
name: linkerd-identity-end-entity
|
||||
|
|
|
@ -1290,6 +1290,7 @@ data:
|
|||
scheme: linkerd.io/tls
|
||||
tls:
|
||||
crtPEM: test-crt-pem
|
||||
serviceAccountTokenProjection: true
|
||||
identityProxyResources: null
|
||||
identityResources:
|
||||
cpu:
|
||||
|
@ -1693,7 +1694,7 @@ spec:
|
|||
name: linkerd-identity-trust-roots
|
||||
key: ca-bundle.crt
|
||||
- name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE
|
||||
value: /var/run/secrets/kubernetes.io/serviceaccount/token
|
||||
value: /var/run/secrets/tokens/linkerd-identity-token
|
||||
- name: LINKERD2_PROXY_IDENTITY_SVC_ADDR
|
||||
value: localhost.:8080
|
||||
- name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME
|
||||
|
@ -1736,6 +1737,8 @@ spec:
|
|||
volumeMounts:
|
||||
- mountPath: /var/run/linkerd/identity/end-entity
|
||||
name: linkerd-identity-end-entity
|
||||
- mountPath: /var/run/secrets/tokens
|
||||
name: linkerd-identity-token
|
||||
initContainers:
|
||||
- args:
|
||||
- --incoming-proxy-port
|
||||
|
@ -1782,6 +1785,13 @@ spec:
|
|||
name: trust-roots
|
||||
- emptyDir: {}
|
||||
name: linkerd-proxy-init-xtables-lock
|
||||
- name: linkerd-identity-token
|
||||
projected:
|
||||
sources:
|
||||
- serviceAccountToken:
|
||||
path: linkerd-identity-token
|
||||
expirationSeconds: 86400
|
||||
audience: identity.l5d.io
|
||||
- emptyDir:
|
||||
medium: Memory
|
||||
name: linkerd-identity-end-entity
|
||||
|
@ -2036,7 +2046,7 @@ spec:
|
|||
name: linkerd-identity-trust-roots
|
||||
key: ca-bundle.crt
|
||||
- name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE
|
||||
value: /var/run/secrets/kubernetes.io/serviceaccount/token
|
||||
value: /var/run/secrets/tokens/linkerd-identity-token
|
||||
- name: LINKERD2_PROXY_IDENTITY_SVC_ADDR
|
||||
value: linkerd-identity-headless.linkerd.svc.cluster.local.:8080
|
||||
- name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME
|
||||
|
@ -2084,6 +2094,8 @@ spec:
|
|||
volumeMounts:
|
||||
- mountPath: /var/run/linkerd/identity/end-entity
|
||||
name: linkerd-identity-end-entity
|
||||
- mountPath: /var/run/secrets/tokens
|
||||
name: linkerd-identity-token
|
||||
- args:
|
||||
- destination
|
||||
- -addr=:8086
|
||||
|
@ -2231,6 +2243,13 @@ spec:
|
|||
secretName: linkerd-policy-validator-k8s-tls
|
||||
- emptyDir: {}
|
||||
name: linkerd-proxy-init-xtables-lock
|
||||
- name: linkerd-identity-token
|
||||
projected:
|
||||
sources:
|
||||
- serviceAccountToken:
|
||||
path: linkerd-identity-token
|
||||
expirationSeconds: 86400
|
||||
audience: identity.l5d.io
|
||||
- emptyDir:
|
||||
medium: Memory
|
||||
name: linkerd-identity-end-entity
|
||||
|
@ -2431,7 +2450,7 @@ spec:
|
|||
name: linkerd-identity-trust-roots
|
||||
key: ca-bundle.crt
|
||||
- name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE
|
||||
value: /var/run/secrets/kubernetes.io/serviceaccount/token
|
||||
value: /var/run/secrets/tokens/linkerd-identity-token
|
||||
- name: LINKERD2_PROXY_IDENTITY_SVC_ADDR
|
||||
value: linkerd-identity-headless.linkerd.svc.cluster.local.:8080
|
||||
- name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME
|
||||
|
@ -2479,6 +2498,8 @@ spec:
|
|||
volumeMounts:
|
||||
- mountPath: /var/run/linkerd/identity/end-entity
|
||||
name: linkerd-identity-end-entity
|
||||
- mountPath: /var/run/secrets/tokens
|
||||
name: linkerd-identity-token
|
||||
- args:
|
||||
- proxy-injector
|
||||
- -log-level=info
|
||||
|
@ -2566,6 +2587,13 @@ spec:
|
|||
secretName: linkerd-proxy-injector-k8s-tls
|
||||
- emptyDir: {}
|
||||
name: linkerd-proxy-init-xtables-lock
|
||||
- name: linkerd-identity-token
|
||||
projected:
|
||||
sources:
|
||||
- serviceAccountToken:
|
||||
path: linkerd-identity-token
|
||||
expirationSeconds: 86400
|
||||
audience: identity.l5d.io
|
||||
- emptyDir:
|
||||
medium: Memory
|
||||
name: linkerd-identity-end-entity
|
||||
|
|
|
@ -1290,6 +1290,7 @@ data:
|
|||
scheme: linkerd.io/tls
|
||||
tls:
|
||||
crtPEM: test-crt-pem
|
||||
serviceAccountTokenProjection: true
|
||||
identityProxyResources: null
|
||||
identityResources:
|
||||
cpu:
|
||||
|
@ -1701,7 +1702,7 @@ spec:
|
|||
name: linkerd-identity-trust-roots
|
||||
key: ca-bundle.crt
|
||||
- name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE
|
||||
value: /var/run/secrets/kubernetes.io/serviceaccount/token
|
||||
value: /var/run/secrets/tokens/linkerd-identity-token
|
||||
- name: LINKERD2_PROXY_IDENTITY_SVC_ADDR
|
||||
value: localhost.:8080
|
||||
- name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME
|
||||
|
@ -1744,6 +1745,8 @@ spec:
|
|||
volumeMounts:
|
||||
- mountPath: /var/run/linkerd/identity/end-entity
|
||||
name: linkerd-identity-end-entity
|
||||
- mountPath: /var/run/secrets/tokens
|
||||
name: linkerd-identity-token
|
||||
initContainers:
|
||||
- args:
|
||||
- --incoming-proxy-port
|
||||
|
@ -1790,6 +1793,13 @@ spec:
|
|||
name: trust-roots
|
||||
- emptyDir: {}
|
||||
name: linkerd-proxy-init-xtables-lock
|
||||
- name: linkerd-identity-token
|
||||
projected:
|
||||
sources:
|
||||
- serviceAccountToken:
|
||||
path: linkerd-identity-token
|
||||
expirationSeconds: 86400
|
||||
audience: identity.l5d.io
|
||||
- emptyDir:
|
||||
medium: Memory
|
||||
name: linkerd-identity-end-entity
|
||||
|
@ -2048,7 +2058,7 @@ spec:
|
|||
name: linkerd-identity-trust-roots
|
||||
key: ca-bundle.crt
|
||||
- name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE
|
||||
value: /var/run/secrets/kubernetes.io/serviceaccount/token
|
||||
value: /var/run/secrets/tokens/linkerd-identity-token
|
||||
- name: LINKERD2_PROXY_IDENTITY_SVC_ADDR
|
||||
value: linkerd-identity-headless.linkerd.svc.cluster.local.:8080
|
||||
- name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME
|
||||
|
@ -2096,6 +2106,8 @@ spec:
|
|||
volumeMounts:
|
||||
- mountPath: /var/run/linkerd/identity/end-entity
|
||||
name: linkerd-identity-end-entity
|
||||
- mountPath: /var/run/secrets/tokens
|
||||
name: linkerd-identity-token
|
||||
- args:
|
||||
- destination
|
||||
- -addr=:8086
|
||||
|
@ -2243,6 +2255,13 @@ spec:
|
|||
secretName: linkerd-policy-validator-k8s-tls
|
||||
- emptyDir: {}
|
||||
name: linkerd-proxy-init-xtables-lock
|
||||
- name: linkerd-identity-token
|
||||
projected:
|
||||
sources:
|
||||
- serviceAccountToken:
|
||||
path: linkerd-identity-token
|
||||
expirationSeconds: 86400
|
||||
audience: identity.l5d.io
|
||||
- emptyDir:
|
||||
medium: Memory
|
||||
name: linkerd-identity-end-entity
|
||||
|
@ -2451,7 +2470,7 @@ spec:
|
|||
name: linkerd-identity-trust-roots
|
||||
key: ca-bundle.crt
|
||||
- name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE
|
||||
value: /var/run/secrets/kubernetes.io/serviceaccount/token
|
||||
value: /var/run/secrets/tokens/linkerd-identity-token
|
||||
- name: LINKERD2_PROXY_IDENTITY_SVC_ADDR
|
||||
value: linkerd-identity-headless.linkerd.svc.cluster.local.:8080
|
||||
- name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME
|
||||
|
@ -2499,6 +2518,8 @@ spec:
|
|||
volumeMounts:
|
||||
- mountPath: /var/run/linkerd/identity/end-entity
|
||||
name: linkerd-identity-end-entity
|
||||
- mountPath: /var/run/secrets/tokens
|
||||
name: linkerd-identity-token
|
||||
- args:
|
||||
- proxy-injector
|
||||
- -log-level=info
|
||||
|
@ -2586,6 +2607,13 @@ spec:
|
|||
secretName: linkerd-proxy-injector-k8s-tls
|
||||
- emptyDir: {}
|
||||
name: linkerd-proxy-init-xtables-lock
|
||||
- name: linkerd-identity-token
|
||||
projected:
|
||||
sources:
|
||||
- serviceAccountToken:
|
||||
path: linkerd-identity-token
|
||||
expirationSeconds: 86400
|
||||
audience: identity.l5d.io
|
||||
- emptyDir:
|
||||
medium: Memory
|
||||
name: linkerd-identity-end-entity
|
||||
|
|
|
@ -1290,6 +1290,7 @@ data:
|
|||
scheme: linkerd.io/tls
|
||||
tls:
|
||||
crtPEM: test-crt-pem
|
||||
serviceAccountTokenProjection: true
|
||||
identityProxyResources: null
|
||||
identityResources:
|
||||
cpu:
|
||||
|
@ -1693,7 +1694,7 @@ spec:
|
|||
name: linkerd-identity-trust-roots
|
||||
key: ca-bundle.crt
|
||||
- name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE
|
||||
value: /var/run/secrets/kubernetes.io/serviceaccount/token
|
||||
value: /var/run/secrets/tokens/linkerd-identity-token
|
||||
- name: LINKERD2_PROXY_IDENTITY_SVC_ADDR
|
||||
value: localhost.:8080
|
||||
- name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME
|
||||
|
@ -1736,6 +1737,8 @@ spec:
|
|||
volumeMounts:
|
||||
- mountPath: /var/run/linkerd/identity/end-entity
|
||||
name: linkerd-identity-end-entity
|
||||
- mountPath: /var/run/secrets/tokens
|
||||
name: linkerd-identity-token
|
||||
initContainers:
|
||||
- args:
|
||||
- --incoming-proxy-port
|
||||
|
@ -1782,6 +1785,13 @@ spec:
|
|||
name: trust-roots
|
||||
- emptyDir: {}
|
||||
name: linkerd-proxy-init-xtables-lock
|
||||
- name: linkerd-identity-token
|
||||
projected:
|
||||
sources:
|
||||
- serviceAccountToken:
|
||||
path: linkerd-identity-token
|
||||
expirationSeconds: 86400
|
||||
audience: identity.l5d.io
|
||||
- emptyDir:
|
||||
medium: Memory
|
||||
name: linkerd-identity-end-entity
|
||||
|
@ -2036,7 +2046,7 @@ spec:
|
|||
name: linkerd-identity-trust-roots
|
||||
key: ca-bundle.crt
|
||||
- name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE
|
||||
value: /var/run/secrets/kubernetes.io/serviceaccount/token
|
||||
value: /var/run/secrets/tokens/linkerd-identity-token
|
||||
- name: LINKERD2_PROXY_IDENTITY_SVC_ADDR
|
||||
value: linkerd-identity-headless.linkerd.svc.cluster.local.:8080
|
||||
- name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME
|
||||
|
@ -2084,6 +2094,8 @@ spec:
|
|||
volumeMounts:
|
||||
- mountPath: /var/run/linkerd/identity/end-entity
|
||||
name: linkerd-identity-end-entity
|
||||
- mountPath: /var/run/secrets/tokens
|
||||
name: linkerd-identity-token
|
||||
- args:
|
||||
- destination
|
||||
- -addr=:8086
|
||||
|
@ -2231,6 +2243,13 @@ spec:
|
|||
secretName: linkerd-policy-validator-k8s-tls
|
||||
- emptyDir: {}
|
||||
name: linkerd-proxy-init-xtables-lock
|
||||
- name: linkerd-identity-token
|
||||
projected:
|
||||
sources:
|
||||
- serviceAccountToken:
|
||||
path: linkerd-identity-token
|
||||
expirationSeconds: 86400
|
||||
audience: identity.l5d.io
|
||||
- emptyDir:
|
||||
medium: Memory
|
||||
name: linkerd-identity-end-entity
|
||||
|
@ -2431,7 +2450,7 @@ spec:
|
|||
name: linkerd-identity-trust-roots
|
||||
key: ca-bundle.crt
|
||||
- name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE
|
||||
value: /var/run/secrets/kubernetes.io/serviceaccount/token
|
||||
value: /var/run/secrets/tokens/linkerd-identity-token
|
||||
- name: LINKERD2_PROXY_IDENTITY_SVC_ADDR
|
||||
value: linkerd-identity-headless.linkerd.svc.cluster.local.:8080
|
||||
- name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME
|
||||
|
@ -2479,6 +2498,8 @@ spec:
|
|||
volumeMounts:
|
||||
- mountPath: /var/run/linkerd/identity/end-entity
|
||||
name: linkerd-identity-end-entity
|
||||
- mountPath: /var/run/secrets/tokens
|
||||
name: linkerd-identity-token
|
||||
- args:
|
||||
- proxy-injector
|
||||
- -log-level=info
|
||||
|
@ -2566,6 +2587,13 @@ spec:
|
|||
secretName: linkerd-proxy-injector-k8s-tls
|
||||
- emptyDir: {}
|
||||
name: linkerd-proxy-init-xtables-lock
|
||||
- name: linkerd-identity-token
|
||||
projected:
|
||||
sources:
|
||||
- serviceAccountToken:
|
||||
path: linkerd-identity-token
|
||||
expirationSeconds: 86400
|
||||
audience: identity.l5d.io
|
||||
- emptyDir:
|
||||
medium: Memory
|
||||
name: linkerd-identity-end-entity
|
||||
|
|
|
@ -1270,6 +1270,7 @@ data:
|
|||
AiAtuoI5XuCtrGVRzSmRTl2ra28aV9MyTU7d5qnTAFHKSgIgRKCvluOSgA5O21p5
|
||||
51tdrmkHEZRr0qlLSJdHYgEfMzk=
|
||||
-----END CERTIFICATE-----
|
||||
serviceAccountTokenProjection: true
|
||||
identityProxyResources: null
|
||||
identityResources: null
|
||||
identityTrustAnchorsPEM: |
|
||||
|
@ -1633,7 +1634,7 @@ spec:
|
|||
name: linkerd-identity-trust-roots
|
||||
key: ca-bundle.crt
|
||||
- name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE
|
||||
value: /var/run/secrets/kubernetes.io/serviceaccount/token
|
||||
value: /var/run/secrets/tokens/linkerd-identity-token
|
||||
- name: LINKERD2_PROXY_IDENTITY_SVC_ADDR
|
||||
value: localhost.:8080
|
||||
- name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME
|
||||
|
@ -1671,6 +1672,8 @@ spec:
|
|||
volumeMounts:
|
||||
- mountPath: /var/run/linkerd/identity/end-entity
|
||||
name: linkerd-identity-end-entity
|
||||
- mountPath: /var/run/secrets/tokens
|
||||
name: linkerd-identity-token
|
||||
serviceAccountName: linkerd-identity
|
||||
volumes:
|
||||
- name: identity-issuer
|
||||
|
@ -1679,6 +1682,13 @@ spec:
|
|||
- configMap:
|
||||
name: linkerd-identity-trust-roots
|
||||
name: trust-roots
|
||||
- name: linkerd-identity-token
|
||||
projected:
|
||||
sources:
|
||||
- serviceAccountToken:
|
||||
path: linkerd-identity-token
|
||||
expirationSeconds: 86400
|
||||
audience: identity.l5d.io
|
||||
- emptyDir:
|
||||
medium: Memory
|
||||
name: linkerd-identity-end-entity
|
||||
|
@ -1892,7 +1902,7 @@ spec:
|
|||
name: linkerd-identity-trust-roots
|
||||
key: ca-bundle.crt
|
||||
- name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE
|
||||
value: /var/run/secrets/kubernetes.io/serviceaccount/token
|
||||
value: /var/run/secrets/tokens/linkerd-identity-token
|
||||
- name: LINKERD2_PROXY_IDENTITY_SVC_ADDR
|
||||
value: linkerd-identity-headless.linkerd.svc.cluster.local.:8080
|
||||
- name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME
|
||||
|
@ -1935,6 +1945,8 @@ spec:
|
|||
volumeMounts:
|
||||
- mountPath: /var/run/linkerd/identity/end-entity
|
||||
name: linkerd-identity-end-entity
|
||||
- mountPath: /var/run/secrets/tokens
|
||||
name: linkerd-identity-token
|
||||
- args:
|
||||
- destination
|
||||
- -addr=:8086
|
||||
|
@ -2038,6 +2050,13 @@ spec:
|
|||
- name: policy-tls
|
||||
secret:
|
||||
secretName: linkerd-policy-validator-k8s-tls
|
||||
- name: linkerd-identity-token
|
||||
projected:
|
||||
sources:
|
||||
- serviceAccountToken:
|
||||
path: linkerd-identity-token
|
||||
expirationSeconds: 86400
|
||||
audience: identity.l5d.io
|
||||
- emptyDir:
|
||||
medium: Memory
|
||||
name: linkerd-identity-end-entity
|
||||
|
@ -2205,7 +2224,7 @@ spec:
|
|||
name: linkerd-identity-trust-roots
|
||||
key: ca-bundle.crt
|
||||
- name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE
|
||||
value: /var/run/secrets/kubernetes.io/serviceaccount/token
|
||||
value: /var/run/secrets/tokens/linkerd-identity-token
|
||||
- name: LINKERD2_PROXY_IDENTITY_SVC_ADDR
|
||||
value: linkerd-identity-headless.linkerd.svc.cluster.local.:8080
|
||||
- name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME
|
||||
|
@ -2248,6 +2267,8 @@ spec:
|
|||
volumeMounts:
|
||||
- mountPath: /var/run/linkerd/identity/end-entity
|
||||
name: linkerd-identity-end-entity
|
||||
- mountPath: /var/run/secrets/tokens
|
||||
name: linkerd-identity-token
|
||||
- args:
|
||||
- proxy-injector
|
||||
- -log-level=info
|
||||
|
@ -2291,6 +2312,13 @@ spec:
|
|||
- name: tls
|
||||
secret:
|
||||
secretName: linkerd-proxy-injector-k8s-tls
|
||||
- name: linkerd-identity-token
|
||||
projected:
|
||||
sources:
|
||||
- serviceAccountToken:
|
||||
path: linkerd-identity-token
|
||||
expirationSeconds: 86400
|
||||
audience: identity.l5d.io
|
||||
- emptyDir:
|
||||
medium: Memory
|
||||
name: linkerd-identity-end-entity
|
||||
|
|
|
@ -1270,6 +1270,7 @@ data:
|
|||
AiAtuoI5XuCtrGVRzSmRTl2ra28aV9MyTU7d5qnTAFHKSgIgRKCvluOSgA5O21p5
|
||||
51tdrmkHEZRr0qlLSJdHYgEfMzk=
|
||||
-----END CERTIFICATE-----
|
||||
serviceAccountTokenProjection: true
|
||||
identityProxyResources: null
|
||||
identityResources: null
|
||||
identityTrustAnchorsPEM: |
|
||||
|
@ -1629,7 +1630,7 @@ spec:
|
|||
name: linkerd-identity-trust-roots
|
||||
key: ca-bundle.crt
|
||||
- name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE
|
||||
value: /var/run/secrets/kubernetes.io/serviceaccount/token
|
||||
value: /var/run/secrets/tokens/linkerd-identity-token
|
||||
- name: LINKERD2_PROXY_IDENTITY_SVC_ADDR
|
||||
value: localhost.:8080
|
||||
- name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME
|
||||
|
@ -1673,6 +1674,8 @@ spec:
|
|||
volumeMounts:
|
||||
- mountPath: /var/run/linkerd/identity/end-entity
|
||||
name: linkerd-identity-end-entity
|
||||
- mountPath: /var/run/secrets/tokens
|
||||
name: linkerd-identity-token
|
||||
initContainers:
|
||||
- args:
|
||||
- --incoming-proxy-port
|
||||
|
@ -1720,6 +1723,13 @@ spec:
|
|||
name: trust-roots
|
||||
- emptyDir: {}
|
||||
name: linkerd-proxy-init-xtables-lock
|
||||
- name: linkerd-identity-token
|
||||
projected:
|
||||
sources:
|
||||
- serviceAccountToken:
|
||||
path: linkerd-identity-token
|
||||
expirationSeconds: 86400
|
||||
audience: identity.l5d.io
|
||||
- emptyDir:
|
||||
medium: Memory
|
||||
name: linkerd-identity-end-entity
|
||||
|
@ -1929,7 +1939,7 @@ spec:
|
|||
name: linkerd-identity-trust-roots
|
||||
key: ca-bundle.crt
|
||||
- name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE
|
||||
value: /var/run/secrets/kubernetes.io/serviceaccount/token
|
||||
value: /var/run/secrets/tokens/linkerd-identity-token
|
||||
- name: LINKERD2_PROXY_IDENTITY_SVC_ADDR
|
||||
value: linkerd-identity-headless.linkerd.svc.cluster.local.:8080
|
||||
- name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME
|
||||
|
@ -1978,6 +1988,8 @@ spec:
|
|||
volumeMounts:
|
||||
- mountPath: /var/run/linkerd/identity/end-entity
|
||||
name: linkerd-identity-end-entity
|
||||
- mountPath: /var/run/secrets/tokens
|
||||
name: linkerd-identity-token
|
||||
- args:
|
||||
- destination
|
||||
- -addr=:8086
|
||||
|
@ -2126,6 +2138,13 @@ spec:
|
|||
secretName: linkerd-policy-validator-k8s-tls
|
||||
- emptyDir: {}
|
||||
name: linkerd-proxy-init-xtables-lock
|
||||
- name: linkerd-identity-token
|
||||
projected:
|
||||
sources:
|
||||
- serviceAccountToken:
|
||||
path: linkerd-identity-token
|
||||
expirationSeconds: 86400
|
||||
audience: identity.l5d.io
|
||||
- emptyDir:
|
||||
medium: Memory
|
||||
name: linkerd-identity-end-entity
|
||||
|
@ -2290,7 +2309,7 @@ spec:
|
|||
name: linkerd-identity-trust-roots
|
||||
key: ca-bundle.crt
|
||||
- name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE
|
||||
value: /var/run/secrets/kubernetes.io/serviceaccount/token
|
||||
value: /var/run/secrets/tokens/linkerd-identity-token
|
||||
- name: LINKERD2_PROXY_IDENTITY_SVC_ADDR
|
||||
value: linkerd-identity-headless.linkerd.svc.cluster.local.:8080
|
||||
- name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME
|
||||
|
@ -2339,6 +2358,8 @@ spec:
|
|||
volumeMounts:
|
||||
- mountPath: /var/run/linkerd/identity/end-entity
|
||||
name: linkerd-identity-end-entity
|
||||
- mountPath: /var/run/secrets/tokens
|
||||
name: linkerd-identity-token
|
||||
- args:
|
||||
- proxy-injector
|
||||
- -log-level=ControllerLogLevel
|
||||
|
@ -2421,6 +2442,13 @@ spec:
|
|||
secretName: linkerd-proxy-injector-k8s-tls
|
||||
- emptyDir: {}
|
||||
name: linkerd-proxy-init-xtables-lock
|
||||
- name: linkerd-identity-token
|
||||
projected:
|
||||
sources:
|
||||
- serviceAccountToken:
|
||||
path: linkerd-identity-token
|
||||
expirationSeconds: 86400
|
||||
audience: identity.l5d.io
|
||||
- emptyDir:
|
||||
medium: Memory
|
||||
name: linkerd-identity-end-entity
|
||||
|
|
|
@ -1270,6 +1270,7 @@ data:
|
|||
AiAtuoI5XuCtrGVRzSmRTl2ra28aV9MyTU7d5qnTAFHKSgIgRKCvluOSgA5O21p5
|
||||
51tdrmkHEZRr0qlLSJdHYgEfMzk=
|
||||
-----END CERTIFICATE-----
|
||||
serviceAccountTokenProjection: true
|
||||
identityProxyResources: null
|
||||
identityResources: null
|
||||
identityTrustAnchorsPEM: |
|
||||
|
@ -1633,7 +1634,7 @@ spec:
|
|||
name: linkerd-identity-trust-roots
|
||||
key: ca-bundle.crt
|
||||
- name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE
|
||||
value: /var/run/secrets/kubernetes.io/serviceaccount/token
|
||||
value: /var/run/secrets/tokens/linkerd-identity-token
|
||||
- name: LINKERD2_PROXY_IDENTITY_SVC_ADDR
|
||||
value: localhost.:8080
|
||||
- name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME
|
||||
|
@ -1671,6 +1672,8 @@ spec:
|
|||
volumeMounts:
|
||||
- mountPath: /var/run/linkerd/identity/end-entity
|
||||
name: linkerd-identity-end-entity
|
||||
- mountPath: /var/run/secrets/tokens
|
||||
name: linkerd-identity-token
|
||||
initContainers:
|
||||
- args:
|
||||
- --incoming-proxy-port
|
||||
|
@ -1717,6 +1720,13 @@ spec:
|
|||
name: trust-roots
|
||||
- emptyDir: {}
|
||||
name: linkerd-proxy-init-xtables-lock
|
||||
- name: linkerd-identity-token
|
||||
projected:
|
||||
sources:
|
||||
- serviceAccountToken:
|
||||
path: linkerd-identity-token
|
||||
expirationSeconds: 86400
|
||||
audience: identity.l5d.io
|
||||
- emptyDir:
|
||||
medium: Memory
|
||||
name: linkerd-identity-end-entity
|
||||
|
@ -1930,7 +1940,7 @@ spec:
|
|||
name: linkerd-identity-trust-roots
|
||||
key: ca-bundle.crt
|
||||
- name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE
|
||||
value: /var/run/secrets/kubernetes.io/serviceaccount/token
|
||||
value: /var/run/secrets/tokens/linkerd-identity-token
|
||||
- name: LINKERD2_PROXY_IDENTITY_SVC_ADDR
|
||||
value: linkerd-identity-headless.linkerd.svc.cluster.local.:8080
|
||||
- name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME
|
||||
|
@ -1973,6 +1983,8 @@ spec:
|
|||
volumeMounts:
|
||||
- mountPath: /var/run/linkerd/identity/end-entity
|
||||
name: linkerd-identity-end-entity
|
||||
- mountPath: /var/run/secrets/tokens
|
||||
name: linkerd-identity-token
|
||||
- args:
|
||||
- destination
|
||||
- -addr=:8086
|
||||
|
@ -2114,6 +2126,13 @@ spec:
|
|||
secretName: linkerd-policy-validator-k8s-tls
|
||||
- emptyDir: {}
|
||||
name: linkerd-proxy-init-xtables-lock
|
||||
- name: linkerd-identity-token
|
||||
projected:
|
||||
sources:
|
||||
- serviceAccountToken:
|
||||
path: linkerd-identity-token
|
||||
expirationSeconds: 86400
|
||||
audience: identity.l5d.io
|
||||
- emptyDir:
|
||||
medium: Memory
|
||||
name: linkerd-identity-end-entity
|
||||
|
@ -2281,7 +2300,7 @@ spec:
|
|||
name: linkerd-identity-trust-roots
|
||||
key: ca-bundle.crt
|
||||
- name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE
|
||||
value: /var/run/secrets/kubernetes.io/serviceaccount/token
|
||||
value: /var/run/secrets/tokens/linkerd-identity-token
|
||||
- name: LINKERD2_PROXY_IDENTITY_SVC_ADDR
|
||||
value: linkerd-identity-headless.linkerd.svc.cluster.local.:8080
|
||||
- name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME
|
||||
|
@ -2324,6 +2343,8 @@ spec:
|
|||
volumeMounts:
|
||||
- mountPath: /var/run/linkerd/identity/end-entity
|
||||
name: linkerd-identity-end-entity
|
||||
- mountPath: /var/run/secrets/tokens
|
||||
name: linkerd-identity-token
|
||||
- args:
|
||||
- proxy-injector
|
||||
- -log-level=info
|
||||
|
@ -2405,6 +2426,13 @@ spec:
|
|||
secretName: linkerd-proxy-injector-k8s-tls
|
||||
- emptyDir: {}
|
||||
name: linkerd-proxy-init-xtables-lock
|
||||
- name: linkerd-identity-token
|
||||
projected:
|
||||
sources:
|
||||
- serviceAccountToken:
|
||||
path: linkerd-identity-token
|
||||
expirationSeconds: 86400
|
||||
audience: identity.l5d.io
|
||||
- emptyDir:
|
||||
medium: Memory
|
||||
name: linkerd-identity-end-entity
|
||||
|
|
|
@ -1256,6 +1256,7 @@ data:
|
|||
AiAtuoI5XuCtrGVRzSmRTl2ra28aV9MyTU7d5qnTAFHKSgIgRKCvluOSgA5O21p5
|
||||
51tdrmkHEZRr0qlLSJdHYgEfMzk=
|
||||
-----END CERTIFICATE-----
|
||||
serviceAccountTokenProjection: true
|
||||
identityProxyResources: null
|
||||
identityResources: null
|
||||
identityTrustAnchorsPEM: |
|
||||
|
@ -1619,7 +1620,7 @@ spec:
|
|||
name: linkerd-identity-trust-roots
|
||||
key: ca-bundle.crt
|
||||
- name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE
|
||||
value: /var/run/secrets/kubernetes.io/serviceaccount/token
|
||||
value: /var/run/secrets/tokens/linkerd-identity-token
|
||||
- name: LINKERD2_PROXY_IDENTITY_SVC_ADDR
|
||||
value: localhost.:8080
|
||||
- name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME
|
||||
|
@ -1657,6 +1658,8 @@ spec:
|
|||
volumeMounts:
|
||||
- mountPath: /var/run/linkerd/identity/end-entity
|
||||
name: linkerd-identity-end-entity
|
||||
- mountPath: /var/run/secrets/tokens
|
||||
name: linkerd-identity-token
|
||||
initContainers:
|
||||
- args:
|
||||
- --incoming-proxy-port
|
||||
|
@ -1703,6 +1706,13 @@ spec:
|
|||
name: trust-roots
|
||||
- emptyDir: {}
|
||||
name: linkerd-proxy-init-xtables-lock
|
||||
- name: linkerd-identity-token
|
||||
projected:
|
||||
sources:
|
||||
- serviceAccountToken:
|
||||
path: linkerd-identity-token
|
||||
expirationSeconds: 86400
|
||||
audience: identity.l5d.io
|
||||
- emptyDir:
|
||||
medium: Memory
|
||||
name: linkerd-identity-end-entity
|
||||
|
@ -1916,7 +1926,7 @@ spec:
|
|||
name: linkerd-identity-trust-roots
|
||||
key: ca-bundle.crt
|
||||
- name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE
|
||||
value: /var/run/secrets/kubernetes.io/serviceaccount/token
|
||||
value: /var/run/secrets/tokens/linkerd-identity-token
|
||||
- name: LINKERD2_PROXY_IDENTITY_SVC_ADDR
|
||||
value: linkerd-identity-headless.l5d.svc.example.com.:8080
|
||||
- name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME
|
||||
|
@ -1959,6 +1969,8 @@ spec:
|
|||
volumeMounts:
|
||||
- mountPath: /var/run/linkerd/identity/end-entity
|
||||
name: linkerd-identity-end-entity
|
||||
- mountPath: /var/run/secrets/tokens
|
||||
name: linkerd-identity-token
|
||||
- args:
|
||||
- destination
|
||||
- -addr=:8086
|
||||
|
@ -2100,6 +2112,13 @@ spec:
|
|||
secretName: linkerd-policy-validator-k8s-tls
|
||||
- emptyDir: {}
|
||||
name: linkerd-proxy-init-xtables-lock
|
||||
- name: linkerd-identity-token
|
||||
projected:
|
||||
sources:
|
||||
- serviceAccountToken:
|
||||
path: linkerd-identity-token
|
||||
expirationSeconds: 86400
|
||||
audience: identity.l5d.io
|
||||
- emptyDir:
|
||||
medium: Memory
|
||||
name: linkerd-identity-end-entity
|
||||
|
@ -2267,7 +2286,7 @@ spec:
|
|||
name: linkerd-identity-trust-roots
|
||||
key: ca-bundle.crt
|
||||
- name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE
|
||||
value: /var/run/secrets/kubernetes.io/serviceaccount/token
|
||||
value: /var/run/secrets/tokens/linkerd-identity-token
|
||||
- name: LINKERD2_PROXY_IDENTITY_SVC_ADDR
|
||||
value: linkerd-identity-headless.l5d.svc.example.com.:8080
|
||||
- name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME
|
||||
|
@ -2310,6 +2329,8 @@ spec:
|
|||
volumeMounts:
|
||||
- mountPath: /var/run/linkerd/identity/end-entity
|
||||
name: linkerd-identity-end-entity
|
||||
- mountPath: /var/run/secrets/tokens
|
||||
name: linkerd-identity-token
|
||||
- args:
|
||||
- proxy-injector
|
||||
- -log-level=info
|
||||
|
@ -2391,6 +2412,13 @@ spec:
|
|||
secretName: linkerd-proxy-injector-k8s-tls
|
||||
- emptyDir: {}
|
||||
name: linkerd-proxy-init-xtables-lock
|
||||
- name: linkerd-identity-token
|
||||
projected:
|
||||
sources:
|
||||
- serviceAccountToken:
|
||||
path: linkerd-identity-token
|
||||
expirationSeconds: 86400
|
||||
audience: identity.l5d.io
|
||||
- emptyDir:
|
||||
medium: Memory
|
||||
name: linkerd-identity-end-entity
|
||||
|
|
|
@ -6,6 +6,7 @@ import (
|
|||
"strings"
|
||||
|
||||
"github.com/linkerd/linkerd2/pkg/identity"
|
||||
log "github.com/sirupsen/logrus"
|
||||
kauthnApi "k8s.io/api/authentication/v1"
|
||||
kauthzApi "k8s.io/api/authorization/v1"
|
||||
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
||||
|
@ -15,6 +16,12 @@ import (
|
|||
kauthz "k8s.io/client-go/kubernetes/typed/authorization/v1"
|
||||
)
|
||||
|
||||
const (
|
||||
// LinkerdAudienceKey is the audience key used for the Linkerd token creation
|
||||
// and review requests.
|
||||
LinkerdAudienceKey = "identity.l5d.io"
|
||||
)
|
||||
|
||||
// K8sTokenValidator implements Validator for Kubernetes bearer tokens.
|
||||
type K8sTokenValidator struct {
|
||||
authn kauthn.AuthenticationV1Interface
|
||||
|
@ -42,16 +49,28 @@ func NewK8sTokenValidator(
|
|||
|
||||
// Validate accepts kubernetes bearer tokens and returns a DNS-form linkerd ID.
|
||||
func (k *K8sTokenValidator) Validate(ctx context.Context, tok []byte) (string, error) {
|
||||
// TODO: Set/check `audience`
|
||||
tr := kauthnApi.TokenReview{Spec: kauthnApi.TokenReviewSpec{Token: string(tok)}}
|
||||
tr := kauthnApi.TokenReview{Spec: kauthnApi.TokenReviewSpec{Token: string(tok), Audiences: []string{LinkerdAudienceKey}}}
|
||||
rvw, err := k.authn.TokenReviews().Create(ctx, &tr, metav1.CreateOptions{})
|
||||
if err != nil {
|
||||
return "", err
|
||||
}
|
||||
|
||||
if rvw.Status.Error != "" {
|
||||
return "", identity.InvalidToken{Reason: rvw.Status.Error}
|
||||
if strings.Contains(rvw.Status.Error, "token audiences") {
|
||||
// Fallback to the default service account token validation if the error is realted to audiences
|
||||
log.Debugf("TokenReview with audiences Failed. Falling back to the default")
|
||||
tr = kauthnApi.TokenReview{Spec: kauthnApi.TokenReviewSpec{Token: string(tok), Audiences: []string{}}}
|
||||
rvw, err = k.authn.TokenReviews().Create(ctx, &tr, metav1.CreateOptions{})
|
||||
if err != nil {
|
||||
return "", err
|
||||
}
|
||||
}
|
||||
|
||||
if rvw.Status.Error != "" {
|
||||
return "", identity.InvalidToken{Reason: rvw.Status.Error}
|
||||
}
|
||||
}
|
||||
|
||||
if !rvw.Status.Authenticated {
|
||||
return "", identity.NotAuthenticated{}
|
||||
}
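Review bot: The retry in `Validate` with `Audiences: []string{}` means a token issued for the API server's default audience still passes review, so the `identity.l5d.io` binding is accepted but not required, and a pod's ordinary service-account token remains sufficient to obtain an identity. If this is kept for pods injected before the upgrade, it should be an explicit, switchable mode rather than one triggered by `strings.Contains(rvw.Status.Error, "token audiences")`, which depends on the API server's error wording. The fallback is also logged only at debug level; `log.Warnf("TokenReview for audience %s failed, falling back to the default audience", LinkerdAudienceKey)` would let operators see which workloads still rely on legacy tokens. On the non-fallback path, the Kubernetes TokenReview documentation asks clients that set `spec.audiences` to confirm the audience is returned in `rvw.Status.Audiences`. The rest of `Validate` is outside the hunk, so that check may already exist further down.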
|
||||
|
|
|
@ -183,7 +183,8 @@ type (
|
|||
// Identity contains the fields to set the identity variables in the proxy
|
||||
// sidecar container
|
||||
Identity struct {
|
||||
Issuer *Issuer `json:"issuer"`
|
||||
ServiceAccountTokenProjection bool `json:"serviceAccountTokenProjection"`
|
||||
Issuer *Issuer `json:"issuer"`
|
||||
}
|
||||
|
||||
// Issuer has the Helm variables of the identity issuer
|
||||
|
|
|
@ -124,6 +124,7 @@ func TestNewValues(t *testing.T) {
|
|||
},
|
||||
},
|
||||
Identity: &Identity{
|
||||
ServiceAccountTokenProjection: true,
|
||||
Issuer: &Issuer{
|
||||
ClockSkewAllowance: "20s",
|
||||
IssuanceLifetime: "24h0m0s",
|
||||
|
|
|
@ -34,7 +34,7 @@ var (
|
|||
injectDisableAnnotationPresent: fmt.Sprintf("pod has the annotation \"%s:%s\"", k8s.ProxyInjectAnnotation, k8s.ProxyInjectDisabled),
|
||||
invalidInjectAnnotationWorkload: fmt.Sprintf("invalid value for annotation \"%s\" at workload", k8s.ProxyInjectAnnotation),
|
||||
invalidInjectAnnotationNamespace: fmt.Sprintf("invalid value for annotation \"%s\" at namespace", k8s.ProxyInjectAnnotation),
|
||||
disabledAutomountServiceAccountToken: "automountServiceAccountToken set to \"false\"",
|
||||
disabledAutomountServiceAccountToken: "automountServiceAccountToken set to \"false\", with Values.identity.serviceAccountTokenProjection set to \"false\"",
|
||||
udpPortsEnabled: "UDP port(s) configured on pod spec",
|
||||
}
|
||||
)
|
||||
|
@ -90,12 +90,16 @@ func newReport(conf *ResourceConfig) *Report {
|
|||
report.HostNetwork = conf.pod.spec.HostNetwork
|
||||
report.Sidecar = healthcheck.HasExistingSidecars(conf.pod.spec)
|
||||
report.UDP = checkUDPPorts(conf.pod.spec)
|
||||
if conf.pod.spec.AutomountServiceAccountToken != nil {
|
||||
if conf.pod.spec.AutomountServiceAccountToken != nil &&
|
||||
(conf.values != nil && !conf.values.Identity.ServiceAccountTokenProjection) {
|
||||
report.AutomountServiceAccountToken = *conf.pod.spec.AutomountServiceAccountToken
|
||||
}
|
||||
if conf.origin == OriginWebhook {
|
||||
if vm := conf.serviceAccountVolumeMount(); vm == nil {
|
||||
report.AutomountServiceAccountToken = false
|
||||
// set to false only if it is not using the new linkerd-token volume projection
|
||||
if conf.values != nil && !conf.values.Identity.ServiceAccountTokenProjection {
|
||||
report.AutomountServiceAccountToken = false
|
||||
}
|
||||
}
|
||||
}
|
||||
} else {
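Review bot: Both new conditions in `newReport` read `conf.values.Identity.ServiceAccountTokenProjection` after checking only `conf.values != nil`. The test fixture in this commit builds `Identity: &Identity{...}`, which suggests `Identity` is a pointer, so a values object without an identity section would panic here. The guard could be computed once and reused in both places: `tokenProjection := conf.values != nil && conf.values.Identity != nil && conf.values.Identity.ServiceAccountTokenProjection`. When `conf.values` is nil the automount checks are now skipped altogether, which looks unintended because a nil values object cannot have projection enabled; testing `!tokenProjection` would keep the previous behaviour in that case. `newReport` starts and ends outside this hunk.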
|
||||
|
|
|
@ -243,16 +243,6 @@ func TestInjectable(t *testing.T) {
|
|||
injectable: false,
|
||||
reasons: []string{hostNetworkEnabled, sidecarExists, injectEnableAnnotationAbsent},
|
||||
},
|
||||
{
|
||||
podSpec: &corev1.PodSpec{},
|
||||
podMeta: &metav1.ObjectMeta{
|
||||
Annotations: map[string]string{
|
||||
k8s.ProxyInjectAnnotation: k8s.ProxyInjectEnabled,
|
||||
},
|
||||
},
|
||||
injectable: false,
|
||||
reasons: []string{disabledAutomountServiceAccountToken},
|
||||
},
|
||||
}
|
||||
|
||||
for i, testCase := range testCases {
|
||||
|
|
|
@ -56,7 +56,7 @@ func (conf *ResourceConfig) uninjectPodSpec(report *Report) {
|
|||
|
||||
volumes := []v1.Volume{}
|
||||
for _, volume := range t.Volumes {
|
||||
if volume.Name != k8s.IdentityEndEntityVolumeName && volume.Name != k8s.InitXtablesLockVolumeMountName {
|
||||
if volume.Name != k8s.IdentityEndEntityVolumeName && volume.Name != k8s.InitXtablesLockVolumeMountName && volume.Name != k8s.LinkerdTokenVolumeMountName {
|
||||
volumes = append(volumes, volume)
|
||||
}
|
||||
}
|
||||
|
|
|
@ -293,6 +293,10 @@ const (
|
|||
// to handle iptables-legacy
|
||||
InitXtablesLockVolumeMountName = "linkerd-proxy-init-xtables-lock"
|
||||
|
||||
// LinkerdTokenVolumeMountName is the name of the volumeMount used for
|
||||
// the serviceAccount token
|
||||
LinkerdTokenVolumeMountName = "linkerd-identity-token"
|
||||
|
||||
// ProxyContainerName is the name assigned to the injected proxy container.
|
||||
ProxyContainerName = "linkerd-proxy"
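Review bot: The doc comment on `LinkerdTokenVolumeMountName` does not say that this token is separate from the automounted service-account token, and the identifier says VolumeMount while `uninjectPodSpec` in this commit compares it with `volume.Name`. Going by the commit description, something like `// LinkerdTokenVolumeMountName is the name of the projected volume (and its mount) that holds the service account token issued for the Linkerd identity audience.` would be clearer. Whether the same string names both the volume and the mount is not visible here, so confirm that before adopting the wording. The const block starts and ends outside this hunk.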
|
||||
|
||||
|
|