Default policies for extensions (#6846)
Ref #6813 This adds the necessary Server and ServerAuthorization resources to the viz, multicluster and jaeger extensions, for them to properly work when using a default-deny policy (installing linkerd with `--set policyController.defaultAllowPolicy=deny`). This includes adding the policy for the admin servers (for k8s liveness and readiness probes) that require granting all unauthenticated access. When a component shares its main service port with its admin server port (e.g. Grafana and Prometheus), this means we can't properly lock down the main service access, unfortunately. Also note traffic coming from the kube-api (for the tap api-server and the webhooks (tap-injector, jaeger-injector)) also requires leaving those ports wide open. The multicluster gateway has a policy to only allow traffic into the `linkerd-proxy` port with a meshed identity. The source cluster also hits the gateway in the probe port, but the proxy's `linkerd-admin` port doesn't support policy at the moment. Other changes: - Added missing `containerPort` entry in jaeger's `tracing.yaml` template. - Added policy for smoke-test-terminus in the install integration tests, that'll serve for the default-deny integration test that'll follow up.
parent
5b5d1ff53f
commit
b13e7a5d34
|
|
@ -30,6 +30,7 @@ rm -f viz/charts/linkerd-viz/charts/*
|
|||
|
||||
"$bindir"/helm dep up "$rootdir"/multicluster/charts/linkerd-multicluster
|
||||
"$bindir"/helm lint "$rootdir"/multicluster/charts/linkerd-multicluster
|
||||
"$bindir"/helm dep up "$rootdir"/multicluster/charts/linkerd-multicluster-link
|
||||
"$bindir"/helm lint "$rootdir"/multicluster/charts/linkerd-multicluster-link
|
||||
"$bindir"/helm lint "$rootdir"/charts/partials
|
||||
"$bindir"/helm dep up "$rootdir"/charts/linkerd2-cni
|
||||
|
|
|
|||
|
|
@ -0,0 +1,56 @@
|
|||
---
|
||||
apiVersion: policy.linkerd.io/v1alpha1
|
||||
kind: Server
|
||||
metadata:
|
||||
namespace: {{.Values.namespace}}
|
||||
name: jaeger-injector-webhook
|
||||
labels:
|
||||
linkerd.io/extension: jaeger
|
||||
component: jaeger-injector
|
||||
annotations:
|
||||
{{ include "partials.annotations.created-by" . }}
|
||||
spec:
|
||||
podSelector:
|
||||
matchLabels:
|
||||
linkerd.io/extension: jaeger
|
||||
component: jaeger-injector
|
||||
port: jaeger-injector
|
||||
proxyProtocol: TLS
|
||||
---
|
||||
apiVersion: policy.linkerd.io/v1alpha1
|
||||
kind: Server
|
||||
metadata:
|
||||
namespace: {{.Values.namespace}}
|
||||
name: jaeger-injector-admin
|
||||
labels:
|
||||
linkerd.io/extension: jaeger
|
||||
component: jaeger-injector
|
||||
annotations:
|
||||
{{ include "partials.annotations.created-by" . }}
|
||||
spec:
|
||||
podSelector:
|
||||
matchLabels:
|
||||
linkerd.io/extension: jaeger
|
||||
component: jaeger-injector
|
||||
port: admin-http
|
||||
proxyProtocol: HTTP/1
|
||||
---
|
||||
apiVersion: policy.linkerd.io/v1alpha1
|
||||
kind: ServerAuthorization
|
||||
metadata:
|
||||
namespace: {{.Values.namespace}}
|
||||
name: jaeger-injector
|
||||
labels:
|
||||
linkerd.io/extension: jaeger
|
||||
component: jaeger-injector
|
||||
annotations:
|
||||
{{ include "partials.annotations.created-by" . }}
|
||||
spec:
|
||||
server:
|
||||
selector:
|
||||
matchLabels:
|
||||
linkerd.io/extension: jaeger
|
||||
component: jaeger-injector
|
||||
client:
|
||||
# traffic coming from the kubelet and from kube-api
|
||||
unauthenticated: true
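Review bot: The `jaeger-injector` ServerAuthorization binds to its Servers by label selector rather than by name, so the `unauthenticated: true` grant covers both `jaeger-injector-webhook` and `jaeger-injector-admin`, and would also cover any Server later given the same `linkerd.io/extension: jaeger` / `component: jaeger-injector` labels. Since this is the widest grant in the file, I would either split it into two authorizations that use `server: name:` (as the proxy-admin policy does) or make the comment say so, e.g. `# applies to every Server labelled component: jaeger-injector; callers are the kubelet (admin-http) and kube-api (webhook), neither of which is meshed`. Whether `client.networks` can be narrowed here depends on the cluster's node and API-server addresses, which the chart cannot know, so that is probably best left as a documented operator override.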
|
||||
|
|
@ -0,0 +1,33 @@
|
|||
---
|
||||
apiVersion: policy.linkerd.io/v1alpha1
|
||||
kind: Server
|
||||
metadata:
|
||||
namespace: {{.Values.namespace}}
|
||||
name: proxy-admin
|
||||
labels:
|
||||
linkerd.io/extension: jaeger
|
||||
annotations:
|
||||
{{ include "partials.annotations.created-by" . }}
|
||||
spec:
|
||||
podSelector:
|
||||
matchLabels:
|
||||
linkerd.io/extension: jaeger
|
||||
port: linkerd-admin
|
||||
proxyProtocol: HTTP/1
|
||||
---
|
||||
apiVersion: policy.linkerd.io/v1alpha1
|
||||
kind: ServerAuthorization
|
||||
metadata:
|
||||
namespace: {{.Values.namespace}}
|
||||
name: proxy-admin
|
||||
labels:
|
||||
linkerd.io/extension: jaeger
|
||||
annotations:
|
||||
{{ include "partials.annotations.created-by" . }}
|
||||
spec:
|
||||
server:
|
||||
name: proxy-admin
|
||||
client:
|
||||
# for kubelet probes
|
||||
unauthenticated: true
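Review bot: The comment `# for kubelet probes` understates what this authorization admits: `unauthenticated: true` with no `networks` restriction on the `linkerd-admin` port lets any client that can reach a matching pod through to the whole admin listener, not only the probe paths. The Server here is keyed on a port, so the grant cannot be limited to the probe endpoints; the comment should say that, e.g. `# kubelet probes are unauthenticated; this opens the entire linkerd-admin port, since the policy is per-port`. The podSelector also matches every pod in the namespace carrying `linkerd.io/extension: jaeger`, so it is worth confirming that is the intended set.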
|
||||
|
||||
|
|
@ -0,0 +1,232 @@
|
|||
{{ if .Values.collector.enabled -}}
|
||||
---
|
||||
apiVersion: policy.linkerd.io/v1alpha1
|
||||
kind: Server
|
||||
metadata:
|
||||
namespace: {{.Values.namespace}}
|
||||
name: collector-otlp
|
||||
labels:
|
||||
linkerd.io/extension: jaeger
|
||||
component: collector
|
||||
annotations:
|
||||
{{ include "partials.annotations.created-by" . }}
|
||||
spec:
|
||||
podSelector:
|
||||
matchLabels:
|
||||
component: collector
|
||||
port: 4317
|
||||
proxyProtocol: gRPC
|
||||
---
|
||||
apiVersion: policy.linkerd.io/v1alpha1
|
||||
kind: Server
|
||||
metadata:
|
||||
namespace: {{.Values.namespace}}
|
||||
name: collector-opencensus
|
||||
labels:
|
||||
linkerd.io/extension: jaeger
|
||||
component: collector
|
||||
annotations:
|
||||
{{ include "partials.annotations.created-by" . }}
|
||||
spec:
|
||||
podSelector:
|
||||
matchLabels:
|
||||
component: collector
|
||||
port: 55678
|
||||
proxyProtocol: gRPC
|
||||
---
|
||||
apiVersion: policy.linkerd.io/v1alpha1
|
||||
kind: Server
|
||||
metadata:
|
||||
namespace: {{.Values.namespace}}
|
||||
name: collector-zipkin
|
||||
labels:
|
||||
linkerd.io/extension: jaeger
|
||||
component: collector
|
||||
annotations:
|
||||
{{ include "partials.annotations.created-by" . }}
|
||||
spec:
|
||||
podSelector:
|
||||
matchLabels:
|
||||
component: collector
|
||||
port: 9411
|
||||
---
|
||||
apiVersion: policy.linkerd.io/v1alpha1
|
||||
kind: Server
|
||||
metadata:
|
||||
namespace: {{.Values.namespace}}
|
||||
name: collector-jaeger-thrift
|
||||
labels:
|
||||
linkerd.io/extension: jaeger
|
||||
component: collector
|
||||
annotations:
|
||||
{{ include "partials.annotations.created-by" . }}
|
||||
spec:
|
||||
podSelector:
|
||||
matchLabels:
|
||||
component: collector
|
||||
port: 14268
|
||||
---
|
||||
apiVersion: policy.linkerd.io/v1alpha1
|
||||
kind: Server
|
||||
metadata:
|
||||
namespace: {{.Values.namespace}}
|
||||
name: collector-jaeger-grpc
|
||||
labels:
|
||||
linkerd.io/extension: jaeger
|
||||
component: collector
|
||||
annotations:
|
||||
{{ include "partials.annotations.created-by" . }}
|
||||
spec:
|
||||
podSelector:
|
||||
matchLabels:
|
||||
component: collector
|
||||
port: 14250
|
||||
---
|
||||
apiVersion: policy.linkerd.io/v1alpha1
|
||||
kind: Server
|
||||
metadata:
|
||||
namespace: {{.Values.namespace}}
|
||||
name: collector-admin
|
||||
labels:
|
||||
linkerd.io/extension: jaeger
|
||||
component: collector
|
||||
annotations:
|
||||
{{ include "partials.annotations.created-by" . }}
|
||||
spec:
|
||||
podSelector:
|
||||
matchLabels:
|
||||
component: collector
|
||||
port: 13133
|
||||
proxyProtocol: HTTP/1
|
||||
---
|
||||
apiVersion: policy.linkerd.io/v1alpha1
|
||||
kind: ServerAuthorization
|
||||
metadata:
|
||||
namespace: {{.Values.namespace}}
|
||||
name: collector
|
||||
labels:
|
||||
linkerd.io/extension: jaeger
|
||||
component: collector
|
||||
annotations:
|
||||
{{ include "partials.annotations.created-by" . }}
|
||||
spec:
|
||||
server:
|
||||
selector:
|
||||
matchLabels:
|
||||
linkerd.io/extension: jaeger
|
||||
component: collector
|
||||
client:
|
||||
# allow connections from any pod (meshed or not) sending trace data
|
||||
unauthenticated: true
|
||||
{{ end -}}
|
||||
{{ if .Values.jaeger.enabled -}}
|
||||
---
|
||||
apiVersion: policy.linkerd.io/v1alpha1
|
||||
kind: Server
|
||||
metadata:
|
||||
namespace: {{.Values.namespace}}
|
||||
name: jaeger-grpc
|
||||
labels:
|
||||
linkerd.io/extension: jaeger
|
||||
component: jaeger
|
||||
annotations:
|
||||
{{ include "partials.annotations.created-by" . }}
|
||||
spec:
|
||||
podSelector:
|
||||
matchLabels:
|
||||
component: jaeger
|
||||
port: grpc
|
||||
proxyProtocol: gRPC
|
||||
---
|
||||
apiVersion: policy.linkerd.io/v1alpha1
|
||||
kind: ServerAuthorization
|
||||
metadata:
|
||||
namespace: {{.Values.namespace}}
|
||||
name: jaeger-grpc
|
||||
labels:
|
||||
linkerd.io/extension: jaeger
|
||||
component: jaeger
|
||||
annotations:
|
||||
{{ include "partials.annotations.created-by" . }}
|
||||
spec:
|
||||
server:
|
||||
name: jaeger-grpc
|
||||
client:
|
||||
meshTLS:
|
||||
serviceAccounts:
|
||||
- name: collector
|
||||
---
|
||||
apiVersion: policy.linkerd.io/v1alpha1
|
||||
kind: Server
|
||||
metadata:
|
||||
namespace: {{.Values.namespace}}
|
||||
name: jaeger-admin
|
||||
labels:
|
||||
linkerd.io/extension: jaeger
|
||||
component: jaeger
|
||||
annotations:
|
||||
{{ include "partials.annotations.created-by" . }}
|
||||
spec:
|
||||
podSelector:
|
||||
matchLabels:
|
||||
component: jaeger
|
||||
port: admin
|
||||
proxyProtocol: HTTP/1
|
||||
---
|
||||
apiVersion: policy.linkerd.io/v1alpha1
|
||||
kind: ServerAuthorization
|
||||
metadata:
|
||||
namespace: {{.Values.namespace}}
|
||||
name: jaeger-admin
|
||||
labels:
|
||||
linkerd.io/extension: jaeger
|
||||
component: jaeger
|
||||
annotations:
|
||||
{{ include "partials.annotations.created-by" . }}
|
||||
spec:
|
||||
server:
|
||||
name: jaeger-admin
|
||||
client:
|
||||
meshTLS:
|
||||
serviceAccounts:
|
||||
# if not using linkerd-viz' prometheus, replace its SA here
|
||||
- name: prometheus
|
||||
namespace: linkerd-viz
|
||||
---
|
||||
apiVersion: policy.linkerd.io/v1alpha1
|
||||
kind: Server
|
||||
metadata:
|
||||
namespace: {{.Values.namespace}}
|
||||
name: jaeger-ui
|
||||
labels:
|
||||
linkerd.io/extension: jaeger
|
||||
component: jaeger
|
||||
annotations:
|
||||
{{ include "partials.annotations.created-by" . }}
|
||||
spec:
|
||||
podSelector:
|
||||
matchLabels:
|
||||
component: jaeger
|
||||
port: ui
|
||||
proxyProtocol: HTTP/1
|
||||
---
|
||||
apiVersion: policy.linkerd.io/v1alpha1
|
||||
kind: ServerAuthorization
|
||||
metadata:
|
||||
namespace: {{.Values.namespace}}
|
||||
name: jaeger-ui
|
||||
labels:
|
||||
linkerd.io/extension: jaeger
|
||||
component: jaeger
|
||||
annotations:
|
||||
{{ include "partials.annotations.created-by" . }}
|
||||
spec:
|
||||
server:
|
||||
name: jaeger-ui
|
||||
client:
|
||||
meshTLS:
|
||||
serviceAccounts:
|
||||
# for the optional dashboard integration
|
||||
- name: web
|
||||
namespace: linkerd-viz
|
||||
{{ end -}}
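Review bot: The `jaeger-admin` and `jaeger-ui` authorizations hard-code the client identities `prometheus` and `web` in namespace `linkerd-viz`, and the comment `# if not using linkerd-viz' prometheus, replace its SA here` asks the operator to edit a chart template. Under a default-deny policy, an installation whose viz extension lives in another namespace, or that scrapes with its own Prometheus, would presumably lose metrics scraping and the dashboard link until the rendered manifest is patched. I would take the service-account name and namespace from chart values, with the current ones as defaults, so the override survives upgrades. Separately, the collector and jaeger Servers select pods on `component:` alone while the injector Servers also require `linkerd.io/extension: jaeger`; matching both labels everywhere would keep the selectors consistent.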
|
||||
|
|
@ -9,6 +9,7 @@ metadata:
|
|||
name: collector-config
|
||||
namespace: {{.Values.namespace}}
|
||||
labels:
|
||||
linkerd.io/extension: jaeger
|
||||
component: collector
|
||||
data:
|
||||
collector-config: |
|
||||
|
|
@ -20,6 +21,7 @@ metadata:
|
|||
name: collector
|
||||
namespace: {{.Values.namespace}}
|
||||
labels:
|
||||
linkerd.io/extension: jaeger
|
||||
component: collector
|
||||
spec:
|
||||
type: ClusterIP
|
||||
|
|
@ -51,6 +53,7 @@ apiVersion: apps/v1
|
|||
kind: Deployment
|
||||
metadata:
|
||||
labels:
|
||||
linkerd.io/extension: jaeger
|
||||
app.kubernetes.io/name: collector
|
||||
app.kubernetes.io/part-of: Linkerd
|
||||
component: collector
|
||||
|
|
@ -70,6 +73,7 @@ spec:
|
|||
prometheus.io/port: "8888"
|
||||
prometheus.io/scrape: "true"
|
||||
labels:
|
||||
linkerd.io/extension: jaeger
|
||||
component: collector
|
||||
spec:
|
||||
{{- if .Values.collector.tolerations -}}
|
||||
|
|
@ -96,6 +100,7 @@ spec:
|
|||
port: 13133
|
||||
name: ot-collector
|
||||
ports:
|
||||
- containerPort: 13133
|
||||
- containerPort: 4317
|
||||
- containerPort: 55678
|
||||
- containerPort: 9411
|
||||
|
|
@ -132,6 +137,7 @@ metadata:
|
|||
name: jaeger
|
||||
namespace: {{.Values.namespace}}
|
||||
labels:
|
||||
linkerd.io/extension: jaeger
|
||||
component: jaeger
|
||||
spec:
|
||||
type: ClusterIP
|
||||
|
|
@ -149,6 +155,7 @@ apiVersion: apps/v1
|
|||
kind: Deployment
|
||||
metadata:
|
||||
labels:
|
||||
linkerd.io/extension: jaeger
|
||||
app.kubernetes.io/name: jaeger
|
||||
app.kubernetes.io/part-of: Linkerd
|
||||
component: jaeger
|
||||
|
|
@ -167,6 +174,7 @@ spec:
|
|||
prometheus.io/port: "14269"
|
||||
prometheus.io/scrape: "true"
|
||||
labels:
|
||||
linkerd.io/extension: jaeger
|
||||
component: jaeger
|
||||
spec:
|
||||
{{- if .Values.jaeger.tolerations -}}
|
||||
|
|
|
|||
|
|
@ -25,10 +25,13 @@ import (
|
|||
var (
|
||||
templatesJaeger = []string{
|
||||
"templates/namespace.yaml",
|
||||
"templates/proxy-admin-policy.yaml",
|
||||
"templates/jaeger-injector.yaml",
|
||||
"templates/jaeger-injector-policy.yaml",
|
||||
"templates/rbac.yaml",
|
||||
"templates/psp.yaml",
|
||||
"templates/tracing.yaml",
|
||||
"templates/tracing-policy.yaml",
|
||||
}
|
||||
)
|
||||
|
||||
|
|
|
|||
|
|
@ -9,6 +9,39 @@ metadata:
|
|||
linkerd.io/inject: enabled
|
||||
config.linkerd.io/proxy-await: "enabled"
|
||||
---
|
||||
apiVersion: policy.linkerd.io/v1alpha1
|
||||
kind: Server
|
||||
metadata:
|
||||
namespace: linkerd-jaeger
|
||||
name: proxy-admin
|
||||
labels:
|
||||
linkerd.io/extension: jaeger
|
||||
annotations:
|
||||
linkerd.io/created-by: linkerd/helm dev-undefined
|
||||
spec:
|
||||
podSelector:
|
||||
matchLabels:
|
||||
linkerd.io/extension: jaeger
|
||||
port: linkerd-admin
|
||||
proxyProtocol: HTTP/1
|
||||
---
|
||||
apiVersion: policy.linkerd.io/v1alpha1
|
||||
kind: ServerAuthorization
|
||||
metadata:
|
||||
namespace: linkerd-jaeger
|
||||
name: proxy-admin
|
||||
labels:
|
||||
linkerd.io/extension: jaeger
|
||||
annotations:
|
||||
linkerd.io/created-by: linkerd/helm dev-undefined
|
||||
spec:
|
||||
server:
|
||||
name: proxy-admin
|
||||
client:
|
||||
# for kubelet probes
|
||||
unauthenticated: true
|
||||
|
||||
---
|
||||
###
|
||||
### Jaeger Injector
|
||||
###
|
||||
|
|
@ -90,6 +123,62 @@ spec:
|
|||
port: 443
|
||||
targetPort: jaeger-injector
|
||||
---
|
||||
apiVersion: policy.linkerd.io/v1alpha1
|
||||
kind: Server
|
||||
metadata:
|
||||
namespace: linkerd-jaeger
|
||||
name: jaeger-injector-webhook
|
||||
labels:
|
||||
linkerd.io/extension: jaeger
|
||||
component: jaeger-injector
|
||||
annotations:
|
||||
linkerd.io/created-by: linkerd/helm dev-undefined
|
||||
spec:
|
||||
podSelector:
|
||||
matchLabels:
|
||||
linkerd.io/extension: jaeger
|
||||
component: jaeger-injector
|
||||
port: jaeger-injector
|
||||
proxyProtocol: TLS
|
||||
---
|
||||
apiVersion: policy.linkerd.io/v1alpha1
|
||||
kind: Server
|
||||
metadata:
|
||||
namespace: linkerd-jaeger
|
||||
name: jaeger-injector-admin
|
||||
labels:
|
||||
linkerd.io/extension: jaeger
|
||||
component: jaeger-injector
|
||||
annotations:
|
||||
linkerd.io/created-by: linkerd/helm dev-undefined
|
||||
spec:
|
||||
podSelector:
|
||||
matchLabels:
|
||||
linkerd.io/extension: jaeger
|
||||
component: jaeger-injector
|
||||
port: admin-http
|
||||
proxyProtocol: HTTP/1
|
||||
---
|
||||
apiVersion: policy.linkerd.io/v1alpha1
|
||||
kind: ServerAuthorization
|
||||
metadata:
|
||||
namespace: linkerd-jaeger
|
||||
name: jaeger-injector
|
||||
labels:
|
||||
linkerd.io/extension: jaeger
|
||||
component: jaeger-injector
|
||||
annotations:
|
||||
linkerd.io/created-by: linkerd/helm dev-undefined
|
||||
spec:
|
||||
server:
|
||||
selector:
|
||||
matchLabels:
|
||||
linkerd.io/extension: jaeger
|
||||
component: jaeger-injector
|
||||
client:
|
||||
# traffic coming from the kubelet and from kube-api
|
||||
unauthenticated: true
|
||||
---
|
||||
###
|
||||
### Jaeger Injector RBAC
|
||||
###
|
||||
|
|
@ -178,6 +267,7 @@ metadata:
|
|||
name: jaeger
|
||||
namespace: linkerd-jaeger
|
||||
labels:
|
||||
linkerd.io/extension: jaeger
|
||||
component: jaeger
|
||||
spec:
|
||||
type: ClusterIP
|
||||
|
|
@ -195,6 +285,7 @@ apiVersion: apps/v1
|
|||
kind: Deployment
|
||||
metadata:
|
||||
labels:
|
||||
linkerd.io/extension: jaeger
|
||||
app.kubernetes.io/name: jaeger
|
||||
app.kubernetes.io/part-of: Linkerd
|
||||
component: jaeger
|
||||
|
|
@ -213,6 +304,7 @@ spec:
|
|||
prometheus.io/port: "14269"
|
||||
prometheus.io/scrape: "true"
|
||||
labels:
|
||||
linkerd.io/extension: jaeger
|
||||
component: jaeger
|
||||
spec:
|
||||
nodeSelector:
|
||||
|
|
@ -234,3 +326,112 @@ spec:
|
|||
name: ui
|
||||
dnsPolicy: ClusterFirst
|
||||
serviceAccountName: jaeger
|
||||
---
|
||||
apiVersion: policy.linkerd.io/v1alpha1
|
||||
kind: Server
|
||||
metadata:
|
||||
namespace: linkerd-jaeger
|
||||
name: jaeger-grpc
|
||||
labels:
|
||||
linkerd.io/extension: jaeger
|
||||
component: jaeger
|
||||
annotations:
|
||||
linkerd.io/created-by: linkerd/helm dev-undefined
|
||||
spec:
|
||||
podSelector:
|
||||
matchLabels:
|
||||
component: jaeger
|
||||
port: grpc
|
||||
proxyProtocol: gRPC
|
||||
---
|
||||
apiVersion: policy.linkerd.io/v1alpha1
|
||||
kind: ServerAuthorization
|
||||
metadata:
|
||||
namespace: linkerd-jaeger
|
||||
name: jaeger-grpc
|
||||
labels:
|
||||
linkerd.io/extension: jaeger
|
||||
component: jaeger
|
||||
annotations:
|
||||
linkerd.io/created-by: linkerd/helm dev-undefined
|
||||
spec:
|
||||
server:
|
||||
name: jaeger-grpc
|
||||
client:
|
||||
meshTLS:
|
||||
serviceAccounts:
|
||||
- name: collector
|
||||
---
|
||||
apiVersion: policy.linkerd.io/v1alpha1
|
||||
kind: Server
|
||||
metadata:
|
||||
namespace: linkerd-jaeger
|
||||
name: jaeger-admin
|
||||
labels:
|
||||
linkerd.io/extension: jaeger
|
||||
component: jaeger
|
||||
annotations:
|
||||
linkerd.io/created-by: linkerd/helm dev-undefined
|
||||
spec:
|
||||
podSelector:
|
||||
matchLabels:
|
||||
component: jaeger
|
||||
port: admin
|
||||
proxyProtocol: HTTP/1
|
||||
---
|
||||
apiVersion: policy.linkerd.io/v1alpha1
|
||||
kind: ServerAuthorization
|
||||
metadata:
|
||||
namespace: linkerd-jaeger
|
||||
name: jaeger-admin
|
||||
labels:
|
||||
linkerd.io/extension: jaeger
|
||||
component: jaeger
|
||||
annotations:
|
||||
linkerd.io/created-by: linkerd/helm dev-undefined
|
||||
spec:
|
||||
server:
|
||||
name: jaeger-admin
|
||||
client:
|
||||
meshTLS:
|
||||
serviceAccounts:
|
||||
# if not using linkerd-viz' prometheus, replace its SA here
|
||||
- name: prometheus
|
||||
namespace: linkerd-viz
|
||||
---
|
||||
apiVersion: policy.linkerd.io/v1alpha1
|
||||
kind: Server
|
||||
metadata:
|
||||
namespace: linkerd-jaeger
|
||||
name: jaeger-ui
|
||||
labels:
|
||||
linkerd.io/extension: jaeger
|
||||
component: jaeger
|
||||
annotations:
|
||||
linkerd.io/created-by: linkerd/helm dev-undefined
|
||||
spec:
|
||||
podSelector:
|
||||
matchLabels:
|
||||
component: jaeger
|
||||
port: ui
|
||||
proxyProtocol: HTTP/1
|
||||
---
|
||||
apiVersion: policy.linkerd.io/v1alpha1
|
||||
kind: ServerAuthorization
|
||||
metadata:
|
||||
namespace: linkerd-jaeger
|
||||
name: jaeger-ui
|
||||
labels:
|
||||
linkerd.io/extension: jaeger
|
||||
component: jaeger
|
||||
annotations:
|
||||
linkerd.io/created-by: linkerd/helm dev-undefined
|
||||
spec:
|
||||
server:
|
||||
name: jaeger-ui
|
||||
client:
|
||||
meshTLS:
|
||||
serviceAccounts:
|
||||
# for the optional dashboard integration
|
||||
- name: web
|
||||
namespace: linkerd-viz
|
||||
|
|
|
|||
|
|
@ -9,6 +9,39 @@ metadata:
|
|||
linkerd.io/inject: enabled
|
||||
config.linkerd.io/proxy-await: "enabled"
|
||||
---
|
||||
apiVersion: policy.linkerd.io/v1alpha1
|
||||
kind: Server
|
||||
metadata:
|
||||
namespace: linkerd-jaeger
|
||||
name: proxy-admin
|
||||
labels:
|
||||
linkerd.io/extension: jaeger
|
||||
annotations:
|
||||
linkerd.io/created-by: linkerd/helm dev-undefined
|
||||
spec:
|
||||
podSelector:
|
||||
matchLabels:
|
||||
linkerd.io/extension: jaeger
|
||||
port: linkerd-admin
|
||||
proxyProtocol: HTTP/1
|
||||
---
|
||||
apiVersion: policy.linkerd.io/v1alpha1
|
||||
kind: ServerAuthorization
|
||||
metadata:
|
||||
namespace: linkerd-jaeger
|
||||
name: proxy-admin
|
||||
labels:
|
||||
linkerd.io/extension: jaeger
|
||||
annotations:
|
||||
linkerd.io/created-by: linkerd/helm dev-undefined
|
||||
spec:
|
||||
server:
|
||||
name: proxy-admin
|
||||
client:
|
||||
# for kubelet probes
|
||||
unauthenticated: true
|
||||
|
||||
---
|
||||
###
|
||||
### Jaeger Injector
|
||||
###
|
||||
|
|
@ -90,6 +123,62 @@ spec:
|
|||
port: 443
|
||||
targetPort: jaeger-injector
|
||||
---
|
||||
apiVersion: policy.linkerd.io/v1alpha1
|
||||
kind: Server
|
||||
metadata:
|
||||
namespace: linkerd-jaeger
|
||||
name: jaeger-injector-webhook
|
||||
labels:
|
||||
linkerd.io/extension: jaeger
|
||||
component: jaeger-injector
|
||||
annotations:
|
||||
linkerd.io/created-by: linkerd/helm dev-undefined
|
||||
spec:
|
||||
podSelector:
|
||||
matchLabels:
|
||||
linkerd.io/extension: jaeger
|
||||
component: jaeger-injector
|
||||
port: jaeger-injector
|
||||
proxyProtocol: TLS
|
||||
---
|
||||
apiVersion: policy.linkerd.io/v1alpha1
|
||||
kind: Server
|
||||
metadata:
|
||||
namespace: linkerd-jaeger
|
||||
name: jaeger-injector-admin
|
||||
labels:
|
||||
linkerd.io/extension: jaeger
|
||||
component: jaeger-injector
|
||||
annotations:
|
||||
linkerd.io/created-by: linkerd/helm dev-undefined
|
||||
spec:
|
||||
podSelector:
|
||||
matchLabels:
|
||||
linkerd.io/extension: jaeger
|
||||
component: jaeger-injector
|
||||
port: admin-http
|
||||
proxyProtocol: HTTP/1
|
||||
---
|
||||
apiVersion: policy.linkerd.io/v1alpha1
|
||||
kind: ServerAuthorization
|
||||
metadata:
|
||||
namespace: linkerd-jaeger
|
||||
name: jaeger-injector
|
||||
labels:
|
||||
linkerd.io/extension: jaeger
|
||||
component: jaeger-injector
|
||||
annotations:
|
||||
linkerd.io/created-by: linkerd/helm dev-undefined
|
||||
spec:
|
||||
server:
|
||||
selector:
|
||||
matchLabels:
|
||||
linkerd.io/extension: jaeger
|
||||
component: jaeger-injector
|
||||
client:
|
||||
# traffic coming from the kubelet and from kube-api
|
||||
unauthenticated: true
|
||||
---
|
||||
###
|
||||
### collector RBAC
|
||||
###
|
||||
|
|
@ -187,6 +276,7 @@ metadata:
|
|||
name: collector-config
|
||||
namespace: linkerd-jaeger
|
||||
labels:
|
||||
linkerd.io/extension: jaeger
|
||||
component: collector
|
||||
data:
|
||||
collector-config: |
|
||||
|
|
@ -225,6 +315,7 @@ metadata:
|
|||
name: collector
|
||||
namespace: linkerd-jaeger
|
||||
labels:
|
||||
linkerd.io/extension: jaeger
|
||||
component: collector
|
||||
spec:
|
||||
type: ClusterIP
|
||||
|
|
@ -256,6 +347,7 @@ apiVersion: apps/v1
|
|||
kind: Deployment
|
||||
metadata:
|
||||
labels:
|
||||
linkerd.io/extension: jaeger
|
||||
app.kubernetes.io/name: collector
|
||||
app.kubernetes.io/part-of: Linkerd
|
||||
component: collector
|
||||
|
|
@ -275,6 +367,7 @@ spec:
|
|||
prometheus.io/port: "8888"
|
||||
prometheus.io/scrape: "true"
|
||||
labels:
|
||||
linkerd.io/extension: jaeger
|
||||
component: collector
|
||||
spec:
|
||||
nodeSelector:
|
||||
|
|
@ -299,6 +392,7 @@ spec:
|
|||
port: 13133
|
||||
name: ot-collector
|
||||
ports:
|
||||
- containerPort: 13133
|
||||
- containerPort: 4317
|
||||
- containerPort: 55678
|
||||
- containerPort: 9411
|
||||
|
|
@ -330,6 +424,7 @@ metadata:
|
|||
name: jaeger
|
||||
namespace: linkerd-jaeger
|
||||
labels:
|
||||
linkerd.io/extension: jaeger
|
||||
component: jaeger
|
||||
spec:
|
||||
type: ClusterIP
|
||||
|
|
@ -347,6 +442,7 @@ apiVersion: apps/v1
|
|||
kind: Deployment
|
||||
metadata:
|
||||
labels:
|
||||
linkerd.io/extension: jaeger
|
||||
app.kubernetes.io/name: jaeger
|
||||
app.kubernetes.io/part-of: Linkerd
|
||||
component: jaeger
|
||||
|
|
@ -365,6 +461,7 @@ spec:
|
|||
prometheus.io/port: "14269"
|
||||
prometheus.io/scrape: "true"
|
||||
labels:
|
||||
linkerd.io/extension: jaeger
|
||||
component: jaeger
|
||||
spec:
|
||||
nodeSelector:
|
||||
|
|
@ -386,3 +483,231 @@ spec:
|
|||
name: ui
|
||||
dnsPolicy: ClusterFirst
|
||||
serviceAccountName: jaeger
|
||||
---
|
||||
apiVersion: policy.linkerd.io/v1alpha1
|
||||
kind: Server
|
||||
metadata:
|
||||
namespace: linkerd-jaeger
|
||||
name: collector-otlp
|
||||
labels:
|
||||
linkerd.io/extension: jaeger
|
||||
component: collector
|
||||
annotations:
|
||||
linkerd.io/created-by: linkerd/helm dev-undefined
|
||||
spec:
|
||||
podSelector:
|
||||
matchLabels:
|
||||
component: collector
|
||||
port: 4317
|
||||
proxyProtocol: gRPC
|
||||
---
|
||||
apiVersion: policy.linkerd.io/v1alpha1
|
||||
kind: Server
|
||||
metadata:
|
||||
namespace: linkerd-jaeger
|
||||
name: collector-opencensus
|
||||
labels:
|
||||
linkerd.io/extension: jaeger
|
||||
component: collector
|
||||
annotations:
|
||||
linkerd.io/created-by: linkerd/helm dev-undefined
|
||||
spec:
|
||||
podSelector:
|
||||
matchLabels:
|
||||
component: collector
|
||||
port: 55678
|
||||
proxyProtocol: gRPC
|
||||
---
|
||||
apiVersion: policy.linkerd.io/v1alpha1
|
||||
kind: Server
|
||||
metadata:
|
||||
namespace: linkerd-jaeger
|
||||
name: collector-zipkin
|
||||
labels:
|
||||
linkerd.io/extension: jaeger
|
||||
component: collector
|
||||
annotations:
|
||||
linkerd.io/created-by: linkerd/helm dev-undefined
|
||||
spec:
|
||||
podSelector:
|
||||
matchLabels:
|
||||
component: collector
|
||||
port: 9411
|
||||
---
|
||||
apiVersion: policy.linkerd.io/v1alpha1
|
||||
kind: Server
|
||||
metadata:
|
||||
namespace: linkerd-jaeger
|
||||
name: collector-jaeger-thrift
|
||||
labels:
|
||||
linkerd.io/extension: jaeger
|
||||
component: collector
|
||||
annotations:
|
||||
linkerd.io/created-by: linkerd/helm dev-undefined
|
||||
spec:
|
||||
podSelector:
|
||||
matchLabels:
|
||||
component: collector
|
||||
port: 14268
|
||||
---
|
||||
apiVersion: policy.linkerd.io/v1alpha1
|
||||
kind: Server
|
||||
metadata:
|
||||
namespace: linkerd-jaeger
|
||||
name: collector-jaeger-grpc
|
||||
labels:
|
||||
linkerd.io/extension: jaeger
|
||||
component: collector
|
||||
annotations:
|
||||
linkerd.io/created-by: linkerd/helm dev-undefined
|
||||
spec:
|
||||
podSelector:
|
||||
matchLabels:
|
||||
component: collector
|
||||
port: 14250
|
||||
---
|
||||
apiVersion: policy.linkerd.io/v1alpha1
|
||||
kind: Server
|
||||
metadata:
|
||||
namespace: linkerd-jaeger
|
||||
name: collector-admin
|
||||
labels:
|
||||
linkerd.io/extension: jaeger
|
||||
component: collector
|
||||
annotations:
|
||||
linkerd.io/created-by: linkerd/helm dev-undefined
|
||||
spec:
|
||||
podSelector:
|
||||
matchLabels:
|
||||
component: collector
|
||||
port: 13133
|
||||
proxyProtocol: HTTP/1
|
||||
---
|
||||
apiVersion: policy.linkerd.io/v1alpha1
|
||||
kind: ServerAuthorization
|
||||
metadata:
|
||||
namespace: linkerd-jaeger
|
||||
name: collector
|
||||
labels:
|
||||
linkerd.io/extension: jaeger
|
||||
component: collector
|
||||
annotations:
|
||||
linkerd.io/created-by: linkerd/helm dev-undefined
|
||||
spec:
|
||||
server:
|
||||
selector:
|
||||
matchLabels:
|
||||
linkerd.io/extension: jaeger
|
||||
component: collector
|
||||
client:
|
||||
# allow connections from any pod (meshed or not) sending trace data
|
||||
unauthenticated: true
|
||||
---
|
||||
apiVersion: policy.linkerd.io/v1alpha1
|
||||
kind: Server
|
||||
metadata:
|
||||
namespace: linkerd-jaeger
|
||||
name: jaeger-grpc
|
||||
labels:
|
||||
linkerd.io/extension: jaeger
|
||||
component: jaeger
|
||||
annotations:
|
||||
linkerd.io/created-by: linkerd/helm dev-undefined
|
||||
spec:
|
||||
podSelector:
|
||||
matchLabels:
|
||||
component: jaeger
|
||||
port: grpc
|
||||
proxyProtocol: gRPC
|
||||
---
|
||||
apiVersion: policy.linkerd.io/v1alpha1
|
||||
kind: ServerAuthorization
|
||||
metadata:
|
||||
namespace: linkerd-jaeger
|
||||
name: jaeger-grpc
|
||||
labels:
|
||||
linkerd.io/extension: jaeger
|
||||
component: jaeger
|
||||
annotations:
|
||||
linkerd.io/created-by: linkerd/helm dev-undefined
|
||||
spec:
|
||||
server:
|
||||
name: jaeger-grpc
|
||||
client:
|
||||
meshTLS:
|
||||
serviceAccounts:
|
||||
- name: collector
|
||||
---
|
||||
apiVersion: policy.linkerd.io/v1alpha1
|
||||
kind: Server
|
||||
metadata:
|
||||
namespace: linkerd-jaeger
|
||||
name: jaeger-admin
|
||||
labels:
|
||||
linkerd.io/extension: jaeger
|
||||
component: jaeger
|
||||
annotations:
|
||||
linkerd.io/created-by: linkerd/helm dev-undefined
|
||||
spec:
|
||||
podSelector:
|
||||
matchLabels:
|
||||
component: jaeger
|
||||
port: admin
|
||||
proxyProtocol: HTTP/1
|
||||
---
|
||||
apiVersion: policy.linkerd.io/v1alpha1
|
||||
kind: ServerAuthorization
|
||||
metadata:
|
||||
namespace: linkerd-jaeger
|
||||
name: jaeger-admin
|
||||
labels:
|
||||
linkerd.io/extension: jaeger
|
||||
component: jaeger
|
||||
annotations:
|
||||
linkerd.io/created-by: linkerd/helm dev-undefined
|
||||
spec:
|
||||
server:
|
||||
name: jaeger-admin
|
||||
client:
|
||||
meshTLS:
|
||||
serviceAccounts:
|
||||
# if not using linkerd-viz' prometheus, replace its SA here
|
||||
- name: prometheus
|
||||
namespace: linkerd-viz
|
||||
---
|
||||
apiVersion: policy.linkerd.io/v1alpha1
|
||||
kind: Server
|
||||
metadata:
|
||||
namespace: linkerd-jaeger
|
||||
name: jaeger-ui
|
||||
labels:
|
||||
linkerd.io/extension: jaeger
|
||||
component: jaeger
|
||||
annotations:
|
||||
linkerd.io/created-by: linkerd/helm dev-undefined
|
||||
spec:
|
||||
podSelector:
|
||||
matchLabels:
|
||||
component: jaeger
|
||||
port: ui
|
||||
proxyProtocol: HTTP/1
|
||||
---
|
||||
apiVersion: policy.linkerd.io/v1alpha1
|
||||
kind: ServerAuthorization
|
||||
metadata:
|
||||
namespace: linkerd-jaeger
|
||||
name: jaeger-ui
|
||||
labels:
|
||||
linkerd.io/extension: jaeger
|
||||
component: jaeger
|
||||
annotations:
|
||||
linkerd.io/created-by: linkerd/helm dev-undefined
|
||||
spec:
|
||||
server:
|
||||
name: jaeger-ui
|
||||
client:
|
||||
meshTLS:
|
||||
serviceAccounts:
|
||||
# for the optional dashboard integration
|
||||
- name: web
|
||||
namespace: linkerd-viz
|
||||
|
|
|
|||
|
|
@ -9,6 +9,39 @@ metadata:
|
|||
linkerd.io/inject: enabled
|
||||
config.linkerd.io/proxy-await: "enabled"
|
||||
---
|
||||
apiVersion: policy.linkerd.io/v1alpha1
|
||||
kind: Server
|
||||
metadata:
|
||||
namespace: linkerd-jaeger
|
||||
name: proxy-admin
|
||||
labels:
|
||||
linkerd.io/extension: jaeger
|
||||
annotations:
|
||||
linkerd.io/created-by: linkerd/helm dev-undefined
|
||||
spec:
|
||||
podSelector:
|
||||
matchLabels:
|
||||
linkerd.io/extension: jaeger
|
||||
port: linkerd-admin
|
||||
proxyProtocol: HTTP/1
|
||||
---
|
||||
apiVersion: policy.linkerd.io/v1alpha1
|
||||
kind: ServerAuthorization
|
||||
metadata:
|
||||
namespace: linkerd-jaeger
|
||||
name: proxy-admin
|
||||
labels:
|
||||
linkerd.io/extension: jaeger
|
||||
annotations:
|
||||
linkerd.io/created-by: linkerd/helm dev-undefined
|
||||
spec:
|
||||
server:
|
||||
name: proxy-admin
|
||||
client:
|
||||
# for kubelet probes
|
||||
unauthenticated: true
|
||||
|
||||
---
|
||||
###
|
||||
### Jaeger Injector
|
||||
###
|
||||
|
|
@ -90,6 +123,62 @@ spec:
|
|||
port: 443
|
||||
targetPort: jaeger-injector
|
||||
---
|
||||
apiVersion: policy.linkerd.io/v1alpha1
|
||||
kind: Server
|
||||
metadata:
|
||||
namespace: linkerd-jaeger
|
||||
name: jaeger-injector-webhook
|
||||
labels:
|
||||
linkerd.io/extension: jaeger
|
||||
component: jaeger-injector
|
||||
annotations:
|
||||
linkerd.io/created-by: linkerd/helm dev-undefined
|
||||
spec:
|
||||
podSelector:
|
||||
matchLabels:
|
||||
linkerd.io/extension: jaeger
|
||||
component: jaeger-injector
|
||||
port: jaeger-injector
|
||||
proxyProtocol: TLS
|
||||
---
|
||||
apiVersion: policy.linkerd.io/v1alpha1
|
||||
kind: Server
|
||||
metadata:
|
||||
namespace: linkerd-jaeger
|
||||
name: jaeger-injector-admin
|
||||
labels:
|
||||
linkerd.io/extension: jaeger
|
||||
component: jaeger-injector
|
||||
annotations:
|
||||
linkerd.io/created-by: linkerd/helm dev-undefined
|
||||
spec:
|
||||
podSelector:
|
||||
matchLabels:
|
||||
linkerd.io/extension: jaeger
|
||||
component: jaeger-injector
|
||||
port: admin-http
|
||||
proxyProtocol: HTTP/1
|
||||
---
|
||||
apiVersion: policy.linkerd.io/v1alpha1
|
||||
kind: ServerAuthorization
|
||||
metadata:
|
||||
namespace: linkerd-jaeger
|
||||
name: jaeger-injector
|
||||
labels:
|
||||
linkerd.io/extension: jaeger
|
||||
component: jaeger-injector
|
||||
annotations:
|
||||
linkerd.io/created-by: linkerd/helm dev-undefined
|
||||
spec:
|
||||
server:
|
||||
selector:
|
||||
matchLabels:
|
||||
linkerd.io/extension: jaeger
|
||||
component: jaeger-injector
|
||||
client:
|
||||
# traffic coming from the kubelet and from kube-api
|
||||
unauthenticated: true
|
||||
---
|
||||
###
|
||||
### collector RBAC
|
||||
###
|
||||
|
|
@ -178,6 +267,7 @@ metadata:
|
|||
name: collector-config
|
||||
namespace: linkerd-jaeger
|
||||
labels:
|
||||
linkerd.io/extension: jaeger
|
||||
component: collector
|
||||
data:
|
||||
collector-config: |
|
||||
|
|
@ -216,6 +306,7 @@ metadata:
|
|||
name: collector
|
||||
namespace: linkerd-jaeger
|
||||
labels:
|
||||
linkerd.io/extension: jaeger
|
||||
component: collector
|
||||
spec:
|
||||
type: ClusterIP
|
||||
|
|
@ -247,6 +338,7 @@ apiVersion: apps/v1
|
|||
kind: Deployment
|
||||
metadata:
|
||||
labels:
|
||||
linkerd.io/extension: jaeger
|
||||
app.kubernetes.io/name: collector
|
||||
app.kubernetes.io/part-of: Linkerd
|
||||
component: collector
|
||||
|
|
@ -266,6 +358,7 @@ spec:
|
|||
prometheus.io/port: "8888"
|
||||
prometheus.io/scrape: "true"
|
||||
labels:
|
||||
linkerd.io/extension: jaeger
|
||||
component: collector
|
||||
spec:
|
||||
nodeSelector:
|
||||
|
|
@ -290,6 +383,7 @@ spec:
|
|||
port: 13133
|
||||
name: ot-collector
|
||||
ports:
|
||||
- containerPort: 13133
|
||||
- containerPort: 4317
|
||||
- containerPort: 55678
|
||||
- containerPort: 9411
|
||||
|
|
@ -311,3 +405,122 @@ spec:
|
|||
path: collector-config.yaml
|
||||
name: collector-config
|
||||
name: collector-config-val
|
||||
---
|
||||
apiVersion: policy.linkerd.io/v1alpha1
|
||||
kind: Server
|
||||
metadata:
|
||||
namespace: linkerd-jaeger
|
||||
name: collector-otlp
|
||||
labels:
|
||||
linkerd.io/extension: jaeger
|
||||
component: collector
|
||||
annotations:
|
||||
linkerd.io/created-by: linkerd/helm dev-undefined
|
||||
spec:
|
||||
podSelector:
|
||||
matchLabels:
|
||||
component: collector
|
||||
port: 4317
|
||||
proxyProtocol: gRPC
|
||||
---
|
||||
apiVersion: policy.linkerd.io/v1alpha1
|
||||
kind: Server
|
||||
metadata:
|
||||
namespace: linkerd-jaeger
|
||||
name: collector-opencensus
|
||||
labels:
|
||||
linkerd.io/extension: jaeger
|
||||
component: collector
|
||||
annotations:
|
||||
linkerd.io/created-by: linkerd/helm dev-undefined
|
||||
spec:
|
||||
podSelector:
|
||||
matchLabels:
|
||||
component: collector
|
||||
port: 55678
|
||||
proxyProtocol: gRPC
|
||||
---
|
||||
apiVersion: policy.linkerd.io/v1alpha1
|
||||
kind: Server
|
||||
metadata:
|
||||
namespace: linkerd-jaeger
|
||||
name: collector-zipkin
|
||||
labels:
|
||||
linkerd.io/extension: jaeger
|
||||
component: collector
|
||||
annotations:
|
||||
linkerd.io/created-by: linkerd/helm dev-undefined
|
||||
spec:
|
||||
podSelector:
|
||||
matchLabels:
|
||||
component: collector
|
||||
port: 9411
|
||||
---
|
||||
apiVersion: policy.linkerd.io/v1alpha1
|
||||
kind: Server
|
||||
metadata:
|
||||
namespace: linkerd-jaeger
|
||||
name: collector-jaeger-thrift
|
||||
labels:
|
||||
linkerd.io/extension: jaeger
|
||||
component: collector
|
||||
annotations:
|
||||
linkerd.io/created-by: linkerd/helm dev-undefined
|
||||
spec:
|
||||
podSelector:
|
||||
matchLabels:
|
||||
component: collector
|
||||
port: 14268
|
||||
---
|
||||
apiVersion: policy.linkerd.io/v1alpha1
|
||||
kind: Server
|
||||
metadata:
|
||||
namespace: linkerd-jaeger
|
||||
name: collector-jaeger-grpc
|
||||
labels:
|
||||
linkerd.io/extension: jaeger
|
||||
component: collector
|
||||
annotations:
|
||||
linkerd.io/created-by: linkerd/helm dev-undefined
|
||||
spec:
|
||||
podSelector:
|
||||
matchLabels:
|
||||
component: collector
|
||||
port: 14250
|
||||
---
|
||||
apiVersion: policy.linkerd.io/v1alpha1
|
||||
kind: Server
|
||||
metadata:
|
||||
namespace: linkerd-jaeger
|
||||
name: collector-admin
|
||||
labels:
|
||||
linkerd.io/extension: jaeger
|
||||
component: collector
|
||||
annotations:
|
||||
linkerd.io/created-by: linkerd/helm dev-undefined
|
||||
spec:
|
||||
podSelector:
|
||||
matchLabels:
|
||||
component: collector
|
||||
port: 13133
|
||||
proxyProtocol: HTTP/1
|
||||
---
|
||||
apiVersion: policy.linkerd.io/v1alpha1
|
||||
kind: ServerAuthorization
|
||||
metadata:
|
||||
namespace: linkerd-jaeger
|
||||
name: collector
|
||||
labels:
|
||||
linkerd.io/extension: jaeger
|
||||
component: collector
|
||||
annotations:
|
||||
linkerd.io/created-by: linkerd/helm dev-undefined
|
||||
spec:
|
||||
server:
|
||||
selector:
|
||||
matchLabels:
|
||||
linkerd.io/extension: jaeger
|
||||
component: collector
|
||||
client:
|
||||
# allow connections from any pod (meshed or not) sending trace data
|
||||
unauthenticated: true
|
||||
|
|
|
|||
|
|
@ -0,0 +1,34 @@
|
|||
---
|
||||
apiVersion: policy.linkerd.io/v1alpha1
|
||||
kind: Server
|
||||
metadata:
|
||||
namespace: {{.Values.namespace}}
|
||||
name: service-mirror
|
||||
labels:
|
||||
linkerd.io/control-plane-component: linkerd-service-mirror
|
||||
spec:
|
||||
podSelector:
|
||||
matchLabels:
|
||||
linkerd.io/control-plane-component: linkerd-service-mirror
|
||||
port: admin-http
|
||||
proxyProtocol: HTTP/1
|
||||
---
|
||||
apiVersion: policy.linkerd.io/v1alpha1
|
||||
kind: ServerAuthorization
|
||||
metadata:
|
||||
namespace: {{.Values.namespace}}
|
||||
name: service-mirror
|
||||
labels:
|
||||
linkerd.io/control-plane-component: linkerd-service-mirror
|
||||
spec:
|
||||
server:
|
||||
name: service-mirror
|
||||
client:
|
||||
# In order to use `linkerd mc gateways` you need viz' Prometheus instance
|
||||
# to be able to reach the service-mirror. In order to also have a separate
|
||||
# Prometheus scrape the service-mirror an additional ServerAuthorization
|
||||
# resource should be created.
|
||||
meshTLS:
|
||||
serviceAccounts:
|
||||
- name: prometheus
|
||||
namespace: linkerd-viz
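Review bot: The `meshTLS.serviceAccounts` entry that closes this ServerAuthorization hard-codes `prometheus` in `linkerd-viz`, so a viz extension installed under another namespace would be denied access to the service-mirror admin port. Take the namespace from a chart value, or state the assumption in the comment above `meshTLS`. Both objects are named plain `service-mirror`, whereas the other link resources in this chart carry a `-{{.Values.targetClusterName}}` suffix, so two links in one namespace would presumably share these policy objects, and removing one link would remove them for both. As far as the rendered hunks show, they also lack the `linkerd.io/extension: multicluster` label and the created-by annotation that the other new policy templates set.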
|
||||
|
|
@ -4,6 +4,7 @@ apiVersion: rbac.authorization.k8s.io/v1
|
|||
metadata:
|
||||
name: linkerd-service-mirror-access-local-resources-{{.Values.targetClusterName}}
|
||||
labels:
|
||||
linkerd.io/extension: multicluster
|
||||
linkerd.io/control-plane-component: service-mirror
|
||||
mirror.linkerd.io/cluster-name: {{.Values.targetClusterName}}
|
||||
rules:
|
||||
|
|
@ -19,6 +20,7 @@ apiVersion: rbac.authorization.k8s.io/v1
|
|||
metadata:
|
||||
name: linkerd-service-mirror-access-local-resources-{{.Values.targetClusterName}}
|
||||
labels:
|
||||
linkerd.io/extension: multicluster
|
||||
linkerd.io/control-plane-component: service-mirror
|
||||
mirror.linkerd.io/cluster-name: {{.Values.targetClusterName}}
|
||||
roleRef:
|
||||
|
|
@ -36,6 +38,7 @@ metadata:
|
|||
name: linkerd-service-mirror-read-remote-creds-{{.Values.targetClusterName}}
|
||||
namespace: {{.Values.namespace}}
|
||||
labels:
|
||||
linkerd.io/extension: multicluster
|
||||
linkerd.io/control-plane-component: service-mirror
|
||||
mirror.linkerd.io/cluster-name: {{.Values.targetClusterName}}
|
||||
rules:
|
||||
|
|
@ -53,6 +56,7 @@ metadata:
|
|||
name: linkerd-service-mirror-read-remote-creds-{{.Values.targetClusterName}}
|
||||
namespace: {{.Values.namespace}}
|
||||
labels:
|
||||
linkerd.io/extension: multicluster
|
||||
linkerd.io/control-plane-component: service-mirror
|
||||
mirror.linkerd.io/cluster-name: {{.Values.targetClusterName}}
|
||||
roleRef:
|
||||
|
|
@ -70,6 +74,7 @@ metadata:
|
|||
name: linkerd-service-mirror-{{.Values.targetClusterName}}
|
||||
namespace: {{.Values.namespace}}
|
||||
labels:
|
||||
linkerd.io/extension: multicluster
|
||||
linkerd.io/control-plane-component: service-mirror
|
||||
mirror.linkerd.io/cluster-name: {{.Values.targetClusterName}}
|
||||
---
|
||||
|
|
@ -77,6 +82,7 @@ apiVersion: apps/v1
|
|||
kind: Deployment
|
||||
metadata:
|
||||
labels:
|
||||
linkerd.io/extension: multicluster
|
||||
linkerd.io/control-plane-component: service-mirror
|
||||
mirror.linkerd.io/cluster-name: {{.Values.targetClusterName}}
|
||||
name: linkerd-service-mirror-{{.Values.targetClusterName}}
|
||||
|
|
@ -85,6 +91,7 @@ spec:
|
|||
replicas: 1
|
||||
selector:
|
||||
matchLabels:
|
||||
linkerd.io/extension: multicluster
|
||||
linkerd.io/control-plane-component: linkerd-service-mirror
|
||||
mirror.linkerd.io/cluster-name: {{.Values.targetClusterName}}
|
||||
template:
|
||||
|
|
@ -92,6 +99,7 @@ spec:
|
|||
annotations:
|
||||
linkerd.io/inject: enabled
|
||||
labels:
|
||||
linkerd.io/extension: multicluster
|
||||
linkerd.io/control-plane-component: linkerd-service-mirror
|
||||
mirror.linkerd.io/cluster-name: {{.Values.targetClusterName}}
|
||||
spec:
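Review bot: The `@ -85,6 +91,7 @@` hunk appears to add `linkerd.io/extension: multicluster` under the Deployment's `spec.selector.matchLabels`; the rendered page has lost the +/- column, so this is inferred from the 6-to-7 line count. `spec.selector` is immutable on `apps/v1` Deployments, so applying this manifest over an existing link would be rejected unless the Deployment is deleted first. Adding the label only under `template.metadata.labels` (the `@ -92,6 +99,7 @@` hunk) is enough for the new `Server` pod selectors to match. The same concern applies to the gateway Deployment selector in the `@ -18,6 +18,7 @@` hunk of the gateway template further down.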
|
||||
|
|
|
|||
|
|
@ -0,0 +1,66 @@
|
|||
{{if .Values.gateway.enabled -}}
|
||||
---
|
||||
apiVersion: policy.linkerd.io/v1alpha1
|
||||
kind: Server
|
||||
metadata:
|
||||
namespace: {{.Values.namespace}}
|
||||
name: linkerd-gateway
|
||||
labels:
|
||||
linkerd.io/extension: multicluster
|
||||
app: {{.Values.gateway.name}}
|
||||
annotations:
|
||||
{{ include "partials.annotations.created-by" . }}
|
||||
spec:
|
||||
podSelector:
|
||||
matchLabels:
|
||||
app: {{.Values.gateway.name}}
|
||||
port: linkerd-proxy
|
||||
proxyProtocol: HTTP/1
|
||||
---
|
||||
apiVersion: policy.linkerd.io/v1alpha1
|
||||
kind: ServerAuthorization
|
||||
metadata:
|
||||
namespace: {{.Values.namespace}}
|
||||
name: linkerd-gateway
|
||||
labels:
|
||||
linkerd.io/extension: multicluster
|
||||
app: {{.Values.gateway.name}}
|
||||
annotations:
|
||||
{{ include "partials.annotations.created-by" . }}
|
||||
spec:
|
||||
server:
|
||||
name: linkerd-gateway
|
||||
client:
|
||||
meshTLS:
|
||||
identities:
|
||||
- '*'
|
||||
networks:
|
||||
# Change this to the source cluster cidrs pointing to this gateway.
|
||||
# Note that the source IP in some providers (e.g. GKE) will be the local
|
||||
# node's IP and not the source cluster's
|
||||
- cidr: 0.0.0.0/0
|
||||
- cidr: ::/0
|
||||
---
|
||||
apiVersion: policy.linkerd.io/v1alpha1
|
||||
kind: ServerAuthorization
|
||||
metadata:
|
||||
namespace: {{.Values.namespace}}
|
||||
name: linkerd-gateway-probe
|
||||
labels:
|
||||
linkerd.io/extension: multicluster
|
||||
app: {{.Values.gateway.name}}
|
||||
annotations:
|
||||
{{ include "partials.annotations.created-by" . }}
|
||||
spec:
|
||||
server:
|
||||
name: proxy-admin
|
||||
client:
|
||||
# allows probes from outside the cluster, as long as they have an identity
|
||||
meshTLS:
|
||||
identities:
|
||||
- '*'
|
||||
networks:
|
||||
# cf note for linkerd-gateway ServerAuthorization
|
||||
- cidr: 0.0.0.0/0
|
||||
- cidr: ::/0
|
||||
{{end -}}
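Review bot: The `networks` lists in both ServerAuthorizations are fixed at `0.0.0.0/0` and `::/0`, and the comment asking operators to change them points at a template line that cannot be set through chart values. Combined with `identities: ['*']`, this admits any client presenting a valid mesh identity, from any address. Render the CIDRs from a chart value that defaults to the current pair, so that narrowing them survives upgrades. `linkerd-gateway-probe` also binds to the `proxy-admin` Server, which is defined in a different template; a one-line comment next to `name: proxy-admin` would make that cross-file dependency visible.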
|
||||
|
|
@ -18,6 +18,7 @@ spec:
|
|||
replicas: 1
|
||||
selector:
|
||||
matchLabels:
|
||||
linkerd.io/extension: multicluster
|
||||
app: {{.Values.gateway.name}}
|
||||
template:
|
||||
metadata:
|
||||
|
|
@ -27,6 +28,7 @@ spec:
|
|||
config.linkerd.io/proxy-require-identity-inbound-ports: "{{.Values.gateway.port}}"
|
||||
config.linkerd.io/enable-gateway: "true"
|
||||
labels:
|
||||
linkerd.io/extension: multicluster
|
||||
app: {{.Values.gateway.name}}
|
||||
spec:
|
||||
containers:
|
||||
|
|
|
|||
|
|
@ -0,0 +1,33 @@
|
|||
---
|
||||
apiVersion: policy.linkerd.io/v1alpha1
|
||||
kind: Server
|
||||
metadata:
|
||||
namespace: {{.Values.namespace}}
|
||||
name: proxy-admin
|
||||
labels:
|
||||
linkerd.io/extension: multicluster
|
||||
annotations:
|
||||
{{ include "partials.annotations.created-by" . }}
|
||||
spec:
|
||||
podSelector:
|
||||
matchLabels:
|
||||
linkerd.io/extension: multicluster
|
||||
port: linkerd-admin
|
||||
proxyProtocol: HTTP/1
|
||||
---
|
||||
apiVersion: policy.linkerd.io/v1alpha1
|
||||
kind: ServerAuthorization
|
||||
metadata:
|
||||
namespace: {{.Values.namespace}}
|
||||
name: proxy-admin
|
||||
labels:
|
||||
linkerd.io/extension: multicluster
|
||||
annotations:
|
||||
{{ include "partials.annotations.created-by" . }}
|
||||
spec:
|
||||
server:
|
||||
name: proxy-admin
|
||||
client:
|
||||
# for kubelet probes
|
||||
unauthenticated: true
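Review bot: `unauthenticated: true` is given without a `networks` list, so the reach of this authorization depends on whatever default the policy controller applies when the field is omitted. The comment `# for kubelet probes` names only the intended client, but the rule admits any unmeshed client in that default range to the `linkerd-admin` port of every pod labelled `linkerd.io/extension: multicluster`. I would extend the comment to say so, e.g. `# kubelet probes are unmeshed, so this admits any client in the default networks`, or list the node CIDRs explicitly if they can be known at install time. The same pattern recurs in the viz `admin` and `proxy-admin` policy templates and in the smoke-test fixture later in this commit.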
|
||||
|
||||
|
|
@ -85,6 +85,8 @@ A full list of configurable values can be found at https://github.com/linkerd/li
|
|||
{Name: chartutil.ChartfileName},
|
||||
{Name: "templates/namespace.yaml"},
|
||||
{Name: "templates/gateway.yaml"},
|
||||
{Name: "templates/proxy-admin-policy.yaml"},
|
||||
{Name: "templates/gateway-policy.yaml"},
|
||||
{Name: "templates/psp.yaml"},
|
||||
{Name: "templates/remote-access-service-mirror-rbac.yaml"},
|
||||
{Name: "templates/link-crd.yaml"},
|
||||
|
|
|
|||
|
|
@ -259,6 +259,7 @@ A full list of configurable values can be found at https://github.com/linkerd/li
|
|||
files := []*chartloader.BufferedFile{
|
||||
{Name: chartutil.ChartfileName},
|
||||
{Name: "templates/service-mirror.yaml"},
|
||||
{Name: "templates/service-mirror-policy.yaml"},
|
||||
{Name: "templates/psp.yaml"},
|
||||
{Name: "templates/gateway-mirror.yaml"},
|
||||
}
|
||||
|
|
|
|||
|
|
@ -1,6 +1,10 @@
|
|||
|
||||
deployment "smoke-test-terminus" injected
|
||||
service "smoke-test-terminus-svc" skipped
|
||||
server "smoke-test-terminus" skipped
|
||||
serverauthorization "smoke-test-terminus" skipped
|
||||
deployment "smoke-test-gateway" injected
|
||||
service "smoke-test-gateway-svc" skipped
|
||||
server "smoke-test-proxy-admin" skipped
|
||||
serverauthorization "smoke-test-proxy-admin" skipped
|
||||
|
||||
|
|
|
|||
|
|
@ -32,6 +32,34 @@ spec:
|
|||
port: 9090
|
||||
targetPort: 9090
|
||||
---
|
||||
apiVersion: policy.linkerd.io/v1alpha1
|
||||
kind: Server
|
||||
metadata:
|
||||
name: smoke-test-terminus
|
||||
spec:
|
||||
podSelector:
|
||||
matchLabels:
|
||||
app: smoke-test-terminus
|
||||
port: 9090
|
||||
proxyProtocol: gRPC
|
||||
---
|
||||
apiVersion: policy.linkerd.io/v1alpha1
|
||||
kind: ServerAuthorization
|
||||
metadata:
|
||||
name: smoke-test-terminus
|
||||
spec:
|
||||
server:
|
||||
name: smoke-test-terminus
|
||||
client:
|
||||
meshTLS:
|
||||
serviceAccounts:
|
||||
- name: default
|
||||
namespace: linkerd-smoke-test
|
||||
- name: default
|
||||
namespace: linkerd-smoke-test-manual
|
||||
- name: default
|
||||
namespace: linkerd-smoke-test-ann
|
||||
---
|
||||
apiVersion: apps/v1
|
||||
kind: Deployment
|
||||
metadata:
|
||||
|
|
@ -64,3 +92,29 @@ spec:
|
|||
- name: http
|
||||
port: 8080
|
||||
targetPort: 8080
|
||||
---
|
||||
apiVersion: policy.linkerd.io/v1alpha1
|
||||
kind: Server
|
||||
metadata:
|
||||
name: smoke-test-proxy-admin
|
||||
spec:
|
||||
podSelector:
|
||||
matchExpressions:
|
||||
- key: app
|
||||
operator: In
|
||||
values:
|
||||
- smoke-test-terminus
|
||||
- smoke-test-gateway
|
||||
port: linkerd-admin
|
||||
proxyProtocol: HTTP/1
|
||||
---
|
||||
apiVersion: policy.linkerd.io/v1alpha1
|
||||
kind: ServerAuthorization
|
||||
metadata:
|
||||
name: smoke-test-proxy-admin
|
||||
spec:
|
||||
server:
|
||||
name: smoke-test-proxy-admin
|
||||
client:
|
||||
# for kubelet probes
|
||||
unauthenticated: true
|
||||
|
|
|
|||
|
|
@ -0,0 +1,33 @@
|
|||
---
|
||||
apiVersion: policy.linkerd.io/v1alpha1
|
||||
kind: Server
|
||||
metadata:
|
||||
namespace: {{.Values.namespace}}
|
||||
name: admin
|
||||
labels:
|
||||
linkerd.io/extension: viz
|
||||
annotations:
|
||||
{{ include "partials.annotations.created-by" . }}
|
||||
spec:
|
||||
podSelector:
|
||||
matchLabels:
|
||||
linkerd.io/extension: viz
|
||||
port: admin-http
|
||||
proxyProtocol: HTTP/1
|
||||
---
|
||||
apiVersion: policy.linkerd.io/v1alpha1
|
||||
kind: ServerAuthorization
|
||||
metadata:
|
||||
namespace: {{.Values.namespace}}
|
||||
name: admin
|
||||
labels:
|
||||
linkerd.io/extension: viz
|
||||
annotations:
|
||||
{{ include "partials.annotations.created-by" . }}
|
||||
spec:
|
||||
server:
|
||||
name: admin
|
||||
client:
|
||||
# for kubelet probes and prometheus scraping
|
||||
unauthenticated: true
|
||||
|
||||
|
|
@ -0,0 +1,37 @@
|
|||
{{ if .Values.grafana.enabled -}}
|
||||
---
|
||||
apiVersion: policy.linkerd.io/v1alpha1
|
||||
kind: Server
|
||||
metadata:
|
||||
namespace: {{.Values.namespace}}
|
||||
name: grafana
|
||||
labels:
|
||||
linkerd.io/extension: viz
|
||||
component: grafana
|
||||
annotations:
|
||||
{{ include "partials.annotations.created-by" . }}
|
||||
spec:
|
||||
podSelector:
|
||||
matchLabels:
|
||||
linkerd.io/extension: viz
|
||||
component: grafana
|
||||
port: http
|
||||
proxyProtocol: HTTP/1
|
||||
---
|
||||
apiVersion: policy.linkerd.io/v1alpha1
|
||||
kind: ServerAuthorization
|
||||
metadata:
|
||||
namespace: {{.Values.namespace}}
|
||||
name: grafana
|
||||
labels:
|
||||
linkerd.io/extension: viz
|
||||
component: grafana
|
||||
annotations:
|
||||
{{ include "partials.annotations.created-by" . }}
|
||||
spec:
|
||||
server:
|
||||
name: grafana
|
||||
client:
|
||||
# web, prometheus and the kubelet probes
|
||||
unauthenticated: true
|
||||
{{ end -}}
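Review bot: The comment `# web, prometheus and the kubelet probes` reads like an allow-list, but `unauthenticated: true` admits any client that can reach the port, not only those three. The commit description explains that Grafana's `http` port doubles as its probe port, so the rule cannot be tighter today. The comment should record that reason, e.g. `# open to all clients: probes share this port with the UI, so web/prometheus cannot be singled out`.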
|
||||
|
|
@ -0,0 +1,37 @@
|
|||
---
|
||||
apiVersion: policy.linkerd.io/v1alpha1
|
||||
kind: Server
|
||||
metadata:
|
||||
namespace: {{.Values.namespace}}
|
||||
name: metrics-api
|
||||
labels:
|
||||
linkerd.io/extension: viz
|
||||
component: metrics-api
|
||||
annotations:
|
||||
{{ include "partials.annotations.created-by" . }}
|
||||
spec:
|
||||
podSelector:
|
||||
matchLabels:
|
||||
linkerd.io/extension: viz
|
||||
component: metrics-api
|
||||
port: http
|
||||
proxyProtocol: HTTP/1
|
||||
---
|
||||
apiVersion: policy.linkerd.io/v1alpha1
|
||||
kind: ServerAuthorization
|
||||
metadata:
|
||||
namespace: {{.Values.namespace}}
|
||||
name: metrics-api
|
||||
labels:
|
||||
linkerd.io/extension: viz
|
||||
component: metrics-api
|
||||
annotations:
|
||||
{{ include "partials.annotations.created-by" . }}
|
||||
spec:
|
||||
server:
|
||||
name: metrics-api
|
||||
client:
|
||||
meshTLS:
|
||||
serviceAccounts:
|
||||
- name: web
|
||||
- name: prometheus
|
||||
|
|
@ -0,0 +1,33 @@
|
|||
---
|
||||
apiVersion: policy.linkerd.io/v1alpha1
|
||||
kind: Server
|
||||
metadata:
|
||||
namespace: {{.Values.namespace}}
|
||||
name: proxy-admin
|
||||
labels:
|
||||
linkerd.io/extension: viz
|
||||
annotations:
|
||||
{{ include "partials.annotations.created-by" . }}
|
||||
spec:
|
||||
podSelector:
|
||||
matchLabels:
|
||||
linkerd.io/extension: viz
|
||||
port: linkerd-admin
|
||||
proxyProtocol: HTTP/1
|
||||
---
|
||||
apiVersion: policy.linkerd.io/v1alpha1
|
||||
kind: ServerAuthorization
|
||||
metadata:
|
||||
namespace: {{.Values.namespace}}
|
||||
name: proxy-admin
|
||||
labels:
|
||||
linkerd.io/extension: viz
|
||||
annotations:
|
||||
{{ include "partials.annotations.created-by" . }}
|
||||
spec:
|
||||
server:
|
||||
name: proxy-admin
|
||||
client:
|
||||
# for kubelet probes
|
||||
unauthenticated: true
|
||||
|
||||
|
|
@ -0,0 +1,35 @@
|
|||
---
|
||||
apiVersion: policy.linkerd.io/v1alpha1
|
||||
kind: Server
|
||||
metadata:
|
||||
namespace: {{.Values.namespace}}
|
||||
name: tap-injector-webhook
|
||||
labels:
|
||||
linkerd.io/extension: viz
|
||||
component: tap-injector
|
||||
annotations:
|
||||
{{ include "partials.annotations.created-by" . }}
|
||||
spec:
|
||||
podSelector:
|
||||
matchLabels:
|
||||
linkerd.io/extension: viz
|
||||
component: tap-injector
|
||||
port: tap-injector
|
||||
proxyProtocol: TLS
|
||||
---
|
||||
apiVersion: policy.linkerd.io/v1alpha1
|
||||
kind: ServerAuthorization
|
||||
metadata:
|
||||
namespace: {{.Values.namespace}}
|
||||
name: tap-injector
|
||||
labels:
|
||||
linkerd.io/extension: viz
|
||||
component: tap-injector
|
||||
annotations:
|
||||
{{ include "partials.annotations.created-by" . }}
|
||||
spec:
|
||||
server:
|
||||
name: tap-injector-webhook
|
||||
client:
|
||||
# traffic coming from kube-api
|
||||
unauthenticated: true
|
||||
|
|
@ -0,0 +1,35 @@
|
|||
---
|
||||
apiVersion: policy.linkerd.io/v1alpha1
|
||||
kind: Server
|
||||
metadata:
|
||||
namespace: {{.Values.namespace}}
|
||||
name: tap-api
|
||||
labels:
|
||||
linkerd.io/extension: viz
|
||||
component: tap
|
||||
annotations:
|
||||
{{ include "partials.annotations.created-by" . }}
|
||||
spec:
|
||||
podSelector:
|
||||
matchLabels:
|
||||
linkerd.io/extension: viz
|
||||
component: tap
|
||||
port: apiserver
|
||||
proxyProtocol: TLS
|
||||
---
|
||||
apiVersion: policy.linkerd.io/v1alpha1
|
||||
kind: ServerAuthorization
|
||||
metadata:
|
||||
namespace: {{.Values.namespace}}
|
||||
name: tap
|
||||
labels:
|
||||
linkerd.io/extension: viz
|
||||
component: tap
|
||||
annotations:
|
||||
{{ include "partials.annotations.created-by" . }}
|
||||
spec:
|
||||
server:
|
||||
name: tap-api
|
||||
client:
|
||||
# traffic coming from kube-api
|
||||
unauthenticated: true
|
||||
|
|
@ -29,12 +29,18 @@ var (
|
|||
"templates/tap-rbac.yaml",
|
||||
"templates/web-rbac.yaml",
|
||||
"templates/psp.yaml",
|
||||
"templates/admin-policy.yaml",
|
||||
"templates/proxy-admin-policy.yaml",
|
||||
"templates/metrics-api.yaml",
|
||||
"templates/metrics-api-policy.yaml",
|
||||
"templates/grafana.yaml",
|
||||
"templates/grafana-policy.yaml",
|
||||
"templates/prometheus.yaml",
|
||||
"templates/tap.yaml",
|
||||
"templates/tap-policy.yaml",
|
||||
"templates/tap-injector-rbac.yaml",
|
||||
"templates/tap-injector.yaml",
|
||||
"templates/tap-injector-policy.yaml",
|
||||
"templates/web.yaml",
|
||||
"templates/service-profiles.yaml",
|
||||
}
|
||||
|
|
|
|||
|
|
@ -392,6 +392,72 @@ metadata:
|
|||
component: web
|
||||
namespace: linkerd-viz
|
||||
---
|
||||
apiVersion: policy.linkerd.io/v1alpha1
|
||||
kind: Server
|
||||
metadata:
|
||||
namespace: linkerd-viz
|
||||
name: admin
|
||||
labels:
|
||||
linkerd.io/extension: viz
|
||||
annotations:
|
||||
linkerd.io/created-by: linkerd/helm dev-undefined
|
||||
spec:
|
||||
podSelector:
|
||||
matchLabels:
|
||||
linkerd.io/extension: viz
|
||||
port: admin-http
|
||||
proxyProtocol: HTTP/1
|
||||
---
|
||||
apiVersion: policy.linkerd.io/v1alpha1
|
||||
kind: ServerAuthorization
|
||||
metadata:
|
||||
namespace: linkerd-viz
|
||||
name: admin
|
||||
labels:
|
||||
linkerd.io/extension: viz
|
||||
annotations:
|
||||
linkerd.io/created-by: linkerd/helm dev-undefined
|
||||
spec:
|
||||
server:
|
||||
name: admin
|
||||
client:
|
||||
# for kubelet probes and prometheus scraping
|
||||
unauthenticated: true
|
||||
|
||||
---
|
||||
apiVersion: policy.linkerd.io/v1alpha1
|
||||
kind: Server
|
||||
metadata:
|
||||
namespace: linkerd-viz
|
||||
name: proxy-admin
|
||||
labels:
|
||||
linkerd.io/extension: viz
|
||||
annotations:
|
||||
linkerd.io/created-by: linkerd/helm dev-undefined
|
||||
spec:
|
||||
podSelector:
|
||||
matchLabels:
|
||||
linkerd.io/extension: viz
|
||||
port: linkerd-admin
|
||||
proxyProtocol: HTTP/1
|
||||
---
|
||||
apiVersion: policy.linkerd.io/v1alpha1
|
||||
kind: ServerAuthorization
|
||||
metadata:
|
||||
namespace: linkerd-viz
|
||||
name: proxy-admin
|
||||
labels:
|
||||
linkerd.io/extension: viz
|
||||
annotations:
|
||||
linkerd.io/created-by: linkerd/helm dev-undefined
|
||||
spec:
|
||||
server:
|
||||
name: proxy-admin
|
||||
client:
|
||||
# for kubelet probes
|
||||
unauthenticated: true
|
||||
|
||||
---
|
||||
###
|
||||
### Metrics API
|
||||
###
|
||||
|
|
@ -474,6 +540,43 @@ spec:
|
|||
runAsUser: 2103
|
||||
serviceAccountName: metrics-api
|
||||
---
|
||||
apiVersion: policy.linkerd.io/v1alpha1
|
||||
kind: Server
|
||||
metadata:
|
||||
namespace: linkerd-viz
|
||||
name: metrics-api
|
||||
labels:
|
||||
linkerd.io/extension: viz
|
||||
component: metrics-api
|
||||
annotations:
|
||||
linkerd.io/created-by: linkerd/helm dev-undefined
|
||||
spec:
|
||||
podSelector:
|
||||
matchLabels:
|
||||
linkerd.io/extension: viz
|
||||
component: metrics-api
|
||||
port: http
|
||||
proxyProtocol: HTTP/1
|
||||
---
|
||||
apiVersion: policy.linkerd.io/v1alpha1
|
||||
kind: ServerAuthorization
|
||||
metadata:
|
||||
namespace: linkerd-viz
|
||||
name: metrics-api
|
||||
labels:
|
||||
linkerd.io/extension: viz
|
||||
component: metrics-api
|
||||
annotations:
|
||||
linkerd.io/created-by: linkerd/helm dev-undefined
|
||||
spec:
|
||||
server:
|
||||
name: metrics-api
|
||||
client:
|
||||
meshTLS:
|
||||
serviceAccounts:
|
||||
- name: web
|
||||
- name: prometheus
|
||||
---
|
||||
###
|
||||
### Grafana
|
||||
###
|
||||
|
|
@ -631,6 +734,41 @@ spec:
|
|||
name: grafana-config
|
||||
name: grafana-config
|
||||
---
|
||||
apiVersion: policy.linkerd.io/v1alpha1
|
||||
kind: Server
|
||||
metadata:
|
||||
namespace: linkerd-viz
|
||||
name: grafana
|
||||
labels:
|
||||
linkerd.io/extension: viz
|
||||
component: grafana
|
||||
annotations:
|
||||
linkerd.io/created-by: linkerd/helm dev-undefined
|
||||
spec:
|
||||
podSelector:
|
||||
matchLabels:
|
||||
linkerd.io/extension: viz
|
||||
component: grafana
|
||||
port: http
|
||||
proxyProtocol: HTTP/1
|
||||
---
|
||||
apiVersion: policy.linkerd.io/v1alpha1
|
||||
kind: ServerAuthorization
|
||||
metadata:
|
||||
namespace: linkerd-viz
|
||||
name: grafana
|
||||
labels:
|
||||
linkerd.io/extension: viz
|
||||
component: grafana
|
||||
annotations:
|
||||
linkerd.io/created-by: linkerd/helm dev-undefined
|
||||
spec:
|
||||
server:
|
||||
name: grafana
|
||||
client:
|
||||
# web, prometheus and the kubelet probes
|
||||
unauthenticated: true
|
||||
---
|
||||
###
|
||||
### Prometheus
|
||||
###
|
||||
|
|
@ -977,6 +1115,41 @@ spec:
|
|||
secret:
|
||||
secretName: tap-k8s-tls
|
||||
---
|
||||
apiVersion: policy.linkerd.io/v1alpha1
|
||||
kind: Server
|
||||
metadata:
|
||||
namespace: linkerd-viz
|
||||
name: tap-api
|
||||
labels:
|
||||
linkerd.io/extension: viz
|
||||
component: tap
|
||||
annotations:
|
||||
linkerd.io/created-by: linkerd/helm dev-undefined
|
||||
spec:
|
||||
podSelector:
|
||||
matchLabels:
|
||||
linkerd.io/extension: viz
|
||||
component: tap
|
||||
port: apiserver
|
||||
proxyProtocol: TLS
|
||||
---
|
||||
apiVersion: policy.linkerd.io/v1alpha1
|
||||
kind: ServerAuthorization
|
||||
metadata:
|
||||
namespace: linkerd-viz
|
||||
name: tap
|
||||
labels:
|
||||
linkerd.io/extension: viz
|
||||
component: tap
|
||||
annotations:
|
||||
linkerd.io/created-by: linkerd/helm dev-undefined
|
||||
spec:
|
||||
server:
|
||||
name: tap-api
|
||||
client:
|
||||
# traffic coming from kube-api
|
||||
unauthenticated: true
|
||||
---
|
||||
###
|
||||
### Tap Injector RBAC
|
||||
###
|
||||
|
|
@ -1137,6 +1310,41 @@ spec:
|
|||
secret:
|
||||
secretName: tap-injector-k8s-tls
|
||||
---
|
||||
apiVersion: policy.linkerd.io/v1alpha1
|
||||
kind: Server
|
||||
metadata:
|
||||
namespace: linkerd-viz
|
||||
name: tap-injector-webhook
|
||||
labels:
|
||||
linkerd.io/extension: viz
|
||||
component: tap-injector
|
||||
annotations:
|
||||
linkerd.io/created-by: linkerd/helm dev-undefined
|
||||
spec:
|
||||
podSelector:
|
||||
matchLabels:
|
||||
linkerd.io/extension: viz
|
||||
component: tap-injector
|
||||
port: tap-injector
|
||||
proxyProtocol: TLS
|
||||
---
|
||||
apiVersion: policy.linkerd.io/v1alpha1
|
||||
kind: ServerAuthorization
|
||||
metadata:
|
||||
namespace: linkerd-viz
|
||||
name: tap-injector
|
||||
labels:
|
||||
linkerd.io/extension: viz
|
||||
component: tap-injector
|
||||
annotations:
|
||||
linkerd.io/created-by: linkerd/helm dev-undefined
|
||||
spec:
|
||||
server:
|
||||
name: tap-injector-webhook
|
||||
client:
|
||||
# traffic coming from kube-api
|
||||
unauthenticated: true
|
||||
---
|
||||
###
|
||||
### Web
|
||||
###
|
||||
|
|
|
|||
|
|
@ -392,6 +392,72 @@ metadata:
|
|||
component: web
|
||||
namespace: linkerd-viz
|
||||
---
|
||||
apiVersion: policy.linkerd.io/v1alpha1
|
||||
kind: Server
|
||||
metadata:
|
||||
namespace: linkerd-viz
|
||||
name: admin
|
||||
labels:
|
||||
linkerd.io/extension: viz
|
||||
annotations:
|
||||
linkerd.io/created-by: linkerd/helm dev-undefined
|
||||
spec:
|
||||
podSelector:
|
||||
matchLabels:
|
||||
linkerd.io/extension: viz
|
||||
port: admin-http
|
||||
proxyProtocol: HTTP/1
|
||||
---
|
||||
apiVersion: policy.linkerd.io/v1alpha1
|
||||
kind: ServerAuthorization
|
||||
metadata:
|
||||
namespace: linkerd-viz
|
||||
name: admin
|
||||
labels:
|
||||
linkerd.io/extension: viz
|
||||
annotations:
|
||||
linkerd.io/created-by: linkerd/helm dev-undefined
|
||||
spec:
|
||||
server:
|
||||
name: admin
|
||||
client:
|
||||
# for kubelet probes and prometheus scraping
|
||||
unauthenticated: true
|
||||
|
||||
---
|
||||
apiVersion: policy.linkerd.io/v1alpha1
|
||||
kind: Server
|
||||
metadata:
|
||||
namespace: linkerd-viz
|
||||
name: proxy-admin
|
||||
labels:
|
||||
linkerd.io/extension: viz
|
||||
annotations:
|
||||
linkerd.io/created-by: linkerd/helm dev-undefined
|
||||
spec:
|
||||
podSelector:
|
||||
matchLabels:
|
||||
linkerd.io/extension: viz
|
||||
port: linkerd-admin
|
||||
proxyProtocol: HTTP/1
|
||||
---
|
||||
apiVersion: policy.linkerd.io/v1alpha1
|
||||
kind: ServerAuthorization
|
||||
metadata:
|
||||
namespace: linkerd-viz
|
||||
name: proxy-admin
|
||||
labels:
|
||||
linkerd.io/extension: viz
|
||||
annotations:
|
||||
linkerd.io/created-by: linkerd/helm dev-undefined
|
||||
spec:
|
||||
server:
|
||||
name: proxy-admin
|
||||
client:
|
||||
# for kubelet probes
|
||||
unauthenticated: true
|
||||
|
||||
---
|
||||
###
|
||||
### Metrics API
|
||||
###
|
||||
|
|
@ -474,6 +540,43 @@ spec:
|
|||
runAsUser: 1234
|
||||
serviceAccountName: metrics-api
|
||||
---
|
||||
apiVersion: policy.linkerd.io/v1alpha1
|
||||
kind: Server
|
||||
metadata:
|
||||
namespace: linkerd-viz
|
||||
name: metrics-api
|
||||
labels:
|
||||
linkerd.io/extension: viz
|
||||
component: metrics-api
|
||||
annotations:
|
||||
linkerd.io/created-by: linkerd/helm dev-undefined
|
||||
spec:
|
||||
podSelector:
|
||||
matchLabels:
|
||||
linkerd.io/extension: viz
|
||||
component: metrics-api
|
||||
port: http
|
||||
proxyProtocol: HTTP/1
|
||||
---
|
||||
apiVersion: policy.linkerd.io/v1alpha1
|
||||
kind: ServerAuthorization
|
||||
metadata:
|
||||
namespace: linkerd-viz
|
||||
name: metrics-api
|
||||
labels:
|
||||
linkerd.io/extension: viz
|
||||
component: metrics-api
|
||||
annotations:
|
||||
linkerd.io/created-by: linkerd/helm dev-undefined
|
||||
spec:
|
||||
server:
|
||||
name: metrics-api
|
||||
client:
|
||||
meshTLS:
|
||||
serviceAccounts:
|
||||
- name: web
|
||||
- name: prometheus
|
||||
---
|
||||
###
|
||||
### Grafana
|
||||
###
|
||||
|
|
@ -631,6 +734,41 @@ spec:
|
|||
name: grafana-config
|
||||
name: grafana-config
|
||||
---
|
||||
apiVersion: policy.linkerd.io/v1alpha1
|
||||
kind: Server
|
||||
metadata:
|
||||
namespace: linkerd-viz
|
||||
name: grafana
|
||||
labels:
|
||||
linkerd.io/extension: viz
|
||||
component: grafana
|
||||
annotations:
|
||||
linkerd.io/created-by: linkerd/helm dev-undefined
|
||||
spec:
|
||||
podSelector:
|
||||
matchLabels:
|
||||
linkerd.io/extension: viz
|
||||
component: grafana
|
||||
port: http
|
||||
proxyProtocol: HTTP/1
|
||||
---
|
||||
apiVersion: policy.linkerd.io/v1alpha1
|
||||
kind: ServerAuthorization
|
||||
metadata:
|
||||
namespace: linkerd-viz
|
||||
name: grafana
|
||||
labels:
|
||||
linkerd.io/extension: viz
|
||||
component: grafana
|
||||
annotations:
|
||||
linkerd.io/created-by: linkerd/helm dev-undefined
|
||||
spec:
|
||||
server:
|
||||
name: grafana
|
||||
client:
|
||||
# web, prometheus and the kubelet probes
|
||||
unauthenticated: true
|
||||
---
|
||||
###
|
||||
### Prometheus
|
||||
###
|
||||
|
|
@ -977,6 +1115,41 @@ spec:
|
|||
secret:
|
||||
secretName: tap-k8s-tls
|
||||
---
|
||||
apiVersion: policy.linkerd.io/v1alpha1
|
||||
kind: Server
|
||||
metadata:
|
||||
namespace: linkerd-viz
|
||||
name: tap-api
|
||||
labels:
|
||||
linkerd.io/extension: viz
|
||||
component: tap
|
||||
annotations:
|
||||
linkerd.io/created-by: linkerd/helm dev-undefined
|
||||
spec:
|
||||
podSelector:
|
||||
matchLabels:
|
||||
linkerd.io/extension: viz
|
||||
component: tap
|
||||
port: apiserver
|
||||
proxyProtocol: TLS
|
||||
---
|
||||
apiVersion: policy.linkerd.io/v1alpha1
|
||||
kind: ServerAuthorization
|
||||
metadata:
|
||||
namespace: linkerd-viz
|
||||
name: tap
|
||||
labels:
|
||||
linkerd.io/extension: viz
|
||||
component: tap
|
||||
annotations:
|
||||
linkerd.io/created-by: linkerd/helm dev-undefined
|
||||
spec:
|
||||
server:
|
||||
name: tap-api
|
||||
client:
|
||||
# traffic coming from kube-api
|
||||
unauthenticated: true
|
||||
---
|
||||
###
|
||||
### Tap Injector RBAC
|
||||
###
|
||||
|
|
@ -1137,6 +1310,41 @@ spec:
|
|||
secret:
|
||||
secretName: tap-injector-k8s-tls
|
||||
---
|
||||
apiVersion: policy.linkerd.io/v1alpha1
|
||||
kind: Server
|
||||
metadata:
|
||||
namespace: linkerd-viz
|
||||
name: tap-injector-webhook
|
||||
labels:
|
||||
linkerd.io/extension: viz
|
||||
component: tap-injector
|
||||
annotations:
|
||||
linkerd.io/created-by: linkerd/helm dev-undefined
|
||||
spec:
|
||||
podSelector:
|
||||
matchLabels:
|
||||
linkerd.io/extension: viz
|
||||
component: tap-injector
|
||||
port: tap-injector
|
||||
proxyProtocol: TLS
|
||||
---
|
||||
apiVersion: policy.linkerd.io/v1alpha1
|
||||
kind: ServerAuthorization
|
||||
metadata:
|
||||
namespace: linkerd-viz
|
||||
name: tap-injector
|
||||
labels:
|
||||
linkerd.io/extension: viz
|
||||
component: tap-injector
|
||||
annotations:
|
||||
linkerd.io/created-by: linkerd/helm dev-undefined
|
||||
spec:
|
||||
server:
|
||||
name: tap-injector-webhook
|
||||
client:
|
||||
# traffic coming from kube-api
|
||||
unauthenticated: true
|
||||
---
|
||||
###
|
||||
### Web
|
||||
###
|
||||
|
|
|
|||
|
|
@ -379,6 +379,72 @@ metadata:
|
|||
component: web
|
||||
namespace: linkerd-viz
|
||||
---
|
||||
apiVersion: policy.linkerd.io/v1alpha1
|
||||
kind: Server
|
||||
metadata:
|
||||
namespace: linkerd-viz
|
||||
name: admin
|
||||
labels:
|
||||
linkerd.io/extension: viz
|
||||
annotations:
|
||||
linkerd.io/created-by: linkerd/helm dev-undefined
|
||||
spec:
|
||||
podSelector:
|
||||
matchLabels:
|
||||
linkerd.io/extension: viz
|
||||
port: admin-http
|
||||
proxyProtocol: HTTP/1
|
||||
---
|
||||
apiVersion: policy.linkerd.io/v1alpha1
|
||||
kind: ServerAuthorization
|
||||
metadata:
|
||||
namespace: linkerd-viz
|
||||
name: admin
|
||||
labels:
|
||||
linkerd.io/extension: viz
|
||||
annotations:
|
||||
linkerd.io/created-by: linkerd/helm dev-undefined
|
||||
spec:
|
||||
server:
|
||||
name: admin
|
||||
client:
|
||||
# for kubelet probes and prometheus scraping
|
||||
unauthenticated: true
|
||||
|
||||
---
|
||||
apiVersion: policy.linkerd.io/v1alpha1
|
||||
kind: Server
|
||||
metadata:
|
||||
namespace: linkerd-viz
|
||||
name: proxy-admin
|
||||
labels:
|
||||
linkerd.io/extension: viz
|
||||
annotations:
|
||||
linkerd.io/created-by: linkerd/helm dev-undefined
|
||||
spec:
|
||||
podSelector:
|
||||
matchLabels:
|
||||
linkerd.io/extension: viz
|
||||
port: linkerd-admin
|
||||
proxyProtocol: HTTP/1
|
||||
---
|
||||
apiVersion: policy.linkerd.io/v1alpha1
|
||||
kind: ServerAuthorization
|
||||
metadata:
|
||||
namespace: linkerd-viz
|
||||
name: proxy-admin
|
||||
labels:
|
||||
linkerd.io/extension: viz
|
||||
annotations:
|
||||
linkerd.io/created-by: linkerd/helm dev-undefined
|
||||
spec:
|
||||
server:
|
||||
name: proxy-admin
|
||||
client:
|
||||
# for kubelet probes
|
||||
unauthenticated: true
|
||||
|
||||
---
|
||||
###
|
||||
### Metrics API
|
||||
###
|
||||
|
|
@ -461,6 +527,43 @@ spec:
|
|||
runAsUser: 2103
|
||||
serviceAccountName: metrics-api
|
||||
---
|
||||
apiVersion: policy.linkerd.io/v1alpha1
|
||||
kind: Server
|
||||
metadata:
|
||||
namespace: linkerd-viz
|
||||
name: metrics-api
|
||||
labels:
|
||||
linkerd.io/extension: viz
|
||||
component: metrics-api
|
||||
annotations:
|
||||
linkerd.io/created-by: linkerd/helm dev-undefined
|
||||
spec:
|
||||
podSelector:
|
||||
matchLabels:
|
||||
linkerd.io/extension: viz
|
||||
component: metrics-api
|
||||
port: http
|
||||
proxyProtocol: HTTP/1
|
||||
---
|
||||
apiVersion: policy.linkerd.io/v1alpha1
|
||||
kind: ServerAuthorization
|
||||
metadata:
|
||||
namespace: linkerd-viz
|
||||
name: metrics-api
|
||||
labels:
|
||||
linkerd.io/extension: viz
|
||||
component: metrics-api
|
||||
annotations:
|
||||
linkerd.io/created-by: linkerd/helm dev-undefined
|
||||
spec:
|
||||
server:
|
||||
name: metrics-api
|
||||
client:
|
||||
meshTLS:
|
||||
serviceAccounts:
|
||||
- name: web
|
||||
- name: prometheus
|
||||
---
|
||||
###
|
||||
### Prometheus
|
||||
###
|
||||
|
|
@ -798,6 +901,41 @@ spec:
|
|||
secret:
|
||||
secretName: tap-k8s-tls
|
||||
---
|
||||
apiVersion: policy.linkerd.io/v1alpha1
|
||||
kind: Server
|
||||
metadata:
|
||||
namespace: linkerd-viz
|
||||
name: tap-api
|
||||
labels:
|
||||
linkerd.io/extension: viz
|
||||
component: tap
|
||||
annotations:
|
||||
linkerd.io/created-by: linkerd/helm dev-undefined
|
||||
spec:
|
||||
podSelector:
|
||||
matchLabels:
|
||||
linkerd.io/extension: viz
|
||||
component: tap
|
||||
port: apiserver
|
||||
proxyProtocol: TLS
|
||||
---
|
||||
apiVersion: policy.linkerd.io/v1alpha1
|
||||
kind: ServerAuthorization
|
||||
metadata:
|
||||
namespace: linkerd-viz
|
||||
name: tap
|
||||
labels:
|
||||
linkerd.io/extension: viz
|
||||
component: tap
|
||||
annotations:
|
||||
linkerd.io/created-by: linkerd/helm dev-undefined
|
||||
spec:
|
||||
server:
|
||||
name: tap-api
|
||||
client:
|
||||
# traffic coming from kube-api
|
||||
unauthenticated: true
|
||||
---
|
||||
###
|
||||
### Tap Injector RBAC
|
||||
###
|
||||
|
|
@ -958,6 +1096,41 @@ spec:
|
|||
secret:
|
||||
secretName: tap-injector-k8s-tls
|
||||
---
|
||||
apiVersion: policy.linkerd.io/v1alpha1
|
||||
kind: Server
|
||||
metadata:
|
||||
namespace: linkerd-viz
|
||||
name: tap-injector-webhook
|
||||
labels:
|
||||
linkerd.io/extension: viz
|
||||
component: tap-injector
|
||||
annotations:
|
||||
linkerd.io/created-by: linkerd/helm dev-undefined
|
||||
spec:
|
||||
podSelector:
|
||||
matchLabels:
|
||||
linkerd.io/extension: viz
|
||||
component: tap-injector
|
||||
port: tap-injector
|
||||
proxyProtocol: TLS
|
||||
---
|
||||
apiVersion: policy.linkerd.io/v1alpha1
|
||||
kind: ServerAuthorization
|
||||
metadata:
|
||||
namespace: linkerd-viz
|
||||
name: tap-injector
|
||||
labels:
|
||||
linkerd.io/extension: viz
|
||||
component: tap-injector
|
||||
annotations:
|
||||
linkerd.io/created-by: linkerd/helm dev-undefined
|
||||
spec:
|
||||
server:
|
||||
name: tap-injector-webhook
|
||||
client:
|
||||
# traffic coming from kube-api
|
||||
unauthenticated: true
|
||||
---
|
||||
###
|
||||
### Web
|
||||
###
|
||||
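Review bot: In the `tap` and `tap-injector` ServerAuthorization documents, the comment `# traffic coming from kube-api` names the intended caller, but `unauthenticated: true` with no `networks` entry does not limit the rule to that caller, so at the policy layer any client that can reach the `apiserver` and `tap-injector` ports is admitted. If the API server's source range can be supplied as a chart value, a `networks:` list with a `cidr` entry under `client` would narrow this; otherwise the comment should say what is actually enforced, for example `# kube-api is unmeshed: this admits any client, authentication is left to the TLS server behind the proxy`. The two objects are also named differently from their Servers (`tap` vs `tap-api`, `tap-injector` vs `tap-injector-webhook`) while `admin`, `proxy-admin`, `metrics-api` and `grafana` match, which makes the pairing harder to audit. This is rendered golden output and the same documents repeat in the other file sections on this page, so the change belongs in the chart templates.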
|
|
|
|||
|
|
@ -352,6 +352,72 @@ metadata:
|
|||
component: web
|
||||
namespace: linkerd-viz
|
||||
---
|
||||
apiVersion: policy.linkerd.io/v1alpha1
|
||||
kind: Server
|
||||
metadata:
|
||||
namespace: linkerd-viz
|
||||
name: admin
|
||||
labels:
|
||||
linkerd.io/extension: viz
|
||||
annotations:
|
||||
linkerd.io/created-by: linkerd/helm dev-undefined
|
||||
spec:
|
||||
podSelector:
|
||||
matchLabels:
|
||||
linkerd.io/extension: viz
|
||||
port: admin-http
|
||||
proxyProtocol: HTTP/1
|
||||
---
|
||||
apiVersion: policy.linkerd.io/v1alpha1
|
||||
kind: ServerAuthorization
|
||||
metadata:
|
||||
namespace: linkerd-viz
|
||||
name: admin
|
||||
labels:
|
||||
linkerd.io/extension: viz
|
||||
annotations:
|
||||
linkerd.io/created-by: linkerd/helm dev-undefined
|
||||
spec:
|
||||
server:
|
||||
name: admin
|
||||
client:
|
||||
# for kubelet probes and prometheus scraping
|
||||
unauthenticated: true
|
||||
|
||||
---
|
||||
apiVersion: policy.linkerd.io/v1alpha1
|
||||
kind: Server
|
||||
metadata:
|
||||
namespace: linkerd-viz
|
||||
name: proxy-admin
|
||||
labels:
|
||||
linkerd.io/extension: viz
|
||||
annotations:
|
||||
linkerd.io/created-by: linkerd/helm dev-undefined
|
||||
spec:
|
||||
podSelector:
|
||||
matchLabels:
|
||||
linkerd.io/extension: viz
|
||||
port: linkerd-admin
|
||||
proxyProtocol: HTTP/1
|
||||
---
|
||||
apiVersion: policy.linkerd.io/v1alpha1
|
||||
kind: ServerAuthorization
|
||||
metadata:
|
||||
namespace: linkerd-viz
|
||||
name: proxy-admin
|
||||
labels:
|
||||
linkerd.io/extension: viz
|
||||
annotations:
|
||||
linkerd.io/created-by: linkerd/helm dev-undefined
|
||||
spec:
|
||||
server:
|
||||
name: proxy-admin
|
||||
client:
|
||||
# for kubelet probes
|
||||
unauthenticated: true
|
||||
|
||||
---
|
||||
###
|
||||
### Metrics API
|
||||
###
|
||||
|
|
@ -434,6 +500,43 @@ spec:
|
|||
runAsUser: 2103
|
||||
serviceAccountName: metrics-api
|
||||
---
|
||||
apiVersion: policy.linkerd.io/v1alpha1
|
||||
kind: Server
|
||||
metadata:
|
||||
namespace: linkerd-viz
|
||||
name: metrics-api
|
||||
labels:
|
||||
linkerd.io/extension: viz
|
||||
component: metrics-api
|
||||
annotations:
|
||||
linkerd.io/created-by: linkerd/helm dev-undefined
|
||||
spec:
|
||||
podSelector:
|
||||
matchLabels:
|
||||
linkerd.io/extension: viz
|
||||
component: metrics-api
|
||||
port: http
|
||||
proxyProtocol: HTTP/1
|
||||
---
|
||||
apiVersion: policy.linkerd.io/v1alpha1
|
||||
kind: ServerAuthorization
|
||||
metadata:
|
||||
namespace: linkerd-viz
|
||||
name: metrics-api
|
||||
labels:
|
||||
linkerd.io/extension: viz
|
||||
component: metrics-api
|
||||
annotations:
|
||||
linkerd.io/created-by: linkerd/helm dev-undefined
|
||||
spec:
|
||||
server:
|
||||
name: metrics-api
|
||||
client:
|
||||
meshTLS:
|
||||
serviceAccounts:
|
||||
- name: web
|
||||
- name: prometheus
|
||||
---
|
||||
###
|
||||
### Grafana
|
||||
###
|
||||
|
|
@ -591,6 +694,41 @@ spec:
|
|||
name: grafana-config
|
||||
name: grafana-config
|
||||
---
|
||||
apiVersion: policy.linkerd.io/v1alpha1
|
||||
kind: Server
|
||||
metadata:
|
||||
namespace: linkerd-viz
|
||||
name: grafana
|
||||
labels:
|
||||
linkerd.io/extension: viz
|
||||
component: grafana
|
||||
annotations:
|
||||
linkerd.io/created-by: linkerd/helm dev-undefined
|
||||
spec:
|
||||
podSelector:
|
||||
matchLabels:
|
||||
linkerd.io/extension: viz
|
||||
component: grafana
|
||||
port: http
|
||||
proxyProtocol: HTTP/1
|
||||
---
|
||||
apiVersion: policy.linkerd.io/v1alpha1
|
||||
kind: ServerAuthorization
|
||||
metadata:
|
||||
namespace: linkerd-viz
|
||||
name: grafana
|
||||
labels:
|
||||
linkerd.io/extension: viz
|
||||
component: grafana
|
||||
annotations:
|
||||
linkerd.io/created-by: linkerd/helm dev-undefined
|
||||
spec:
|
||||
server:
|
||||
name: grafana
|
||||
client:
|
||||
# web, prometheus and the kubelet probes
|
||||
unauthenticated: true
|
||||
---
|
||||
###
|
||||
### Tap
|
||||
###
|
||||
|
|
@ -690,6 +828,41 @@ spec:
|
|||
secret:
|
||||
secretName: tap-k8s-tls
|
||||
---
|
||||
apiVersion: policy.linkerd.io/v1alpha1
|
||||
kind: Server
|
||||
metadata:
|
||||
namespace: linkerd-viz
|
||||
name: tap-api
|
||||
labels:
|
||||
linkerd.io/extension: viz
|
||||
component: tap
|
||||
annotations:
|
||||
linkerd.io/created-by: linkerd/helm dev-undefined
|
||||
spec:
|
||||
podSelector:
|
||||
matchLabels:
|
||||
linkerd.io/extension: viz
|
||||
component: tap
|
||||
port: apiserver
|
||||
proxyProtocol: TLS
|
||||
---
|
||||
apiVersion: policy.linkerd.io/v1alpha1
|
||||
kind: ServerAuthorization
|
||||
metadata:
|
||||
namespace: linkerd-viz
|
||||
name: tap
|
||||
labels:
|
||||
linkerd.io/extension: viz
|
||||
component: tap
|
||||
annotations:
|
||||
linkerd.io/created-by: linkerd/helm dev-undefined
|
||||
spec:
|
||||
server:
|
||||
name: tap-api
|
||||
client:
|
||||
# traffic coming from kube-api
|
||||
unauthenticated: true
|
||||
---
|
||||
###
|
||||
### Tap Injector RBAC
|
||||
###
|
||||
|
|
@ -850,6 +1023,41 @@ spec:
|
|||
secret:
|
||||
secretName: tap-injector-k8s-tls
|
||||
---
|
||||
apiVersion: policy.linkerd.io/v1alpha1
|
||||
kind: Server
|
||||
metadata:
|
||||
namespace: linkerd-viz
|
||||
name: tap-injector-webhook
|
||||
labels:
|
||||
linkerd.io/extension: viz
|
||||
component: tap-injector
|
||||
annotations:
|
||||
linkerd.io/created-by: linkerd/helm dev-undefined
|
||||
spec:
|
||||
podSelector:
|
||||
matchLabels:
|
||||
linkerd.io/extension: viz
|
||||
component: tap-injector
|
||||
port: tap-injector
|
||||
proxyProtocol: TLS
|
||||
---
|
||||
apiVersion: policy.linkerd.io/v1alpha1
|
||||
kind: ServerAuthorization
|
||||
metadata:
|
||||
namespace: linkerd-viz
|
||||
name: tap-injector
|
||||
labels:
|
||||
linkerd.io/extension: viz
|
||||
component: tap-injector
|
||||
annotations:
|
||||
linkerd.io/created-by: linkerd/helm dev-undefined
|
||||
spec:
|
||||
server:
|
||||
name: tap-injector-webhook
|
||||
client:
|
||||
# traffic coming from kube-api
|
||||
unauthenticated: true
|
||||
---
|
||||
###
|
||||
### Web
|
||||
###
|
||||
|
|
|
|||
|
|
@ -392,6 +392,72 @@ metadata:
|
|||
component: web
|
||||
namespace: linkerd-viz
|
||||
---
|
||||
apiVersion: policy.linkerd.io/v1alpha1
|
||||
kind: Server
|
||||
metadata:
|
||||
namespace: linkerd-viz
|
||||
name: admin
|
||||
labels:
|
||||
linkerd.io/extension: viz
|
||||
annotations:
|
||||
linkerd.io/created-by: linkerd/helm dev-undefined
|
||||
spec:
|
||||
podSelector:
|
||||
matchLabels:
|
||||
linkerd.io/extension: viz
|
||||
port: admin-http
|
||||
proxyProtocol: HTTP/1
|
||||
---
|
||||
apiVersion: policy.linkerd.io/v1alpha1
|
||||
kind: ServerAuthorization
|
||||
metadata:
|
||||
namespace: linkerd-viz
|
||||
name: admin
|
||||
labels:
|
||||
linkerd.io/extension: viz
|
||||
annotations:
|
||||
linkerd.io/created-by: linkerd/helm dev-undefined
|
||||
spec:
|
||||
server:
|
||||
name: admin
|
||||
client:
|
||||
# for kubelet probes and prometheus scraping
|
||||
unauthenticated: true
|
||||
|
||||
---
|
||||
apiVersion: policy.linkerd.io/v1alpha1
|
||||
kind: Server
|
||||
metadata:
|
||||
namespace: linkerd-viz
|
||||
name: proxy-admin
|
||||
labels:
|
||||
linkerd.io/extension: viz
|
||||
annotations:
|
||||
linkerd.io/created-by: linkerd/helm dev-undefined
|
||||
spec:
|
||||
podSelector:
|
||||
matchLabels:
|
||||
linkerd.io/extension: viz
|
||||
port: linkerd-admin
|
||||
proxyProtocol: HTTP/1
|
||||
---
|
||||
apiVersion: policy.linkerd.io/v1alpha1
|
||||
kind: ServerAuthorization
|
||||
metadata:
|
||||
namespace: linkerd-viz
|
||||
name: proxy-admin
|
||||
labels:
|
||||
linkerd.io/extension: viz
|
||||
annotations:
|
||||
linkerd.io/created-by: linkerd/helm dev-undefined
|
||||
spec:
|
||||
server:
|
||||
name: proxy-admin
|
||||
client:
|
||||
# for kubelet probes
|
||||
unauthenticated: true
|
||||
|
||||
---
|
||||
###
|
||||
### Metrics API
|
||||
###
|
||||
|
|
@ -474,6 +540,43 @@ spec:
|
|||
runAsUser: 2103
|
||||
serviceAccountName: metrics-api
|
||||
---
|
||||
apiVersion: policy.linkerd.io/v1alpha1
|
||||
kind: Server
|
||||
metadata:
|
||||
namespace: linkerd-viz
|
||||
name: metrics-api
|
||||
labels:
|
||||
linkerd.io/extension: viz
|
||||
component: metrics-api
|
||||
annotations:
|
||||
linkerd.io/created-by: linkerd/helm dev-undefined
|
||||
spec:
|
||||
podSelector:
|
||||
matchLabels:
|
||||
linkerd.io/extension: viz
|
||||
component: metrics-api
|
||||
port: http
|
||||
proxyProtocol: HTTP/1
|
||||
---
|
||||
apiVersion: policy.linkerd.io/v1alpha1
|
||||
kind: ServerAuthorization
|
||||
metadata:
|
||||
namespace: linkerd-viz
|
||||
name: metrics-api
|
||||
labels:
|
||||
linkerd.io/extension: viz
|
||||
component: metrics-api
|
||||
annotations:
|
||||
linkerd.io/created-by: linkerd/helm dev-undefined
|
||||
spec:
|
||||
server:
|
||||
name: metrics-api
|
||||
client:
|
||||
meshTLS:
|
||||
serviceAccounts:
|
||||
- name: web
|
||||
- name: prometheus
|
||||
---
|
||||
###
|
||||
### Grafana
|
||||
###
|
||||
|
|
@ -631,6 +734,41 @@ spec:
|
|||
name: grafana-config
|
||||
name: grafana-config
|
||||
---
|
||||
apiVersion: policy.linkerd.io/v1alpha1
|
||||
kind: Server
|
||||
metadata:
|
||||
namespace: linkerd-viz
|
||||
name: grafana
|
||||
labels:
|
||||
linkerd.io/extension: viz
|
||||
component: grafana
|
||||
annotations:
|
||||
linkerd.io/created-by: linkerd/helm dev-undefined
|
||||
spec:
|
||||
podSelector:
|
||||
matchLabels:
|
||||
linkerd.io/extension: viz
|
||||
component: grafana
|
||||
port: http
|
||||
proxyProtocol: HTTP/1
|
||||
---
|
||||
apiVersion: policy.linkerd.io/v1alpha1
|
||||
kind: ServerAuthorization
|
||||
metadata:
|
||||
namespace: linkerd-viz
|
||||
name: grafana
|
||||
labels:
|
||||
linkerd.io/extension: viz
|
||||
component: grafana
|
||||
annotations:
|
||||
linkerd.io/created-by: linkerd/helm dev-undefined
|
||||
spec:
|
||||
server:
|
||||
name: grafana
|
||||
client:
|
||||
# web, prometheus and the kubelet probes
|
||||
unauthenticated: true
|
||||
---
|
||||
###
|
||||
### Prometheus
|
||||
###
|
||||
|
|
@ -977,6 +1115,41 @@ spec:
|
|||
secret:
|
||||
secretName: tap-k8s-tls
|
||||
---
|
||||
apiVersion: policy.linkerd.io/v1alpha1
|
||||
kind: Server
|
||||
metadata:
|
||||
namespace: linkerd-viz
|
||||
name: tap-api
|
||||
labels:
|
||||
linkerd.io/extension: viz
|
||||
component: tap
|
||||
annotations:
|
||||
linkerd.io/created-by: linkerd/helm dev-undefined
|
||||
spec:
|
||||
podSelector:
|
||||
matchLabels:
|
||||
linkerd.io/extension: viz
|
||||
component: tap
|
||||
port: apiserver
|
||||
proxyProtocol: TLS
|
||||
---
|
||||
apiVersion: policy.linkerd.io/v1alpha1
|
||||
kind: ServerAuthorization
|
||||
metadata:
|
||||
namespace: linkerd-viz
|
||||
name: tap
|
||||
labels:
|
||||
linkerd.io/extension: viz
|
||||
component: tap
|
||||
annotations:
|
||||
linkerd.io/created-by: linkerd/helm dev-undefined
|
||||
spec:
|
||||
server:
|
||||
name: tap-api
|
||||
client:
|
||||
# traffic coming from kube-api
|
||||
unauthenticated: true
|
||||
---
|
||||
###
|
||||
### Tap Injector RBAC
|
||||
###
|
||||
|
|
@ -1137,6 +1310,41 @@ spec:
|
|||
secret:
|
||||
secretName: tap-injector-k8s-tls
|
||||
---
|
||||
apiVersion: policy.linkerd.io/v1alpha1
|
||||
kind: Server
|
||||
metadata:
|
||||
namespace: linkerd-viz
|
||||
name: tap-injector-webhook
|
||||
labels:
|
||||
linkerd.io/extension: viz
|
||||
component: tap-injector
|
||||
annotations:
|
||||
linkerd.io/created-by: linkerd/helm dev-undefined
|
||||
spec:
|
||||
podSelector:
|
||||
matchLabels:
|
||||
linkerd.io/extension: viz
|
||||
component: tap-injector
|
||||
port: tap-injector
|
||||
proxyProtocol: TLS
|
||||
---
|
||||
apiVersion: policy.linkerd.io/v1alpha1
|
||||
kind: ServerAuthorization
|
||||
metadata:
|
||||
namespace: linkerd-viz
|
||||
name: tap-injector
|
||||
labels:
|
||||
linkerd.io/extension: viz
|
||||
component: tap-injector
|
||||
annotations:
|
||||
linkerd.io/created-by: linkerd/helm dev-undefined
|
||||
spec:
|
||||
server:
|
||||
name: tap-injector-webhook
|
||||
client:
|
||||
# traffic coming from kube-api
|
||||
unauthenticated: true
|
||||
---
|
||||
###
|
||||
### Web
|
||||
###
|
||||
|
|
|
|||
|
|
@ -392,6 +392,72 @@ metadata:
|
|||
component: web
|
||||
namespace: linkerd-viz
|
||||
---
|
||||
apiVersion: policy.linkerd.io/v1alpha1
|
||||
kind: Server
|
||||
metadata:
|
||||
namespace: linkerd-viz
|
||||
name: admin
|
||||
labels:
|
||||
linkerd.io/extension: viz
|
||||
annotations:
|
||||
linkerd.io/created-by: linkerd/helm dev-undefined
|
||||
spec:
|
||||
podSelector:
|
||||
matchLabels:
|
||||
linkerd.io/extension: viz
|
||||
port: admin-http
|
||||
proxyProtocol: HTTP/1
|
||||
---
|
||||
apiVersion: policy.linkerd.io/v1alpha1
|
||||
kind: ServerAuthorization
|
||||
metadata:
|
||||
namespace: linkerd-viz
|
||||
name: admin
|
||||
labels:
|
||||
linkerd.io/extension: viz
|
||||
annotations:
|
||||
linkerd.io/created-by: linkerd/helm dev-undefined
|
||||
spec:
|
||||
server:
|
||||
name: admin
|
||||
client:
|
||||
# for kubelet probes and prometheus scraping
|
||||
unauthenticated: true
|
||||
|
||||
---
|
||||
apiVersion: policy.linkerd.io/v1alpha1
|
||||
kind: Server
|
||||
metadata:
|
||||
namespace: linkerd-viz
|
||||
name: proxy-admin
|
||||
labels:
|
||||
linkerd.io/extension: viz
|
||||
annotations:
|
||||
linkerd.io/created-by: linkerd/helm dev-undefined
|
||||
spec:
|
||||
podSelector:
|
||||
matchLabels:
|
||||
linkerd.io/extension: viz
|
||||
port: linkerd-admin
|
||||
proxyProtocol: HTTP/1
|
||||
---
|
||||
apiVersion: policy.linkerd.io/v1alpha1
|
||||
kind: ServerAuthorization
|
||||
metadata:
|
||||
namespace: linkerd-viz
|
||||
name: proxy-admin
|
||||
labels:
|
||||
linkerd.io/extension: viz
|
||||
annotations:
|
||||
linkerd.io/created-by: linkerd/helm dev-undefined
|
||||
spec:
|
||||
server:
|
||||
name: proxy-admin
|
||||
client:
|
||||
# for kubelet probes
|
||||
unauthenticated: true
|
||||
|
||||
---
|
||||
###
|
||||
### Metrics API
|
||||
###
|
||||
|
|
@ -474,6 +540,43 @@ spec:
|
|||
runAsUser: 2103
|
||||
serviceAccountName: metrics-api
|
||||
---
|
||||
apiVersion: policy.linkerd.io/v1alpha1
|
||||
kind: Server
|
||||
metadata:
|
||||
namespace: linkerd-viz
|
||||
name: metrics-api
|
||||
labels:
|
||||
linkerd.io/extension: viz
|
||||
component: metrics-api
|
||||
annotations:
|
||||
linkerd.io/created-by: linkerd/helm dev-undefined
|
||||
spec:
|
||||
podSelector:
|
||||
matchLabels:
|
||||
linkerd.io/extension: viz
|
||||
component: metrics-api
|
||||
port: http
|
||||
proxyProtocol: HTTP/1
|
||||
---
|
||||
apiVersion: policy.linkerd.io/v1alpha1
|
||||
kind: ServerAuthorization
|
||||
metadata:
|
||||
namespace: linkerd-viz
|
||||
name: metrics-api
|
||||
labels:
|
||||
linkerd.io/extension: viz
|
||||
component: metrics-api
|
||||
annotations:
|
||||
linkerd.io/created-by: linkerd/helm dev-undefined
|
||||
spec:
|
||||
server:
|
||||
name: metrics-api
|
||||
client:
|
||||
meshTLS:
|
||||
serviceAccounts:
|
||||
- name: web
|
||||
- name: prometheus
|
||||
---
|
||||
###
|
||||
### Grafana
|
||||
###
|
||||
|
|
@ -635,6 +738,41 @@ spec:
|
|||
name: grafana-config
|
||||
name: grafana-config
|
||||
---
|
||||
apiVersion: policy.linkerd.io/v1alpha1
|
||||
kind: Server
|
||||
metadata:
|
||||
namespace: linkerd-viz
|
||||
name: grafana
|
||||
labels:
|
||||
linkerd.io/extension: viz
|
||||
component: grafana
|
||||
annotations:
|
||||
linkerd.io/created-by: linkerd/helm dev-undefined
|
||||
spec:
|
||||
podSelector:
|
||||
matchLabels:
|
||||
linkerd.io/extension: viz
|
||||
component: grafana
|
||||
port: http
|
||||
proxyProtocol: HTTP/1
|
||||
---
|
||||
apiVersion: policy.linkerd.io/v1alpha1
|
||||
kind: ServerAuthorization
|
||||
metadata:
|
||||
namespace: linkerd-viz
|
||||
name: grafana
|
||||
labels:
|
||||
linkerd.io/extension: viz
|
||||
component: grafana
|
||||
annotations:
|
||||
linkerd.io/created-by: linkerd/helm dev-undefined
|
||||
spec:
|
||||
server:
|
||||
name: grafana
|
||||
client:
|
||||
# web, prometheus and the kubelet probes
|
||||
unauthenticated: true
|
||||
---
|
||||
###
|
||||
### Prometheus
|
||||
###
|
||||
|
|
@ -989,6 +1127,41 @@ spec:
|
|||
secret:
|
||||
secretName: tap-k8s-tls
|
||||
---
|
||||
apiVersion: policy.linkerd.io/v1alpha1
|
||||
kind: Server
|
||||
metadata:
|
||||
namespace: linkerd-viz
|
||||
name: tap-api
|
||||
labels:
|
||||
linkerd.io/extension: viz
|
||||
component: tap
|
||||
annotations:
|
||||
linkerd.io/created-by: linkerd/helm dev-undefined
|
||||
spec:
|
||||
podSelector:
|
||||
matchLabels:
|
||||
linkerd.io/extension: viz
|
||||
component: tap
|
||||
port: apiserver
|
||||
proxyProtocol: TLS
|
||||
---
|
||||
apiVersion: policy.linkerd.io/v1alpha1
|
||||
kind: ServerAuthorization
|
||||
metadata:
|
||||
namespace: linkerd-viz
|
||||
name: tap
|
||||
labels:
|
||||
linkerd.io/extension: viz
|
||||
component: tap
|
||||
annotations:
|
||||
linkerd.io/created-by: linkerd/helm dev-undefined
|
||||
spec:
|
||||
server:
|
||||
name: tap-api
|
||||
client:
|
||||
# traffic coming from kube-api
|
||||
unauthenticated: true
|
||||
---
|
||||
###
|
||||
### Tap Injector RBAC
|
||||
###
|
||||
|
|
@ -1149,6 +1322,41 @@ spec:
|
|||
secret:
|
||||
secretName: tap-injector-k8s-tls
|
||||
---
|
||||
apiVersion: policy.linkerd.io/v1alpha1
|
||||
kind: Server
|
||||
metadata:
|
||||
namespace: linkerd-viz
|
||||
name: tap-injector-webhook
|
||||
labels:
|
||||
linkerd.io/extension: viz
|
||||
component: tap-injector
|
||||
annotations:
|
||||
linkerd.io/created-by: linkerd/helm dev-undefined
|
||||
spec:
|
||||
podSelector:
|
||||
matchLabels:
|
||||
linkerd.io/extension: viz
|
||||
component: tap-injector
|
||||
port: tap-injector
|
||||
proxyProtocol: TLS
|
||||
---
|
||||
apiVersion: policy.linkerd.io/v1alpha1
|
||||
kind: ServerAuthorization
|
||||
metadata:
|
||||
namespace: linkerd-viz
|
||||
name: tap-injector
|
||||
labels:
|
||||
linkerd.io/extension: viz
|
||||
component: tap-injector
|
||||
annotations:
|
||||
linkerd.io/created-by: linkerd/helm dev-undefined
|
||||
spec:
|
||||
server:
|
||||
name: tap-injector-webhook
|
||||
client:
|
||||
# traffic coming from kube-api
|
||||
unauthenticated: true
|
||||
---
|
||||
###
|
||||
### Web
|
||||
###
|
||||
|
|
|
|||