mirror of https://github.com/linkerd/linkerd2.git
Add support for Pod Security Admission (#9719)
Closes #9676 This adds the `pod-security.kubernetes.io/enforce` label as described in [Pod Security Admission labels for namespaces](https://kubernetes.io/docs/concepts/security/pod-security-admission/#pod-security-admission-labels-for-namespaces). PSA gives us three different possible values (policies or modes): [privileged, baseline and restricted](https://kubernetes.io/docs/concepts/security/pod-security-standards/). For non-CNI mode, the proxy-init container relies on granting the NET_RAW and NET_ADMIN capabilities, which places those pods under the `restricted` policy. OTOH for CNI mode we can enforce the `restricted` policy, by setting some defaults on the containers' `securityContext` as done in this PR. Also note this change also adds the `cniEnabled` entry in the `values.yaml` file for all the extension charts, which determines what policy to use. Final note: this includes the fix from #9717, otherwise an empty gateway UID prevents the pod to be created under the `restricted` policy. ## How to test As this is only enforced as of k8s 1.25, here are the instructions to run 1.25 with k3d using Calico as CNI: ```bash # launch k3d with k8s v1.25, with no flannel CI $ k3d cluster create --image='+v1.25' --k3s-arg '--disable=local-storage,metrics-server@server:0' --no-lb --k3s-arg --write-kubeconfig-mode=644 --k3s-arg --flannel-backend=none --k3s-arg --cluster-cidr=192.168.0.0/16 --k3s-arg '--disable=servicelb,traefik@server:0' # install Calico $ k apply -f https://k3d.io/v5.1.0/usage/advanced/calico.yaml # load all the images $ bin/image-load --k3d proxy controller policy-controller web metrics-api tap cni-plugin jaeger-webhook # install linkerd-cni $ bin/go-run cli install-cni|k apply -f - # install linkerd-crds $ bin/go-run cli install --crds|k apply -f - # install linkerd-control-plane in CNI mode $ bin/go-run cli install --linkerd-cni-enabled|k apply -f - # Pods should come up without issues. You can also try the viz and jaeger extensions. # Try removing one of the securityContext entries added in this PR, and the Pod # won't come up. You should be able to see the PodSecurity error in the associated # ReplicaSet. ``` To test the multicluster extension using CNI, check this [gist](https://gist.github.com/alpeb/4cbbd5ad87538b9e0d39a29b4e3f02eb) with a patch to run the multicluster integration test with CNI in k8s 1.25.
This commit is contained in:
Alejandro Pedraza
GitHub
parent
774f9f6760
commit
faf0ff62f7
|
|
@ -0,0 +1,16 @@
|
|||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: Role
|
||||
metadata:
|
||||
{{- with .Values.commonLabels }}
|
||||
labels: {{ toYaml . | trim | nindent 4 }}
|
||||
{{- end }}
|
||||
annotations:
|
||||
{{ include "partials.annotations.created-by" . }}
|
||||
name: ext-namespace-metadata-linkerd-config
|
||||
namespace: {{ .Release.Namespace }}
|
||||
rules:
|
||||
- apiGroups: [""]
|
||||
resources: ["configmaps"]
|
||||
verbs: ["get"]
|
||||
resourceNames: ["linkerd-config"]
|
||||
|
|
@ -188,6 +188,7 @@ spec:
|
|||
cluster network.
|
||||
*/}}
|
||||
{{- $_ := set $tree.Values.proxy "defaultInboundPolicy" "all-unauthenticated" }}
|
||||
{{- $_ := set $tree.Values.proxy "capabilities" (dict "drop" (list "ALL")) }}
|
||||
- {{- include "partials.proxy" $tree | indent 8 | trimPrefix (repeat 7 " ") }}
|
||||
- args:
|
||||
- destination
|
||||
|
|
@ -224,8 +225,14 @@ spec:
|
|||
{{- include "partials.resources" .Values.destinationResources | nindent 8 }}
|
||||
{{- end }}
|
||||
securityContext:
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
runAsNonRoot: true
|
||||
runAsUser: {{.Values.controllerUID}}
|
||||
allowPrivilegeEscalation: false
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
- args:
|
||||
- sp-validator
|
||||
- -log-level={{.Values.controllerLogLevel}}
|
||||
|
|
@ -253,8 +260,14 @@ spec:
|
|||
{{- include "partials.resources" .Values.spValidatorResources | nindent 8 }}
|
||||
{{- end }}
|
||||
securityContext:
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
runAsNonRoot: true
|
||||
runAsUser: {{.Values.controllerUID}}
|
||||
allowPrivilegeEscalation: false
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
volumeMounts:
|
||||
- mountPath: /var/run/linkerd/tls
|
||||
name: sp-tls
|
||||
|
|
@ -303,8 +316,14 @@ spec:
|
|||
{{- include "partials.resources" $res | nindent 8 }}
|
||||
{{- end }}
|
||||
securityContext:
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
runAsNonRoot: true
|
||||
runAsUser: {{.Values.controllerUID}}
|
||||
allowPrivilegeEscalation: false
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
volumeMounts:
|
||||
- mountPath: /var/run/linkerd/tls
|
||||
name: policy-tls
|
||||
|
|
|
|||
|
|
@ -66,6 +66,12 @@ spec:
|
|||
{{- include "partials.resources" .Values.heartbeatResources | nindent 12 }}
|
||||
{{- end }}
|
||||
securityContext:
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
runAsNonRoot: true
|
||||
runAsUser: {{.Values.controllerUID}}
|
||||
allowPrivilegeEscalation: false
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
{{- end }}
|
||||
|
|
|
|||
|
|
@ -184,8 +184,14 @@ spec:
|
|||
{{- include "partials.resources" .Values.identityResources | nindent 8 }}
|
||||
{{- end }}
|
||||
securityContext:
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
runAsNonRoot: true
|
||||
runAsUser: {{.Values.controllerUID}}
|
||||
allowPrivilegeEscalation: false
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
volumeMounts:
|
||||
- mountPath: /var/run/linkerd/identity/issuer
|
||||
name: identity-issuer
|
||||
|
|
@ -204,6 +210,7 @@ spec:
|
|||
*/}}
|
||||
{{- $_ := set $tree.Values.proxy "defaultInboundPolicy" "all-unauthenticated" }}
|
||||
{{- $_ := set $tree.Values.proxy "requireTLSOnInboundPorts" "8080" }}
|
||||
{{- $_ := set $tree.Values.proxy "capabilities" (dict "drop" (list "ALL")) }}
|
||||
- {{- include "partials.proxy" $tree | indent 8 | trimPrefix (repeat 7 " ") }}
|
||||
initContainers:
|
||||
{{ if .Values.cniEnabled -}}
|
||||
|
|
|
|||
|
|
@ -13,4 +13,6 @@ metadata:
|
|||
linkerd.io/is-control-plane: "true"
|
||||
config.linkerd.io/admission-webhooks: disabled
|
||||
linkerd.io/control-plane-ns: {{.Release.Namespace}}
|
||||
{{- /* linkerd-init requires extended capabilities and so requires priviledged mode */}}
|
||||
pod-security.kubernetes.io/enforce: {{ ternary "restricted" "privileged" .Values.cniEnabled }}
|
||||
{{ end -}}
|
||||
|
|
|
|||
|
|
@ -68,6 +68,7 @@ spec:
|
|||
cluster network.
|
||||
*/}}
|
||||
{{- $_ := set $tree.Values.proxy "defaultInboundPolicy" "all-unauthenticated" }}
|
||||
{{- $_ := set $tree.Values.proxy "capabilities" (dict "drop" (list "ALL")) }}
|
||||
- {{- include "partials.proxy" $tree | indent 8 | trimPrefix (repeat 7 " ") }}
|
||||
- args:
|
||||
- proxy-injector
|
||||
|
|
@ -97,8 +98,14 @@ spec:
|
|||
{{- include "partials.resources" .Values.proxyInjectorResources | nindent 8 }}
|
||||
{{- end }}
|
||||
securityContext:
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
runAsNonRoot: true
|
||||
runAsUser: {{.Values.controllerUID}}
|
||||
allowPrivilegeEscalation: false
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
volumeMounts:
|
||||
- mountPath: /var/run/linkerd/config
|
||||
name: config
|
||||
|
|
|
|||
|
|
@ -25,6 +25,7 @@ metadata:
|
|||
labels:
|
||||
linkerd.io/cni-resource: "true"
|
||||
config.linkerd.io/admission-webhooks: disabled
|
||||
pod-security.kubernetes.io/enforce: privileged
|
||||
---
|
||||
{{ end -}}
|
||||
apiVersion: v1
|
||||
|
|
|
|||
|
|
@ -3,10 +3,14 @@ name: linkerd-network-validator
|
|||
image: {{.Values.proxy.image.name}}:{{.Values.proxy.image.version | default .Values.linkerdVersion }}
|
||||
imagePullPolicy: {{.Values.proxy.image.pullPolicy | default .Values.imagePullPolicy}}
|
||||
securityContext:
|
||||
runAsUser: 65534
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- all
|
||||
- ALL
|
||||
runAsNonRoot: true
|
||||
runAsUser: 65534
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
command:
|
||||
- /usr/lib/linkerd/linkerd2-network-validator
|
||||
args:
|
||||
|
|
|
|||
|
|
@ -161,7 +161,10 @@ securityContext:
|
|||
{{- include "partials.proxy.capabilities" . | nindent 2 -}}
|
||||
{{- end }}
|
||||
readOnlyRootFilesystem: true
|
||||
runAsNonRoot: true
|
||||
runAsUser: {{.Values.proxy.uid}}
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
terminationMessagePolicy: FallbackToLogsOnError
|
||||
{{- if or (.Values.proxy.await) (.Values.proxy.waitBeforeExitSeconds) }}
|
||||
lifecycle:
|
||||
|
|
|
|||
|
|
@ -14,11 +14,9 @@ import (
|
|||
jsonpatch "github.com/evanphx/json-patch"
|
||||
"github.com/linkerd/linkerd2/cli/flag"
|
||||
"github.com/linkerd/linkerd2/pkg/charts/linkerd2"
|
||||
charts "github.com/linkerd/linkerd2/pkg/charts/linkerd2"
|
||||
"github.com/linkerd/linkerd2/pkg/healthcheck"
|
||||
"github.com/linkerd/linkerd2/pkg/inject"
|
||||
"github.com/linkerd/linkerd2/pkg/k8s"
|
||||
api "github.com/linkerd/linkerd2/pkg/public"
|
||||
log "github.com/sirupsen/logrus"
|
||||
"github.com/spf13/cobra"
|
||||
"sigs.k8s.io/yaml"
|
||||
|
|
@ -49,7 +47,7 @@ func runInjectCmd(inputs []io.Reader, errWriter, outWriter io.Writer, transforme
|
|||
}
|
||||
|
||||
func newCmdInject() *cobra.Command {
|
||||
defaults, err := charts.NewValues()
|
||||
defaults, err := linkerd2.NewValues()
|
||||
if err != nil {
|
||||
fmt.Fprint(os.Stderr, err.Error())
|
||||
os.Exit(1)
|
||||
|
|
@ -357,7 +355,7 @@ func (resourceTransformerInject) generateReport(reports []inject.Report, output
|
|||
|
||||
func fetchConfigs(ctx context.Context) (*linkerd2.Values, error) {
|
||||
|
||||
api.CheckPublicAPIClientOrRetryOrExit(healthcheck.Options{
|
||||
hc := healthcheck.NewWithCoreChecks(&healthcheck.Options{
|
||||
ControlPlaneNamespace: controlPlaneNamespace,
|
||||
KubeConfig: kubeconfigPath,
|
||||
Impersonate: impersonate,
|
||||
|
|
@ -366,6 +364,7 @@ func fetchConfigs(ctx context.Context) (*linkerd2.Values, error) {
|
|||
APIAddr: apiAddr,
|
||||
RetryDeadline: time.Time{},
|
||||
})
|
||||
hc.RunWithExitOnError()
|
||||
|
||||
api, err := k8s.NewAPI(kubeconfigPath, kubeContext, impersonate, impersonateGroup, 0)
|
||||
if err != nil {
|
||||
|
|
@ -380,7 +379,7 @@ func fetchConfigs(ctx context.Context) (*linkerd2.Values, error) {
|
|||
// overrideConfigs uses command-line overrides to update the provided configs.
|
||||
// the overrideAnnotations map keeps track of which configs are overridden, by
|
||||
// storing the corresponding annotations and values.
|
||||
func getOverrideAnnotations(values *charts.Values, base *charts.Values) map[string]string {
|
||||
func getOverrideAnnotations(values *linkerd2.Values, base *linkerd2.Values) map[string]string {
|
||||
overrideAnnotations := make(map[string]string)
|
||||
|
||||
proxy := values.Proxy
|
||||
|
|
|
|||
|
|
@ -65,6 +65,7 @@ var (
|
|||
"templates/proxy-injector-rbac.yaml",
|
||||
"templates/psp.yaml",
|
||||
"templates/config.yaml",
|
||||
"templates/config-rbac.yaml",
|
||||
"templates/identity.yaml",
|
||||
"templates/destination.yaml",
|
||||
"templates/heartbeat.yaml",
|
||||
|
|
|
|||
|
|
@ -140,7 +140,10 @@ spec:
|
|||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
readOnlyRootFilesystem: true
|
||||
runAsNonRoot: true
|
||||
runAsUser: 2102
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
terminationMessagePolicy: FallbackToLogsOnError
|
||||
volumeMounts:
|
||||
- mountPath: /var/run/linkerd/identity/end-entity
|
||||
|
|
|
|||
|
|
@ -140,7 +140,10 @@ spec:
|
|||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
readOnlyRootFilesystem: true
|
||||
runAsNonRoot: true
|
||||
runAsUser: 2102
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
terminationMessagePolicy: FallbackToLogsOnError
|
||||
volumeMounts:
|
||||
- mountPath: /var/run/linkerd/identity/end-entity
|
||||
|
|
@ -344,7 +347,10 @@ spec:
|
|||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
readOnlyRootFilesystem: true
|
||||
runAsNonRoot: true
|
||||
runAsUser: 2102
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
terminationMessagePolicy: FallbackToLogsOnError
|
||||
volumeMounts:
|
||||
- mountPath: /var/run/linkerd/identity/end-entity
|
||||
|
|
|
|||
|
|
@ -140,7 +140,10 @@ spec:
|
|||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
readOnlyRootFilesystem: true
|
||||
runAsNonRoot: true
|
||||
runAsUser: 2102
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
terminationMessagePolicy: FallbackToLogsOnError
|
||||
volumeMounts:
|
||||
- mountPath: /var/run/linkerd/identity/end-entity
|
||||
|
|
|
|||
|
|
@ -148,7 +148,10 @@ spec:
|
|||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
readOnlyRootFilesystem: true
|
||||
runAsNonRoot: true
|
||||
runAsUser: 2102
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
terminationMessagePolicy: FallbackToLogsOnError
|
||||
volumeMounts:
|
||||
- mountPath: /var/run/linkerd/identity/end-entity
|
||||
|
|
|
|||
|
|
@ -142,7 +142,10 @@ spec:
|
|||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
readOnlyRootFilesystem: true
|
||||
runAsNonRoot: true
|
||||
runAsUser: 2102
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
terminationMessagePolicy: FallbackToLogsOnError
|
||||
volumeMounts:
|
||||
- mountPath: /var/run/linkerd/identity/end-entity
|
||||
|
|
@ -357,7 +360,10 @@ spec:
|
|||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
readOnlyRootFilesystem: true
|
||||
runAsNonRoot: true
|
||||
runAsUser: 2102
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
terminationMessagePolicy: FallbackToLogsOnError
|
||||
volumeMounts:
|
||||
- mountPath: /var/run/linkerd/identity/end-entity
|
||||
|
|
@ -572,7 +578,10 @@ spec:
|
|||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
readOnlyRootFilesystem: true
|
||||
runAsNonRoot: true
|
||||
runAsUser: 2102
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
terminationMessagePolicy: FallbackToLogsOnError
|
||||
volumeMounts:
|
||||
- mountPath: /var/run/linkerd/identity/end-entity
|
||||
|
|
@ -787,7 +796,10 @@ spec:
|
|||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
readOnlyRootFilesystem: true
|
||||
runAsNonRoot: true
|
||||
runAsUser: 2102
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
terminationMessagePolicy: FallbackToLogsOnError
|
||||
volumeMounts:
|
||||
- mountPath: /var/run/linkerd/identity/end-entity
|
||||
|
|
|
|||
|
|
@ -142,7 +142,10 @@ spec:
|
|||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
readOnlyRootFilesystem: true
|
||||
runAsNonRoot: true
|
||||
runAsUser: 2102
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
terminationMessagePolicy: FallbackToLogsOnError
|
||||
volumeMounts:
|
||||
- mountPath: /var/run/linkerd/identity/end-entity
|
||||
|
|
|
|||
|
|
@ -145,7 +145,10 @@ spec:
|
|||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
readOnlyRootFilesystem: true
|
||||
runAsNonRoot: true
|
||||
runAsUser: 2102
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
terminationMessagePolicy: FallbackToLogsOnError
|
||||
volumeMounts:
|
||||
- mountPath: /var/run/linkerd/identity/end-entity
|
||||
|
|
|
|||
|
|
@ -143,7 +143,10 @@ spec:
|
|||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
readOnlyRootFilesystem: true
|
||||
runAsNonRoot: true
|
||||
runAsUser: 2102
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
terminationMessagePolicy: FallbackToLogsOnError
|
||||
volumeMounts:
|
||||
- mountPath: /var/run/linkerd/identity/end-entity
|
||||
|
|
|
|||
|
|
@ -147,7 +147,10 @@ spec:
|
|||
drop:
|
||||
- ALL
|
||||
readOnlyRootFilesystem: true
|
||||
runAsNonRoot: true
|
||||
runAsUser: 2102
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
terminationMessagePolicy: FallbackToLogsOnError
|
||||
volumeMounts:
|
||||
- mountPath: /var/run/linkerd/identity/end-entity
|
||||
|
|
|
|||
|
|
@ -159,7 +159,10 @@ spec:
|
|||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
readOnlyRootFilesystem: true
|
||||
runAsNonRoot: true
|
||||
runAsUser: 2102
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
terminationMessagePolicy: FallbackToLogsOnError
|
||||
volumeMounts:
|
||||
- mountPath: /var/run/linkerd/identity/end-entity
|
||||
|
|
|
|||
|
|
@ -142,7 +142,10 @@ spec:
|
|||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
readOnlyRootFilesystem: true
|
||||
runAsNonRoot: true
|
||||
runAsUser: 2102
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
terminationMessagePolicy: FallbackToLogsOnError
|
||||
volumeMounts:
|
||||
- mountPath: /var/run/linkerd/identity/end-entity
|
||||
|
|
@ -357,7 +360,10 @@ spec:
|
|||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
readOnlyRootFilesystem: true
|
||||
runAsNonRoot: true
|
||||
runAsUser: 2102
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
terminationMessagePolicy: FallbackToLogsOnError
|
||||
volumeMounts:
|
||||
- mountPath: /var/run/linkerd/identity/end-entity
|
||||
|
|
|
|||
|
|
@ -143,7 +143,10 @@ spec:
|
|||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
readOnlyRootFilesystem: true
|
||||
runAsNonRoot: true
|
||||
runAsUser: 2102
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
terminationMessagePolicy: FallbackToLogsOnError
|
||||
volumeMounts:
|
||||
- mountPath: /var/run/linkerd/identity/end-entity
|
||||
|
|
|
|||
|
|
@ -142,7 +142,10 @@ spec:
|
|||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
readOnlyRootFilesystem: true
|
||||
runAsNonRoot: true
|
||||
runAsUser: 2102
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
terminationMessagePolicy: FallbackToLogsOnError
|
||||
volumeMounts:
|
||||
- mountPath: /var/run/linkerd/identity/end-entity
|
||||
|
|
|
|||
|
|
@ -142,7 +142,10 @@ spec:
|
|||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
readOnlyRootFilesystem: true
|
||||
runAsNonRoot: true
|
||||
runAsUser: 2102
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
terminationMessagePolicy: FallbackToLogsOnError
|
||||
volumeMounts:
|
||||
- mountPath: /var/run/linkerd/identity/end-entity
|
||||
|
|
|
|||
|
|
@ -142,7 +142,10 @@ spec:
|
|||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
readOnlyRootFilesystem: true
|
||||
runAsNonRoot: true
|
||||
runAsUser: 2102
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
terminationMessagePolicy: FallbackToLogsOnError
|
||||
volumeMounts:
|
||||
- mountPath: /var/run/linkerd/identity/end-entity
|
||||
|
|
@ -181,10 +184,14 @@ spec:
|
|||
imagePullPolicy: IfNotPresent
|
||||
name: linkerd-network-validator
|
||||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- all
|
||||
- ALL
|
||||
runAsNonRoot: true
|
||||
runAsUser: 65534
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
volumes:
|
||||
- emptyDir:
|
||||
medium: Memory
|
||||
|
|
|
|||
|
|
@ -143,7 +143,10 @@ spec:
|
|||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
readOnlyRootFilesystem: true
|
||||
runAsNonRoot: true
|
||||
runAsUser: 2102
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
terminationMessagePolicy: FallbackToLogsOnError
|
||||
volumeMounts:
|
||||
- mountPath: /var/run/linkerd/identity/end-entity
|
||||
|
|
|
|||
|
|
@ -143,7 +143,10 @@ spec:
|
|||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
readOnlyRootFilesystem: true
|
||||
runAsNonRoot: true
|
||||
runAsUser: 2102
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
terminationMessagePolicy: FallbackToLogsOnError
|
||||
volumeMounts:
|
||||
- mountPath: /var/run/linkerd/identity/end-entity
|
||||
|
|
|
|||
|
|
@ -144,7 +144,10 @@ spec:
|
|||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
readOnlyRootFilesystem: true
|
||||
runAsNonRoot: true
|
||||
runAsUser: 2102
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
terminationMessagePolicy: FallbackToLogsOnError
|
||||
volumeMounts:
|
||||
- mountPath: /var/run/linkerd/identity/end-entity
|
||||
|
|
|
|||
|
|
@ -142,7 +142,10 @@ spec:
|
|||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
readOnlyRootFilesystem: true
|
||||
runAsNonRoot: true
|
||||
runAsUser: 2102
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
terminationMessagePolicy: FallbackToLogsOnError
|
||||
volumeMounts:
|
||||
- mountPath: /var/run/linkerd/identity/end-entity
|
||||
|
|
|
|||
|
|
@ -144,7 +144,10 @@ items:
|
|||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
readOnlyRootFilesystem: true
|
||||
runAsNonRoot: true
|
||||
runAsUser: 2102
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
terminationMessagePolicy: FallbackToLogsOnError
|
||||
volumeMounts:
|
||||
- mountPath: /var/run/linkerd/identity/end-entity
|
||||
|
|
@ -358,7 +361,10 @@ items:
|
|||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
readOnlyRootFilesystem: true
|
||||
runAsNonRoot: true
|
||||
runAsUser: 2102
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
terminationMessagePolicy: FallbackToLogsOnError
|
||||
volumeMounts:
|
||||
- mountPath: /var/run/linkerd/identity/end-entity
|
||||
|
|
|
|||
|
|
@ -144,7 +144,10 @@ items:
|
|||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
readOnlyRootFilesystem: true
|
||||
runAsNonRoot: true
|
||||
runAsUser: 2102
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
terminationMessagePolicy: FallbackToLogsOnError
|
||||
volumeMounts:
|
||||
- mountPath: /var/run/linkerd/identity/end-entity
|
||||
|
|
@ -358,7 +361,10 @@ items:
|
|||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
readOnlyRootFilesystem: true
|
||||
runAsNonRoot: true
|
||||
runAsUser: 2102
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
terminationMessagePolicy: FallbackToLogsOnError
|
||||
volumeMounts:
|
||||
- mountPath: /var/run/linkerd/identity/end-entity
|
||||
|
|
|
|||
|
|
@ -133,7 +133,10 @@ spec:
|
|||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
readOnlyRootFilesystem: true
|
||||
runAsNonRoot: true
|
||||
runAsUser: 2102
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
terminationMessagePolicy: FallbackToLogsOnError
|
||||
volumeMounts:
|
||||
- mountPath: /var/run/linkerd/identity/end-entity
|
||||
|
|
|
|||
|
|
@ -136,7 +136,10 @@ spec:
|
|||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
readOnlyRootFilesystem: true
|
||||
runAsNonRoot: true
|
||||
runAsUser: 2102
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
terminationMessagePolicy: FallbackToLogsOnError
|
||||
volumeMounts:
|
||||
- mountPath: /var/run/linkerd/identity/end-entity
|
||||
|
|
|
|||
|
|
@ -135,7 +135,10 @@ spec:
|
|||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
readOnlyRootFilesystem: true
|
||||
runAsNonRoot: true
|
||||
runAsUser: 2102
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
terminationMessagePolicy: FallbackToLogsOnError
|
||||
volumeMounts:
|
||||
- mountPath: /var/run/linkerd/identity/end-entity
|
||||
|
|
|
|||
|
|
@ -144,7 +144,10 @@ spec:
|
|||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
readOnlyRootFilesystem: true
|
||||
runAsNonRoot: true
|
||||
runAsUser: 2102
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
terminationMessagePolicy: FallbackToLogsOnError
|
||||
volumeMounts:
|
||||
- mountPath: /var/run/linkerd/identity/end-entity
|
||||
|
|
|
|||
|
|
@ -143,7 +143,10 @@ spec:
|
|||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
readOnlyRootFilesystem: true
|
||||
runAsNonRoot: true
|
||||
runAsUser: 2102
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
terminationMessagePolicy: FallbackToLogsOnError
|
||||
volumeMounts:
|
||||
- mountPath: /var/run/linkerd/identity/end-entity
|
||||
|
|
|
|||
|
|
@ -138,7 +138,10 @@ spec:
|
|||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
readOnlyRootFilesystem: true
|
||||
runAsNonRoot: true
|
||||
runAsUser: 2102
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
terminationMessagePolicy: FallbackToLogsOnError
|
||||
volumeMounts:
|
||||
- mountPath: /var/run/linkerd/identity/end-entity
|
||||
|
|
@ -355,7 +358,10 @@ spec:
|
|||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
readOnlyRootFilesystem: true
|
||||
runAsNonRoot: true
|
||||
runAsUser: 2102
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
terminationMessagePolicy: FallbackToLogsOnError
|
||||
volumeMounts:
|
||||
- mountPath: /var/run/linkerd/identity/end-entity
|
||||
|
|
|
|||
|
|
@ -159,7 +159,10 @@ spec:
|
|||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
readOnlyRootFilesystem: true
|
||||
runAsNonRoot: true
|
||||
runAsUser: 2102
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
terminationMessagePolicy: FallbackToLogsOnError
|
||||
volumeMounts:
|
||||
- mountPath: /var/run/linkerd/identity/end-entity
|
||||
|
|
|
|||
|
|
@ -5,6 +5,7 @@ metadata:
|
|||
labels:
|
||||
linkerd.io/cni-resource: "true"
|
||||
config.linkerd.io/admission-webhooks: disabled
|
||||
pod-security.kubernetes.io/enforce: privileged
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: ServiceAccount
|
||||
|
|
|
|||
|
|
@ -5,6 +5,7 @@ metadata:
|
|||
labels:
|
||||
linkerd.io/cni-resource: "true"
|
||||
config.linkerd.io/admission-webhooks: disabled
|
||||
pod-security.kubernetes.io/enforce: privileged
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: ServiceAccount
|
||||
|
|
|
|||
|
|
@ -5,6 +5,7 @@ metadata:
|
|||
labels:
|
||||
linkerd.io/cni-resource: "true"
|
||||
config.linkerd.io/admission-webhooks: disabled
|
||||
pod-security.kubernetes.io/enforce: privileged
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: ServiceAccount
|
||||
|
|
|
|||
|
|
@ -5,6 +5,7 @@ metadata:
|
|||
labels:
|
||||
linkerd.io/cni-resource: "true"
|
||||
config.linkerd.io/admission-webhooks: disabled
|
||||
pod-security.kubernetes.io/enforce: privileged
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: ServiceAccount
|
||||
|
|
|
|||
|
|
@ -5,6 +5,7 @@ metadata:
|
|||
labels:
|
||||
linkerd.io/cni-resource: "true"
|
||||
config.linkerd.io/admission-webhooks: disabled
|
||||
pod-security.kubernetes.io/enforce: privileged
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: ServiceAccount
|
||||
|
|
|
|||
|
|
@ -12,6 +12,7 @@ metadata:
|
|||
linkerd.io/is-control-plane: "true"
|
||||
config.linkerd.io/admission-webhooks: disabled
|
||||
linkerd.io/control-plane-ns: linkerd
|
||||
pod-security.kubernetes.io/enforce: privileged
|
||||
---
|
||||
###
|
||||
### Identity Controller Service RBAC
|
||||
|
|
@ -631,6 +632,19 @@ data:
|
|||
tolerations: null
|
||||
webhookFailurePolicy: Ignore
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: Role
|
||||
metadata:
|
||||
annotations:
|
||||
linkerd.io/created-by: linkerd/cli dev-undefined
|
||||
name: ext-namespace-metadata-linkerd-config
|
||||
namespace: linkerd
|
||||
rules:
|
||||
- apiGroups: [""]
|
||||
resources: ["configmaps"]
|
||||
verbs: ["get"]
|
||||
resourceNames: ["linkerd-config"]
|
||||
---
|
||||
###
|
||||
### Identity Controller Service
|
||||
###
|
||||
|
|
@ -787,8 +801,14 @@ spec:
|
|||
path: /ready
|
||||
port: 9990
|
||||
securityContext:
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
runAsNonRoot: true
|
||||
runAsUser: 2103
|
||||
allowPrivilegeEscalation: false
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
volumeMounts:
|
||||
- mountPath: /var/run/linkerd/identity/issuer
|
||||
name: identity-issuer
|
||||
|
|
@ -902,8 +922,14 @@ spec:
|
|||
resources:
|
||||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
readOnlyRootFilesystem: true
|
||||
runAsNonRoot: true
|
||||
runAsUser: 2102
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
terminationMessagePolicy: FallbackToLogsOnError
|
||||
volumeMounts:
|
||||
- mountPath: /var/run/linkerd/identity/end-entity
|
||||
|
|
@ -1214,8 +1240,14 @@ spec:
|
|||
resources:
|
||||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
readOnlyRootFilesystem: true
|
||||
runAsNonRoot: true
|
||||
runAsUser: 2102
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
terminationMessagePolicy: FallbackToLogsOnError
|
||||
lifecycle:
|
||||
postStart:
|
||||
|
|
@ -1260,8 +1292,14 @@ spec:
|
|||
path: /ready
|
||||
port: 9996
|
||||
securityContext:
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
runAsNonRoot: true
|
||||
runAsUser: 2103
|
||||
allowPrivilegeEscalation: false
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
- args:
|
||||
- sp-validator
|
||||
- -log-level=info
|
||||
|
|
@ -1286,8 +1324,14 @@ spec:
|
|||
path: /ready
|
||||
port: 9997
|
||||
securityContext:
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
runAsNonRoot: true
|
||||
runAsUser: 2103
|
||||
allowPrivilegeEscalation: false
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
volumeMounts:
|
||||
- mountPath: /var/run/linkerd/tls
|
||||
name: sp-tls
|
||||
|
|
@ -1327,8 +1371,14 @@ spec:
|
|||
initialDelaySeconds: 10
|
||||
resources:
|
||||
securityContext:
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
runAsNonRoot: true
|
||||
runAsUser: 2103
|
||||
allowPrivilegeEscalation: false
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
volumeMounts:
|
||||
- mountPath: /var/run/linkerd/tls
|
||||
name: policy-tls
|
||||
|
|
@ -1439,8 +1489,14 @@ spec:
|
|||
- "-log-format=plain"
|
||||
- "-prometheus-url=http://prometheus.linkerd-viz.svc.cluster.local:9090"
|
||||
securityContext:
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
runAsNonRoot: true
|
||||
runAsUser: 2103
|
||||
allowPrivilegeEscalation: false
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
---
|
||||
###
|
||||
### Proxy Injector
|
||||
|
|
@ -1592,8 +1648,14 @@ spec:
|
|||
resources:
|
||||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
readOnlyRootFilesystem: true
|
||||
runAsNonRoot: true
|
||||
runAsUser: 2102
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
terminationMessagePolicy: FallbackToLogsOnError
|
||||
lifecycle:
|
||||
postStart:
|
||||
|
|
@ -1631,8 +1693,14 @@ spec:
|
|||
path: /ready
|
||||
port: 9995
|
||||
securityContext:
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
runAsNonRoot: true
|
||||
runAsUser: 2103
|
||||
allowPrivilegeEscalation: false
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
volumeMounts:
|
||||
- mountPath: /var/run/linkerd/config
|
||||
name: config
|
||||
|
|
|
|||
|
|
@ -12,6 +12,7 @@ metadata:
|
|||
linkerd.io/is-control-plane: "true"
|
||||
config.linkerd.io/admission-webhooks: disabled
|
||||
linkerd.io/control-plane-ns: linkerd
|
||||
pod-security.kubernetes.io/enforce: privileged
|
||||
---
|
||||
###
|
||||
### Identity Controller Service RBAC
|
||||
|
|
@ -631,6 +632,19 @@ data:
|
|||
tolerations: null
|
||||
webhookFailurePolicy: Ignore
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: Role
|
||||
metadata:
|
||||
annotations:
|
||||
linkerd.io/created-by: linkerd/cli dev-undefined
|
||||
name: ext-namespace-metadata-linkerd-config
|
||||
namespace: linkerd
|
||||
rules:
|
||||
- apiGroups: [""]
|
||||
resources: ["configmaps"]
|
||||
verbs: ["get"]
|
||||
resourceNames: ["linkerd-config"]
|
||||
---
|
||||
###
|
||||
### Identity Controller Service
|
||||
###
|
||||
|
|
@ -786,8 +800,14 @@ spec:
|
|||
path: /ready
|
||||
port: 9990
|
||||
securityContext:
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
runAsNonRoot: true
|
||||
runAsUser: 2103
|
||||
allowPrivilegeEscalation: false
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
volumeMounts:
|
||||
- mountPath: /var/run/linkerd/identity/issuer
|
||||
name: identity-issuer
|
||||
|
|
@ -901,8 +921,14 @@ spec:
|
|||
resources:
|
||||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
readOnlyRootFilesystem: true
|
||||
runAsNonRoot: true
|
||||
runAsUser: 2102
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
terminationMessagePolicy: FallbackToLogsOnError
|
||||
volumeMounts:
|
||||
- mountPath: /var/run/linkerd/identity/end-entity
|
||||
|
|
@ -1213,8 +1239,14 @@ spec:
|
|||
resources:
|
||||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
readOnlyRootFilesystem: true
|
||||
runAsNonRoot: true
|
||||
runAsUser: 2102
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
terminationMessagePolicy: FallbackToLogsOnError
|
||||
lifecycle:
|
||||
postStart:
|
||||
|
|
@ -1258,8 +1290,14 @@ spec:
|
|||
path: /ready
|
||||
port: 9996
|
||||
securityContext:
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
runAsNonRoot: true
|
||||
runAsUser: 2103
|
||||
allowPrivilegeEscalation: false
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
- args:
|
||||
- sp-validator
|
||||
- -log-level=info
|
||||
|
|
@ -1284,8 +1322,14 @@ spec:
|
|||
path: /ready
|
||||
port: 9997
|
||||
securityContext:
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
runAsNonRoot: true
|
||||
runAsUser: 2103
|
||||
allowPrivilegeEscalation: false
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
volumeMounts:
|
||||
- mountPath: /var/run/linkerd/tls
|
||||
name: sp-tls
|
||||
|
|
@ -1325,8 +1369,14 @@ spec:
|
|||
initialDelaySeconds: 10
|
||||
resources:
|
||||
securityContext:
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
runAsNonRoot: true
|
||||
runAsUser: 2103
|
||||
allowPrivilegeEscalation: false
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
volumeMounts:
|
||||
- mountPath: /var/run/linkerd/tls
|
||||
name: policy-tls
|
||||
|
|
@ -1437,8 +1487,14 @@ spec:
|
|||
- "-log-format=plain"
|
||||
- "-prometheus-url=http://prometheus.linkerd-viz.svc.cluster.local:9090"
|
||||
securityContext:
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
runAsNonRoot: true
|
||||
runAsUser: 2103
|
||||
allowPrivilegeEscalation: false
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
---
|
||||
###
|
||||
### Proxy Injector
|
||||
|
|
@ -1590,8 +1646,14 @@ spec:
|
|||
resources:
|
||||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
readOnlyRootFilesystem: true
|
||||
runAsNonRoot: true
|
||||
runAsUser: 2102
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
terminationMessagePolicy: FallbackToLogsOnError
|
||||
lifecycle:
|
||||
postStart:
|
||||
|
|
@ -1629,8 +1691,14 @@ spec:
|
|||
path: /ready
|
||||
port: 9995
|
||||
securityContext:
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
runAsNonRoot: true
|
||||
runAsUser: 2103
|
||||
allowPrivilegeEscalation: false
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
volumeMounts:
|
||||
- mountPath: /var/run/linkerd/config
|
||||
name: config
|
||||
|
|
|
|||
|
|
@ -12,6 +12,7 @@ metadata:
|
|||
linkerd.io/is-control-plane: "true"
|
||||
config.linkerd.io/admission-webhooks: disabled
|
||||
linkerd.io/control-plane-ns: linkerd
|
||||
pod-security.kubernetes.io/enforce: privileged
|
||||
---
|
||||
###
|
||||
### Identity Controller Service RBAC
|
||||
|
|
@ -631,6 +632,19 @@ data:
|
|||
tolerations: null
|
||||
webhookFailurePolicy: Ignore
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: Role
|
||||
metadata:
|
||||
annotations:
|
||||
linkerd.io/created-by: linkerd/cli dev-undefined
|
||||
name: ext-namespace-metadata-linkerd-config
|
||||
namespace: linkerd
|
||||
rules:
|
||||
- apiGroups: [""]
|
||||
resources: ["configmaps"]
|
||||
verbs: ["get"]
|
||||
resourceNames: ["linkerd-config"]
|
||||
---
|
||||
###
|
||||
### Identity Controller Service
|
||||
###
|
||||
|
|
@ -786,8 +800,14 @@ spec:
|
|||
path: /ready
|
||||
port: 9990
|
||||
securityContext:
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
runAsNonRoot: true
|
||||
runAsUser: 2103
|
||||
allowPrivilegeEscalation: false
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
volumeMounts:
|
||||
- mountPath: /var/run/linkerd/identity/issuer
|
||||
name: identity-issuer
|
||||
|
|
@ -901,8 +921,14 @@ spec:
|
|||
resources:
|
||||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
readOnlyRootFilesystem: true
|
||||
runAsNonRoot: true
|
||||
runAsUser: 2102
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
terminationMessagePolicy: FallbackToLogsOnError
|
||||
volumeMounts:
|
||||
- mountPath: /var/run/linkerd/identity/end-entity
|
||||
|
|
@ -1213,8 +1239,14 @@ spec:
|
|||
resources:
|
||||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
readOnlyRootFilesystem: true
|
||||
runAsNonRoot: true
|
||||
runAsUser: 2102
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
terminationMessagePolicy: FallbackToLogsOnError
|
||||
lifecycle:
|
||||
postStart:
|
||||
|
|
@ -1258,8 +1290,14 @@ spec:
|
|||
path: /ready
|
||||
port: 9996
|
||||
securityContext:
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
runAsNonRoot: true
|
||||
runAsUser: 2103
|
||||
allowPrivilegeEscalation: false
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
- args:
|
||||
- sp-validator
|
||||
- -log-level=info
|
||||
|
|
@ -1284,8 +1322,14 @@ spec:
|
|||
path: /ready
|
||||
port: 9997
|
||||
securityContext:
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
runAsNonRoot: true
|
||||
runAsUser: 2103
|
||||
allowPrivilegeEscalation: false
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
volumeMounts:
|
||||
- mountPath: /var/run/linkerd/tls
|
||||
name: sp-tls
|
||||
|
|
@ -1325,8 +1369,14 @@ spec:
|
|||
initialDelaySeconds: 10
|
||||
resources:
|
||||
securityContext:
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
runAsNonRoot: true
|
||||
runAsUser: 2103
|
||||
allowPrivilegeEscalation: false
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
volumeMounts:
|
||||
- mountPath: /var/run/linkerd/tls
|
||||
name: policy-tls
|
||||
|
|
@ -1437,8 +1487,14 @@ spec:
|
|||
- "-log-format=plain"
|
||||
- "-prometheus-url=http://prometheus.linkerd-viz.svc.cluster.local:9090"
|
||||
securityContext:
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
runAsNonRoot: true
|
||||
runAsUser: 2103
|
||||
allowPrivilegeEscalation: false
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
---
|
||||
###
|
||||
### Proxy Injector
|
||||
|
|
@ -1590,8 +1646,14 @@ spec:
|
|||
resources:
|
||||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
readOnlyRootFilesystem: true
|
||||
runAsNonRoot: true
|
||||
runAsUser: 2102
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
terminationMessagePolicy: FallbackToLogsOnError
|
||||
lifecycle:
|
||||
postStart:
|
||||
|
|
@ -1629,8 +1691,14 @@ spec:
|
|||
path: /ready
|
||||
port: 9995
|
||||
securityContext:
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
runAsNonRoot: true
|
||||
runAsUser: 2103
|
||||
allowPrivilegeEscalation: false
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
volumeMounts:
|
||||
- mountPath: /var/run/linkerd/config
|
||||
name: config
|
||||
|
|
|
|||
|
|
@ -12,6 +12,7 @@ metadata:
|
|||
linkerd.io/is-control-plane: "true"
|
||||
config.linkerd.io/admission-webhooks: disabled
|
||||
linkerd.io/control-plane-ns: linkerd
|
||||
pod-security.kubernetes.io/enforce: privileged
|
||||
---
|
||||
###
|
||||
### Identity Controller Service RBAC
|
||||
|
|
@ -631,6 +632,19 @@ data:
|
|||
tolerations: null
|
||||
webhookFailurePolicy: Ignore
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: Role
|
||||
metadata:
|
||||
annotations:
|
||||
linkerd.io/created-by: linkerd/cli dev-undefined
|
||||
name: ext-namespace-metadata-linkerd-config
|
||||
namespace: linkerd
|
||||
rules:
|
||||
- apiGroups: [""]
|
||||
resources: ["configmaps"]
|
||||
verbs: ["get"]
|
||||
resourceNames: ["linkerd-config"]
|
||||
---
|
||||
###
|
||||
### Identity Controller Service
|
||||
###
|
||||
|
|
@ -786,8 +800,14 @@ spec:
|
|||
path: /ready
|
||||
port: 9990
|
||||
securityContext:
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
runAsNonRoot: true
|
||||
runAsUser: 2103
|
||||
allowPrivilegeEscalation: false
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
volumeMounts:
|
||||
- mountPath: /var/run/linkerd/identity/issuer
|
||||
name: identity-issuer
|
||||
|
|
@ -901,8 +921,14 @@ spec:
|
|||
resources:
|
||||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
readOnlyRootFilesystem: true
|
||||
runAsNonRoot: true
|
||||
runAsUser: 2102
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
terminationMessagePolicy: FallbackToLogsOnError
|
||||
volumeMounts:
|
||||
- mountPath: /var/run/linkerd/identity/end-entity
|
||||
|
|
@ -1213,8 +1239,14 @@ spec:
|
|||
resources:
|
||||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
readOnlyRootFilesystem: true
|
||||
runAsNonRoot: true
|
||||
runAsUser: 2102
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
terminationMessagePolicy: FallbackToLogsOnError
|
||||
lifecycle:
|
||||
postStart:
|
||||
|
|
@ -1258,8 +1290,14 @@ spec:
|
|||
path: /ready
|
||||
port: 9996
|
||||
securityContext:
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
runAsNonRoot: true
|
||||
runAsUser: 2103
|
||||
allowPrivilegeEscalation: false
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
- args:
|
||||
- sp-validator
|
||||
- -log-level=info
|
||||
|
|
@ -1284,8 +1322,14 @@ spec:
|
|||
path: /ready
|
||||
port: 9997
|
||||
securityContext:
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
runAsNonRoot: true
|
||||
runAsUser: 2103
|
||||
allowPrivilegeEscalation: false
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
volumeMounts:
|
||||
- mountPath: /var/run/linkerd/tls
|
||||
name: sp-tls
|
||||
|
|
@ -1325,8 +1369,14 @@ spec:
|
|||
initialDelaySeconds: 10
|
||||
resources:
|
||||
securityContext:
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
runAsNonRoot: true
|
||||
runAsUser: 2103
|
||||
allowPrivilegeEscalation: false
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
volumeMounts:
|
||||
- mountPath: /var/run/linkerd/tls
|
||||
name: policy-tls
|
||||
|
|
@ -1437,8 +1487,14 @@ spec:
|
|||
- "-log-format=plain"
|
||||
- "-prometheus-url=http://prometheus.linkerd-viz.svc.cluster.local:9090"
|
||||
securityContext:
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
runAsNonRoot: true
|
||||
runAsUser: 2103
|
||||
allowPrivilegeEscalation: false
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
---
|
||||
###
|
||||
### Proxy Injector
|
||||
|
|
@ -1590,8 +1646,14 @@ spec:
|
|||
resources:
|
||||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
readOnlyRootFilesystem: true
|
||||
runAsNonRoot: true
|
||||
runAsUser: 2102
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
terminationMessagePolicy: FallbackToLogsOnError
|
||||
lifecycle:
|
||||
postStart:
|
||||
|
|
@ -1629,8 +1691,14 @@ spec:
|
|||
path: /ready
|
||||
port: 9995
|
||||
securityContext:
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
runAsNonRoot: true
|
||||
runAsUser: 2103
|
||||
allowPrivilegeEscalation: false
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
volumeMounts:
|
||||
- mountPath: /var/run/linkerd/config
|
||||
name: config
|
||||
|
|
|
|||
|
|
@ -12,6 +12,7 @@ metadata:
|
|||
linkerd.io/is-control-plane: "true"
|
||||
config.linkerd.io/admission-webhooks: disabled
|
||||
linkerd.io/control-plane-ns: linkerd
|
||||
pod-security.kubernetes.io/enforce: privileged
|
||||
---
|
||||
###
|
||||
### Identity Controller Service RBAC
|
||||
|
|
@ -631,6 +632,19 @@ data:
|
|||
tolerations: null
|
||||
webhookFailurePolicy: Ignore
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: Role
|
||||
metadata:
|
||||
annotations:
|
||||
linkerd.io/created-by: linkerd/cli dev-undefined
|
||||
name: ext-namespace-metadata-linkerd-config
|
||||
namespace: linkerd
|
||||
rules:
|
||||
- apiGroups: [""]
|
||||
resources: ["configmaps"]
|
||||
verbs: ["get"]
|
||||
resourceNames: ["linkerd-config"]
|
||||
---
|
||||
###
|
||||
### Identity Controller Service
|
||||
###
|
||||
|
|
@ -786,8 +800,14 @@ spec:
|
|||
path: /ready
|
||||
port: 9990
|
||||
securityContext:
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
runAsNonRoot: true
|
||||
runAsUser: 2103
|
||||
allowPrivilegeEscalation: false
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
volumeMounts:
|
||||
- mountPath: /var/run/linkerd/identity/issuer
|
||||
name: identity-issuer
|
||||
|
|
@ -901,8 +921,14 @@ spec:
|
|||
resources:
|
||||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
readOnlyRootFilesystem: true
|
||||
runAsNonRoot: true
|
||||
runAsUser: 2102
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
terminationMessagePolicy: FallbackToLogsOnError
|
||||
volumeMounts:
|
||||
- mountPath: /var/run/linkerd/identity/end-entity
|
||||
|
|
@ -1213,8 +1239,14 @@ spec:
|
|||
resources:
|
||||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
readOnlyRootFilesystem: true
|
||||
runAsNonRoot: true
|
||||
runAsUser: 2102
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
terminationMessagePolicy: FallbackToLogsOnError
|
||||
lifecycle:
|
||||
postStart:
|
||||
|
|
@ -1258,8 +1290,14 @@ spec:
|
|||
path: /ready
|
||||
port: 9996
|
||||
securityContext:
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
runAsNonRoot: true
|
||||
runAsUser: 2103
|
||||
allowPrivilegeEscalation: false
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
- args:
|
||||
- sp-validator
|
||||
- -log-level=info
|
||||
|
|
@ -1284,8 +1322,14 @@ spec:
|
|||
path: /ready
|
||||
port: 9997
|
||||
securityContext:
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
runAsNonRoot: true
|
||||
runAsUser: 2103
|
||||
allowPrivilegeEscalation: false
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
volumeMounts:
|
||||
- mountPath: /var/run/linkerd/tls
|
||||
name: sp-tls
|
||||
|
|
@ -1325,8 +1369,14 @@ spec:
|
|||
initialDelaySeconds: 10
|
||||
resources:
|
||||
securityContext:
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
runAsNonRoot: true
|
||||
runAsUser: 2103
|
||||
allowPrivilegeEscalation: false
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
volumeMounts:
|
||||
- mountPath: /var/run/linkerd/tls
|
||||
name: policy-tls
|
||||
|
|
@ -1437,8 +1487,14 @@ spec:
|
|||
- "-log-format=plain"
|
||||
- "-prometheus-url=http://prometheus.linkerd-viz.svc.cluster.local:9090"
|
||||
securityContext:
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
runAsNonRoot: true
|
||||
runAsUser: 2103
|
||||
allowPrivilegeEscalation: false
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
---
|
||||
###
|
||||
### Proxy Injector
|
||||
|
|
@ -1590,8 +1646,14 @@ spec:
|
|||
resources:
|
||||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
readOnlyRootFilesystem: true
|
||||
runAsNonRoot: true
|
||||
runAsUser: 2102
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
terminationMessagePolicy: FallbackToLogsOnError
|
||||
lifecycle:
|
||||
postStart:
|
||||
|
|
@ -1629,8 +1691,14 @@ spec:
|
|||
path: /ready
|
||||
port: 9995
|
||||
securityContext:
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
runAsNonRoot: true
|
||||
runAsUser: 2103
|
||||
allowPrivilegeEscalation: false
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
volumeMounts:
|
||||
- mountPath: /var/run/linkerd/config
|
||||
name: config
|
||||
|
|
|
|||
|
|
@ -12,6 +12,7 @@ metadata:
|
|||
linkerd.io/is-control-plane: "true"
|
||||
config.linkerd.io/admission-webhooks: disabled
|
||||
linkerd.io/control-plane-ns: linkerd
|
||||
pod-security.kubernetes.io/enforce: privileged
|
||||
---
|
||||
###
|
||||
### Identity Controller Service RBAC
|
||||
|
|
@ -631,6 +632,19 @@ data:
|
|||
tolerations: null
|
||||
webhookFailurePolicy: Ignore
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: Role
|
||||
metadata:
|
||||
annotations:
|
||||
linkerd.io/created-by: linkerd/cli dev-undefined
|
||||
name: ext-namespace-metadata-linkerd-config
|
||||
namespace: linkerd
|
||||
rules:
|
||||
- apiGroups: [""]
|
||||
resources: ["configmaps"]
|
||||
verbs: ["get"]
|
||||
resourceNames: ["linkerd-config"]
|
||||
---
|
||||
###
|
||||
### Identity Controller Service
|
||||
###
|
||||
|
|
@ -786,8 +800,14 @@ spec:
|
|||
path: /ready
|
||||
port: 9990
|
||||
securityContext:
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
runAsNonRoot: true
|
||||
runAsUser: 2103
|
||||
allowPrivilegeEscalation: false
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
volumeMounts:
|
||||
- mountPath: /var/run/linkerd/identity/issuer
|
||||
name: identity-issuer
|
||||
|
|
@ -901,8 +921,14 @@ spec:
|
|||
resources:
|
||||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
readOnlyRootFilesystem: true
|
||||
runAsNonRoot: true
|
||||
runAsUser: 2102
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
terminationMessagePolicy: FallbackToLogsOnError
|
||||
volumeMounts:
|
||||
- mountPath: /var/run/linkerd/identity/end-entity
|
||||
|
|
@ -1204,8 +1230,14 @@ spec:
|
|||
resources:
|
||||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
readOnlyRootFilesystem: true
|
||||
runAsNonRoot: true
|
||||
runAsUser: 2102
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
terminationMessagePolicy: FallbackToLogsOnError
|
||||
lifecycle:
|
||||
postStart:
|
||||
|
|
@ -1247,8 +1279,14 @@ spec:
|
|||
path: /ready
|
||||
port: 9996
|
||||
securityContext:
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
runAsNonRoot: true
|
||||
runAsUser: 2103
|
||||
allowPrivilegeEscalation: false
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
- args:
|
||||
- sp-validator
|
||||
- -log-level=info
|
||||
|
|
@ -1273,8 +1311,14 @@ spec:
|
|||
path: /ready
|
||||
port: 9997
|
||||
securityContext:
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
runAsNonRoot: true
|
||||
runAsUser: 2103
|
||||
allowPrivilegeEscalation: false
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
volumeMounts:
|
||||
- mountPath: /var/run/linkerd/tls
|
||||
name: sp-tls
|
||||
|
|
@ -1314,8 +1358,14 @@ spec:
|
|||
initialDelaySeconds: 10
|
||||
resources:
|
||||
securityContext:
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
runAsNonRoot: true
|
||||
runAsUser: 2103
|
||||
allowPrivilegeEscalation: false
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
volumeMounts:
|
||||
- mountPath: /var/run/linkerd/tls
|
||||
name: policy-tls
|
||||
|
|
@ -1419,8 +1469,14 @@ spec:
|
|||
- "-log-format=plain"
|
||||
- "-prometheus-url=http://prometheus.linkerd-viz.svc.cluster.local:9090"
|
||||
securityContext:
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
runAsNonRoot: true
|
||||
runAsUser: 2103
|
||||
allowPrivilegeEscalation: false
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
---
|
||||
###
|
||||
### Proxy Injector
|
||||
|
|
@ -1572,8 +1628,14 @@ spec:
|
|||
resources:
|
||||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
readOnlyRootFilesystem: true
|
||||
runAsNonRoot: true
|
||||
runAsUser: 2102
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
terminationMessagePolicy: FallbackToLogsOnError
|
||||
lifecycle:
|
||||
postStart:
|
||||
|
|
@ -1609,8 +1671,14 @@ spec:
|
|||
path: /ready
|
||||
port: 9995
|
||||
securityContext:
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
runAsNonRoot: true
|
||||
runAsUser: 2103
|
||||
allowPrivilegeEscalation: false
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
volumeMounts:
|
||||
- mountPath: /var/run/linkerd/config
|
||||
name: config
|
||||
|
|
|
|||
|
|
@ -12,6 +12,7 @@ metadata:
|
|||
linkerd.io/is-control-plane: "true"
|
||||
config.linkerd.io/admission-webhooks: disabled
|
||||
linkerd.io/control-plane-ns: linkerd
|
||||
pod-security.kubernetes.io/enforce: privileged
|
||||
---
|
||||
###
|
||||
### Identity Controller Service RBAC
|
||||
|
|
@ -667,6 +668,19 @@ data:
|
|||
tolerations: null
|
||||
webhookFailurePolicy: Fail
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: Role
|
||||
metadata:
|
||||
annotations:
|
||||
linkerd.io/created-by: linkerd/cli dev-undefined
|
||||
name: ext-namespace-metadata-linkerd-config
|
||||
namespace: linkerd
|
||||
rules:
|
||||
- apiGroups: [""]
|
||||
resources: ["configmaps"]
|
||||
verbs: ["get"]
|
||||
resourceNames: ["linkerd-config"]
|
||||
---
|
||||
###
|
||||
### Identity Controller Service
|
||||
###
|
||||
|
|
@ -863,8 +877,14 @@ spec:
|
|||
cpu: "100m"
|
||||
memory: "10Mi"
|
||||
securityContext:
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
runAsNonRoot: true
|
||||
runAsUser: 2103
|
||||
allowPrivilegeEscalation: false
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
volumeMounts:
|
||||
- mountPath: /var/run/linkerd/identity/issuer
|
||||
name: identity-issuer
|
||||
|
|
@ -983,8 +1003,14 @@ spec:
|
|||
memory: "20Mi"
|
||||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
readOnlyRootFilesystem: true
|
||||
runAsNonRoot: true
|
||||
runAsUser: 2102
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
terminationMessagePolicy: FallbackToLogsOnError
|
||||
volumeMounts:
|
||||
- mountPath: /var/run/linkerd/identity/end-entity
|
||||
|
|
@ -1335,8 +1361,14 @@ spec:
|
|||
memory: "20Mi"
|
||||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
readOnlyRootFilesystem: true
|
||||
runAsNonRoot: true
|
||||
runAsUser: 2102
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
terminationMessagePolicy: FallbackToLogsOnError
|
||||
lifecycle:
|
||||
postStart:
|
||||
|
|
@ -1386,8 +1418,14 @@ spec:
|
|||
cpu: "100m"
|
||||
memory: "50Mi"
|
||||
securityContext:
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
runAsNonRoot: true
|
||||
runAsUser: 2103
|
||||
allowPrivilegeEscalation: false
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
- args:
|
||||
- sp-validator
|
||||
- -log-level=info
|
||||
|
|
@ -1412,8 +1450,14 @@ spec:
|
|||
path: /ready
|
||||
port: 9997
|
||||
securityContext:
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
runAsNonRoot: true
|
||||
runAsUser: 2103
|
||||
allowPrivilegeEscalation: false
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
volumeMounts:
|
||||
- mountPath: /var/run/linkerd/tls
|
||||
name: sp-tls
|
||||
|
|
@ -1453,8 +1497,14 @@ spec:
|
|||
initialDelaySeconds: 10
|
||||
resources:
|
||||
securityContext:
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
runAsNonRoot: true
|
||||
runAsUser: 2103
|
||||
allowPrivilegeEscalation: false
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
volumeMounts:
|
||||
- mountPath: /var/run/linkerd/tls
|
||||
name: policy-tls
|
||||
|
|
@ -1571,8 +1621,14 @@ spec:
|
|||
cpu: "100m"
|
||||
memory: "50Mi"
|
||||
securityContext:
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
runAsNonRoot: true
|
||||
runAsUser: 2103
|
||||
allowPrivilegeEscalation: false
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
---
|
||||
###
|
||||
### Proxy Injector
|
||||
|
|
@ -1748,8 +1804,14 @@ spec:
|
|||
memory: "20Mi"
|
||||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
readOnlyRootFilesystem: true
|
||||
runAsNonRoot: true
|
||||
runAsUser: 2102
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
terminationMessagePolicy: FallbackToLogsOnError
|
||||
lifecycle:
|
||||
postStart:
|
||||
|
|
@ -1793,8 +1855,14 @@ spec:
|
|||
cpu: "100m"
|
||||
memory: "50Mi"
|
||||
securityContext:
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
runAsNonRoot: true
|
||||
runAsUser: 2103
|
||||
allowPrivilegeEscalation: false
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
volumeMounts:
|
||||
- mountPath: /var/run/linkerd/config
|
||||
name: config
|
||||
|
|
|
|||
|
|
@ -12,6 +12,7 @@ metadata:
|
|||
linkerd.io/is-control-plane: "true"
|
||||
config.linkerd.io/admission-webhooks: disabled
|
||||
linkerd.io/control-plane-ns: linkerd
|
||||
pod-security.kubernetes.io/enforce: privileged
|
||||
---
|
||||
###
|
||||
### Identity Controller Service RBAC
|
||||
|
|
@ -667,6 +668,19 @@ data:
|
|||
tolerations: null
|
||||
webhookFailurePolicy: Fail
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: Role
|
||||
metadata:
|
||||
annotations:
|
||||
linkerd.io/created-by: linkerd/cli dev-undefined
|
||||
name: ext-namespace-metadata-linkerd-config
|
||||
namespace: linkerd
|
||||
rules:
|
||||
- apiGroups: [""]
|
||||
resources: ["configmaps"]
|
||||
verbs: ["get"]
|
||||
resourceNames: ["linkerd-config"]
|
||||
---
|
||||
###
|
||||
### Identity Controller Service
|
||||
###
|
||||
|
|
@ -863,8 +877,14 @@ spec:
|
|||
cpu: "100m"
|
||||
memory: "10Mi"
|
||||
securityContext:
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
runAsNonRoot: true
|
||||
runAsUser: 2103
|
||||
allowPrivilegeEscalation: false
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
volumeMounts:
|
||||
- mountPath: /var/run/linkerd/identity/issuer
|
||||
name: identity-issuer
|
||||
|
|
@ -983,8 +1003,14 @@ spec:
|
|||
memory: "300Mi"
|
||||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
readOnlyRootFilesystem: true
|
||||
runAsNonRoot: true
|
||||
runAsUser: 2102
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
terminationMessagePolicy: FallbackToLogsOnError
|
||||
volumeMounts:
|
||||
- mountPath: /var/run/linkerd/identity/end-entity
|
||||
|
|
@ -1335,8 +1361,14 @@ spec:
|
|||
memory: "300Mi"
|
||||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
readOnlyRootFilesystem: true
|
||||
runAsNonRoot: true
|
||||
runAsUser: 2102
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
terminationMessagePolicy: FallbackToLogsOnError
|
||||
lifecycle:
|
||||
postStart:
|
||||
|
|
@ -1386,8 +1418,14 @@ spec:
|
|||
cpu: "100m"
|
||||
memory: "50Mi"
|
||||
securityContext:
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
runAsNonRoot: true
|
||||
runAsUser: 2103
|
||||
allowPrivilegeEscalation: false
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
- args:
|
||||
- sp-validator
|
||||
- -log-level=info
|
||||
|
|
@ -1412,8 +1450,14 @@ spec:
|
|||
path: /ready
|
||||
port: 9997
|
||||
securityContext:
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
runAsNonRoot: true
|
||||
runAsUser: 2103
|
||||
allowPrivilegeEscalation: false
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
volumeMounts:
|
||||
- mountPath: /var/run/linkerd/tls
|
||||
name: sp-tls
|
||||
|
|
@ -1453,8 +1497,14 @@ spec:
|
|||
initialDelaySeconds: 10
|
||||
resources:
|
||||
securityContext:
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
runAsNonRoot: true
|
||||
runAsUser: 2103
|
||||
allowPrivilegeEscalation: false
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
volumeMounts:
|
||||
- mountPath: /var/run/linkerd/tls
|
||||
name: policy-tls
|
||||
|
|
@ -1571,8 +1621,14 @@ spec:
|
|||
cpu: "100m"
|
||||
memory: "50Mi"
|
||||
securityContext:
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
runAsNonRoot: true
|
||||
runAsUser: 2103
|
||||
allowPrivilegeEscalation: false
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
---
|
||||
###
|
||||
### Proxy Injector
|
||||
|
|
@ -1748,8 +1804,14 @@ spec:
|
|||
memory: "300Mi"
|
||||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
readOnlyRootFilesystem: true
|
||||
runAsNonRoot: true
|
||||
runAsUser: 2102
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
terminationMessagePolicy: FallbackToLogsOnError
|
||||
lifecycle:
|
||||
postStart:
|
||||
|
|
@ -1793,8 +1855,14 @@ spec:
|
|||
cpu: "100m"
|
||||
memory: "50Mi"
|
||||
securityContext:
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
runAsNonRoot: true
|
||||
runAsUser: 2103
|
||||
allowPrivilegeEscalation: false
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
volumeMounts:
|
||||
- mountPath: /var/run/linkerd/config
|
||||
name: config
|
||||
|
|
|
|||
|
|
@ -12,6 +12,7 @@ metadata:
|
|||
linkerd.io/is-control-plane: "true"
|
||||
config.linkerd.io/admission-webhooks: disabled
|
||||
linkerd.io/control-plane-ns: linkerd
|
||||
pod-security.kubernetes.io/enforce: privileged
|
||||
---
|
||||
###
|
||||
### Identity Controller Service RBAC
|
||||
|
|
@ -562,6 +563,19 @@ data:
|
|||
tolerations: null
|
||||
webhookFailurePolicy: Ignore
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: Role
|
||||
metadata:
|
||||
annotations:
|
||||
linkerd.io/created-by: linkerd/cli dev-undefined
|
||||
name: ext-namespace-metadata-linkerd-config
|
||||
namespace: linkerd
|
||||
rules:
|
||||
- apiGroups: [""]
|
||||
resources: ["configmaps"]
|
||||
verbs: ["get"]
|
||||
resourceNames: ["linkerd-config"]
|
||||
---
|
||||
###
|
||||
### Identity Controller Service
|
||||
###
|
||||
|
|
@ -717,8 +731,14 @@ spec:
|
|||
path: /ready
|
||||
port: 9990
|
||||
securityContext:
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
runAsNonRoot: true
|
||||
runAsUser: 2103
|
||||
allowPrivilegeEscalation: false
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
volumeMounts:
|
||||
- mountPath: /var/run/linkerd/identity/issuer
|
||||
name: identity-issuer
|
||||
|
|
@ -832,8 +852,14 @@ spec:
|
|||
resources:
|
||||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
readOnlyRootFilesystem: true
|
||||
runAsNonRoot: true
|
||||
runAsUser: 2102
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
terminationMessagePolicy: FallbackToLogsOnError
|
||||
volumeMounts:
|
||||
- mountPath: /var/run/linkerd/identity/end-entity
|
||||
|
|
@ -1144,8 +1170,14 @@ spec:
|
|||
resources:
|
||||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
readOnlyRootFilesystem: true
|
||||
runAsNonRoot: true
|
||||
runAsUser: 2102
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
terminationMessagePolicy: FallbackToLogsOnError
|
||||
lifecycle:
|
||||
postStart:
|
||||
|
|
@ -1189,8 +1221,14 @@ spec:
|
|||
path: /ready
|
||||
port: 9996
|
||||
securityContext:
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
runAsNonRoot: true
|
||||
runAsUser: 2103
|
||||
allowPrivilegeEscalation: false
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
- args:
|
||||
- sp-validator
|
||||
- -log-level=info
|
||||
|
|
@ -1215,8 +1253,14 @@ spec:
|
|||
path: /ready
|
||||
port: 9997
|
||||
securityContext:
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
runAsNonRoot: true
|
||||
runAsUser: 2103
|
||||
allowPrivilegeEscalation: false
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
volumeMounts:
|
||||
- mountPath: /var/run/linkerd/tls
|
||||
name: sp-tls
|
||||
|
|
@ -1256,8 +1300,14 @@ spec:
|
|||
initialDelaySeconds: 10
|
||||
resources:
|
||||
securityContext:
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
runAsNonRoot: true
|
||||
runAsUser: 2103
|
||||
allowPrivilegeEscalation: false
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
volumeMounts:
|
||||
- mountPath: /var/run/linkerd/tls
|
||||
name: policy-tls
|
||||
|
|
@ -1471,8 +1521,14 @@ spec:
|
|||
resources:
|
||||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
readOnlyRootFilesystem: true
|
||||
runAsNonRoot: true
|
||||
runAsUser: 2102
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
terminationMessagePolicy: FallbackToLogsOnError
|
||||
lifecycle:
|
||||
postStart:
|
||||
|
|
@ -1510,8 +1566,14 @@ spec:
|
|||
path: /ready
|
||||
port: 9995
|
||||
securityContext:
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
runAsNonRoot: true
|
||||
runAsUser: 2103
|
||||
allowPrivilegeEscalation: false
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
volumeMounts:
|
||||
- mountPath: /var/run/linkerd/config
|
||||
name: config
|
||||
|
|
|
|||
|
|
@ -612,6 +612,21 @@ data:
|
|||
tolerations: null
|
||||
webhookFailurePolicy: Ignore
|
||||
---
|
||||
# Source: linkerd-control-plane/templates/config-rbac.yaml
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: Role
|
||||
metadata:
|
||||
annotations:
|
||||
linkerd.io/created-by: linkerd/helm linkerd-version
|
||||
name: ext-namespace-metadata-linkerd-config
|
||||
namespace: linkerd-dev
|
||||
rules:
|
||||
- apiGroups: [""]
|
||||
resources: ["configmaps"]
|
||||
verbs: ["get"]
|
||||
resourceNames: ["linkerd-config"]
|
||||
---
|
||||
# Source: linkerd-control-plane/templates/identity.yaml
|
||||
---
|
||||
###
|
||||
|
|
@ -758,8 +773,14 @@ spec:
|
|||
path: /ready
|
||||
port: 9990
|
||||
securityContext:
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
runAsNonRoot: true
|
||||
runAsUser: 2103
|
||||
allowPrivilegeEscalation: false
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
volumeMounts:
|
||||
- mountPath: /var/run/linkerd/identity/issuer
|
||||
name: identity-issuer
|
||||
|
|
@ -873,8 +894,14 @@ spec:
|
|||
resources:
|
||||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
readOnlyRootFilesystem: true
|
||||
runAsNonRoot: true
|
||||
runAsUser: 2102
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
terminationMessagePolicy: FallbackToLogsOnError
|
||||
volumeMounts:
|
||||
- mountPath: /var/run/linkerd/identity/end-entity
|
||||
|
|
@ -1188,8 +1215,14 @@ spec:
|
|||
resources:
|
||||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
readOnlyRootFilesystem: true
|
||||
runAsNonRoot: true
|
||||
runAsUser: 2102
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
terminationMessagePolicy: FallbackToLogsOnError
|
||||
lifecycle:
|
||||
postStart:
|
||||
|
|
@ -1233,8 +1266,14 @@ spec:
|
|||
path: /ready
|
||||
port: 9996
|
||||
securityContext:
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
runAsNonRoot: true
|
||||
runAsUser: 2103
|
||||
allowPrivilegeEscalation: false
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
- args:
|
||||
- sp-validator
|
||||
- -log-level=info
|
||||
|
|
@ -1259,8 +1298,14 @@ spec:
|
|||
path: /ready
|
||||
port: 9997
|
||||
securityContext:
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
runAsNonRoot: true
|
||||
runAsUser: 2103
|
||||
allowPrivilegeEscalation: false
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
volumeMounts:
|
||||
- mountPath: /var/run/linkerd/tls
|
||||
name: sp-tls
|
||||
|
|
@ -1300,8 +1345,14 @@ spec:
|
|||
initialDelaySeconds: 10
|
||||
resources:
|
||||
securityContext:
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
runAsNonRoot: true
|
||||
runAsUser: 2103
|
||||
allowPrivilegeEscalation: false
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
volumeMounts:
|
||||
- mountPath: /var/run/linkerd/tls
|
||||
name: policy-tls
|
||||
|
|
@ -1414,8 +1465,14 @@ spec:
|
|||
- "-log-format=plain"
|
||||
- "-prometheus-url=http://prometheus.linkerd-viz.svc.cluster.local:9090"
|
||||
securityContext:
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
runAsNonRoot: true
|
||||
runAsUser: 2103
|
||||
allowPrivilegeEscalation: false
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
---
|
||||
# Source: linkerd-control-plane/templates/proxy-injector.yaml
|
||||
---
|
||||
|
|
@ -1570,8 +1627,14 @@ spec:
|
|||
resources:
|
||||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
readOnlyRootFilesystem: true
|
||||
runAsNonRoot: true
|
||||
runAsUser: 2102
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
terminationMessagePolicy: FallbackToLogsOnError
|
||||
lifecycle:
|
||||
postStart:
|
||||
|
|
@ -1609,8 +1672,14 @@ spec:
|
|||
path: /ready
|
||||
port: 9995
|
||||
securityContext:
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
runAsNonRoot: true
|
||||
runAsUser: 2103
|
||||
allowPrivilegeEscalation: false
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
volumeMounts:
|
||||
- mountPath: /var/run/linkerd/config
|
||||
name: config
|
||||
|
|
|
|||
|
|
@ -648,6 +648,21 @@ data:
|
|||
tolerations: null
|
||||
webhookFailurePolicy: Fail
|
||||
---
|
||||
# Source: linkerd-control-plane/templates/config-rbac.yaml
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: Role
|
||||
metadata:
|
||||
annotations:
|
||||
linkerd.io/created-by: linkerd/helm linkerd-version
|
||||
name: ext-namespace-metadata-linkerd-config
|
||||
namespace: linkerd-dev
|
||||
rules:
|
||||
- apiGroups: [""]
|
||||
resources: ["configmaps"]
|
||||
verbs: ["get"]
|
||||
resourceNames: ["linkerd-config"]
|
||||
---
|
||||
# Source: linkerd-control-plane/templates/identity.yaml
|
||||
---
|
||||
###
|
||||
|
|
@ -835,8 +850,14 @@ spec:
|
|||
cpu: "100m"
|
||||
memory: "10Mi"
|
||||
securityContext:
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
runAsNonRoot: true
|
||||
runAsUser: 2103
|
||||
allowPrivilegeEscalation: false
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
volumeMounts:
|
||||
- mountPath: /var/run/linkerd/identity/issuer
|
||||
name: identity-issuer
|
||||
|
|
@ -955,8 +976,14 @@ spec:
|
|||
memory: "20Mi"
|
||||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
readOnlyRootFilesystem: true
|
||||
runAsNonRoot: true
|
||||
runAsUser: 2102
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
terminationMessagePolicy: FallbackToLogsOnError
|
||||
volumeMounts:
|
||||
- mountPath: /var/run/linkerd/identity/end-entity
|
||||
|
|
@ -1310,8 +1337,14 @@ spec:
|
|||
memory: "20Mi"
|
||||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
readOnlyRootFilesystem: true
|
||||
runAsNonRoot: true
|
||||
runAsUser: 2102
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
terminationMessagePolicy: FallbackToLogsOnError
|
||||
lifecycle:
|
||||
postStart:
|
||||
|
|
@ -1361,8 +1394,14 @@ spec:
|
|||
cpu: "100m"
|
||||
memory: "50Mi"
|
||||
securityContext:
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
runAsNonRoot: true
|
||||
runAsUser: 2103
|
||||
allowPrivilegeEscalation: false
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
- args:
|
||||
- sp-validator
|
||||
- -log-level=info
|
||||
|
|
@ -1387,8 +1426,14 @@ spec:
|
|||
path: /ready
|
||||
port: 9997
|
||||
securityContext:
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
runAsNonRoot: true
|
||||
runAsUser: 2103
|
||||
allowPrivilegeEscalation: false
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
volumeMounts:
|
||||
- mountPath: /var/run/linkerd/tls
|
||||
name: sp-tls
|
||||
|
|
@ -1428,8 +1473,14 @@ spec:
|
|||
initialDelaySeconds: 10
|
||||
resources:
|
||||
securityContext:
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
runAsNonRoot: true
|
||||
runAsUser: 2103
|
||||
allowPrivilegeEscalation: false
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
volumeMounts:
|
||||
- mountPath: /var/run/linkerd/tls
|
||||
name: policy-tls
|
||||
|
|
@ -1548,8 +1599,14 @@ spec:
|
|||
cpu: "100m"
|
||||
memory: "50Mi"
|
||||
securityContext:
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
runAsNonRoot: true
|
||||
runAsUser: 2103
|
||||
allowPrivilegeEscalation: false
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
---
|
||||
# Source: linkerd-control-plane/templates/proxy-injector.yaml
|
||||
---
|
||||
|
|
@ -1728,8 +1785,14 @@ spec:
|
|||
memory: "20Mi"
|
||||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
readOnlyRootFilesystem: true
|
||||
runAsNonRoot: true
|
||||
runAsUser: 2102
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
terminationMessagePolicy: FallbackToLogsOnError
|
||||
lifecycle:
|
||||
postStart:
|
||||
|
|
@ -1773,8 +1836,14 @@ spec:
|
|||
cpu: "100m"
|
||||
memory: "50Mi"
|
||||
securityContext:
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
runAsNonRoot: true
|
||||
runAsUser: 2103
|
||||
allowPrivilegeEscalation: false
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
volumeMounts:
|
||||
- mountPath: /var/run/linkerd/config
|
||||
name: config
|
||||
|
|
|
|||
|
|
@ -652,6 +652,21 @@ data:
|
|||
tolerations: null
|
||||
webhookFailurePolicy: Fail
|
||||
---
|
||||
# Source: linkerd-control-plane/templates/config-rbac.yaml
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: Role
|
||||
metadata:
|
||||
annotations:
|
||||
linkerd.io/created-by: linkerd/helm linkerd-version
|
||||
name: ext-namespace-metadata-linkerd-config
|
||||
namespace: linkerd-dev
|
||||
rules:
|
||||
- apiGroups: [""]
|
||||
resources: ["configmaps"]
|
||||
verbs: ["get"]
|
||||
resourceNames: ["linkerd-config"]
|
||||
---
|
||||
# Source: linkerd-control-plane/templates/identity.yaml
|
||||
---
|
||||
###
|
||||
|
|
@ -843,8 +858,14 @@ spec:
|
|||
cpu: "100m"
|
||||
memory: "10Mi"
|
||||
securityContext:
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
runAsNonRoot: true
|
||||
runAsUser: 2103
|
||||
allowPrivilegeEscalation: false
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
volumeMounts:
|
||||
- mountPath: /var/run/linkerd/identity/issuer
|
||||
name: identity-issuer
|
||||
|
|
@ -963,8 +984,14 @@ spec:
|
|||
memory: "20Mi"
|
||||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
readOnlyRootFilesystem: true
|
||||
runAsNonRoot: true
|
||||
runAsUser: 2102
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
terminationMessagePolicy: FallbackToLogsOnError
|
||||
volumeMounts:
|
||||
- mountPath: /var/run/linkerd/identity/end-entity
|
||||
|
|
@ -1322,8 +1349,14 @@ spec:
|
|||
memory: "20Mi"
|
||||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
readOnlyRootFilesystem: true
|
||||
runAsNonRoot: true
|
||||
runAsUser: 2102
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
terminationMessagePolicy: FallbackToLogsOnError
|
||||
lifecycle:
|
||||
postStart:
|
||||
|
|
@ -1373,8 +1406,14 @@ spec:
|
|||
cpu: "100m"
|
||||
memory: "50Mi"
|
||||
securityContext:
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
runAsNonRoot: true
|
||||
runAsUser: 2103
|
||||
allowPrivilegeEscalation: false
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
- args:
|
||||
- sp-validator
|
||||
- -log-level=info
|
||||
|
|
@ -1399,8 +1438,14 @@ spec:
|
|||
path: /ready
|
||||
port: 9997
|
||||
securityContext:
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
runAsNonRoot: true
|
||||
runAsUser: 2103
|
||||
allowPrivilegeEscalation: false
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
volumeMounts:
|
||||
- mountPath: /var/run/linkerd/tls
|
||||
name: sp-tls
|
||||
|
|
@ -1440,8 +1485,14 @@ spec:
|
|||
initialDelaySeconds: 10
|
||||
resources:
|
||||
securityContext:
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
runAsNonRoot: true
|
||||
runAsUser: 2103
|
||||
allowPrivilegeEscalation: false
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
volumeMounts:
|
||||
- mountPath: /var/run/linkerd/tls
|
||||
name: policy-tls
|
||||
|
|
@ -1564,8 +1615,14 @@ spec:
|
|||
cpu: "100m"
|
||||
memory: "50Mi"
|
||||
securityContext:
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
runAsNonRoot: true
|
||||
runAsUser: 2103
|
||||
allowPrivilegeEscalation: false
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
---
|
||||
# Source: linkerd-control-plane/templates/proxy-injector.yaml
|
||||
---
|
||||
|
|
@ -1748,8 +1805,14 @@ spec:
|
|||
memory: "20Mi"
|
||||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
readOnlyRootFilesystem: true
|
||||
runAsNonRoot: true
|
||||
runAsUser: 2102
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
terminationMessagePolicy: FallbackToLogsOnError
|
||||
lifecycle:
|
||||
postStart:
|
||||
|
|
@ -1793,8 +1856,14 @@ spec:
|
|||
cpu: "100m"
|
||||
memory: "50Mi"
|
||||
securityContext:
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
runAsNonRoot: true
|
||||
runAsUser: 2103
|
||||
allowPrivilegeEscalation: false
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
volumeMounts:
|
||||
- mountPath: /var/run/linkerd/config
|
||||
name: config
|
||||
|
|
|
|||
|
|
@ -638,6 +638,21 @@ data:
|
|||
tolerations: null
|
||||
webhookFailurePolicy: Fail
|
||||
---
|
||||
# Source: linkerd-control-plane/templates/config-rbac.yaml
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: Role
|
||||
metadata:
|
||||
annotations:
|
||||
linkerd.io/created-by: linkerd/helm linkerd-version
|
||||
name: ext-namespace-metadata-linkerd-config
|
||||
namespace: linkerd-dev
|
||||
rules:
|
||||
- apiGroups: [""]
|
||||
resources: ["configmaps"]
|
||||
verbs: ["get"]
|
||||
resourceNames: ["linkerd-config"]
|
||||
---
|
||||
# Source: linkerd-control-plane/templates/identity.yaml
|
||||
---
|
||||
###
|
||||
|
|
@ -825,8 +840,14 @@ spec:
|
|||
cpu: "100m"
|
||||
memory: "10Mi"
|
||||
securityContext:
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
runAsNonRoot: true
|
||||
runAsUser: 2103
|
||||
allowPrivilegeEscalation: false
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
volumeMounts:
|
||||
- mountPath: /var/run/linkerd/identity/issuer
|
||||
name: identity-issuer
|
||||
|
|
@ -945,8 +966,14 @@ spec:
|
|||
memory: "20Mi"
|
||||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
readOnlyRootFilesystem: true
|
||||
runAsNonRoot: true
|
||||
runAsUser: 2102
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
terminationMessagePolicy: FallbackToLogsOnError
|
||||
volumeMounts:
|
||||
- mountPath: /var/run/linkerd/identity/end-entity
|
||||
|
|
@ -1300,8 +1327,14 @@ spec:
|
|||
memory: "20Mi"
|
||||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
readOnlyRootFilesystem: true
|
||||
runAsNonRoot: true
|
||||
runAsUser: 2102
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
terminationMessagePolicy: FallbackToLogsOnError
|
||||
lifecycle:
|
||||
postStart:
|
||||
|
|
@ -1351,8 +1384,14 @@ spec:
|
|||
cpu: "100m"
|
||||
memory: "50Mi"
|
||||
securityContext:
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
runAsNonRoot: true
|
||||
runAsUser: 2103
|
||||
allowPrivilegeEscalation: false
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
- args:
|
||||
- sp-validator
|
||||
- -log-level=info
|
||||
|
|
@ -1377,8 +1416,14 @@ spec:
|
|||
path: /ready
|
||||
port: 9997
|
||||
securityContext:
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
runAsNonRoot: true
|
||||
runAsUser: 2103
|
||||
allowPrivilegeEscalation: false
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
volumeMounts:
|
||||
- mountPath: /var/run/linkerd/tls
|
||||
name: sp-tls
|
||||
|
|
@ -1418,8 +1463,14 @@ spec:
|
|||
initialDelaySeconds: 10
|
||||
resources:
|
||||
securityContext:
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
runAsNonRoot: true
|
||||
runAsUser: 2103
|
||||
allowPrivilegeEscalation: false
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
volumeMounts:
|
||||
- mountPath: /var/run/linkerd/tls
|
||||
name: policy-tls
|
||||
|
|
@ -1538,8 +1589,14 @@ spec:
|
|||
cpu: "100m"
|
||||
memory: "50Mi"
|
||||
securityContext:
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
runAsNonRoot: true
|
||||
runAsUser: 2103
|
||||
allowPrivilegeEscalation: false
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
---
|
||||
# Source: linkerd-control-plane/templates/proxy-injector.yaml
|
||||
---
|
||||
|
|
@ -1718,8 +1775,14 @@ spec:
|
|||
memory: "20Mi"
|
||||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
readOnlyRootFilesystem: true
|
||||
runAsNonRoot: true
|
||||
runAsUser: 2102
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
terminationMessagePolicy: FallbackToLogsOnError
|
||||
lifecycle:
|
||||
postStart:
|
||||
|
|
@ -1763,8 +1826,14 @@ spec:
|
|||
cpu: "100m"
|
||||
memory: "50Mi"
|
||||
securityContext:
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
runAsNonRoot: true
|
||||
runAsUser: 2103
|
||||
allowPrivilegeEscalation: false
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
volumeMounts:
|
||||
- mountPath: /var/run/linkerd/config
|
||||
name: config
|
||||
|
|
|
|||
|
|
@ -12,6 +12,7 @@ metadata:
|
|||
linkerd.io/is-control-plane: "true"
|
||||
config.linkerd.io/admission-webhooks: disabled
|
||||
linkerd.io/control-plane-ns: linkerd
|
||||
pod-security.kubernetes.io/enforce: restricted
|
||||
---
|
||||
###
|
||||
### Identity Controller Service RBAC
|
||||
|
|
@ -631,6 +632,19 @@ data:
|
|||
tolerations: null
|
||||
webhookFailurePolicy: Ignore
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: Role
|
||||
metadata:
|
||||
annotations:
|
||||
linkerd.io/created-by: linkerd/cli dev-undefined
|
||||
name: ext-namespace-metadata-linkerd-config
|
||||
namespace: linkerd
|
||||
rules:
|
||||
- apiGroups: [""]
|
||||
resources: ["configmaps"]
|
||||
verbs: ["get"]
|
||||
resourceNames: ["linkerd-config"]
|
||||
---
|
||||
###
|
||||
### Identity Controller Service
|
||||
###
|
||||
|
|
@ -786,8 +800,14 @@ spec:
|
|||
path: /ready
|
||||
port: 9990
|
||||
securityContext:
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
runAsNonRoot: true
|
||||
runAsUser: 2103
|
||||
allowPrivilegeEscalation: false
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
volumeMounts:
|
||||
- mountPath: /var/run/linkerd/identity/issuer
|
||||
name: identity-issuer
|
||||
|
|
@ -901,8 +921,14 @@ spec:
|
|||
resources:
|
||||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
readOnlyRootFilesystem: true
|
||||
runAsNonRoot: true
|
||||
runAsUser: 2102
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
terminationMessagePolicy: FallbackToLogsOnError
|
||||
volumeMounts:
|
||||
- mountPath: /var/run/linkerd/identity/end-entity
|
||||
|
|
@ -914,10 +940,14 @@ spec:
|
|||
image: cr.l5d.io/linkerd/proxy:install-proxy-version
|
||||
imagePullPolicy: IfNotPresent
|
||||
securityContext:
|
||||
runAsUser: 65534
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- all
|
||||
- ALL
|
||||
runAsNonRoot: true
|
||||
runAsUser: 65534
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
command:
|
||||
- /usr/lib/linkerd/linkerd2-network-validator
|
||||
args:
|
||||
|
|
@ -1196,8 +1226,14 @@ spec:
|
|||
resources:
|
||||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
readOnlyRootFilesystem: true
|
||||
runAsNonRoot: true
|
||||
runAsUser: 2102
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
terminationMessagePolicy: FallbackToLogsOnError
|
||||
lifecycle:
|
||||
postStart:
|
||||
|
|
@ -1241,8 +1277,14 @@ spec:
|
|||
path: /ready
|
||||
port: 9996
|
||||
securityContext:
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
runAsNonRoot: true
|
||||
runAsUser: 2103
|
||||
allowPrivilegeEscalation: false
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
- args:
|
||||
- sp-validator
|
||||
- -log-level=info
|
||||
|
|
@ -1267,8 +1309,14 @@ spec:
|
|||
path: /ready
|
||||
port: 9997
|
||||
securityContext:
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
runAsNonRoot: true
|
||||
runAsUser: 2103
|
||||
allowPrivilegeEscalation: false
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
volumeMounts:
|
||||
- mountPath: /var/run/linkerd/tls
|
||||
name: sp-tls
|
||||
|
|
@ -1308,8 +1356,14 @@ spec:
|
|||
initialDelaySeconds: 10
|
||||
resources:
|
||||
securityContext:
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
runAsNonRoot: true
|
||||
runAsUser: 2103
|
||||
allowPrivilegeEscalation: false
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
volumeMounts:
|
||||
- mountPath: /var/run/linkerd/tls
|
||||
name: policy-tls
|
||||
|
|
@ -1319,10 +1373,14 @@ spec:
|
|||
image: cr.l5d.io/linkerd/proxy:install-proxy-version
|
||||
imagePullPolicy: IfNotPresent
|
||||
securityContext:
|
||||
runAsUser: 65534
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- all
|
||||
- ALL
|
||||
runAsNonRoot: true
|
||||
runAsUser: 65534
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
command:
|
||||
- /usr/lib/linkerd/linkerd2-network-validator
|
||||
args:
|
||||
|
|
@ -1403,8 +1461,14 @@ spec:
|
|||
- "-log-format=plain"
|
||||
- "-prometheus-url=http://prometheus.linkerd-viz.svc.cluster.local:9090"
|
||||
securityContext:
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
runAsNonRoot: true
|
||||
runAsUser: 2103
|
||||
allowPrivilegeEscalation: false
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
---
|
||||
###
|
||||
### Proxy Injector
|
||||
|
|
@ -1556,8 +1620,14 @@ spec:
|
|||
resources:
|
||||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
readOnlyRootFilesystem: true
|
||||
runAsNonRoot: true
|
||||
runAsUser: 2102
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
terminationMessagePolicy: FallbackToLogsOnError
|
||||
lifecycle:
|
||||
postStart:
|
||||
|
|
@ -1595,8 +1665,14 @@ spec:
|
|||
path: /ready
|
||||
port: 9995
|
||||
securityContext:
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
runAsNonRoot: true
|
||||
runAsUser: 2103
|
||||
allowPrivilegeEscalation: false
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
volumeMounts:
|
||||
- mountPath: /var/run/linkerd/config
|
||||
name: config
|
||||
|
|
@ -1610,10 +1686,14 @@ spec:
|
|||
image: cr.l5d.io/linkerd/proxy:install-proxy-version
|
||||
imagePullPolicy: IfNotPresent
|
||||
securityContext:
|
||||
runAsUser: 65534
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- all
|
||||
- ALL
|
||||
runAsNonRoot: true
|
||||
runAsUser: 65534
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
command:
|
||||
- /usr/lib/linkerd/linkerd2-network-validator
|
||||
args:
|
||||
|
|
|
|||
|
|
@ -12,6 +12,7 @@ metadata:
|
|||
linkerd.io/is-control-plane: "true"
|
||||
config.linkerd.io/admission-webhooks: disabled
|
||||
linkerd.io/control-plane-ns: linkerd
|
||||
pod-security.kubernetes.io/enforce: privileged
|
||||
---
|
||||
###
|
||||
### Identity Controller Service RBAC
|
||||
|
|
@ -611,6 +612,19 @@ data:
|
|||
tolerations: null
|
||||
webhookFailurePolicy: WebhookFailurePolicy
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: Role
|
||||
metadata:
|
||||
annotations:
|
||||
linkerd.io/created-by: CliVersion
|
||||
name: ext-namespace-metadata-linkerd-config
|
||||
namespace: linkerd
|
||||
rules:
|
||||
- apiGroups: [""]
|
||||
resources: ["configmaps"]
|
||||
verbs: ["get"]
|
||||
resourceNames: ["linkerd-config"]
|
||||
---
|
||||
###
|
||||
### Identity Controller Service
|
||||
###
|
||||
|
|
@ -762,8 +776,14 @@ spec:
|
|||
path: /ready
|
||||
port: 9990
|
||||
securityContext:
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
runAsNonRoot: true
|
||||
runAsUser: 2103
|
||||
allowPrivilegeEscalation: false
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
volumeMounts:
|
||||
- mountPath: /var/run/linkerd/identity/issuer
|
||||
name: identity-issuer
|
||||
|
|
@ -879,8 +899,14 @@ spec:
|
|||
memory: "memory-request"
|
||||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
readOnlyRootFilesystem: true
|
||||
runAsNonRoot: true
|
||||
runAsUser: 2102
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
terminationMessagePolicy: FallbackToLogsOnError
|
||||
volumeMounts:
|
||||
- mountPath: /var/run/linkerd/identity/end-entity
|
||||
|
|
@ -1188,8 +1214,14 @@ spec:
|
|||
memory: "memory-request"
|
||||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
readOnlyRootFilesystem: true
|
||||
runAsNonRoot: true
|
||||
runAsUser: 2102
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
terminationMessagePolicy: FallbackToLogsOnError
|
||||
lifecycle:
|
||||
postStart:
|
||||
|
|
@ -1233,8 +1265,14 @@ spec:
|
|||
path: /ready
|
||||
port: 9996
|
||||
securityContext:
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
runAsNonRoot: true
|
||||
runAsUser: 2103
|
||||
allowPrivilegeEscalation: false
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
- args:
|
||||
- sp-validator
|
||||
- -log-level=ControllerLogLevel
|
||||
|
|
@ -1259,8 +1297,14 @@ spec:
|
|||
path: /ready
|
||||
port: 9997
|
||||
securityContext:
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
runAsNonRoot: true
|
||||
runAsUser: 2103
|
||||
allowPrivilegeEscalation: false
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
volumeMounts:
|
||||
- mountPath: /var/run/linkerd/tls
|
||||
name: sp-tls
|
||||
|
|
@ -1306,8 +1350,14 @@ spec:
|
|||
cpu: "cpu-request"
|
||||
memory: "memory-request"
|
||||
securityContext:
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
runAsNonRoot: true
|
||||
runAsUser: 2103
|
||||
allowPrivilegeEscalation: false
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
volumeMounts:
|
||||
- mountPath: /var/run/linkerd/tls
|
||||
name: policy-tls
|
||||
|
|
@ -1418,8 +1468,14 @@ spec:
|
|||
- "-log-format=ControllerLogFormat"
|
||||
- "-prometheus-url=http://prometheus.linkerd-viz.svc.cluster.local:9090"
|
||||
securityContext:
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
runAsNonRoot: true
|
||||
runAsUser: 2103
|
||||
allowPrivilegeEscalation: false
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
---
|
||||
###
|
||||
### Proxy Injector
|
||||
|
|
@ -1569,8 +1625,14 @@ spec:
|
|||
memory: "memory-request"
|
||||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
readOnlyRootFilesystem: true
|
||||
runAsNonRoot: true
|
||||
runAsUser: 2102
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
terminationMessagePolicy: FallbackToLogsOnError
|
||||
lifecycle:
|
||||
postStart:
|
||||
|
|
@ -1608,8 +1670,14 @@ spec:
|
|||
path: /ready
|
||||
port: 9995
|
||||
securityContext:
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
runAsNonRoot: true
|
||||
runAsUser: 2103
|
||||
allowPrivilegeEscalation: false
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
volumeMounts:
|
||||
- mountPath: /var/run/linkerd/config
|
||||
name: config
|
||||
|
|
|
|||
|
|
@ -12,6 +12,7 @@ metadata:
|
|||
linkerd.io/is-control-plane: "true"
|
||||
config.linkerd.io/admission-webhooks: disabled
|
||||
linkerd.io/control-plane-ns: linkerd
|
||||
pod-security.kubernetes.io/enforce: privileged
|
||||
---
|
||||
###
|
||||
### Identity Controller Service RBAC
|
||||
|
|
@ -631,6 +632,19 @@ data:
|
|||
tolerations: null
|
||||
webhookFailurePolicy: Ignore
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: Role
|
||||
metadata:
|
||||
annotations:
|
||||
linkerd.io/created-by: linkerd/cli dev-undefined
|
||||
name: ext-namespace-metadata-linkerd-config
|
||||
namespace: linkerd
|
||||
rules:
|
||||
- apiGroups: [""]
|
||||
resources: ["configmaps"]
|
||||
verbs: ["get"]
|
||||
resourceNames: ["linkerd-config"]
|
||||
---
|
||||
###
|
||||
### Identity Controller Service
|
||||
###
|
||||
|
|
@ -786,8 +800,14 @@ spec:
|
|||
path: /ready
|
||||
port: 9990
|
||||
securityContext:
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
runAsNonRoot: true
|
||||
runAsUser: 2103
|
||||
allowPrivilegeEscalation: false
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
volumeMounts:
|
||||
- mountPath: /var/run/linkerd/identity/issuer
|
||||
name: identity-issuer
|
||||
|
|
@ -901,8 +921,14 @@ spec:
|
|||
resources:
|
||||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
readOnlyRootFilesystem: true
|
||||
runAsNonRoot: true
|
||||
runAsUser: 2102
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
terminationMessagePolicy: FallbackToLogsOnError
|
||||
volumeMounts:
|
||||
- mountPath: /var/run/linkerd/identity/end-entity
|
||||
|
|
@ -1213,8 +1239,14 @@ spec:
|
|||
resources:
|
||||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
readOnlyRootFilesystem: true
|
||||
runAsNonRoot: true
|
||||
runAsUser: 2102
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
terminationMessagePolicy: FallbackToLogsOnError
|
||||
lifecycle:
|
||||
postStart:
|
||||
|
|
@ -1258,8 +1290,14 @@ spec:
|
|||
path: /ready
|
||||
port: 9996
|
||||
securityContext:
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
runAsNonRoot: true
|
||||
runAsUser: 2103
|
||||
allowPrivilegeEscalation: false
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
- args:
|
||||
- sp-validator
|
||||
- -log-level=info
|
||||
|
|
@ -1284,8 +1322,14 @@ spec:
|
|||
path: /ready
|
||||
port: 9997
|
||||
securityContext:
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
runAsNonRoot: true
|
||||
runAsUser: 2103
|
||||
allowPrivilegeEscalation: false
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
volumeMounts:
|
||||
- mountPath: /var/run/linkerd/tls
|
||||
name: sp-tls
|
||||
|
|
@ -1325,8 +1369,14 @@ spec:
|
|||
initialDelaySeconds: 10
|
||||
resources:
|
||||
securityContext:
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
runAsNonRoot: true
|
||||
runAsUser: 2103
|
||||
allowPrivilegeEscalation: false
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
volumeMounts:
|
||||
- mountPath: /var/run/linkerd/tls
|
||||
name: policy-tls
|
||||
|
|
@ -1437,8 +1487,14 @@ spec:
|
|||
- "-log-format=plain"
|
||||
- "-prometheus-url=http://prometheus.linkerd-viz.svc.cluster.local:9090"
|
||||
securityContext:
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
runAsNonRoot: true
|
||||
runAsUser: 2103
|
||||
allowPrivilegeEscalation: false
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
---
|
||||
###
|
||||
### Proxy Injector
|
||||
|
|
@ -1590,8 +1646,14 @@ spec:
|
|||
resources:
|
||||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
readOnlyRootFilesystem: true
|
||||
runAsNonRoot: true
|
||||
runAsUser: 2102
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
terminationMessagePolicy: FallbackToLogsOnError
|
||||
lifecycle:
|
||||
postStart:
|
||||
|
|
@ -1629,8 +1691,14 @@ spec:
|
|||
path: /ready
|
||||
port: 9995
|
||||
securityContext:
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
runAsNonRoot: true
|
||||
runAsUser: 2103
|
||||
allowPrivilegeEscalation: false
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
volumeMounts:
|
||||
- mountPath: /var/run/linkerd/config
|
||||
name: config
|
||||
|
|
|
|||
|
|
@ -12,6 +12,7 @@ metadata:
|
|||
linkerd.io/is-control-plane: "true"
|
||||
config.linkerd.io/admission-webhooks: disabled
|
||||
linkerd.io/control-plane-ns: linkerd
|
||||
pod-security.kubernetes.io/enforce: privileged
|
||||
---
|
||||
###
|
||||
### Identity Controller Service RBAC
|
||||
|
|
@ -631,6 +632,19 @@ data:
|
|||
tolerations: null
|
||||
webhookFailurePolicy: Ignore
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: Role
|
||||
metadata:
|
||||
annotations:
|
||||
linkerd.io/created-by: linkerd/cli dev-undefined
|
||||
name: ext-namespace-metadata-linkerd-config
|
||||
namespace: linkerd
|
||||
rules:
|
||||
- apiGroups: [""]
|
||||
resources: ["configmaps"]
|
||||
verbs: ["get"]
|
||||
resourceNames: ["linkerd-config"]
|
||||
---
|
||||
###
|
||||
### Identity Controller Service
|
||||
###
|
||||
|
|
@ -786,8 +800,14 @@ spec:
|
|||
path: /ready
|
||||
port: 9990
|
||||
securityContext:
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
runAsNonRoot: true
|
||||
runAsUser: 2103
|
||||
allowPrivilegeEscalation: false
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
volumeMounts:
|
||||
- mountPath: /var/run/linkerd/identity/issuer
|
||||
name: identity-issuer
|
||||
|
|
@ -901,8 +921,14 @@ spec:
|
|||
resources:
|
||||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
readOnlyRootFilesystem: true
|
||||
runAsNonRoot: true
|
||||
runAsUser: 2102
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
terminationMessagePolicy: FallbackToLogsOnError
|
||||
volumeMounts:
|
||||
- mountPath: /var/run/linkerd/identity/end-entity
|
||||
|
|
@ -1213,8 +1239,14 @@ spec:
|
|||
resources:
|
||||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
readOnlyRootFilesystem: true
|
||||
runAsNonRoot: true
|
||||
runAsUser: 2102
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
terminationMessagePolicy: FallbackToLogsOnError
|
||||
lifecycle:
|
||||
postStart:
|
||||
|
|
@ -1258,8 +1290,14 @@ spec:
|
|||
path: /ready
|
||||
port: 9996
|
||||
securityContext:
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
runAsNonRoot: true
|
||||
runAsUser: 2103
|
||||
allowPrivilegeEscalation: false
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
- args:
|
||||
- sp-validator
|
||||
- -log-level=info
|
||||
|
|
@ -1284,8 +1322,14 @@ spec:
|
|||
path: /ready
|
||||
port: 9997
|
||||
securityContext:
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
runAsNonRoot: true
|
||||
runAsUser: 2103
|
||||
allowPrivilegeEscalation: false
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
volumeMounts:
|
||||
- mountPath: /var/run/linkerd/tls
|
||||
name: sp-tls
|
||||
|
|
@ -1325,8 +1369,14 @@ spec:
|
|||
initialDelaySeconds: 10
|
||||
resources:
|
||||
securityContext:
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
runAsNonRoot: true
|
||||
runAsUser: 2103
|
||||
allowPrivilegeEscalation: false
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
volumeMounts:
|
||||
- mountPath: /var/run/linkerd/tls
|
||||
name: policy-tls
|
||||
|
|
@ -1437,8 +1487,14 @@ spec:
|
|||
- "-log-format=plain"
|
||||
- "-prometheus-url=http://prometheus.linkerd-viz.svc.example.com:9090"
|
||||
securityContext:
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
runAsNonRoot: true
|
||||
runAsUser: 2103
|
||||
allowPrivilegeEscalation: false
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
---
|
||||
###
|
||||
### Proxy Injector
|
||||
|
|
@ -1590,8 +1646,14 @@ spec:
|
|||
resources:
|
||||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
readOnlyRootFilesystem: true
|
||||
runAsNonRoot: true
|
||||
runAsUser: 2102
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
terminationMessagePolicy: FallbackToLogsOnError
|
||||
lifecycle:
|
||||
postStart:
|
||||
|
|
@ -1629,8 +1691,14 @@ spec:
|
|||
path: /ready
|
||||
port: 9995
|
||||
securityContext:
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
runAsNonRoot: true
|
||||
runAsUser: 2103
|
||||
allowPrivilegeEscalation: false
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
volumeMounts:
|
||||
- mountPath: /var/run/linkerd/config
|
||||
name: config
|
||||
|
|
|
|||
|
|
@ -338,7 +338,11 @@
|
|||
"securityContext": {
|
||||
"allowPrivilegeEscalation": false,
|
||||
"readOnlyRootFilesystem": true,
|
||||
"runAsUser": 2102
|
||||
"runAsNonRoot": true,
|
||||
"runAsUser": 2102,
|
||||
"seccompProfile": {
|
||||
"type": "RuntimeDefault"
|
||||
}
|
||||
},
|
||||
"terminationMessagePolicy": "FallbackToLogsOnError",
|
||||
"volumeMounts": [
|
||||
|
|
|
|||
|
|
@ -346,7 +346,11 @@
|
|||
"securityContext": {
|
||||
"allowPrivilegeEscalation": false,
|
||||
"readOnlyRootFilesystem": true,
|
||||
"runAsUser": 2102
|
||||
"runAsNonRoot": true,
|
||||
"runAsUser": 2102,
|
||||
"seccompProfile": {
|
||||
"type": "RuntimeDefault"
|
||||
}
|
||||
},
|
||||
"terminationMessagePolicy": "FallbackToLogsOnError",
|
||||
"volumeMounts": [
|
||||
|
|
|
|||
|
|
@ -328,7 +328,11 @@
|
|||
"securityContext": {
|
||||
"allowPrivilegeEscalation": false,
|
||||
"readOnlyRootFilesystem": true,
|
||||
"runAsUser": 2102
|
||||
"runAsNonRoot": true,
|
||||
"runAsUser": 2102,
|
||||
"seccompProfile": {
|
||||
"type": "RuntimeDefault"
|
||||
}
|
||||
},
|
||||
"terminationMessagePolicy": "FallbackToLogsOnError",
|
||||
"volumeMounts": [
|
||||
|
|
|
|||
|
|
@ -63,7 +63,14 @@ spec:
|
|||
path: /ready
|
||||
port: 9995
|
||||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
runAsNonRoot: true
|
||||
runAsUser: {{.Values.webhook.UID | default .Values.defaultUID}}
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
volumeMounts:
|
||||
- mountPath: /var/run/linkerd/tls
|
||||
name: tls
|
||||
|
|
|
|||
|
|
@ -50,3 +50,25 @@ subjects:
|
|||
- kind: ServiceAccount
|
||||
name: namespace-metadata
|
||||
namespace: {{.Release.Namespace}}
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: RoleBinding
|
||||
metadata:
|
||||
namespace: {{ .Values.linkerdNamespace }}
|
||||
{{- with .Values.commonLabels }}
|
||||
labels: {{ toYaml . | trim | nindent 4 }}
|
||||
{{- end }}
|
||||
annotations:
|
||||
{{ include "partials.annotations.created-by" . }}
|
||||
"helm.sh/hook": post-install
|
||||
"helm.sh/hook-weight": "0"
|
||||
"helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
|
||||
name: jaeger-namespace-metadata-linkerd-config
|
||||
roleRef:
|
||||
kind: Role
|
||||
name: ext-namespace-metadata-linkerd-config
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: namespace-metadata
|
||||
namespace: {{.Release.Namespace}}
|
||||
|
|
|
|||
|
|
@ -5,7 +5,7 @@ metadata:
|
|||
annotations:
|
||||
{{ include "partials.annotations.created-by" . }}
|
||||
"helm.sh/hook": post-install
|
||||
"helm.sh/hook-weight": "0"
|
||||
"helm.sh/hook-weight": "1"
|
||||
"helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
|
||||
labels:
|
||||
app.kubernetes.io/name: namespace-metadata
|
||||
|
|
@ -33,7 +33,14 @@ spec:
|
|||
imagePullPolicy: {{.Values.namespaceMetadata.image.pullPolicy | default .Values.imagePullPolicy}}
|
||||
command: ["/bin/sh"]
|
||||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
runAsNonRoot: true
|
||||
runAsUser: {{.Values.defaultUID}}
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
args:
|
||||
- -c
|
||||
- |
|
||||
|
|
@ -46,7 +53,19 @@ spec:
|
|||
ops="$ops{\"op\": \"add\",\"path\": \"/metadata/labels\",\"value\": {}},"
|
||||
fi
|
||||
|
||||
ops="$ops{\"op\": \"add\", \"path\": \"/metadata/labels/linkerd.io~1extension\", \"value\": \"jaeger\"}"
|
||||
ops="$ops{\"op\": \"add\", \"path\": \"/metadata/labels/linkerd.io~1extension\", \"value\": \"jaeger\"},"
|
||||
|
||||
# grab the latest occurence of cniEnabled in linkerd-config, to
|
||||
# discard value in the last-applied-configuration annotation
|
||||
cniEnabled=$(curl -kfv -H "Authorization: Bearer $token" \
|
||||
"https://kubernetes.default.svc/api/v1/namespaces/{{.Values.linkerdNamespace}}/configmaps/linkerd-config" | \
|
||||
sed -r -n 's/.*cniEnabled: (\w+).*/\1/gp' | tail -1)
|
||||
|
||||
level="privileged"
|
||||
if [ "$cniEnabled" = "true" ]; then
|
||||
level="restricted"
|
||||
fi
|
||||
ops="$ops{\"op\": \"add\", \"path\": \"/metadata/labels/pod-security.kubernetes.io~1enforce\", \"value\": \"$level\"}"
|
||||
|
||||
curl -kfv -XPATCH -H "Content-Type: application/json-patch+json" -H "Authorization: Bearer $token" \
|
||||
-d "[$ops]" \
|
||||
|
|
|
|||
|
|
@ -6,4 +6,6 @@ metadata:
|
|||
name: {{.Release.Namespace}}
|
||||
labels:
|
||||
linkerd.io/extension: jaeger
|
||||
{{- /* linkerd-init requires extended capabilities and so requires priviledged mode */}}
|
||||
pod-security.kubernetes.io/enforce: {{ if .Values.cniEnabled }}restricted{{ else }}privileged{{ end }}
|
||||
{{ end -}}
|
||||
|
|
|
|||
|
|
@ -127,7 +127,14 @@ spec:
|
|||
{{- include "partials.resources" .Values.collector.resources | nindent 8 }}
|
||||
{{- end }}
|
||||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
runAsNonRoot: true
|
||||
runAsUser: {{.Values.collector.UID | default .Values.defaultUID}}
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
volumeMounts:
|
||||
- mountPath: /conf
|
||||
name: collector-config-val
|
||||
|
|
@ -221,7 +228,14 @@ spec:
|
|||
{{- include "partials.resources" .Values.jaeger.resources | nindent 8 }}
|
||||
{{- end }}
|
||||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
runAsNonRoot: true
|
||||
runAsUser: {{.Values.jaeger.UID | default .Values.defaultUID}}
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
dnsPolicy: ClusterFirst
|
||||
serviceAccountName: jaeger
|
||||
{{ end -}}
|
||||
|
|
|
|||
|
|
@ -14,7 +14,6 @@ import (
|
|||
"github.com/linkerd/linkerd2/pkg/cmd"
|
||||
"github.com/linkerd/linkerd2/pkg/flags"
|
||||
"github.com/linkerd/linkerd2/pkg/healthcheck"
|
||||
api "github.com/linkerd/linkerd2/pkg/public"
|
||||
"github.com/spf13/cobra"
|
||||
"helm.sh/helm/v3/pkg/chart/loader"
|
||||
"helm.sh/helm/v3/pkg/chartutil"
|
||||
|
|
@ -38,6 +37,7 @@ var (
|
|||
|
||||
func newCmdInstall() *cobra.Command {
|
||||
var registry string
|
||||
var cniEnabled bool
|
||||
var skipChecks bool
|
||||
var ignoreCluster bool
|
||||
var wait time.Duration
|
||||
|
|
@ -59,7 +59,7 @@ A full list of configurable values can be found at https://www.github.com/linker
|
|||
RunE: func(cmd *cobra.Command, args []string) error {
|
||||
if !skipChecks && !ignoreCluster {
|
||||
// Wait for the core control-plane to be up and running
|
||||
api.CheckPublicAPIClientOrRetryOrExit(healthcheck.Options{
|
||||
hc := healthcheck.NewWithCoreChecks(&healthcheck.Options{
|
||||
ControlPlaneNamespace: controlPlaneNamespace,
|
||||
KubeConfig: kubeconfigPath,
|
||||
KubeContext: kubeContext,
|
||||
|
|
@ -68,9 +68,11 @@ A full list of configurable values can be found at https://www.github.com/linker
|
|||
APIAddr: apiAddr,
|
||||
RetryDeadline: time.Now().Add(wait),
|
||||
})
|
||||
hc.RunWithExitOnError()
|
||||
cniEnabled = hc.CNIEnabled
|
||||
}
|
||||
|
||||
return install(os.Stdout, options, registry)
|
||||
return install(os.Stdout, options, registry, cniEnabled)
|
||||
},
|
||||
}
|
||||
|
||||
|
|
@ -86,7 +88,7 @@ A full list of configurable values can be found at https://www.github.com/linker
|
|||
return cmd
|
||||
}
|
||||
|
||||
func install(w io.Writer, options values.Options, registry string) error {
|
||||
func install(w io.Writer, options values.Options, registry string, cniEnabled bool) error {
|
||||
|
||||
// Create values override
|
||||
valuesOverrides, err := options.MergeValues(nil)
|
||||
|
|
@ -94,6 +96,10 @@ func install(w io.Writer, options values.Options, registry string) error {
|
|||
return err
|
||||
}
|
||||
|
||||
if cniEnabled {
|
||||
valuesOverrides["cniEnabled"] = true
|
||||
}
|
||||
|
||||
// TODO: Add any validation logic here
|
||||
|
||||
return render(w, valuesOverrides, registry)
|
||||
|
|
|
|||
|
|
@ -5,6 +5,7 @@ metadata:
|
|||
name: linkerd-jaeger
|
||||
labels:
|
||||
linkerd.io/extension: jaeger
|
||||
pod-security.kubernetes.io/enforce: privileged
|
||||
---
|
||||
apiVersion: policy.linkerd.io/v1beta1
|
||||
kind: Server
|
||||
|
|
@ -99,7 +100,14 @@ spec:
|
|||
path: /ready
|
||||
port: 9995
|
||||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
runAsNonRoot: true
|
||||
runAsUser: 2103
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
volumeMounts:
|
||||
- mountPath: /var/run/linkerd/tls
|
||||
name: tls
|
||||
|
|
@ -324,7 +332,14 @@ spec:
|
|||
name: ui
|
||||
resources:
|
||||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
runAsNonRoot: true
|
||||
runAsUser: 2103
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
dnsPolicy: ClusterFirst
|
||||
serviceAccountName: jaeger
|
||||
---
|
||||
|
|
|
|||
|
|
@ -5,6 +5,7 @@ metadata:
|
|||
name: linkerd-jaeger
|
||||
labels:
|
||||
linkerd.io/extension: jaeger
|
||||
pod-security.kubernetes.io/enforce: privileged
|
||||
---
|
||||
apiVersion: policy.linkerd.io/v1beta1
|
||||
kind: Server
|
||||
|
|
@ -99,7 +100,14 @@ spec:
|
|||
path: /ready
|
||||
port: 9995
|
||||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
runAsNonRoot: true
|
||||
runAsUser: 2103
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
volumeMounts:
|
||||
- mountPath: /var/run/linkerd/tls
|
||||
name: tls
|
||||
|
|
@ -410,7 +418,14 @@ spec:
|
|||
port: 13133
|
||||
resources:
|
||||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
runAsNonRoot: true
|
||||
runAsUser: 2103
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
volumeMounts:
|
||||
- mountPath: /conf
|
||||
name: collector-config-val
|
||||
|
|
@ -493,7 +508,14 @@ spec:
|
|||
name: ui
|
||||
resources:
|
||||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
runAsNonRoot: true
|
||||
runAsUser: 2103
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
dnsPolicy: ClusterFirst
|
||||
serviceAccountName: jaeger
|
||||
---
|
||||
|
|
|
|||
|
|
@ -5,6 +5,7 @@ metadata:
|
|||
name: linkerd-jaeger
|
||||
labels:
|
||||
linkerd.io/extension: jaeger
|
||||
pod-security.kubernetes.io/enforce: privileged
|
||||
---
|
||||
apiVersion: policy.linkerd.io/v1beta1
|
||||
kind: Server
|
||||
|
|
@ -99,7 +100,14 @@ spec:
|
|||
path: /ready
|
||||
port: 9995
|
||||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
runAsNonRoot: true
|
||||
runAsUser: 2103
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
volumeMounts:
|
||||
- mountPath: /var/run/linkerd/tls
|
||||
name: tls
|
||||
|
|
@ -401,7 +409,14 @@ spec:
|
|||
port: 13133
|
||||
resources:
|
||||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
runAsNonRoot: true
|
||||
runAsUser: 2103
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
volumeMounts:
|
||||
- mountPath: /conf
|
||||
name: collector-config-val
|
||||
|
|
|
|||
|
|
@ -123,7 +123,14 @@ spec:
|
|||
image: {{.Values.controllerImage}}:{{.Values.controllerImageVersion}}
|
||||
name: service-mirror
|
||||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
runAsNonRoot: true
|
||||
runAsUser: {{.Values.serviceMirrorUID}}
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
ports:
|
||||
- containerPort: 9999
|
||||
name: admin-http
|
||||
|
|
|
|||
|
|
@ -46,7 +46,14 @@ spec:
|
|||
- name: pause
|
||||
image: {{ .Values.gateway.pauseImage }}
|
||||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
runAsNonRoot: true
|
||||
runAsUser: {{.Values.gateway.UID}}
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
serviceAccountName: {{.Values.gateway.name}}
|
||||
{{- if .Values.enablePodAntiAffinity }}
|
||||
---
|
||||
|
|
|
|||
|
|
@ -49,3 +49,25 @@ subjects:
|
|||
- kind: ServiceAccount
|
||||
name: namespace-metadata
|
||||
namespace: {{.Release.Namespace}}
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: RoleBinding
|
||||
metadata:
|
||||
namespace: {{ .Values.linkerdNamespace }}
|
||||
{{- with .Values.commonLabels }}
|
||||
labels: {{ toYaml . | trim | nindent 4 }}
|
||||
{{- end }}
|
||||
annotations:
|
||||
{{ include "partials.annotations.created-by" . }}
|
||||
"helm.sh/hook": post-install
|
||||
"helm.sh/hook-weight": "0"
|
||||
"helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
|
||||
name: mc-namespace-metadata-linkerd-config
|
||||
roleRef:
|
||||
kind: Role
|
||||
name: ext-namespace-metadata-linkerd-config
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: namespace-metadata
|
||||
namespace: {{.Release.Namespace}}
|
||||
|
|
|
|||
|
|
@ -4,7 +4,7 @@ metadata:
|
|||
annotations:
|
||||
{{ include "partials.annotations.created-by" . }}
|
||||
"helm.sh/hook": post-install
|
||||
"helm.sh/hook-weight": "0"
|
||||
"helm.sh/hook-weight": "1"
|
||||
"helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
|
||||
labels:
|
||||
app.kubernetes.io/name: namespace-metadata
|
||||
|
|
@ -32,7 +32,14 @@ spec:
|
|||
imagePullPolicy: {{.Values.namespaceMetadata.image.pullPolicy | default .Values.imagePullPolicy}}
|
||||
command: ["/bin/sh"]
|
||||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
runAsNonRoot: true
|
||||
runAsUser: {{.Values.gateway.UID}}
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
args:
|
||||
- -c
|
||||
- |
|
||||
|
|
@ -45,7 +52,19 @@ spec:
|
|||
ops="$ops{\"op\": \"add\",\"path\": \"/metadata/labels\",\"value\": {}},"
|
||||
fi
|
||||
|
||||
ops="$ops{\"op\": \"add\", \"path\": \"/metadata/labels/linkerd.io~1extension\", \"value\": \"multicluster\"}"
|
||||
ops="$ops{\"op\": \"add\", \"path\": \"/metadata/labels/linkerd.io~1extension\", \"value\": \"multicluster\"},"
|
||||
|
||||
# grab the latest occurence of cniEnabled in linkerd-config, to
|
||||
# discard value in the last-applied-configuration annotation
|
||||
cniEnabled=$(curl -kfv -H "Authorization: Bearer $token" \
|
||||
"https://kubernetes.default.svc/api/v1/namespaces/{{.Values.linkerdNamespace}}/configmaps/linkerd-config" | \
|
||||
sed -r -n 's/.*cniEnabled: (\w+).*/\1/gp' | tail -1)
|
||||
|
||||
level="privileged"
|
||||
if [ "$cniEnabled" = "true" ]; then
|
||||
level="restricted"
|
||||
fi
|
||||
ops="$ops{\"op\": \"add\", \"path\": \"/metadata/labels/pod-security.kubernetes.io~1enforce\", \"value\": \"$level\"}"
|
||||
|
||||
curl -kfv -XPATCH -H "Content-Type: application/json-patch+json" -H "Authorization: Bearer $token" \
|
||||
-d "[$ops]" \
|
||||
|
|
|
|||
|
|
@ -5,4 +5,6 @@ metadata:
|
|||
name: {{ .Release.Namespace }}
|
||||
labels:
|
||||
linkerd.io/extension: multicluster
|
||||
{{- /* linkerd-init requires extended capabilities and so requires priviledged mode */}}
|
||||
pod-security.kubernetes.io/enforce: {{ if .Values.cniEnabled }}restricted{{ else }}privileged{{ end }}
|
||||
{{end -}}
|
||||
|
|
|
|||
|
|
@ -78,4 +78,4 @@ enablePodAntiAffinity: false
|
|||
# -- NodeAffinity section, See the
|
||||
# [K8S documentation](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity)
|
||||
# for more information
|
||||
# nodeAffinity:
|
||||
# nodeAffinity:
|
||||
|
|
|
|||
|
|
@ -16,12 +16,10 @@ import (
|
|||
partials "github.com/linkerd/linkerd2/pkg/charts/static"
|
||||
"github.com/linkerd/linkerd2/pkg/flags"
|
||||
"github.com/linkerd/linkerd2/pkg/healthcheck"
|
||||
api "github.com/linkerd/linkerd2/pkg/public"
|
||||
"github.com/linkerd/linkerd2/pkg/version"
|
||||
log "github.com/sirupsen/logrus"
|
||||
"github.com/spf13/cobra"
|
||||
"helm.sh/helm/v3/pkg/chart/loader"
|
||||
chartloader "helm.sh/helm/v3/pkg/chart/loader"
|
||||
"helm.sh/helm/v3/pkg/chartutil"
|
||||
valuespkg "helm.sh/helm/v3/pkg/cli/values"
|
||||
"helm.sh/helm/v3/pkg/engine"
|
||||
|
|
@ -42,6 +40,7 @@ func newMulticlusterInstallCommand() *cobra.Command {
|
|||
var wait time.Duration
|
||||
var valuesOptions valuespkg.Options
|
||||
var ignoreCluster bool
|
||||
var cniEnabled bool
|
||||
|
||||
if err != nil {
|
||||
fmt.Fprintln(os.Stderr, err)
|
||||
|
|
@ -58,10 +57,10 @@ func newMulticlusterInstallCommand() *cobra.Command {
|
|||
The installation can be configured by using the --set, --values, --set-string and --set-file flags.
|
||||
A full list of configurable values can be found at https://github.com/linkerd/linkerd2/blob/main/multicluster/charts/linkerd-multicluster/README.md
|
||||
`,
|
||||
RunE: func(cmd *cobra.Command, args []string) error {
|
||||
RunE: func(cmd *cobra.Command, _ []string) error {
|
||||
if !ignoreCluster {
|
||||
// Wait for the core control-plane to be up and running
|
||||
api.CheckPublicAPIClientOrRetryOrExit(healthcheck.Options{
|
||||
hc := healthcheck.NewWithCoreChecks(&healthcheck.Options{
|
||||
ControlPlaneNamespace: controlPlaneNamespace,
|
||||
KubeConfig: kubeconfigPath,
|
||||
KubeContext: kubeContext,
|
||||
|
|
@ -70,8 +69,10 @@ A full list of configurable values can be found at https://github.com/linkerd/li
|
|||
APIAddr: apiAddr,
|
||||
RetryDeadline: time.Now().Add(wait),
|
||||
})
|
||||
hc.RunWithExitOnError()
|
||||
cniEnabled = hc.CNIEnabled
|
||||
}
|
||||
return install(cmd.Context(), stdout, options, valuesOptions, ha, ignoreCluster)
|
||||
return install(cmd.Context(), stdout, options, valuesOptions, ha, ignoreCluster, cniEnabled)
|
||||
},
|
||||
}
|
||||
|
||||
|
|
@ -101,7 +102,7 @@ A full list of configurable values can be found at https://github.com/linkerd/li
|
|||
return cmd
|
||||
}
|
||||
|
||||
func install(ctx context.Context, w io.Writer, options *multiclusterInstallOptions, valuesOptions valuespkg.Options, ha, ignoreCluster bool) error {
|
||||
func install(ctx context.Context, w io.Writer, options *multiclusterInstallOptions, valuesOptions valuespkg.Options, ha, ignoreCluster, cniEnabled bool) error {
|
||||
values, err := buildMulticlusterInstallValues(ctx, options, ignoreCluster)
|
||||
if err != nil {
|
||||
return err
|
||||
|
|
@ -120,11 +121,15 @@ func install(ctx context.Context, w io.Writer, options *multiclusterInstallOptio
|
|||
}
|
||||
}
|
||||
|
||||
if cniEnabled {
|
||||
valuesOverrides["cniEnabled"] = true
|
||||
}
|
||||
|
||||
return render(w, values, valuesOverrides)
|
||||
}
|
||||
|
||||
func render(w io.Writer, values *multicluster.Values, valuesOverrides map[string]interface{}) error {
|
||||
files := []*chartloader.BufferedFile{
|
||||
files := []*loader.BufferedFile{
|
||||
{Name: chartutil.ChartfileName},
|
||||
{Name: chartutil.ValuesfileName},
|
||||
{Name: "templates/namespace.yaml"},
|
||||
|
|
|
|||
|
|
@ -4,6 +4,7 @@ metadata:
|
|||
name: linkerd-multicluster
|
||||
labels:
|
||||
linkerd.io/extension: multicluster
|
||||
pod-security.kubernetes.io/enforce: privileged
|
||||
---
|
||||
apiVersion: apps/v1
|
||||
kind: Deployment
|
||||
|
|
@ -41,7 +42,14 @@ spec:
|
|||
- name: pause
|
||||
image: gcr.io/google_containers/pause:3.2
|
||||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
runAsNonRoot: true
|
||||
runAsUser: 2103
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
serviceAccountName: linkerd-gateway
|
||||
---
|
||||
apiVersion: v1
|
||||
|
|
|
|||
|
|
@ -4,6 +4,7 @@ metadata:
|
|||
name: linkerd-multicluster
|
||||
labels:
|
||||
linkerd.io/extension: multicluster
|
||||
pod-security.kubernetes.io/enforce: privileged
|
||||
---
|
||||
apiVersion: apps/v1
|
||||
kind: Deployment
|
||||
|
|
@ -63,7 +64,14 @@ spec:
|
|||
- name: pause
|
||||
image: gcr.io/google_containers/pause:3.2
|
||||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
runAsNonRoot: true
|
||||
runAsUser: 2103
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
serviceAccountName: linkerd-gateway
|
||||
---
|
||||
kind: PodDisruptionBudget
|
||||
|
|
|
|||
|
|
@ -4,6 +4,7 @@ metadata:
|
|||
name: linkerd-multicluster
|
||||
labels:
|
||||
linkerd.io/extension: multicluster
|
||||
pod-security.kubernetes.io/enforce: privileged
|
||||
---
|
||||
apiVersion: apps/v1
|
||||
kind: Deployment
|
||||
|
|
@ -41,7 +42,14 @@ spec:
|
|||
- name: pause
|
||||
image: gcr.io/google_containers/pause:3.2
|
||||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
runAsNonRoot: true
|
||||
runAsUser: 2103
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
serviceAccountName: linkerd-gateway
|
||||
---
|
||||
apiVersion: v1
|
||||
|
|
|
|||
|
|
@ -113,7 +113,14 @@ spec:
|
|||
image: cr.l5d.io/linkerd/controller:dev-undefined
|
||||
name: service-mirror
|
||||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
runAsNonRoot: true
|
||||
runAsUser: 2103
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
ports:
|
||||
- containerPort: 9999
|
||||
name: admin-http
|
||||
|
|
|
|||
|
|
@ -8,6 +8,7 @@ import (
|
|||
"fmt"
|
||||
"io"
|
||||
"net"
|
||||
"os"
|
||||
"sort"
|
||||
"strconv"
|
||||
"strings"
|
||||
|
|
@ -450,6 +451,11 @@ func NewHealthChecker(categoryIDs []CategoryID, options *Options) *HealthChecker
|
|||
return hc
|
||||
}
|
||||
|
||||
func NewWithCoreChecks(options *Options) *HealthChecker {
|
||||
checks := []CategoryID{KubernetesAPIChecks, LinkerdControlPlaneExistenceChecks}
|
||||
return NewHealthChecker(checks, options)
|
||||
}
|
||||
|
||||
// InitializeKubeAPIClient creates a client for the HealthChecker. It avoids
|
||||
// having to require the KubernetesAPIChecks check to run in order for the
|
||||
// HealthChecker to run other checks.
|
||||
|
|
@ -1594,6 +1600,28 @@ func (hc *HealthChecker) RunChecks(observer CheckObserver) (bool, bool) {
|
|||
return success, warning
|
||||
}
|
||||
|
||||
func (hc *HealthChecker) RunWithExitOnError() (bool, bool) {
|
||||
return hc.RunChecks(func(result *CheckResult) {
|
||||
if result.Retry {
|
||||
fmt.Fprintln(os.Stderr, "Waiting for control plane to become available")
|
||||
return
|
||||
}
|
||||
|
||||
if result.Err != nil && !result.Warning {
|
||||
var msg string
|
||||
switch result.Category {
|
||||
case KubernetesAPIChecks:
|
||||
msg = "Cannot connect to Kubernetes"
|
||||
case LinkerdControlPlaneExistenceChecks:
|
||||
msg = "Cannot find Linkerd"
|
||||
}
|
||||
fmt.Fprintf(os.Stderr, "%s: %s\nValidate the install with: 'linkerd check'\n",
|
||||
msg, result.Err)
|
||||
os.Exit(1)
|
||||
}
|
||||
})
|
||||
}
|
||||
|
||||
// LinkerdConfig gets the Linkerd configuration values.
|
||||
func (hc *HealthChecker) LinkerdConfig() *l5dcharts.Values {
|
||||
return hc.linkerdConfig
|
||||
|
|
|
|||
|
|
@ -1,46 +0,0 @@
|
|||
package public
|
||||
|
||||
import (
|
||||
"fmt"
|
||||
"os"
|
||||
|
||||
"github.com/linkerd/linkerd2/pkg/healthcheck"
|
||||
)
|
||||
|
||||
// CheckPublicAPIClientOrRetryOrExit executes status checks on the control
|
||||
// plane. If the checks fail, then CLI will print an error and exit. If the
|
||||
// hcOptions.retryDeadline param is specified, then the CLI will print a
|
||||
// message to stderr and retry.
|
||||
func CheckPublicAPIClientOrRetryOrExit(hcOptions healthcheck.Options) {
|
||||
checks := []healthcheck.CategoryID{
|
||||
healthcheck.KubernetesAPIChecks,
|
||||
healthcheck.LinkerdControlPlaneExistenceChecks,
|
||||
}
|
||||
|
||||
hc := healthcheck.NewHealthChecker(checks, &hcOptions)
|
||||
|
||||
hc.RunChecks(exitOnError)
|
||||
}
|
||||
|
||||
func exitOnError(result *healthcheck.CheckResult) {
|
||||
if result.Retry {
|
||||
fmt.Fprintln(os.Stderr, "Waiting for control plane to become available")
|
||||
return
|
||||
}
|
||||
|
||||
if result.Err != nil && !result.Warning {
|
||||
var msg string
|
||||
switch result.Category {
|
||||
case healthcheck.KubernetesAPIChecks:
|
||||
msg = "Cannot connect to Kubernetes"
|
||||
case healthcheck.LinkerdControlPlaneExistenceChecks:
|
||||
msg = "Cannot find Linkerd"
|
||||
}
|
||||
fmt.Fprintf(os.Stderr, "%s: %s\n", msg, result.Err)
|
||||
|
||||
checkCmd := "linkerd check"
|
||||
fmt.Fprintf(os.Stderr, "Validate the install with: %s\n", checkCmd)
|
||||
|
||||
os.Exit(1)
|
||||
}
|
||||
}
|
||||
|
|
@ -108,6 +108,13 @@ spec:
|
|||
{{- include "partials.resources" .Values.metricsAPI.resources | nindent 8 }}
|
||||
{{- end }}
|
||||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
runAsNonRoot: true
|
||||
readOnlyRootFilesystem: true
|
||||
runAsUser: {{.Values.metricsAPI.UID | default .Values.defaultUID}}
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
serviceAccountName: metrics-api
|
||||
|
|
|
|||
|
|
@ -50,3 +50,25 @@ subjects:
|
|||
- kind: ServiceAccount
|
||||
name: namespace-metadata
|
||||
namespace: {{.Release.Namespace}}
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: RoleBinding
|
||||
metadata:
|
||||
namespace: {{ .Values.linkerdNamespace }}
|
||||
{{- with .Values.commonLabels }}
|
||||
labels: {{ toYaml . | trim | nindent 4 }}
|
||||
{{- end }}
|
||||
annotations:
|
||||
{{ include "partials.annotations.created-by" . }}
|
||||
"helm.sh/hook": post-install
|
||||
"helm.sh/hook-weight": "0"
|
||||
"helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
|
||||
name: viz-namespace-metadata-linkerd-config
|
||||
roleRef:
|
||||
kind: Role
|
||||
name: ext-namespace-metadata-linkerd-config
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: namespace-metadata
|
||||
namespace: {{.Release.Namespace}}
|
||||
|
|
|
|||
|
|
@ -4,7 +4,7 @@ metadata:
|
|||
annotations:
|
||||
{{ include "partials.annotations.created-by" . }}
|
||||
"helm.sh/hook": post-install
|
||||
"helm.sh/hook-weight": "0"
|
||||
"helm.sh/hook-weight": "1"
|
||||
"helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
|
||||
labels:
|
||||
app.kubernetes.io/name: namespace-metadata
|
||||
|
|
@ -32,8 +32,15 @@ spec:
|
|||
imagePullPolicy: {{.Values.namespaceMetadata.image.pullPolicy | default .Values.defaultImagePullPolicy}}
|
||||
command: ["/bin/sh"]
|
||||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
runAsNonRoot: true
|
||||
readOnlyRootFilesystem: true
|
||||
runAsUser: {{.Values.defaultUID}}
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
args:
|
||||
- -c
|
||||
- |
|
||||
|
|
@ -52,7 +59,19 @@ spec:
|
|||
{{- if .Values.prometheusUrl }}
|
||||
ops="$ops{\"op\": \"add\", \"path\": \"/metadata/annotations/viz.linkerd.io~1external-prometheus\", \"value\": \"{{.Values.prometheusUrl}}\"},"
|
||||
{{- end }}
|
||||
ops="$ops{\"op\": \"add\", \"path\": \"/metadata/labels/linkerd.io~1extension\", \"value\": \"viz\"}"
|
||||
ops="$ops{\"op\": \"add\", \"path\": \"/metadata/labels/linkerd.io~1extension\", \"value\": \"viz\"},"
|
||||
|
||||
# grab the latest occurence of cniEnabled in linkerd-config, to
|
||||
# discard value in the last-applied-configuration annotation
|
||||
cniEnabled=$(curl -kfv -H "Authorization: Bearer $token" \
|
||||
"https://kubernetes.default.svc/api/v1/namespaces/{{.Values.linkerdNamespace}}/configmaps/linkerd-config" | \
|
||||
sed -r -n 's/.*cniEnabled: (\w+).*/\1/gp' | tail -1)
|
||||
|
||||
level="privileged"
|
||||
if [ "$cniEnabled" = "true" ]; then
|
||||
level="restricted"
|
||||
fi
|
||||
ops="$ops{\"op\": \"add\", \"path\": \"/metadata/labels/pod-security.kubernetes.io~1enforce\", \"value\": \"$level\"}"
|
||||
|
||||
curl -kfv -XPATCH -H "Content-Type: application/json-patch+json" -H "Authorization: Bearer $token" \
|
||||
-d "[$ops]" \
|
||||
|
|
|
|||
|
|
@ -9,6 +9,8 @@ metadata:
|
|||
name: {{.Release.Namespace}}
|
||||
labels:
|
||||
linkerd.io/extension: viz
|
||||
{{- /* linkerd-init requires extended capabilities and so requires priviledged mode */}}
|
||||
pod-security.kubernetes.io/enforce: {{ if .Values.cniEnabled }}restricted{{ else }}privileged{{ end }}
|
||||
annotations:
|
||||
{{- if .Values.prometheusUrl }}
|
||||
viz.linkerd.io/external-prometheus: {{.Values.prometheusUrl}}
|
||||
|
|
|
|||
|
|
@ -267,10 +267,16 @@ spec:
|
|||
{{- include "partials.resources" .Values.prometheus.resources | nindent 8 }}
|
||||
{{- end }}
|
||||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
readOnlyRootFilesystem: true
|
||||
runAsNonRoot: true
|
||||
runAsUser: 65534
|
||||
runAsGroup: 65534
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
volumeMounts:
|
||||
{{- range .Values.prometheus.ruleConfigMapMounts }}
|
||||
- name: {{ .name }}
|
||||
|
|
|
|||
|
|
@ -104,8 +104,15 @@ spec:
|
|||
{{- include "partials.resources" .Values.tapInjector.resources | nindent 8 }}
|
||||
{{- end }}
|
||||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
readOnlyRootFilesystem: true
|
||||
runAsNonRoot: true
|
||||
runAsUser: {{.Values.tapInjector.UID | default .Values.defaultUID}}
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
volumeMounts:
|
||||
- mountPath: /var/run/linkerd/tls
|
||||
name: tls
|
||||
|
|
|
|||
|
|
@ -116,8 +116,15 @@ spec:
|
|||
{{- include "partials.resources" .Values.tap.resources | nindent 8 }}
|
||||
{{- end }}
|
||||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
readOnlyRootFilesystem: true
|
||||
runAsNonRoot: true
|
||||
runAsUser: {{.Values.tap.UID | default .Values.defaultUID}}
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
volumeMounts:
|
||||
- mountPath: /var/run/linkerd/tls
|
||||
name: tls
|
||||
|
|
|
|||
|
|
@ -124,6 +124,13 @@ spec:
|
|||
{{- include "partials.resources" .Values.dashboard.resources | nindent 8 }}
|
||||
{{- end }}
|
||||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
readOnlyRootFilesystem: true
|
||||
runAsNonRoot: true
|
||||
runAsUser: {{.Values.dashboard.UID | default .Values.defaultUID}}
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
serviceAccountName: web
|
||||
|
|
|
|||
|
|
@ -11,7 +11,6 @@ import (
|
|||
partials "github.com/linkerd/linkerd2/pkg/charts/static"
|
||||
"github.com/linkerd/linkerd2/pkg/flags"
|
||||
"github.com/linkerd/linkerd2/pkg/healthcheck"
|
||||
api "github.com/linkerd/linkerd2/pkg/public"
|
||||
"github.com/linkerd/linkerd2/viz/static"
|
||||
"github.com/spf13/cobra"
|
||||
"helm.sh/helm/v3/pkg/chart/loader"
|
||||
|
|
@ -48,6 +47,7 @@ func newCmdInstall() *cobra.Command {
|
|||
var skipChecks bool
|
||||
var ignoreCluster bool
|
||||
var ha bool
|
||||
var cniEnabled bool
|
||||
var wait time.Duration
|
||||
var options values.Options
|
||||
|
||||
|
|
@ -62,10 +62,10 @@ func newCmdInstall() *cobra.Command {
|
|||
The installation can be configured by using the --set, --values, --set-string and --set-file flags.
|
||||
A full list of configurable values can be found at https://www.github.com/linkerd/linkerd2/tree/main/viz/charts/linkerd-viz/README.md
|
||||
`,
|
||||
RunE: func(cmd *cobra.Command, args []string) error {
|
||||
RunE: func(_ *cobra.Command, _ []string) error {
|
||||
if !skipChecks && !ignoreCluster {
|
||||
// Wait for the core control-plane to be up and running
|
||||
api.CheckPublicAPIClientOrRetryOrExit(healthcheck.Options{
|
||||
hc := healthcheck.NewWithCoreChecks(&healthcheck.Options{
|
||||
ControlPlaneNamespace: controlPlaneNamespace,
|
||||
KubeConfig: kubeconfigPath,
|
||||
KubeContext: kubeContext,
|
||||
|
|
@ -74,9 +74,10 @@ A full list of configurable values can be found at https://www.github.com/linker
|
|||
APIAddr: apiAddr,
|
||||
RetryDeadline: time.Now().Add(wait),
|
||||
})
|
||||
|
||||
hc.RunWithExitOnError()
|
||||
cniEnabled = hc.CNIEnabled
|
||||
}
|
||||
return install(os.Stdout, options, ha)
|
||||
return install(os.Stdout, options, ha, cniEnabled)
|
||||
},
|
||||
}
|
||||
|
||||
|
|
@ -91,7 +92,7 @@ A full list of configurable values can be found at https://www.github.com/linker
|
|||
return cmd
|
||||
}
|
||||
|
||||
func install(w io.Writer, options values.Options, ha bool) error {
|
||||
func install(w io.Writer, options values.Options, ha, cniEnabled bool) error {
|
||||
|
||||
// Create values override
|
||||
valuesOverrides, err := options.MergeValues(nil)
|
||||
|
|
@ -114,6 +115,10 @@ func install(w io.Writer, options values.Options, ha bool) error {
|
|||
}
|
||||
}
|
||||
|
||||
if cniEnabled {
|
||||
valuesOverrides["cniEnabled"] = true
|
||||
}
|
||||
|
||||
// TODO: Add any validation logic here
|
||||
|
||||
return render(w, valuesOverrides)
|
||||
|
|
|
|||
|
|
@ -8,6 +8,7 @@ metadata:
|
|||
name: linkerd-viz
|
||||
labels:
|
||||
linkerd.io/extension: viz
|
||||
pod-security.kubernetes.io/enforce: privileged
|
||||
annotations:
|
||||
---
|
||||
###
|
||||
|
|
@ -502,7 +503,7 @@ spec:
|
|||
spec:
|
||||
nodeSelector:
|
||||
kubernetes.io/os: linux
|
||||
|
||||
|
||||
containers:
|
||||
- args:
|
||||
- -controller-namespace=linkerd
|
||||
|
|
@ -531,8 +532,15 @@ spec:
|
|||
port: 9995
|
||||
resources:
|
||||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
runAsNonRoot: true
|
||||
readOnlyRootFilesystem: true
|
||||
runAsUser: 2103
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
serviceAccountName: metrics-api
|
||||
---
|
||||
apiVersion: policy.linkerd.io/v1beta1
|
||||
|
|
@ -811,10 +819,16 @@ spec:
|
|||
timeoutSeconds: 30
|
||||
resources:
|
||||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
readOnlyRootFilesystem: true
|
||||
runAsNonRoot: true
|
||||
runAsUser: 65534
|
||||
runAsGroup: 65534
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
volumeMounts:
|
||||
- mountPath: /data
|
||||
name: data
|
||||
|
|
@ -895,7 +909,7 @@ spec:
|
|||
spec:
|
||||
nodeSelector:
|
||||
kubernetes.io/os: linux
|
||||
|
||||
|
||||
containers:
|
||||
- args:
|
||||
- api
|
||||
|
|
@ -926,8 +940,15 @@ spec:
|
|||
port: 9998
|
||||
resources:
|
||||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
readOnlyRootFilesystem: true
|
||||
runAsNonRoot: true
|
||||
runAsUser: 2103
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
volumeMounts:
|
||||
- mountPath: /var/run/linkerd/tls
|
||||
name: tls
|
||||
|
|
@ -1093,7 +1114,7 @@ spec:
|
|||
spec:
|
||||
nodeSelector:
|
||||
kubernetes.io/os: linux
|
||||
|
||||
|
||||
containers:
|
||||
- args:
|
||||
- injector
|
||||
|
|
@ -1121,8 +1142,15 @@ spec:
|
|||
port: 9995
|
||||
resources:
|
||||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
readOnlyRootFilesystem: true
|
||||
runAsNonRoot: true
|
||||
runAsUser: 2103
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
volumeMounts:
|
||||
- mountPath: /var/run/linkerd/tls
|
||||
name: tls
|
||||
|
|
@ -1280,8 +1308,15 @@ spec:
|
|||
port: 9994
|
||||
resources:
|
||||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
readOnlyRootFilesystem: true
|
||||
runAsNonRoot: true
|
||||
runAsUser: 2103
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
serviceAccountName: web
|
||||
---
|
||||
apiVersion: linkerd.io/v1alpha2
|
||||
|
|
|
|||
|
|
@ -8,6 +8,7 @@ metadata:
|
|||
name: linkerd-viz
|
||||
labels:
|
||||
linkerd.io/extension: viz
|
||||
pod-security.kubernetes.io/enforce: privileged
|
||||
annotations:
|
||||
---
|
||||
###
|
||||
|
|
@ -502,7 +503,7 @@ spec:
|
|||
spec:
|
||||
nodeSelector:
|
||||
kubernetes.io/os: linux
|
||||
|
||||
|
||||
containers:
|
||||
- args:
|
||||
- -controller-namespace=linkerd
|
||||
|
|
@ -531,8 +532,15 @@ spec:
|
|||
port: 9995
|
||||
resources:
|
||||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
runAsNonRoot: true
|
||||
readOnlyRootFilesystem: true
|
||||
runAsUser: 1234
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
serviceAccountName: metrics-api
|
||||
---
|
||||
apiVersion: policy.linkerd.io/v1beta1
|
||||
|
|
@ -811,10 +819,16 @@ spec:
|
|||
timeoutSeconds: 30
|
||||
resources:
|
||||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
readOnlyRootFilesystem: true
|
||||
runAsNonRoot: true
|
||||
runAsUser: 65534
|
||||
runAsGroup: 65534
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
volumeMounts:
|
||||
- mountPath: /data
|
||||
name: data
|
||||
|
|
@ -895,7 +909,7 @@ spec:
|
|||
spec:
|
||||
nodeSelector:
|
||||
kubernetes.io/os: linux
|
||||
|
||||
|
||||
containers:
|
||||
- args:
|
||||
- api
|
||||
|
|
@ -926,8 +940,15 @@ spec:
|
|||
port: 9998
|
||||
resources:
|
||||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
readOnlyRootFilesystem: true
|
||||
runAsNonRoot: true
|
||||
runAsUser: 5678
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
volumeMounts:
|
||||
- mountPath: /var/run/linkerd/tls
|
||||
name: tls
|
||||
|
|
@ -1093,7 +1114,7 @@ spec:
|
|||
spec:
|
||||
nodeSelector:
|
||||
kubernetes.io/os: linux
|
||||
|
||||
|
||||
containers:
|
||||
- args:
|
||||
- injector
|
||||
|
|
@ -1121,8 +1142,15 @@ spec:
|
|||
port: 9995
|
||||
resources:
|
||||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
readOnlyRootFilesystem: true
|
||||
runAsNonRoot: true
|
||||
runAsUser: 1234
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
volumeMounts:
|
||||
- mountPath: /var/run/linkerd/tls
|
||||
name: tls
|
||||
|
|
@ -1281,8 +1309,15 @@ spec:
|
|||
port: 9994
|
||||
resources:
|
||||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
readOnlyRootFilesystem: true
|
||||
runAsNonRoot: true
|
||||
runAsUser: 1234
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
serviceAccountName: web
|
||||
---
|
||||
apiVersion: linkerd.io/v1alpha2
|
||||
|
|
|
|||
|
|
@ -8,6 +8,7 @@ metadata:
|
|||
name: linkerd-viz
|
||||
labels:
|
||||
linkerd.io/extension: viz
|
||||
pod-security.kubernetes.io/enforce: privileged
|
||||
annotations:
|
||||
viz.linkerd.io/external-prometheus: external-prom.com
|
||||
---
|
||||
|
|
@ -462,7 +463,7 @@ spec:
|
|||
spec:
|
||||
nodeSelector:
|
||||
kubernetes.io/os: linux
|
||||
|
||||
|
||||
containers:
|
||||
- args:
|
||||
- -controller-namespace=linkerd
|
||||
|
|
@ -491,8 +492,15 @@ spec:
|
|||
port: 9995
|
||||
resources:
|
||||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
runAsNonRoot: true
|
||||
readOnlyRootFilesystem: true
|
||||
runAsUser: 2103
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
serviceAccountName: metrics-api
|
||||
---
|
||||
apiVersion: policy.linkerd.io/v1beta1
|
||||
|
|
@ -613,7 +621,7 @@ spec:
|
|||
spec:
|
||||
nodeSelector:
|
||||
kubernetes.io/os: linux
|
||||
|
||||
|
||||
containers:
|
||||
- args:
|
||||
- api
|
||||
|
|
@ -644,8 +652,15 @@ spec:
|
|||
port: 9998
|
||||
resources:
|
||||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
readOnlyRootFilesystem: true
|
||||
runAsNonRoot: true
|
||||
runAsUser: 2103
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
volumeMounts:
|
||||
- mountPath: /var/run/linkerd/tls
|
||||
name: tls
|
||||
|
|
@ -811,7 +826,7 @@ spec:
|
|||
spec:
|
||||
nodeSelector:
|
||||
kubernetes.io/os: linux
|
||||
|
||||
|
||||
containers:
|
||||
- args:
|
||||
- injector
|
||||
|
|
@ -839,8 +854,15 @@ spec:
|
|||
port: 9995
|
||||
resources:
|
||||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
readOnlyRootFilesystem: true
|
||||
runAsNonRoot: true
|
||||
runAsUser: 2103
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
volumeMounts:
|
||||
- mountPath: /var/run/linkerd/tls
|
||||
name: tls
|
||||
|
|
@ -998,8 +1020,15 @@ spec:
|
|||
port: 9994
|
||||
resources:
|
||||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
readOnlyRootFilesystem: true
|
||||
runAsNonRoot: true
|
||||
runAsUser: 2103
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
serviceAccountName: web
|
||||
---
|
||||
apiVersion: linkerd.io/v1alpha2
|
||||
|
|
|
|||
|
|
@ -8,6 +8,7 @@ metadata:
|
|||
name: linkerd-viz
|
||||
labels:
|
||||
linkerd.io/extension: viz
|
||||
pod-security.kubernetes.io/enforce: privileged
|
||||
annotations:
|
||||
---
|
||||
###
|
||||
|
|
@ -502,7 +503,7 @@ spec:
|
|||
spec:
|
||||
nodeSelector:
|
||||
kubernetes.io/os: linux
|
||||
|
||||
|
||||
containers:
|
||||
- args:
|
||||
- -controller-namespace=linkerd
|
||||
|
|
@ -531,8 +532,15 @@ spec:
|
|||
port: 9995
|
||||
resources:
|
||||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
runAsNonRoot: true
|
||||
readOnlyRootFilesystem: true
|
||||
runAsUser: 2103
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
serviceAccountName: metrics-api
|
||||
---
|
||||
apiVersion: policy.linkerd.io/v1beta1
|
||||
|
|
@ -811,10 +819,16 @@ spec:
|
|||
timeoutSeconds: 30
|
||||
resources:
|
||||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
readOnlyRootFilesystem: true
|
||||
runAsNonRoot: true
|
||||
runAsUser: 65534
|
||||
runAsGroup: 65534
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
volumeMounts:
|
||||
- mountPath: /data
|
||||
name: data
|
||||
|
|
@ -895,7 +909,7 @@ spec:
|
|||
spec:
|
||||
nodeSelector:
|
||||
kubernetes.io/os: linux
|
||||
|
||||
|
||||
containers:
|
||||
- args:
|
||||
- api
|
||||
|
|
@ -926,8 +940,15 @@ spec:
|
|||
port: 9998
|
||||
resources:
|
||||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
readOnlyRootFilesystem: true
|
||||
runAsNonRoot: true
|
||||
runAsUser: 2103
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
volumeMounts:
|
||||
- mountPath: /var/run/linkerd/tls
|
||||
name: tls
|
||||
|
|
@ -1093,7 +1114,7 @@ spec:
|
|||
spec:
|
||||
nodeSelector:
|
||||
kubernetes.io/os: linux
|
||||
|
||||
|
||||
containers:
|
||||
- args:
|
||||
- injector
|
||||
|
|
@ -1121,8 +1142,15 @@ spec:
|
|||
port: 9995
|
||||
resources:
|
||||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
readOnlyRootFilesystem: true
|
||||
runAsNonRoot: true
|
||||
runAsUser: 2103
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
volumeMounts:
|
||||
- mountPath: /var/run/linkerd/tls
|
||||
name: tls
|
||||
|
|
@ -1280,8 +1308,15 @@ spec:
|
|||
port: 9994
|
||||
resources:
|
||||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
readOnlyRootFilesystem: true
|
||||
runAsNonRoot: true
|
||||
runAsUser: 2103
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
serviceAccountName: web
|
||||
---
|
||||
apiVersion: linkerd.io/v1alpha2
|
||||
|
|
|
|||
|
|
@ -8,6 +8,7 @@ metadata:
|
|||
name: linkerd-viz
|
||||
labels:
|
||||
linkerd.io/extension: viz
|
||||
pod-security.kubernetes.io/enforce: privileged
|
||||
annotations:
|
||||
---
|
||||
###
|
||||
|
|
@ -502,7 +503,7 @@ spec:
|
|||
spec:
|
||||
nodeSelector:
|
||||
kubernetes.io/os: linux
|
||||
|
||||
|
||||
containers:
|
||||
- args:
|
||||
- -controller-namespace=linkerd
|
||||
|
|
@ -531,8 +532,15 @@ spec:
|
|||
port: 9995
|
||||
resources:
|
||||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
runAsNonRoot: true
|
||||
readOnlyRootFilesystem: true
|
||||
runAsUser: 2103
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
serviceAccountName: metrics-api
|
||||
---
|
||||
apiVersion: policy.linkerd.io/v1beta1
|
||||
|
|
@ -815,10 +823,16 @@ spec:
|
|||
timeoutSeconds: 30
|
||||
resources:
|
||||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
readOnlyRootFilesystem: true
|
||||
runAsNonRoot: true
|
||||
runAsUser: 65534
|
||||
runAsGroup: 65534
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
volumeMounts:
|
||||
- mountPath: /data
|
||||
name: data
|
||||
|
|
@ -903,7 +917,7 @@ spec:
|
|||
spec:
|
||||
nodeSelector:
|
||||
kubernetes.io/os: linux
|
||||
|
||||
|
||||
containers:
|
||||
- args:
|
||||
- api
|
||||
|
|
@ -934,8 +948,15 @@ spec:
|
|||
port: 9998
|
||||
resources:
|
||||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
readOnlyRootFilesystem: true
|
||||
runAsNonRoot: true
|
||||
runAsUser: 2103
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
volumeMounts:
|
||||
- mountPath: /var/run/linkerd/tls
|
||||
name: tls
|
||||
|
|
@ -1101,7 +1122,7 @@ spec:
|
|||
spec:
|
||||
nodeSelector:
|
||||
kubernetes.io/os: linux
|
||||
|
||||
|
||||
containers:
|
||||
- args:
|
||||
- injector
|
||||
|
|
@ -1129,8 +1150,15 @@ spec:
|
|||
port: 9995
|
||||
resources:
|
||||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
readOnlyRootFilesystem: true
|
||||
runAsNonRoot: true
|
||||
runAsUser: 2103
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
volumeMounts:
|
||||
- mountPath: /var/run/linkerd/tls
|
||||
name: tls
|
||||
|
|
@ -1292,8 +1320,15 @@ spec:
|
|||
port: 9994
|
||||
resources:
|
||||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
readOnlyRootFilesystem: true
|
||||
runAsNonRoot: true
|
||||
runAsUser: 2103
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
serviceAccountName: web
|
||||
---
|
||||
apiVersion: linkerd.io/v1alpha2
|
||||
|
|
|
|||
Loading…
Reference in New Issue