### Service Account Controller ### --- kind: ServiceAccount apiVersion: v1 metadata: name: linkerd-controller namespace: Namespace ### Controller RBAC ### --- kind: Role apiVersion: rbac.authorization.k8s.io/v1beta1 metadata: name: linkerd-Namespace-controller namespace: Namespace rules: - apiGroups: ["extensions", "apps"] resources: ["daemonsets", "deployments", "replicasets"] verbs: ["list", "get", "watch"] - apiGroups: [""] resources: ["pods", "endpoints", "services", "replicationcontrollers"] verbs: ["list", "get", "watch"] - apiGroups: [""] resources: ["namespaces"] resourceNames: ["Namespace"] verbs: ["list", "get", "watch"] --- kind: RoleBinding apiVersion: rbac.authorization.k8s.io/v1beta1 metadata: name: linkerd-Namespace-controller namespace: Namespace roleRef: apiGroup: rbac.authorization.k8s.io kind: Role name: linkerd-Namespace-controller subjects: - kind: ServiceAccount name: linkerd-controller namespace: Namespace ### Service Account Prometheus ### --- kind: ServiceAccount apiVersion: v1 metadata: name: linkerd-prometheus namespace: Namespace ### Prometheus RBAC ### --- kind: Role apiVersion: rbac.authorization.k8s.io/v1beta1 metadata: name: linkerd-Namespace-prometheus namespace: Namespace rules: - apiGroups: [""] resources: ["pods"] verbs: ["get", "list", "watch"] --- kind: RoleBinding apiVersion: rbac.authorization.k8s.io/v1beta1 metadata: name: linkerd-Namespace-prometheus namespace: Namespace roleRef: apiGroup: rbac.authorization.k8s.io kind: Role name: linkerd-Namespace-prometheus subjects: - kind: ServiceAccount name: linkerd-prometheus namespace: Namespace ### Controller ### --- kind: Service apiVersion: v1 metadata: name: linkerd-controller-api namespace: Namespace labels: ControllerComponentLabel: controller annotations: CreatedByAnnotation: CliVersion spec: type: ClusterIP selector: ControllerComponentLabel: controller ports: - name: http port: 8085 targetPort: 8085 --- kind: Service apiVersion: v1 metadata: name: linkerd-proxy-api namespace: Namespace labels: ControllerComponentLabel: controller annotations: CreatedByAnnotation: CliVersion spec: type: ClusterIP selector: ControllerComponentLabel: controller ports: - name: grpc port: 123 targetPort: 123 --- apiVersion: extensions/v1beta1 kind: Deployment metadata: annotations: CreatedByAnnotation: CliVersion creationTimestamp: null labels: ControllerComponentLabel: controller name: linkerd-controller namespace: Namespace spec: replicas: 1 strategy: {} template: metadata: annotations: CreatedByAnnotation: CliVersion linkerd.io/created-by: linkerd/cli dev-undefined linkerd.io/proxy-version: dev-undefined creationTimestamp: null labels: ControllerComponentLabel: controller linkerd.io/control-plane-ns: Namespace linkerd.io/proxy-deployment: linkerd-controller spec: containers: - args: - public-api - -prometheus-url=http://linkerd-prometheus.Namespace.svc.cluster.local:9090 - -controller-namespace=Namespace - -single-namespace=true - -log-level=ControllerLogLevel image: ControllerImage imagePullPolicy: ImagePullPolicy livenessProbe: httpGet: path: /ping port: 9995 initialDelaySeconds: 10 name: public-api ports: - containerPort: 8085 name: http - containerPort: 9995 name: admin-http readinessProbe: failureThreshold: 7 httpGet: path: /ready port: 9995 resources: {} securityContext: runAsUser: 2103 - args: - proxy-api - -addr=:123 - -controller-namespace=Namespace - -single-namespace=true - -enable-tls=true - -enable-h2-upgrade=true - -log-level=ControllerLogLevel image: ControllerImage imagePullPolicy: ImagePullPolicy livenessProbe: httpGet: path: /ping port: 9996 initialDelaySeconds: 10 name: proxy-api ports: - containerPort: 123 name: grpc - containerPort: 9996 name: admin-http readinessProbe: failureThreshold: 7 httpGet: path: /ready port: 9996 resources: {} securityContext: runAsUser: 2103 - args: - tap - -controller-namespace=Namespace - -single-namespace=true - -log-level=ControllerLogLevel image: ControllerImage imagePullPolicy: ImagePullPolicy livenessProbe: httpGet: path: /ping port: 9998 initialDelaySeconds: 10 name: tap ports: - containerPort: 8088 name: grpc - containerPort: 9998 name: admin-http readinessProbe: failureThreshold: 7 httpGet: path: /ready port: 9998 resources: {} securityContext: runAsUser: 2103 - env: - name: LINKERD2_PROXY_LOG value: warn,linkerd2_proxy=info - name: LINKERD2_PROXY_CONTROL_URL value: tcp://localhost.:8086 - name: LINKERD2_PROXY_CONTROL_LISTENER value: tcp://0.0.0.0:4190 - name: LINKERD2_PROXY_METRICS_LISTENER value: tcp://0.0.0.0:4191 - name: LINKERD2_PROXY_OUTBOUND_LISTENER value: tcp://127.0.0.1:4140 - name: LINKERD2_PROXY_INBOUND_LISTENER value: tcp://0.0.0.0:4143 - name: LINKERD2_PROXY_DESTINATION_PROFILE_SUFFIXES value: . - name: LINKERD2_PROXY_POD_NAMESPACE valueFrom: fieldRef: fieldPath: metadata.namespace image: gcr.io/linkerd-io/proxy:dev-undefined imagePullPolicy: IfNotPresent livenessProbe: httpGet: path: /metrics port: 4191 initialDelaySeconds: 10 name: linkerd-proxy ports: - containerPort: 4143 name: linkerd-proxy - containerPort: 4191 name: linkerd-metrics readinessProbe: httpGet: path: /metrics port: 4191 initialDelaySeconds: 10 resources: {} securityContext: runAsUser: 2102 terminationMessagePolicy: FallbackToLogsOnError initContainers: - args: - --incoming-proxy-port - "4143" - --outgoing-proxy-port - "4140" - --proxy-uid - "2102" - --inbound-ports-to-ignore - 4190,4191 image: gcr.io/linkerd-io/proxy-init:dev-undefined imagePullPolicy: IfNotPresent name: linkerd-init resources: {} securityContext: capabilities: add: - NET_ADMIN privileged: false runAsNonRoot: false runAsUser: 0 terminationMessagePolicy: FallbackToLogsOnError serviceAccountName: linkerd-controller status: {} --- kind: ServiceAccount apiVersion: v1 metadata: name: linkerd-web namespace: Namespace ### Web ### --- kind: Service apiVersion: v1 metadata: name: linkerd-web namespace: Namespace labels: ControllerComponentLabel: web annotations: CreatedByAnnotation: CliVersion spec: type: ClusterIP selector: ControllerComponentLabel: web ports: - name: http port: 8084 targetPort: 8084 - name: admin-http port: 9994 targetPort: 9994 --- apiVersion: extensions/v1beta1 kind: Deployment metadata: annotations: CreatedByAnnotation: CliVersion creationTimestamp: null labels: ControllerComponentLabel: web name: linkerd-web namespace: Namespace spec: replicas: 1 strategy: {} template: metadata: annotations: CreatedByAnnotation: CliVersion linkerd.io/created-by: linkerd/cli dev-undefined linkerd.io/proxy-version: dev-undefined creationTimestamp: null labels: ControllerComponentLabel: web linkerd.io/control-plane-ns: Namespace linkerd.io/proxy-deployment: linkerd-web spec: containers: - args: - -api-addr=linkerd-controller-api.Namespace.svc.cluster.local:8085 - -grafana-addr=linkerd-grafana.Namespace.svc.cluster.local:3000 - -uuid=UUID - -controller-namespace=Namespace - -single-namespace=true - -log-level=ControllerLogLevel image: WebImage imagePullPolicy: ImagePullPolicy livenessProbe: httpGet: path: /ping port: 9994 initialDelaySeconds: 10 name: web ports: - containerPort: 8084 name: http - containerPort: 9994 name: admin-http readinessProbe: failureThreshold: 7 httpGet: path: /ready port: 9994 resources: {} securityContext: runAsUser: 2103 - env: - name: LINKERD2_PROXY_LOG value: warn,linkerd2_proxy=info - name: LINKERD2_PROXY_CONTROL_URL value: tcp://linkerd-proxy-api.Namespace.svc.cluster.local:8086 - name: LINKERD2_PROXY_CONTROL_LISTENER value: tcp://0.0.0.0:4190 - name: LINKERD2_PROXY_METRICS_LISTENER value: tcp://0.0.0.0:4191 - name: LINKERD2_PROXY_OUTBOUND_LISTENER value: tcp://127.0.0.1:4140 - name: LINKERD2_PROXY_INBOUND_LISTENER value: tcp://0.0.0.0:4143 - name: LINKERD2_PROXY_DESTINATION_PROFILE_SUFFIXES value: . - name: LINKERD2_PROXY_POD_NAMESPACE valueFrom: fieldRef: fieldPath: metadata.namespace image: gcr.io/linkerd-io/proxy:dev-undefined imagePullPolicy: IfNotPresent livenessProbe: httpGet: path: /metrics port: 4191 initialDelaySeconds: 10 name: linkerd-proxy ports: - containerPort: 4143 name: linkerd-proxy - containerPort: 4191 name: linkerd-metrics readinessProbe: httpGet: path: /metrics port: 4191 initialDelaySeconds: 10 resources: {} securityContext: runAsUser: 2102 terminationMessagePolicy: FallbackToLogsOnError initContainers: - args: - --incoming-proxy-port - "4143" - --outgoing-proxy-port - "4140" - --proxy-uid - "2102" - --inbound-ports-to-ignore - 4190,4191 image: gcr.io/linkerd-io/proxy-init:dev-undefined imagePullPolicy: IfNotPresent name: linkerd-init resources: {} securityContext: capabilities: add: - NET_ADMIN privileged: false runAsNonRoot: false runAsUser: 0 terminationMessagePolicy: FallbackToLogsOnError serviceAccountName: linkerd-web status: {} --- kind: Service apiVersion: v1 metadata: name: linkerd-prometheus namespace: Namespace labels: ControllerComponentLabel: prometheus annotations: CreatedByAnnotation: CliVersion spec: type: ClusterIP selector: ControllerComponentLabel: prometheus ports: - name: admin-http port: 9090 targetPort: 9090 --- apiVersion: extensions/v1beta1 kind: Deployment metadata: annotations: CreatedByAnnotation: CliVersion creationTimestamp: null labels: ControllerComponentLabel: prometheus name: linkerd-prometheus namespace: Namespace spec: replicas: 1 strategy: {} template: metadata: annotations: CreatedByAnnotation: CliVersion linkerd.io/created-by: linkerd/cli dev-undefined linkerd.io/proxy-version: dev-undefined creationTimestamp: null labels: ControllerComponentLabel: prometheus linkerd.io/control-plane-ns: Namespace linkerd.io/proxy-deployment: linkerd-prometheus spec: containers: - args: - --storage.tsdb.path=/data - --storage.tsdb.retention=6h - --config.file=/etc/prometheus/prometheus.yml image: PrometheusImage imagePullPolicy: ImagePullPolicy livenessProbe: httpGet: path: /-/healthy port: 9090 initialDelaySeconds: 30 timeoutSeconds: 30 name: prometheus ports: - containerPort: 9090 name: admin-http readinessProbe: httpGet: path: /-/ready port: 9090 initialDelaySeconds: 30 timeoutSeconds: 30 resources: {} securityContext: runAsUser: 65534 volumeMounts: - mountPath: /data name: data - mountPath: /etc/prometheus name: prometheus-config readOnly: true - env: - name: LINKERD2_PROXY_LOG value: warn,linkerd2_proxy=info - name: LINKERD2_PROXY_CONTROL_URL value: tcp://linkerd-proxy-api.Namespace.svc.cluster.local:8086 - name: LINKERD2_PROXY_CONTROL_LISTENER value: tcp://0.0.0.0:4190 - name: LINKERD2_PROXY_METRICS_LISTENER value: tcp://0.0.0.0:4191 - name: LINKERD2_PROXY_OUTBOUND_LISTENER value: tcp://127.0.0.1:4140 - name: LINKERD2_PROXY_INBOUND_LISTENER value: tcp://0.0.0.0:4143 - name: LINKERD2_PROXY_DESTINATION_PROFILE_SUFFIXES value: . - name: LINKERD2_PROXY_POD_NAMESPACE valueFrom: fieldRef: fieldPath: metadata.namespace - name: LINKERD2_PROXY_OUTBOUND_ROUTER_CAPACITY value: "10000" image: gcr.io/linkerd-io/proxy:dev-undefined imagePullPolicy: IfNotPresent livenessProbe: httpGet: path: /metrics port: 4191 initialDelaySeconds: 10 name: linkerd-proxy ports: - containerPort: 4143 name: linkerd-proxy - containerPort: 4191 name: linkerd-metrics readinessProbe: httpGet: path: /metrics port: 4191 initialDelaySeconds: 10 resources: {} securityContext: runAsUser: 2102 terminationMessagePolicy: FallbackToLogsOnError initContainers: - args: - --incoming-proxy-port - "4143" - --outgoing-proxy-port - "4140" - --proxy-uid - "2102" - --inbound-ports-to-ignore - 4190,4191 image: gcr.io/linkerd-io/proxy-init:dev-undefined imagePullPolicy: IfNotPresent name: linkerd-init resources: {} securityContext: capabilities: add: - NET_ADMIN privileged: false runAsNonRoot: false runAsUser: 0 terminationMessagePolicy: FallbackToLogsOnError serviceAccountName: linkerd-prometheus volumes: - emptyDir: {} name: data - configMap: name: linkerd-prometheus-config name: prometheus-config status: {} --- kind: ConfigMap apiVersion: v1 metadata: name: linkerd-prometheus-config namespace: Namespace labels: ControllerComponentLabel: prometheus annotations: CreatedByAnnotation: CliVersion data: prometheus.yml: |- global: scrape_interval: 10s scrape_timeout: 10s evaluation_interval: 10s rule_files: - /etc/prometheus/*_rules.yml scrape_configs: - job_name: 'prometheus' static_configs: - targets: ['localhost:9090'] - job_name: 'grafana' kubernetes_sd_configs: - role: pod namespaces: names: ['Namespace'] relabel_configs: - source_labels: - __meta_kubernetes_pod_container_name action: keep regex: ^grafana$ - job_name: 'linkerd-controller' kubernetes_sd_configs: - role: pod namespaces: names: ['Namespace'] relabel_configs: - source_labels: - __meta_kubernetes_pod_label_linkerd_io_control_plane_component - __meta_kubernetes_pod_container_port_name action: keep regex: (.*);admin-http$ - source_labels: [__meta_kubernetes_pod_container_name] action: replace target_label: component - job_name: 'linkerd-proxy' kubernetes_sd_configs: - role: pod namespaces: names: ['Namespace'] relabel_configs: - source_labels: - __meta_kubernetes_pod_container_name - __meta_kubernetes_pod_container_port_name - __meta_kubernetes_pod_label_linkerd_io_control_plane_ns action: keep regex: ^ProxyContainerName;linkerd-metrics;Namespace$ - source_labels: [__meta_kubernetes_namespace] action: replace target_label: namespace - source_labels: [__meta_kubernetes_pod_name] action: replace target_label: pod # special case k8s' "job" label, to not interfere with prometheus' "job" # label # __meta_kubernetes_pod_label_linkerd_io_proxy_job=foo => # k8s_job=foo - source_labels: [__meta_kubernetes_pod_label_linkerd_io_proxy_job] action: replace target_label: k8s_job # drop __meta_kubernetes_pod_label_linkerd_io_proxy_job - action: labeldrop regex: __meta_kubernetes_pod_label_linkerd_io_proxy_job # __meta_kubernetes_pod_label_linkerd_io_proxy_deployment=foo => # deployment=foo - action: labelmap regex: __meta_kubernetes_pod_label_linkerd_io_proxy_(.+) # drop all labels that we just made copies of in the previous labelmap - action: labeldrop regex: __meta_kubernetes_pod_label_linkerd_io_proxy_(.+) # __meta_kubernetes_pod_label_linkerd_io_foo=bar => # foo=bar - action: labelmap regex: __meta_kubernetes_pod_label_linkerd_io_(.+) ### Service Account Grafana ### --- kind: ServiceAccount apiVersion: v1 metadata: name: linkerd-grafana namespace: Namespace ### Grafana ### --- kind: Service apiVersion: v1 metadata: name: linkerd-grafana namespace: Namespace labels: ControllerComponentLabel: grafana annotations: CreatedByAnnotation: CliVersion spec: type: ClusterIP selector: ControllerComponentLabel: grafana ports: - name: http port: 3000 targetPort: 3000 --- apiVersion: extensions/v1beta1 kind: Deployment metadata: annotations: CreatedByAnnotation: CliVersion creationTimestamp: null labels: ControllerComponentLabel: grafana name: linkerd-grafana namespace: Namespace spec: replicas: 1 strategy: {} template: metadata: annotations: CreatedByAnnotation: CliVersion linkerd.io/created-by: linkerd/cli dev-undefined linkerd.io/proxy-version: dev-undefined creationTimestamp: null labels: ControllerComponentLabel: grafana linkerd.io/control-plane-ns: Namespace linkerd.io/proxy-deployment: linkerd-grafana spec: containers: - env: - name: GF_PATHS_DATA value: /data image: GrafanaImage imagePullPolicy: ImagePullPolicy livenessProbe: httpGet: path: /api/health port: 3000 initialDelaySeconds: 30 name: grafana ports: - containerPort: 3000 name: http readinessProbe: httpGet: path: /api/health port: 3000 resources: {} securityContext: runAsUser: 472 volumeMounts: - mountPath: /data name: data - mountPath: /etc/grafana name: grafana-config readOnly: true - env: - name: LINKERD2_PROXY_LOG value: warn,linkerd2_proxy=info - name: LINKERD2_PROXY_CONTROL_URL value: tcp://linkerd-proxy-api.Namespace.svc.cluster.local:8086 - name: LINKERD2_PROXY_CONTROL_LISTENER value: tcp://0.0.0.0:4190 - name: LINKERD2_PROXY_METRICS_LISTENER value: tcp://0.0.0.0:4191 - name: LINKERD2_PROXY_OUTBOUND_LISTENER value: tcp://127.0.0.1:4140 - name: LINKERD2_PROXY_INBOUND_LISTENER value: tcp://0.0.0.0:4143 - name: LINKERD2_PROXY_DESTINATION_PROFILE_SUFFIXES value: . - name: LINKERD2_PROXY_POD_NAMESPACE valueFrom: fieldRef: fieldPath: metadata.namespace image: gcr.io/linkerd-io/proxy:dev-undefined imagePullPolicy: IfNotPresent livenessProbe: httpGet: path: /metrics port: 4191 initialDelaySeconds: 10 name: linkerd-proxy ports: - containerPort: 4143 name: linkerd-proxy - containerPort: 4191 name: linkerd-metrics readinessProbe: httpGet: path: /metrics port: 4191 initialDelaySeconds: 10 resources: {} securityContext: runAsUser: 2102 terminationMessagePolicy: FallbackToLogsOnError initContainers: - args: - --incoming-proxy-port - "4143" - --outgoing-proxy-port - "4140" - --proxy-uid - "2102" - --inbound-ports-to-ignore - 4190,4191 image: gcr.io/linkerd-io/proxy-init:dev-undefined imagePullPolicy: IfNotPresent name: linkerd-init resources: {} securityContext: capabilities: add: - NET_ADMIN privileged: false runAsNonRoot: false runAsUser: 0 terminationMessagePolicy: FallbackToLogsOnError serviceAccountName: linkerd-grafana volumes: - emptyDir: {} name: data - configMap: items: - key: grafana.ini path: grafana.ini - key: datasources.yaml path: provisioning/datasources/datasources.yaml - key: dashboards.yaml path: provisioning/dashboards/dashboards.yaml name: linkerd-grafana-config name: grafana-config status: {} --- kind: ConfigMap apiVersion: v1 metadata: name: linkerd-grafana-config namespace: Namespace labels: ControllerComponentLabel: grafana annotations: CreatedByAnnotation: CliVersion data: grafana.ini: |- instance_name = linkerd-grafana [server] root_url = %(protocol)s://%(domain)s:/grafana/ [auth] disable_login_form = true [auth.anonymous] enabled = true org_role = Editor [auth.basic] enabled = false [analytics] check_for_updates = false datasources.yaml: |- apiVersion: 1 datasources: - name: prometheus type: prometheus access: proxy orgId: 1 url: http://linkerd-prometheus.Namespace.svc.cluster.local:9090 isDefault: true jsonData: timeInterval: "5s" version: 1 editable: true dashboards.yaml: |- apiVersion: 1 providers: - name: 'default' orgId: 1 folder: '' type: file disableDeletion: true editable: true options: path: /var/lib/grafana/dashboards homeDashboardId: linkerd-top-line ### Service Account CA ### --- kind: ServiceAccount apiVersion: v1 metadata: name: linkerd-ca namespace: Namespace ### CA RBAC ### --- kind: Role apiVersion: rbac.authorization.k8s.io/v1beta1 metadata: name: linkerd-Namespace-ca namespace: Namespace rules: - apiGroups: [""] resources: ["configmaps"] verbs: ["create"] - apiGroups: [""] resources: ["configmaps"] resourceNames: [TLSTrustAnchorConfigMapName] verbs: ["update"] - apiGroups: [""] resources: ["pods"] verbs: ["list", "get", "watch"] - apiGroups: ["extensions", "apps"] resources: ["replicasets"] verbs: ["list", "get", "watch"] - apiGroups: [""] resources: ["secrets"] verbs: ["create", "update"] --- kind: RoleBinding apiVersion: rbac.authorization.k8s.io/v1beta1 metadata: name: linkerd-Namespace-ca namespace: Namespace roleRef: apiGroup: rbac.authorization.k8s.io kind: Role name: linkerd-Namespace-ca subjects: - kind: ServiceAccount name: linkerd-ca namespace: Namespace ### CA ### --- apiVersion: extensions/v1beta1 kind: Deployment metadata: annotations: CreatedByAnnotation: CliVersion creationTimestamp: null labels: ControllerComponentLabel: ca name: linkerd-ca namespace: Namespace spec: replicas: 1 strategy: {} template: metadata: annotations: CreatedByAnnotation: CliVersion linkerd.io/created-by: linkerd/cli dev-undefined linkerd.io/proxy-version: dev-undefined creationTimestamp: null labels: ControllerComponentLabel: ca linkerd.io/control-plane-ns: Namespace linkerd.io/proxy-deployment: linkerd-ca spec: containers: - args: - ca - -controller-namespace=Namespace - -single-namespace=true - -log-level=ControllerLogLevel image: ControllerImage imagePullPolicy: ImagePullPolicy livenessProbe: httpGet: path: /ping port: 9997 initialDelaySeconds: 10 name: ca ports: - containerPort: 9997 name: admin-http readinessProbe: failureThreshold: 7 httpGet: path: /ready port: 9997 resources: {} securityContext: runAsUser: 2103 - env: - name: LINKERD2_PROXY_LOG value: warn,linkerd2_proxy=info - name: LINKERD2_PROXY_CONTROL_URL value: tcp://linkerd-proxy-api.Namespace.svc.cluster.local:8086 - name: LINKERD2_PROXY_CONTROL_LISTENER value: tcp://0.0.0.0:4190 - name: LINKERD2_PROXY_METRICS_LISTENER value: tcp://0.0.0.0:4191 - name: LINKERD2_PROXY_OUTBOUND_LISTENER value: tcp://127.0.0.1:4140 - name: LINKERD2_PROXY_INBOUND_LISTENER value: tcp://0.0.0.0:4143 - name: LINKERD2_PROXY_DESTINATION_PROFILE_SUFFIXES value: . - name: LINKERD2_PROXY_POD_NAMESPACE valueFrom: fieldRef: fieldPath: metadata.namespace image: gcr.io/linkerd-io/proxy:dev-undefined imagePullPolicy: IfNotPresent livenessProbe: httpGet: path: /metrics port: 4191 initialDelaySeconds: 10 name: linkerd-proxy ports: - containerPort: 4143 name: linkerd-proxy - containerPort: 4191 name: linkerd-metrics readinessProbe: httpGet: path: /metrics port: 4191 initialDelaySeconds: 10 resources: {} securityContext: runAsUser: 2102 terminationMessagePolicy: FallbackToLogsOnError initContainers: - args: - --incoming-proxy-port - "4143" - --outgoing-proxy-port - "4140" - --proxy-uid - "2102" - --inbound-ports-to-ignore - 4190,4191 image: gcr.io/linkerd-io/proxy-init:dev-undefined imagePullPolicy: IfNotPresent name: linkerd-init resources: {} securityContext: capabilities: add: - NET_ADMIN privileged: false runAsNonRoot: false runAsUser: 0 terminationMessagePolicy: FallbackToLogsOnError serviceAccountName: linkerd-ca status: {} ---