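# Rendered linkerd-cni installation manifest: a dedicated namespace, the pod
# security policy and RBAC the installer runs under, its ConfigMap, and the
# DaemonSet that installs the CNI plugin on every Linux node.
kind: Namespace
apiVersion: v1
metadata:
  name: other
  annotations:
    # Proxy injection is switched off for workloads in this namespace.
    linkerd.io/inject: disabled
  labels:
    linkerd.io/is-control-plane: "true"
    config.linkerd.io/admission-webhooks: disabled
---
# Pod security policy for the CNI installer pod.
# NOTE(review): PodSecurityPolicy (policy/v1beta1) was removed in Kubernetes
# 1.25. On newer clusters these constraints need an equivalent Pod Security
# Admission level or policy-engine rule.
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: linkerd-other-cni
  labels:
    linkerd.io/cni-resource: "true"
spec:
  allowPrivilegeEscalation: false
  fsGroup:
    rule: RunAsAny
  # The installer pod shares the node's network namespace (see the DaemonSet).
  hostNetwork: true
  # RunAsAny permits UID 0. Presumably the installer needs root to write into
  # the host CNI directories - confirm before tightening.
  runAsUser:
    rule: RunAsAny
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: RunAsAny
  volumes:
    - hostPath
    - secret
  # Least privilege: limit hostPath mounts to the two CNI directories the
  # DaemonSet mounts. Without this list, a pod admitted under this policy
  # could mount any path on the node.
  allowedHostPaths:
    - pathPrefix: /opt/my-cni/bin
    - pathPrefix: /etc/kubernetes/cni/net.d
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: linkerd-cni
  namespace: other
  labels:
    linkerd.io/cni-resource: "true"
---
# Grants `use` on the single PSP named above and nothing else.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: linkerd-cni
  namespace: other
  labels:
    linkerd.io/cni-resource: "true"
rules:
  - apiGroups: ['extensions', 'policy']
    resources: ['podsecuritypolicies']
    resourceNames:
      - linkerd-other-cni
    verbs: ['use']
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: linkerd-cni
  namespace: other
  labels:
    linkerd.io/cni-resource: "true"
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: linkerd-cni
subjects:
  - kind: ServiceAccount
    name: linkerd-cni
    namespace: other
---
# Cluster-wide read-only access to pods, nodes and namespaces.
# rbac.authorization.k8s.io/v1 is used here to match the Role/RoleBinding
# above; the v1beta1 RBAC API was removed in Kubernetes 1.22.
# NOTE(review): the CNI config below carries a __SERVICEACCOUNT_TOKEN__
# placeholder, so a token for this account presumably ends up on each node's
# disk. Keep these verbs read-only and do not widen the resource list without
# re-assessing that exposure.
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: linkerd-cni
  labels:
    linkerd.io/cni-resource: "true"
rules:
  - apiGroups: [""]
    resources: ["pods", "nodes", "namespaces"]
    verbs: ["list", "get", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: linkerd-cni
  labels:
    linkerd.io/cni-resource: "true"
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: linkerd-cni
subjects:
  - kind: ServiceAccount
    name: linkerd-cni
    namespace: other
---
kind: ConfigMap
apiVersion: v1
metadata:
  name: linkerd-cni-config
  namespace: other
  labels:
    linkerd.io/cni-resource: "true"
data:
  # Host directories the installer writes to. They must stay in sync with the
  # hostPath volumes of the DaemonSet and the PSP's allowedHostPaths.
  dest_cni_net_dir: "/etc/kubernetes/cni/net.d"
  dest_cni_bin_dir: "/opt/my-cni/bin"
  # The CNI network configuration to install on each node. The special
  # values in this config will be automatically populated.
  # NOTE(review): once populated, "k8s_auth_token" holds a service account
  # token in a file under dest_cni_net_dir. Verify that the installer writes
  # that file and the referenced kubeconfig with owner-only permissions.
  # NOTE(review): "log_level" is "debug". Confirm this is intended outside of
  # troubleshooting and that debug output never includes the token.
  cni_network_config: |-
    {
      "name": "linkerd-cni",
      "type": "linkerd-cni",
      "log_level": "debug",
      "policy": {
        "type": "k8s",
        "k8s_api_root": "https://__KUBERNETES_SERVICE_HOST__:__KUBERNETES_SERVICE_PORT__",
        "k8s_auth_token": "__SERVICEACCOUNT_TOKEN__"
      },
      "kubernetes": {
        "kubeconfig": "__KUBECONFIG_FILEPATH__"
      },
      "linkerd": {
        "incoming-proxy-port": 5143,
        "outgoing-proxy-port": 5140,
        "proxy-uid": 12102,
        "ports-to-redirect": [],
        "inbound-ports-to-ignore": ["5190","5191"],
        "outbound-ports-to-ignore": [],
        "simulate": false,
        "use-wait-flag": false
      }
    }
---
kind: DaemonSet
apiVersion: apps/v1
metadata:
  name: linkerd-cni
  namespace: other
  labels:
    k8s-app: linkerd-cni
    linkerd.io/cni-resource: "true"
  annotations:
    linkerd.io/created-by: linkerd/cli dev-undefined
spec:
  selector:
    matchLabels:
      k8s-app: linkerd-cni
  updateStrategy:
    type: RollingUpdate
    rollingUpdate:
      maxUnavailable: 1
  template:
    metadata:
      labels:
        k8s-app: linkerd-cni
      annotations:
        linkerd.io/created-by: linkerd/cli dev-undefined
    spec:
      # NOTE(review): beta.kubernetes.io/os is the deprecated form of
      # kubernetes.io/os. Left as-is so node selection does not change.
      nodeSelector:
        beta.kubernetes.io/os: linux
      hostNetwork: true
      serviceAccountName: linkerd-cni
      containers:
        # This container installs the linkerd CNI binaries
        # and CNI network config file on each node. The install
        # script copies the files into place and then sleeps so
        # that Kubernetes doesn't keep trying to restart it.
        #
        # NOTE(review): files placed in the host CNI bin directory are run on
        # the node by the container runtime, so this image is trusted with
        # node-level code execution. It is referenced by a mutable tag;
        # consider pinning it by digest (image@sha256:<digest>) and verifying
        # its provenance.
        # NOTE(review): no securityContext or resource requests/limits are
        # set. Consider adding them (e.g. readOnlyRootFilesystem) after
        # confirming the install script only writes to the mounted host paths.
        - name: install-cni
          image: my-docker-registry.io/awesome/cni-plugin-test-image:awesome-linkerd-version.1
          env:
            - name: DEST_CNI_NET_DIR
              valueFrom:
                configMapKeyRef:
                  name: linkerd-cni-config
                  key: dest_cni_net_dir
            - name: DEST_CNI_BIN_DIR
              valueFrom:
                configMapKeyRef:
                  name: linkerd-cni-config
                  key: dest_cni_bin_dir
            - name: CNI_NETWORK_CONFIG
              valueFrom:
                configMapKeyRef:
                  name: linkerd-cni-config
                  key: cni_network_config
            - name: SLEEP
              value: "true"
          lifecycle:
            # Send SIGTERM to PID 1 so the sleeping install script exits when
            # the pod is stopped.
            preStop:
              exec:
                command: ["kill","-15","1"]
          volumeMounts:
            # Writable mounts of the host CNI directories (no readOnly flag).
            - mountPath: /host/opt/my-cni/bin
              name: cni-bin-dir
            - mountPath: /host/etc/kubernetes/cni/net.d
              name: cni-net-dir
      volumes:
        - name: cni-bin-dir
          hostPath:
            path: /opt/my-cni/bin
        - name: cni-net-dir
          hostPath:
            path: /etc/kubernetes/cni/net.d
---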