linkerd
/
linkerd2
mirror of https://github.com/linkerd/linkerd2.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
linkerd2/cli/cmd/testdata/install_output.golden

1901 lines
61 KiB
Plaintext
Raw Blame History

---
###
### Linkerd Namespace
###
kind: Namespace
apiVersion: v1
metadata:
name: linkerd
annotations:
linkerd.io/inject: disabled
labels:
linkerd.io/is-control-plane: "true"
config.linkerd.io/admission-webhooks: disabled
linkerd.io/control-plane-ns: linkerd
pod-security.kubernetes.io/enforce: privileged
---
###
### Identity Controller Service RBAC
###
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: linkerd-linkerd-identity
labels:
linkerd.io/control-plane-component: identity
linkerd.io/control-plane-ns: linkerd
rules:
- apiGroups: ["authentication.k8s.io"]
resources: ["tokenreviews"]
verbs: ["create"]
# TODO(ver) Restrict this to the Linkerd namespace. See
# https://github.com/linkerd/linkerd2/issues/9367
- apiGroups: [""]
resources: ["events"]
verbs: ["create", "patch"]
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: linkerd-linkerd-identity
labels:
linkerd.io/control-plane-component: identity
linkerd.io/control-plane-ns: linkerd
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: linkerd-linkerd-identity
subjects:
- kind: ServiceAccount
name: linkerd-identity
namespace: linkerd
---
kind: ServiceAccount
apiVersion: v1
metadata:
name: linkerd-identity
namespace: linkerd
labels:
linkerd.io/control-plane-component: identity
linkerd.io/control-plane-ns: linkerd
---
###
### Destination Controller Service
###
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: linkerd-linkerd-destination
labels:
linkerd.io/control-plane-component: destination
linkerd.io/control-plane-ns: linkerd
rules:
- apiGroups: ["apps"]
resources: ["replicasets"]
verbs: ["list", "get", "watch"]
- apiGroups: ["batch"]
resources: ["jobs"]
verbs: ["list", "get", "watch"]
- apiGroups: [""]
resources: ["pods", "endpoints", "services", "nodes"]
verbs: ["list", "get", "watch"]
- apiGroups: ["linkerd.io"]
resources: ["serviceprofiles"]
verbs: ["list", "get", "watch"]
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: linkerd-linkerd-destination
labels:
linkerd.io/control-plane-component: destination
linkerd.io/control-plane-ns: linkerd
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: linkerd-linkerd-destination
subjects:
- kind: ServiceAccount
name: linkerd-destination
namespace: linkerd
---
kind: ServiceAccount
apiVersion: v1
metadata:
name: linkerd-destination
namespace: linkerd
labels:
linkerd.io/control-plane-component: destination
linkerd.io/control-plane-ns: linkerd
---
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
name: linkerd-sp-validator-webhook-config
labels:
linkerd.io/control-plane-component: destination
linkerd.io/control-plane-ns: linkerd
webhooks:
- name: linkerd-sp-validator.linkerd.io
namespaceSelector:
matchExpressions:
- key: config.linkerd.io/admission-webhooks
operator: NotIn
values:
- disabled
clientConfig:
service:
name: linkerd-sp-validator
namespace: linkerd
path: "/"
caBundle: cHJvZmlsZSB2YWxpZGF0b3IgQ0EgYnVuZGxl
failurePolicy: WebhookFailurePolicy
admissionReviewVersions: ["v1", "v1beta1"]
rules:
- operations: ["CREATE", "UPDATE"]
apiGroups: ["linkerd.io"]
apiVersions: ["v1alpha1", "v1alpha2"]
resources: ["serviceprofiles"]
sideEffects: None
---
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
name: linkerd-policy-validator-webhook-config
labels:
linkerd.io/control-plane-component: destination
linkerd.io/control-plane-ns: linkerd
webhooks:
- name: linkerd-policy-validator.linkerd.io
namespaceSelector:
matchExpressions:
- key: config.linkerd.io/admission-webhooks
operator: NotIn
values:
- disabled
clientConfig:
service:
name: linkerd-policy-validator
namespace: linkerd
path: "/"
caBundle: cG9saWN5IHZhbGlkYXRvciBDQSBidW5kbGU=
failurePolicy: WebhookFailurePolicy
admissionReviewVersions: ["v1", "v1beta1"]
rules:
- operations: ["CREATE", "UPDATE"]
apiGroups: ["policy.linkerd.io"]
apiVersions: ["*"]
resources:
- authorizationpolicies
- httproutes
- networkauthentications
- meshtlsauthentications
- serverauthorizations
- servers
- operations: ["CREATE", "UPDATE"]
apiGroups: ["gateway.networking.k8s.io"]
apiVersions: ["*"]
resources:
- httproutes
sideEffects: None
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: linkerd-policy
labels:
app.kubernetes.io/part-of: Linkerd
linkerd.io/control-plane-component: destination
linkerd.io/control-plane-ns: linkerd
rules:
- apiGroups:
- ""
resources:
- pods
verbs:
- get
- list
- watch
- apiGroups:
- apps
resources:
- deployments
verbs:
- get
- apiGroups:
- policy.linkerd.io
resources:
- authorizationpolicies
- httproutes
- meshtlsauthentications
- networkauthentications
- servers
- serverauthorizations
verbs:
- get
- list
- watch
- apiGroups:
- gateway.networking.k8s.io
resources:
- httproutes
verbs:
- get
- list
- watch
- apiGroups:
- policy.linkerd.io
resources:
- httproutes/status
verbs:
- patch
- apiGroups:
- gateway.networking.k8s.io
resources:
- httproutes/status
verbs:
- patch
- apiGroups:
- coordination.k8s.io
resources:
- leases
verbs:
- create
- get
- patch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: linkerd-destination-policy
labels:
app.kubernetes.io/part-of: Linkerd
linkerd.io/control-plane-component: destination
linkerd.io/control-plane-ns: linkerd
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: linkerd-policy
subjects:
- kind: ServiceAccount
name: linkerd-destination
namespace: linkerd
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: remote-discovery
namespace: linkerd
labels:
app.kubernetes.io/part-of: Linkerd
linkerd.io/control-plane-component: destination
linkerd.io/control-plane-ns: linkerd
rules:
- apiGroups:
- ""
resources:
- secrets
verbs:
- get
- list
- watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: linkerd-destination-remote-discovery
namespace: linkerd
labels:
app.kubernetes.io/part-of: Linkerd
linkerd.io/control-plane-component: destination
linkerd.io/control-plane-ns: linkerd
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: remote-discovery
subjects:
- kind: ServiceAccount
name: linkerd-destination
namespace: linkerd
---
###
### Heartbeat RBAC
###
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: linkerd-heartbeat
namespace: linkerd
labels:
linkerd.io/control-plane-ns: linkerd
rules:
- apiGroups: [""]
resources: ["configmaps"]
verbs: ["get"]
resourceNames: ["linkerd-config"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: linkerd-heartbeat
namespace: linkerd
labels:
linkerd.io/control-plane-ns: linkerd
roleRef:
kind: Role
name: linkerd-heartbeat
apiGroup: rbac.authorization.k8s.io
subjects:
- kind: ServiceAccount
name: linkerd-heartbeat
namespace: linkerd
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: linkerd-heartbeat
labels:
linkerd.io/control-plane-ns: linkerd
rules:
- apiGroups: [""]
resources: ["namespaces"]
verbs: ["list"]
- apiGroups: ["linkerd.io"]
resources: ["serviceprofiles"]
verbs: ["list"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: linkerd-heartbeat
labels:
linkerd.io/control-plane-ns: linkerd
roleRef:
kind: ClusterRole
name: linkerd-heartbeat
apiGroup: rbac.authorization.k8s.io
subjects:
- kind: ServiceAccount
name: linkerd-heartbeat
namespace: linkerd
---
kind: ServiceAccount
apiVersion: v1
metadata:
name: linkerd-heartbeat
namespace: linkerd
labels:
linkerd.io/control-plane-component: heartbeat
linkerd.io/control-plane-ns: linkerd
---
###
### Proxy Injector RBAC
###
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: linkerd-linkerd-proxy-injector
labels:
linkerd.io/control-plane-component: proxy-injector
linkerd.io/control-plane-ns: linkerd
rules:
- apiGroups: [""]
resources: ["events"]
verbs: ["create", "patch"]
- apiGroups: [""]
resources: ["namespaces", "replicationcontrollers"]
verbs: ["list", "get", "watch"]
- apiGroups: [""]
resources: ["pods"]
verbs: ["list", "watch"]
- apiGroups: ["extensions", "apps"]
resources: ["deployments", "replicasets", "daemonsets", "statefulsets"]
verbs: ["list", "get", "watch"]
- apiGroups: ["extensions", "batch"]
resources: ["cronjobs", "jobs"]
verbs: ["list", "get", "watch"]
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: linkerd-linkerd-proxy-injector
labels:
linkerd.io/control-plane-component: proxy-injector
linkerd.io/control-plane-ns: linkerd
subjects:
- kind: ServiceAccount
name: linkerd-proxy-injector
namespace: linkerd
apiGroup: ""
roleRef:
kind: ClusterRole
name: linkerd-linkerd-proxy-injector
apiGroup: rbac.authorization.k8s.io
---
kind: ServiceAccount
apiVersion: v1
metadata:
name: linkerd-proxy-injector
namespace: linkerd
labels:
linkerd.io/control-plane-component: proxy-injector
linkerd.io/control-plane-ns: linkerd
---
apiVersion: admissionregistration.k8s.io/v1
kind: MutatingWebhookConfiguration
metadata:
name: linkerd-proxy-injector-webhook-config
labels:
linkerd.io/control-plane-component: proxy-injector
linkerd.io/control-plane-ns: linkerd
webhooks:
- name: linkerd-proxy-injector.linkerd.io
namespaceSelector:
matchExpressions:
- key: config.linkerd.io/admission-webhooks
operator: NotIn
values:
- disabled
- key: kubernetes.io/metadata.name
operator: NotIn
values:
- kube-system
- cert-manager
objectSelector:
null
clientConfig:
service:
name: linkerd-proxy-injector
namespace: linkerd
path: "/"
caBundle: cHJveHkgaW5qZWN0b3IgQ0EgYnVuZGxl
failurePolicy: WebhookFailurePolicy
admissionReviewVersions: ["v1", "v1beta1"]
rules:
- operations: [ "CREATE" ]
apiGroups: [""]
apiVersions: ["v1"]
resources: ["pods", "services"]
sideEffects: None
---
kind: ConfigMap
apiVersion: v1
metadata:
name: linkerd-config
namespace: linkerd
labels:
linkerd.io/control-plane-component: controller
linkerd.io/control-plane-ns: linkerd
annotations:
linkerd.io/created-by: CliVersion
data:
linkerd-crds-chart-version: linkerd-crds-1.0.0-edge
values: |
cliVersion: CliVersion
clusterDomain: cluster.local
clusterNetworks: ClusterNetworks
cniEnabled: false
controlPlaneTracing: false
controlPlaneTracingNamespace: ""
controllerImage: ControllerImage
controllerLogFormat: ControllerLogFormat
controllerLogLevel: ControllerLogLevel
controllerReplicas: 1
controllerUID: 2103
debugContainer:
image:
name: DebugImageName
pullPolicy: DebugImagePullPolicy
version: DebugVersion
destinationProxyResources: null
destinationResources: null
disableHeartBeat: false
enableEndpointSlices: false
enableH2Upgrade: true
enablePodAntiAffinity: false
enablePodDisruptionBudget: false
heartbeatResources: null
heartbeatSchedule: 1 2 3 4 5
highAvailability: false
identity:
externalCA: false
issuer:
clockSkewAllowance: 20s
issuanceLifetime: 24h0m0s
scheme: linkerd.io/tls
tls:
crtPEM: |
-----BEGIN CERTIFICATE-----
MIIBwDCCAWegAwIBAgIRAJRIgZ8RtO8Ewg1Xepf8T44wCgYIKoZIzj0EAwIwKTEn
MCUGA1UEAxMeaWRlbnRpdHkubGlua2VyZC5jbHVzdGVyLmxvY2FsMB4XDTIwMDgy
ODA3MTM0N1oXDTMwMDgyNjA3MTM0N1owKTEnMCUGA1UEAxMeaWRlbnRpdHkubGlu
a2VyZC5jbHVzdGVyLmxvY2FsMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE1/Fp
fcRnDcedL6AjUaXYPv4DIMBaJufOI5NWty+XSX7JjXgZtM72dQvRaYanuxD36Dt1
2/JxyiSgxKWRdoay+aNwMG4wDgYDVR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYB
Af8CAQAwHQYDVR0OBBYEFI1WnrqMYKaHHOo+zpyiiDq2pO0KMCkGA1UdEQQiMCCC
HmlkZW50aXR5LmxpbmtlcmQuY2x1c3Rlci5sb2NhbDAKBggqhkjOPQQDAgNHADBE
AiAtuoI5XuCtrGVRzSmRTl2ra28aV9MyTU7d5qnTAFHKSgIgRKCvluOSgA5O21p5
51tdrmkHEZRr0qlLSJdHYgEfMzk=
-----END CERTIFICATE-----
serviceAccountTokenProjection: true
identityProxyResources: null
identityResources: null
identityTrustAnchorsPEM: |
-----BEGIN CERTIFICATE-----
MIIBwTCCAWagAwIBAgIQeDZp5lDaIygQ5UfMKZrFATAKBggqhkjOPQQDAjApMScw
JQYDVQQDEx5pZGVudGl0eS5saW5rZXJkLmNsdXN0ZXIubG9jYWwwHhcNMjAwODI4
MDcxMjQ3WhcNMzAwODI2MDcxMjQ3WjApMScwJQYDVQQDEx5pZGVudGl0eS5saW5r
ZXJkLmNsdXN0ZXIubG9jYWwwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARqc70Z
l1vgw79rjB5uSITICUA6GyfvSFfcuIis7B/XFSkkwAHU5S/s1AAP+R0TX7HBWUC4
uaG4WWsiwJKNn7mgo3AwbjAOBgNVHQ8BAf8EBAMCAQYwEgYDVR0TAQH/BAgwBgEB
/wIBATAdBgNVHQ4EFgQU5YtjVVPfd7I7NLHsn2C26EByGV0wKQYDVR0RBCIwIIIe
aWRlbnRpdHkubGlua2VyZC5jbHVzdGVyLmxvY2FsMAoGCCqGSM49BAMCA0kAMEYC
IQCN7lBFLDDvjx6V0+XkjpKERRsJYf5adMvnloFl48ilJgIhANtxhndcr+QJPuC8
vgUC0d2/9FMueIVMb+46WTCOjsqr
-----END CERTIFICATE-----
identityTrustDomain: cluster.local
imagePullPolicy: ImagePullPolicy
imagePullSecrets: null
linkerdVersion: LinkerdVersion
networkValidator:
connectAddr: 1.1.1.1:20001
enableSecurityContext: false
listenAddr: 0.0.0.0:4140
logFormat: plain
logLevel: debug
timeout: 10s
nodeAffinity: null
nodeSelector:
kubernetes.io/os: linux
podAnnotations: {}
podLabels: {}
podMonitor: null
policyController:
image:
name: PolicyControllerImageName
pullPolicy: ImagePullPolicy
version: PolicyControllerVersion
logLevel: log-level
probeNetworks:
- 1.0.0.0/0
- 2.0.0.0/0
resources:
cpu:
limit: cpu-limit
request: cpu-request
ephemeral-storage:
limit: ""
request: ""
memory:
limit: memory-limit
request: memory-request
policyValidator:
caBundle: policy validator CA bundle
crtPEM: ""
externalSecret: true
injectCaFrom: ""
injectCaFromSecret: ""
namespaceSelector:
matchExpressions:
- key: config.linkerd.io/admission-webhooks
operator: NotIn
values:
- disabled
priorityClassName: PriorityClassName
profileValidator:
caBundle: profile validator CA bundle
crtPEM: ""
externalSecret: true
injectCaFrom: ""
injectCaFromSecret: ""
namespaceSelector:
matchExpressions:
- key: config.linkerd.io/admission-webhooks
operator: NotIn
values:
- disabled
prometheusUrl: ""
proxy:
accessLog: ""
await: true
capabilities: null
defaultInboundPolicy: default-allow-policy
disableInboundProtocolDetectTimeout: false
disableOutboundProtocolDetectTimeout: false
enableExternalProfiles: false
image:
name: ProxyImageName
pullPolicy: ImagePullPolicy
version: ProxyVersion
inboundConnectTimeout: ""
inboundDiscoveryCacheUnusedTimeout: ""
isGateway: false
isIngress: false
logFormat: plain
logLevel: warn,linkerd=info
nativeSidecar: false
opaquePorts: 25,443,587,3306,5432,11211
outboundConnectTimeout: ""
outboundDiscoveryCacheUnusedTimeout: ""
podInboundPorts: ""
ports:
admin: 4191
control: 4190
inbound: 4143
outbound: 4140
requireIdentityOnInboundPorts: ""
resources:
cpu:
limit: cpu-limit
request: cpu-request
ephemeral-storage:
limit: ""
request: ""
memory:
limit: memory-limit
request: memory-request
saMountPath: null
shutdownGracePeriod: ""
startupProbe: null
uid: 2102
waitBeforeExitSeconds: 0
proxyContainerName: ProxyContainerName
proxyInit:
capabilities: null
closeWaitTimeoutSecs: 0
ignoreInboundPorts: ""
ignoreOutboundPorts: "443"
image:
name: ProxyInitImageName
pullPolicy: ImagePullPolicy
version: ProxyInitVersion
iptablesMode: legacy
kubeAPIServerPorts: ""
logFormat: ""
logLevel: ""
privileged: false
resources:
cpu:
limit: 100m
request: 10m
ephemeral-storage:
limit: ""
request: ""
memory:
limit: 50Mi
request: 10Mi
runAsRoot: false
runAsUser: 65534
saMountPath: null
skipSubnets: ""
xtMountPath:
mountPath: /run
name: linkerd-proxy-init-xtables-lock
readOnly: false
proxyInjector:
caBundle: proxy injector CA bundle
crtPEM: ""
externalSecret: true
injectCaFrom: ""
injectCaFromSecret: ""
namespaceSelector:
matchExpressions:
- key: config.linkerd.io/admission-webhooks
operator: NotIn
values:
- disabled
- key: kubernetes.io/metadata.name
operator: NotIn
values:
- kube-system
- cert-manager
proxyInjectorProxyResources: null
proxyInjectorResources: null
tolerations: null
webhookFailurePolicy: WebhookFailurePolicy
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
annotations:
linkerd.io/created-by: CliVersion
name: ext-namespace-metadata-linkerd-config
namespace: linkerd
rules:
- apiGroups: [""]
resources: ["configmaps"]
verbs: ["get"]
resourceNames: ["linkerd-config"]
---
###
### Identity Controller Service
###
---
kind: Secret
apiVersion: v1
metadata:
name: linkerd-identity-issuer
namespace: linkerd
labels:
linkerd.io/control-plane-component: identity
linkerd.io/control-plane-ns: linkerd
annotations:
linkerd.io/created-by: CliVersion
data:
crt.pem: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUJ3RENDQVdlZ0F3SUJBZ0lSQUpSSWdaOFJ0TzhFd2cxWGVwZjhUNDR3Q2dZSUtvWkl6ajBFQXdJd0tURW4KTUNVR0ExVUVBeE1lYVdSbGJuUnBkSGt1YkdsdWEyVnlaQzVqYkhWemRHVnlMbXh2WTJGc01CNFhEVEl3TURneQpPREEzTVRNME4xb1hEVE13TURneU5qQTNNVE0wTjFvd0tURW5NQ1VHQTFVRUF4TWVhV1JsYm5ScGRIa3ViR2x1CmEyVnlaQzVqYkhWemRHVnlMbXh2WTJGc01Ga3dFd1lIS29aSXpqMENBUVlJS29aSXpqMERBUWNEUWdBRTEvRnAKZmNSbkRjZWRMNkFqVWFYWVB2NERJTUJhSnVmT0k1Tld0eStYU1g3SmpYZ1p0TTcyZFF2UmFZYW51eEQzNkR0MQoyL0p4eWlTZ3hLV1Jkb2F5K2FOd01HNHdEZ1lEVlIwUEFRSC9CQVFEQWdFR01CSUdBMVVkRXdFQi93UUlNQVlCCkFmOENBUUF3SFFZRFZSME9CQllFRkkxV25ycU1ZS2FISE9vK3pweWlpRHEycE8wS01Da0dBMVVkRVFRaU1DQ0MKSG1sa1pXNTBhWFI1TG14cGJtdGxjbVF1WTJ4MWMzUmxjaTVzYjJOaGJEQUtCZ2dxaGtqT1BRUURBZ05IQURCRQpBaUF0dW9JNVh1Q3RyR1ZSelNtUlRsMnJhMjhhVjlNeVRVN2Q1cW5UQUZIS1NnSWdSS0N2bHVPU2dBNU8yMXA1CjUxdGRybWtIRVpScjBxbExTSmRIWWdFZk16az0KLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQ==
key.pem: LS0tLS1CRUdJTiBFQyBQUklWQVRFIEtFWS0tLS0tCk1IY0NBUUVFSUFBZThuZmJ6WnU5Yy9PQjIrOHhKTTBGejdOVXdUUWF6dWxrRk5zNFRJNStvQW9HQ0NxR1NNNDkKQXdFSG9VUURRZ0FFMS9GcGZjUm5EY2VkTDZBalVhWFlQdjRESU1CYUp1Zk9JNU5XdHkrWFNYN0pqWGdadE03MgpkUXZSYVlhbnV4RDM2RHQxMi9KeHlpU2d4S1dSZG9heStRPT0KLS0tLS1FTkQgRUMgUFJJVkFURSBLRVktLS0tLQ==
---
kind: ConfigMap
apiVersion: v1
metadata:
name: linkerd-identity-trust-roots
namespace: linkerd
labels:
linkerd.io/control-plane-component: identity
linkerd.io/control-plane-ns: linkerd
annotations:
linkerd.io/created-by: CliVersion
data:
ca-bundle.crt: |-
-----BEGIN CERTIFICATE-----
MIIBwTCCAWagAwIBAgIQeDZp5lDaIygQ5UfMKZrFATAKBggqhkjOPQQDAjApMScw
JQYDVQQDEx5pZGVudGl0eS5saW5rZXJkLmNsdXN0ZXIubG9jYWwwHhcNMjAwODI4
MDcxMjQ3WhcNMzAwODI2MDcxMjQ3WjApMScwJQYDVQQDEx5pZGVudGl0eS5saW5r
ZXJkLmNsdXN0ZXIubG9jYWwwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARqc70Z
l1vgw79rjB5uSITICUA6GyfvSFfcuIis7B/XFSkkwAHU5S/s1AAP+R0TX7HBWUC4
uaG4WWsiwJKNn7mgo3AwbjAOBgNVHQ8BAf8EBAMCAQYwEgYDVR0TAQH/BAgwBgEB
/wIBATAdBgNVHQ4EFgQU5YtjVVPfd7I7NLHsn2C26EByGV0wKQYDVR0RBCIwIIIe
aWRlbnRpdHkubGlua2VyZC5jbHVzdGVyLmxvY2FsMAoGCCqGSM49BAMCA0kAMEYC
IQCN7lBFLDDvjx6V0+XkjpKERRsJYf5adMvnloFl48ilJgIhANtxhndcr+QJPuC8
vgUC0d2/9FMueIVMb+46WTCOjsqr
-----END CERTIFICATE-----
---
kind: Service
apiVersion: v1
metadata:
name: linkerd-identity
namespace: linkerd
labels:
linkerd.io/control-plane-component: identity
linkerd.io/control-plane-ns: linkerd
annotations:
linkerd.io/created-by: CliVersion
spec:
type: ClusterIP
selector:
linkerd.io/control-plane-component: identity
ports:
- name: grpc
port: 8080
targetPort: 8080
---
kind: Service
apiVersion: v1
metadata:
name: linkerd-identity-headless
namespace: linkerd
labels:
linkerd.io/control-plane-component: identity
linkerd.io/control-plane-ns: linkerd
annotations:
linkerd.io/created-by: CliVersion
spec:
clusterIP: None
selector:
linkerd.io/control-plane-component: identity
ports:
- name: grpc
port: 8080
targetPort: 8080
---
apiVersion: apps/v1
kind: Deployment
metadata:
annotations:
linkerd.io/created-by: CliVersion
labels:
app.kubernetes.io/name: identity
app.kubernetes.io/part-of: Linkerd
app.kubernetes.io/version: LinkerdVersion
linkerd.io/control-plane-component: identity
linkerd.io/control-plane-ns: linkerd
name: linkerd-identity
namespace: linkerd
spec:
replicas: 1
selector:
matchLabels:
linkerd.io/control-plane-component: identity
linkerd.io/control-plane-ns: linkerd
linkerd.io/proxy-deployment: linkerd-identity
template:
metadata:
annotations:
linkerd.io/created-by: CliVersion
linkerd.io/proxy-version: ProxyVersion
cluster-autoscaler.kubernetes.io/safe-to-evict: "true"
linkerd.io/trust-root-sha256: 8dc603abd4e755c25c94da05abbf29b9b283a784733651020d72f97ca8ab98e4
config.linkerd.io/default-inbound-policy: "all-unauthenticated"
labels:
linkerd.io/control-plane-component: identity
linkerd.io/control-plane-ns: linkerd
linkerd.io/workload-ns: linkerd
linkerd.io/proxy-deployment: linkerd-identity
spec:
nodeSelector:
kubernetes.io/os: linux
containers:
- args:
- identity
- -log-level=ControllerLogLevel
- -log-format=ControllerLogFormat
- -controller-namespace=linkerd
- -identity-trust-domain=cluster.local
- -identity-issuance-lifetime=24h0m0s
- -identity-clock-skew-allowance=20s
- -identity-scheme=linkerd.io/tls
- -enable-pprof=false
env:
- name: LINKERD_DISABLED
value: "linkerd-await cannot block the identity controller"
image: ControllerImage:LinkerdVersion
imagePullPolicy: ImagePullPolicy
livenessProbe:
httpGet:
path: /ping
port: 9990
initialDelaySeconds: 10
name: identity
ports:
- containerPort: 8080
name: grpc
- containerPort: 9990
name: admin-http
readinessProbe:
failureThreshold: 7
httpGet:
path: /ready
port: 9990
securityContext:
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
runAsNonRoot: true
runAsUser: 2103
allowPrivilegeEscalation: false
seccompProfile:
type: RuntimeDefault
volumeMounts:
- mountPath: /var/run/linkerd/identity/issuer
name: identity-issuer
- mountPath: /var/run/linkerd/identity/trust-roots/
name: trust-roots
- env:
- name: _pod_name
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: _pod_ns
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: _pod_nodeName
valueFrom:
fieldRef:
fieldPath: spec.nodeName
- name: LINKERD2_PROXY_INBOUND_PORTS_REQUIRE_TLS
value: "8080"
- name: LINKERD2_PROXY_LOG
value: "warn,linkerd=info"
- name: LINKERD2_PROXY_LOG_FORMAT
value: "plain"
- name: LINKERD2_PROXY_DESTINATION_SVC_ADDR
value: linkerd-dst-headless.linkerd.svc.cluster.local.:8086
- name: LINKERD2_PROXY_DESTINATION_PROFILE_NETWORKS
value: "ClusterNetworks"
- name: LINKERD2_PROXY_POLICY_SVC_ADDR
value: linkerd-policy.linkerd.svc.cluster.local.:8090
- name: LINKERD2_PROXY_POLICY_WORKLOAD
value: "$(_pod_ns):$(_pod_name)"
- name: LINKERD2_PROXY_INBOUND_DEFAULT_POLICY
value: all-unauthenticated
- name: LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS
value: "ClusterNetworks"
- name: LINKERD2_PROXY_OUTBOUND_DISCOVERY_IDLE_TIMEOUT
value: "5s"
- name: LINKERD2_PROXY_INBOUND_DISCOVERY_IDLE_TIMEOUT
value: "90s"
- name: LINKERD2_PROXY_CONTROL_LISTEN_ADDR
value: 0.0.0.0:4190
- name: LINKERD2_PROXY_ADMIN_LISTEN_ADDR
value: 0.0.0.0:4191
- name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDR
value: 127.0.0.1:4140
- name: LINKERD2_PROXY_INBOUND_LISTEN_ADDR
value: 0.0.0.0:4143
- name: LINKERD2_PROXY_INBOUND_IPS
valueFrom:
fieldRef:
fieldPath: status.podIPs
- name: LINKERD2_PROXY_INBOUND_PORTS
value: "8080,9990"
- name: LINKERD2_PROXY_DESTINATION_PROFILE_SUFFIXES
value: svc.cluster.local.
- name: LINKERD2_PROXY_INBOUND_ACCEPT_KEEPALIVE
value: 10000ms
- name: LINKERD2_PROXY_OUTBOUND_CONNECT_KEEPALIVE
value: 10000ms
- name: LINKERD2_PROXY_INBOUND_PORTS_DISABLE_PROTOCOL_DETECTION
value: "25,443,587,3306,5432,11211"
- name: LINKERD2_PROXY_DESTINATION_CONTEXT
value: |
{"ns":"$(_pod_ns)", "nodeName":"$(_pod_nodeName)", "pod":"$(_pod_name)"}
- name: _pod_sa
valueFrom:
fieldRef:
fieldPath: spec.serviceAccountName
- name: _l5d_ns
value: linkerd
- name: _l5d_trustdomain
value: cluster.local
- name: LINKERD2_PROXY_IDENTITY_DIR
value: /var/run/linkerd/identity/end-entity
- name: LINKERD2_PROXY_IDENTITY_TRUST_ANCHORS
valueFrom:
configMapKeyRef:
name: linkerd-identity-trust-roots
key: ca-bundle.crt
- name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE
value: /var/run/secrets/tokens/linkerd-identity-token
- name: LINKERD2_PROXY_IDENTITY_SVC_ADDR
value: localhost.:8080
- name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME
value: $(_pod_sa).$(_pod_ns).serviceaccount.identity.linkerd.cluster.local
- name: LINKERD2_PROXY_IDENTITY_SVC_NAME
value: linkerd-identity.linkerd.serviceaccount.identity.linkerd.cluster.local
- name: LINKERD2_PROXY_DESTINATION_SVC_NAME
value: linkerd-destination.linkerd.serviceaccount.identity.linkerd.cluster.local
- name: LINKERD2_PROXY_POLICY_SVC_NAME
value: linkerd-destination.linkerd.serviceaccount.identity.linkerd.cluster.local
image: ProxyImageName:ProxyVersion
imagePullPolicy: ImagePullPolicy
livenessProbe:
httpGet:
path: /live
port: 4191
initialDelaySeconds: 10
name: linkerd-proxy
ports:
- containerPort: 4143
name: linkerd-proxy
- containerPort: 4191
name: linkerd-admin
readinessProbe:
httpGet:
path: /ready
port: 4191
initialDelaySeconds: 2
resources:
limits:
cpu: "cpu-limit"
memory: "memory-limit"
requests:
cpu: "cpu-request"
memory: "memory-request"
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
runAsNonRoot: true
runAsUser: 2102
seccompProfile:
type: RuntimeDefault
terminationMessagePolicy: FallbackToLogsOnError
volumeMounts:
- mountPath: /var/run/linkerd/identity/end-entity
name: linkerd-identity-end-entity
- mountPath: /var/run/secrets/tokens
name: linkerd-identity-token
initContainers:
- args:
- --incoming-proxy-port
- "4143"
- --outgoing-proxy-port
- "4140"
- --proxy-uid
- "2102"
- --inbound-ports-to-ignore
- "4190,4191"
image: ProxyInitImageName:ProxyInitVersion
imagePullPolicy: ImagePullPolicy
name: linkerd-init
resources:
limits:
cpu: "100m"
memory: "50Mi"
requests:
cpu: "10m"
memory: "10Mi"
securityContext:
allowPrivilegeEscalation: false
capabilities:
add:
- NET_ADMIN
- NET_RAW
privileged: false
runAsNonRoot: true
runAsUser: 65534
readOnlyRootFilesystem: true
seccompProfile:
type: RuntimeDefault
terminationMessagePolicy: FallbackToLogsOnError
volumeMounts:
- mountPath: /run
name: linkerd-proxy-init-xtables-lock
priorityClassName: PriorityClassName
securityContext:
seccompProfile:
type: RuntimeDefault
serviceAccountName: linkerd-identity
volumes:
- name: identity-issuer
secret:
secretName: linkerd-identity-issuer
- configMap:
name: linkerd-identity-trust-roots
name: trust-roots
- emptyDir: {}
name: linkerd-proxy-init-xtables-lock
- name: linkerd-identity-token
projected:
sources:
- serviceAccountToken:
path: linkerd-identity-token
expirationSeconds: 86400
audience: identity.l5d.io
- emptyDir:
medium: Memory
name: linkerd-identity-end-entity
---
###
### Destination Controller Service
###
kind: Service
apiVersion: v1
metadata:
name: linkerd-dst
namespace: linkerd
labels:
linkerd.io/control-plane-component: destination
linkerd.io/control-plane-ns: linkerd
annotations:
linkerd.io/created-by: CliVersion
spec:
type: ClusterIP
selector:
linkerd.io/control-plane-component: destination
ports:
- name: grpc
port: 8086
targetPort: 8086
---
kind: Service
apiVersion: v1
metadata:
name: linkerd-dst-headless
namespace: linkerd
labels:
linkerd.io/control-plane-component: destination
linkerd.io/control-plane-ns: linkerd
annotations:
linkerd.io/created-by: CliVersion
spec:
clusterIP: None
selector:
linkerd.io/control-plane-component: destination
ports:
- name: grpc
port: 8086
targetPort: 8086
---
kind: Service
apiVersion: v1
metadata:
name: linkerd-sp-validator
namespace: linkerd
labels:
linkerd.io/control-plane-component: destination
linkerd.io/control-plane-ns: linkerd
annotations:
linkerd.io/created-by: CliVersion
spec:
type: ClusterIP
selector:
linkerd.io/control-plane-component: destination
ports:
- name: sp-validator
port: 443
targetPort: sp-validator
---
kind: Service
apiVersion: v1
metadata:
name: linkerd-policy
namespace: linkerd
labels:
linkerd.io/control-plane-component: destination
linkerd.io/control-plane-ns: linkerd
annotations:
linkerd.io/created-by: CliVersion
spec:
clusterIP: None
selector:
linkerd.io/control-plane-component: destination
ports:
- name: grpc
port: 8090
targetPort: 8090
---
kind: Service
apiVersion: v1
metadata:
name: linkerd-policy-validator
namespace: linkerd
labels:
linkerd.io/control-plane-component: destination
linkerd.io/control-plane-ns: linkerd
annotations:
linkerd.io/created-by: CliVersion
spec:
type: ClusterIP
selector:
linkerd.io/control-plane-component: destination
ports:
- name: policy-https
port: 443
targetPort: policy-https
---
apiVersion: apps/v1
kind: Deployment
metadata:
annotations:
linkerd.io/created-by: CliVersion
labels:
app.kubernetes.io/name: destination
app.kubernetes.io/part-of: Linkerd
app.kubernetes.io/version: LinkerdVersion
linkerd.io/control-plane-component: destination
linkerd.io/control-plane-ns: linkerd
name: linkerd-destination
namespace: linkerd
spec:
replicas: 1
selector:
matchLabels:
linkerd.io/control-plane-component: destination
linkerd.io/control-plane-ns: linkerd
linkerd.io/proxy-deployment: linkerd-destination
template:
metadata:
annotations:
checksum/config: d3eac3abc6cf5f1943e0f005fd15ad0107229283fa6f8db72f9ccb4766bb2228
linkerd.io/created-by: CliVersion
linkerd.io/proxy-version: ProxyVersion
cluster-autoscaler.kubernetes.io/safe-to-evict: "true"
linkerd.io/trust-root-sha256: 8dc603abd4e755c25c94da05abbf29b9b283a784733651020d72f97ca8ab98e4
config.linkerd.io/default-inbound-policy: "all-unauthenticated"
labels:
linkerd.io/control-plane-component: destination
linkerd.io/control-plane-ns: linkerd
linkerd.io/workload-ns: linkerd
linkerd.io/proxy-deployment: linkerd-destination
spec:
nodeSelector:
kubernetes.io/os: linux
containers:
- env:
- name: _pod_name
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: _pod_ns
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: _pod_nodeName
valueFrom:
fieldRef:
fieldPath: spec.nodeName
- name: LINKERD2_PROXY_LOG
value: "warn,linkerd=info"
- name: LINKERD2_PROXY_LOG_FORMAT
value: "plain"
- name: LINKERD2_PROXY_DESTINATION_SVC_ADDR
value: localhost.:8086
- name: LINKERD2_PROXY_DESTINATION_PROFILE_NETWORKS
value: "ClusterNetworks"
- name: LINKERD2_PROXY_POLICY_SVC_ADDR
value: localhost.:8090
- name: LINKERD2_PROXY_POLICY_WORKLOAD
value: "$(_pod_ns):$(_pod_name)"
- name: LINKERD2_PROXY_INBOUND_DEFAULT_POLICY
value: all-unauthenticated
- name: LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS
value: "ClusterNetworks"
- name: LINKERD2_PROXY_OUTBOUND_DISCOVERY_IDLE_TIMEOUT
value: "5s"
- name: LINKERD2_PROXY_INBOUND_DISCOVERY_IDLE_TIMEOUT
value: "90s"
- name: LINKERD2_PROXY_CONTROL_LISTEN_ADDR
value: 0.0.0.0:4190
- name: LINKERD2_PROXY_ADMIN_LISTEN_ADDR
value: 0.0.0.0:4191
- name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDR
value: 127.0.0.1:4140
- name: LINKERD2_PROXY_INBOUND_LISTEN_ADDR
value: 0.0.0.0:4143
- name: LINKERD2_PROXY_INBOUND_IPS
valueFrom:
fieldRef:
fieldPath: status.podIPs
- name: LINKERD2_PROXY_INBOUND_PORTS
value: "8086,8090,8443,9443,9990,9996,9997"
- name: LINKERD2_PROXY_DESTINATION_PROFILE_SUFFIXES
value: svc.cluster.local.
- name: LINKERD2_PROXY_INBOUND_ACCEPT_KEEPALIVE
value: 10000ms
- name: LINKERD2_PROXY_OUTBOUND_CONNECT_KEEPALIVE
value: 10000ms
- name: LINKERD2_PROXY_INBOUND_PORTS_DISABLE_PROTOCOL_DETECTION
value: "25,443,587,3306,5432,11211"
- name: LINKERD2_PROXY_DESTINATION_CONTEXT
value: |
{"ns":"$(_pod_ns)", "nodeName":"$(_pod_nodeName)", "pod":"$(_pod_name)"}
- name: _pod_sa
valueFrom:
fieldRef:
fieldPath: spec.serviceAccountName
- name: _l5d_ns
value: linkerd
- name: _l5d_trustdomain
value: cluster.local
- name: LINKERD2_PROXY_IDENTITY_DIR
value: /var/run/linkerd/identity/end-entity
- name: LINKERD2_PROXY_IDENTITY_TRUST_ANCHORS
valueFrom:
configMapKeyRef:
name: linkerd-identity-trust-roots
key: ca-bundle.crt
- name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE
value: /var/run/secrets/tokens/linkerd-identity-token
- name: LINKERD2_PROXY_IDENTITY_SVC_ADDR
value: linkerd-identity-headless.linkerd.svc.cluster.local.:8080
- name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME
value: $(_pod_sa).$(_pod_ns).serviceaccount.identity.linkerd.cluster.local
- name: LINKERD2_PROXY_IDENTITY_SVC_NAME
value: linkerd-identity.linkerd.serviceaccount.identity.linkerd.cluster.local
- name: LINKERD2_PROXY_DESTINATION_SVC_NAME
value: linkerd-destination.linkerd.serviceaccount.identity.linkerd.cluster.local
- name: LINKERD2_PROXY_POLICY_SVC_NAME
value: linkerd-destination.linkerd.serviceaccount.identity.linkerd.cluster.local
image: ProxyImageName:ProxyVersion
imagePullPolicy: ImagePullPolicy
livenessProbe:
httpGet:
path: /live
port: 4191
initialDelaySeconds: 10
name: linkerd-proxy
ports:
- containerPort: 4143
name: linkerd-proxy
- containerPort: 4191
name: linkerd-admin
readinessProbe:
httpGet:
path: /ready
port: 4191
initialDelaySeconds: 2
resources:
limits:
cpu: "cpu-limit"
memory: "memory-limit"
requests:
cpu: "cpu-request"
memory: "memory-request"
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
runAsNonRoot: true
runAsUser: 2102
seccompProfile:
type: RuntimeDefault
terminationMessagePolicy: FallbackToLogsOnError
lifecycle:
postStart:
exec:
command:
- /usr/lib/linkerd/linkerd-await
- --timeout=2m
- --port=4191
volumeMounts:
- mountPath: /var/run/linkerd/identity/end-entity
name: linkerd-identity-end-entity
- mountPath: /var/run/secrets/tokens
name: linkerd-identity-token
- args:
- destination
- -addr=:8086
- -controller-namespace=linkerd
- -enable-h2-upgrade=true
- -log-level=ControllerLogLevel
- -log-format=ControllerLogFormat
- -enable-endpoint-slices=false
- -cluster-domain=cluster.local
- -identity-trust-domain=cluster.local
- -default-opaque-ports=25,443,587,3306,5432,11211
- -enable-pprof=false
image: ControllerImage:LinkerdVersion
imagePullPolicy: ImagePullPolicy
livenessProbe:
httpGet:
path: /ping
port: 9996
initialDelaySeconds: 10
name: destination
ports:
- containerPort: 8086
name: grpc
- containerPort: 9996
name: admin-http
readinessProbe:
failureThreshold: 7
httpGet:
path: /ready
port: 9996
securityContext:
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
runAsNonRoot: true
runAsUser: 2103
allowPrivilegeEscalation: false
seccompProfile:
type: RuntimeDefault
- args:
- sp-validator
- -log-level=ControllerLogLevel
- -log-format=ControllerLogFormat
- -enable-pprof=false
image: ControllerImage:LinkerdVersion
imagePullPolicy: ImagePullPolicy
livenessProbe:
httpGet:
path: /ping
port: 9997
initialDelaySeconds: 10
name: sp-validator
ports:
- containerPort: 8443
name: sp-validator
- containerPort: 9997
name: admin-http
readinessProbe:
failureThreshold: 7
httpGet:
path: /ready
port: 9997
securityContext:
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
runAsNonRoot: true
runAsUser: 2103
allowPrivilegeEscalation: false
seccompProfile:
type: RuntimeDefault
volumeMounts:
- mountPath: /var/run/linkerd/tls
name: sp-tls
readOnly: true
- args:
- --admin-addr=0.0.0.0:9990
- --control-plane-namespace=linkerd
- --grpc-addr=0.0.0.0:8090
- --server-addr=0.0.0.0:9443
- --server-tls-key=/var/run/linkerd/tls/tls.key
- --server-tls-certs=/var/run/linkerd/tls/tls.crt
- --cluster-networks=ClusterNetworks
- --identity-domain=cluster.local
- --cluster-domain=cluster.local
- --default-policy=default-allow-policy
- --log-level=log-level
- --log-format=ControllerLogFormat
- --default-opaque-ports=25,443,587,3306,5432,11211
- --probe-networks=1.0.0.0/0,2.0.0.0/0
image: PolicyControllerImageName:PolicyControllerVersion
imagePullPolicy: ImagePullPolicy
livenessProbe:
httpGet:
path: /live
port: admin-http
name: policy
ports:
- containerPort: 8090
name: grpc
- containerPort: 9990
name: admin-http
- containerPort: 9443
name: policy-https
readinessProbe:
failureThreshold: 7
httpGet:
path: /ready
port: admin-http
initialDelaySeconds: 10
resources:
limits:
cpu: "cpu-limit"
memory: "memory-limit"
requests:
cpu: "cpu-request"
memory: "memory-request"
securityContext:
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
runAsNonRoot: true
runAsUser: 2103
allowPrivilegeEscalation: false
seccompProfile:
type: RuntimeDefault
volumeMounts:
- mountPath: /var/run/linkerd/tls
name: policy-tls
readOnly: true
initContainers:
- args:
- --incoming-proxy-port
- "4143"
- --outgoing-proxy-port
- "4140"
- --proxy-uid
- "2102"
- --inbound-ports-to-ignore
- "4190,4191"
image: ProxyInitImageName:ProxyInitVersion
imagePullPolicy: ImagePullPolicy
name: linkerd-init
resources:
limits:
cpu: "100m"
memory: "50Mi"
requests:
cpu: "10m"
memory: "10Mi"
securityContext:
allowPrivilegeEscalation: false
capabilities:
add:
- NET_ADMIN
- NET_RAW
privileged: false
runAsNonRoot: true
runAsUser: 65534
readOnlyRootFilesystem: true
seccompProfile:
type: RuntimeDefault
terminationMessagePolicy: FallbackToLogsOnError
volumeMounts:
- mountPath: /run
name: linkerd-proxy-init-xtables-lock
priorityClassName: PriorityClassName
securityContext:
seccompProfile:
type: RuntimeDefault
serviceAccountName: linkerd-destination
volumes:
- name: sp-tls
secret:
secretName: linkerd-sp-validator-k8s-tls
- name: policy-tls
secret:
secretName: linkerd-policy-validator-k8s-tls
- emptyDir: {}
name: linkerd-proxy-init-xtables-lock
- name: linkerd-identity-token
projected:
sources:
- serviceAccountToken:
path: linkerd-identity-token
expirationSeconds: 86400
audience: identity.l5d.io
- emptyDir:
medium: Memory
name: linkerd-identity-end-entity
---
###
### Heartbeat
###
apiVersion: batch/v1
kind: CronJob
metadata:
name: linkerd-heartbeat
namespace: linkerd
labels:
app.kubernetes.io/name: heartbeat
app.kubernetes.io/part-of: Linkerd
app.kubernetes.io/version: LinkerdVersion
linkerd.io/control-plane-component: heartbeat
linkerd.io/control-plane-ns: linkerd
annotations:
linkerd.io/created-by: CliVersion
spec:
concurrencyPolicy: Replace
schedule: "1 2 3 4 5"
successfulJobsHistoryLimit: 0
jobTemplate:
spec:
template:
metadata:
labels:
linkerd.io/control-plane-component: heartbeat
linkerd.io/workload-ns: linkerd
annotations:
linkerd.io/created-by: CliVersion
spec:
priorityClassName: PriorityClassName
nodeSelector:
kubernetes.io/os: linux
securityContext:
seccompProfile:
type: RuntimeDefault
serviceAccountName: linkerd-heartbeat
restartPolicy: Never
containers:
- name: heartbeat
image: ControllerImage:LinkerdVersion
imagePullPolicy: ImagePullPolicy
env:
- name: LINKERD_DISABLED
value: "the heartbeat controller does not use the proxy"
args:
- "heartbeat"
- "-controller-namespace=linkerd"
- "-log-level=ControllerLogLevel"
- "-log-format=ControllerLogFormat"
- "-prometheus-url=http://prometheus.linkerd-viz.svc.cluster.local:9090"
securityContext:
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
runAsNonRoot: true
runAsUser: 2103
allowPrivilegeEscalation: false
seccompProfile:
type: RuntimeDefault
---
###
### Proxy Injector
###
apiVersion: apps/v1
kind: Deployment
metadata:
annotations:
linkerd.io/created-by: CliVersion
labels:
app.kubernetes.io/name: proxy-injector
app.kubernetes.io/part-of: Linkerd
app.kubernetes.io/version: LinkerdVersion
linkerd.io/control-plane-component: proxy-injector
linkerd.io/control-plane-ns: linkerd
name: linkerd-proxy-injector
namespace: linkerd
spec:
replicas: 1
selector:
matchLabels:
linkerd.io/control-plane-component: proxy-injector
template:
metadata:
annotations:
checksum/config: 543c65ff6faff4112a64971371380e01188b1bbc583fef84c7b50844cb1a896d
linkerd.io/created-by: CliVersion
linkerd.io/proxy-version: ProxyVersion
cluster-autoscaler.kubernetes.io/safe-to-evict: "true"
linkerd.io/trust-root-sha256: 8dc603abd4e755c25c94da05abbf29b9b283a784733651020d72f97ca8ab98e4
config.linkerd.io/opaque-ports: "8443"
config.linkerd.io/default-inbound-policy: "all-unauthenticated"
labels:
linkerd.io/control-plane-component: proxy-injector
linkerd.io/control-plane-ns: linkerd
linkerd.io/workload-ns: linkerd
linkerd.io/proxy-deployment: linkerd-proxy-injector
spec:
nodeSelector:
kubernetes.io/os: linux
containers:
- env:
- name: _pod_name
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: _pod_ns
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: _pod_nodeName
valueFrom:
fieldRef:
fieldPath: spec.nodeName
- name: LINKERD2_PROXY_LOG
value: "warn,linkerd=info"
- name: LINKERD2_PROXY_LOG_FORMAT
value: "plain"
- name: LINKERD2_PROXY_DESTINATION_SVC_ADDR
value: linkerd-dst-headless.linkerd.svc.cluster.local.:8086
- name: LINKERD2_PROXY_DESTINATION_PROFILE_NETWORKS
value: "ClusterNetworks"
- name: LINKERD2_PROXY_POLICY_SVC_ADDR
value: linkerd-policy.linkerd.svc.cluster.local.:8090
- name: LINKERD2_PROXY_POLICY_WORKLOAD
value: "$(_pod_ns):$(_pod_name)"
- name: LINKERD2_PROXY_INBOUND_DEFAULT_POLICY
value: all-unauthenticated
- name: LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS
value: "ClusterNetworks"
- name: LINKERD2_PROXY_OUTBOUND_DISCOVERY_IDLE_TIMEOUT
value: "5s"
- name: LINKERD2_PROXY_INBOUND_DISCOVERY_IDLE_TIMEOUT
value: "90s"
- name: LINKERD2_PROXY_CONTROL_LISTEN_ADDR
value: 0.0.0.0:4190
- name: LINKERD2_PROXY_ADMIN_LISTEN_ADDR
value: 0.0.0.0:4191
- name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDR
value: 127.0.0.1:4140
- name: LINKERD2_PROXY_INBOUND_LISTEN_ADDR
value: 0.0.0.0:4143
- name: LINKERD2_PROXY_INBOUND_IPS
valueFrom:
fieldRef:
fieldPath: status.podIPs
- name: LINKERD2_PROXY_INBOUND_PORTS
value: "8443,9995"
- name: LINKERD2_PROXY_DESTINATION_PROFILE_SUFFIXES
value: svc.cluster.local.
- name: LINKERD2_PROXY_INBOUND_ACCEPT_KEEPALIVE
value: 10000ms
- name: LINKERD2_PROXY_OUTBOUND_CONNECT_KEEPALIVE
value: 10000ms
- name: LINKERD2_PROXY_INBOUND_PORTS_DISABLE_PROTOCOL_DETECTION
value: "25,443,587,3306,5432,11211"
- name: LINKERD2_PROXY_DESTINATION_CONTEXT
value: |
{"ns":"$(_pod_ns)", "nodeName":"$(_pod_nodeName)", "pod":"$(_pod_name)"}
- name: _pod_sa
valueFrom:
fieldRef:
fieldPath: spec.serviceAccountName
- name: _l5d_ns
value: linkerd
- name: _l5d_trustdomain
value: cluster.local
- name: LINKERD2_PROXY_IDENTITY_DIR
value: /var/run/linkerd/identity/end-entity
- name: LINKERD2_PROXY_IDENTITY_TRUST_ANCHORS
valueFrom:
configMapKeyRef:
name: linkerd-identity-trust-roots
key: ca-bundle.crt
- name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE
value: /var/run/secrets/tokens/linkerd-identity-token
- name: LINKERD2_PROXY_IDENTITY_SVC_ADDR
value: linkerd-identity-headless.linkerd.svc.cluster.local.:8080
- name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME
value: $(_pod_sa).$(_pod_ns).serviceaccount.identity.linkerd.cluster.local
- name: LINKERD2_PROXY_IDENTITY_SVC_NAME
value: linkerd-identity.linkerd.serviceaccount.identity.linkerd.cluster.local
- name: LINKERD2_PROXY_DESTINATION_SVC_NAME
value: linkerd-destination.linkerd.serviceaccount.identity.linkerd.cluster.local
- name: LINKERD2_PROXY_POLICY_SVC_NAME
value: linkerd-destination.linkerd.serviceaccount.identity.linkerd.cluster.local
image: ProxyImageName:ProxyVersion
imagePullPolicy: ImagePullPolicy
livenessProbe:
httpGet:
path: /live
port: 4191
initialDelaySeconds: 10
name: linkerd-proxy
ports:
- containerPort: 4143
name: linkerd-proxy
- containerPort: 4191
name: linkerd-admin
readinessProbe:
httpGet:
path: /ready
port: 4191
initialDelaySeconds: 2
resources:
limits:
cpu: "cpu-limit"
memory: "memory-limit"
requests:
cpu: "cpu-request"
memory: "memory-request"
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
runAsNonRoot: true
runAsUser: 2102
seccompProfile:
type: RuntimeDefault
terminationMessagePolicy: FallbackToLogsOnError
lifecycle:
postStart:
exec:
command:
- /usr/lib/linkerd/linkerd-await
- --timeout=2m
- --port=4191
volumeMounts:
- mountPath: /var/run/linkerd/identity/end-entity
name: linkerd-identity-end-entity
- mountPath: /var/run/secrets/tokens
name: linkerd-identity-token
- args:
- proxy-injector
- -log-level=ControllerLogLevel
- -log-format=ControllerLogFormat
- -linkerd-namespace=linkerd
- -enable-pprof=false
image: ControllerImage:LinkerdVersion
imagePullPolicy: ImagePullPolicy
livenessProbe:
httpGet:
path: /ping
port: 9995
initialDelaySeconds: 10
name: proxy-injector
ports:
- containerPort: 8443
name: proxy-injector
- containerPort: 9995
name: admin-http
readinessProbe:
failureThreshold: 7
httpGet:
path: /ready
port: 9995
securityContext:
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
runAsNonRoot: true
runAsUser: 2103
allowPrivilegeEscalation: false
seccompProfile:
type: RuntimeDefault
volumeMounts:
- mountPath: /var/run/linkerd/config
name: config
- mountPath: /var/run/linkerd/identity/trust-roots
name: trust-roots
- mountPath: /var/run/linkerd/tls
name: tls
readOnly: true
initContainers:
- args:
- --incoming-proxy-port
- "4143"
- --outgoing-proxy-port
- "4140"
- --proxy-uid
- "2102"
- --inbound-ports-to-ignore
- "4190,4191"
image: ProxyInitImageName:ProxyInitVersion
imagePullPolicy: ImagePullPolicy
name: linkerd-init
resources:
limits:
cpu: "100m"
memory: "50Mi"
requests:
cpu: "10m"
memory: "10Mi"
securityContext:
allowPrivilegeEscalation: false
capabilities:
add:
- NET_ADMIN
- NET_RAW
privileged: false
runAsNonRoot: true
runAsUser: 65534
readOnlyRootFilesystem: true
seccompProfile:
type: RuntimeDefault
terminationMessagePolicy: FallbackToLogsOnError
volumeMounts:
- mountPath: /run
name: linkerd-proxy-init-xtables-lock
priorityClassName: PriorityClassName
securityContext:
seccompProfile:
type: RuntimeDefault
serviceAccountName: linkerd-proxy-injector
volumes:
- configMap:
name: linkerd-config
name: config
- configMap:
name: linkerd-identity-trust-roots
name: trust-roots
- name: tls
secret:
secretName: linkerd-proxy-injector-k8s-tls
- emptyDir: {}
name: linkerd-proxy-init-xtables-lock
- name: linkerd-identity-token
projected:
sources:
- serviceAccountToken:
path: linkerd-identity-token
expirationSeconds: 86400
audience: identity.l5d.io
- emptyDir:
medium: Memory
name: linkerd-identity-end-entity
---
kind: Service
apiVersion: v1
metadata:
name: linkerd-proxy-injector
namespace: linkerd
labels:
linkerd.io/control-plane-component: proxy-injector
linkerd.io/control-plane-ns: linkerd
annotations:
linkerd.io/created-by: CliVersion
config.linkerd.io/opaque-ports: "443"
spec:
type: ClusterIP
selector:
linkerd.io/control-plane-component: proxy-injector
ports:
- name: proxy-injector
port: 443
targetPort: proxy-injector
---
apiVersion: v1
data:
linkerd-config-overrides: Y2xpVmVyc2lvbjogQ2xpVmVyc2lvbgpjbHVzdGVyTmV0d29ya3M6IENsdXN0ZXJOZXR3b3Jrcwpjb250cm9sUGxhbmVUcmFjaW5nTmFtZXNwYWNlOiAiIgpjb250cm9sbGVySW1hZ2U6IENvbnRyb2xsZXJJbWFnZQpjb250cm9sbGVyTG9nRm9ybWF0OiBDb250cm9sbGVyTG9nRm9ybWF0CmNvbnRyb2xsZXJMb2dMZXZlbDogQ29udHJvbGxlckxvZ0xldmVsCmRlYnVnQ29udGFpbmVyOgogIGltYWdlOgogICAgbmFtZTogRGVidWdJbWFnZU5hbWUKICAgIHB1bGxQb2xpY3k6IERlYnVnSW1hZ2VQdWxsUG9saWN5CiAgICB2ZXJzaW9uOiBEZWJ1Z1ZlcnNpb24KZW5hYmxlRW5kcG9pbnRTbGljZXM6IGZhbHNlCmhlYXJ0YmVhdFNjaGVkdWxlOiAxIDIgMyA0IDUKaWRlbnRpdHk6CiAgaXNzdWVyOgogICAgdGxzOgogICAgICBjcnRQRU06IHwKICAgICAgICAtLS0tLUJFR0lOIENFUlRJRklDQVRFLS0tLS0KICAgICAgICBNSUlCd0RDQ0FXZWdBd0lCQWdJUkFKUklnWjhSdE84RXdnMVhlcGY4VDQ0d0NnWUlLb1pJemowRUF3SXdLVEVuCiAgICAgICAgTUNVR0ExVUVBeE1lYVdSbGJuUnBkSGt1YkdsdWEyVnlaQzVqYkhWemRHVnlMbXh2WTJGc01CNFhEVEl3TURneQogICAgICAgIE9EQTNNVE0wTjFvWERUTXdNRGd5TmpBM01UTTBOMW93S1RFbk1DVUdBMVVFQXhNZWFXUmxiblJwZEhrdWJHbHUKICAgICAgICBhMlZ5WkM1amJIVnpkR1Z5TG14dlkyRnNNRmt3RXdZSEtvWkl6ajBDQVFZSUtvWkl6ajBEQVFjRFFnQUUxL0ZwCiAgICAgICAgZmNSbkRjZWRMNkFqVWFYWVB2NERJTUJhSnVmT0k1Tld0eStYU1g3SmpYZ1p0TTcyZFF2UmFZYW51eEQzNkR0MQogICAgICAgIDIvSnh5aVNneEtXUmRvYXkrYU53TUc0d0RnWURWUjBQQVFIL0JBUURBZ0VHTUJJR0ExVWRFd0VCL3dRSU1BWUIKICAgICAgICBBZjhDQVFBd0hRWURWUjBPQkJZRUZJMVducnFNWUthSEhPbyt6cHlpaURxMnBPMEtNQ2tHQTFVZEVRUWlNQ0NDCiAgICAgICAgSG1sa1pXNTBhWFI1TG14cGJtdGxjbVF1WTJ4MWMzUmxjaTVzYjJOaGJEQUtCZ2dxaGtqT1BRUURBZ05IQURCRQogICAgICAgIEFpQXR1b0k1WHVDdHJHVlJ6U21SVGwycmEyOGFWOU15VFU3ZDVxblRBRkhLU2dJZ1JLQ3ZsdU9TZ0E1TzIxcDUKICAgICAgICA1MXRkcm1rSEVaUnIwcWxMU0pkSFlnRWZNems9CiAgICAgICAgLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQogICAgICBrZXlQRU06IHwKICAgICAgICAtLS0tLUJFR0lOIEVDIFBSSVZBVEUgS0VZLS0tLS0KICAgICAgICBNSGNDQVFFRUlBQWU4bmZielp1OWMvT0IyKzh4Sk0wRno3TlV3VFFhenVsa0ZOczRUSTUrb0FvR0NDcUdTTTQ5CiAgICAgICAgQXdFSG9VUURRZ0FFMS9GcGZjUm5EY2VkTDZBalVhWFlQdjRESU1CYUp1Zk9JNU5XdHkrWFNYN0pqWGdadE03MgogICAgICAgIGRRdlJhWWFudXhEMzZEdDEyL0p4eWlTZ3hLV1Jkb2F5K1E9PQogICAgICAgIC0tLS0tRU5EIEVDIFBSSVZBVEUgS0VZLS0tLS0KaWRlbnRpdHlUcnVzdEFuY2hvcnNQRU06IHwKICAtLS0tLUJFR0lOIENFUlRJRklDQVRFLS0tLS0KICBNSUlCd1RDQ0FXYWdBd0lCQWdJUWVEWnA1bERhSXlnUTVVZk1LWnJGQVRBS0JnZ3Foa2pPUFFRREFqQXBNU2N3CiAgSlFZRFZRUURFeDVwWkdWdWRHbDBlUzVzYVc1clpYSmtMbU5zZFhOMFpYSXViRzlqWVd3d0hoY05NakF3T0RJNAogIE1EY3hNalEzV2hjTk16QXdPREkyTURjeE1qUTNXakFwTVNjd0pRWURWUVFERXg1cFpHVnVkR2wwZVM1c2FXNXIKICBaWEprTG1Oc2RYTjBaWEl1Ykc5allXd3dXVEFUQmdjcWhrak9QUUlCQmdncWhrak9QUU1CQndOQ0FBUnFjNzBaCiAgbDF2Z3c3OXJqQjV1U0lUSUNVQTZHeWZ2U0ZmY3VJaXM3Qi9YRlNra3dBSFU1Uy9zMUFBUCtSMFRYN0hCV1VDNAogIHVhRzRXV3Npd0pLTm43bWdvM0F3YmpBT0JnTlZIUThCQWY4RUJBTUNBUVl3RWdZRFZSMFRBUUgvQkFnd0JnRUIKICAvd0lCQVRBZEJnTlZIUTRFRmdRVTVZdGpWVlBmZDdJN05MSHNuMkMyNkVCeUdWMHdLUVlEVlIwUkJDSXdJSUllCiAgYVdSbGJuUnBkSGt1YkdsdWEyVnlaQzVqYkhWemRHVnlMbXh2WTJGc01Bb0dDQ3FHU000OUJBTUNBMGtBTUVZQwogIElRQ043bEJGTEREdmp4NlYwK1hranBLRVJSc0pZZjVhZE12bmxvRmw0OGlsSmdJaEFOdHhobmRjcitRSlB1QzgKICB2Z1VDMGQyLzlGTXVlSVZNYis0NldUQ09qc3FyCiAgLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQppbWFnZVB1bGxQb2xpY3k6IEltYWdlUHVsbFBvbGljeQppbWFnZVB1bGxTZWNyZXRzOiBudWxsCmxpbmtlcmRWZXJzaW9uOiBMaW5rZXJkVmVyc2lvbgpuZXR3b3JrVmFsaWRhdG9yOgogIGVuYWJsZVNlY3VyaXR5Q29udGV4dDogZmFsc2UKcG9kTW9uaXRvcjogbnVsbApwb2xpY3lDb250cm9sbGVyOgogIGltYWdlOgogICAgbmFtZTogUG9saWN5Q29udHJvbGxlckltYWdlTmFtZQogICAgcHVsbFBvbGljeTogSW1hZ2VQdWxsUG9saWN5CiAgICB2ZXJzaW9uOiBQb2xpY3lDb250cm9sbGVyVmVyc2lvbgogIGxvZ0xldmVsOiBsb2ctbGV2ZWwKICByZXNvdXJjZXM6CiAgICBjcHU6CiAgICAgIGxpbWl0OiBjcHUtbGltaXQKICAgICAgcmVxdWVzdDogY3B1LXJlcXVlc3QKICAgIG1lbW9yeToKICAgICAgbGltaXQ6IG1lbW9yeS1saW1pdAogICAgICByZXF1ZXN0OiBtZW1vcnktcmVxdWVzdApwb2xpY3lWYWxpZGF0b3I6CiAgY2FCdW5kbGU6IHBvbGljeSB2YWxpZGF0b3IgQ0EgYnVuZGxlCiAgZXh0ZXJuYWxTZWNyZXQ6IHRydWUKcHJpb3JpdHlDbGFzc05hbWU6IFByaW9yaXR5Q2xhc3NOYW1lCnByb2ZpbGVWYWxpZGF0b3I6CiAgY2FCdW5kbGU6IHByb2ZpbGUgdmFsaWRhdG9yIENBIGJ1bmRsZQogIGV4dGVybmFsU2VjcmV0OiB0cnVlCnByb3h5OgogIGRlZmF1bHRJbmJvdW5kUG9saWN5OiBkZWZhdWx0LWFsbG93LXBvbGljeQogIGltYWdlOgogICAgbmFtZTogUHJveHlJbWFnZU5hbWUKICAgIHB1bGxQb2xpY3k6IEltYWdlUHVsbFBvbGljeQogICAgdmVyc2lvbjogUHJveHlWZXJzaW9uCiAgaW5ib3VuZENvbm5lY3RUaW1lb3V0OiAiIgogIGluYm91bmREaXNjb3ZlcnlDYWNoZVVudXNlZFRpbWVvdXQ6ICIiCiAgbG9nTGV2ZWw6IHdhcm4sbGlua2VyZD1pbmZvCiAgb3BhcXVlUG9ydHM6IDI1LDQ0Myw1ODcsMzMwNiw1NDMyLDExMjExCiAgb3V0Ym91bmRDb25uZWN0VGltZW91dDogIiIKICBvdXRib3VuZERpc2NvdmVyeUNhY2hlVW51c2VkVGltZW91dDogIiIKICByZXNvdXJjZXM6CiAgICBjcHU6CiAgICAgIGxpbWl0OiBjcHUtbGltaXQKICAgICAgcmVxdWVzdDogY3B1LXJlcXVlc3QKICAgIG1lbW9yeToKICAgICAgbGltaXQ6IG1lbW9yeS1saW1pdAogICAgICByZXF1ZXN0OiBtZW1vcnktcmVxdWVzdAogIHN0YXJ0dXBQcm9iZTogbnVsbApwcm94eUNvbnRhaW5lck5hbWU6IFByb3h5Q29udGFpbmVyTmFtZQpwcm94eUluaXQ6CiAgaWdub3JlSW5ib3VuZFBvcnRzOiAiIgogIGlnbm9yZU91dGJvdW5kUG9ydHM6ICI0NDMiCiAgaW1hZ2U6CiAgICBuYW1lOiBQcm94eUluaXRJbWFnZU5hbWUKICAgIHB1bGxQb2xpY3k6IEltYWdlUHVsbFBvbGljeQogICAgdmVyc2lvbjogUHJveHlJbml0VmVyc2lvbgogIGt1YmVBUElTZXJ2ZXJQb3J0czogIiIKICByZXNvdXJjZXM6CiAgICBjcHU6CiAgICAgIHJlcXVlc3Q6IDEwbQogICAgbWVtb3J5OgogICAgICBsaW1pdDogNTBNaQogICAgICByZXF1ZXN0OiAxME1pCnByb3h5SW5qZWN0b3I6CiAgY2FCdW5kbGU6IHByb3h5IGluamVjdG9yIENBIGJ1bmRsZQogIGV4dGVybmFsU2VjcmV0OiB0cnVlCndlYmhvb2tGYWlsdXJlUG9saWN5OiBXZWJob29rRmFpbHVyZVBvbGljeQo=
kind: Secret
metadata:
creationTimestamp: null
labels:
linkerd.io/control-plane-ns: linkerd
name: linkerd-config-overrides
namespace: linkerd
Reference in New Issue View Git Blame Copy Permalink