mirror of https://github.com/linkerd/linkerd2.git
168 lines
5.5 KiB
YAML
168 lines
5.5 KiB
YAML
apiVersion: v1
|
|
kind: Pod
|
|
metadata:
|
|
annotations:
|
|
config.linkerd.io/skip-inbound-ports: 22,8100-8102
|
|
config.linkerd.io/skip-outbound-ports: "5432"
|
|
linkerd.io/created-by: linkerd/cli dev-undefined
|
|
linkerd.io/identity-mode: default
|
|
linkerd.io/proxy-version: test-inject-proxy-version
|
|
labels:
|
|
app: vote-bot
|
|
linkerd.io/control-plane-ns: linkerd
|
|
linkerd.io/workload-ns: emojivoto
|
|
name: vote-bot
|
|
namespace: emojivoto
|
|
spec:
|
|
containers:
|
|
- command:
|
|
- emojivoto-vote-bot
|
|
env:
|
|
- name: WEB_HOST
|
|
value: web-svc.emojivoto:80
|
|
image: buoyantio/emojivoto-web:v10
|
|
name: vote-bot
|
|
- env:
|
|
- name: LINKERD2_PROXY_LOG
|
|
value: warn,linkerd=info
|
|
- name: LINKERD2_PROXY_LOG_FORMAT
|
|
value: plain
|
|
- name: LINKERD2_PROXY_DESTINATION_SVC_ADDR
|
|
value: linkerd-dst-headless.linkerd.svc.cluster.local:8086
|
|
- name: LINKERD2_PROXY_DESTINATION_PROFILE_NETWORKS
|
|
value: 10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16
|
|
- name: LINKERD2_PROXY_INBOUND_CONNECT_TIMEOUT
|
|
value: 100ms
|
|
- name: LINKERD2_PROXY_OUTBOUND_CONNECT_TIMEOUT
|
|
value: 1000ms
|
|
- name: LINKERD2_PROXY_CONTROL_LISTEN_ADDR
|
|
value: 0.0.0.0:4190
|
|
- name: LINKERD2_PROXY_ADMIN_LISTEN_ADDR
|
|
value: 0.0.0.0:4191
|
|
- name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDR
|
|
value: 127.0.0.1:4140
|
|
- name: LINKERD2_PROXY_INBOUND_LISTEN_ADDR
|
|
value: 0.0.0.0:4143
|
|
- name: LINKERD2_PROXY_DESTINATION_PROFILE_SUFFIXES
|
|
value: svc.cluster.local.
|
|
- name: LINKERD2_PROXY_INBOUND_ACCEPT_KEEPALIVE
|
|
value: 10000ms
|
|
- name: LINKERD2_PROXY_OUTBOUND_CONNECT_KEEPALIVE
|
|
value: 10000ms
|
|
- name: _pod_ns
|
|
valueFrom:
|
|
fieldRef:
|
|
fieldPath: metadata.namespace
|
|
- name: _pod_nodeName
|
|
valueFrom:
|
|
fieldRef:
|
|
fieldPath: spec.nodeName
|
|
- name: LINKERD2_PROXY_DESTINATION_CONTEXT
|
|
value: |
|
|
{"ns":"$(_pod_ns)", "nodeName":"$(_pod_nodeName)"}
|
|
- name: LINKERD2_PROXY_IDENTITY_DIR
|
|
value: /var/run/linkerd/identity/end-entity
|
|
- name: LINKERD2_PROXY_IDENTITY_TRUST_ANCHORS
|
|
value: |
|
|
-----BEGIN CERTIFICATE-----
|
|
MIIBwTCCAWagAwIBAgIQeDZp5lDaIygQ5UfMKZrFATAKBggqhkjOPQQDAjApMScw
|
|
JQYDVQQDEx5pZGVudGl0eS5saW5rZXJkLmNsdXN0ZXIubG9jYWwwHhcNMjAwODI4
|
|
MDcxMjQ3WhcNMzAwODI2MDcxMjQ3WjApMScwJQYDVQQDEx5pZGVudGl0eS5saW5r
|
|
ZXJkLmNsdXN0ZXIubG9jYWwwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARqc70Z
|
|
l1vgw79rjB5uSITICUA6GyfvSFfcuIis7B/XFSkkwAHU5S/s1AAP+R0TX7HBWUC4
|
|
uaG4WWsiwJKNn7mgo3AwbjAOBgNVHQ8BAf8EBAMCAQYwEgYDVR0TAQH/BAgwBgEB
|
|
/wIBATAdBgNVHQ4EFgQU5YtjVVPfd7I7NLHsn2C26EByGV0wKQYDVR0RBCIwIIIe
|
|
aWRlbnRpdHkubGlua2VyZC5jbHVzdGVyLmxvY2FsMAoGCCqGSM49BAMCA0kAMEYC
|
|
IQCN7lBFLDDvjx6V0+XkjpKERRsJYf5adMvnloFl48ilJgIhANtxhndcr+QJPuC8
|
|
vgUC0d2/9FMueIVMb+46WTCOjsqr
|
|
-----END CERTIFICATE-----
|
|
- name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE
|
|
value: /var/run/secrets/kubernetes.io/serviceaccount/token
|
|
- name: LINKERD2_PROXY_IDENTITY_SVC_ADDR
|
|
value: linkerd-identity-headless.linkerd.svc.cluster.local:8080
|
|
- name: _pod_sa
|
|
valueFrom:
|
|
fieldRef:
|
|
fieldPath: spec.serviceAccountName
|
|
- name: _l5d_ns
|
|
value: linkerd
|
|
- name: _l5d_trustdomain
|
|
value: cluster.local
|
|
- name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME
|
|
value: $(_pod_sa).$(_pod_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain)
|
|
- name: LINKERD2_PROXY_IDENTITY_SVC_NAME
|
|
value: linkerd-identity.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain)
|
|
- name: LINKERD2_PROXY_DESTINATION_SVC_NAME
|
|
value: linkerd-destination.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain)
|
|
- name: LINKERD2_PROXY_TAP_SVC_NAME
|
|
value: linkerd-tap.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain)
|
|
image: ghcr.io/linkerd/proxy:test-inject-proxy-version
|
|
imagePullPolicy: IfNotPresent
|
|
livenessProbe:
|
|
httpGet:
|
|
path: /live
|
|
port: 4191
|
|
initialDelaySeconds: 10
|
|
name: linkerd-proxy
|
|
ports:
|
|
- containerPort: 4143
|
|
name: linkerd-proxy
|
|
- containerPort: 4191
|
|
name: linkerd-admin
|
|
readinessProbe:
|
|
httpGet:
|
|
path: /ready
|
|
port: 4191
|
|
initialDelaySeconds: 2
|
|
securityContext:
|
|
allowPrivilegeEscalation: false
|
|
readOnlyRootFilesystem: true
|
|
runAsUser: 2102
|
|
terminationMessagePolicy: FallbackToLogsOnError
|
|
volumeMounts:
|
|
- mountPath: /var/run/linkerd/identity/end-entity
|
|
name: linkerd-identity-end-entity
|
|
initContainers:
|
|
- args:
|
|
- --incoming-proxy-port
|
|
- "4143"
|
|
- --outgoing-proxy-port
|
|
- "4140"
|
|
- --proxy-uid
|
|
- "2102"
|
|
- --inbound-ports-to-ignore
|
|
- 4190,4191,22,8100-8102
|
|
- --outbound-ports-to-ignore
|
|
- "5432"
|
|
image: ghcr.io/linkerd/proxy-init:v1.3.6
|
|
imagePullPolicy: IfNotPresent
|
|
name: linkerd-init
|
|
resources:
|
|
limits:
|
|
cpu: 100m
|
|
memory: 50Mi
|
|
requests:
|
|
cpu: 10m
|
|
memory: 10Mi
|
|
securityContext:
|
|
allowPrivilegeEscalation: false
|
|
capabilities:
|
|
add:
|
|
- NET_ADMIN
|
|
- NET_RAW
|
|
privileged: false
|
|
readOnlyRootFilesystem: true
|
|
runAsNonRoot: false
|
|
runAsUser: 0
|
|
terminationMessagePolicy: FallbackToLogsOnError
|
|
volumeMounts:
|
|
- mountPath: /run
|
|
name: linkerd-proxy-init-xtables-lock
|
|
volumes:
|
|
- emptyDir: {}
|
|
name: linkerd-proxy-init-xtables-lock
|
|
- emptyDir:
|
|
medium: Memory
|
|
name: linkerd-identity-end-entity
|
|
---
|