linkerd2/cli/cmd/testdata/install_output.golden


---
###
### Linkerd Namespace
###
# Namespace that hosts the control plane.
# The label config.linkerd.io/admission-webhooks=disabled matches the NotIn
# selector used by both webhook configurations in this manifest, so objects in
# this namespace are not sent to the proxy-injector or sp-validator webhooks.
# NOTE(review): ProxyInjectAnnotation, ProxyInjectDisabled, LinkerdNamespaceLabel
# and ControllerNamespaceLabel look like test-fixture placeholders standing in
# for the real annotation/label keys - confirm against the install template.
kind: Namespace
apiVersion: v1
metadata:
  name: linkerd
  annotations:
    ProxyInjectAnnotation: ProxyInjectDisabled
  labels:
    LinkerdNamespaceLabel: "true"
    config.linkerd.io/admission-webhooks: disabled
    ControllerNamespaceLabel: linkerd
---
###
### Identity Controller Service RBAC
###
# Cluster-wide permissions for the identity controller.
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: linkerd-linkerd-identity
  labels:
    ControllerComponentLabel: identity
    ControllerNamespaceLabel: linkerd
rules:
# "create" on tokenreviews lets the holder ask the API server to validate a
# bearer token. Presumably used to check the service-account token a proxy
# presents when it requests a certificate - confirm against the identity code.
- apiGroups: ["authentication.k8s.io"]
  resources: ["tokenreviews"]
  verbs: ["create"]
# Read access to deployments is limited to "get" (no list/watch).
- apiGroups: ["apps"]
  resources: ["deployments"]
  verbs: ["get"]
# The only write access granted is emitting events.
- apiGroups: [""]
  resources: ["events"]
  verbs: ["create", "patch"]
---
# Binds ClusterRole linkerd-linkerd-identity to the linkerd-identity
# ServiceAccount. Being a ClusterRoleBinding, the grant applies in every
# namespace, not only in linkerd.
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: linkerd-linkerd-identity
  labels:
    ControllerComponentLabel: identity
    ControllerNamespaceLabel: linkerd
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: linkerd-linkerd-identity
subjects:
- kind: ServiceAccount
  name: linkerd-identity
  namespace: linkerd
---
# ServiceAccount the linkerd-identity Deployment runs as (its pod spec sets
# serviceAccountName: linkerd-identity).
kind: ServiceAccount
apiVersion: v1
metadata:
  name: linkerd-identity
  namespace: linkerd
  labels:
    ControllerComponentLabel: identity
    ControllerNamespaceLabel: linkerd
---
###
### Controller RBAC
###
# Cluster-wide permissions for the controller (public-api).
# Every rule is read-only (list/get/watch) and none of them covers secrets.
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: linkerd-linkerd-controller
  labels:
    ControllerComponentLabel: controller
    ControllerNamespaceLabel: linkerd
rules:
# Workload controllers, in both the legacy "extensions" group and "apps".
- apiGroups: ["extensions", "apps"]
  resources: ["daemonsets", "deployments", "replicasets", "statefulsets"]
  verbs: ["list", "get", "watch"]
- apiGroups: ["extensions", "batch"]
  resources: ["cronjobs", "jobs"]
  verbs: ["list" , "get", "watch"]
# Core-group objects.
- apiGroups: [""]
  resources: ["pods", "endpoints", "services", "replicationcontrollers", "namespaces"]
  verbs: ["list", "get", "watch"]
# The two custom resources whose CRDs are defined later in this manifest.
- apiGroups: ["linkerd.io"]
  resources: ["serviceprofiles"]
  verbs: ["list", "get", "watch"]
- apiGroups: ["split.smi-spec.io"]
  resources: ["trafficsplits"]
  verbs: ["list", "get", "watch"]
---
# Binds ClusterRole linkerd-linkerd-controller to the linkerd-controller
# ServiceAccount; the read access applies across all namespaces.
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: linkerd-linkerd-controller
  labels:
    ControllerComponentLabel: controller
    ControllerNamespaceLabel: linkerd
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: linkerd-linkerd-controller
subjects:
- kind: ServiceAccount
  name: linkerd-controller
  namespace: linkerd
---
# ServiceAccount the linkerd-controller Deployment runs as (its pod spec sets
# serviceAccountName: linkerd-controller).
kind: ServiceAccount
apiVersion: v1
metadata:
  name: linkerd-controller
  namespace: linkerd
  labels:
    ControllerComponentLabel: controller
    ControllerNamespaceLabel: linkerd
---
###
### Destination Controller Service
###
# Cluster-wide permissions for the destination controller.
# Every rule is read-only (list/get/watch) and none of them covers secrets.
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: linkerd-linkerd-destination
  labels:
    ControllerComponentLabel: destination
    ControllerNamespaceLabel: linkerd
rules:
- apiGroups: ["apps"]
  resources: ["replicasets"]
  verbs: ["list", "get", "watch"]
- apiGroups: ["batch"]
  resources: ["jobs"]
  verbs: ["list", "get", "watch"]
# Unlike the controller role, this one also reads nodes.
- apiGroups: [""]
  resources: ["pods", "endpoints", "services", "nodes", "namespaces"]
  verbs: ["list", "get", "watch"]
- apiGroups: ["linkerd.io"]
  resources: ["serviceprofiles"]
  verbs: ["list", "get", "watch"]
- apiGroups: ["split.smi-spec.io"]
  resources: ["trafficsplits"]
  verbs: ["list", "get", "watch"]
---
# Binds ClusterRole linkerd-linkerd-destination to the linkerd-destination
# ServiceAccount; the read access applies across all namespaces.
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: linkerd-linkerd-destination
  labels:
    ControllerComponentLabel: destination
    ControllerNamespaceLabel: linkerd
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: linkerd-linkerd-destination
subjects:
- kind: ServiceAccount
  name: linkerd-destination
  namespace: linkerd
---
# ServiceAccount named as the subject of the linkerd-linkerd-destination
# ClusterRoleBinding and of the linkerd-psp RoleBinding.
kind: ServiceAccount
apiVersion: v1
metadata:
  name: linkerd-destination
  namespace: linkerd
  labels:
    ControllerComponentLabel: destination
    ControllerNamespaceLabel: linkerd
---
###
### Heartbeat RBAC
###
# Namespaced Role for the heartbeat job: a single verb on a single named object.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: linkerd-heartbeat
  namespace: linkerd
  labels:
    ControllerNamespaceLabel: linkerd
rules:
# resourceNames narrows "get" to the linkerd-config ConfigMap only; other
# ConfigMaps in the namespace stay unreadable through this Role.
- apiGroups: [""]
  resources: ["configmaps"]
  verbs: ["get"]
  resourceNames: ["linkerd-config"]
---
# Binds Role linkerd-heartbeat to the linkerd-heartbeat ServiceAccount, scoped
# to the linkerd namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: linkerd-heartbeat
  namespace: linkerd
  labels:
    ControllerNamespaceLabel: linkerd
roleRef:
  kind: Role
  name: linkerd-heartbeat
  apiGroup: rbac.authorization.k8s.io
subjects:
- kind: ServiceAccount
  name: linkerd-heartbeat
  namespace: linkerd
---
# ServiceAccount named as the subject of the linkerd-heartbeat RoleBinding and
# of the linkerd-psp RoleBinding.
kind: ServiceAccount
apiVersion: v1
metadata:
  name: linkerd-heartbeat
  namespace: linkerd
  labels:
    ControllerComponentLabel: heartbeat
    ControllerNamespaceLabel: linkerd
---
###
### Service Profile CRD
###
# CRD for ServiceProfile (group linkerd.io). Two versions are served with the
# same schema; v1alpha2 is the storage version.
# NOTE(review): the nesting of the openAPIV3Schema below was restored from the
# key order and the descriptions - confirm against the upstream template.
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  name: serviceprofiles.linkerd.io
  annotations:
    CreatedByAnnotation: CliVersion
  labels:
    ControllerNamespaceLabel: linkerd
spec:
  group: linkerd.io
  versions:
  - name: v1alpha1
    served: true
    storage: false
    schema:
      openAPIV3Schema:
        type: object
        properties:
          spec:
            type: object
            description: Spec is the custom resource spec
            required:
            - routes
            properties:
              dstOverrides:
                type: array
                # NOTE(review): this "required" list sits beside "type: array"
                # and before "items"; "required" only constrains objects, so
                # as written it likely does not force authority/weight on
                # each entry - confirm whether it belongs under items.
                required:
                - authority
                - weight
                items:
                  type: object
                  description: WeightedDst is a weighted alternate destination.
                  properties:
                    authority:
                      type: string
                    weight:
                      x-kubernetes-int-or-string: true
                      anyOf:
                      - type: integer
                      - type: string
                      pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
              opaquePorts:
                type: array
                items:
                  type: string
              retryBudget:
                type: object
                required:
                - minRetriesPerSecond
                - retryRatio
                - ttl
                description: RetryBudget describes the maximum number of retries that should be issued to this service.
                properties:
                  minRetriesPerSecond:
                    format: int32
                    type: integer
                  retryRatio:
                    type: number
                    format: float
                  ttl:
                    type: string
              routes:
                type: array
                items:
                  type: object
                  description: RouteSpec specifies a Route resource.
                  required:
                  - condition
                  - name
                  properties:
                    condition:
                      type: object
                      description: RequestMatch describes the conditions under which to match a Route.
                      properties:
                        # The schema only checks that pathRegex is a string;
                        # whether it is a valid expression is not checked here.
                        pathRegex:
                          type: string
                        method:
                          type: string
                        # all/any/not entries keep unknown fields, so the API
                        # server accepts arbitrary content inside them; deeper
                        # checks, if any, must come from the sp-validator
                        # webhook - confirm.
                        all:
                          type: array
                          items:
                            type: object
                            x-kubernetes-preserve-unknown-fields: true
                        any:
                          type: array
                          items:
                            type: object
                            x-kubernetes-preserve-unknown-fields: true
                        not:
                          type: array
                          items:
                            type: object
                            x-kubernetes-preserve-unknown-fields: true
                    isRetryable:
                      type: boolean
                    name:
                      type: string
                    timeout:
                      type: string
                    responseClasses:
                      type: array
                      items:
                        type: object
                        required:
                        - condition
                        description: ResponseClass describes how to classify a response (e.g. success or failures).
                        properties:
                          condition:
                            type: object
                            description: ResponseMatch describes the conditions under
                              which to classify a response.
                            properties:
                              all:
                                type: array
                                items:
                                  type: object
                                  x-kubernetes-preserve-unknown-fields: true
                              any:
                                type: array
                                items:
                                  type: object
                                  x-kubernetes-preserve-unknown-fields: true
                              not:
                                type: array
                                items:
                                  type: object
                                  x-kubernetes-preserve-unknown-fields: true
                              status:
                                type: object
                                description: Range describes a range of integers (e.g. status codes).
                                properties:
                                  max:
                                    format: int32
                                    type: integer
                                  min:
                                    format: int32
                                    type: integer
                          isFailure:
                            type: boolean
  # Same schema as v1alpha1; the review notes on dstOverrides.required and on
  # the preserve-unknown-fields matchers apply here as well.
  - name: v1alpha2
    served: true
    storage: true
    schema:
      openAPIV3Schema:
        type: object
        properties:
          spec:
            type: object
            description: Spec is the custom resource spec
            required:
            - routes
            properties:
              dstOverrides:
                type: array
                required:
                - authority
                - weight
                items:
                  type: object
                  description: WeightedDst is a weighted alternate destination.
                  properties:
                    authority:
                      type: string
                    weight:
                      x-kubernetes-int-or-string: true
                      anyOf:
                      - type: integer
                      - type: string
                      pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
              opaquePorts:
                type: array
                items:
                  type: string
              retryBudget:
                type: object
                required:
                - minRetriesPerSecond
                - retryRatio
                - ttl
                description: RetryBudget describes the maximum number of retries that should be issued to this service.
                properties:
                  minRetriesPerSecond:
                    format: int32
                    type: integer
                  retryRatio:
                    type: number
                    format: float
                  ttl:
                    type: string
              routes:
                type: array
                items:
                  type: object
                  description: RouteSpec specifies a Route resource.
                  required:
                  - condition
                  - name
                  properties:
                    condition:
                      type: object
                      description: RequestMatch describes the conditions under which to match a Route.
                      properties:
                        pathRegex:
                          type: string
                        method:
                          type: string
                        all:
                          type: array
                          items:
                            type: object
                            x-kubernetes-preserve-unknown-fields: true
                        any:
                          type: array
                          items:
                            type: object
                            x-kubernetes-preserve-unknown-fields: true
                        not:
                          type: array
                          items:
                            type: object
                            x-kubernetes-preserve-unknown-fields: true
                    isRetryable:
                      type: boolean
                    name:
                      type: string
                    timeout:
                      type: string
                    responseClasses:
                      type: array
                      items:
                        type: object
                        required:
                        - condition
                        description: ResponseClass describes how to classify a response (e.g. success or failures).
                        properties:
                          condition:
                            type: object
                            description: ResponseMatch describes the conditions under
                              which to classify a response.
                            properties:
                              all:
                                type: array
                                items:
                                  type: object
                                  x-kubernetes-preserve-unknown-fields: true
                              any:
                                type: array
                                items:
                                  type: object
                                  x-kubernetes-preserve-unknown-fields: true
                              not:
                                type: array
                                items:
                                  type: object
                                  x-kubernetes-preserve-unknown-fields: true
                              status:
                                type: object
                                description: Range describes a range of integers (e.g. status codes).
                                properties:
                                  max:
                                    format: int32
                                    type: integer
                                  min:
                                    format: int32
                                    type: integer
                          isFailure:
                            type: boolean
  scope: Namespaced
  # Unknown fields are pruned except where a sub-schema opts back in with
  # x-kubernetes-preserve-unknown-fields.
  preserveUnknownFields: false
  names:
    plural: serviceprofiles
    singular: serviceprofile
    kind: ServiceProfile
    shortNames:
    - sp
---
###
### TrafficSplit CRD
### Copied from github.com/servicemeshinterface/smi-sdk-go/blob/d4e76b1cd7a33ead5f38d1262dd838a31c80f4e5/crds/split.yaml
###
# CRD for the SMI TrafficSplit resource (group split.smi-spec.io), a single
# served and stored version v1alpha1. The header above pins the upstream copy
# to a specific commit of smi-sdk-go.
# NOTE(review): nesting restored from the CRD API layout - confirm against the
# upstream file.
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  name: trafficsplits.split.smi-spec.io
  annotations:
    CreatedByAnnotation: CliVersion
  labels:
    ControllerNamespaceLabel: linkerd
spec:
  group: split.smi-spec.io
  scope: Namespaced
  names:
    kind: TrafficSplit
    listKind: TrafficSplitList
    shortNames:
    - ts
    plural: trafficsplits
    singular: trafficsplit
  versions:
  - name: v1alpha1
    served: true
    storage: true
    schema:
      openAPIV3Schema:
        type: object
        properties:
          spec:
            type: object
            required:
            - service
            - backends
            properties:
              service:
                description: The apex service of this split.
                type: string
              matches:
                description: The HTTP route groups that this traffic split should match.
                type: array
                items:
                  type: object
                  required: ['kind', 'name']
                  properties:
                    kind:
                      description: Kind of the matching group.
                      type: string
                      enum:
                      - HTTPRouteGroup
                    name:
                      description: Name of the matching group.
                      type: string
              backends:
                description: The backend services of this split.
                type: array
                items:
                  type: object
                  required: ['service', 'weight']
                  properties:
                    service:
                      description: Name of the Kubernetes service.
                      type: string
                    # No pattern or range is declared for weight, so the schema
                    # accepts any integer or string here.
                    weight:
                      description: Traffic weight value of this backend.
                      x-kubernetes-int-or-string: true
    additionalPrinterColumns:
    - name: Service
      type: string
      description: The apex service of this split.
      jsonPath: .spec.service
  preserveUnknownFields: false
---
###
### Proxy Injector RBAC
###
# Cluster-wide permissions for the proxy-injector webhook server.
# Apart from emitting events, every rule is read-only and none covers secrets.
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: linkerd-linkerd-proxy-injector
  labels:
    ControllerComponentLabel: proxy-injector
    ControllerNamespaceLabel: linkerd
rules:
# The only write access granted is emitting events.
- apiGroups: [""]
  resources: ["events"]
  verbs: ["create", "patch"]
- apiGroups: [""]
  resources: ["namespaces", "replicationcontrollers"]
  verbs: ["list", "get", "watch"]
# Pods: list/watch only, no "get".
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["list", "watch"]
- apiGroups: ["extensions", "apps"]
  resources: ["deployments", "replicasets", "daemonsets", "statefulsets"]
  verbs: ["list", "get", "watch"]
- apiGroups: ["extensions", "batch"]
  resources: ["cronjobs", "jobs"]
  verbs: ["list", "get", "watch"]
---
# Binds ClusterRole linkerd-linkerd-proxy-injector to the linkerd-proxy-injector
# ServiceAccount; the grant applies across all namespaces.
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: linkerd-linkerd-proxy-injector
  labels:
    ControllerComponentLabel: proxy-injector
    ControllerNamespaceLabel: linkerd
subjects:
- kind: ServiceAccount
  name: linkerd-proxy-injector
  namespace: linkerd
  # ServiceAccount subjects live in the core API group, hence the empty string.
  apiGroup: ""
roleRef:
  kind: ClusterRole
  name: linkerd-linkerd-proxy-injector
  apiGroup: rbac.authorization.k8s.io
---
# ServiceAccount named as the subject of the linkerd-linkerd-proxy-injector
# ClusterRoleBinding and of the linkerd-psp RoleBinding.
kind: ServiceAccount
apiVersion: v1
metadata:
  name: linkerd-proxy-injector
  namespace: linkerd
  labels:
    ControllerComponentLabel: proxy-injector
    ControllerNamespaceLabel: linkerd
---
# TLS serving certificate and key for the proxy-injector webhook.
# The data values are base64, which is an encoding and not encryption. In this
# fixture they decode to the placeholder strings "proxy injector crt" and
# "proxy injector key"; a real render would carry the webhook's private key
# here, so the rendered manifest itself has to be handled as a secret.
kind: Secret
apiVersion: v1
metadata:
  name: linkerd-proxy-injector-k8s-tls
  namespace: linkerd
  labels:
    ControllerComponentLabel: proxy-injector
    ControllerNamespaceLabel: linkerd
  annotations:
    CreatedByAnnotation: CliVersion
type: kubernetes.io/tls
data:
  tls.crt: cHJveHkgaW5qZWN0b3IgY3J0
  tls.key: cHJveHkgaW5qZWN0b3Iga2V5
---
# Registers the proxy-injector as a mutating admission webhook for pod creation.
apiVersion: admissionregistration.k8s.io/v1
kind: MutatingWebhookConfiguration
metadata:
  name: linkerd-proxy-injector-webhook-config
  labels:
    ControllerComponentLabel: proxy-injector
    ControllerNamespaceLabel: linkerd
webhooks:
- name: linkerd-proxy-injector.linkerd.io
  # Namespaces labelled config.linkerd.io/admission-webhooks=disabled are
  # skipped, so permission to label a namespace also decides whether its pods
  # go through injection.
  namespaceSelector:
    matchExpressions:
    - key: config.linkerd.io/admission-webhooks
      operator: NotIn
      values:
      - disabled
  clientConfig:
    service:
      name: linkerd-proxy-injector
      namespace: linkerd
      path: "/"
    # CA the API server uses to verify the webhook's serving certificate; in
    # this fixture it decodes to the placeholder "proxy injector CA bundle".
    caBundle: cHJveHkgaW5qZWN0b3IgQ0EgYnVuZGxl
  # WebhookFailurePolicy is a fixture placeholder; the API accepts Ignore or
  # Fail. Ignore admits pods without the proxy when the webhook cannot be
  # reached (fail-open); Fail rejects pod creation instead (fail-closed).
  failurePolicy: WebhookFailurePolicy
  admissionReviewVersions: ["v1", "v1beta1"]
  # Only pod CREATE requests are sent to the webhook.
  rules:
  - operations: [ "CREATE" ]
    apiGroups: [""]
    apiVersions: ["v1"]
    resources: ["pods"]
  sideEffects: None
---
###
### Service Profile Validator RBAC
###
# Cluster-wide permissions for the ServiceProfile validator: a single read-only
# rule, "list" on pods.
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: linkerd-linkerd-sp-validator
  labels:
    ControllerComponentLabel: sp-validator
    ControllerNamespaceLabel: linkerd
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["list"]
---
# Binds ClusterRole linkerd-linkerd-sp-validator to the linkerd-sp-validator
# ServiceAccount; the grant applies across all namespaces.
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: linkerd-linkerd-sp-validator
  labels:
    ControllerComponentLabel: sp-validator
    ControllerNamespaceLabel: linkerd
subjects:
- kind: ServiceAccount
  name: linkerd-sp-validator
  namespace: linkerd
  # ServiceAccount subjects live in the core API group, hence the empty string.
  apiGroup: ""
roleRef:
  kind: ClusterRole
  name: linkerd-linkerd-sp-validator
  apiGroup: rbac.authorization.k8s.io
---
# ServiceAccount named as the subject of the linkerd-linkerd-sp-validator
# ClusterRoleBinding and of the linkerd-psp RoleBinding.
kind: ServiceAccount
apiVersion: v1
metadata:
  name: linkerd-sp-validator
  namespace: linkerd
  labels:
    ControllerComponentLabel: sp-validator
    ControllerNamespaceLabel: linkerd
---
# TLS serving certificate and key for the ServiceProfile validator webhook.
# The data values are base64, which is an encoding and not encryption. In this
# fixture they decode to the placeholder strings "profile validator crt" and
# "profile validator key"; a real render would carry the webhook's private key
# here, so the rendered manifest itself has to be handled as a secret.
kind: Secret
apiVersion: v1
metadata:
  name: linkerd-sp-validator-k8s-tls
  namespace: linkerd
  labels:
    ControllerComponentLabel: sp-validator
    ControllerNamespaceLabel: linkerd
  annotations:
    CreatedByAnnotation: CliVersion
type: kubernetes.io/tls
data:
  tls.crt: cHJvZmlsZSB2YWxpZGF0b3IgY3J0
  tls.key: cHJvZmlsZSB2YWxpZGF0b3Iga2V5
---
# Registers the sp-validator as a validating admission webhook for
# ServiceProfile create and update requests.
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
  name: linkerd-sp-validator-webhook-config
  labels:
    ControllerComponentLabel: sp-validator
    ControllerNamespaceLabel: linkerd
webhooks:
- name: linkerd-sp-validator.linkerd.io
  # Namespaces labelled config.linkerd.io/admission-webhooks=disabled are
  # skipped; ServiceProfiles created there are not validated by this webhook.
  namespaceSelector:
    matchExpressions:
    - key: config.linkerd.io/admission-webhooks
      operator: NotIn
      values:
      - disabled
  clientConfig:
    service:
      name: linkerd-sp-validator
      namespace: linkerd
      path: "/"
    # CA the API server uses to verify the webhook's serving certificate; in
    # this fixture it decodes to the placeholder "profile validator CA bundle".
    caBundle: cHJvZmlsZSB2YWxpZGF0b3IgQ0EgYnVuZGxl
  # WebhookFailurePolicy is a fixture placeholder; the API accepts Ignore or
  # Fail. With Ignore, ServiceProfiles are stored unvalidated whenever the
  # webhook cannot be reached.
  failurePolicy: WebhookFailurePolicy
  admissionReviewVersions: ["v1", "v1beta1"]
  # Covers both CRD versions served by serviceprofiles.linkerd.io.
  rules:
  - operations: [ "CREATE" , "UPDATE" ]
    apiGroups: ["linkerd.io"]
    apiVersions: ["v1alpha1", "v1alpha2"]
    resources: ["serviceprofiles"]
  sideEffects: None
---
###
### Control Plane PSP
###
# Pod security baseline for control-plane pods.
# policy/v1beta1 PodSecurityPolicy was removed in Kubernetes 1.25, so this
# object only takes effect on older clusters with the PSP admission plugin on.
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: linkerd-linkerd-control-plane
  labels:
    ControllerNamespaceLabel: linkerd
spec:
  allowPrivilegeEscalation: false
  readOnlyRootFilesystem: true
  # NET_ADMIN and NET_RAW may be requested; in the Deployments of this manifest
  # only the linkerd-init init container adds them.
  allowedCapabilities:
  - NET_ADMIN
  - NET_RAW
  requiredDropCapabilities:
  - ALL
  # No sharing of host network, IPC or PID namespaces.
  hostNetwork: false
  hostIPC: false
  hostPID: false
  seLinux:
    rule: RunAsAny
  # RunAsAny permits UID 0; the linkerd-init container in this manifest runs
  # with runAsUser: 0.
  runAsUser:
    rule: RunAsAny
  # Both group ranges start at 1, which excludes GID 0.
  supplementalGroups:
    rule: MustRunAs
    ranges:
    - min: 1
      max: 65535
  fsGroup:
    rule: MustRunAs
    ranges:
    - min: 1
      max: 65535
  # hostPath is not in the allowed volume types.
  volumes:
  - configMap
  - emptyDir
  - secret
  - projected
  - downwardAPI
  - persistentVolumeClaim
---
# Grants the "use" verb on exactly one PodSecurityPolicy, named through
# resourceNames; no other policy can be used via this Role.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: linkerd-psp
  namespace: linkerd
  labels:
    ControllerNamespaceLabel: linkerd
rules:
- apiGroups: ['policy', 'extensions']
  resources: ['podsecuritypolicies']
  verbs: ['use']
  resourceNames:
  - linkerd-linkerd-control-plane
---
# Lets the six control-plane ServiceAccounts use the linkerd-psp Role, and with
# it the linkerd-linkerd-control-plane PodSecurityPolicy, inside the linkerd
# namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: linkerd-psp
  namespace: linkerd
  labels:
    ControllerNamespaceLabel: linkerd
roleRef:
  kind: Role
  name: linkerd-psp
  apiGroup: rbac.authorization.k8s.io
subjects:
- kind: ServiceAccount
  name: linkerd-controller
  namespace: linkerd
- kind: ServiceAccount
  name: linkerd-destination
  namespace: linkerd
- kind: ServiceAccount
  name: linkerd-heartbeat
  namespace: linkerd
- kind: ServiceAccount
  name: linkerd-identity
  namespace: linkerd
- kind: ServiceAccount
  name: linkerd-proxy-injector
  namespace: linkerd
- kind: ServiceAccount
  name: linkerd-sp-validator
  namespace: linkerd
---
# Stores the rendered install values as one string under data.values. This is
# the ConfigMap the linkerd-heartbeat Role is allowed to "get".
# Everything below "values: |" is a literal block scalar: each line is data, so
# no comments can be placed inside it.
# Security-relevant content of the blob:
#  - Only certificates are present (identityTrustAnchorsPEM, identity issuer
#    crtPEM, webhook caBundle/crtPEM); no private-key field appears. ConfigMaps
#    are not treated as secret material, so it should stay that way.
#  - global.proxyInit.ignoreOutboundPorts is "443", matching the
#    --outbound-ports-to-ignore argument of the linkerd-init containers.
#  - webhookFailurePolicy and most image/label values are fixture placeholders.
# NOTE(review): nesting inside the blob was restored from the alphabetical key
# order - confirm against the values schema.
kind: ConfigMap
apiVersion: v1
metadata:
  name: linkerd-config
  namespace: linkerd
  labels:
    ControllerComponentLabel: controller
    ControllerNamespaceLabel: linkerd
  annotations:
    CreatedByAnnotation: CliVersion
data:
  values: |
    controllerImage: ControllerImage
    controllerReplicas: 1
    controllerUID: 2103
    debugContainer:
      image:
        name: DebugImageName
        pullPolicy: DebugImagePullPolicy
        version: DebugVersion
    destinationProxyResources: null
    destinationResources: null
    disableHeartBeat: false
    enableH2Upgrade: true
    enablePodAntiAffinity: false
    global:
      cliVersion: CliVersion
      clusterDomain: cluster.local
      clusterNetworks: ClusterNetworks
      cniEnabled: false
      controlPlaneTracing: false
      controlPlaneTracingNamespace: ""
      controllerComponentLabel: ControllerComponentLabel
      controllerImageVersion: ControllerImageVersion
      controllerLogFormat: ControllerLogFormat
      controllerLogLevel: ControllerLogLevel
      controllerNamespaceLabel: ControllerNamespaceLabel
      createdByAnnotation: CreatedByAnnotation
      enableEndpointSlices: false
      grafanaUrl: ""
      highAvailability: false
      identityTrustAnchorsPEM: |
        -----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
      identityTrustDomain: cluster.local
      imagePullPolicy: ImagePullPolicy
      imagePullSecrets: null
      linkerdNamespaceLabel: LinkerdNamespaceLabel
      linkerdVersion: ""
      namespace: linkerd
      podAnnotations: {}
      podLabels: {}
      prometheusUrl: ""
      proxy:
        capabilities: null
        disableIdentity: false
        disableTap: false
        enableExternalProfiles: false
        image:
          name: ProxyImageName
          pullPolicy: ImagePullPolicy
          version: ProxyVersion
        inboundConnectTimeout: ""
        isGateway: false
        isIngress: false
        logFormat: plain
        logLevel: warn,linkerd=info
        opaquePorts: ""
        outboundConnectTimeout: ""
        ports:
          admin: 4191
          control: 4190
          inbound: 4143
          outbound: 4140
        requireIdentityOnInboundPorts: ""
        resources:
          cpu:
            limit: cpu-limit
            request: cpu-request
          memory:
            limit: memory-limit
            request: memory-request
        saMountPath: null
        uid: 2102
        waitBeforeExitSeconds: 0
      proxyContainerName: ProxyContainerName
      proxyInit:
        capabilities: null
        closeWaitTimeoutSecs: 0
        ignoreInboundPorts: ""
        ignoreOutboundPorts: "443"
        image:
          name: ProxyInitImageName
          pullPolicy: ImagePullPolicy
          version: ProxyInitVersion
        resources:
          cpu:
            limit: 100m
            request: 10m
          memory:
            limit: 50Mi
            request: 10Mi
        saMountPath: null
        xtMountPath:
          mountPath: /run
          name: linkerd-proxy-init-xtables-lock
          readOnly: false
      proxyInjectAnnotation: ProxyInjectAnnotation
      proxyInjectDisabled: ProxyInjectDisabled
      workloadNamespaceLabel: WorkloadNamespaceLabel
    heartbeatResources: null
    heartbeatSchedule: ""
    identity:
      issuer:
        clockSkewAllowance: 20s
        crtExpiry: "2030-08-26T07:13:47Z"
        crtExpiryAnnotation: linkerd.io/identity-issuer-expiry
        issuanceLifetime: 24h0m0s
        scheme: linkerd.io/tls
        tls:
          crtPEM: |
            -----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
    identityProxyResources: null
    identityResources: null
    installNamespace: true
    nodeSelector:
      beta.kubernetes.io/os: linux
    omitWebhookSideEffects: false
    profileValidator:
      caBundle: profile validator CA bundle
      crtPEM: profile validator crt
      externalSecret: false
      namespaceSelector:
        matchExpressions:
        - key: config.linkerd.io/admission-webhooks
          operator: NotIn
          values:
          - disabled
    proxyInjector:
      caBundle: proxy injector CA bundle
      crtPEM: proxy injector crt
      externalSecret: false
      namespaceSelector:
        matchExpressions:
        - key: config.linkerd.io/admission-webhooks
          operator: NotIn
          values:
          - disabled
    proxyInjectorProxyResources: null
    proxyInjectorResources: null
    publicAPIProxyResources: null
    publicAPIResources: null
    spValidatorProxyResources: null
    spValidatorResources: null
    tolerations: null
    webhookFailurePolicy: WebhookFailurePolicy
---
###
### Identity Controller Service
###
---
# Issuer certificate and private key used by the identity controller; the
# linkerd-identity Deployment mounts this Secret at
# /var/run/linkerd/identity/issuer.
# key.pem is base64 (encoding, not encryption) of a PEM "EC PRIVATE KEY" block.
# Here it is a test-fixture key published with the test data, so it must never
# serve as a real issuer key; a real render carries the live issuer key in the
# same place and has to be handled as a secret.
kind: Secret
apiVersion: v1
metadata:
  name: linkerd-identity-issuer
  namespace: linkerd
  labels:
    ControllerComponentLabel: identity
    ControllerNamespaceLabel: linkerd
  annotations:
    CreatedByAnnotation: CliVersion
    # NOTE(review): unquoted timestamp; annotation values are strings, and some
    # YAML 1.1 loaders type a bare ISO timestamp as a date - confirm the
    # consumer reads it as a string.
    linkerd.io/identity-issuer-expiry: 2030-08-26T07:13:47Z
data:
  crt.pem: 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
  key.pem: LS0tLS1CRUdJTiBFQyBQUklWQVRFIEtFWS0tLS0tCk1IY0NBUUVFSUFBZThuZmJ6WnU5Yy9PQjIrOHhKTTBGejdOVXdUUWF6dWxrRk5zNFRJNStvQW9HQ0NxR1NNNDkKQXdFSG9VUURRZ0FFMS9GcGZjUm5EY2VkTDZBalVhWFlQdjRESU1CYUp1Zk9JNU5XdHkrWFNYN0pqWGdadE03MgpkUXZSYVlhbnV4RDM2RHQxMi9KeHlpU2d4S1dSZG9heStRPT0KLS0tLS1FTkQgRUMgUFJJVkFURSBLRVktLS0tLQ==
---
# ClusterIP Service for the identity controller's gRPC port 8080; it gets a
# cluster-internal virtual IP only (no NodePort or LoadBalancer).
kind: Service
apiVersion: v1
metadata:
  name: linkerd-identity
  namespace: linkerd
  labels:
    ControllerComponentLabel: identity
    ControllerNamespaceLabel: linkerd
  annotations:
    CreatedByAnnotation: CliVersion
spec:
  type: ClusterIP
  selector:
    ControllerComponentLabel: identity
  ports:
  - name: grpc
    port: 8080
    targetPort: 8080
---
# Headless variant (clusterIP: None) of the identity Service: DNS resolves to
# the pod addresses directly. The linkerd-controller proxy in this manifest
# points LINKERD2_PROXY_IDENTITY_SVC_ADDR at this name.
kind: Service
apiVersion: v1
metadata:
  name: linkerd-identity-headless
  namespace: linkerd
  labels:
    ControllerComponentLabel: identity
    ControllerNamespaceLabel: linkerd
  annotations:
    CreatedByAnnotation: CliVersion
spec:
  clusterIP: None
  selector:
    ControllerComponentLabel: identity
  ports:
  - name: grpc
    port: 8080
    targetPort: 8080
---
# Identity controller Deployment: the identity container, a linkerd-proxy
# sidecar, and the linkerd-init init container.
# Image names, versions and pull policy are fixture placeholders.
apiVersion: apps/v1
kind: Deployment
metadata:
  annotations:
    CreatedByAnnotation: CliVersion
  labels:
    app.kubernetes.io/name: identity
    app.kubernetes.io/part-of: Linkerd
    app.kubernetes.io/version: ControllerImageVersion
    ControllerComponentLabel: identity
    ControllerNamespaceLabel: linkerd
  name: linkerd-identity
  namespace: linkerd
spec:
  replicas: 1
  selector:
    matchLabels:
      ControllerComponentLabel: identity
      ControllerNamespaceLabel: linkerd
      linkerd.io/proxy-deployment: linkerd-identity
  template:
    metadata:
      annotations:
        CreatedByAnnotation: CliVersion
        linkerd.io/identity-mode: default
        linkerd.io/proxy-version: ProxyVersion
      labels:
        ControllerComponentLabel: identity
        ControllerNamespaceLabel: linkerd
        WorkloadNamespaceLabel: linkerd
        linkerd.io/proxy-deployment: linkerd-identity
    spec:
      nodeSelector:
        beta.kubernetes.io/os: linux
      containers:
      - args:
        - identity
        - -log-level=ControllerLogLevel
        - -log-format=ControllerLogFormat
        - -controller-namespace=linkerd
        - -identity-trust-domain=cluster.local
        # Issued certificates live 24h, with 20s of tolerated clock skew.
        - -identity-issuance-lifetime=24h0m0s
        - -identity-clock-skew-allowance=20s
        - -identity-trust-anchors-pem=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
        - -identity-scheme=linkerd.io/tls
        image: ControllerImage:ControllerImageVersion
        imagePullPolicy: ImagePullPolicy
        livenessProbe:
          httpGet:
            path: /ping
            port: 9990
          initialDelaySeconds: 10
        name: identity
        ports:
        - containerPort: 8080
          name: grpc
        - containerPort: 9990
          name: admin-http
        readinessProbe:
          failureThreshold: 7
          httpGet:
            path: /ready
            port: 9990
        # Only runAsUser is set here; unlike the linkerd-proxy container below,
        # this container does not itself set allowPrivilegeEscalation or
        # readOnlyRootFilesystem.
        securityContext:
          runAsUser: 2103
        # The issuer Secret (certificate and private key) is mounted into this
        # container only; the proxy sidecar does not mount it.
        volumeMounts:
        - mountPath: /var/run/linkerd/identity/issuer
          name: identity-issuer
      - env:
        - name: LINKERD2_PROXY_LOG
          value: "warn,linkerd=info"
        - name: LINKERD2_PROXY_LOG_FORMAT
          value: "plain"
        - name: LINKERD2_PROXY_DESTINATION_SVC_ADDR
          value: linkerd-dst-headless.linkerd.svc.cluster.local:8086
        - name: LINKERD2_PROXY_DESTINATION_PROFILE_NETWORKS
          value: "ClusterNetworks"
        # Control, admin and inbound listeners bind all interfaces; only the
        # outbound listener is bound to loopback.
        - name: LINKERD2_PROXY_CONTROL_LISTEN_ADDR
          value: 0.0.0.0:4190
        - name: LINKERD2_PROXY_ADMIN_LISTEN_ADDR
          value: 0.0.0.0:4191
        - name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDR
          value: 127.0.0.1:4140
        - name: LINKERD2_PROXY_INBOUND_LISTEN_ADDR
          value: 0.0.0.0:4143
        - name: LINKERD2_PROXY_DESTINATION_PROFILE_SUFFIXES
          value: svc.cluster.local.
        - name: LINKERD2_PROXY_INBOUND_ACCEPT_KEEPALIVE
          value: 10000ms
        - name: LINKERD2_PROXY_OUTBOUND_CONNECT_KEEPALIVE
          value: 10000ms
        - name: _pod_ns
          valueFrom:
            fieldRef:
              fieldPath: metadata.namespace
        - name: _pod_nodeName
          valueFrom:
            fieldRef:
              fieldPath: spec.nodeName
        - name: LINKERD2_PROXY_DESTINATION_CONTEXT
          value: |
            {"ns":"$(_pod_ns)", "nodeName":"$(_pod_nodeName)"}
        - name: LINKERD2_PROXY_IDENTITY_DIR
          value: /var/run/linkerd/identity/end-entity
        - name: LINKERD2_PROXY_IDENTITY_TRUST_ANCHORS
          value: |
            -----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
        # The proxy is pointed at the pod's service-account token file.
        - name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE
          value: /var/run/secrets/kubernetes.io/serviceaccount/token
        # In this pod the proxy reaches the identity service over localhost.
        - name: LINKERD2_PROXY_IDENTITY_SVC_ADDR
          value: localhost.:8080
        - name: _pod_sa
          valueFrom:
            fieldRef:
              fieldPath: spec.serviceAccountName
        - name: _l5d_ns
          value: linkerd
        - name: _l5d_trustdomain
          value: cluster.local
        # Identity names are built from service account, namespace and trust
        # domain.
        - name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME
          value: $(_pod_sa).$(_pod_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain)
        - name: LINKERD2_PROXY_IDENTITY_SVC_NAME
          value: linkerd-identity.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain)
        - name: LINKERD2_PROXY_DESTINATION_SVC_NAME
          value: linkerd-destination.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain)
        image: ProxyImageName:ProxyVersion
        imagePullPolicy: ImagePullPolicy
        livenessProbe:
          httpGet:
            path: /live
            port: 4191
          initialDelaySeconds: 10
        name: linkerd-proxy
        ports:
        - containerPort: 4143
          name: linkerd-proxy
        - containerPort: 4191
          name: linkerd-admin
        readinessProbe:
          httpGet:
            path: /ready
            port: 4191
          initialDelaySeconds: 2
        resources:
          limits:
            cpu: "cpu-limit"
            memory: "memory-limit"
          requests:
            cpu: "cpu-request"
            memory: "memory-request"
        # Proxy runs as non-root UID 2102, read-only root filesystem, no
        # privilege escalation.
        securityContext:
          allowPrivilegeEscalation: false
          readOnlyRootFilesystem: true
          runAsUser: 2102
        terminationMessagePolicy: FallbackToLogsOnError
        volumeMounts:
        - mountPath: /var/run/linkerd/identity/end-entity
          name: linkerd-identity-end-entity
      initContainers:
      - args:
        - --incoming-proxy-port
        - "4143"
        - --outgoing-proxy-port
        - "4140"
        - --proxy-uid
        - "2102"
        # The proxy's own control and admin ports are excluded from redirection.
        - --inbound-ports-to-ignore
        - "4190,4191"
        # Outbound traffic to port 443 is not redirected through the proxy.
        - --outbound-ports-to-ignore
        - "443"
        image: ProxyInitImageName:ProxyInitVersion
        imagePullPolicy: ImagePullPolicy
        name: linkerd-init
        resources:
          limits:
            cpu: "100m"
            memory: "50Mi"
          requests:
            cpu: "10m"
            memory: "10Mi"
        # The one elevated container in the pod: it runs as UID 0 and adds
        # NET_ADMIN and NET_RAW, but is not privileged, cannot escalate, and
        # has a read-only root filesystem.
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            add:
            - NET_ADMIN
            - NET_RAW
          privileged: false
          readOnlyRootFilesystem: true
          runAsNonRoot: false
          runAsUser: 0
        terminationMessagePolicy: FallbackToLogsOnError
        volumeMounts:
        - mountPath: /run
          name: linkerd-proxy-init-xtables-lock
      serviceAccountName: linkerd-identity
      volumes:
      - name: identity-issuer
        secret:
          secretName: linkerd-identity-issuer
      - emptyDir: {}
        name: linkerd-proxy-init-xtables-lock
      # Memory-backed emptyDir for the proxy's identity directory.
      - emptyDir:
          medium: Memory
        name: linkerd-identity-end-entity
---
###
### Controller
###
# ClusterIP Service for the controller's public-api HTTP port 8085; it gets a
# cluster-internal virtual IP only (no NodePort or LoadBalancer).
kind: Service
apiVersion: v1
metadata:
  name: linkerd-controller-api
  namespace: linkerd
  labels:
    ControllerComponentLabel: controller
    ControllerNamespaceLabel: linkerd
  annotations:
    CreatedByAnnotation: CliVersion
spec:
  type: ClusterIP
  selector:
    ControllerComponentLabel: controller
  ports:
  - name: http
    port: 8085
    targetPort: 8085
---
# Controller Deployment: the public-api container, a linkerd-proxy sidecar, and
# the linkerd-init init container.
# Image names, versions and pull policy are fixture placeholders.
apiVersion: apps/v1
kind: Deployment
metadata:
  annotations:
    CreatedByAnnotation: CliVersion
  labels:
    app.kubernetes.io/name: controller
    app.kubernetes.io/part-of: Linkerd
    app.kubernetes.io/version: ControllerImageVersion
    ControllerComponentLabel: controller
    ControllerNamespaceLabel: linkerd
  name: linkerd-controller
  namespace: linkerd
spec:
  replicas: 1
  selector:
    matchLabels:
      ControllerComponentLabel: controller
      ControllerNamespaceLabel: linkerd
      linkerd.io/proxy-deployment: linkerd-controller
  template:
    metadata:
      annotations:
        CreatedByAnnotation: CliVersion
        linkerd.io/identity-mode: default
        linkerd.io/proxy-version: ProxyVersion
      labels:
        ControllerComponentLabel: controller
        ControllerNamespaceLabel: linkerd
        WorkloadNamespaceLabel: linkerd
        linkerd.io/proxy-deployment: linkerd-controller
    spec:
      nodeSelector:
        beta.kubernetes.io/os: linux
      containers:
      - args:
        - public-api
        - -destination-addr=linkerd-dst.linkerd.svc.cluster.local:8086
        - -controller-namespace=linkerd
        - -log-level=ControllerLogLevel
        - -log-format=ControllerLogFormat
        - -cluster-domain=cluster.local
        image: ControllerImage:ControllerImageVersion
        imagePullPolicy: ImagePullPolicy
        livenessProbe:
          httpGet:
            path: /ping
            port: 9995
          initialDelaySeconds: 10
        name: public-api
        ports:
        - containerPort: 8085
          name: http
        - containerPort: 9995
          name: admin-http
        readinessProbe:
          failureThreshold: 7
          httpGet:
            path: /ready
            port: 9995
        # Only runAsUser is set here; unlike the linkerd-proxy container below,
        # this container does not itself set allowPrivilegeEscalation or
        # readOnlyRootFilesystem. It mounts no volumes.
        securityContext:
          runAsUser: 2103
      - env:
        - name: LINKERD2_PROXY_LOG
          value: "warn,linkerd=info"
        - name: LINKERD2_PROXY_LOG_FORMAT
          value: "plain"
        - name: LINKERD2_PROXY_DESTINATION_SVC_ADDR
          value: linkerd-dst-headless.linkerd.svc.cluster.local:8086
        - name: LINKERD2_PROXY_DESTINATION_PROFILE_NETWORKS
          value: "ClusterNetworks"
        # Control, admin and inbound listeners bind all interfaces; only the
        # outbound listener is bound to loopback.
        - name: LINKERD2_PROXY_CONTROL_LISTEN_ADDR
          value: 0.0.0.0:4190
        - name: LINKERD2_PROXY_ADMIN_LISTEN_ADDR
          value: 0.0.0.0:4191
        - name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDR
          value: 127.0.0.1:4140
        - name: LINKERD2_PROXY_INBOUND_LISTEN_ADDR
          value: 0.0.0.0:4143
        - name: LINKERD2_PROXY_DESTINATION_PROFILE_SUFFIXES
          value: svc.cluster.local.
        - name: LINKERD2_PROXY_INBOUND_ACCEPT_KEEPALIVE
          value: 10000ms
        - name: LINKERD2_PROXY_OUTBOUND_CONNECT_KEEPALIVE
          value: 10000ms
        - name: _pod_ns
          valueFrom:
            fieldRef:
              fieldPath: metadata.namespace
        - name: _pod_nodeName
          valueFrom:
            fieldRef:
              fieldPath: spec.nodeName
        - name: LINKERD2_PROXY_DESTINATION_CONTEXT
          value: |
            {"ns":"$(_pod_ns)", "nodeName":"$(_pod_nodeName)"}
        - name: LINKERD2_PROXY_IDENTITY_DIR
          value: /var/run/linkerd/identity/end-entity
        - name: LINKERD2_PROXY_IDENTITY_TRUST_ANCHORS
          value: |
            -----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
        # The proxy is pointed at the pod's service-account token file.
        - name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE
          value: /var/run/secrets/kubernetes.io/serviceaccount/token
        - name: LINKERD2_PROXY_IDENTITY_SVC_ADDR
          value: linkerd-identity-headless.linkerd.svc.cluster.local:8080
        - name: _pod_sa
          valueFrom:
            fieldRef:
              fieldPath: spec.serviceAccountName
        - name: _l5d_ns
          value: linkerd
        - name: _l5d_trustdomain
          value: cluster.local
        # Identity names are built from service account, namespace and trust
        # domain.
        - name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME
          value: $(_pod_sa).$(_pod_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain)
        - name: LINKERD2_PROXY_IDENTITY_SVC_NAME
          value: linkerd-identity.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain)
        - name: LINKERD2_PROXY_DESTINATION_SVC_NAME
          value: linkerd-destination.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain)
        image: ProxyImageName:ProxyVersion
        imagePullPolicy: ImagePullPolicy
        livenessProbe:
          httpGet:
            path: /live
            port: 4191
          initialDelaySeconds: 10
        name: linkerd-proxy
        ports:
        - containerPort: 4143
          name: linkerd-proxy
        - containerPort: 4191
          name: linkerd-admin
        readinessProbe:
          httpGet:
            path: /ready
            port: 4191
          initialDelaySeconds: 2
        resources:
          limits:
            cpu: "cpu-limit"
            memory: "memory-limit"
          requests:
            cpu: "cpu-request"
            memory: "memory-request"
        # Proxy runs as non-root UID 2102, read-only root filesystem, no
        # privilege escalation.
        securityContext:
          allowPrivilegeEscalation: false
          readOnlyRootFilesystem: true
          runAsUser: 2102
        terminationMessagePolicy: FallbackToLogsOnError
        volumeMounts:
        - mountPath: /var/run/linkerd/identity/end-entity
          name: linkerd-identity-end-entity
      initContainers:
      - args:
        - --incoming-proxy-port
        - "4143"
        - --outgoing-proxy-port
        - "4140"
        - --proxy-uid
        - "2102"
        # The proxy's own control and admin ports are excluded from redirection.
        - --inbound-ports-to-ignore
        - "4190,4191"
        # Outbound traffic to port 443 is not redirected through the proxy.
        - --outbound-ports-to-ignore
        - "443"
        image: ProxyInitImageName:ProxyInitVersion
        imagePullPolicy: ImagePullPolicy
        name: linkerd-init
        resources:
          limits:
            cpu: "100m"
            memory: "50Mi"
          requests:
            cpu: "10m"
            memory: "10Mi"
        # The one elevated container in the pod: it runs as UID 0 and adds
        # NET_ADMIN and NET_RAW, but is not privileged, cannot escalate, and
        # has a read-only root filesystem.
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            add:
            - NET_ADMIN
            - NET_RAW
          privileged: false
          readOnlyRootFilesystem: true
          runAsNonRoot: false
          runAsUser: 0
        terminationMessagePolicy: FallbackToLogsOnError
        volumeMounts:
        - mountPath: /run
          name: linkerd-proxy-init-xtables-lock
      serviceAccountName: linkerd-controller
      volumes:
      - emptyDir: {}
        name: linkerd-proxy-init-xtables-lock
      # Memory-backed emptyDir for the proxy's identity directory.
      - emptyDir:
          medium: Memory
        name: linkerd-identity-end-entity
---
###
### Destination Controller Service
###
# ClusterIP Service for the destination controller's gRPC port 8086; it gets a
# cluster-internal virtual IP only (no NodePort or LoadBalancer).
kind: Service
apiVersion: v1
metadata:
  name: linkerd-dst
  namespace: linkerd
  labels:
    ControllerComponentLabel: destination
    ControllerNamespaceLabel: linkerd
  annotations:
    CreatedByAnnotation: CliVersion
spec:
  type: ClusterIP
  selector:
    ControllerComponentLabel: destination
  ports:
  - name: grpc
    port: 8086
    targetPort: 8086
---
# Headless variant (clusterIP: None) of the destination Service: DNS resolves
# to the pod addresses directly. The identity and controller proxies in this
# manifest point LINKERD2_PROXY_DESTINATION_SVC_ADDR at this name.
kind: Service
apiVersion: v1
metadata:
  name: linkerd-dst-headless
  namespace: linkerd
  labels:
    ControllerComponentLabel: destination
    ControllerNamespaceLabel: linkerd
  annotations:
    CreatedByAnnotation: CliVersion
spec:
  clusterIP: None
  selector:
    ControllerComponentLabel: destination
  ports:
  - name: grpc
    port: 8086
    targetPort: 8086
---
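# Destination controller Deployment: the controller container, the
# linkerd-proxy sidecar and the linkerd-init init container.
# Nesting restored so the manifest parses as one Deployment. Values such as
# ControllerImage, ProxyVersion or ImagePullPolicy appear to be the fixture's
# placeholder strings (this is a golden file under testdata/), not settings.
apiVersion: apps/v1
kind: Deployment
metadata:
  annotations:
    CreatedByAnnotation: CliVersion
  labels:
    app.kubernetes.io/name: destination
    app.kubernetes.io/part-of: Linkerd
    app.kubernetes.io/version: ControllerImageVersion
    ControllerComponentLabel: destination
    ControllerNamespaceLabel: linkerd
  name: linkerd-destination
  namespace: linkerd
spec:
  replicas: 1
  selector:
    matchLabels:
      ControllerComponentLabel: destination
      ControllerNamespaceLabel: linkerd
      linkerd.io/proxy-deployment: linkerd-destination
  template:
    metadata:
      annotations:
        CreatedByAnnotation: CliVersion
        linkerd.io/identity-mode: default
        linkerd.io/proxy-version: ProxyVersion
      labels:
        ControllerComponentLabel: destination
        ControllerNamespaceLabel: linkerd
        WorkloadNamespaceLabel: linkerd
        linkerd.io/proxy-deployment: linkerd-destination
    spec:
      # beta.kubernetes.io/os is the deprecated form of kubernetes.io/os; any
      # change belongs in the template that renders this fixture.
      nodeSelector:
        beta.kubernetes.io/os: linux
      containers:
      - args:
        - destination
        - -addr=:8086
        - -controller-namespace=linkerd
        - -enable-h2-upgrade=true
        - -log-level=ControllerLogLevel
        - -log-format=ControllerLogFormat
        - -enable-endpoint-slices=false
        - -cluster-domain=cluster.local
        - -identity-trust-domain=cluster.local
        image: ControllerImage:ControllerImageVersion
        imagePullPolicy: ImagePullPolicy
        livenessProbe:
          httpGet:
            path: /ping
            port: 9996
          initialDelaySeconds: 10
        name: destination
        ports:
        - containerPort: 8086
          name: grpc
        - containerPort: 9996
          name: admin-http
        readinessProbe:
          failureThreshold: 7
          httpGet:
            path: /ready
            port: 9996
        # NOTE(review): only runAsUser is set for the controller container.
        # The proxy sidecar below also sets allowPrivilegeEscalation: false and
        # readOnlyRootFilesystem: true; the same hardening here would have to
        # be added in the chart template, not in this golden file.
        securityContext:
          runAsUser: 2103
      - env:
        - name: LINKERD2_PROXY_LOG
          value: "warn,linkerd=info"
        - name: LINKERD2_PROXY_LOG_FORMAT
          value: "plain"
        # In this pod the proxy reaches the destination API over localhost,
        # i.e. the controller container above.
        - name: LINKERD2_PROXY_DESTINATION_SVC_ADDR
          value: localhost.:8086
        - name: LINKERD2_PROXY_DESTINATION_PROFILE_NETWORKS
          value: "ClusterNetworks"
        # Control (4190), admin (4191) and inbound (4143) listeners bind all
        # interfaces; only the outbound listener (4140) is loopback-only.
        # linkerd-init excludes 4190 and 4191 from inbound redirection, so the
        # admin port is reachable from the pod network unless a NetworkPolicy
        # restricts it.
        - name: LINKERD2_PROXY_CONTROL_LISTEN_ADDR
          value: 0.0.0.0:4190
        - name: LINKERD2_PROXY_ADMIN_LISTEN_ADDR
          value: 0.0.0.0:4191
        - name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDR
          value: 127.0.0.1:4140
        - name: LINKERD2_PROXY_INBOUND_LISTEN_ADDR
          value: 0.0.0.0:4143
        - name: LINKERD2_PROXY_DESTINATION_PROFILE_SUFFIXES
          value: svc.cluster.local.
        - name: LINKERD2_PROXY_INBOUND_ACCEPT_KEEPALIVE
          value: 10000ms
        - name: LINKERD2_PROXY_OUTBOUND_CONNECT_KEEPALIVE
          value: 10000ms
        - name: _pod_ns
          valueFrom:
            fieldRef:
              fieldPath: metadata.namespace
        - name: _pod_nodeName
          valueFrom:
            fieldRef:
              fieldPath: spec.nodeName
        - name: LINKERD2_PROXY_DESTINATION_CONTEXT
          value: |
            {"ns":"$(_pod_ns)", "nodeName":"$(_pod_nodeName)"}
        # Identity material lives on the memory-backed emptyDir mounted below.
        - name: LINKERD2_PROXY_IDENTITY_DIR
          value: /var/run/linkerd/identity/end-entity
        # Trust anchor certificate: public material, not a secret. Presumably
        # the root against which the proxy validates mesh peers, so a change
        # here changes whom the proxy trusts.
        - name: LINKERD2_PROXY_IDENTITY_TRUST_ANCHORS
          value: |
            -----BEGIN CERTIFICATE-----
            MIIBwTCCAWagAwIBAgIQeDZp5lDaIygQ5UfMKZrFATAKBggqhkjOPQQDAjApMScw
            JQYDVQQDEx5pZGVudGl0eS5saW5rZXJkLmNsdXN0ZXIubG9jYWwwHhcNMjAwODI4
            MDcxMjQ3WhcNMzAwODI2MDcxMjQ3WjApMScwJQYDVQQDEx5pZGVudGl0eS5saW5r
            ZXJkLmNsdXN0ZXIubG9jYWwwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARqc70Z
            l1vgw79rjB5uSITICUA6GyfvSFfcuIis7B/XFSkkwAHU5S/s1AAP+R0TX7HBWUC4
            uaG4WWsiwJKNn7mgo3AwbjAOBgNVHQ8BAf8EBAMCAQYwEgYDVR0TAQH/BAgwBgEB
            /wIBATAdBgNVHQ4EFgQU5YtjVVPfd7I7NLHsn2C26EByGV0wKQYDVR0RBCIwIIIe
            aWRlbnRpdHkubGlua2VyZC5jbHVzdGVyLmxvY2FsMAoGCCqGSM49BAMCA0kAMEYC
            IQCN7lBFLDDvjx6V0+XkjpKERRsJYf5adMvnloFl48ilJgIhANtxhndcr+QJPuC8
            vgUC0d2/9FMueIVMb+46WTCOjsqr
            -----END CERTIFICATE-----
        # Service-account token path; presumably presented to the identity
        # service below when the proxy requests its certificate.
        - name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE
          value: /var/run/secrets/kubernetes.io/serviceaccount/token
        - name: LINKERD2_PROXY_IDENTITY_SVC_ADDR
          value: linkerd-identity-headless.linkerd.svc.cluster.local:8080
        - name: _pod_sa
          valueFrom:
            fieldRef:
              fieldPath: spec.serviceAccountName
        - name: _l5d_ns
          value: linkerd
        - name: _l5d_trustdomain
          value: cluster.local
        # The proxy's own identity name is built from the pod's service
        # account and namespace, so serviceAccountName below determines it.
        - name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME
          value: $(_pod_sa).$(_pod_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain)
        - name: LINKERD2_PROXY_IDENTITY_SVC_NAME
          value: linkerd-identity.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain)
        - name: LINKERD2_PROXY_DESTINATION_SVC_NAME
          value: linkerd-destination.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain)
        image: ProxyImageName:ProxyVersion
        imagePullPolicy: ImagePullPolicy
        livenessProbe:
          httpGet:
            path: /live
            port: 4191
          initialDelaySeconds: 10
        name: linkerd-proxy
        ports:
        - containerPort: 4143
          name: linkerd-proxy
        - containerPort: 4191
          name: linkerd-admin
        readinessProbe:
          httpGet:
            path: /ready
            port: 4191
          initialDelaySeconds: 2
        resources:
          limits:
            cpu: "cpu-limit"
            memory: "memory-limit"
          requests:
            cpu: "cpu-request"
            memory: "memory-request"
        securityContext:
          allowPrivilegeEscalation: false
          readOnlyRootFilesystem: true
          runAsUser: 2102
        terminationMessagePolicy: FallbackToLogsOnError
        volumeMounts:
        - mountPath: /var/run/linkerd/identity/end-entity
          name: linkerd-identity-end-entity
      initContainers:
      # linkerd-init runs as root (runAsUser: 0, runAsNonRoot: false) with
      # NET_ADMIN and NET_RAW added, but stays non-privileged, cannot escalate
      # and has a read-only root filesystem. Its args name the proxy ports and
      # the proxy UID, so it presumably installs the traffic-redirection rules;
      # /run is a writable emptyDir for the xtables lock.
      - args:
        - --incoming-proxy-port
        - "4143"
        - --outgoing-proxy-port
        - "4140"
        - --proxy-uid
        - "2102"
        # 4190 and 4191 are the proxy's own control and admin listeners.
        - --inbound-ports-to-ignore
        - "4190,4191"
        # Outbound connections to port 443 are not redirected through the
        # proxy (presumably to keep Kubernetes API calls direct).
        - --outbound-ports-to-ignore
        - "443"
        image: ProxyInitImageName:ProxyInitVersion
        imagePullPolicy: ImagePullPolicy
        name: linkerd-init
        resources:
          limits:
            cpu: "100m"
            memory: "50Mi"
          requests:
            cpu: "10m"
            memory: "10Mi"
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            add:
            - NET_ADMIN
            - NET_RAW
          privileged: false
          readOnlyRootFilesystem: true
          runAsNonRoot: false
          runAsUser: 0
        terminationMessagePolicy: FallbackToLogsOnError
        volumeMounts:
        - mountPath: /run
          name: linkerd-proxy-init-xtables-lock
      serviceAccountName: linkerd-destination
      volumes:
      - emptyDir: {}
        name: linkerd-proxy-init-xtables-lock
      # medium: Memory keeps the identity directory on tmpfs instead of the
      # node's disk.
      - emptyDir:
          medium: Memory
        name: linkerd-identity-end-entity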
---
###
### Heartbeat
###
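# Heartbeat CronJob: runs the controller image with the "heartbeat" command.
# Nesting restored (jobTemplate.spec.template.spec.containers).
# batch/v1beta1 CronJob was removed in Kubernetes 1.25; batch/v1 replaces it.
# Any change belongs in the template that renders this golden fixture.
apiVersion: batch/v1beta1
kind: CronJob
metadata:
  name: linkerd-heartbeat
  namespace: linkerd
  labels:
    app.kubernetes.io/name: heartbeat
    app.kubernetes.io/part-of: Linkerd
    app.kubernetes.io/version: ControllerImageVersion
    ControllerComponentLabel: heartbeat
    ControllerNamespaceLabel: linkerd
  annotations:
    CreatedByAnnotation: CliVersion
spec:
  # Empty in this fixture; an empty string is not a valid cron expression, so
  # a real install has to supply a schedule.
  schedule: ""
  successfulJobsHistoryLimit: 0
  jobTemplate:
    spec:
      template:
        metadata:
          labels:
            ControllerComponentLabel: heartbeat
            WorkloadNamespaceLabel: linkerd
          annotations:
            CreatedByAnnotation: CliVersion
        spec:
          nodeSelector:
            beta.kubernetes.io/os: linux
          serviceAccountName: linkerd-heartbeat
          restartPolicy: Never
          # This pod template declares only the heartbeat container, with no
          # linkerd-proxy sidecar, and the Prometheus URL below is plain http,
          # so that query is presumably not covered by mesh mTLS.
          containers:
          - name: heartbeat
            image: ControllerImage:ControllerImageVersion
            imagePullPolicy: ImagePullPolicy
            args:
            - "heartbeat"
            - "-controller-namespace=linkerd"
            - "-log-level=ControllerLogLevel"
            - "-log-format=ControllerLogFormat"
            - "-prometheus-url=http://linkerd-prometheus.linkerd-viz.svc.cluster.local:9090"
            # NOTE(review): only runAsUser is set; allowPrivilegeEscalation
            # and readOnlyRootFilesystem are left at their defaults.
            securityContext:
              runAsUser: 2103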
---
###
### Proxy Injector
###
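# Proxy injector Deployment: the proxy-injector container (listening on 8443),
# the linkerd-proxy sidecar and the linkerd-init init container.
# Nesting restored so the manifest parses as one Deployment. Values such as
# ControllerImage, ProxyVersion or ImagePullPolicy appear to be the fixture's
# placeholder strings (this is a golden file under testdata/), not settings.
apiVersion: apps/v1
kind: Deployment
metadata:
  annotations:
    CreatedByAnnotation: CliVersion
  labels:
    app.kubernetes.io/name: proxy-injector
    app.kubernetes.io/part-of: Linkerd
    app.kubernetes.io/version: ControllerImageVersion
    ControllerComponentLabel: proxy-injector
    ControllerNamespaceLabel: linkerd
  name: linkerd-proxy-injector
  namespace: linkerd
spec:
  replicas: 1
  selector:
    matchLabels:
      ControllerComponentLabel: proxy-injector
  template:
    metadata:
      annotations:
        # Presumably a hash of the rendered configuration, so that a config
        # change alters the pod template and rolls the pods.
        checksum/config: b65674201363653c6dbae41dbaec0c9f8ea674c2098808ad3dbbf0854771e605
        CreatedByAnnotation: CliVersion
        linkerd.io/identity-mode: default
        linkerd.io/proxy-version: ProxyVersion
      labels:
        ControllerComponentLabel: proxy-injector
        ControllerNamespaceLabel: linkerd
        WorkloadNamespaceLabel: linkerd
        linkerd.io/proxy-deployment: linkerd-proxy-injector
    spec:
      nodeSelector:
        beta.kubernetes.io/os: linux
      containers:
      - args:
        - proxy-injector
        - -log-level=ControllerLogLevel
        - -log-format=ControllerLogFormat
        image: ControllerImage:ControllerImageVersion
        imagePullPolicy: ImagePullPolicy
        livenessProbe:
          httpGet:
            path: /ping
            port: 9995
          initialDelaySeconds: 10
        name: proxy-injector
        ports:
        - containerPort: 8443
          name: proxy-injector
        - containerPort: 9995
          name: admin-http
        readinessProbe:
          failureThreshold: 7
          httpGet:
            path: /ready
            port: 9995
        # NOTE(review): only runAsUser is set for this container. The proxy
        # sidecar below also sets allowPrivilegeEscalation: false and
        # readOnlyRootFilesystem: true; the same hardening here would have to
        # be added in the chart template, not in this golden file.
        securityContext:
          runAsUser: 2103
        volumeMounts:
        - mountPath: /var/run/linkerd/config
          name: config
        # Mounted read-only from Secret linkerd-proxy-injector-k8s-tls;
        # presumably the serving certificate and key for port 8443.
        - mountPath: /var/run/linkerd/tls
          name: tls
          readOnly: true
      - env:
        - name: LINKERD2_PROXY_LOG
          value: "warn,linkerd=info"
        - name: LINKERD2_PROXY_LOG_FORMAT
          value: "plain"
        - name: LINKERD2_PROXY_DESTINATION_SVC_ADDR
          value: linkerd-dst-headless.linkerd.svc.cluster.local:8086
        - name: LINKERD2_PROXY_DESTINATION_PROFILE_NETWORKS
          value: "ClusterNetworks"
        # Control (4190), admin (4191) and inbound (4143) listeners bind all
        # interfaces; only the outbound listener (4140) is loopback-only.
        # linkerd-init excludes 4190 and 4191 from inbound redirection, so the
        # admin port is reachable from the pod network unless a NetworkPolicy
        # restricts it.
        - name: LINKERD2_PROXY_CONTROL_LISTEN_ADDR
          value: 0.0.0.0:4190
        - name: LINKERD2_PROXY_ADMIN_LISTEN_ADDR
          value: 0.0.0.0:4191
        - name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDR
          value: 127.0.0.1:4140
        - name: LINKERD2_PROXY_INBOUND_LISTEN_ADDR
          value: 0.0.0.0:4143
        - name: LINKERD2_PROXY_DESTINATION_PROFILE_SUFFIXES
          value: svc.cluster.local.
        - name: LINKERD2_PROXY_INBOUND_ACCEPT_KEEPALIVE
          value: 10000ms
        - name: LINKERD2_PROXY_OUTBOUND_CONNECT_KEEPALIVE
          value: 10000ms
        - name: _pod_ns
          valueFrom:
            fieldRef:
              fieldPath: metadata.namespace
        - name: _pod_nodeName
          valueFrom:
            fieldRef:
              fieldPath: spec.nodeName
        - name: LINKERD2_PROXY_DESTINATION_CONTEXT
          value: |
            {"ns":"$(_pod_ns)", "nodeName":"$(_pod_nodeName)"}
        # Identity material lives on the memory-backed emptyDir mounted below.
        - name: LINKERD2_PROXY_IDENTITY_DIR
          value: /var/run/linkerd/identity/end-entity
        # Trust anchor certificate: public material, not a secret. Presumably
        # the root against which the proxy validates mesh peers.
        - name: LINKERD2_PROXY_IDENTITY_TRUST_ANCHORS
          value: |
            -----BEGIN CERTIFICATE-----
            MIIBwTCCAWagAwIBAgIQeDZp5lDaIygQ5UfMKZrFATAKBggqhkjOPQQDAjApMScw
            JQYDVQQDEx5pZGVudGl0eS5saW5rZXJkLmNsdXN0ZXIubG9jYWwwHhcNMjAwODI4
            MDcxMjQ3WhcNMzAwODI2MDcxMjQ3WjApMScwJQYDVQQDEx5pZGVudGl0eS5saW5r
            ZXJkLmNsdXN0ZXIubG9jYWwwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARqc70Z
            l1vgw79rjB5uSITICUA6GyfvSFfcuIis7B/XFSkkwAHU5S/s1AAP+R0TX7HBWUC4
            uaG4WWsiwJKNn7mgo3AwbjAOBgNVHQ8BAf8EBAMCAQYwEgYDVR0TAQH/BAgwBgEB
            /wIBATAdBgNVHQ4EFgQU5YtjVVPfd7I7NLHsn2C26EByGV0wKQYDVR0RBCIwIIIe
            aWRlbnRpdHkubGlua2VyZC5jbHVzdGVyLmxvY2FsMAoGCCqGSM49BAMCA0kAMEYC
            IQCN7lBFLDDvjx6V0+XkjpKERRsJYf5adMvnloFl48ilJgIhANtxhndcr+QJPuC8
            vgUC0d2/9FMueIVMb+46WTCOjsqr
            -----END CERTIFICATE-----
        # Service-account token path; presumably presented to the identity
        # service below when the proxy requests its certificate.
        - name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE
          value: /var/run/secrets/kubernetes.io/serviceaccount/token
        - name: LINKERD2_PROXY_IDENTITY_SVC_ADDR
          value: linkerd-identity-headless.linkerd.svc.cluster.local:8080
        - name: _pod_sa
          valueFrom:
            fieldRef:
              fieldPath: spec.serviceAccountName
        - name: _l5d_ns
          value: linkerd
        - name: _l5d_trustdomain
          value: cluster.local
        # The proxy's own identity name is built from the pod's service
        # account and namespace, so serviceAccountName below determines it.
        - name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME
          value: $(_pod_sa).$(_pod_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain)
        - name: LINKERD2_PROXY_IDENTITY_SVC_NAME
          value: linkerd-identity.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain)
        - name: LINKERD2_PROXY_DESTINATION_SVC_NAME
          value: linkerd-destination.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain)
        image: ProxyImageName:ProxyVersion
        imagePullPolicy: ImagePullPolicy
        livenessProbe:
          httpGet:
            path: /live
            port: 4191
          initialDelaySeconds: 10
        name: linkerd-proxy
        ports:
        - containerPort: 4143
          name: linkerd-proxy
        - containerPort: 4191
          name: linkerd-admin
        readinessProbe:
          httpGet:
            path: /ready
            port: 4191
          initialDelaySeconds: 2
        resources:
          limits:
            cpu: "cpu-limit"
            memory: "memory-limit"
          requests:
            cpu: "cpu-request"
            memory: "memory-request"
        securityContext:
          allowPrivilegeEscalation: false
          readOnlyRootFilesystem: true
          runAsUser: 2102
        terminationMessagePolicy: FallbackToLogsOnError
        volumeMounts:
        - mountPath: /var/run/linkerd/identity/end-entity
          name: linkerd-identity-end-entity
      initContainers:
      # linkerd-init runs as root (runAsUser: 0, runAsNonRoot: false) with
      # NET_ADMIN and NET_RAW added, but stays non-privileged, cannot escalate
      # and has a read-only root filesystem. Its args name the proxy ports and
      # the proxy UID, so it presumably installs the traffic-redirection rules;
      # /run is a writable emptyDir for the xtables lock.
      - args:
        - --incoming-proxy-port
        - "4143"
        - --outgoing-proxy-port
        - "4140"
        - --proxy-uid
        - "2102"
        # 4190 and 4191 are the proxy's own control and admin listeners.
        - --inbound-ports-to-ignore
        - "4190,4191"
        # Outbound connections to port 443 are not redirected through the
        # proxy (presumably to keep Kubernetes API calls direct).
        - --outbound-ports-to-ignore
        - "443"
        image: ProxyInitImageName:ProxyInitVersion
        imagePullPolicy: ImagePullPolicy
        name: linkerd-init
        resources:
          limits:
            cpu: "100m"
            memory: "50Mi"
          requests:
            cpu: "10m"
            memory: "10Mi"
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            add:
            - NET_ADMIN
            - NET_RAW
          privileged: false
          readOnlyRootFilesystem: true
          runAsNonRoot: false
          runAsUser: 0
        terminationMessagePolicy: FallbackToLogsOnError
        volumeMounts:
        - mountPath: /run
          name: linkerd-proxy-init-xtables-lock
      serviceAccountName: linkerd-proxy-injector
      volumes:
      - configMap:
          name: linkerd-config
        name: config
      - name: tls
        secret:
          secretName: linkerd-proxy-injector-k8s-tls
      - emptyDir: {}
        name: linkerd-proxy-init-xtables-lock
      # medium: Memory keeps the identity directory on tmpfs instead of the
      # node's disk.
      - emptyDir:
          medium: Memory
        name: linkerd-identity-end-entity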
---
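# Service for the proxy injector: port 443 forwards to the pod's named port
# "proxy-injector". Nesting restored.
kind: Service
apiVersion: v1
metadata:
  name: linkerd-proxy-injector
  namespace: linkerd
  labels:
    ControllerComponentLabel: proxy-injector
    ControllerNamespaceLabel: linkerd
  annotations:
    CreatedByAnnotation: CliVersion
spec:
  type: ClusterIP
  # The selector uses only the component label; any pod in this namespace that
  # carries it would receive the traffic sent to this Service.
  selector:
    ControllerComponentLabel: proxy-injector
  ports:
  - name: proxy-injector
    port: 443
    targetPort: proxy-injector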
---
###
### Service Profile Validator
###
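# Service for the service-profile validator: port 443 forwards to the pod's
# named port "sp-validator". Nesting restored.
kind: Service
apiVersion: v1
metadata:
  name: linkerd-sp-validator
  namespace: linkerd
  labels:
    ControllerComponentLabel: sp-validator
    ControllerNamespaceLabel: linkerd
  annotations:
    CreatedByAnnotation: CliVersion
spec:
  type: ClusterIP
  # The selector uses only the component label; any pod in this namespace that
  # carries it would receive the traffic sent to this Service.
  selector:
    ControllerComponentLabel: sp-validator
  ports:
  - name: sp-validator
    port: 443
    targetPort: sp-validator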
---
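# Service-profile validator Deployment: the sp-validator container (listening
# on 8443), the linkerd-proxy sidecar and the linkerd-init init container.
# Nesting restored so the manifest parses as one Deployment. Values such as
# ControllerImage, ProxyVersion or ImagePullPolicy appear to be the fixture's
# placeholder strings (this is a golden file under testdata/), not settings.
apiVersion: apps/v1
kind: Deployment
metadata:
  annotations:
    CreatedByAnnotation: CliVersion
  labels:
    app.kubernetes.io/name: sp-validator
    app.kubernetes.io/part-of: Linkerd
    app.kubernetes.io/version: ControllerImageVersion
    ControllerComponentLabel: sp-validator
    ControllerNamespaceLabel: linkerd
  name: linkerd-sp-validator
  namespace: linkerd
spec:
  replicas: 1
  selector:
    matchLabels:
      ControllerComponentLabel: sp-validator
  template:
    metadata:
      annotations:
        # Presumably a hash of the rendered configuration, so that a config
        # change alters the pod template and rolls the pods.
        checksum/config: 07bd272aac5c2028cfc06b05b3d790f3273585565ff8a5a94a806e271140c62b
        CreatedByAnnotation: CliVersion
        linkerd.io/identity-mode: default
        linkerd.io/proxy-version: ProxyVersion
      labels:
        ControllerComponentLabel: sp-validator
        ControllerNamespaceLabel: linkerd
        WorkloadNamespaceLabel: linkerd
        linkerd.io/proxy-deployment: linkerd-sp-validator
    spec:
      nodeSelector:
        beta.kubernetes.io/os: linux
      containers:
      - args:
        - sp-validator
        - -log-level=ControllerLogLevel
        - -log-format=ControllerLogFormat
        image: ControllerImage:ControllerImageVersion
        imagePullPolicy: ImagePullPolicy
        livenessProbe:
          httpGet:
            path: /ping
            port: 9997
          initialDelaySeconds: 10
        name: sp-validator
        ports:
        - containerPort: 8443
          name: sp-validator
        - containerPort: 9997
          name: admin-http
        readinessProbe:
          failureThreshold: 7
          httpGet:
            path: /ready
            port: 9997
        # NOTE(review): only runAsUser is set for this container. The proxy
        # sidecar below also sets allowPrivilegeEscalation: false and
        # readOnlyRootFilesystem: true; the same hardening here would have to
        # be added in the chart template, not in this golden file.
        securityContext:
          runAsUser: 2103
        volumeMounts:
        # Mounted read-only from Secret linkerd-sp-validator-k8s-tls;
        # presumably the serving certificate and key for port 8443.
        - mountPath: /var/run/linkerd/tls
          name: tls
          readOnly: true
      - env:
        - name: LINKERD2_PROXY_LOG
          value: "warn,linkerd=info"
        - name: LINKERD2_PROXY_LOG_FORMAT
          value: "plain"
        - name: LINKERD2_PROXY_DESTINATION_SVC_ADDR
          value: linkerd-dst-headless.linkerd.svc.cluster.local:8086
        - name: LINKERD2_PROXY_DESTINATION_PROFILE_NETWORKS
          value: "ClusterNetworks"
        # Control (4190), admin (4191) and inbound (4143) listeners bind all
        # interfaces; only the outbound listener (4140) is loopback-only.
        # linkerd-init excludes 4190 and 4191 from inbound redirection, so the
        # admin port is reachable from the pod network unless a NetworkPolicy
        # restricts it.
        - name: LINKERD2_PROXY_CONTROL_LISTEN_ADDR
          value: 0.0.0.0:4190
        - name: LINKERD2_PROXY_ADMIN_LISTEN_ADDR
          value: 0.0.0.0:4191
        - name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDR
          value: 127.0.0.1:4140
        - name: LINKERD2_PROXY_INBOUND_LISTEN_ADDR
          value: 0.0.0.0:4143
        - name: LINKERD2_PROXY_DESTINATION_PROFILE_SUFFIXES
          value: svc.cluster.local.
        - name: LINKERD2_PROXY_INBOUND_ACCEPT_KEEPALIVE
          value: 10000ms
        - name: LINKERD2_PROXY_OUTBOUND_CONNECT_KEEPALIVE
          value: 10000ms
        - name: _pod_ns
          valueFrom:
            fieldRef:
              fieldPath: metadata.namespace
        - name: _pod_nodeName
          valueFrom:
            fieldRef:
              fieldPath: spec.nodeName
        - name: LINKERD2_PROXY_DESTINATION_CONTEXT
          value: |
            {"ns":"$(_pod_ns)", "nodeName":"$(_pod_nodeName)"}
        # Identity material lives on the memory-backed emptyDir mounted below.
        - name: LINKERD2_PROXY_IDENTITY_DIR
          value: /var/run/linkerd/identity/end-entity
        # Trust anchor certificate: public material, not a secret. Presumably
        # the root against which the proxy validates mesh peers.
        - name: LINKERD2_PROXY_IDENTITY_TRUST_ANCHORS
          value: |
            -----BEGIN CERTIFICATE-----
            MIIBwTCCAWagAwIBAgIQeDZp5lDaIygQ5UfMKZrFATAKBggqhkjOPQQDAjApMScw
            JQYDVQQDEx5pZGVudGl0eS5saW5rZXJkLmNsdXN0ZXIubG9jYWwwHhcNMjAwODI4
            MDcxMjQ3WhcNMzAwODI2MDcxMjQ3WjApMScwJQYDVQQDEx5pZGVudGl0eS5saW5r
            ZXJkLmNsdXN0ZXIubG9jYWwwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARqc70Z
            l1vgw79rjB5uSITICUA6GyfvSFfcuIis7B/XFSkkwAHU5S/s1AAP+R0TX7HBWUC4
            uaG4WWsiwJKNn7mgo3AwbjAOBgNVHQ8BAf8EBAMCAQYwEgYDVR0TAQH/BAgwBgEB
            /wIBATAdBgNVHQ4EFgQU5YtjVVPfd7I7NLHsn2C26EByGV0wKQYDVR0RBCIwIIIe
            aWRlbnRpdHkubGlua2VyZC5jbHVzdGVyLmxvY2FsMAoGCCqGSM49BAMCA0kAMEYC
            IQCN7lBFLDDvjx6V0+XkjpKERRsJYf5adMvnloFl48ilJgIhANtxhndcr+QJPuC8
            vgUC0d2/9FMueIVMb+46WTCOjsqr
            -----END CERTIFICATE-----
        # Service-account token path; presumably presented to the identity
        # service below when the proxy requests its certificate.
        - name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE
          value: /var/run/secrets/kubernetes.io/serviceaccount/token
        - name: LINKERD2_PROXY_IDENTITY_SVC_ADDR
          value: linkerd-identity-headless.linkerd.svc.cluster.local:8080
        - name: _pod_sa
          valueFrom:
            fieldRef:
              fieldPath: spec.serviceAccountName
        - name: _l5d_ns
          value: linkerd
        - name: _l5d_trustdomain
          value: cluster.local
        # The proxy's own identity name is built from the pod's service
        # account and namespace, so serviceAccountName below determines it.
        - name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME
          value: $(_pod_sa).$(_pod_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain)
        - name: LINKERD2_PROXY_IDENTITY_SVC_NAME
          value: linkerd-identity.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain)
        - name: LINKERD2_PROXY_DESTINATION_SVC_NAME
          value: linkerd-destination.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain)
        image: ProxyImageName:ProxyVersion
        imagePullPolicy: ImagePullPolicy
        livenessProbe:
          httpGet:
            path: /live
            port: 4191
          initialDelaySeconds: 10
        name: linkerd-proxy
        ports:
        - containerPort: 4143
          name: linkerd-proxy
        - containerPort: 4191
          name: linkerd-admin
        readinessProbe:
          httpGet:
            path: /ready
            port: 4191
          initialDelaySeconds: 2
        resources:
          limits:
            cpu: "cpu-limit"
            memory: "memory-limit"
          requests:
            cpu: "cpu-request"
            memory: "memory-request"
        securityContext:
          allowPrivilegeEscalation: false
          readOnlyRootFilesystem: true
          runAsUser: 2102
        terminationMessagePolicy: FallbackToLogsOnError
        volumeMounts:
        - mountPath: /var/run/linkerd/identity/end-entity
          name: linkerd-identity-end-entity
      initContainers:
      # linkerd-init runs as root (runAsUser: 0, runAsNonRoot: false) with
      # NET_ADMIN and NET_RAW added, but stays non-privileged, cannot escalate
      # and has a read-only root filesystem. Its args name the proxy ports and
      # the proxy UID, so it presumably installs the traffic-redirection rules;
      # /run is a writable emptyDir for the xtables lock.
      - args:
        - --incoming-proxy-port
        - "4143"
        - --outgoing-proxy-port
        - "4140"
        - --proxy-uid
        - "2102"
        # 4190 and 4191 are the proxy's own control and admin listeners.
        - --inbound-ports-to-ignore
        - "4190,4191"
        # Outbound connections to port 443 are not redirected through the
        # proxy (presumably to keep Kubernetes API calls direct).
        - --outbound-ports-to-ignore
        - "443"
        image: ProxyInitImageName:ProxyInitVersion
        imagePullPolicy: ImagePullPolicy
        name: linkerd-init
        resources:
          limits:
            cpu: "100m"
            memory: "50Mi"
          requests:
            cpu: "10m"
            memory: "10Mi"
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            add:
            - NET_ADMIN
            - NET_RAW
          privileged: false
          readOnlyRootFilesystem: true
          runAsNonRoot: false
          runAsUser: 0
        terminationMessagePolicy: FallbackToLogsOnError
        volumeMounts:
        - mountPath: /run
          name: linkerd-proxy-init-xtables-lock
      serviceAccountName: linkerd-sp-validator
      volumes:
      - name: tls
        secret:
          secretName: linkerd-sp-validator-k8s-tls
      - emptyDir: {}
        name: linkerd-proxy-init-xtables-lock
      # medium: Memory keeps the identity directory on tmpfs instead of the
      # node's disk.
      - emptyDir:
          medium: Memory
        name: linkerd-identity-end-entity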
---
apiVersion: v1
data:
linkerd-config-overrides: Y29udHJvbGxlckltYWdlOiBDb250cm9sbGVySW1hZ2UKZGVidWdDb250YWluZXI6CiAgaW1hZ2U6CiAgICBuYW1lOiBEZWJ1Z0ltYWdlTmFtZQogICAgcHVsbFBvbGljeTogRGVidWdJbWFnZVB1bGxQb2xpY3kKICAgIHZlcnNpb246IERlYnVnVmVyc2lvbgpnbG9iYWw6CiAgY2xpVmVyc2lvbjogQ2xpVmVyc2lvbgogIGNsdXN0ZXJOZXR3b3JrczogQ2x1c3Rlck5ldHdvcmtzCiAgY29udHJvbFBsYW5lVHJhY2luZ05hbWVzcGFjZTogIiIKICBjb250cm9sbGVyQ29tcG9uZW50TGFiZWw6IENvbnRyb2xsZXJDb21wb25lbnRMYWJlbAogIGNvbnRyb2xsZXJJbWFnZVZlcnNpb246IENvbnRyb2xsZXJJbWFnZVZlcnNpb24KICBjb250cm9sbGVyTG9nRm9ybWF0OiBDb250cm9sbGVyTG9nRm9ybWF0CiAgY29udHJvbGxlckxvZ0xldmVsOiBDb250cm9sbGVyTG9nTGV2ZWwKICBjb250cm9sbGVyTmFtZXNwYWNlTGFiZWw6IENvbnRyb2xsZXJOYW1lc3BhY2VMYWJlbAogIGNyZWF0ZWRCeUFubm90YXRpb246IENyZWF0ZWRCeUFubm90YXRpb24KICBpZGVudGl0eVRydXN0QW5jaG9yc1BFTTogfAogICAgLS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCiAgICBNSUlCd1RDQ0FXYWdBd0lCQWdJUWVEWnA1bERhSXlnUTVVZk1LWnJGQVRBS0JnZ3Foa2pPUFFRREFqQXBNU2N3CiAgICBKUVlEVlFRREV4NXBaR1Z1ZEdsMGVTNXNhVzVyWlhKa0xtTnNkWE4wWlhJdWJHOWpZV3d3SGhjTk1qQXdPREk0CiAgICBNRGN4TWpRM1doY05NekF3T0RJMk1EY3hNalEzV2pBcE1TY3dKUVlEVlFRREV4NXBaR1Z1ZEdsMGVTNXNhVzVyCiAgICBaWEprTG1Oc2RYTjBaWEl1Ykc5allXd3dXVEFUQmdjcWhrak9QUUlCQmdncWhrak9QUU1CQndOQ0FBUnFjNzBaCiAgICBsMXZndzc5cmpCNXVTSVRJQ1VBNkd5ZnZTRmZjdUlpczdCL1hGU2trd0FIVTVTL3MxQUFQK1IwVFg3SEJXVUM0CiAgICB1YUc0V1dzaXdKS05uN21nbzNBd2JqQU9CZ05WSFE4QkFmOEVCQU1DQVFZd0VnWURWUjBUQVFIL0JBZ3dCZ0VCCiAgICAvd0lCQVRBZEJnTlZIUTRFRmdRVTVZdGpWVlBmZDdJN05MSHNuMkMyNkVCeUdWMHdLUVlEVlIwUkJDSXdJSUllCiAgICBhV1JsYm5ScGRIa3ViR2x1YTJWeVpDNWpiSFZ6ZEdWeUxteHZZMkZzTUFvR0NDcUdTTTQ5QkFNQ0Ewa0FNRVlDCiAgICBJUUNON2xCRkxERHZqeDZWMCtYa2pwS0VSUnNKWWY1YWRNdm5sb0ZsNDhpbEpnSWhBTnR4aG5kY3IrUUpQdUM4CiAgICB2Z1VDMGQyLzlGTXVlSVZNYis0NldUQ09qc3FyCiAgICAtLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCiAgaW1hZ2VQdWxsUG9saWN5OiBJbWFnZVB1bGxQb2xpY3kKICBpbWFnZVB1bGxTZWNyZXRzOiBudWxsCiAgbGlua2VyZE5hbWVzcGFjZUxhYmVsOiBMaW5rZXJkTmFtZXNwYWNlTGFiZWwKICBsaW5rZXJkVmVyc2lvbjogIiIKICBwcm94eToKICAgIGltYWdlOgogICAgICBuYW1lOiBQcm94eUltYWdlTmFtZQogICAgICBwdWxsUG9saWN5OiBJbWFnZVB1bGxQb2
xpY3kKICAgICAgdmVyc2lvbjogUHJveHlWZXJzaW9uCiAgICBpbmJvdW5kQ29ubmVjdFRpbWVvdXQ6ICIiCiAgICBvdXRib3VuZENvbm5lY3RUaW1lb3V0OiAiIgogICAgcmVzb3VyY2VzOgogICAgICBjcHU6CiAgICAgICAgbGltaXQ6IGNwdS1saW1pdAogICAgICAgIHJlcXVlc3Q6IGNwdS1yZXF1ZXN0CiAgICAgIG1lbW9yeToKICAgICAgICBsaW1pdDogbWVtb3J5LWxpbWl0CiAgICAgICAgcmVxdWVzdDogbWVtb3J5LXJlcXVlc3QKICBwcm94eUNvbnRhaW5lck5hbWU6IFByb3h5Q29udGFpbmVyTmFtZQogIHByb3h5SW5pdDoKICAgIGlnbm9yZUluYm91bmRQb3J0czogIiIKICAgIGlnbm9yZU91dGJvdW5kUG9ydHM6ICI0NDMiCiAgICBpbWFnZToKICAgICAgbmFtZTogUHJveHlJbml0SW1hZ2VOYW1lCiAgICAgIHB1bGxQb2xpY3k6IEltYWdlUHVsbFBvbGljeQogICAgICB2ZXJzaW9uOiBQcm94eUluaXRWZXJzaW9uCiAgcHJveHlJbmplY3RBbm5vdGF0aW9uOiBQcm94eUluamVjdEFubm90YXRpb24KICBwcm94eUluamVjdERpc2FibGVkOiBQcm94eUluamVjdERpc2FibGVkCiAgd29ya2xvYWROYW1lc3BhY2VMYWJlbDogV29ya2xvYWROYW1lc3BhY2VMYWJlbApoZWFydGJlYXRTY2hlZHVsZTogIiIKaWRlbnRpdHk6CiAgaXNzdWVyOgogICAgY3J0RXhwaXJ5OiAiMjAzMC0wOC0yNlQwNzoxMzo0N1oiCiAgICB0bHM6CiAgICAgIGNydFBFTTogfAogICAgICAgIC0tLS0tQkVHSU4gQ0VSVElGSUNBVEUtLS0tLQogICAgICAgIE1JSUJ3RENDQVdlZ0F3SUJBZ0lSQUpSSWdaOFJ0TzhFd2cxWGVwZjhUNDR3Q2dZSUtvWkl6ajBFQXdJd0tURW4KICAgICAgICBNQ1VHQTFVRUF4TWVhV1JsYm5ScGRIa3ViR2x1YTJWeVpDNWpiSFZ6ZEdWeUxteHZZMkZzTUI0WERUSXdNRGd5CiAgICAgICAgT0RBM01UTTBOMW9YRFRNd01EZ3lOakEzTVRNME4xb3dLVEVuTUNVR0ExVUVBeE1lYVdSbGJuUnBkSGt1YkdsdQogICAgICAgIGEyVnlaQzVqYkhWemRHVnlMbXh2WTJGc01Ga3dFd1lIS29aSXpqMENBUVlJS29aSXpqMERBUWNEUWdBRTEvRnAKICAgICAgICBmY1JuRGNlZEw2QWpVYVhZUHY0RElNQmFKdWZPSTVOV3R5K1hTWDdKalhnWnRNNzJkUXZSYVlhbnV4RDM2RHQxCiAgICAgICAgMi9KeHlpU2d4S1dSZG9heSthTndNRzR3RGdZRFZSMFBBUUgvQkFRREFnRUdNQklHQTFVZEV3RUIvd1FJTUFZQgogICAgICAgIEFmOENBUUF3SFFZRFZSME9CQllFRkkxV25ycU1ZS2FISE9vK3pweWlpRHEycE8wS01Da0dBMVVkRVFRaU1DQ0MKICAgICAgICBIbWxrWlc1MGFYUjVMbXhwYm10bGNtUXVZMngxYzNSbGNpNXNiMk5oYkRBS0JnZ3Foa2pPUFFRREFnTkhBREJFCiAgICAgICAgQWlBdHVvSTVYdUN0ckdWUnpTbVJUbDJyYTI4YVY5TXlUVTdkNXFuVEFGSEtTZ0lnUktDdmx1T1NnQTVPMjFwNQogICAgICAgIDUxdGRybWtIRVpScjBxbExTSmRIWWdFZk16az0KICAgICAgICAtLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCiAgICAgIGtleVBFTTogfAogICAgICAgIC
0tLS0tQkVHSU4gRUMgUFJJVkFURSBLRVktLS0tLQogICAgICAgIE1IY0NBUUVFSUFBZThuZmJ6WnU5Yy9PQjIrOHhKTTBGejdOVXdUUWF6dWxrRk5zNFRJNStvQW9HQ0NxR1NNNDkKICAgICAgICBBd0VIb1VRRFFnQUUxL0ZwZmNSbkRjZWRMNkFqVWFYWVB2NERJTUJhSnVmT0k1Tld0eStYU1g3SmpYZ1p0TTcyCiAgICAgICAgZFF2UmFZYW51eEQzNkR0MTIvSnh5aVNneEtXUmRvYXkrUT09CiAgICAgICAgLS0tLS1FTkQgRUMgUFJJVkFURSBLRVktLS0tLQpwcm9maWxlVmFsaWRhdG9yOgogIGNhQnVuZGxlOiBwcm9maWxlIHZhbGlkYXRvciBDQSBidW5kbGUKICBjcnRQRU06IHByb2ZpbGUgdmFsaWRhdG9yIGNydAogIGtleVBFTTogcHJvZmlsZSB2YWxpZGF0b3Iga2V5CnByb3h5SW5qZWN0b3I6CiAgY2FCdW5kbGU6IHByb3h5IGluamVjdG9yIENBIGJ1bmRsZQogIGNydFBFTTogcHJveHkgaW5qZWN0b3IgY3J0CiAga2V5UEVNOiBwcm94eSBpbmplY3RvciBrZXkKd2ViaG9va0ZhaWx1cmVQb2xpY3k6IFdlYmhvb2tGYWlsdXJlUG9saWN5Cg==
# NOTE(review): this object is a Secret, and the linkerd-config-overrides value
# under data above is base64-encoded, not encrypted. Decoded, it is the install
# values YAML and contains identity.issuer.tls.keyPEM, an EC private key
# (presumably test-only material, since this is a golden fixture under
# testdata/). In a real cluster, limit get/list/watch on this Secret through
# RBAC and enable encryption at rest for Secrets.
kind: Secret
metadata:
creationTimestamp: null
labels:
linkerd.io/control-plane-ns: linkerd
name: linkerd-config-overrides
namespace: linkerd