mirror of https://github.com/linkerd/linkerd2.git
d08dcb0a37
linkerd/linkerd2#2349 introduced a `SelfSubjectAccessReview` check at startup, to determine whether each control-plane component should establish Kubernetes watches cluster-wide or namespace-wide. If this check occurs before the linkerd-proxy sidecar is ready, it fails, and the control-plane component restarts. This change configures each control-plane pod to skip outbound port 443 when injecting the proxy, allowing the control-plane to connect to Kubernetes regardless of the `linkerd-proxy` state. A longer-term fix should involve a more robust control-plane startup, that is resilient to failed Kubernetes API requests. An even longer-term fix could involve injecting `linkerd-proxy` as a Kubernetes "sidecar" container, when that becomes available. Workaround for #2407 Signed-off-by: Andrew Seigner <siggy@buoyant.io> |
||
|---|---|---|
| .. | ||
| cmd | ||
| install | ||
| installsp | ||
| static | ||
| Dockerfile-bin | ||
| main.go | ||