linkerd
/
linkerd2
mirror of https://github.com/linkerd/linkerd2.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
linkerd2/cli/cmd/testdata/install_ha_output.golden

3807 lines
121 KiB
Plaintext
Raw Blame History

---
###
### Linkerd Namespace
###
---
kind: Namespace
apiVersion: v1
metadata:
name: linkerd
annotations:
linkerd.io/inject: disabled
labels:
linkerd.io/is-control-plane: "true"
config.linkerd.io/admission-webhooks: disabled
linkerd.io/control-plane-ns: linkerd
---
###
### Identity Controller Service RBAC
###
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: linkerd-linkerd-identity
labels:
linkerd.io/control-plane-component: identity
linkerd.io/control-plane-ns: linkerd
rules:
- apiGroups: ["authentication.k8s.io"]
resources: ["tokenreviews"]
verbs: ["create"]
- apiGroups: ["apps"]
resources: ["deployments"]
verbs: ["get"]
- apiGroups: [""]
resources: ["events"]
verbs: ["create", "patch"]
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: linkerd-linkerd-identity
labels:
linkerd.io/control-plane-component: identity
linkerd.io/control-plane-ns: linkerd
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: linkerd-linkerd-identity
subjects:
- kind: ServiceAccount
name: linkerd-identity
namespace: linkerd
---
kind: ServiceAccount
apiVersion: v1
metadata:
name: linkerd-identity
namespace: linkerd
labels:
linkerd.io/control-plane-component: identity
linkerd.io/control-plane-ns: linkerd
---
###
### Controller RBAC
###
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: linkerd-linkerd-controller
labels:
linkerd.io/control-plane-component: controller
linkerd.io/control-plane-ns: linkerd
rules:
- apiGroups: ["extensions", "apps"]
resources: ["daemonsets", "deployments", "replicasets", "statefulsets"]
verbs: ["list", "get", "watch"]
- apiGroups: ["extensions", "batch"]
resources: ["cronjobs", "jobs"]
verbs: ["list" , "get", "watch"]
- apiGroups: [""]
resources: ["pods", "endpoints", "services", "replicationcontrollers", "namespaces"]
verbs: ["list", "get", "watch"]
- apiGroups: ["linkerd.io"]
resources: ["serviceprofiles"]
verbs: ["list", "get", "watch"]
- apiGroups: ["split.smi-spec.io"]
resources: ["trafficsplits"]
verbs: ["list", "get", "watch"]
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: linkerd-linkerd-controller
labels:
linkerd.io/control-plane-component: controller
linkerd.io/control-plane-ns: linkerd
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: linkerd-linkerd-controller
subjects:
- kind: ServiceAccount
name: linkerd-controller
namespace: linkerd
---
kind: ServiceAccount
apiVersion: v1
metadata:
name: linkerd-controller
namespace: linkerd
labels:
linkerd.io/control-plane-component: controller
linkerd.io/control-plane-ns: linkerd
---
###
### Destination Controller Service
###
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: linkerd-linkerd-destination
labels:
linkerd.io/control-plane-component: destination
linkerd.io/control-plane-ns: linkerd
rules:
- apiGroups: ["apps"]
resources: ["replicasets"]
verbs: ["list", "get", "watch"]
- apiGroups: ["batch"]
resources: ["jobs"]
verbs: ["list", "get", "watch"]
- apiGroups: [""]
resources: ["pods", "endpoints", "services", "nodes"]
verbs: ["list", "get", "watch"]
- apiGroups: ["linkerd.io"]
resources: ["serviceprofiles"]
verbs: ["list", "get", "watch"]
- apiGroups: ["split.smi-spec.io"]
resources: ["trafficsplits"]
verbs: ["list", "get", "watch"]
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: linkerd-linkerd-destination
labels:
linkerd.io/control-plane-component: destination
linkerd.io/control-plane-ns: linkerd
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: linkerd-linkerd-destination
subjects:
- kind: ServiceAccount
name: linkerd-destination
namespace: linkerd
---
kind: ServiceAccount
apiVersion: v1
metadata:
name: linkerd-destination
namespace: linkerd
labels:
linkerd.io/control-plane-component: destination
linkerd.io/control-plane-ns: linkerd
---
###
### Heartbeat RBAC
###
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: linkerd-heartbeat
namespace: linkerd
labels:
linkerd.io/control-plane-ns: linkerd
rules:
- apiGroups: [""]
resources: ["configmaps"]
verbs: ["get"]
resourceNames: ["linkerd-config"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: linkerd-heartbeat
namespace: linkerd
labels:
linkerd.io/control-plane-ns: linkerd
roleRef:
kind: Role
name: linkerd-heartbeat
apiGroup: rbac.authorization.k8s.io
subjects:
- kind: ServiceAccount
name: linkerd-heartbeat
namespace: linkerd
---
kind: ServiceAccount
apiVersion: v1
metadata:
name: linkerd-heartbeat
namespace: linkerd
labels:
linkerd.io/control-plane-component: heartbeat
linkerd.io/control-plane-ns: linkerd
---
###
### Web RBAC
###
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: linkerd-web
namespace: linkerd
labels:
linkerd.io/control-plane-component: web
linkerd.io/control-plane-ns: linkerd
rules:
- apiGroups: [""]
resources: ["configmaps"]
verbs: ["get"]
resourceNames: ["linkerd-config"]
- apiGroups: [""]
resources: ["namespaces", "configmaps"]
verbs: ["get"]
- apiGroups: [""]
resources: ["serviceaccounts", "pods"]
verbs: ["list"]
- apiGroups: ["apps"]
resources: ["replicasets"]
verbs: ["list"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: linkerd-web
namespace: linkerd
labels:
linkerd.io/control-plane-component: web
linkerd.io/control-plane-ns: linkerd
roleRef:
kind: Role
name: linkerd-web
apiGroup: rbac.authorization.k8s.io
subjects:
- kind: ServiceAccount
name: linkerd-web
namespace: linkerd
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: linkerd-linkerd-web-check
labels:
linkerd.io/control-plane-component: web
linkerd.io/control-plane-ns: linkerd
rules:
- apiGroups: ["rbac.authorization.k8s.io"]
resources: ["clusterroles", "clusterrolebindings"]
verbs: ["list"]
- apiGroups: ["apiextensions.k8s.io"]
resources: ["customresourcedefinitions"]
verbs: ["list"]
- apiGroups: ["admissionregistration.k8s.io"]
resources: ["mutatingwebhookconfigurations", "validatingwebhookconfigurations"]
verbs: ["list"]
- apiGroups: ["policy"]
resources: ["podsecuritypolicies"]
verbs: ["list"]
- apiGroups: ["linkerd.io"]
resources: ["serviceprofiles"]
verbs: ["list"]
- apiGroups: ["apiregistration.k8s.io"]
resources: ["apiservices"]
verbs: ["get"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: linkerd-linkerd-web-check
labels:
linkerd.io/control-plane-component: web
linkerd.io/control-plane-ns: linkerd
roleRef:
kind: ClusterRole
name: linkerd-linkerd-web-check
apiGroup: rbac.authorization.k8s.io
subjects:
- kind: ServiceAccount
name: linkerd-web
namespace: linkerd
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: linkerd-linkerd-web-admin
labels:
linkerd.io/control-plane-component: web
linkerd.io/control-plane-ns: linkerd
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: linkerd-linkerd-tap-admin
subjects:
- kind: ServiceAccount
name: linkerd-web
namespace: linkerd
---
kind: ServiceAccount
apiVersion: v1
metadata:
name: linkerd-web
namespace: linkerd
labels:
linkerd.io/control-plane-component: web
linkerd.io/control-plane-ns: linkerd
---
###
### Service Profile CRD
###
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
name: serviceprofiles.linkerd.io
annotations:
linkerd.io/created-by: linkerd/cli dev-undefined
labels:
linkerd.io/control-plane-ns: linkerd
spec:
group: linkerd.io
versions:
- name: v1alpha1
served: true
storage: false
- name: v1alpha2
served: true
storage: true
scope: Namespaced
names:
plural: serviceprofiles
singular: serviceprofile
kind: ServiceProfile
shortNames:
- sp
---
###
### TrafficSplit CRD
### Copied from https://github.com/deislabs/smi-sdk-go/blob/cea7e1e9372304bbb6c74a3f6ca788d9eaa9cc58/crds/split.yaml
###
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
name: trafficsplits.split.smi-spec.io
annotations:
linkerd.io/created-by: linkerd/cli dev-undefined
labels:
linkerd.io/control-plane-ns: linkerd
spec:
group: split.smi-spec.io
version: v1alpha1
scope: Namespaced
names:
kind: TrafficSplit
shortNames:
- ts
plural: trafficsplits
singular: trafficsplit
additionalPrinterColumns:
- name: Service
type: string
description: The apex service of this split.
JSONPath: .spec.service
---
###
### Proxy Injector RBAC
###
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: linkerd-linkerd-proxy-injector
labels:
linkerd.io/control-plane-component: proxy-injector
linkerd.io/control-plane-ns: linkerd
rules:
- apiGroups: [""]
resources: ["events"]
verbs: ["create", "patch"]
- apiGroups: [""]
resources: ["namespaces", "replicationcontrollers"]
verbs: ["list", "get", "watch"]
- apiGroups: [""]
resources: ["pods"]
verbs: ["list", "watch"]
- apiGroups: ["extensions", "apps"]
resources: ["deployments", "replicasets", "daemonsets", "statefulsets"]
verbs: ["list", "get", "watch"]
- apiGroups: ["extensions", "batch"]
resources: ["cronjobs", "jobs"]
verbs: ["list", "get", "watch"]
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: linkerd-linkerd-proxy-injector
labels:
linkerd.io/control-plane-component: proxy-injector
linkerd.io/control-plane-ns: linkerd
subjects:
- kind: ServiceAccount
name: linkerd-proxy-injector
namespace: linkerd
apiGroup: ""
roleRef:
kind: ClusterRole
name: linkerd-linkerd-proxy-injector
apiGroup: rbac.authorization.k8s.io
---
kind: ServiceAccount
apiVersion: v1
metadata:
name: linkerd-proxy-injector
namespace: linkerd
labels:
linkerd.io/control-plane-component: proxy-injector
linkerd.io/control-plane-ns: linkerd
---
kind: Secret
apiVersion: v1
metadata:
name: linkerd-proxy-injector-k8s-tls
namespace: linkerd
labels:
linkerd.io/control-plane-component: proxy-injector
linkerd.io/control-plane-ns: linkerd
annotations:
linkerd.io/created-by: linkerd/cli dev-undefined
type: kubernetes.io/tls
data:
tls.crt: cHJveHkgaW5qZWN0b3IgY3J0
tls.key: cHJveHkgaW5qZWN0b3Iga2V5
---
apiVersion: admissionregistration.k8s.io/v1beta1
kind: MutatingWebhookConfiguration
metadata:
name: linkerd-proxy-injector-webhook-config
labels:
linkerd.io/control-plane-component: proxy-injector
linkerd.io/control-plane-ns: linkerd
webhooks:
- name: linkerd-proxy-injector.linkerd.io
namespaceSelector:
matchExpressions:
- key: config.linkerd.io/admission-webhooks
operator: NotIn
values:
- disabled
clientConfig:
service:
name: linkerd-proxy-injector
namespace: linkerd
path: "/"
caBundle: cHJveHkgaW5qZWN0b3IgQ0EgYnVuZGxl
failurePolicy: Fail
rules:
- operations: [ "CREATE" ]
apiGroups: [""]
apiVersions: ["v1"]
resources: ["pods"]
sideEffects: None
---
###
### Service Profile Validator RBAC
###
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: linkerd-linkerd-sp-validator
labels:
linkerd.io/control-plane-component: sp-validator
linkerd.io/control-plane-ns: linkerd
rules:
- apiGroups: [""]
resources: ["pods"]
verbs: ["list"]
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: linkerd-linkerd-sp-validator
labels:
linkerd.io/control-plane-component: sp-validator
linkerd.io/control-plane-ns: linkerd
subjects:
- kind: ServiceAccount
name: linkerd-sp-validator
namespace: linkerd
apiGroup: ""
roleRef:
kind: ClusterRole
name: linkerd-linkerd-sp-validator
apiGroup: rbac.authorization.k8s.io
---
kind: ServiceAccount
apiVersion: v1
metadata:
name: linkerd-sp-validator
namespace: linkerd
labels:
linkerd.io/control-plane-component: sp-validator
linkerd.io/control-plane-ns: linkerd
---
kind: Secret
apiVersion: v1
metadata:
name: linkerd-sp-validator-k8s-tls
namespace: linkerd
labels:
linkerd.io/control-plane-component: sp-validator
linkerd.io/control-plane-ns: linkerd
annotations:
linkerd.io/created-by: linkerd/cli dev-undefined
type: kubernetes.io/tls
data:
tls.crt: cHJvZmlsZSB2YWxpZGF0b3IgY3J0
tls.key: cHJvZmlsZSB2YWxpZGF0b3Iga2V5
---
apiVersion: admissionregistration.k8s.io/v1beta1
kind: ValidatingWebhookConfiguration
metadata:
name: linkerd-sp-validator-webhook-config
labels:
linkerd.io/control-plane-component: sp-validator
linkerd.io/control-plane-ns: linkerd
webhooks:
- name: linkerd-sp-validator.linkerd.io
namespaceSelector:
matchExpressions:
- key: config.linkerd.io/admission-webhooks
operator: NotIn
values:
- disabled
clientConfig:
service:
name: linkerd-sp-validator
namespace: linkerd
path: "/"
caBundle: cHJvZmlsZSB2YWxpZGF0b3IgQ0EgYnVuZGxl
failurePolicy: Fail
rules:
- operations: [ "CREATE" , "UPDATE" ]
apiGroups: ["linkerd.io"]
apiVersions: ["v1alpha1", "v1alpha2"]
resources: ["serviceprofiles"]
sideEffects: None
---
###
### Tap RBAC
###
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: linkerd-linkerd-tap
labels:
linkerd.io/control-plane-component: tap
linkerd.io/control-plane-ns: linkerd
rules:
- apiGroups: [""]
resources: ["pods", "services", "replicationcontrollers", "namespaces", "nodes"]
verbs: ["list", "get", "watch"]
- apiGroups: ["extensions", "apps"]
resources: ["daemonsets", "deployments", "replicasets", "statefulsets"]
verbs: ["list", "get", "watch"]
- apiGroups: ["extensions", "batch"]
resources: ["cronjobs", "jobs"]
verbs: ["list" , "get", "watch"]
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: linkerd-linkerd-tap-admin
labels:
linkerd.io/control-plane-component: tap
linkerd.io/control-plane-ns: linkerd
rules:
- apiGroups: ["tap.linkerd.io"]
resources: ["*"]
verbs: ["watch"]
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: linkerd-linkerd-tap
labels:
linkerd.io/control-plane-component: tap
linkerd.io/control-plane-ns: linkerd
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: linkerd-linkerd-tap
subjects:
- kind: ServiceAccount
name: linkerd-tap
namespace: linkerd
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: linkerd-linkerd-tap-auth-delegator
labels:
linkerd.io/control-plane-component: tap
linkerd.io/control-plane-ns: linkerd
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: system:auth-delegator
subjects:
- kind: ServiceAccount
name: linkerd-tap
namespace: linkerd
---
kind: ServiceAccount
apiVersion: v1
metadata:
name: linkerd-tap
namespace: linkerd
labels:
linkerd.io/control-plane-component: tap
linkerd.io/control-plane-ns: linkerd
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: linkerd-linkerd-tap-auth-reader
namespace: kube-system
labels:
linkerd.io/control-plane-component: tap
linkerd.io/control-plane-ns: linkerd
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: extension-apiserver-authentication-reader
subjects:
- kind: ServiceAccount
name: linkerd-tap
namespace: linkerd
---
kind: Secret
apiVersion: v1
metadata:
name: linkerd-tap-k8s-tls
namespace: linkerd
labels:
linkerd.io/control-plane-component: tap
linkerd.io/control-plane-ns: linkerd
annotations:
linkerd.io/created-by: linkerd/cli dev-undefined
type: kubernetes.io/tls
data:
tls.crt: dGFwIGNydA==
tls.key: dGFwIGtleQ==
---
apiVersion: apiregistration.k8s.io/v1
kind: APIService
metadata:
name: v1alpha1.tap.linkerd.io
labels:
linkerd.io/control-plane-component: tap
linkerd.io/control-plane-ns: linkerd
spec:
group: tap.linkerd.io
version: v1alpha1
groupPriorityMinimum: 1000
versionPriority: 100
service:
name: linkerd-tap
namespace: linkerd
caBundle: dGFwIENBIGJ1bmRsZQ==
---
###
### Control Plane PSP
###
---
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
name: linkerd-linkerd-control-plane
labels:
linkerd.io/control-plane-ns: linkerd
spec:
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
allowedCapabilities:
- NET_ADMIN
- NET_RAW
requiredDropCapabilities:
- ALL
hostNetwork: false
hostIPC: false
hostPID: false
seLinux:
rule: RunAsAny
runAsUser:
rule: RunAsAny
supplementalGroups:
rule: MustRunAs
ranges:
- min: 1
max: 65535
fsGroup:
rule: MustRunAs
ranges:
- min: 1
max: 65535
volumes:
- configMap
- emptyDir
- secret
- projected
- downwardAPI
- persistentVolumeClaim
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: linkerd-psp
namespace: linkerd
labels:
linkerd.io/control-plane-ns: linkerd
rules:
- apiGroups: ['policy', 'extensions']
resources: ['podsecuritypolicies']
verbs: ['use']
resourceNames:
- linkerd-linkerd-control-plane
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: linkerd-psp
namespace: linkerd
labels:
linkerd.io/control-plane-ns: linkerd
roleRef:
kind: Role
name: linkerd-psp
apiGroup: rbac.authorization.k8s.io
subjects:
- kind: ServiceAccount
name: linkerd-controller
namespace: linkerd
- kind: ServiceAccount
name: linkerd-destination
namespace: linkerd
- kind: ServiceAccount
name: linkerd-grafana
namespace: linkerd
- kind: ServiceAccount
name: linkerd-heartbeat
namespace: linkerd
- kind: ServiceAccount
name: linkerd-identity
namespace: linkerd
- kind: ServiceAccount
name: linkerd-prometheus
namespace: linkerd
- kind: ServiceAccount
name: linkerd-proxy-injector
namespace: linkerd
- kind: ServiceAccount
name: linkerd-sp-validator
namespace: linkerd
- kind: ServiceAccount
name: linkerd-tap
namespace: linkerd
- kind: ServiceAccount
name: linkerd-web
namespace: linkerd
---
kind: ConfigMap
apiVersion: v1
metadata:
name: linkerd-config
namespace: linkerd
labels:
linkerd.io/control-plane-component: controller
linkerd.io/control-plane-ns: linkerd
annotations:
linkerd.io/created-by: linkerd/cli dev-undefined
data:
values: |
controllerImage: ghcr.io/linkerd/controller
controllerReplicas: 3
controllerUID: 2103
dashboard:
replicas: 1
debugContainer:
image:
name: ghcr.io/linkerd/debug
pullPolicy: IfNotPresent
version: install-debug-version
destinationProxyResources: null
destinationResources:
cpu:
limit: "1"
request: 100m
memory:
limit: 250Mi
request: 50Mi
disableHeartBeat: false
enableH2Upgrade: true
enablePodAntiAffinity: true
global:
cliVersion: linkerd/cli dev-undefined
clusterDomain: cluster.local
clusterNetworks: 10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16
cniEnabled: false
controlPlaneTracing: false
controllerComponentLabel: linkerd.io/control-plane-component
controllerImageVersion: install-control-plane-version
controllerLogLevel: info
controllerNamespaceLabel: linkerd.io/control-plane-ns
createdByAnnotation: linkerd.io/created-by
enableEndpointSlices: false
grafanaUrl: ""
highAvailability: false
identityTrustAnchorsPEM: |
-----BEGIN CERTIFICATE-----
MIIBwTCCAWagAwIBAgIQeDZp5lDaIygQ5UfMKZrFATAKBggqhkjOPQQDAjApMScw
JQYDVQQDEx5pZGVudGl0eS5saW5rZXJkLmNsdXN0ZXIubG9jYWwwHhcNMjAwODI4
MDcxMjQ3WhcNMzAwODI2MDcxMjQ3WjApMScwJQYDVQQDEx5pZGVudGl0eS5saW5r
ZXJkLmNsdXN0ZXIubG9jYWwwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARqc70Z
l1vgw79rjB5uSITICUA6GyfvSFfcuIis7B/XFSkkwAHU5S/s1AAP+R0TX7HBWUC4
uaG4WWsiwJKNn7mgo3AwbjAOBgNVHQ8BAf8EBAMCAQYwEgYDVR0TAQH/BAgwBgEB
/wIBATAdBgNVHQ4EFgQU5YtjVVPfd7I7NLHsn2C26EByGV0wKQYDVR0RBCIwIIIe
aWRlbnRpdHkubGlua2VyZC5jbHVzdGVyLmxvY2FsMAoGCCqGSM49BAMCA0kAMEYC
IQCN7lBFLDDvjx6V0+XkjpKERRsJYf5adMvnloFl48ilJgIhANtxhndcr+QJPuC8
vgUC0d2/9FMueIVMb+46WTCOjsqr
-----END CERTIFICATE-----
identityTrustDomain: cluster.local
imagePullPolicy: IfNotPresent
imagePullSecrets: null
linkerdNamespaceLabel: linkerd.io/is-control-plane
linkerdVersion: dev-undefined
namespace: linkerd
podAnnotations: {}
podLabels: {}
prometheusUrl: ""
proxy:
capabilities: null
component: linkerd-controller
disableIdentity: false
disableTap: false
enableExternalProfiles: false
image:
name: ghcr.io/linkerd/proxy
pullPolicy: IfNotPresent
version: install-proxy-version
inboundConnectTimeout: 100ms
isGateway: false
isIngress: false
logFormat: plain
logLevel: warn,linkerd=info
opaquePorts: ""
outboundConnectTimeout: 1000ms
ports:
admin: 4191
control: 4190
inbound: 4143
outbound: 4140
requireIdentityOnInboundPorts: ""
resources:
cpu:
limit: "1"
request: 100m
memory:
limit: 250Mi
request: 20Mi
saMountPath: null
trace:
collectorSvcAccount: default
collectorSvcAddr: ""
uid: 2102
waitBeforeExitSeconds: 0
workloadKind: deployment
proxyContainerName: linkerd-proxy
proxyInit:
capabilities: null
closeWaitTimeoutSecs: 0
ignoreInboundPorts: 25,443,587,3306,11211
ignoreOutboundPorts: 25,443,587,3306,11211
image:
name: ghcr.io/linkerd/proxy-init
pullPolicy: IfNotPresent
version: v1.3.6
resources:
cpu:
limit: 100m
request: 10m
memory:
limit: 50Mi
request: 10Mi
saMountPath: null
xtMountPath:
mountPath: /run
name: linkerd-proxy-init-xtables-lock
readOnly: false
proxyInjectAnnotation: linkerd.io/inject
proxyInjectDisabled: disabled
workloadNamespaceLabel: linkerd.io/workload-ns
grafana:
enabled: true
resources:
cpu:
limit: "1"
request: 100m
memory:
limit: 1024Mi
request: 50Mi
heartbeatResources:
cpu:
limit: "1"
request: 100m
memory:
limit: 250Mi
request: 50Mi
heartbeatSchedule: 1 2 3 4 5
identity:
issuer:
clockSkewAllowance: 20s
crtExpiry: "2030-08-26T07:13:47Z"
crtExpiryAnnotation: linkerd.io/identity-issuer-expiry
issuanceLifetime: 24h0m0s
scheme: linkerd.io/tls
tls:
crtPEM: |
-----BEGIN CERTIFICATE-----
MIIBwDCCAWegAwIBAgIRAJRIgZ8RtO8Ewg1Xepf8T44wCgYIKoZIzj0EAwIwKTEn
MCUGA1UEAxMeaWRlbnRpdHkubGlua2VyZC5jbHVzdGVyLmxvY2FsMB4XDTIwMDgy
ODA3MTM0N1oXDTMwMDgyNjA3MTM0N1owKTEnMCUGA1UEAxMeaWRlbnRpdHkubGlu
a2VyZC5jbHVzdGVyLmxvY2FsMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE1/Fp
fcRnDcedL6AjUaXYPv4DIMBaJufOI5NWty+XSX7JjXgZtM72dQvRaYanuxD36Dt1
2/JxyiSgxKWRdoay+aNwMG4wDgYDVR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYB
Af8CAQAwHQYDVR0OBBYEFI1WnrqMYKaHHOo+zpyiiDq2pO0KMCkGA1UdEQQiMCCC
HmlkZW50aXR5LmxpbmtlcmQuY2x1c3Rlci5sb2NhbDAKBggqhkjOPQQDAgNHADBE
AiAtuoI5XuCtrGVRzSmRTl2ra28aV9MyTU7d5qnTAFHKSgIgRKCvluOSgA5O21p5
51tdrmkHEZRr0qlLSJdHYgEfMzk=
-----END CERTIFICATE-----
identityProxyResources: null
identityResources:
cpu:
limit: "1"
request: 100m
memory:
limit: 250Mi
request: 10Mi
installNamespace: true
nodeSelector:
beta.kubernetes.io/os: linux
omitWebhookSideEffects: false
profileValidator:
caBundle: profile validator CA bundle
crtPEM: profile validator crt
externalSecret: false
namespaceSelector:
matchExpressions:
- key: config.linkerd.io/admission-webhooks
operator: NotIn
values:
- disabled
prometheus:
enabled: true
resources:
cpu:
limit: "4"
request: 300m
memory:
limit: 8192Mi
request: 300Mi
proxyInjector:
caBundle: proxy injector CA bundle
crtPEM: proxy injector crt
externalSecret: false
namespaceSelector:
matchExpressions:
- key: config.linkerd.io/admission-webhooks
operator: NotIn
values:
- disabled
proxyInjectorProxyResources: null
proxyInjectorResources:
cpu:
limit: "1"
request: 100m
memory:
limit: 250Mi
request: 50Mi
publicAPIProxyResources: null
publicAPIResources:
cpu:
limit: "1"
request: 100m
memory:
limit: 250Mi
request: 50Mi
restrictDashboardPrivileges: false
spValidatorProxyResources: null
spValidatorResources:
cpu:
limit: "1"
request: 100m
memory:
limit: 250Mi
request: 50Mi
tap:
caBundle: tap CA bundle
crtPEM: tap crt
externalSecret: false
tapProxyResources: null
tapResources:
cpu:
limit: "1"
request: 100m
memory:
limit: 250Mi
request: 50Mi
tolerations: null
tracing:
enabled: false
webImage: ghcr.io/linkerd/web
webProxyResources: null
webResources:
cpu:
limit: "1"
request: 100m
memory:
limit: 250Mi
request: 50Mi
webhookFailurePolicy: Fail
---
###
### Identity Controller Service
###
---
kind: Secret
apiVersion: v1
metadata:
name: linkerd-identity-issuer
namespace: linkerd
labels:
linkerd.io/control-plane-component: identity
linkerd.io/control-plane-ns: linkerd
annotations:
linkerd.io/created-by: linkerd/cli dev-undefined
linkerd.io/identity-issuer-expiry: 2030-08-26T07:13:47Z
data:
crt.pem: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUJ3RENDQVdlZ0F3SUJBZ0lSQUpSSWdaOFJ0TzhFd2cxWGVwZjhUNDR3Q2dZSUtvWkl6ajBFQXdJd0tURW4KTUNVR0ExVUVBeE1lYVdSbGJuUnBkSGt1YkdsdWEyVnlaQzVqYkhWemRHVnlMbXh2WTJGc01CNFhEVEl3TURneQpPREEzTVRNME4xb1hEVE13TURneU5qQTNNVE0wTjFvd0tURW5NQ1VHQTFVRUF4TWVhV1JsYm5ScGRIa3ViR2x1CmEyVnlaQzVqYkhWemRHVnlMbXh2WTJGc01Ga3dFd1lIS29aSXpqMENBUVlJS29aSXpqMERBUWNEUWdBRTEvRnAKZmNSbkRjZWRMNkFqVWFYWVB2NERJTUJhSnVmT0k1Tld0eStYU1g3SmpYZ1p0TTcyZFF2UmFZYW51eEQzNkR0MQoyL0p4eWlTZ3hLV1Jkb2F5K2FOd01HNHdEZ1lEVlIwUEFRSC9CQVFEQWdFR01CSUdBMVVkRXdFQi93UUlNQVlCCkFmOENBUUF3SFFZRFZSME9CQllFRkkxV25ycU1ZS2FISE9vK3pweWlpRHEycE8wS01Da0dBMVVkRVFRaU1DQ0MKSG1sa1pXNTBhWFI1TG14cGJtdGxjbVF1WTJ4MWMzUmxjaTVzYjJOaGJEQUtCZ2dxaGtqT1BRUURBZ05IQURCRQpBaUF0dW9JNVh1Q3RyR1ZSelNtUlRsMnJhMjhhVjlNeVRVN2Q1cW5UQUZIS1NnSWdSS0N2bHVPU2dBNU8yMXA1CjUxdGRybWtIRVpScjBxbExTSmRIWWdFZk16az0KLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQ==
key.pem: LS0tLS1CRUdJTiBFQyBQUklWQVRFIEtFWS0tLS0tCk1IY0NBUUVFSUFBZThuZmJ6WnU5Yy9PQjIrOHhKTTBGejdOVXdUUWF6dWxrRk5zNFRJNStvQW9HQ0NxR1NNNDkKQXdFSG9VUURRZ0FFMS9GcGZjUm5EY2VkTDZBalVhWFlQdjRESU1CYUp1Zk9JNU5XdHkrWFNYN0pqWGdadE03MgpkUXZSYVlhbnV4RDM2RHQxMi9KeHlpU2d4S1dSZG9heStRPT0KLS0tLS1FTkQgRUMgUFJJVkFURSBLRVktLS0tLQ==
---
kind: Service
apiVersion: v1
metadata:
name: linkerd-identity
namespace: linkerd
labels:
linkerd.io/control-plane-component: identity
linkerd.io/control-plane-ns: linkerd
annotations:
linkerd.io/created-by: linkerd/cli dev-undefined
spec:
type: ClusterIP
selector:
linkerd.io/control-plane-component: identity
ports:
- name: grpc
port: 8080
targetPort: 8080
---
kind: Service
apiVersion: v1
metadata:
name: linkerd-identity-headless
namespace: linkerd
labels:
linkerd.io/control-plane-component: identity
linkerd.io/control-plane-ns: linkerd
annotations:
linkerd.io/created-by: linkerd/cli dev-undefined
spec:
clusterIP: None
selector:
linkerd.io/control-plane-component: identity
ports:
- name: grpc
port: 8080
targetPort: 8080
---
apiVersion: apps/v1
kind: Deployment
metadata:
annotations:
linkerd.io/created-by: linkerd/cli dev-undefined
labels:
app.kubernetes.io/name: identity
app.kubernetes.io/part-of: Linkerd
app.kubernetes.io/version: install-control-plane-version
linkerd.io/control-plane-component: identity
linkerd.io/control-plane-ns: linkerd
name: linkerd-identity
namespace: linkerd
spec:
replicas: 3
selector:
matchLabels:
linkerd.io/control-plane-component: identity
linkerd.io/control-plane-ns: linkerd
linkerd.io/proxy-deployment: linkerd-identity
strategy:
rollingUpdate:
maxUnavailable: 1
template:
metadata:
annotations:
linkerd.io/created-by: linkerd/cli dev-undefined
linkerd.io/identity-mode: default
linkerd.io/proxy-version: install-proxy-version
labels:
linkerd.io/control-plane-component: identity
linkerd.io/control-plane-ns: linkerd
linkerd.io/workload-ns: linkerd
linkerd.io/proxy-deployment: linkerd-identity
spec:
nodeSelector:
beta.kubernetes.io/os: linux
affinity:
podAntiAffinity:
preferredDuringSchedulingIgnoredDuringExecution:
- podAffinityTerm:
labelSelector:
matchExpressions:
- key: linkerd.io/control-plane-component
operator: In
values:
- identity
topologyKey: failure-domain.beta.kubernetes.io/zone
weight: 100
requiredDuringSchedulingIgnoredDuringExecution:
- labelSelector:
matchExpressions:
- key: linkerd.io/control-plane-component
operator: In
values:
- identity
topologyKey: kubernetes.io/hostname
containers:
- args:
- identity
- -log-level=info
- -controller-namespace=linkerd
- -identity-trust-domain=cluster.local
- -identity-issuance-lifetime=24h0m0s
- -identity-clock-skew-allowance=20s
- -identity-trust-anchors-pem=LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUJ3VENDQVdhZ0F3SUJBZ0lRZURacDVsRGFJeWdRNVVmTUtackZBVEFLQmdncWhrak9QUVFEQWpBcE1TY3cKSlFZRFZRUURFeDVwWkdWdWRHbDBlUzVzYVc1clpYSmtMbU5zZFhOMFpYSXViRzlqWVd3d0hoY05NakF3T0RJNApNRGN4TWpRM1doY05NekF3T0RJMk1EY3hNalEzV2pBcE1TY3dKUVlEVlFRREV4NXBaR1Z1ZEdsMGVTNXNhVzVyClpYSmtMbU5zZFhOMFpYSXViRzlqWVd3d1dUQVRCZ2NxaGtqT1BRSUJCZ2dxaGtqT1BRTUJCd05DQUFScWM3MFoKbDF2Z3c3OXJqQjV1U0lUSUNVQTZHeWZ2U0ZmY3VJaXM3Qi9YRlNra3dBSFU1Uy9zMUFBUCtSMFRYN0hCV1VDNAp1YUc0V1dzaXdKS05uN21nbzNBd2JqQU9CZ05WSFE4QkFmOEVCQU1DQVFZd0VnWURWUjBUQVFIL0JBZ3dCZ0VCCi93SUJBVEFkQmdOVkhRNEVGZ1FVNVl0alZWUGZkN0k3TkxIc24yQzI2RUJ5R1Ywd0tRWURWUjBSQkNJd0lJSWUKYVdSbGJuUnBkSGt1YkdsdWEyVnlaQzVqYkhWemRHVnlMbXh2WTJGc01Bb0dDQ3FHU000OUJBTUNBMGtBTUVZQwpJUUNON2xCRkxERHZqeDZWMCtYa2pwS0VSUnNKWWY1YWRNdm5sb0ZsNDhpbEpnSWhBTnR4aG5kY3IrUUpQdUM4CnZnVUMwZDIvOUZNdWVJVk1iKzQ2V1RDT2pzcXIKLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo=
- -identity-scheme=linkerd.io/tls
image: ghcr.io/linkerd/controller:install-control-plane-version
imagePullPolicy: IfNotPresent
livenessProbe:
httpGet:
path: /ping
port: 9990
initialDelaySeconds: 10
name: identity
ports:
- containerPort: 8080
name: grpc
- containerPort: 9990
name: admin-http
readinessProbe:
failureThreshold: 7
httpGet:
path: /ready
port: 9990
resources:
limits:
cpu: "1"
memory: "250Mi"
requests:
cpu: "100m"
memory: "10Mi"
securityContext:
runAsUser: 2103
volumeMounts:
- mountPath: /var/run/linkerd/identity/issuer
name: identity-issuer
- env:
- name: LINKERD2_PROXY_LOG
value: "warn,linkerd=info"
- name: LINKERD2_PROXY_LOG_FORMAT
value: "plain"
- name: LINKERD2_PROXY_DESTINATION_SVC_ADDR
value: linkerd-dst-headless.linkerd.svc.cluster.local:8086
- name: LINKERD2_PROXY_DESTINATION_PROFILE_NETWORKS
value: "10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16"
- name: LINKERD2_PROXY_INBOUND_CONNECT_TIMEOUT
value: "100ms"
- name: LINKERD2_PROXY_OUTBOUND_CONNECT_TIMEOUT
value: "1000ms"
- name: LINKERD2_PROXY_CONTROL_LISTEN_ADDR
value: 0.0.0.0:4190
- name: LINKERD2_PROXY_ADMIN_LISTEN_ADDR
value: 0.0.0.0:4191
- name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDR
value: 127.0.0.1:4140
- name: LINKERD2_PROXY_INBOUND_LISTEN_ADDR
value: 0.0.0.0:4143
- name: LINKERD2_PROXY_DESTINATION_PROFILE_SUFFIXES
value: svc.cluster.local.
- name: LINKERD2_PROXY_INBOUND_ACCEPT_KEEPALIVE
value: 10000ms
- name: LINKERD2_PROXY_OUTBOUND_CONNECT_KEEPALIVE
value: 10000ms
- name: _pod_ns
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: _pod_nodeName
valueFrom:
fieldRef:
fieldPath: spec.nodeName
- name: LINKERD2_PROXY_DESTINATION_CONTEXT
value: |
{"ns":"$(_pod_ns)", "nodeName":"$(_pod_nodeName)"}
- name: LINKERD2_PROXY_IDENTITY_DIR
value: /var/run/linkerd/identity/end-entity
- name: LINKERD2_PROXY_IDENTITY_TRUST_ANCHORS
value: |
-----BEGIN CERTIFICATE-----
MIIBwTCCAWagAwIBAgIQeDZp5lDaIygQ5UfMKZrFATAKBggqhkjOPQQDAjApMScw
JQYDVQQDEx5pZGVudGl0eS5saW5rZXJkLmNsdXN0ZXIubG9jYWwwHhcNMjAwODI4
MDcxMjQ3WhcNMzAwODI2MDcxMjQ3WjApMScwJQYDVQQDEx5pZGVudGl0eS5saW5r
ZXJkLmNsdXN0ZXIubG9jYWwwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARqc70Z
l1vgw79rjB5uSITICUA6GyfvSFfcuIis7B/XFSkkwAHU5S/s1AAP+R0TX7HBWUC4
uaG4WWsiwJKNn7mgo3AwbjAOBgNVHQ8BAf8EBAMCAQYwEgYDVR0TAQH/BAgwBgEB
/wIBATAdBgNVHQ4EFgQU5YtjVVPfd7I7NLHsn2C26EByGV0wKQYDVR0RBCIwIIIe
aWRlbnRpdHkubGlua2VyZC5jbHVzdGVyLmxvY2FsMAoGCCqGSM49BAMCA0kAMEYC
IQCN7lBFLDDvjx6V0+XkjpKERRsJYf5adMvnloFl48ilJgIhANtxhndcr+QJPuC8
vgUC0d2/9FMueIVMb+46WTCOjsqr
-----END CERTIFICATE-----
- name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE
value: /var/run/secrets/kubernetes.io/serviceaccount/token
- name: LINKERD2_PROXY_IDENTITY_SVC_ADDR
value: localhost.:8080
- name: _pod_sa
valueFrom:
fieldRef:
fieldPath: spec.serviceAccountName
- name: _l5d_ns
value: linkerd
- name: _l5d_trustdomain
value: cluster.local
- name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME
value: $(_pod_sa).$(_pod_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain)
- name: LINKERD2_PROXY_IDENTITY_SVC_NAME
value: linkerd-identity.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain)
- name: LINKERD2_PROXY_DESTINATION_SVC_NAME
value: linkerd-destination.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain)
- name: LINKERD2_PROXY_TAP_SVC_NAME
value: linkerd-tap.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain)
image: ghcr.io/linkerd/proxy:install-proxy-version
imagePullPolicy: IfNotPresent
livenessProbe:
httpGet:
path: /live
port: 4191
initialDelaySeconds: 10
name: linkerd-proxy
ports:
- containerPort: 4143
name: linkerd-proxy
- containerPort: 4191
name: linkerd-admin
readinessProbe:
httpGet:
path: /ready
port: 4191
initialDelaySeconds: 2
resources:
limits:
cpu: "1"
memory: "250Mi"
requests:
cpu: "100m"
memory: "20Mi"
securityContext:
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
runAsUser: 2102
terminationMessagePolicy: FallbackToLogsOnError
volumeMounts:
- mountPath: /var/run/linkerd/identity/end-entity
name: linkerd-identity-end-entity
initContainers:
- args:
- --incoming-proxy-port
- "4143"
- --outgoing-proxy-port
- "4140"
- --proxy-uid
- "2102"
- --inbound-ports-to-ignore
- 4190,4191,25,443,587,3306,11211
- --outbound-ports-to-ignore
- 443,25,443,587,3306,11211
image: ghcr.io/linkerd/proxy-init:v1.3.6
imagePullPolicy: IfNotPresent
name: linkerd-init
resources:
limits:
cpu: "100m"
memory: "50Mi"
requests:
cpu: "10m"
memory: "10Mi"
securityContext:
allowPrivilegeEscalation: false
capabilities:
add:
- NET_ADMIN
- NET_RAW
privileged: false
readOnlyRootFilesystem: true
runAsNonRoot: false
runAsUser: 0
terminationMessagePolicy: FallbackToLogsOnError
volumeMounts:
- mountPath: /run
name: linkerd-proxy-init-xtables-lock
serviceAccountName: linkerd-identity
volumes:
- name: identity-issuer
secret:
secretName: linkerd-identity-issuer
- emptyDir: {}
name: linkerd-proxy-init-xtables-lock
- emptyDir:
medium: Memory
name: linkerd-identity-end-entity
---
###
### Controller
###
---
kind: Service
apiVersion: v1
metadata:
name: linkerd-controller-api
namespace: linkerd
labels:
linkerd.io/control-plane-component: controller
linkerd.io/control-plane-ns: linkerd
annotations:
linkerd.io/created-by: linkerd/cli dev-undefined
spec:
type: ClusterIP
selector:
linkerd.io/control-plane-component: controller
ports:
- name: http
port: 8085
targetPort: 8085
---
apiVersion: apps/v1
kind: Deployment
metadata:
annotations:
linkerd.io/created-by: linkerd/cli dev-undefined
labels:
app.kubernetes.io/name: controller
app.kubernetes.io/part-of: Linkerd
app.kubernetes.io/version: install-control-plane-version
linkerd.io/control-plane-component: controller
linkerd.io/control-plane-ns: linkerd
name: linkerd-controller
namespace: linkerd
spec:
replicas: 3
selector:
matchLabels:
linkerd.io/control-plane-component: controller
linkerd.io/control-plane-ns: linkerd
linkerd.io/proxy-deployment: linkerd-controller
strategy:
rollingUpdate:
maxUnavailable: 1
template:
metadata:
annotations:
linkerd.io/created-by: linkerd/cli dev-undefined
linkerd.io/identity-mode: default
linkerd.io/proxy-version: install-proxy-version
labels:
linkerd.io/control-plane-component: controller
linkerd.io/control-plane-ns: linkerd
linkerd.io/workload-ns: linkerd
linkerd.io/proxy-deployment: linkerd-controller
spec:
nodeSelector:
beta.kubernetes.io/os: linux
affinity:
podAntiAffinity:
preferredDuringSchedulingIgnoredDuringExecution:
- podAffinityTerm:
labelSelector:
matchExpressions:
- key: linkerd.io/control-plane-component
operator: In
values:
- controller
topologyKey: failure-domain.beta.kubernetes.io/zone
weight: 100
requiredDuringSchedulingIgnoredDuringExecution:
- labelSelector:
matchExpressions:
- key: linkerd.io/control-plane-component
operator: In
values:
- controller
topologyKey: kubernetes.io/hostname
containers:
- args:
- public-api
- -destination-addr=linkerd-dst.linkerd.svc.cluster.local:8086
- -controller-namespace=linkerd
- -log-level=info
- -cluster-domain=cluster.local
- -prometheus-url=http://linkerd-prometheus.linkerd.svc.cluster.local:9090
image: ghcr.io/linkerd/controller:install-control-plane-version
imagePullPolicy: IfNotPresent
livenessProbe:
httpGet:
path: /ping
port: 9995
initialDelaySeconds: 10
name: public-api
ports:
- containerPort: 8085
name: http
- containerPort: 9995
name: admin-http
readinessProbe:
failureThreshold: 7
httpGet:
path: /ready
port: 9995
resources:
limits:
cpu: "1"
memory: "250Mi"
requests:
cpu: "100m"
memory: "50Mi"
securityContext:
runAsUser: 2103
- env:
- name: LINKERD2_PROXY_LOG
value: "warn,linkerd=info"
- name: LINKERD2_PROXY_LOG_FORMAT
value: "plain"
- name: LINKERD2_PROXY_DESTINATION_SVC_ADDR
value: linkerd-dst-headless.linkerd.svc.cluster.local:8086
- name: LINKERD2_PROXY_DESTINATION_PROFILE_NETWORKS
value: "10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16"
- name: LINKERD2_PROXY_INBOUND_CONNECT_TIMEOUT
value: "100ms"
- name: LINKERD2_PROXY_OUTBOUND_CONNECT_TIMEOUT
value: "1000ms"
- name: LINKERD2_PROXY_CONTROL_LISTEN_ADDR
value: 0.0.0.0:4190
- name: LINKERD2_PROXY_ADMIN_LISTEN_ADDR
value: 0.0.0.0:4191
- name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDR
value: 127.0.0.1:4140
- name: LINKERD2_PROXY_INBOUND_LISTEN_ADDR
value: 0.0.0.0:4143
- name: LINKERD2_PROXY_DESTINATION_PROFILE_SUFFIXES
value: svc.cluster.local.
- name: LINKERD2_PROXY_INBOUND_ACCEPT_KEEPALIVE
value: 10000ms
- name: LINKERD2_PROXY_OUTBOUND_CONNECT_KEEPALIVE
value: 10000ms
- name: _pod_ns
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: _pod_nodeName
valueFrom:
fieldRef:
fieldPath: spec.nodeName
- name: LINKERD2_PROXY_DESTINATION_CONTEXT
value: |
{"ns":"$(_pod_ns)", "nodeName":"$(_pod_nodeName)"}
- name: LINKERD2_PROXY_IDENTITY_DIR
value: /var/run/linkerd/identity/end-entity
- name: LINKERD2_PROXY_IDENTITY_TRUST_ANCHORS
value: |
-----BEGIN CERTIFICATE-----
MIIBwTCCAWagAwIBAgIQeDZp5lDaIygQ5UfMKZrFATAKBggqhkjOPQQDAjApMScw
JQYDVQQDEx5pZGVudGl0eS5saW5rZXJkLmNsdXN0ZXIubG9jYWwwHhcNMjAwODI4
MDcxMjQ3WhcNMzAwODI2MDcxMjQ3WjApMScwJQYDVQQDEx5pZGVudGl0eS5saW5r
ZXJkLmNsdXN0ZXIubG9jYWwwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARqc70Z
l1vgw79rjB5uSITICUA6GyfvSFfcuIis7B/XFSkkwAHU5S/s1AAP+R0TX7HBWUC4
uaG4WWsiwJKNn7mgo3AwbjAOBgNVHQ8BAf8EBAMCAQYwEgYDVR0TAQH/BAgwBgEB
/wIBATAdBgNVHQ4EFgQU5YtjVVPfd7I7NLHsn2C26EByGV0wKQYDVR0RBCIwIIIe
aWRlbnRpdHkubGlua2VyZC5jbHVzdGVyLmxvY2FsMAoGCCqGSM49BAMCA0kAMEYC
IQCN7lBFLDDvjx6V0+XkjpKERRsJYf5adMvnloFl48ilJgIhANtxhndcr+QJPuC8
vgUC0d2/9FMueIVMb+46WTCOjsqr
-----END CERTIFICATE-----
- name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE
value: /var/run/secrets/kubernetes.io/serviceaccount/token
- name: LINKERD2_PROXY_IDENTITY_SVC_ADDR
value: linkerd-identity-headless.linkerd.svc.cluster.local:8080
- name: _pod_sa
valueFrom:
fieldRef:
fieldPath: spec.serviceAccountName
- name: _l5d_ns
value: linkerd
- name: _l5d_trustdomain
value: cluster.local
- name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME
value: $(_pod_sa).$(_pod_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain)
- name: LINKERD2_PROXY_IDENTITY_SVC_NAME
value: linkerd-identity.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain)
- name: LINKERD2_PROXY_DESTINATION_SVC_NAME
value: linkerd-destination.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain)
- name: LINKERD2_PROXY_TAP_SVC_NAME
value: linkerd-tap.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain)
image: ghcr.io/linkerd/proxy:install-proxy-version
imagePullPolicy: IfNotPresent
livenessProbe:
httpGet:
path: /live
port: 4191
initialDelaySeconds: 10
name: linkerd-proxy
ports:
- containerPort: 4143
name: linkerd-proxy
- containerPort: 4191
name: linkerd-admin
readinessProbe:
httpGet:
path: /ready
port: 4191
initialDelaySeconds: 2
resources:
limits:
cpu: "1"
memory: "250Mi"
requests:
cpu: "100m"
memory: "20Mi"
securityContext:
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
runAsUser: 2102
terminationMessagePolicy: FallbackToLogsOnError
volumeMounts:
- mountPath: /var/run/linkerd/identity/end-entity
name: linkerd-identity-end-entity
initContainers:
- args:
- --incoming-proxy-port
- "4143"
- --outgoing-proxy-port
- "4140"
- --proxy-uid
- "2102"
- --inbound-ports-to-ignore
- 4190,4191,25,443,587,3306,11211
- --outbound-ports-to-ignore
- 443,25,443,587,3306,11211
image: ghcr.io/linkerd/proxy-init:v1.3.6
imagePullPolicy: IfNotPresent
name: linkerd-init
resources:
limits:
cpu: "100m"
memory: "50Mi"
requests:
cpu: "10m"
memory: "10Mi"
securityContext:
allowPrivilegeEscalation: false
capabilities:
add:
- NET_ADMIN
- NET_RAW
privileged: false
readOnlyRootFilesystem: true
runAsNonRoot: false
runAsUser: 0
terminationMessagePolicy: FallbackToLogsOnError
volumeMounts:
- mountPath: /run
name: linkerd-proxy-init-xtables-lock
serviceAccountName: linkerd-controller
volumes:
- emptyDir: {}
name: linkerd-proxy-init-xtables-lock
- emptyDir:
medium: Memory
name: linkerd-identity-end-entity
---
###
### Destination Controller Service
###
---
kind: Service
apiVersion: v1
metadata:
name: linkerd-dst
namespace: linkerd
labels:
linkerd.io/control-plane-component: destination
linkerd.io/control-plane-ns: linkerd
annotations:
linkerd.io/created-by: linkerd/cli dev-undefined
spec:
type: ClusterIP
selector:
linkerd.io/control-plane-component: destination
ports:
- name: grpc
port: 8086
targetPort: 8086
---
kind: Service
apiVersion: v1
metadata:
name: linkerd-dst-headless
namespace: linkerd
labels:
linkerd.io/control-plane-component: destination
linkerd.io/control-plane-ns: linkerd
annotations:
linkerd.io/created-by: linkerd/cli dev-undefined
spec:
clusterIP: None
selector:
linkerd.io/control-plane-component: destination
ports:
- name: grpc
port: 8086
targetPort: 8086
---
apiVersion: apps/v1
kind: Deployment
metadata:
annotations:
linkerd.io/created-by: linkerd/cli dev-undefined
labels:
app.kubernetes.io/name: destination
app.kubernetes.io/part-of: Linkerd
app.kubernetes.io/version: install-control-plane-version
linkerd.io/control-plane-component: destination
linkerd.io/control-plane-ns: linkerd
name: linkerd-destination
namespace: linkerd
spec:
replicas: 3
selector:
matchLabels:
linkerd.io/control-plane-component: destination
linkerd.io/control-plane-ns: linkerd
linkerd.io/proxy-deployment: linkerd-destination
strategy:
rollingUpdate:
maxUnavailable: 1
template:
metadata:
annotations:
linkerd.io/created-by: linkerd/cli dev-undefined
linkerd.io/identity-mode: default
linkerd.io/proxy-version: install-proxy-version
labels:
linkerd.io/control-plane-component: destination
linkerd.io/control-plane-ns: linkerd
linkerd.io/workload-ns: linkerd
linkerd.io/proxy-deployment: linkerd-destination
spec:
nodeSelector:
beta.kubernetes.io/os: linux
affinity:
podAntiAffinity:
preferredDuringSchedulingIgnoredDuringExecution:
- podAffinityTerm:
labelSelector:
matchExpressions:
- key: linkerd.io/control-plane-component
operator: In
values:
- destination
topologyKey: failure-domain.beta.kubernetes.io/zone
weight: 100
requiredDuringSchedulingIgnoredDuringExecution:
- labelSelector:
matchExpressions:
- key: linkerd.io/control-plane-component
operator: In
values:
- destination
topologyKey: kubernetes.io/hostname
containers:
- args:
- destination
- -addr=:8086
- -controller-namespace=linkerd
- -enable-h2-upgrade=true
- -log-level=info
- -enable-endpoint-slices=false
- -cluster-domain=cluster.local
- -identity-trust-domain=cluster.local
image: ghcr.io/linkerd/controller:install-control-plane-version
imagePullPolicy: IfNotPresent
livenessProbe:
httpGet:
path: /ping
port: 9996
initialDelaySeconds: 10
name: destination
ports:
- containerPort: 8086
name: grpc
- containerPort: 9996
name: admin-http
readinessProbe:
failureThreshold: 7
httpGet:
path: /ready
port: 9996
resources:
limits:
cpu: "1"
memory: "250Mi"
requests:
cpu: "100m"
memory: "50Mi"
securityContext:
runAsUser: 2103
- env:
- name: LINKERD2_PROXY_LOG
value: "warn,linkerd=info"
- name: LINKERD2_PROXY_LOG_FORMAT
value: "plain"
- name: LINKERD2_PROXY_DESTINATION_SVC_ADDR
value: localhost.:8086
- name: LINKERD2_PROXY_DESTINATION_PROFILE_NETWORKS
value: "10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16"
- name: LINKERD2_PROXY_INBOUND_CONNECT_TIMEOUT
value: "100ms"
- name: LINKERD2_PROXY_OUTBOUND_CONNECT_TIMEOUT
value: "1000ms"
- name: LINKERD2_PROXY_CONTROL_LISTEN_ADDR
value: 0.0.0.0:4190
- name: LINKERD2_PROXY_ADMIN_LISTEN_ADDR
value: 0.0.0.0:4191
- name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDR
value: 127.0.0.1:4140
- name: LINKERD2_PROXY_INBOUND_LISTEN_ADDR
value: 0.0.0.0:4143
- name: LINKERD2_PROXY_DESTINATION_PROFILE_SUFFIXES
value: svc.cluster.local.
- name: LINKERD2_PROXY_INBOUND_ACCEPT_KEEPALIVE
value: 10000ms
- name: LINKERD2_PROXY_OUTBOUND_CONNECT_KEEPALIVE
value: 10000ms
- name: _pod_ns
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: _pod_nodeName
valueFrom:
fieldRef:
fieldPath: spec.nodeName
- name: LINKERD2_PROXY_DESTINATION_CONTEXT
value: |
{"ns":"$(_pod_ns)", "nodeName":"$(_pod_nodeName)"}
- name: LINKERD2_PROXY_IDENTITY_DIR
value: /var/run/linkerd/identity/end-entity
- name: LINKERD2_PROXY_IDENTITY_TRUST_ANCHORS
value: |
-----BEGIN CERTIFICATE-----
MIIBwTCCAWagAwIBAgIQeDZp5lDaIygQ5UfMKZrFATAKBggqhkjOPQQDAjApMScw
JQYDVQQDEx5pZGVudGl0eS5saW5rZXJkLmNsdXN0ZXIubG9jYWwwHhcNMjAwODI4
MDcxMjQ3WhcNMzAwODI2MDcxMjQ3WjApMScwJQYDVQQDEx5pZGVudGl0eS5saW5r
ZXJkLmNsdXN0ZXIubG9jYWwwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARqc70Z
l1vgw79rjB5uSITICUA6GyfvSFfcuIis7B/XFSkkwAHU5S/s1AAP+R0TX7HBWUC4
uaG4WWsiwJKNn7mgo3AwbjAOBgNVHQ8BAf8EBAMCAQYwEgYDVR0TAQH/BAgwBgEB
/wIBATAdBgNVHQ4EFgQU5YtjVVPfd7I7NLHsn2C26EByGV0wKQYDVR0RBCIwIIIe
aWRlbnRpdHkubGlua2VyZC5jbHVzdGVyLmxvY2FsMAoGCCqGSM49BAMCA0kAMEYC
IQCN7lBFLDDvjx6V0+XkjpKERRsJYf5adMvnloFl48ilJgIhANtxhndcr+QJPuC8
vgUC0d2/9FMueIVMb+46WTCOjsqr
-----END CERTIFICATE-----
- name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE
value: /var/run/secrets/kubernetes.io/serviceaccount/token
- name: LINKERD2_PROXY_IDENTITY_SVC_ADDR
value: linkerd-identity-headless.linkerd.svc.cluster.local:8080
- name: _pod_sa
valueFrom:
fieldRef:
fieldPath: spec.serviceAccountName
- name: _l5d_ns
value: linkerd
- name: _l5d_trustdomain
value: cluster.local
- name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME
value: $(_pod_sa).$(_pod_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain)
- name: LINKERD2_PROXY_IDENTITY_SVC_NAME
value: linkerd-identity.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain)
- name: LINKERD2_PROXY_DESTINATION_SVC_NAME
value: linkerd-destination.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain)
- name: LINKERD2_PROXY_TAP_SVC_NAME
value: linkerd-tap.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain)
image: ghcr.io/linkerd/proxy:install-proxy-version
imagePullPolicy: IfNotPresent
livenessProbe:
httpGet:
path: /live
port: 4191
initialDelaySeconds: 10
name: linkerd-proxy
ports:
- containerPort: 4143
name: linkerd-proxy
- containerPort: 4191
name: linkerd-admin
readinessProbe:
httpGet:
path: /ready
port: 4191
initialDelaySeconds: 2
resources:
limits:
cpu: "1"
memory: "250Mi"
requests:
cpu: "100m"
memory: "20Mi"
securityContext:
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
runAsUser: 2102
terminationMessagePolicy: FallbackToLogsOnError
volumeMounts:
- mountPath: /var/run/linkerd/identity/end-entity
name: linkerd-identity-end-entity
initContainers:
- args:
- --incoming-proxy-port
- "4143"
- --outgoing-proxy-port
- "4140"
- --proxy-uid
- "2102"
- --inbound-ports-to-ignore
- 4190,4191,25,443,587,3306,11211
- --outbound-ports-to-ignore
- 443,25,443,587,3306,11211
image: ghcr.io/linkerd/proxy-init:v1.3.6
imagePullPolicy: IfNotPresent
name: linkerd-init
resources:
limits:
cpu: "100m"
memory: "50Mi"
requests:
cpu: "10m"
memory: "10Mi"
securityContext:
allowPrivilegeEscalation: false
capabilities:
add:
- NET_ADMIN
- NET_RAW
privileged: false
readOnlyRootFilesystem: true
runAsNonRoot: false
runAsUser: 0
terminationMessagePolicy: FallbackToLogsOnError
volumeMounts:
- mountPath: /run
name: linkerd-proxy-init-xtables-lock
serviceAccountName: linkerd-destination
volumes:
- emptyDir: {}
name: linkerd-proxy-init-xtables-lock
- emptyDir:
medium: Memory
name: linkerd-identity-end-entity
---
###
### Heartbeat
###
---
apiVersion: batch/v1beta1
kind: CronJob
metadata:
name: linkerd-heartbeat
namespace: linkerd
labels:
app.kubernetes.io/name: heartbeat
app.kubernetes.io/part-of: Linkerd
app.kubernetes.io/version: install-control-plane-version
linkerd.io/control-plane-component: heartbeat
linkerd.io/control-plane-ns: linkerd
annotations:
linkerd.io/created-by: linkerd/cli dev-undefined
spec:
schedule: "1 2 3 4 5"
successfulJobsHistoryLimit: 0
jobTemplate:
spec:
template:
metadata:
labels:
linkerd.io/control-plane-component: heartbeat
linkerd.io/workload-ns: linkerd
annotations:
linkerd.io/created-by: linkerd/cli dev-undefined
spec:
nodeSelector:
beta.kubernetes.io/os: linux
serviceAccountName: linkerd-heartbeat
restartPolicy: Never
containers:
- name: heartbeat
image: ghcr.io/linkerd/controller:install-control-plane-version
imagePullPolicy: IfNotPresent
args:
- "heartbeat"
- "-controller-namespace=linkerd"
- "-log-level=info"
- "-prometheus-url=http://linkerd-prometheus.linkerd.svc.cluster.local:9090"
resources:
limits:
cpu: "1"
memory: "250Mi"
requests:
cpu: "100m"
memory: "50Mi"
securityContext:
runAsUser: 2103
---
###
### Web
###
---
kind: Service
apiVersion: v1
metadata:
name: linkerd-web
namespace: linkerd
labels:
linkerd.io/control-plane-component: web
linkerd.io/control-plane-ns: linkerd
annotations:
linkerd.io/created-by: linkerd/cli dev-undefined
spec:
type: ClusterIP
selector:
linkerd.io/control-plane-component: web
ports:
- name: http
port: 8084
targetPort: 8084
- name: admin-http
port: 9994
targetPort: 9994
---
apiVersion: apps/v1
kind: Deployment
metadata:
annotations:
linkerd.io/created-by: linkerd/cli dev-undefined
labels:
app.kubernetes.io/name: web
app.kubernetes.io/part-of: Linkerd
app.kubernetes.io/version: install-control-plane-version
linkerd.io/control-plane-component: web
linkerd.io/control-plane-ns: linkerd
name: linkerd-web
namespace: linkerd
spec:
replicas: 1
selector:
matchLabels:
linkerd.io/control-plane-component: web
linkerd.io/control-plane-ns: linkerd
linkerd.io/proxy-deployment: linkerd-web
template:
metadata:
annotations:
linkerd.io/created-by: linkerd/cli dev-undefined
linkerd.io/identity-mode: default
linkerd.io/proxy-version: install-proxy-version
labels:
linkerd.io/control-plane-component: web
linkerd.io/control-plane-ns: linkerd
linkerd.io/workload-ns: linkerd
linkerd.io/proxy-deployment: linkerd-web
spec:
nodeSelector:
beta.kubernetes.io/os: linux
containers:
- args:
- -api-addr=linkerd-controller-api.linkerd.svc.cluster.local:8085
- -cluster-domain=cluster.local
- -grafana-addr=linkerd-grafana.linkerd.svc.cluster.local:3000
- -controller-namespace=linkerd
- -log-level=info
- -enforced-host=^(localhost|127\.0\.0\.1|linkerd-web\.linkerd\.svc\.cluster\.local|linkerd-web\.linkerd\.svc|\[::1\])(:\d+)?$
image: ghcr.io/linkerd/web:install-control-plane-version
imagePullPolicy: IfNotPresent
livenessProbe:
httpGet:
path: /ping
port: 9994
initialDelaySeconds: 10
name: web
ports:
- containerPort: 8084
name: http
- containerPort: 9994
name: admin-http
readinessProbe:
failureThreshold: 7
httpGet:
path: /ready
port: 9994
resources:
limits:
cpu: "1"
memory: "250Mi"
requests:
cpu: "100m"
memory: "50Mi"
securityContext:
runAsUser: 2103
- env:
- name: LINKERD2_PROXY_LOG
value: "warn,linkerd=info"
- name: LINKERD2_PROXY_LOG_FORMAT
value: "plain"
- name: LINKERD2_PROXY_DESTINATION_SVC_ADDR
value: linkerd-dst-headless.linkerd.svc.cluster.local:8086
- name: LINKERD2_PROXY_DESTINATION_PROFILE_NETWORKS
value: "10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16"
- name: LINKERD2_PROXY_INBOUND_CONNECT_TIMEOUT
value: "100ms"
- name: LINKERD2_PROXY_OUTBOUND_CONNECT_TIMEOUT
value: "1000ms"
- name: LINKERD2_PROXY_CONTROL_LISTEN_ADDR
value: 0.0.0.0:4190
- name: LINKERD2_PROXY_ADMIN_LISTEN_ADDR
value: 0.0.0.0:4191
- name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDR
value: 127.0.0.1:4140
- name: LINKERD2_PROXY_INBOUND_LISTEN_ADDR
value: 0.0.0.0:4143
- name: LINKERD2_PROXY_DESTINATION_PROFILE_SUFFIXES
value: svc.cluster.local.
- name: LINKERD2_PROXY_INBOUND_ACCEPT_KEEPALIVE
value: 10000ms
- name: LINKERD2_PROXY_OUTBOUND_CONNECT_KEEPALIVE
value: 10000ms
- name: _pod_ns
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: _pod_nodeName
valueFrom:
fieldRef:
fieldPath: spec.nodeName
- name: LINKERD2_PROXY_DESTINATION_CONTEXT
value: |
{"ns":"$(_pod_ns)", "nodeName":"$(_pod_nodeName)"}
- name: LINKERD2_PROXY_IDENTITY_DIR
value: /var/run/linkerd/identity/end-entity
- name: LINKERD2_PROXY_IDENTITY_TRUST_ANCHORS
value: |
-----BEGIN CERTIFICATE-----
MIIBwTCCAWagAwIBAgIQeDZp5lDaIygQ5UfMKZrFATAKBggqhkjOPQQDAjApMScw
JQYDVQQDEx5pZGVudGl0eS5saW5rZXJkLmNsdXN0ZXIubG9jYWwwHhcNMjAwODI4
MDcxMjQ3WhcNMzAwODI2MDcxMjQ3WjApMScwJQYDVQQDEx5pZGVudGl0eS5saW5r
ZXJkLmNsdXN0ZXIubG9jYWwwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARqc70Z
l1vgw79rjB5uSITICUA6GyfvSFfcuIis7B/XFSkkwAHU5S/s1AAP+R0TX7HBWUC4
uaG4WWsiwJKNn7mgo3AwbjAOBgNVHQ8BAf8EBAMCAQYwEgYDVR0TAQH/BAgwBgEB
/wIBATAdBgNVHQ4EFgQU5YtjVVPfd7I7NLHsn2C26EByGV0wKQYDVR0RBCIwIIIe
aWRlbnRpdHkubGlua2VyZC5jbHVzdGVyLmxvY2FsMAoGCCqGSM49BAMCA0kAMEYC
IQCN7lBFLDDvjx6V0+XkjpKERRsJYf5adMvnloFl48ilJgIhANtxhndcr+QJPuC8
vgUC0d2/9FMueIVMb+46WTCOjsqr
-----END CERTIFICATE-----
- name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE
value: /var/run/secrets/kubernetes.io/serviceaccount/token
- name: LINKERD2_PROXY_IDENTITY_SVC_ADDR
value: linkerd-identity-headless.linkerd.svc.cluster.local:8080
- name: _pod_sa
valueFrom:
fieldRef:
fieldPath: spec.serviceAccountName
- name: _l5d_ns
value: linkerd
- name: _l5d_trustdomain
value: cluster.local
- name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME
value: $(_pod_sa).$(_pod_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain)
- name: LINKERD2_PROXY_IDENTITY_SVC_NAME
value: linkerd-identity.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain)
- name: LINKERD2_PROXY_DESTINATION_SVC_NAME
value: linkerd-destination.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain)
- name: LINKERD2_PROXY_TAP_SVC_NAME
value: linkerd-tap.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain)
image: ghcr.io/linkerd/proxy:install-proxy-version
imagePullPolicy: IfNotPresent
livenessProbe:
httpGet:
path: /live
port: 4191
initialDelaySeconds: 10
name: linkerd-proxy
ports:
- containerPort: 4143
name: linkerd-proxy
- containerPort: 4191
name: linkerd-admin
readinessProbe:
httpGet:
path: /ready
port: 4191
initialDelaySeconds: 2
resources:
limits:
cpu: "1"
memory: "250Mi"
requests:
cpu: "100m"
memory: "20Mi"
securityContext:
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
runAsUser: 2102
terminationMessagePolicy: FallbackToLogsOnError
volumeMounts:
- mountPath: /var/run/linkerd/identity/end-entity
name: linkerd-identity-end-entity
initContainers:
- args:
- --incoming-proxy-port
- "4143"
- --outgoing-proxy-port
- "4140"
- --proxy-uid
- "2102"
- --inbound-ports-to-ignore
- 4190,4191,25,443,587,3306,11211
- --outbound-ports-to-ignore
- 443,25,443,587,3306,11211
image: ghcr.io/linkerd/proxy-init:v1.3.6
imagePullPolicy: IfNotPresent
name: linkerd-init
resources:
limits:
cpu: "100m"
memory: "50Mi"
requests:
cpu: "10m"
memory: "10Mi"
securityContext:
allowPrivilegeEscalation: false
capabilities:
add:
- NET_ADMIN
- NET_RAW
privileged: false
readOnlyRootFilesystem: true
runAsNonRoot: false
runAsUser: 0
terminationMessagePolicy: FallbackToLogsOnError
volumeMounts:
- mountPath: /run
name: linkerd-proxy-init-xtables-lock
serviceAccountName: linkerd-web
volumes:
- emptyDir: {}
name: linkerd-proxy-init-xtables-lock
- emptyDir:
medium: Memory
name: linkerd-identity-end-entity
---
###
### Proxy Injector
###
---
apiVersion: apps/v1
kind: Deployment
metadata:
annotations:
linkerd.io/created-by: linkerd/cli dev-undefined
labels:
app.kubernetes.io/name: proxy-injector
app.kubernetes.io/part-of: Linkerd
app.kubernetes.io/version: install-control-plane-version
linkerd.io/control-plane-component: proxy-injector
linkerd.io/control-plane-ns: linkerd
name: linkerd-proxy-injector
namespace: linkerd
spec:
replicas: 3
selector:
matchLabels:
linkerd.io/control-plane-component: proxy-injector
strategy:
rollingUpdate:
maxUnavailable: 1
template:
metadata:
annotations:
linkerd.io/created-by: linkerd/cli dev-undefined
linkerd.io/identity-mode: default
linkerd.io/proxy-version: install-proxy-version
labels:
linkerd.io/control-plane-component: proxy-injector
linkerd.io/control-plane-ns: linkerd
linkerd.io/workload-ns: linkerd
linkerd.io/proxy-deployment: linkerd-proxy-injector
spec:
nodeSelector:
beta.kubernetes.io/os: linux
affinity:
podAntiAffinity:
preferredDuringSchedulingIgnoredDuringExecution:
- podAffinityTerm:
labelSelector:
matchExpressions:
- key: linkerd.io/control-plane-component
operator: In
values:
- proxy-injector
topologyKey: failure-domain.beta.kubernetes.io/zone
weight: 100
requiredDuringSchedulingIgnoredDuringExecution:
- labelSelector:
matchExpressions:
- key: linkerd.io/control-plane-component
operator: In
values:
- proxy-injector
topologyKey: kubernetes.io/hostname
containers:
- args:
- proxy-injector
- -log-level=info
image: ghcr.io/linkerd/controller:install-control-plane-version
imagePullPolicy: IfNotPresent
livenessProbe:
httpGet:
path: /ping
port: 9995
initialDelaySeconds: 10
name: proxy-injector
ports:
- containerPort: 8443
name: proxy-injector
- containerPort: 9995
name: admin-http
readinessProbe:
failureThreshold: 7
httpGet:
path: /ready
port: 9995
resources:
limits:
cpu: "1"
memory: "250Mi"
requests:
cpu: "100m"
memory: "50Mi"
securityContext:
runAsUser: 2103
volumeMounts:
- mountPath: /var/run/linkerd/config
name: config
- mountPath: /var/run/linkerd/tls
name: tls
readOnly: true
- env:
- name: LINKERD2_PROXY_LOG
value: "warn,linkerd=info"
- name: LINKERD2_PROXY_LOG_FORMAT
value: "plain"
- name: LINKERD2_PROXY_DESTINATION_SVC_ADDR
value: linkerd-dst-headless.linkerd.svc.cluster.local:8086
- name: LINKERD2_PROXY_DESTINATION_PROFILE_NETWORKS
value: "10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16"
- name: LINKERD2_PROXY_INBOUND_CONNECT_TIMEOUT
value: "100ms"
- name: LINKERD2_PROXY_OUTBOUND_CONNECT_TIMEOUT
value: "1000ms"
- name: LINKERD2_PROXY_CONTROL_LISTEN_ADDR
value: 0.0.0.0:4190
- name: LINKERD2_PROXY_ADMIN_LISTEN_ADDR
value: 0.0.0.0:4191
- name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDR
value: 127.0.0.1:4140
- name: LINKERD2_PROXY_INBOUND_LISTEN_ADDR
value: 0.0.0.0:4143
- name: LINKERD2_PROXY_DESTINATION_PROFILE_SUFFIXES
value: svc.cluster.local.
- name: LINKERD2_PROXY_INBOUND_ACCEPT_KEEPALIVE
value: 10000ms
- name: LINKERD2_PROXY_OUTBOUND_CONNECT_KEEPALIVE
value: 10000ms
- name: _pod_ns
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: _pod_nodeName
valueFrom:
fieldRef:
fieldPath: spec.nodeName
- name: LINKERD2_PROXY_DESTINATION_CONTEXT
value: |
{"ns":"$(_pod_ns)", "nodeName":"$(_pod_nodeName)"}
- name: LINKERD2_PROXY_IDENTITY_DIR
value: /var/run/linkerd/identity/end-entity
- name: LINKERD2_PROXY_IDENTITY_TRUST_ANCHORS
value: |
-----BEGIN CERTIFICATE-----
MIIBwTCCAWagAwIBAgIQeDZp5lDaIygQ5UfMKZrFATAKBggqhkjOPQQDAjApMScw
JQYDVQQDEx5pZGVudGl0eS5saW5rZXJkLmNsdXN0ZXIubG9jYWwwHhcNMjAwODI4
MDcxMjQ3WhcNMzAwODI2MDcxMjQ3WjApMScwJQYDVQQDEx5pZGVudGl0eS5saW5r
ZXJkLmNsdXN0ZXIubG9jYWwwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARqc70Z
l1vgw79rjB5uSITICUA6GyfvSFfcuIis7B/XFSkkwAHU5S/s1AAP+R0TX7HBWUC4
uaG4WWsiwJKNn7mgo3AwbjAOBgNVHQ8BAf8EBAMCAQYwEgYDVR0TAQH/BAgwBgEB
/wIBATAdBgNVHQ4EFgQU5YtjVVPfd7I7NLHsn2C26EByGV0wKQYDVR0RBCIwIIIe
aWRlbnRpdHkubGlua2VyZC5jbHVzdGVyLmxvY2FsMAoGCCqGSM49BAMCA0kAMEYC
IQCN7lBFLDDvjx6V0+XkjpKERRsJYf5adMvnloFl48ilJgIhANtxhndcr+QJPuC8
vgUC0d2/9FMueIVMb+46WTCOjsqr
-----END CERTIFICATE-----
- name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE
value: /var/run/secrets/kubernetes.io/serviceaccount/token
- name: LINKERD2_PROXY_IDENTITY_SVC_ADDR
value: linkerd-identity-headless.linkerd.svc.cluster.local:8080
- name: _pod_sa
valueFrom:
fieldRef:
fieldPath: spec.serviceAccountName
- name: _l5d_ns
value: linkerd
- name: _l5d_trustdomain
value: cluster.local
- name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME
value: $(_pod_sa).$(_pod_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain)
- name: LINKERD2_PROXY_IDENTITY_SVC_NAME
value: linkerd-identity.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain)
- name: LINKERD2_PROXY_DESTINATION_SVC_NAME
value: linkerd-destination.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain)
- name: LINKERD2_PROXY_TAP_SVC_NAME
value: linkerd-tap.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain)
image: ghcr.io/linkerd/proxy:install-proxy-version
imagePullPolicy: IfNotPresent
livenessProbe:
httpGet:
path: /live
port: 4191
initialDelaySeconds: 10
name: linkerd-proxy
ports:
- containerPort: 4143
name: linkerd-proxy
- containerPort: 4191
name: linkerd-admin
readinessProbe:
httpGet:
path: /ready
port: 4191
initialDelaySeconds: 2
resources:
limits:
cpu: "1"
memory: "250Mi"
requests:
cpu: "100m"
memory: "20Mi"
securityContext:
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
runAsUser: 2102
terminationMessagePolicy: FallbackToLogsOnError
volumeMounts:
- mountPath: /var/run/linkerd/identity/end-entity
name: linkerd-identity-end-entity
initContainers:
- args:
- --incoming-proxy-port
- "4143"
- --outgoing-proxy-port
- "4140"
- --proxy-uid
- "2102"
- --inbound-ports-to-ignore
- 4190,4191,25,443,587,3306,11211
- --outbound-ports-to-ignore
- 443,25,443,587,3306,11211
image: ghcr.io/linkerd/proxy-init:v1.3.6
imagePullPolicy: IfNotPresent
name: linkerd-init
resources:
limits:
cpu: "100m"
memory: "50Mi"
requests:
cpu: "10m"
memory: "10Mi"
securityContext:
allowPrivilegeEscalation: false
capabilities:
add:
- NET_ADMIN
- NET_RAW
privileged: false
readOnlyRootFilesystem: true
runAsNonRoot: false
runAsUser: 0
terminationMessagePolicy: FallbackToLogsOnError
volumeMounts:
- mountPath: /run
name: linkerd-proxy-init-xtables-lock
serviceAccountName: linkerd-proxy-injector
volumes:
- configMap:
name: linkerd-config
name: config
- name: tls
secret:
secretName: linkerd-proxy-injector-k8s-tls
- emptyDir: {}
name: linkerd-proxy-init-xtables-lock
- emptyDir:
medium: Memory
name: linkerd-identity-end-entity
---
kind: Service
apiVersion: v1
metadata:
name: linkerd-proxy-injector
namespace: linkerd
labels:
linkerd.io/control-plane-component: proxy-injector
linkerd.io/control-plane-ns: linkerd
annotations:
linkerd.io/created-by: linkerd/cli dev-undefined
spec:
type: ClusterIP
selector:
linkerd.io/control-plane-component: proxy-injector
ports:
- name: proxy-injector
port: 443
targetPort: proxy-injector
---
###
### Service Profile Validator
###
---
kind: Service
apiVersion: v1
metadata:
name: linkerd-sp-validator
namespace: linkerd
labels:
linkerd.io/control-plane-component: sp-validator
linkerd.io/control-plane-ns: linkerd
annotations:
linkerd.io/created-by: linkerd/cli dev-undefined
spec:
type: ClusterIP
selector:
linkerd.io/control-plane-component: sp-validator
ports:
- name: sp-validator
port: 443
targetPort: sp-validator
---
apiVersion: apps/v1
kind: Deployment
metadata:
annotations:
linkerd.io/created-by: linkerd/cli dev-undefined
labels:
app.kubernetes.io/name: sp-validator
app.kubernetes.io/part-of: Linkerd
app.kubernetes.io/version: install-control-plane-version
linkerd.io/control-plane-component: sp-validator
linkerd.io/control-plane-ns: linkerd
name: linkerd-sp-validator
namespace: linkerd
spec:
replicas: 3
selector:
matchLabels:
linkerd.io/control-plane-component: sp-validator
strategy:
rollingUpdate:
maxUnavailable: 1
template:
metadata:
annotations:
linkerd.io/created-by: linkerd/cli dev-undefined
linkerd.io/identity-mode: default
linkerd.io/proxy-version: install-proxy-version
labels:
linkerd.io/control-plane-component: sp-validator
linkerd.io/control-plane-ns: linkerd
linkerd.io/workload-ns: linkerd
linkerd.io/proxy-deployment: linkerd-sp-validator
spec:
nodeSelector:
beta.kubernetes.io/os: linux
affinity:
podAntiAffinity:
preferredDuringSchedulingIgnoredDuringExecution:
- podAffinityTerm:
labelSelector:
matchExpressions:
- key: linkerd.io/control-plane-component
operator: In
values:
- sp-validator
topologyKey: failure-domain.beta.kubernetes.io/zone
weight: 100
requiredDuringSchedulingIgnoredDuringExecution:
- labelSelector:
matchExpressions:
- key: linkerd.io/control-plane-component
operator: In
values:
- sp-validator
topologyKey: kubernetes.io/hostname
containers:
- args:
- sp-validator
- -log-level=info
image: ghcr.io/linkerd/controller:install-control-plane-version
imagePullPolicy: IfNotPresent
livenessProbe:
httpGet:
path: /ping
port: 9997
initialDelaySeconds: 10
name: sp-validator
ports:
- containerPort: 8443
name: sp-validator
- containerPort: 9997
name: admin-http
readinessProbe:
failureThreshold: 7
httpGet:
path: /ready
port: 9997
resources:
limits:
cpu: "1"
memory: "250Mi"
requests:
cpu: "100m"
memory: "50Mi"
securityContext:
runAsUser: 2103
volumeMounts:
- mountPath: /var/run/linkerd/tls
name: tls
readOnly: true
- env:
- name: LINKERD2_PROXY_LOG
value: "warn,linkerd=info"
- name: LINKERD2_PROXY_LOG_FORMAT
value: "plain"
- name: LINKERD2_PROXY_DESTINATION_SVC_ADDR
value: linkerd-dst-headless.linkerd.svc.cluster.local:8086
- name: LINKERD2_PROXY_DESTINATION_PROFILE_NETWORKS
value: "10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16"
- name: LINKERD2_PROXY_INBOUND_CONNECT_TIMEOUT
value: "100ms"
- name: LINKERD2_PROXY_OUTBOUND_CONNECT_TIMEOUT
value: "1000ms"
- name: LINKERD2_PROXY_CONTROL_LISTEN_ADDR
value: 0.0.0.0:4190
- name: LINKERD2_PROXY_ADMIN_LISTEN_ADDR
value: 0.0.0.0:4191
- name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDR
value: 127.0.0.1:4140
- name: LINKERD2_PROXY_INBOUND_LISTEN_ADDR
value: 0.0.0.0:4143
- name: LINKERD2_PROXY_DESTINATION_PROFILE_SUFFIXES
value: svc.cluster.local.
- name: LINKERD2_PROXY_INBOUND_ACCEPT_KEEPALIVE
value: 10000ms
- name: LINKERD2_PROXY_OUTBOUND_CONNECT_KEEPALIVE
value: 10000ms
- name: _pod_ns
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: _pod_nodeName
valueFrom:
fieldRef:
fieldPath: spec.nodeName
- name: LINKERD2_PROXY_DESTINATION_CONTEXT
value: |
{"ns":"$(_pod_ns)", "nodeName":"$(_pod_nodeName)"}
- name: LINKERD2_PROXY_IDENTITY_DIR
value: /var/run/linkerd/identity/end-entity
- name: LINKERD2_PROXY_IDENTITY_TRUST_ANCHORS
value: |
-----BEGIN CERTIFICATE-----
MIIBwTCCAWagAwIBAgIQeDZp5lDaIygQ5UfMKZrFATAKBggqhkjOPQQDAjApMScw
JQYDVQQDEx5pZGVudGl0eS5saW5rZXJkLmNsdXN0ZXIubG9jYWwwHhcNMjAwODI4
MDcxMjQ3WhcNMzAwODI2MDcxMjQ3WjApMScwJQYDVQQDEx5pZGVudGl0eS5saW5r
ZXJkLmNsdXN0ZXIubG9jYWwwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARqc70Z
l1vgw79rjB5uSITICUA6GyfvSFfcuIis7B/XFSkkwAHU5S/s1AAP+R0TX7HBWUC4
uaG4WWsiwJKNn7mgo3AwbjAOBgNVHQ8BAf8EBAMCAQYwEgYDVR0TAQH/BAgwBgEB
/wIBATAdBgNVHQ4EFgQU5YtjVVPfd7I7NLHsn2C26EByGV0wKQYDVR0RBCIwIIIe
aWRlbnRpdHkubGlua2VyZC5jbHVzdGVyLmxvY2FsMAoGCCqGSM49BAMCA0kAMEYC
IQCN7lBFLDDvjx6V0+XkjpKERRsJYf5adMvnloFl48ilJgIhANtxhndcr+QJPuC8
vgUC0d2/9FMueIVMb+46WTCOjsqr
-----END CERTIFICATE-----
- name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE
value: /var/run/secrets/kubernetes.io/serviceaccount/token
- name: LINKERD2_PROXY_IDENTITY_SVC_ADDR
value: linkerd-identity-headless.linkerd.svc.cluster.local:8080
- name: _pod_sa
valueFrom:
fieldRef:
fieldPath: spec.serviceAccountName
- name: _l5d_ns
value: linkerd
- name: _l5d_trustdomain
value: cluster.local
- name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME
value: $(_pod_sa).$(_pod_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain)
- name: LINKERD2_PROXY_IDENTITY_SVC_NAME
value: linkerd-identity.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain)
- name: LINKERD2_PROXY_DESTINATION_SVC_NAME
value: linkerd-destination.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain)
- name: LINKERD2_PROXY_TAP_SVC_NAME
value: linkerd-tap.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain)
image: ghcr.io/linkerd/proxy:install-proxy-version
imagePullPolicy: IfNotPresent
livenessProbe:
httpGet:
path: /live
port: 4191
initialDelaySeconds: 10
name: linkerd-proxy
ports:
- containerPort: 4143
name: linkerd-proxy
- containerPort: 4191
name: linkerd-admin
readinessProbe:
httpGet:
path: /ready
port: 4191
initialDelaySeconds: 2
resources:
limits:
cpu: "1"
memory: "250Mi"
requests:
cpu: "100m"
memory: "20Mi"
securityContext:
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
runAsUser: 2102
terminationMessagePolicy: FallbackToLogsOnError
volumeMounts:
- mountPath: /var/run/linkerd/identity/end-entity
name: linkerd-identity-end-entity
initContainers:
- args:
- --incoming-proxy-port
- "4143"
- --outgoing-proxy-port
- "4140"
- --proxy-uid
- "2102"
- --inbound-ports-to-ignore
- 4190,4191,25,443,587,3306,11211
- --outbound-ports-to-ignore
- 443,25,443,587,3306,11211
image: ghcr.io/linkerd/proxy-init:v1.3.6
imagePullPolicy: IfNotPresent
name: linkerd-init
resources:
limits:
cpu: "100m"
memory: "50Mi"
requests:
cpu: "10m"
memory: "10Mi"
securityContext:
allowPrivilegeEscalation: false
capabilities:
add:
- NET_ADMIN
- NET_RAW
privileged: false
readOnlyRootFilesystem: true
runAsNonRoot: false
runAsUser: 0
terminationMessagePolicy: FallbackToLogsOnError
volumeMounts:
- mountPath: /run
name: linkerd-proxy-init-xtables-lock
serviceAccountName: linkerd-sp-validator
volumes:
- name: tls
secret:
secretName: linkerd-sp-validator-k8s-tls
- emptyDir: {}
name: linkerd-proxy-init-xtables-lock
- emptyDir:
medium: Memory
name: linkerd-identity-end-entity
---
###
### Tap
###
---
kind: Service
apiVersion: v1
metadata:
name: linkerd-tap
namespace: linkerd
labels:
linkerd.io/control-plane-component: tap
linkerd.io/control-plane-ns: linkerd
annotations:
linkerd.io/created-by: linkerd/cli dev-undefined
spec:
type: ClusterIP
selector:
linkerd.io/control-plane-component: tap
ports:
- name: grpc
port: 8088
targetPort: 8088
- name: apiserver
port: 443
targetPort: apiserver
---
kind: Deployment
apiVersion: apps/v1
metadata:
annotations:
linkerd.io/created-by: linkerd/cli dev-undefined
labels:
app.kubernetes.io/name: tap
app.kubernetes.io/part-of: Linkerd
app.kubernetes.io/version: install-control-plane-version
linkerd.io/control-plane-component: tap
linkerd.io/control-plane-ns: linkerd
name: linkerd-tap
namespace: linkerd
spec:
replicas: 3
selector:
matchLabels:
linkerd.io/control-plane-component: tap
linkerd.io/control-plane-ns: linkerd
linkerd.io/proxy-deployment: linkerd-tap
strategy:
rollingUpdate:
maxUnavailable: 1
template:
metadata:
annotations:
linkerd.io/created-by: linkerd/cli dev-undefined
linkerd.io/identity-mode: default
linkerd.io/proxy-version: install-proxy-version
labels:
linkerd.io/control-plane-component: tap
linkerd.io/control-plane-ns: linkerd
linkerd.io/workload-ns: linkerd
linkerd.io/proxy-deployment: linkerd-tap
spec:
nodeSelector:
beta.kubernetes.io/os: linux
affinity:
podAntiAffinity:
preferredDuringSchedulingIgnoredDuringExecution:
- podAffinityTerm:
labelSelector:
matchExpressions:
- key: linkerd.io/control-plane-component
operator: In
values:
- tap
topologyKey: failure-domain.beta.kubernetes.io/zone
weight: 100
requiredDuringSchedulingIgnoredDuringExecution:
- labelSelector:
matchExpressions:
- key: linkerd.io/control-plane-component
operator: In
values:
- tap
topologyKey: kubernetes.io/hostname
containers:
- args:
- tap
- -controller-namespace=linkerd
- -log-level=info
- -identity-trust-domain=cluster.local
image: ghcr.io/linkerd/controller:install-control-plane-version
imagePullPolicy: IfNotPresent
livenessProbe:
httpGet:
path: /ping
port: 9998
initialDelaySeconds: 10
name: tap
ports:
- containerPort: 8088
name: grpc
- containerPort: 8089
name: apiserver
- containerPort: 9998
name: admin-http
readinessProbe:
failureThreshold: 7
httpGet:
path: /ready
port: 9998
resources:
limits:
cpu: "1"
memory: "250Mi"
requests:
cpu: "100m"
memory: "50Mi"
securityContext:
runAsUser: 2103
volumeMounts:
- mountPath: /var/run/linkerd/tls
name: tls
readOnly: true
- env:
- name: LINKERD2_PROXY_LOG
value: "warn,linkerd=info"
- name: LINKERD2_PROXY_LOG_FORMAT
value: "plain"
- name: LINKERD2_PROXY_DESTINATION_SVC_ADDR
value: linkerd-dst-headless.linkerd.svc.cluster.local:8086
- name: LINKERD2_PROXY_DESTINATION_PROFILE_NETWORKS
value: "10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16"
- name: LINKERD2_PROXY_INBOUND_CONNECT_TIMEOUT
value: "100ms"
- name: LINKERD2_PROXY_OUTBOUND_CONNECT_TIMEOUT
value: "1000ms"
- name: LINKERD2_PROXY_CONTROL_LISTEN_ADDR
value: 0.0.0.0:4190
- name: LINKERD2_PROXY_ADMIN_LISTEN_ADDR
value: 0.0.0.0:4191
- name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDR
value: 127.0.0.1:4140
- name: LINKERD2_PROXY_INBOUND_LISTEN_ADDR
value: 0.0.0.0:4143
- name: LINKERD2_PROXY_DESTINATION_PROFILE_SUFFIXES
value: svc.cluster.local.
- name: LINKERD2_PROXY_INBOUND_ACCEPT_KEEPALIVE
value: 10000ms
- name: LINKERD2_PROXY_OUTBOUND_CONNECT_KEEPALIVE
value: 10000ms
- name: _pod_ns
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: _pod_nodeName
valueFrom:
fieldRef:
fieldPath: spec.nodeName
- name: LINKERD2_PROXY_DESTINATION_CONTEXT
value: |
{"ns":"$(_pod_ns)", "nodeName":"$(_pod_nodeName)"}
- name: LINKERD2_PROXY_IDENTITY_DIR
value: /var/run/linkerd/identity/end-entity
- name: LINKERD2_PROXY_IDENTITY_TRUST_ANCHORS
value: |
-----BEGIN CERTIFICATE-----
MIIBwTCCAWagAwIBAgIQeDZp5lDaIygQ5UfMKZrFATAKBggqhkjOPQQDAjApMScw
JQYDVQQDEx5pZGVudGl0eS5saW5rZXJkLmNsdXN0ZXIubG9jYWwwHhcNMjAwODI4
MDcxMjQ3WhcNMzAwODI2MDcxMjQ3WjApMScwJQYDVQQDEx5pZGVudGl0eS5saW5r
ZXJkLmNsdXN0ZXIubG9jYWwwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARqc70Z
l1vgw79rjB5uSITICUA6GyfvSFfcuIis7B/XFSkkwAHU5S/s1AAP+R0TX7HBWUC4
uaG4WWsiwJKNn7mgo3AwbjAOBgNVHQ8BAf8EBAMCAQYwEgYDVR0TAQH/BAgwBgEB
/wIBATAdBgNVHQ4EFgQU5YtjVVPfd7I7NLHsn2C26EByGV0wKQYDVR0RBCIwIIIe
aWRlbnRpdHkubGlua2VyZC5jbHVzdGVyLmxvY2FsMAoGCCqGSM49BAMCA0kAMEYC
IQCN7lBFLDDvjx6V0+XkjpKERRsJYf5adMvnloFl48ilJgIhANtxhndcr+QJPuC8
vgUC0d2/9FMueIVMb+46WTCOjsqr
-----END CERTIFICATE-----
- name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE
value: /var/run/secrets/kubernetes.io/serviceaccount/token
- name: LINKERD2_PROXY_IDENTITY_SVC_ADDR
value: linkerd-identity-headless.linkerd.svc.cluster.local:8080
- name: _pod_sa
valueFrom:
fieldRef:
fieldPath: spec.serviceAccountName
- name: _l5d_ns
value: linkerd
- name: _l5d_trustdomain
value: cluster.local
- name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME
value: $(_pod_sa).$(_pod_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain)
- name: LINKERD2_PROXY_IDENTITY_SVC_NAME
value: linkerd-identity.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain)
- name: LINKERD2_PROXY_DESTINATION_SVC_NAME
value: linkerd-destination.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain)
- name: LINKERD2_PROXY_TAP_SVC_NAME
value: linkerd-tap.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain)
image: ghcr.io/linkerd/proxy:install-proxy-version
imagePullPolicy: IfNotPresent
livenessProbe:
httpGet:
path: /live
port: 4191
initialDelaySeconds: 10
name: linkerd-proxy
ports:
- containerPort: 4143
name: linkerd-proxy
- containerPort: 4191
name: linkerd-admin
readinessProbe:
httpGet:
path: /ready
port: 4191
initialDelaySeconds: 2
resources:
limits:
cpu: "1"
memory: "250Mi"
requests:
cpu: "100m"
memory: "20Mi"
securityContext:
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
runAsUser: 2102
terminationMessagePolicy: FallbackToLogsOnError
volumeMounts:
- mountPath: /var/run/linkerd/identity/end-entity
name: linkerd-identity-end-entity
initContainers:
- args:
- --incoming-proxy-port
- "4143"
- --outgoing-proxy-port
- "4140"
- --proxy-uid
- "2102"
- --inbound-ports-to-ignore
- 4190,4191,25,443,587,3306,11211
- --outbound-ports-to-ignore
- 443,25,443,587,3306,11211
image: ghcr.io/linkerd/proxy-init:v1.3.6
imagePullPolicy: IfNotPresent
name: linkerd-init
resources:
limits:
cpu: "100m"
memory: "50Mi"
requests:
cpu: "10m"
memory: "10Mi"
securityContext:
allowPrivilegeEscalation: false
capabilities:
add:
- NET_ADMIN
- NET_RAW
privileged: false
readOnlyRootFilesystem: true
runAsNonRoot: false
runAsUser: 0
terminationMessagePolicy: FallbackToLogsOnError
volumeMounts:
- mountPath: /run
name: linkerd-proxy-init-xtables-lock
serviceAccountName: linkerd-tap
volumes:
- emptyDir: {}
name: linkerd-proxy-init-xtables-lock
- emptyDir:
medium: Memory
name: linkerd-identity-end-entity
- name: tls
secret:
secretName: linkerd-tap-k8s-tls
---
###
### Grafana RBAC
###
---
kind: ServiceAccount
apiVersion: v1
metadata:
name: linkerd-grafana
namespace: linkerd
labels:
linkerd.io/control-plane-component: grafana
linkerd.io/control-plane-ns: linkerd
---
###
### Grafana
###
---
kind: ConfigMap
apiVersion: v1
metadata:
name: linkerd-grafana-config
namespace: linkerd
labels:
linkerd.io/control-plane-component: grafana
linkerd.io/control-plane-ns: linkerd
annotations:
linkerd.io/created-by: linkerd/cli dev-undefined
data:
grafana.ini: |-
instance_name = linkerd-grafana
[server]
root_url = %(protocol)s://%(domain)s:/grafana/
[auth]
disable_login_form = true
[auth.anonymous]
enabled = true
org_role = Editor
[auth.basic]
enabled = false
[analytics]
check_for_updates = false
[panels]
disable_sanitize_html = true
datasources.yaml: |-
apiVersion: 1
datasources:
- name: prometheus
type: prometheus
access: proxy
orgId: 1
url: http://linkerd-prometheus.linkerd.svc.cluster.local:9090
isDefault: true
jsonData:
timeInterval: "5s"
version: 1
editable: true
dashboards.yaml: |-
apiVersion: 1
providers:
- name: 'default'
orgId: 1
folder: ''
type: file
disableDeletion: true
editable: true
options:
path: /var/lib/grafana/dashboards
homeDashboardId: linkerd-top-line
---
kind: Service
apiVersion: v1
metadata:
name: linkerd-grafana
namespace: linkerd
labels:
linkerd.io/control-plane-component: grafana
linkerd.io/control-plane-ns: linkerd
annotations:
linkerd.io/created-by: linkerd/cli dev-undefined
spec:
type: ClusterIP
selector:
linkerd.io/control-plane-component: grafana
ports:
- name: http
port: 3000
targetPort: 3000
---
apiVersion: apps/v1
kind: Deployment
metadata:
annotations:
linkerd.io/created-by: linkerd/cli dev-undefined
labels:
app.kubernetes.io/name: grafana
app.kubernetes.io/part-of: Linkerd
app.kubernetes.io/version: install-control-plane-version
linkerd.io/control-plane-component: grafana
linkerd.io/control-plane-ns: linkerd
name: linkerd-grafana
namespace: linkerd
spec:
replicas: 1
selector:
matchLabels:
linkerd.io/control-plane-component: grafana
linkerd.io/control-plane-ns: linkerd
linkerd.io/proxy-deployment: linkerd-grafana
template:
metadata:
annotations:
linkerd.io/created-by: linkerd/cli dev-undefined
linkerd.io/identity-mode: default
linkerd.io/proxy-version: install-proxy-version
labels:
linkerd.io/control-plane-component: grafana
linkerd.io/control-plane-ns: linkerd
linkerd.io/workload-ns: linkerd
linkerd.io/proxy-deployment: linkerd-grafana
spec:
nodeSelector:
beta.kubernetes.io/os: linux
containers:
- env:
- name: GF_PATHS_DATA
value: /data
# Force using the go-based DNS resolver instead of the OS' to avoid failures in some environments
# see https://github.com/grafana/grafana/issues/20096
- name: GODEBUG
value: netdns=go
image: ghcr.io/linkerd/grafana:install-control-plane-version
imagePullPolicy: IfNotPresent
livenessProbe:
httpGet:
path: /api/health
port: 3000
initialDelaySeconds: 30
name: grafana
ports:
- containerPort: 3000
name: http
readinessProbe:
httpGet:
path: /api/health
port: 3000
resources:
limits:
cpu: "1"
memory: "1024Mi"
requests:
cpu: "100m"
memory: "50Mi"
securityContext:
runAsUser: 472
volumeMounts:
- mountPath: /data
name: data
- mountPath: /etc/grafana
name: grafana-config
readOnly: true
- env:
- name: LINKERD2_PROXY_LOG
value: "warn,linkerd=info"
- name: LINKERD2_PROXY_LOG_FORMAT
value: "plain"
- name: LINKERD2_PROXY_DESTINATION_SVC_ADDR
value: linkerd-dst-headless.linkerd.svc.cluster.local:8086
- name: LINKERD2_PROXY_DESTINATION_PROFILE_NETWORKS
value: "10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16"
- name: LINKERD2_PROXY_INBOUND_CONNECT_TIMEOUT
value: "100ms"
- name: LINKERD2_PROXY_OUTBOUND_CONNECT_TIMEOUT
value: "1000ms"
- name: LINKERD2_PROXY_CONTROL_LISTEN_ADDR
value: 0.0.0.0:4190
- name: LINKERD2_PROXY_ADMIN_LISTEN_ADDR
value: 0.0.0.0:4191
- name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDR
value: 127.0.0.1:4140
- name: LINKERD2_PROXY_INBOUND_LISTEN_ADDR
value: 0.0.0.0:4143
- name: LINKERD2_PROXY_DESTINATION_PROFILE_SUFFIXES
value: svc.cluster.local.
- name: LINKERD2_PROXY_INBOUND_ACCEPT_KEEPALIVE
value: 10000ms
- name: LINKERD2_PROXY_OUTBOUND_CONNECT_KEEPALIVE
value: 10000ms
- name: _pod_ns
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: _pod_nodeName
valueFrom:
fieldRef:
fieldPath: spec.nodeName
- name: LINKERD2_PROXY_DESTINATION_CONTEXT
value: |
{"ns":"$(_pod_ns)", "nodeName":"$(_pod_nodeName)"}
- name: LINKERD2_PROXY_IDENTITY_DIR
value: /var/run/linkerd/identity/end-entity
- name: LINKERD2_PROXY_IDENTITY_TRUST_ANCHORS
value: |
-----BEGIN CERTIFICATE-----
MIIBwTCCAWagAwIBAgIQeDZp5lDaIygQ5UfMKZrFATAKBggqhkjOPQQDAjApMScw
JQYDVQQDEx5pZGVudGl0eS5saW5rZXJkLmNsdXN0ZXIubG9jYWwwHhcNMjAwODI4
MDcxMjQ3WhcNMzAwODI2MDcxMjQ3WjApMScwJQYDVQQDEx5pZGVudGl0eS5saW5r
ZXJkLmNsdXN0ZXIubG9jYWwwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARqc70Z
l1vgw79rjB5uSITICUA6GyfvSFfcuIis7B/XFSkkwAHU5S/s1AAP+R0TX7HBWUC4
uaG4WWsiwJKNn7mgo3AwbjAOBgNVHQ8BAf8EBAMCAQYwEgYDVR0TAQH/BAgwBgEB
/wIBATAdBgNVHQ4EFgQU5YtjVVPfd7I7NLHsn2C26EByGV0wKQYDVR0RBCIwIIIe
aWRlbnRpdHkubGlua2VyZC5jbHVzdGVyLmxvY2FsMAoGCCqGSM49BAMCA0kAMEYC
IQCN7lBFLDDvjx6V0+XkjpKERRsJYf5adMvnloFl48ilJgIhANtxhndcr+QJPuC8
vgUC0d2/9FMueIVMb+46WTCOjsqr
-----END CERTIFICATE-----
- name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE
value: /var/run/secrets/kubernetes.io/serviceaccount/token
- name: LINKERD2_PROXY_IDENTITY_SVC_ADDR
value: linkerd-identity-headless.linkerd.svc.cluster.local:8080
- name: _pod_sa
valueFrom:
fieldRef:
fieldPath: spec.serviceAccountName
- name: _l5d_ns
value: linkerd
- name: _l5d_trustdomain
value: cluster.local
- name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME
value: $(_pod_sa).$(_pod_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain)
- name: LINKERD2_PROXY_IDENTITY_SVC_NAME
value: linkerd-identity.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain)
- name: LINKERD2_PROXY_DESTINATION_SVC_NAME
value: linkerd-destination.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain)
- name: LINKERD2_PROXY_TAP_SVC_NAME
value: linkerd-tap.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain)
image: ghcr.io/linkerd/proxy:install-proxy-version
imagePullPolicy: IfNotPresent
livenessProbe:
httpGet:
path: /live
port: 4191
initialDelaySeconds: 10
name: linkerd-proxy
ports:
- containerPort: 4143
name: linkerd-proxy
- containerPort: 4191
name: linkerd-admin
readinessProbe:
httpGet:
path: /ready
port: 4191
initialDelaySeconds: 2
resources:
limits:
cpu: "1"
memory: "250Mi"
requests:
cpu: "100m"
memory: "20Mi"
securityContext:
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
runAsUser: 2102
terminationMessagePolicy: FallbackToLogsOnError
volumeMounts:
- mountPath: /var/run/linkerd/identity/end-entity
name: linkerd-identity-end-entity
initContainers:
- args:
- --incoming-proxy-port
- "4143"
- --outgoing-proxy-port
- "4140"
- --proxy-uid
- "2102"
- --inbound-ports-to-ignore
- 4190,4191,25,443,587,3306,11211
- --outbound-ports-to-ignore
- 443,25,443,587,3306,11211
image: ghcr.io/linkerd/proxy-init:v1.3.6
imagePullPolicy: IfNotPresent
name: linkerd-init
resources:
limits:
cpu: "100m"
memory: "50Mi"
requests:
cpu: "10m"
memory: "10Mi"
securityContext:
allowPrivilegeEscalation: false
capabilities:
add:
- NET_ADMIN
- NET_RAW
privileged: false
readOnlyRootFilesystem: true
runAsNonRoot: false
runAsUser: 0
terminationMessagePolicy: FallbackToLogsOnError
volumeMounts:
- mountPath: /run
name: linkerd-proxy-init-xtables-lock
serviceAccountName: linkerd-grafana
volumes:
- emptyDir: {}
name: data
- configMap:
items:
- key: grafana.ini
path: grafana.ini
- key: datasources.yaml
path: provisioning/datasources/datasources.yaml
- key: dashboards.yaml
path: provisioning/dashboards/dashboards.yaml
name: linkerd-grafana-config
name: grafana-config
- emptyDir: {}
name: linkerd-proxy-init-xtables-lock
- emptyDir:
medium: Memory
name: linkerd-identity-end-entity
---
###
### Prometheus RBAC
###
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: linkerd-linkerd-prometheus
labels:
linkerd.io/control-plane-component: prometheus
linkerd.io/control-plane-ns: linkerd
rules:
- apiGroups: [""]
resources: ["nodes", "nodes/proxy", "pods"]
verbs: ["get", "list", "watch"]
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: linkerd-linkerd-prometheus
labels:
linkerd.io/control-plane-component: prometheus
linkerd.io/control-plane-ns: linkerd
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: linkerd-linkerd-prometheus
subjects:
- kind: ServiceAccount
name: linkerd-prometheus
namespace: linkerd
---
kind: ServiceAccount
apiVersion: v1
metadata:
name: linkerd-prometheus
namespace: linkerd
labels:
linkerd.io/control-plane-component: prometheus
linkerd.io/control-plane-ns: linkerd
---
###
### Prometheus
###
---
kind: ConfigMap
apiVersion: v1
metadata:
name: linkerd-prometheus-config
namespace: linkerd
labels:
linkerd.io/control-plane-component: prometheus
linkerd.io/control-plane-ns: linkerd
annotations:
linkerd.io/created-by: linkerd/cli dev-undefined
data:
prometheus.yml: |-
global:
evaluation_interval: 10s
scrape_interval: 10s
scrape_timeout: 10s
rule_files:
- /etc/prometheus/*_rules.yml
- /etc/prometheus/*_rules.yaml
scrape_configs:
- job_name: 'prometheus'
static_configs:
- targets: ['localhost:9090']
- job_name: 'grafana'
kubernetes_sd_configs:
- role: pod
namespaces:
names: ['linkerd']
relabel_configs:
- source_labels:
- __meta_kubernetes_pod_container_name
action: keep
regex: ^grafana$
# Required for: https://grafana.com/grafana/dashboards/315
- job_name: 'kubernetes-nodes-cadvisor'
scheme: https
tls_config:
ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
insecure_skip_verify: true
bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token
kubernetes_sd_configs:
- role: node
relabel_configs:
- action: labelmap
regex: __meta_kubernetes_node_label_(.+)
- target_label: __address__
replacement: kubernetes.default.svc:443
- source_labels: [__meta_kubernetes_node_name]
regex: (.+)
target_label: __metrics_path__
replacement: /api/v1/nodes/$1/proxy/metrics/cadvisor
metric_relabel_configs:
- source_labels: [__name__]
regex: '(container|machine)_(cpu|memory|network|fs)_(.+)'
action: keep
- source_labels: [__name__]
regex: 'container_memory_failures_total' # unneeded large metric
action: drop
- job_name: 'linkerd-controller'
kubernetes_sd_configs:
- role: pod
namespaces:
names: ['linkerd']
relabel_configs:
- source_labels:
- __meta_kubernetes_pod_label_linkerd_io_control_plane_component
- __meta_kubernetes_pod_container_port_name
action: keep
regex: (.*);admin-http$
- source_labels: [__meta_kubernetes_pod_container_name]
action: replace
target_label: component
- job_name: 'linkerd-service-mirror'
kubernetes_sd_configs:
- role: pod
relabel_configs:
- source_labels:
- __meta_kubernetes_pod_label_linkerd_io_control_plane_component
- __meta_kubernetes_pod_container_port_name
action: keep
regex: linkerd-service-mirror;admin-http$
- source_labels: [__meta_kubernetes_pod_container_name]
action: replace
target_label: component
- job_name: 'linkerd-proxy'
kubernetes_sd_configs:
- role: pod
relabel_configs:
- source_labels:
- __meta_kubernetes_pod_container_name
- __meta_kubernetes_pod_container_port_name
- __meta_kubernetes_pod_label_linkerd_io_control_plane_ns
action: keep
regex: ^linkerd-proxy;linkerd-admin;linkerd$
- source_labels: [__meta_kubernetes_namespace]
action: replace
target_label: namespace
- source_labels: [__meta_kubernetes_pod_name]
action: replace
target_label: pod
# special case k8s' "job" label, to not interfere with prometheus' "job"
# label
# __meta_kubernetes_pod_label_linkerd_io_proxy_job=foo =>
# k8s_job=foo
- source_labels: [__meta_kubernetes_pod_label_linkerd_io_proxy_job]
action: replace
target_label: k8s_job
# drop __meta_kubernetes_pod_label_linkerd_io_proxy_job
- action: labeldrop
regex: __meta_kubernetes_pod_label_linkerd_io_proxy_job
# __meta_kubernetes_pod_label_linkerd_io_proxy_deployment=foo =>
# deployment=foo
- action: labelmap
regex: __meta_kubernetes_pod_label_linkerd_io_proxy_(.+)
# drop all labels that we just made copies of in the previous labelmap
- action: labeldrop
regex: __meta_kubernetes_pod_label_linkerd_io_proxy_(.+)
# __meta_kubernetes_pod_label_linkerd_io_foo=bar =>
# foo=bar
- action: labelmap
regex: __meta_kubernetes_pod_label_linkerd_io_(.+)
# Copy all pod labels to tmp labels
- action: labelmap
regex: __meta_kubernetes_pod_label_(.+)
replacement: __tmp_pod_label_$1
# Take `linkerd_io_` prefixed labels and copy them without the prefix
- action: labelmap
regex: __tmp_pod_label_linkerd_io_(.+)
replacement: __tmp_pod_label_$1
# Drop the `linkerd_io_` originals
- action: labeldrop
regex: __tmp_pod_label_linkerd_io_(.+)
# Copy tmp labels into real labels
- action: labelmap
regex: __tmp_pod_label_(.+)
---
kind: Service
apiVersion: v1
metadata:
name: linkerd-prometheus
namespace: linkerd
labels:
linkerd.io/control-plane-component: prometheus
linkerd.io/control-plane-ns: linkerd
annotations:
linkerd.io/created-by: linkerd/cli dev-undefined
spec:
type: ClusterIP
selector:
linkerd.io/control-plane-component: prometheus
ports:
- name: admin-http
port: 9090
targetPort: 9090
---
apiVersion: apps/v1
kind: Deployment
metadata:
annotations:
linkerd.io/created-by: linkerd/cli dev-undefined
labels:
app.kubernetes.io/name: prometheus
app.kubernetes.io/part-of: Linkerd
app.kubernetes.io/version: install-control-plane-version
linkerd.io/control-plane-component: prometheus
linkerd.io/control-plane-ns: linkerd
name: linkerd-prometheus
namespace: linkerd
spec:
replicas: 1
selector:
matchLabels:
linkerd.io/control-plane-component: prometheus
linkerd.io/control-plane-ns: linkerd
linkerd.io/proxy-deployment: linkerd-prometheus
template:
metadata:
annotations:
linkerd.io/created-by: linkerd/cli dev-undefined
linkerd.io/identity-mode: default
linkerd.io/proxy-version: install-proxy-version
labels:
linkerd.io/control-plane-component: prometheus
linkerd.io/control-plane-ns: linkerd
linkerd.io/workload-ns: linkerd
linkerd.io/proxy-deployment: linkerd-prometheus
spec:
nodeSelector:
beta.kubernetes.io/os: linux
securityContext:
fsGroup: 65534
containers:
- args:
- --config.file=/etc/prometheus/prometheus.yml
- --log.level=info
- --storage.tsdb.path=/data
- --storage.tsdb.retention.time=6h
image: prom/prometheus:v2.19.3
imagePullPolicy: IfNotPresent
livenessProbe:
httpGet:
path: /-/healthy
port: 9090
initialDelaySeconds: 30
timeoutSeconds: 30
name: prometheus
ports:
- containerPort: 9090
name: admin-http
readinessProbe:
httpGet:
path: /-/ready
port: 9090
initialDelaySeconds: 30
timeoutSeconds: 30
resources:
limits:
cpu: "4"
memory: "8192Mi"
requests:
cpu: "300m"
memory: "300Mi"
securityContext:
runAsNonRoot: true
runAsUser: 65534
runAsGroup: 65534
volumeMounts:
- mountPath: /data
name: data
- mountPath: /etc/prometheus/prometheus.yml
name: prometheus-config
subPath: prometheus.yml
readOnly: true
- env:
- name: LINKERD2_PROXY_LOG
value: "warn,linkerd=info"
- name: LINKERD2_PROXY_LOG_FORMAT
value: "plain"
- name: LINKERD2_PROXY_DESTINATION_SVC_ADDR
value: linkerd-dst-headless.linkerd.svc.cluster.local:8086
- name: LINKERD2_PROXY_DESTINATION_PROFILE_NETWORKS
value: "10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16"
- name: LINKERD2_PROXY_INBOUND_CONNECT_TIMEOUT
value: "100ms"
- name: LINKERD2_PROXY_OUTBOUND_CONNECT_TIMEOUT
value: "1000ms"
- name: LINKERD2_PROXY_CONTROL_LISTEN_ADDR
value: 0.0.0.0:4190
- name: LINKERD2_PROXY_ADMIN_LISTEN_ADDR
value: 0.0.0.0:4191
- name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDR
value: 127.0.0.1:4140
- name: LINKERD2_PROXY_INBOUND_LISTEN_ADDR
value: 0.0.0.0:4143
- name: LINKERD2_PROXY_DESTINATION_PROFILE_SUFFIXES
value: svc.cluster.local.
- name: LINKERD2_PROXY_INBOUND_ACCEPT_KEEPALIVE
value: 10000ms
- name: LINKERD2_PROXY_OUTBOUND_CONNECT_KEEPALIVE
value: 10000ms
- name: _pod_ns
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: _pod_nodeName
valueFrom:
fieldRef:
fieldPath: spec.nodeName
- name: LINKERD2_PROXY_DESTINATION_CONTEXT
value: |
{"ns":"$(_pod_ns)", "nodeName":"$(_pod_nodeName)"}
- name: LINKERD2_PROXY_IDENTITY_DIR
value: /var/run/linkerd/identity/end-entity
- name: LINKERD2_PROXY_IDENTITY_TRUST_ANCHORS
value: |
-----BEGIN CERTIFICATE-----
MIIBwTCCAWagAwIBAgIQeDZp5lDaIygQ5UfMKZrFATAKBggqhkjOPQQDAjApMScw
JQYDVQQDEx5pZGVudGl0eS5saW5rZXJkLmNsdXN0ZXIubG9jYWwwHhcNMjAwODI4
MDcxMjQ3WhcNMzAwODI2MDcxMjQ3WjApMScwJQYDVQQDEx5pZGVudGl0eS5saW5r
ZXJkLmNsdXN0ZXIubG9jYWwwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARqc70Z
l1vgw79rjB5uSITICUA6GyfvSFfcuIis7B/XFSkkwAHU5S/s1AAP+R0TX7HBWUC4
uaG4WWsiwJKNn7mgo3AwbjAOBgNVHQ8BAf8EBAMCAQYwEgYDVR0TAQH/BAgwBgEB
/wIBATAdBgNVHQ4EFgQU5YtjVVPfd7I7NLHsn2C26EByGV0wKQYDVR0RBCIwIIIe
aWRlbnRpdHkubGlua2VyZC5jbHVzdGVyLmxvY2FsMAoGCCqGSM49BAMCA0kAMEYC
IQCN7lBFLDDvjx6V0+XkjpKERRsJYf5adMvnloFl48ilJgIhANtxhndcr+QJPuC8
vgUC0d2/9FMueIVMb+46WTCOjsqr
-----END CERTIFICATE-----
- name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE
value: /var/run/secrets/kubernetes.io/serviceaccount/token
- name: LINKERD2_PROXY_IDENTITY_SVC_ADDR
value: linkerd-identity-headless.linkerd.svc.cluster.local:8080
- name: _pod_sa
valueFrom:
fieldRef:
fieldPath: spec.serviceAccountName
- name: _l5d_ns
value: linkerd
- name: _l5d_trustdomain
value: cluster.local
- name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME
value: $(_pod_sa).$(_pod_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain)
- name: LINKERD2_PROXY_IDENTITY_SVC_NAME
value: linkerd-identity.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain)
- name: LINKERD2_PROXY_DESTINATION_SVC_NAME
value: linkerd-destination.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain)
- name: LINKERD2_PROXY_TAP_SVC_NAME
value: linkerd-tap.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain)
image: ghcr.io/linkerd/proxy:install-proxy-version
imagePullPolicy: IfNotPresent
livenessProbe:
httpGet:
path: /live
port: 4191
initialDelaySeconds: 10
name: linkerd-proxy
ports:
- containerPort: 4143
name: linkerd-proxy
- containerPort: 4191
name: linkerd-admin
readinessProbe:
httpGet:
path: /ready
port: 4191
initialDelaySeconds: 2
resources:
limits:
cpu: "1"
memory: "250Mi"
requests:
cpu: "100m"
memory: "20Mi"
securityContext:
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
runAsUser: 2102
terminationMessagePolicy: FallbackToLogsOnError
volumeMounts:
- mountPath: /var/run/linkerd/identity/end-entity
name: linkerd-identity-end-entity
initContainers:
- args:
- --incoming-proxy-port
- "4143"
- --outgoing-proxy-port
- "4140"
- --proxy-uid
- "2102"
- --inbound-ports-to-ignore
- 4190,4191,25,443,587,3306,11211
- --outbound-ports-to-ignore
- 443,25,443,587,3306,11211
image: ghcr.io/linkerd/proxy-init:v1.3.6
imagePullPolicy: IfNotPresent
name: linkerd-init
resources:
limits:
cpu: "100m"
memory: "50Mi"
requests:
cpu: "10m"
memory: "10Mi"
securityContext:
allowPrivilegeEscalation: false
capabilities:
add:
- NET_ADMIN
- NET_RAW
privileged: false
readOnlyRootFilesystem: true
runAsNonRoot: false
runAsUser: 0
terminationMessagePolicy: FallbackToLogsOnError
volumeMounts:
- mountPath: /run
name: linkerd-proxy-init-xtables-lock
serviceAccountName: linkerd-prometheus
volumes:
- name: data
emptyDir: {}
- configMap:
name: linkerd-prometheus-config
name: prometheus-config
- emptyDir: {}
name: linkerd-proxy-init-xtables-lock
- emptyDir:
medium: Memory
name: linkerd-identity-end-entity
---
apiVersion: v1
data:
linkerd-config-overrides: Y29udHJvbGxlclJlcGxpY2FzOiAzCmRlYnVnQ29udGFpbmVyOgogIGltYWdlOgogICAgdmVyc2lvbjogaW5zdGFsbC1kZWJ1Zy12ZXJzaW9uCmRlc3RpbmF0aW9uUmVzb3VyY2VzOgogIGNwdToKICAgIGxpbWl0OiAiMSIKICAgIHJlcXVlc3Q6IDEwMG0KICBtZW1vcnk6CiAgICBsaW1pdDogMjUwTWkKICAgIHJlcXVlc3Q6IDUwTWkKZW5hYmxlUG9kQW50aUFmZmluaXR5OiB0cnVlCmdsb2JhbDoKICBjb250cm9sbGVySW1hZ2VWZXJzaW9uOiBpbnN0YWxsLWNvbnRyb2wtcGxhbmUtdmVyc2lvbgogIGlkZW50aXR5VHJ1c3RBbmNob3JzUEVNOiB8CiAgICAtLS0tLUJFR0lOIENFUlRJRklDQVRFLS0tLS0KICAgIE1JSUJ3VENDQVdhZ0F3SUJBZ0lRZURacDVsRGFJeWdRNVVmTUtackZBVEFLQmdncWhrak9QUVFEQWpBcE1TY3cKICAgIEpRWURWUVFERXg1cFpHVnVkR2wwZVM1c2FXNXJaWEprTG1Oc2RYTjBaWEl1Ykc5allXd3dIaGNOTWpBd09ESTQKICAgIE1EY3hNalEzV2hjTk16QXdPREkyTURjeE1qUTNXakFwTVNjd0pRWURWUVFERXg1cFpHVnVkR2wwZVM1c2FXNXIKICAgIFpYSmtMbU5zZFhOMFpYSXViRzlqWVd3d1dUQVRCZ2NxaGtqT1BRSUJCZ2dxaGtqT1BRTUJCd05DQUFScWM3MFoKICAgIGwxdmd3NzlyakI1dVNJVElDVUE2R3lmdlNGZmN1SWlzN0IvWEZTa2t3QUhVNVMvczFBQVArUjBUWDdIQldVQzQKICAgIHVhRzRXV3Npd0pLTm43bWdvM0F3YmpBT0JnTlZIUThCQWY4RUJBTUNBUVl3RWdZRFZSMFRBUUgvQkFnd0JnRUIKICAgIC93SUJBVEFkQmdOVkhRNEVGZ1FVNVl0alZWUGZkN0k3TkxIc24yQzI2RUJ5R1Ywd0tRWURWUjBSQkNJd0lJSWUKICAgIGFXUmxiblJwZEhrdWJHbHVhMlZ5WkM1amJIVnpkR1Z5TG14dlkyRnNNQW9HQ0NxR1NNNDlCQU1DQTBrQU1FWUMKICAgIElRQ043bEJGTEREdmp4NlYwK1hranBLRVJSc0pZZjVhZE12bmxvRmw0OGlsSmdJaEFOdHhobmRjcitRSlB1QzgKICAgIHZnVUMwZDIvOUZNdWVJVk1iKzQ2V1RDT2pzcXIKICAgIC0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0KICBpbWFnZVB1bGxTZWNyZXRzOiBudWxsCiAgcHJveHk6CiAgICBpbWFnZToKICAgICAgdmVyc2lvbjogaW5zdGFsbC1wcm94eS12ZXJzaW9uCiAgICByZXNvdXJjZXM6CiAgICAgIGNwdToKICAgICAgICBsaW1pdDogIjEiCiAgICAgICAgcmVxdWVzdDogMTAwbQogICAgICBtZW1vcnk6CiAgICAgICAgbGltaXQ6IDI1ME1pCiAgICAgICAgcmVxdWVzdDogMjBNaQpncmFmYW5hOgogIHJlc291cmNlczoKICAgIGNwdToKICAgICAgbGltaXQ6ICIxIgogICAgICByZXF1ZXN0OiAxMDBtCiAgICBtZW1vcnk6CiAgICAgIGxpbWl0OiAxMDI0TWkKICAgICAgcmVxdWVzdDogNTBNaQpoZWFydGJlYXRSZXNvdXJjZXM6CiAgY3B1OgogICAgbGltaXQ6ICIxIgogICAgcmVxdWVzdDogMTAwbQogIG1lbW9yeToKICAgIGxpbWl0OiAyNTBNaQogICAgcmVxdWVzdDogNTBNaQpoZWFydGJlYXRTY2hlZHVsZTogMSAyIDMgNCA1CmlkZW50aXR5OgogIGlzc3VlcjoKICAgIGNydEV4cGlyeTogIjIwMzAtMDgtMjZUMDc6MTM6NDdaIgogICAgdGxzOgogICAgICBjcnRQRU06IHwKICAgICAgICAtLS0tLUJFR0lOIENFUlRJRklDQVRFLS0tLS0KICAgICAgICBNSUlCd0RDQ0FXZWdBd0lCQWdJUkFKUklnWjhSdE84RXdnMVhlcGY4VDQ0d0NnWUlLb1pJemowRUF3SXdLVEVuCiAgICAgICAgTUNVR0ExVUVBeE1lYVdSbGJuUnBkSGt1YkdsdWEyVnlaQzVqYkhWemRHVnlMbXh2WTJGc01CNFhEVEl3TURneQogICAgICAgIE9EQTNNVE0wTjFvWERUTXdNRGd5TmpBM01UTTBOMW93S1RFbk1DVUdBMVVFQXhNZWFXUmxiblJwZEhrdWJHbHUKICAgICAgICBhMlZ5WkM1amJIVnpkR1Z5TG14dlkyRnNNRmt3RXdZSEtvWkl6ajBDQVFZSUtvWkl6ajBEQVFjRFFnQUUxL0ZwCiAgICAgICAgZmNSbkRjZWRMNkFqVWFYWVB2NERJTUJhSnVmT0k1Tld0eStYU1g3SmpYZ1p0TTcyZFF2UmFZYW51eEQzNkR0MQogICAgICAgIDIvSnh5aVNneEtXUmRvYXkrYU53TUc0d0RnWURWUjBQQVFIL0JBUURBZ0VHTUJJR0ExVWRFd0VCL3dRSU1BWUIKICAgICAgICBBZjhDQVFBd0hRWURWUjBPQkJZRUZJMVducnFNWUthSEhPbyt6cHlpaURxMnBPMEtNQ2tHQTFVZEVRUWlNQ0NDCiAgICAgICAgSG1sa1pXNTBhWFI1TG14cGJtdGxjbVF1WTJ4MWMzUmxjaTVzYjJOaGJEQUtCZ2dxaGtqT1BRUURBZ05IQURCRQogICAgICAgIEFpQXR1b0k1WHVDdHJHVlJ6U21SVGwycmEyOGFWOU15VFU3ZDVxblRBRkhLU2dJZ1JLQ3ZsdU9TZ0E1TzIxcDUKICAgICAgICA1MXRkcm1rSEVaUnIwcWxMU0pkSFlnRWZNems9CiAgICAgICAgLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQogICAgICBrZXlQRU06IHwKICAgICAgICAtLS0tLUJFR0lOIEVDIFBSSVZBVEUgS0VZLS0tLS0KICAgICAgICBNSGNDQVFFRUlBQWU4bmZielp1OWMvT0IyKzh4Sk0wRno3TlV3VFFhenVsa0ZOczRUSTUrb0FvR0NDcUdTTTQ5CiAgICAgICAgQXdFSG9VUURRZ0FFMS9GcGZjUm5EY2VkTDZBalVhWFlQdjRESU1CYUp1Zk9JNU5XdHkrWFNYN0pqWGdadE03MgogICAgICAgIGRRdlJhWWFudXhEMzZEdDEyL0p4eWlTZ3hLV1Jkb2F5K1E9PQogICAgICAgIC0tLS0tRU5EIEVDIFBSSVZBVEUgS0VZLS0tLS0KaWRlbnRpdHlSZXNvdXJjZXM6CiAgY3B1OgogICAgbGltaXQ6ICIxIgogICAgcmVxdWVzdDogMTAwbQogIG1lbW9yeToKICAgIGxpbWl0OiAyNTBNaQogICAgcmVxdWVzdDogMTBNaQpwcm9maWxlVmFsaWRhdG9yOgogIGNhQnVuZGxlOiBwcm9maWxlIHZhbGlkYXRvciBDQSBidW5kbGUKICBjcnRQRU06IHByb2ZpbGUgdmFsaWRhdG9yIGNydAogIGtleVBFTTogcHJvZmlsZSB2YWxpZGF0b3Iga2V5CnByb21ldGhldXM6CiAgcmVzb3VyY2VzOgogICAgY3B1OgogICAgICBsaW1pdDogIjQiCiAgICAgIHJlcXVlc3Q6IDMwMG0KICAgIG1lbW9yeToKICAgICAgbGltaXQ6IDgxOTJNaQogICAgICByZXF1ZXN0OiAzMDBNaQpwcm94eUluamVjdG9yOgogIGNhQnVuZGxlOiBwcm94eSBpbmplY3RvciBDQSBidW5kbGUKICBjcnRQRU06IHByb3h5IGluamVjdG9yIGNydAogIGtleVBFTTogcHJveHkgaW5qZWN0b3Iga2V5CnByb3h5SW5qZWN0b3JSZXNvdXJjZXM6CiAgY3B1OgogICAgbGltaXQ6ICIxIgogICAgcmVxdWVzdDogMTAwbQogIG1lbW9yeToKICAgIGxpbWl0OiAyNTBNaQogICAgcmVxdWVzdDogNTBNaQpwdWJsaWNBUElSZXNvdXJjZXM6CiAgY3B1OgogICAgbGltaXQ6ICIxIgogICAgcmVxdWVzdDogMTAwbQogIG1lbW9yeToKICAgIGxpbWl0OiAyNTBNaQogICAgcmVxdWVzdDogNTBNaQpzcFZhbGlkYXRvclJlc291cmNlczoKICBjcHU6CiAgICBsaW1pdDogIjEiCiAgICByZXF1ZXN0OiAxMDBtCiAgbWVtb3J5OgogICAgbGltaXQ6IDI1ME1pCiAgICByZXF1ZXN0OiA1ME1pCnRhcDoKICBjYUJ1bmRsZTogdGFwIENBIGJ1bmRsZQogIGNydFBFTTogdGFwIGNydAogIGtleVBFTTogdGFwIGtleQp0YXBSZXNvdXJjZXM6CiAgY3B1OgogICAgbGltaXQ6ICIxIgogICAgcmVxdWVzdDogMTAwbQogIG1lbW9yeToKICAgIGxpbWl0OiAyNTBNaQogICAgcmVxdWVzdDogNTBNaQp3ZWJSZXNvdXJjZXM6CiAgY3B1OgogICAgbGltaXQ6ICIxIgogICAgcmVxdWVzdDogMTAwbQogIG1lbW9yeToKICAgIGxpbWl0OiAyNTBNaQogICAgcmVxdWVzdDogNTBNaQp3ZWJob29rRmFpbHVyZVBvbGljeTogRmFpbAo=
kind: Secret
metadata:
creationTimestamp: null
name: linkerd-config-overrides
namespace: linkerd
Reference in New Issue View Git Blame Copy Permalink