--- ### ### Linkerd Namespace ### kind: Namespace apiVersion: v1 metadata: name: linkerd annotations: linkerd.io/inject: disabled labels: linkerd.io/is-control-plane: "true" config.linkerd.io/admission-webhooks: disabled linkerd.io/control-plane-ns: linkerd --- ### ### Identity Controller Service RBAC ### kind: ClusterRole apiVersion: rbac.authorization.k8s.io/v1 metadata: name: linkerd-linkerd-identity labels: linkerd.io/control-plane-component: identity linkerd.io/control-plane-ns: linkerd rules: - apiGroups: ["authentication.k8s.io"] resources: ["tokenreviews"] verbs: ["create"] - apiGroups: ["apps"] resources: ["deployments"] verbs: ["get"] - apiGroups: [""] resources: ["events"] verbs: ["create", "patch"] --- kind: ClusterRoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: name: linkerd-linkerd-identity labels: linkerd.io/control-plane-component: identity linkerd.io/control-plane-ns: linkerd roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: linkerd-linkerd-identity subjects: - kind: ServiceAccount name: linkerd-identity namespace: linkerd --- kind: ServiceAccount apiVersion: v1 metadata: name: linkerd-identity namespace: linkerd labels: linkerd.io/control-plane-component: identity linkerd.io/control-plane-ns: linkerd --- ### ### Controller RBAC ### kind: ClusterRole apiVersion: rbac.authorization.k8s.io/v1 metadata: name: linkerd-linkerd-controller labels: linkerd.io/control-plane-component: controller linkerd.io/control-plane-ns: linkerd rules: - apiGroups: ["extensions", "apps"] resources: ["daemonsets", "deployments", "replicasets", "statefulsets"] verbs: ["list", "get", "watch"] - apiGroups: ["extensions", "batch"] resources: ["cronjobs", "jobs"] verbs: ["list" , "get", "watch"] - apiGroups: [""] resources: ["pods", "endpoints", "services", "replicationcontrollers", "namespaces"] verbs: ["list", "get", "watch"] - apiGroups: ["linkerd.io"] resources: ["serviceprofiles"] verbs: ["list", "get", "watch"] - apiGroups: ["split.smi-spec.io"] resources: ["trafficsplits"] verbs: ["list", "get", "watch"] --- kind: ClusterRoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: name: linkerd-linkerd-controller labels: linkerd.io/control-plane-component: controller linkerd.io/control-plane-ns: linkerd roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: linkerd-linkerd-controller subjects: - kind: ServiceAccount name: linkerd-controller namespace: linkerd --- kind: ServiceAccount apiVersion: v1 metadata: name: linkerd-controller namespace: linkerd labels: linkerd.io/control-plane-component: controller linkerd.io/control-plane-ns: linkerd --- ### ### Destination Controller Service ### kind: ClusterRole apiVersion: rbac.authorization.k8s.io/v1 metadata: name: linkerd-linkerd-destination labels: linkerd.io/control-plane-component: destination linkerd.io/control-plane-ns: linkerd rules: - apiGroups: ["apps"] resources: ["replicasets"] verbs: ["list", "get", "watch"] - apiGroups: ["batch"] resources: ["jobs"] verbs: ["list", "get", "watch"] - apiGroups: [""] resources: ["pods", "endpoints", "services", "nodes", "namespaces"] verbs: ["list", "get", "watch"] - apiGroups: ["linkerd.io"] resources: ["serviceprofiles"] verbs: ["list", "get", "watch"] - apiGroups: ["split.smi-spec.io"] resources: ["trafficsplits"] verbs: ["list", "get", "watch"] --- kind: ClusterRoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: name: linkerd-linkerd-destination labels: linkerd.io/control-plane-component: destination linkerd.io/control-plane-ns: linkerd roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: linkerd-linkerd-destination subjects: - kind: ServiceAccount name: linkerd-destination namespace: linkerd --- kind: ServiceAccount apiVersion: v1 metadata: name: linkerd-destination namespace: linkerd labels: linkerd.io/control-plane-component: destination linkerd.io/control-plane-ns: linkerd --- ### ### Heartbeat RBAC ### apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: name: linkerd-heartbeat namespace: linkerd labels: linkerd.io/control-plane-ns: linkerd rules: - apiGroups: [""] resources: ["configmaps"] verbs: ["get"] resourceNames: ["linkerd-config"] --- apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: name: linkerd-heartbeat namespace: linkerd labels: linkerd.io/control-plane-ns: linkerd roleRef: kind: Role name: linkerd-heartbeat apiGroup: rbac.authorization.k8s.io subjects: - kind: ServiceAccount name: linkerd-heartbeat namespace: linkerd --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: linkerd-heartbeat labels: linkerd.io/control-plane-ns: linkerd rules: - apiGroups: [""] resources: ["namespaces"] verbs: ["list"] - apiGroups: ["linkerd.io"] resources: ["serviceprofiles"] verbs: ["list"] --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: linkerd-heartbeat labels: linkerd.io/control-plane-ns: linkerd roleRef: kind: ClusterRole name: linkerd-heartbeat apiGroup: rbac.authorization.k8s.io subjects: - kind: ServiceAccount name: linkerd-heartbeat namespace: linkerd --- kind: ServiceAccount apiVersion: v1 metadata: name: linkerd-heartbeat namespace: linkerd labels: linkerd.io/control-plane-component: heartbeat linkerd.io/control-plane-ns: linkerd --- ### ### Service Profile CRD ### apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: name: serviceprofiles.linkerd.io annotations: linkerd.io/created-by: linkerd/cli edge-21.4.3 labels: linkerd.io/control-plane-ns: linkerd spec: group: linkerd.io versions: - name: v1alpha1 served: true storage: false schema: openAPIV3Schema: type: object properties: spec: type: object description: Spec is the custom resource spec required: - routes properties: dstOverrides: type: array required: - authority - weight items: type: object description: WeightedDst is a weighted alternate destination. properties: authority: type: string weight: x-kubernetes-int-or-string: true anyOf: - type: integer - type: string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ opaquePorts: type: array items: type: string retryBudget: type: object required: - minRetriesPerSecond - retryRatio - ttl description: RetryBudget describes the maximum number of retries that should be issued to this service. properties: minRetriesPerSecond: format: int32 type: integer retryRatio: type: number format: float ttl: type: string routes: type: array items: type: object description: RouteSpec specifies a Route resource. required: - condition - name properties: condition: type: object description: RequestMatch describes the conditions under which to match a Route. properties: pathRegex: type: string method: type: string all: type: array items: type: object x-kubernetes-preserve-unknown-fields: true any: type: array items: type: object x-kubernetes-preserve-unknown-fields: true not: type: array items: type: object x-kubernetes-preserve-unknown-fields: true isRetryable: type: boolean name: type: string timeout: type: string responseClasses: type: array items: type: object required: - condition description: ResponseClass describes how to classify a response (e.g. success or failures). properties: condition: type: object description: ResponseMatch describes the conditions under which to classify a response. properties: all: type: array items: type: object x-kubernetes-preserve-unknown-fields: true any: type: array items: type: object x-kubernetes-preserve-unknown-fields: true not: type: array items: type: object x-kubernetes-preserve-unknown-fields: true status: type: object description: Range describes a range of integers (e.g. status codes). properties: max: format: int32 type: integer min: format: int32 type: integer isFailure: type: boolean - name: v1alpha2 served: true storage: true schema: openAPIV3Schema: type: object properties: spec: type: object description: Spec is the custom resource spec required: - routes properties: dstOverrides: type: array required: - authority - weight items: type: object description: WeightedDst is a weighted alternate destination. properties: authority: type: string weight: x-kubernetes-int-or-string: true anyOf: - type: integer - type: string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ opaquePorts: type: array items: type: string retryBudget: type: object required: - minRetriesPerSecond - retryRatio - ttl description: RetryBudget describes the maximum number of retries that should be issued to this service. properties: minRetriesPerSecond: format: int32 type: integer retryRatio: type: number format: float ttl: type: string routes: type: array items: type: object description: RouteSpec specifies a Route resource. required: - condition - name properties: condition: type: object description: RequestMatch describes the conditions under which to match a Route. properties: pathRegex: type: string method: type: string all: type: array items: type: object x-kubernetes-preserve-unknown-fields: true any: type: array items: type: object x-kubernetes-preserve-unknown-fields: true not: type: array items: type: object x-kubernetes-preserve-unknown-fields: true isRetryable: type: boolean name: type: string timeout: type: string responseClasses: type: array items: type: object required: - condition description: ResponseClass describes how to classify a response (e.g. success or failures). properties: condition: type: object description: ResponseMatch describes the conditions under which to classify a response. properties: all: type: array items: type: object x-kubernetes-preserve-unknown-fields: true any: type: array items: type: object x-kubernetes-preserve-unknown-fields: true not: type: array items: type: object x-kubernetes-preserve-unknown-fields: true status: type: object description: Range describes a range of integers (e.g. status codes). properties: max: format: int32 type: integer min: format: int32 type: integer isFailure: type: boolean scope: Namespaced preserveUnknownFields: false names: plural: serviceprofiles singular: serviceprofile kind: ServiceProfile shortNames: - sp --- ### ### TrafficSplit CRD ### Copied from github.com/servicemeshinterface/smi-sdk-go/blob/d4e76b1cd7a33ead5f38d1262dd838a31c80f4e5/crds/split.yaml ### apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: name: trafficsplits.split.smi-spec.io annotations: linkerd.io/created-by: linkerd/cli edge-21.4.3 labels: linkerd.io/control-plane-ns: linkerd spec: group: split.smi-spec.io scope: Namespaced conversion: strategy: None names: kind: TrafficSplit listKind: TrafficSplitList shortNames: - ts plural: trafficsplits singular: trafficsplit versions: - name: v1alpha1 served: true storage: true schema: openAPIV3Schema: type: object properties: spec: type: object required: - service - backends properties: service: description: The apex service of this split. type: string backends: description: The backend services of this split. type: array items: type: object required: ['service', 'weight'] properties: service: description: Name of the Kubernetes service. type: string weight: description: Traffic weight value of this backend. x-kubernetes-int-or-string: true additionalPrinterColumns: - name: Service type: string description: The apex service of this split. jsonPath: .spec.service - name: v1alpha2 served: true storage: false additionalPrinterColumns: - name: Service type: string description: The apex service of this split. jsonPath: .spec.service schema: openAPIV3Schema: type: object properties: spec: type: object required: - service - backends properties: service: description: The apex service of this split. type: string backends: description: The backend services of this split. type: array items: type: object required: ['service', 'weight'] properties: service: description: Name of the Kubernetes service. type: string weight: description: Traffic weight value of this backend. type: number preserveUnknownFields: false --- ### ### Proxy Injector RBAC ### kind: ClusterRole apiVersion: rbac.authorization.k8s.io/v1 metadata: name: linkerd-linkerd-proxy-injector labels: linkerd.io/control-plane-component: proxy-injector linkerd.io/control-plane-ns: linkerd rules: - apiGroups: [""] resources: ["events"] verbs: ["create", "patch"] - apiGroups: [""] resources: ["namespaces", "replicationcontrollers"] verbs: ["list", "get", "watch"] - apiGroups: [""] resources: ["pods"] verbs: ["list", "watch"] - apiGroups: ["extensions", "apps"] resources: ["deployments", "replicasets", "daemonsets", "statefulsets"] verbs: ["list", "get", "watch"] - apiGroups: ["extensions", "batch"] resources: ["cronjobs", "jobs"] verbs: ["list", "get", "watch"] --- kind: ClusterRoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: name: linkerd-linkerd-proxy-injector labels: linkerd.io/control-plane-component: proxy-injector linkerd.io/control-plane-ns: linkerd subjects: - kind: ServiceAccount name: linkerd-proxy-injector namespace: linkerd apiGroup: "" roleRef: kind: ClusterRole name: linkerd-linkerd-proxy-injector apiGroup: rbac.authorization.k8s.io --- kind: ServiceAccount apiVersion: v1 metadata: name: linkerd-proxy-injector namespace: linkerd labels: linkerd.io/control-plane-component: proxy-injector linkerd.io/control-plane-ns: linkerd --- kind: Secret apiVersion: v1 metadata: name: linkerd-proxy-injector-k8s-tls namespace: linkerd labels: linkerd.io/control-plane-component: proxy-injector linkerd.io/control-plane-ns: linkerd annotations: linkerd.io/created-by: linkerd/cli edge-21.4.3 type: kubernetes.io/tls data: tls.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURVekNDQWp1Z0F3SUJBZ0lSQU5nTTJmVHlxTkJYdHo0UDNQNURHbTB3RFFZSktvWklodmNOQVFFTEJRQXcKTFRFck1Da0dBMVVFQXhNaWJHbHVhMlZ5WkMxd2NtOTRlUzFwYm1wbFkzUnZjaTVzYVc1clpYSmtMbk4yWXpBZQpGdzB5TVRBME1UVXdOVEkyTlRGYUZ3MHlNakEwTVRVd05USTJOVEZhTUMweEt6QXBCZ05WQkFNVElteHBibXRsCmNtUXRjSEp2ZUhrdGFXNXFaV04wYjNJdWJHbHVhMlZ5WkM1emRtTXdnZ0VpTUEwR0NTcUdTSWIzRFFFQkFRVUEKQTRJQkR3QXdnZ0VLQW9JQkFRREtxQitNZnhwOXhRYzRJUnBlSzIzekJ1WWxTb05MOTk4VUpEajVWRUhMQWp4RgpZMVFUakdjYjNwRElnWWk2MDd5OFJtOVEzY1hXZ2tCS0FBZThHM1Fld2REczNtRXRreWhickt3L3psWEZ0aHZFCnByTmJIM3o5OGoxcEZ5V29Rc1ZuY2grZ1lXRjJSTzRrSjlOSnd5V0MzYkgxVm56SFNYc25HVXFrT3MwR0ZMdG0KWmFHY0ovd2hJODYyS0N3Z28zRnNWOVljZUNQTjAyRjk0RmlrWitPNUovWjhzWVVlZ1BmZkJDSjYzeHVSSVFwYwp5a0hBNGxkZ0pIM20vNWlCY3VqK0xqY0V1RnVrZlNHckJ6NFMrT05qL3lxMUYwV3FWQWF3d2xsTlVrdEpxc21KCkg5LysvK3JybHpyUWNKemVTckxnZGZ6a2FreWdmYjRYdmpaMkZWZEpBZ01CQUFHamJqQnNNQTRHQTFVZER3RUIKL3dRRUF3SUZvREFkQmdOVkhTVUVGakFVQmdnckJnRUZCUWNEQVFZSUt3WUJCUVVIQXdJd0RBWURWUjBUQVFILwpCQUl3QURBdEJnTlZIUkVFSmpBa2dpSnNhVzVyWlhKa0xYQnliM2g1TFdsdWFtVmpkRzl5TG14cGJtdGxjbVF1CmMzWmpNQTBHQ1NxR1NJYjNEUUVCQ3dVQUE0SUJBUUN2bHVVbk5hRXhXb2s2QzhzTTdSQXdUR1BxdWQvU0tldk8KVmVwaGF4SEFmbTF2WEovbE5acGh6STVrT2swT1czZFdDZ09tVklKT1VuSGJkcVBPTFJXZW9jTWtFOVRXc05WNwpmemhMU2FjRWhSdEdtSmZFRVZZa2lSbDlLVzh2T3ZWaWpMcGlPUTc1V0xCY0N1SUZydm5sU3dmR0YxVnVONnM3CmNucmxZNnFCdnIrTGNzVExsRlFpN1MzQVlZRGQrdHdDdmxjZnR3YUpoemhhTTA0K01tV09nR0tBT2JkZXkxazcKdFdKL2NUMGhLdmoyY0dvcnpTanZ4NFhMOVhWZU9TTGc3VGkyVGZyZWxYYUszdHRBSVQrYUdlWmQyUXlidndwRgpyNFNXYW1jcldURnhPaE9jaWpDRUFSdGpCM3lTQ1VwY1BGUTVmbnJpVjFvWnJKcmhnelhiCi0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0= tls.key: LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlFb2dJQkFBS0NBUUVBeXFnZmpIOGFmY1VIT0NFYVhpdHQ4d2JtSlVxRFMvZmZGQ1E0K1ZSQnl3SThSV05VCkU0eG5HOTZReUlHSXV0Tzh2RVp2VU4zRjFvSkFTZ0FIdkJ0MEhzSFE3TjVoTFpNb1c2eXNQODVWeGJZYnhLYXoKV3g5OC9mSTlhUmNscUVMRlozSWZvR0ZoZGtUdUpDZlRTY01sZ3QyeDlWWjh4MGw3SnhsS3BEck5CaFM3Wm1XaApuQ2Y4SVNQT3RpZ3NJS054YkZmV0hIZ2p6ZE5oZmVCWXBHZmp1U2YyZkxHRkhvRDMzd1FpZXQ4YmtTRUtYTXBCCndPSlhZQ1I5NXYrWWdYTG8vaTQzQkxoYnBIMGhxd2MrRXZqalkvOHF0UmRGcWxRR3NNSlpUVkpMU2FySmlSL2YKL3YvcTY1YzYwSENjM2txeTRIWDg1R3BNb0gyK0Y3NDJkaFZYU1FJREFRQUJBb0lCQUc1R21oUkx2ZENlZkZVdwp2alpzRDRKbFNLc1dKdWdaMDR3VVFlUjYwdXB6SnZUakhnY2RLYVppc0FwTFltbTNla1pCVmFWOWFJQlhsRUF3ClVBVXVNenZoWDV6bFRhQU5LYkxvL1RvalAwMDgwVk5yR3NJRkduRGRka2xQVFRDSVZQNzdmUFk2eDF3aUdpd1cKZDhUMXFkM1NZVm9OWEF6ZGtXUXZRUXlvNnBQWmtDQkdGendjZ05yNWhzZnB6c0VqZzNxUHpFU3FNaWJWWXM5UwpIbFJ0QXFOZDFhMUNhWWpaRHNBeitSclFZNDFKamJGT0RQR2p0YkxvaG1GOXdBOTV0SVYrd0cyYnM3S1hNd2FHCkUybG9ORUkwNVdPWmZYNk9ZaHZoQThIdTdzWmRBL2dTam52UDgwMUw3SVl0bG90M3VVYVY0VmtzT280V1JYZXgKbUs3MU1Ca0NnWUVBN1RoaWR2Q0ZFZ1kvY0ZHSHM4NVpGampEUE4xa2FnV3dFNzVacDg1Vlg2cVUxbzh0bTlCVApicndBb1JBbndGQW9CdDNUVTNSeW5vTkZOWFFhOVU4YzEwMFlWUWlOYmpXMU9XdU5Kem95VzRjZURJR1dlSEd0CjNjUnRhd01wY0g3UXZLY254U3RCMmllRjdETVhqaXB0MDBtV2ZDZ2x4Z1BMaXgyUnJuL2ZJWWNDZ1lFQTJyTkMKSURBNXIxaHp4TFNJcFp4dG5OZGJMYzg3aUNnVEo1VUZ6M0VFbkZGTmdBTHZjSkZ6VzFRdWFNWko5N3Uzbi9BdgpsUFVEQjZaUVhTNGk2K1JMQ3Y0bEVySWdxc3k2RGpJUFBxbVo0ZjVEK0EwUUpndytZZTdadkdDOC9Ed2svZGZVClR3cDdqa2ZGSlBiVm1YRDFCK3Ara0pQNGR0dzBvc2FOaGovU05LOENnWUFZZktLRlhveU44TUVwcWZEVkdhN08KZ1d0OTQraVNuU1d3MUF4VEt4UmEvTFBDZGlNaUcxNFJaeXkxYzRKMjhvOC9MalM3UDZENVJkbW1DK2NnZlZzZgp5bUNCbnBGaTEvNXQvL0VoSkh2QVFQRlVIeWhXSkgzckQzU3dBREtOM3psU3ovcGwrdklnUDhZdVBKUG80KzVVClNodFRrNTFhbEZlMWM0YnZPVm5pRHdLQmdDc0M0RGxtWXFIcW1uSVFNMk9tdlNRQWNxMHl1WG1Rc0J1endqM0cKODJvdXp6Z2kyNlplNUxvTWQwZ2gzMEE2aWVXSm5rSUVZY0VxWTFuQURod29mTjIvbDlqeWNWeEdBVDF6ZU80UQordk9vUndQTXhlVkZ1U3NYaDNqMTZaVU4yeFNWVXVyc205b2lvVklndldkOUFLTzY2WU5UcHFUeHIrUm5la1B4CjMweC9Bb0dBRVVrSzFjZFRuSmJnbzVya3VLWGIxci9QcHhQZERPaEplV21TZnFNMTQvMmZQWm1HbGVFV3UvWVAKZTY0UTNvSFBxNE9YZ29nekpETVp1SFBpTGp1ZWdIUGNCbmJSQ0Z4NzVOU29oeE90MjN3dFJMdTdOajh2N0t6WQo1KzRQdFdJc054MldHbE8xQXBveGNWVGtPZWozUk1Od3NIWXRNb3RscWhoRTRoZkZjUlk9Ci0tLS0tRU5EIFJTQSBQUklWQVRFIEtFWS0tLS0t --- apiVersion: admissionregistration.k8s.io/v1 kind: MutatingWebhookConfiguration metadata: name: linkerd-proxy-injector-webhook-config labels: linkerd.io/control-plane-component: proxy-injector linkerd.io/control-plane-ns: linkerd webhooks: - name: linkerd-proxy-injector.linkerd.io namespaceSelector: matchExpressions: - key: config.linkerd.io/admission-webhooks operator: NotIn values: - disabled clientConfig: service: name: linkerd-proxy-injector namespace: linkerd path: "/" caBundle: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURVekNDQWp1Z0F3SUJBZ0lSQU5nTTJmVHlxTkJYdHo0UDNQNURHbTB3RFFZSktvWklodmNOQVFFTEJRQXcKTFRFck1Da0dBMVVFQXhNaWJHbHVhMlZ5WkMxd2NtOTRlUzFwYm1wbFkzUnZjaTVzYVc1clpYSmtMbk4yWXpBZQpGdzB5TVRBME1UVXdOVEkyTlRGYUZ3MHlNakEwTVRVd05USTJOVEZhTUMweEt6QXBCZ05WQkFNVElteHBibXRsCmNtUXRjSEp2ZUhrdGFXNXFaV04wYjNJdWJHbHVhMlZ5WkM1emRtTXdnZ0VpTUEwR0NTcUdTSWIzRFFFQkFRVUEKQTRJQkR3QXdnZ0VLQW9JQkFRREtxQitNZnhwOXhRYzRJUnBlSzIzekJ1WWxTb05MOTk4VUpEajVWRUhMQWp4RgpZMVFUakdjYjNwRElnWWk2MDd5OFJtOVEzY1hXZ2tCS0FBZThHM1Fld2REczNtRXRreWhickt3L3psWEZ0aHZFCnByTmJIM3o5OGoxcEZ5V29Rc1ZuY2grZ1lXRjJSTzRrSjlOSnd5V0MzYkgxVm56SFNYc25HVXFrT3MwR0ZMdG0KWmFHY0ovd2hJODYyS0N3Z28zRnNWOVljZUNQTjAyRjk0RmlrWitPNUovWjhzWVVlZ1BmZkJDSjYzeHVSSVFwYwp5a0hBNGxkZ0pIM20vNWlCY3VqK0xqY0V1RnVrZlNHckJ6NFMrT05qL3lxMUYwV3FWQWF3d2xsTlVrdEpxc21KCkg5LysvK3JybHpyUWNKemVTckxnZGZ6a2FreWdmYjRYdmpaMkZWZEpBZ01CQUFHamJqQnNNQTRHQTFVZER3RUIKL3dRRUF3SUZvREFkQmdOVkhTVUVGakFVQmdnckJnRUZCUWNEQVFZSUt3WUJCUVVIQXdJd0RBWURWUjBUQVFILwpCQUl3QURBdEJnTlZIUkVFSmpBa2dpSnNhVzVyWlhKa0xYQnliM2g1TFdsdWFtVmpkRzl5TG14cGJtdGxjbVF1CmMzWmpNQTBHQ1NxR1NJYjNEUUVCQ3dVQUE0SUJBUUN2bHVVbk5hRXhXb2s2QzhzTTdSQXdUR1BxdWQvU0tldk8KVmVwaGF4SEFmbTF2WEovbE5acGh6STVrT2swT1czZFdDZ09tVklKT1VuSGJkcVBPTFJXZW9jTWtFOVRXc05WNwpmemhMU2FjRWhSdEdtSmZFRVZZa2lSbDlLVzh2T3ZWaWpMcGlPUTc1V0xCY0N1SUZydm5sU3dmR0YxVnVONnM3CmNucmxZNnFCdnIrTGNzVExsRlFpN1MzQVlZRGQrdHdDdmxjZnR3YUpoemhhTTA0K01tV09nR0tBT2JkZXkxazcKdFdKL2NUMGhLdmoyY0dvcnpTanZ4NFhMOVhWZU9TTGc3VGkyVGZyZWxYYUszdHRBSVQrYUdlWmQyUXlidndwRgpyNFNXYW1jcldURnhPaE9jaWpDRUFSdGpCM3lTQ1VwY1BGUTVmbnJpVjFvWnJKcmhnelhiCi0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0= failurePolicy: Ignore admissionReviewVersions: ["v1", "v1beta1"] rules: - operations: [ "CREATE" ] apiGroups: [""] apiVersions: ["v1"] resources: ["pods", "services"] sideEffects: None --- ### ### Service Profile Validator RBAC ### kind: ClusterRole apiVersion: rbac.authorization.k8s.io/v1 metadata: name: linkerd-linkerd-sp-validator labels: linkerd.io/control-plane-component: sp-validator linkerd.io/control-plane-ns: linkerd rules: - apiGroups: [""] resources: ["pods"] verbs: ["list"] --- kind: ClusterRoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: name: linkerd-linkerd-sp-validator labels: linkerd.io/control-plane-component: sp-validator linkerd.io/control-plane-ns: linkerd subjects: - kind: ServiceAccount name: linkerd-sp-validator namespace: linkerd apiGroup: "" roleRef: kind: ClusterRole name: linkerd-linkerd-sp-validator apiGroup: rbac.authorization.k8s.io --- kind: ServiceAccount apiVersion: v1 metadata: name: linkerd-sp-validator namespace: linkerd labels: linkerd.io/control-plane-component: sp-validator linkerd.io/control-plane-ns: linkerd --- kind: Secret apiVersion: v1 metadata: name: linkerd-sp-validator-k8s-tls namespace: linkerd labels: linkerd.io/control-plane-component: sp-validator linkerd.io/control-plane-ns: linkerd annotations: linkerd.io/created-by: linkerd/cli edge-21.4.3 type: kubernetes.io/tls data: tls.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURUVENDQWpXZ0F3SUJBZ0lSQUxyYTNKOXBseXh2ZVhRRm9xeWtYL013RFFZSktvWklodmNOQVFFTEJRQXcKS3pFcE1DY0dBMVVFQXhNZ2JHbHVhMlZ5WkMxemNDMTJZV3hwWkdGMGIzSXViR2x1YTJWeVpDNXpkbU13SGhjTgpNakV3TkRFMU1EVXlOalV4V2hjTk1qSXdOREUxTURVeU5qVXhXakFyTVNrd0p3WURWUVFERXlCc2FXNXJaWEprCkxYTndMWFpoYkdsa1lYUnZjaTVzYVc1clpYSmtMbk4yWXpDQ0FTSXdEUVlKS29aSWh2Y05BUUVCQlFBRGdnRVAKQURDQ0FRb0NnZ0VCQUtGN3B3V1QzWjlPU2VMakNITGdSYllhNEs5WGZZTEdnc1kvN3hBY1ExYjBKMit5ZWZ5dgo3WERXbXFON1AvRDNVZFVsRDRMOU13dlRnc21CWVQwRXF4d3NzY1pvUFErKzU1bmpBWFBMVGw5NFhZL3ZwV2d0ClVzZXM0bmtrd1o3RW1xVFE1ZG9UaW8xN3RCaWZxQXlJK3M1VnM3WVAyY3RSZkFXZU5weFpVNHNHSFU2YkNkMTAKMWZhckhnY3RhbTUrcS84cHI1aGZqUk5ENitBY2taYS8wbTQwNUtjbFBqV1lRY0V6MHZNdTl1aFduOWY3d0VGOQpaaVlQY3A3RDV4VVFJSUszbFdRWFpHZWc0RHhZeTdLN0VJTXdIUktRMDZBTTgraWQ5ZGo3ZWdoaU9UNVYvZXdGCnJWdFB3UmxwaU5GZjQ1VFdSQlgzelkxSCs0M0dZMm1Jam9NQ0F3RUFBYU5zTUdvd0RnWURWUjBQQVFIL0JBUUQKQWdXZ01CMEdBMVVkSlFRV01CUUdDQ3NHQVFVRkJ3TUJCZ2dyQmdFRkJRY0RBakFNQmdOVkhSTUJBZjhFQWpBQQpNQ3NHQTFVZEVRUWtNQ0tDSUd4cGJtdGxjbVF0YzNBdGRtRnNhV1JoZEc5eUxteHBibXRsY21RdWMzWmpNQTBHCkNTcUdTSWIzRFFFQkN3VUFBNElCQVFCQmQ3WWRoamxZVXlWeEpzRzgwNHZ3eDQxQlNKYzl5YlVJcEFjVWd2d28KYjBEQ3ZrNnJEVDJqcnF1d0Z6eTZKQloyeFd6aWMrYlRoU2NsTjNtRXhlZE8rRWN2clVXUUtnVzVqM1V6WWxNTwpUMHpHUWs0RWJPVFZCWE82ZVYzclNteW54MENnem84V2NKQ1U3ODFGbUJod2JSQ1ZIY3pNZ1lnYWsxZ05oV2xECi9HK3BmMWlvbHVLb2czTytPdGhLNUxYWEhqSk0yUGt1ZEtNemV4TXpncjM1Mi96akdFdlV3TlVuaytWYVE5VkwKNnNhejJWYWdsN01panA3Rk5kTUZiQXRrdmRiK2NTL1RQQWFnbGtSY2c2MnRZTTZKYWlReFZUNXhUNzZMUjI2RQpQMHJ6OEVsQ1NxcEZsbXI4NEZaREFoUWE1bWJlWlBHUGY4K1F4a041dnBNbQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0t tls.key: LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlFb3dJQkFBS0NBUUVBb1h1bkJaUGRuMDVKNHVNSWN1QkZ0aHJncjFkOWdzYUN4ai92RUJ4RFZ2UW5iN0o1Ci9LL3RjTmFhbzNzLzhQZFIxU1VQZ3YwekM5T0N5WUZoUFFTckhDeXh4bWc5RDc3bm1lTUJjOHRPWDNoZGorK2wKYUMxU3g2emllU1RCbnNTYXBORGwyaE9Lalh1MEdKK29ESWo2emxXenRnL1p5MUY4Qlo0Mm5GbFRpd1lkVHBzSgozWFRWOXFzZUJ5MXFibjZyL3ltdm1GK05FMFByNEJ5UmxyL1NialRrcHlVK05aaEJ3VFBTOHk3MjZGYWYxL3ZBClFYMW1KZzl5bnNQbkZSQWdncmVWWkJka1o2RGdQRmpMc3JzUWd6QWRFcERUb0F6ejZKMzEyUHQ2Q0dJNVBsWDkKN0FXdFcwL0JHV21JMFYvamxOWkVGZmZOalVmN2pjWmphWWlPZ3dJREFRQUJBb0lCQUVOVmF4U0JUcFVCc1A5aApTWUdWRUp4WllyemFUMlI3WDhaSW5HZHNVWXZ0YkpBL3JHdjM4NXJzY1RpZnlNNnlZYlh0cVNVbWJPV09nV2VDCmdraE9MUWNuZjgxS1k4T3dCNlI4S252ZEYwWHB5NkdiL0syTzBJaWdCeU1hZDMyN1h2eEFlc2RQQktQd0krMXMKalVjRXl3ZkVacFlRei9EZWZrZGRiRW9QV1MyTGFuTDhWU0JYdHNhM1FzV1lia1NpZXF4Yis3Y2FjMzN4Rkh3UApvZ01vWnRVTURoOGVkeVJxaXU4clJHMEliWDNHUDlBTnNhdkRraGhYU3R0SUhtcW5SWWprc2tHNTU0QTRidUlICjRxRGVDQnZNQU53bFpBNlMvWmQ0bUJjTlBxTVhMaS9PQ3ZtT2tvNEtXdXFhRitGcWQ0N3hoRFNtcWIzTCtIak8KOFhrU0plRUNnWUVBMDlPRzZ2WG1XbDh2Y2dJRE9pTnhXaVJ0ZmVkSStXVWNUYXlyTXNYQVg4dThaMlEzdG14Ygp0RTFKZm4vRTNDRVozc1p4WDRaNVhrWTBnWWhpWExtUVp3emExZFJITVhTSDljTFFLb1B4WVMwR3lwbUZjUDliCjBqQk1YSktudjJWV21TVmRUZ1hRTjN4VDRFYmZzNE55Ukl5Y1NQK2VoeWttSkFqL2NZQUVScEVDZ1lFQXd5aUYKTHE3dHFTbkRzcmc3a1U3Tk5pTE9ldE85TEJnb2NEaXJTc3lFRzhVbThzem5hNFlidEhrclBxWU16YlNrNjgxMwp2UEh3TG1XR0laU1BKWlowYnlrNnpVWEpIOERiYzRzWGNHQ3ZZNXRvcHpsVWgyWEVRQlBTNk9ETmVwTkFySVVKCjc0bzg0UDBYOUYrMjVmUzdZOTZFODZOZDZKRHAveDZQQ0xId2xkTUNnWUFsbzNkY3RwYll4Z01MTWZwYTBVTnAKN2dFYWx3Y3JjV0RuR0dCUEpENDdoMXNSMEFmcVBUVEtROVZrU2RXeis1bTZNTzZpTjZYSEw1aFN6K1lTYmRLUAp6UVB4Yk1lOXJPUWZzaDhFL3U3Y0FvRXJiTDMrUnhHTXRwSksvTEFiM1NqWEM0R1p4SVNyNTBhTUdtdlRYTzduCjZVZzMzRnZSem1qOWpDKy9maXpFVVFLQmdRQ3cvQXhjRzlQNGQ2RzhjSXZFNlh2OVBtK1d3SE5zaTdRUW9iUG0KTDdjWElDS0VTd01NWmlDMStMVVpLYW11MjhZOCtxYytPUU1pY0h2RjlGNGxMbDhGZUpTVkdGYWZiMTBWV2V5MQp3MWtMc2lLa2xMOXQwd0s1UWNFaDVNMHovbHJHbWhnNm5sazdpUXV5V1NNYlJHaTAxMVluUmQ2aVRObUl2Z1BsClZNbmtkUUtCZ0RYcFJiSHFtZjNoVUxnMXE5QXI1S3kvczNyZ0hyNU56S3BwYkJlNzNiS2N4N09NRmJMaUs1QUUKTnNBdXpCRGdrakVUSDAzRUorR2pKby9zU2RiUXErbTF4Q0dYTXgwdk50NWlVOGZCUXZjbnBDdVFqaTRqa1FIVQpPSEVvaUFNcjBNZERtTWJucXJXSzRLa3pzQStrOG9tb0hxYUlDOFpseVVuZWQrUkwvdU1FCi0tLS0tRU5EIFJTQSBQUklWQVRFIEtFWS0tLS0t --- apiVersion: admissionregistration.k8s.io/v1 kind: ValidatingWebhookConfiguration metadata: name: linkerd-sp-validator-webhook-config labels: linkerd.io/control-plane-component: sp-validator linkerd.io/control-plane-ns: linkerd webhooks: - name: linkerd-sp-validator.linkerd.io namespaceSelector: matchExpressions: - key: config.linkerd.io/admission-webhooks operator: NotIn values: - disabled clientConfig: service: name: linkerd-sp-validator namespace: linkerd path: "/" caBundle: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURUVENDQWpXZ0F3SUJBZ0lSQUxyYTNKOXBseXh2ZVhRRm9xeWtYL013RFFZSktvWklodmNOQVFFTEJRQXcKS3pFcE1DY0dBMVVFQXhNZ2JHbHVhMlZ5WkMxemNDMTJZV3hwWkdGMGIzSXViR2x1YTJWeVpDNXpkbU13SGhjTgpNakV3TkRFMU1EVXlOalV4V2hjTk1qSXdOREUxTURVeU5qVXhXakFyTVNrd0p3WURWUVFERXlCc2FXNXJaWEprCkxYTndMWFpoYkdsa1lYUnZjaTVzYVc1clpYSmtMbk4yWXpDQ0FTSXdEUVlKS29aSWh2Y05BUUVCQlFBRGdnRVAKQURDQ0FRb0NnZ0VCQUtGN3B3V1QzWjlPU2VMakNITGdSYllhNEs5WGZZTEdnc1kvN3hBY1ExYjBKMit5ZWZ5dgo3WERXbXFON1AvRDNVZFVsRDRMOU13dlRnc21CWVQwRXF4d3NzY1pvUFErKzU1bmpBWFBMVGw5NFhZL3ZwV2d0ClVzZXM0bmtrd1o3RW1xVFE1ZG9UaW8xN3RCaWZxQXlJK3M1VnM3WVAyY3RSZkFXZU5weFpVNHNHSFU2YkNkMTAKMWZhckhnY3RhbTUrcS84cHI1aGZqUk5ENitBY2taYS8wbTQwNUtjbFBqV1lRY0V6MHZNdTl1aFduOWY3d0VGOQpaaVlQY3A3RDV4VVFJSUszbFdRWFpHZWc0RHhZeTdLN0VJTXdIUktRMDZBTTgraWQ5ZGo3ZWdoaU9UNVYvZXdGCnJWdFB3UmxwaU5GZjQ1VFdSQlgzelkxSCs0M0dZMm1Jam9NQ0F3RUFBYU5zTUdvd0RnWURWUjBQQVFIL0JBUUQKQWdXZ01CMEdBMVVkSlFRV01CUUdDQ3NHQVFVRkJ3TUJCZ2dyQmdFRkJRY0RBakFNQmdOVkhSTUJBZjhFQWpBQQpNQ3NHQTFVZEVRUWtNQ0tDSUd4cGJtdGxjbVF0YzNBdGRtRnNhV1JoZEc5eUxteHBibXRsY21RdWMzWmpNQTBHCkNTcUdTSWIzRFFFQkN3VUFBNElCQVFCQmQ3WWRoamxZVXlWeEpzRzgwNHZ3eDQxQlNKYzl5YlVJcEFjVWd2d28KYjBEQ3ZrNnJEVDJqcnF1d0Z6eTZKQloyeFd6aWMrYlRoU2NsTjNtRXhlZE8rRWN2clVXUUtnVzVqM1V6WWxNTwpUMHpHUWs0RWJPVFZCWE82ZVYzclNteW54MENnem84V2NKQ1U3ODFGbUJod2JSQ1ZIY3pNZ1lnYWsxZ05oV2xECi9HK3BmMWlvbHVLb2czTytPdGhLNUxYWEhqSk0yUGt1ZEtNemV4TXpncjM1Mi96akdFdlV3TlVuaytWYVE5VkwKNnNhejJWYWdsN01panA3Rk5kTUZiQXRrdmRiK2NTL1RQQWFnbGtSY2c2MnRZTTZKYWlReFZUNXhUNzZMUjI2RQpQMHJ6OEVsQ1NxcEZsbXI4NEZaREFoUWE1bWJlWlBHUGY4K1F4a041dnBNbQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0t failurePolicy: Ignore admissionReviewVersions: ["v1", "v1beta1"] rules: - operations: [ "CREATE" , "UPDATE" ] apiGroups: ["linkerd.io"] apiVersions: ["v1alpha1", "v1alpha2"] resources: ["serviceprofiles"] sideEffects: None --- ### ### Control Plane PSP ### apiVersion: policy/v1beta1 kind: PodSecurityPolicy metadata: name: linkerd-linkerd-control-plane labels: linkerd.io/control-plane-ns: linkerd spec: allowPrivilegeEscalation: false readOnlyRootFilesystem: true allowedCapabilities: - NET_ADMIN - NET_RAW requiredDropCapabilities: - ALL hostNetwork: false hostIPC: false hostPID: false seLinux: rule: RunAsAny runAsUser: rule: RunAsAny supplementalGroups: rule: MustRunAs ranges: - min: 1 max: 65535 fsGroup: rule: MustRunAs ranges: - min: 1 max: 65535 volumes: - configMap - emptyDir - secret - projected - downwardAPI - persistentVolumeClaim --- apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: name: linkerd-psp namespace: linkerd labels: linkerd.io/control-plane-ns: linkerd rules: - apiGroups: ['policy', 'extensions'] resources: ['podsecuritypolicies'] verbs: ['use'] resourceNames: - linkerd-linkerd-control-plane --- apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: name: linkerd-psp namespace: linkerd labels: linkerd.io/control-plane-ns: linkerd roleRef: kind: Role name: linkerd-psp apiGroup: rbac.authorization.k8s.io subjects: - kind: ServiceAccount name: linkerd-controller namespace: linkerd - kind: ServiceAccount name: linkerd-destination namespace: linkerd - kind: ServiceAccount name: linkerd-heartbeat namespace: linkerd - kind: ServiceAccount name: linkerd-identity namespace: linkerd - kind: ServiceAccount name: linkerd-proxy-injector namespace: linkerd - kind: ServiceAccount name: linkerd-sp-validator namespace: linkerd --- kind: ConfigMap apiVersion: v1 metadata: name: linkerd-config namespace: linkerd labels: linkerd.io/control-plane-component: controller linkerd.io/control-plane-ns: linkerd annotations: linkerd.io/created-by: linkerd/cli edge-21.4.3 data: values: | cliVersion: linkerd/cli edge-21.4.3 clusterDomain: cluster.local clusterNetworks: 10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16 cniEnabled: false controlPlaneTracing: false controlPlaneTracingNamespace: linkerd-jaeger controllerImage: cr.l5d.io/linkerd/controller controllerImageVersion: edge-21.4.3 controllerLogFormat: plain controllerLogLevel: info controllerReplicas: 1 controllerUID: 2103 debugContainer: image: name: cr.l5d.io/linkerd/debug pullPolicy: "" version: edge-21.4.3 destinationProxyResources: null destinationResources: null disableHeartBeat: false enableEndpointSlices: false enableH2Upgrade: true enablePodAntiAffinity: false grafanaUrl: "" heartbeatResources: null heartbeatSchedule: "" highAvailability: false identity: issuer: clockSkewAllowance: 20s crtExpiry: "2022-04-15T05:27:01Z" issuanceLifetime: 24h0m0s scheme: linkerd.io/tls tls: crtPEM: | -----BEGIN CERTIFICATE----- MIIBhzCCAS6gAwIBAgIBATAKBggqhkjOPQQDAjAcMRowGAYDVQQDExFpZGVudGl0 eS5saW5rZXJkLjAeFw0yMTA0MTUwNTI2NDFaFw0yMjA0MTUwNTI3MDFaMBwxGjAY BgNVBAMTEWlkZW50aXR5LmxpbmtlcmQuMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcD QgAEweu0JGYyrUN0srwOTqZ/9zcXAGnVr+D1waEHFx+VaYmem9oDhHFheRSYj5nf wB3thzkiMUMWIySj8b0L30oBZqNhMF8wDgYDVR0PAQH/BAQDAgEGMB0GA1UdJQQW MBQGCCsGAQUFBwMBBggrBgEFBQcDAjAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQW BBSOfGBv5D+Wu3SuWlb4Ik4QAaSSzzAKBggqhkjOPQQDAgNHADBEAiBqpbTbtTk1 xu58ipPChrIE8LDtXN512SignhZ0TyTBcQIgGsq15mtTB99VLDJ4rGdD5MUXFsSm eOGdrDt4g23dFb4= -----END CERTIFICATE----- identityProxyResources: null identityResources: null identityTrustAnchorsPEM: | -----BEGIN CERTIFICATE----- MIIBhzCCAS6gAwIBAgIBATAKBggqhkjOPQQDAjAcMRowGAYDVQQDExFpZGVudGl0 eS5saW5rZXJkLjAeFw0yMTA0MTUwNTI2NDFaFw0yMjA0MTUwNTI3MDFaMBwxGjAY BgNVBAMTEWlkZW50aXR5LmxpbmtlcmQuMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcD QgAEweu0JGYyrUN0srwOTqZ/9zcXAGnVr+D1waEHFx+VaYmem9oDhHFheRSYj5nf wB3thzkiMUMWIySj8b0L30oBZqNhMF8wDgYDVR0PAQH/BAQDAgEGMB0GA1UdJQQW MBQGCCsGAQUFBwMBBggrBgEFBQcDAjAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQW BBSOfGBv5D+Wu3SuWlb4Ik4QAaSSzzAKBggqhkjOPQQDAgNHADBEAiBqpbTbtTk1 xu58ipPChrIE8LDtXN512SignhZ0TyTBcQIgGsq15mtTB99VLDJ4rGdD5MUXFsSm eOGdrDt4g23dFb4= -----END CERTIFICATE----- identityTrustDomain: cluster.local imagePullPolicy: IfNotPresent imagePullSecrets: [] installNamespace: true linkerdVersion: edge-21.4.3 namespace: linkerd nodeSelector: beta.kubernetes.io/os: linux omitWebhookSideEffects: false podAnnotations: {} podLabels: {} profileValidator: caBundle: "" crtPEM: "" externalSecret: false namespaceSelector: matchExpressions: - key: config.linkerd.io/admission-webhooks operator: NotIn values: - disabled prometheusUrl: "" proxy: capabilities: null disableIdentity: false enableExternalProfiles: false image: name: cr.l5d.io/linkerd/proxy pullPolicy: "" version: edge-21.4.3 inboundConnectTimeout: 100ms isGateway: false isIngress: false logFormat: plain logLevel: warn,linkerd=info opaquePorts: 25,443,587,3306,5432,11211 outboundConnectTimeout: 1000ms ports: admin: 4191 control: 4190 inbound: 4143 outbound: 4140 requireIdentityOnInboundPorts: "" resources: cpu: limit: "" request: "" memory: limit: "" request: "" saMountPath: null uid: 2102 waitBeforeExitSeconds: 0 proxyContainerName: linkerd-proxy proxyInit: capabilities: null closeWaitTimeoutSecs: 0 ignoreInboundPorts: "" ignoreOutboundPorts: "" image: name: cr.l5d.io/linkerd/proxy-init pullPolicy: "" version: v1.3.11 resources: cpu: limit: 100m request: 10m memory: limit: 50Mi request: 10Mi saMountPath: null xtMountPath: mountPath: /run name: linkerd-proxy-init-xtables-lock readOnly: false proxyInjector: caBundle: "" crtPEM: "" externalSecret: false namespaceSelector: matchExpressions: - key: config.linkerd.io/admission-webhooks operator: NotIn values: - disabled proxyInjectorProxyResources: null proxyInjectorResources: null publicAPIProxyResources: null publicAPIResources: null spValidatorProxyResources: null spValidatorResources: null tolerations: null webhookFailurePolicy: Ignore --- ### ### Identity Controller Service ### --- kind: Secret apiVersion: v1 metadata: name: linkerd-identity-issuer namespace: linkerd labels: linkerd.io/control-plane-component: identity linkerd.io/control-plane-ns: linkerd annotations: linkerd.io/created-by: linkerd/cli edge-21.4.3 linkerd.io/identity-issuer-expiry: 2022-04-15T05:27:01Z data: crt.pem: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUJoekNDQVM2Z0F3SUJBZ0lCQVRBS0JnZ3Foa2pPUFFRREFqQWNNUm93R0FZRFZRUURFeEZwWkdWdWRHbDAKZVM1c2FXNXJaWEprTGpBZUZ3MHlNVEEwTVRVd05USTJOREZhRncweU1qQTBNVFV3TlRJM01ERmFNQnd4R2pBWQpCZ05WQkFNVEVXbGtaVzUwYVhSNUxteHBibXRsY21RdU1Ga3dFd1lIS29aSXpqMENBUVlJS29aSXpqMERBUWNEClFnQUV3ZXUwSkdZeXJVTjBzcndPVHFaLzl6Y1hBR25WcitEMXdhRUhGeCtWYVltZW05b0RoSEZoZVJTWWo1bmYKd0IzdGh6a2lNVU1XSXlTajhiMEwzMG9CWnFOaE1GOHdEZ1lEVlIwUEFRSC9CQVFEQWdFR01CMEdBMVVkSlFRVwpNQlFHQ0NzR0FRVUZCd01CQmdnckJnRUZCUWNEQWpBUEJnTlZIUk1CQWY4RUJUQURBUUgvTUIwR0ExVWREZ1FXCkJCU09mR0J2NUQrV3UzU3VXbGI0SWs0UUFhU1N6ekFLQmdncWhrak9QUVFEQWdOSEFEQkVBaUJxcGJUYnRUazEKeHU1OGlwUENocklFOExEdFhONTEyU2lnbmhaMFR5VEJjUUlnR3NxMTVtdFRCOTlWTERKNHJHZEQ1TVVYRnNTbQplT0dkckR0NGcyM2RGYjQ9Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0= key.pem: LS0tLS1CRUdJTiBFQyBQUklWQVRFIEtFWS0tLS0tCk1IY0NBUUVFSUo4T2JTcnU4NHNGQVdhVlE1Y3Fhd2s0SnRBd3ZvVUUwUUU0R2svbmdHWWVvQW9HQ0NxR1NNNDkKQXdFSG9VUURRZ0FFd2V1MEpHWXlyVU4wc3J3T1RxWi85emNYQUduVnIrRDF3YUVIRngrVmFZbWVtOW9EaEhGaAplUlNZajVuZndCM3RoemtpTVVNV0l5U2o4YjBMMzBvQlpnPT0KLS0tLS1FTkQgRUMgUFJJVkFURSBLRVktLS0tLQ== --- kind: Service apiVersion: v1 metadata: name: linkerd-identity namespace: linkerd labels: linkerd.io/control-plane-component: identity linkerd.io/control-plane-ns: linkerd annotations: linkerd.io/created-by: linkerd/cli edge-21.4.3 spec: type: ClusterIP selector: linkerd.io/control-plane-component: identity ports: - name: grpc port: 8080 targetPort: 8080 --- kind: Service apiVersion: v1 metadata: name: linkerd-identity-headless namespace: linkerd labels: linkerd.io/control-plane-component: identity linkerd.io/control-plane-ns: linkerd annotations: linkerd.io/created-by: linkerd/cli edge-21.4.3 spec: clusterIP: None selector: linkerd.io/control-plane-component: identity ports: - name: grpc port: 8080 targetPort: 8080 --- apiVersion: apps/v1 kind: Deployment metadata: annotations: linkerd.io/created-by: linkerd/cli edge-21.4.3 labels: app.kubernetes.io/name: identity app.kubernetes.io/part-of: Linkerd app.kubernetes.io/version: edge-21.4.3 linkerd.io/control-plane-component: identity linkerd.io/control-plane-ns: linkerd name: linkerd-identity namespace: linkerd spec: replicas: 1 selector: matchLabels: linkerd.io/control-plane-component: identity linkerd.io/control-plane-ns: linkerd linkerd.io/proxy-deployment: linkerd-identity template: metadata: annotations: linkerd.io/created-by: linkerd/cli edge-21.4.3 linkerd.io/identity-mode: default linkerd.io/proxy-version: edge-21.4.3 labels: linkerd.io/control-plane-component: identity linkerd.io/control-plane-ns: linkerd linkerd.io/workload-ns: linkerd linkerd.io/proxy-deployment: linkerd-identity spec: nodeSelector: beta.kubernetes.io/os: linux containers: - args: - identity - -log-level=info - -log-format=plain - -controller-namespace=linkerd - -identity-trust-domain=cluster.local - -identity-issuance-lifetime=24h0m0s - -identity-clock-skew-allowance=20s - -identity-scheme=linkerd.io/tls env: - name: LINKERD2_IDENTITY_TRUST_ANCHORS value: "LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUJoekNDQVM2Z0F3SUJBZ0lCQVRBS0JnZ3Foa2pPUFFRREFqQWNNUm93R0FZRFZRUURFeEZwWkdWdWRHbDAKZVM1c2FXNXJaWEprTGpBZUZ3MHlNVEEwTVRVd05USTJOREZhRncweU1qQTBNVFV3TlRJM01ERmFNQnd4R2pBWQpCZ05WQkFNVEVXbGtaVzUwYVhSNUxteHBibXRsY21RdU1Ga3dFd1lIS29aSXpqMENBUVlJS29aSXpqMERBUWNEClFnQUV3ZXUwSkdZeXJVTjBzcndPVHFaLzl6Y1hBR25WcitEMXdhRUhGeCtWYVltZW05b0RoSEZoZVJTWWo1bmYKd0IzdGh6a2lNVU1XSXlTajhiMEwzMG9CWnFOaE1GOHdEZ1lEVlIwUEFRSC9CQVFEQWdFR01CMEdBMVVkSlFRVwpNQlFHQ0NzR0FRVUZCd01CQmdnckJnRUZCUWNEQWpBUEJnTlZIUk1CQWY4RUJUQURBUUgvTUIwR0ExVWREZ1FXCkJCU09mR0J2NUQrV3UzU3VXbGI0SWs0UUFhU1N6ekFLQmdncWhrak9QUVFEQWdOSEFEQkVBaUJxcGJUYnRUazEKeHU1OGlwUENocklFOExEdFhONTEyU2lnbmhaMFR5VEJjUUlnR3NxMTVtdFRCOTlWTERKNHJHZEQ1TVVYRnNTbQplT0dkckR0NGcyM2RGYjQ9Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K" - name: LINKERD_DISABLED value: "linkerd-await cannot block the identity controller" image: cr.l5d.io/linkerd/controller:edge-21.4.3 imagePullPolicy: IfNotPresent livenessProbe: httpGet: path: /ping port: 9990 initialDelaySeconds: 10 name: identity ports: - containerPort: 8080 name: grpc - containerPort: 9990 name: admin-http readinessProbe: failureThreshold: 7 httpGet: path: /ready port: 9990 securityContext: runAsUser: 2103 volumeMounts: - mountPath: /var/run/linkerd/identity/issuer name: identity-issuer - env: - name: LINKERD2_PROXY_LOG value: "warn,linkerd=info" - name: LINKERD2_PROXY_LOG_FORMAT value: "plain" - name: LINKERD2_PROXY_DESTINATION_SVC_ADDR value: linkerd-dst-headless.linkerd.svc.cluster.local.:8086 - name: LINKERD2_PROXY_DESTINATION_PROFILE_NETWORKS value: "10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16" - name: LINKERD2_PROXY_INBOUND_CONNECT_TIMEOUT value: "100ms" - name: LINKERD2_PROXY_OUTBOUND_CONNECT_TIMEOUT value: "1000ms" - name: LINKERD2_PROXY_CONTROL_LISTEN_ADDR value: 0.0.0.0:4190 - name: LINKERD2_PROXY_ADMIN_LISTEN_ADDR value: 0.0.0.0:4191 - name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDR value: 127.0.0.1:4140 - name: LINKERD2_PROXY_INBOUND_LISTEN_ADDR value: 0.0.0.0:4143 - name: LINKERD2_PROXY_DESTINATION_PROFILE_SUFFIXES value: svc.cluster.local. - name: LINKERD2_PROXY_INBOUND_ACCEPT_KEEPALIVE value: 10000ms - name: LINKERD2_PROXY_OUTBOUND_CONNECT_KEEPALIVE value: 10000ms - name: LINKERD2_PROXY_INBOUND_PORTS_DISABLE_PROTOCOL_DETECTION value: "25,443,587,3306,5432,11211" - name: _pod_ns valueFrom: fieldRef: fieldPath: metadata.namespace - name: _pod_nodeName valueFrom: fieldRef: fieldPath: spec.nodeName - name: LINKERD2_PROXY_DESTINATION_CONTEXT value: | {"ns":"$(_pod_ns)", "nodeName":"$(_pod_nodeName)"} - name: LINKERD2_PROXY_IDENTITY_DIR value: /var/run/linkerd/identity/end-entity - name: LINKERD2_PROXY_IDENTITY_TRUST_ANCHORS value: | -----BEGIN CERTIFICATE----- MIIBhzCCAS6gAwIBAgIBATAKBggqhkjOPQQDAjAcMRowGAYDVQQDExFpZGVudGl0 eS5saW5rZXJkLjAeFw0yMTA0MTUwNTI2NDFaFw0yMjA0MTUwNTI3MDFaMBwxGjAY BgNVBAMTEWlkZW50aXR5LmxpbmtlcmQuMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcD QgAEweu0JGYyrUN0srwOTqZ/9zcXAGnVr+D1waEHFx+VaYmem9oDhHFheRSYj5nf wB3thzkiMUMWIySj8b0L30oBZqNhMF8wDgYDVR0PAQH/BAQDAgEGMB0GA1UdJQQW MBQGCCsGAQUFBwMBBggrBgEFBQcDAjAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQW BBSOfGBv5D+Wu3SuWlb4Ik4QAaSSzzAKBggqhkjOPQQDAgNHADBEAiBqpbTbtTk1 xu58ipPChrIE8LDtXN512SignhZ0TyTBcQIgGsq15mtTB99VLDJ4rGdD5MUXFsSm eOGdrDt4g23dFb4= -----END CERTIFICATE----- - name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE value: /var/run/secrets/kubernetes.io/serviceaccount/token - name: LINKERD2_PROXY_IDENTITY_SVC_ADDR value: localhost.:8080 - name: _pod_sa valueFrom: fieldRef: fieldPath: spec.serviceAccountName - name: _l5d_ns value: linkerd - name: _l5d_trustdomain value: cluster.local - name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME value: $(_pod_sa).$(_pod_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - name: LINKERD2_PROXY_IDENTITY_SVC_NAME value: linkerd-identity.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - name: LINKERD2_PROXY_DESTINATION_SVC_NAME value: linkerd-destination.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) image: cr.l5d.io/linkerd/proxy:edge-21.4.3 imagePullPolicy: IfNotPresent livenessProbe: httpGet: path: /live port: 4191 initialDelaySeconds: 10 name: linkerd-proxy ports: - containerPort: 4143 name: linkerd-proxy - containerPort: 4191 name: linkerd-admin readinessProbe: httpGet: path: /ready port: 4191 initialDelaySeconds: 2 resources: securityContext: allowPrivilegeEscalation: false readOnlyRootFilesystem: true runAsUser: 2102 terminationMessagePolicy: FallbackToLogsOnError volumeMounts: - mountPath: /var/run/linkerd/identity/end-entity name: linkerd-identity-end-entity initContainers: - args: - --incoming-proxy-port - "4143" - --outgoing-proxy-port - "4140" - --proxy-uid - "2102" - --inbound-ports-to-ignore - "4190,4191" - --outbound-ports-to-ignore - "443" image: cr.l5d.io/linkerd/proxy-init:v1.3.11 imagePullPolicy: IfNotPresent name: linkerd-init resources: limits: cpu: "100m" memory: "50Mi" requests: cpu: "10m" memory: "10Mi" securityContext: allowPrivilegeEscalation: false capabilities: add: - NET_ADMIN - NET_RAW privileged: false readOnlyRootFilesystem: true runAsNonRoot: false runAsUser: 0 terminationMessagePolicy: FallbackToLogsOnError volumeMounts: - mountPath: /run name: linkerd-proxy-init-xtables-lock serviceAccountName: linkerd-identity volumes: - name: identity-issuer secret: secretName: linkerd-identity-issuer - emptyDir: {} name: linkerd-proxy-init-xtables-lock - emptyDir: medium: Memory name: linkerd-identity-end-entity --- ### ### Controller ### kind: Service apiVersion: v1 metadata: name: linkerd-controller-api namespace: linkerd labels: linkerd.io/control-plane-component: controller linkerd.io/control-plane-ns: linkerd annotations: linkerd.io/created-by: linkerd/cli edge-21.4.3 spec: type: ClusterIP selector: linkerd.io/control-plane-component: controller ports: - name: http port: 8085 targetPort: 8085 --- apiVersion: apps/v1 kind: Deployment metadata: annotations: linkerd.io/created-by: linkerd/cli edge-21.4.3 labels: app.kubernetes.io/name: controller app.kubernetes.io/part-of: Linkerd app.kubernetes.io/version: edge-21.4.3 linkerd.io/control-plane-component: controller linkerd.io/control-plane-ns: linkerd name: linkerd-controller namespace: linkerd spec: replicas: 1 selector: matchLabels: linkerd.io/control-plane-component: controller linkerd.io/control-plane-ns: linkerd linkerd.io/proxy-deployment: linkerd-controller template: metadata: annotations: linkerd.io/created-by: linkerd/cli edge-21.4.3 linkerd.io/identity-mode: default linkerd.io/proxy-version: edge-21.4.3 labels: linkerd.io/control-plane-component: controller linkerd.io/control-plane-ns: linkerd linkerd.io/workload-ns: linkerd linkerd.io/proxy-deployment: linkerd-controller spec: nodeSelector: beta.kubernetes.io/os: linux containers: - args: - public-api - -destination-addr=linkerd-dst.linkerd.svc.cluster.local:8086 - -controller-namespace=linkerd - -log-level=info - -log-format=plain - -cluster-domain=cluster.local image: cr.l5d.io/linkerd/controller:edge-21.4.3 imagePullPolicy: IfNotPresent livenessProbe: httpGet: path: /ping port: 9995 initialDelaySeconds: 10 name: public-api ports: - containerPort: 8085 name: http - containerPort: 9995 name: admin-http readinessProbe: failureThreshold: 7 httpGet: path: /ready port: 9995 securityContext: runAsUser: 2103 - env: - name: LINKERD2_PROXY_LOG value: "warn,linkerd=info" - name: LINKERD2_PROXY_LOG_FORMAT value: "plain" - name: LINKERD2_PROXY_DESTINATION_SVC_ADDR value: linkerd-dst-headless.linkerd.svc.cluster.local.:8086 - name: LINKERD2_PROXY_DESTINATION_PROFILE_NETWORKS value: "10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16" - name: LINKERD2_PROXY_INBOUND_CONNECT_TIMEOUT value: "100ms" - name: LINKERD2_PROXY_OUTBOUND_CONNECT_TIMEOUT value: "1000ms" - name: LINKERD2_PROXY_CONTROL_LISTEN_ADDR value: 0.0.0.0:4190 - name: LINKERD2_PROXY_ADMIN_LISTEN_ADDR value: 0.0.0.0:4191 - name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDR value: 127.0.0.1:4140 - name: LINKERD2_PROXY_INBOUND_LISTEN_ADDR value: 0.0.0.0:4143 - name: LINKERD2_PROXY_DESTINATION_PROFILE_SUFFIXES value: svc.cluster.local. - name: LINKERD2_PROXY_INBOUND_ACCEPT_KEEPALIVE value: 10000ms - name: LINKERD2_PROXY_OUTBOUND_CONNECT_KEEPALIVE value: 10000ms - name: LINKERD2_PROXY_INBOUND_PORTS_DISABLE_PROTOCOL_DETECTION value: "25,443,587,3306,5432,11211" - name: _pod_ns valueFrom: fieldRef: fieldPath: metadata.namespace - name: _pod_nodeName valueFrom: fieldRef: fieldPath: spec.nodeName - name: LINKERD2_PROXY_DESTINATION_CONTEXT value: | {"ns":"$(_pod_ns)", "nodeName":"$(_pod_nodeName)"} - name: LINKERD2_PROXY_IDENTITY_DIR value: /var/run/linkerd/identity/end-entity - name: LINKERD2_PROXY_IDENTITY_TRUST_ANCHORS value: | -----BEGIN CERTIFICATE----- MIIBhzCCAS6gAwIBAgIBATAKBggqhkjOPQQDAjAcMRowGAYDVQQDExFpZGVudGl0 eS5saW5rZXJkLjAeFw0yMTA0MTUwNTI2NDFaFw0yMjA0MTUwNTI3MDFaMBwxGjAY BgNVBAMTEWlkZW50aXR5LmxpbmtlcmQuMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcD QgAEweu0JGYyrUN0srwOTqZ/9zcXAGnVr+D1waEHFx+VaYmem9oDhHFheRSYj5nf wB3thzkiMUMWIySj8b0L30oBZqNhMF8wDgYDVR0PAQH/BAQDAgEGMB0GA1UdJQQW MBQGCCsGAQUFBwMBBggrBgEFBQcDAjAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQW BBSOfGBv5D+Wu3SuWlb4Ik4QAaSSzzAKBggqhkjOPQQDAgNHADBEAiBqpbTbtTk1 xu58ipPChrIE8LDtXN512SignhZ0TyTBcQIgGsq15mtTB99VLDJ4rGdD5MUXFsSm eOGdrDt4g23dFb4= -----END CERTIFICATE----- - name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE value: /var/run/secrets/kubernetes.io/serviceaccount/token - name: LINKERD2_PROXY_IDENTITY_SVC_ADDR value: linkerd-identity-headless.linkerd.svc.cluster.local.:8080 - name: _pod_sa valueFrom: fieldRef: fieldPath: spec.serviceAccountName - name: _l5d_ns value: linkerd - name: _l5d_trustdomain value: cluster.local - name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME value: $(_pod_sa).$(_pod_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - name: LINKERD2_PROXY_IDENTITY_SVC_NAME value: linkerd-identity.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - name: LINKERD2_PROXY_DESTINATION_SVC_NAME value: linkerd-destination.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) image: cr.l5d.io/linkerd/proxy:edge-21.4.3 imagePullPolicy: IfNotPresent livenessProbe: httpGet: path: /live port: 4191 initialDelaySeconds: 10 name: linkerd-proxy ports: - containerPort: 4143 name: linkerd-proxy - containerPort: 4191 name: linkerd-admin readinessProbe: httpGet: path: /ready port: 4191 initialDelaySeconds: 2 resources: securityContext: allowPrivilegeEscalation: false readOnlyRootFilesystem: true runAsUser: 2102 terminationMessagePolicy: FallbackToLogsOnError volumeMounts: - mountPath: /var/run/linkerd/identity/end-entity name: linkerd-identity-end-entity initContainers: - args: - --incoming-proxy-port - "4143" - --outgoing-proxy-port - "4140" - --proxy-uid - "2102" - --inbound-ports-to-ignore - "4190,4191" - --outbound-ports-to-ignore - "443" image: cr.l5d.io/linkerd/proxy-init:v1.3.11 imagePullPolicy: IfNotPresent name: linkerd-init resources: limits: cpu: "100m" memory: "50Mi" requests: cpu: "10m" memory: "10Mi" securityContext: allowPrivilegeEscalation: false capabilities: add: - NET_ADMIN - NET_RAW privileged: false readOnlyRootFilesystem: true runAsNonRoot: false runAsUser: 0 terminationMessagePolicy: FallbackToLogsOnError volumeMounts: - mountPath: /run name: linkerd-proxy-init-xtables-lock serviceAccountName: linkerd-controller volumes: - emptyDir: {} name: linkerd-proxy-init-xtables-lock - emptyDir: medium: Memory name: linkerd-identity-end-entity --- ### ### Destination Controller Service ### kind: Service apiVersion: v1 metadata: name: linkerd-dst namespace: linkerd labels: linkerd.io/control-plane-component: destination linkerd.io/control-plane-ns: linkerd annotations: linkerd.io/created-by: linkerd/cli edge-21.4.3 spec: type: ClusterIP selector: linkerd.io/control-plane-component: destination ports: - name: grpc port: 8086 targetPort: 8086 --- kind: Service apiVersion: v1 metadata: name: linkerd-dst-headless namespace: linkerd labels: linkerd.io/control-plane-component: destination linkerd.io/control-plane-ns: linkerd annotations: linkerd.io/created-by: linkerd/cli edge-21.4.3 spec: clusterIP: None selector: linkerd.io/control-plane-component: destination ports: - name: grpc port: 8086 targetPort: 8086 --- apiVersion: apps/v1 kind: Deployment metadata: annotations: linkerd.io/created-by: linkerd/cli edge-21.4.3 labels: app.kubernetes.io/name: destination app.kubernetes.io/part-of: Linkerd app.kubernetes.io/version: edge-21.4.3 linkerd.io/control-plane-component: destination linkerd.io/control-plane-ns: linkerd name: linkerd-destination namespace: linkerd spec: replicas: 1 selector: matchLabels: linkerd.io/control-plane-component: destination linkerd.io/control-plane-ns: linkerd linkerd.io/proxy-deployment: linkerd-destination template: metadata: annotations: linkerd.io/created-by: linkerd/cli edge-21.4.3 linkerd.io/identity-mode: default linkerd.io/proxy-version: edge-21.4.3 labels: linkerd.io/control-plane-component: destination linkerd.io/control-plane-ns: linkerd linkerd.io/workload-ns: linkerd linkerd.io/proxy-deployment: linkerd-destination spec: nodeSelector: beta.kubernetes.io/os: linux containers: - args: - destination - -addr=:8086 - -controller-namespace=linkerd - -enable-h2-upgrade=true - -log-level=info - -log-format=plain - -enable-endpoint-slices=false - -cluster-domain=cluster.local - -identity-trust-domain=cluster.local - -default-opaque-ports=25,443,587,3306,5432,11211 image: cr.l5d.io/linkerd/controller:edge-21.4.3 imagePullPolicy: IfNotPresent livenessProbe: httpGet: path: /ping port: 9996 initialDelaySeconds: 10 name: destination ports: - containerPort: 8086 name: grpc - containerPort: 9996 name: admin-http readinessProbe: failureThreshold: 7 httpGet: path: /ready port: 9996 securityContext: runAsUser: 2103 - env: - name: LINKERD2_PROXY_LOG value: "warn,linkerd=info" - name: LINKERD2_PROXY_LOG_FORMAT value: "plain" - name: LINKERD2_PROXY_DESTINATION_SVC_ADDR value: localhost.:8086 - name: LINKERD2_PROXY_DESTINATION_PROFILE_NETWORKS value: "10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16" - name: LINKERD2_PROXY_INBOUND_CONNECT_TIMEOUT value: "100ms" - name: LINKERD2_PROXY_OUTBOUND_CONNECT_TIMEOUT value: "1000ms" - name: LINKERD2_PROXY_CONTROL_LISTEN_ADDR value: 0.0.0.0:4190 - name: LINKERD2_PROXY_ADMIN_LISTEN_ADDR value: 0.0.0.0:4191 - name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDR value: 127.0.0.1:4140 - name: LINKERD2_PROXY_INBOUND_LISTEN_ADDR value: 0.0.0.0:4143 - name: LINKERD2_PROXY_DESTINATION_PROFILE_SUFFIXES value: svc.cluster.local. - name: LINKERD2_PROXY_INBOUND_ACCEPT_KEEPALIVE value: 10000ms - name: LINKERD2_PROXY_OUTBOUND_CONNECT_KEEPALIVE value: 10000ms - name: LINKERD2_PROXY_INBOUND_PORTS_DISABLE_PROTOCOL_DETECTION value: "25,443,587,3306,5432,11211" - name: _pod_ns valueFrom: fieldRef: fieldPath: metadata.namespace - name: _pod_nodeName valueFrom: fieldRef: fieldPath: spec.nodeName - name: LINKERD2_PROXY_DESTINATION_CONTEXT value: | {"ns":"$(_pod_ns)", "nodeName":"$(_pod_nodeName)"} - name: LINKERD2_PROXY_IDENTITY_DIR value: /var/run/linkerd/identity/end-entity - name: LINKERD2_PROXY_IDENTITY_TRUST_ANCHORS value: | -----BEGIN CERTIFICATE----- MIIBhzCCAS6gAwIBAgIBATAKBggqhkjOPQQDAjAcMRowGAYDVQQDExFpZGVudGl0 eS5saW5rZXJkLjAeFw0yMTA0MTUwNTI2NDFaFw0yMjA0MTUwNTI3MDFaMBwxGjAY BgNVBAMTEWlkZW50aXR5LmxpbmtlcmQuMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcD QgAEweu0JGYyrUN0srwOTqZ/9zcXAGnVr+D1waEHFx+VaYmem9oDhHFheRSYj5nf wB3thzkiMUMWIySj8b0L30oBZqNhMF8wDgYDVR0PAQH/BAQDAgEGMB0GA1UdJQQW MBQGCCsGAQUFBwMBBggrBgEFBQcDAjAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQW BBSOfGBv5D+Wu3SuWlb4Ik4QAaSSzzAKBggqhkjOPQQDAgNHADBEAiBqpbTbtTk1 xu58ipPChrIE8LDtXN512SignhZ0TyTBcQIgGsq15mtTB99VLDJ4rGdD5MUXFsSm eOGdrDt4g23dFb4= -----END CERTIFICATE----- - name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE value: /var/run/secrets/kubernetes.io/serviceaccount/token - name: LINKERD2_PROXY_IDENTITY_SVC_ADDR value: linkerd-identity-headless.linkerd.svc.cluster.local.:8080 - name: _pod_sa valueFrom: fieldRef: fieldPath: spec.serviceAccountName - name: _l5d_ns value: linkerd - name: _l5d_trustdomain value: cluster.local - name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME value: $(_pod_sa).$(_pod_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - name: LINKERD2_PROXY_IDENTITY_SVC_NAME value: linkerd-identity.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - name: LINKERD2_PROXY_DESTINATION_SVC_NAME value: linkerd-destination.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) image: cr.l5d.io/linkerd/proxy:edge-21.4.3 imagePullPolicy: IfNotPresent livenessProbe: httpGet: path: /live port: 4191 initialDelaySeconds: 10 name: linkerd-proxy ports: - containerPort: 4143 name: linkerd-proxy - containerPort: 4191 name: linkerd-admin readinessProbe: httpGet: path: /ready port: 4191 initialDelaySeconds: 2 resources: securityContext: allowPrivilegeEscalation: false readOnlyRootFilesystem: true runAsUser: 2102 terminationMessagePolicy: FallbackToLogsOnError volumeMounts: - mountPath: /var/run/linkerd/identity/end-entity name: linkerd-identity-end-entity initContainers: - args: - --incoming-proxy-port - "4143" - --outgoing-proxy-port - "4140" - --proxy-uid - "2102" - --inbound-ports-to-ignore - "4190,4191" - --outbound-ports-to-ignore - "443" image: cr.l5d.io/linkerd/proxy-init:v1.3.11 imagePullPolicy: IfNotPresent name: linkerd-init resources: limits: cpu: "100m" memory: "50Mi" requests: cpu: "10m" memory: "10Mi" securityContext: allowPrivilegeEscalation: false capabilities: add: - NET_ADMIN - NET_RAW privileged: false readOnlyRootFilesystem: true runAsNonRoot: false runAsUser: 0 terminationMessagePolicy: FallbackToLogsOnError volumeMounts: - mountPath: /run name: linkerd-proxy-init-xtables-lock serviceAccountName: linkerd-destination volumes: - emptyDir: {} name: linkerd-proxy-init-xtables-lock - emptyDir: medium: Memory name: linkerd-identity-end-entity --- ### ### Heartbeat ### apiVersion: batch/v1beta1 kind: CronJob metadata: name: linkerd-heartbeat namespace: linkerd labels: app.kubernetes.io/name: heartbeat app.kubernetes.io/part-of: Linkerd app.kubernetes.io/version: edge-21.4.3 linkerd.io/control-plane-component: heartbeat linkerd.io/control-plane-ns: linkerd annotations: linkerd.io/created-by: linkerd/cli edge-21.4.3 spec: concurrencyPolicy: Replace schedule: "36 05 * * *" successfulJobsHistoryLimit: 0 jobTemplate: spec: template: metadata: labels: linkerd.io/control-plane-component: heartbeat linkerd.io/workload-ns: linkerd annotations: linkerd.io/created-by: linkerd/cli edge-21.4.3 spec: nodeSelector: beta.kubernetes.io/os: linux serviceAccountName: linkerd-heartbeat restartPolicy: Never containers: - name: heartbeat image: cr.l5d.io/linkerd/controller:edge-21.4.3 imagePullPolicy: IfNotPresent env: - name: LINKERD_DISABLED value: "the heartbeat controller does not use the proxy" args: - "heartbeat" - "-controller-namespace=linkerd" - "-log-level=info" - "-log-format=plain" - "-prometheus-url=http://prometheus.linkerd-viz.svc.cluster.local:9090" securityContext: runAsUser: 2103 --- ### ### Proxy Injector ### apiVersion: apps/v1 kind: Deployment metadata: annotations: linkerd.io/created-by: linkerd/cli edge-21.4.3 labels: app.kubernetes.io/name: proxy-injector app.kubernetes.io/part-of: Linkerd app.kubernetes.io/version: edge-21.4.3 linkerd.io/control-plane-component: proxy-injector linkerd.io/control-plane-ns: linkerd name: linkerd-proxy-injector namespace: linkerd spec: replicas: 1 selector: matchLabels: linkerd.io/control-plane-component: proxy-injector template: metadata: annotations: checksum/config: 21210c2185a216dd8028027ff17506163783c644a4acf93f5ec998ce5b7cec43 linkerd.io/created-by: linkerd/cli edge-21.4.3 linkerd.io/identity-mode: default linkerd.io/proxy-version: edge-21.4.3 labels: linkerd.io/control-plane-component: proxy-injector linkerd.io/control-plane-ns: linkerd linkerd.io/workload-ns: linkerd linkerd.io/proxy-deployment: linkerd-proxy-injector spec: nodeSelector: beta.kubernetes.io/os: linux containers: - args: - proxy-injector - -log-level=info - -log-format=plain image: cr.l5d.io/linkerd/controller:edge-21.4.3 imagePullPolicy: IfNotPresent livenessProbe: httpGet: path: /ping port: 9995 initialDelaySeconds: 10 name: proxy-injector ports: - containerPort: 8443 name: proxy-injector - containerPort: 9995 name: admin-http readinessProbe: failureThreshold: 7 httpGet: path: /ready port: 9995 securityContext: runAsUser: 2103 volumeMounts: - mountPath: /var/run/linkerd/config name: config - mountPath: /var/run/linkerd/tls name: tls readOnly: true - env: - name: LINKERD2_PROXY_LOG value: "warn,linkerd=info" - name: LINKERD2_PROXY_LOG_FORMAT value: "plain" - name: LINKERD2_PROXY_DESTINATION_SVC_ADDR value: linkerd-dst-headless.linkerd.svc.cluster.local.:8086 - name: LINKERD2_PROXY_DESTINATION_PROFILE_NETWORKS value: "10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16" - name: LINKERD2_PROXY_INBOUND_CONNECT_TIMEOUT value: "100ms" - name: LINKERD2_PROXY_OUTBOUND_CONNECT_TIMEOUT value: "1000ms" - name: LINKERD2_PROXY_CONTROL_LISTEN_ADDR value: 0.0.0.0:4190 - name: LINKERD2_PROXY_ADMIN_LISTEN_ADDR value: 0.0.0.0:4191 - name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDR value: 127.0.0.1:4140 - name: LINKERD2_PROXY_INBOUND_LISTEN_ADDR value: 0.0.0.0:4143 - name: LINKERD2_PROXY_DESTINATION_PROFILE_SUFFIXES value: svc.cluster.local. - name: LINKERD2_PROXY_INBOUND_ACCEPT_KEEPALIVE value: 10000ms - name: LINKERD2_PROXY_OUTBOUND_CONNECT_KEEPALIVE value: 10000ms - name: LINKERD2_PROXY_INBOUND_PORTS_DISABLE_PROTOCOL_DETECTION value: "25,443,587,3306,5432,11211" - name: _pod_ns valueFrom: fieldRef: fieldPath: metadata.namespace - name: _pod_nodeName valueFrom: fieldRef: fieldPath: spec.nodeName - name: LINKERD2_PROXY_DESTINATION_CONTEXT value: | {"ns":"$(_pod_ns)", "nodeName":"$(_pod_nodeName)"} - name: LINKERD2_PROXY_IDENTITY_DIR value: /var/run/linkerd/identity/end-entity - name: LINKERD2_PROXY_IDENTITY_TRUST_ANCHORS value: | -----BEGIN CERTIFICATE----- MIIBhzCCAS6gAwIBAgIBATAKBggqhkjOPQQDAjAcMRowGAYDVQQDExFpZGVudGl0 eS5saW5rZXJkLjAeFw0yMTA0MTUwNTI2NDFaFw0yMjA0MTUwNTI3MDFaMBwxGjAY BgNVBAMTEWlkZW50aXR5LmxpbmtlcmQuMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcD QgAEweu0JGYyrUN0srwOTqZ/9zcXAGnVr+D1waEHFx+VaYmem9oDhHFheRSYj5nf wB3thzkiMUMWIySj8b0L30oBZqNhMF8wDgYDVR0PAQH/BAQDAgEGMB0GA1UdJQQW MBQGCCsGAQUFBwMBBggrBgEFBQcDAjAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQW BBSOfGBv5D+Wu3SuWlb4Ik4QAaSSzzAKBggqhkjOPQQDAgNHADBEAiBqpbTbtTk1 xu58ipPChrIE8LDtXN512SignhZ0TyTBcQIgGsq15mtTB99VLDJ4rGdD5MUXFsSm eOGdrDt4g23dFb4= -----END CERTIFICATE----- - name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE value: /var/run/secrets/kubernetes.io/serviceaccount/token - name: LINKERD2_PROXY_IDENTITY_SVC_ADDR value: linkerd-identity-headless.linkerd.svc.cluster.local.:8080 - name: _pod_sa valueFrom: fieldRef: fieldPath: spec.serviceAccountName - name: _l5d_ns value: linkerd - name: _l5d_trustdomain value: cluster.local - name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME value: $(_pod_sa).$(_pod_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - name: LINKERD2_PROXY_IDENTITY_SVC_NAME value: linkerd-identity.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - name: LINKERD2_PROXY_DESTINATION_SVC_NAME value: linkerd-destination.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) image: cr.l5d.io/linkerd/proxy:edge-21.4.3 imagePullPolicy: IfNotPresent livenessProbe: httpGet: path: /live port: 4191 initialDelaySeconds: 10 name: linkerd-proxy ports: - containerPort: 4143 name: linkerd-proxy - containerPort: 4191 name: linkerd-admin readinessProbe: httpGet: path: /ready port: 4191 initialDelaySeconds: 2 resources: securityContext: allowPrivilegeEscalation: false readOnlyRootFilesystem: true runAsUser: 2102 terminationMessagePolicy: FallbackToLogsOnError volumeMounts: - mountPath: /var/run/linkerd/identity/end-entity name: linkerd-identity-end-entity initContainers: - args: - --incoming-proxy-port - "4143" - --outgoing-proxy-port - "4140" - --proxy-uid - "2102" - --inbound-ports-to-ignore - "4190,4191" - --outbound-ports-to-ignore - "443" image: cr.l5d.io/linkerd/proxy-init:v1.3.11 imagePullPolicy: IfNotPresent name: linkerd-init resources: limits: cpu: "100m" memory: "50Mi" requests: cpu: "10m" memory: "10Mi" securityContext: allowPrivilegeEscalation: false capabilities: add: - NET_ADMIN - NET_RAW privileged: false readOnlyRootFilesystem: true runAsNonRoot: false runAsUser: 0 terminationMessagePolicy: FallbackToLogsOnError volumeMounts: - mountPath: /run name: linkerd-proxy-init-xtables-lock serviceAccountName: linkerd-proxy-injector volumes: - configMap: name: linkerd-config name: config - name: tls secret: secretName: linkerd-proxy-injector-k8s-tls - emptyDir: {} name: linkerd-proxy-init-xtables-lock - emptyDir: medium: Memory name: linkerd-identity-end-entity --- kind: Service apiVersion: v1 metadata: name: linkerd-proxy-injector namespace: linkerd labels: linkerd.io/control-plane-component: proxy-injector linkerd.io/control-plane-ns: linkerd annotations: linkerd.io/created-by: linkerd/cli edge-21.4.3 spec: type: ClusterIP selector: linkerd.io/control-plane-component: proxy-injector ports: - name: proxy-injector port: 443 targetPort: proxy-injector --- ### ### Service Profile Validator ### kind: Service apiVersion: v1 metadata: name: linkerd-sp-validator namespace: linkerd labels: linkerd.io/control-plane-component: sp-validator linkerd.io/control-plane-ns: linkerd annotations: linkerd.io/created-by: linkerd/cli edge-21.4.3 spec: type: ClusterIP selector: linkerd.io/control-plane-component: sp-validator ports: - name: sp-validator port: 443 targetPort: sp-validator --- apiVersion: apps/v1 kind: Deployment metadata: annotations: linkerd.io/created-by: linkerd/cli edge-21.4.3 labels: app.kubernetes.io/name: sp-validator app.kubernetes.io/part-of: Linkerd app.kubernetes.io/version: edge-21.4.3 linkerd.io/control-plane-component: sp-validator linkerd.io/control-plane-ns: linkerd name: linkerd-sp-validator namespace: linkerd spec: replicas: 1 selector: matchLabels: linkerd.io/control-plane-component: sp-validator template: metadata: annotations: checksum/config: 2fc29e224918533099d39b6322b373acd3cf75c24f6691d7da5c9930c3f253bf linkerd.io/created-by: linkerd/cli edge-21.4.3 linkerd.io/identity-mode: default linkerd.io/proxy-version: edge-21.4.3 labels: linkerd.io/control-plane-component: sp-validator linkerd.io/control-plane-ns: linkerd linkerd.io/workload-ns: linkerd linkerd.io/proxy-deployment: linkerd-sp-validator spec: nodeSelector: beta.kubernetes.io/os: linux containers: - args: - sp-validator - -log-level=info - -log-format=plain image: cr.l5d.io/linkerd/controller:edge-21.4.3 imagePullPolicy: IfNotPresent livenessProbe: httpGet: path: /ping port: 9997 initialDelaySeconds: 10 name: sp-validator ports: - containerPort: 8443 name: sp-validator - containerPort: 9997 name: admin-http readinessProbe: failureThreshold: 7 httpGet: path: /ready port: 9997 securityContext: runAsUser: 2103 volumeMounts: - mountPath: /var/run/linkerd/tls name: tls readOnly: true - env: - name: LINKERD2_PROXY_LOG value: "warn,linkerd=info" - name: LINKERD2_PROXY_LOG_FORMAT value: "plain" - name: LINKERD2_PROXY_DESTINATION_SVC_ADDR value: linkerd-dst-headless.linkerd.svc.cluster.local.:8086 - name: LINKERD2_PROXY_DESTINATION_PROFILE_NETWORKS value: "10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16" - name: LINKERD2_PROXY_INBOUND_CONNECT_TIMEOUT value: "100ms" - name: LINKERD2_PROXY_OUTBOUND_CONNECT_TIMEOUT value: "1000ms" - name: LINKERD2_PROXY_CONTROL_LISTEN_ADDR value: 0.0.0.0:4190 - name: LINKERD2_PROXY_ADMIN_LISTEN_ADDR value: 0.0.0.0:4191 - name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDR value: 127.0.0.1:4140 - name: LINKERD2_PROXY_INBOUND_LISTEN_ADDR value: 0.0.0.0:4143 - name: LINKERD2_PROXY_DESTINATION_PROFILE_SUFFIXES value: svc.cluster.local. - name: LINKERD2_PROXY_INBOUND_ACCEPT_KEEPALIVE value: 10000ms - name: LINKERD2_PROXY_OUTBOUND_CONNECT_KEEPALIVE value: 10000ms - name: LINKERD2_PROXY_INBOUND_PORTS_DISABLE_PROTOCOL_DETECTION value: "25,443,587,3306,5432,11211" - name: _pod_ns valueFrom: fieldRef: fieldPath: metadata.namespace - name: _pod_nodeName valueFrom: fieldRef: fieldPath: spec.nodeName - name: LINKERD2_PROXY_DESTINATION_CONTEXT value: | {"ns":"$(_pod_ns)", "nodeName":"$(_pod_nodeName)"} - name: LINKERD2_PROXY_IDENTITY_DIR value: /var/run/linkerd/identity/end-entity - name: LINKERD2_PROXY_IDENTITY_TRUST_ANCHORS value: | -----BEGIN CERTIFICATE----- MIIBhzCCAS6gAwIBAgIBATAKBggqhkjOPQQDAjAcMRowGAYDVQQDExFpZGVudGl0 eS5saW5rZXJkLjAeFw0yMTA0MTUwNTI2NDFaFw0yMjA0MTUwNTI3MDFaMBwxGjAY BgNVBAMTEWlkZW50aXR5LmxpbmtlcmQuMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcD QgAEweu0JGYyrUN0srwOTqZ/9zcXAGnVr+D1waEHFx+VaYmem9oDhHFheRSYj5nf wB3thzkiMUMWIySj8b0L30oBZqNhMF8wDgYDVR0PAQH/BAQDAgEGMB0GA1UdJQQW MBQGCCsGAQUFBwMBBggrBgEFBQcDAjAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQW BBSOfGBv5D+Wu3SuWlb4Ik4QAaSSzzAKBggqhkjOPQQDAgNHADBEAiBqpbTbtTk1 xu58ipPChrIE8LDtXN512SignhZ0TyTBcQIgGsq15mtTB99VLDJ4rGdD5MUXFsSm eOGdrDt4g23dFb4= -----END CERTIFICATE----- - name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE value: /var/run/secrets/kubernetes.io/serviceaccount/token - name: LINKERD2_PROXY_IDENTITY_SVC_ADDR value: linkerd-identity-headless.linkerd.svc.cluster.local.:8080 - name: _pod_sa valueFrom: fieldRef: fieldPath: spec.serviceAccountName - name: _l5d_ns value: linkerd - name: _l5d_trustdomain value: cluster.local - name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME value: $(_pod_sa).$(_pod_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - name: LINKERD2_PROXY_IDENTITY_SVC_NAME value: linkerd-identity.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) - name: LINKERD2_PROXY_DESTINATION_SVC_NAME value: linkerd-destination.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain) image: cr.l5d.io/linkerd/proxy:edge-21.4.3 imagePullPolicy: IfNotPresent livenessProbe: httpGet: path: /live port: 4191 initialDelaySeconds: 10 name: linkerd-proxy ports: - containerPort: 4143 name: linkerd-proxy - containerPort: 4191 name: linkerd-admin readinessProbe: httpGet: path: /ready port: 4191 initialDelaySeconds: 2 resources: securityContext: allowPrivilegeEscalation: false readOnlyRootFilesystem: true runAsUser: 2102 terminationMessagePolicy: FallbackToLogsOnError volumeMounts: - mountPath: /var/run/linkerd/identity/end-entity name: linkerd-identity-end-entity initContainers: - args: - --incoming-proxy-port - "4143" - --outgoing-proxy-port - "4140" - --proxy-uid - "2102" - --inbound-ports-to-ignore - "4190,4191" - --outbound-ports-to-ignore - "443" image: cr.l5d.io/linkerd/proxy-init:v1.3.11 imagePullPolicy: IfNotPresent name: linkerd-init resources: limits: cpu: "100m" memory: "50Mi" requests: cpu: "10m" memory: "10Mi" securityContext: allowPrivilegeEscalation: false capabilities: add: - NET_ADMIN - NET_RAW privileged: false readOnlyRootFilesystem: true runAsNonRoot: false runAsUser: 0 terminationMessagePolicy: FallbackToLogsOnError volumeMounts: - mountPath: /run name: linkerd-proxy-init-xtables-lock serviceAccountName: linkerd-sp-validator volumes: - name: tls secret: secretName: linkerd-sp-validator-k8s-tls - emptyDir: {} name: linkerd-proxy-init-xtables-lock - emptyDir: medium: Memory name: linkerd-identity-end-entity --- apiVersion: v1 data: linkerd-config-overrides: aWRlbnRpdHk6CiAgaXNzdWVyOgogICAgY3J0RXhwaXJ5OiAiMjAyMi0wNC0xNVQwNToyNzowMVoiCiAgICB0bHM6CiAgICAgIGNydFBFTTogfAogICAgICAgIC0tLS0tQkVHSU4gQ0VSVElGSUNBVEUtLS0tLQogICAgICAgIE1JSUJoekNDQVM2Z0F3SUJBZ0lCQVRBS0JnZ3Foa2pPUFFRREFqQWNNUm93R0FZRFZRUURFeEZwWkdWdWRHbDAKICAgICAgICBlUzVzYVc1clpYSmtMakFlRncweU1UQTBNVFV3TlRJMk5ERmFGdzB5TWpBME1UVXdOVEkzTURGYU1Cd3hHakFZCiAgICAgICAgQmdOVkJBTVRFV2xrWlc1MGFYUjVMbXhwYm10bGNtUXVNRmt3RXdZSEtvWkl6ajBDQVFZSUtvWkl6ajBEQVFjRAogICAgICAgIFFnQUV3ZXUwSkdZeXJVTjBzcndPVHFaLzl6Y1hBR25WcitEMXdhRUhGeCtWYVltZW05b0RoSEZoZVJTWWo1bmYKICAgICAgICB3QjN0aHpraU1VTVdJeVNqOGIwTDMwb0JacU5oTUY4d0RnWURWUjBQQVFIL0JBUURBZ0VHTUIwR0ExVWRKUVFXCiAgICAgICAgTUJRR0NDc0dBUVVGQndNQkJnZ3JCZ0VGQlFjREFqQVBCZ05WSFJNQkFmOEVCVEFEQVFIL01CMEdBMVVkRGdRVwogICAgICAgIEJCU09mR0J2NUQrV3UzU3VXbGI0SWs0UUFhU1N6ekFLQmdncWhrak9QUVFEQWdOSEFEQkVBaUJxcGJUYnRUazEKICAgICAgICB4dTU4aXBQQ2hySUU4TER0WE41MTJTaWduaFowVHlUQmNRSWdHc3ExNW10VEI5OVZMREo0ckdkRDVNVVhGc1NtCiAgICAgICAgZU9HZHJEdDRnMjNkRmI0PQogICAgICAgIC0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0KICAgICAga2V5UEVNOiB8CiAgICAgICAgLS0tLS1CRUdJTiBFQyBQUklWQVRFIEtFWS0tLS0tCiAgICAgICAgTUhjQ0FRRUVJSjhPYlNydTg0c0ZBV2FWUTVjcWF3azRKdEF3dm9VRTBRRTRHay9uZ0dZZW9Bb0dDQ3FHU000OQogICAgICAgIEF3RUhvVVFEUWdBRXdldTBKR1l5clVOMHNyd09UcVovOXpjWEFHblZyK0Qxd2FFSEZ4K1ZhWW1lbTlvRGhIRmgKICAgICAgICBlUlNZajVuZndCM3RoemtpTVVNV0l5U2o4YjBMMzBvQlpnPT0KICAgICAgICAtLS0tLUVORCBFQyBQUklWQVRFIEtFWS0tLS0tCmlkZW50aXR5VHJ1c3RBbmNob3JzUEVNOiB8CiAgLS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCiAgTUlJQmh6Q0NBUzZnQXdJQkFnSUJBVEFLQmdncWhrak9QUVFEQWpBY01Sb3dHQVlEVlFRREV4RnBaR1Z1ZEdsMAogIGVTNXNhVzVyWlhKa0xqQWVGdzB5TVRBME1UVXdOVEkyTkRGYUZ3MHlNakEwTVRVd05USTNNREZhTUJ3eEdqQVkKICBCZ05WQkFNVEVXbGtaVzUwYVhSNUxteHBibXRsY21RdU1Ga3dFd1lIS29aSXpqMENBUVlJS29aSXpqMERBUWNECiAgUWdBRXdldTBKR1l5clVOMHNyd09UcVovOXpjWEFHblZyK0Qxd2FFSEZ4K1ZhWW1lbTlvRGhIRmhlUlNZajVuZgogIHdCM3RoemtpTVVNV0l5U2o4YjBMMzBvQlpxTmhNRjh3RGdZRFZSMFBBUUgvQkFRREFnRUdNQjBHQTFVZEpRUVcKICBNQlFHQ0NzR0FRVUZCd01CQmdnckJnRUZCUWNEQWpBUEJnTlZIUk1CQWY4RUJUQURBUUgvTUIwR0ExVWREZ1FXCiAgQkJTT2ZHQnY1RCtXdTNTdVdsYjRJazRRQWFTU3p6QUtCZ2dxaGtqT1BRUURBZ05IQURCRUFpQnFwYlRidFRrMQogIHh1NThpcFBDaHJJRThMRHRYTjUxMlNpZ25oWjBUeVRCY1FJZ0dzcTE1bXRUQjk5VkxESjRyR2RENU1VWEZzU20KICBlT0dkckR0NGcyM2RGYjQ9CiAgLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo= kind: Secret metadata: creationTimestamp: null labels: linkerd.io/control-plane-ns: linkerd name: linkerd-config-overrides namespace: linkerd