marko/docker-development-youtube-series
1
0
Fork 0
mirror of https://github.com/marcel-dempers/docker-development-youtube-series.git synced 2025-06-08 17:03:36 +00:00
Code Issues Packages Projects Releases Wiki Activity
docker-development-youtube-.../kubernetes/servicemesh/linkerd/manifest/linkerd-edge-21.4.3.yaml
marcel-dempers fc920a27de tracing wip
2021-04-15 22:15:24 +10:00

2329 lines
86 KiB
YAML
Raw Blame History

---
###
### Linkerd Namespace
###
kind: Namespace
apiVersion: v1
metadata:
name: linkerd
annotations:
linkerd.io/inject: disabled
labels:
linkerd.io/is-control-plane: "true"
config.linkerd.io/admission-webhooks: disabled
linkerd.io/control-plane-ns: linkerd
---
###
### Identity Controller Service RBAC
###
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: linkerd-linkerd-identity
labels:
linkerd.io/control-plane-component: identity
linkerd.io/control-plane-ns: linkerd
rules:
- apiGroups: ["authentication.k8s.io"]
resources: ["tokenreviews"]
verbs: ["create"]
- apiGroups: ["apps"]
resources: ["deployments"]
verbs: ["get"]
- apiGroups: [""]
resources: ["events"]
verbs: ["create", "patch"]
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: linkerd-linkerd-identity
labels:
linkerd.io/control-plane-component: identity
linkerd.io/control-plane-ns: linkerd
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: linkerd-linkerd-identity
subjects:
- kind: ServiceAccount
name: linkerd-identity
namespace: linkerd
---
kind: ServiceAccount
apiVersion: v1
metadata:
name: linkerd-identity
namespace: linkerd
labels:
linkerd.io/control-plane-component: identity
linkerd.io/control-plane-ns: linkerd
---
###
### Controller RBAC
###
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: linkerd-linkerd-controller
labels:
linkerd.io/control-plane-component: controller
linkerd.io/control-plane-ns: linkerd
rules:
- apiGroups: ["extensions", "apps"]
resources: ["daemonsets", "deployments", "replicasets", "statefulsets"]
verbs: ["list", "get", "watch"]
- apiGroups: ["extensions", "batch"]
resources: ["cronjobs", "jobs"]
verbs: ["list" , "get", "watch"]
- apiGroups: [""]
resources: ["pods", "endpoints", "services", "replicationcontrollers", "namespaces"]
verbs: ["list", "get", "watch"]
- apiGroups: ["linkerd.io"]
resources: ["serviceprofiles"]
verbs: ["list", "get", "watch"]
- apiGroups: ["split.smi-spec.io"]
resources: ["trafficsplits"]
verbs: ["list", "get", "watch"]
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: linkerd-linkerd-controller
labels:
linkerd.io/control-plane-component: controller
linkerd.io/control-plane-ns: linkerd
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: linkerd-linkerd-controller
subjects:
- kind: ServiceAccount
name: linkerd-controller
namespace: linkerd
---
kind: ServiceAccount
apiVersion: v1
metadata:
name: linkerd-controller
namespace: linkerd
labels:
linkerd.io/control-plane-component: controller
linkerd.io/control-plane-ns: linkerd
---
###
### Destination Controller Service
###
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: linkerd-linkerd-destination
labels:
linkerd.io/control-plane-component: destination
linkerd.io/control-plane-ns: linkerd
rules:
- apiGroups: ["apps"]
resources: ["replicasets"]
verbs: ["list", "get", "watch"]
- apiGroups: ["batch"]
resources: ["jobs"]
verbs: ["list", "get", "watch"]
- apiGroups: [""]
resources: ["pods", "endpoints", "services", "nodes", "namespaces"]
verbs: ["list", "get", "watch"]
- apiGroups: ["linkerd.io"]
resources: ["serviceprofiles"]
verbs: ["list", "get", "watch"]
- apiGroups: ["split.smi-spec.io"]
resources: ["trafficsplits"]
verbs: ["list", "get", "watch"]
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: linkerd-linkerd-destination
labels:
linkerd.io/control-plane-component: destination
linkerd.io/control-plane-ns: linkerd
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: linkerd-linkerd-destination
subjects:
- kind: ServiceAccount
name: linkerd-destination
namespace: linkerd
---
kind: ServiceAccount
apiVersion: v1
metadata:
name: linkerd-destination
namespace: linkerd
labels:
linkerd.io/control-plane-component: destination
linkerd.io/control-plane-ns: linkerd
---
###
### Heartbeat RBAC
###
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: linkerd-heartbeat
namespace: linkerd
labels:
linkerd.io/control-plane-ns: linkerd
rules:
- apiGroups: [""]
resources: ["configmaps"]
verbs: ["get"]
resourceNames: ["linkerd-config"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: linkerd-heartbeat
namespace: linkerd
labels:
linkerd.io/control-plane-ns: linkerd
roleRef:
kind: Role
name: linkerd-heartbeat
apiGroup: rbac.authorization.k8s.io
subjects:
- kind: ServiceAccount
name: linkerd-heartbeat
namespace: linkerd
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: linkerd-heartbeat
labels:
linkerd.io/control-plane-ns: linkerd
rules:
- apiGroups: [""]
resources: ["namespaces"]
verbs: ["list"]
- apiGroups: ["linkerd.io"]
resources: ["serviceprofiles"]
verbs: ["list"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: linkerd-heartbeat
labels:
linkerd.io/control-plane-ns: linkerd
roleRef:
kind: ClusterRole
name: linkerd-heartbeat
apiGroup: rbac.authorization.k8s.io
subjects:
- kind: ServiceAccount
name: linkerd-heartbeat
namespace: linkerd
---
kind: ServiceAccount
apiVersion: v1
metadata:
name: linkerd-heartbeat
namespace: linkerd
labels:
linkerd.io/control-plane-component: heartbeat
linkerd.io/control-plane-ns: linkerd
---
###
### Service Profile CRD
###
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
name: serviceprofiles.linkerd.io
annotations:
linkerd.io/created-by: linkerd/cli edge-21.4.3
labels:
linkerd.io/control-plane-ns: linkerd
spec:
group: linkerd.io
versions:
- name: v1alpha1
served: true
storage: false
schema:
openAPIV3Schema:
type: object
properties:
spec:
type: object
description: Spec is the custom resource spec
required:
- routes
properties:
dstOverrides:
type: array
required:
- authority
- weight
items:
type: object
description: WeightedDst is a weighted alternate destination.
properties:
authority:
type: string
weight:
x-kubernetes-int-or-string: true
anyOf:
- type: integer
- type: string
pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
opaquePorts:
type: array
items:
type: string
retryBudget:
type: object
required:
- minRetriesPerSecond
- retryRatio
- ttl
description: RetryBudget describes the maximum number of retries that should be issued to this service.
properties:
minRetriesPerSecond:
format: int32
type: integer
retryRatio:
type: number
format: float
ttl:
type: string
routes:
type: array
items:
type: object
description: RouteSpec specifies a Route resource.
required:
- condition
- name
properties:
condition:
type: object
description: RequestMatch describes the conditions under which to match a Route.
properties:
pathRegex:
type: string
method:
type: string
all:
type: array
items:
type: object
x-kubernetes-preserve-unknown-fields: true
any:
type: array
items:
type: object
x-kubernetes-preserve-unknown-fields: true
not:
type: array
items:
type: object
x-kubernetes-preserve-unknown-fields: true
isRetryable:
type: boolean
name:
type: string
timeout:
type: string
responseClasses:
type: array
items:
type: object
required:
- condition
description: ResponseClass describes how to classify a response (e.g. success or failures).
properties:
condition:
type: object
description: ResponseMatch describes the conditions under
which to classify a response.
properties:
all:
type: array
items:
type: object
x-kubernetes-preserve-unknown-fields: true
any:
type: array
items:
type: object
x-kubernetes-preserve-unknown-fields: true
not:
type: array
items:
type: object
x-kubernetes-preserve-unknown-fields: true
status:
type: object
description: Range describes a range of integers (e.g. status codes).
properties:
max:
format: int32
type: integer
min:
format: int32
type: integer
isFailure:
type: boolean
- name: v1alpha2
served: true
storage: true
schema:
openAPIV3Schema:
type: object
properties:
spec:
type: object
description: Spec is the custom resource spec
required:
- routes
properties:
dstOverrides:
type: array
required:
- authority
- weight
items:
type: object
description: WeightedDst is a weighted alternate destination.
properties:
authority:
type: string
weight:
x-kubernetes-int-or-string: true
anyOf:
- type: integer
- type: string
pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
opaquePorts:
type: array
items:
type: string
retryBudget:
type: object
required:
- minRetriesPerSecond
- retryRatio
- ttl
description: RetryBudget describes the maximum number of retries that should be issued to this service.
properties:
minRetriesPerSecond:
format: int32
type: integer
retryRatio:
type: number
format: float
ttl:
type: string
routes:
type: array
items:
type: object
description: RouteSpec specifies a Route resource.
required:
- condition
- name
properties:
condition:
type: object
description: RequestMatch describes the conditions under which to match a Route.
properties:
pathRegex:
type: string
method:
type: string
all:
type: array
items:
type: object
x-kubernetes-preserve-unknown-fields: true
any:
type: array
items:
type: object
x-kubernetes-preserve-unknown-fields: true
not:
type: array
items:
type: object
x-kubernetes-preserve-unknown-fields: true
isRetryable:
type: boolean
name:
type: string
timeout:
type: string
responseClasses:
type: array
items:
type: object
required:
- condition
description: ResponseClass describes how to classify a response (e.g. success or failures).
properties:
condition:
type: object
description: ResponseMatch describes the conditions under
which to classify a response.
properties:
all:
type: array
items:
type: object
x-kubernetes-preserve-unknown-fields: true
any:
type: array
items:
type: object
x-kubernetes-preserve-unknown-fields: true
not:
type: array
items:
type: object
x-kubernetes-preserve-unknown-fields: true
status:
type: object
description: Range describes a range of integers (e.g. status codes).
properties:
max:
format: int32
type: integer
min:
format: int32
type: integer
isFailure:
type: boolean
scope: Namespaced
preserveUnknownFields: false
names:
plural: serviceprofiles
singular: serviceprofile
kind: ServiceProfile
shortNames:
- sp
---
###
### TrafficSplit CRD
### Copied from github.com/servicemeshinterface/smi-sdk-go/blob/d4e76b1cd7a33ead5f38d1262dd838a31c80f4e5/crds/split.yaml
###
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
name: trafficsplits.split.smi-spec.io
annotations:
linkerd.io/created-by: linkerd/cli edge-21.4.3
labels:
linkerd.io/control-plane-ns: linkerd
spec:
group: split.smi-spec.io
scope: Namespaced
conversion:
strategy: None
names:
kind: TrafficSplit
listKind: TrafficSplitList
shortNames:
- ts
plural: trafficsplits
singular: trafficsplit
versions:
- name: v1alpha1
served: true
storage: true
schema:
openAPIV3Schema:
type: object
properties:
spec:
type: object
required:
- service
- backends
properties:
service:
description: The apex service of this split.
type: string
backends:
description: The backend services of this split.
type: array
items:
type: object
required: ['service', 'weight']
properties:
service:
description: Name of the Kubernetes service.
type: string
weight:
description: Traffic weight value of this backend.
x-kubernetes-int-or-string: true
additionalPrinterColumns:
- name: Service
type: string
description: The apex service of this split.
jsonPath: .spec.service
- name: v1alpha2
served: true
storage: false
additionalPrinterColumns:
- name: Service
type: string
description: The apex service of this split.
jsonPath: .spec.service
schema:
openAPIV3Schema:
type: object
properties:
spec:
type: object
required:
- service
- backends
properties:
service:
description: The apex service of this split.
type: string
backends:
description: The backend services of this split.
type: array
items:
type: object
required: ['service', 'weight']
properties:
service:
description: Name of the Kubernetes service.
type: string
weight:
description: Traffic weight value of this backend.
type: number
preserveUnknownFields: false
---
###
### Proxy Injector RBAC
###
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: linkerd-linkerd-proxy-injector
labels:
linkerd.io/control-plane-component: proxy-injector
linkerd.io/control-plane-ns: linkerd
rules:
- apiGroups: [""]
resources: ["events"]
verbs: ["create", "patch"]
- apiGroups: [""]
resources: ["namespaces", "replicationcontrollers"]
verbs: ["list", "get", "watch"]
- apiGroups: [""]
resources: ["pods"]
verbs: ["list", "watch"]
- apiGroups: ["extensions", "apps"]
resources: ["deployments", "replicasets", "daemonsets", "statefulsets"]
verbs: ["list", "get", "watch"]
- apiGroups: ["extensions", "batch"]
resources: ["cronjobs", "jobs"]
verbs: ["list", "get", "watch"]
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: linkerd-linkerd-proxy-injector
labels:
linkerd.io/control-plane-component: proxy-injector
linkerd.io/control-plane-ns: linkerd
subjects:
- kind: ServiceAccount
name: linkerd-proxy-injector
namespace: linkerd
apiGroup: ""
roleRef:
kind: ClusterRole
name: linkerd-linkerd-proxy-injector
apiGroup: rbac.authorization.k8s.io
---
kind: ServiceAccount
apiVersion: v1
metadata:
name: linkerd-proxy-injector
namespace: linkerd
labels:
linkerd.io/control-plane-component: proxy-injector
linkerd.io/control-plane-ns: linkerd
---
kind: Secret
apiVersion: v1
metadata:
name: linkerd-proxy-injector-k8s-tls
namespace: linkerd
labels:
linkerd.io/control-plane-component: proxy-injector
linkerd.io/control-plane-ns: linkerd
annotations:
linkerd.io/created-by: linkerd/cli edge-21.4.3
type: kubernetes.io/tls
data:
tls.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURVekNDQWp1Z0F3SUJBZ0lSQU5nTTJmVHlxTkJYdHo0UDNQNURHbTB3RFFZSktvWklodmNOQVFFTEJRQXcKTFRFck1Da0dBMVVFQXhNaWJHbHVhMlZ5WkMxd2NtOTRlUzFwYm1wbFkzUnZjaTVzYVc1clpYSmtMbk4yWXpBZQpGdzB5TVRBME1UVXdOVEkyTlRGYUZ3MHlNakEwTVRVd05USTJOVEZhTUMweEt6QXBCZ05WQkFNVElteHBibXRsCmNtUXRjSEp2ZUhrdGFXNXFaV04wYjNJdWJHbHVhMlZ5WkM1emRtTXdnZ0VpTUEwR0NTcUdTSWIzRFFFQkFRVUEKQTRJQkR3QXdnZ0VLQW9JQkFRREtxQitNZnhwOXhRYzRJUnBlSzIzekJ1WWxTb05MOTk4VUpEajVWRUhMQWp4RgpZMVFUakdjYjNwRElnWWk2MDd5OFJtOVEzY1hXZ2tCS0FBZThHM1Fld2REczNtRXRreWhickt3L3psWEZ0aHZFCnByTmJIM3o5OGoxcEZ5V29Rc1ZuY2grZ1lXRjJSTzRrSjlOSnd5V0MzYkgxVm56SFNYc25HVXFrT3MwR0ZMdG0KWmFHY0ovd2hJODYyS0N3Z28zRnNWOVljZUNQTjAyRjk0RmlrWitPNUovWjhzWVVlZ1BmZkJDSjYzeHVSSVFwYwp5a0hBNGxkZ0pIM20vNWlCY3VqK0xqY0V1RnVrZlNHckJ6NFMrT05qL3lxMUYwV3FWQWF3d2xsTlVrdEpxc21KCkg5LysvK3JybHpyUWNKemVTckxnZGZ6a2FreWdmYjRYdmpaMkZWZEpBZ01CQUFHamJqQnNNQTRHQTFVZER3RUIKL3dRRUF3SUZvREFkQmdOVkhTVUVGakFVQmdnckJnRUZCUWNEQVFZSUt3WUJCUVVIQXdJd0RBWURWUjBUQVFILwpCQUl3QURBdEJnTlZIUkVFSmpBa2dpSnNhVzVyWlhKa0xYQnliM2g1TFdsdWFtVmpkRzl5TG14cGJtdGxjbVF1CmMzWmpNQTBHQ1NxR1NJYjNEUUVCQ3dVQUE0SUJBUUN2bHVVbk5hRXhXb2s2QzhzTTdSQXdUR1BxdWQvU0tldk8KVmVwaGF4SEFmbTF2WEovbE5acGh6STVrT2swT1czZFdDZ09tVklKT1VuSGJkcVBPTFJXZW9jTWtFOVRXc05WNwpmemhMU2FjRWhSdEdtSmZFRVZZa2lSbDlLVzh2T3ZWaWpMcGlPUTc1V0xCY0N1SUZydm5sU3dmR0YxVnVONnM3CmNucmxZNnFCdnIrTGNzVExsRlFpN1MzQVlZRGQrdHdDdmxjZnR3YUpoemhhTTA0K01tV09nR0tBT2JkZXkxazcKdFdKL2NUMGhLdmoyY0dvcnpTanZ4NFhMOVhWZU9TTGc3VGkyVGZyZWxYYUszdHRBSVQrYUdlWmQyUXlidndwRgpyNFNXYW1jcldURnhPaE9jaWpDRUFSdGpCM3lTQ1VwY1BGUTVmbnJpVjFvWnJKcmhnelhiCi0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0=
tls.key: LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlFb2dJQkFBS0NBUUVBeXFnZmpIOGFmY1VIT0NFYVhpdHQ4d2JtSlVxRFMvZmZGQ1E0K1ZSQnl3SThSV05VCkU0eG5HOTZReUlHSXV0Tzh2RVp2VU4zRjFvSkFTZ0FIdkJ0MEhzSFE3TjVoTFpNb1c2eXNQODVWeGJZYnhLYXoKV3g5OC9mSTlhUmNscUVMRlozSWZvR0ZoZGtUdUpDZlRTY01sZ3QyeDlWWjh4MGw3SnhsS3BEck5CaFM3Wm1XaApuQ2Y4SVNQT3RpZ3NJS054YkZmV0hIZ2p6ZE5oZmVCWXBHZmp1U2YyZkxHRkhvRDMzd1FpZXQ4YmtTRUtYTXBCCndPSlhZQ1I5NXYrWWdYTG8vaTQzQkxoYnBIMGhxd2MrRXZqalkvOHF0UmRGcWxRR3NNSlpUVkpMU2FySmlSL2YKL3YvcTY1YzYwSENjM2txeTRIWDg1R3BNb0gyK0Y3NDJkaFZYU1FJREFRQUJBb0lCQUc1R21oUkx2ZENlZkZVdwp2alpzRDRKbFNLc1dKdWdaMDR3VVFlUjYwdXB6SnZUakhnY2RLYVppc0FwTFltbTNla1pCVmFWOWFJQlhsRUF3ClVBVXVNenZoWDV6bFRhQU5LYkxvL1RvalAwMDgwVk5yR3NJRkduRGRka2xQVFRDSVZQNzdmUFk2eDF3aUdpd1cKZDhUMXFkM1NZVm9OWEF6ZGtXUXZRUXlvNnBQWmtDQkdGendjZ05yNWhzZnB6c0VqZzNxUHpFU3FNaWJWWXM5UwpIbFJ0QXFOZDFhMUNhWWpaRHNBeitSclFZNDFKamJGT0RQR2p0YkxvaG1GOXdBOTV0SVYrd0cyYnM3S1hNd2FHCkUybG9ORUkwNVdPWmZYNk9ZaHZoQThIdTdzWmRBL2dTam52UDgwMUw3SVl0bG90M3VVYVY0VmtzT280V1JYZXgKbUs3MU1Ca0NnWUVBN1RoaWR2Q0ZFZ1kvY0ZHSHM4NVpGampEUE4xa2FnV3dFNzVacDg1Vlg2cVUxbzh0bTlCVApicndBb1JBbndGQW9CdDNUVTNSeW5vTkZOWFFhOVU4YzEwMFlWUWlOYmpXMU9XdU5Kem95VzRjZURJR1dlSEd0CjNjUnRhd01wY0g3UXZLY254U3RCMmllRjdETVhqaXB0MDBtV2ZDZ2x4Z1BMaXgyUnJuL2ZJWWNDZ1lFQTJyTkMKSURBNXIxaHp4TFNJcFp4dG5OZGJMYzg3aUNnVEo1VUZ6M0VFbkZGTmdBTHZjSkZ6VzFRdWFNWko5N3Uzbi9BdgpsUFVEQjZaUVhTNGk2K1JMQ3Y0bEVySWdxc3k2RGpJUFBxbVo0ZjVEK0EwUUpndytZZTdadkdDOC9Ed2svZGZVClR3cDdqa2ZGSlBiVm1YRDFCK3Ara0pQNGR0dzBvc2FOaGovU05LOENnWUFZZktLRlhveU44TUVwcWZEVkdhN08KZ1d0OTQraVNuU1d3MUF4VEt4UmEvTFBDZGlNaUcxNFJaeXkxYzRKMjhvOC9MalM3UDZENVJkbW1DK2NnZlZzZgp5bUNCbnBGaTEvNXQvL0VoSkh2QVFQRlVIeWhXSkgzckQzU3dBREtOM3psU3ovcGwrdklnUDhZdVBKUG80KzVVClNodFRrNTFhbEZlMWM0YnZPVm5pRHdLQmdDc0M0RGxtWXFIcW1uSVFNMk9tdlNRQWNxMHl1WG1Rc0J1endqM0cKODJvdXp6Z2kyNlplNUxvTWQwZ2gzMEE2aWVXSm5rSUVZY0VxWTFuQURod29mTjIvbDlqeWNWeEdBVDF6ZU80UQordk9vUndQTXhlVkZ1U3NYaDNqMTZaVU4yeFNWVXVyc205b2lvVklndldkOUFLTzY2WU5UcHFUeHIrUm5la1B4CjMweC9Bb0dBRVVrSzFjZFRuSmJnbzVya3VLWGIxci9QcHhQZERPaEplV21TZnFNMTQvMmZQWm1HbGVFV3UvWVAKZTY0UTNvSFBxNE9YZ29nekpETVp1SFBpTGp1ZWdIUGNCbmJSQ0Z4NzVOU29oeE90MjN3dFJMdTdOajh2N0t6WQo1KzRQdFdJc054MldHbE8xQXBveGNWVGtPZWozUk1Od3NIWXRNb3RscWhoRTRoZkZjUlk9Ci0tLS0tRU5EIFJTQSBQUklWQVRFIEtFWS0tLS0t
---
apiVersion: admissionregistration.k8s.io/v1
kind: MutatingWebhookConfiguration
metadata:
name: linkerd-proxy-injector-webhook-config
labels:
linkerd.io/control-plane-component: proxy-injector
linkerd.io/control-plane-ns: linkerd
webhooks:
- name: linkerd-proxy-injector.linkerd.io
namespaceSelector:
matchExpressions:
- key: config.linkerd.io/admission-webhooks
operator: NotIn
values:
- disabled
clientConfig:
service:
name: linkerd-proxy-injector
namespace: linkerd
path: "/"
caBundle: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURVekNDQWp1Z0F3SUJBZ0lSQU5nTTJmVHlxTkJYdHo0UDNQNURHbTB3RFFZSktvWklodmNOQVFFTEJRQXcKTFRFck1Da0dBMVVFQXhNaWJHbHVhMlZ5WkMxd2NtOTRlUzFwYm1wbFkzUnZjaTVzYVc1clpYSmtMbk4yWXpBZQpGdzB5TVRBME1UVXdOVEkyTlRGYUZ3MHlNakEwTVRVd05USTJOVEZhTUMweEt6QXBCZ05WQkFNVElteHBibXRsCmNtUXRjSEp2ZUhrdGFXNXFaV04wYjNJdWJHbHVhMlZ5WkM1emRtTXdnZ0VpTUEwR0NTcUdTSWIzRFFFQkFRVUEKQTRJQkR3QXdnZ0VLQW9JQkFRREtxQitNZnhwOXhRYzRJUnBlSzIzekJ1WWxTb05MOTk4VUpEajVWRUhMQWp4RgpZMVFUakdjYjNwRElnWWk2MDd5OFJtOVEzY1hXZ2tCS0FBZThHM1Fld2REczNtRXRreWhickt3L3psWEZ0aHZFCnByTmJIM3o5OGoxcEZ5V29Rc1ZuY2grZ1lXRjJSTzRrSjlOSnd5V0MzYkgxVm56SFNYc25HVXFrT3MwR0ZMdG0KWmFHY0ovd2hJODYyS0N3Z28zRnNWOVljZUNQTjAyRjk0RmlrWitPNUovWjhzWVVlZ1BmZkJDSjYzeHVSSVFwYwp5a0hBNGxkZ0pIM20vNWlCY3VqK0xqY0V1RnVrZlNHckJ6NFMrT05qL3lxMUYwV3FWQWF3d2xsTlVrdEpxc21KCkg5LysvK3JybHpyUWNKemVTckxnZGZ6a2FreWdmYjRYdmpaMkZWZEpBZ01CQUFHamJqQnNNQTRHQTFVZER3RUIKL3dRRUF3SUZvREFkQmdOVkhTVUVGakFVQmdnckJnRUZCUWNEQVFZSUt3WUJCUVVIQXdJd0RBWURWUjBUQVFILwpCQUl3QURBdEJnTlZIUkVFSmpBa2dpSnNhVzVyWlhKa0xYQnliM2g1TFdsdWFtVmpkRzl5TG14cGJtdGxjbVF1CmMzWmpNQTBHQ1NxR1NJYjNEUUVCQ3dVQUE0SUJBUUN2bHVVbk5hRXhXb2s2QzhzTTdSQXdUR1BxdWQvU0tldk8KVmVwaGF4SEFmbTF2WEovbE5acGh6STVrT2swT1czZFdDZ09tVklKT1VuSGJkcVBPTFJXZW9jTWtFOVRXc05WNwpmemhMU2FjRWhSdEdtSmZFRVZZa2lSbDlLVzh2T3ZWaWpMcGlPUTc1V0xCY0N1SUZydm5sU3dmR0YxVnVONnM3CmNucmxZNnFCdnIrTGNzVExsRlFpN1MzQVlZRGQrdHdDdmxjZnR3YUpoemhhTTA0K01tV09nR0tBT2JkZXkxazcKdFdKL2NUMGhLdmoyY0dvcnpTanZ4NFhMOVhWZU9TTGc3VGkyVGZyZWxYYUszdHRBSVQrYUdlWmQyUXlidndwRgpyNFNXYW1jcldURnhPaE9jaWpDRUFSdGpCM3lTQ1VwY1BGUTVmbnJpVjFvWnJKcmhnelhiCi0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0=
failurePolicy: Ignore
admissionReviewVersions: ["v1", "v1beta1"]
rules:
- operations: [ "CREATE" ]
apiGroups: [""]
apiVersions: ["v1"]
resources: ["pods", "services"]
sideEffects: None
---
###
### Service Profile Validator RBAC
###
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: linkerd-linkerd-sp-validator
labels:
linkerd.io/control-plane-component: sp-validator
linkerd.io/control-plane-ns: linkerd
rules:
- apiGroups: [""]
resources: ["pods"]
verbs: ["list"]
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: linkerd-linkerd-sp-validator
labels:
linkerd.io/control-plane-component: sp-validator
linkerd.io/control-plane-ns: linkerd
subjects:
- kind: ServiceAccount
name: linkerd-sp-validator
namespace: linkerd
apiGroup: ""
roleRef:
kind: ClusterRole
name: linkerd-linkerd-sp-validator
apiGroup: rbac.authorization.k8s.io
---
kind: ServiceAccount
apiVersion: v1
metadata:
name: linkerd-sp-validator
namespace: linkerd
labels:
linkerd.io/control-plane-component: sp-validator
linkerd.io/control-plane-ns: linkerd
---
kind: Secret
apiVersion: v1
metadata:
name: linkerd-sp-validator-k8s-tls
namespace: linkerd
labels:
linkerd.io/control-plane-component: sp-validator
linkerd.io/control-plane-ns: linkerd
annotations:
linkerd.io/created-by: linkerd/cli edge-21.4.3
type: kubernetes.io/tls
data:
tls.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURUVENDQWpXZ0F3SUJBZ0lSQUxyYTNKOXBseXh2ZVhRRm9xeWtYL013RFFZSktvWklodmNOQVFFTEJRQXcKS3pFcE1DY0dBMVVFQXhNZ2JHbHVhMlZ5WkMxemNDMTJZV3hwWkdGMGIzSXViR2x1YTJWeVpDNXpkbU13SGhjTgpNakV3TkRFMU1EVXlOalV4V2hjTk1qSXdOREUxTURVeU5qVXhXakFyTVNrd0p3WURWUVFERXlCc2FXNXJaWEprCkxYTndMWFpoYkdsa1lYUnZjaTVzYVc1clpYSmtMbk4yWXpDQ0FTSXdEUVlKS29aSWh2Y05BUUVCQlFBRGdnRVAKQURDQ0FRb0NnZ0VCQUtGN3B3V1QzWjlPU2VMakNITGdSYllhNEs5WGZZTEdnc1kvN3hBY1ExYjBKMit5ZWZ5dgo3WERXbXFON1AvRDNVZFVsRDRMOU13dlRnc21CWVQwRXF4d3NzY1pvUFErKzU1bmpBWFBMVGw5NFhZL3ZwV2d0ClVzZXM0bmtrd1o3RW1xVFE1ZG9UaW8xN3RCaWZxQXlJK3M1VnM3WVAyY3RSZkFXZU5weFpVNHNHSFU2YkNkMTAKMWZhckhnY3RhbTUrcS84cHI1aGZqUk5ENitBY2taYS8wbTQwNUtjbFBqV1lRY0V6MHZNdTl1aFduOWY3d0VGOQpaaVlQY3A3RDV4VVFJSUszbFdRWFpHZWc0RHhZeTdLN0VJTXdIUktRMDZBTTgraWQ5ZGo3ZWdoaU9UNVYvZXdGCnJWdFB3UmxwaU5GZjQ1VFdSQlgzelkxSCs0M0dZMm1Jam9NQ0F3RUFBYU5zTUdvd0RnWURWUjBQQVFIL0JBUUQKQWdXZ01CMEdBMVVkSlFRV01CUUdDQ3NHQVFVRkJ3TUJCZ2dyQmdFRkJRY0RBakFNQmdOVkhSTUJBZjhFQWpBQQpNQ3NHQTFVZEVRUWtNQ0tDSUd4cGJtdGxjbVF0YzNBdGRtRnNhV1JoZEc5eUxteHBibXRsY21RdWMzWmpNQTBHCkNTcUdTSWIzRFFFQkN3VUFBNElCQVFCQmQ3WWRoamxZVXlWeEpzRzgwNHZ3eDQxQlNKYzl5YlVJcEFjVWd2d28KYjBEQ3ZrNnJEVDJqcnF1d0Z6eTZKQloyeFd6aWMrYlRoU2NsTjNtRXhlZE8rRWN2clVXUUtnVzVqM1V6WWxNTwpUMHpHUWs0RWJPVFZCWE82ZVYzclNteW54MENnem84V2NKQ1U3ODFGbUJod2JSQ1ZIY3pNZ1lnYWsxZ05oV2xECi9HK3BmMWlvbHVLb2czTytPdGhLNUxYWEhqSk0yUGt1ZEtNemV4TXpncjM1Mi96akdFdlV3TlVuaytWYVE5VkwKNnNhejJWYWdsN01panA3Rk5kTUZiQXRrdmRiK2NTL1RQQWFnbGtSY2c2MnRZTTZKYWlReFZUNXhUNzZMUjI2RQpQMHJ6OEVsQ1NxcEZsbXI4NEZaREFoUWE1bWJlWlBHUGY4K1F4a041dnBNbQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0t
tls.key: LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlFb3dJQkFBS0NBUUVBb1h1bkJaUGRuMDVKNHVNSWN1QkZ0aHJncjFkOWdzYUN4ai92RUJ4RFZ2UW5iN0o1Ci9LL3RjTmFhbzNzLzhQZFIxU1VQZ3YwekM5T0N5WUZoUFFTckhDeXh4bWc5RDc3bm1lTUJjOHRPWDNoZGorK2wKYUMxU3g2emllU1RCbnNTYXBORGwyaE9Lalh1MEdKK29ESWo2emxXenRnL1p5MUY4Qlo0Mm5GbFRpd1lkVHBzSgozWFRWOXFzZUJ5MXFibjZyL3ltdm1GK05FMFByNEJ5UmxyL1NialRrcHlVK05aaEJ3VFBTOHk3MjZGYWYxL3ZBClFYMW1KZzl5bnNQbkZSQWdncmVWWkJka1o2RGdQRmpMc3JzUWd6QWRFcERUb0F6ejZKMzEyUHQ2Q0dJNVBsWDkKN0FXdFcwL0JHV21JMFYvamxOWkVGZmZOalVmN2pjWmphWWlPZ3dJREFRQUJBb0lCQUVOVmF4U0JUcFVCc1A5aApTWUdWRUp4WllyemFUMlI3WDhaSW5HZHNVWXZ0YkpBL3JHdjM4NXJzY1RpZnlNNnlZYlh0cVNVbWJPV09nV2VDCmdraE9MUWNuZjgxS1k4T3dCNlI4S252ZEYwWHB5NkdiL0syTzBJaWdCeU1hZDMyN1h2eEFlc2RQQktQd0krMXMKalVjRXl3ZkVacFlRei9EZWZrZGRiRW9QV1MyTGFuTDhWU0JYdHNhM1FzV1lia1NpZXF4Yis3Y2FjMzN4Rkh3UApvZ01vWnRVTURoOGVkeVJxaXU4clJHMEliWDNHUDlBTnNhdkRraGhYU3R0SUhtcW5SWWprc2tHNTU0QTRidUlICjRxRGVDQnZNQU53bFpBNlMvWmQ0bUJjTlBxTVhMaS9PQ3ZtT2tvNEtXdXFhRitGcWQ0N3hoRFNtcWIzTCtIak8KOFhrU0plRUNnWUVBMDlPRzZ2WG1XbDh2Y2dJRE9pTnhXaVJ0ZmVkSStXVWNUYXlyTXNYQVg4dThaMlEzdG14Ygp0RTFKZm4vRTNDRVozc1p4WDRaNVhrWTBnWWhpWExtUVp3emExZFJITVhTSDljTFFLb1B4WVMwR3lwbUZjUDliCjBqQk1YSktudjJWV21TVmRUZ1hRTjN4VDRFYmZzNE55Ukl5Y1NQK2VoeWttSkFqL2NZQUVScEVDZ1lFQXd5aUYKTHE3dHFTbkRzcmc3a1U3Tk5pTE9ldE85TEJnb2NEaXJTc3lFRzhVbThzem5hNFlidEhrclBxWU16YlNrNjgxMwp2UEh3TG1XR0laU1BKWlowYnlrNnpVWEpIOERiYzRzWGNHQ3ZZNXRvcHpsVWgyWEVRQlBTNk9ETmVwTkFySVVKCjc0bzg0UDBYOUYrMjVmUzdZOTZFODZOZDZKRHAveDZQQ0xId2xkTUNnWUFsbzNkY3RwYll4Z01MTWZwYTBVTnAKN2dFYWx3Y3JjV0RuR0dCUEpENDdoMXNSMEFmcVBUVEtROVZrU2RXeis1bTZNTzZpTjZYSEw1aFN6K1lTYmRLUAp6UVB4Yk1lOXJPUWZzaDhFL3U3Y0FvRXJiTDMrUnhHTXRwSksvTEFiM1NqWEM0R1p4SVNyNTBhTUdtdlRYTzduCjZVZzMzRnZSem1qOWpDKy9maXpFVVFLQmdRQ3cvQXhjRzlQNGQ2RzhjSXZFNlh2OVBtK1d3SE5zaTdRUW9iUG0KTDdjWElDS0VTd01NWmlDMStMVVpLYW11MjhZOCtxYytPUU1pY0h2RjlGNGxMbDhGZUpTVkdGYWZiMTBWV2V5MQp3MWtMc2lLa2xMOXQwd0s1UWNFaDVNMHovbHJHbWhnNm5sazdpUXV5V1NNYlJHaTAxMVluUmQ2aVRObUl2Z1BsClZNbmtkUUtCZ0RYcFJiSHFtZjNoVUxnMXE5QXI1S3kvczNyZ0hyNU56S3BwYkJlNzNiS2N4N09NRmJMaUs1QUUKTnNBdXpCRGdrakVUSDAzRUorR2pKby9zU2RiUXErbTF4Q0dYTXgwdk50NWlVOGZCUXZjbnBDdVFqaTRqa1FIVQpPSEVvaUFNcjBNZERtTWJucXJXSzRLa3pzQStrOG9tb0hxYUlDOFpseVVuZWQrUkwvdU1FCi0tLS0tRU5EIFJTQSBQUklWQVRFIEtFWS0tLS0t
---
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
name: linkerd-sp-validator-webhook-config
labels:
linkerd.io/control-plane-component: sp-validator
linkerd.io/control-plane-ns: linkerd
webhooks:
- name: linkerd-sp-validator.linkerd.io
namespaceSelector:
matchExpressions:
- key: config.linkerd.io/admission-webhooks
operator: NotIn
values:
- disabled
clientConfig:
service:
name: linkerd-sp-validator
namespace: linkerd
path: "/"
caBundle: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURUVENDQWpXZ0F3SUJBZ0lSQUxyYTNKOXBseXh2ZVhRRm9xeWtYL013RFFZSktvWklodmNOQVFFTEJRQXcKS3pFcE1DY0dBMVVFQXhNZ2JHbHVhMlZ5WkMxemNDMTJZV3hwWkdGMGIzSXViR2x1YTJWeVpDNXpkbU13SGhjTgpNakV3TkRFMU1EVXlOalV4V2hjTk1qSXdOREUxTURVeU5qVXhXakFyTVNrd0p3WURWUVFERXlCc2FXNXJaWEprCkxYTndMWFpoYkdsa1lYUnZjaTVzYVc1clpYSmtMbk4yWXpDQ0FTSXdEUVlKS29aSWh2Y05BUUVCQlFBRGdnRVAKQURDQ0FRb0NnZ0VCQUtGN3B3V1QzWjlPU2VMakNITGdSYllhNEs5WGZZTEdnc1kvN3hBY1ExYjBKMit5ZWZ5dgo3WERXbXFON1AvRDNVZFVsRDRMOU13dlRnc21CWVQwRXF4d3NzY1pvUFErKzU1bmpBWFBMVGw5NFhZL3ZwV2d0ClVzZXM0bmtrd1o3RW1xVFE1ZG9UaW8xN3RCaWZxQXlJK3M1VnM3WVAyY3RSZkFXZU5weFpVNHNHSFU2YkNkMTAKMWZhckhnY3RhbTUrcS84cHI1aGZqUk5ENitBY2taYS8wbTQwNUtjbFBqV1lRY0V6MHZNdTl1aFduOWY3d0VGOQpaaVlQY3A3RDV4VVFJSUszbFdRWFpHZWc0RHhZeTdLN0VJTXdIUktRMDZBTTgraWQ5ZGo3ZWdoaU9UNVYvZXdGCnJWdFB3UmxwaU5GZjQ1VFdSQlgzelkxSCs0M0dZMm1Jam9NQ0F3RUFBYU5zTUdvd0RnWURWUjBQQVFIL0JBUUQKQWdXZ01CMEdBMVVkSlFRV01CUUdDQ3NHQVFVRkJ3TUJCZ2dyQmdFRkJRY0RBakFNQmdOVkhSTUJBZjhFQWpBQQpNQ3NHQTFVZEVRUWtNQ0tDSUd4cGJtdGxjbVF0YzNBdGRtRnNhV1JoZEc5eUxteHBibXRsY21RdWMzWmpNQTBHCkNTcUdTSWIzRFFFQkN3VUFBNElCQVFCQmQ3WWRoamxZVXlWeEpzRzgwNHZ3eDQxQlNKYzl5YlVJcEFjVWd2d28KYjBEQ3ZrNnJEVDJqcnF1d0Z6eTZKQloyeFd6aWMrYlRoU2NsTjNtRXhlZE8rRWN2clVXUUtnVzVqM1V6WWxNTwpUMHpHUWs0RWJPVFZCWE82ZVYzclNteW54MENnem84V2NKQ1U3ODFGbUJod2JSQ1ZIY3pNZ1lnYWsxZ05oV2xECi9HK3BmMWlvbHVLb2czTytPdGhLNUxYWEhqSk0yUGt1ZEtNemV4TXpncjM1Mi96akdFdlV3TlVuaytWYVE5VkwKNnNhejJWYWdsN01panA3Rk5kTUZiQXRrdmRiK2NTL1RQQWFnbGtSY2c2MnRZTTZKYWlReFZUNXhUNzZMUjI2RQpQMHJ6OEVsQ1NxcEZsbXI4NEZaREFoUWE1bWJlWlBHUGY4K1F4a041dnBNbQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0t
failurePolicy: Ignore
admissionReviewVersions: ["v1", "v1beta1"]
rules:
- operations: [ "CREATE" , "UPDATE" ]
apiGroups: ["linkerd.io"]
apiVersions: ["v1alpha1", "v1alpha2"]
resources: ["serviceprofiles"]
sideEffects: None
---
###
### Control Plane PSP
###
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
name: linkerd-linkerd-control-plane
labels:
linkerd.io/control-plane-ns: linkerd
spec:
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
allowedCapabilities:
- NET_ADMIN
- NET_RAW
requiredDropCapabilities:
- ALL
hostNetwork: false
hostIPC: false
hostPID: false
seLinux:
rule: RunAsAny
runAsUser:
rule: RunAsAny
supplementalGroups:
rule: MustRunAs
ranges:
- min: 1
max: 65535
fsGroup:
rule: MustRunAs
ranges:
- min: 1
max: 65535
volumes:
- configMap
- emptyDir
- secret
- projected
- downwardAPI
- persistentVolumeClaim
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: linkerd-psp
namespace: linkerd
labels:
linkerd.io/control-plane-ns: linkerd
rules:
- apiGroups: ['policy', 'extensions']
resources: ['podsecuritypolicies']
verbs: ['use']
resourceNames:
- linkerd-linkerd-control-plane
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: linkerd-psp
namespace: linkerd
labels:
linkerd.io/control-plane-ns: linkerd
roleRef:
kind: Role
name: linkerd-psp
apiGroup: rbac.authorization.k8s.io
subjects:
- kind: ServiceAccount
name: linkerd-controller
namespace: linkerd
- kind: ServiceAccount
name: linkerd-destination
namespace: linkerd
- kind: ServiceAccount
name: linkerd-heartbeat
namespace: linkerd
- kind: ServiceAccount
name: linkerd-identity
namespace: linkerd
- kind: ServiceAccount
name: linkerd-proxy-injector
namespace: linkerd
- kind: ServiceAccount
name: linkerd-sp-validator
namespace: linkerd
---
kind: ConfigMap
apiVersion: v1
metadata:
name: linkerd-config
namespace: linkerd
labels:
linkerd.io/control-plane-component: controller
linkerd.io/control-plane-ns: linkerd
annotations:
linkerd.io/created-by: linkerd/cli edge-21.4.3
data:
values: |
cliVersion: linkerd/cli edge-21.4.3
clusterDomain: cluster.local
clusterNetworks: 10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16
cniEnabled: false
controlPlaneTracing: false
controlPlaneTracingNamespace: linkerd-jaeger
controllerImage: cr.l5d.io/linkerd/controller
controllerImageVersion: edge-21.4.3
controllerLogFormat: plain
controllerLogLevel: info
controllerReplicas: 1
controllerUID: 2103
debugContainer:
image:
name: cr.l5d.io/linkerd/debug
pullPolicy: ""
version: edge-21.4.3
destinationProxyResources: null
destinationResources: null
disableHeartBeat: false
enableEndpointSlices: false
enableH2Upgrade: true
enablePodAntiAffinity: false
grafanaUrl: ""
heartbeatResources: null
heartbeatSchedule: ""
highAvailability: false
identity:
issuer:
clockSkewAllowance: 20s
crtExpiry: "2022-04-15T05:27:01Z"
issuanceLifetime: 24h0m0s
scheme: linkerd.io/tls
tls:
crtPEM: |
-----BEGIN CERTIFICATE-----
MIIBhzCCAS6gAwIBAgIBATAKBggqhkjOPQQDAjAcMRowGAYDVQQDExFpZGVudGl0
eS5saW5rZXJkLjAeFw0yMTA0MTUwNTI2NDFaFw0yMjA0MTUwNTI3MDFaMBwxGjAY
BgNVBAMTEWlkZW50aXR5LmxpbmtlcmQuMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcD
QgAEweu0JGYyrUN0srwOTqZ/9zcXAGnVr+D1waEHFx+VaYmem9oDhHFheRSYj5nf
wB3thzkiMUMWIySj8b0L30oBZqNhMF8wDgYDVR0PAQH/BAQDAgEGMB0GA1UdJQQW
MBQGCCsGAQUFBwMBBggrBgEFBQcDAjAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQW
BBSOfGBv5D+Wu3SuWlb4Ik4QAaSSzzAKBggqhkjOPQQDAgNHADBEAiBqpbTbtTk1
xu58ipPChrIE8LDtXN512SignhZ0TyTBcQIgGsq15mtTB99VLDJ4rGdD5MUXFsSm
eOGdrDt4g23dFb4=
-----END CERTIFICATE-----
identityProxyResources: null
identityResources: null
identityTrustAnchorsPEM: |
-----BEGIN CERTIFICATE-----
MIIBhzCCAS6gAwIBAgIBATAKBggqhkjOPQQDAjAcMRowGAYDVQQDExFpZGVudGl0
eS5saW5rZXJkLjAeFw0yMTA0MTUwNTI2NDFaFw0yMjA0MTUwNTI3MDFaMBwxGjAY
BgNVBAMTEWlkZW50aXR5LmxpbmtlcmQuMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcD
QgAEweu0JGYyrUN0srwOTqZ/9zcXAGnVr+D1waEHFx+VaYmem9oDhHFheRSYj5nf
wB3thzkiMUMWIySj8b0L30oBZqNhMF8wDgYDVR0PAQH/BAQDAgEGMB0GA1UdJQQW
MBQGCCsGAQUFBwMBBggrBgEFBQcDAjAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQW
BBSOfGBv5D+Wu3SuWlb4Ik4QAaSSzzAKBggqhkjOPQQDAgNHADBEAiBqpbTbtTk1
xu58ipPChrIE8LDtXN512SignhZ0TyTBcQIgGsq15mtTB99VLDJ4rGdD5MUXFsSm
eOGdrDt4g23dFb4=
-----END CERTIFICATE-----
identityTrustDomain: cluster.local
imagePullPolicy: IfNotPresent
imagePullSecrets: []
installNamespace: true
linkerdVersion: edge-21.4.3
namespace: linkerd
nodeSelector:
beta.kubernetes.io/os: linux
omitWebhookSideEffects: false
podAnnotations: {}
podLabels: {}
profileValidator:
caBundle: ""
crtPEM: ""
externalSecret: false
namespaceSelector:
matchExpressions:
- key: config.linkerd.io/admission-webhooks
operator: NotIn
values:
- disabled
prometheusUrl: ""
proxy:
capabilities: null
disableIdentity: false
enableExternalProfiles: false
image:
name: cr.l5d.io/linkerd/proxy
pullPolicy: ""
version: edge-21.4.3
inboundConnectTimeout: 100ms
isGateway: false
isIngress: false
logFormat: plain
logLevel: warn,linkerd=info
opaquePorts: 25,443,587,3306,5432,11211
outboundConnectTimeout: 1000ms
ports:
admin: 4191
control: 4190
inbound: 4143
outbound: 4140
requireIdentityOnInboundPorts: ""
resources:
cpu:
limit: ""
request: ""
memory:
limit: ""
request: ""
saMountPath: null
uid: 2102
waitBeforeExitSeconds: 0
proxyContainerName: linkerd-proxy
proxyInit:
capabilities: null
closeWaitTimeoutSecs: 0
ignoreInboundPorts: ""
ignoreOutboundPorts: ""
image:
name: cr.l5d.io/linkerd/proxy-init
pullPolicy: ""
version: v1.3.11
resources:
cpu:
limit: 100m
request: 10m
memory:
limit: 50Mi
request: 10Mi
saMountPath: null
xtMountPath:
mountPath: /run
name: linkerd-proxy-init-xtables-lock
readOnly: false
proxyInjector:
caBundle: ""
crtPEM: ""
externalSecret: false
namespaceSelector:
matchExpressions:
- key: config.linkerd.io/admission-webhooks
operator: NotIn
values:
- disabled
proxyInjectorProxyResources: null
proxyInjectorResources: null
publicAPIProxyResources: null
publicAPIResources: null
spValidatorProxyResources: null
spValidatorResources: null
tolerations: null
webhookFailurePolicy: Ignore
---
###
### Identity Controller Service
###
---
kind: Secret
apiVersion: v1
metadata:
name: linkerd-identity-issuer
namespace: linkerd
labels:
linkerd.io/control-plane-component: identity
linkerd.io/control-plane-ns: linkerd
annotations:
linkerd.io/created-by: linkerd/cli edge-21.4.3
linkerd.io/identity-issuer-expiry: 2022-04-15T05:27:01Z
data:
crt.pem: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUJoekNDQVM2Z0F3SUJBZ0lCQVRBS0JnZ3Foa2pPUFFRREFqQWNNUm93R0FZRFZRUURFeEZwWkdWdWRHbDAKZVM1c2FXNXJaWEprTGpBZUZ3MHlNVEEwTVRVd05USTJOREZhRncweU1qQTBNVFV3TlRJM01ERmFNQnd4R2pBWQpCZ05WQkFNVEVXbGtaVzUwYVhSNUxteHBibXRsY21RdU1Ga3dFd1lIS29aSXpqMENBUVlJS29aSXpqMERBUWNEClFnQUV3ZXUwSkdZeXJVTjBzcndPVHFaLzl6Y1hBR25WcitEMXdhRUhGeCtWYVltZW05b0RoSEZoZVJTWWo1bmYKd0IzdGh6a2lNVU1XSXlTajhiMEwzMG9CWnFOaE1GOHdEZ1lEVlIwUEFRSC9CQVFEQWdFR01CMEdBMVVkSlFRVwpNQlFHQ0NzR0FRVUZCd01CQmdnckJnRUZCUWNEQWpBUEJnTlZIUk1CQWY4RUJUQURBUUgvTUIwR0ExVWREZ1FXCkJCU09mR0J2NUQrV3UzU3VXbGI0SWs0UUFhU1N6ekFLQmdncWhrak9QUVFEQWdOSEFEQkVBaUJxcGJUYnRUazEKeHU1OGlwUENocklFOExEdFhONTEyU2lnbmhaMFR5VEJjUUlnR3NxMTVtdFRCOTlWTERKNHJHZEQ1TVVYRnNTbQplT0dkckR0NGcyM2RGYjQ9Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0=
key.pem: LS0tLS1CRUdJTiBFQyBQUklWQVRFIEtFWS0tLS0tCk1IY0NBUUVFSUo4T2JTcnU4NHNGQVdhVlE1Y3Fhd2s0SnRBd3ZvVUUwUUU0R2svbmdHWWVvQW9HQ0NxR1NNNDkKQXdFSG9VUURRZ0FFd2V1MEpHWXlyVU4wc3J3T1RxWi85emNYQUduVnIrRDF3YUVIRngrVmFZbWVtOW9EaEhGaAplUlNZajVuZndCM3RoemtpTVVNV0l5U2o4YjBMMzBvQlpnPT0KLS0tLS1FTkQgRUMgUFJJVkFURSBLRVktLS0tLQ==
---
kind: Service
apiVersion: v1
metadata:
name: linkerd-identity
namespace: linkerd
labels:
linkerd.io/control-plane-component: identity
linkerd.io/control-plane-ns: linkerd
annotations:
linkerd.io/created-by: linkerd/cli edge-21.4.3
spec:
type: ClusterIP
selector:
linkerd.io/control-plane-component: identity
ports:
- name: grpc
port: 8080
targetPort: 8080
---
kind: Service
apiVersion: v1
metadata:
name: linkerd-identity-headless
namespace: linkerd
labels:
linkerd.io/control-plane-component: identity
linkerd.io/control-plane-ns: linkerd
annotations:
linkerd.io/created-by: linkerd/cli edge-21.4.3
spec:
clusterIP: None
selector:
linkerd.io/control-plane-component: identity
ports:
- name: grpc
port: 8080
targetPort: 8080
---
apiVersion: apps/v1
kind: Deployment
metadata:
annotations:
linkerd.io/created-by: linkerd/cli edge-21.4.3
labels:
app.kubernetes.io/name: identity
app.kubernetes.io/part-of: Linkerd
app.kubernetes.io/version: edge-21.4.3
linkerd.io/control-plane-component: identity
linkerd.io/control-plane-ns: linkerd
name: linkerd-identity
namespace: linkerd
spec:
replicas: 1
selector:
matchLabels:
linkerd.io/control-plane-component: identity
linkerd.io/control-plane-ns: linkerd
linkerd.io/proxy-deployment: linkerd-identity
template:
metadata:
annotations:
linkerd.io/created-by: linkerd/cli edge-21.4.3
linkerd.io/identity-mode: default
linkerd.io/proxy-version: edge-21.4.3
labels:
linkerd.io/control-plane-component: identity
linkerd.io/control-plane-ns: linkerd
linkerd.io/workload-ns: linkerd
linkerd.io/proxy-deployment: linkerd-identity
spec:
nodeSelector:
beta.kubernetes.io/os: linux
containers:
- args:
- identity
- -log-level=info
- -log-format=plain
- -controller-namespace=linkerd
- -identity-trust-domain=cluster.local
- -identity-issuance-lifetime=24h0m0s
- -identity-clock-skew-allowance=20s
- -identity-scheme=linkerd.io/tls
env:
- name: LINKERD2_IDENTITY_TRUST_ANCHORS
value: "LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUJoekNDQVM2Z0F3SUJBZ0lCQVRBS0JnZ3Foa2pPUFFRREFqQWNNUm93R0FZRFZRUURFeEZwWkdWdWRHbDAKZVM1c2FXNXJaWEprTGpBZUZ3MHlNVEEwTVRVd05USTJOREZhRncweU1qQTBNVFV3TlRJM01ERmFNQnd4R2pBWQpCZ05WQkFNVEVXbGtaVzUwYVhSNUxteHBibXRsY21RdU1Ga3dFd1lIS29aSXpqMENBUVlJS29aSXpqMERBUWNEClFnQUV3ZXUwSkdZeXJVTjBzcndPVHFaLzl6Y1hBR25WcitEMXdhRUhGeCtWYVltZW05b0RoSEZoZVJTWWo1bmYKd0IzdGh6a2lNVU1XSXlTajhiMEwzMG9CWnFOaE1GOHdEZ1lEVlIwUEFRSC9CQVFEQWdFR01CMEdBMVVkSlFRVwpNQlFHQ0NzR0FRVUZCd01CQmdnckJnRUZCUWNEQWpBUEJnTlZIUk1CQWY4RUJUQURBUUgvTUIwR0ExVWREZ1FXCkJCU09mR0J2NUQrV3UzU3VXbGI0SWs0UUFhU1N6ekFLQmdncWhrak9QUVFEQWdOSEFEQkVBaUJxcGJUYnRUazEKeHU1OGlwUENocklFOExEdFhONTEyU2lnbmhaMFR5VEJjUUlnR3NxMTVtdFRCOTlWTERKNHJHZEQ1TVVYRnNTbQplT0dkckR0NGcyM2RGYjQ9Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K"
- name: LINKERD_DISABLED
value: "linkerd-await cannot block the identity controller"
image: cr.l5d.io/linkerd/controller:edge-21.4.3
imagePullPolicy: IfNotPresent
livenessProbe:
httpGet:
path: /ping
port: 9990
initialDelaySeconds: 10
name: identity
ports:
- containerPort: 8080
name: grpc
- containerPort: 9990
name: admin-http
readinessProbe:
failureThreshold: 7
httpGet:
path: /ready
port: 9990
securityContext:
runAsUser: 2103
volumeMounts:
- mountPath: /var/run/linkerd/identity/issuer
name: identity-issuer
- env:
- name: LINKERD2_PROXY_LOG
value: "warn,linkerd=info"
- name: LINKERD2_PROXY_LOG_FORMAT
value: "plain"
- name: LINKERD2_PROXY_DESTINATION_SVC_ADDR
value: linkerd-dst-headless.linkerd.svc.cluster.local.:8086
- name: LINKERD2_PROXY_DESTINATION_PROFILE_NETWORKS
value: "10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16"
- name: LINKERD2_PROXY_INBOUND_CONNECT_TIMEOUT
value: "100ms"
- name: LINKERD2_PROXY_OUTBOUND_CONNECT_TIMEOUT
value: "1000ms"
- name: LINKERD2_PROXY_CONTROL_LISTEN_ADDR
value: 0.0.0.0:4190
- name: LINKERD2_PROXY_ADMIN_LISTEN_ADDR
value: 0.0.0.0:4191
- name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDR
value: 127.0.0.1:4140
- name: LINKERD2_PROXY_INBOUND_LISTEN_ADDR
value: 0.0.0.0:4143
- name: LINKERD2_PROXY_DESTINATION_PROFILE_SUFFIXES
value: svc.cluster.local.
- name: LINKERD2_PROXY_INBOUND_ACCEPT_KEEPALIVE
value: 10000ms
- name: LINKERD2_PROXY_OUTBOUND_CONNECT_KEEPALIVE
value: 10000ms
- name: LINKERD2_PROXY_INBOUND_PORTS_DISABLE_PROTOCOL_DETECTION
value: "25,443,587,3306,5432,11211"
- name: _pod_ns
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: _pod_nodeName
valueFrom:
fieldRef:
fieldPath: spec.nodeName
- name: LINKERD2_PROXY_DESTINATION_CONTEXT
value: |
{"ns":"$(_pod_ns)", "nodeName":"$(_pod_nodeName)"}
- name: LINKERD2_PROXY_IDENTITY_DIR
value: /var/run/linkerd/identity/end-entity
- name: LINKERD2_PROXY_IDENTITY_TRUST_ANCHORS
value: |
-----BEGIN CERTIFICATE-----
MIIBhzCCAS6gAwIBAgIBATAKBggqhkjOPQQDAjAcMRowGAYDVQQDExFpZGVudGl0
eS5saW5rZXJkLjAeFw0yMTA0MTUwNTI2NDFaFw0yMjA0MTUwNTI3MDFaMBwxGjAY
BgNVBAMTEWlkZW50aXR5LmxpbmtlcmQuMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcD
QgAEweu0JGYyrUN0srwOTqZ/9zcXAGnVr+D1waEHFx+VaYmem9oDhHFheRSYj5nf
wB3thzkiMUMWIySj8b0L30oBZqNhMF8wDgYDVR0PAQH/BAQDAgEGMB0GA1UdJQQW
MBQGCCsGAQUFBwMBBggrBgEFBQcDAjAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQW
BBSOfGBv5D+Wu3SuWlb4Ik4QAaSSzzAKBggqhkjOPQQDAgNHADBEAiBqpbTbtTk1
xu58ipPChrIE8LDtXN512SignhZ0TyTBcQIgGsq15mtTB99VLDJ4rGdD5MUXFsSm
eOGdrDt4g23dFb4=
-----END CERTIFICATE-----
- name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE
value: /var/run/secrets/kubernetes.io/serviceaccount/token
- name: LINKERD2_PROXY_IDENTITY_SVC_ADDR
value: localhost.:8080
- name: _pod_sa
valueFrom:
fieldRef:
fieldPath: spec.serviceAccountName
- name: _l5d_ns
value: linkerd
- name: _l5d_trustdomain
value: cluster.local
- name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME
value: $(_pod_sa).$(_pod_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain)
- name: LINKERD2_PROXY_IDENTITY_SVC_NAME
value: linkerd-identity.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain)
- name: LINKERD2_PROXY_DESTINATION_SVC_NAME
value: linkerd-destination.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain)
image: cr.l5d.io/linkerd/proxy:edge-21.4.3
imagePullPolicy: IfNotPresent
livenessProbe:
httpGet:
path: /live
port: 4191
initialDelaySeconds: 10
name: linkerd-proxy
ports:
- containerPort: 4143
name: linkerd-proxy
- containerPort: 4191
name: linkerd-admin
readinessProbe:
httpGet:
path: /ready
port: 4191
initialDelaySeconds: 2
resources:
securityContext:
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
runAsUser: 2102
terminationMessagePolicy: FallbackToLogsOnError
volumeMounts:
- mountPath: /var/run/linkerd/identity/end-entity
name: linkerd-identity-end-entity
initContainers:
- args:
- --incoming-proxy-port
- "4143"
- --outgoing-proxy-port
- "4140"
- --proxy-uid
- "2102"
- --inbound-ports-to-ignore
- "4190,4191"
- --outbound-ports-to-ignore
- "443"
image: cr.l5d.io/linkerd/proxy-init:v1.3.11
imagePullPolicy: IfNotPresent
name: linkerd-init
resources:
limits:
cpu: "100m"
memory: "50Mi"
requests:
cpu: "10m"
memory: "10Mi"
securityContext:
allowPrivilegeEscalation: false
capabilities:
add:
- NET_ADMIN
- NET_RAW
privileged: false
readOnlyRootFilesystem: true
runAsNonRoot: false
runAsUser: 0
terminationMessagePolicy: FallbackToLogsOnError
volumeMounts:
- mountPath: /run
name: linkerd-proxy-init-xtables-lock
serviceAccountName: linkerd-identity
volumes:
- name: identity-issuer
secret:
secretName: linkerd-identity-issuer
- emptyDir: {}
name: linkerd-proxy-init-xtables-lock
- emptyDir:
medium: Memory
name: linkerd-identity-end-entity
---
###
### Controller
###
kind: Service
apiVersion: v1
metadata:
name: linkerd-controller-api
namespace: linkerd
labels:
linkerd.io/control-plane-component: controller
linkerd.io/control-plane-ns: linkerd
annotations:
linkerd.io/created-by: linkerd/cli edge-21.4.3
spec:
type: ClusterIP
selector:
linkerd.io/control-plane-component: controller
ports:
- name: http
port: 8085
targetPort: 8085
---
apiVersion: apps/v1
kind: Deployment
metadata:
annotations:
linkerd.io/created-by: linkerd/cli edge-21.4.3
labels:
app.kubernetes.io/name: controller
app.kubernetes.io/part-of: Linkerd
app.kubernetes.io/version: edge-21.4.3
linkerd.io/control-plane-component: controller
linkerd.io/control-plane-ns: linkerd
name: linkerd-controller
namespace: linkerd
spec:
replicas: 1
selector:
matchLabels:
linkerd.io/control-plane-component: controller
linkerd.io/control-plane-ns: linkerd
linkerd.io/proxy-deployment: linkerd-controller
template:
metadata:
annotations:
linkerd.io/created-by: linkerd/cli edge-21.4.3
linkerd.io/identity-mode: default
linkerd.io/proxy-version: edge-21.4.3
labels:
linkerd.io/control-plane-component: controller
linkerd.io/control-plane-ns: linkerd
linkerd.io/workload-ns: linkerd
linkerd.io/proxy-deployment: linkerd-controller
spec:
nodeSelector:
beta.kubernetes.io/os: linux
containers:
- args:
- public-api
- -destination-addr=linkerd-dst.linkerd.svc.cluster.local:8086
- -controller-namespace=linkerd
- -log-level=info
- -log-format=plain
- -cluster-domain=cluster.local
image: cr.l5d.io/linkerd/controller:edge-21.4.3
imagePullPolicy: IfNotPresent
livenessProbe:
httpGet:
path: /ping
port: 9995
initialDelaySeconds: 10
name: public-api
ports:
- containerPort: 8085
name: http
- containerPort: 9995
name: admin-http
readinessProbe:
failureThreshold: 7
httpGet:
path: /ready
port: 9995
securityContext:
runAsUser: 2103
- env:
- name: LINKERD2_PROXY_LOG
value: "warn,linkerd=info"
- name: LINKERD2_PROXY_LOG_FORMAT
value: "plain"
- name: LINKERD2_PROXY_DESTINATION_SVC_ADDR
value: linkerd-dst-headless.linkerd.svc.cluster.local.:8086
- name: LINKERD2_PROXY_DESTINATION_PROFILE_NETWORKS
value: "10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16"
- name: LINKERD2_PROXY_INBOUND_CONNECT_TIMEOUT
value: "100ms"
- name: LINKERD2_PROXY_OUTBOUND_CONNECT_TIMEOUT
value: "1000ms"
- name: LINKERD2_PROXY_CONTROL_LISTEN_ADDR
value: 0.0.0.0:4190
- name: LINKERD2_PROXY_ADMIN_LISTEN_ADDR
value: 0.0.0.0:4191
- name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDR
value: 127.0.0.1:4140
- name: LINKERD2_PROXY_INBOUND_LISTEN_ADDR
value: 0.0.0.0:4143
- name: LINKERD2_PROXY_DESTINATION_PROFILE_SUFFIXES
value: svc.cluster.local.
- name: LINKERD2_PROXY_INBOUND_ACCEPT_KEEPALIVE
value: 10000ms
- name: LINKERD2_PROXY_OUTBOUND_CONNECT_KEEPALIVE
value: 10000ms
- name: LINKERD2_PROXY_INBOUND_PORTS_DISABLE_PROTOCOL_DETECTION
value: "25,443,587,3306,5432,11211"
- name: _pod_ns
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: _pod_nodeName
valueFrom:
fieldRef:
fieldPath: spec.nodeName
- name: LINKERD2_PROXY_DESTINATION_CONTEXT
value: |
{"ns":"$(_pod_ns)", "nodeName":"$(_pod_nodeName)"}
- name: LINKERD2_PROXY_IDENTITY_DIR
value: /var/run/linkerd/identity/end-entity
- name: LINKERD2_PROXY_IDENTITY_TRUST_ANCHORS
value: |
-----BEGIN CERTIFICATE-----
MIIBhzCCAS6gAwIBAgIBATAKBggqhkjOPQQDAjAcMRowGAYDVQQDExFpZGVudGl0
eS5saW5rZXJkLjAeFw0yMTA0MTUwNTI2NDFaFw0yMjA0MTUwNTI3MDFaMBwxGjAY
BgNVBAMTEWlkZW50aXR5LmxpbmtlcmQuMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcD
QgAEweu0JGYyrUN0srwOTqZ/9zcXAGnVr+D1waEHFx+VaYmem9oDhHFheRSYj5nf
wB3thzkiMUMWIySj8b0L30oBZqNhMF8wDgYDVR0PAQH/BAQDAgEGMB0GA1UdJQQW
MBQGCCsGAQUFBwMBBggrBgEFBQcDAjAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQW
BBSOfGBv5D+Wu3SuWlb4Ik4QAaSSzzAKBggqhkjOPQQDAgNHADBEAiBqpbTbtTk1
xu58ipPChrIE8LDtXN512SignhZ0TyTBcQIgGsq15mtTB99VLDJ4rGdD5MUXFsSm
eOGdrDt4g23dFb4=
-----END CERTIFICATE-----
- name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE
value: /var/run/secrets/kubernetes.io/serviceaccount/token
- name: LINKERD2_PROXY_IDENTITY_SVC_ADDR
value: linkerd-identity-headless.linkerd.svc.cluster.local.:8080
- name: _pod_sa
valueFrom:
fieldRef:
fieldPath: spec.serviceAccountName
- name: _l5d_ns
value: linkerd
- name: _l5d_trustdomain
value: cluster.local
- name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME
value: $(_pod_sa).$(_pod_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain)
- name: LINKERD2_PROXY_IDENTITY_SVC_NAME
value: linkerd-identity.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain)
- name: LINKERD2_PROXY_DESTINATION_SVC_NAME
value: linkerd-destination.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain)
image: cr.l5d.io/linkerd/proxy:edge-21.4.3
imagePullPolicy: IfNotPresent
livenessProbe:
httpGet:
path: /live
port: 4191
initialDelaySeconds: 10
name: linkerd-proxy
ports:
- containerPort: 4143
name: linkerd-proxy
- containerPort: 4191
name: linkerd-admin
readinessProbe:
httpGet:
path: /ready
port: 4191
initialDelaySeconds: 2
resources:
securityContext:
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
runAsUser: 2102
terminationMessagePolicy: FallbackToLogsOnError
volumeMounts:
- mountPath: /var/run/linkerd/identity/end-entity
name: linkerd-identity-end-entity
initContainers:
- args:
- --incoming-proxy-port
- "4143"
- --outgoing-proxy-port
- "4140"
- --proxy-uid
- "2102"
- --inbound-ports-to-ignore
- "4190,4191"
- --outbound-ports-to-ignore
- "443"
image: cr.l5d.io/linkerd/proxy-init:v1.3.11
imagePullPolicy: IfNotPresent
name: linkerd-init
resources:
limits:
cpu: "100m"
memory: "50Mi"
requests:
cpu: "10m"
memory: "10Mi"
securityContext:
allowPrivilegeEscalation: false
capabilities:
add:
- NET_ADMIN
- NET_RAW
privileged: false
readOnlyRootFilesystem: true
runAsNonRoot: false
runAsUser: 0
terminationMessagePolicy: FallbackToLogsOnError
volumeMounts:
- mountPath: /run
name: linkerd-proxy-init-xtables-lock
serviceAccountName: linkerd-controller
volumes:
- emptyDir: {}
name: linkerd-proxy-init-xtables-lock
- emptyDir:
medium: Memory
name: linkerd-identity-end-entity
---
###
### Destination Controller Service
###
kind: Service
apiVersion: v1
metadata:
name: linkerd-dst
namespace: linkerd
labels:
linkerd.io/control-plane-component: destination
linkerd.io/control-plane-ns: linkerd
annotations:
linkerd.io/created-by: linkerd/cli edge-21.4.3
spec:
type: ClusterIP
selector:
linkerd.io/control-plane-component: destination
ports:
- name: grpc
port: 8086
targetPort: 8086
---
kind: Service
apiVersion: v1
metadata:
name: linkerd-dst-headless
namespace: linkerd
labels:
linkerd.io/control-plane-component: destination
linkerd.io/control-plane-ns: linkerd
annotations:
linkerd.io/created-by: linkerd/cli edge-21.4.3
spec:
clusterIP: None
selector:
linkerd.io/control-plane-component: destination
ports:
- name: grpc
port: 8086
targetPort: 8086
---
apiVersion: apps/v1
kind: Deployment
metadata:
annotations:
linkerd.io/created-by: linkerd/cli edge-21.4.3
labels:
app.kubernetes.io/name: destination
app.kubernetes.io/part-of: Linkerd
app.kubernetes.io/version: edge-21.4.3
linkerd.io/control-plane-component: destination
linkerd.io/control-plane-ns: linkerd
name: linkerd-destination
namespace: linkerd
spec:
replicas: 1
selector:
matchLabels:
linkerd.io/control-plane-component: destination
linkerd.io/control-plane-ns: linkerd
linkerd.io/proxy-deployment: linkerd-destination
template:
metadata:
annotations:
linkerd.io/created-by: linkerd/cli edge-21.4.3
linkerd.io/identity-mode: default
linkerd.io/proxy-version: edge-21.4.3
labels:
linkerd.io/control-plane-component: destination
linkerd.io/control-plane-ns: linkerd
linkerd.io/workload-ns: linkerd
linkerd.io/proxy-deployment: linkerd-destination
spec:
nodeSelector:
beta.kubernetes.io/os: linux
containers:
- args:
- destination
- -addr=:8086
- -controller-namespace=linkerd
- -enable-h2-upgrade=true
- -log-level=info
- -log-format=plain
- -enable-endpoint-slices=false
- -cluster-domain=cluster.local
- -identity-trust-domain=cluster.local
- -default-opaque-ports=25,443,587,3306,5432,11211
image: cr.l5d.io/linkerd/controller:edge-21.4.3
imagePullPolicy: IfNotPresent
livenessProbe:
httpGet:
path: /ping
port: 9996
initialDelaySeconds: 10
name: destination
ports:
- containerPort: 8086
name: grpc
- containerPort: 9996
name: admin-http
readinessProbe:
failureThreshold: 7
httpGet:
path: /ready
port: 9996
securityContext:
runAsUser: 2103
- env:
- name: LINKERD2_PROXY_LOG
value: "warn,linkerd=info"
- name: LINKERD2_PROXY_LOG_FORMAT
value: "plain"
- name: LINKERD2_PROXY_DESTINATION_SVC_ADDR
value: localhost.:8086
- name: LINKERD2_PROXY_DESTINATION_PROFILE_NETWORKS
value: "10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16"
- name: LINKERD2_PROXY_INBOUND_CONNECT_TIMEOUT
value: "100ms"
- name: LINKERD2_PROXY_OUTBOUND_CONNECT_TIMEOUT
value: "1000ms"
- name: LINKERD2_PROXY_CONTROL_LISTEN_ADDR
value: 0.0.0.0:4190
- name: LINKERD2_PROXY_ADMIN_LISTEN_ADDR
value: 0.0.0.0:4191
- name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDR
value: 127.0.0.1:4140
- name: LINKERD2_PROXY_INBOUND_LISTEN_ADDR
value: 0.0.0.0:4143
- name: LINKERD2_PROXY_DESTINATION_PROFILE_SUFFIXES
value: svc.cluster.local.
- name: LINKERD2_PROXY_INBOUND_ACCEPT_KEEPALIVE
value: 10000ms
- name: LINKERD2_PROXY_OUTBOUND_CONNECT_KEEPALIVE
value: 10000ms
- name: LINKERD2_PROXY_INBOUND_PORTS_DISABLE_PROTOCOL_DETECTION
value: "25,443,587,3306,5432,11211"
- name: _pod_ns
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: _pod_nodeName
valueFrom:
fieldRef:
fieldPath: spec.nodeName
- name: LINKERD2_PROXY_DESTINATION_CONTEXT
value: |
{"ns":"$(_pod_ns)", "nodeName":"$(_pod_nodeName)"}
- name: LINKERD2_PROXY_IDENTITY_DIR
value: /var/run/linkerd/identity/end-entity
- name: LINKERD2_PROXY_IDENTITY_TRUST_ANCHORS
value: |
-----BEGIN CERTIFICATE-----
MIIBhzCCAS6gAwIBAgIBATAKBggqhkjOPQQDAjAcMRowGAYDVQQDExFpZGVudGl0
eS5saW5rZXJkLjAeFw0yMTA0MTUwNTI2NDFaFw0yMjA0MTUwNTI3MDFaMBwxGjAY
BgNVBAMTEWlkZW50aXR5LmxpbmtlcmQuMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcD
QgAEweu0JGYyrUN0srwOTqZ/9zcXAGnVr+D1waEHFx+VaYmem9oDhHFheRSYj5nf
wB3thzkiMUMWIySj8b0L30oBZqNhMF8wDgYDVR0PAQH/BAQDAgEGMB0GA1UdJQQW
MBQGCCsGAQUFBwMBBggrBgEFBQcDAjAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQW
BBSOfGBv5D+Wu3SuWlb4Ik4QAaSSzzAKBggqhkjOPQQDAgNHADBEAiBqpbTbtTk1
xu58ipPChrIE8LDtXN512SignhZ0TyTBcQIgGsq15mtTB99VLDJ4rGdD5MUXFsSm
eOGdrDt4g23dFb4=
-----END CERTIFICATE-----
- name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE
value: /var/run/secrets/kubernetes.io/serviceaccount/token
- name: LINKERD2_PROXY_IDENTITY_SVC_ADDR
value: linkerd-identity-headless.linkerd.svc.cluster.local.:8080
- name: _pod_sa
valueFrom:
fieldRef:
fieldPath: spec.serviceAccountName
- name: _l5d_ns
value: linkerd
- name: _l5d_trustdomain
value: cluster.local
- name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME
value: $(_pod_sa).$(_pod_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain)
- name: LINKERD2_PROXY_IDENTITY_SVC_NAME
value: linkerd-identity.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain)
- name: LINKERD2_PROXY_DESTINATION_SVC_NAME
value: linkerd-destination.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain)
image: cr.l5d.io/linkerd/proxy:edge-21.4.3
imagePullPolicy: IfNotPresent
livenessProbe:
httpGet:
path: /live
port: 4191
initialDelaySeconds: 10
name: linkerd-proxy
ports:
- containerPort: 4143
name: linkerd-proxy
- containerPort: 4191
name: linkerd-admin
readinessProbe:
httpGet:
path: /ready
port: 4191
initialDelaySeconds: 2
resources:
securityContext:
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
runAsUser: 2102
terminationMessagePolicy: FallbackToLogsOnError
volumeMounts:
- mountPath: /var/run/linkerd/identity/end-entity
name: linkerd-identity-end-entity
initContainers:
- args:
- --incoming-proxy-port
- "4143"
- --outgoing-proxy-port
- "4140"
- --proxy-uid
- "2102"
- --inbound-ports-to-ignore
- "4190,4191"
- --outbound-ports-to-ignore
- "443"
image: cr.l5d.io/linkerd/proxy-init:v1.3.11
imagePullPolicy: IfNotPresent
name: linkerd-init
resources:
limits:
cpu: "100m"
memory: "50Mi"
requests:
cpu: "10m"
memory: "10Mi"
securityContext:
allowPrivilegeEscalation: false
capabilities:
add:
- NET_ADMIN
- NET_RAW
privileged: false
readOnlyRootFilesystem: true
runAsNonRoot: false
runAsUser: 0
terminationMessagePolicy: FallbackToLogsOnError
volumeMounts:
- mountPath: /run
name: linkerd-proxy-init-xtables-lock
serviceAccountName: linkerd-destination
volumes:
- emptyDir: {}
name: linkerd-proxy-init-xtables-lock
- emptyDir:
medium: Memory
name: linkerd-identity-end-entity
---
###
### Heartbeat
###
apiVersion: batch/v1beta1
kind: CronJob
metadata:
name: linkerd-heartbeat
namespace: linkerd
labels:
app.kubernetes.io/name: heartbeat
app.kubernetes.io/part-of: Linkerd
app.kubernetes.io/version: edge-21.4.3
linkerd.io/control-plane-component: heartbeat
linkerd.io/control-plane-ns: linkerd
annotations:
linkerd.io/created-by: linkerd/cli edge-21.4.3
spec:
concurrencyPolicy: Replace
schedule: "36 05 * * *"
successfulJobsHistoryLimit: 0
jobTemplate:
spec:
template:
metadata:
labels:
linkerd.io/control-plane-component: heartbeat
linkerd.io/workload-ns: linkerd
annotations:
linkerd.io/created-by: linkerd/cli edge-21.4.3
spec:
nodeSelector:
beta.kubernetes.io/os: linux
serviceAccountName: linkerd-heartbeat
restartPolicy: Never
containers:
- name: heartbeat
image: cr.l5d.io/linkerd/controller:edge-21.4.3
imagePullPolicy: IfNotPresent
env:
- name: LINKERD_DISABLED
value: "the heartbeat controller does not use the proxy"
args:
- "heartbeat"
- "-controller-namespace=linkerd"
- "-log-level=info"
- "-log-format=plain"
- "-prometheus-url=http://prometheus.linkerd-viz.svc.cluster.local:9090"
securityContext:
runAsUser: 2103
---
###
### Proxy Injector
###
apiVersion: apps/v1
kind: Deployment
metadata:
annotations:
linkerd.io/created-by: linkerd/cli edge-21.4.3
labels:
app.kubernetes.io/name: proxy-injector
app.kubernetes.io/part-of: Linkerd
app.kubernetes.io/version: edge-21.4.3
linkerd.io/control-plane-component: proxy-injector
linkerd.io/control-plane-ns: linkerd
name: linkerd-proxy-injector
namespace: linkerd
spec:
replicas: 1
selector:
matchLabels:
linkerd.io/control-plane-component: proxy-injector
template:
metadata:
annotations:
checksum/config: 21210c2185a216dd8028027ff17506163783c644a4acf93f5ec998ce5b7cec43
linkerd.io/created-by: linkerd/cli edge-21.4.3
linkerd.io/identity-mode: default
linkerd.io/proxy-version: edge-21.4.3
labels:
linkerd.io/control-plane-component: proxy-injector
linkerd.io/control-plane-ns: linkerd
linkerd.io/workload-ns: linkerd
linkerd.io/proxy-deployment: linkerd-proxy-injector
spec:
nodeSelector:
beta.kubernetes.io/os: linux
containers:
- args:
- proxy-injector
- -log-level=info
- -log-format=plain
image: cr.l5d.io/linkerd/controller:edge-21.4.3
imagePullPolicy: IfNotPresent
livenessProbe:
httpGet:
path: /ping
port: 9995
initialDelaySeconds: 10
name: proxy-injector
ports:
- containerPort: 8443
name: proxy-injector
- containerPort: 9995
name: admin-http
readinessProbe:
failureThreshold: 7
httpGet:
path: /ready
port: 9995
securityContext:
runAsUser: 2103
volumeMounts:
- mountPath: /var/run/linkerd/config
name: config
- mountPath: /var/run/linkerd/tls
name: tls
readOnly: true
- env:
- name: LINKERD2_PROXY_LOG
value: "warn,linkerd=info"
- name: LINKERD2_PROXY_LOG_FORMAT
value: "plain"
- name: LINKERD2_PROXY_DESTINATION_SVC_ADDR
value: linkerd-dst-headless.linkerd.svc.cluster.local.:8086
- name: LINKERD2_PROXY_DESTINATION_PROFILE_NETWORKS
value: "10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16"
- name: LINKERD2_PROXY_INBOUND_CONNECT_TIMEOUT
value: "100ms"
- name: LINKERD2_PROXY_OUTBOUND_CONNECT_TIMEOUT
value: "1000ms"
- name: LINKERD2_PROXY_CONTROL_LISTEN_ADDR
value: 0.0.0.0:4190
- name: LINKERD2_PROXY_ADMIN_LISTEN_ADDR
value: 0.0.0.0:4191
- name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDR
value: 127.0.0.1:4140
- name: LINKERD2_PROXY_INBOUND_LISTEN_ADDR
value: 0.0.0.0:4143
- name: LINKERD2_PROXY_DESTINATION_PROFILE_SUFFIXES
value: svc.cluster.local.
- name: LINKERD2_PROXY_INBOUND_ACCEPT_KEEPALIVE
value: 10000ms
- name: LINKERD2_PROXY_OUTBOUND_CONNECT_KEEPALIVE
value: 10000ms
- name: LINKERD2_PROXY_INBOUND_PORTS_DISABLE_PROTOCOL_DETECTION
value: "25,443,587,3306,5432,11211"
- name: _pod_ns
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: _pod_nodeName
valueFrom:
fieldRef:
fieldPath: spec.nodeName
- name: LINKERD2_PROXY_DESTINATION_CONTEXT
value: |
{"ns":"$(_pod_ns)", "nodeName":"$(_pod_nodeName)"}
- name: LINKERD2_PROXY_IDENTITY_DIR
value: /var/run/linkerd/identity/end-entity
- name: LINKERD2_PROXY_IDENTITY_TRUST_ANCHORS
value: |
-----BEGIN CERTIFICATE-----
MIIBhzCCAS6gAwIBAgIBATAKBggqhkjOPQQDAjAcMRowGAYDVQQDExFpZGVudGl0
eS5saW5rZXJkLjAeFw0yMTA0MTUwNTI2NDFaFw0yMjA0MTUwNTI3MDFaMBwxGjAY
BgNVBAMTEWlkZW50aXR5LmxpbmtlcmQuMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcD
QgAEweu0JGYyrUN0srwOTqZ/9zcXAGnVr+D1waEHFx+VaYmem9oDhHFheRSYj5nf
wB3thzkiMUMWIySj8b0L30oBZqNhMF8wDgYDVR0PAQH/BAQDAgEGMB0GA1UdJQQW
MBQGCCsGAQUFBwMBBggrBgEFBQcDAjAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQW
BBSOfGBv5D+Wu3SuWlb4Ik4QAaSSzzAKBggqhkjOPQQDAgNHADBEAiBqpbTbtTk1
xu58ipPChrIE8LDtXN512SignhZ0TyTBcQIgGsq15mtTB99VLDJ4rGdD5MUXFsSm
eOGdrDt4g23dFb4=
-----END CERTIFICATE-----
- name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE
value: /var/run/secrets/kubernetes.io/serviceaccount/token
- name: LINKERD2_PROXY_IDENTITY_SVC_ADDR
value: linkerd-identity-headless.linkerd.svc.cluster.local.:8080
- name: _pod_sa
valueFrom:
fieldRef:
fieldPath: spec.serviceAccountName
- name: _l5d_ns
value: linkerd
- name: _l5d_trustdomain
value: cluster.local
- name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME
value: $(_pod_sa).$(_pod_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain)
- name: LINKERD2_PROXY_IDENTITY_SVC_NAME
value: linkerd-identity.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain)
- name: LINKERD2_PROXY_DESTINATION_SVC_NAME
value: linkerd-destination.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain)
image: cr.l5d.io/linkerd/proxy:edge-21.4.3
imagePullPolicy: IfNotPresent
livenessProbe:
httpGet:
path: /live
port: 4191
initialDelaySeconds: 10
name: linkerd-proxy
ports:
- containerPort: 4143
name: linkerd-proxy
- containerPort: 4191
name: linkerd-admin
readinessProbe:
httpGet:
path: /ready
port: 4191
initialDelaySeconds: 2
resources:
securityContext:
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
runAsUser: 2102
terminationMessagePolicy: FallbackToLogsOnError
volumeMounts:
- mountPath: /var/run/linkerd/identity/end-entity
name: linkerd-identity-end-entity
initContainers:
- args:
- --incoming-proxy-port
- "4143"
- --outgoing-proxy-port
- "4140"
- --proxy-uid
- "2102"
- --inbound-ports-to-ignore
- "4190,4191"
- --outbound-ports-to-ignore
- "443"
image: cr.l5d.io/linkerd/proxy-init:v1.3.11
imagePullPolicy: IfNotPresent
name: linkerd-init
resources:
limits:
cpu: "100m"
memory: "50Mi"
requests:
cpu: "10m"
memory: "10Mi"
securityContext:
allowPrivilegeEscalation: false
capabilities:
add:
- NET_ADMIN
- NET_RAW
privileged: false
readOnlyRootFilesystem: true
runAsNonRoot: false
runAsUser: 0
terminationMessagePolicy: FallbackToLogsOnError
volumeMounts:
- mountPath: /run
name: linkerd-proxy-init-xtables-lock
serviceAccountName: linkerd-proxy-injector
volumes:
- configMap:
name: linkerd-config
name: config
- name: tls
secret:
secretName: linkerd-proxy-injector-k8s-tls
- emptyDir: {}
name: linkerd-proxy-init-xtables-lock
- emptyDir:
medium: Memory
name: linkerd-identity-end-entity
---
kind: Service
apiVersion: v1
metadata:
name: linkerd-proxy-injector
namespace: linkerd
labels:
linkerd.io/control-plane-component: proxy-injector
linkerd.io/control-plane-ns: linkerd
annotations:
linkerd.io/created-by: linkerd/cli edge-21.4.3
spec:
type: ClusterIP
selector:
linkerd.io/control-plane-component: proxy-injector
ports:
- name: proxy-injector
port: 443
targetPort: proxy-injector
---
###
### Service Profile Validator
###
kind: Service
apiVersion: v1
metadata:
name: linkerd-sp-validator
namespace: linkerd
labels:
linkerd.io/control-plane-component: sp-validator
linkerd.io/control-plane-ns: linkerd
annotations:
linkerd.io/created-by: linkerd/cli edge-21.4.3
spec:
type: ClusterIP
selector:
linkerd.io/control-plane-component: sp-validator
ports:
- name: sp-validator
port: 443
targetPort: sp-validator
---
apiVersion: apps/v1
kind: Deployment
metadata:
annotations:
linkerd.io/created-by: linkerd/cli edge-21.4.3
labels:
app.kubernetes.io/name: sp-validator
app.kubernetes.io/part-of: Linkerd
app.kubernetes.io/version: edge-21.4.3
linkerd.io/control-plane-component: sp-validator
linkerd.io/control-plane-ns: linkerd
name: linkerd-sp-validator
namespace: linkerd
spec:
replicas: 1
selector:
matchLabels:
linkerd.io/control-plane-component: sp-validator
template:
metadata:
annotations:
checksum/config: 2fc29e224918533099d39b6322b373acd3cf75c24f6691d7da5c9930c3f253bf
linkerd.io/created-by: linkerd/cli edge-21.4.3
linkerd.io/identity-mode: default
linkerd.io/proxy-version: edge-21.4.3
labels:
linkerd.io/control-plane-component: sp-validator
linkerd.io/control-plane-ns: linkerd
linkerd.io/workload-ns: linkerd
linkerd.io/proxy-deployment: linkerd-sp-validator
spec:
nodeSelector:
beta.kubernetes.io/os: linux
containers:
- args:
- sp-validator
- -log-level=info
- -log-format=plain
image: cr.l5d.io/linkerd/controller:edge-21.4.3
imagePullPolicy: IfNotPresent
livenessProbe:
httpGet:
path: /ping
port: 9997
initialDelaySeconds: 10
name: sp-validator
ports:
- containerPort: 8443
name: sp-validator
- containerPort: 9997
name: admin-http
readinessProbe:
failureThreshold: 7
httpGet:
path: /ready
port: 9997
securityContext:
runAsUser: 2103
volumeMounts:
- mountPath: /var/run/linkerd/tls
name: tls
readOnly: true
- env:
- name: LINKERD2_PROXY_LOG
value: "warn,linkerd=info"
- name: LINKERD2_PROXY_LOG_FORMAT
value: "plain"
- name: LINKERD2_PROXY_DESTINATION_SVC_ADDR
value: linkerd-dst-headless.linkerd.svc.cluster.local.:8086
- name: LINKERD2_PROXY_DESTINATION_PROFILE_NETWORKS
value: "10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16"
- name: LINKERD2_PROXY_INBOUND_CONNECT_TIMEOUT
value: "100ms"
- name: LINKERD2_PROXY_OUTBOUND_CONNECT_TIMEOUT
value: "1000ms"
- name: LINKERD2_PROXY_CONTROL_LISTEN_ADDR
value: 0.0.0.0:4190
- name: LINKERD2_PROXY_ADMIN_LISTEN_ADDR
value: 0.0.0.0:4191
- name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDR
value: 127.0.0.1:4140
- name: LINKERD2_PROXY_INBOUND_LISTEN_ADDR
value: 0.0.0.0:4143
- name: LINKERD2_PROXY_DESTINATION_PROFILE_SUFFIXES
value: svc.cluster.local.
- name: LINKERD2_PROXY_INBOUND_ACCEPT_KEEPALIVE
value: 10000ms
- name: LINKERD2_PROXY_OUTBOUND_CONNECT_KEEPALIVE
value: 10000ms
- name: LINKERD2_PROXY_INBOUND_PORTS_DISABLE_PROTOCOL_DETECTION
value: "25,443,587,3306,5432,11211"
- name: _pod_ns
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: _pod_nodeName
valueFrom:
fieldRef:
fieldPath: spec.nodeName
- name: LINKERD2_PROXY_DESTINATION_CONTEXT
value: |
{"ns":"$(_pod_ns)", "nodeName":"$(_pod_nodeName)"}
- name: LINKERD2_PROXY_IDENTITY_DIR
value: /var/run/linkerd/identity/end-entity
- name: LINKERD2_PROXY_IDENTITY_TRUST_ANCHORS
value: |
-----BEGIN CERTIFICATE-----
MIIBhzCCAS6gAwIBAgIBATAKBggqhkjOPQQDAjAcMRowGAYDVQQDExFpZGVudGl0
eS5saW5rZXJkLjAeFw0yMTA0MTUwNTI2NDFaFw0yMjA0MTUwNTI3MDFaMBwxGjAY
BgNVBAMTEWlkZW50aXR5LmxpbmtlcmQuMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcD
QgAEweu0JGYyrUN0srwOTqZ/9zcXAGnVr+D1waEHFx+VaYmem9oDhHFheRSYj5nf
wB3thzkiMUMWIySj8b0L30oBZqNhMF8wDgYDVR0PAQH/BAQDAgEGMB0GA1UdJQQW
MBQGCCsGAQUFBwMBBggrBgEFBQcDAjAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQW
BBSOfGBv5D+Wu3SuWlb4Ik4QAaSSzzAKBggqhkjOPQQDAgNHADBEAiBqpbTbtTk1
xu58ipPChrIE8LDtXN512SignhZ0TyTBcQIgGsq15mtTB99VLDJ4rGdD5MUXFsSm
eOGdrDt4g23dFb4=
-----END CERTIFICATE-----
- name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE
value: /var/run/secrets/kubernetes.io/serviceaccount/token
- name: LINKERD2_PROXY_IDENTITY_SVC_ADDR
value: linkerd-identity-headless.linkerd.svc.cluster.local.:8080
- name: _pod_sa
valueFrom:
fieldRef:
fieldPath: spec.serviceAccountName
- name: _l5d_ns
value: linkerd
- name: _l5d_trustdomain
value: cluster.local
- name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME
value: $(_pod_sa).$(_pod_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain)
- name: LINKERD2_PROXY_IDENTITY_SVC_NAME
value: linkerd-identity.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain)
- name: LINKERD2_PROXY_DESTINATION_SVC_NAME
value: linkerd-destination.$(_l5d_ns).serviceaccount.identity.$(_l5d_ns).$(_l5d_trustdomain)
image: cr.l5d.io/linkerd/proxy:edge-21.4.3
imagePullPolicy: IfNotPresent
livenessProbe:
httpGet:
path: /live
port: 4191
initialDelaySeconds: 10
name: linkerd-proxy
ports:
- containerPort: 4143
name: linkerd-proxy
- containerPort: 4191
name: linkerd-admin
readinessProbe:
httpGet:
path: /ready
port: 4191
initialDelaySeconds: 2
resources:
securityContext:
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
runAsUser: 2102
terminationMessagePolicy: FallbackToLogsOnError
volumeMounts:
- mountPath: /var/run/linkerd/identity/end-entity
name: linkerd-identity-end-entity
initContainers:
- args:
- --incoming-proxy-port
- "4143"
- --outgoing-proxy-port
- "4140"
- --proxy-uid
- "2102"
- --inbound-ports-to-ignore
- "4190,4191"
- --outbound-ports-to-ignore
- "443"
image: cr.l5d.io/linkerd/proxy-init:v1.3.11
imagePullPolicy: IfNotPresent
name: linkerd-init
resources:
limits:
cpu: "100m"
memory: "50Mi"
requests:
cpu: "10m"
memory: "10Mi"
securityContext:
allowPrivilegeEscalation: false
capabilities:
add:
- NET_ADMIN
- NET_RAW
privileged: false
readOnlyRootFilesystem: true
runAsNonRoot: false
runAsUser: 0
terminationMessagePolicy: FallbackToLogsOnError
volumeMounts:
- mountPath: /run
name: linkerd-proxy-init-xtables-lock
serviceAccountName: linkerd-sp-validator
volumes:
- name: tls
secret:
secretName: linkerd-sp-validator-k8s-tls
- emptyDir: {}
name: linkerd-proxy-init-xtables-lock
- emptyDir:
medium: Memory
name: linkerd-identity-end-entity
---
apiVersion: v1
data:
linkerd-config-overrides: aWRlbnRpdHk6CiAgaXNzdWVyOgogICAgY3J0RXhwaXJ5OiAiMjAyMi0wNC0xNVQwNToyNzowMVoiCiAgICB0bHM6CiAgICAgIGNydFBFTTogfAogICAgICAgIC0tLS0tQkVHSU4gQ0VSVElGSUNBVEUtLS0tLQogICAgICAgIE1JSUJoekNDQVM2Z0F3SUJBZ0lCQVRBS0JnZ3Foa2pPUFFRREFqQWNNUm93R0FZRFZRUURFeEZwWkdWdWRHbDAKICAgICAgICBlUzVzYVc1clpYSmtMakFlRncweU1UQTBNVFV3TlRJMk5ERmFGdzB5TWpBME1UVXdOVEkzTURGYU1Cd3hHakFZCiAgICAgICAgQmdOVkJBTVRFV2xrWlc1MGFYUjVMbXhwYm10bGNtUXVNRmt3RXdZSEtvWkl6ajBDQVFZSUtvWkl6ajBEQVFjRAogICAgICAgIFFnQUV3ZXUwSkdZeXJVTjBzcndPVHFaLzl6Y1hBR25WcitEMXdhRUhGeCtWYVltZW05b0RoSEZoZVJTWWo1bmYKICAgICAgICB3QjN0aHpraU1VTVdJeVNqOGIwTDMwb0JacU5oTUY4d0RnWURWUjBQQVFIL0JBUURBZ0VHTUIwR0ExVWRKUVFXCiAgICAgICAgTUJRR0NDc0dBUVVGQndNQkJnZ3JCZ0VGQlFjREFqQVBCZ05WSFJNQkFmOEVCVEFEQVFIL01CMEdBMVVkRGdRVwogICAgICAgIEJCU09mR0J2NUQrV3UzU3VXbGI0SWs0UUFhU1N6ekFLQmdncWhrak9QUVFEQWdOSEFEQkVBaUJxcGJUYnRUazEKICAgICAgICB4dTU4aXBQQ2hySUU4TER0WE41MTJTaWduaFowVHlUQmNRSWdHc3ExNW10VEI5OVZMREo0ckdkRDVNVVhGc1NtCiAgICAgICAgZU9HZHJEdDRnMjNkRmI0PQogICAgICAgIC0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0KICAgICAga2V5UEVNOiB8CiAgICAgICAgLS0tLS1CRUdJTiBFQyBQUklWQVRFIEtFWS0tLS0tCiAgICAgICAgTUhjQ0FRRUVJSjhPYlNydTg0c0ZBV2FWUTVjcWF3azRKdEF3dm9VRTBRRTRHay9uZ0dZZW9Bb0dDQ3FHU000OQogICAgICAgIEF3RUhvVVFEUWdBRXdldTBKR1l5clVOMHNyd09UcVovOXpjWEFHblZyK0Qxd2FFSEZ4K1ZhWW1lbTlvRGhIRmgKICAgICAgICBlUlNZajVuZndCM3RoemtpTVVNV0l5U2o4YjBMMzBvQlpnPT0KICAgICAgICAtLS0tLUVORCBFQyBQUklWQVRFIEtFWS0tLS0tCmlkZW50aXR5VHJ1c3RBbmNob3JzUEVNOiB8CiAgLS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCiAgTUlJQmh6Q0NBUzZnQXdJQkFnSUJBVEFLQmdncWhrak9QUVFEQWpBY01Sb3dHQVlEVlFRREV4RnBaR1Z1ZEdsMAogIGVTNXNhVzVyWlhKa0xqQWVGdzB5TVRBME1UVXdOVEkyTkRGYUZ3MHlNakEwTVRVd05USTNNREZhTUJ3eEdqQVkKICBCZ05WQkFNVEVXbGtaVzUwYVhSNUxteHBibXRsY21RdU1Ga3dFd1lIS29aSXpqMENBUVlJS29aSXpqMERBUWNECiAgUWdBRXdldTBKR1l5clVOMHNyd09UcVovOXpjWEFHblZyK0Qxd2FFSEZ4K1ZhWW1lbTlvRGhIRmhlUlNZajVuZgogIHdCM3RoemtpTVVNV0l5U2o4YjBMMzBvQlpxTmhNRjh3RGdZRFZSMFBBUUgvQkFRREFnRUdNQjBHQTFVZEpRUVcKICBNQlFHQ0NzR0FRVUZCd01CQmdnckJnRUZCUWNEQWpBUEJnTlZIUk1CQWY4RUJUQURBUUgvTUIwR0ExVWREZ1FXCiAgQkJTT2ZHQnY1RCtXdTNTdVdsYjRJazRRQWFTU3p6QUtCZ2dxaGtqT1BRUURBZ05IQURCRUFpQnFwYlRidFRrMQogIHh1NThpcFBDaHJJRThMRHRYTjUxMlNpZ25oWjBUeVRCY1FJZ0dzcTE1bXRUQjk5VkxESjRyR2RENU1VWEZzU20KICBlT0dkckR0NGcyM2RGYjQ9CiAgLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo=
kind: Secret
metadata:
creationTimestamp: null
labels:
linkerd.io/control-plane-ns: linkerd
name: linkerd-config-overrides
namespace: linkerd
Reference in New Issue View Git Blame Copy Permalink