
---
# Linkerd Namespace
#
# Security notes:
# - pod-security.kubernetes.io/enforce: privileged means Pod Security
#   admission enforces no restrictions on pods created in this namespace.
#   The linkerd-init container in this manifest adds NET_ADMIN and NET_RAW,
#   which the baseline and restricted levels reject, and linkerd-config
#   records cniEnabled: false; presumably that is why the level is
#   privileged. Keep unrelated workloads out of this namespace.
# - config.linkerd.io/admission-webhooks: disabled matches the NotIn
#   namespaceSelector of the Linkerd webhooks in this manifest, so objects
#   created in this namespace are not sent to them.
apiVersion: v1
kind: Namespace
metadata:
  name: linkerd
  annotations:
    linkerd.io/inject: disabled
  labels:
    linkerd.io/is-control-plane: "true"
    config.linkerd.io/admission-webhooks: disabled
    linkerd.io/control-plane-ns: linkerd
    pod-security.kubernetes.io/enforce: privileged
---
# Identity Controller Service RBAC
#
# Cluster-scoped permissions of the identity controller: creating
# TokenReviews (authentication.k8s.io) and creating/patching core Events.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: linkerd-linkerd-identity
  labels:
    linkerd.io/control-plane-component: identity
    linkerd.io/control-plane-ns: linkerd
rules:
  - apiGroups: ["authentication.k8s.io"]
    resources: ["tokenreviews"]
    verbs: ["create"]
  # TODO(ver) Restrict this to the Linkerd namespace. See
  # https://github.com/linkerd/linkerd2/issues/9367
  # As written, this rule sits in a ClusterRole, so the events permission
  # applies in every namespace.
  - apiGroups: [""]
    resources: ["events"]
    verbs: ["create", "patch"]
---
# Grants ClusterRole linkerd-linkerd-identity to the linkerd-identity
# ServiceAccount in namespace linkerd, cluster-wide.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: linkerd-linkerd-identity
  labels:
    linkerd.io/control-plane-component: identity
    linkerd.io/control-plane-ns: linkerd
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: linkerd-linkerd-identity
subjects:
  - kind: ServiceAccount
    name: linkerd-identity
    namespace: linkerd
---
# ServiceAccount the identity Deployment runs as (serviceAccountName in its
# pod spec) and the subject of the linkerd-linkerd-identity binding.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: linkerd-identity
  namespace: linkerd
  labels:
    linkerd.io/control-plane-component: identity
    linkerd.io/control-plane-ns: linkerd
---
# Destination Controller Service
#
# Cluster-scoped permissions of the destination controller. Every rule is
# read-only (list/get/watch) except the last two:
# - leases: create/get/update/patch (NOTE(review): presumably leader
#   election - confirm);
# - endpointslices: full write access, including delete, in all namespaces.
#   A compromised linkerd-destination ServiceAccount could therefore alter
#   service endpoints cluster-wide; audit writes to discovery.k8s.io by this
#   account.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: linkerd-linkerd-destination
  labels:
    linkerd.io/control-plane-component: destination
    linkerd.io/control-plane-ns: linkerd
rules:
  - apiGroups: ["apps"]
    resources: ["replicasets"]
    verbs: ["list", "get", "watch"]
  - apiGroups: ["batch"]
    resources: ["jobs"]
    verbs: ["list", "get", "watch"]
  - apiGroups: [""]
    resources: ["pods", "endpoints", "services", "nodes"]
    verbs: ["list", "get", "watch"]
  - apiGroups: ["linkerd.io"]
    resources: ["serviceprofiles"]
    verbs: ["list", "get", "watch"]
  - apiGroups: ["workload.linkerd.io"]
    resources: ["externalworkloads"]
    verbs: ["list", "get", "watch"]
  - apiGroups: ["coordination.k8s.io"]
    resources: ["leases"]
    verbs: ["create", "get", "update", "patch"]
  - apiGroups: ["discovery.k8s.io"]
    resources: ["endpointslices"]
    verbs: ["list", "get", "watch", "create", "update", "patch", "delete"]
---
# Grants ClusterRole linkerd-linkerd-destination to the linkerd-destination
# ServiceAccount in namespace linkerd, cluster-wide.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: linkerd-linkerd-destination
  labels:
    linkerd.io/control-plane-component: destination
    linkerd.io/control-plane-ns: linkerd
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: linkerd-linkerd-destination
subjects:
  - kind: ServiceAccount
    name: linkerd-destination
    namespace: linkerd
---
# ServiceAccount bound to linkerd-linkerd-destination, linkerd-policy and
# the namespaced remote-discovery Role elsewhere in this manifest.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: linkerd-destination
  namespace: linkerd
  labels:
    linkerd.io/control-plane-component: destination
    linkerd.io/control-plane-ns: linkerd
---
# TLS certificate and private key for the linkerd-sp-validator webhook
# (the service named in linkerd-sp-validator-webhook-config).
# NOTE(review): tls.key places the webhook's private key inside the rendered
# manifest. Secret data is base64-encoded, not encrypted, so anyone who can
# read this file can read the key. linkerd-config records
# profileValidator.externalSecret: false; providing the Secret out of band
# would keep the key out of version control.
apiVersion: v1
kind: Secret
metadata:
  name: linkerd-sp-validator-k8s-tls
  namespace: linkerd
  labels:
    linkerd.io/control-plane-component: destination
    linkerd.io/control-plane-ns: linkerd
  annotations:
    linkerd.io/created-by: linkerd/cli edge-24.11.3
type: kubernetes.io/tls
data:
  tls.crt: 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
  tls.key: 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
---
# Validating webhook for ServiceProfile CREATE/UPDATE (linkerd.io
# v1alpha1/v1alpha2).
#
# Security notes:
# - failurePolicy: Ignore is fail-open: when the webhook cannot be reached
#   or errors, the API server admits the object unvalidated. Alert on
#   admission-webhook call failures so silent bypass is noticed.
# - The namespaceSelector skips any namespace labelled
#   config.linkerd.io/admission-webhooks=disabled, so whoever may label
#   namespaces can opt a namespace out of validation.
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
  name: linkerd-sp-validator-webhook-config
  labels:
    linkerd.io/control-plane-component: destination
    linkerd.io/control-plane-ns: linkerd
webhooks:
  - name: linkerd-sp-validator.linkerd.io
    namespaceSelector:
      matchExpressions:
        - key: config.linkerd.io/admission-webhooks
          operator: NotIn
          values:
            - disabled
    clientConfig:
      service:
        name: linkerd-sp-validator
        namespace: linkerd
        path: "/"
      # CA the API server uses to verify the webhook's serving certificate.
      caBundle: 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
    failurePolicy: Ignore
    admissionReviewVersions: ["v1", "v1beta1"]
    rules:
      - operations: ["CREATE", "UPDATE"]
        apiGroups: ["linkerd.io"]
        apiVersions: ["v1alpha1", "v1alpha2"]
        resources: ["serviceprofiles"]
    sideEffects: None
---
# TLS certificate and private key for the linkerd-policy-validator webhook
# (the service named in linkerd-policy-validator-webhook-config).
# NOTE(review): tls.key places the webhook's private key inside the rendered
# manifest. Secret data is base64-encoded, not encrypted, so anyone who can
# read this file can read the key. linkerd-config records
# policyValidator.externalSecret: false; providing the Secret out of band
# would keep the key out of version control.
apiVersion: v1
kind: Secret
metadata:
  name: linkerd-policy-validator-k8s-tls
  namespace: linkerd
  labels:
    linkerd.io/control-plane-component: destination
    linkerd.io/control-plane-ns: linkerd
  annotations:
    linkerd.io/created-by: linkerd/cli edge-24.11.3
type: kubernetes.io/tls
data:
  tls.crt: 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
  tls.key: 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
---
# Validating webhook for Linkerd policy resources (policy.linkerd.io) and
# Gateway API routes (gateway.networking.k8s.io) on CREATE/UPDATE.
#
# Security notes:
# - These resources express the mesh's authorization policy, and
#   failurePolicy: Ignore is fail-open: if the validator is unavailable,
#   policy objects are admitted without validation. Alert on
#   admission-webhook call failures for this webhook.
# - Namespaces labelled config.linkerd.io/admission-webhooks=disabled are
#   skipped by the namespaceSelector.
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
  name: linkerd-policy-validator-webhook-config
  labels:
    linkerd.io/control-plane-component: destination
    linkerd.io/control-plane-ns: linkerd
webhooks:
  - name: linkerd-policy-validator.linkerd.io
    namespaceSelector:
      matchExpressions:
        - key: config.linkerd.io/admission-webhooks
          operator: NotIn
          values:
            - disabled
    clientConfig:
      service:
        name: linkerd-policy-validator
        namespace: linkerd
        path: "/"
      # Base64 PEM certificate (public) that the API server uses to verify
      # the webhook's serving certificate.
      caBundle: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURXVENDQWtHZ0F3SUJBZ0lSQUxHRm5UT1ZpOGJWMG54dW4rK2tWL1F3RFFZSktvWklodmNOQVFFTEJRQXcKTHpFdE1Dc0dBMVVFQXhNa2JHbHVhMlZ5WkMxd2IyeHBZM2t0ZG1Gc2FXUmhkRzl5TG14cGJtdGxjbVF1YzNaagpNQjRYRFRJME1URXhOekE0TURnd01Wb1hEVEkxTVRFeE56QTRNRGd3TVZvd0x6RXRNQ3NHQTFVRUF4TWtiR2x1CmEyVnlaQzF3YjJ4cFkza3RkbUZzYVdSaGRHOXlMbXhwYm10bGNtUXVjM1pqTUlJQklqQU5CZ2txaGtpRzl3MEIKQVFFRkFBT0NBUThBTUlJQkNnS0NBUUVBNUNUaWVvTlppSWZsZUNtajVGblFIbDFxWFhzYm44ejBMeDQySWxBKwo5N2p1ZFAxQU5tWlhwRjAxZkNuSFlZcnU3UDRCY280L1FscCt4bDNRbzVmNXc5cWExaUE0amtRWTdCZ2U4ZGV4CnFDMXhic3EzemlVeUtwRkJyWUdnMFF6WFdyODJOZVBsbkhCTWFlZWF1cktMbkpVQ0pDSjNOaGE2d2ViWEJiZXAKL0hSTGFGclFNUjZrRlZYZjJHOW15S1k0dG1ZYWVzM0o5N2VhVWxDSU5xakkwcU8zdzB4Z0ZPRXltWlNKN2prMQo3Q2M1cFM3clROMlkwYmc5RzV3U2VVZm5iZ29mZUFUaVpheXpwNDZyc0lxRHZtWkh1N2pqTkNPWktpak93VEZ4CkJPMHRSN0g3djJFUnFrWHgwWWRoZ2swbW90WTM0ZFRIdXpEQ2ZzdGVxcVcxMVFJREFRQUJvM0F3YmpBT0JnTlYKSFE4QkFmOEVCQU1DQmFBd0hRWURWUjBsQkJZd0ZBWUlLd1lCQlFVSEF3RUdDQ3NHQVFVRkJ3TUNNQXdHQTFVZApFd0VCL3dRQ01BQXdMd1lEVlIwUkJDZ3dKb0lrYkdsdWEyVnlaQzF3YjJ4cFkza3RkbUZzYVdSaGRHOXlMbXhwCmJtdGxjbVF1YzNaak1BMEdDU3FHU0liM0RRRUJDd1VBQTRJQkFRRGRNU1lPSk9BZ0hXd2RJZm1xdGFMOGRuenAKK0YwWk1SeStyV21EVndzLzhWQkpmeCthQVd4NHkxRW9YdnlId2JOSXlna2d4YjZ1RVRpV2VnRlhWQUNoM0VtbAp5ODhONHltNkpNeXBmcWZNa0NEdXdKOVVyTUtWbmgyRklCcWhLUWdUcnl6N0pCREQ5citHZXg5NC9rc2Q3cE9iCnFSbHR6VnJuZGRRdFpQQmdZbGFSN0J3UmxjTGFLdko5Mmx6MXBZMGZJSlB2amtITlMwazVPa2w3cStjKy9sem8KUkFSb3ByT2VmRE9GN1lxRTRXNnZoeDJaQ2VaNWl0alhxNHc2QUlKejMvc3FQa3hnRXZpN0luYkZ3ZzBrQjRCaQovZWdKcHlBQjR2UTI1RGF3SnVFQytOWkhLVGQzVzRWMEdaMnl1T050L1JrK3Z2ckpEM1dXclRpSmNrdFAKLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQ==
    failurePolicy: Ignore
    admissionReviewVersions: ["v1", "v1beta1"]
    rules:
      - operations: ["CREATE", "UPDATE"]
        apiGroups: ["policy.linkerd.io"]
        apiVersions: ["*"]
        resources:
          - authorizationpolicies
          - httplocalratelimitpolicies
          - httproutes
          - networkauthentications
          - meshtlsauthentications
          - serverauthorizations
          - servers
          - egressnetworks
      - operations: ["CREATE", "UPDATE"]
        apiGroups: ["gateway.networking.k8s.io"]
        apiVersions: ["*"]
        resources:
          - httproutes
          - grpcroutes
          - tlsroutes
          - tcproutes
    sideEffects: None
---
# Cluster-scoped permissions for the policy side of the destination
# component (bound to linkerd-destination by linkerd-destination-policy).
# Reads pods, deployments, policy.linkerd.io and Gateway API resources and
# external workloads; the only writes are patch on the listed */status
# subresources and create/patch on leases.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: linkerd-policy
  labels:
    app.kubernetes.io/part-of: Linkerd
    linkerd.io/control-plane-component: destination
    linkerd.io/control-plane-ns: linkerd
rules:
  - apiGroups:
      - ""
    resources:
      - pods
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - apps
    resources:
      - deployments
    verbs:
      - get
  - apiGroups:
      - policy.linkerd.io
    resources:
      - authorizationpolicies
      - httplocalratelimitpolicies
      - httproutes
      - meshtlsauthentications
      - networkauthentications
      - servers
      - serverauthorizations
      - egressnetworks
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - gateway.networking.k8s.io
    resources:
      - httproutes
      - grpcroutes
      - tlsroutes
      - tcproutes
    verbs:
      - get
      - list
      - watch
  # Status-only writes: the main resources above stay read-only.
  - apiGroups:
      - policy.linkerd.io
    resources:
      - httproutes/status
      - httplocalratelimitpolicies/status
      - egressnetworks/status
    verbs:
      - patch
  - apiGroups:
      - gateway.networking.k8s.io
    resources:
      - httproutes/status
      - grpcroutes/status
      - tlsroutes/status
      - tcproutes/status
    verbs:
      - patch
  - apiGroups:
      - workload.linkerd.io
    resources:
      - externalworkloads
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - coordination.k8s.io
    resources:
      - leases
    verbs:
      - create
      - get
      - patch
---
# Grants ClusterRole linkerd-policy to the linkerd-destination
# ServiceAccount, in addition to its linkerd-linkerd-destination binding.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: linkerd-destination-policy
  labels:
    app.kubernetes.io/part-of: Linkerd
    linkerd.io/control-plane-component: destination
    linkerd.io/control-plane-ns: linkerd
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: linkerd-policy
subjects:
  - kind: ServiceAccount
    name: linkerd-destination
    namespace: linkerd
---
# Read access (get/list/watch) to every Secret in namespace linkerd.
#
# Security note: the rule has no resourceNames, and this manifest stores
# linkerd-identity-issuer (the issuer private key) and the *-k8s-tls webhook
# Secrets in the same namespace. Whoever holds the bound ServiceAccount's
# token can therefore read those keys as well.
# NOTE(review): the name suggests the intent is reading remote-cluster
# credentials only - confirm, and consider keeping such Secrets apart from
# the identity issuer key.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: remote-discovery
  namespace: linkerd
  labels:
    app.kubernetes.io/part-of: Linkerd
    linkerd.io/control-plane-component: destination
    linkerd.io/control-plane-ns: linkerd
rules:
  - apiGroups:
      - ""
    resources:
      - secrets
    verbs:
      - get
      - list
      - watch
---
# Binds Role remote-discovery (Secret read access in namespace linkerd) to
# the linkerd-destination ServiceAccount.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: linkerd-destination-remote-discovery
  namespace: linkerd
  labels:
    app.kubernetes.io/part-of: Linkerd
    linkerd.io/control-plane-component: destination
    linkerd.io/control-plane-ns: linkerd
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: remote-discovery
subjects:
  - kind: ServiceAccount
    name: linkerd-destination
    namespace: linkerd
---
# Heartbeat RBAC
#
# Namespaced read of a single object: get on the linkerd-config ConfigMap
# only, pinned with resourceNames.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: linkerd-heartbeat
  namespace: linkerd
  labels:
    linkerd.io/control-plane-ns: linkerd
rules:
  - apiGroups: [""]
    resources: ["configmaps"]
    verbs: ["get"]
    resourceNames: ["linkerd-config"]
---
# Binds Role linkerd-heartbeat to the linkerd-heartbeat ServiceAccount
# within namespace linkerd.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: linkerd-heartbeat
  namespace: linkerd
  labels:
    linkerd.io/control-plane-ns: linkerd
roleRef:
  kind: Role
  name: linkerd-heartbeat
  apiGroup: rbac.authorization.k8s.io
subjects:
  - kind: ServiceAccount
    name: linkerd-heartbeat
    namespace: linkerd
---
# Cluster-scoped, list-only access for the heartbeat job: namespaces and
# ServiceProfiles. No get/watch and no write verbs are granted.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: linkerd-heartbeat
  labels:
    linkerd.io/control-plane-ns: linkerd
rules:
  - apiGroups: [""]
    resources: ["namespaces"]
    verbs: ["list"]
  - apiGroups: ["linkerd.io"]
    resources: ["serviceprofiles"]
    verbs: ["list"]
---
# Grants ClusterRole linkerd-heartbeat to the linkerd-heartbeat
# ServiceAccount in namespace linkerd.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: linkerd-heartbeat
  labels:
    linkerd.io/control-plane-ns: linkerd
roleRef:
  kind: ClusterRole
  name: linkerd-heartbeat
  apiGroup: rbac.authorization.k8s.io
subjects:
  - kind: ServiceAccount
    name: linkerd-heartbeat
    namespace: linkerd
---
# ServiceAccount named as subject by the linkerd-heartbeat RoleBinding and
# ClusterRoleBinding.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: linkerd-heartbeat
  namespace: linkerd
  labels:
    linkerd.io/control-plane-component: heartbeat
    linkerd.io/control-plane-ns: linkerd
---
# Proxy Injector RBAC
#
# Cluster-scoped permissions of the proxy injector: read access to
# namespaces and workload owners, list/watch on pods, and create/patch on
# core Events in every namespace (the only write it has).
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: linkerd-linkerd-proxy-injector
  labels:
    linkerd.io/control-plane-component: proxy-injector
    linkerd.io/control-plane-ns: linkerd
rules:
  - apiGroups: [""]
    resources: ["events"]
    verbs: ["create", "patch"]
  - apiGroups: [""]
    resources: ["namespaces", "replicationcontrollers"]
    verbs: ["list", "get", "watch"]
  - apiGroups: [""]
    resources: ["pods"]
    verbs: ["list", "watch"]
  - apiGroups: ["extensions", "apps"]
    resources: ["deployments", "replicasets", "daemonsets", "statefulsets"]
    verbs: ["list", "get", "watch"]
  - apiGroups: ["extensions", "batch"]
    resources: ["cronjobs", "jobs"]
    verbs: ["list", "get", "watch"]
---
# Grants ClusterRole linkerd-linkerd-proxy-injector to the
# linkerd-proxy-injector ServiceAccount in namespace linkerd.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: linkerd-linkerd-proxy-injector
  labels:
    linkerd.io/control-plane-component: proxy-injector
    linkerd.io/control-plane-ns: linkerd
subjects:
  - kind: ServiceAccount
    name: linkerd-proxy-injector
    namespace: linkerd
    # Empty apiGroup: ServiceAccount subjects live in the core API group.
    apiGroup: ""
roleRef:
  kind: ClusterRole
  name: linkerd-linkerd-proxy-injector
  apiGroup: rbac.authorization.k8s.io
---
# ServiceAccount named as subject by the linkerd-linkerd-proxy-injector
# ClusterRoleBinding.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: linkerd-proxy-injector
  namespace: linkerd
  labels:
    linkerd.io/control-plane-component: proxy-injector
    linkerd.io/control-plane-ns: linkerd
---
# TLS certificate and private key for the linkerd-proxy-injector webhook
# (the service named in linkerd-proxy-injector-webhook-config).
# NOTE(review): tls.key places the webhook's private key inside the rendered
# manifest. Secret data is base64-encoded, not encrypted, so anyone who can
# read this file can read the key. This webhook mutates pod specs, so its
# key deserves the same handling as other admission credentials;
# linkerd-config records proxyInjector.externalSecret: false.
apiVersion: v1
kind: Secret
metadata:
  name: linkerd-proxy-injector-k8s-tls
  namespace: linkerd
  labels:
    linkerd.io/control-plane-component: proxy-injector
    linkerd.io/control-plane-ns: linkerd
  annotations:
    linkerd.io/created-by: linkerd/cli edge-24.11.3
type: kubernetes.io/tls
data:
  tls.crt: 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
  tls.key: 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
---
# Mutating webhook that receives CREATE requests for namespaced pods and
# services (core v1) so the injector can add the Linkerd proxy.
#
# Security notes:
# - failurePolicy: Ignore is fail-open: if the injector is unreachable or
#   exceeds timeoutSeconds, the pod is admitted unmodified, i.e. without a
#   proxy and therefore outside mesh mTLS and policy. Detect this by
#   checking running pods in meshed namespaces for a missing linkerd-proxy
#   container.
# - Namespaces labelled config.linkerd.io/admission-webhooks=disabled, plus
#   kube-system and cert-manager, are never sent to the injector.
apiVersion: admissionregistration.k8s.io/v1
kind: MutatingWebhookConfiguration
metadata:
  name: linkerd-proxy-injector-webhook-config
  labels:
    linkerd.io/control-plane-component: proxy-injector
    linkerd.io/control-plane-ns: linkerd
webhooks:
  - name: linkerd-proxy-injector.linkerd.io
    namespaceSelector:
      matchExpressions:
        - key: config.linkerd.io/admission-webhooks
          operator: NotIn
          values:
            - disabled
        - key: kubernetes.io/metadata.name
          operator: NotIn
          values:
            - kube-system
            - cert-manager
    # No object-level filter is set.
    objectSelector: null
    clientConfig:
      service:
        name: linkerd-proxy-injector
        namespace: linkerd
        path: "/"
      # CA the API server uses to verify the webhook's serving certificate.
      caBundle: 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
    failurePolicy: Ignore
    admissionReviewVersions: ["v1", "v1beta1"]
    rules:
      - operations: ["CREATE"]
        apiGroups: [""]
        apiVersions: ["v1"]
        resources: ["pods", "services"]
        scope: "Namespaced"
    sideEffects: None
    timeoutSeconds: 10
---
# Rendered install values recorded by linkerd/cli edge-24.11.3. The whole
# `values` entry is one string (literal block scalar), so nothing inside it
# can carry YAML comments; the security-relevant settings are listed here.
#
# - proxy.defaultInboundPolicy: all-unauthenticated - by default a meshed
#   workload accepts inbound traffic from any client, authenticated or not,
#   unless policy resources or annotations say otherwise.
# - webhookFailurePolicy: Ignore - matches the fail-open failurePolicy on
#   the three webhook configurations in this manifest.
# - identity.externalCA: false with issuer scheme linkerd.io/tls - issuer
#   credentials come from the linkerd-identity-issuer Secret rendered into
#   this manifest rather than from an external issuer.
# - identity.issuer.issuanceLifetime: 24h0m0s, clockSkewAllowance: 20s.
# - policyController.probeNetworks: 0.0.0.0/0 and ::/0 - every source
#   address is treated as a possible probe source.
# - networkValidator.logLevel: debug, while the proxy and controllers log
#   at info/warn.
# - proxyInit: privileged: false, runAsRoot: false, runAsUser: 65534.
# - proxy.enableShutdownEndpoint: false.
# - cniEnabled: false - traffic redirection is set up by the linkerd-init
#   container, which needs NET_ADMIN/NET_RAW.
apiVersion: v1
kind: ConfigMap
metadata:
  name: linkerd-config
  namespace: linkerd
  labels:
    linkerd.io/control-plane-component: controller
    linkerd.io/control-plane-ns: linkerd
  annotations:
    linkerd.io/created-by: linkerd/cli edge-24.11.3
data:
  linkerd-crds-chart-version: linkerd-crds-1.0.0-edge
  values: |
    cliVersion: linkerd/cli edge-24.11.3
    clusterDomain: cluster.local
    clusterNetworks: 10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16,fd00::/8
    cniEnabled: false
    controlPlaneTracing: false
    controlPlaneTracingNamespace: linkerd-jaeger
    controller:
      podDisruptionBudget:
        maxUnavailable: 1
    controllerGID: -1
    controllerImage: cr.l5d.io/linkerd/controller
    controllerLogFormat: plain
    controllerLogLevel: info
    controllerReplicas: 1
    controllerUID: 2103
    debugContainer:
      image:
        name: cr.l5d.io/linkerd/debug
        pullPolicy: ""
        version: edge-24.11.3
    deploymentStrategy:
      rollingUpdate:
        maxSurge: 25%
        maxUnavailable: 25%
    destinationController:
      livenessProbe:
        timeoutSeconds: 1
      meshedHttp2ClientProtobuf:
        keep_alive:
          interval:
            seconds: 10
          timeout:
            seconds: 3
          while_idle: true
      readinessProbe:
        timeoutSeconds: 1
    destinationProxyResources: null
    destinationResources: null
    disableHeartBeat: false
    disableIPv6: true
    egress:
      globalEgressNetworkNamespace: linkerd-egress
    enableEndpointSlices: true
    enableH2Upgrade: true
    enablePodAntiAffinity: false
    enablePodDisruptionBudget: false
    heartbeat: null
    heartbeatResources: null
    heartbeatSchedule: ""
    highAvailability: false
    identity:
      additionalEnv: null
      experimentalEnv: null
      externalCA: false
      issuer:
        clockSkewAllowance: 20s
        issuanceLifetime: 24h0m0s
        scheme: linkerd.io/tls
        tls:
          crtPEM: |
            -----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
      kubeAPI:
        clientBurst: 200
        clientQPS: 100
      serviceAccountTokenProjection: true
    identityProxyResources: null
    identityResources: null
    identityTrustAnchorsPEM: |
      -----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
    identityTrustDomain: cluster.local
    imagePullPolicy: IfNotPresent
    imagePullSecrets: []
    linkerdVersion: edge-24.11.3
    networkValidator:
      connectAddr: ""
      enableSecurityContext: true
      listenAddr: ""
      logFormat: plain
      logLevel: debug
      timeout: 10s
    nodeAffinity: null
    nodeSelector:
      kubernetes.io/os: linux
    podAnnotations: {}
    podLabels: {}
    podMonitor:
      controller:
        enabled: true
        namespaceSelector: |
          matchNames:
            - {{ .Release.Namespace }}
            - linkerd-viz
            - linkerd-jaeger
      enabled: false
      proxy:
        enabled: true
      scrapeInterval: 10s
      scrapeTimeout: 10s
      serviceMirror:
        enabled: true
    policyController:
      image:
        name: cr.l5d.io/linkerd/policy-controller
        pullPolicy: ""
        version: ""
      logLevel: info
      probeNetworks:
        - 0.0.0.0/0
        - ::/0
      resources:
        cpu:
          limit: ""
          request: ""
        ephemeral-storage:
          limit: ""
          request: ""
        memory:
          limit: ""
          request: ""
    policyValidator:
      caBundle: ""
      crtPEM: ""
      externalSecret: false
      injectCaFrom: ""
      injectCaFromSecret: ""
      namespaceSelector:
        matchExpressions:
          - key: config.linkerd.io/admission-webhooks
            operator: NotIn
            values:
              - disabled
    priorityClassName: ""
    profileValidator:
      caBundle: ""
      crtPEM: ""
      externalSecret: false
      injectCaFrom: ""
      injectCaFromSecret: ""
      namespaceSelector:
        matchExpressions:
          - key: config.linkerd.io/admission-webhooks
            operator: NotIn
            values:
              - disabled
    prometheusUrl: ""
    proxy:
      accessLog: ""
      additionalEnv: null
      await: true
      capabilities: null
      control:
        streams:
          idleTimeout: 5m
          initialTimeout: 3s
          lifetime: 1h
      defaultInboundPolicy: all-unauthenticated
      disableInboundProtocolDetectTimeout: false
      disableOutboundProtocolDetectTimeout: false
      enableExternalProfiles: false
      enableShutdownEndpoint: false
      experimentalEnv: null
      gid: -1
      image:
        name: cr.l5d.io/linkerd/proxy
        pullPolicy: ""
        version: ""
      inbound:
        server:
          http2:
            keepAliveInterval: 10s
            keepAliveTimeout: 3s
      inboundConnectTimeout: 100ms
      inboundDiscoveryCacheUnusedTimeout: 90s
      isGateway: false
      isIngress: false
      livenessProbe:
        initialDelaySeconds: 10
        timeoutSeconds: 1
      logFormat: plain
      logHTTPHeaders: "off"
      logLevel: warn,linkerd=info,hickory=error
      nativeSidecar: false
      opaquePorts: 25,587,3306,4444,5432,6379,9300,11211
      outbound:
        server:
          http2:
            keepAliveInterval: 10s
            keepAliveTimeout: 3s
      outboundConnectTimeout: 1000ms
      outboundDiscoveryCacheUnusedTimeout: 5s
      podInboundPorts: ""
      ports:
        admin: 4191
        control: 4190
        inbound: 4143
        outbound: 4140
      readinessProbe:
        initialDelaySeconds: 2
        timeoutSeconds: 1
      requireIdentityOnInboundPorts: ""
      resources:
        cpu:
          limit: ""
          request: ""
        ephemeral-storage:
          limit: ""
          request: ""
        memory:
          limit: ""
          request: ""
      saMountPath: null
      shutdownGracePeriod: ""
      startupProbe:
        failureThreshold: 120
        initialDelaySeconds: 0
        periodSeconds: 1
      uid: 2102
      waitBeforeExitSeconds: 0
    proxyContainerName: linkerd-proxy
    proxyInit:
      capabilities: null
      closeWaitTimeoutSecs: 0
      ignoreInboundPorts: 4567,4568
      ignoreOutboundPorts: 4567,4568
      image:
        name: cr.l5d.io/linkerd/proxy-init
        pullPolicy: ""
        version: v2.4.1
      iptablesMode: legacy
      kubeAPIServerPorts: 443,6443
      logFormat: ""
      logLevel: ""
      privileged: false
      resources: null
      runAsGroup: 65534
      runAsRoot: false
      runAsUser: 65534
      saMountPath: null
      skipSubnets: ""
      xtMountPath:
        mountPath: /run
        name: linkerd-proxy-init-xtables-lock
        readOnly: false
    proxyInjector:
      additionalEnv: null
      caBundle: ""
      crtPEM: ""
      experimentalEnv: null
      externalSecret: false
      injectCaFrom: ""
      injectCaFromSecret: ""
      namespaceSelector:
        matchExpressions:
          - key: config.linkerd.io/admission-webhooks
            operator: NotIn
            values:
              - disabled
          - key: kubernetes.io/metadata.name
            operator: NotIn
            values:
              - kube-system
              - cert-manager
    proxyInjectorProxyResources: null
    proxyInjectorResources: null
    revisionHistoryLimit: 10
    spValidator:
      livenessProbe:
        timeoutSeconds: 1
      readinessProbe:
        timeoutSeconds: 1
    tolerations: null
    webhookFailurePolicy: Ignore
---
# Namespaced Role allowing get on the linkerd-config ConfigMap only
# (pinned with resourceNames). No RoleBinding for it appears in this part
# of the manifest.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  labels:
    linkerd.io/control-plane-ns: linkerd
  annotations:
    linkerd.io/created-by: linkerd/cli edge-24.11.3
  name: ext-namespace-metadata-linkerd-config
  namespace: linkerd
rules:
  - apiGroups: [""]
    resources: ["configmaps"]
    verbs: ["get"]
    resourceNames: ["linkerd-config"]
---
# Identity Controller Service
#
# Issuer credentials that the identity controller mounts at
# /var/run/linkerd/identity/issuer and uses to sign workload certificates.
#
# Security notes:
# - key.pem base64-decodes to a PEM block headed
#   "-----BEGIN EC PRIVATE KEY-----". Secret data is only base64-encoded,
#   so the signing key is readable by anyone who can read this file.
# - NOTE(review): the public point embedded in this key appears identical to
#   the subject public key of the CA certificate in the
#   linkerd-identity-trust-roots ConfigMap, i.e. this looks like the trust
#   anchor's own key rather than an intermediate's. Confirm with openssl.
# - If this manifest is committed or published, treat the key as exposed:
#   rotate the trust anchor and issuer, and generate replacements out of
#   band (for example an externally managed issuer with scheme
#   kubernetes.io/tls) so that only the public certificate reaches version
#   control and the trust-anchor key stays offline.
# - Role remote-discovery in this manifest lets linkerd-destination read
#   Secrets in this namespace, this one included.
apiVersion: v1
kind: Secret
metadata:
  name: linkerd-identity-issuer
  namespace: linkerd
  labels:
    linkerd.io/control-plane-component: identity
    linkerd.io/control-plane-ns: linkerd
  annotations:
    linkerd.io/created-by: linkerd/cli edge-24.11.3
data:
  crt.pem: 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
  key.pem: LS0tLS1CRUdJTiBFQyBQUklWQVRFIEtFWS0tLS0tCk1IY0NBUUVFSUFPeUorNXJWYnFsbjI2S29hL2Y2UHFIR2hwMXoxc0VJN080OEZYSlNxTnZvQW9HQ0NxR1NNNDkKQXdFSG9VUURRZ0FFbnN1dkM5ZXJZWnZDMm9XOGpacVpQRnlLY3FjeUFMV2JaVjJJV3ZDdVhLdHYzQ05kMWpwWQphTGhmRHpvR1dNbVk1ZS9nZGtHVnBtRDgzNDRmbU8zMkpBPT0KLS0tLS1FTkQgRUMgUFJJVkFURSBLRVktLS0tLQ==
---
# Trust-anchor bundle (public certificate only). The identity controller
# mounts it at /var/run/linkerd/identity/trust-roots/ and the proxy reads
# it through LINKERD2_PROXY_IDENTITY_TRUST_ANCHORS.
# NOTE(review): the certificate appears to decode to CN "identity.linkerd."
# with validity 2024-11-17 to 2025-11-17 (UTC); confirm with
# `openssl x509 -noout -subject -dates` and plan rotation before expiry,
# because proxies validate peer certificates against this anchor.
apiVersion: v1
kind: ConfigMap
metadata:
  name: linkerd-identity-trust-roots
  namespace: linkerd
  labels:
    linkerd.io/control-plane-component: identity
    linkerd.io/control-plane-ns: linkerd
  annotations:
    linkerd.io/created-by: linkerd/cli edge-24.11.3
data:
  ca-bundle.crt: |-
    -----BEGIN CERTIFICATE-----
    MIIBhzCCAS6gAwIBAgIBATAKBggqhkjOPQQDAjAcMRowGAYDVQQDExFpZGVudGl0
    eS5saW5rZXJkLjAeFw0yNDExMTcwODA3NTFaFw0yNTExMTcwODA4MTFaMBwxGjAY
    BgNVBAMTEWlkZW50aXR5LmxpbmtlcmQuMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcD
    QgAEnsuvC9erYZvC2oW8jZqZPFyKcqcyALWbZV2IWvCuXKtv3CNd1jpYaLhfDzoG
    WMmY5e/gdkGVpmD8344fmO32JKNhMF8wDgYDVR0PAQH/BAQDAgEGMB0GA1UdJQQW
    MBQGCCsGAQUFBwMBBggrBgEFBQcDAjAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQW
    BBTjNkyUznZ18g/HwiunnHOquogyQDAKBggqhkjOPQQDAgNHADBEAiBUO1jdJY0C
    A16G8ryBwBeFrKmZey81Pk6tOqxK/0QVTwIgIZ2BCUmVPM3Ue5nIF/7tdDup05cw
    jHsp6B4/lrA7mrI=
    -----END CERTIFICATE-----
---
# ClusterIP Service for the identity gRPC API on port 8080. The identity
# pod's proxy lists 8080 in LINKERD2_PROXY_INBOUND_PORTS_REQUIRE_TLS.
# The selector uses only the component label, so any pod in namespace
# linkerd carrying that label becomes a backend.
apiVersion: v1
kind: Service
metadata:
  name: linkerd-identity
  namespace: linkerd
  labels:
    linkerd.io/control-plane-component: identity
    linkerd.io/control-plane-ns: linkerd
  annotations:
    linkerd.io/created-by: linkerd/cli edge-24.11.3
spec:
  type: ClusterIP
  selector:
    linkerd.io/control-plane-component: identity
  ports:
    - name: grpc
      port: 8080
      targetPort: 8080
---
# Headless variant (clusterIP: None) of the identity Service: DNS returns
# the pod addresses directly. Same selector and port as linkerd-identity.
apiVersion: v1
kind: Service
metadata:
  name: linkerd-identity-headless
  namespace: linkerd
  labels:
    linkerd.io/control-plane-component: identity
    linkerd.io/control-plane-ns: linkerd
  annotations:
    linkerd.io/created-by: linkerd/cli edge-24.11.3
spec:
  clusterIP: None
  selector:
    linkerd.io/control-plane-component: identity
  ports:
    - name: grpc
      port: 8080
      targetPort: 8080
---
# Identity controller Deployment: the identity container, its linkerd-proxy
# sidecar and the linkerd-init init container.
#
# Security review summary:
# - Both long-running containers drop ALL capabilities, run as non-root
#   with a read-only root filesystem, no privilege escalation and the
#   RuntimeDefault seccomp profile.
# - linkerd-init adds NET_ADMIN and NET_RAW; this is the reason the
#   namespace cannot enforce the baseline Pod Security level.
# - Images are referenced by tag (edge-24.11.3, v2.4.1), not by digest;
#   pinning digests would make the deployed content verifiable.
# - No container sets resource requests or limits.
# - replicas: 1 - a single identity pod issues all workload certificates.
apiVersion: apps/v1
kind: Deployment
metadata:
  annotations:
    linkerd.io/created-by: linkerd/cli edge-24.11.3
  labels:
    app.kubernetes.io/name: identity
    app.kubernetes.io/part-of: Linkerd
    app.kubernetes.io/version: edge-24.11.3
    linkerd.io/control-plane-component: identity
    linkerd.io/control-plane-ns: linkerd
  name: linkerd-identity
  namespace: linkerd
spec:
  replicas: 1
  revisionHistoryLimit: 10
  selector:
    matchLabels:
      linkerd.io/control-plane-component: identity
      linkerd.io/control-plane-ns: linkerd
      linkerd.io/proxy-deployment: linkerd-identity
  strategy:
    rollingUpdate:
      maxSurge: 25%
      maxUnavailable: 25%
  template:
    metadata:
      annotations:
        linkerd.io/created-by: linkerd/cli edge-24.11.3
        linkerd.io/proxy-version: edge-24.11.3
        cluster-autoscaler.kubernetes.io/safe-to-evict: "true"
        linkerd.io/trust-root-sha256: 6c06d533f290349057c93fac96a55ff814f179d2467c2fd47f961594c840a6f3
        config.linkerd.io/default-inbound-policy: "all-unauthenticated"
      labels:
        linkerd.io/control-plane-component: identity
        linkerd.io/control-plane-ns: linkerd
        linkerd.io/workload-ns: linkerd
        linkerd.io/proxy-deployment: linkerd-identity
    spec:
      nodeSelector:
        kubernetes.io/os: linux
      # The default token mount is disabled; the identity container gets an
      # explicit projected token through the kube-api-access volume instead.
      automountServiceAccountToken: false
      containers:
        - args:
            - identity
            - -log-level=info
            - -log-format=plain
            - -controller-namespace=linkerd
            - -identity-trust-domain=cluster.local
            - -identity-issuance-lifetime=24h0m0s
            - -identity-clock-skew-allowance=20s
            - -identity-scheme=linkerd.io/tls
            - -enable-pprof=false
            - -kube-apiclient-qps=100
            - -kube-apiclient-burst=200
          env:
            - name: LINKERD_DISABLED
              value: "linkerd-await cannot block the identity controller"
          image: cr.l5d.io/linkerd/controller:edge-24.11.3
          imagePullPolicy: IfNotPresent
          livenessProbe:
            httpGet:
              path: /ping
              port: 9990
            initialDelaySeconds: 10
          name: identity
          ports:
            - containerPort: 8080
              name: grpc
            - containerPort: 9990
              name: admin-http
          readinessProbe:
            failureThreshold: 7
            httpGet:
              path: /ready
              port: 9990
          securityContext:
            capabilities:
              drop:
                - ALL
            readOnlyRootFilesystem: true
            runAsNonRoot: true
            runAsUser: 2103
            allowPrivilegeEscalation: false
            seccompProfile:
              type: RuntimeDefault
          volumeMounts:
            # Issuer certificate and private key from the
            # linkerd-identity-issuer Secret.
            - mountPath: /var/run/linkerd/identity/issuer
              name: identity-issuer
            - mountPath: /var/run/linkerd/identity/trust-roots/
              name: trust-roots
            - mountPath: /var/run/secrets/kubernetes.io/serviceaccount
              name: kube-api-access
              readOnly: true
        # linkerd-proxy sidecar. Security-relevant settings below:
        # - LINKERD2_PROXY_INBOUND_PORTS_REQUIRE_TLS=8080: the identity gRPC
        #   port requires TLS even though
        #   LINKERD2_PROXY_INBOUND_DEFAULT_POLICY is all-unauthenticated.
        # - LINKERD2_PROXY_ADMIN_LISTEN_ADDR and
        #   LINKERD2_PROXY_CONTROL_LISTEN_ADDR bind 0.0.0.0, and linkerd-init
        #   excludes 4190/4191 from inbound redirection, so these ports are
        #   reachable from the pod network; a NetworkPolicy can restrict
        #   them.
        # - LINKERD2_PROXY_SHUTDOWN_ENDPOINT_ENABLED=false.
        # - The proxy mounts no Kubernetes API token, only the
        #   audience-bound linkerd-identity-token.
        - env:
            - name: _pod_name
              valueFrom:
                fieldRef:
                  fieldPath: metadata.name
            - name: _pod_ns
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
            - name: _pod_nodeName
              valueFrom:
                fieldRef:
                  fieldPath: spec.nodeName
            - name: LINKERD2_PROXY_INBOUND_PORTS_REQUIRE_TLS
              value: "8080"
            - name: LINKERD2_PROXY_SHUTDOWN_ENDPOINT_ENABLED
              value: "false"
            - name: LINKERD2_PROXY_LOG
              value: "warn,linkerd=info,hickory=error,[{headers}]=off,[{request}]=off"
            - name: LINKERD2_PROXY_LOG_FORMAT
              value: "plain"
            - name: LINKERD2_PROXY_DESTINATION_SVC_ADDR
              value: linkerd-dst-headless.linkerd.svc.cluster.local.:8086
            - name: LINKERD2_PROXY_DESTINATION_PROFILE_NETWORKS
              value: "10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16,fd00::/8"
            - name: LINKERD2_PROXY_POLICY_SVC_ADDR
              value: linkerd-policy.linkerd.svc.cluster.local.:8090
            - name: LINKERD2_PROXY_POLICY_WORKLOAD
              value: |
                {"ns":"$(_pod_ns)", "pod":"$(_pod_name)"}
            - name: LINKERD2_PROXY_INBOUND_DEFAULT_POLICY
              value: all-unauthenticated
            - name: LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS
              value: "10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16,fd00::/8"
            - name: LINKERD2_PROXY_CONTROL_STREAM_INITIAL_TIMEOUT
              value: "3s"
            - name: LINKERD2_PROXY_CONTROL_STREAM_IDLE_TIMEOUT
              value: "5m"
            - name: LINKERD2_PROXY_CONTROL_STREAM_LIFETIME
              value: "1h"
            - name: LINKERD2_PROXY_INBOUND_CONNECT_TIMEOUT
              value: "100ms"
            - name: LINKERD2_PROXY_OUTBOUND_CONNECT_TIMEOUT
              value: "1000ms"
            - name: LINKERD2_PROXY_OUTBOUND_DISCOVERY_IDLE_TIMEOUT
              value: "5s"
            - name: LINKERD2_PROXY_INBOUND_DISCOVERY_IDLE_TIMEOUT
              value: "90s"
            - name: LINKERD2_PROXY_CONTROL_LISTEN_ADDR
              value: "0.0.0.0:4190"
            - name: LINKERD2_PROXY_ADMIN_LISTEN_ADDR
              value: "0.0.0.0:4191"
            - name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDR
              value: "127.0.0.1:4140"
            - name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDRS
              value: "127.0.0.1:4140"
            - name: LINKERD2_PROXY_INBOUND_LISTEN_ADDR
              value: "0.0.0.0:4143"
            - name: LINKERD2_PROXY_INBOUND_IPS
              valueFrom:
                fieldRef:
                  fieldPath: status.podIPs
            - name: LINKERD2_PROXY_INBOUND_PORTS
              value: "8080,9990"
            - name: LINKERD2_PROXY_DESTINATION_PROFILE_SUFFIXES
              value: svc.cluster.local.
            - name: LINKERD2_PROXY_INBOUND_ACCEPT_KEEPALIVE
              value: 10000ms
            - name: LINKERD2_PROXY_OUTBOUND_CONNECT_KEEPALIVE
              value: 10000ms
            - name: LINKERD2_PROXY_INBOUND_ACCEPT_USER_TIMEOUT
              value: 30s
            - name: LINKERD2_PROXY_OUTBOUND_CONNECT_USER_TIMEOUT
              value: 30s
            - name: LINKERD2_PROXY_INBOUND_SERVER_HTTP2_KEEP_ALIVE_INTERVAL
              value: "10s"
            - name: LINKERD2_PROXY_INBOUND_SERVER_HTTP2_KEEP_ALIVE_TIMEOUT
              value: "3s"
            - name: LINKERD2_PROXY_OUTBOUND_SERVER_HTTP2_KEEP_ALIVE_INTERVAL
              value: "10s"
            - name: LINKERD2_PROXY_OUTBOUND_SERVER_HTTP2_KEEP_ALIVE_TIMEOUT
              value: "3s"
            - name: LINKERD2_PROXY_INBOUND_PORTS_DISABLE_PROTOCOL_DETECTION
              value: "25,587,3306,4444,5432,6379,9300,11211"
            - name: LINKERD2_PROXY_DESTINATION_CONTEXT
              value: |
                {"ns":"$(_pod_ns)", "nodeName":"$(_pod_nodeName)", "pod":"$(_pod_name)"}
            - name: _pod_sa
              valueFrom:
                fieldRef:
                  fieldPath: spec.serviceAccountName
            - name: _l5d_ns
              value: linkerd
            - name: _l5d_trustdomain
              value: cluster.local
            - name: LINKERD2_PROXY_IDENTITY_DIR
              value: /var/run/linkerd/identity/end-entity
            - name: LINKERD2_PROXY_IDENTITY_TRUST_ANCHORS
              valueFrom:
                configMapKeyRef:
                  name: linkerd-identity-trust-roots
                  key: ca-bundle.crt
            - name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE
              value: /var/run/secrets/tokens/linkerd-identity-token
            - name: LINKERD2_PROXY_IDENTITY_SVC_ADDR
              value: localhost.:8080
            - name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME
              value: $(_pod_sa).$(_pod_ns).serviceaccount.identity.linkerd.cluster.local
            - name: LINKERD2_PROXY_IDENTITY_SVC_NAME
              value: linkerd-identity.linkerd.serviceaccount.identity.linkerd.cluster.local
            - name: LINKERD2_PROXY_DESTINATION_SVC_NAME
              value: linkerd-destination.linkerd.serviceaccount.identity.linkerd.cluster.local
            - name: LINKERD2_PROXY_POLICY_SVC_NAME
              value: linkerd-destination.linkerd.serviceaccount.identity.linkerd.cluster.local
          image: cr.l5d.io/linkerd/proxy:edge-24.11.3
          imagePullPolicy: IfNotPresent
          livenessProbe:
            httpGet:
              path: /live
              port: 4191
            initialDelaySeconds: 10
            timeoutSeconds: 1
          name: linkerd-proxy
          ports:
            - containerPort: 4143
              name: linkerd-proxy
            - containerPort: 4191
              name: linkerd-admin
          readinessProbe:
            httpGet:
              path: /ready
              port: 4191
            initialDelaySeconds: 2
            timeoutSeconds: 1
          # Empty value (null): no requests or limits for the proxy.
          resources:
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
            readOnlyRootFilesystem: true
            runAsNonRoot: true
            runAsUser: 2102
            seccompProfile:
              type: RuntimeDefault
          terminationMessagePolicy: FallbackToLogsOnError
          volumeMounts:
            - mountPath: /var/run/linkerd/identity/end-entity
              name: linkerd-identity-end-entity
            - mountPath: /var/run/secrets/tokens
              name: linkerd-identity-token
      initContainers:
        # Sets up traffic redirection before the other containers start.
        # Inbound 4190, 4191, 4567 and 4568 and outbound 443 and 6443 are
        # excluded, so traffic on those ports does not pass through the
        # proxy.
        - args:
            - --ipv6=false
            - --incoming-proxy-port
            - "4143"
            - --outgoing-proxy-port
            - "4140"
            - --proxy-uid
            - "2102"
            - --inbound-ports-to-ignore
            - "4190,4191,4567,4568"
            - --outbound-ports-to-ignore
            - "443,6443"
          image: cr.l5d.io/linkerd/proxy-init:v2.4.1
          imagePullPolicy: IfNotPresent
          name: linkerd-init
          # Empty value (null): no requests or limits for the init container.
          resources:
          securityContext:
            allowPrivilegeEscalation: false
            # Non-root and unprivileged, but with the two network
            # capabilities added. Note that nothing is dropped here, unlike
            # the two main containers.
            capabilities:
              add:
                - NET_ADMIN
                - NET_RAW
            privileged: false
            runAsNonRoot: true
            runAsUser: 65534
            runAsGroup: 65534
            readOnlyRootFilesystem: true
            seccompProfile:
              type: RuntimeDefault
          terminationMessagePolicy: FallbackToLogsOnError
          volumeMounts:
            - mountPath: /run
              name: linkerd-proxy-init-xtables-lock
      securityContext:
        seccompProfile:
          type: RuntimeDefault
      serviceAccountName: linkerd-identity
      volumes:
        - name: identity-issuer
          secret:
            secretName: linkerd-identity-issuer
        - configMap:
            name: linkerd-identity-trust-roots
          name: trust-roots
        # Short-lived (3607 s) projected API token replacing the automount.
        - name: kube-api-access
          projected:
            defaultMode: 420
            sources:
              - serviceAccountToken:
                  expirationSeconds: 3607
                  path: token
              - configMap:
                  items:
                    - key: ca.crt
                      path: ca.crt
                  name: kube-root-ca.crt
              - downwardAPI:
                  items:
                    - fieldRef:
                        apiVersion: v1
                        fieldPath: metadata.namespace
                      path: namespace
        - emptyDir: {}
          name: linkerd-proxy-init-xtables-lock
        # Token bound to audience identity.l5d.io with a 24 h lifetime.
        - name: linkerd-identity-token
          projected:
            sources:
              - serviceAccountToken:
                  path: linkerd-identity-token
                  expirationSeconds: 86400
                  audience: identity.l5d.io
        # Memory-backed emptyDir for the proxy's end-entity credentials.
        - emptyDir:
            medium: Memory
          name: linkerd-identity-end-entity
---
# Destination Controller Service
#
# ClusterIP Service for the destination gRPC API on port 8086. The selector
# uses only the component label, so any pod in namespace linkerd carrying
# that label becomes a backend.
apiVersion: v1
kind: Service
metadata:
  name: linkerd-dst
  namespace: linkerd
  labels:
    linkerd.io/control-plane-component: destination
    linkerd.io/control-plane-ns: linkerd
  annotations:
    linkerd.io/created-by: linkerd/cli edge-24.11.3
spec:
  type: ClusterIP
  selector:
    linkerd.io/control-plane-component: destination
  ports:
    - name: grpc
      port: 8086
      targetPort: 8086
---
# Headless (clusterIP: None) Service for the destination gRPC API. The
# identity pod's proxy in this manifest uses it as
# LINKERD2_PROXY_DESTINATION_SVC_ADDR.
apiVersion: v1
kind: Service
metadata:
  name: linkerd-dst-headless
  namespace: linkerd
  labels:
    linkerd.io/control-plane-component: destination
    linkerd.io/control-plane-ns: linkerd
  annotations:
    linkerd.io/created-by: linkerd/cli edge-24.11.3
spec:
  clusterIP: None
  selector:
    linkerd.io/control-plane-component: destination
  ports:
    - name: grpc
      port: 8086
      targetPort: 8086
---
# Service the API server calls for the linkerd-sp-validator webhook
# (clientConfig.service in linkerd-sp-validator-webhook-config): port 443,
# forwarded to the pod port named sp-validator.
apiVersion: v1
kind: Service
metadata:
  name: linkerd-sp-validator
  namespace: linkerd
  labels:
    linkerd.io/control-plane-component: destination
    linkerd.io/control-plane-ns: linkerd
  annotations:
    linkerd.io/created-by: linkerd/cli edge-24.11.3
spec:
  type: ClusterIP
  selector:
    linkerd.io/control-plane-component: destination
  ports:
    - name: sp-validator
      port: 443
      targetPort: sp-validator
---
# Headless (clusterIP: None) Service for the policy gRPC API on port 8090.
# The identity pod's proxy in this manifest uses it as
# LINKERD2_PROXY_POLICY_SVC_ADDR.
apiVersion: v1
kind: Service
metadata:
  name: linkerd-policy
  namespace: linkerd
  labels:
    linkerd.io/control-plane-component: destination
    linkerd.io/control-plane-ns: linkerd
  annotations:
    linkerd.io/created-by: linkerd/cli edge-24.11.3
spec:
  clusterIP: None
  selector:
    linkerd.io/control-plane-component: destination
  ports:
    - name: grpc
      port: 8090
      targetPort: 8090
---
# Service the API server calls for the linkerd-policy-validator webhook
# (clientConfig.service in linkerd-policy-validator-webhook-config): port
# 443, forwarded to the pod port named policy-https.
apiVersion: v1
kind: Service
metadata:
  name: linkerd-policy-validator
  namespace: linkerd
  labels:
    linkerd.io/control-plane-component: destination
    linkerd.io/control-plane-ns: linkerd
  annotations:
    linkerd.io/created-by: linkerd/cli edge-24.11.3
spec:
  type: ClusterIP
  selector:
    linkerd.io/control-plane-component: destination
  ports:
    - name: policy-https
      port: 443
      targetPort: policy-https
---
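# Destination controller Deployment. Each pod runs four containers
# (linkerd-proxy sidecar, destination, sp-validator, policy) plus the
# linkerd-init init container that sets up traffic redirection.
#
# NOTE(review): replicas is 1 and no container declares resource requests or
# limits, so a single eviction or a noisy neighbour takes discovery and policy
# offline for the mesh. Confirm this is acceptable for the target cluster.
# NOTE(review): all images are referenced by tag with IfNotPresent; pinning
# them as `image@sha256:<digest from a verified pull>` makes the rollout
# reproducible and resistant to tag re-pointing.
apiVersion: apps/v1
kind: Deployment
metadata:
  annotations:
    linkerd.io/created-by: linkerd/cli edge-24.11.3
  labels:
    app.kubernetes.io/name: destination
    app.kubernetes.io/part-of: Linkerd
    app.kubernetes.io/version: edge-24.11.3
    linkerd.io/control-plane-component: destination
    linkerd.io/control-plane-ns: linkerd
  name: linkerd-destination
  namespace: linkerd
spec:
  replicas: 1
  revisionHistoryLimit: 10
  selector:
    matchLabels:
      linkerd.io/control-plane-component: destination
      linkerd.io/control-plane-ns: linkerd
      linkerd.io/proxy-deployment: linkerd-destination
  strategy:
    rollingUpdate:
      maxSurge: 25%
      maxUnavailable: 25%
  template:
    metadata:
      annotations:
        # Hashes are quoted so they stay strings whatever digits they contain.
        checksum/config: "74140f376f90d8b7b71d88c9ccfb0a9f8aab5cc53847f21f1557d71c434acf7c"
        linkerd.io/created-by: linkerd/cli edge-24.11.3
        linkerd.io/proxy-version: edge-24.11.3
        cluster-autoscaler.kubernetes.io/safe-to-evict: "true"
        linkerd.io/trust-root-sha256: "6c06d533f290349057c93fac96a55ff814f179d2467c2fd47f961594c840a6f3"
        # Inbound connections are admitted without requiring a mesh identity
        # unless an explicit policy says otherwise. The webhook and probe
        # ports need unmeshed callers; anything stricter has to come from
        # explicit Server/authorization resources or a NetworkPolicy.
        config.linkerd.io/default-inbound-policy: "all-unauthenticated"
      labels:
        linkerd.io/control-plane-component: destination
        linkerd.io/control-plane-ns: linkerd
        linkerd.io/workload-ns: linkerd
        linkerd.io/proxy-deployment: linkerd-destination
    spec:
      nodeSelector:
        kubernetes.io/os: linux
      # The default token mount is disabled; containers that need API access
      # mount the explicit `kube-api-access` projected volume defined below.
      automountServiceAccountToken: false
      containers:
        # --- linkerd-proxy sidecar -----------------------------------------
        - env:
            - name: _pod_name
              valueFrom:
                fieldRef:
                  fieldPath: metadata.name
            - name: _pod_ns
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
            - name: _pod_nodeName
              valueFrom:
                fieldRef:
                  fieldPath: spec.nodeName
            # Keeps the proxy's shutdown endpoint disabled.
            - name: LINKERD2_PROXY_SHUTDOWN_ENDPOINT_ENABLED
              value: "false"
            - name: LINKERD2_PROXY_LOG
              value: "warn,linkerd=info,hickory=error,[{headers}]=off,[{request}]=off"
            - name: LINKERD2_PROXY_LOG_FORMAT
              value: "plain"
            # This proxy talks to the destination and policy containers in its
            # own pod over localhost.
            - name: LINKERD2_PROXY_DESTINATION_SVC_ADDR
              value: localhost.:8086
            - name: LINKERD2_PROXY_DESTINATION_PROFILE_NETWORKS
              value: "10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16,fd00::/8"
            - name: LINKERD2_PROXY_POLICY_SVC_ADDR
              value: localhost.:8090
            - name: LINKERD2_PROXY_POLICY_WORKLOAD
              value: |
                {"ns":"$(_pod_ns)", "pod":"$(_pod_name)"}
            - name: LINKERD2_PROXY_INBOUND_DEFAULT_POLICY
              value: all-unauthenticated
            - name: LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS
              value: "10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16,fd00::/8"
            - name: LINKERD2_PROXY_CONTROL_STREAM_INITIAL_TIMEOUT
              value: "3s"
            - name: LINKERD2_PROXY_CONTROL_STREAM_IDLE_TIMEOUT
              value: "5m"
            - name: LINKERD2_PROXY_CONTROL_STREAM_LIFETIME
              value: "1h"
            - name: LINKERD2_PROXY_INBOUND_CONNECT_TIMEOUT
              value: "100ms"
            - name: LINKERD2_PROXY_OUTBOUND_CONNECT_TIMEOUT
              value: "1000ms"
            - name: LINKERD2_PROXY_OUTBOUND_DISCOVERY_IDLE_TIMEOUT
              value: "5s"
            - name: LINKERD2_PROXY_INBOUND_DISCOVERY_IDLE_TIMEOUT
              value: "90s"
            # Control (4190) and admin (4191) listeners bind every interface.
            # The kubelet probes below use 4191, and linkerd-init lists both
            # ports under --inbound-ports-to-ignore, so they are reachable
            # from other pods unless a NetworkPolicy or mesh policy limits
            # them. The outbound listener stays on loopback.
            - name: LINKERD2_PROXY_CONTROL_LISTEN_ADDR
              value: "0.0.0.0:4190"
            - name: LINKERD2_PROXY_ADMIN_LISTEN_ADDR
              value: "0.0.0.0:4191"
            - name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDR
              value: "127.0.0.1:4140"
            - name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDRS
              value: "127.0.0.1:4140"
            - name: LINKERD2_PROXY_INBOUND_LISTEN_ADDR
              value: "0.0.0.0:4143"
            - name: LINKERD2_PROXY_INBOUND_IPS
              valueFrom:
                fieldRef:
                  fieldPath: status.podIPs
            - name: LINKERD2_PROXY_INBOUND_PORTS
              value: "8086,8090,8443,9443,9990,9996,9997"
            - name: LINKERD2_PROXY_DESTINATION_PROFILE_SUFFIXES
              value: svc.cluster.local.
            - name: LINKERD2_PROXY_INBOUND_ACCEPT_KEEPALIVE
              value: 10000ms
            - name: LINKERD2_PROXY_OUTBOUND_CONNECT_KEEPALIVE
              value: 10000ms
            - name: LINKERD2_PROXY_INBOUND_ACCEPT_USER_TIMEOUT
              value: 30s
            - name: LINKERD2_PROXY_OUTBOUND_CONNECT_USER_TIMEOUT
              value: 30s
            - name: LINKERD2_PROXY_INBOUND_SERVER_HTTP2_KEEP_ALIVE_INTERVAL
              value: "10s"
            - name: LINKERD2_PROXY_INBOUND_SERVER_HTTP2_KEEP_ALIVE_TIMEOUT
              value: "3s"
            - name: LINKERD2_PROXY_OUTBOUND_SERVER_HTTP2_KEEP_ALIVE_INTERVAL
              value: "10s"
            - name: LINKERD2_PROXY_OUTBOUND_SERVER_HTTP2_KEEP_ALIVE_TIMEOUT
              value: "3s"
            - name: LINKERD2_PROXY_INBOUND_PORTS_DISABLE_PROTOCOL_DETECTION
              value: "25,587,3306,4444,5432,6379,9300,11211"
            - name: LINKERD2_PROXY_DESTINATION_CONTEXT
              value: |
                {"ns":"$(_pod_ns)", "nodeName":"$(_pod_nodeName)", "pod":"$(_pod_name)"}
            - name: _pod_sa
              valueFrom:
                fieldRef:
                  fieldPath: spec.serviceAccountName
            - name: _l5d_ns
              value: linkerd
            - name: _l5d_trustdomain
              value: cluster.local
            # Identity material: the end-entity directory is the in-memory
            # emptyDir mounted below, trust anchors come from the
            # linkerd-identity-trust-roots ConfigMap, and the token file is
            # the audience-bound projected token.
            - name: LINKERD2_PROXY_IDENTITY_DIR
              value: /var/run/linkerd/identity/end-entity
            - name: LINKERD2_PROXY_IDENTITY_TRUST_ANCHORS
              valueFrom:
                configMapKeyRef:
                  name: linkerd-identity-trust-roots
                  key: ca-bundle.crt
            - name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE
              value: /var/run/secrets/tokens/linkerd-identity-token
            - name: LINKERD2_PROXY_IDENTITY_SVC_ADDR
              value: linkerd-identity-headless.linkerd.svc.cluster.local.:8080
            # The local identity name is derived from the pod's service
            # account and namespace.
            - name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME
              value: $(_pod_sa).$(_pod_ns).serviceaccount.identity.linkerd.cluster.local
            - name: LINKERD2_PROXY_IDENTITY_SVC_NAME
              value: linkerd-identity.linkerd.serviceaccount.identity.linkerd.cluster.local
            - name: LINKERD2_PROXY_DESTINATION_SVC_NAME
              value: linkerd-destination.linkerd.serviceaccount.identity.linkerd.cluster.local
            - name: LINKERD2_PROXY_POLICY_SVC_NAME
              value: linkerd-destination.linkerd.serviceaccount.identity.linkerd.cluster.local
          image: cr.l5d.io/linkerd/proxy:edge-24.11.3
          imagePullPolicy: IfNotPresent
          livenessProbe:
            httpGet:
              path: /live
              port: 4191
            initialDelaySeconds: 10
            timeoutSeconds: 1
          name: linkerd-proxy
          ports:
            - containerPort: 4143
              name: linkerd-proxy
            - containerPort: 4191
              name: linkerd-admin
          readinessProbe:
            httpGet:
              path: /ready
              port: 4191
            initialDelaySeconds: 2
            timeoutSeconds: 1
          # Explicit empty mapping instead of a bare key (which parses as
          # null); no requests or limits are set for this container.
          resources: {}
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
            readOnlyRootFilesystem: true
            runAsNonRoot: true
            # Must match --proxy-uid passed to linkerd-init.
            runAsUser: 2102
            seccompProfile:
              type: RuntimeDefault
          terminationMessagePolicy: FallbackToLogsOnError
          lifecycle:
            postStart:
              exec:
                command:
                  - /usr/lib/linkerd/linkerd-await
                  - --timeout=2m
                  - --port=4191
          volumeMounts:
            - mountPath: /var/run/linkerd/identity/end-entity
              name: linkerd-identity-end-entity
            - mountPath: /var/run/secrets/tokens
              name: linkerd-identity-token
        # --- destination controller ----------------------------------------
        - args:
            - destination
            - -addr=:8086
            - -controller-namespace=linkerd
            - -enable-h2-upgrade=true
            - -log-level=info
            - -log-format=plain
            - -enable-endpoint-slices=true
            - -cluster-domain=cluster.local
            - -identity-trust-domain=cluster.local
            - -default-opaque-ports=25,587,3306,4444,5432,6379,9300,11211
            - -enable-ipv6=false
            # Profiling endpoint stays off.
            - -enable-pprof=false
            # Quoted: the embedded JSON is full of YAML flow indicators.
            - '--meshed-http2-client-params={"keep_alive":{"interval":{"seconds":10},"timeout":{"seconds":3},"while_idle":true}}'
          image: cr.l5d.io/linkerd/controller:edge-24.11.3
          imagePullPolicy: IfNotPresent
          livenessProbe:
            httpGet:
              path: /ping
              port: 9996
            initialDelaySeconds: 10
            timeoutSeconds: 1
          name: destination
          ports:
            - containerPort: 8086
              name: grpc
            - containerPort: 9996
              name: admin-http
          readinessProbe:
            failureThreshold: 7
            httpGet:
              path: /ready
              port: 9996
            timeoutSeconds: 1
          securityContext:
            capabilities:
              drop:
                - ALL
            readOnlyRootFilesystem: true
            runAsNonRoot: true
            runAsUser: 2103
            allowPrivilegeEscalation: false
            seccompProfile:
              type: RuntimeDefault
          volumeMounts:
            - mountPath: /var/run/secrets/kubernetes.io/serviceaccount
              name: kube-api-access
              readOnly: true
        # --- sp-validator webhook ------------------------------------------
        - args:
            - sp-validator
            - -log-level=info
            - -log-format=plain
            - -enable-pprof=false
          image: cr.l5d.io/linkerd/controller:edge-24.11.3
          imagePullPolicy: IfNotPresent
          livenessProbe:
            httpGet:
              path: /ping
              port: 9997
            initialDelaySeconds: 10
            timeoutSeconds: 1
          name: sp-validator
          ports:
            - containerPort: 8443
              name: sp-validator
            - containerPort: 9997
              name: admin-http
          readinessProbe:
            failureThreshold: 7
            httpGet:
              path: /ready
              port: 9997
            timeoutSeconds: 1
          securityContext:
            capabilities:
              drop:
                - ALL
            readOnlyRootFilesystem: true
            runAsNonRoot: true
            runAsUser: 2103
            allowPrivilegeEscalation: false
            seccompProfile:
              type: RuntimeDefault
          volumeMounts:
            # Webhook serving certificate and key, mounted read-only.
            - mountPath: /var/run/linkerd/tls
              name: sp-tls
              readOnly: true
            - mountPath: /var/run/secrets/kubernetes.io/serviceaccount
              name: kube-api-access
              readOnly: true
        # --- policy controller ---------------------------------------------
        - args:
            - --admin-addr=0.0.0.0:9990
            - --control-plane-namespace=linkerd
            - --grpc-addr=0.0.0.0:8090
            - --server-addr=0.0.0.0:9443
            - --server-tls-key=/var/run/linkerd/tls/tls.key
            - --server-tls-certs=/var/run/linkerd/tls/tls.crt
            - --cluster-networks=10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16,fd00::/8
            - --identity-domain=cluster.local
            - --cluster-domain=cluster.local
            # Cluster-wide default for workloads that set no policy of their
            # own: unauthenticated clients are admitted.
            - --default-policy=all-unauthenticated
            - --log-level=info
            - --log-format=plain
            - --default-opaque-ports=25,587,3306,4444,5432,6379,9300,11211
            - --global-egress-network-namespace=linkerd-egress
            # NOTE(review): probe networks cover every IPv4 and IPv6 source.
            # Narrowing this to the node/kubelet ranges is tighter if the
            # cluster's addressing is known; confirm before changing.
            - --probe-networks=0.0.0.0/0,::/0
          image: cr.l5d.io/linkerd/policy-controller:edge-24.11.3
          imagePullPolicy: IfNotPresent
          livenessProbe:
            httpGet:
              path: /live
              port: admin-http
          name: policy
          ports:
            - containerPort: 8090
              name: grpc
            - containerPort: 9990
              name: admin-http
            - containerPort: 9443
              name: policy-https
          readinessProbe:
            failureThreshold: 7
            httpGet:
              path: /ready
              port: admin-http
            initialDelaySeconds: 10
          # Explicit empty mapping instead of a bare (null) key.
          resources: {}
          securityContext:
            capabilities:
              drop:
                - ALL
            readOnlyRootFilesystem: true
            runAsNonRoot: true
            runAsUser: 2103
            allowPrivilegeEscalation: false
            seccompProfile:
              type: RuntimeDefault
          volumeMounts:
            - mountPath: /var/run/linkerd/tls
              name: policy-tls
              readOnly: true
            - mountPath: /var/run/secrets/kubernetes.io/serviceaccount
              name: kube-api-access
              readOnly: true
      initContainers:
        # linkerd-init configures traffic redirection for the pod and is the
        # only container here that adds capabilities (NET_ADMIN, NET_RAW). It
        # still runs as non-root (65534), unprivileged, with a read-only root
        # filesystem. Clusters that cannot grant these capabilities per pod
        # can use the Linkerd CNI plugin instead.
        - args:
            - --ipv6=false
            - --incoming-proxy-port
            - "4143"
            - --outgoing-proxy-port
            - "4140"
            - --proxy-uid
            - "2102"
            # Inbound traffic to these ports is not redirected to the proxy.
            - --inbound-ports-to-ignore
            - "4190,4191,4567,4568"
            # Outbound traffic to these ports skips the proxy, so it gets no
            # mesh mTLS or policy; presumably this keeps Kubernetes API
            # access working (confirm against the cluster's API port).
            - --outbound-ports-to-ignore
            - "443,6443"
          image: cr.l5d.io/linkerd/proxy-init:v2.4.1
          imagePullPolicy: IfNotPresent
          name: linkerd-init
          # Explicit empty mapping instead of a bare (null) key.
          resources: {}
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              add:
                - NET_ADMIN
                - NET_RAW
            privileged: false
            runAsNonRoot: true
            runAsUser: 65534
            runAsGroup: 65534
            readOnlyRootFilesystem: true
            seccompProfile:
              type: RuntimeDefault
          terminationMessagePolicy: FallbackToLogsOnError
          volumeMounts:
            - mountPath: /run
              name: linkerd-proxy-init-xtables-lock
      securityContext:
        seccompProfile:
          type: RuntimeDefault
      serviceAccountName: linkerd-destination
      volumes:
        # Webhook TLS key pairs; whoever can read these Secrets can serve the
        # admission endpoints, so keep Secret read access in this namespace
        # narrow.
        - name: sp-tls
          secret:
            secretName: linkerd-sp-validator-k8s-tls
        - name: policy-tls
          secret:
            secretName: linkerd-policy-validator-k8s-tls
        # Hand-built equivalent of the automounted service account volume:
        # short-lived token, cluster CA and namespace. 420 is decimal for
        # octal 0644.
        - name: kube-api-access
          projected:
            defaultMode: 420
            sources:
              - serviceAccountToken:
                  expirationSeconds: 3607
                  path: token
              - configMap:
                  items:
                    - key: ca.crt
                      path: ca.crt
                  name: kube-root-ca.crt
              - downwardAPI:
                  items:
                    - fieldRef:
                        apiVersion: v1
                        fieldPath: metadata.namespace
                      path: namespace
        - emptyDir: {}
          name: linkerd-proxy-init-xtables-lock
        # Separate token bound to the identity.l5d.io audience, so it is not
        # accepted as a general Kubernetes API credential.
        - name: linkerd-identity-token
          projected:
            sources:
              - serviceAccountToken:
                  path: linkerd-identity-token
                  expirationSeconds: 86400
                  audience: identity.l5d.io
        # Memory-backed emptyDir: the proxy's identity material lives in
        # tmpfs rather than on the node's disk.
        - emptyDir:
            medium: Memory
          name: linkerd-identity-end-entity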
---
###
### Heartbeat
###
# Heartbeat CronJob: runs the controller image's `heartbeat` command once a
# day at 08:18. The pod has a single container and no linkerd-proxy sidecar,
# so its Prometheus query (plain http:// URL in the args) is not protected by
# mesh mTLS.
# NOTE(review): the image is referenced by tag; pin it as
# `image@sha256:<digest from a verified pull>` if reproducible pulls matter.
apiVersion: batch/v1
kind: CronJob
metadata:
  name: linkerd-heartbeat
  namespace: linkerd
  annotations:
    linkerd.io/created-by: 'linkerd/cli edge-24.11.3'
  labels:
    app.kubernetes.io/name: heartbeat
    app.kubernetes.io/part-of: Linkerd
    app.kubernetes.io/version: edge-24.11.3
    linkerd.io/control-plane-component: heartbeat
    linkerd.io/control-plane-ns: linkerd
spec:
  schedule: '18 08 * * *'
  # A run that is still active when the next one is due gets replaced.
  concurrencyPolicy: Replace
  successfulJobsHistoryLimit: 0
  jobTemplate:
    spec:
      template:
        metadata:
          annotations:
            linkerd.io/created-by: 'linkerd/cli edge-24.11.3'
          labels:
            linkerd.io/control-plane-component: heartbeat
            linkerd.io/workload-ns: linkerd
        spec:
          serviceAccountName: linkerd-heartbeat
          # Default token mount is off; the explicit projected volume below
          # supplies a short-lived token instead.
          automountServiceAccountToken: false
          restartPolicy: Never
          nodeSelector:
            kubernetes.io/os: linux
          securityContext:
            seccompProfile:
              type: RuntimeDefault
          containers:
            - name: heartbeat
              image: cr.l5d.io/linkerd/controller:edge-24.11.3
              imagePullPolicy: IfNotPresent
              args:
                - 'heartbeat'
                - '-controller-namespace=linkerd'
                - '-log-level=info'
                - '-log-format=plain'
                - '-prometheus-url=http://prometheus.linkerd-viz.svc.cluster.local:9090'
              env:
                - name: LINKERD_DISABLED
                  value: 'the heartbeat controller does not use the proxy'
              securityContext:
                allowPrivilegeEscalation: false
                readOnlyRootFilesystem: true
                runAsNonRoot: true
                runAsUser: 2103
                capabilities:
                  drop: [ALL]
                seccompProfile:
                  type: RuntimeDefault
              volumeMounts:
                - name: kube-api-access
                  mountPath: /var/run/secrets/kubernetes.io/serviceaccount
                  readOnly: true
          volumes:
            # Token, cluster CA and namespace projected by hand; 420 is
            # decimal for octal 0644.
            - name: kube-api-access
              projected:
                defaultMode: 420
                sources:
                  - serviceAccountToken:
                      path: token
                      expirationSeconds: 3607
                  - configMap:
                      name: kube-root-ca.crt
                      items:
                        - key: ca.crt
                          path: ca.crt
                  - downwardAPI:
                      items:
                        - path: namespace
                          fieldRef:
                            apiVersion: v1
                            fieldPath: metadata.namespace
---
###
### Proxy Injector
###
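# Proxy injector Deployment: a linkerd-proxy sidecar plus the proxy-injector
# container (HTTPS on 8443, admin on 9995), with a linkerd-init init
# container.
#
# NOTE(review): this component serves an admission webhook, so the TLS Secret
# it mounts and the pod itself sit on the path of pod creation. Keep Secret
# read access and pod exec/patch rights in this namespace narrow.
# NOTE(review): replicas is 1 and no container sets requests or limits.
# NOTE(review): images are referenced by tag with IfNotPresent; pin them as
# `image@sha256:<digest from a verified pull>` for reproducible rollouts.
apiVersion: apps/v1
kind: Deployment
metadata:
  annotations:
    linkerd.io/created-by: linkerd/cli edge-24.11.3
  labels:
    app.kubernetes.io/name: proxy-injector
    app.kubernetes.io/part-of: Linkerd
    app.kubernetes.io/version: edge-24.11.3
    linkerd.io/control-plane-component: proxy-injector
    linkerd.io/control-plane-ns: linkerd
  name: linkerd-proxy-injector
  namespace: linkerd
spec:
  replicas: 1
  revisionHistoryLimit: 10
  selector:
    matchLabels:
      linkerd.io/control-plane-component: proxy-injector
  strategy:
    rollingUpdate:
      maxSurge: 25%
      maxUnavailable: 25%
  template:
    metadata:
      annotations:
        # Hashes are quoted so they stay strings whatever digits they contain.
        checksum/config: "084574c39045c91ffa250b942b150b6e93dd6048810722526346ca60482321fd"
        linkerd.io/created-by: linkerd/cli edge-24.11.3
        linkerd.io/proxy-version: edge-24.11.3
        cluster-autoscaler.kubernetes.io/safe-to-evict: "true"
        linkerd.io/trust-root-sha256: "6c06d533f290349057c93fac96a55ff814f179d2467c2fd47f961594c840a6f3"
        # The webhook port is proxied as opaque TCP (no protocol detection).
        config.linkerd.io/opaque-ports: "8443"
        # Unauthenticated inbound clients are admitted by default; the
        # webhook caller and kubelet probes are not meshed.
        config.linkerd.io/default-inbound-policy: "all-unauthenticated"
      labels:
        linkerd.io/control-plane-component: proxy-injector
        linkerd.io/control-plane-ns: linkerd
        linkerd.io/workload-ns: linkerd
        linkerd.io/proxy-deployment: linkerd-proxy-injector
    spec:
      nodeSelector:
        kubernetes.io/os: linux
      # Default token mount is off; the explicit `kube-api-access` projected
      # volume below is mounted only where needed.
      automountServiceAccountToken: false
      containers:
        # --- linkerd-proxy sidecar -----------------------------------------
        - env:
            - name: _pod_name
              valueFrom:
                fieldRef:
                  fieldPath: metadata.name
            - name: _pod_ns
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
            - name: _pod_nodeName
              valueFrom:
                fieldRef:
                  fieldPath: spec.nodeName
            # Keeps the proxy's shutdown endpoint disabled.
            - name: LINKERD2_PROXY_SHUTDOWN_ENDPOINT_ENABLED
              value: "false"
            - name: LINKERD2_PROXY_LOG
              value: "warn,linkerd=info,hickory=error,[{headers}]=off,[{request}]=off"
            - name: LINKERD2_PROXY_LOG_FORMAT
              value: "plain"
            - name: LINKERD2_PROXY_DESTINATION_SVC_ADDR
              value: linkerd-dst-headless.linkerd.svc.cluster.local.:8086
            - name: LINKERD2_PROXY_DESTINATION_PROFILE_NETWORKS
              value: "10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16,fd00::/8"
            - name: LINKERD2_PROXY_POLICY_SVC_ADDR
              value: linkerd-policy.linkerd.svc.cluster.local.:8090
            - name: LINKERD2_PROXY_POLICY_WORKLOAD
              value: |
                {"ns":"$(_pod_ns)", "pod":"$(_pod_name)"}
            - name: LINKERD2_PROXY_INBOUND_DEFAULT_POLICY
              value: all-unauthenticated
            - name: LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS
              value: "10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16,fd00::/8"
            - name: LINKERD2_PROXY_CONTROL_STREAM_INITIAL_TIMEOUT
              value: "3s"
            - name: LINKERD2_PROXY_CONTROL_STREAM_IDLE_TIMEOUT
              value: "5m"
            - name: LINKERD2_PROXY_CONTROL_STREAM_LIFETIME
              value: "1h"
            - name: LINKERD2_PROXY_INBOUND_CONNECT_TIMEOUT
              value: "100ms"
            - name: LINKERD2_PROXY_OUTBOUND_CONNECT_TIMEOUT
              value: "1000ms"
            - name: LINKERD2_PROXY_OUTBOUND_DISCOVERY_IDLE_TIMEOUT
              value: "5s"
            - name: LINKERD2_PROXY_INBOUND_DISCOVERY_IDLE_TIMEOUT
              value: "90s"
            # Control (4190) and admin (4191) listeners bind every interface.
            # The kubelet probes below use 4191, and linkerd-init lists both
            # ports under --inbound-ports-to-ignore, so they are reachable
            # from other pods unless a NetworkPolicy or mesh policy limits
            # them. The outbound listener stays on loopback.
            - name: LINKERD2_PROXY_CONTROL_LISTEN_ADDR
              value: "0.0.0.0:4190"
            - name: LINKERD2_PROXY_ADMIN_LISTEN_ADDR
              value: "0.0.0.0:4191"
            - name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDR
              value: "127.0.0.1:4140"
            - name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDRS
              value: "127.0.0.1:4140"
            - name: LINKERD2_PROXY_INBOUND_LISTEN_ADDR
              value: "0.0.0.0:4143"
            - name: LINKERD2_PROXY_INBOUND_IPS
              valueFrom:
                fieldRef:
                  fieldPath: status.podIPs
            - name: LINKERD2_PROXY_INBOUND_PORTS
              value: "8443,9995"
            - name: LINKERD2_PROXY_DESTINATION_PROFILE_SUFFIXES
              value: svc.cluster.local.
            - name: LINKERD2_PROXY_INBOUND_ACCEPT_KEEPALIVE
              value: 10000ms
            - name: LINKERD2_PROXY_OUTBOUND_CONNECT_KEEPALIVE
              value: 10000ms
            - name: LINKERD2_PROXY_INBOUND_ACCEPT_USER_TIMEOUT
              value: 30s
            - name: LINKERD2_PROXY_OUTBOUND_CONNECT_USER_TIMEOUT
              value: 30s
            - name: LINKERD2_PROXY_INBOUND_SERVER_HTTP2_KEEP_ALIVE_INTERVAL
              value: "10s"
            - name: LINKERD2_PROXY_INBOUND_SERVER_HTTP2_KEEP_ALIVE_TIMEOUT
              value: "3s"
            - name: LINKERD2_PROXY_OUTBOUND_SERVER_HTTP2_KEEP_ALIVE_INTERVAL
              value: "10s"
            - name: LINKERD2_PROXY_OUTBOUND_SERVER_HTTP2_KEEP_ALIVE_TIMEOUT
              value: "3s"
            - name: LINKERD2_PROXY_INBOUND_PORTS_DISABLE_PROTOCOL_DETECTION
              value: "25,587,3306,4444,5432,6379,9300,11211"
            - name: LINKERD2_PROXY_DESTINATION_CONTEXT
              value: |
                {"ns":"$(_pod_ns)", "nodeName":"$(_pod_nodeName)", "pod":"$(_pod_name)"}
            - name: _pod_sa
              valueFrom:
                fieldRef:
                  fieldPath: spec.serviceAccountName
            - name: _l5d_ns
              value: linkerd
            - name: _l5d_trustdomain
              value: cluster.local
            # Identity material: the end-entity directory is the in-memory
            # emptyDir mounted below, trust anchors come from the
            # linkerd-identity-trust-roots ConfigMap, and the token file is
            # the audience-bound projected token.
            - name: LINKERD2_PROXY_IDENTITY_DIR
              value: /var/run/linkerd/identity/end-entity
            - name: LINKERD2_PROXY_IDENTITY_TRUST_ANCHORS
              valueFrom:
                configMapKeyRef:
                  name: linkerd-identity-trust-roots
                  key: ca-bundle.crt
            - name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE
              value: /var/run/secrets/tokens/linkerd-identity-token
            - name: LINKERD2_PROXY_IDENTITY_SVC_ADDR
              value: linkerd-identity-headless.linkerd.svc.cluster.local.:8080
            # The local identity name is derived from the pod's service
            # account and namespace.
            - name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME
              value: $(_pod_sa).$(_pod_ns).serviceaccount.identity.linkerd.cluster.local
            - name: LINKERD2_PROXY_IDENTITY_SVC_NAME
              value: linkerd-identity.linkerd.serviceaccount.identity.linkerd.cluster.local
            - name: LINKERD2_PROXY_DESTINATION_SVC_NAME
              value: linkerd-destination.linkerd.serviceaccount.identity.linkerd.cluster.local
            - name: LINKERD2_PROXY_POLICY_SVC_NAME
              value: linkerd-destination.linkerd.serviceaccount.identity.linkerd.cluster.local
          image: cr.l5d.io/linkerd/proxy:edge-24.11.3
          imagePullPolicy: IfNotPresent
          livenessProbe:
            httpGet:
              path: /live
              port: 4191
            initialDelaySeconds: 10
            timeoutSeconds: 1
          name: linkerd-proxy
          ports:
            - containerPort: 4143
              name: linkerd-proxy
            - containerPort: 4191
              name: linkerd-admin
          readinessProbe:
            httpGet:
              path: /ready
              port: 4191
            initialDelaySeconds: 2
            timeoutSeconds: 1
          # Explicit empty mapping instead of a bare key (which parses as
          # null); no requests or limits are set for this container.
          resources: {}
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
            readOnlyRootFilesystem: true
            runAsNonRoot: true
            # Must match --proxy-uid passed to linkerd-init.
            runAsUser: 2102
            seccompProfile:
              type: RuntimeDefault
          terminationMessagePolicy: FallbackToLogsOnError
          lifecycle:
            postStart:
              exec:
                command:
                  - /usr/lib/linkerd/linkerd-await
                  - --timeout=2m
                  - --port=4191
          volumeMounts:
            - mountPath: /var/run/linkerd/identity/end-entity
              name: linkerd-identity-end-entity
            - mountPath: /var/run/secrets/tokens
              name: linkerd-identity-token
        # --- proxy-injector webhook ----------------------------------------
        - args:
            - proxy-injector
            - -log-level=info
            - -log-format=plain
            - -linkerd-namespace=linkerd
            # Profiling endpoint stays off.
            - -enable-pprof=false
          image: cr.l5d.io/linkerd/controller:edge-24.11.3
          imagePullPolicy: IfNotPresent
          livenessProbe:
            httpGet:
              path: /ping
              port: 9995
            initialDelaySeconds: 10
          name: proxy-injector
          ports:
            - containerPort: 8443
              name: proxy-injector
            - containerPort: 9995
              name: admin-http
          readinessProbe:
            failureThreshold: 7
            httpGet:
              path: /ready
              port: 9995
          securityContext:
            capabilities:
              drop:
                - ALL
            readOnlyRootFilesystem: true
            runAsNonRoot: true
            runAsUser: 2103
            allowPrivilegeEscalation: false
            seccompProfile:
              type: RuntimeDefault
          volumeMounts:
            - mountPath: /var/run/linkerd/config
              name: config
            - mountPath: /var/run/linkerd/identity/trust-roots
              name: trust-roots
            # Webhook serving certificate and key, mounted read-only.
            - mountPath: /var/run/linkerd/tls
              name: tls
              readOnly: true
            - mountPath: /var/run/secrets/kubernetes.io/serviceaccount
              name: kube-api-access
              readOnly: true
      initContainers:
        # linkerd-init configures traffic redirection for the pod and is the
        # only container here that adds capabilities (NET_ADMIN, NET_RAW). It
        # still runs as non-root (65534), unprivileged, with a read-only root
        # filesystem. Clusters that cannot grant these capabilities per pod
        # can use the Linkerd CNI plugin instead.
        - args:
            - --ipv6=false
            - --incoming-proxy-port
            - "4143"
            - --outgoing-proxy-port
            - "4140"
            - --proxy-uid
            - "2102"
            # Inbound traffic to these ports is not redirected to the proxy.
            - --inbound-ports-to-ignore
            - "4190,4191,4567,4568"
            # Outbound traffic to these ports skips the proxy, so it gets no
            # mesh mTLS or policy; presumably this keeps Kubernetes API
            # access working (confirm against the cluster's API port).
            - --outbound-ports-to-ignore
            - "443,6443"
          image: cr.l5d.io/linkerd/proxy-init:v2.4.1
          imagePullPolicy: IfNotPresent
          name: linkerd-init
          # Explicit empty mapping instead of a bare (null) key.
          resources: {}
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              add:
                - NET_ADMIN
                - NET_RAW
            privileged: false
            runAsNonRoot: true
            runAsUser: 65534
            runAsGroup: 65534
            readOnlyRootFilesystem: true
            seccompProfile:
              type: RuntimeDefault
          terminationMessagePolicy: FallbackToLogsOnError
          volumeMounts:
            - mountPath: /run
              name: linkerd-proxy-init-xtables-lock
      securityContext:
        seccompProfile:
          type: RuntimeDefault
      serviceAccountName: linkerd-proxy-injector
      volumes:
        - configMap:
            name: linkerd-config
          name: config
        - configMap:
            name: linkerd-identity-trust-roots
          name: trust-roots
        # Webhook TLS key pair; whoever can read this Secret can serve the
        # injector's admission endpoint.
        - name: tls
          secret:
            secretName: linkerd-proxy-injector-k8s-tls
        # Hand-built equivalent of the automounted service account volume:
        # short-lived token, cluster CA and namespace. 420 is decimal for
        # octal 0644.
        - name: kube-api-access
          projected:
            defaultMode: 420
            sources:
              - serviceAccountToken:
                  expirationSeconds: 3607
                  path: token
              - configMap:
                  items:
                    - key: ca.crt
                      path: ca.crt
                  name: kube-root-ca.crt
              - downwardAPI:
                  items:
                    - fieldRef:
                        apiVersion: v1
                        fieldPath: metadata.namespace
                      path: namespace
        - emptyDir: {}
          name: linkerd-proxy-init-xtables-lock
        # Separate token bound to the identity.l5d.io audience, so it is not
        # accepted as a general Kubernetes API credential.
        - name: linkerd-identity-token
          projected:
            sources:
              - serviceAccountToken:
                  path: linkerd-identity-token
                  expirationSeconds: 86400
                  audience: identity.l5d.io
        # Memory-backed emptyDir: the proxy's identity material lives in
        # tmpfs rather than on the node's disk.
        - emptyDir:
            medium: Memory
          name: linkerd-identity-end-entity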
---
# ClusterIP Service for the proxy-injector admission webhook. Port 443 is
# forwarded to the container port named `proxy-injector`.
apiVersion: v1
kind: Service
metadata:
  name: linkerd-proxy-injector
  namespace: linkerd
  annotations:
    linkerd.io/created-by: 'linkerd/cli edge-24.11.3'
    # Port 443 is treated as opaque TCP by the mesh (no protocol detection).
    config.linkerd.io/opaque-ports: '443'
  labels:
    linkerd.io/control-plane-component: proxy-injector
    linkerd.io/control-plane-ns: linkerd
spec:
  type: ClusterIP
  # Component-label selector: any pod in this namespace carrying the label
  # becomes a backend for admission requests, so pod-create and label-write
  # permissions in `linkerd` should be tightly scoped.
  selector:
    linkerd.io/control-plane-component: proxy-injector
  ports:
    - name: proxy-injector
      port: 443
      targetPort: proxy-injector
---
# Secret carrying a single key, `linkerd-config-overrides`; presumably the
# install-time value overrides, going by the name. The payload is not shown on
# this page.
# NOTE(review): values under `data` are base64-encoded, not encrypted. If the
# overrides include issuer key material or other credentials, this manifest
# should not sit in version control in this form; confirm the contents and
# prefer an encrypted or externally sourced Secret.
apiVersion: v1
data:
  linkerd-config-overrides: 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
kind: Secret
metadata:
  creationTimestamp: null
  labels:
    linkerd.io/control-plane-ns: linkerd
  name: linkerd-config-overrides
  namespace: linkerd