linkerd install --set proxyInit.runAsRoot=true
# Print the Linkerd control-plane manifests with the proxy-init container allowed to run as root.
# In the output below, every linkerd-init init container is rendered with runAsNonRoot: false and
# runAsUser: 0, plus the NET_ADMIN and NET_RAW capabilities; privileged: false and
# allowPrivilegeEscalation: false are still set on it.
# The linkerd-proxy (UID 2102) and controller (UID 2103) containers keep runAsNonRoot: true.
# The same render sets the inbound default policy to all-unauthenticated.
# Before applying, review the UID-0 init container against the cluster's pod security admission settings.
linkerd install --set proxyInit.runAsRoot=true
.../...
fieldRef: fieldPath: metadata.name - name: _pod_ns valueFrom: fieldRef: fieldPath: metadata.namespace - name: _pod_nodeName valueFrom: fieldRef: fieldPath: spec.nodeName - name: LINKERD2_PROXY_INBOUND_PORTS_REQUIRE_TLS value: "8080" - name: LINKERD2_PROXY_LOG value: "warn,linkerd=info,trust_dns=error" - name: LINKERD2_PROXY_LOG_FORMAT value: "plain" - name: LINKERD2_PROXY_DESTINATION_SVC_ADDR value: linkerd-dst-headless.linkerd.svc.cluster.local.:8086 - name: LINKERD2_PROXY_DESTINATION_PROFILE_NETWORKS value: "10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16" - name: LINKERD2_PROXY_POLICY_SVC_ADDR value: linkerd-policy.linkerd.svc.cluster.local.:8090 - name: LINKERD2_PROXY_POLICY_WORKLOAD value: "$(_pod_ns):$(_pod_name)" - name: LINKERD2_PROXY_INBOUND_DEFAULT_POLICY value: all-unauthenticated - name: LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS value: "10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16" - name: LINKERD2_PROXY_INBOUND_CONNECT_TIMEOUT value: "100ms" - name: LINKERD2_PROXY_OUTBOUND_CONNECT_TIMEOUT value: "1000ms" - name: LINKERD2_PROXY_OUTBOUND_DISCOVERY_IDLE_TIMEOUT value: "5s" - name: LINKERD2_PROXY_INBOUND_DISCOVERY_IDLE_TIMEOUT value: "90s" - name: LINKERD2_PROXY_CONTROL_LISTEN_ADDR value: 0.0.0.0:4190 - name: LINKERD2_PROXY_ADMIN_LISTEN_ADDR value: 0.0.0.0:4191 - name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDR value: 127.0.0.1:4140 - name: LINKERD2_PROXY_INBOUND_LISTEN_ADDR value: 0.0.0.0:4143 - name: LINKERD2_PROXY_INBOUND_IPS valueFrom: fieldRef: fieldPath: status.podIPs - name: LINKERD2_PROXY_INBOUND_PORTS value: "8080,9990" - name: LINKERD2_PROXY_DESTINATION_PROFILE_SUFFIXES value: svc.cluster.local. 
- name: LINKERD2_PROXY_INBOUND_ACCEPT_KEEPALIVE value: 10000ms - name: LINKERD2_PROXY_OUTBOUND_CONNECT_KEEPALIVE value: 10000ms - name: LINKERD2_PROXY_INBOUND_PORTS_DISABLE_PROTOCOL_DETECTION value: "25,587,3306,4444,5432,6379,9300,11211" - name: LINKERD2_PROXY_DESTINATION_CONTEXT value: | {"ns":"$(_pod_ns)", "nodeName":"$(_pod_nodeName)", "pod":"$(_pod_name)"} - name: _pod_sa valueFrom: fieldRef: fieldPath: spec.serviceAccountName - name: _l5d_ns value: linkerd - name: _l5d_trustdomain value: cluster.local - name: LINKERD2_PROXY_IDENTITY_DIR value: /var/run/linkerd/identity/end-entity - name: LINKERD2_PROXY_IDENTITY_TRUST_ANCHORS valueFrom: configMapKeyRef: name: linkerd-identity-trust-roots key: ca-bundle.crt - name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE value: /var/run/secrets/tokens/linkerd-identity-token - name: LINKERD2_PROXY_IDENTITY_SVC_ADDR value: localhost.:8080 - name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME value: $(_pod_sa).$(_pod_ns).serviceaccount.identity.linkerd.cluster.local - name: LINKERD2_PROXY_IDENTITY_SVC_NAME value: linkerd-identity.linkerd.serviceaccount.identity.linkerd.cluster.local - name: LINKERD2_PROXY_DESTINATION_SVC_NAME value: linkerd-destination.linkerd.serviceaccount.identity.linkerd.cluster.local - name: LINKERD2_PROXY_POLICY_SVC_NAME value: linkerd-destination.linkerd.serviceaccount.identity.linkerd.cluster.local image: cr.l5d.io/linkerd/proxy:stable-2.14.10 imagePullPolicy: IfNotPresent livenessProbe: httpGet: path: /live port: 4191 initialDelaySeconds: 10 name: linkerd-proxy ports: - containerPort: 4143 name: linkerd-proxy - containerPort: 4191 name: linkerd-admin readinessProbe: httpGet: path: /ready port: 4191 initialDelaySeconds: 2 resources: securityContext: allowPrivilegeEscalation: false capabilities: drop: - ALL readOnlyRootFilesystem: true runAsNonRoot: true runAsUser: 2102 seccompProfile: type: RuntimeDefault terminationMessagePolicy: FallbackToLogsOnError volumeMounts: - mountPath: /var/run/linkerd/identity/end-entity name: 
linkerd-identity-end-entity - mountPath: /var/run/secrets/tokens name: linkerd-identity-token initContainers: - args: - --incoming-proxy-port - "4143" - --outgoing-proxy-port - "4140" - --proxy-uid - "2102" - --inbound-ports-to-ignore - "4190,4191,4567,4568" - --outbound-ports-to-ignore - "443,8443" image: cr.l5d.io/linkerd/proxy-init:v2.2.3 imagePullPolicy: IfNotPresent name: linkerd-init resources: limits: cpu: "100m" memory: "20Mi" requests: cpu: "100m" memory: "20Mi" securityContext: allowPrivilegeEscalation: false capabilities: add: - NET_ADMIN - NET_RAW privileged: false runAsNonRoot: false runAsUser: 0 readOnlyRootFilesystem: true seccompProfile: type: RuntimeDefault terminationMessagePolicy: FallbackToLogsOnError volumeMounts: - mountPath: /run name: linkerd-proxy-init-xtables-lock securityContext: seccompProfile: type: RuntimeDefault serviceAccountName: linkerd-identity volumes: - name: identity-issuer secret: secretName: linkerd-identity-issuer - configMap: name: linkerd-identity-trust-roots name: trust-roots - emptyDir: {} name: linkerd-proxy-init-xtables-lock - name: linkerd-identity-token projected: sources: - serviceAccountToken: path: linkerd-identity-token expirationSeconds: 86400 audience: identity.l5d.io - emptyDir: medium: Memory name: linkerd-identity-end-entity --- ### ### Destination Controller Service ### kind: Service apiVersion: v1 metadata: name: linkerd-dst namespace: linkerd labels: linkerd.io/control-plane-component: destination linkerd.io/control-plane-ns: linkerd annotations: linkerd.io/created-by: linkerd/cli stable-2.14.10 spec: type: ClusterIP selector: linkerd.io/control-plane-component: destination ports: - name: grpc port: 8086 targetPort: 8086 --- kind: Service apiVersion: v1 metadata: name: linkerd-dst-headless namespace: linkerd labels: linkerd.io/control-plane-component: destination linkerd.io/control-plane-ns: linkerd annotations: linkerd.io/created-by: linkerd/cli stable-2.14.10 spec: clusterIP: None selector: 
linkerd.io/control-plane-component: destination ports: - name: grpc port: 8086 targetPort: 8086 --- kind: Service apiVersion: v1 metadata: name: linkerd-sp-validator namespace: linkerd labels: linkerd.io/control-plane-component: destination linkerd.io/control-plane-ns: linkerd annotations: linkerd.io/created-by: linkerd/cli stable-2.14.10 spec: type: ClusterIP selector: linkerd.io/control-plane-component: destination ports: - name: sp-validator port: 443 targetPort: sp-validator --- kind: Service apiVersion: v1 metadata: name: linkerd-policy namespace: linkerd labels: linkerd.io/control-plane-component: destination linkerd.io/control-plane-ns: linkerd annotations: linkerd.io/created-by: linkerd/cli stable-2.14.10 spec: clusterIP: None selector: linkerd.io/control-plane-component: destination ports: - name: grpc port: 8090 targetPort: 8090 --- kind: Service apiVersion: v1 metadata: name: linkerd-policy-validator namespace: linkerd labels: linkerd.io/control-plane-component: destination linkerd.io/control-plane-ns: linkerd annotations: linkerd.io/created-by: linkerd/cli stable-2.14.10 spec: type: ClusterIP selector: linkerd.io/control-plane-component: destination ports: - name: policy-https port: 443 targetPort: policy-https --- apiVersion: apps/v1 kind: Deployment metadata: annotations: linkerd.io/created-by: linkerd/cli stable-2.14.10 labels: app.kubernetes.io/name: destination app.kubernetes.io/part-of: Linkerd app.kubernetes.io/version: stable-2.14.10 linkerd.io/control-plane-component: destination linkerd.io/control-plane-ns: linkerd name: linkerd-destination namespace: linkerd spec: replicas: 1 selector: matchLabels: linkerd.io/control-plane-component: destination linkerd.io/control-plane-ns: linkerd linkerd.io/proxy-deployment: linkerd-destination strategy: rollingUpdate: maxSurge: 25% maxUnavailable: 25% template: metadata: annotations: checksum/config: 7f947d76f7001a12f2ae9ad3e469b7580111643aabaffa606b9babf32349a5ba linkerd.io/created-by: linkerd/cli 
stable-2.14.10 linkerd.io/proxy-version: stable-2.14.10 cluster-autoscaler.kubernetes.io/safe-to-evict: "true" linkerd.io/trust-root-sha256: 3f7f0380be563a3f9025b1f59963880eb9b4bfbaa0640a449eb9a3c031d8faf4 config.linkerd.io/default-inbound-policy: "all-unauthenticated" labels: linkerd.io/control-plane-component: destination linkerd.io/control-plane-ns: linkerd linkerd.io/workload-ns: linkerd linkerd.io/proxy-deployment: linkerd-destination spec: nodeSelector: kubernetes.io/os: linux containers: - env: - name: _pod_name valueFrom: fieldRef: fieldPath: metadata.name - name: _pod_ns valueFrom: fieldRef: fieldPath: metadata.namespace - name: _pod_nodeName valueFrom: fieldRef: fieldPath: spec.nodeName - name: LINKERD2_PROXY_LOG value: "warn,linkerd=info,trust_dns=error" - name: LINKERD2_PROXY_LOG_FORMAT value: "plain" - name: LINKERD2_PROXY_DESTINATION_SVC_ADDR value: localhost.:8086 - name: LINKERD2_PROXY_DESTINATION_PROFILE_NETWORKS value: "10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16" - name: LINKERD2_PROXY_POLICY_SVC_ADDR value: localhost.:8090 - name: LINKERD2_PROXY_POLICY_WORKLOAD value: "$(_pod_ns):$(_pod_name)" - name: LINKERD2_PROXY_INBOUND_DEFAULT_POLICY value: all-unauthenticated - name: LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS value: "10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16" - name: LINKERD2_PROXY_INBOUND_CONNECT_TIMEOUT value: "100ms" - name: LINKERD2_PROXY_OUTBOUND_CONNECT_TIMEOUT value: "1000ms" - name: LINKERD2_PROXY_OUTBOUND_DISCOVERY_IDLE_TIMEOUT value: "5s" - name: LINKERD2_PROXY_INBOUND_DISCOVERY_IDLE_TIMEOUT value: "90s" - name: LINKERD2_PROXY_CONTROL_LISTEN_ADDR value: 0.0.0.0:4190 - name: LINKERD2_PROXY_ADMIN_LISTEN_ADDR value: 0.0.0.0:4191 - name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDR value: 127.0.0.1:4140 - name: LINKERD2_PROXY_INBOUND_LISTEN_ADDR value: 0.0.0.0:4143 - name: LINKERD2_PROXY_INBOUND_IPS valueFrom: fieldRef: fieldPath: status.podIPs - name: LINKERD2_PROXY_INBOUND_PORTS value: "8086,8090,8443,9443,9990,9996,9997" 
- name: LINKERD2_PROXY_DESTINATION_PROFILE_SUFFIXES value: svc.cluster.local. - name: LINKERD2_PROXY_INBOUND_ACCEPT_KEEPALIVE value: 10000ms - name: LINKERD2_PROXY_OUTBOUND_CONNECT_KEEPALIVE value: 10000ms - name: LINKERD2_PROXY_INBOUND_PORTS_DISABLE_PROTOCOL_DETECTION value: "25,587,3306,4444,5432,6379,9300,11211" - name: LINKERD2_PROXY_DESTINATION_CONTEXT value: | {"ns":"$(_pod_ns)", "nodeName":"$(_pod_nodeName)", "pod":"$(_pod_name)"} - name: _pod_sa valueFrom: fieldRef: fieldPath: spec.serviceAccountName - name: _l5d_ns value: linkerd - name: _l5d_trustdomain value: cluster.local - name: LINKERD2_PROXY_IDENTITY_DIR value: /var/run/linkerd/identity/end-entity - name: LINKERD2_PROXY_IDENTITY_TRUST_ANCHORS valueFrom: configMapKeyRef: name: linkerd-identity-trust-roots key: ca-bundle.crt - name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE value: /var/run/secrets/tokens/linkerd-identity-token - name: LINKERD2_PROXY_IDENTITY_SVC_ADDR value: linkerd-identity-headless.linkerd.svc.cluster.local.:8080 - name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME value: $(_pod_sa).$(_pod_ns).serviceaccount.identity.linkerd.cluster.local - name: LINKERD2_PROXY_IDENTITY_SVC_NAME value: linkerd-identity.linkerd.serviceaccount.identity.linkerd.cluster.local - name: LINKERD2_PROXY_DESTINATION_SVC_NAME value: linkerd-destination.linkerd.serviceaccount.identity.linkerd.cluster.local - name: LINKERD2_PROXY_POLICY_SVC_NAME value: linkerd-destination.linkerd.serviceaccount.identity.linkerd.cluster.local image: cr.l5d.io/linkerd/proxy:stable-2.14.10 imagePullPolicy: IfNotPresent livenessProbe: httpGet: path: /live port: 4191 initialDelaySeconds: 10 name: linkerd-proxy ports: - containerPort: 4143 name: linkerd-proxy - containerPort: 4191 name: linkerd-admin readinessProbe: httpGet: path: /ready port: 4191 initialDelaySeconds: 2 resources: securityContext: allowPrivilegeEscalation: false capabilities: drop: - ALL readOnlyRootFilesystem: true runAsNonRoot: true runAsUser: 2102 seccompProfile: type: 
RuntimeDefault terminationMessagePolicy: FallbackToLogsOnError lifecycle: postStart: exec: command: - /usr/lib/linkerd/linkerd-await - --timeout=2m - --port=4191 volumeMounts: - mountPath: /var/run/linkerd/identity/end-entity name: linkerd-identity-end-entity - mountPath: /var/run/secrets/tokens name: linkerd-identity-token - args: - destination - -addr=:8086 - -controller-namespace=linkerd - -enable-h2-upgrade=true - -log-level=info - -log-format=plain - -enable-endpoint-slices=true - -cluster-domain=cluster.local - -identity-trust-domain=cluster.local - -default-opaque-ports=25,587,3306,4444,5432,6379,9300,11211 - -enable-pprof=false image: cr.l5d.io/linkerd/controller:stable-2.14.10 imagePullPolicy: IfNotPresent livenessProbe: httpGet: path: /ping port: 9996 initialDelaySeconds: 10 name: destination ports: - containerPort: 8086 name: grpc - containerPort: 9996 name: admin-http readinessProbe: failureThreshold: 7 httpGet: path: /ready port: 9996 securityContext: capabilities: drop: - ALL readOnlyRootFilesystem: true runAsNonRoot: true runAsUser: 2103 allowPrivilegeEscalation: false seccompProfile: type: RuntimeDefault - args: - sp-validator - -log-level=info - -log-format=plain - -enable-pprof=false image: cr.l5d.io/linkerd/controller:stable-2.14.10 imagePullPolicy: IfNotPresent livenessProbe: httpGet: path: /ping port: 9997 initialDelaySeconds: 10 name: sp-validator ports: - containerPort: 8443 name: sp-validator - containerPort: 9997 name: admin-http readinessProbe: failureThreshold: 7 httpGet: path: /ready port: 9997 securityContext: capabilities: drop: - ALL readOnlyRootFilesystem: true runAsNonRoot: true runAsUser: 2103 allowPrivilegeEscalation: false seccompProfile: type: RuntimeDefault volumeMounts: - mountPath: /var/run/linkerd/tls name: sp-tls readOnly: true - args: - --admin-addr=0.0.0.0:9990 - --control-plane-namespace=linkerd - --grpc-addr=0.0.0.0:8090 - --server-addr=0.0.0.0:9443 - --server-tls-key=/var/run/linkerd/tls/tls.key - 
--server-tls-certs=/var/run/linkerd/tls/tls.crt - --cluster-networks=10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16 - --identity-domain=cluster.local - --cluster-domain=cluster.local - --default-policy=all-unauthenticated - --log-level=info - --log-format=plain - --default-opaque-ports=25,587,3306,4444,5432,6379,9300,11211 - --probe-networks=0.0.0.0/0 image: cr.l5d.io/linkerd/policy-controller:stable-2.14.10 imagePullPolicy: IfNotPresent livenessProbe: httpGet: path: /live port: admin-http name: policy ports: - containerPort: 8090 name: grpc - containerPort: 9990 name: admin-http - containerPort: 9443 name: policy-https readinessProbe: failureThreshold: 7 httpGet: path: /ready port: admin-http initialDelaySeconds: 10 resources: securityContext: capabilities: drop: - ALL readOnlyRootFilesystem: true runAsNonRoot: true runAsUser: 2103 allowPrivilegeEscalation: false seccompProfile: type: RuntimeDefault volumeMounts: - mountPath: /var/run/linkerd/tls name: policy-tls readOnly: true initContainers: - args: - --incoming-proxy-port - "4143" - --outgoing-proxy-port - "4140" - --proxy-uid - "2102" - --inbound-ports-to-ignore - "4190,4191,4567,4568" - --outbound-ports-to-ignore - "443,8443" image: cr.l5d.io/linkerd/proxy-init:v2.2.3 imagePullPolicy: IfNotPresent name: linkerd-init resources: limits: cpu: "100m" memory: "20Mi" requests: cpu: "100m" memory: "20Mi" securityContext: allowPrivilegeEscalation: false capabilities: add: - NET_ADMIN - NET_RAW privileged: false runAsNonRoot: false runAsUser: 0 readOnlyRootFilesystem: true seccompProfile: type: RuntimeDefault terminationMessagePolicy: FallbackToLogsOnError volumeMounts: - mountPath: /run name: linkerd-proxy-init-xtables-lock securityContext: seccompProfile: type: RuntimeDefault serviceAccountName: linkerd-destination volumes: - name: sp-tls secret: secretName: linkerd-sp-validator-k8s-tls - name: policy-tls secret: secretName: linkerd-policy-validator-k8s-tls - emptyDir: {} name: linkerd-proxy-init-xtables-lock 
- name: linkerd-identity-token projected: sources: - serviceAccountToken: path: linkerd-identity-token expirationSeconds: 86400 audience: identity.l5d.io - emptyDir: medium: Memory name: linkerd-identity-end-entity --- ### ### Heartbeat ### apiVersion: batch/v1 kind: CronJob metadata: name: linkerd-heartbeat namespace: linkerd labels: app.kubernetes.io/name: heartbeat app.kubernetes.io/part-of: Linkerd app.kubernetes.io/version: stable-2.14.10 linkerd.io/control-plane-component: heartbeat linkerd.io/control-plane-ns: linkerd annotations: linkerd.io/created-by: linkerd/cli stable-2.14.10 spec: concurrencyPolicy: Replace schedule: "59 12 * * *" successfulJobsHistoryLimit: 0 jobTemplate: spec: template: metadata: labels: linkerd.io/control-plane-component: heartbeat linkerd.io/workload-ns: linkerd annotations: linkerd.io/created-by: linkerd/cli stable-2.14.10 spec: nodeSelector: kubernetes.io/os: linux securityContext: seccompProfile: type: RuntimeDefault serviceAccountName: linkerd-heartbeat restartPolicy: Never containers: - name: heartbeat image: cr.l5d.io/linkerd/controller:stable-2.14.10 imagePullPolicy: IfNotPresent env: - name: LINKERD_DISABLED value: "the heartbeat controller does not use the proxy" args: - "heartbeat" - "-controller-namespace=linkerd" - "-log-level=info" - "-log-format=plain" - "-prometheus-url=http://prometheus.linkerd-viz.svc.cluster.local:9090" securityContext: capabilities: drop: - ALL readOnlyRootFilesystem: true runAsNonRoot: true runAsUser: 2103 allowPrivilegeEscalation: false seccompProfile: type: RuntimeDefault --- ### ### Proxy Injector ### apiVersion: apps/v1 kind: Deployment metadata: annotations: linkerd.io/created-by: linkerd/cli stable-2.14.10 labels: app.kubernetes.io/name: proxy-injector app.kubernetes.io/part-of: Linkerd app.kubernetes.io/version: stable-2.14.10 linkerd.io/control-plane-component: proxy-injector linkerd.io/control-plane-ns: linkerd name: linkerd-proxy-injector namespace: linkerd spec: replicas: 1 selector: 
matchLabels: linkerd.io/control-plane-component: proxy-injector strategy: rollingUpdate: maxSurge: 25% maxUnavailable: 25% template: metadata: annotations: checksum/config: d099ac74d938d632c98d9c10fb4a8e407bd32004c89d2f712a0af21e8f592ae0 linkerd.io/created-by: linkerd/cli stable-2.14.10 linkerd.io/proxy-version: stable-2.14.10 cluster-autoscaler.kubernetes.io/safe-to-evict: "true" linkerd.io/trust-root-sha256: 3f7f0380be563a3f9025b1f59963880eb9b4bfbaa0640a449eb9a3c031d8faf4 config.linkerd.io/opaque-ports: "8443" config.linkerd.io/default-inbound-policy: "all-unauthenticated" labels: linkerd.io/control-plane-component: proxy-injector linkerd.io/control-plane-ns: linkerd linkerd.io/workload-ns: linkerd linkerd.io/proxy-deployment: linkerd-proxy-injector spec: nodeSelector: kubernetes.io/os: linux containers: - env: - name: _pod_name valueFrom: fieldRef: fieldPath: metadata.name - name: _pod_ns valueFrom: fieldRef: fieldPath: metadata.namespace - name: _pod_nodeName valueFrom: fieldRef: fieldPath: spec.nodeName - name: LINKERD2_PROXY_LOG value: "warn,linkerd=info,trust_dns=error" - name: LINKERD2_PROXY_LOG_FORMAT value: "plain" - name: LINKERD2_PROXY_DESTINATION_SVC_ADDR value: linkerd-dst-headless.linkerd.svc.cluster.local.:8086 - name: LINKERD2_PROXY_DESTINATION_PROFILE_NETWORKS value: "10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16" - name: LINKERD2_PROXY_POLICY_SVC_ADDR value: linkerd-policy.linkerd.svc.cluster.local.:8090 - name: LINKERD2_PROXY_POLICY_WORKLOAD value: "$(_pod_ns):$(_pod_name)" - name: LINKERD2_PROXY_INBOUND_DEFAULT_POLICY value: all-unauthenticated - name: LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS value: "10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16" - name: LINKERD2_PROXY_INBOUND_CONNECT_TIMEOUT value: "100ms" - name: LINKERD2_PROXY_OUTBOUND_CONNECT_TIMEOUT value: "1000ms" - name: LINKERD2_PROXY_OUTBOUND_DISCOVERY_IDLE_TIMEOUT value: "5s" - name: LINKERD2_PROXY_INBOUND_DISCOVERY_IDLE_TIMEOUT value: "90s" - name: 
LINKERD2_PROXY_CONTROL_LISTEN_ADDR value: 0.0.0.0:4190 - name: LINKERD2_PROXY_ADMIN_LISTEN_ADDR value: 0.0.0.0:4191 - name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDR value: 127.0.0.1:4140 - name: LINKERD2_PROXY_INBOUND_LISTEN_ADDR value: 0.0.0.0:4143 - name: LINKERD2_PROXY_INBOUND_IPS valueFrom: fieldRef: fieldPath: status.podIPs - name: LINKERD2_PROXY_INBOUND_PORTS value: "8443,9995" - name: LINKERD2_PROXY_DESTINATION_PROFILE_SUFFIXES value: svc.cluster.local. - name: LINKERD2_PROXY_INBOUND_ACCEPT_KEEPALIVE value: 10000ms - name: LINKERD2_PROXY_OUTBOUND_CONNECT_KEEPALIVE value: 10000ms - name: LINKERD2_PROXY_INBOUND_PORTS_DISABLE_PROTOCOL_DETECTION value: "25,587,3306,4444,5432,6379,9300,11211" - name: LINKERD2_PROXY_DESTINATION_CONTEXT value: | {"ns":"$(_pod_ns)", "nodeName":"$(_pod_nodeName)", "pod":"$(_pod_name)"} - name: _pod_sa valueFrom: fieldRef: fieldPath: spec.serviceAccountName - name: _l5d_ns value: linkerd - name: _l5d_trustdomain value: cluster.local - name: LINKERD2_PROXY_IDENTITY_DIR value: /var/run/linkerd/identity/end-entity - name: LINKERD2_PROXY_IDENTITY_TRUST_ANCHORS valueFrom: configMapKeyRef: name: linkerd-identity-trust-roots key: ca-bundle.crt - name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE value: /var/run/secrets/tokens/linkerd-identity-token - name: LINKERD2_PROXY_IDENTITY_SVC_ADDR value: linkerd-identity-headless.linkerd.svc.cluster.local.:8080 - name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME value: $(_pod_sa).$(_pod_ns).serviceaccount.identity.linkerd.cluster.local - name: LINKERD2_PROXY_IDENTITY_SVC_NAME value: linkerd-identity.linkerd.serviceaccount.identity.linkerd.cluster.local - name: LINKERD2_PROXY_DESTINATION_SVC_NAME value: linkerd-destination.linkerd.serviceaccount.identity.linkerd.cluster.local - name: LINKERD2_PROXY_POLICY_SVC_NAME value: linkerd-destination.linkerd.serviceaccount.identity.linkerd.cluster.local image: cr.l5d.io/linkerd/proxy:stable-2.14.10 imagePullPolicy: IfNotPresent livenessProbe: httpGet: path: /live port: 4191 
initialDelaySeconds: 10 name: linkerd-proxy ports: - containerPort: 4143 name: linkerd-proxy - containerPort: 4191 name: linkerd-admin readinessProbe: httpGet: path: /ready port: 4191 initialDelaySeconds: 2 resources: securityContext: allowPrivilegeEscalation: false capabilities: drop: - ALL readOnlyRootFilesystem: true runAsNonRoot: true runAsUser: 2102 seccompProfile: type: RuntimeDefault terminationMessagePolicy: FallbackToLogsOnError lifecycle: postStart: exec: command: - /usr/lib/linkerd/linkerd-await - --timeout=2m - --port=4191 volumeMounts: - mountPath: /var/run/linkerd/identity/end-entity name: linkerd-identity-end-entity - mountPath: /var/run/secrets/tokens name: linkerd-identity-token - args: - proxy-injector - -log-level=info - -log-format=plain - -linkerd-namespace=linkerd - -enable-pprof=false image: cr.l5d.io/linkerd/controller:stable-2.14.10 imagePullPolicy: IfNotPresent livenessProbe: httpGet: path: /ping port: 9995 initialDelaySeconds: 10 name: proxy-injector ports: - containerPort: 8443 name: proxy-injector - containerPort: 9995 name: admin-http readinessProbe: failureThreshold: 7 httpGet: path: /ready port: 9995 securityContext: capabilities: drop: - ALL readOnlyRootFilesystem: true runAsNonRoot: true runAsUser: 2103 allowPrivilegeEscalation: false seccompProfile: type: RuntimeDefault volumeMounts: - mountPath: /var/run/linkerd/config name: config - mountPath: /var/run/linkerd/identity/trust-roots name: trust-roots - mountPath: /var/run/linkerd/tls name: tls readOnly: true initContainers: - args: - --incoming-proxy-port - "4143" - --outgoing-proxy-port - "4140" - --proxy-uid - "2102" - --inbound-ports-to-ignore - "4190,4191,4567,4568" - --outbound-ports-to-ignore - "443,8443" image: cr.l5d.io/linkerd/proxy-init:v2.2.3 imagePullPolicy: IfNotPresent name: linkerd-init resources: limits: cpu: "100m" memory: "20Mi" requests: cpu: "100m" memory: "20Mi" securityContext: allowPrivilegeEscalation: false capabilities: add: - NET_ADMIN - NET_RAW 
privileged: false runAsNonRoot: false runAsUser: 0 readOnlyRootFilesystem: true seccompProfile: type: RuntimeDefault terminationMessagePolicy: FallbackToLogsOnError volumeMounts: - mountPath: /run name: linkerd-proxy-init-xtables-lock securityContext: seccompProfile: type: RuntimeDefault serviceAccountName: linkerd-proxy-injector volumes: - configMap: name: linkerd-config name: config - configMap: name: linkerd-identity-trust-roots name: trust-roots - name: tls secret: secretName: linkerd-proxy-injector-k8s-tls - emptyDir: {} name: linkerd-proxy-init-xtables-lock - name: linkerd-identity-token projected: sources: - serviceAccountToken: path: linkerd-identity-token expirationSeconds: 86400 audience: identity.l5d.io - emptyDir: medium: Memory name: linkerd-identity-end-entity --- kind: Service apiVersion: v1 metadata: name: linkerd-proxy-injector namespace: linkerd labels: linkerd.io/control-plane-component: proxy-injector linkerd.io/control-plane-ns: linkerd annotations: linkerd.io/created-by: linkerd/cli stable-2.14.10 config.linkerd.io/opaque-ports: "443" spec: type: ClusterIP selector: linkerd.io/control-plane-component: proxy-injector ports: - name: proxy-injector port: 443 targetPort: proxy-injector --- apiVersion: v1 data: linkerd-config-overrides: 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 kind: Secret metadata: creationTimestamp: null labels: linkerd.io/control-plane-ns: linkerd name: linkerd-config-overrides namespace: linkerd
Related
# List the API resource types registered in the cluster and keep the rows that mention
# "linkerd" (case-insensitive), i.e. the resource kinds served under Linkerd API groups.
kubectl api-resources | grep -i linkerd
See also
linkerd [ install | check | --help ], linkerd.io, policy.linkerd.io