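# Gateway API object as captured: only the controller-version annotation is
# present. No metadata.name and no spec (gatewayClassName, listeners) is
# visible in this document, so it is not applicable to a cluster as shown.
apiVersion: gateway.networking.k8s.io/v1beta1
kind: Gateway
metadata:
  annotations:
    gateway.istio.io/controller-version: "5"
---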
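# ServiceAccount named custom-sa; the Deployment in this file runs its pod
# under it via serviceAccountName. Permissions come from whatever RBAC
# bindings reference this account; none are defined in this file.
# NOTE(review): automountServiceAccountToken is not set here, so the cluster
# default applies in addition to the projected token the Deployment mounts.
apiVersion: v1
kind: ServiceAccount
metadata:
  annotations:
    ambient.istio.io/redirection: disabled
  labels:
    gateway.istio.io/managed: istio.io-gateway-controller
    gateway.networking.k8s.io/gateway-name: default
    istio.io/gateway-name: default
  name: custom-sa
  namespace: default
  ownerReferences:
  # uid is an empty string in this rendering. A live object needs the owning
  # Gateway's real UID for garbage collection to tie it to the owner.
  - apiVersion: gateway.networking.k8s.io/v1beta1
    kind: Gateway
    name: default
    uid: ""
---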
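# Deployment for the gateway proxy pod (single container, istio-proxy).
# Values printed as <no value> or <nil> are what Go's text/template emits for
# missing or nil inputs, so this rendering was produced without those
# settings. They are kept exactly as captured.
apiVersion: apps/v1
kind: Deployment
metadata:
  annotations:
    ambient.istio.io/redirection: disabled
  labels:
    gateway.istio.io/managed: istio.io-gateway-controller
    gateway.networking.k8s.io/gateway-name: default
    istio.io/gateway-name: default
  name: default-istio
  namespace: default
  ownerReferences:
  # uid is an empty string in this rendering. A live object needs the owning
  # Gateway's real UID for garbage collection to tie it to the owner.
  - apiVersion: gateway.networking.k8s.io/v1beta1
    kind: Gateway
    name: default
    uid: ""
spec:
  selector:
    matchLabels:
      gateway.networking.k8s.io/gateway-name: default
  template:
    metadata:
      annotations:
        ambient.istio.io/redirection: disabled
        istio.io/rev: default
        # Metrics are scraped from port 15020 at /stats/prometheus. That port
        # is not among the containerPort entries below, which list only 15021
        # and 15090.
        prometheus.io/path: /stats/prometheus
        prometheus.io/port: "15020"
        prometheus.io/scrape: "true"
      labels:
        gateway.networking.k8s.io/gateway-name: default
        istio.io/gateway-name: default
        service.istio.io/canonical-name: default-istio
        service.istio.io/canonical-revision: latest
        # Sidecar injection is turned off for this pod; the proxy container is
        # declared directly in this template.
        sidecar.istio.io/inject: "false"
    spec:
      containers:
      # The DNS domain suffix and all three log-level arguments are unrendered
      # placeholders (<no value>, <nil>), passed to the proxy as literal text.
      - args:
        - proxy
        - router
        - --domain
        - $(POD_NAMESPACE).svc.<no value>
        - --proxyLogLevel
        - <nil>
        - --proxyComponentLogLevel
        - <nil>
        - --log_output_level
        - <nil>
        env:
        # Certificate provider and CA address are unrendered. CA_ADDR as
        # written is not a resolvable host name. In a real rendering, verify
        # this value: it presumably selects the CA endpoint (port 15012) the
        # proxy contacts for its workload certificate.
        - name: PILOT_CERT_PROVIDER
          value: <no value>
        - name: CA_ADDR
          value: istiod-<no value>.<no value>.svc:15012
        - name: POD_NAME
          valueFrom:
            fieldRef:
              fieldPath: metadata.name
        - name: POD_NAMESPACE
          valueFrom:
            fieldRef:
              fieldPath: metadata.namespace
        - name: INSTANCE_IP
          valueFrom:
            fieldRef:
              fieldPath: status.podIP
        - name: SERVICE_ACCOUNT
          valueFrom:
            fieldRef:
              fieldPath: spec.serviceAccountName
        - name: HOST_IP
          valueFrom:
            fieldRef:
              fieldPath: status.hostIP
        # ISTIO_CPU_LIMIT, GOMEMLIMIT and GOMAXPROCS are read from the
        # container's limits, but this container declares no resources block.
        # With no limit set, Kubernetes substitutes the node's allocatable
        # value, and the proxy's CPU and memory use is not bounded by the pod
        # spec.
        - name: ISTIO_CPU_LIMIT
          valueFrom:
            resourceFieldRef:
              resource: limits.cpu
        - name: PROXY_CONFIG
          value: |
            {}
        - name: ISTIO_META_POD_PORTS
          value: '[]'
        - name: ISTIO_META_APP_CONTAINERS
          value: ""
        - name: GOMEMLIMIT
          valueFrom:
            resourceFieldRef:
              resource: limits.memory
        - name: GOMAXPROCS
          valueFrom:
            resourceFieldRef:
              resource: limits.cpu
        - name: ISTIO_META_CLUSTER_ID
          value: Kubernetes
        - name: ISTIO_META_NODE_NAME
          valueFrom:
            fieldRef:
              fieldPath: spec.nodeName
        - name: ISTIO_META_INTERCEPTION_MODE
          value: REDIRECT
        - name: ISTIO_META_WORKLOAD_NAME
          value: default-istio
        - name: ISTIO_META_OWNER
          value: kubernetes://apis/apps/v1/namespaces/default/deployments/default-istio
        # Mesh ID and trust domain are both cluster.local in this rendering.
        - name: ISTIO_META_MESH_ID
          value: cluster.local
        - name: TRUST_DOMAIN
          value: cluster.local
        # Placeholder test image referenced by a mutable tag. Outside test
        # data, reference the image by digest so the running binary is fixed.
        image: test/proxyv2:test
        name: istio-proxy
        ports:
        - containerPort: 15021
          name: status-port
          protocol: TCP
        - containerPort: 15090
          name: http-envoy-prom
          protocol: TCP
        # Readiness and startup probes both use plain HTTP GET on
        # /healthz/ready, port 15021.
        readinessProbe:
          failureThreshold: 4
          httpGet:
            path: /healthz/ready
            port: 15021
            scheme: HTTP
          initialDelaySeconds: 0
          periodSeconds: 15
          successThreshold: 1
          timeoutSeconds: 1
        # Container hardening: no privilege escalation, all capabilities
        # dropped, not privileged, read-only root filesystem, non-root with
        # UID and GID 1337.
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            drop:
            - ALL
          privileged: false
          readOnlyRootFilesystem: true
          runAsGroup: 1337
          runAsNonRoot: true
          runAsUser: 1337
        startupProbe:
          failureThreshold: 30
          httpGet:
            path: /healthz/ready
            port: 15021
            scheme: HTTP
          initialDelaySeconds: 1
          periodSeconds: 1
          successThreshold: 1
          timeoutSeconds: 1
        # The root filesystem is read-only, so every writable path the proxy
        # uses is one of these mounts.
        volumeMounts:
        - mountPath: /var/run/secrets/workload-spiffe-uds
          name: workload-socket
        - mountPath: /var/run/secrets/credential-uds
          name: credential-socket
        - mountPath: /var/run/secrets/workload-spiffe-credentials
          name: workload-certs
        - mountPath: /var/lib/istio/data
          name: istio-data
        - mountPath: /etc/istio/proxy
          name: istio-envoy
        - mountPath: /var/run/secrets/tokens
          name: istio-token
        - mountPath: /etc/istio/pod
          name: istio-podinfo
      securityContext:
        # Lowers the unprivileged port floor to 0 for this pod's network
        # namespace. The container has no capabilities (NET_BIND_SERVICE is
        # dropped with ALL), so this sysctl is what allows the non-root proxy
        # to bind ports below 1024.
        sysctls:
        - name: net.ipv4.ip_unprivileged_port_start
          value: "0"
      serviceAccountName: custom-sa
      volumes:
      - emptyDir: {}
        name: workload-socket
      - emptyDir: {}
        name: credential-socket
      # Default emptyDir medium, i.e. backed by node storage rather than
      # tmpfs. Only istio-envoy below uses medium: Memory.
      # NOTE(review): confirm what is written under workload-certs before
      # relying on it never touching disk.
      - emptyDir: {}
        name: workload-certs
      - emptyDir:
          medium: Memory
        name: istio-envoy
      - emptyDir: {}
        name: istio-data
      # Exposes the pod's own labels and annotations as files.
      - downwardAPI:
          items:
          - fieldRef:
              fieldPath: metadata.labels
            path: labels
          - fieldRef:
              fieldPath: metadata.annotations
            path: annotations
        name: istio-podinfo
      # Projected service-account token with a 43200-second (12-hour)
      # lifetime. The audience is an unrendered placeholder; the audience
      # claim is what restricts a token to its intended recipient, so a real
      # rendering must carry the value the CA validates.
      - name: istio-token
        projected:
          sources:
          - serviceAccountToken:
              audience: <no value>
              expirationSeconds: 43200
              path: istio-token
---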
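# Service in front of the gateway pods. Its type is LoadBalancer and the only
# port it publishes is 15021 (status-port), so the proxy's health endpoint is
# exposed through an external load balancer. If that endpoint is only needed
# by in-cluster or provider health checks, restrict reachability (for example
# with loadBalancerSourceRanges or an internal load balancer).
apiVersion: v1
kind: Service
metadata:
  annotations:
    ambient.istio.io/redirection: disabled
  labels:
    gateway.istio.io/managed: istio.io-gateway-controller
    gateway.networking.k8s.io/gateway-name: default
    istio.io/gateway-name: default
  name: default-istio
  namespace: default
  ownerReferences:
  # uid is null here, while the ServiceAccount and Deployment in this file
  # carry an empty string. Both are placeholders; a live object needs the
  # owning Gateway's real UID.
  - apiVersion: gateway.networking.k8s.io/v1beta1
    kind: Gateway
    name: default
    uid: null
spec:
  ports:
  - appProtocol: tcp
    name: status-port
    port: 15021
    protocol: TCP
  # Selects pods by the gateway-name label alone, the same label the
  # Deployment's selector uses.
  selector:
    gateway.networking.k8s.io/gateway-name: default
  type: LoadBalancer
---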