istio
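# Gateway API object, shown only in part: the listing carries no name,
# namespace or spec for it. The later documents refer to it through
# ownerReferences as the Gateway named "default".
apiVersion: gateway.networking.k8s.io/v1beta1
kind: Gateway
metadata:
  annotations:
    # Quoted so the value stays a string; annotation values must be strings.
    gateway.istio.io/controller-version: "5"
---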
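# Dedicated identity for the gateway pods. The Deployment in this listing
# references it as serviceAccountName: default-istio, so any RBAC bound to
# this account is what the gateway proxy can do against the API server.
apiVersion: v1
kind: ServiceAccount
metadata:
  annotations:
    ambient.istio.io/redirection: disabled
  labels:
    gateway.istio.io/managed: istio.io-gateway-controller
    gateway.networking.k8s.io/gateway-name: default
    istio.io/gateway-name: default
  name: default-istio
  namespace: default
  ownerReferences:
  - apiVersion: gateway.networking.k8s.io/v1beta1
    kind: Gateway
    name: default
    # NOTE(review): empty uid. An owner reference needs the owner's real UID
    # for garbage collection to tie this object to the Gateway; this looks
    # like rendered output that was never bound to a live object - confirm
    # before applying.
    uid: ""
---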
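# Gateway proxy Deployment generated for the Gateway named "default".
#
# NOTE(review): several values below are the literal strings "<no value>"
# and "<nil>". That is what Go text/template prints for a missing key, so
# this manifest appears to have been rendered without its mesh/values input
# (it reads like a test fixture). Do not apply it as-is: the DNS domain, the
# CA address, the certificate provider and the token audience are all
# placeholders.
apiVersion: apps/v1
kind: Deployment
metadata:
  annotations:
    ambient.istio.io/redirection: disabled
  labels:
    gateway.istio.io/managed: istio.io-gateway-controller
    gateway.networking.k8s.io/gateway-name: default
    istio.io/gateway-name: default
  name: default-istio
  namespace: default
  ownerReferences:
  - apiVersion: gateway.networking.k8s.io/v1beta1
    kind: Gateway
    name: default
    # NOTE(review): empty uid; see the header note about unrendered values.
    uid: ""
spec:
  selector:
    matchLabels:
      gateway.networking.k8s.io/gateway-name: default
  template:
    metadata:
      annotations:
        ambient.istio.io/redirection: disabled
        istio.io/rev: default
        # Scrape annotations advertise a plaintext metrics endpoint on
        # 15020. Port 15020 is not among the containerPorts declared below;
        # restrict who can reach it (for example with a NetworkPolicy).
        prometheus.io/path: /stats/prometheus
        prometheus.io/port: "15020"
        prometheus.io/scrape: "true"
      labels:
        gateway.networking.k8s.io/gateway-name: default
        istio.io/gateway-name: default
        service.istio.io/canonical-name: default-istio
        service.istio.io/canonical-revision: latest
        # The pod already runs the proxy as its only container, so sidecar
        # injection is switched off.
        sidecar.istio.io/inject: "false"
    spec:
      containers:
      - args:
        - proxy
        - router
        - --domain
        # Unrendered placeholder: the cluster domain suffix is missing.
        - $(POD_NAMESPACE).svc.<no value>
        - --proxyLogLevel
        # Unrendered placeholder.
        - <nil>
        - --proxyComponentLogLevel
        # Unrendered placeholder.
        - <nil>
        - --log_output_level
        # Unrendered placeholder.
        - <nil>
        env:
        - name: PILOT_CERT_PROVIDER
          # Unrendered placeholder: the certificate provider is undefined.
          value: <no value>
        - name: CA_ADDR
          # Unrendered placeholder: revision and namespace of the CA service
          # are missing, so the proxy has no valid address to request its
          # workload certificate from.
          value: istiod-<no value>.<no value>.svc:15012
        - name: POD_NAME
          valueFrom:
            fieldRef:
              fieldPath: metadata.name
        - name: POD_NAMESPACE
          valueFrom:
            fieldRef:
              fieldPath: metadata.namespace
        - name: INSTANCE_IP
          valueFrom:
            fieldRef:
              fieldPath: status.podIP
        - name: SERVICE_ACCOUNT
          valueFrom:
            fieldRef:
              fieldPath: spec.serviceAccountName
        - name: HOST_IP
          valueFrom:
            fieldRef:
              fieldPath: status.hostIP
        # NOTE(review): ISTIO_CPU_LIMIT, GOMEMLIMIT and GOMAXPROCS read the
        # container's limits, but this container declares no resources
        # block. Kubernetes then substitutes the node's allocatable values,
        # so the proxy is effectively unbounded. An externally reachable
        # gateway should carry explicit requests and limits.
        - name: ISTIO_CPU_LIMIT
          valueFrom:
            resourceFieldRef:
              resource: limits.cpu
        - name: PROXY_CONFIG
          value: |
            {"image":{"imageType":"distroless"}}
        - name: ISTIO_META_POD_PORTS
          value: '[]'
        - name: ISTIO_META_APP_CONTAINERS
          value: ""
        - name: GOMEMLIMIT
          valueFrom:
            resourceFieldRef:
              resource: limits.memory
        - name: GOMAXPROCS
          valueFrom:
            resourceFieldRef:
              resource: limits.cpu
        - name: ISTIO_META_CLUSTER_ID
          value: Kubernetes
        - name: ISTIO_META_NODE_NAME
          valueFrom:
            fieldRef:
              fieldPath: spec.nodeName
        - name: ISTIO_META_INTERCEPTION_MODE
          value: REDIRECT
        - name: ISTIO_META_WORKLOAD_NAME
          value: default-istio
        - name: ISTIO_META_OWNER
          value: kubernetes://apis/apps/v1/namespaces/default/deployments/default-istio
        - name: ISTIO_META_MESH_ID
          value: cluster.local
        - name: TRUST_DOMAIN
          value: cluster.local
        # Test image referenced by a mutable tag. A deployed manifest should
        # pin the proxy image by digest so the running code cannot change
        # underneath the same tag.
        image: test/proxyv2:test-distroless
        name: istio-proxy
        ports:
        - containerPort: 15021
          name: status-port
          protocol: TCP
        - containerPort: 15090
          name: http-envoy-prom
          protocol: TCP
        readinessProbe:
          failureThreshold: 4
          httpGet:
            path: /healthz/ready
            port: 15021
            scheme: HTTP
          initialDelaySeconds: 0
          periodSeconds: 15
          successThreshold: 1
          timeoutSeconds: 1
        # Hardened container context: no privilege escalation, every Linux
        # capability dropped, read-only root filesystem, fixed non-root
        # UID/GID. Keep this intact when editing; the pod-level sysctl below
        # is what makes "drop ALL" workable for a listener on low ports.
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            drop:
            - ALL
          privileged: false
          readOnlyRootFilesystem: true
          runAsGroup: 1337
          runAsNonRoot: true
          runAsUser: 1337
        startupProbe:
          failureThreshold: 30
          httpGet:
            path: /healthz/ready
            port: 15021
            scheme: HTTP
          initialDelaySeconds: 1
          periodSeconds: 1
          successThreshold: 1
          timeoutSeconds: 1
        # With a read-only root filesystem, these mounts are the only
        # writable paths the proxy has.
        volumeMounts:
        - mountPath: /var/run/secrets/workload-spiffe-uds
          name: workload-socket
        - mountPath: /var/run/secrets/credential-uds
          name: credential-socket
        - mountPath: /var/run/secrets/workload-spiffe-credentials
          name: workload-certs
        - mountPath: /var/lib/istio/data
          name: istio-data
        - mountPath: /etc/istio/proxy
          name: istio-envoy
        - mountPath: /var/run/secrets/tokens
          name: istio-token
        - mountPath: /etc/istio/pod
          name: istio-podinfo
      securityContext:
        sysctls:
        # Lowers the unprivileged port floor to 0 inside the pod's network
        # namespace, so UID 1337 can bind ports below 1024 without
        # NET_BIND_SERVICE. The setting is namespaced and does not affect
        # the node; clusters that do not permit this sysctl will refuse to
        # run the pod.
        - name: net.ipv4.ip_unprivileged_port_start
          value: "0"
      serviceAccountName: default-istio
      volumes:
      # NOTE(review): none of the emptyDir volumes sets a sizeLimit, and
      # istio-envoy is memory-backed; combined with the missing container
      # limits nothing caps their growth.
      - emptyDir: {}
        name: workload-socket
      - emptyDir: {}
        name: credential-socket
      - emptyDir: {}
        name: workload-certs
      - emptyDir:
          medium: Memory
        name: istio-envoy
      - emptyDir: {}
        name: istio-data
      - downwardAPI:
          items:
          - fieldRef:
              fieldPath: metadata.labels
            path: labels
          - fieldRef:
              fieldPath: metadata.annotations
            path: annotations
        name: istio-podinfo
      - name: istio-token
        projected:
          sources:
          - serviceAccountToken:
              # Unrendered placeholder. The audience binds the token to the
              # one service meant to accept it; with this literal value the
              # token would carry a meaningless audience. Set it to the
              # audience the mesh CA validates before use.
              audience: <no value>
              # Short-lived (12 h) projected token, refreshed by the kubelet.
              expirationSeconds: 43200
              path: istio-token
---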
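# Service that fronts the gateway pods selected by the gateway-name label.
apiVersion: v1
kind: Service
metadata:
  annotations:
    ambient.istio.io/redirection: disabled
  labels:
    gateway.istio.io/managed: istio.io-gateway-controller
    gateway.networking.k8s.io/gateway-name: default
    istio.io/gateway-name: default
  name: default-istio
  namespace: default
  ownerReferences:
  - apiVersion: gateway.networking.k8s.io/v1beta1
    kind: Gateway
    name: default
    # NOTE(review): null here, while the ServiceAccount and Deployment in
    # this listing use "". Either way no real owner UID is present - confirm
    # the object is bound to a live Gateway before applying.
    uid: null
spec:
  ports:
  # Only the proxy's status port is published; no traffic listener appears
  # in this listing.
  - appProtocol: tcp
    name: status-port
    port: 15021
    protocol: TCP
  selector:
    gateway.networking.k8s.io/gateway-name: default
  # NOTE(review): LoadBalancer asks the platform for an externally reachable
  # address, which puts the plaintext health endpoint on 15021 outside the
  # cluster. If that is not intended, limit the sources (for example with
  # spec.loadBalancerSourceRanges) or use an internal load balancer.
  type: LoadBalancer
---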