/
ztunnel.golden.yaml
119 lines (118 loc) · 3.04 KB
/
ztunnel.golden.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
apiVersion: apps/v1
kind: DaemonSet
metadata:
annotations: {}
labels: {}
name: ztunnel
namespace: istio-system
spec:
selector:
matchLabels:
app: ztunnel
template:
metadata:
annotations:
ambient.istio.io/redirection: disabled
cni.projectcalico.org/allowedSourcePrefixes: '["0.0.0.0/0"]'
prometheus.io/port: "15020"
prometheus.io/scrape: "true"
sidecar.istio.io/inject: "false"
labels:
app: ztunnel
sidecar.istio.io/inject: "false"
spec:
containers:
- args:
- proxy
- ztunnel
env:
- name: CA_ADDRESS
value: istiod.istio-system.svc:15012
- name: XDS_ADDRESS
value: istiod.istio-system.svc:15012
- name: ISTIO_META_CLUSTER_ID
value: Kubernetes
- name: POD_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: POD_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: NODE_NAME
valueFrom:
fieldRef:
fieldPath: spec.nodeName
- name: INSTANCE_IP
valueFrom:
fieldRef:
fieldPath: status.podIP
- name: SERVICE_ACCOUNT
valueFrom:
fieldRef:
fieldPath: spec.serviceAccountName
- name: ISTIO_META_ENABLE_HBONE
value: "true"
image: gcr.io/istio-testing/ztunnel:latest-distroless
name: istio-proxy
ports:
- containerPort: 15020
name: ztunnel-stats
protocol: TCP
readinessProbe:
httpGet:
path: /healthz/ready
port: 15021
resources:
limits:
cpu: 200m
memory: 200Mi
requests:
cpu: 100m
memory: 100Mi
securityContext:
allowPrivilegeEscalation: false
capabilities:
add:
- NET_ADMIN
drop:
- ALL
privileged: false
readOnlyRootFilesystem: true
runAsGroup: 1337
runAsNonRoot: false
runAsUser: 0
volumeMounts:
- mountPath: /var/run/secrets/istio
name: istiod-ca-cert
- mountPath: /var/run/secrets/tokens
name: istio-token
nodeSelector:
kubernetes.io/os: linux
priorityClassName: system-node-critical
serviceAccountName: ztunnel
terminationGracePeriodSeconds: 30
tolerations:
- effect: NoSchedule
operator: Exists
- key: CriticalAddonsOnly
operator: Exists
- effect: NoExecute
operator: Exists
volumes:
- name: istio-token
projected:
sources:
- serviceAccountToken:
audience: istio-ca
expirationSeconds: 43200
path: istio-token
- configMap:
name: istio-ca-root-cert
name: istiod-ca-cert
updateStrategy:
rollingUpdate:
maxSurge: 1
maxUnavailable: 0
---