Skip to content


Folders and files

Last commit message
Last commit date

Latest commit



8 Commits

Repository files navigation

Transparent proxy injection

We can do transparent proxying of requests to linkerd via iptables rules.

This script injects an initContainer into the user's k8s config. This initContainer sets up iptables rules for tranparent proxying of requests to a Daemonset linkerd.

It injects the following initContainer (which you could add to your config manually if you would rather not use the script). The script uses the annotation, which you would need to use if you are running a version of the Kubernetes Apiserver before 1.6.

- name: init-linkerd
  image: linkerd/istio-init:v1
  - name: NODE_NAME
        fieldPath: spec.nodeName
    - -p
    - "4140" # port of the Daemonset linkerd's incoming router
    - -s
    - "L5D" # linkerd Daemonset service name, uppercased
    - -m
    - "false" # set to true if running in minikube
  imagePullPolicy: IfNotPresent
      - NET_ADMIN
    privileged: false # set to true for SELinux

It is based on Istio's method of injecting sidecars. Ideally this code would go somewhere with the istioctl code, and reuse that code more directly, but this seems to be in transit right now. This sets up iptables rules for transparently proxying requests to a Daemonset linkerd (rather than a sidecar proxy, which Istio currently uses).


Install linkerd-inject

go get

Inject init container into your yaml and apply. If you're using minikube, see example/ for minikube instructions. If you're running in OpenShift (SELinux), you'll need to use -privileged.

kubectl apply -f <(linkerd-inject -f example/hello-world.yml -linkerdPort 4140)

To see output of script before applying:

linkerd-inject -f example/hello-world.yml -o result.yml -linkerdPort 4140