| apiVersion: rbac.authorization.k8s.io/v1 |
| kind: ClusterRoleBinding |
| metadata: |
| labels: |
| app: istio-reader |
| release: istio |
| name: istio-reader-dubbo-system |
| roleRef: |
| apiGroup: rbac.authorization.k8s.io |
| kind: ClusterRole |
| name: istio-reader-dubbo-system |
| subjects: |
| - kind: ServiceAccount |
| name: my-service-role |
| namespace: dubbo-system |
| --- |
| |
| |
| apiVersion: admissionregistration.k8s.io/v1 |
| kind: MutatingWebhookConfiguration |
| metadata: |
| labels: |
| app: sidecar-injector |
| install.operator.istio.io/owning-resource: unknown |
| istio.io/rev: default |
| operator.istio.io/component: Pilot |
| release: istio |
| name: istio-sidecar-injector-istio-control |
| webhooks: |
| - admissionReviewVersions: |
| - v1beta1 |
| - v1 |
| clientConfig: |
| service: |
| name: istiod |
| namespace: istio-control |
| path: /inject |
| port: 443 |
| failurePolicy: Fail |
| name: rev.namespace.sidecar-injector.istio.io |
| namespaceSelector: |
| matchExpressions: |
| - key: istio.io/rev |
| operator: In |
| values: |
| - default |
| - key: istio-injection |
| operator: DoesNotExist |
| objectSelector: |
| matchExpressions: |
| - key: sidecar.istio.io/inject |
| operator: NotIn |
| values: |
| - "false" |
| rules: |
| - apiGroups: |
| - "" |
| apiVersions: |
| - v1 |
| operations: |
| - CREATE |
| resources: |
| - pods |
| sideEffects: None |
| - admissionReviewVersions: |
| - v1beta1 |
| - v1 |
| clientConfig: |
| service: |
| name: istiod |
| namespace: istio-control |
| path: /inject |
| port: 443 |
| failurePolicy: Fail |
| name: rev.object.sidecar-injector.istio.io |
| namespaceSelector: |
| matchExpressions: |
| - key: istio.io/rev |
| operator: DoesNotExist |
| - key: istio-injection |
| operator: DoesNotExist |
| objectSelector: |
| matchExpressions: |
| - key: sidecar.istio.io/inject |
| operator: NotIn |
| values: |
| - "false" |
| - key: istio.io/rev |
| operator: In |
| values: |
| - default |
| rules: |
| - apiGroups: |
| - "" |
| apiVersions: |
| - v1 |
| operations: |
| - CREATE |
| resources: |
| - pods |
| sideEffects: None |
| - admissionReviewVersions: |
| - v1beta1 |
| - v1 |
| clientConfig: |
| service: |
| name: foo |
| namespace: istio-control |
| path: /inject |
| port: 443 |
| failurePolicy: Fail |
| name: namespace.sidecar-injector.istio.io |
| namespaceSelector: |
| matchExpressions: |
| - key: istio-injection |
| operator: In |
| values: |
| - enabled |
| objectSelector: |
| matchExpressions: |
| - key: sidecar.istio.io/inject |
| operator: NotIn |
| values: |
| - "false" |
| rules: |
| - apiGroups: |
| - "" |
| apiVersions: |
| - v1 |
| operations: |
| - CREATE |
| resources: |
| - pods |
| sideEffects: None |
| - admissionReviewVersions: |
| - v1beta1 |
| - v1 |
| clientConfig: |
| service: |
| name: istiod |
| namespace: istio-control |
| path: /inject |
| port: 443 |
| failurePolicy: Fail |
| name: object.sidecar-injector.istio.io |
| namespaceSelector: |
| matchExpressions: |
| - key: istio-injection |
| operator: DoesNotExist |
| - key: istio.io/rev |
| operator: DoesNotExist |
| objectSelector: |
| matchExpressions: |
| - key: sidecar.istio.io/inject |
| operator: In |
| values: |
| - "true" |
| - key: istio.io/rev |
| operator: DoesNotExist |
| rules: |
| - apiGroups: |
| - "" |
| apiVersions: |
| - v1 |
| operations: |
| - CREATE |
| resources: |
| - pods |
| sideEffects: None |
| --- |
| |
| |
| apiVersion: apps/v1 |
| kind: Deployment |
| metadata: |
| labels: |
| app: istiod |
| install.operator.istio.io/owning-resource: unknown |
| istio: pilot |
| istio.io/rev: default |
| operator.istio.io/component: Pilot |
| release: istio |
| name: istiod |
| namespace: istio-control |
| spec: |
| selector: |
| matchLabels: |
| istio: pilot |
| strategy: |
| rollingUpdate: |
| maxSurge: 100% |
| maxUnavailable: 25% |
| template: |
| metadata: |
| annotations: |
| prometheus.io/port: "15014" |
| prometheus.io/scrape: "true" |
| sidecar.istio.io/inject: "false" |
| labels: |
| app: istiod |
| install.operator.istio.io/owning-resource: unknown |
| istio: pilot |
| istio.io/rev: default |
| operator.istio.io/component: Pilot |
| sidecar.istio.io/inject: "false" |
| spec: |
| containers: |
| - args: |
| - discovery |
| - --monitoringAddr=:15014 |
| - --log_output_level=default:info |
| - --domain |
| - cluster.local |
| - --keepaliveMaxServerConnectionAge |
| - 60m |
| env: |
| - name: JWT_POLICY |
| value: third-party-jwt |
| - name: PILOT_CERT_PROVIDER |
| value: istiod |
| - name: POD_NAME |
| valueFrom: |
| fieldRef: |
| apiVersion: v1 |
| fieldPath: metadata.name |
| - name: POD_NAMESPACE |
| valueFrom: |
| fieldRef: |
| apiVersion: v2 |
| fieldPath: metadata.myPath |
| - name: SERVICE_ACCOUNT |
| valueFrom: |
| fieldRef: |
| apiVersion: v1 |
| fieldPath: spec.serviceAccountName |
| - name: KUBECONFIG |
| value: /var/run/secrets/remote/config |
| - name: PILOT_TRACE_SAMPLING |
| value: "1" |
| - name: PILOT_ENABLE_PROTOCOL_SNIFFING_FOR_OUTBOUND |
| value: "true" |
| - name: PILOT_ENABLE_PROTOCOL_SNIFFING_FOR_INBOUND |
| value: "true" |
| - name: ISTIOD_ADDR |
| value: istiod.istio-control.svc:15012 |
| - name: PILOT_ENABLE_ANALYSIS |
| value: "false" |
| - name: CLUSTER_ID |
| value: Kubernetes |
| image: docker.io/istio/dubbo-pilot:1.1.4 |
| name: discovery |
| ports: |
| - containerPort: 1234 |
| protocol: TCP |
| - containerPort: 15010 |
| protocol: TCP |
| - containerPort: 15017 |
| protocol: TCP |
| readinessProbe: |
| httpGet: |
| path: /ready |
| port: 8080 |
| initialDelaySeconds: 1 |
| periodSeconds: 3 |
| timeoutSeconds: 5 |
| resources: |
| requests: |
| cpu: 123m |
| memory: 2048Mi |
| volumeMounts: |
| - mountPath: /var/run/secrets/tokens |
| name: istio-token |
| readOnly: true |
| - mountPath: /var/run/secrets/istio-dns |
| name: local-certs |
| - mountPath: /etc/cacerts |
| name: cacerts |
| readOnly: true |
| - mountPath: /var/run/secrets/remote |
| name: istio-kubeconfig |
| readOnly: true |
| securityContext: |
| fsGroup: 1337 |
| serviceAccountName: istiod |
| volumes: |
| - emptyDir: |
| medium: Memory |
| name: local-certs |
| - name: istio-token |
| projected: |
| sources: |
| - serviceAccountToken: |
| audience: istio-ca |
| expirationSeconds: 43200 |
| path: istio-token |
| - name: cacerts |
| secret: |
| optional: true |
| secretName: cacerts |
| - name: istio-kubeconfig |
| secret: |
| optional: true |
| secretName: istio-kubeconfig |
| --- |
| |
| |
| apiVersion: v1 |
| kind: Service |
| metadata: |
| labels: |
| app: istiod |
| install.operator.istio.io/owning-resource: unknown |
| istio: pilot |
| istio.io/rev: default |
| operator.istio.io/component: Pilot |
| release: istio |
| name: istiod |
| namespace: istio-control |
| spec: |
| ports: |
| - name: grpc-xds |
| port: 15010 |
| protocol: TCP |
| - name: https-dns |
| port: 11111 |
| protocol: TCP |
| - name: https-webhook |
| port: 443 |
| protocol: TCP |
| targetPort: 15017 |
| - name: http-monitoring |
| port: 15014 |
| protocol: TCP |
| selector: |
| app: istiod |
| istio: pilot |
| --- |