Created
May 2, 2023 17:08
# Server Deployment in its post-injection form: the sidecar.istio.io/status
# annotation below lists the istio-init and istio-proxy containers and the
# volumes that Istio sidecar injection added next to the application container.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: server
  labels:
    app: server
  creationTimestamp: null
spec:
  replicas: 4
  selector:
    matchLabels:
      app: server
  strategy: {}
  template:
    metadata:
      creationTimestamp: null
      labels:
        app: server
        # NOTE(review): this label advertises that the pod has a sidecar able
        # to accept Istio mutual TLS; it does not by itself reject plaintext.
        # Whether plaintext is refused depends on the mesh's
        # PeerAuthentication policy, which this file does not define.
        security.istio.io/tlsMode: istio
        service.istio.io/canonical-name: server
        service.istio.io/canonical-revision: latest
      annotations:
        kubectl.kubernetes.io/default-container: simple-grpc-server
        kubectl.kubernetes.io/default-logs-container: simple-grpc-server
        # Metrics are scraped from port 15020, one of the ports the init
        # container excludes from inbound redirection (see its -d argument).
        prometheus.io/path: /stats/prometheus
        prometheus.io/port: "15020"
        prometheus.io/scrape: "true"
        sidecar.istio.io/status: '{"initContainers":["istio-init"],"containers":["istio-proxy"],"volumes":["workload-socket","credential-socket","workload-certs","istio-envoy","istio-data","istio-podinfo","istio-token","istiod-ca-cert"],"imagePullSecrets":null,"revision":"default"}'
    spec:
      containers:
        # Application container. Unlike the sidecar below it sets no
        # securityContext and no resource requests/limits, and its image has
        # no tag or digest, so the reference resolves to the mutable "latest"
        # tag. NOTE(review): pin the image and add a securityContext; the
        # user the image runs as is not visible here, and it must not be
        # UID 1337, whose traffic the init container exempts from redirection.
        - name: simple-grpc-server
          image: abhinavdhasmana/simple-grpc-server
          env:
            # NOTE(review): the variable is named POD_IP but is populated from
            # metadata.name (the pod name); status.podIP would give the
            # address. Confirm which one the application expects.
            - name: POD_IP
              valueFrom:
                fieldRef:
                  fieldPath: metadata.name
          resources: {}
        # Injected Envoy sidecar: non-root UID/GID 1337, read-only root
        # filesystem, no privilege escalation, all capabilities dropped.
        - name: istio-proxy
          image: docker.io/istio/proxyv2:1.17.2
          args:
            - proxy
            - sidecar
            - --domain
            - $(POD_NAMESPACE).svc.cluster.local
            - --proxyLogLevel=warning
            - --proxyComponentLogLevel=misc:error
            - --log_output_level=default:info
            - --concurrency
            - "2"
          env:
            # third-party-jwt pairs with the projected istio-token volume
            # (audience istio-ca) declared under volumes.
            - name: JWT_POLICY
              value: third-party-jwt
            - name: PILOT_CERT_PROVIDER
              value: istiod
            - name: CA_ADDR
              value: istiod.istio-system.svc:15012
            - name: POD_NAME
              valueFrom:
                fieldRef:
                  fieldPath: metadata.name
            - name: POD_NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
            - name: INSTANCE_IP
              valueFrom:
                fieldRef:
                  fieldPath: status.podIP
            - name: SERVICE_ACCOUNT
              valueFrom:
                fieldRef:
                  fieldPath: spec.serviceAccountName
            - name: HOST_IP
              valueFrom:
                fieldRef:
                  fieldPath: status.hostIP
            - name: PROXY_CONFIG
              value: |
                {}
            - name: ISTIO_META_POD_PORTS
              value: |-
                [
                ]
            - name: ISTIO_META_APP_CONTAINERS
              value: simple-grpc-server
            - name: ISTIO_META_CLUSTER_ID
              value: Kubernetes
            - name: ISTIO_META_NODE_NAME
              valueFrom:
                fieldRef:
                  fieldPath: spec.nodeName
            - name: ISTIO_META_INTERCEPTION_MODE
              value: REDIRECT
            - name: ISTIO_META_MESH_ID
              value: cluster.local
            - name: TRUST_DOMAIN
              value: cluster.local
          ports:
            - name: http-envoy-prom
              containerPort: 15090
              protocol: TCP
          readinessProbe:
            httpGet:
              path: /healthz/ready
              port: 15021
            initialDelaySeconds: 1
            periodSeconds: 2
            timeoutSeconds: 3
            failureThreshold: 30
          resources:
            requests:
              cpu: 10m
              memory: 40Mi
            limits:
              cpu: "2"
              memory: 1Gi
          securityContext:
            runAsUser: 1337
            runAsGroup: 1337
            runAsNonRoot: true
            privileged: false
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            capabilities:
              drop:
                - ALL
          volumeMounts:
            - name: workload-socket
              mountPath: /var/run/secrets/workload-spiffe-uds
            - name: credential-socket
              mountPath: /var/run/secrets/credential-uds
            - name: workload-certs
              mountPath: /var/run/secrets/workload-spiffe-credentials
            - name: istiod-ca-cert
              mountPath: /var/run/secrets/istio
            - name: istio-data
              mountPath: /var/lib/istio/data
            - name: istio-envoy
              mountPath: /etc/istio/proxy
            - name: istio-token
              mountPath: /var/run/secrets/tokens
            - name: istio-podinfo
              mountPath: /etc/istio/pod
      initContainers:
        # The only elevated container in the pod: it runs as root (UID 0) and
        # adds NET_ADMIN and NET_RAW to program the iptables redirect rules.
        # Those added capabilities fall outside the baseline Pod Security
        # Standard; the Istio CNI plugin is the usual way to avoid needing
        # this container.
        - name: istio-init
          image: docker.io/istio/proxyv2:1.17.2
          args:
            - istio-iptables
            - -p  # port that captured outbound traffic is redirected to
            - "15001"
            - -z  # port that captured inbound traffic is redirected to
            - "15006"
            - -u  # UID whose own traffic is not redirected (the proxy)
            - "1337"
            - -m
            - REDIRECT
            - -i  # outbound IP ranges to redirect; '*' means all
            - '*'
            - -x  # outbound IP ranges to exclude; empty here
            - ""
            - -b  # inbound ports to redirect; '*' means all
            - '*'
            - -d  # inbound ports excluded from redirection
            - '15090,15021,15020'
            - --log_output_level=default:info
          resources:
            requests:
              cpu: 10m
              memory: 40Mi
            limits:
              cpu: "2"
              memory: 1Gi
          securityContext:
            runAsUser: 0
            runAsGroup: 0
            runAsNonRoot: false
            privileged: false
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: false
            capabilities:
              add:
                - NET_ADMIN
                - NET_RAW
              drop:
                - ALL
      volumes:
        - name: workload-socket
        - name: credential-socket
        - name: workload-certs
        - name: istio-envoy
          emptyDir:
            medium: Memory
        - name: istio-data
          emptyDir: {}
        - name: istio-podinfo
          downwardAPI:
            items:
              - path: labels
                fieldRef:
                  fieldPath: metadata.labels
              - path: annotations
                fieldRef:
                  fieldPath: metadata.annotations
        # Projected service-account token scoped to the istio-ca audience and
        # valid for 43200 seconds (12 hours).
        - name: istio-token
          projected:
            sources:
              - serviceAccountToken:
                  path: istio-token
                  audience: istio-ca
                  expirationSeconds: 43200
        - name: istiod-ca-cert
          configMap:
            name: istio-ca-root-cert
status: {}
---
# Service in front of the server pods. No type is set, and the single port
# is unnamed.
# NOTE(review): with no port name or appProtocol, Istio has to infer the
# protocol for port 8090; naming the port with a grpc prefix (or setting
# appProtocol) would make it explicit.
apiVersion: v1
kind: Service
metadata:
  name: my-grpc-service
  labels:
    app: server
  creationTimestamp: null
spec:
  selector:
    app: server
  ports:
    - protocol: TCP
      port: 8090
      targetPort: 8090
status:
  loadBalancer: {}
---
# Client Deployment in its post-injection form: the sidecar.istio.io/status
# annotation below lists the istio-init and istio-proxy containers and the
# volumes that Istio sidecar injection added next to the application container.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: client
  labels:
    app: client
  creationTimestamp: null
spec:
  replicas: 1
  selector:
    matchLabels:
      app: client
  strategy: {}
  template:
    metadata:
      creationTimestamp: null
      labels:
        app: client
        # NOTE(review): this label advertises that the pod has a sidecar able
        # to accept Istio mutual TLS; it does not by itself reject plaintext.
        # Whether plaintext is refused depends on the mesh's
        # PeerAuthentication policy, which this file does not define.
        security.istio.io/tlsMode: istio
        service.istio.io/canonical-name: client
        service.istio.io/canonical-revision: latest
      annotations:
        kubectl.kubernetes.io/default-container: simple-grpc-client
        kubectl.kubernetes.io/default-logs-container: simple-grpc-client
        # Metrics are scraped from port 15020, one of the ports the init
        # container excludes from inbound redirection (see its -d argument).
        prometheus.io/path: /stats/prometheus
        prometheus.io/port: "15020"
        prometheus.io/scrape: "true"
        sidecar.istio.io/status: '{"initContainers":["istio-init"],"containers":["istio-proxy"],"volumes":["workload-socket","credential-socket","workload-certs","istio-envoy","istio-data","istio-podinfo","istio-token","istiod-ca-cert"],"imagePullSecrets":null,"revision":"default"}'
    spec:
      containers:
        # Application container. Unlike the sidecar below it sets no
        # securityContext and no resource requests/limits, and its image has
        # no tag or digest, so the reference resolves to the mutable "latest"
        # tag. NOTE(review): pin the image and add a securityContext; the
        # user the image runs as is not visible here, and it must not be
        # UID 1337, whose traffic the init container exempts from redirection.
        - name: simple-grpc-client
          image: abhinavdhasmana/simple-grpc-client
          resources: {}
        # Injected Envoy sidecar: non-root UID/GID 1337, read-only root
        # filesystem, no privilege escalation, all capabilities dropped.
        - name: istio-proxy
          image: docker.io/istio/proxyv2:1.17.2
          args:
            - proxy
            - sidecar
            - --domain
            - $(POD_NAMESPACE).svc.cluster.local
            - --proxyLogLevel=warning
            - --proxyComponentLogLevel=misc:error
            - --log_output_level=default:info
            - --concurrency
            - "2"
          env:
            # third-party-jwt pairs with the projected istio-token volume
            # (audience istio-ca) declared under volumes.
            - name: JWT_POLICY
              value: third-party-jwt
            - name: PILOT_CERT_PROVIDER
              value: istiod
            - name: CA_ADDR
              value: istiod.istio-system.svc:15012
            - name: POD_NAME
              valueFrom:
                fieldRef:
                  fieldPath: metadata.name
            - name: POD_NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
            - name: INSTANCE_IP
              valueFrom:
                fieldRef:
                  fieldPath: status.podIP
            - name: SERVICE_ACCOUNT
              valueFrom:
                fieldRef:
                  fieldPath: spec.serviceAccountName
            - name: HOST_IP
              valueFrom:
                fieldRef:
                  fieldPath: status.hostIP
            - name: PROXY_CONFIG
              value: |
                {}
            - name: ISTIO_META_POD_PORTS
              value: |-
                [
                ]
            - name: ISTIO_META_APP_CONTAINERS
              value: simple-grpc-client
            - name: ISTIO_META_CLUSTER_ID
              value: Kubernetes
            - name: ISTIO_META_NODE_NAME
              valueFrom:
                fieldRef:
                  fieldPath: spec.nodeName
            - name: ISTIO_META_INTERCEPTION_MODE
              value: REDIRECT
            - name: ISTIO_META_MESH_ID
              value: cluster.local
            - name: TRUST_DOMAIN
              value: cluster.local
          ports:
            - name: http-envoy-prom
              containerPort: 15090
              protocol: TCP
          readinessProbe:
            httpGet:
              path: /healthz/ready
              port: 15021
            initialDelaySeconds: 1
            periodSeconds: 2
            timeoutSeconds: 3
            failureThreshold: 30
          resources:
            requests:
              cpu: 10m
              memory: 40Mi
            limits:
              cpu: "2"
              memory: 1Gi
          securityContext:
            runAsUser: 1337
            runAsGroup: 1337
            runAsNonRoot: true
            privileged: false
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            capabilities:
              drop:
                - ALL
          volumeMounts:
            - name: workload-socket
              mountPath: /var/run/secrets/workload-spiffe-uds
            - name: credential-socket
              mountPath: /var/run/secrets/credential-uds
            - name: workload-certs
              mountPath: /var/run/secrets/workload-spiffe-credentials
            - name: istiod-ca-cert
              mountPath: /var/run/secrets/istio
            - name: istio-data
              mountPath: /var/lib/istio/data
            - name: istio-envoy
              mountPath: /etc/istio/proxy
            - name: istio-token
              mountPath: /var/run/secrets/tokens
            - name: istio-podinfo
              mountPath: /etc/istio/pod
      initContainers:
        # The only elevated container in the pod: it runs as root (UID 0) and
        # adds NET_ADMIN and NET_RAW to program the iptables redirect rules.
        # Those added capabilities fall outside the baseline Pod Security
        # Standard; the Istio CNI plugin is the usual way to avoid needing
        # this container.
        - name: istio-init
          image: docker.io/istio/proxyv2:1.17.2
          args:
            - istio-iptables
            - -p  # port that captured outbound traffic is redirected to
            - "15001"
            - -z  # port that captured inbound traffic is redirected to
            - "15006"
            - -u  # UID whose own traffic is not redirected (the proxy)
            - "1337"
            - -m
            - REDIRECT
            - -i  # outbound IP ranges to redirect; '*' means all
            - '*'
            - -x  # outbound IP ranges to exclude; empty here
            - ""
            - -b  # inbound ports to redirect; '*' means all
            - '*'
            - -d  # inbound ports excluded from redirection
            - '15090,15021,15020'
            - --log_output_level=default:info
          resources:
            requests:
              cpu: 10m
              memory: 40Mi
            limits:
              cpu: "2"
              memory: 1Gi
          securityContext:
            runAsUser: 0
            runAsGroup: 0
            runAsNonRoot: false
            privileged: false
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: false
            capabilities:
              add:
                - NET_ADMIN
                - NET_RAW
              drop:
                - ALL
      volumes:
        - name: workload-socket
        - name: credential-socket
        - name: workload-certs
        - name: istio-envoy
          emptyDir:
            medium: Memory
        - name: istio-data
          emptyDir: {}
        - name: istio-podinfo
          downwardAPI:
            items:
              - path: labels
                fieldRef:
                  fieldPath: metadata.labels
              - path: annotations
                fieldRef:
                  fieldPath: metadata.annotations
        # Projected service-account token scoped to the istio-ca audience and
        # valid for 43200 seconds (12 hours).
        - name: istio-token
          projected:
            sources:
              - serviceAccountToken:
                  path: istio-token
                  audience: istio-ca
                  expirationSeconds: 43200
        - name: istiod-ca-cert
          configMap:
            name: istio-ca-root-cert
status: {}
---