Created
May 2, 2023 17:08
-
-
Save abhinavdhasmana/11bb0ce9592e61b76b10a406257493a5 to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| apiVersion: apps/v1 | |
| kind: Deployment | |
| metadata: | |
| creationTimestamp: null | |
| labels: | |
| app: server | |
| name: server | |
| spec: | |
| replicas: 4 | |
| selector: | |
| matchLabels: | |
| app: server | |
| strategy: {} | |
| template: | |
| metadata: | |
| annotations: | |
| kubectl.kubernetes.io/default-container: simple-grpc-server | |
| kubectl.kubernetes.io/default-logs-container: simple-grpc-server | |
| prometheus.io/path: /stats/prometheus | |
| prometheus.io/port: "15020" | |
| prometheus.io/scrape: "true" | |
| sidecar.istio.io/status: '{"initContainers":["istio-init"],"containers":["istio-proxy"],"volumes":["workload-socket","credential-socket","workload-certs","istio-envoy","istio-data","istio-podinfo","istio-token","istiod-ca-cert"],"imagePullSecrets":null,"revision":"default"}' | |
| creationTimestamp: null | |
| labels: | |
| app: server | |
| security.istio.io/tlsMode: istio | |
| service.istio.io/canonical-name: server | |
| service.istio.io/canonical-revision: latest | |
| spec: | |
| containers: | |
| - env: | |
| - name: POD_IP | |
| valueFrom: | |
| fieldRef: | |
| fieldPath: metadata.name | |
| image: abhinavdhasmana/simple-grpc-server | |
| name: simple-grpc-server | |
| resources: {} | |
| - args: | |
| - proxy | |
| - sidecar | |
| - --domain | |
| - $(POD_NAMESPACE).svc.cluster.local | |
| - --proxyLogLevel=warning | |
| - --proxyComponentLogLevel=misc:error | |
| - --log_output_level=default:info | |
| - --concurrency | |
| - "2" | |
| env: | |
| - name: JWT_POLICY | |
| value: third-party-jwt | |
| - name: PILOT_CERT_PROVIDER | |
| value: istiod | |
| - name: CA_ADDR | |
| value: istiod.istio-system.svc:15012 | |
| - name: POD_NAME | |
| valueFrom: | |
| fieldRef: | |
| fieldPath: metadata.name | |
| - name: POD_NAMESPACE | |
| valueFrom: | |
| fieldRef: | |
| fieldPath: metadata.namespace | |
| - name: INSTANCE_IP | |
| valueFrom: | |
| fieldRef: | |
| fieldPath: status.podIP | |
| - name: SERVICE_ACCOUNT | |
| valueFrom: | |
| fieldRef: | |
| fieldPath: spec.serviceAccountName | |
| - name: HOST_IP | |
| valueFrom: | |
| fieldRef: | |
| fieldPath: status.hostIP | |
| - name: PROXY_CONFIG | |
| value: | | |
| {} | |
| - name: ISTIO_META_POD_PORTS | |
| value: |- | |
| [ | |
| ] | |
| - name: ISTIO_META_APP_CONTAINERS | |
| value: simple-grpc-server | |
| - name: ISTIO_META_CLUSTER_ID | |
| value: Kubernetes | |
| - name: ISTIO_META_NODE_NAME | |
| valueFrom: | |
| fieldRef: | |
| fieldPath: spec.nodeName | |
| - name: ISTIO_META_INTERCEPTION_MODE | |
| value: REDIRECT | |
| - name: ISTIO_META_MESH_ID | |
| value: cluster.local | |
| - name: TRUST_DOMAIN | |
| value: cluster.local | |
| image: docker.io/istio/proxyv2:1.17.2 | |
| name: istio-proxy | |
| ports: | |
| - containerPort: 15090 | |
| name: http-envoy-prom | |
| protocol: TCP | |
| readinessProbe: | |
| failureThreshold: 30 | |
| httpGet: | |
| path: /healthz/ready | |
| port: 15021 | |
| initialDelaySeconds: 1 | |
| periodSeconds: 2 | |
| timeoutSeconds: 3 | |
| resources: | |
| limits: | |
| cpu: "2" | |
| memory: 1Gi | |
| requests: | |
| cpu: 10m | |
| memory: 40Mi | |
| securityContext: | |
| allowPrivilegeEscalation: false | |
| capabilities: | |
| drop: | |
| - ALL | |
| privileged: false | |
| readOnlyRootFilesystem: true | |
| runAsGroup: 1337 | |
| runAsNonRoot: true | |
| runAsUser: 1337 | |
| volumeMounts: | |
| - mountPath: /var/run/secrets/workload-spiffe-uds | |
| name: workload-socket | |
| - mountPath: /var/run/secrets/credential-uds | |
| name: credential-socket | |
| - mountPath: /var/run/secrets/workload-spiffe-credentials | |
| name: workload-certs | |
| - mountPath: /var/run/secrets/istio | |
| name: istiod-ca-cert | |
| - mountPath: /var/lib/istio/data | |
| name: istio-data | |
| - mountPath: /etc/istio/proxy | |
| name: istio-envoy | |
| - mountPath: /var/run/secrets/tokens | |
| name: istio-token | |
| - mountPath: /etc/istio/pod | |
| name: istio-podinfo | |
| initContainers: | |
| - args: | |
| - istio-iptables | |
| - -p | |
| - "15001" | |
| - -z | |
| - "15006" | |
| - -u | |
| - "1337" | |
| - -m | |
| - REDIRECT | |
| - -i | |
| - '*' | |
| - -x | |
| - "" | |
| - -b | |
| - '*' | |
| - -d | |
| - 15090,15021,15020 | |
| - --log_output_level=default:info | |
| image: docker.io/istio/proxyv2:1.17.2 | |
| name: istio-init | |
| resources: | |
| limits: | |
| cpu: "2" | |
| memory: 1Gi | |
| requests: | |
| cpu: 10m | |
| memory: 40Mi | |
| securityContext: | |
| allowPrivilegeEscalation: false | |
| capabilities: | |
| add: | |
| - NET_ADMIN | |
| - NET_RAW | |
| drop: | |
| - ALL | |
| privileged: false | |
| readOnlyRootFilesystem: false | |
| runAsGroup: 0 | |
| runAsNonRoot: false | |
| runAsUser: 0 | |
| volumes: | |
| - name: workload-socket | |
| - name: credential-socket | |
| - name: workload-certs | |
| - emptyDir: | |
| medium: Memory | |
| name: istio-envoy | |
| - emptyDir: {} | |
| name: istio-data | |
| - downwardAPI: | |
| items: | |
| - fieldRef: | |
| fieldPath: metadata.labels | |
| path: labels | |
| - fieldRef: | |
| fieldPath: metadata.annotations | |
| path: annotations | |
| name: istio-podinfo | |
| - name: istio-token | |
| projected: | |
| sources: | |
| - serviceAccountToken: | |
| audience: istio-ca | |
| expirationSeconds: 43200 | |
| path: istio-token | |
| - configMap: | |
| name: istio-ca-root-cert | |
| name: istiod-ca-cert | |
| status: {} | |
| --- | |
| apiVersion: v1 | |
| kind: Service | |
| metadata: | |
| creationTimestamp: null | |
| labels: | |
| app: server | |
| name: my-grpc-service | |
| spec: | |
| ports: | |
| - port: 8090 | |
| protocol: TCP | |
| targetPort: 8090 | |
| selector: | |
| app: server | |
| status: | |
| loadBalancer: {} | |
| --- | |
| apiVersion: apps/v1 | |
| kind: Deployment | |
| metadata: | |
| creationTimestamp: null | |
| labels: | |
| app: client | |
| name: client | |
| spec: | |
| replicas: 1 | |
| selector: | |
| matchLabels: | |
| app: client | |
| strategy: {} | |
| template: | |
| metadata: | |
| annotations: | |
| kubectl.kubernetes.io/default-container: simple-grpc-client | |
| kubectl.kubernetes.io/default-logs-container: simple-grpc-client | |
| prometheus.io/path: /stats/prometheus | |
| prometheus.io/port: "15020" | |
| prometheus.io/scrape: "true" | |
| sidecar.istio.io/status: '{"initContainers":["istio-init"],"containers":["istio-proxy"],"volumes":["workload-socket","credential-socket","workload-certs","istio-envoy","istio-data","istio-podinfo","istio-token","istiod-ca-cert"],"imagePullSecrets":null,"revision":"default"}' | |
| creationTimestamp: null | |
| labels: | |
| app: client | |
| security.istio.io/tlsMode: istio | |
| service.istio.io/canonical-name: client | |
| service.istio.io/canonical-revision: latest | |
| spec: | |
| containers: | |
| - image: abhinavdhasmana/simple-grpc-client | |
| name: simple-grpc-client | |
| resources: {} | |
| - args: | |
| - proxy | |
| - sidecar | |
| - --domain | |
| - $(POD_NAMESPACE).svc.cluster.local | |
| - --proxyLogLevel=warning | |
| - --proxyComponentLogLevel=misc:error | |
| - --log_output_level=default:info | |
| - --concurrency | |
| - "2" | |
| env: | |
| - name: JWT_POLICY | |
| value: third-party-jwt | |
| - name: PILOT_CERT_PROVIDER | |
| value: istiod | |
| - name: CA_ADDR | |
| value: istiod.istio-system.svc:15012 | |
| - name: POD_NAME | |
| valueFrom: | |
| fieldRef: | |
| fieldPath: metadata.name | |
| - name: POD_NAMESPACE | |
| valueFrom: | |
| fieldRef: | |
| fieldPath: metadata.namespace | |
| - name: INSTANCE_IP | |
| valueFrom: | |
| fieldRef: | |
| fieldPath: status.podIP | |
| - name: SERVICE_ACCOUNT | |
| valueFrom: | |
| fieldRef: | |
| fieldPath: spec.serviceAccountName | |
| - name: HOST_IP | |
| valueFrom: | |
| fieldRef: | |
| fieldPath: status.hostIP | |
| - name: PROXY_CONFIG | |
| value: | | |
| {} | |
| - name: ISTIO_META_POD_PORTS | |
| value: |- | |
| [ | |
| ] | |
| - name: ISTIO_META_APP_CONTAINERS | |
| value: simple-grpc-client | |
| - name: ISTIO_META_CLUSTER_ID | |
| value: Kubernetes | |
| - name: ISTIO_META_NODE_NAME | |
| valueFrom: | |
| fieldRef: | |
| fieldPath: spec.nodeName | |
| - name: ISTIO_META_INTERCEPTION_MODE | |
| value: REDIRECT | |
| - name: ISTIO_META_MESH_ID | |
| value: cluster.local | |
| - name: TRUST_DOMAIN | |
| value: cluster.local | |
| image: docker.io/istio/proxyv2:1.17.2 | |
| name: istio-proxy | |
| ports: | |
| - containerPort: 15090 | |
| name: http-envoy-prom | |
| protocol: TCP | |
| readinessProbe: | |
| failureThreshold: 30 | |
| httpGet: | |
| path: /healthz/ready | |
| port: 15021 | |
| initialDelaySeconds: 1 | |
| periodSeconds: 2 | |
| timeoutSeconds: 3 | |
| resources: | |
| limits: | |
| cpu: "2" | |
| memory: 1Gi | |
| requests: | |
| cpu: 10m | |
| memory: 40Mi | |
| securityContext: | |
| allowPrivilegeEscalation: false | |
| capabilities: | |
| drop: | |
| - ALL | |
| privileged: false | |
| readOnlyRootFilesystem: true | |
| runAsGroup: 1337 | |
| runAsNonRoot: true | |
| runAsUser: 1337 | |
| volumeMounts: | |
| - mountPath: /var/run/secrets/workload-spiffe-uds | |
| name: workload-socket | |
| - mountPath: /var/run/secrets/credential-uds | |
| name: credential-socket | |
| - mountPath: /var/run/secrets/workload-spiffe-credentials | |
| name: workload-certs | |
| - mountPath: /var/run/secrets/istio | |
| name: istiod-ca-cert | |
| - mountPath: /var/lib/istio/data | |
| name: istio-data | |
| - mountPath: /etc/istio/proxy | |
| name: istio-envoy | |
| - mountPath: /var/run/secrets/tokens | |
| name: istio-token | |
| - mountPath: /etc/istio/pod | |
| name: istio-podinfo | |
| initContainers: | |
| - args: | |
| - istio-iptables | |
| - -p | |
| - "15001" | |
| - -z | |
| - "15006" | |
| - -u | |
| - "1337" | |
| - -m | |
| - REDIRECT | |
| - -i | |
| - '*' | |
| - -x | |
| - "" | |
| - -b | |
| - '*' | |
| - -d | |
| - 15090,15021,15020 | |
| - --log_output_level=default:info | |
| image: docker.io/istio/proxyv2:1.17.2 | |
| name: istio-init | |
| resources: | |
| limits: | |
| cpu: "2" | |
| memory: 1Gi | |
| requests: | |
| cpu: 10m | |
| memory: 40Mi | |
| securityContext: | |
| allowPrivilegeEscalation: false | |
| capabilities: | |
| add: | |
| - NET_ADMIN | |
| - NET_RAW | |
| drop: | |
| - ALL | |
| privileged: false | |
| readOnlyRootFilesystem: false | |
| runAsGroup: 0 | |
| runAsNonRoot: false | |
| runAsUser: 0 | |
| volumes: | |
| - name: workload-socket | |
| - name: credential-socket | |
| - name: workload-certs | |
| - emptyDir: | |
| medium: Memory | |
| name: istio-envoy | |
| - emptyDir: {} | |
| name: istio-data | |
| - downwardAPI: | |
| items: | |
| - fieldRef: | |
| fieldPath: metadata.labels | |
| path: labels | |
| - fieldRef: | |
| fieldPath: metadata.annotations | |
| path: annotations | |
| name: istio-podinfo | |
| - name: istio-token | |
| projected: | |
| sources: | |
| - serviceAccountToken: | |
| audience: istio-ca | |
| expirationSeconds: 43200 | |
| path: istio-token | |
| - configMap: | |
| name: istio-ca-root-cert | |
| name: istiod-ca-cert | |
| status: {} | |
| --- |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment