github.com/eth-easl/loader@v0.0.0-20230908084258-8a37e1d94279/config/vhive/loader_istio_controller.yaml (about)

     1  
     2  ---
     3  # net-istio.yaml
     4  # Generated when HEAD was c096fb65ac43c54ffb0cbba9c3c577032ad0b7fe
     5  #
     6  # Copyright 2019 The Knative Authors
     7  #
     8  # Licensed under the Apache License, Version 2.0 (the "License");
     9  # you may not use this file except in compliance with the License.
    10  # You may obtain a copy of the License at
    11  #
    12  #     https://www.apache.org/licenses/LICENSE-2.0
    13  #
    14  # Unless required by applicable law or agreed to in writing, software
    15  # distributed under the License is distributed on an "AS IS" BASIS,
    16  # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    17  # See the License for the specific language governing permissions and
    18  # limitations under the License.
    19  
    20  kind: ClusterRole
    21  apiVersion: rbac.authorization.k8s.io/v1
    22  metadata:
    23    # These are the permissions needed by the Istio Ingress implementation.
    24    name: knative-serving-istio
    25    labels:
    26      app.kubernetes.io/component: net-istio
    27      app.kubernetes.io/name: knative-serving
    28      app.kubernetes.io/version: "1.3.0"
    29      serving.knative.dev/release: "v1.3.0"
            # NOTE(review): presumably an aggregated ClusterRole selects on this
            # label, which would fold these rules into a broader role - confirm.
    30      serving.knative.dev/controller: "true"
    31      networking.knative.dev/ingress-provider: istio
        # Cluster-wide grant with no resourceNames restriction: a subject bound to
        # this role can read and rewrite every VirtualService, Gateway and
        # DestinationRule in every namespace, i.e. change how mesh traffic is
        # routed. No binding appears in this manifest; review the
        # (Cluster)RoleBindings that reference it.
    32  rules:
    33    - apiGroups: ["networking.istio.io"]
    34      resources: ["virtualservices", "gateways", "destinationrules"]
    35      verbs: ["get", "list", "create", "update", "delete", "patch", "watch"]
    36  
    37  ---
    38  # Copyright 2019 The Knative Authors
    39  #
    40  # Licensed under the Apache License, Version 2.0 (the "License");
    41  # you may not use this file except in compliance with the License.
    42  # You may obtain a copy of the License at
    43  #
    44  #     https://www.apache.org/licenses/LICENSE-2.0
    45  #
    46  # Unless required by applicable law or agreed to in writing, software
    47  # distributed under the License is distributed on an "AS IS" BASIS,
    48  # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    49  # See the License for the specific language governing permissions and
    50  # limitations under the License.
    51  
    52  # This is the shared Gateway for all Knative routes to use.
    53  apiVersion: networking.istio.io/v1alpha3
    54  kind: Gateway
    55  metadata:
    56    name: knative-ingress-gateway
    57    namespace: knative-serving
    58    labels:
    59      app.kubernetes.io/component: net-istio
    60      app.kubernetes.io/name: knative-serving
    61      app.kubernetes.io/version: "1.3.0"
    62      serving.knative.dev/release: "v1.3.0"
    63      networking.knative.dev/ingress-provider: istio
    64  spec:
          # Applies to the gateway pods labelled `istio: ingressgateway`.
    65    selector:
    66      istio: ingressgateway
          # Single plaintext listener: HTTP on port 80, matching any Host header
          # ("*"). No TLS server or HTTPS redirect is declared in this resource, so
          # requests reach the gateway unencrypted unless TLS is added separately.
    67    servers:
    68      - port:
    69          number: 80
    70          name: http
    71          protocol: HTTP
    72        hosts:
    73          - "*"
    74  
    75  ---
    76  # Copyright 2019 The Knative Authors
    77  #
    78  # Licensed under the Apache License, Version 2.0 (the "License");
    79  # you may not use this file except in compliance with the License.
    80  # You may obtain a copy of the License at
    81  #
    82  #     https://www.apache.org/licenses/LICENSE-2.0
    83  #
    84  # Unless required by applicable law or agreed to in writing, software
    85  # distributed under the License is distributed on an "AS IS" BASIS,
    86  # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    87  # See the License for the specific language governing permissions and
    88  # limitations under the License.
    89  
    90  # A cluster local gateway to allow pods outside of the mesh to access
    91  # Services and Routes not exposing through an ingress.  If the users
    92  # do have a service mesh setup, this isn't required.
    93  apiVersion: networking.istio.io/v1alpha3
    94  kind: Gateway
    95  metadata:
    96    name: knative-local-gateway
    97    namespace: knative-serving
    98    labels:
    99      app.kubernetes.io/component: net-istio
   100      app.kubernetes.io/name: knative-serving
   101      app.kubernetes.io/version: "1.3.0"
   102      serving.knative.dev/release: "v1.3.0"
   103      networking.knative.dev/ingress-provider: istio
   104  spec:
          # Same `istio: ingressgateway` selector as knative-ingress-gateway, so
          # this listener is configured on the same gateway pods as the port-80
          # listener.
          # NOTE(review): the "cluster local" property therefore rests on port 8081
          # not being published by any externally reachable Service - confirm for
          # the ingress gateway Service in use.
   105    selector:
   106      istio: ingressgateway
          # Plain HTTP on 8081 for any Host header ("*"); no TLS is declared here.
   107    servers:
   108      - port:
   109          number: 8081
   110          name: http
   111          protocol: HTTP
   112        hosts:
   113          - "*"
   114  ---
   115  apiVersion: v1
   116  kind: Service
   117  metadata:
   118    name: knative-local-gateway
   119    namespace: istio-system
   120    labels:
   121      app.kubernetes.io/component: net-istio
   122      app.kubernetes.io/name: knative-serving
   123      app.kubernetes.io/version: "1.3.0"
   124      serving.knative.dev/release: "v1.3.0"
   125      networking.knative.dev/ingress-provider: istio
   126      experimental.istio.io/disable-gateway-port-translation: "true"
   127  spec:
          # ClusterIP: the Service gets an in-cluster address only. Service port 80
          # forwards to port 8081 on pods labelled `istio: ingressgateway`, the
          # port the knative-local-gateway Gateway listens on.
          # No NetworkPolicy appears in this manifest, so which in-cluster clients
          # may connect is decided elsewhere.
   128    type: ClusterIP
   129    selector:
   130      istio: ingressgateway
   131    ports:
   132      - name: http2
   133        port: 80
   134        targetPort: 8081
   135  
   136  ---
   137  # Copyright 2018 The Knative Authors
   138  #
   139  # Licensed under the Apache License, Version 2.0 (the "License");
   140  # you may not use this file except in compliance with the License.
   141  # You may obtain a copy of the License at
   142  #
   143  #     https://www.apache.org/licenses/LICENSE-2.0
   144  #
   145  # Unless required by applicable law or agreed to in writing, software
   146  # distributed under the License is distributed on an "AS IS" BASIS,
   147  # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
   148  # See the License for the specific language governing permissions and
   149  # limitations under the License.
   150  
   151  apiVersion: v1
   152  kind: ConfigMap
   153  metadata:
   154    name: config-istio
   155    namespace: knative-serving
   156    labels:
   157      app.kubernetes.io/component: net-istio
   158      app.kubernetes.io/name: knative-serving
   159      app.kubernetes.io/version: "1.3.0"
   160      serving.knative.dev/release: "v1.3.0"
   161      networking.knative.dev/ingress-provider: istio
   162  data:
   163    # TODO(nghia): Extract the .svc.cluster.local suffix into its own config.
          # `_example` is the only key under `data`. Its value is one literal block
          # string: the "#" lines and the key/value lines below are text inside
          # that string, not YAML comments or settings. As the text itself says, an
          # option takes effect only when copied out and unindented into `data`.
   164    _example: |
   165      ################################
   166      #                              #
   167      #    EXAMPLE CONFIGURATION     #
   168      #                              #
   169      ################################
   170  
   171      # This block is not actually functional configuration,
   172      # but serves to illustrate the available configuration
   173      # options and document them in a way that is accessible
   174      # to users that `kubectl edit` this config map.
   175      #
   176      # These sample configuration options may be copied out of
   177      # this example block and unindented to be in the data block
   178      # to actually change the configuration.
   179  
   180      # A gateway and Istio service to serve external traffic.
   181      # The configuration format should be
   182      # `gateway.{{gateway_namespace}}.{{gateway_name}}: "{{ingress_name}}.{{ingress_namespace}}.svc.cluster.local"`.
   183      # The {{gateway_namespace}} is optional; when it is omitted, the system will search for
   184      # the gateway in the serving system namespace `knative-serving`
   185      gateway.knative-serving.knative-ingress-gateway: "istio-ingressgateway.istio-system.svc.cluster.local"
   186  
   187      # A cluster local gateway to allow pods outside of the mesh to access
   188      # Services and Routes not exposing through an ingress.  If the users
   189      # do have a service mesh setup, this isn't required and can be removed.
   190      #
   191      # An example use case is when users want to use Istio without any
   192      # sidecar injection (like Knative's istio-ci-no-mesh.yaml).  Since every pod
   193      # is outside of the service mesh in that case, a cluster-local  service
   194      # will need to be exposed to a cluster-local gateway to be accessible.
   195      # The configuration format should be `local-gateway.{{local_gateway_namespace}}.
   196      # {{local_gateway_name}}: "{{cluster_local_gateway_name}}.
   197      # {{cluster_local_gateway_namespace}}.svc.cluster.local"`. The
   198      # {{local_gateway_namespace}} is optional; when it is omitted, the system
   199      # will search for the local gateway in the serving system namespace
   200      # `knative-serving`
   201      local-gateway.knative-serving.knative-local-gateway: "knative-local-gateway.istio-system.svc.cluster.local"
   202  
   203      # DEPRECATED: local-gateway.mesh is deprecated.
   204      # See: https://github.com/knative/serving/issues/11523
   205      #
   206      # To use only Istio service mesh and no knative-local-gateway, replace
   207      # all local-gateway.* entries by the following entry.
   208      local-gateway.mesh: "mesh"
   209  
   210      # If true, knative will use the Istio VirtualService's status to determine
   211      # endpoint readiness. Otherwise, probe as usual.
   212      # NOTE: This feature is currently experimental and should not be used in production.
   213      enable-virtualservice-status: "false"
   214  
   215  ---
   216  # Allows the Webhooks to be reached by kube-api with or without
   217  # sidecar injection and with mTLS PERMISSIVE and STRICT.
   218  apiVersion: "security.istio.io/v1beta1"
   219  kind: "PeerAuthentication"
   220  metadata:
   221    name: "webhook"
   222    namespace: "knative-serving"
   223    labels:
   224      app.kubernetes.io/component: net-istio
   225      app.kubernetes.io/name: knative-serving
   226      app.kubernetes.io/version: "1.3.0"
   227      serving.knative.dev/release: "v1.3.0"
   228      networking.knative.dev/ingress-provider: istio
   229  spec:
          # Scope: pods in knative-serving labelled `app: webhook`.
   230    selector:
   231      matchLabels:
   232        app: webhook
          # PERMISSIVE accepts both Istio mutual-TLS and non-mTLS connections on
          # port 8443. Only this port is relaxed; no workload-wide `mtls` mode is
          # set in this resource. On 8443 the mesh therefore does not authenticate
          # the caller; that is left to the webhook's own TLS endpoint.
   233    portLevelMtls:
   234      "8443":
   235        mode: PERMISSIVE
   236  ---
   237  apiVersion: "security.istio.io/v1beta1"
   238  kind: "PeerAuthentication"
   239  metadata:
   240    name: "domainmapping-webhook"
   241    namespace: "knative-serving"
   242    labels:
   243      app.kubernetes.io/component: net-istio
   244      app.kubernetes.io/name: knative-serving
   245      app.kubernetes.io/version: "1.3.0"
   246      serving.knative.dev/release: "v1.3.0"
   247      networking.knative.dev/ingress-provider: istio
   248  spec:
          # Scope: pods in knative-serving labelled `app: domainmapping-webhook`.
   249    selector:
   250      matchLabels:
   251        app: domainmapping-webhook
          # PERMISSIVE accepts both Istio mutual-TLS and non-mTLS connections on
          # port 8443. Only this port is relaxed; no workload-wide `mtls` mode is
          # set in this resource.
   252    portLevelMtls:
   253      "8443":
   254        mode: PERMISSIVE
   255  ---
   256  apiVersion: "security.istio.io/v1beta1"
   257  kind: "PeerAuthentication"
   258  metadata:
   259    name: "net-istio-webhook"
   260    namespace: "knative-serving"
   261    labels:
   262      app.kubernetes.io/component: net-istio
   263      app.kubernetes.io/name: knative-serving
   264      app.kubernetes.io/version: "1.3.0"
   265      serving.knative.dev/release: "v1.3.0"
   266      networking.knative.dev/ingress-provider: istio
   267  spec:
          # Scope: pods in knative-serving labelled `app: net-istio-webhook`, the
          # label carried by the net-istio-webhook Deployment's pod template.
   268    selector:
   269      matchLabels:
   270        app: net-istio-webhook
          # PERMISSIVE accepts both Istio mutual-TLS and non-mTLS connections on
          # port 8443 (the Deployment's https-webhook port). Only this port is
          # relaxed; no workload-wide `mtls` mode is set in this resource.
   271    portLevelMtls:
   272      "8443":
   273        mode: PERMISSIVE
   274  
   275  ---
   276  # Copyright 2019 The Knative Authors
   277  #
   278  # Licensed under the Apache License, Version 2.0 (the "License");
   279  # you may not use this file except in compliance with the License.
   280  # You may obtain a copy of the License at
   281  #
   282  #     https://www.apache.org/licenses/LICENSE-2.0
   283  #
   284  # Unless required by applicable law or agreed to in writing, software
   285  # distributed under the License is distributed on an "AS IS" BASIS,
   286  # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
   287  # See the License for the specific language governing permissions and
   288  # limitations under the License.
   289  
   290  apiVersion: apps/v1
   291  kind: Deployment
   292  metadata:
   293    name: net-istio-controller
   294    namespace: knative-serving
   295    labels:
   296      app.kubernetes.io/component: net-istio
   297      app.kubernetes.io/name: knative-serving
   298      app.kubernetes.io/version: "1.3.0"
   299      serving.knative.dev/release: "v1.3.0"
   300      networking.knative.dev/ingress-provider: istio
   301  spec:
   302    selector:
   303      matchLabels:
   304        app: net-istio-controller
   305    template:
   306      metadata:
   307        annotations:
   308          cluster-autoscaler.kubernetes.io/safe-to-evict: "true"
   309          # This must be outside of the mesh to probe the gateways.
   310          # NOTE: this is allowed here and not elsewhere because
   311          # this is the Istio controller, and so it may be Istio-aware.
                # With injection disabled this pod gets no sidecar proxy, so
                # sidecar-enforced mTLS and authorization policy do not apply to
                # its own traffic.
   312          sidecar.istio.io/inject: "false"
   313        labels:
   314          app: net-istio-controller
   315          app.kubernetes.io/component: net-istio
   316          app.kubernetes.io/name: knative-serving
   317          app.kubernetes.io/version: "1.3.0"
   318          serving.knative.dev/release: "v1.3.0"
   319      spec:
              # The `controller` ServiceAccount is not defined in this manifest; its
              # role bindings decide what this pod may do against the API server.
              # The net-istio-webhook Deployment runs under the same account.
   320        serviceAccountName: controller
   321        containers:
   322          - name: controller
   323            # This is the Go import path for the binary that is containerized
   324            # and substituted here.
                  # Pinned by sha256 digest rather than a mutable tag, so the image
                  # content cannot change without this line changing.
   325            image: gcr.io/knative-releases/knative.dev/net-istio/cmd/controller@sha256:7f17fb47568a74de3f82bb512422a174017b7c06643a330557bc3445c8869932
   326            resources:
   327              requests:
   328                cpu: 30m
   329                memory: 40Mi
   330              limits:
   331                cpu: 2
   332                memory: 3Gi
   333            env:
   334              - name: SYSTEM_NAMESPACE
   335                valueFrom:
   336                  fieldRef:
   337                    fieldPath: metadata.namespace
   338              - name: CONFIG_LOGGING_NAME
   339                value: config-logging
   340              - name: CONFIG_OBSERVABILITY_NAME
   341                value: config-observability
   342              # TODO(https://github.com/knative/pkg/pull/953): Remove stackdriver specific config
   343              - name: METRICS_DOMAIN
   344                value: knative.dev/net-istio
                  # Container hardening: no privilege escalation, read-only root
                  # filesystem, non-root user, all capabilities dropped. No
                  # seccompProfile is set here.
                  # NOTE(review): the Pod Security "restricted" profile expects the
                  # literal `ALL` in the drop list; lowercase `all` may be flagged -
                  # confirm against the cluster's admission policy.
   345            securityContext:
   346              allowPrivilegeEscalation: false
   347              readOnlyRootFilesystem: true
   348              runAsNonRoot: true
   349              capabilities:
   350                drop:
   351                  - all
                  # NOTE(review): a profiling port is declared alongside metrics;
                  # whether profiling is actually served is not visible in this
                  # manifest - confirm it is disabled or restricted where it
                  # matters.
   352            ports:
   353              - name: metrics
   354                containerPort: 9090
   355              - name: profiling
   356                containerPort: 8008
   357  
   358  # Unlike other controllers, this doesn't need a Service defined for metrics and
   359  # profiling because it opts out of the mesh (see annotation above).
   360  
   361  ---
   362  # Copyright 2020 The Knative Authors
   363  #
   364  # Licensed under the Apache License, Version 2.0 (the "License");
   365  # you may not use this file except in compliance with the License.
   366  # You may obtain a copy of the License at
   367  #
   368  #     https://www.apache.org/licenses/LICENSE-2.0
   369  #
   370  # Unless required by applicable law or agreed to in writing, software
   371  # distributed under the License is distributed on an "AS IS" BASIS,
   372  # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
   373  # See the License for the specific language governing permissions and
   374  # limitations under the License.
   375  
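   376  apiVersion: apps/v1
   377  kind: Deployment
   378  metadata:
   379    name: net-istio-webhook
   380    namespace: knative-serving
   381    labels:
   382      app.kubernetes.io/component: net-istio
   383      app.kubernetes.io/name: knative-serving
   384      app.kubernetes.io/version: "1.3.0"
   385      serving.knative.dev/release: "v1.3.0"
   386      networking.knative.dev/ingress-provider: istio
   387  spec:
   388    selector:
   389      matchLabels:
   390        app: net-istio-webhook
   391        role: net-istio-webhook
   392    template:
   393      metadata:
   394        annotations:
   395          cluster-autoscaler.kubernetes.io/safe-to-evict: "false"
   396        labels:
   397          app: net-istio-webhook
   398          role: net-istio-webhook
   399          app.kubernetes.io/component: net-istio
   400          app.kubernetes.io/name: knative-serving
   401          app.kubernetes.io/version: "1.3.0"
   402          serving.knative.dev/release: "v1.3.0"
   403      spec:
              # The `controller` ServiceAccount is not defined in this manifest; its
              # role bindings decide what this pod may do against the API server.
              # The net-istio-controller Deployment runs under the same account.
   404        serviceAccountName: controller
   405        containers:
   406          - name: webhook
   407            # This is the Go import path for the binary that is containerized
   408            # and substituted here.
                  # Pinned by sha256 digest rather than a mutable tag, so the image
                  # content cannot change without this line changing.
   409            image: gcr.io/knative-releases/knative.dev/net-istio/cmd/webhook@sha256:75d502bdff93e9c0e4611c2747d868b8d471f8d3a0402394de76ec2d98b89ce3
   410            resources:
   411              requests:
   412                cpu: 20m
   413                memory: 20Mi
   414              limits:
   415                cpu: 2
   416                memory: 3Gi
   417            env:
   418              - name: SYSTEM_NAMESPACE
   419                valueFrom:
   420                  fieldRef:
   421                    fieldPath: metadata.namespace
   422              - name: CONFIG_LOGGING_NAME
   423                value: config-logging
   424              - name: CONFIG_OBSERVABILITY_NAME
   425                value: config-observability
   426              # TODO(https://github.com/knative/pkg/pull/953): Remove stackdriver specific config
   427              - name: METRICS_DOMAIN
   428                value: knative.dev/net-istio
   429              - name: WEBHOOK_NAME
   430                value: net-istio-webhook
                  # Hardened to the same level as the net-istio-controller container
                  # in this file, which already sets these fields; the webhook is the
                  # admission endpoint and previously set only
                  # allowPrivilegeEscalation.
                  # Assumes the webhook writes nothing to its root filesystem and the
                  # pinned image defines a non-root user - verify on a staging
                  # cluster before rollout.
   431            securityContext:
   432              allowPrivilegeEscalation: false
                    readOnlyRootFilesystem: true
                    runAsNonRoot: true
                    capabilities:
                      drop:
                        # Upper-case form, as expected by the Pod Security
                        # "restricted" profile.
                        - ALL
   433            ports:
   434              - name: metrics
   435                containerPort: 9090
   436              - name: profiling
   437                containerPort: 8008
                    # Admission requests arrive here; the net-istio-webhook Service
                    # maps its port 443 to this port.
   438              - name: https-webhook
   439                containerPort: 8443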
   440  
   441  ---
   442  # Copyright 2020 The Knative Authors
   443  #
   444  # Licensed under the Apache License, Version 2.0 (the "License");
   445  # you may not use this file except in compliance with the License.
   446  # You may obtain a copy of the License at
   447  #
   448  #     https://www.apache.org/licenses/LICENSE-2.0
   449  #
   450  # Unless required by applicable law or agreed to in writing, software
   451  # distributed under the License is distributed on an "AS IS" BASIS,
   452  # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
   453  # See the License for the specific language governing permissions and
   454  # limitations under the License.
   455  
   456  apiVersion: v1
   457  kind: Secret
        # Declared empty: no `type`, `data` or `stringData`, so no key material is
        # stored in this manifest.
        # NOTE(review): presumably the webhook writes its serving certificate and
        # key here at runtime - confirm. If so, read access to this Secret exposes
        # the webhook's private key and should be limited through RBAC.
   458  metadata:
   459    name: net-istio-webhook-certs
   460    namespace: knative-serving
   461    labels:
   462      app.kubernetes.io/component: net-istio
   463      app.kubernetes.io/name: knative-serving
   464      app.kubernetes.io/version: "1.3.0"
   465      serving.knative.dev/release: "v1.3.0"
   466      networking.knative.dev/ingress-provider: istio
   467  
   468  ---
   469  # Copyright 2020 The Knative Authors
   470  #
   471  # Licensed under the Apache License, Version 2.0 (the "License");
   472  # you may not use this file except in compliance with the License.
   473  # You may obtain a copy of the License at
   474  #
   475  #     https://www.apache.org/licenses/LICENSE-2.0
   476  #
   477  # Unless required by applicable law or agreed to in writing, software
   478  # distributed under the License is distributed on an "AS IS" BASIS,
   479  # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
   480  # See the License for the specific language governing permissions and
   481  # limitations under the License.
   482  
   483  apiVersion: v1
   484  kind: Service
   485  metadata:
   486    name: net-istio-webhook
   487    namespace: knative-serving
   488    labels:
   489      role: net-istio-webhook
   490      app.kubernetes.io/component: net-istio
   491      app.kubernetes.io/name: knative-serving
   492      app.kubernetes.io/version: "1.3.0"
   493      serving.knative.dev/release: "v1.3.0"
   494      networking.knative.dev/ingress-provider: istio
        # No `type` is given, so this is a ClusterIP Service (the Kubernetes
        # default). Besides the admission endpoint (443 -> 8443) it publishes the
        # metrics (9090) and profiling (8008) ports to in-cluster clients; no
        # NetworkPolicy in this manifest limits who may connect to them.
   495  spec:
   496    ports:
   497      # Define metrics and profiling for them to be accessible within service meshes.
   498      - name: http-metrics
   499        port: 9090
   500        targetPort: 9090
   501      - name: http-profiling
   502        port: 8008
   503        targetPort: 8008
            # Port the two webhook configurations in this file reach through
            # clientConfig.service (no explicit port is set there).
   504      - name: https-webhook
   505        port: 443
   506        targetPort: 8443
   507    selector:
   508      app: net-istio-webhook
   509  
   510  ---
   511  # Copyright 2020 The Knative Authors
   512  #
   513  # Licensed under the Apache License, Version 2.0 (the "License");
   514  # you may not use this file except in compliance with the License.
   515  # You may obtain a copy of the License at
   516  #
   517  #     https://www.apache.org/licenses/LICENSE-2.0
   518  #
   519  # Unless required by applicable law or agreed to in writing, software
   520  # distributed under the License is distributed on an "AS IS" BASIS,
   521  # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
   522  # See the License for the specific language governing permissions and
   523  # limitations under the License.
   524  
   525  apiVersion: admissionregistration.k8s.io/v1
   526  kind: MutatingWebhookConfiguration
   527  metadata:
   528    name: webhook.istio.networking.internal.knative.dev
   529    labels:
   530      app.kubernetes.io/component: net-istio
   531      app.kubernetes.io/name: knative-serving
   532      app.kubernetes.io/version: "1.3.0"
   533      serving.knative.dev/release: "v1.3.0"
   534      networking.knative.dev/ingress-provider: istio
        # No `rules` and no `clientConfig.caBundle` appear in this manifest.
        # NOTE(review): presumably the webhook process fills both in at runtime -
        # confirm. Whoever can update this object controls which requests are
        # sent to the webhook and which CA is trusted for it.
   535  webhooks:
   536    - admissionReviewVersions:
   537        - v1
   538        - v1beta1
   539      clientConfig:
   540        service:
   541          name: net-istio-webhook
   542          namespace: knative-serving
            # Fail closed: a matching request is rejected when the webhook cannot
            # be reached, so an outage of net-istio-webhook blocks those requests.
   543      failurePolicy: Fail
   544      sideEffects: None
            # Only objects carrying the serving.knative.dev/configuration label key
            # are sent to the webhook. No namespaceSelector is set.
   545      objectSelector:
   546        matchExpressions:
   547          - {key: "serving.knative.dev/configuration", operator: Exists}
   548      name: webhook.istio.networking.internal.knative.dev
   549  
   550  ---
   551  # Copyright 2020 The Knative Authors
   552  #
   553  # Licensed under the Apache License, Version 2.0 (the "License");
   554  # you may not use this file except in compliance with the License.
   555  # You may obtain a copy of the License at
   556  #
   557  #     https://www.apache.org/licenses/LICENSE-2.0
   558  #
   559  # Unless required by applicable law or agreed to in writing, software
   560  # distributed under the License is distributed on an "AS IS" BASIS,
   561  # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
   562  # See the License for the specific language governing permissions and
   563  # limitations under the License.
   564  
   565  apiVersion: admissionregistration.k8s.io/v1
   566  kind: ValidatingWebhookConfiguration
   567  metadata:
   568    name: config.webhook.istio.networking.internal.knative.dev
   569    labels:
   570      app.kubernetes.io/component: net-istio
   571      app.kubernetes.io/name: knative-serving
   572      app.kubernetes.io/version: "1.3.0"
   573      serving.knative.dev/release: "v1.3.0"
   574      networking.knative.dev/ingress-provider: istio
        # No `rules` and no `clientConfig.caBundle` appear in this manifest.
        # NOTE(review): presumably the webhook process fills both in at runtime -
        # confirm.
   575  webhooks:
   576    - admissionReviewVersions:
   577        - v1
   578        - v1beta1
   579      clientConfig:
   580        service:
   581          name: net-istio-webhook
   582          namespace: knative-serving
            # Fail closed: a matching request is rejected when the webhook cannot
            # be reached.
   583      failurePolicy: Fail
   584      sideEffects: None
   585      name: config.webhook.istio.networking.internal.knative.dev
            # Only objects carrying both labels below are validated; the
            # config-istio ConfigMap in this file carries both.
   586      objectSelector:
   587        matchLabels:
   588          app.kubernetes.io/name: knative-serving
   589          app.kubernetes.io/component: net-istio
   589          app.kubernetes.io/component: net-istio
   590  
   591  ---