# Source: github.com/eth-easl/loader@v0.0.0-20230908084258-8a37e1d94279/config/vhive/loader_istio_controller.yaml

---
# net-istio.yaml
# Generated when HEAD was c096fb65ac43c54ffb0cbba9c3c577032ad0b7fe
#
# Copyright 2019 The Knative Authors
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     https://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# Cluster-scoped role granting read and write verbs on the three
# networking.istio.io kinds listed under `rules`.
# A ClusterRole is not limited to one namespace by itself; the binding that
# attaches it to a subject is not part of this file.
# NOTE(review): the serving.knative.dev/controller label presumably feeds an
# aggregated role defined elsewhere; confirm which subject ends up holding
# these verbs.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  # These are the permissions needed by the Istio Ingress implementation.
  name: knative-serving-istio
  labels:
    app.kubernetes.io/component: net-istio
    app.kubernetes.io/name: knative-serving
    app.kubernetes.io/version: "1.3.0"
    serving.knative.dev/release: "v1.3.0"
    serving.knative.dev/controller: "true"
    networking.knative.dev/ingress-provider: istio
rules:
  - apiGroups:
      - networking.istio.io
    resources:
      - virtualservices
      - gateways
      - destinationrules
    verbs:
      - get
      - list
      - create
      - update
      - delete
      - patch
      - watch

---
# Copyright 2019 The Knative Authors
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     https://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# This is the shared Gateway for all Knative routes to use.
# It declares a single server: plaintext HTTP on port 80, matching any host
# ("*"). No TLS server is declared in this file.
# NOTE(review): confirm that TLS termination or an HTTPS redirect is
# configured elsewhere before this gateway carries non-test traffic.
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: knative-ingress-gateway
  namespace: knative-serving
  labels:
    app.kubernetes.io/component: net-istio
    app.kubernetes.io/name: knative-serving
    app.kubernetes.io/version: "1.3.0"
    serving.knative.dev/release: "v1.3.0"
    networking.knative.dev/ingress-provider: istio
spec:
  # Binds to the workloads labelled istio=ingressgateway.
  selector:
    istio: ingressgateway
  servers:
    - hosts:
        - "*"
      port:
        number: 80
        name: http
        protocol: HTTP

---
# Copyright 2019 The Knative Authors
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     https://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# A cluster local gateway to allow pods outside of the mesh to access
# Services and Routes not exposing through an ingress. If the users
# do have a service mesh setup, this isn't required.
# Gateway for cluster-local traffic: plaintext HTTP on port 8081, any host.
# It selects the same istio=ingressgateway workloads as
# knative-ingress-gateway in this file, so the two are separated by port
# number only.
# NOTE(review): whether port 8081 is reachable from outside the cluster
# depends on the ingress gateway's own Service, which is not in this file.
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: knative-local-gateway
  namespace: knative-serving
  labels:
    app.kubernetes.io/component: net-istio
    app.kubernetes.io/name: knative-serving
    app.kubernetes.io/version: "1.3.0"
    serving.knative.dev/release: "v1.3.0"
    networking.knative.dev/ingress-provider: istio
spec:
  selector:
    istio: ingressgateway
  servers:
    - hosts:
        - "*"
      port:
        number: 8081
        name: http
        protocol: HTTP
---
# ClusterIP Service in istio-system that forwards port 80 to port 8081 on the
# istio=ingressgateway pods, i.e. to the local gateway's server port above.
apiVersion: v1
kind: Service
metadata:
  name: knative-local-gateway
  namespace: istio-system
  labels:
    app.kubernetes.io/component: net-istio
    app.kubernetes.io/name: knative-serving
    app.kubernetes.io/version: "1.3.0"
    serving.knative.dev/release: "v1.3.0"
    networking.knative.dev/ingress-provider: istio
    experimental.istio.io/disable-gateway-port-translation: "true"
spec:
  # ClusterIP: the Service gets no external address of its own.
  type: ClusterIP
  selector:
    istio: ingressgateway
  ports:
    - name: http2
      port: 80
      targetPort: 8081

---
# Copyright 2018 The Knative Authors
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     https://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# ConfigMap for the Istio ingress settings. The only key under `data` is
# `_example`, whose text describes itself as non-functional documentation,
# so this manifest sets no gateway mapping explicitly.
# The text of `_example` is reproduced as-is and carries no added comments:
# anything written inside the block scalar becomes part of the stored value.
apiVersion: v1
kind: ConfigMap
metadata:
  name: config-istio
  namespace: knative-serving
  labels:
    app.kubernetes.io/component: net-istio
    app.kubernetes.io/name: knative-serving
    app.kubernetes.io/version: "1.3.0"
    serving.knative.dev/release: "v1.3.0"
    networking.knative.dev/ingress-provider: istio
data:
  # TODO(nghia): Extract the .svc.cluster.local suffix into its own config.
  _example: |
    ################################
    #                              #
    #    EXAMPLE CONFIGURATION     #
    #                              #
    ################################

    # This block is not actually functional configuration,
    # but serves to illustrate the available configuration
    # options and document them in a way that is accessible
    # to users that `kubectl edit` this config map.
    #
    # These sample configuration options may be copied out of
    # this example block and unindented to be in the data block
    # to actually change the configuration.

    # A gateway and Istio service to serve external traffic.
    # The configuration format should be
    # `gateway.{{gateway_namespace}}.{{gateway_name}}: "{{ingress_name}}.{{ingress_namespace}}.svc.cluster.local"`.
    # The {{gateway_namespace}} is optional; when it is omitted, the system will search for
    # the gateway in the serving system namespace `knative-serving`
    gateway.knative-serving.knative-ingress-gateway: "istio-ingressgateway.istio-system.svc.cluster.local"

    # A cluster local gateway to allow pods outside of the mesh to access
    # Services and Routes not exposing through an ingress. If the users
    # do have a service mesh setup, this isn't required and can be removed.
    #
    # An example use case is when users want to use Istio without any
    # sidecar injection (like Knative's istio-ci-no-mesh.yaml). Since every pod
    # is outside of the service mesh in that case, a cluster-local service
    # will need to be exposed to a cluster-local gateway to be accessible.
    # The configuration format should be `local-gateway.{{local_gateway_namespace}}.
    # {{local_gateway_name}}: "{{cluster_local_gateway_name}}.
    # {{cluster_local_gateway_namespace}}.svc.cluster.local"`. The
    # {{local_gateway_namespace}} is optional; when it is omitted, the system
    # will search for the local gateway in the serving system namespace
    # `knative-serving`
    local-gateway.knative-serving.knative-local-gateway: "knative-local-gateway.istio-system.svc.cluster.local"

    # DEPRECATED: local-gateway.mesh is deprecated.
    # See: https://github.com/knative/serving/issues/11523
    #
    # To use only Istio service mesh and no knative-local-gateway, replace
    # all local-gateway.* entries by the following entry.
    local-gateway.mesh: "mesh"

    # If true, knative will use the Istio VirtualService's status to determine
    # endpoint readiness. Otherwise, probe as usual.
    # NOTE: This feature is currently experimental and should not be used in production.
    enable-virtualservice-status: "false"

---
# Allows the Webhooks to be reached by kube-api with or without
# sidecar injection and with mTLS PERMISSIVE and STRICT.
# Port-level mTLS override for pods labelled app=webhook: on port 8443 the
# mode is PERMISSIVE, i.e. both mutual-TLS and non-mTLS connections are
# accepted there. The override covers this one port and this one selector.
# NOTE(review): the port is named https-webhook elsewhere in this file, which
# suggests the webhook terminates TLS itself; confirm it does, since Istio
# will not require a client certificate on this port.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: webhook
  namespace: knative-serving
  labels:
    app.kubernetes.io/component: net-istio
    app.kubernetes.io/name: knative-serving
    app.kubernetes.io/version: "1.3.0"
    serving.knative.dev/release: "v1.3.0"
    networking.knative.dev/ingress-provider: istio
spec:
  selector:
    matchLabels:
      app: webhook
  portLevelMtls:
    # The key stays quoted so the port is read as a string, not an integer.
    "8443":
      mode: PERMISSIVE
---
# Same port-level override as above, for pods labelled
# app=domainmapping-webhook.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: domainmapping-webhook
  namespace: knative-serving
  labels:
    app.kubernetes.io/component: net-istio
    app.kubernetes.io/name: knative-serving
    app.kubernetes.io/version: "1.3.0"
    serving.knative.dev/release: "v1.3.0"
    networking.knative.dev/ingress-provider: istio
spec:
  selector:
    matchLabels:
      app: domainmapping-webhook
  portLevelMtls:
    "8443":
      mode: PERMISSIVE
---
# Same port-level override as above, for pods labelled app=net-istio-webhook
# (the webhook Deployment defined later in this file).
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: net-istio-webhook
  namespace: knative-serving
  labels:
    app.kubernetes.io/component: net-istio
    app.kubernetes.io/name: knative-serving
    app.kubernetes.io/version: "1.3.0"
    serving.knative.dev/release: "v1.3.0"
    networking.knative.dev/ingress-provider: istio
spec:
  selector:
    matchLabels:
      app: net-istio-webhook
  portLevelMtls:
    "8443":
      mode: PERMISSIVE

---
# Copyright 2019 The Knative Authors
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     https://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# Deployment of the net-istio controller. The pod opts out of sidecar
# injection and runs under the `controller` service account; the RBAC bound
# to that account is not part of this file.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: net-istio-controller
  namespace: knative-serving
  labels:
    app.kubernetes.io/component: net-istio
    app.kubernetes.io/name: knative-serving
    app.kubernetes.io/version: "1.3.0"
    serving.knative.dev/release: "v1.3.0"
    networking.knative.dev/ingress-provider: istio
spec:
  selector:
    matchLabels:
      app: net-istio-controller
  template:
    metadata:
      labels:
        app: net-istio-controller
        app.kubernetes.io/component: net-istio
        app.kubernetes.io/name: knative-serving
        app.kubernetes.io/version: "1.3.0"
        serving.knative.dev/release: "v1.3.0"
      annotations:
        cluster-autoscaler.kubernetes.io/safe-to-evict: "true"
        # This must be outside of the mesh to probe the gateways.
        # NOTE: this is allowed here and not elsewhere because
        # this is the Istio controller, and so it may be Istio-aware.
        sidecar.istio.io/inject: "false"
    spec:
      serviceAccountName: controller
      containers:
        - name: controller
          # This is the Go import path for the binary that is containerized
          # and substituted here.
          # The reference is pinned by sha256 digest rather than by tag, so
          # the image content cannot change without this line changing.
          image: gcr.io/knative-releases/knative.dev/net-istio/cmd/controller@sha256:7f17fb47568a74de3f82bb512422a174017b7c06643a330557bc3445c8869932
          # Container hardening: no privilege escalation, read-only root
          # filesystem, non-root user, all capabilities dropped.
          # NOTE(review): Pod Security admission's restricted profile looks
          # for the upper-case spelling ALL; confirm the lowercase `all` is
          # accepted by the admission policy and runtime in use.
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            runAsNonRoot: true
            capabilities:
              drop:
                - all
          resources:
            requests:
              cpu: 30m
              memory: 40Mi
            limits:
              cpu: 2
              memory: 3Gi
          env:
            # Namespace is taken from the pod's own metadata.
            - name: SYSTEM_NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
            - name: CONFIG_LOGGING_NAME
              value: config-logging
            - name: CONFIG_OBSERVABILITY_NAME
              value: config-observability
            # TODO(https://github.com/knative/pkg/pull/953): Remove stackdriver specific config
            - name: METRICS_DOMAIN
              value: knative.dev/net-istio
          ports:
            - name: metrics
              containerPort: 9090
            # NOTE(review): confirm the profiling port is reachable only by
            # trusted clients; no Service in this file exposes it for this pod.
            - name: profiling
              containerPort: 8008

# Unlike other controllers, this doesn't need a Service defined for metrics and
# profiling because it opts out of the mesh (see annotation above).

---
# Copyright 2020 The Knative Authors
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     https://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
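# Deployment of the net-istio admission webhook (container port 8443, plus
# metrics on 9090 and profiling on 8008).
# NOTE(review): it runs under the same `controller` service account as
# net-istio-controller in this file, so it holds whatever that account is
# bound to; confirm that is intended or give the webhook its own account.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: net-istio-webhook
  namespace: knative-serving
  labels:
    app.kubernetes.io/component: net-istio
    app.kubernetes.io/name: knative-serving
    app.kubernetes.io/version: "1.3.0"
    serving.knative.dev/release: "v1.3.0"
    networking.knative.dev/ingress-provider: istio
spec:
  selector:
    matchLabels:
      app: net-istio-webhook
      role: net-istio-webhook
  template:
    metadata:
      annotations:
        cluster-autoscaler.kubernetes.io/safe-to-evict: "false"
      labels:
        app: net-istio-webhook
        role: net-istio-webhook
        app.kubernetes.io/component: net-istio
        app.kubernetes.io/name: knative-serving
        app.kubernetes.io/version: "1.3.0"
        serving.knative.dev/release: "v1.3.0"
    spec:
      serviceAccountName: controller
      containers:
        - name: webhook
          # This is the Go import path for the binary that is containerized
          # and substituted here.
          # The reference is pinned by sha256 digest rather than by tag.
          image: gcr.io/knative-releases/knative.dev/net-istio/cmd/webhook@sha256:75d502bdff93e9c0e4611c2747d868b8d471f8d3a0402394de76ec2d98b89ce3
          resources:
            requests:
              cpu: 20m
              memory: 20Mi
            limits:
              cpu: 2
              memory: 3Gi
          env:
            - name: SYSTEM_NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
            - name: CONFIG_LOGGING_NAME
              value: config-logging
            - name: CONFIG_OBSERVABILITY_NAME
              value: config-observability
            # TODO(https://github.com/knative/pkg/pull/953): Remove stackdriver specific config
            - name: METRICS_DOMAIN
              value: knative.dev/net-istio
            - name: WEBHOOK_NAME
              value: net-istio-webhook
          securityContext:
            allowPrivilegeEscalation: false
            # Added for parity with the net-istio-controller container in
            # this file, which already sets these three hardening fields;
            # the original webhook container set only
            # allowPrivilegeEscalation. ALL is written upper-case, the
            # spelling Pod Security admission's restricted profile matches.
            # NOTE(review): verify on a test cluster that the webhook starts
            # with a read-only root filesystem before rolling this out.
            readOnlyRootFilesystem: true
            runAsNonRoot: true
            capabilities:
              drop:
                - ALL
          ports:
            - name: metrics
              containerPort: 9090
            - name: profiling
              containerPort: 8008
            - name: https-webhook
              containerPort: 8443

---
# Copyright 2020 The Knative Authors
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     https://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# Secret declared without any data.
# NOTE(review): presumably the webhook writes its serving certificate here at
# runtime; confirm, and keep read access to this Secret limited to the
# webhook's service account.
apiVersion: v1
kind: Secret
metadata:
  name: net-istio-webhook-certs
  namespace: knative-serving
  labels:
    app.kubernetes.io/component: net-istio
    app.kubernetes.io/name: knative-serving
    app.kubernetes.io/version: "1.3.0"
    serving.knative.dev/release: "v1.3.0"
    networking.knative.dev/ingress-provider: istio

---
# Copyright 2020 The Knative Authors
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     https://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# Service in front of the webhook pods (selector app=net-istio-webhook).
# Port 443 maps to the container's 8443; metrics and profiling are exposed
# on the same Service.
# NOTE(review): confirm the profiling port needs to be reachable through the
# Service, and restrict it with a NetworkPolicy or mesh policy if not.
apiVersion: v1
kind: Service
metadata:
  name: net-istio-webhook
  namespace: knative-serving
  labels:
    role: net-istio-webhook
    app.kubernetes.io/component: net-istio
    app.kubernetes.io/name: knative-serving
    app.kubernetes.io/version: "1.3.0"
    serving.knative.dev/release: "v1.3.0"
    networking.knative.dev/ingress-provider: istio
spec:
  ports:
    # Define metrics and profiling for them to be accessible within service meshes.
    - name: http-metrics
      port: 9090
      targetPort: 9090
    - name: http-profiling
      port: 8008
      targetPort: 8008
    - name: https-webhook
      port: 443
      targetPort: 8443
  selector:
    app: net-istio-webhook

---
# Copyright 2020 The Knative Authors
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     https://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# Mutating admission webhook served by the net-istio-webhook Service. It is
# limited to objects that carry the serving.knative.dev/configuration label.
# failurePolicy: Fail means a matching request is rejected when the webhook
# cannot be reached, so the webhook's availability gates those writes.
# NOTE(review): no `rules` and no `caBundle` are declared here; presumably the
# webhook process fills them in at runtime. Confirm, and monitor for changes
# to this object made by anything other than the webhook.
apiVersion: admissionregistration.k8s.io/v1
kind: MutatingWebhookConfiguration
metadata:
  name: webhook.istio.networking.internal.knative.dev
  labels:
    app.kubernetes.io/component: net-istio
    app.kubernetes.io/name: knative-serving
    app.kubernetes.io/version: "1.3.0"
    serving.knative.dev/release: "v1.3.0"
    networking.knative.dev/ingress-provider: istio
webhooks:
  - admissionReviewVersions:
      - v1
      - v1beta1
    clientConfig:
      service:
        name: net-istio-webhook
        namespace: knative-serving
    failurePolicy: Fail
    sideEffects: None
    objectSelector:
      matchExpressions:
        - key: serving.knative.dev/configuration
          operator: Exists
    name: webhook.istio.networking.internal.knative.dev

---
# Copyright 2020 The Knative Authors
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.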
# You may obtain a copy of the License at
#
#     https://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# Validating admission webhook served by the net-istio-webhook Service. It is
# limited to objects labelled app.kubernetes.io/name=knative-serving and
# app.kubernetes.io/component=net-istio, the label pair this file puts on
# its own resources such as the config-istio ConfigMap.
# failurePolicy: Fail means a matching request is rejected when the webhook
# cannot be reached.
# NOTE(review): no `rules` and no `caBundle` are declared here; presumably the
# webhook process fills them in at runtime. Confirm before relying on this
# object for validation.
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
  name: config.webhook.istio.networking.internal.knative.dev
  labels:
    app.kubernetes.io/component: net-istio
    app.kubernetes.io/name: knative-serving
    app.kubernetes.io/version: "1.3.0"
    serving.knative.dev/release: "v1.3.0"
    networking.knative.dev/ingress-provider: istio
webhooks:
  - name: config.webhook.istio.networking.internal.knative.dev
    admissionReviewVersions:
      - v1
      - v1beta1
    clientConfig:
      service:
        name: net-istio-webhook
        namespace: knative-serving
    failurePolicy: Fail
    sideEffects: None
    objectSelector:
      matchLabels:
        app.kubernetes.io/name: knative-serving
        app.kubernetes.io/component: net-istio

---