|
- ---
- # net-istio.yaml
- # Copyright 2019 The Knative Authors
- #
- # Licensed under the Apache License, Version 2.0 (the "License");
- # you may not use this file except in compliance with the License.
- # You may obtain a copy of the License at
- #
- # https://www.apache.org/licenses/LICENSE-2.0
- #
- # Unless required by applicable law or agreed to in writing, software
- # distributed under the License is distributed on an "AS IS" BASIS,
- # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- # See the License for the specific language governing permissions and
- # limitations under the License.
-
- kind: ClusterRole
- apiVersion: rbac.authorization.k8s.io/v1
- metadata:
- # These are the permissions needed by the Istio Ingress implementation.
- name: knative-serving-istio
- labels:
- serving.knative.dev/release: "v0.15.0"
- serving.knative.dev/controller: "true"
- networking.knative.dev/ingress-provider: istio
- rules:
- - apiGroups: ["networking.istio.io"]
- resources: ["virtualservices", "gateways"]
- verbs: ["get", "list", "create", "update", "delete", "patch", "watch"]
-
- ---
- # Copyright 2019 The Knative Authors
- #
- # Licensed under the Apache License, Version 2.0 (the "License");
- # you may not use this file except in compliance with the License.
- # You may obtain a copy of the License at
- #
- # https://www.apache.org/licenses/LICENSE-2.0
- #
- # Unless required by applicable law or agreed to in writing, software
- # distributed under the License is distributed on an "AS IS" BASIS,
- # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- # See the License for the specific language governing permissions and
- # limitations under the License.
-
- # This is the shared Gateway for all Knative routes to use.
- apiVersion: networking.istio.io/v1alpha3
- kind: Gateway
- metadata:
- name: knative-ingress-gateway
- namespace: knative-serving
- labels:
- serving.knative.dev/release: "v0.15.0"
- networking.knative.dev/ingress-provider: istio
- spec:
- selector:
- istio: ingressgateway
- servers:
- - port:
- number: 80
- name: http
- protocol: HTTP
- hosts:
- - "*"
-
- ---
- # Copyright 2019 The Knative Authors
- #
- # Licensed under the Apache License, Version 2.0 (the "License");
- # you may not use this file except in compliance with the License.
- # You may obtain a copy of the License at
- #
- # https://www.apache.org/licenses/LICENSE-2.0
- #
- # Unless required by applicable law or agreed to in writing, software
- # distributed under the License is distributed on an "AS IS" BASIS,
- # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- # See the License for the specific language governing permissions and
- # limitations under the License.
-
- # A cluster local gateway to allow pods outside of the mesh to access
- # Services and Routes not exposing through an ingress. If the users
- # do have a service mesh setup, this isn't required.
- apiVersion: networking.istio.io/v1alpha3
- kind: Gateway
- metadata:
- name: cluster-local-gateway
- namespace: knative-serving
- labels:
- serving.knative.dev/release: "v0.15.0"
- networking.knative.dev/ingress-provider: istio
- spec:
- selector:
- istio: cluster-local-gateway
- servers:
- - port:
- number: 80
- name: http
- protocol: HTTP
- hosts:
- - "*"
-
- ---
- # Copyright 2020 The Knative Authors
- #
- # Licensed under the Apache License, Version 2.0 (the "License");
- # you may not use this file except in compliance with the License.
- # You may obtain a copy of the License at
- #
- # https://www.apache.org/licenses/LICENSE-2.0
- #
- # Unless required by applicable law or agreed to in writing, software
- # distributed under the License is distributed on an "AS IS" BASIS,
- # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- # See the License for the specific language governing permissions and
- # limitations under the License.
-
- apiVersion: admissionregistration.k8s.io/v1beta1
- kind: MutatingWebhookConfiguration
- metadata:
- name: webhook.istio.networking.internal.knative.dev
- labels:
- serving.knative.dev/release: "v0.15.0"
- networking.knative.dev/ingress-provider: istio
- webhooks:
- - admissionReviewVersions:
- - v1beta1
- clientConfig:
- service:
- name: istio-webhook
- namespace: knative-serving
- failurePolicy: Fail
- sideEffects: None
- objectSelector:
- matchExpressions:
- - {key: "serving.knative.dev/configuration", operator: Exists}
- name: webhook.istio.networking.internal.knative.dev
-
- ---
- # Copyright 2020 The Knative Authors
- #
- # Licensed under the Apache License, Version 2.0 (the "License");
- # you may not use this file except in compliance with the License.
- # You may obtain a copy of the License at
- #
- # https://www.apache.org/licenses/LICENSE-2.0
- #
- # Unless required by applicable law or agreed to in writing, software
- # distributed under the License is distributed on an "AS IS" BASIS,
- # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- # See the License for the specific language governing permissions and
- # limitations under the License.
-
- apiVersion: admissionregistration.k8s.io/v1beta1
- kind: ValidatingWebhookConfiguration
- metadata:
- name: config.webhook.istio.networking.internal.knative.dev
- labels:
- serving.knative.dev/release: "v0.15.0"
- networking.knative.dev/ingress-provider: istio
- webhooks:
- - admissionReviewVersions:
- - v1beta1
- clientConfig:
- service:
- name: istio-webhook
- namespace: knative-serving
- failurePolicy: Fail
- sideEffects: None
- name: config.webhook.istio.networking.internal.knative.dev
- namespaceSelector:
- matchExpressions:
- - key: serving.knative.dev/release
- operator: Exists
-
- ---
- # Copyright 2020 The Knative Authors
- #
- # Licensed under the Apache License, Version 2.0 (the "License");
- # you may not use this file except in compliance with the License.
- # You may obtain a copy of the License at
- #
- # https://www.apache.org/licenses/LICENSE-2.0
- #
- # Unless required by applicable law or agreed to in writing, software
- # distributed under the License is distributed on an "AS IS" BASIS,
- # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- # See the License for the specific language governing permissions and
- # limitations under the License.
-
- apiVersion: v1
- kind: Secret
- metadata:
- name: istio-webhook-certs
- namespace: knative-serving
- labels:
- serving.knative.dev/release: "v0.15.0"
- networking.knative.dev/ingress-provider: istio
-
- ---
- # Copyright 2018 The Knative Authors
- #
- # Licensed under the Apache License, Version 2.0 (the "License");
- # you may not use this file except in compliance with the License.
- # You may obtain a copy of the License at
- #
- # https://www.apache.org/licenses/LICENSE-2.0
- #
- # Unless required by applicable law or agreed to in writing, software
- # distributed under the License is distributed on an "AS IS" BASIS,
- # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- # See the License for the specific language governing permissions and
- # limitations under the License.
-
- apiVersion: v1
- kind: ConfigMap
- metadata:
- name: config-istio
- namespace: knative-serving
- labels:
- serving.knative.dev/release: "v0.15.0"
- networking.knative.dev/ingress-provider: istio
- data:
- _example: |
- ################################
- # #
- # EXAMPLE CONFIGURATION #
- # #
- ################################
-
- # This block is not actually functional configuration,
- # but serves to illustrate the available configuration
- # options and document them in a way that is accessible
- # to users that `kubectl edit` this config map.
- #
- # These sample configuration options may be copied out of
- # this example block and unindented to be in the data block
- # to actually change the configuration.
-
- # Default Knative Gateway after v0.3. It points to the Istio
- # standard istio-ingressgateway, instead of a custom one that we
- # used pre-0.3. The configuration format should be `gateway.
- # is optional; when it is omitted, the system will search for
- # the gateway in the serving system namespace `knative-serving`
- gateway.knative-serving.knative-ingress-gateway: "istio-ingressgateway.istio-system.svc.cluster.local"
-
- # A cluster local gateway to allow pods outside of the mesh to access
- # Services and Routes not exposing through an ingress. If the users
- # do have a service mesh setup, this isn't required and can be removed.
- #
- # An example use case is when users want to use Istio without any
- # sidecar injection (like Knative's istio-ci-no-mesh.yaml). Since every pod
- # is outside of the service mesh in that case, a cluster-local service
- # will need to be exposed to a cluster-local gateway to be accessible.
- # The configuration format should be `local-gateway.local_gateway_namespace.
- # will search for the local gateway in the serving system namespace
- # `knative-serving`
- local-gateway.knative-serving.cluster-local-gateway: "cluster-local-gateway.istio-system.svc.cluster.local"
-
- # To use only Istio service mesh and no cluster-local-gateway, replace
- # all local-gateway.* entries by the following entry.
- local-gateway.mesh: "mesh"
- # TODO(nghia): Extract the .svc.cluster.local suffix into its own config.
-
- ---
- # Copyright 2019 The Knative Authors
- #
- # Licensed under the Apache License, Version 2.0 (the "License");
- # you may not use this file except in compliance with the License.
- # You may obtain a copy of the License at
- #
- # https://www.apache.org/licenses/LICENSE-2.0
- #
- # Unless required by applicable law or agreed to in writing, software
- # distributed under the License is distributed on an "AS IS" BASIS,
- # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- # See the License for the specific language governing permissions and
- # limitations under the License.
-
- apiVersion: apps/v1
- kind: Deployment
- metadata:
- name: networking-istio-amd64
- namespace: knative-serving
- labels:
- serving.knative.dev/release: "v0.15.0"
- networking.knative.dev/ingress-provider: istio
- spec:
- selector:
- matchLabels:
- app: networking-istio
- template:
- metadata:
- annotations:
- cluster-autoscaler.kubernetes.io/safe-to-evict: "true"
- # This must be outside of the mesh to probe the gateways.
- # NOTE: this is allowed here and not elsewhere because
- # this is the Istio controller, and so it may be Istio-aware.
- sidecar.istio.io/inject: "false"
- labels:
- app: networking-istio
- serving.knative.dev/release: "v0.15.0"
- spec:
- serviceAccountName: controller
- nodeSelector:
- restfulapi: active
- archType: amd64
- tolerations:
- - key: CriticalAddonsOnly
- operator: Exists
- - key: node-role.kubernetes.io/master
- effect: NoSchedule
- containers:
- - name: networking-istio
- # This is the Go import path for the binary that is containerized
- # and substituted here.
- image: harbor.apulis.cn:8443/aiarts_v1.6.0_rc4_single/apulistech/knative-net-istio-controller:latest
-
- imagePullPolicy: IfNotPresent
- resources:
- requests:
- cpu: 30m
- memory: 40Mi
- limits:
- cpu: 300m
- memory: 400Mi
- env:
- - name: SYSTEM_NAMESPACE
- valueFrom:
- fieldRef:
- fieldPath: metadata.namespace
- - name: CONFIG_LOGGING_NAME
- value: config-logging
- - name: CONFIG_OBSERVABILITY_NAME
- value: config-observability
- - # TODO(https://github.com/knative/pkg/pull/953): Remove stackdriver specific config
- name: METRICS_DOMAIN
- value: knative.dev/net-istio
- securityContext:
- allowPrivilegeEscalation: false
- ports:
- - name: metrics
- containerPort: 9090
- - name: profiling
- containerPort: 8008
-
- # Unlike other controllers, this doesn't need a Service defined for metrics and
- # profiling because it opts out of the mesh (see annotation above).
-
- ---
- # Copyright 2020 The Knative Authors
- #
- # Licensed under the Apache License, Version 2.0 (the "License");
- # you may not use this file except in compliance with the License.
- # You may obtain a copy of the License at
- #
- # https://www.apache.org/licenses/LICENSE-2.0
- #
- # Unless required by applicable law or agreed to in writing, software
- # distributed under the License is distributed on an "AS IS" BASIS,
- # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- # See the License for the specific language governing permissions and
- # limitations under the License.
-
- apiVersion: apps/v1
- kind: Deployment
- metadata:
- name: istio-webhook-amd64
- namespace: knative-serving
- labels:
- serving.knative.dev/release: "v0.15.0"
- networking.knative.dev/ingress-provider: istio
- spec:
- selector:
- matchLabels:
- app: istio-webhook
- role: istio-webhook
- template:
- metadata:
- annotations:
- cluster-autoscaler.kubernetes.io/safe-to-evict: "false"
- labels:
- app: istio-webhook
- role: istio-webhook
- serving.knative.dev/release: "v0.15.0"
- spec:
- serviceAccountName: controller
- nodeSelector:
- restfulapi: active
- archType: amd64
- tolerations:
- - key: CriticalAddonsOnly
- operator: Exists
- - key: node-role.kubernetes.io/master
- effect: NoSchedule
- containers:
- - name: webhook
- # This is the Go import path for the binary that is containerized
- # and substituted here.
- image: harbor.apulis.cn:8443/aiarts_v1.6.0_rc4_single/apulistech/knative-net-istio-webhook:latest
-
- imagePullPolicy: IfNotPresent
- resources:
- requests:
- cpu: 20m
- memory: 20Mi
- limits:
- cpu: 200m
- memory: 200Mi
- env:
- - name: SYSTEM_NAMESPACE
- valueFrom:
- fieldRef:
- fieldPath: metadata.namespace
- - name: CONFIG_LOGGING_NAME
- value: config-logging
- - name: CONFIG_OBSERVABILITY_NAME
- value: config-observability
- - # TODO(https://github.com/knative/pkg/pull/953): Remove stackdriver specific config
- name: METRICS_DOMAIN
- value: knative.dev/net-istio
- - name: WEBHOOK_NAME
- value: istio-webhook
- securityContext:
- allowPrivilegeEscalation: false
- ports:
- - name: metrics
- containerPort: 9090
- - name: profiling
- containerPort: 8008
- - name: https-webhook
- containerPort: 8443
-
- ---
- # Copyright 2020 The Knative Authors
- #
- # Licensed under the Apache License, Version 2.0 (the "License");
- # you may not use this file except in compliance with the License.
- # You may obtain a copy of the License at
- #
- # https://www.apache.org/licenses/LICENSE-2.0
- #
- # Unless required by applicable law or agreed to in writing, software
- # distributed under the License is distributed on an "AS IS" BASIS,
- # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- # See the License for the specific language governing permissions and
- # limitations under the License.
-
- apiVersion: v1
- kind: Service
- metadata:
- name: istio-webhook
- namespace: knative-serving
- labels:
- role: istio-webhook
- serving.knative.dev/release: "v0.15.0"
- networking.knative.dev/ingress-provider: istio
- spec:
- ports:
- - # Define metrics and profiling for them to be accessible within service meshes.
- name: http-metrics
- port: 9090
- targetPort: 9090
- - name: http-profiling
- port: 8008
- targetPort: 8008
- - name: https-webhook
- port: 443
- targetPort: 8443
- selector:
- app: istio-webhook
-
- ---
|