Inject

The linkerd inject command allows for a quick and reliable setup of theLinkerd Proxy in a Kubernetes Deployment. This page is useful as a reference tohelp you understand what linkerd inject is doing under the hood, as well asprovide a reference for the flags that can be passed at the command line.

If you run the command linkerd inject -h it will provide you with the sameinformation as the table below:

Flag Explanation Example
—api-port The port where the Linkerd controller is running (default 8086). If you changed any of the port settings on linkerd install this flag will be necessary. —api-port=9045
—control-port The proxy port to use for control (default 4190). This is the port the Linkerd Proxy Pod uses communicates with the control plane. If 4190 is a reserved port for your application, it can be changed with this flag. —control-port=5431
-h, —help The command that prints this table out, but on the command line. -h
—image-pull-policy The Docker image pull policy (default "IfNotPresent"). For the injected Linkerd Proxy images (or your own modified variant) choose whether or not you want to have the Kubelet pull the image from the registry Always or Ony If Not Present. —image-pull-policy="Always"
—inbound-port The proxy port to use for inbound traffic (default 4143). This port number is arbitrary, but can be changed if your Pod has that port reserved inbound or outbound already. —inbound-port=1234
—init-image The Linkerd init container image name (default "gcr.io/linkerd-io/proxy-init"). If you have modified (or made private) the Linkerd Proxy Init Container, you will adjust that here. —init-image="quay.io/org/imagename"
-v, —linkerd-version Tag to be used for Linkerd images (default "v18.8.2"). IMPORTANT this version should be the same as your Linkerd control plane version. -v="1.0.0"
—metrics-port The proxy port to serve metrics on (default 4191). This port number is arbitrary, but you will want to update your Prometheus installation to match this port number if you change it. —metrics-port=10234
—outbound-port The proxy port to use for outbound traffic (default 4140). This port number is arbitrary, but can be changed if your Pod has that port reserved inbound or outbound already. —outbound-port=1234
—proxy-bind-timeout The timeout the proxy will use (default "10s"). The amount of time to allow the proxy to bind to the Pod's network interface and begin receiving traffic on behalf of your deployment. If you have especially long start time for a container, you may consider adjusting this. This string will eventually be converted to a Rust Duration, so you'll want to keep this this of the form "[0-9]*s" —proxy-bind-timeout="30s"
—proxy-image The linkerd proxy container image name (default "gcr.io/linkerd-io/proxy"). If you have modified (or made private) the Linkerd Proxy Init Container, you will adjust that here. —proxy-image="quay.io/org/imagename"
—proxy-log-level The log level for the proxy (default "warn,linkerd2_proxy=info"). The first value is the log level for the Init Container, and the second is the level for the Proxy Container. —proxy-log-level="info,linkerd2_proxy=debug"
—proxy-uid Run the proxy under this user ID (default 2102) —proxy-uid=123
—registry Docker registry to pull images from (default "gcr.io/linkerd-io") —registry="quay.io/ygrene
—skip-inbound-ports Ports that should skip the proxy and send directly to the application (default []). IMPORTANT! If there is a port you do not want Linkerd proxying (for example SMTP port 25) you will need to put it in this list. —skip-inbound-ports=25,26,27
—skip-outbound-ports Outbound ports that should skip the proxy (default []). Similarly to the above, if there are outbound ports you don't want leaving the pod from the —outbound-port (such as MySQL,) they need to be listed here. —skip-outbound-ports=25,3306,5432
—tls Enable TLS; valid settings: "optional". Whether or not you want Linkerd Proxy to attempt an mTLS session between two Pods in the mesh. The only option that is valid is "optional". —tls="optional"
—api-addr Override the kubeconfig and communicate directly with the control plane at host:port (mostly for testing). —api-addr="127.0.0.1:80"
—kubeconfig Path to the kubeconfig file to use for CLI requests. The local path for your Kubernetes config manifest. —kubeconfig="~/.kube/config"
-l, —linkerd-namespace Namespace in which Linkerd is installed (default "linkerd"). If you modified the linkerd install command and adjusted the Kubernetes Namespace it was deployed into, you'll want to adjust it here. -l="default"
—verbose Turn on debug logging. Log all the things. (Especially those things that linkerd inject does.) —verbose

What linkerd inject Is Doing

linkerd inject is modifying the Kubernetes Deployment manifest that is being passed to iteither as a file or as a stream to its stdin. It is adding two things:

  • An Init Container (supported as of Kubernetes version 1.6 or greater)

  • A Linkerd Proxy sidecar container into each Pod belonging to your Deployment

The Init Container is responsible for pulling configuration (such ascertificates) from the Kubernetes API/Linkerd Controller, as well as providingconfiguration to the Linkerd Proxy container for its runtime.

Example Deployment

Let's say for example you have the following deployment saved as deployment.yaml:

  1. apiVersion: apps/v1
  2. kind: Deployment
  3. metadata:
  4.   name: example-deployment
  5.   namespace: default
  6. spec:
  7.   replicas: 3
  8.   selector:
  9.     matchLabels:
  10.       app: example-deployment
  11.       env: default
  12.   template:
  13.     metadata:
  14.       labels:
  15.         app: example-deployment
  16.         env: default
  17.     spec:
  18.       containers:
  19.       - name: app
  20.         image: quay.io/ygrene/hello-docker
  21.         ports:
  22.         - containerPort: 3000

Now, we can run the linkerd inject command as follows:

  1. linkerd inject \
  2.   --proxy-log-level="debug" \
  3.   --skip-outbound-ports=3306 \
  4.   deployment.yaml > deployment_with_linkerd.yaml

The output of that file should look like the following:

  1. apiVersion: apps/v1
  2. kind: Deployment
  3. metadata:
  4.   creationTimestamp: null
  5.   name: example-deployment
  6.   namespace: default
  7. spec:
  8.   replicas: 3
  9.   selector:
  10.     matchLabels:
  11.       app: example-deployment
  12.       env: default
  13.   strategy: {}
  14.   template:
  15.     metadata:
  16.       annotations:
  17.         linkerd.io/created-by: linkerd/cli v18.8.2
  18.         linkerd.io/proxy-version: v18.8.2
  19.       creationTimestamp: null
  20.       labels:
  21.         app: example-deployment
  22.         env: default
  23.         linkerd.io/control-plane-ns: linkerd
  24.         linkerd.io/proxy-deployment: example-deployment
  25.     spec:
  26.       containers:
  27.       - image: quay.io/ygrene/hello-docker
  28.         name: app
  29.         ports:
  30.         - containerPort: 3000
  31.         resources: {}
  32.       - env:
  33.         - name: LINKERD2_PROXY_LOG
  34.           value: debug
  35.         - name: LINKERD2_PROXY_BIND_TIMEOUT
  36.           value: 10s
  37.         - name: LINKERD2_PROXY_CONTROL_URL
  38.           value: tcp://proxy-api.linkerd.svc.cluster.local:8086
  39.         - name: LINKERD2_PROXY_CONTROL_LISTENER
  40.           value: tcp://0.0.0.0:4190
  41.         - name: LINKERD2_PROXY_METRICS_LISTENER
  42.           value: tcp://0.0.0.0:4191
  43.         - name: LINKERD2_PROXY_PRIVATE_LISTENER
  44.           value: tcp://127.0.0.1:4140
  45.         - name: LINKERD2_PROXY_PUBLIC_LISTENER
  46.           value: tcp://0.0.0.0:4143
  47.         - name: LINKERD2_PROXY_POD_NAMESPACE
  48.           valueFrom:
  49.             fieldRef:
  50.               fieldPath: metadata.namespace
  51.         image: gcr.io/linkerd-io/proxy:v18.8.2
  52.         imagePullPolicy: IfNotPresent
  53.         name: linkerd-proxy
  54.         ports:
  55.         - containerPort: 4143
  56.           name: linkerd-proxy
  57.         - containerPort: 4191
  58.           name: linkerd-metrics
  59.         resources: {}
  60.         securityContext:
  61.           runAsUser: 2102
  62.         terminationMessagePolicy: FallbackToLogsOnError
  63.       initContainers:
  64.       - args:
  65.         - --incoming-proxy-port
  66.         - "4143"
  67.         - --outgoing-proxy-port
  68.         - "4140"
  69.         - --proxy-uid
  70.         - "2102"
  71.         - --inbound-ports-to-ignore
  72.         - 4190,4191
  73.         - --outbound-ports-to-ignore
  74.         - "3306"
  75.         image: gcr.io/linkerd-io/proxy-init:v18.8.2
  76.         imagePullPolicy: IfNotPresent
  77.         name: linkerd-init
  78.         resources: {}
  79.         securityContext:
  80.           capabilities:
  81.             add:
  82.             - NET_ADMIN
  83.           privileged: false
  84.         terminationMessagePolicy: FallbackToLogsOnError
  85. status: {}
  86. ---

Note here how the initContainer and linkerd-proxy sidecar are added to themanifest with configuration we passed as command line flags.

原文: https://linkerd.io/2/cli/inject/