# Knative net-istio ingress-provider manifest (all objects carry the
# app.kubernetes.io/version "1.16.0" label). It is a multi-document file:
# RBAC for the controller, the two Istio Gateways, the cluster-local gateway
# Service, the config-istio ConfigMap, PeerAuthentication exceptions for the
# webhooks, the controller and webhook Deployments, the webhook cert Secret
# and Service, and the two admission webhook registrations.

# ClusterRole for the net-istio controller: cluster-wide CRUD on Istio
# VirtualServices, Gateways and DestinationRules, with no resourceNames
# restriction. No ClusterRoleBinding appears in this file; the
# serving.knative.dev/controller label is presumably what an aggregationRule
# elsewhere in Knative Serving selects on — confirm against the core manifest.
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: knative-serving-istio
  labels:
    app.kubernetes.io/component: net-istio
    app.kubernetes.io/name: knative-serving
    app.kubernetes.io/version: "1.16.0"
    serving.knative.dev/controller: "true"
    networking.knative.dev/ingress-provider: istio
rules:
  - apiGroups: ["networking.istio.io"]
    resources: ["virtualservices", "gateways", "destinationrules"]
    verbs: ["get", "list", "create", "update", "delete", "patch", "watch"]
---
# External ingress Gateway. Only a plain-HTTP server on port 80 for every
# host ("*") is declared here; no TLS server is defined in this manifest.
# NOTE(review): if external traffic must be TLS-terminated, the HTTPS server
# (and its credential) has to be added to this Gateway separately.
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  name: knative-ingress-gateway
  namespace: knative-serving
  labels:
    app.kubernetes.io/component: net-istio
    app.kubernetes.io/name: knative-serving
    app.kubernetes.io/version: "1.16.0"
    networking.knative.dev/ingress-provider: istio
spec:
  selector:
    istio: ingressgateway
  servers:
    - port:
        number: 80
        name: http
        protocol: HTTP
      hosts:
        - "*"
---
# Cluster-local Gateway. It selects the same istio: ingressgateway workload
# as the external Gateway above; cluster-local traffic is distinguished only
# by listening on port 8081 instead of 80.
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  name: knative-local-gateway
  namespace: knative-serving
  labels:
    app.kubernetes.io/component: net-istio
    app.kubernetes.io/name: knative-serving
    app.kubernetes.io/version: "1.16.0"
    networking.knative.dev/ingress-provider: istio
spec:
  selector:
    istio: ingressgateway
  servers:
    - port:
        number: 8081
        name: http
        protocol: HTTP
      hosts:
        - "*"
---
# ClusterIP Service in istio-system that fronts the cluster-local Gateway:
# 80 -> 8081 (the HTTP server declared above) and 443 -> 8444.
# NOTE(review): no server on 8444 is declared by the knative-local-gateway
# Gateway in this file; presumably reserved for a TLS local gateway — confirm.
# experimental.istio.io/disable-gateway-port-translation is set as a label
# (not an annotation) here.
apiVersion: v1
kind: Service
metadata:
  name: knative-local-gateway
  namespace: istio-system
  labels:
    app.kubernetes.io/component: net-istio
    app.kubernetes.io/name: knative-serving
    app.kubernetes.io/version: "1.16.0"
    networking.knative.dev/ingress-provider: istio
    experimental.istio.io/disable-gateway-port-translation: "true"
spec:
  type: ClusterIP
  selector:
    istio: ingressgateway
  ports:
    - name: http2
      port: 80
      targetPort: 8081
    - name: https
      port: 443
      targetPort: 8444
---
# config-istio ConfigMap. The only data key is _example, which (as its own
# text says) is documentation for operators, not live configuration: it
# documents external-gateways / local-gateways and the legacy
# gateway.<ns>.<name> / local-gateway.<ns>.<name> keys. Active settings go
# directly under data:, unindented. The block scalar below is runtime data
# and is kept verbatim.
apiVersion: v1
kind: ConfigMap
metadata:
  name: config-istio
  namespace: knative-serving
  labels:
    app.kubernetes.io/component: net-istio
    app.kubernetes.io/name: knative-serving
    app.kubernetes.io/version: "1.16.0"
    networking.knative.dev/ingress-provider: istio
data:
  _example: |
    ################################
    #                              #
    #    EXAMPLE CONFIGURATION     #
    #                              #
    ################################

    # This block is not actually functional configuration,
    # but serves to illustrate the available configuration
    # options and document them in a way that is accessible
    # to users that `kubectl edit` this config map.
    #
    # These sample configuration options may be copied out of
    # this example block and unindented to be in the data block
    # to actually change the configuration.

    # external-gateways defines a gateway and Istio service to serve external traffic.
    # It is the new and preferred way to define the configuration.
    # The format is as follow:
    # ```
    # external-gateways: |
    #   - name: {{gateway_name}}
    #     namespace: {{gateway_namespace}}
    #     service: {{ingress_name}}.{{ingress_namespace}}.svc.cluster.local
    #     labelSelector:
    #       matchExpressions:
    #         - key: {{label_key}}
    #           operator: {{operator}}
    #           values: [{{label_value}}]
    #       matchLabels:
    #         {{label_key}}: {{label_value}}
    # ```
    # name, namespace & service are mandatory and can't be empty. labelSelector is optional.
    # If labelSelector is specified, the external gateway will be used by the knative service with matching labels.
    # See https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ for more details about labelSelector.
    # Only one external gateway can be specified without a selector. It will act as the default external gateway.
    external-gateways: |
      - name: knative-ingress-gateway
        namespace: knative-serving
        service: istio-ingressgateway.istio-system.svc.cluster.local
    #
    #
    # The old format has the following pattern:
    # ```
    # gateway.{{gateway_namespace}}.{{gateway_name}}: "{{ingress_name}}.{{ingress_namespace}}.svc.cluster.local"
    # ```
    # Please use the new configuration format `external-gateways` for future compatibility.
    # This configuration will raise an error if either `external-gateways` or `local-gateways` is defined.
    gateway.knative-serving.knative-ingress-gateway: "istio-ingressgateway.istio-system.svc.cluster.local"

    # local-gateways defines a cluster local gateway to allow pods outside of the mesh to access
    # Services and Routes not exposing through an ingress.  If the users
    # do have a service mesh setup, this isn't required and can be removed.
    #
    # An example use case is when users want to use Istio without any
    # sidecar injection (like Knative's istio-ci-no-mesh.yaml).  Since every pod
    # is outside of the service mesh in that case, a cluster-local service
    # will need to be exposed to a cluster-local gateway to be accessible.
    #
    # It is the new and preferred way to define the configuration.
    # The format is as follow:
    # ```
    # local-gateways: |
    #   - name: {{local_gateway_name}}
    #     namespace: {{local_gateway_namespace}}
    #     service: {{cluster_local_gateway_name}}.{{cluster_local_gateway_namespace}}.svc.cluster.local
    #     labelSelector:
    #       matchExpressions:
    #         - key: {{label_key}}
    #           operator: {{operator}}
    #           values: [{{label_value}}]
    #       matchLabels:
    #         {{label_key}}: {{label_value}}
    # ```
    # name, namespace & service are mandatory and can't be empty. labelSelector is optional.
    # If labelSelector is specified, the local gateway will be used by the knative service with matching labels.
    # See https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ for more details about labelSelector.
    # Only one local gateway can be specified without a selector. It will act as the default local gateway.
    local-gateways: |
      - name: knative-local-gateway
        namespace: knative-serving
        service: knative-local-gateway.istio-system.svc.cluster.local
    #
    #
    # The old format has the following pattern:
    # ```
    # local-gateway.{{local_gateway_namespace}}.{{local_gateway_name}}:
    #   "{{cluster_local_gateway_name}}.{{cluster_local_gateway_namespace}}.svc.cluster.local"
    # ```
    # Please use the new configuration format `local-gateways` for future compatibility.
    # This configuration will raise an error if either `external-gateways` or `local-gateways` is defined.
    local-gateway.knative-serving.knative-local-gateway: "knative-local-gateway.istio-system.svc.cluster.local"
---
# PeerAuthentication for pods labelled app: webhook (that Deployment is not
# in this file; presumably Knative Serving's core webhook — confirm).
# portLevelMtls limits the exception to port 8443: PERMISSIVE there means
# connections that are not Istio mTLS are accepted alongside mTLS ones,
# presumably so the kube-apiserver, which is not a mesh member, can reach the
# admission webhook — confirm. Every other port keeps the mesh-wide policy.
apiVersion: "security.istio.io/v1beta1"
kind: "PeerAuthentication"
metadata:
  name: "webhook"
  namespace: "knative-serving"
  labels:
    app.kubernetes.io/component: net-istio
    app.kubernetes.io/name: knative-serving
    app.kubernetes.io/version: "1.16.0"
    networking.knative.dev/ingress-provider: istio
spec:
  selector:
    matchLabels:
      app: webhook
  portLevelMtls:
    "8443":
      mode: PERMISSIVE
---
# Same port-8443 PERMISSIVE exception for the net-istio-webhook Deployment
# defined below (its container listens on 8443 per WEBHOOK_PORT).
apiVersion: "security.istio.io/v1beta1"
kind: "PeerAuthentication"
metadata:
  name: "net-istio-webhook"
  namespace: "knative-serving"
  labels:
    app.kubernetes.io/component: net-istio
    app.kubernetes.io/name: knative-serving
    app.kubernetes.io/version: "1.16.0"
    networking.knative.dev/ingress-provider: istio
spec:
  selector:
    matchLabels:
      app: net-istio-webhook
  portLevelMtls:
    "8443":
      mode: PERMISSIVE
---
# net-istio controller Deployment.
# - Pod template opts out of sidecar injection (sidecar.istio.io/inject "false").
# - Runs as the `controller` ServiceAccount, which is not defined in this file
#   (presumably shared with Knative Serving's core controller — confirm; the
#   ClusterRole at the top of the file is the only RBAC object here).
# - Image is pinned by digest, so the tag cannot be moved underneath it.
# - Container securityContext: no privilege escalation, read-only root
#   filesystem, non-root, all capabilities dropped, RuntimeDefault seccomp.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: net-istio-controller
  namespace: knative-serving
  labels:
    app.kubernetes.io/component: net-istio
    app.kubernetes.io/name: knative-serving
    app.kubernetes.io/version: "1.16.0"
    networking.knative.dev/ingress-provider: istio
spec:
  selector:
    matchLabels:
      app: net-istio-controller
  template:
    metadata:
      labels:
        sidecar.istio.io/inject: "false"
        app: net-istio-controller
        app.kubernetes.io/component: net-istio
        app.kubernetes.io/name: knative-serving
        app.kubernetes.io/version: "1.16.0"
    spec:
      serviceAccountName: controller
      containers:
        - name: controller
          image: gcr.io/knative-releases/knative.dev/net-istio/cmd/controller@sha256:e70bc675f97778da144157f125b3001124ba7a5903b85dab9e77776352fea1c7
          resources:
            requests:
              cpu: 30m
              memory: 40Mi
            limits:
              cpu: 300m
              memory: 400Mi
          env:
            - name: SYSTEM_NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
            - name: CONFIG_LOGGING_NAME
              value: config-logging
            - name: CONFIG_OBSERVABILITY_NAME
              value: config-observability
            # NOTE(review): with filtering by cert UID disabled the controller's
            # Secret informer is presumably unfiltered; what it can actually
            # list is bounded by the RBAC of the `controller` ServiceAccount —
            # verify that scope when hardening.
            - name: ENABLE_SECRET_INFORMER_FILTERING_BY_CERT_UID
              value: "false"
            - name: METRICS_DOMAIN
              value: knative.dev/net-istio
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            runAsNonRoot: true
            capabilities:
              drop:
                - ALL
            seccompProfile:
              type: RuntimeDefault
          # Probes use the named `probes` port (8080) over plain HTTP.
          readinessProbe:
            httpGet:
              path: /readiness
              port: probes
              scheme: HTTP
            periodSeconds: 5
            failureThreshold: 3
          livenessProbe:
            httpGet:
              path: /health
              port: probes
              scheme: HTTP
            periodSeconds: 5
            failureThreshold: 6
          ports:
            - name: metrics
              containerPort: 9090
            - name: profiling
              containerPort: 8008
            - name: probes
              containerPort: 8080
---
# net-istio admission webhook Deployment (also runs as the `controller`
# ServiceAccount; image pinned by digest).
# NOTE(review): unlike the controller above, this pod template carries no
# sidecar.istio.io/inject label, and the container securityContext omits
# readOnlyRootFilesystem. Before aligning it with the controller, confirm
# whether the webhook writes anywhere on its root filesystem.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: net-istio-webhook
  namespace: knative-serving
  labels:
    app.kubernetes.io/component: net-istio
    app.kubernetes.io/name: knative-serving
    app.kubernetes.io/version: "1.16.0"
    networking.knative.dev/ingress-provider: istio
spec:
  selector:
    matchLabels:
      app: net-istio-webhook
      role: net-istio-webhook
  template:
    metadata:
      labels:
        app: net-istio-webhook
        role: net-istio-webhook
        app.kubernetes.io/component: net-istio
        app.kubernetes.io/name: knative-serving
        app.kubernetes.io/version: "1.16.0"
    spec:
      serviceAccountName: controller
      containers:
        - name: webhook
          image: gcr.io/knative-releases/knative.dev/net-istio/cmd/webhook@sha256:7d76a6d42d139ed53aae3ca2dfd600b1c776eb85a17af64dd1b604176a4b132a
          resources:
            requests:
              cpu: 20m
              memory: 20Mi
            limits:
              cpu: 200m
              memory: 200Mi
          env:
            - name: SYSTEM_NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
            - name: CONFIG_LOGGING_NAME
              value: config-logging
            - name: CONFIG_OBSERVABILITY_NAME
              value: config-observability
            - name: METRICS_DOMAIN
              value: knative.dev/net-istio
            - name: WEBHOOK_NAME
              value: net-istio-webhook
            # Quoted so the port stays a string in the environment.
            - name: WEBHOOK_PORT
              value: "8443"
          securityContext:
            runAsNonRoot: true
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
            seccompProfile:
              type: RuntimeDefault
          # Probes hit the webhook's own TLS listener on 8443 (no path given).
          readinessProbe:
            periodSeconds: 1
            httpGet:
              scheme: HTTPS
              port: 8443
            failureThreshold: 3
          livenessProbe:
            periodSeconds: 10
            httpGet:
              scheme: HTTPS
              port: 8443
            failureThreshold: 6
            initialDelaySeconds: 20
          ports:
            - name: metrics
              containerPort: 9090
            - name: profiling
              containerPort: 8008
            - name: https-webhook
              containerPort: 8443
---
# Secret that will hold the webhook serving certificate. It is created with
# no data or type here; presumably populated by the webhook at runtime —
# confirm. Nothing in this manifest supplies cert material.
apiVersion: v1
kind: Secret
metadata:
  name: net-istio-webhook-certs
  namespace: knative-serving
  labels:
    app.kubernetes.io/component: net-istio
    app.kubernetes.io/name: knative-serving
    app.kubernetes.io/version: "1.16.0"
    networking.knative.dev/ingress-provider: istio
---
# Service in front of the webhook pods. Besides the admission endpoint
# (443 -> https-webhook) it also publishes the metrics (9090) and profiling
# (8008) ports cluster-wide. NOTE(review): the profiling endpoint is reachable
# from any pod that can reach this Service; restrict with NetworkPolicy if
# that exposure is not wanted.
apiVersion: v1
kind: Service
metadata:
  name: net-istio-webhook
  namespace: knative-serving
  labels:
    role: net-istio-webhook
    app.kubernetes.io/component: net-istio
    app.kubernetes.io/name: knative-serving
    app.kubernetes.io/version: "1.16.0"
    networking.knative.dev/ingress-provider: istio
spec:
  ports:
    - name: http-metrics
      port: 9090
      targetPort: metrics
    - name: http-profiling
      port: 8008
      targetPort: profiling
    - name: https-webhook
      port: 443
      targetPort: https-webhook
  selector:
    app: net-istio-webhook
---
# Mutating webhook registration. failurePolicy: Fail makes admission
# fail-closed when the webhook is unreachable; sideEffects: None is declared.
# Only objects carrying the serving.knative.dev/configuration label are sent.
# No `rules` and no clientConfig.caBundle appear here; presumably both are
# written in at runtime by the webhook — confirm, since until then the
# registration has no effect.
apiVersion: admissionregistration.k8s.io/v1
kind: MutatingWebhookConfiguration
metadata:
  name: webhook.istio.networking.internal.knative.dev
  labels:
    app.kubernetes.io/component: net-istio
    app.kubernetes.io/name: knative-serving
    app.kubernetes.io/version: "1.16.0"
    networking.knative.dev/ingress-provider: istio
webhooks:
  - admissionReviewVersions:
      - v1
      - v1beta1
    clientConfig:
      service:
        name: net-istio-webhook
        namespace: knative-serving
    failurePolicy: Fail
    sideEffects: None
    objectSelector:
      matchExpressions:
        - {key: "serving.knative.dev/configuration", operator: Exists}
    name: webhook.istio.networking.internal.knative.dev
---
# Validating webhook registration, also fail-closed. Its objectSelector
# matches the app.kubernetes.io/name + component labels carried by the
# config-istio ConfigMap in this file; presumably this is what validates
# edits to that ConfigMap — confirm. As above, `rules` and caBundle are
# absent from the manifest.
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
  name: config.webhook.istio.networking.internal.knative.dev
  labels:
    app.kubernetes.io/component: net-istio
    app.kubernetes.io/name: knative-serving
    app.kubernetes.io/version: "1.16.0"
    networking.knative.dev/ingress-provider: istio
webhooks:
  - admissionReviewVersions:
      - v1
      - v1beta1
    clientConfig:
      service:
        name: net-istio-webhook
        namespace: knative-serving
    failurePolicy: Fail
    sideEffects: None
    name: config.webhook.istio.networking.internal.knative.dev
    objectSelector:
      matchLabels:
        app.kubernetes.io/name: knative-serving
        app.kubernetes.io/component: net-istio
---