dip
/
tenant-catalog
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
Repository for dip
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
4 Commits
17 Branches
0 Tags
3.2 MiB
Tag: Branch: Tree: 7b853ab70e
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '7b853ab70e'
${ noResults }
tenant-catalog/kubeflow/common/knative/knative-serving/base/upstream/net-istio.yaml

465 lines
14 KiB
Raw Blame History

kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: knative-serving-istio
labels:
app.kubernetes.io/component: net-istio
app.kubernetes.io/name: knative-serving
app.kubernetes.io/version: "1.16.0"
serving.knative.dev/controller: "true"
networking.knative.dev/ingress-provider: istio
rules:
- apiGroups: ["networking.istio.io"]
resources: ["virtualservices", "gateways", "destinationrules"]
verbs: ["get", "list", "create", "update", "delete", "patch", "watch"]
---
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
name: knative-ingress-gateway
namespace: knative-serving
labels:
app.kubernetes.io/component: net-istio
app.kubernetes.io/name: knative-serving
app.kubernetes.io/version: "1.16.0"
networking.knative.dev/ingress-provider: istio
spec:
selector:
istio: ingressgateway
servers:
- port:
number: 80
name: http
protocol: HTTP
hosts:
- "*"
---
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
name: knative-local-gateway
namespace: knative-serving
labels:
app.kubernetes.io/component: net-istio
app.kubernetes.io/name: knative-serving
app.kubernetes.io/version: "1.16.0"
networking.knative.dev/ingress-provider: istio
spec:
selector:
istio: ingressgateway
servers:
- port:
number: 8081
name: http
protocol: HTTP
hosts:
- "*"
---
apiVersion: v1
kind: Service
metadata:
name: knative-local-gateway
namespace: istio-system
labels:
app.kubernetes.io/component: net-istio
app.kubernetes.io/name: knative-serving
app.kubernetes.io/version: "1.16.0"
networking.knative.dev/ingress-provider: istio
experimental.istio.io/disable-gateway-port-translation: "true"
spec:
type: ClusterIP
selector:
istio: ingressgateway
ports:
- name: http2
port: 80
targetPort: 8081
- name: https
port: 443
targetPort: 8444
---
apiVersion: v1
kind: ConfigMap
metadata:
name: config-istio
namespace: knative-serving
labels:
app.kubernetes.io/component: net-istio
app.kubernetes.io/name: knative-serving
app.kubernetes.io/version: "1.16.0"
networking.knative.dev/ingress-provider: istio
data:
_example: |
################################
# #
# EXAMPLE CONFIGURATION #
# #
################################
# This block is not actually functional configuration,
# but serves to illustrate the available configuration
# options and document them in a way that is accessible
# to users that `kubectl edit` this config map.
#
# These sample configuration options may be copied out of
# this example block and unindented to be in the data block
# to actually change the configuration.
# external-gateways defines a gateway and Istio service to serve external traffic.
# It is the new and preferred way to define the configuration.
# The format is as follow:
# ```
# external-gateways: |
# - name: {{gateway_name}}
# namespace: {{gateway_namespace}}
# service: {{ingress_name}}.{{ingress_namespace}}.svc.cluster.local
# labelSelector:
# matchExpressions:
# - key: {{label_key}}
# operator: {{operator}}
# values: [{{label_value}}]
# matchLabels:
# {{label_key}}: {{label_value}}
# ```
# name, namespace & service are mandatory and can't be empty. labelSelector is optional.
# If labelSelector is specified, the external gateway will be used by the knative service with matching labels.
# See https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ for more details about labelSelector.
# Only one external gateway can be specified without a selector. It will act as the default external gateway.
external-gateways: |
- name: knative-ingress-gateway
namespace: knative-serving
service: istio-ingressgateway.istio-system.svc.cluster.local
#
#
# The old format has the following pattern:
# ```
# gateway.{{gateway_namespace}}.{{gateway_name}}: "{{ingress_name}}.{{ingress_namespace}}.svc.cluster.local"
# ```
# Please use the new configuration format `external-gateways` for future compatibility.
# This configuration will raise an error if either `external-gateways` or `local-gateways` is defined.
gateway.knative-serving.knative-ingress-gateway: "istio-ingressgateway.istio-system.svc.cluster.local"
# local-gateways defines a cluster local gateway to allow pods outside of the mesh to access
# Services and Routes not exposing through an ingress. If the users
# do have a service mesh setup, this isn't required and can be removed.
#
# An example use case is when users want to use Istio without any
# sidecar injection (like Knative's istio-ci-no-mesh.yaml). Since every pod
# is outside of the service mesh in that case, a cluster-local service
# will need to be exposed to a cluster-local gateway to be accessible.
#
# It is the new and preferred way to define the configuration.
# The format is as follow:
# ```
# local-gateways: |
# - name: {{local_gateway_name}}
# namespace: {{local_gateway_namespace}}
# service: {{cluster_local_gateway_name}}.{{cluster_local_gateway_namespace}}.svc.cluster.local
# labelSelector:
# matchExpressions:
# - key: {{label_key}}
# operator: {{operator}}
# values: [{{label_value}}]
# matchLabels:
# {{label_key}}: {{label_value}}
# ```
# name, namespace & service are mandatory and can't be empty. labelSelector is optional.
# If labelSelector is specified, the local gateway will be used by the knative service with matching labels.
# See https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ for more details about labelSelector.
# Only one local gateway can be specified without a selector. It will act as the default local gateway.
local-gateways: |
- name: knative-local-gateway
namespace: knative-serving
service: knative-local-gateway.istio-system.svc.cluster.local
#
#
# The old format has the following pattern:
# ```
# local-gateway.{{local_gateway_namespace}}.{{local_gateway_name}}:
# "{{cluster_local_gateway_name}}.{{cluster_local_gateway_namespace}}.svc.cluster.local"
# ```
# Please use the new configuration format `local-gateways` for future compatibility.
# This configuration will raise an error if either `external-gateways` or `local-gateways` is defined.
local-gateway.knative-serving.knative-local-gateway: "knative-local-gateway.istio-system.svc.cluster.local"
---
apiVersion: "security.istio.io/v1beta1"
kind: "PeerAuthentication"
metadata:
name: "webhook"
namespace: "knative-serving"
labels:
app.kubernetes.io/component: net-istio
app.kubernetes.io/name: knative-serving
app.kubernetes.io/version: "1.16.0"
networking.knative.dev/ingress-provider: istio
spec:
selector:
matchLabels:
app: webhook
portLevelMtls:
"8443":
mode: PERMISSIVE
---
apiVersion: "security.istio.io/v1beta1"
kind: "PeerAuthentication"
metadata:
name: "net-istio-webhook"
namespace: "knative-serving"
labels:
app.kubernetes.io/component: net-istio
app.kubernetes.io/name: knative-serving
app.kubernetes.io/version: "1.16.0"
networking.knative.dev/ingress-provider: istio
spec:
selector:
matchLabels:
app: net-istio-webhook
portLevelMtls:
"8443":
mode: PERMISSIVE
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: net-istio-controller
namespace: knative-serving
labels:
app.kubernetes.io/component: net-istio
app.kubernetes.io/name: knative-serving
app.kubernetes.io/version: "1.16.0"
networking.knative.dev/ingress-provider: istio
spec:
selector:
matchLabels:
app: net-istio-controller
template:
metadata:
labels:
sidecar.istio.io/inject: "false"
app: net-istio-controller
app.kubernetes.io/component: net-istio
app.kubernetes.io/name: knative-serving
app.kubernetes.io/version: "1.16.0"
spec:
serviceAccountName: controller
containers:
- name: controller
image: gcr.io/knative-releases/knative.dev/net-istio/cmd/controller@sha256:e70bc675f97778da144157f125b3001124ba7a5903b85dab9e77776352fea1c7
resources:
requests:
cpu: 30m
memory: 40Mi
limits:
cpu: 300m
memory: 400Mi
env:
- name: SYSTEM_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: CONFIG_LOGGING_NAME
value: config-logging
- name: CONFIG_OBSERVABILITY_NAME
value: config-observability
- name: ENABLE_SECRET_INFORMER_FILTERING_BY_CERT_UID
value: "false"
- name: METRICS_DOMAIN
value: knative.dev/net-istio
securityContext:
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
runAsNonRoot: true
capabilities:
drop:
- ALL
seccompProfile:
type: RuntimeDefault
readinessProbe:
httpGet:
path: /readiness
port: probes
scheme: HTTP
periodSeconds: 5
failureThreshold: 3
livenessProbe:
httpGet:
path: /health
port: probes
scheme: HTTP
periodSeconds: 5
failureThreshold: 6
ports:
- name: metrics
containerPort: 9090
- name: profiling
containerPort: 8008
- name: probes
containerPort: 8080
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: net-istio-webhook
namespace: knative-serving
labels:
app.kubernetes.io/component: net-istio
app.kubernetes.io/name: knative-serving
app.kubernetes.io/version: "1.16.0"
networking.knative.dev/ingress-provider: istio
spec:
selector:
matchLabels:
app: net-istio-webhook
role: net-istio-webhook
template:
metadata:
labels:
app: net-istio-webhook
role: net-istio-webhook
app.kubernetes.io/component: net-istio
app.kubernetes.io/name: knative-serving
app.kubernetes.io/version: "1.16.0"
spec:
serviceAccountName: controller
containers:
- name: webhook
image: gcr.io/knative-releases/knative.dev/net-istio/cmd/webhook@sha256:7d76a6d42d139ed53aae3ca2dfd600b1c776eb85a17af64dd1b604176a4b132a
resources:
requests:
cpu: 20m
memory: 20Mi
limits:
cpu: 200m
memory: 200Mi
env:
- name: SYSTEM_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: CONFIG_LOGGING_NAME
value: config-logging
- name: CONFIG_OBSERVABILITY_NAME
value: config-observability
- name: METRICS_DOMAIN
value: knative.dev/net-istio
- name: WEBHOOK_NAME
value: net-istio-webhook
- name: WEBHOOK_PORT
value: "8443"
securityContext:
runAsNonRoot: true
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
seccompProfile:
type: RuntimeDefault
readinessProbe:
periodSeconds: 1
httpGet:
scheme: HTTPS
port: 8443
failureThreshold: 3
livenessProbe:
periodSeconds: 10
httpGet:
scheme: HTTPS
port: 8443
failureThreshold: 6
initialDelaySeconds: 20
ports:
- name: metrics
containerPort: 9090
- name: profiling
containerPort: 8008
- name: https-webhook
containerPort: 8443
---
apiVersion: v1
kind: Secret
metadata:
name: net-istio-webhook-certs
namespace: knative-serving
labels:
app.kubernetes.io/component: net-istio
app.kubernetes.io/name: knative-serving
app.kubernetes.io/version: "1.16.0"
networking.knative.dev/ingress-provider: istio
---
apiVersion: v1
kind: Service
metadata:
name: net-istio-webhook
namespace: knative-serving
labels:
role: net-istio-webhook
app.kubernetes.io/component: net-istio
app.kubernetes.io/name: knative-serving
app.kubernetes.io/version: "1.16.0"
networking.knative.dev/ingress-provider: istio
spec:
ports:
- name: http-metrics
port: 9090
targetPort: metrics
- name: http-profiling
port: 8008
targetPort: profiling
- name: https-webhook
port: 443
targetPort: https-webhook
selector:
app: net-istio-webhook
---
apiVersion: admissionregistration.k8s.io/v1
kind: MutatingWebhookConfiguration
metadata:
name: webhook.istio.networking.internal.knative.dev
labels:
app.kubernetes.io/component: net-istio
app.kubernetes.io/name: knative-serving
app.kubernetes.io/version: "1.16.0"
networking.knative.dev/ingress-provider: istio
webhooks:
- admissionReviewVersions:
- v1
- v1beta1
clientConfig:
service:
name: net-istio-webhook
namespace: knative-serving
failurePolicy: Fail
sideEffects: None
objectSelector:
matchExpressions:
- {key: "serving.knative.dev/configuration", operator: Exists}
name: webhook.istio.networking.internal.knative.dev
---
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
name: config.webhook.istio.networking.internal.knative.dev
labels:
app.kubernetes.io/component: net-istio
app.kubernetes.io/name: knative-serving
app.kubernetes.io/version: "1.16.0"
networking.knative.dev/ingress-provider: istio
webhooks:
- admissionReviewVersions:
- v1
- v1beta1
clientConfig:
service:
name: net-istio-webhook
namespace: knative-serving
failurePolicy: Fail
sideEffects: None
name: config.webhook.istio.networking.internal.knative.dev
objectSelector:
matchLabels:
app.kubernetes.io/name: knative-serving
app.kubernetes.io/component: net-istio
---