# Generated when HEAD was 9d63653a2ad432cdb0af7d28fed7030069ebedf0
#
# Copyright 2019 The Knative Authors
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     https://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# Cluster-wide RBAC for the Istio ingress implementation: full CRUD on the
# three Istio networking resource types Knative programs, in every namespace.
# No RoleBinding/ClusterRoleBinding is declared in this file; the
# `serving.knative.dev/controller: "true"` label is presumably what aggregates
# this role into the Knative controller's ClusterRole — verify against the
# serving core manifests.
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  # These are the permissions needed by the Istio Ingress implementation.
  name: knative-serving-istio
  labels:
    serving.knative.dev/release: 'v0.26.0'
    serving.knative.dev/controller: 'true'
    networking.knative.dev/ingress-provider: istio
rules:
  - apiGroups:
      - networking.istio.io
    resources:
      - virtualservices
      - gateways
      - destinationrules
    verbs:
      - get
      - list
      - create
      - update
      - delete
      - patch
      - watch
---
# Copyright 2019 The Knative Authors
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     https://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# This is the shared Gateway for all Knative routes to use.
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: knative-ingress-gateway
  namespace: knative-serving
  labels:
    serving.knative.dev/release: 'v0.26.0'
    networking.knative.dev/ingress-provider: istio
spec:
  # Binds this Gateway to the pods labelled `istio: ingressgateway`; the
  # Service fronting them is named in config-istio (see that ConfigMap below).
  selector:
    istio: ingressgateway
  servers:
    # Plaintext HTTP only: no HTTPS server (and therefore no TLS
    # credential) is declared on this Gateway, and it accepts every host.
    - port:
        number: 80
        name: http
        protocol: HTTP
      hosts:
        - '*'
---
# Copyright 2019 The Knative Authors
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     https://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# A cluster local gateway to allow pods outside of the mesh to access
# Services and Routes not exposing through an ingress. If the users
# do have a service mesh setup, this isn't required.
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: knative-local-gateway
  namespace: knative-serving
  labels:
    serving.knative.dev/release: 'v0.26.0'
    networking.knative.dev/ingress-provider: istio
spec:
  # Same pod selector as the external Gateway above: the cluster-local
  # listener runs on the very same ingressgateway pods, on port 8081.
  # Whether 8081 is reachable from outside the cluster depends on the
  # istio-ingressgateway Service/LoadBalancer, which is not in this file — verify.
  selector:
    istio: ingressgateway
  servers:
    - port:
        number: 8081
        name: http
        protocol: HTTP
      hosts:
        - '*'
---
# ClusterIP Service (not externally exposed) that maps in-cluster port 80 to
# the local-gateway listener on 8081 of the ingressgateway pods. It lives in
# istio-system so that its selector can match those pods.
apiVersion: v1
kind: Service
metadata:
  name: knative-local-gateway
  namespace: istio-system
  labels:
    serving.knative.dev/release: 'v0.26.0'
    networking.knative.dev/ingress-provider: istio
    # Asks Istio not to rewrite the 80 -> 8081 mapping for this Service.
    experimental.istio.io/disable-gateway-port-translation: 'true'
spec:
  type: ClusterIP
  selector:
    istio: ingressgateway
  ports:
    - name: http2
      port: 80
      targetPort: 8081
---
# Copyright 2018 The Knative Authors
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     https://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# Configuration of the Istio ingress provider. Only the `_example` block is
# present, so every key shown is documentation; nothing in `data` is live
# configuration until a key is copied out of `_example` and unindented.
apiVersion: v1
kind: ConfigMap
metadata:
  name: config-istio
  namespace: knative-serving
  labels:
    serving.knative.dev/release: 'v0.26.0'
    networking.knative.dev/ingress-provider: istio
data:
  _example: |
    ################################
    #                              #
    #    EXAMPLE CONFIGURATION     #
    #                              #
    ################################

    # This block is not actually functional configuration,
    # but serves to illustrate the available configuration
    # options and document them in a way that is accessible
    # to users that `kubectl edit` this config map.
    #
    # These sample configuration options may be copied out of
    # this example block and unindented to be in the data block
    # to actually change the configuration.

    # A gateway and Istio service to serve external traffic.
    # The configuration format should be
    # `gateway.{{gateway_namespace}}.{{gateway_name}}: "{{ingress_name}}.{{ingress_namespace}}.svc.cluster.local"`.
    # The {{gateway_namespace}} is optional; when it is omitted, the system will search for
    # the gateway in the serving system namespace `knative-serving`
    gateway.knative-serving.knative-ingress-gateway: "istio-ingressgateway.istio-system.svc.cluster.local"

    # A cluster local gateway to allow pods outside of the mesh to access
    # Services and Routes not exposing through an ingress. If the users
    # do have a service mesh setup, this isn't required and can be removed.
    #
    # An example use case is when users want to use Istio without any
    # sidecar injection (like Knative's istio-ci-no-mesh.yaml). Since every pod
    # is outside of the service mesh in that case, a cluster-local service
    # will need to be exposed to a cluster-local gateway to be accessible.
    # The configuration format should be `local-gateway.{{local_gateway_namespace}}.
    # {{local_gateway_name}}: "{{cluster_local_gateway_name}}.
    # {{cluster_local_gateway_namespace}}.svc.cluster.local"`. The
    # {{local_gateway_namespace}} is optional; when it is omitted, the system
    # will search for the local gateway in the serving system namespace
    # `knative-serving`
    local-gateway.knative-serving.knative-local-gateway: "knative-local-gateway.istio-system.svc.cluster.local"

    # To use only Istio service mesh and no knative-local-gateway, replace
    # all local-gateway.* entries by the following entry.
    local-gateway.mesh: "mesh"

    # If true, knative will use the Istio VirtualService's status to determine
    # endpoint readiness. Otherwise, probe as usual.
    # NOTE: This feature is currently experimental and should not be used in production.
    enable-virtualservice-status: "false"

    # TODO(nghia): Extract the .svc.cluster.local suffix into its own config.
---
# Allows the Webhooks to be reached by kube-api with or without
# sidecar injection and with mTLS PERMISSIVE and STRICT.
# Three port-scoped PeerAuthentications, one per Knative webhook workload.
# Each relaxes only the webhook's HTTPS port (8443) to PERMISSIVE so that the
# kube-apiserver, which is not a mesh member, can still call the webhook; the
# webhook port carries its own TLS regardless (see `https-webhook` below).
# Ports not listed here are not covered by these policies and presumably keep
# the namespace- or mesh-wide mTLS mode — confirm against the mesh policy.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: webhook
  namespace: knative-serving
  labels:
    serving.knative.dev/release: 'v0.26.0'
    networking.knative.dev/ingress-provider: istio
spec:
  selector:
    matchLabels:
      app: webhook
  portLevelMtls:
    8443:
      mode: PERMISSIVE
---
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: domainmapping-webhook
  namespace: knative-serving
  labels:
    serving.knative.dev/release: 'v0.26.0'
    networking.knative.dev/ingress-provider: istio
spec:
  selector:
    matchLabels:
      app: domainmapping-webhook
  portLevelMtls:
    8443:
      mode: PERMISSIVE
---
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: net-istio-webhook
  namespace: knative-serving
  labels:
    serving.knative.dev/release: 'v0.26.0'
    networking.knative.dev/ingress-provider: istio
spec:
  selector:
    matchLabels:
      app: net-istio-webhook
  portLevelMtls:
    8443:
      mode: PERMISSIVE
---
# Copyright 2019 The Knative Authors
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     https://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# The net-istio controller: reconciles Knative ingress objects into Istio
# VirtualServices/Gateways/DestinationRules (the ClusterRole at the top of this
# file is its permission set).
apiVersion: apps/v1
kind: Deployment
metadata:
  name: net-istio-controller
  namespace: knative-serving
  labels:
    serving.knative.dev/release: 'v0.26.0'
    networking.knative.dev/ingress-provider: istio
spec:
  selector:
    matchLabels:
      app: net-istio-controller
  template:
    metadata:
      annotations:
        cluster-autoscaler.kubernetes.io/safe-to-evict: 'true'
        # This must be outside of the mesh to probe the gateways.
        # NOTE: this is allowed here and not elsewhere because
        # this is the Istio controller, and so it may be Istio-aware.
        sidecar.istio.io/inject: 'false'
      labels:
        app: net-istio-controller
        serving.knative.dev/release: 'v0.26.0'
    spec:
      serviceAccountName: controller
      containers:
        - name: controller
          # Mirrored build of the net-istio controller, referenced by a
          # mutable tag. Note the tag (0.26.2) does not match the release
          # label on these manifests (v0.26.0); pinning by digest
          # (`...@sha256:<digest>`) would make the deployed bits unambiguous.
          image: registry.cn-hangzhou.aliyuncs.com/aliacs-app-catalog/asm-net-istio-cmd-controller:0.26.2
          resources:
            requests:
              cpu: 30m
              memory: 40Mi
            limits:
              cpu: 300m
              memory: 400Mi
          env:
            - name: SYSTEM_NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
            - name: CONFIG_LOGGING_NAME
              value: config-logging
            - name: CONFIG_OBSERVABILITY_NAME
              value: config-observability
            # TODO(https://github.com/knative/pkg/pull/953): Remove stackdriver specific config
            - name: METRICS_DOMAIN
              value: knative.dev/net-istio
          # Hardened container: no privilege escalation, read-only root
          # filesystem, non-root user, all Linux capabilities dropped.
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            runAsNonRoot: true
            capabilities:
              drop:
                - all
          ports:
            - name: metrics
              containerPort: 9090
            # Exposes pprof on the pod network when profiling is enabled;
            # presumably governed by config-observability — verify before
            # relying on it being closed.
            - name: profiling
              containerPort: 8008
      # Unlike other controllers, this doesn't need a Service defined for metrics and
      # profiling because it opts out of the mesh (see annotation above).
---
# Copyright 2020 The Knative Authors
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     https://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
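# The net-istio admission webhook (serves the Mutating/Validating
# WebhookConfigurations at the end of this file over HTTPS on 8443).
#
# Its pod securityContext is brought in line with the net-istio-controller
# Deployment in this file: the original declared only
# `allowPrivilegeEscalation: false`, leaving the root filesystem writable,
# the user unconstrained and all capabilities granted, although the webhook
# needs none of them.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: net-istio-webhook
  namespace: knative-serving
  labels:
    serving.knative.dev/release: 'v0.26.0'
    networking.knative.dev/ingress-provider: istio
spec:
  selector:
    matchLabels:
      app: net-istio-webhook
      role: net-istio-webhook
  template:
    metadata:
      annotations:
        # Admission with failurePolicy: Fail blocks API writes while the
        # webhook is down, so evicting it for scale-down is disallowed.
        cluster-autoscaler.kubernetes.io/safe-to-evict: 'false'
      labels:
        app: net-istio-webhook
        role: net-istio-webhook
        serving.knative.dev/release: 'v0.26.0'
    spec:
      serviceAccountName: controller
      containers:
        - name: webhook
          # Mirrored build of the net-istio webhook, referenced by a mutable
          # tag (0.26.2, while the manifests are labelled v0.26.0). Pinning by
          # digest (`...@sha256:<digest>`) would make the deployed bits unambiguous.
          image: registry.cn-hangzhou.aliyuncs.com/aliacs-app-catalog/asm-net-istio-cmd-webhook:0.26.2
          resources:
            requests:
              cpu: 20m
              memory: 20Mi
            limits:
              cpu: 200m
              memory: 200Mi
          env:
            - name: SYSTEM_NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
            - name: CONFIG_LOGGING_NAME
              value: config-logging
            - name: CONFIG_OBSERVABILITY_NAME
              value: config-observability
            # TODO(https://github.com/knative/pkg/pull/953): Remove stackdriver specific config
            - name: METRICS_DOMAIN
              value: knative.dev/net-istio
            - name: WEBHOOK_NAME
              value: net-istio-webhook
          # Same hardening as the controller container in this file.
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            runAsNonRoot: true
            capabilities:
              drop:
                - all
          ports:
            - name: metrics
              containerPort: 9090
            # pprof endpoint; presumably only served when profiling is enabled
            # in config-observability — verify.
            - name: profiling
              containerPort: 8008
            # Admission endpoint; TLS is terminated by the webhook itself
            # (the PeerAuthentication above makes this port PERMISSIVE).
            - name: https-webhook
              containerPort: 8443
---
# Copyright 2020 The Knative Authors
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     https://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.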
# Placeholder for the webhook's serving certificate. No `data` is declared,
# so the Secret is created empty; presumably the webhook generates its
# certificate at runtime and writes it here — verify before treating the
# absence of key material as an error.
apiVersion: v1
kind: Secret
metadata:
  name: net-istio-webhook-certs
  namespace: knative-serving
  labels:
    serving.knative.dev/release: 'v0.26.0'
    networking.knative.dev/ingress-provider: istio
---
# Copyright 2020 The Knative Authors
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     https://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# Service fronting the net-istio-webhook pods. The port names carry the
# `http-`/`https-` prefixes Istio uses for protocol selection inside the mesh.
apiVersion: v1
kind: Service
metadata:
  name: net-istio-webhook
  namespace: knative-serving
  labels:
    role: net-istio-webhook
    serving.knative.dev/release: 'v0.26.0'
    networking.knative.dev/ingress-provider: istio
spec:
  ports:
    # Define metrics and profiling for them to be accessible within service meshes.
    - name: http-metrics
      port: 9090
      targetPort: 9090
    - name: http-profiling
      port: 8008
      targetPort: 8008
    # Admission traffic: the WebhookConfigurations below reference this
    # Service without a port, i.e. the default 443, mapped here to 8443.
    - name: https-webhook
      port: 443
      targetPort: 8443
  selector:
    app: net-istio-webhook
---
# Copyright 2020 The Knative Authors
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     https://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# Mutating admission hook backed by the net-istio-webhook Service.
# Neither `rules` nor `clientConfig.caBundle` is declared here; presumably
# the webhook reconciles both into this object at startup — verify, since
# until it does the configuration matches nothing.
# `failurePolicy: Fail` is fail-closed: if the webhook is unreachable the
# API server rejects the matching write instead of admitting it unchecked.
apiVersion: admissionregistration.k8s.io/v1
kind: MutatingWebhookConfiguration
metadata:
  name: webhook.istio.networking.internal.knative.dev
  labels:
    serving.knative.dev/release: 'v0.26.0'
    networking.knative.dev/ingress-provider: istio
webhooks:
  - admissionReviewVersions:
      - v1
      - v1beta1
    clientConfig:
      service:
        name: net-istio-webhook
        namespace: knative-serving
    failurePolicy: Fail
    sideEffects: None
    # Only objects that carry the Knative configuration label are sent here.
    objectSelector:
      matchExpressions:
        - key: serving.knative.dev/configuration
          operator: Exists
    name: webhook.istio.networking.internal.knative.dev
---
# Copyright 2020 The Knative Authors
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     https://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# Validating admission hook (config validation). As above, `rules` and
# `caBundle` are absent from the manifest and presumably filled in at runtime.
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
  name: config.webhook.istio.networking.internal.knative.dev
  labels:
    serving.knative.dev/release: 'v0.26.0'
    networking.knative.dev/ingress-provider: istio
webhooks:
  - admissionReviewVersions:
      - v1
      - v1beta1
    clientConfig:
      service:
        name: net-istio-webhook
        namespace: knative-serving
    failurePolicy: Fail
    sideEffects: None
    name: config.webhook.istio.networking.internal.knative.dev
    # Scoped to namespaces labelled with a Knative release (the system
    # namespace is expected to carry this label; set elsewhere, not in this file).
    namespaceSelector:
      matchExpressions:
        - key: serving.knative.dev/release
          operator: Exists
---