The cluster networks for which service discovery is performed. This should include the pod and service networks, but need not include the node network. By default, all private networks are specified so that resolution works in typical Kubernetes environments.
enabling this omits the NET_ADMIN capability in the PSP and the proxy-init container when injecting the proxy; requires the linkerd-cni plugin to already be installed
enables the use of EndpointSlice informers for the destination service; enableEndpointSlices should be set to true only if EndpointSlice K8s feature gate is on
Type
Default
bool
true
linkerd-control-plane.enableH2Upgrade
Allow proxies to perform transparent HTTP/2 upgrading
Type
Default
bool
true
linkerd-control-plane.enablePSP
Add a PSP resource and bind it to the control plane ServiceAccounts. Note PSP has been deprecated since k8s v1.21
Type
Default
bool
false
linkerd-control-plane.enablePodAntiAffinity
enables pod anti affinity creation on deployments for high availability
Type
Default
bool
false
linkerd-control-plane.enablePodDisruptionBudget
enables the creation of pod disruption budgets for control plane components
Type
Default
bool
false
linkerd-control-plane.enablePprof
enables the use of pprof endpoints on control plane component’s admin servers
Type
Default
bool
false
linkerd-control-plane.identity.externalCA
If the linkerd-identity-trust-roots ConfigMap has already been created
Maximum amount of memory that the policy controller requests
Type
Default
string
""
linkerd-control-plane.policyValidator.caBundle
Bundle of CA certificates for proxy injector. If not provided nor injected with cert-manager, then Helm will use the certificate generated for policyValidator.crtPEM. If policyValidator.externalSecret is set to true, this value, injectCaFrom, or injectCaFromSecret must be set, as no certificate will be generated. See the cert-manager CA Injector Docs for more information.
Type
Default
string
""
linkerd-control-plane.policyValidator.crtPEM
Certificate for the policy validator. If not provided and not using an external secret then Helm will generate one.
Do not create a secret resource for the policyValidator webhook. If this is set to true, the value policyValidator.caBundle must be set or the ca bundle must injected with cert-manager ca injector using policyValidator.injectCaFrom or policyValidator.injectCaFromSecret (see below).
Inject the CA bundle from a Secret. If set, the cert-manager.io/inject-ca-from-secret annotation will be added to the webhook. The Secret must have the CA Bundle stored in the ca.crt key and have the cert-manager.io/allow-direct-injection annotation set to true. See the cert-manager CA Injector Docs for more information.
Type
Default
string
""
linkerd-control-plane.policyValidator.keyPEM
Certificate key for the policy validator. If not provided and not using an external secret then Helm will generate one.
Bundle of CA certificates for proxy injector. If not provided nor injected with cert-manager, then Helm will use the certificate generated for profileValidator.crtPEM. If profileValidator.externalSecret is set to true, this value, injectCaFrom, or injectCaFromSecret must be set, as no certificate will be generated. See the cert-manager CA Injector Docs for more information.
Type
Default
string
""
linkerd-control-plane.profileValidator.crtPEM
Certificate for the service profile validator. If not provided and not using an external secret then Helm will generate one.
Do not create a secret resource for the profileValidator webhook. If this is set to true, the value proxyInjector.caBundle must be set or the ca bundle must injected with cert-manager ca injector using proxyInjector.injectCaFrom or proxyInjector.injectCaFromSecret (see below).
Inject the CA bundle from a Secret. If set, the cert-manager.io/inject-ca-from-secret annotation will be added to the webhook. The Secret must have the CA Bundle stored in the ca.crt key and have the cert-manager.io/allow-direct-injection annotation set to true. See the cert-manager CA Injector Docs for more information.
Type
Default
string
""
linkerd-control-plane.profileValidator.keyPEM
Certificate key for the service profile validator. If not provided and not using an external secret then Helm will generate one.
The maximum duration for a response stream (i.e. before it will be reinitialized).
Type
Default
string
"1h"
linkerd-control-plane.proxy.cores
The cpu.limit and cores should be kept in sync. The value of cores must be an integer and should typically be set by rounding up from the limit. E.g. if cpu.limit is ‘1500m’, cores should be 2.
Type
Default
int
0
linkerd-control-plane.proxy.defaultInboundPolicy
The default allow policy to use when no Server selects a pod. One of: “all-authenticated”, “all-unauthenticated”, “cluster-authenticated”, “cluster-unauthenticated”, “deny”
Maximum time allowed before an unused inbound discovery result is evicted from the cache
Type
Default
string
"90s"
linkerd-control-plane.proxy.livenessProbe
LivenessProbe timeout and delay configuration
Type
Default
object
{"initialDelaySeconds":10,"timeoutSeconds":1}
linkerd-control-plane.proxy.logFormat
Log format (plain or json) for the proxy
Type
Default
string
"plain"
linkerd-control-plane.proxy.logHTTPHeaders
If set to off, will prevent the proxy from logging HTTP headers. If set to insecure, HTTP headers may be logged verbatim. Note that setting this to insecure is not alone sufficient to log HTTP headers; the proxy logLevel must also be set to debug.
Type
Default
`off` or `insecure`
"off"
linkerd-control-plane.proxy.logLevel
Log level for the proxy
Type
Default
string
"warn,linkerd=info,trust_dns=error"
linkerd-control-plane.proxy.nativeSidecar
Enable KEP-753 native sidecars This is an experimental feature. It requires Kubernetes >= 1.29. If enabled, .proxy.waitBeforeExitSeconds should not be used.
Type
Default
bool
false
linkerd-control-plane.proxy.opaquePorts
Default set of opaque ports - SMTP (25,587) server-first - MYSQL (3306) server-first - Galera (4444) server-first - PostgreSQL (5432) server-first - Redis (6379) server-first - ElasticSearch (9300) server-first - Memcached (11211) clients do not issue any preamble, which breaks detection
Grace period for graceful proxy shutdowns. If this timeout elapses before all open connections have completed, the proxy will terminate forcefully, closing any remaining connections.
If set the injected proxy sidecars in the data plane will stay alive for at least the given period before receiving the SIGTERM signal from Kubernetes but no longer than the pod’s terminationGracePeriodSeconds. See Lifecycle hooks for more info on container lifecycle hooks.
Default set of outbound ports to skip via iptables - Galera (4567,4568)
Type
Default
string
"4567,4568"
linkerd-control-plane.proxyInit.image.name
Docker image for the proxy-init container
Type
Default
string
"cr.l5d.io/linkerd/proxy-init"
linkerd-control-plane.proxyInit.image.pullPolicy
Pull policy for the proxy-init container image
Type
Default
string
imagePullPolicy
linkerd-control-plane.proxyInit.image.version
Tag for the proxy-init container image
Type
Default
string
"v2.2.4"
linkerd-control-plane.proxyInit.iptablesMode
Variant of iptables that will be used to configure routing. Currently, proxy-init can be run either in ’nft’ or in ’legacy’ mode. The mode will control which utility binary will be called. The host must support whichever mode will be used
Default set of ports to skip via iptables for control plane components so they can communicate with the Kubernetes API Server
Type
Default
string
"443,6443"
linkerd-control-plane.proxyInit.logFormat
Log format (plain or json) for the proxy-init
Type
Default
string
plain
linkerd-control-plane.proxyInit.logLevel
Log level for the proxy-init
Type
Default
string
info
linkerd-control-plane.proxyInit.privileged
Privileged mode allows the container processes to inherit all security capabilities and bypass any security limitations enforced by the kubelet. When used with ‘runAsRoot: true’, the container will behave exactly as if it was running as root on the host. May escape cgroup limits and see other processes and devices on the host.
Bundle of CA certificates for proxy injector. If not provided nor injected with cert-manager, then Helm will use the certificate generated for proxyInjector.crtPEM. If proxyInjector.externalSecret is set to true, this value, injectCaFrom, or injectCaFromSecret must be set, as no certificate will be generated. See the cert-manager CA Injector Docs for more information.
Type
Default
string
""
linkerd-control-plane.proxyInjector.crtPEM
Certificate for the proxy injector. If not provided and not using an external secret then Helm will generate one.
Do not create a secret resource for the proxyInjector webhook. If this is set to true, the value proxyInjector.caBundle must be set or the ca bundle must injected with cert-manager ca injector using proxyInjector.injectCaFrom or proxyInjector.injectCaFromSecret (see below).
Type
Default
bool
false
linkerd-control-plane.proxyInjector.injectCaFrom
Inject the CA bundle from a cert-manager Certificate. See the cert-manager CA Injector Docs for more information.
Inject the CA bundle from a Secret. If set, the cert-manager.io/inject-ca-from-secret annotation will be added to the webhook. The Secret must have the CA Bundle stored in the ca.crt key and have the cert-manager.io/allow-direct-injection annotation set to true. See the cert-manager CA Injector Docs for more information.
Type
Default
string
""
linkerd-control-plane.proxyInjector.keyPEM
Certificate key for the proxy injector. If not provided and not using an external secret then Helm will generate one.
Creates a Job that adds necessary metadata to the extension’s namespace during install; disable if lack of privileges require doing this manually
Type
Default
bool
true
linkerd-multicluster.enablePSP
Create Roles and RoleBindings to associate this extension’s ServiceAccounts to the control plane PSP resource. This requires that enabledPSP is set to true on the control plane install. Note PSP has been deprecated since k8s v1.21
Type
Default
bool
false
linkerd-multicluster.enablePodAntiAffinity
Enables Pod Anti Affinity logic to balance the placement of replicas across hosts and zones for High Availability. Enable this only when you have multiple replicas of components.