BEL configuration reference

installGatewayAPI

Controls if Linkerd should install the Gateway API CRDs. This value acts as a default and can be overridden by the more specific enable*Routes values.

manageExternalWorkloads

cli.installURL

clusterDomain

Kubernetes DNS Domain name to use

clusterNetworks

The cluster networks for which service discovery is performed. This should include the pod and service networks, but need not include the node network. By default, all IPv4 private networks and all accepted IPv6 ULAs are specified so that resolution works in typical Kubernetes environments.

cniEnabled

enabling this omits the NET_ADMIN capability in the PSP and the proxy-init container when injecting the proxy; requires the linkerd-cni plugin to already be installed

commonLabels

Labels to apply to all resources

configReaders

List of additional service accounts with read access to the linkerd-config ConfigMap

controller.podDisruptionBudget

sets pod disruption budget parameter for all deployments

controller.podDisruptionBudget.maxUnavailable

Maximum number of pods that can be unavailable during disruption

controller.tracing.collector.endpoint

The collector endpoint to send traces to. Required if tracing is enabled. If this is unset and proxy.tracing.collector.endpoint is set, that endpoint will be re-used here.

controller.tracing.enabled

Enables trace collection and export in the proxy

controllerGID

Optional customisation of the group ID for the control plane components (the group ID will be omitted if lower than 0)

controllerImage

Docker image for the destination and identity components

controllerImageVersion

Optionally allow a specific container image Tag (or SHA) to be specified for the controllerImage.

controllerLogFormat

Log format for the control plane components

controllerLogLevel

Log level for the control plane components

controllerReplicas

Number of replicas for each control plane pod

controllerUID

User ID for the control plane components

debugContainer.image.name

Docker image for the debug container

debugContainer.image.pullPolicy

Pull policy for the debug container image

debugContainer.image.version

Tag for the debug container image

deploymentStrategy

default kubernetes deployment strategy

destinationController.livenessProbe.timeoutSeconds

destinationController.meshedHttp2ClientProtobuf.keep_alive.interval.seconds

destinationController.meshedHttp2ClientProtobuf.keep_alive.timeout.seconds

destinationController.meshedHttp2ClientProtobuf.keep_alive.while_idle

destinationController.podAnnotations

Additional annotations to add to destination pods

destinationController.readinessProbe.timeoutSeconds

disableHeartBeat

Set to true to not start the heartbeat cronjob

disableIPv6

disables routing IPv6 traffic in addition to IPv4 traffic through the proxy (IPv6 routing only available as of proxy-init v2.3.0 and linkerd-cni v1.4.0)

egress.globalEgressNetworkNamespace

The namespace that is used to store egress configuration that affects all client workloads in the cluster

enableEndpointSlices

enables the use of EndpointSlice informers for the destination service; enableEndpointSlices should be set to true only if EndpointSlice K8s feature gate is on

enableH2Upgrade

Allow proxies to perform transparent HTTP/2 upgrading

enablePSP

Add a PSP resource and bind it to the control plane ServiceAccounts. Note PSP has been deprecated since k8s v1.21

enablePodAntiAffinity

enables pod anti affinity creation on deployments for high availability

enablePodDisruptionBudget

enables the creation of pod disruption budgets for control plane components

enablePprof

enables the use of pprof endpoints on control plane component’s admin servers

identity.externalCA

If the linkerd-identity-trust-roots ConfigMap has already been created

identity.issuer.clockSkewAllowance

Amount of time to allow for clock skew within a Linkerd cluster

identity.issuer.issuanceLifetime

Amount of time for which the Identity issuer should certify identity

identity.issuer.scheme

identity.issuer.tls

Which scheme is used for the identity issuer secret format

identity.issuer.tls.crtPEM

Issuer certificate (ECDSA). It must be provided during install.

identity.issuer.tls.keyPEM

Key for the issuer certificate (ECDSA). It must be provided during install

identity.kubeAPI.clientBurst

Burst value over clientQPS

identity.kubeAPI.clientQPS

Maximum QPS sent to the kube-apiserver before throttling. See token bucket rate limiter implementation

identity.livenessProbe.timeoutSeconds

identity.podAnnotations

Additional annotations to add to identity pods

identity.readinessProbe.timeoutSeconds

identity.serviceAccountTokenProjection

Use Service Account token Volume projection for pod validation instead of the default token

identityTrustAnchorsPEM

Trust root certificate (ECDSA). It must be provided during install.

identityTrustDomain

Trust domain used for identity

imagePullPolicy

Docker image pull policy

imagePullSecrets

For Private docker registries, authentication is needed. Registry secrets are applied to the respective service accounts

kubeAPI.clientBurst

Burst value over clientQPS

kubeAPI.clientQPS

Maximum QPS sent to the kube-apiserver before throttling. See token bucket rate limiter implementation

license

Buoyant Enterprise for Linkerd license. Obtain at https://enterprise.buoyant.io. Exactly one of license or licenseSecret must be set.

licenseSecret

Name of the secret containing the Buoyant Enterprise for Linkerd license, at key license. Exactly one of license or licenseSecret must be set.

linkerdVersion

control plane version. See Proxy section for proxy version

manageExternalWorkloads

networkValidator.connectAddr

Address to which the network-validator will attempt to connect. This should be an IP that the cluster is expected to be able to reach but a port it should not, e.g., a public IP for public clusters and a private IP for air-gapped clusters with a port like 20001. If empty, defaults to 1.1.1.1:20001 and [fd00::1]:20001 for IPv4 and IPv6 respectively.

networkValidator.listenAddr

Address to which network-validator listens to requests from itself. If empty, defaults to 0.0.0.0:4140 and [::]:4140 for IPv4 and IPv6 respectively.

networkValidator.logFormat

Log format (plain or json) for network-validator

networkValidator.logLevel

Log level for the network-validator

networkValidator.securityContext

The securityContext in the network-validator pod spec

networkValidator.timeout

Timeout before network-validator fails to validate the pod’s network connectivity

nodeSelector

NodeSelector section, See the K8S documentation for more information

podAnnotations

Additional annotations to add to all pods

podLabels

Additional labels to add to all pods

podMonitor.controller.enabled

Enables the creation of PodMonitor for the control-plane

podMonitor.controller.namespaceSelector

Selector to select which namespaces the Endpoints objects are discovered from

podMonitor.enabled

Enables the creation of Prometheus Operator PodMonitor

podMonitor.labels

Labels to apply to all pod Monitors

podMonitor.proxy.enabled

Enables the creation of PodMonitor for the data-plane

podMonitor.scrapeInterval

Interval at which metrics should be scraped

podMonitor.scrapeTimeout

Iimeout after which the scrape is ended

podMonitor.serviceMirror.enabled

Enables the creation of PodMonitor for the Service Mirror component

policyController.livenessProbe.timeoutSeconds

policyController.logLevel

Log level for the policy controller

policyController.probeNetworks

The networks from which probes are performed. By default, all networks are allowed so that all probes are authorized.

policyController.readinessProbe.timeoutSeconds

policyController.resources

policy controller resource requests & limits

policyController.resources.cpu.limit

Maximum amount of CPU units that the policy controller can use

policyController.resources.cpu.request

Amount of CPU units that the policy controller requests

policyController.resources.ephemeral-storage.limit

Maximum amount of ephemeral storage that the policy controller can use

policyController.resources.ephemeral-storage.request

Amount of ephemeral storage that the policy controller requests

policyController.resources.memory.limit

Maximum amount of memory that the policy controller can use

policyController.resources.memory.request

Maximum amount of memory that the policy controller requests

policyValidator.caBundle

Bundle of CA certificates for proxy injector. If not provided nor injected with cert-manager, then Helm will use the certificate generated for policyValidator.crtPEM. If policyValidator.externalSecret is set to true, this value, injectCaFrom, or injectCaFromSecret must be set, as no certificate will be generated. See the cert-manager CA Injector Docs for more information.

policyValidator.crtPEM

Certificate for the policy validator. If not provided and not using an external secret then Helm will generate one.

policyValidator.externalSecret

Do not create a secret resource for the policyValidator webhook. If this is set to true, the value policyValidator.caBundle must be set or the ca bundle must injected with cert-manager ca injector using policyValidator.injectCaFrom or policyValidator.injectCaFromSecret (see below).

policyValidator.injectCaFrom

Inject the CA bundle from a cert-manager Certificate. See the cert-manager CA Injector Docs for more information.

policyValidator.injectCaFromSecret

Inject the CA bundle from a Secret. If set, the cert-manager.io/inject-ca-from-secret annotation will be added to the webhook. The Secret must have the CA Bundle stored in the ca.crt key and have the cert-manager.io/allow-direct-injection annotation set to true. See the cert-manager CA Injector Docs for more information.

policyValidator.keyPEM

Certificate key for the policy validator. If not provided and not using an external secret then Helm will generate one.

policyValidator.namespaceSelector

Namespace selector used by admission webhook

priorityClassName

Kubernetes priorityClassName for the Linkerd Pods

profileValidator.caBundle

Bundle of CA certificates for proxy injector. If not provided nor injected with cert-manager, then Helm will use the certificate generated for profileValidator.crtPEM. If profileValidator.externalSecret is set to true, this value, injectCaFrom, or injectCaFromSecret must be set, as no certificate will be generated. See the cert-manager CA Injector Docs for more information.

profileValidator.crtPEM

Certificate for the service profile validator. If not provided and not using an external secret then Helm will generate one.

profileValidator.externalSecret

Do not create a secret resource for the profileValidator webhook. If this is set to true, the value proxyInjector.caBundle must be set or the ca bundle must injected with cert-manager ca injector using proxyInjector.injectCaFrom or proxyInjector.injectCaFromSecret (see below).

profileValidator.injectCaFrom

Inject the CA bundle from a cert-manager Certificate. See the cert-manager CA Injector Docs for more information.

profileValidator.injectCaFromSecret

Inject the CA bundle from a Secret. If set, the cert-manager.io/inject-ca-from-secret annotation will be added to the webhook. The Secret must have the CA Bundle stored in the ca.crt key and have the cert-manager.io/allow-direct-injection annotation set to true. See the cert-manager CA Injector Docs for more information.

profileValidator.keyPEM

Certificate key for the service profile validator. If not provided and not using an external secret then Helm will generate one.

profileValidator.namespaceSelector

Namespace selector used by admission webhook

prometheusUrl

url of external prometheus instance (used for the heartbeat)

proxy.await

If set, the application container will not start until the proxy is ready

proxy.control.streams.idleTimeout

The timeout between consecutive updates from the control plane.

proxy.control.streams.initialTimeout

The timeout for the first update from the control plane.

proxy.control.streams.lifetime

The maximum duration for a response stream (i.e. before it will be reinitialized).

proxy.cores

Deprecated: use runtime.workers.minimum

proxy.defaultInboundPolicy

The default allow policy to use when no Server selects a pod. One of: “all-authenticated”, “all-unauthenticated”, “cluster-authenticated”, “cluster-unauthenticated”, “deny”, “audit”

proxy.disableInboundProtocolDetectTimeout

When set to true, disables the protocol detection timeout on the inbound side of the proxy by setting it to a very high value

proxy.disableOutboundProtocolDetectTimeout

When set to true, disables the protocol detection timeout on the outbound side of the proxy by setting it to a very high value

proxy.enableExternalProfiles

Enable service profiles for non-Kubernetes services

proxy.enableShutdownEndpoint

Enables the proxy’s /shutdown admin endpoint

proxy.gid

Optional customisation of the group id under which the proxy runs (the group ID will be omitted if lower than 0)

proxy.image.name

Docker image for the proxy

proxy.image.pullPolicy

Pull policy for the proxy container image

proxy.image.version

Tag for the proxy container image

proxy.inbound.server.http2.keepAliveInterval

The interval at which PINGs are issued to remote HTTP/2 clients.

proxy.inbound.server.http2.keepAliveTimeout

The timeout within which keep-alive PINGs must be acknowledged on inbound HTTP/2 connections.

proxy.inboundConnectTimeout

Maximum time allowed for the proxy to establish an inbound TCP connection

proxy.inboundDiscoveryCacheUnusedTimeout

Maximum time allowed before an unused inbound discovery result is evicted from the cache

proxy.livenessProbe

LivenessProbe timeout and delay configuration

proxy.logFormat

Log format (plain or json) for the proxy

proxy.logHTTPHeaders

If set to off, will prevent the proxy from logging HTTP headers. If set to insecure, HTTP headers may be logged verbatim. Note that setting this to insecure is not alone sufficient to log HTTP headers; the proxy logLevel must also be set to debug.

proxy.logLevel

Log level for the proxy

proxy.metrics.hostnameLabels

Whether or not to export hostname labels in outbound request metrics.

proxy.nativeSidecar

Enable KEP-753 native sidecars This is a beta feature. It requires Kubernetes >= 1.29. If enabled, .proxy.waitBeforeExitSeconds should not be used.

proxy.opaquePorts

Default set of opaque ports - SMTP (25,587) server-first - MYSQL (3306) server-first - Galera (4444) server-first - PostgreSQL (5432) server-first - Redis (6379) server-first - ElasticSearch (9300) server-first - Memcached (11211) clients do not issue any preamble, which breaks detection

proxy.outbound.server.http2.keepAliveInterval

The interval at which PINGs are issued to local application HTTP/2 clients.

proxy.outbound.server.http2.keepAliveTimeout

The timeout within which keep-alive PINGs must be acknowledged on outbound HTTP/2 connections.

proxy.outboundConnectTimeout

Maximum time allowed for the proxy to establish an outbound TCP connection

proxy.outboundDiscoveryCacheUnusedTimeout

Maximum time allowed before an unused outbound discovery result is evicted from the cache

proxy.outboundTransportMode

Configures the outbound transport mode. Valid values are “transport-header” and “transparent”

proxy.ports.admin

Admin port for the proxy container

proxy.ports.control

Control port for the proxy container

proxy.ports.inbound

Inbound port for the proxy container

proxy.ports.outbound

Outbound port for the proxy container

proxy.readinessProbe

ReadinessProbe timeout and delay configuration

proxy.requireIdentityOnInboundPorts

proxy.resources.cpu

CPU configuration, when specified globally in Helm values, should be kept in sync with the above runtime.workers.minimum configuration. The minimum should reflect at least the CPU request. When a limit is set, the minimum should match the limit (and the maximumCPURatio should be unset).

proxy.resources.cpu.limit

Maximum amount of CPU units that the proxy can use

proxy.resources.cpu.request

Amount of CPU units that the proxy requests

proxy.resources.ephemeral-storage.limit

Maximum amount of ephemeral storage that the proxy can use

proxy.resources.ephemeral-storage.request

Amount of ephemeral storage that the proxy requests

proxy.resources.memory.limit

Maximum amount of memory that the proxy can use

proxy.resources.memory.request

Maximum amount of memory that the proxy requests

proxy.runtime.workers

Worker threadpool configuration. The minimum will be automatically derived from workload proxy CPU requests, when they are configured by annotation. A cluster-level maximum may be configured here (and a workload-level annotation is supported as well).

proxy.runtime.workers.maximumCPURatio

Maximum number of worker threads that the proxy can use, by ratio of the number of available CPUs. A value of 1.0 allocates a worker thread for all available CPUs. A value of 0.1 allocates a worker thread for 10% of the available CPUs.

proxy.runtime.workers.minimum

Configures a lower bound on the number of worker threads that the proxy can use. When maximumCPURatio is not set, this value is used.

proxy.securityContext

Optional custom security context for the proxy container.

proxy.shutdownGracePeriod

Grace period for graceful proxy shutdowns. If this timeout elapses before all open connections have completed, the proxy will terminate forcefully, closing any remaining connections.

proxy.startupProbe.failureThreshold

proxy.startupProbe.initialDelaySeconds

proxy.startupProbe.periodSeconds

proxy.tracing.collector.endpoint

The collector endpoint to send traces to.

proxy.tracing.collector.meshIdentity

The identity of the collector in the linkerd mesh.

proxy.tracing.collector.meshIdentity.namespace

Mesh identity namespace for the trace collector. This should be set to the namespace of the service account attached to the collector. If there’s no explicitly set service account, this is the namespace of the collector.

proxy.tracing.collector.meshIdentity.serviceAccountName

Mesh identity name for the trace collector. This should be set to the name of the service account attached to the collector. If there’s no explicitly set service account, this will probably be “default”.

proxy.tracing.enabled

Enables trace collection and export in the proxy

proxy.tracing.labels

Additional labels to add to the traces emitted by the proxy. These should generally not be set globally, and instead overridden on individual workloads via resource.opentelemetry.io/<label> annotations.

proxy.tracing.traceServiceName

proxy.uid

User id under which the proxy runs

proxy.waitBeforeExitSeconds

If set the injected proxy sidecars in the data plane will stay alive for at least the given period before receiving the SIGTERM signal from Kubernetes but no longer than the pod’s terminationGracePeriodSeconds. See Lifecycle hooks for more info on container lifecycle hooks.

proxy.windowsUsername

proxyInit.closeWaitTimeoutSecs

Changes the default value for the nf_conntrack_tcp_timeout_close_wait kernel parameter. If used, runAsRoot needs to be true.

proxyInit.ignoreInboundPorts

Default set of inbound ports to skip via iptables - Galera (4567,4568)

proxyInit.ignoreOutboundPorts

Default set of outbound ports to skip via iptables - Galera (4567,4568)

proxyInit.image.name

Docker image for the proxy-init container

proxyInit.image.pullPolicy

Pull policy for the proxy-init container image

proxyInit.image.version

Tag for the proxy-init container image

proxyInit.iptablesMode

Variant of iptables that will be used to configure routing. Currently, proxy-init can be run either in ’nft’ or in ’legacy’ mode. The mode will control which utility binary will be called. The host must support whichever mode will be used

proxyInit.kubeAPIServerPorts

Default set of ports to skip via iptables for control plane components so they can communicate with the Kubernetes API Server

proxyInit.logFormat

Log format (plain or json) for the proxy-init

proxyInit.logLevel

Log level for the proxy-init

proxyInit.privileged

Privileged mode allows the container processes to inherit all security capabilities and bypass any security limitations enforced by the kubelet. When used with ‘runAsRoot: true’, the container will behave exactly as if it was running as root on the host. May escape cgroup limits and see other processes and devices on the host.

proxyInit.runAsGroup

This value is used only if runAsRoot is false; otherwise runAsGroup will be 0

proxyInit.runAsRoot

Allow overriding the runAsNonRoot behaviour (https://github.com/linkerd/linkerd2/issues/7308)

proxyInit.runAsUser

This value is used only if runAsRoot is false; otherwise runAsUser will be 0

proxyInit.skipSubnets

Comma-separated list of subnets in valid CIDR format that should be skipped by the proxy

proxyInit.xtMountPath.mountPath

proxyInit.xtMountPath.name

proxyInjector.caBundle

Bundle of CA certificates for proxy injector. If not provided nor injected with cert-manager, then Helm will use the certificate generated for proxyInjector.crtPEM. If proxyInjector.externalSecret is set to true, this value, injectCaFrom, or injectCaFromSecret must be set, as no certificate will be generated. See the cert-manager CA Injector Docs for more information.

proxyInjector.crtPEM

Certificate for the proxy injector. If not provided and not using an external secret then Helm will generate one.

proxyInjector.externalSecret

Do not create a secret resource for the proxyInjector webhook. If this is set to true, the value proxyInjector.caBundle must be set or the ca bundle must injected with cert-manager ca injector using proxyInjector.injectCaFrom or proxyInjector.injectCaFromSecret (see below).

proxyInjector.injectCaFrom

Inject the CA bundle from a cert-manager Certificate. See the cert-manager CA Injector Docs for more information.

proxyInjector.injectCaFromSecret

Inject the CA bundle from a Secret. If set, the cert-manager.io/inject-ca-from-secret annotation will be added to the webhook. The Secret must have the CA Bundle stored in the ca.crt key and have the cert-manager.io/allow-direct-injection annotation set to true. See the cert-manager CA Injector Docs for more information.

proxyInjector.keyPEM

Certificate key for the proxy injector. If not provided and not using an external secret then Helm will generate one.

proxyInjector.livenessProbe.timeoutSeconds

proxyInjector.namespaceSelector

Namespace selector used by admission webhook.

proxyInjector.objectSelector

Object selector used by admission webhook.

proxyInjector.podAnnotations

Additional annotations to add to proxy-injector pods

proxyInjector.readinessProbe.timeoutSeconds

proxyInjector.timeoutSeconds

Timeout in seconds before the API Server cancels a request to the proxy injector. If timeout is exceeded, the webhookfailurePolicy is used.

revisionHistoryLimit

Specifies the number of old ReplicaSets to retain to allow rollback.

runtimeClassName

Runtime Class Name for all the pods

spValidator

SP validator configuration

webhookFailurePolicy

Failure policy for the proxy injector

commonLabels

Labels to apply to all resources

controllerDefaults.GID

controllerDefaults.UID

controllerDefaults.enableHeadlessServices

Toggle support for mirroring headless services

controllerDefaults.enablePodAntiAffinity

controllerDefaults.enablePprof

Enables the use of pprof endpoints for the controller

controllerDefaults.gateway.enabled

Enables a probe service for the gateway

controllerDefaults.gateway.probe.port

Port used for liveliness probing

controllerDefaults.image.name

controllerDefaults.image.pullPolicy

controllerDefaults.image.version

controllerDefaults.logFormat

Log format (plain or json)

controllerDefaults.logLevel

Log level (error, warn, info, debug or trace)

controllerDefaults.nodeAffinity

controllerDefaults.nodeSelector

controllerDefaults.replicas

Number of service mirror replicas for a given Link

controllerDefaults.resources

Resources to assign to the controller. See policyController.resources in the linkerd-control-plane chart for the expected format

controllerDefaults.retryLimit

Number of times service mirror updates are allowed to be requeued (retried)

controllerDefaults.tolerations

controllerImageVersion

controllers

List of service mirror controllers. References to the Links deployed in the cluster, each of which will have a corresponding service mirror controller deployed. Only link.ref.name is required for each entry. Example (all the missing values take their values from controllerDefaults): controllers: - link: ref: name: target1 logLevel: debug - link: ref: name: target2 gateway: enabled: false replicas: 2

createNamespaceMetadataJob

Creates a Job that adds necessary metadata to the extension’s namespace during install; disable if lack of privileges require doing this manually

enableNamespaceCreation

Toggle support for creating namespaces for mirror services when necessary

enablePSP

Create Roles and RoleBindings to associate this extension’s ServiceAccounts to the control plane PSP resource. This requires that enabledPSP is set to true on the control plane install. Note PSP has been deprecated since k8s v1.21

enablePodAntiAffinity

Enables Pod Anti Affinity logic to balance the placement of replicas across hosts and zones for High Availability. Enable this only when you have multiple replicas of components.

gateway.GID

Group id under which the gateway shall be ran

gateway.UID

User id under which the gateway shall be ran

gateway.deploymentAnnotations

Annotations to add to the gateway deployment

gateway.enabled

If the gateway component should be installed

gateway.loadBalancerClass

Set loadBalancerClass on gateway service

gateway.loadBalancerIP

Set loadBalancerIP on gateway service

gateway.loadBalancerSourceRanges

Set loadBalancerSourceRanges on gateway service

gateway.name

The name of the gateway that will be installed

gateway.nodeSelector

Node selectors for the gateway pod

gateway.pauseImage

The pause container to use

gateway.port

The port on which all the gateway will accept incoming traffic

gateway.probe.path

The path that will be used by remote clusters for determining whether the gateway is alive

gateway.probe.port

The port used for liveliness probing

gateway.probe.seconds

The interval (in seconds) between liveness probes

gateway.replicas

Number of replicas for the gateway pod

gateway.serviceAnnotations

Annotations to add to the gateway service

gateway.serviceExternalTrafficPolicy

Set externalTrafficPolicy on gateway service

gateway.serviceType

Service Type of gateway Service

gateway.terminationGracePeriodSeconds

Set terminationGracePeriodSeconds on gateway deployment

gateway.tolerations

Tolerations for the gateway pod

identityTrustDomain

Identity Trust Domain of the certificate authority

imagePullPolicy

Docker imagePullPolicy for all multicluster components

imagePullSecrets

For Private docker registries, authentication is needed. Registry secrets are applied to the respective service accounts

linkerdNamespace

Namespace of linkerd installation

linkerdVersion

Control plane version

localServiceMirror.GID

Group id under which the Service Mirror shall be ran

localServiceMirror.UID

User id under which the Service Mirror shall be ran

localServiceMirror.enablePprof

enables the use of pprof endpoints on control plane component’s admin servers

localServiceMirror.excludedAnnotations

Annotations that should not be copied from the local service to the mirror service.

localServiceMirror.excludedLabels

Labels that should not be copied from the local service to the mirror service.

localServiceMirror.federatedServiceSelector

Label selector for federated service members in the local cluster.

localServiceMirror.image.name

Docker image for the Service mirror component (uses the Linkerd controller image)

localServiceMirror.image.pullPolicy

Pull policy for the Service mirror container image

localServiceMirror.image.version

Tag for the Service mirror container image

localServiceMirror.logFormat

Log format (plain or json)

localServiceMirror.logLevel

Log level for the Multicluster components

localServiceMirror.replicas

Number of local service mirror replicas to run

localServiceMirror.resources

Resources for the Service mirror container

localServiceMirror.serviceMirrorRetryLimit

Number of times local service mirror updates are allowed to be requeued (retried)

namespaceMetadata.image.name

Docker image name for the namespace-metadata instance

namespaceMetadata.image.pullPolicy

Pull policy for the namespace-metadata instance

namespaceMetadata.image.registry

Docker registry for the namespace-metadata instance

namespaceMetadata.image.tag

Docker image tag for the namespace-metadata instance

namespaceMetadata.nodeSelector

Node selectors for the namespace-metadata instance

namespaceMetadata.tolerations

Tolerations for the namespace-metadata instance

podAnnotations

Additional annotations to add to all pods

podLabels

Additional labels to add to all pods

proxyOutboundPort

The port on which the proxy accepts outbound traffic

remoteMirrorServiceAccount

If the remote mirror service account should be installed

remoteMirrorServiceAccountName

The name of the service account used to allow remote clusters to mirror local services

revisionHistoryLimit

Specifies the number of old ReplicaSets to retain to allow rollback.