BEL configuration reference

enableHttpRoutes

enableTcpRoutes

enableTlsRoutes

manageExternalWorkloads

clusterDomain

Kubernetes DNS Domain name to use

clusterNetworks

The cluster networks for which service discovery is performed. This should include the pod and service networks, but need not include the node network. By default, all IPv4 private networks and all accepted IPv6 ULAs are specified so that resolution works in typical Kubernetes environments.

cniEnabled

enabling this omits the NET_ADMIN capability in the PSP and the proxy-init container when injecting the proxy; requires the linkerd-cni plugin to already be installed

commonLabels

Labels to apply to all resources

controlPlaneTracing

enables control plane tracing

controlPlaneTracingNamespace

namespace to send control plane traces to

controller.podDisruptionBudget

sets pod disruption budget parameter for all deployments

controller.podDisruptionBudget.maxUnavailable

Maximum number of pods that can be unavailable during disruption

controllerGID

Optional customisation of the group ID for the control plane components (the group ID will be omitted if lower than 0)

controllerImage

Docker image for the destination and identity components

controllerImageVersion

Optionally allow a specific container image Tag (or SHA) to be specified for the controllerImage.

controllerLogFormat

Log format for the control plane components

controllerLogLevel

Log level for the control plane components

controllerReplicas

Number of replicas for each control plane pod

controllerUID

User ID for the control plane components

debugContainer.image.name

Docker image for the debug container

debugContainer.image.pullPolicy

Pull policy for the debug container image

debugContainer.image.version

Tag for the debug container image

deploymentStrategy

default kubernetes deployment strategy

destinationController.livenessProbe.timeoutSeconds

destinationController.meshedHttp2ClientProtobuf.keep_alive.interval.seconds

destinationController.meshedHttp2ClientProtobuf.keep_alive.timeout.seconds

destinationController.meshedHttp2ClientProtobuf.keep_alive.while_idle

destinationController.readinessProbe.timeoutSeconds

disableHeartBeat

Set to true to not start the heartbeat cronjob

disableIPv6

disables routing IPv6 traffic in addition to IPv4 traffic through the proxy (IPv6 routing only available as of proxy-init v2.3.0 and linkerd-cni v1.4.0)

egress.globalEgressNetworkNamespace

The namespace that is used to store egress configuration that affects all client workloads in the cluster

enableEndpointSlices

enables the use of EndpointSlice informers for the destination service; enableEndpointSlices should be set to true only if EndpointSlice K8s feature gate is on

enableH2Upgrade

Allow proxies to perform transparent HTTP/2 upgrading

enablePSP

Add a PSP resource and bind it to the control plane ServiceAccounts. Note PSP has been deprecated since k8s v1.21

enablePodAntiAffinity

enables pod anti affinity creation on deployments for high availability

enablePodDisruptionBudget

enables the creation of pod disruption budgets for control plane components

enablePprof

enables the use of pprof endpoints on control plane component’s admin servers

identity.externalCA

If the linkerd-identity-trust-roots ConfigMap has already been created

identity.issuer.clockSkewAllowance

Amount of time to allow for clock skew within a Linkerd cluster

identity.issuer.issuanceLifetime

Amount of time for which the Identity issuer should certify identity

identity.issuer.scheme

identity.issuer.tls

Which scheme is used for the identity issuer secret format

identity.issuer.tls.crtPEM

Issuer certificate (ECDSA). It must be provided during install.

identity.issuer.tls.keyPEM

Key for the issuer certificate (ECDSA). It must be provided during install

identity.kubeAPI.clientBurst

Burst value over clientQPS

identity.kubeAPI.clientQPS

Maximum QPS sent to the kube-apiserver before throttling. See token bucket rate limiter implementation

identity.livenessProbe.timeoutSeconds

identity.readinessProbe.timeoutSeconds

identity.serviceAccountTokenProjection

Use Service Account token Volume projection for pod validation instead of the default token

identityTrustAnchorsPEM

Trust root certificate (ECDSA). It must be provided during install.

identityTrustDomain

Trust domain used for identity

imagePullPolicy

Docker image pull policy

imagePullSecrets

For Private docker registries, authentication is needed. Registry secrets are applied to the respective service accounts

kubeAPI.clientBurst

Burst value over clientQPS

kubeAPI.clientQPS

Maximum QPS sent to the kube-apiserver before throttling. See token bucket rate limiter implementation

license

Buoyant Enterprise for Linkerd license. Obtain at https://enterprise.buoyant.io. Exactly one of license or licenseSecret must be set.

licenseSecret

Name of the secret containing the Buoyant Enterprise for Linkerd license, at key license. Exactly one of license or licenseSecret must be set.

linkerdVersion

control plane version. See Proxy section for proxy version

manageExternalWorkloads

networkValidator.connectAddr

Address to which the network-validator will attempt to connect. This should be an IP that the cluster is expected to be able to reach but a port it should not, e.g., a public IP for public clusters and a private IP for air-gapped clusters with a port like 20001. If empty, defaults to 1.1.1.1:20001 and [fd00::1]:20001 for IPv4 and IPv6 respectively.

networkValidator.enableSecurityContext

Include a securityContext in the network-validator pod spec

networkValidator.listenAddr

Address to which network-validator listens to requests from itself. If empty, defaults to 0.0.0.0:4140 and [::]:4140 for IPv4 and IPv6 respectively.

networkValidator.logFormat

Log format (plain or json) for network-validator

networkValidator.logLevel

Log level for the network-validator

networkValidator.timeout

Timeout before network-validator fails to validate the pod’s network connectivity

nodeSelector

NodeSelector section, See the K8S documentation for more information

podAnnotations

Additional annotations to add to all pods

podLabels

Additional labels to add to all pods

podMonitor.controller.enabled

Enables the creation of PodMonitor for the control-plane

podMonitor.controller.namespaceSelector

Selector to select which namespaces the Endpoints objects are discovered from

podMonitor.enabled

Enables the creation of Prometheus Operator PodMonitor

podMonitor.labels

Labels to apply to all pod Monitors

podMonitor.proxy.enabled

Enables the creation of PodMonitor for the data-plane

podMonitor.scrapeInterval

Interval at which metrics should be scraped

podMonitor.scrapeTimeout

Iimeout after which the scrape is ended

podMonitor.serviceMirror.enabled

Enables the creation of PodMonitor for the Service Mirror component

policyController.image.name

Docker image for the policy controller

policyController.image.pullPolicy

Pull policy for the policy controller container image

policyController.image.version

Tag for the policy controller container image

policyController.livenessProbe.timeoutSeconds

policyController.logLevel

Log level for the policy controller

policyController.probeNetworks

The networks from which probes are performed. By default, all networks are allowed so that all probes are authorized.

policyController.readinessProbe.timeoutSeconds

policyController.resources

policy controller resource requests & limits

policyController.resources.cpu.limit

Maximum amount of CPU units that the policy controller can use

policyController.resources.cpu.request

Amount of CPU units that the policy controller requests

policyController.resources.ephemeral-storage.limit

Maximum amount of ephemeral storage that the policy controller can use

policyController.resources.ephemeral-storage.request

Amount of ephemeral storage that the policy controller requests

policyController.resources.memory.limit

Maximum amount of memory that the policy controller can use

policyController.resources.memory.request

Maximum amount of memory that the policy controller requests

policyValidator.caBundle

Bundle of CA certificates for proxy injector. If not provided nor injected with cert-manager, then Helm will use the certificate generated for policyValidator.crtPEM. If policyValidator.externalSecret is set to true, this value, injectCaFrom, or injectCaFromSecret must be set, as no certificate will be generated. See the cert-manager CA Injector Docs for more information.

policyValidator.crtPEM

Certificate for the policy validator. If not provided and not using an external secret then Helm will generate one.

policyValidator.externalSecret

Do not create a secret resource for the policyValidator webhook. If this is set to true, the value policyValidator.caBundle must be set or the ca bundle must injected with cert-manager ca injector using policyValidator.injectCaFrom or policyValidator.injectCaFromSecret (see below).

policyValidator.injectCaFrom

Inject the CA bundle from a cert-manager Certificate. See the cert-manager CA Injector Docs for more information.

policyValidator.injectCaFromSecret

Inject the CA bundle from a Secret. If set, the cert-manager.io/inject-ca-from-secret annotation will be added to the webhook. The Secret must have the CA Bundle stored in the ca.crt key and have the cert-manager.io/allow-direct-injection annotation set to true. See the cert-manager CA Injector Docs for more information.

policyValidator.keyPEM

Certificate key for the policy validator. If not provided and not using an external secret then Helm will generate one.

policyValidator.namespaceSelector

Namespace selector used by admission webhook

priorityClassName

Kubernetes priorityClassName for the Linkerd Pods

profileValidator.caBundle

Bundle of CA certificates for proxy injector. If not provided nor injected with cert-manager, then Helm will use the certificate generated for profileValidator.crtPEM. If profileValidator.externalSecret is set to true, this value, injectCaFrom, or injectCaFromSecret must be set, as no certificate will be generated. See the cert-manager CA Injector Docs for more information.

profileValidator.crtPEM

Certificate for the service profile validator. If not provided and not using an external secret then Helm will generate one.

profileValidator.externalSecret

Do not create a secret resource for the profileValidator webhook. If this is set to true, the value proxyInjector.caBundle must be set or the ca bundle must injected with cert-manager ca injector using proxyInjector.injectCaFrom or proxyInjector.injectCaFromSecret (see below).

profileValidator.injectCaFrom

Inject the CA bundle from a cert-manager Certificate. See the cert-manager CA Injector Docs for more information.

profileValidator.injectCaFromSecret

Inject the CA bundle from a Secret. If set, the cert-manager.io/inject-ca-from-secret annotation will be added to the webhook. The Secret must have the CA Bundle stored in the ca.crt key and have the cert-manager.io/allow-direct-injection annotation set to true. See the cert-manager CA Injector Docs for more information.

profileValidator.keyPEM

Certificate key for the service profile validator. If not provided and not using an external secret then Helm will generate one.

profileValidator.namespaceSelector

Namespace selector used by admission webhook

prometheusUrl

url of external prometheus instance (used for the heartbeat)

proxy.await

If set, the application container will not start until the proxy is ready

proxy.control.streams.idleTimeout

The timeout between consecutive updates from the control plane.

proxy.control.streams.initialTimeout

The timeout for the first update from the control plane.

proxy.control.streams.lifetime

The maximum duration for a response stream (i.e. before it will be reinitialized).

proxy.cores

The cpu.limit and cores should be kept in sync. The value of cores must be an integer and should typically be set by rounding up from the limit. E.g. if cpu.limit is ‘1500m’, cores should be 2.

proxy.defaultInboundPolicy

The default allow policy to use when no Server selects a pod. One of: “all-authenticated”, “all-unauthenticated”, “cluster-authenticated”, “cluster-unauthenticated”, “deny”, “audit”

proxy.disableInboundProtocolDetectTimeout

When set to true, disables the protocol detection timeout on the inbound side of the proxy by setting it to a very high value

proxy.disableOutboundProtocolDetectTimeout

When set to true, disables the protocol detection timeout on the outbound side of the proxy by setting it to a very high value

proxy.enableExternalProfiles

Enable service profiles for non-Kubernetes services

proxy.enableShutdownEndpoint

Enables the proxy’s /shutdown admin endpoint

proxy.gid

Optional customisation of the group id under which the proxy runs (the group ID will be omitted if lower than 0)

proxy.image.name

Docker image for the proxy

proxy.image.pullPolicy

Pull policy for the proxy container image

proxy.image.version

Tag for the proxy container image

proxy.inbound.server.http2.keepAliveInterval

The interval at which PINGs are issued to remote HTTP/2 clients.

proxy.inbound.server.http2.keepAliveTimeout

The timeout within which keep-alive PINGs must be acknowledged on inbound HTTP/2 connections.

proxy.inboundConnectTimeout

Maximum time allowed for the proxy to establish an inbound TCP connection

proxy.inboundDiscoveryCacheUnusedTimeout

Maximum time allowed before an unused inbound discovery result is evicted from the cache

proxy.livenessProbe

LivenessProbe timeout and delay configuration

proxy.logFormat

Log format (plain or json) for the proxy

proxy.logHTTPHeaders

If set to off, will prevent the proxy from logging HTTP headers. If set to insecure, HTTP headers may be logged verbatim. Note that setting this to insecure is not alone sufficient to log HTTP headers; the proxy logLevel must also be set to debug.

proxy.logLevel

Log level for the proxy

proxy.nativeSidecar

Enable KEP-753 native sidecars This is an experimental feature. It requires Kubernetes >= 1.29. If enabled, .proxy.waitBeforeExitSeconds should not be used.

proxy.opaquePorts

Default set of opaque ports - SMTP (25,587) server-first - MYSQL (3306) server-first - Galera (4444) server-first - PostgreSQL (5432) server-first - Redis (6379) server-first - ElasticSearch (9300) server-first - Memcached (11211) clients do not issue any preamble, which breaks detection

proxy.outbound.server.http2.keepAliveInterval

The interval at which PINGs are issued to local application HTTP/2 clients.

proxy.outbound.server.http2.keepAliveTimeout

The timeout within which keep-alive PINGs must be acknowledged on outbound HTTP/2 connections.

proxy.outboundConnectTimeout

Maximum time allowed for the proxy to establish an outbound TCP connection

proxy.outboundDiscoveryCacheUnusedTimeout

Maximum time allowed before an unused outbound discovery result is evicted from the cache

proxy.ports.admin

Admin port for the proxy container

proxy.ports.control

Control port for the proxy container

proxy.ports.inbound

Inbound port for the proxy container

proxy.ports.outbound

Outbound port for the proxy container

proxy.readinessProbe

ReadinessProbe timeout and delay configuration

proxy.requireIdentityOnInboundPorts

proxy.resources.cpu.limit

Maximum amount of CPU units that the proxy can use

proxy.resources.cpu.request

Amount of CPU units that the proxy requests

proxy.resources.ephemeral-storage.limit

Maximum amount of ephemeral storage that the proxy can use

proxy.resources.ephemeral-storage.request

Amount of ephemeral storage that the proxy requests

proxy.resources.memory.limit

Maximum amount of memory that the proxy can use

proxy.resources.memory.request

Maximum amount of memory that the proxy requests

proxy.shutdownGracePeriod

Grace period for graceful proxy shutdowns. If this timeout elapses before all open connections have completed, the proxy will terminate forcefully, closing any remaining connections.

proxy.startupProbe.failureThreshold

proxy.startupProbe.initialDelaySeconds

proxy.startupProbe.periodSeconds

proxy.uid

User id under which the proxy runs

proxy.waitBeforeExitSeconds

If set the injected proxy sidecars in the data plane will stay alive for at least the given period before receiving the SIGTERM signal from Kubernetes but no longer than the pod’s terminationGracePeriodSeconds. See Lifecycle hooks for more info on container lifecycle hooks.

proxyInit.closeWaitTimeoutSecs

proxyInit.ignoreInboundPorts

Default set of inbound ports to skip via iptables - Galera (4567,4568)

proxyInit.ignoreOutboundPorts

Default set of outbound ports to skip via iptables - Galera (4567,4568)

proxyInit.image.name

Docker image for the proxy-init container

proxyInit.image.pullPolicy

Pull policy for the proxy-init container image

proxyInit.image.version

Tag for the proxy-init container image

proxyInit.iptablesMode

Variant of iptables that will be used to configure routing. Currently, proxy-init can be run either in ’nft’ or in ’legacy’ mode. The mode will control which utility binary will be called. The host must support whichever mode will be used

proxyInit.kubeAPIServerPorts

Default set of ports to skip via iptables for control plane components so they can communicate with the Kubernetes API Server

proxyInit.logFormat

Log format (plain or json) for the proxy-init

proxyInit.logLevel

Log level for the proxy-init

proxyInit.privileged

Privileged mode allows the container processes to inherit all security capabilities and bypass any security limitations enforced by the kubelet. When used with ‘runAsRoot: true’, the container will behave exactly as if it was running as root on the host. May escape cgroup limits and see other processes and devices on the host.

proxyInit.runAsGroup

This value is used only if runAsRoot is false; otherwise runAsGroup will be 0

proxyInit.runAsRoot

Allow overriding the runAsNonRoot behaviour (https://github.com/linkerd/linkerd2/issues/7308)

proxyInit.runAsUser

This value is used only if runAsRoot is false; otherwise runAsUser will be 0

proxyInit.skipSubnets

Comma-separated list of subnets in valid CIDR format that should be skipped by the proxy

proxyInit.xtMountPath.mountPath

proxyInit.xtMountPath.name

proxyInjector.caBundle

Bundle of CA certificates for proxy injector. If not provided nor injected with cert-manager, then Helm will use the certificate generated for proxyInjector.crtPEM. If proxyInjector.externalSecret is set to true, this value, injectCaFrom, or injectCaFromSecret must be set, as no certificate will be generated. See the cert-manager CA Injector Docs for more information.

proxyInjector.crtPEM

Certificate for the proxy injector. If not provided and not using an external secret then Helm will generate one.

proxyInjector.externalSecret

Do not create a secret resource for the proxyInjector webhook. If this is set to true, the value proxyInjector.caBundle must be set or the ca bundle must injected with cert-manager ca injector using proxyInjector.injectCaFrom or proxyInjector.injectCaFromSecret (see below).

proxyInjector.injectCaFrom

Inject the CA bundle from a cert-manager Certificate. See the cert-manager CA Injector Docs for more information.

proxyInjector.injectCaFromSecret

Inject the CA bundle from a Secret. If set, the cert-manager.io/inject-ca-from-secret annotation will be added to the webhook. The Secret must have the CA Bundle stored in the ca.crt key and have the cert-manager.io/allow-direct-injection annotation set to true. See the cert-manager CA Injector Docs for more information.

proxyInjector.keyPEM

Certificate key for the proxy injector. If not provided and not using an external secret then Helm will generate one.

proxyInjector.livenessProbe.timeoutSeconds

proxyInjector.namespaceSelector

Namespace selector used by admission webhook.

proxyInjector.objectSelector

Object selector used by admission webhook.

proxyInjector.readinessProbe.timeoutSeconds

proxyInjector.timeoutSeconds

Timeout in seconds before the API Server cancels a request to the proxy injector. If timeout is exceeded, the webhookfailurePolicy is used.

revisionHistoryLimit

Specifies the number of old ReplicaSets to retain to allow rollback.

runtimeClassName

Runtime Class Name for all the pods

spValidator

SP validator configuration

webhookFailurePolicy

Failure policy for the proxy injector

commonLabels

Labels to apply to all resources

createNamespaceMetadataJob

Creates a Job that adds necessary metadata to the extension’s namespace during install; disable if lack of privileges require doing this manually

enablePSP

Create Roles and RoleBindings to associate this extension’s ServiceAccounts to the control plane PSP resource. This requires that enabledPSP is set to true on the control plane install. Note PSP has been deprecated since k8s v1.21

enablePodAntiAffinity

Enables Pod Anti Affinity logic to balance the placement of replicas across hosts and zones for High Availability. Enable this only when you have multiple replicas of components.

gateway.GID

Group id under which the gateway shall be ran

gateway.UID

User id under which the gateway shall be ran

gateway.deploymentAnnotations

Annotations to add to the gateway deployment

gateway.enabled

If the gateway component should be installed

gateway.loadBalancerClass

Set loadBalancerClass on gateway service

gateway.loadBalancerIP

Set loadBalancerIP on gateway service

gateway.loadBalancerSourceRanges

Set loadBalancerSourceRanges on gateway service

gateway.name

The name of the gateway that will be installed

gateway.nodeSelector

Node selectors for the gateway pod

gateway.pauseImage

The pause container to use

gateway.port

The port on which all the gateway will accept incoming traffic

gateway.probe.path

The path that will be used by remote clusters for determining whether the gateway is alive

gateway.probe.port

The port used for liveliness probing

gateway.probe.seconds

The interval (in seconds) between liveness probes

gateway.replicas

Number of replicas for the gateway pod

gateway.serviceAnnotations

Annotations to add to the gateway service

gateway.serviceExternalTrafficPolicy

Set externalTrafficPolicy on gateway service

gateway.serviceType

Service Type of gateway Service

gateway.terminationGracePeriodSeconds

Set terminationGracePeriodSeconds on gateway deployment

gateway.tolerations

Tolerations for the gateway pod

identityTrustDomain

Identity Trust Domain of the certificate authority

imagePullPolicy

Docker imagePullPolicy for all multicluster components

imagePullSecrets

For Private docker registries, authentication is needed. Registry secrets are applied to the respective service accounts

linkerdNamespace

Namespace of linkerd installation

linkerdVersion

Control plane version

localServiceMirror.GID

Group id under which the Service Mirror shall be ran

localServiceMirror.UID

User id under which the Service Mirror shall be ran

localServiceMirror.enablePprof

enables the use of pprof endpoints on control plane component’s admin servers

localServiceMirror.federatedServiceSelector

Label selector for federated service members in the local cluster.

localServiceMirror.image.name

Docker image for the Service mirror component (uses the Linkerd controller image)

localServiceMirror.image.pullPolicy

Pull policy for the Service mirror container image

localServiceMirror.image.version

Tag for the Service mirror container image

localServiceMirror.logFormat

Log format (plain or json)

localServiceMirror.logLevel

Log level for the Multicluster components

localServiceMirror.replicas

Number of local service mirror replicas to run

localServiceMirror.resources

Resources for the Service mirror container

localServiceMirror.serviceMirrorRetryLimit

Number of times local service mirror updates are allowed to be requeued (retried)

namespaceMetadata.image.name

Docker image name for the namespace-metadata instance

namespaceMetadata.image.pullPolicy

Pull policy for the namespace-metadata instance

namespaceMetadata.image.registry

Docker registry for the namespace-metadata instance

namespaceMetadata.image.tag

Docker image tag for the namespace-metadata instance

namespaceMetadata.nodeSelector

Node selectors for the namespace-metadata instance

namespaceMetadata.tolerations

Tolerations for the namespace-metadata instance

podAnnotations

Additional annotations to add to all pods

podLabels

Additional labels to add to all pods

proxyOutboundPort

The port on which the proxy accepts outbound traffic

remoteMirrorServiceAccount

If the remote mirror service account should be installed

remoteMirrorServiceAccountName

The name of the service account used to allow remote clusters to mirror local services

revisionHistoryLimit

Specifies the number of old ReplicaSets to retain to allow rollback.