Feb 21, 2024: Announcing Linkerd 2.15 with support for VM workloads, native sidecars, and SPIFFE! Read more »

This is not the latest version of Linkerd!
This documentation is for an older version of Linkerd. You may want the Linkerd 2.15 (current) documentation instead.

upgrade

Output Kubernetes configs to upgrade an existing Linkerd control plane.

Note that the default flag values for this command come from the Linkerd control plane. The default values displayed in the Flags section below only apply to the install command.

The upgrade can be configured by using the –set, –values, –set-string and –set-file flags. A full list of configurable values can be found at https://www.github.com/linkerd/linkerd2/tree/main/charts/linkerd2/README.md

Examples

# Default upgrade - also removes linkerd resources that no longer exist in the current version
linkerd upgrade | kubectl apply --prune -l linkerd.io/control-plane-ns=linkerd -f -

# Then run this again to make sure that certain cluster-scoped resources are correctly pruned
linkerd upgrade | kubectl apply --prune -l linkerd.io/control-plane-ns=linkerd \
--prune-whitelist=rbac.authorization.k8s.io/v1/clusterrole \
--prune-whitelist=rbac.authorization.k8s.io/v1/clusterrolebinding \
--prune-whitelist=apiregistration.k8s.io/v1/apiservice -f -

# Similar to install, upgrade may also be broken up into two stages, by user
# privilege.

Flags

Flag Usage
--admin-port Proxy port to serve metrics on
--control-plane-tracing Enables Control Plane Tracing with the defaults
--control-plane-tracing-namespace Send control plane traces to Linkerd-Jaeger extension in this namespace
--control-plane-version Tag to be used for the control plane component images
--control-port Proxy port to use for control
--controller-log-level Log level for the controller and web components
--controller-replicas Replicas of the controller to deploy
--controller-uid Run the control plane components under this user ID
--disable-h2-upgrade Prevents the controller from instructing proxies to perform transparent HTTP/2 upgrading (default false)
--disable-heartbeat Disables the heartbeat cronjob (default false)
--enable-endpoint-slices Enables the usage of EndpointSlice informers and resources for destination service
--enable-external-profiles Enable service profiles for non-Kubernetes services
--force Force upgrade operation even when issuer certificate does not work with the trust anchors of all proxies
--from-manifests Read config from a Linkerd install YAML rather than from Kubernetes
--ha Enable HA deployment config for the control plane (default false)
--identity-clock-skew-allowance The amount of time to allow for clock skew within a Linkerd cluster
--identity-issuance-lifetime The amount of time for which the Identity issuer should certify identity
--identity-issuer-certificate-file A path to a PEM-encoded file containing the Linkerd Identity issuer certificate (generated by default)
--identity-issuer-key-file A path to a PEM-encoded file containing the Linkerd Identity issuer private key (generated by default)
--identity-trust-anchors-file A path to a PEM-encoded file containing Linkerd Identity trust anchors (generated by default)
--image-pull-policy Docker image pull policy
--inbound-port Proxy port to use for inbound traffic
--init-image Linkerd init container image name
--init-image-version Linkerd init container image version
--linkerd-cni-enabled Omit the NET_ADMIN capability in the PSP and the proxy-init container when injecting the proxy; requires the linkerd-cni plugin to already be installed
--outbound-port Proxy port to use for outbound traffic
--proxy-cpu Amount of CPU units that the proxy sidecar requests
--proxy-cpu-limit Maximum amount of CPU units that the proxy sidecar can use
--proxy-cpu-request Amount of CPU units that the proxy sidecar requests
--proxy-image Linkerd proxy container image name
--proxy-log-level Log level for the proxy
--proxy-memory Amount of Memory that the proxy sidecar requests
--proxy-memory-limit Maximum amount of Memory that the proxy sidecar can use
--proxy-memory-request Amount of Memory that the proxy sidecar requests
--proxy-uid Run the proxy under this user ID
--proxy-version
-v 		Tag to be used for the Linkerd proxy images
--registry Docker registry to pull images from ($LINKERD_DOCKER_REGISTRY)
--set set values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2)
--set-file set values from respective files specified via the command line (can specify multiple or separate values with commas: key1=path1,key2=path2)
--set-string set STRING values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2)
--skip-inbound-ports Ports and/or port ranges (inclusive) that should skip the proxy and send directly to the application
--skip-outbound-ports Outbound ports and/or port ranges (inclusive) that should skip the proxy
--values
-f 		specify values in a YAML file or a URL (can specify multiple)

Subcommands

Upgrade supports subcommands as part of the Multi-stage install feature.

config

Output Kubernetes cluster-wide resources to upgrade an existing Linkerd.

Note that this command should be followed by “linkerd upgrade control-plane”.

The upgrade can be configured by using the –set, –values, –set-string and –set-file flags. A full list of configurable values can be found at https://www.github.com/linkerd/linkerd2/tree/main/charts/linkerd2/README.md

Examples

# Default upgrade.
linkerd upgrade config | kubectl apply -f -

Flags

Flag Usage
--linkerd-cni-enabled Omit the NET_ADMIN capability in the PSP and the proxy-init container when injecting the proxy; requires the linkerd-cni plugin to already be installed
--set set values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2)
--set-file set values from respective files specified via the command line (can specify multiple or separate values with commas: key1=path1,key2=path2)
--set-string set STRING values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2)
--values
-f 		specify values in a YAML file or a URL (can specify multiple)

control-plane

Output Kubernetes control plane resources to upgrade an existing Linkerd.

Note that the default flag values for this command come from the Linkerd control plane. The default values displayed in the Flags section below only apply to the install command. It should be run after “linkerd upgrade config”.

The upgrade can be configured by using the –set, –values, –set-string and –set-file flags. A full list of configurable values can be found at https://www.github.com/linkerd/linkerd2/tree/main/charts/linkerd2/README.md

Examples

# Default upgrade.
linkerd upgrade control-plane | kubectl apply -f -

Flags

Flag Usage
--admin-port Proxy port to serve metrics on
--control-plane-tracing Enables Control Plane Tracing with the defaults
--control-plane-tracing-namespace Send control plane traces to Linkerd-Jaeger extension in this namespace
--control-plane-version Tag to be used for the control plane component images
--control-port Proxy port to use for control
--controller-log-level Log level for the controller and web components
--controller-replicas Replicas of the controller to deploy
--controller-uid Run the control plane components under this user ID
--disable-h2-upgrade Prevents the controller from instructing proxies to perform transparent HTTP/2 upgrading (default false)
--disable-heartbeat Disables the heartbeat cronjob (default false)
--enable-endpoint-slices Enables the usage of EndpointSlice informers and resources for destination service
--enable-external-profiles Enable service profiles for non-Kubernetes services
--ha Enable HA deployment config for the control plane (default false)
--identity-clock-skew-allowance The amount of time to allow for clock skew within a Linkerd cluster
--identity-issuance-lifetime The amount of time for which the Identity issuer should certify identity
--identity-issuer-certificate-file A path to a PEM-encoded file containing the Linkerd Identity issuer certificate (generated by default)
--identity-issuer-key-file A path to a PEM-encoded file containing the Linkerd Identity issuer private key (generated by default)
--identity-trust-anchors-file A path to a PEM-encoded file containing Linkerd Identity trust anchors (generated by default)
--image-pull-policy Docker image pull policy
--inbound-port Proxy port to use for inbound traffic
--init-image Linkerd init container image name
--init-image-version Linkerd init container image version
--linkerd-cni-enabled Omit the NET_ADMIN capability in the PSP and the proxy-init container when injecting the proxy; requires the linkerd-cni plugin to already be installed
--outbound-port Proxy port to use for outbound traffic
--proxy-cpu Amount of CPU units that the proxy sidecar requests
--proxy-cpu-limit Maximum amount of CPU units that the proxy sidecar can use
--proxy-cpu-request Amount of CPU units that the proxy sidecar requests
--proxy-image Linkerd proxy container image name
--proxy-log-level Log level for the proxy
--proxy-memory Amount of Memory that the proxy sidecar requests
--proxy-memory-limit Maximum amount of Memory that the proxy sidecar can use
--proxy-memory-request Amount of Memory that the proxy sidecar requests
--proxy-uid Run the proxy under this user ID
--proxy-version
-v 		Tag to be used for the Linkerd proxy images
--registry Docker registry to pull images from ($LINKERD_DOCKER_REGISTRY)
--set set values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2)
--set-file set values from respective files specified via the command line (can specify multiple or separate values with commas: key1=path1,key2=path2)
--set-string set STRING values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2)
--skip-inbound-ports Ports and/or port ranges (inclusive) that should skip the proxy and send directly to the application
--skip-outbound-ports Outbound ports and/or port ranges (inclusive) that should skip the proxy
--values
-f 		specify values in a YAML file or a URL (can specify multiple)