inject
The inject command is a text transform that modifies Kubernetes manifests passed to it either as a file or as a stream (-) to add a linkerd.io/inject: enabled annotation to eligible resources in the manifest.
When the resulting annotated manifest is applied to the Kubernetes cluster, Linkerd’s proxy autoinjector automatically adds the Linkerd data plane proxies to the corresponding pods.
Note that there is no a priori reason to use this command. In production, these annotations may instead be set by a CI/CD system, or by any other deploy-time mechanism.
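A pre-apply check for the CI/CD case described above, as an added example that is not part of the Linkerd documentation: it reads a JSON manifest and lists the workloads whose pod metadata lacks linkerd.io/inject: enabled, so an unmeshed workload is caught before it is applied. The list of workload kinds, the JSON paths and the sample data are assumptions of this example, and it inspects only the manifest it is given.

```python
import json
import sys

ANNOTATION = "linkerd.io/inject"  # annotation named on this page
WORKLOAD_KINDS = {"Pod", "Deployment", "StatefulSet", "DaemonSet",
                  "ReplicaSet", "ReplicationController", "Job", "CronJob"}
# Where the pod metadata sits for each kind (standard Kubernetes layouts).
TEMPLATE_PATHS = {"Pod": ("metadata",),
                  "CronJob": ("spec", "jobTemplate", "spec", "template", "metadata")}
DEFAULT_PATH = ("spec", "template", "metadata")

# Constructed sample: the shape `kubectl get deploy -o json` returns.
SAMPLE = json.dumps({"kind": "List", "items": [
    {"kind": "Deployment", "metadata": {"name": "web", "namespace": "shop"},
     "spec": {"template": {"metadata": {"annotations": {ANNOTATION: "enabled"}}}}},
    {"kind": "Deployment", "metadata": {"name": "db", "namespace": "shop"},
     "spec": {"template": {"metadata": {}}}},
    {"kind": "Service", "metadata": {"name": "web", "namespace": "shop"}}]})


def resources(doc):
    """Return the resources in a manifest, unwrapping a `kind: List`."""
    return doc.get("items", []) if doc.get("kind") == "List" else [doc]


def pod_annotations(resource):
    """Annotations on the pod (template) metadata, or {} if absent."""
    node = resource
    for key in TEMPLATE_PATHS.get(resource.get("kind"), DEFAULT_PATH):
        node = node.get(key) or {}
    return node.get("annotations") or {}


def unmeshed(manifest_json):
    """Return Kind/namespace/name of workloads lacking inject: enabled."""
    missing = []
    for res in resources(json.loads(manifest_json)):
        meta = res.get("metadata") or {}
        if (res.get("kind") in WORKLOAD_KINDS
                and pod_annotations(res).get(ANNOTATION) != "enabled"):
            missing.append("/".join(
                (res["kind"], meta.get("namespace", "default"), meta.get("name", "?"))))
    return missing


if __name__ == "__main__":  # CI gate: non-zero exit if anything is unmeshed
    bad = unmeshed(sys.stdin.read())
    sys.exit("\n".join(bad) if bad else 0)
```

Run as a script, it reads the manifest from standard input (for example the JSON form of the manifest that is about to be applied) and exits non-zero with the offending workloads listed on standard error.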
Manual injection
Alternatively, this command can also perform the full injection purely on the client side when the --manual flag is enabled. (Prior to Linkerd 2.4, this was the default behavior.)
Examples
# Inject all the deployments in the default namespace.
kubectl get deploy -o yaml | linkerd inject - | kubectl apply -f -
# Inject a file from a remote URL.
linkerd inject https://url.to/yml | kubectl apply -f -
# Inject all the resources inside a folder and its sub-folders.
linkerd inject <folder> | kubectl apply -f -
Flags
Flag | Usage |
---|---|
--admin-port | Proxy port to serve metrics on |
--close-wait-timeout | Sets nf_conntrack_tcp_timeout_close_wait |
--control-port | Proxy port to use for control |
--default-inbound-policy | Inbound policy to use to control inbound access to the proxy |
--disable-identity | Disables resources from participating in TLS identity |
--enable-debug-sidecar | Inject a debug sidecar for data plane debugging |
--enable-external-profiles | Enable service profiles for non-Kubernetes services |
--ignore-cluster | Ignore the current Kubernetes cluster when checking for existing cluster configuration (default false) |
--image-pull-policy | Docker image pull policy |
--inbound-port | Proxy port to use for inbound traffic |
--ingress | Enable ingress mode in the linkerd proxy |
--init-image | Linkerd init container image name |
--init-image-version | Linkerd init container image version |
--manual | Include the proxy sidecar container spec in the YAML output (the auto-injector won’t pick it up, so config annotations aren’t supported) (default false) |
--native-sidecar | Enable native sidecar |
--opaque-ports | Set opaque ports on the proxy |
--outbound-port | Proxy port to use for outbound traffic |
--output -o | Output format, one of: json\|yaml |
--proxy-cpu | Amount of CPU units that the proxy sidecar requests |
--proxy-cpu-limit | Maximum amount of CPU units that the proxy sidecar can use |
--proxy-cpu-request | Amount of CPU units that the proxy sidecar requests |
--proxy-gid | Run the proxy under this group ID |
--proxy-image | Linkerd proxy container image name |
--proxy-log-level | Log level for the proxy |
--proxy-memory | Amount of Memory that the proxy sidecar requests |
--proxy-memory-limit | Maximum amount of Memory that the proxy sidecar can use |
--proxy-memory-request | Amount of Memory that the proxy sidecar requests |
--proxy-uid | Run the proxy under this user ID |
--proxy-version -v | Tag to be used for the Linkerd proxy images |
--registry | Docker registry to pull images from ($LINKERD_DOCKER_REGISTRY) |
--require-identity-on-inbound-ports | Inbound ports on which the proxy should require identity |
--skip-inbound-ports | Ports and/or port ranges (inclusive) that should skip the proxy and send directly to the application |
--skip-outbound-ports | Outbound ports and/or port ranges (inclusive) that should skip the proxy |
--wait-before-exit-seconds | The period during which the proxy sidecar must stay alive while its pod is terminating. Must be smaller than terminationGracePeriodSeconds for the pod (default 0) |