inject

The inject command modifies Kubernetes manifests that are passed to it either as a file (-f) or as a stream (-). It adds two containers to the pod spec of the manifest. Any resource types that do not need modification or are not supported, such as a Service, are skipped over. The two containers added are:

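  1. An initContainer, linkerd-init, which is responsible for configuring iptables so that incoming and outgoing traffic is forwarded through the proxy. To do this it runs as root with the NET_ADMIN capability, as its securityContext in the output below shows.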

  2. A container, linkerd-proxy, that runs the Linkerd proxy.

Let’s say for example you have the following deployment saved as deployment.yaml:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx
spec:
  selector:
    matchLabels:
      app: nginx
  replicas: 1
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
      - name: nginx
        image: nginx
        ports:
        - containerPort: 80

Now, we can run the inject command as follows:

linkerd inject -f deployment.yaml

The output should look like the following:

apiVersion: apps/v1
kind: Deployment
metadata:
  creationTimestamp: null
  name: nginx
spec:
  replicas: 1
  selector:
    matchLabels:
      app: nginx
  strategy: {}
  template:
    metadata:
      annotations:
        linkerd.io/created-by: linkerd/cli edge-19.2.2
        linkerd.io/proxy-version: edge-19.2.2
      creationTimestamp: null
      labels:
        app: nginx
        linkerd.io/control-plane-ns: linkerd
        linkerd.io/proxy-deployment: nginx
    spec:
      containers:
      - image: nginx
        name: nginx
        ports:
        - containerPort: 80
        resources: {}
      - env:
        - name: LINKERD2_PROXY_LOG
          value: warn,linkerd2_proxy=info
        - name: LINKERD2_PROXY_CONTROL_URL
          value: tcp://linkerd-proxy-api.linkerd.svc.cluster.local:8086
        - name: LINKERD2_PROXY_CONTROL_LISTENER
          value: tcp://0.0.0.0:4190
        - name: LINKERD2_PROXY_METRICS_LISTENER
          value: tcp://0.0.0.0:4191
        - name: LINKERD2_PROXY_OUTBOUND_LISTENER
          value: tcp://127.0.0.1:4140
        - name: LINKERD2_PROXY_INBOUND_LISTENER
          value: tcp://0.0.0.0:4143
        - name: LINKERD2_PROXY_DESTINATION_PROFILE_SUFFIXES
          value: .
        - name: LINKERD2_PROXY_POD_NAMESPACE
          valueFrom:
            fieldRef:
              fieldPath: metadata.namespace
        - name: LINKERD2_PROXY_INBOUND_ACCEPT_KEEPALIVE
          value: 10000ms
        - name: LINKERD2_PROXY_OUTBOUND_CONNECT_KEEPALIVE
          value: 10000ms
        - name: LINKERD2_PROXY_ID
          value: nginx.deployment.$LINKERD2_PROXY_POD_NAMESPACE.linkerd-managed.linkerd.svc.cluster.local
        image: gcr.io/linkerd-io/proxy:edge-19.2.2
        imagePullPolicy: IfNotPresent
        livenessProbe:
          httpGet:
            path: /metrics
            port: 4191
          initialDelaySeconds: 10
        name: linkerd-proxy
        ports:
        - containerPort: 4143
          name: linkerd-proxy
        - containerPort: 4191
          name: linkerd-metrics
        readinessProbe:
          httpGet:
            path: /metrics
            port: 4191
          initialDelaySeconds: 10
        resources: {}
        securityContext:
          runAsUser: 2102
        terminationMessagePolicy: FallbackToLogsOnError
      initContainers:
      - args:
        - --incoming-proxy-port
        - "4143"
        - --outgoing-proxy-port
        - "4140"
        - --proxy-uid
        - "2102"
        - --inbound-ports-to-ignore
        - 4190,4191
        image: gcr.io/linkerd-io/proxy-init:edge-19.2.2
        imagePullPolicy: IfNotPresent
        name: linkerd-init
        resources: {}
        securityContext:
          capabilities:
            add:
            - NET_ADMIN
          privileged: false
          runAsNonRoot: false
          runAsUser: 0
        terminationMessagePolicy: FallbackToLogsOnError
status: {}
---
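
The following is an added example, not part of the Linkerd documentation or the Linkerd code base: a review check over an injected pod template that confirms what the sample output above shows (linkerd-init adds only NET_ADMIN and is not privileged, linkerd-proxy runs as the --proxy-uid, and both images carry the tag in the linkerd.io/proxy-version annotation). The name audit_injected and the SAMPLE data are assumptions made for illustration; the input is one workload in JSON form, for example as produced by kubectl with -o json.

```python
def audit_injected(workload, proxy_uid=2102):
    """Return findings for one injected workload; an empty list means it matches the sample."""
    tmpl = workload["spec"]["template"]
    spec = tmpl["spec"]
    version = tmpl["metadata"].get("annotations", {}).get("linkerd.io/proxy-version")
    apps = {c["name"]: c for c in spec.get("containers", [])}
    proxy = apps.pop("linkerd-proxy", None)
    init = next((c for c in spec.get("initContainers", []) if c["name"] == "linkerd-init"), None)
    if proxy is None:
        return ["linkerd-proxy missing: workload is not injected"]
    findings = []
    if init is None:
        findings.append("linkerd-init missing: expected only with --linkerd-cni-enabled")
    else:
        sc = init.get("securityContext", {})
        added = sc.get("capabilities", {}).get("add", [])
        if sc.get("privileged") or added != ["NET_ADMIN"]:
            findings.append(f"linkerd-init privileges wider than NET_ADMIN: add={added}")
        args = init.get("args", [])
        i = args.index("--proxy-uid") if "--proxy-uid" in args else -1
        if i < 0 or args[i + 1:i + 2] != [str(proxy_uid)]:
            findings.append("linkerd-init --proxy-uid does not match the expected proxy UID")
    if proxy.get("securityContext", {}).get("runAsUser") != proxy_uid:
        findings.append("linkerd-proxy does not run as the expected proxy UID")
    # proxy-init exempts traffic owned by the proxy UID from redirection, so an
    # application container sharing that UID would bypass the proxy.
    for name, c in apps.items():
        if c.get("securityContext", {}).get("runAsUser") == proxy_uid:
            findings.append(f"{name} runs as the proxy UID")
    for c in filter(None, (init, proxy)):
        if not version or not c.get("image", "").endswith(":" + version):
            findings.append(f"{c['name']} image tag differs from linkerd.io/proxy-version")
    return findings

# Constructed sample: only the security-relevant fields of the injected output above.
SAMPLE = {"spec": {"template": {
    "metadata": {"annotations": {"linkerd.io/proxy-version": "edge-19.2.2"}},
    "spec": {
        "containers": [{"name": "nginx", "image": "nginx"},
            {"name": "linkerd-proxy", "image": "gcr.io/linkerd-io/proxy:edge-19.2.2",
             "securityContext": {"runAsUser": 2102}}],
        "initContainers": [
            {"name": "linkerd-init", "image": "gcr.io/linkerd-io/proxy-init:edge-19.2.2",
             "args": ["--incoming-proxy-port", "4143", "--outgoing-proxy-port", "4140",
                      "--proxy-uid", "2102", "--inbound-ports-to-ignore", "4190,4191"],
             "securityContext": {"capabilities": {"add": ["NET_ADMIN"]}, "privileged": False}}]}}}}

if __name__ == "__main__":
    print(audit_injected(SAMPLE) or "no findings")
```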

Examples

# Inject all the deployments in the default namespace.
kubectl get deploy -o yaml | linkerd inject - | kubectl apply -f -

# Download a resource and inject it through stdin.
curl http://url.to/yml | linkerd inject - | kubectl apply -f -

# Inject all the resources inside a folder and its sub-folders.
linkerd inject <folder> | kubectl apply -f -

Flags

Flag                          Usage
--api-port                    Port where the Linkerd controller’s destination API is running
--control-port                Proxy port to use for control
--disable-external-profiles   Disables service profiles for non-Kubernetes services
--image-pull-policy           Docker image pull policy
--inbound-port                Proxy port to use for inbound traffic
--init-image                  Linkerd init container image name
--linkerd-cni-enabled         Experimental: Omit the proxy-init container when injecting the proxy; requires the linkerd-cni plugin to already be installed
--linkerd-version, -v         Tag to be used for Linkerd images
--metrics-port                Proxy port to serve metrics on
--outbound-port               Proxy port to use for outbound traffic
--proxy-cpu                   Amount of CPU units that the proxy sidecar requests
--proxy-image                 Linkerd proxy container image name
--proxy-log-level             Log level for the proxy
--proxy-memory                Amount of Memory that the proxy sidecar requests
--proxy-uid                   Run the proxy under this user ID
--registry                    Docker registry to pull images from
--skip-inbound-ports          Ports that should skip the proxy and send directly to the application
--skip-outbound-ports         Outbound ports that should skip the proxy
--tls                         Enable TLS; valid settings: “optional”