install

Output Kubernetes configs to install Linkerd.

This command provides all Kubernetes configs necessary to install the Linkerd control plane.

For further details on how to install Linkerd onto your own cluster, check out the install documentation.

Examples

# Default install.
linkerd install | kubectl apply -f -

# Install Linkerd into a non-default namespace.
linkerd install -l linkerdtest | kubectl apply -f -

# Installation may also be broken up into two stages by user privilege, via
# subcommands.

Flags

Flag Usage
--admin-port Proxy port to serve metrics on
--cluster-domain Set custom cluster domain
--control-plane-tracing Enables Control Plane Tracing with the defaults
--control-plane-version (Development) Tag to be used for the control plane component images
--control-port Proxy port to use for control
--controller-log-level Log level for the controller and web components
--controller-replicas Replicas of the controller to deploy
--controller-uid Run the control plane components under this user ID
--disable-h2-upgrade Prevents the controller from instructing proxies to perform transparent HTTP/2 upgrading (default false)
--disable-heartbeat Disables the heartbeat cronjob (default false)
--enable-external-profiles Enable service profiles for non-Kubernetes services
--ha Enable HA deployment config for the control plane (default false)
--identity-clock-skew-allowance The amount of time to allow for clock skew within a Linkerd cluster
--identity-external-issuer Whether to use an external identity issuer (default false)
--identity-issuance-lifetime The amount of time for which the Identity issuer should certify identity
--identity-issuer-certificate-file A path to a PEM-encoded file containing the Linkerd Identity issuer certificate (generated by default)
--identity-issuer-key-file A path to a PEM-encoded file containing the Linkerd Identity issuer private key (generated by default)
--identity-trust-anchors-file A path to a PEM-encoded file containing Linkerd Identity trust anchors (generated by default)
--identity-trust-domain Configures the name suffix used for identities.
--ignore-cluster Ignore the current Kubernetes cluster when checking for existing cluster configuration (default false)
--image-pull-policy Docker image pull policy
--inbound-port Proxy port to use for inbound traffic
--init-image Linkerd init container image name
--init-image-version Linkerd init container image version
--linkerd-cni-enabled Experimental: Omit the NET_ADMIN capability in the PSP and the proxy-init container when injecting the proxy; requires the linkerd-cni plugin to already be installed
--omit-webhook-side-effects Omit the sideEffects flag in the webhook manifests. This flag must be provided during install or upgrade for Kubernetes versions pre 1.12
--outbound-port Proxy port to use for outbound traffic
--proxy-cpu Amount of CPU units that the proxy sidecar requests
--proxy-cpu-limit Maximum amount of CPU units that the proxy sidecar can use
--proxy-cpu-request Amount of CPU units that the proxy sidecar requests
--proxy-image Linkerd proxy container image name
--proxy-log-level Log level for the proxy
--proxy-memory Amount of Memory that the proxy sidecar requests
--proxy-memory-limit Maximum amount of Memory that the proxy sidecar can use
--proxy-memory-request Amount of Memory that the proxy sidecar requests
--proxy-uid Run the proxy under this user ID
--proxy-version, -v Tag to be used for the Linkerd proxy images
--registry Docker registry to pull images from
--restrict-dashboard-privileges Restrict the Linkerd Dashboard’s default privileges to disallow Tap
--skip-inbound-ports Ports that should skip the proxy and send directly to the application
--skip-outbound-ports Outbound ports that should skip the proxy

Subcommands

Install supports subcommands as part of the Multi-stage install feature.

config

Output Kubernetes cluster-wide resources to install Linkerd.

This command provides Kubernetes configs necessary to install cluster-wide resources for the Linkerd control plane. This command should be followed by “linkerd install control-plane”.

Examples

# Default install.
linkerd install config | kubectl apply -f -

# Install Linkerd into a non-default namespace.
linkerd install config -l linkerdtest | kubectl apply -f -

Flags

Flag Usage
--linkerd-cni-enabled Experimental: Omit the NET_ADMIN capability in the PSP and the proxy-init container when injecting the proxy; requires the linkerd-cni plugin to already be installed
--restrict-dashboard-privileges Restrict the Linkerd Dashboard’s default privileges to disallow Tap

control-plane

Output Kubernetes control plane resources to install Linkerd.

This command provides Kubernetes configs necessary to install the Linkerd control plane. It should be run after “linkerd install config”.

Examples

# Default install.
linkerd install control-plane | kubectl apply -f -

# Install Linkerd into a non-default namespace.
linkerd install control-plane -l linkerdtest | kubectl apply -f -
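
Each stage can also be rendered to a file and reviewed before it is applied, instead of being piped straight into kubectl. The following is an added example, not part of the Linkerd documentation: it reports which cluster-scoped kinds a rendered stage contains (and therefore what privilege applying it needs) and whether NET_ADMIN is still mentioned, for instance after rendering with --linkerd-cni-enabled. The function names, the kind list and the sample manifest are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the Linkerd docs. The manifest below is constructed.

# Standard cluster-scoped Kubernetes kinds; extend the list for your cluster.
CLUSTER_KINDS="Namespace ClusterRole ClusterRoleBinding CustomResourceDefinition PodSecurityPolicy MutatingWebhookConfiguration ValidatingWebhookConfiguration"

# cluster_scoped_kinds FILE: print "Kind count" for each cluster-scoped kind.
# Only top-level (column 0) "kind:" lines count, so the indented "kind:" of a
# roleRef or subject is not mistaken for a resource.
cluster_scoped_kinds() {
  awk -v kinds="$CLUSTER_KINDS" '
    BEGIN { n = split(kinds, k, " "); for (i = 1; i <= n; i++) want[k[i]] = 1 }
    /^kind:/ { if ($2 in want) seen[$2]++ }
    END { for (i = 1; i <= n; i++) if (k[i] in seen) print k[i], seen[k[i]] }
  ' "$1"
}

# net_admin_lines FILE: number of lines that mention NET_ADMIN.
net_admin_lines() {
  grep -c 'NET_ADMIN' "$1" || true
}

# Constructed sample standing in for `linkerd install config > stage1.yaml`.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
kind: Namespace
apiVersion: v1
metadata:
  name: linkerdtest
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: sample-binding
roleRef:
  kind: ClusterRole
  name: sample-role
---
kind: PodSecurityPolicy
apiVersion: policy/v1beta1
metadata:
  name: sample-psp
spec:
  allowedCapabilities:
  - NET_ADMIN
EOF

cluster_scoped_kinds "$SAMPLE"
echo "NET_ADMIN lines: $(net_admin_lines "$SAMPLE")"
```

Run the same two functions against the real rendered file for each stage and apply it with kubectl only after the report matches what that stage's operator is expected to create.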

Flags

Flag Usage
--admin-port Proxy port to serve metrics on
--cluster-domain Set custom cluster domain
--control-plane-tracing Enables Control Plane Tracing with the defaults
--control-plane-version (Development) Tag to be used for the control plane component images
--control-port Proxy port to use for control
--controller-log-level Log level for the controller and web components
--controller-replicas Replicas of the controller to deploy
--controller-uid Run the control plane components under this user ID
--disable-h2-upgrade Prevents the controller from instructing proxies to perform transparent HTTP/2 upgrading (default false)
--disable-heartbeat Disables the heartbeat cronjob (default false)
--enable-external-profiles Enable service profiles for non-Kubernetes services
--ha Enable HA deployment config for the control plane (default false)
--identity-clock-skew-allowance The amount of time to allow for clock skew within a Linkerd cluster
--identity-external-issuer Whether to use an external identity issuer (default false)
--identity-issuance-lifetime The amount of time for which the Identity issuer should certify identity
--identity-issuer-certificate-file A path to a PEM-encoded file containing the Linkerd Identity issuer certificate (generated by default)
--identity-issuer-key-file A path to a PEM-encoded file containing the Linkerd Identity issuer private key (generated by default)
--identity-trust-anchors-file A path to a PEM-encoded file containing Linkerd Identity trust anchors (generated by default)
--identity-trust-domain Configures the name suffix used for identities.
--image-pull-policy Docker image pull policy
--inbound-port Proxy port to use for inbound traffic
--init-image Linkerd init container image name
--init-image-version Linkerd init container image version
--linkerd-cni-enabled Experimental: Omit the NET_ADMIN capability in the PSP and the proxy-init container when injecting the proxy; requires the linkerd-cni plugin to already be installed
--omit-webhook-side-effects Omit the sideEffects flag in the webhook manifests. This flag must be provided during install or upgrade for Kubernetes versions pre 1.12
--outbound-port Proxy port to use for outbound traffic
--proxy-cpu Amount of CPU units that the proxy sidecar requests
--proxy-cpu-limit Maximum amount of CPU units that the proxy sidecar can use
--proxy-cpu-request Amount of CPU units that the proxy sidecar requests
--proxy-image Linkerd proxy container image name
--proxy-log-level Log level for the proxy
--proxy-memory Amount of Memory that the proxy sidecar requests
--proxy-memory-limit Maximum amount of Memory that the proxy sidecar can use
--proxy-memory-request Amount of Memory that the proxy sidecar requests
--proxy-uid Run the proxy under this user ID
--proxy-version, -v Tag to be used for the Linkerd proxy images
--registry Docker registry to pull images from
--restrict-dashboard-privileges Restrict the Linkerd Dashboard’s default privileges to disallow Tap
--skip-checks Skip checks for namespace existence
--skip-inbound-ports Ports that should skip the proxy and send directly to the application
--skip-outbound-ports Outbound ports that should skip the proxy