upgrade

Output Kubernetes configs to upgrade an existing Linkerd control plane.

Note that the default flag values for this command come from the Linkerd control plane. The default values displayed in the Flags section below only apply to the install command.

The upgrade can be configured by using the –set, –values, –set-string and –set-file flags. A full list of configurable values can be found at https://www.github.com/linkerd/linkerd2/tree/main/charts/linkerd2/README.md

Examples

  1. # Upgrade CRDs first
  2. linkerd upgrade --crds | kubectl apply --prune --prune-whitelist=apiextensions.k8s.io/v1/customresourcedefinitions
  3. # Then upgrade the controle-plane and remove linkerd resources that no longer exist in the current version
  4. linkerd upgrade | kubectl apply --prune -l linkerd.io/control-plane-ns=linkerd -f -
  5. # Then run this again to make sure that certain cluster-scoped resources are correctly pruned
  6. linkerd upgrade | kubectl apply --prune -l linkerd.io/control-plane-ns=linkerd \
  7. --prune-whitelist=rbac.authorization.k8s.io/v1/clusterrole \
  8. --prune-whitelist=rbac.authorization.k8s.io/v1/clusterrolebinding \
  9. --prune-whitelist=apiregistration.k8s.io/v1/apiservice -f -

Flags

FlagUsage
—admin-portProxy port to serve metrics on
—control-plane-tracingEnables Control Plane Tracing with the defaults
—control-plane-tracing-namespaceSend control plane traces to Linkerd-Jaeger extension in this namespace
—control-portProxy port to use for control
—controller-log-levelLog level for the controller and web components
—controller-replicasReplicas of the controller to deploy
—controller-uidRun the control plane components under this user ID
—crdsUpgrade Linkerd CRDs
—default-inbound-policyInbound policy to use to control inbound access to the proxy
—disable-h2-upgradePrevents the controller from instructing proxies to perform transparent HTTP/2 upgrading (default false)
—disable-heartbeatDisables the heartbeat cronjob (default false)
—enable-endpoint-slicesEnables the usage of EndpointSlice informers and resources for destination service
—enable-external-profilesEnable service profiles for non-Kubernetes services
—forceForce upgrade operation even when issuer certificate does not work with the trust anchors of all proxies
—from-manifestsRead config from a Linkerd install YAML rather than from Kubernetes
—haEnable HA deployment config for the control plane (default false)
—identity-clock-skew-allowanceThe amount of time to allow for clock skew within a Linkerd cluster
—identity-issuance-lifetimeThe amount of time for which the Identity issuer should certify identity
—identity-issuer-certificate-fileA path to a PEM-encoded file containing the Linkerd Identity issuer certificate (generated by default)
—identity-issuer-key-fileA path to a PEM-encoded file containing the Linkerd Identity issuer private key (generated by default)
—identity-trust-anchors-fileA path to a PEM-encoded file containing Linkerd Identity trust anchors (generated by default)
—image-pull-policyDocker image pull policy
—inbound-portProxy port to use for inbound traffic
—init-imageLinkerd init container image name
—init-image-versionLinkerd init container image version
—linkerd-cni-enabledOmit the NET_ADMIN capability in the PSP and the proxy-init container when injecting the proxy; requires the linkerd-cni plugin to already be installed
—outbound-portProxy port to use for outbound traffic
—proxy-cpuAmount of CPU units that the proxy sidecar requests
—proxy-cpu-limitMaximum amount of CPU units that the proxy sidecar can use
—proxy-cpu-requestAmount of CPU units that the proxy sidecar requests
—proxy-imageLinkerd proxy container image name
—proxy-log-levelLog level for the proxy
—proxy-memoryAmount of Memory that the proxy sidecar requests
—proxy-memory-limitMaximum amount of Memory that the proxy sidecar can use
—proxy-memory-requestAmount of Memory that the proxy sidecar requests
—proxy-uidRun the proxy under this user ID
—proxy-version
-v
Tag to be used for the Linkerd proxy images
—registryDocker registry to pull images from ($LINKERD_DOCKER_REGISTRY)
—setset values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2)
—set-fileset values from respective files specified via the command line (can specify multiple or separate values with commas: key1=path1,key2=path2)
—set-stringset STRING values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2)
—skip-inbound-portsPorts and/or port ranges (inclusive) that should skip the proxy and send directly to the application
—skip-outbound-portsOutbound ports and/or port ranges (inclusive) that should skip the proxy
—values
-f
specify values in a YAML file or a URL (can specify multiple)