inject

The inject command is a text transform that modifies Kubernetes manifests passed to it either as a file or as a stream (-) to adds a linkerd.io/inject: enabled annotation to eligible resources in the manifest. When the resulting annotated manifest is applied to the Kubernetes cluster, Linkerd’s proxy autoinjector automatically adds the Linkerd data plane proxies to the corresponding pods.

Note that there is no a priori reason to use this command. In production, these annotations may be instead set by a CI/CD system, or any other deploy-time mechanism.

Manual injection

Alternatively, this command can also perform the full injection purely on the client side, by enabling with the --manual flag. (Prior to Linkerd 2.4, this was the default behavior.)

Examples

  1. # Inject all the deployments in the default namespace.
  2. kubectl get deploy -o yaml | linkerd inject - | kubectl apply -f -
  3. # Injecting a file from a remote URL
  4. linkerd inject https://url.to/yml | kubectl apply -f -
  5. # Inject all the resources inside a folder and its sub-folders.
  6. linkerd inject <folder> | kubectl apply -f -

Flags

FlagUsage
—admin-portProxy port to serve metrics on
—close-wait-timeoutSets nf_conntrack_tcp_timeout_close_wait
—control-portProxy port to use for control
—default-inbound-policyInbound policy to use to control inbound access to the proxy
—disable-identityDisables resources from participating in TLS identity
—enable-debug-sidecarInject a debug sidecar for data plane debugging
—enable-external-profilesEnable service profiles for non-Kubernetes services
—ignore-clusterIgnore the current Kubernetes cluster when checking for existing cluster configuration (default false)
—image-pull-policyDocker image pull policy
—inbound-portProxy port to use for inbound traffic
—ingressEnable ingress mode in the linkerd proxy
—init-imageLinkerd init container image name
—init-image-versionLinkerd init container image version
—manualInclude the proxy sidecar container spec in the YAML output (the auto-injector won’t pick it up, so config annotations aren’t supported) (default false)
—native-sidecarEnable native sidecar
—opaque-portsSet opaque ports on the proxy
—outbound-portProxy port to use for outbound traffic
—output
-o
Output format, one of: json|yaml
—proxy-cpuAmount of CPU units that the proxy sidecar requests
—proxy-cpu-limitMaximum amount of CPU units that the proxy sidecar can use
—proxy-cpu-requestAmount of CPU units that the proxy sidecar requests
—proxy-gidRun the proxy under this group ID
—proxy-imageLinkerd proxy container image name
—proxy-log-levelLog level for the proxy
—proxy-memoryAmount of Memory that the proxy sidecar requests
—proxy-memory-limitMaximum amount of Memory that the proxy sidecar can use
—proxy-memory-requestAmount of Memory that the proxy sidecar requests
—proxy-uidRun the proxy under this user ID
—proxy-version
-v
Tag to be used for the Linkerd proxy images
—registryDocker registry to pull images from ($LINKERD_DOCKER_REGISTRY)
—require-identity-on-inbound-portsInbound ports on which the proxy should require identity
—skip-inbound-portsPorts and/or port ranges (inclusive) that should skip the proxy and send directly to the application
—skip-outbound-portsOutbound ports and/or port ranges (inclusive) that should skip the proxy
—wait-before-exit-secondsThe period during which the proxy sidecar must stay alive while its pod is terminating. Must be smaller than terminationGracePeriodSeconds for the pod (default 0)