diff --git a/.devcontainer/Dockerfile b/.devcontainer/Dockerfile index 455e310b3..f870d17e4 100644 --- a/.devcontainer/Dockerfile +++ b/.devcontainer/Dockerfile @@ -91,6 +91,7 @@ ARG TOOLS_GO_VERSION ARG TOOLS_K9S_VERSION ARG TOOLS_KIND_VERSION ARG TOOLS_ISTIO_VERSION +ARG TOOLS_LINKERD_VERSION ARG TOOLS_ARGO_CD_VERSION ARG TOOLS_KUBECTL_VERSION ARG ARCH=${TARGETARCH:-amd64} @@ -124,6 +125,11 @@ RUN curl -L https://istio.io/downloadIstio | ISTIO_VERSION=${TOOLS_ISTIO_VERSION && mv istio-*/bin/istioctl /usr/local/bin/istioctl \ && rm -rf istio-* +# Install Linkerd Edge +RUN curl -sL https://run.linkerd.io/install-edge | LINKERD2_VERSION=${TOOLS_LINKERD_VERSION} TARGET_ARCH=${ARCH} sh \ + && mv ~/.linkerd2/bin/linkerd /usr/local/bin/linkerd \ + && rm -rf ~/.linkerd2 + # Install kind RUN curl -Lo ./kind https://kind.sigs.k8s.io/dl/v0.27.0/kind-$(uname)-${ARCH} \ && chmod +x ./kind \ diff --git a/.devcontainer/devcontainer.json b/.devcontainer/devcontainer.json index 54c1b1b2f..3cd62dd4d 100644 --- a/.devcontainer/devcontainer.json +++ b/.devcontainer/devcontainer.json @@ -9,6 +9,7 @@ "TOOLS_K9S_VERSION": "0.50.4", "TOOLS_KIND_VERSION": "0.27.0", "TOOLS_ISTIO_VERSION": "1.26.0", + "TOOLS_LINKERD_VERSION": "edge-25.11.3", "TOOLS_KUBECTL_VERSION": "1.33.4" } }, diff --git a/Makefile b/Makefile index 4f25e64b3..fbf1f6855 100644 --- a/Makefile +++ b/Makefile 
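Review bot: The new `RUN curl -sL https://run.linkerd.io/install-edge | ... sh` step executes a script fetched at build time with nothing pinning or verifying the script itself, so the `TOOLS_LINKERD_VERSION` pin only covers what that script chooses to download. `-sL` without `-f` also lets an HTTP error body or a truncated response reach `sh`, and the pipeline's exit status is that of `sh`, not `curl`. At minimum use `curl -fsSL --proto '=https' --tlsv1.2 https://run.linkerd.io/install-edge`; preferably download the pinned release artifact directly and check it with `sha256sum -c` against a digest committed in the repo. The Istio step visible in this hunk's context uses the same pattern and would benefit from the same treatment. I could not confirm from the hunk that the installer honours `TARGET_ARCH`, so it is worth checking that non-amd64 builds get the right binary.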
@@ -289,6 +289,8 @@ helm-agents: helm package -d $(HELM_DIST_FOLDER) helm/agents/kgateway VERSION=$(VERSION) envsubst < helm/agents/istio/Chart-template.yaml > helm/agents/istio/Chart.yaml helm package -d $(HELM_DIST_FOLDER) helm/agents/istio + VERSION=$(VERSION) envsubst < helm/agents/linkerd/Chart-template.yaml > helm/agents/linkerd/Chart.yaml + helm package -d $(HELM_DIST_FOLDER) helm/agents/linkerd VERSION=$(VERSION) envsubst < helm/agents/promql/Chart-template.yaml > helm/agents/promql/Chart.yaml helm package -d $(HELM_DIST_FOLDER) helm/agents/promql VERSION=$(VERSION) envsubst < helm/agents/observability/Chart-template.yaml > helm/agents/observability/Chart.yaml @@ -325,7 +327,7 @@ helm-install-provider: helm-version check-api-key helm $(HELM_ACTION) kagent-crds helm/kagent-crds \ --namespace kagent \ --create-namespace \ - --history-max 2 \ + --history-max 2 \ --timeout 5m \ --kube-context kind-$(KIND_CLUSTER_NAME) \ --wait \ @@ -333,7 +335,7 @@ helm-install-provider: helm-version check-api-key helm $(HELM_ACTION) kagent helm/kagent \ --namespace kagent \ --create-namespace \ - --history-max 2 \ + --history-max 2 \ --timeout 5m \ --kube-context kind-$(KIND_CLUSTER_NAME) \ --wait \ @@ -378,6 +380,7 @@ helm-publish: helm-version helm push ./$(HELM_DIST_FOLDER)/istio-agent-$(VERSION).tgz $(HELM_REPO)/kagent/agents helm push ./$(HELM_DIST_FOLDER)/promql-agent-$(VERSION).tgz $(HELM_REPO)/kagent/agents helm push ./$(HELM_DIST_FOLDER)/observability-agent-$(VERSION).tgz $(HELM_REPO)/kagent/agents + helm push ./$(HELM_DIST_FOLDER)/linkerd-agent-$(VERSION).tgz $(HELM_REPO)/kagent/agents helm push ./$(HELM_DIST_FOLDER)/argo-rollouts-agent-$(VERSION).tgz $(HELM_REPO)/kagent/agents helm push ./$(HELM_DIST_FOLDER)/cilium-policy-agent-$(VERSION).tgz $(HELM_REPO)/kagent/agents helm push ./$(HELM_DIST_FOLDER)/cilium-manager-agent-$(VERSION).tgz $(HELM_REPO)/kagent/agents 
diff --git a/contrib/cncf/security-self-assessment.md b/contrib/cncf/security-self-assessment.md index e147d2498..c5dad54aa 100644 --- a/contrib/cncf/security-self-assessment.md +++ b/contrib/cncf/security-self-assessment.md @@ -194,6 +194,7 @@ Optional tooling: - **kgateway**: Gateway and Kubernetes Gateway API integration - **Grafana**: Observability and monitoring integration - **Istio**: Integration with Istio Service Mesh APIs +- **Linkerd**: Integration with Linkerd Service Mesh APIs - **Argo**: Integration with Argo Rollouts - **Cilium**: Integration through specialized agents for eBPF-based networking diff --git a/go/cli/internal/profiles/demo.yaml b/go/cli/internal/profiles/demo.yaml index d2b266007..3dd509bf5 100644 --- a/go/cli/internal/profiles/demo.yaml +++ b/go/cli/internal/profiles/demo.yaml @@ -7,6 +7,8 @@ agents: enabled: true istio-agent: enabled: true + linkerd-agent: + enabled: true promql-agent: enabled: true observability-agent: diff --git a/go/cli/internal/profiles/minimal.yaml b/go/cli/internal/profiles/minimal.yaml index 59cc778d5..88cbbdc2c 100644 --- a/go/cli/internal/profiles/minimal.yaml +++ b/go/cli/internal/profiles/minimal.yaml @@ -7,6 +7,8 @@ agents: enabled: false istio-agent: enabled: false + linkerd-agent: + enabled: false promql-agent: enabled: false observability-agent: diff --git a/helm/agents/linkerd/Chart-template.yaml b/helm/agents/linkerd/Chart-template.yaml new file mode 100644 index 000000000..9359beb68 --- /dev/null +++ b/helm/agents/linkerd/Chart-template.yaml @@ -0,0 +1,5 @@ +apiVersion: v2 +name: linkerd-agent +description: A Linkerd Agent for kagent +type: application +version: ${VERSION} \ No newline at end of file diff --git a/helm/agents/linkerd/templates/agent.yaml b/helm/agents/linkerd/templates/agent.yaml new file mode 100644 index 000000000..5fd8b98b5 --- /dev/null +++ b/helm/agents/linkerd/templates/agent.yaml 
@@ -0,0 +1,284 @@ +apiVersion: kagent.dev/v1alpha2 +kind: Agent +metadata: + name: linkerd-agent + namespace: {{ include "kagent.namespace" . }} + labels: + {{- include "kagent.labels" . | nindent 4 }} +spec: + description: A Linkerd (edge) Expert AI Agent specializing in Linkerd operations, troubleshooting, and maintenance. + type: Declarative + declarative: + systemMessage: |- + You are a Kubernetes and Linkerd (edge) Expert AI Agent with comprehensive knowledge of container orchestration, service mesh architecture, and cloud-native systems. You have access to a wide range of specialized tools that enable you to interact with Kubernetes clusters and Linkerd service mesh implementations to perform diagnostics, configuration, management, and troubleshooting. + + Core Expertise: + + 1. Kubernetes Capabilities + - Cluster architecture and components + - Resource management and scheduling + - Networking, services, and ingress + - EndpointSlices and service discovery + - Storage systems and volumes + - Security and RBAC + - Configuration and secrets + - Deployment strategies + - Monitoring and logging + - High availability and scaling + - Troubleshooting methodologies + + 2. Linkerd Capabilities + - Linkerd control plane and data plane architecture + - Proxy injection and sidecar lifecycle + - mTLS, identity, and trust anchors + - Authorization policy (policy.linkerd.io) + - Service profiles and route-level configuration + - Traffic splitting and canary-style rollouts + - Linkerd-viz telemetry (stat, routes, tap, top, dashboard) + - Diagnostics via `linkerd check` and `linkerd diagnostics` subcommands (e.g., `proxy-metrics`, `controller-metrics`, `endpoints`, `policy`, `profile`) + - Multicluster connectivity (multicluster.linkerd.io) + - CNI and transparent proxying + - Edge APIs (e.g., policy.linkerd.io, HTTPRoute integration) + + Available Tools: + + 1. 
Kubernetes Resource Management: + - `k8s_get_resources`: Retrieve Kubernetes resources by type, namespace, and filters + - `k8s_describe_resource`: Get detailed information about a specific resource + - `k8s_create_resource`: Create a new Kubernetes resource from YAML + - `k8s_create_resource_from_url`: Create a resource from a URL-hosted manifest + - `k8s_delete_resource`: Delete a Kubernetes resource + - `k8s_patch_resource`: Apply a partial update to a resource + + 2. Kubernetes Resource Manipulation: + - `k8s_generate_resource`: Generate custom Kubernetes resources (Deployments, Services, CRDs, etc.) + - `k8s_patch_resource`: Apply safe, partial updates to existing resources + + 3. Linkerd Service Mesh Management: + - `linkerd_install`: Install the Linkerd control plane (maps to `linkerd install`, including CRDs and control-plane manifests) + - `linkerd_install_cni`: Manage Linkerd CNI installation (`linkerd install-cni`) + - `linkerd_upgrade`: Upgrade an existing Linkerd control plane (`linkerd upgrade`) + - `linkerd_uninstall`: Generate and apply manifests to uninstall Linkerd (`linkerd uninstall`) + - `linkerd_check`: Run pre-install, control-plane, or proxy health checks (`linkerd check`) + - `linkerd_version`: Get Linkerd CLI, control-plane, and proxy versions (`linkerd version`) + - `linkerd_authz`: Inspect Linkerd authorization state for a resource (`linkerd authz`) + - `linkerd_profile`: Manage and generate service profiles (`linkerd profile`) + - `linkerd_policy`: Manage Linkerd policy operations such as `linkerd policy generate` + - `linkerd_fips_audit`: Audit Linkerd proxies for FIPS compliance (`linkerd fips audit`) + - `linkerd_patch_workload_injection`: Patch Kubernetes workloads to enable, disable, or remove Linkerd proxy auto-injection by manipulating the `linkerd.io/inject` annotation + - `linkerd_diagnostics_proxy_metrics`: Fetch metrics directly from Linkerd proxies (`linkerd diagnostics proxy-metrics`) + - 
`linkerd_diagnostics_controller_metrics`: Fetch metrics from Linkerd control-plane components (`linkerd diagnostics controller-metrics`) + - `linkerd_diagnostics_endpoints`: Inspect Linkerd’s service discovery endpoints (`linkerd diagnostics endpoints`) + - `linkerd_diagnostics_policy`: Inspect Linkerd’s policy state for a given resource/port (`linkerd diagnostics policy`) + - `linkerd_diagnostics_profile`: Inspect Linkerd’s service discovery profile for an authority (`linkerd diagnostics profile`) + + 4. Documentation and Information: + - `query_documentation`: Query documentation and best practices across Kubernetes and Linkerd edge + + Operational Protocol: + + 1. Initial Assessment + - Gather information about the cluster and relevant resources + - Identify the scope and nature of the task or issue + - Determine required permissions and access levels + - Plan the approach with safety and minimal disruption + + 2. Execution Strategy + - Use read-only operations first for information gathering + - Prefer `linkerd check` and diagnostics subcommands (`linkerd diagnostics proxy-metrics`, `controller-metrics`, `endpoints`, `policy`, `profile`) for safe validation + - Validate planned changes before execution + - Implement changes incrementally when possible + - Verify results after each significant change + - Document all actions and outcomes + + 3. Troubleshooting Methodology + - Systematically narrow down problem sources + - Analyze logs, events, metrics, and Linkerd-viz output + - Check resource configurations and relationships (Deployments, Services, Endpoints/EndpointSlices, CRDs) + - Verify network connectivity, policies, and service discovery + - Review recent changes and deployments + - Isolate service mesh configuration issues (injection, identity, policy, routes, tap) + + Safety Guidelines: + + 1. 
Cluster Operations + - Prioritize non-disruptive operations + - Verify contexts before executing changes + - Understand blast radius of all operations + - Backup critical configurations before modifications + - Consider scaling and failure-domain implications of all changes + + 2. Linkerd Service Mesh Management + - Use `linkerd check --pre` before installing or upgrading + - Validate identity and trust anchors before modifying mTLS/CA + - Apply policy.linkerd.io changes incrementally and test in non-critical namespaces first + - Gradually roll out traffic-splitting and canary configurations + - Prefer diagnostics (`linkerd diagnostics proxy-metrics`, `endpoints`, `policy`, `profile`) and `linkerd authz` to observe impact before and after changes + - Maintain fallback configurations and be ready to rollback + + Best Practices: + + 1. Resource Management + - Use namespaces for logical separation + - Implement resource quotas and limits + - Use labels and annotations for organization + - Follow the principle of least privilege for RBAC + - Implement network policies for segmentation + + 2. Linkerd Configuration + - Ensure all meshed workloads have the Linkerd proxy injected and healthy + - Use `linkerd_patch_workload_injection` to standardize proxy auto-injection via annotations + - Enable and validate mTLS by default across the mesh + - Use service profiles for per-route success-rate and latency metrics + - Use policy.linkerd.io resources (e.g. AuthorizationPolicy, MeshTLSAuthentication) for fine-grained access control + - Use multicluster extensions and gateways for cross-cluster communication when needed + - Keep control-plane and extensions (like linkerd-viz) aligned with supported edge/stable versions + + 3. 
Monitoring and Observability + - Use `linkerd viz stat`, `routes`, and `top` for live traffic insights + - Use `linkerd viz tap` for request-level debugging + - Use `linkerd diagnostics proxy-metrics` and controller metrics for low-level analysis + - Configure proper log levels for Linkerd proxies and control-plane components + - Set up alerts based on success-rate, latency, and TLS status + - Monitor proxy resource usage and p95/p99 latencies + + Common Scenarios: + + 1. Kubernetes Troubleshooting + - Pod scheduling failures + - Service discovery issues and DNS problems + - Resource constraints (CPU/Mem/Storage) + - ConfigMap and Secret misconfigurations + - Persistent volume issues + - Network policy conflicts + - Endpoint / EndpointSlice misconfiguration + + 2. Linkerd Troubleshooting + - Proxy injection failures (e.g., missing annotations, unsupported workloads) + - Linkerd control-plane health problems (e.g., `linkerd check` failures) + - mTLS and identity issues (cert expiry, trust anchor rotation) + - Authorization failures with policy.linkerd.io + - Traffic splitting and canary routing not behaving as expected + - Performance degradation visible in `linkerd viz stat` or `routes` + - Multicluster connectivity issues (service mirroring, gateways) + - Observability gaps in linkerd-viz (missing metrics, tap/edges/stat anomalies) + - Diagnostics using `linkerd diagnostics proxy-metrics`, `endpoints`, `policy`, and `profile` for deep inspection + + Your primary goal is to provide expert assistance with Kubernetes and Linkerd (edge) environments by leveraging your specialized tools while following best practices for safety, reliability, and performance. Always aim to not just solve immediate issues but to improve the overall system architecture and operational practices. 
+ + modelConfig: {{ .Values.modelConfigRef | default (printf "%s" (include "kagent.defaultModelConfigName" .)) }} + tools: + - type: McpServer + mcpServer: + name: kagent-tool-server + kind: RemoteMCPServer + apiGroup: kagent.dev + toolNames: + - k8s_create_resource + - k8s_create_resource_from_url + - k8s_delete_resource + - k8s_describe_resource + - k8s_get_resources + - k8s_patch_resource + - k8s_generate_resource + - linkerd_install + - linkerd_install_cni + - linkerd_upgrade + - linkerd_uninstall + - linkerd_check + - linkerd_version + - linkerd_authz + - linkerd_profile + - linkerd_policy + - linkerd_fips_audit + - linkerd_patch_workload_injection + - linkerd_diagnostics_proxy_metrics + - linkerd_diagnostics_controller_metrics + - linkerd_diagnostics_endpoints + - linkerd_diagnostics_policy + - linkerd_diagnostics_profile + - query_documentation + a2aConfig: + skills: + - id: linkerd-service-mesh-configuration + name: Linkerd Service Mesh Configuration + description: Manages Linkerd control plane, data plane, CNI, FIPS-enabled setups, and extensions (such as linkerd-viz). Handles installation, upgrades, uninstalls, auto-injection configuration, and validation via linkerd check and diagnostics subcommands (proxy-metrics, controller-metrics, endpoints, policy, profile). + tags: + - linkerd + - service-mesh + - configuration + - install + - upgrade + - cni + - multicluster + - profile + - diagnostics + examples: + - "Install Linkerd edge in my cluster and run pre-checks." + - "Run linkerd check to validate my control plane in the 'linkerd' namespace." + - "Upgrade my Linkerd installation to the latest edge version." + - "Install the linkerd-viz extension and verify it with linkerd viz check." + - "Set up multicluster connectivity between 'cluster-a' and 'cluster-b'." + - "Generate a service profile for the 'backend' service and apply it." + - "Toggle auto-injection for the 'backend' deployment using linkerd_patch_workload_injection." 
+ - "Run linkerd fips audit in the 'production' namespace and interpret the results." + - id: linkerd-traffic-management + name: Linkerd Traffic Management + description: Configures and inspects Linkerd traffic behavior using service profiles, SMI traffic splits, and observability via linkerd-viz commands. + tags: + - linkerd + - traffic + - routing + - service-profile + - routes + - canary + - multicluster + examples: + - "Create a service profile for the 'api' service in the 'default' namespace." + - "Set up a traffic split so 10% of traffic for 'my-app' goes to the 'canary' deployment." + - "Show live route stats for 'frontend' using linkerd viz routes." + - "Help me validate that my canary deployment is receiving traffic and performing well." + - "Inspect outbound traffic from the 'orders' deployment and identify any failing routes." + - id: linkerd-security-policies + name: Linkerd Security & Policy + description: Implements and manages Linkerd security features, including mTLS, identity, and policy.linkerd.io resources for fine-grained access control. Leverages linkerd_authz, linkerd_policy, linkerd_diagnostics_policy, and linkerd_fips_audit to inspect and enforce security posture. + tags: + - linkerd + - security + - mtls + - identity + - authorization + - authentication + - policy + examples: + - "Verify that mTLS is enabled for all meshed workloads and identify any plaintext connections." + - "Create a Linkerd authorization policy to only allow 'service-a' to call 'service-b'." + - "Help design MeshTLSAuthentication and AuthorizationPolicy resources for my 'payments' namespace." + - "Use linkerd authz to list all authorizations affecting the 'web' deployment." + - "Rotate the Linkerd trust anchor and verify the mesh health afterward." + - "Run linkerd policy generate for the 'payments' namespace and explain the suggested policy." + - "Use linkerd diagnostics policy to inspect the effective policy for svc/payments on port 8080." 
+ - id: linkerd-observability-troubleshooting + name: Linkerd Observability & Troubleshooting + description: Diagnoses issues within the Linkerd service mesh, inspects telemetry and metrics through linkerd-viz and diagnostics subcommands (proxy-metrics, controller-metrics, endpoints, profile), and correlates them with Kubernetes resources to find and resolve problems. + tags: + - linkerd + - observability + - troubleshooting + - telemetry + - metrics + - logs + - debug + - diagnose + - k8s + examples: + - "My requests to 'service-x' show high latency; use linkerd viz stat and routes to help troubleshoot." + - "Tap traffic for the 'checkout' deployment and identify 5xx responses." + - "Run linkerd diagnostics proxy-metrics to check proxy metrics for the 'web' deployment." + - "Describe the Linkerd control plane pods in the 'linkerd' namespace and verify their status." + - "Use linkerd viz top to identify noisy neighbors in the 'production' namespace." + - "Use linkerd diagnostics endpoints to inspect service discovery for emoji-svc.emojivoto.svc.cluster.local:8080." + - "query_documentation for best practices on tuning Linkerd edge performance." + deployment: + resources: + {{- toYaml .Values.resources | nindent 8 }} diff --git a/helm/agents/linkerd/templates/rbac.yaml b/helm/agents/linkerd/templates/rbac.yaml new file mode 100644 index 000000000..ac8ab7989 --- /dev/null +++ b/helm/agents/linkerd/templates/rbac.yaml 
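Review bot: The `toolNames` list gives this agent mutating and destructive tools (`k8s_delete_resource`, `k8s_create_resource_from_url`, `linkerd_install`, `linkerd_uninstall`, `linkerd_upgrade`), while the only guard is the "Safety Guidelines" text in `systemMessage`, which is advice to the model rather than an enforced control. Anything the agent reads back from the cluster or from `query_documentation` (logs, annotations, event messages) can carry instructions, so a prompt-injected request could reach those tools with whatever permissions the tool server holds. I would ship the read-only set (`k8s_get_resources`, `k8s_describe_resource`, `linkerd_check`, `linkerd_version`, `linkerd_authz`, the `linkerd_diagnostics_*` tools) by default and put the mutating ones behind an explicit chart value. Separately, the prompt lists `k8s_patch_resource` twice and tells the agent to use `linkerd viz stat`/`tap`/`top` and multicluster setup, none of which has a matching entry in `toolNames`; either add the tools or trim the prompt and the `a2aConfig` examples so the agent is not asked for actions it cannot perform.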
@@ -0,0 +1,146 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ include "kagent.fullname" . }}-linkerd-role + labels: + {{- include "kagent.labels" . | nindent 4 }} +rules: +- apiGroups: + - '' + resources: + - namespaces + - services + - endpoints + - pods + - persistentvolumeclaims + verbs: + - "*" +# EndpointSlices +- apiGroups: + - discovery.k8s.io + resources: + - endpointslices + verbs: + - "*" +- apiGroups: + - apps + resources: + - deployments + - daemonsets + - replicasets + - statefulsets + verbs: + - "*" +- apiGroups: + - policy + resources: + - poddisruptionbudgets + verbs: + - "*" +- apiGroups: + - autoscaling + resources: + - horizontalpodautoscalers + verbs: + - "*" +- apiGroups: + - networking.k8s.io + resources: + - networkpolicies + - ingresses + verbs: + - "*" +- apiGroups: + - rbac.authorization.k8s.io + resources: + - clusterroles + - clusterrolebindings + - roles + - rolebindings + verbs: + - "*" +- apiGroups: + - apiextensions.k8s.io + resources: + - customresourcedefinitions + verbs: + - "*" +# API server extension objects +- apiGroups: + - apiregistration.k8s.io + resources: + - apiservices + verbs: + - "*" +- apiGroups: + - authentication.k8s.io + resources: + - tokenreviews + - subjectaccessreviews + verbs: + - "*" +- apiGroups: + - authorization.k8s.io + resources: + - selfsubjectaccessreviews + - selfsubjectrulesreviews + - subjectaccessreviews + verbs: + - "*" +- apiGroups: + - policy + resources: + - podsecuritypolicies + verbs: + - use + resourceNames: + - example +- apiGroups: + - admissionregistration.k8s.io + resources: + - validatingwebhookconfigurations + - mutatingwebhookconfigurations + verbs: + - "*" +- apiGroups: + - '' + resources: + - secrets + - configmaps + - serviceaccounts + verbs: + - "*" +# Linkerd & related CRDs +- apiGroups: + - linkerd.io + - policy.linkerd.io + - viz.linkerd.io + - multicluster.linkerd.io + - split.smi-spec.io + - tap.linkerd.io + - gateway.networking.k8s.io + 
resources: + - "*" + verbs: + - "*" +- apiGroups: + - '' + resources: + - pods/portforward + verbs: + - create +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ include "kagent.fullname" . }}-linkerd-rolebinding + labels: + {{- include "kagent.labels" . | nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ include "kagent.fullname" . }}-linkerd-role +subjects: + - kind: ServiceAccount + name: {{ include "kagent.fullname" . }} + namespace: {{ include "kagent.namespace" . }} \ No newline at end of file diff --git a/helm/agents/linkerd/values.yaml b/helm/agents/linkerd/values.yaml new file mode 100644 index 000000000..47cde6ba9 --- /dev/null +++ b/helm/agents/linkerd/values.yaml @@ -0,0 +1,9 @@ +modelConfigRef: "" + +resources: + requests: + cpu: 100m + memory: 256Mi + limits: + cpu: 1000m + memory: 1Gi \ No newline at end of file diff --git a/helm/kagent/Chart-template.yaml b/helm/kagent/Chart-template.yaml index 6c88bc933..82608cb9b 100644 --- a/helm/kagent/Chart-template.yaml +++ b/helm/kagent/Chart-template.yaml @@ -32,6 +32,10 @@ dependencies: version: ${VERSION} repository: file://../agents/istio condition: agents.istio-agent.enabled + - name: linkerd-agent + version: ${VERSION} + repository: file://../agents/linkerd + condition: agents.linkerd-agent.enabled - name: promql-agent version: ${VERSION} repository: file://../agents/promql diff --git a/helm/kagent/values.yaml b/helm/kagent/values.yaml index 0819b4ba6..caea89100 100644 --- a/helm/kagent/values.yaml +++ b/helm/kagent/values.yaml @@ -255,6 +255,15 @@ agents: limits: cpu: 1000m memory: 1Gi + linkerd-agent: + enabled: true + resources: + requests: + cpu: 100m + memory: 256Mi + limits: + cpu: 1000m + memory: 1Gi promql-agent: enabled: true resources:
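Review bot: This ClusterRole is close to cluster-admin: `verbs: "*"` on `clusterroles`/`clusterrolebindings`/`roles`/`rolebindings` includes `escalate` and `bind`, and the same wildcard covers `secrets`, webhook configurations and CRDs cluster-wide. It is bound to the shared `{{ include "kagent.fullname" . }}` ServiceAccount rather than a Linkerd-specific one, and `helm/kagent/values.yaml` in this commit sets `linkerd-agent.enabled: true`, so every default install gets it; I cannot see from the diff which pod runs under that account. Start from `verbs: ["get", "list", "watch"]` for the core, apps, RBAC and secrets rules, and grant write verbs only on the Linkerd API groups and the specific resources the install/upgrade tools need, ideally through a separate opt-in role. Two rules also look copied from a template: `podsecuritypolicies` with `resourceNames: [example]` names a placeholder (and the PSP API was removed in Kubernetes 1.25), and `subjectaccessreviews` is listed under `authentication.k8s.io` although it belongs to `authorization.k8s.io`.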