diff --git a/charts/linkerd-control-plane/README.md b/charts/linkerd-control-plane/README.md index 07eb87d52ce3f..166aeb53d93c6 100644 --- a/charts/linkerd-control-plane/README.md +++ b/charts/linkerd-control-plane/README.md @@ -187,7 +187,7 @@ Kubernetes: `>=1.22.0-0` | kubeAPI.clientBurst | int | `200` | Burst value over clientQPS | | kubeAPI.clientQPS | int | `100` | Maximum QPS sent to the kube-apiserver before throttling. See [token bucket rate limiter implementation](https://github.com/kubernetes/client-go/blob/v12.0.0/util/flowcontrol/throttle.go) | | linkerdVersion | string | `"linkerdVersionValue"` | control plane version. See Proxy section for proxy version | -| networkValidator.connectAddr | string | `"1.1.1.1:20001"` | Address to which the network-validator will attempt to connect. we expect this to be rewritten | +| networkValidator.connectAddr | string | `"1.1.1.1:20001"` | Address to which the network-validator will attempt to connect. This should be an IP that the cluster is expected to be able to reach but a port it should not, e.g., a public IP for public clusters and a private IP for air-gapped clusters with a port like 20001. | | networkValidator.enableSecurityContext | bool | `true` | Include a securityContext in the network-validator pod spec | | networkValidator.listenAddr | string | `"0.0.0.0:4140"` | Address to which network-validator listens to requests from itself | | networkValidator.logFormat | string | plain | Log format (`plain` or `json`) for network-validator | diff --git a/charts/linkerd-control-plane/values.yaml b/charts/linkerd-control-plane/values.yaml index 43e09e40e56b2..e706bc8c9c686 100644 --- a/charts/linkerd-control-plane/values.yaml +++ b/charts/linkerd-control-plane/values.yaml @@ -323,7 +323,9 @@ networkValidator: # -- Log format (`plain` or `json`) for network-validator # @default -- plain logFormat: plain - # -- Address to which the network-validator will attempt to connect. we expect this to be rewritten + # -- Address to which the network-validator will attempt to connect. This should be an IP + # that the cluster is expected to be able to reach but a port it should not, e.g., a public IP + # for public clusters and a private IP for air-gapped clusters with a port like 20001. connectAddr: "1.1.1.1:20001" # -- Address to which network-validator listens to requests from itself listenAddr: "0.0.0.0:4140"