
Commit afe31b1

authored
Merge pull request #10879 from govargo/upgrade-ingress-addon-apiversion
Upgrade ingress addon files according to upstream(ingress-nginx v0.44.0)
2 parents eabe972 + fb216dd commit afe31b1


9 files changed

+223
-170
lines changed


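--- a/deploy/addons/ingress/ingress-configmap.yaml.tmpl
+++ b/deploy/addons/ingress/ingress-configmap.yaml.tmpl
@@ -13,28 +13,46 @@
 # limitations under the License.
 
 apiVersion: v1
-data:
-# see https://github.com/kubernetes/ingress-nginx/blob/master/docs/user-guide/nginx-configuration/configmap.md for all possible options and their description
-hsts: "false"
+kind: Namespace
+metadata:
+name: ingress-nginx
+labels:
+app.kubernetes.io/name: ingress-nginx
+app.kubernetes.io/instance: ingress-nginx
+addonmanager.kubernetes.io/mode: Reconcile
+---
+apiVersion: v1
 kind: ConfigMap
 metadata:
-name: nginx-load-balancer-conf
-namespace: kube-system
 labels:
+app.kubernetes.io/name: ingress-nginx
+app.kubernetes.io/instance: ingress-nginx
+app.kubernetes.io/component: controller
 addonmanager.kubernetes.io/mode: EnsureExists
+name: ingress-nginx-controller
+namespace: ingress-nginx
+data:
+# see https://github.com/kubernetes/ingress-nginx/blob/master/docs/user-guide/nginx-configuration/configmap.md for all possible options and their description
+hsts: "false"
 ---
 apiVersion: v1
 kind: ConfigMap
 metadata:
 name: tcp-services
-namespace: kube-system
+namespace: ingress-nginx
 labels:
+app.kubernetes.io/name: ingress-nginx
+app.kubernetes.io/instance: ingress-nginx
+app.kubernetes.io/component: controller
 addonmanager.kubernetes.io/mode: EnsureExists
 ---
 apiVersion: v1
 kind: ConfigMap
 metadata:
 name: udp-services
-namespace: kube-system
+namespace: ingress-nginx
 labels:
+app.kubernetes.io/name: ingress-nginx
+app.kubernetes.io/instance: ingress-nginx
+app.kubernetes.io/component: controller
 addonmanager.kubernetes.io/mode: EnsureExists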
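Review bot: The three ConfigMaps are recreated in `ingress-nginx` (and `nginx-load-balancer-conf` becomes `ingress-nginx-controller`) under `addonmanager.kubernetes.io/mode: EnsureExists`, yet nothing here migrates or removes the copies that upgraded clusters already have in `kube-system`. Any user entries in the old `tcp-services`/`udp-services` would presumably be left behind and no longer read, which is easy to misjudge when auditing what the controller exposes. I would add a comment above the new `Namespace` document, e.g. `# ConfigMaps moved here from kube-system; custom tcp-services/udp-services entries must be re-applied in this namespace`. The carried-over `hsts: "false"` also deserves a one-line comment stating why HSTS is disabled for this addon.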

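--- a/deploy/addons/ingress/ingress-dp.yaml.tmpl
+++ b/deploy/addons/ingress/ingress-dp.yaml.tmpl
@@ -12,31 +12,77 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
+---
+apiVersion: v1
+kind: Service
+metadata:
+labels:
+app.kubernetes.io/name: ingress-nginx
+app.kubernetes.io/instance: ingress-nginx
+app.kubernetes.io/component: controller
+addonmanager.kubernetes.io/mode: Reconcile
+name: ingress-nginx-controller-admission
+namespace: ingress-nginx
+spec:
+type: ClusterIP
+ports:
+- name: https-webhook
+port: 443
+targetPort: webhook
+selector:
+app.kubernetes.io/name: ingress-nginx
+app.kubernetes.io/instance: ingress-nginx
+app.kubernetes.io/component: controller
+---
+apiVersion: v1
+kind: Service
+metadata:
+labels:
+app.kubernetes.io/name: ingress-nginx
+app.kubernetes.io/instance: ingress-nginx
+app.kubernetes.io/component: controller
+addonmanager.kubernetes.io/mode: Reconcile
+name: ingress-nginx-controller
+namespace: ingress-nginx
+spec:
+type: NodePort
+ports:
+- name: http
+port: 80
+protocol: TCP
+targetPort: http
+- name: https
+port: 443
+protocol: TCP
+targetPort: https
+selector:
+app.kubernetes.io/name: ingress-nginx
+app.kubernetes.io/instance: ingress-nginx
+app.kubernetes.io/component: controller
 ---
 apiVersion: apps/v1
 kind: Deployment
 metadata:
 name: ingress-nginx-controller
-namespace: kube-system
+namespace: ingress-nginx
 labels:
 app.kubernetes.io/name: ingress-nginx
 app.kubernetes.io/instance: ingress-nginx
-app.kubernetes.io/part-of: kube-system
 app.kubernetes.io/component: controller
 addonmanager.kubernetes.io/mode: Reconcile
 spec:
-replicas: 1
-strategy:
-type: RollingUpdate
-rollingUpdate:
-# maxUnavailable needs to be 1 so that port conflicts between the old and new pod doesn't happen when using hostPort
-maxUnavailable: 1
-maxSurge: 1
 selector:
 matchLabels:
 app.kubernetes.io/name: ingress-nginx
 app.kubernetes.io/instance: ingress-nginx
 app.kubernetes.io/component: controller
+addonmanager.kubernetes.io/mode: Reconcile
+revisionHistoryLimit: 10
+strategy:
+rollingUpdate:
+maxUnavailable: 1
+type: RollingUpdate
+minReadySeconds: 0
 template:
 metadata:
 labels:
@@ -46,7 +92,7 @@ spec:
 addonmanager.kubernetes.io/mode: Reconcile
 gcp-auth-skip-secret: "true"
 spec:
-serviceAccountName: ingress-nginx
+dnsPolicy: ClusterFirst
 containers:
 - name: controller
 image: {{.CustomRegistries.IngressController | default .ImageRepository | default .Registries.IngressController }}{{.Images.IngressController}}
@@ -58,7 +104,8 @@ spec:
 - /wait-shutdown
 args:
 - /nginx-ingress-controller
-- --configmap=$(POD_NAMESPACE)/nginx-load-balancer-conf
+- --ingress-class=nginx
+- --configmap=$(POD_NAMESPACE)/ingress-nginx-controller
 - --report-node-internal-ip-address
 - --tcp-services-configmap=$(POD_NAMESPACE)/tcp-services
 - --udp-services-configmap=$(POD_NAMESPACE)/udp-services
@@ -67,7 +114,7 @@ spec:
 - --validating-webhook-key=/usr/local/certificates/key
 {{if .CustomIngressCert}}
 - --default-ssl-certificate={{ .CustomIngressCert }}
-{{end}}
+{{end}}
 securityContext:
 capabilities:
 drop:
@@ -85,6 +132,8 @@ spec:
 valueFrom:
 fieldRef:
 fieldPath: metadata.namespace
+- name: LD_PRELOAD
+value: /usr/local/lib/libmimalloc.so
 livenessProbe:
 httpGet:
 path: /healthz
@@ -94,13 +143,14 @@ spec:
 periodSeconds: 10
 timeoutSeconds: 1
 successThreshold: 1
-failureThreshold: 3
+failureThreshold: 5
 readinessProbe:
 httpGet:
 path: /healthz
 port: 10254
 scheme: HTTP
 initialDelaySeconds: 10
+periodSeconds: 10
 timeoutSeconds: 1
 successThreshold: 1
 failureThreshold: 3
@@ -124,24 +174,24 @@ spec:
 requests:
 cpu: 100m
 memory: 90Mi
+serviceAccountName: ingress-nginx
 volumes:
 - name: webhook-cert
 secret:
 secretName: ingress-nginx-admission
-
 ---
-
-apiVersion: admissionregistration.k8s.io/v1beta1
+apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingWebhookConfiguration
 metadata:
 labels:
 app.kubernetes.io/name: ingress-nginx
 app.kubernetes.io/instance: ingress-nginx
 app.kubernetes.io/component: admission-webhook
+addonmanager.kubernetes.io/mode: Reconcile
 name: ingress-nginx-admission
-namespace: kube-system
 webhooks:
 - name: validate.nginx.ingress.kubernetes.io
+matchPolicy: Equivalent
 rules:
 - apiGroups:
 - networking.k8s.io
@@ -160,46 +210,10 @@ webhooks:
 - v1beta1
 clientConfig:
 service:
-namespace: kube-system
+namespace: ingress-nginx
 name: ingress-nginx-controller-admission
 path: /networking/v1beta1/ingresses
 ---
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-name: ingress-nginx-admission
-labels:
-app.kubernetes.io/name: ingress-nginx
-app.kubernetes.io/instance: ingress-nginx
-app.kubernetes.io/component: admission-webhook
-namespace: kube-system
-rules:
-- apiGroups:
-- admissionregistration.k8s.io
-resources:
-- validatingwebhookconfigurations
-verbs:
-- get
-- update
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
-name: ingress-nginx-admission
-labels:
-app.kubernetes.io/name: ingress-nginx
-app.kubernetes.io/instance: ingress-nginx
-app.kubernetes.io/component: admission-webhook
-namespace: kube-system
-roleRef:
-apiGroup: rbac.authorization.k8s.io
-kind: ClusterRole
-name: ingress-nginx-admission
-subjects:
-- kind: ServiceAccount
-name: ingress-nginx-admission
-namespace: kube-system
----
 apiVersion: batch/v1
 kind: Job
 metadata:
@@ -208,7 +222,8 @@ metadata:
 app.kubernetes.io/name: ingress-nginx
 app.kubernetes.io/instance: ingress-nginx
 app.kubernetes.io/component: admission-webhook
-namespace: kube-system
+addonmanager.kubernetes.io/mode: Reconcile
+namespace: ingress-nginx
 spec:
 template:
 metadata:
@@ -217,24 +232,28 @@ spec:
 app.kubernetes.io/name: ingress-nginx
 app.kubernetes.io/instance: ingress-nginx
 app.kubernetes.io/component: admission-webhook
+addonmanager.kubernetes.io/mode: Reconcile
 spec:
 containers:
 - name: create
 image: {{.CustomRegistries.KubeWebhookCertgenCreate | default .ImageRepository | default .Registries.KubeWebhookCertgenCreate }}{{.Images.KubeWebhookCertgenCreate}}
 imagePullPolicy: IfNotPresent
 args:
 - create
-- --host=ingress-nginx-controller-admission,ingress-nginx-controller-admission.kube-system.svc
-- --namespace=kube-system
+- --host=ingress-nginx-controller-admission,ingress-nginx-controller-admission.$(POD_NAMESPACE).svc
+- --namespace=$(POD_NAMESPACE)
 - --secret-name=ingress-nginx-admission
+env:
+- name: POD_NAMESPACE
+valueFrom:
+fieldRef:
+fieldPath: metadata.namespace
 restartPolicy: OnFailure
 serviceAccountName: ingress-nginx-admission
 securityContext:
 runAsNonRoot: true
 runAsUser: 2000
-
 ---
-
 apiVersion: batch/v1
 kind: Job
 metadata:
@@ -243,7 +262,8 @@ metadata:
 app.kubernetes.io/name: ingress-nginx
 app.kubernetes.io/instance: ingress-nginx
 app.kubernetes.io/component: admission-webhook
-namespace: kube-system
+addonmanager.kubernetes.io/mode: Reconcile
+namespace: ingress-nginx
 spec:
 template:
 metadata:
@@ -252,41 +272,26 @@ spec:
 app.kubernetes.io/name: ingress-nginx
 app.kubernetes.io/instance: ingress-nginx
 app.kubernetes.io/component: admission-webhook
+addonmanager.kubernetes.io/mode: Reconcile
 spec:
 containers:
 - name: patch
 image: {{.CustomRegistries.KubeWebhookCertgenPatch | default .ImageRepository | default .Registries.KubeWebhookCertgenPatch }}{{.Images.KubeWebhookCertgenPatch}}
-imagePullPolicy:
+imagePullPolicy: IfNotPresent
 args:
 - patch
 - --webhook-name=ingress-nginx-admission
-- --namespace=kube-system
+- --namespace=$(POD_NAMESPACE)
 - --patch-mutating=false
 - --secret-name=ingress-nginx-admission
 - --patch-failure-policy=Fail
+env:
+- name: POD_NAMESPACE
+valueFrom:
+fieldRef:
+fieldPath: metadata.namespace
 restartPolicy: OnFailure
 serviceAccountName: ingress-nginx-admission
 securityContext:
 runAsNonRoot: true
 runAsUser: 2000
----
-
-apiVersion: v1
-kind: Service
-metadata:
-labels:
-app.kubernetes.io/name: ingress-nginx
-app.kubernetes.io/instance: ingress-nginx
-app.kubernetes.io/component: controller
-addonmanager.kubernetes.io/mode: Reconcile
-name: ingress-nginx-controller-admission
-namespace: kube-system
-spec:
-ports:
-- name: https-webhook
-port: 443
-targetPort: webhook
-selector:
-app.kubernetes.io/name: ingress-nginx
-app.kubernetes.io/instance: ingress-nginx
-app.kubernetes.io/component: controller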
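Review bot: The `patch` Job still runs as `serviceAccountName: ingress-nginx-admission` with `--patch-failure-policy=Fail`, but this section deletes the `ClusterRole` and `ClusterRoleBinding` that granted it `get`/`update` on `validatingwebhookconfigurations`, and the deleted binding named a subject in `kube-system`. The replacement RBAC is presumably in one of the other changed files, which are not shown here; it is worth confirming that its subject namespace is now `ingress-nginx`, since otherwise the Job cannot patch the webhook and the admission check is never wired up. A comment above the Job such as `# requires get/update on validatingwebhookconfigurations, granted in <RBAC template path>` would make that dependency visible. Separately, `addonmanager.kubernetes.io/mode: Reconcile` is added under the Deployment's `selector.matchLabels`; that selector is immutable in `apps/v1`, so I would keep the bookkeeping label out of it and leave it only on the pod template.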
