
Commit c3a529f

committed
Update ingress-nginx addon
1 parent 0b60ff2 commit c3a529f


4 files changed

+463
-159
lines changed


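--- a/deploy/addons/ingress/ingress-configmap.yaml.tmpl
+++ b/deploy/addons/ingress/ingress-configmap.yaml.tmpl
@@ -15,7 +15,6 @@
 apiVersion: v1
 data:
 # see https://github.com/kubernetes/ingress-nginx/blob/master/docs/user-guide/nginx-configuration/configmap.md for all possible options and their description
-map-hash-bucket-size: "128"
 hsts: "false"
 kind: ConfigMap
 metadata: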

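--- a/deploy/addons/ingress/ingress-dp.yaml.tmpl
+++ b/deploy/addons/ingress/ingress-dp.yaml.tmpl
@@ -16,11 +16,13 @@
 apiVersion: apps/v1
 kind: Deployment
 metadata:
-name: nginx-ingress-controller
+name: ingress-nginx-controller
 namespace: kube-system
 labels:
-app.kubernetes.io/name: nginx-ingress-controller
+app.kubernetes.io/name: ingress-nginx
+app.kubernetes.io/instance: ingress-nginx
 app.kubernetes.io/part-of: kube-system
+app.kubernetes.io/component: controller
 addonmanager.kubernetes.io/mode: Reconcile
 spec:
 replicas: 1
@@ -32,67 +34,251 @@ spec:
 maxSurge: 1
 selector:
 matchLabels:
-app.kubernetes.io/name: nginx-ingress-controller
-app.kubernetes.io/part-of: kube-system
-addonmanager.kubernetes.io/mode: Reconcile
+app.kubernetes.io/name: ingress-nginx
+app.kubernetes.io/instance: ingress-nginx
+app.kubernetes.io/component: controller
 template:
 metadata:
 labels:
-app.kubernetes.io/name: nginx-ingress-controller
-app.kubernetes.io/part-of: kube-system
+app.kubernetes.io/name: ingress-nginx
+app.kubernetes.io/instance: ingress-nginx
+app.kubernetes.io/component: controller
 addonmanager.kubernetes.io/mode: Reconcile
-annotations:
-prometheus.io/port: '10254'
-prometheus.io/scrape: 'true'
 spec:
-serviceAccountName: nginx-ingress
-terminationGracePeriodSeconds: 60
+serviceAccountName: ingress-nginx
 containers:
-- image: quay.io/kubernetes-ingress-controller/nginx-ingress-controller{{.ExoticArch}}:0.26.1
-name: nginx-ingress-controller
-imagePullPolicy: IfNotPresent
-readinessProbe:
-httpGet:
-path: /healthz
-port: 10254
-scheme: HTTP
-livenessProbe:
-httpGet:
-path: /healthz
-port: 10254
-scheme: HTTP
-initialDelaySeconds: 10
-timeoutSeconds: 1
-env:
-- name: POD_NAME
-valueFrom:
-fieldRef:
-fieldPath: metadata.name
-- name: POD_NAMESPACE
-valueFrom:
-fieldRef:
-fieldPath: metadata.namespace
-ports:
-- containerPort: 80
-hostPort: 80
-- containerPort: 443
-hostPort: 443
-# (Optional) we expose 18080 to access nginx stats in url /nginx-status
-- containerPort: 18080
-hostPort: 18080
-args:
-- /nginx-ingress-controller
-- --configmap=$(POD_NAMESPACE)/nginx-load-balancer-conf
-- --tcp-services-configmap=$(POD_NAMESPACE)/tcp-services
-- --udp-services-configmap=$(POD_NAMESPACE)/udp-services
-- --annotations-prefix=nginx.ingress.kubernetes.io
-# use minikube IP address in ingress status field
-- --report-node-internal-ip-address
-securityContext:
-capabilities:
+- name: controller
+image: quay.io/kubernetes-ingress-controller/nginx-ingress-controller:0.32.0
+imagePullPolicy: IfNotPresent
+lifecycle:
+preStop:
+exec:
+command:
+- /wait-shutdown
+args:
+- /nginx-ingress-controller
+- --configmap=$(POD_NAMESPACE)/nginx-load-balancer-conf
+- --report-node-internal-ip-address
+- --tcp-services-configmap=$(POD_NAMESPACE)/tcp-services
+- --udp-services-configmap=$(POD_NAMESPACE)/udp-services
+- --validating-webhook=:8443
+- --validating-webhook-certificate=/usr/local/certificates/cert
+- --validating-webhook-key=/usr/local/certificates/key
+securityContext:
+capabilities:
 drop:
-- ALL
+- ALL
 add:
-- NET_BIND_SERVICE
-# www-data -> 33
-runAsUser: 33
+- NET_BIND_SERVICE
+runAsUser: 101
+allowPrivilegeEscalation: true
+env:
+- name: POD_NAME
+valueFrom:
+fieldRef:
+fieldPath: metadata.name
+- name: POD_NAMESPACE
+valueFrom:
+fieldRef:
+fieldPath: metadata.namespace
+livenessProbe:
+httpGet:
+path: /healthz
+port: 10254
+scheme: HTTP
+initialDelaySeconds: 10
+periodSeconds: 10
+timeoutSeconds: 1
+successThreshold: 1
+failureThreshold: 3
+readinessProbe:
+httpGet:
+path: /healthz
+port: 10254
+scheme: HTTP
+initialDelaySeconds: 10
+timeoutSeconds: 1
+successThreshold: 1
+failureThreshold: 3
+ports:
+- name: http
+containerPort: 80
+protocol: TCP
+hostPort: 80
+- name: https
+containerPort: 443
+protocol: TCP
+hostPort: 443
+- name: webhook
+containerPort: 8443
+protocol: TCP
+volumeMounts:
+- name: webhook-cert
+mountPath: /usr/local/certificates/
+readOnly: true
+resources:
+requests:
+cpu: 100m
+memory: 90Mi
+volumes:
+- name: webhook-cert
+secret:
+secretName: ingress-nginx-admission
+
+---
+
+apiVersion: admissionregistration.k8s.io/v1beta1
+kind: ValidatingWebhookConfiguration
+metadata:
+labels:
+app.kubernetes.io/name: ingress-nginx
+app.kubernetes.io/instance: ingress-nginx
+app.kubernetes.io/component: admission-webhook
+name: ingress-nginx-admission
+namespace: kube-system
+webhooks:
+- name: validate.nginx.ingress.kubernetes.io
+rules:
+- apiGroups:
+- extensions
+- networking.k8s.io
+apiVersions:
+- v1beta1
+operations:
+- CREATE
+- UPDATE
+resources:
+- ingresses
+failurePolicy: Fail
+clientConfig:
+service:
+namespace: kube-system
+name: ingress-nginx-controller-admission
+path: /extensions/v1beta1/ingresses
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+name: ingress-nginx-admission
+labels:
+app.kubernetes.io/name: ingress-nginx
+app.kubernetes.io/instance: ingress-nginx
+app.kubernetes.io/component: admission-webhook
+namespace: kube-system
+rules:
+- apiGroups:
+- admissionregistration.k8s.io
+resources:
+- validatingwebhookconfigurations
+verbs:
+- get
+- update
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+name: ingress-nginx-admission
+labels:
+app.kubernetes.io/name: ingress-nginx
+app.kubernetes.io/instance: ingress-nginx
+app.kubernetes.io/component: admission-webhook
+namespace: kube-system
+roleRef:
+apiGroup: rbac.authorization.k8s.io
+kind: ClusterRole
+name: ingress-nginx-admission
+subjects:
+- kind: ServiceAccount
+name: ingress-nginx-admission
+namespace: kube-system
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+name: ingress-nginx-admission-create
+labels:
+app.kubernetes.io/name: ingress-nginx
+app.kubernetes.io/instance: ingress-nginx
+app.kubernetes.io/component: admission-webhook
+namespace: kube-system
+spec:
+template:
+metadata:
+name: ingress-nginx-admission-create
+labels:
+app.kubernetes.io/name: ingress-nginx
+app.kubernetes.io/instance: ingress-nginx
+app.kubernetes.io/component: admission-webhook
+spec:
+containers:
+- name: create
+image: jettech/kube-webhook-certgen:v1.2.0
+imagePullPolicy: IfNotPresent
+args:
+- create
+- --host=ingress-nginx-controller-admission,ingress-nginx-controller-admission.kube-system.svc
+- --namespace=kube-system
+- --secret-name=ingress-nginx-admission
+restartPolicy: OnFailure
+serviceAccountName: ingress-nginx-admission
+securityContext:
+runAsNonRoot: true
+runAsUser: 2000
+
+---
+
+apiVersion: batch/v1
+kind: Job
+metadata:
+name: ingress-nginx-admission-patch
+labels:
+app.kubernetes.io/name: ingress-nginx
+app.kubernetes.io/instance: ingress-nginx
+app.kubernetes.io/component: admission-webhook
+namespace: kube-system
+spec:
+template:
+metadata:
+name: ingress-nginx-admission-patch
+labels:
+app.kubernetes.io/name: ingress-nginx
+app.kubernetes.io/instance: ingress-nginx
+app.kubernetes.io/component: admission-webhook
+spec:
+containers:
+- name: patch
+image: jettech/kube-webhook-certgen:v1.2.0
+imagePullPolicy:
+args:
+- patch
+- --webhook-name=ingress-nginx-admission
+- --namespace=kube-system
+- --patch-mutating=false
+- --secret-name=ingress-nginx-admission
+- --patch-failure-policy=Fail
+restartPolicy: OnFailure
+serviceAccountName: ingress-nginx-admission
+securityContext:
+runAsNonRoot: true
+runAsUser: 2000
+---
+
+apiVersion: v1
+kind: Service
+metadata:
+labels:
+app.kubernetes.io/name: ingress-nginx
+app.kubernetes.io/instance: ingress-nginx
+app.kubernetes.io/component: controller
+addonmanager.kubernetes.io/mode: Reconcile
+name: ingress-nginx-controller-admission
+namespace: kube-system
+spec:
+ports:
+- name: https-webhook
+port: 443
+targetPort: webhook
+selector:
+app.kubernetes.io/name: ingress-nginx
+app.kubernetes.io/instance: ingress-nginx
+app.kubernetes.io/component: controller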
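Review bot: The new `ingress-nginx-admission` ClusterRole grants `get` and `update` on every `validatingwebhookconfigurations` object in the cluster, although the patch Job it serves names only one (`--webhook-name=ingress-nginx-admission`). Adding `resourceNames:` with the single entry `- ingress-nginx-admission` to that rule would stop the bound service account from rewriting unrelated admission webhooks. That scope matters more because both Jobs run `jettech/kube-webhook-certgen:v1.2.0` under that service account, and the image is referenced by a mutable tag rather than a digest. The patch Job's `imagePullPolicy:` is left empty where the create Job sets a value, so it should probably read `imagePullPolicy: IfNotPresent`. On the controller container, `allowPrivilegeEscalation: true` deserves a one-line comment stating why it is needed (presumably so the non-root uid 101 process can obtain `NET_BIND_SERVICE`), so a later hardening pass does not have to guess.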
