feat(nginx): Add nginx ingress controller

Tanguy Herbron 2024-12-21 22:26:14 +01:00
parent 515ee92abe
commit a964118922
14 changed files with 1482 additions and 57 deletions


@ -1,20 +0,0 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: nginx
spec:
replicas: 1
selector:
matchLabels:
app: nginx
template:
metadata:
labels:
app: nginx
spec:
containers:
- name: nginx
image: nginx
ports:
- containerPort: 80

678
nginx/external/deploy.yaml vendored Normal file

@ -0,0 +1,678 @@
apiVersion: v1
automountServiceAccountToken: true
kind: ServiceAccount
metadata:
labels:
app.kubernetes.io/component: controller-external
app.kubernetes.io/instance: nginx-external-ingress
app.kubernetes.io/name: nginx-external-ingress
app.kubernetes.io/part-of: nginx-external-ingress
app.kubernetes.io/version: 1.11.3
name: nginx-external-ingress
namespace: nginx-ingress
---
apiVersion: v1
automountServiceAccountToken: true
kind: ServiceAccount
metadata:
labels:
app.kubernetes.io/component: admission-webhook
app.kubernetes.io/instance: nginx-external-ingress
app.kubernetes.io/name: nginx-external-ingress
app.kubernetes.io/part-of: nginx-external-ingress
app.kubernetes.io/version: 1.11.3
name: nginx-external-ingress-admission
namespace: nginx-ingress
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
labels:
app.kubernetes.io/component: controller-external
app.kubernetes.io/instance: nginx-external-ingress
app.kubernetes.io/name: nginx-external-ingress
app.kubernetes.io/part-of: nginx-external-ingress
app.kubernetes.io/version: 1.11.3
name: nginx-external-ingress
namespace: nginx-ingress
rules:
- apiGroups:
- ""
resources:
- namespaces
verbs:
- get
- apiGroups:
- ""
resources:
- configmaps
- pods
- secrets
- endpoints
verbs:
- get
- list
- watch
- apiGroups:
- ""
resources:
- services
verbs:
- get
- list
- watch
- apiGroups:
- networking.k8s.io
resources:
- ingresses
verbs:
- get
- list
- watch
- apiGroups:
- networking.k8s.io
resources:
- ingresses/status
verbs:
- update
- apiGroups:
- networking.k8s.io
resources:
- ingressclasses
verbs:
- get
- list
- watch
- apiGroups:
- coordination.k8s.io
resourceNames:
- nginx-external-ingress-leader
resources:
- leases
verbs:
- get
- update
- apiGroups:
- coordination.k8s.io
resources:
- leases
verbs:
- create
- apiGroups:
- ""
resources:
- events
verbs:
- create
- patch
- apiGroups:
- discovery.k8s.io
resources:
- endpointslices
verbs:
- list
- watch
- get
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
labels:
app.kubernetes.io/component: admission-webhook
app.kubernetes.io/instance: nginx-external-ingress
app.kubernetes.io/name: nginx-external-ingress
app.kubernetes.io/part-of: nginx-external-ingress
app.kubernetes.io/version: 1.11.3
name: nginx-external-ingress-admission
namespace: nginx-ingress
rules:
- apiGroups:
- ""
resources:
- secrets
verbs:
- get
- create
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
labels:
app.kubernetes.io/instance: nginx-external-ingress
app.kubernetes.io/name: nginx-external-ingress
app.kubernetes.io/part-of: nginx-external-ingress
app.kubernetes.io/version: 1.11.3
name: nginx-external-ingress
rules:
- apiGroups:
- ""
resources:
- configmaps
- endpoints
- nodes
- pods
- secrets
- namespaces
verbs:
- list
- watch
- apiGroups:
- coordination.k8s.io
resources:
- leases
verbs:
- list
- watch
- apiGroups:
- ""
resources:
- nodes
verbs:
- get
- apiGroups:
- ""
resources:
- services
verbs:
- get
- list
- watch
- apiGroups:
- networking.k8s.io
resources:
- ingresses
verbs:
- get
- list
- watch
- apiGroups:
- ""
resources:
- events
verbs:
- create
- patch
- apiGroups:
- networking.k8s.io
resources:
- ingresses/status
verbs:
- update
- apiGroups:
- networking.k8s.io
resources:
- ingressclasses
verbs:
- get
- list
- watch
- apiGroups:
- discovery.k8s.io
resources:
- endpointslices
verbs:
- list
- watch
- get
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
labels:
app.kubernetes.io/component: admission-webhook
app.kubernetes.io/instance: nginx-external-ingress
app.kubernetes.io/name: nginx-external-ingress
app.kubernetes.io/part-of: nginx-external-ingress
app.kubernetes.io/version: 1.11.3
name: nginx-external-ingress-admission
rules:
- apiGroups:
- admissionregistration.k8s.io
resources:
- validatingwebhookconfigurations
verbs:
- get
- update
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
labels:
app.kubernetes.io/component: controller-external
app.kubernetes.io/instance: nginx-external-ingress
app.kubernetes.io/name: nginx-external-ingress
app.kubernetes.io/part-of: nginx-external-ingress
app.kubernetes.io/version: 1.11.3
name: nginx-external-ingress
namespace: nginx-ingress
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: nginx-external-ingress
subjects:
- kind: ServiceAccount
name: nginx-external-ingress
namespace: nginx-ingress
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
labels:
app.kubernetes.io/component: admission-webhook
app.kubernetes.io/instance: nginx-external-ingress
app.kubernetes.io/name: nginx-external-ingress
app.kubernetes.io/part-of: nginx-external-ingress
app.kubernetes.io/version: 1.11.3
name: nginx-external-ingress-admission
namespace: nginx-ingress
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: nginx-external-ingress-admission
subjects:
- kind: ServiceAccount
name: nginx-external-ingress-admission
namespace: nginx-ingress
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
labels:
app.kubernetes.io/instance: nginx-external-ingress
app.kubernetes.io/name: nginx-external-ingress
app.kubernetes.io/part-of: nginx-external-ingress
app.kubernetes.io/version: 1.11.3
name: nginx-external-ingress
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: nginx-external-ingress
subjects:
- kind: ServiceAccount
name: nginx-external-ingress
namespace: nginx-ingress
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
labels:
app.kubernetes.io/component: admission-webhook
app.kubernetes.io/instance: nginx-external-ingress
app.kubernetes.io/name: nginx-external-ingress
app.kubernetes.io/part-of: nginx-external-ingress
app.kubernetes.io/version: 1.11.3
name: nginx-external-ingress-admission
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: nginx-external-ingress-admission
subjects:
- kind: ServiceAccount
name: nginx-external-ingress-admission
namespace: nginx-ingress
---
apiVersion: v1
data:
allow-snippet-annotations: "true"
kind: ConfigMap
metadata:
labels:
app.kubernetes.io/component: controller-external
app.kubernetes.io/instance: nginx-external-ingress
app.kubernetes.io/name: nginx-external-ingress
app.kubernetes.io/part-of: nginx-external-ingress
app.kubernetes.io/version: 1.11.3
name: nginx-external-ingress-controller
namespace: nginx-ingress
---
apiVersion: v1
kind: Service
metadata:
labels:
app.kubernetes.io/component: controller-external
app.kubernetes.io/instance: nginx-external-ingress
app.kubernetes.io/name: nginx-external-ingress
app.kubernetes.io/part-of: nginx-external-ingress
app.kubernetes.io/version: 1.11.3
name: nginx-external-ingress-controller
namespace: nginx-ingress
spec:
ipFamilies:
- IPv4
ipFamilyPolicy: SingleStack
ports:
- appProtocol: http
name: http
port: 80
protocol: TCP
targetPort: http
- appProtocol: https
name: https
port: 443
protocol: TCP
targetPort: https
- name: prometheus
port: 10254
protocol: TCP
targetPort: prometheus
selector:
app.kubernetes.io/component: controller-external
app.kubernetes.io/instance: nginx-external-ingress
app.kubernetes.io/name: nginx-external-ingress
type: NodePort
---
apiVersion: v1
kind: Service
metadata:
labels:
app.kubernetes.io/component: controller-external
app.kubernetes.io/instance: nginx-external-ingress
app.kubernetes.io/name: nginx-external-ingress
app.kubernetes.io/part-of: nginx-external-ingress
app.kubernetes.io/version: 1.11.3
name: nginx-external-ingress-controller-admission
namespace: nginx-ingress
spec:
ports:
- appProtocol: https
name: https-webhook
port: 443
targetPort: webhook
selector:
app.kubernetes.io/component: controller-external
app.kubernetes.io/instance: nginx-external-ingress
app.kubernetes.io/name: nginx-external-ingress
type: ClusterIP
---
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
app.kubernetes.io/component: controller-external
app.kubernetes.io/instance: nginx-external-ingress
app.kubernetes.io/name: nginx-external-ingress
app.kubernetes.io/part-of: nginx-external-ingress
app.kubernetes.io/version: 1.11.3
name: nginx-external-ingress-controller
namespace: nginx-ingress
spec:
minReadySeconds: 0
revisionHistoryLimit: 10
selector:
matchLabels:
app.kubernetes.io/component: controller-external
app.kubernetes.io/instance: nginx-external-ingress
app.kubernetes.io/name: nginx-external-ingress
strategy:
rollingUpdate:
maxUnavailable: 1
type: RollingUpdate
template:
metadata:
annotations:
prometheus.io/port: "10254"
prometheus.io/scrape: "true"
labels:
app.kubernetes.io/component: controller-external
app.kubernetes.io/instance: nginx-external-ingress
app.kubernetes.io/name: nginx-external-ingress
app.kubernetes.io/part-of: nginx-external-ingress
app.kubernetes.io/version: 1.11.3
spec:
affinity:
nodeAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
nodeSelectorTerms:
- matchExpressions:
- key: ingress
operator: In
values:
- external
tolerations:
- key: "type"
operator: "Equal"
value: "services"
effect: "NoSchedule"
containers:
- args:
- /nginx-ingress-controller
- --election-id=nginx-external-ingress-leader
- --controller-class=k8s.io/nginx-external-ingress
- --ingress-class=nginx-external
- --configmap=$(POD_NAMESPACE)/nginx-external-ingress-controller
- --validating-webhook=:8443
- --validating-webhook-certificate=/usr/local/certificates/cert
- --validating-webhook-key=/usr/local/certificates/key
- --enable-metrics=true
env:
- name: POD_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: POD_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: LD_PRELOAD
value: /usr/local/lib/libmimalloc.so
image: registry.k8s.io/ingress-nginx/controller:v1.11.3@sha256:d56f135b6462cfc476447cfe564b83a45e8bb7da2774963b00d12161112270b7
imagePullPolicy: IfNotPresent
lifecycle:
preStop:
exec:
command:
- /wait-shutdown
livenessProbe:
failureThreshold: 5
httpGet:
path: /healthz
port: 10254
scheme: HTTP
initialDelaySeconds: 10
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 1
name: controller
ports:
- containerPort: 80
name: http
protocol: TCP
- containerPort: 443
name: https
protocol: TCP
- containerPort: 8443
name: webhook
protocol: TCP
- containerPort: 10254
name: prometheus
protocol: TCP
readinessProbe:
failureThreshold: 3
httpGet:
path: /healthz
port: 10254
scheme: HTTP
initialDelaySeconds: 10
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 1
resources:
requests:
cpu: 100m
memory: 90Mi
securityContext:
allowPrivilegeEscalation: false
capabilities:
add:
- NET_BIND_SERVICE
drop:
- ALL
readOnlyRootFilesystem: false
runAsNonRoot: true
runAsUser: 101
seccompProfile:
type: RuntimeDefault
volumeMounts:
- mountPath: /usr/local/certificates/
name: webhook-cert
readOnly: true
dnsPolicy: ClusterFirst
nodeSelector:
kubernetes.io/os: linux
serviceAccountName: nginx-external-ingress
terminationGracePeriodSeconds: 300
volumes:
- name: webhook-cert
secret:
secretName: nginx-external-ingress-admission
---
apiVersion: batch/v1
kind: Job
metadata:
labels:
app.kubernetes.io/component: admission-webhook
app.kubernetes.io/instance: nginx-external-ingress
app.kubernetes.io/name: nginx-external-ingress
app.kubernetes.io/part-of: nginx-external-ingress
app.kubernetes.io/version: 1.11.3
name: nginx-external-ingress-admission-create
namespace: nginx-ingress
spec:
template:
metadata:
labels:
app.kubernetes.io/component: admission-webhook
app.kubernetes.io/instance: nginx-external-ingress
app.kubernetes.io/name: nginx-external-ingress
app.kubernetes.io/part-of: nginx-external-ingress
app.kubernetes.io/version: 1.11.3
name: nginx-external-ingress-admission-create
spec:
containers:
- args:
- create
- --host=nginx-external-ingress-controller-admission,nginx-external-ingress-controller-admission.$(POD_NAMESPACE).svc
- --namespace=$(POD_NAMESPACE)
- --secret-name=nginx-external-ingress-admission
env:
- name: POD_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v1.4.4@sha256:a9f03b34a3cbfbb26d103a14046ab2c5130a80c3d69d526ff8063d2b37b9fd3f
imagePullPolicy: IfNotPresent
name: create
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
runAsNonRoot: true
runAsUser: 65532
seccompProfile:
type: RuntimeDefault
nodeSelector:
kubernetes.io/os: linux
restartPolicy: OnFailure
serviceAccountName: nginx-external-ingress-admission
---
apiVersion: batch/v1
kind: Job
metadata:
labels:
app.kubernetes.io/component: admission-webhook
app.kubernetes.io/instance: nginx-external-ingress
app.kubernetes.io/name: nginx-external-ingress
app.kubernetes.io/part-of: nginx-external-ingress
app.kubernetes.io/version: 1.11.3
name: nginx-external-ingress-admission-patch
namespace: nginx-ingress
spec:
template:
metadata:
labels:
app.kubernetes.io/component: admission-webhook
app.kubernetes.io/instance: nginx-external-ingress
app.kubernetes.io/name: nginx-external-ingress
app.kubernetes.io/part-of: nginx-external-ingress
app.kubernetes.io/version: 1.11.3
name: nginx-external-ingress-admission-patch
spec:
containers:
- args:
- patch
- --webhook-name=nginx-external-ingress-admission
- --namespace=$(POD_NAMESPACE)
- --patch-mutating=false
- --secret-name=nginx-external-ingress-admission
- --patch-failure-policy=Fail
env:
- name: POD_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v1.4.4@sha256:a9f03b34a3cbfbb26d103a14046ab2c5130a80c3d69d526ff8063d2b37b9fd3f
imagePullPolicy: IfNotPresent
name: patch
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
runAsNonRoot: true
runAsUser: 65532
seccompProfile:
type: RuntimeDefault
nodeSelector:
kubernetes.io/os: linux
restartPolicy: OnFailure
serviceAccountName: nginx-external-ingress-admission
---
apiVersion: networking.k8s.io/v1
kind: IngressClass
metadata:
labels:
app.kubernetes.io/component: controller-external
app.kubernetes.io/instance: nginx-external-ingress
app.kubernetes.io/name: nginx-external-ingress
app.kubernetes.io/part-of: nginx-external-ingress
app.kubernetes.io/version: 1.11.3
name: nginx-external
spec:
controller: k8s.io/nginx-external-ingress
---
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
labels:
app.kubernetes.io/component: admission-webhook
app.kubernetes.io/instance: nginx-external-ingress
app.kubernetes.io/name: nginx-external-ingress
app.kubernetes.io/part-of: nginx-external-ingress
app.kubernetes.io/version: 1.11.3
name: nginx-external-ingress-admission
webhooks:
- admissionReviewVersions:
- v1
clientConfig:
service:
name: nginx-external-ingress-controller-admission
namespace: nginx-ingress
path: /networking/v1/ingresses
port: 443
failurePolicy: Fail
matchPolicy: Equivalent
name: validate.nginx.ingress.kubernetes.io
rules:
- apiGroups:
- networking.k8s.io
apiVersions:
- v1
operations:
- CREATE
- UPDATE
resources:
- ingresses
sideEffects: None
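Review bot: The external, internet-facing controller's ConfigMap enables `allow-snippet-annotations: "true"` while the internal copy sets it to `"false"`; snippet annotations let anyone who can create an Ingress in any namespace (the ClusterRole watches Ingresses cluster-wide) inject arbitrary nginx directives into this controller, and the controller pod mounts a service-account token whose ClusterRole can list and watch Secrets in every namespace, which is the escalation path the upstream project warns about when snippets are enabled. Unless a specific Ingress depends on snippets, set `allow-snippet-annotations: "false"` here to match the internal controller. Separately, the controller Service is `type: NodePort` and also publishes the `prometheus` port, so the unauthenticated metrics endpoint gets a node port on every node on top of the LoadBalancer defined in loadbalancer.yaml; `type: ClusterIP` for that Service (or at least dropping the prometheus port from it) removes that exposure. The forge marks this file as vendored, but its ConfigMap value and scheduling constraints differ from the internal copy, so it is reviewed here as customised.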

7
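--- a/nginx/external/kustomization.yaml
+++ b/nginx/external/kustomization.yaml
@@ -0,0 +1,7 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- deploy.yaml
+- loadbalancer.yaml
+- networkpolicy.yaml
+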
21
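--- a/nginx/external/loadbalancer.yaml
+++ b/nginx/external/loadbalancer.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Service
+metadata:
+name: nginx-external-ingress-controller-loadbalancer
+namespace: nginx-ingress
+spec:
+selector:
+app.kubernetes.io/component: controller-external
+app.kubernetes.io/instance: nginx-external-ingress
+app.kubernetes.io/name: nginx-external-ingress
+ports:
+- name: http
+port: 80
+protocol: TCP
+targetPort: 80
+- name: https
+port: 443
+protocol: TCP
+targetPort: 443
+type: LoadBalancer
+externalTrafficPolicy: Local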

28
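--- a/nginx/external/networkpolicy.yaml
+++ b/nginx/external/networkpolicy.yaml
@@ -0,0 +1,28 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+name: nginx-scrapper-blocker
+namespace: nginx-ingress
+spec:
+podSelector: {} # Applies to all pods in the namespace
+ingress:
+- from:
+- ipBlock:
+cidr: 0.0.0.0/0
+except:
+- 57.141.0.0/24 # Facebook crawler
+- 85.208.96.0/24 # Semrush crawler
+- 185.191.171.0/24 # Random crawler
+- 44.192.0.0/10 # AWS crawler
+- 3.0.0.0/9 # AWS crawler
+- 34.192.0.0/10 # AWS crawler
+- 100.24.0.0/13 # AWS crawler
+- 216.244.64.0/19 # Random crawler
+- 54.224.0.0/11 # Random crawler
+ports:
+- protocol: TCP
+port: 80
+- protocol: TCP
+port: 443
+- protocol: TCP
+port: 8443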
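Review bot: A NetworkPolicy with an empty `podSelector` makes every pod in `nginx-ingress` deny-by-default for anything its rules omit, and the rules only open 80, 443 and 8443, so the `prometheus` port (10254) that the ServiceMonitors in this commit scrape is dropped, for the internal controller pods in the same namespace as well as the external ones. The CIDR exceptions also only bite when the client address survives to the pod: that holds for the LoadBalancer Service with `externalTrafficPolicy: Local`, but traffic arriving through the controller's own NodePort Service, which has the default policy, is typically SNATed to a node address and bypasses the block list. Add a second ingress rule for port 10254 scoped to the namespace that runs Prometheus (kubelet health probes are exempted by most CNIs, but confirm for the one in use), and consider renaming `nginx-scrapper-blocker` to `nginx-scraper-blocker`.
```yaml
# … unchanged: metadata and the crawler block-list rule for 80/443/8443 …
  - from:
      - namespaceSelector:
          matchLabels:
            kubernetes.io/metadata.name: monitoring  # replace with the namespace running Prometheus
    ports:
      - protocol: TCP
        port: 10254
```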

14
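--- a/nginx/external/servicemonitor.yaml
+++ b/nginx/external/servicemonitor.yaml
@@ -0,0 +1,14 @@
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+name: nginx-external
+namespace: nginx-ingress
+labels:
+app.kubernetes.io/name: nginx-external-ingress
+spec:
+selector:
+matchLabels:
+app.kubernetes.io/name: nginx-external-ingress
+endpoints:
+- port: prometheus
+path: /metrics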
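Review bot: The selector `app.kubernetes.io/name: nginx-external-ingress` matches both the controller Service and the `-controller-admission` Service, since both carry that label; only the controller Service has a port named `prometheus`, so the admission Service yields no target today, but any port added to it later would be scraped unintentionally. Adding `app.kubernetes.io/component: controller-external` to `matchLabels` pins the monitor to the controller Service. Note also that networkpolicy.yaml in the same kustomization does not allow ingress on 10254, so this monitor will report its target down until that policy permits the scrape.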


@ -1,23 +0,0 @@
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: nginx-ingress
annotations:
kubernetes.io/ingress.class: "traefik"
spec:
tls:
- secretName: nginx-beta-tls
hosts:
- nginx.beta.halia.dev
rules:
- host: nginx.beta.halia.dev
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: nginx-svc
port:
number: 80

678
nginx/internal/deploy.yaml Normal file

@ -0,0 +1,678 @@
apiVersion: v1
automountServiceAccountToken: true
kind: ServiceAccount
metadata:
labels:
app.kubernetes.io/component: controller-internal
app.kubernetes.io/instance: nginx-internal-ingress
app.kubernetes.io/name: nginx-internal-ingress
app.kubernetes.io/part-of: nginx-internal-ingress
app.kubernetes.io/version: 1.11.3
name: nginx-internal-ingress
namespace: nginx-ingress
---
apiVersion: v1
automountServiceAccountToken: true
kind: ServiceAccount
metadata:
labels:
app.kubernetes.io/component: admission-webhook
app.kubernetes.io/instance: nginx-internal-ingress
app.kubernetes.io/name: nginx-internal-ingress
app.kubernetes.io/part-of: nginx-internal-ingress
app.kubernetes.io/version: 1.11.3
name: nginx-internal-ingress-admission
namespace: nginx-ingress
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
labels:
app.kubernetes.io/component: controller-internal
app.kubernetes.io/instance: nginx-internal-ingress
app.kubernetes.io/name: nginx-internal-ingress
app.kubernetes.io/part-of: nginx-internal-ingress
app.kubernetes.io/version: 1.11.3
name: nginx-internal-ingress
namespace: nginx-ingress
rules:
- apiGroups:
- ""
resources:
- namespaces
verbs:
- get
- apiGroups:
- ""
resources:
- configmaps
- pods
- secrets
- endpoints
verbs:
- get
- list
- watch
- apiGroups:
- ""
resources:
- services
verbs:
- get
- list
- watch
- apiGroups:
- networking.k8s.io
resources:
- ingresses
verbs:
- get
- list
- watch
- apiGroups:
- networking.k8s.io
resources:
- ingresses/status
verbs:
- update
- apiGroups:
- networking.k8s.io
resources:
- ingressclasses
verbs:
- get
- list
- watch
- apiGroups:
- coordination.k8s.io
resourceNames:
- nginx-internal-ingress-leader
resources:
- leases
verbs:
- get
- update
- apiGroups:
- coordination.k8s.io
resources:
- leases
verbs:
- create
- apiGroups:
- ""
resources:
- events
verbs:
- create
- patch
- apiGroups:
- discovery.k8s.io
resources:
- endpointslices
verbs:
- list
- watch
- get
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
labels:
app.kubernetes.io/component: admission-webhook
app.kubernetes.io/instance: nginx-internal-ingress
app.kubernetes.io/name: nginx-internal-ingress
app.kubernetes.io/part-of: nginx-internal-ingress
app.kubernetes.io/version: 1.11.3
name: nginx-internal-ingress-admission
namespace: nginx-ingress
rules:
- apiGroups:
- ""
resources:
- secrets
verbs:
- get
- create
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
labels:
app.kubernetes.io/instance: nginx-internal-ingress
app.kubernetes.io/name: nginx-internal-ingress
app.kubernetes.io/part-of: nginx-internal-ingress
app.kubernetes.io/version: 1.11.3
name: nginx-internal-ingress
rules:
- apiGroups:
- ""
resources:
- configmaps
- endpoints
- nodes
- pods
- secrets
- namespaces
verbs:
- list
- watch
- apiGroups:
- coordination.k8s.io
resources:
- leases
verbs:
- list
- watch
- apiGroups:
- ""
resources:
- nodes
verbs:
- get
- apiGroups:
- ""
resources:
- services
verbs:
- get
- list
- watch
- apiGroups:
- networking.k8s.io
resources:
- ingresses
verbs:
- get
- list
- watch
- apiGroups:
- ""
resources:
- events
verbs:
- create
- patch
- apiGroups:
- networking.k8s.io
resources:
- ingresses/status
verbs:
- update
- apiGroups:
- networking.k8s.io
resources:
- ingressclasses
verbs:
- get
- list
- watch
- apiGroups:
- discovery.k8s.io
resources:
- endpointslices
verbs:
- list
- watch
- get
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
labels:
app.kubernetes.io/component: admission-webhook
app.kubernetes.io/instance: nginx-internal-ingress
app.kubernetes.io/name: nginx-internal-ingress
app.kubernetes.io/part-of: nginx-internal-ingress
app.kubernetes.io/version: 1.11.3
name: nginx-internal-ingress-admission
rules:
- apiGroups:
- admissionregistration.k8s.io
resources:
- validatingwebhookconfigurations
verbs:
- get
- update
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
labels:
app.kubernetes.io/component: controller-internal
app.kubernetes.io/instance: nginx-internal-ingress
app.kubernetes.io/name: nginx-internal-ingress
app.kubernetes.io/part-of: nginx-internal-ingress
app.kubernetes.io/version: 1.11.3
name: nginx-internal-ingress
namespace: nginx-ingress
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: nginx-internal-ingress
subjects:
- kind: ServiceAccount
name: nginx-internal-ingress
namespace: nginx-ingress
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
labels:
app.kubernetes.io/component: admission-webhook
app.kubernetes.io/instance: nginx-internal-ingress
app.kubernetes.io/name: nginx-internal-ingress
app.kubernetes.io/part-of: nginx-internal-ingress
app.kubernetes.io/version: 1.11.3
name: nginx-internal-ingress-admission
namespace: nginx-ingress
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: nginx-internal-ingress-admission
subjects:
- kind: ServiceAccount
name: nginx-internal-ingress-admission
namespace: nginx-ingress
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
labels:
app.kubernetes.io/instance: nginx-internal-ingress
app.kubernetes.io/name: nginx-internal-ingress
app.kubernetes.io/part-of: nginx-internal-ingress
app.kubernetes.io/version: 1.11.3
name: nginx-internal-ingress
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: nginx-internal-ingress
subjects:
- kind: ServiceAccount
name: nginx-internal-ingress
namespace: nginx-ingress
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
labels:
app.kubernetes.io/component: admission-webhook
app.kubernetes.io/instance: nginx-internal-ingress
app.kubernetes.io/name: nginx-internal-ingress
app.kubernetes.io/part-of: nginx-internal-ingress
app.kubernetes.io/version: 1.11.3
name: nginx-internal-ingress-admission
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: nginx-internal-ingress-admission
subjects:
- kind: ServiceAccount
name: nginx-internal-ingress-admission
namespace: nginx-ingress
---
apiVersion: v1
data:
allow-snippet-annotations: "false"
kind: ConfigMap
metadata:
labels:
app.kubernetes.io/component: controller-internal
app.kubernetes.io/instance: nginx-internal-ingress
app.kubernetes.io/name: nginx-internal-ingress
app.kubernetes.io/part-of: nginx-internal-ingress
app.kubernetes.io/version: 1.11.3
name: nginx-internal-ingress-controller
namespace: nginx-ingress
---
apiVersion: v1
kind: Service
metadata:
labels:
app.kubernetes.io/component: controller-internal
app.kubernetes.io/instance: nginx-internal-ingress
app.kubernetes.io/name: nginx-internal-ingress
app.kubernetes.io/part-of: nginx-internal-ingress
app.kubernetes.io/version: 1.11.3
name: nginx-internal-ingress-controller
namespace: nginx-ingress
spec:
ipFamilies:
- IPv4
ipFamilyPolicy: SingleStack
ports:
- appProtocol: http
name: http
port: 80
protocol: TCP
targetPort: http
- appProtocol: https
name: https
port: 443
protocol: TCP
targetPort: https
- name: prometheus
port: 10254
protocol: TCP
targetPort: prometheus
selector:
app.kubernetes.io/component: controller-internal
app.kubernetes.io/instance: nginx-internal-ingress
app.kubernetes.io/name: nginx-internal-ingress
type: NodePort
---
apiVersion: v1
kind: Service
metadata:
labels:
app.kubernetes.io/component: controller-internal
app.kubernetes.io/instance: nginx-internal-ingress
app.kubernetes.io/name: nginx-internal-ingress
app.kubernetes.io/part-of: nginx-internal-ingress
app.kubernetes.io/version: 1.11.3
name: nginx-internal-ingress-controller-admission
namespace: nginx-ingress
spec:
ports:
- appProtocol: https
name: https-webhook
port: 443
targetPort: webhook
selector:
app.kubernetes.io/component: controller-internal
app.kubernetes.io/instance: nginx-internal-ingress
app.kubernetes.io/name: nginx-internal-ingress
type: ClusterIP
---
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
app.kubernetes.io/component: controller-internal
app.kubernetes.io/instance: nginx-internal-ingress
app.kubernetes.io/name: nginx-internal-ingress
app.kubernetes.io/part-of: nginx-internal-ingress
app.kubernetes.io/version: 1.11.3
name: nginx-internal-ingress-controller
namespace: nginx-ingress
spec:
minReadySeconds: 0
revisionHistoryLimit: 10
selector:
matchLabels:
app.kubernetes.io/component: controller-internal
app.kubernetes.io/instance: nginx-internal-ingress
app.kubernetes.io/name: nginx-internal-ingress
strategy:
rollingUpdate:
maxUnavailable: 1
type: RollingUpdate
template:
metadata:
annotations:
prometheus.io/port: "10254"
prometheus.io/scrape: "true"
labels:
app.kubernetes.io/component: controller-internal
app.kubernetes.io/instance: nginx-internal-ingress
app.kubernetes.io/name: nginx-internal-ingress
app.kubernetes.io/part-of: nginx-internal-ingress
app.kubernetes.io/version: 1.11.3
spec:
affinity:
nodeAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
nodeSelectorTerms:
- matchExpressions:
- key: ingress
operator: In
values:
- internal
tolerations:
- key: "type"
operator: "Equal"
value: "services"
effect: "NoSchedule"
containers:
- args:
- /nginx-ingress-controller
- --election-id=nginx-internal-ingress-leader
- --controller-class=k8s.io/nginx-internal-ingress
- --ingress-class=nginx-internal
- --configmap=$(POD_NAMESPACE)/nginx-internal-ingress-controller
- --validating-webhook=:8443
- --validating-webhook-certificate=/usr/local/certificates/cert
- --validating-webhook-key=/usr/local/certificates/key
- --enable-metrics=true
env:
- name: POD_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: POD_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: LD_PRELOAD
value: /usr/local/lib/libmimalloc.so
image: registry.k8s.io/ingress-nginx/controller:v1.11.3@sha256:d56f135b6462cfc476447cfe564b83a45e8bb7da2774963b00d12161112270b7
imagePullPolicy: IfNotPresent
lifecycle:
preStop:
exec:
command:
- /wait-shutdown
livenessProbe:
failureThreshold: 5
httpGet:
path: /healthz
port: 10254
scheme: HTTP
initialDelaySeconds: 10
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 1
name: controller
ports:
- containerPort: 80
name: http
protocol: TCP
- containerPort: 443
name: https
protocol: TCP
- containerPort: 8443
name: webhook
protocol: TCP
- containerPort: 10254
name: prometheus
protocol: TCP
readinessProbe:
failureThreshold: 3
httpGet:
path: /healthz
port: 10254
scheme: HTTP
initialDelaySeconds: 10
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 1
resources:
requests:
cpu: 100m
memory: 90Mi
securityContext:
allowPrivilegeEscalation: false
capabilities:
add:
- NET_BIND_SERVICE
drop:
- ALL
readOnlyRootFilesystem: false
runAsNonRoot: true
runAsUser: 101
seccompProfile:
type: RuntimeDefault
volumeMounts:
- mountPath: /usr/local/certificates/
name: webhook-cert
readOnly: true
dnsPolicy: ClusterFirst
nodeSelector:
kubernetes.io/os: linux
serviceAccountName: nginx-internal-ingress
terminationGracePeriodSeconds: 300
volumes:
- name: webhook-cert
secret:
secretName: nginx-internal-ingress-admission
---
apiVersion: batch/v1
kind: Job
metadata:
labels:
app.kubernetes.io/component: admission-webhook
app.kubernetes.io/instance: nginx-internal-ingress
app.kubernetes.io/name: nginx-internal-ingress
app.kubernetes.io/part-of: nginx-internal-ingress
app.kubernetes.io/version: 1.11.3
name: nginx-internal-ingress-admission-create
namespace: nginx-ingress
spec:
template:
metadata:
labels:
app.kubernetes.io/component: admission-webhook
app.kubernetes.io/instance: nginx-internal-ingress
app.kubernetes.io/name: nginx-internal-ingress
app.kubernetes.io/part-of: nginx-internal-ingress
app.kubernetes.io/version: 1.11.3
name: nginx-internal-ingress-admission-create
spec:
containers:
- args:
- create
- --host=nginx-internal-ingress-controller-admission,nginx-internal-ingress-controller-admission.$(POD_NAMESPACE).svc
- --namespace=$(POD_NAMESPACE)
- --secret-name=nginx-internal-ingress-admission
env:
- name: POD_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v1.4.4@sha256:a9f03b34a3cbfbb26d103a14046ab2c5130a80c3d69d526ff8063d2b37b9fd3f
imagePullPolicy: IfNotPresent
name: create
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
runAsNonRoot: true
runAsUser: 65532
seccompProfile:
type: RuntimeDefault
nodeSelector:
kubernetes.io/os: linux
restartPolicy: OnFailure
serviceAccountName: nginx-internal-ingress-admission
---
apiVersion: batch/v1
kind: Job
metadata:
labels:
app.kubernetes.io/component: admission-webhook
app.kubernetes.io/instance: nginx-internal-ingress
app.kubernetes.io/name: nginx-internal-ingress
app.kubernetes.io/part-of: nginx-internal-ingress
app.kubernetes.io/version: 1.11.3
name: nginx-internal-ingress-admission-patch
namespace: nginx-ingress
spec:
template:
metadata:
labels:
app.kubernetes.io/component: admission-webhook
app.kubernetes.io/instance: nginx-internal-ingress
app.kubernetes.io/name: nginx-internal-ingress
app.kubernetes.io/part-of: nginx-internal-ingress
app.kubernetes.io/version: 1.11.3
name: nginx-internal-ingress-admission-patch
spec:
containers:
- args:
- patch
- --webhook-name=nginx-internal-ingress-admission
- --namespace=$(POD_NAMESPACE)
- --patch-mutating=false
- --secret-name=nginx-internal-ingress-admission
- --patch-failure-policy=Fail
env:
- name: POD_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v1.4.4@sha256:a9f03b34a3cbfbb26d103a14046ab2c5130a80c3d69d526ff8063d2b37b9fd3f
imagePullPolicy: IfNotPresent
name: patch
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
runAsNonRoot: true
runAsUser: 65532
seccompProfile:
type: RuntimeDefault
nodeSelector:
kubernetes.io/os: linux
restartPolicy: OnFailure
serviceAccountName: nginx-internal-ingress-admission
---
apiVersion: networking.k8s.io/v1
kind: IngressClass
metadata:
labels:
app.kubernetes.io/component: controller-internal
app.kubernetes.io/instance: nginx-internal-ingress
app.kubernetes.io/name: nginx-internal-ingress
app.kubernetes.io/part-of: nginx-internal-ingress
app.kubernetes.io/version: 1.11.3
name: nginx-internal
spec:
controller: k8s.io/nginx-internal-ingress
---
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
labels:
app.kubernetes.io/component: admission-webhook
app.kubernetes.io/instance: nginx-internal-ingress
app.kubernetes.io/name: nginx-internal-ingress
app.kubernetes.io/part-of: nginx-internal-ingress
app.kubernetes.io/version: 1.11.3
name: nginx-internal-ingress-admission
webhooks:
- admissionReviewVersions:
- v1
clientConfig:
service:
name: nginx-internal-ingress-controller-admission
namespace: nginx-ingress
path: /networking/v1/ingresses
port: 443
failurePolicy: Fail
matchPolicy: Equivalent
name: validate.nginx.ingress.kubernetes.io
rules:
- apiGroups:
- networking.k8s.io
apiVersions:
- v1
operations:
- CREATE
- UPDATE
resources:
- ingresses
sideEffects: None
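Review bot: Both ValidatingWebhookConfigurations register a webhook entry with the same `name: validate.nginx.ingress.kubernetes.io`, both match every Ingress CREATE/UPDATE in the cluster, and both use `failurePolicy: Fail`; apiserver admission metrics and audit annotations are labelled by that name, so the two controllers become indistinguishable there, and any Ingress write for either class is rejected whenever either controller has no ready pod. The external controller is pinned by a required nodeAffinity to nodes labelled `ingress=external`, and this Deployment omits `replicas` (so one pod) with `maxUnavailable: 1`, meaning every rollout opens a window in which all Ingress admission in the cluster fails. Give this entry a distinct name, e.g. `name: validate.nginx-internal.ingress.kubernetes.io`, and set `maxUnavailable: 0` (or run two replicas) so a ready pod survives rollouts. This file is not marked vendored, so it is the copy to keep in sync with upstream on upgrades; the `@sha256` digests pinned on both images help with that.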


@ -0,0 +1,6 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- deploy.yaml
- loadbalancer.yaml


@ -0,0 +1,22 @@
apiVersion: v1
kind: Service
metadata:
name: nginx-internal-ingress-controller-loadbalancer
namespace: nginx-ingress
spec:
selector:
app.kubernetes.io/component: controller-internal
app.kubernetes.io/instance: nginx-internal-ingress
app.kubernetes.io/name: nginx-internal-ingress
ports:
- name: http
port: 80
protocol: TCP
targetPort: 80
- name: https
port: 443
protocol: TCP
targetPort: 443
type: LoadBalancer
externalTrafficPolicy: Local
loadBalancerIP: 10.10.0.16
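Review bot: `loadBalancerIP` is deprecated in the Service API (since Kubernetes 1.24) and is ignored by some load-balancer implementations, so the pin to `10.10.0.16` may silently stop being honoured after an upgrade; the replacement is the provider-specific annotation for whichever implementation serves this cluster. The file header for this section is not shown, so the path is presumed to be nginx/internal/loadbalancer.yaml from the internal kustomization. As with the external copy, the controller's own `type: NodePort` Service in deploy.yaml exposes the same pods a second time; `type: ClusterIP` there keeps this LoadBalancer as the only entry point.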


@ -0,0 +1,14 @@
apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
name: nginx-internal
namespace: nginx-ingress
labels:
app.kubernetes.io/name: nginx-internal-ingress
spec:
selector:
matchLabels:
app.kubernetes.io/name: nginx-internal-ingress
endpoints:
- port: prometheus
path: /metrics

7
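--- a/nginx/kustomization.yaml
+++ b/nginx/kustomization.yaml
@@ -0,0 +1,7 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- namespace.yaml
+- internal
+- external
+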
7
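--- a/nginx/namespace.yaml
+++ b/nginx/namespace.yaml
@@ -0,0 +1,7 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+labels:
+app.kubernetes.io/instance: nginx-ingress
+app.kubernetes.io/name: nginx-ingress
+name: nginx-ingress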
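Review bot: The namespace carries no Pod Security Admission labels, although the pod specs in this commit appear to satisfy the `restricted` profile (capabilities drop ALL with only NET_BIND_SERVICE added, `runAsNonRoot: true`, `allowPrivilegeEscalation: false`, `seccompProfile: RuntimeDefault`, and only a Secret volume). Adding `pod-security.kubernetes.io/enforce: restricted` and `pod-security.kubernetes.io/warn: restricted` under `labels` makes that baseline mandatory for anything later deployed into this namespace; roll out `warn`/`audit` first if there is any doubt about the certgen Jobs.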


@ -1,14 +0,0 @@
apiVersion: v1
kind: Service
metadata:
name: nginx-svc
labels:
app: nginx
spec:
type: ClusterIP
ports:
- name: http
port: 80
selector:
app: nginx