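---
# ingress-nginx controller instance "nginx-external-ingress" (controller
# v1.11.3, IngressClass "nginx-external") in namespace "nginx-ingress".
# Contents: two ServiceAccounts, their RBAC, the controller ConfigMap, Services
# and Deployment, the two webhook-certificate Jobs, the IngressClass and the
# ValidatingWebhookConfiguration.
#
# NOTE(review): no Namespace object is defined in this part of the manifest;
# "nginx-ingress" presumably has to exist before these objects are applied.
# NOTE(review): the controller release is pinned to v1.11.3. Check the upstream
# ingress-nginx security advisories for this release before deploying; the
# admission webhook and annotation handling are the areas to look at first.

# Identity of the controller pods. Token automount is explicitly on, so every
# process in the controller container can use the RBAC granted below.
apiVersion: v1
automountServiceAccountToken: true
kind: ServiceAccount
metadata:
  labels:
    app.kubernetes.io/component: controller-external
    app.kubernetes.io/instance: nginx-external-ingress
    app.kubernetes.io/name: nginx-external-ingress
    app.kubernetes.io/part-of: nginx-external-ingress
    app.kubernetes.io/version: 1.11.3
  name: nginx-external-ingress
  namespace: nginx-ingress
---
# Identity of the two certgen Jobs (admission-create / admission-patch).
apiVersion: v1
automountServiceAccountToken: true
kind: ServiceAccount
metadata:
  labels:
    app.kubernetes.io/component: admission-webhook
    app.kubernetes.io/instance: nginx-external-ingress
    app.kubernetes.io/name: nginx-external-ingress
    app.kubernetes.io/part-of: nginx-external-ingress
    app.kubernetes.io/version: 1.11.3
  name: nginx-external-ingress-admission
  namespace: nginx-ingress
---
# Namespaced permissions of the controller inside "nginx-ingress".
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  labels:
    app.kubernetes.io/component: controller-external
    app.kubernetes.io/instance: nginx-external-ingress
    app.kubernetes.io/name: nginx-external-ingress
    app.kubernetes.io/part-of: nginx-external-ingress
    app.kubernetes.io/version: 1.11.3
  name: nginx-external-ingress
  namespace: nginx-ingress
rules:
  - apiGroups:
      - ""
    resources:
      - namespaces
    verbs:
      - get
  # Includes read access to every Secret in this namespace.
  - apiGroups:
      - ""
    resources:
      - configmaps
      - pods
      - secrets
      - endpoints
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - ""
    resources:
      - services
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - networking.k8s.io
    resources:
      - ingresses
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - networking.k8s.io
    resources:
      - ingresses/status
    verbs:
      - update
  - apiGroups:
      - networking.k8s.io
    resources:
      - ingressclasses
    verbs:
      - get
      - list
      - watch
  # Leader election: get/update is limited to the single Lease named by
  # --election-id on the controller.
  - apiGroups:
      - coordination.k8s.io
    resourceNames:
      - nginx-external-ingress-leader
    resources:
      - leases
    verbs:
      - get
      - update
  # "create" cannot be limited with resourceNames in RBAC, hence the
  # separate, unrestricted rule.
  - apiGroups:
      - coordination.k8s.io
    resources:
      - leases
    verbs:
      - create
  - apiGroups:
      - ""
    resources:
      - events
    verbs:
      - create
      - patch
  - apiGroups:
      - discovery.k8s.io
    resources:
      - endpointslices
    verbs:
      - list
      - watch
      - get
---
# Namespaced permissions of the certgen Jobs.
# NOTE(review): "get" is not limited with resourceNames, so this identity can
# read any Secret in "nginx-ingress" by name, not only the webhook certificate
# Secret "nginx-external-ingress-admission". Consider splitting the rule and
# restricting "get" to that name ("create" cannot be name-restricted).
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  labels:
    app.kubernetes.io/component: admission-webhook
    app.kubernetes.io/instance: nginx-external-ingress
    app.kubernetes.io/name: nginx-external-ingress
    app.kubernetes.io/part-of: nginx-external-ingress
    app.kubernetes.io/version: 1.11.3
  name: nginx-external-ingress-admission
  namespace: nginx-ingress
rules:
  - apiGroups:
      - ""
    resources:
      - secrets
    verbs:
      - get
      - create
---
# Cluster-wide permissions of the controller.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  labels:
    app.kubernetes.io/instance: nginx-external-ingress
    app.kubernetes.io/name: nginx-external-ingress
    app.kubernetes.io/part-of: nginx-external-ingress
    app.kubernetes.io/version: 1.11.3
  name: nginx-external-ingress
rules:
  # list/watch on "secrets" here means the controller identity can read the
  # content of every Secret in every namespace. That is the blast radius of a
  # compromised controller pod; see the ConfigMap note on snippet annotations.
  # NOTE(review): if this instance only has to serve some namespaces, scope the
  # controller (--watch-namespace) and grant namespaced Roles instead.
  - apiGroups:
      - ""
    resources:
      - configmaps
      - endpoints
      - nodes
      - pods
      - secrets
      - namespaces
    verbs:
      - list
      - watch
  - apiGroups:
      - coordination.k8s.io
    resources:
      - leases
    verbs:
      - list
      - watch
  - apiGroups:
      - ""
    resources:
      - nodes
    verbs:
      - get
  - apiGroups:
      - ""
    resources:
      - services
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - networking.k8s.io
    resources:
      - ingresses
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - ""
    resources:
      - events
    verbs:
      - create
      - patch
  - apiGroups:
      - networking.k8s.io
    resources:
      - ingresses/status
    verbs:
      - update
  - apiGroups:
      - networking.k8s.io
    resources:
      - ingressclasses
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - discovery.k8s.io
    resources:
      - endpointslices
    verbs:
      - list
      - watch
      - get
---
# Cluster-wide permissions of the certgen Jobs.
# NOTE(review): get/update is granted on every ValidatingWebhookConfiguration
# in the cluster. The patch Job only names "nginx-external-ingress-admission"
# (--webhook-name); adding resourceNames with that value would keep this
# identity from modifying other admission webhooks.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  labels:
    app.kubernetes.io/component: admission-webhook
    app.kubernetes.io/instance: nginx-external-ingress
    app.kubernetes.io/name: nginx-external-ingress
    app.kubernetes.io/part-of: nginx-external-ingress
    app.kubernetes.io/version: 1.11.3
  name: nginx-external-ingress-admission
rules:
  - apiGroups:
      - admissionregistration.k8s.io
    resources:
      - validatingwebhookconfigurations
    verbs:
      - get
      - update
---
# Binds the controller Role to the controller ServiceAccount.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  labels:
    app.kubernetes.io/component: controller-external
    app.kubernetes.io/instance: nginx-external-ingress
    app.kubernetes.io/name: nginx-external-ingress
    app.kubernetes.io/part-of: nginx-external-ingress
    app.kubernetes.io/version: 1.11.3
  name: nginx-external-ingress
  namespace: nginx-ingress
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: nginx-external-ingress
subjects:
  - kind: ServiceAccount
    name: nginx-external-ingress
    namespace: nginx-ingress
---
# Binds the admission Role to the certgen ServiceAccount.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  labels:
    app.kubernetes.io/component: admission-webhook
    app.kubernetes.io/instance: nginx-external-ingress
    app.kubernetes.io/name: nginx-external-ingress
    app.kubernetes.io/part-of: nginx-external-ingress
    app.kubernetes.io/version: 1.11.3
  name: nginx-external-ingress-admission
  namespace: nginx-ingress
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: nginx-external-ingress-admission
subjects:
  - kind: ServiceAccount
    name: nginx-external-ingress-admission
    namespace: nginx-ingress
---
# Binds the controller ClusterRole to the controller ServiceAccount.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  labels:
    app.kubernetes.io/instance: nginx-external-ingress
    app.kubernetes.io/name: nginx-external-ingress
    app.kubernetes.io/part-of: nginx-external-ingress
    app.kubernetes.io/version: 1.11.3
  name: nginx-external-ingress
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: nginx-external-ingress
subjects:
  - kind: ServiceAccount
    name: nginx-external-ingress
    namespace: nginx-ingress
---
# Binds the admission ClusterRole to the certgen ServiceAccount.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  labels:
    app.kubernetes.io/component: admission-webhook
    app.kubernetes.io/instance: nginx-external-ingress
    app.kubernetes.io/name: nginx-external-ingress
    app.kubernetes.io/part-of: nginx-external-ingress
    app.kubernetes.io/version: 1.11.3
  name: nginx-external-ingress-admission
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: nginx-external-ingress-admission
subjects:
  - kind: ServiceAccount
    name: nginx-external-ingress-admission
    namespace: nginx-ingress
---
# Controller configuration, read through --configmap on the Deployment.
apiVersion: v1
data:
  # NOTE(review): with snippet annotations allowed, anyone who may create or
  # update an Ingress of class "nginx-external" can supply raw NGINX
  # configuration through the *-snippet annotations. The controller's
  # ClusterRole can read Secrets in all namespaces, so Ingress write access
  # then reaches the controller's privileges. Set this to "false" unless a
  # workload needs it; if it stays on, limit who can write Ingress objects
  # for this class and review snippet annotations at admission.
  allow-snippet-annotations: "true"
kind: ConfigMap
metadata:
  labels:
    app.kubernetes.io/component: controller-external
    app.kubernetes.io/instance: nginx-external-ingress
    app.kubernetes.io/name: nginx-external-ingress
    app.kubernetes.io/part-of: nginx-external-ingress
    app.kubernetes.io/version: 1.11.3
  name: nginx-external-ingress-controller
  namespace: nginx-ingress
---
# Data-plane Service. type NodePort publishes every listed port on a node
# port of each node.
apiVersion: v1
kind: Service
metadata:
  labels:
    app.kubernetes.io/component: controller-external
    app.kubernetes.io/instance: nginx-external-ingress
    app.kubernetes.io/name: nginx-external-ingress
    app.kubernetes.io/part-of: nginx-external-ingress
    app.kubernetes.io/version: 1.11.3
  name: nginx-external-ingress-controller
  namespace: nginx-ingress
spec:
  ipFamilies:
    - IPv4
  ipFamilyPolicy: SingleStack
  ports:
    - appProtocol: http
      name: http
      port: 80
      protocol: TCP
      targetPort: http
    - appProtocol: https
      name: https
      port: 443
      protocol: TCP
      targetPort: https
    # NOTE(review): 10254 is the plain-HTTP health/metrics port (see the
    # probes and --enable-metrics=true). Listing it on this NodePort Service
    # exposes it wherever the node ports are reachable; consider a separate
    # ClusterIP Service for scraping, or firewall the allocated node port.
    - name: prometheus
      port: 10254
      protocol: TCP
      targetPort: prometheus
  selector:
    app.kubernetes.io/component: controller-external
    app.kubernetes.io/instance: nginx-external-ingress
    app.kubernetes.io/name: nginx-external-ingress
  type: NodePort
---
# In-cluster Service the API server calls for Ingress validation; it forwards
# 443 to the controller's "webhook" container port (8443).
# NOTE(review): nothing here restricts which pods may connect to that port.
# Where the CNI supports it, a NetworkPolicy limiting access to the webhook
# port to the API server is a sensible addition.
apiVersion: v1
kind: Service
metadata:
  labels:
    app.kubernetes.io/component: controller-external
    app.kubernetes.io/instance: nginx-external-ingress
    app.kubernetes.io/name: nginx-external-ingress
    app.kubernetes.io/part-of: nginx-external-ingress
    app.kubernetes.io/version: 1.11.3
  name: nginx-external-ingress-controller-admission
  namespace: nginx-ingress
spec:
  ports:
    - appProtocol: https
      name: https-webhook
      port: 443
      targetPort: webhook
  selector:
    app.kubernetes.io/component: controller-external
    app.kubernetes.io/instance: nginx-external-ingress
    app.kubernetes.io/name: nginx-external-ingress
  type: ClusterIP
---
# The controller itself. "replicas" is not set, so the Deployment default
# applies.
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app.kubernetes.io/component: controller-external
    app.kubernetes.io/instance: nginx-external-ingress
    app.kubernetes.io/name: nginx-external-ingress
    app.kubernetes.io/part-of: nginx-external-ingress
    app.kubernetes.io/version: 1.11.3
  name: nginx-external-ingress-controller
  namespace: nginx-ingress
spec:
  minReadySeconds: 0
  revisionHistoryLimit: 10
  selector:
    matchLabels:
      app.kubernetes.io/component: controller-external
      app.kubernetes.io/instance: nginx-external-ingress
      app.kubernetes.io/name: nginx-external-ingress
  strategy:
    rollingUpdate:
      maxUnavailable: 1
    type: RollingUpdate
  template:
    metadata:
      annotations:
        prometheus.io/port: "10254"
        prometheus.io/scrape: "true"
      labels:
        app.kubernetes.io/component: controller-external
        app.kubernetes.io/instance: nginx-external-ingress
        app.kubernetes.io/name: nginx-external-ingress
        app.kubernetes.io/part-of: nginx-external-ingress
        app.kubernetes.io/version: 1.11.3
    spec:
      # Only schedulable on nodes labelled ingress=external ...
      affinity:
        nodeAffinity:
          requiredDuringSchedulingIgnoredDuringExecution:
            nodeSelectorTerms:
              - matchExpressions:
                  - key: ingress
                    operator: In
                    values:
                      - external
      # ... and allowed onto nodes tainted type=services:NoSchedule.
      tolerations:
        - key: "type"
          operator: "Equal"
          value: "services"
          effect: "NoSchedule"
      containers:
        - args:
            - /nginx-ingress-controller
            - --election-id=nginx-external-ingress-leader
            # Must match spec.controller of the IngressClass "nginx-external".
            - --controller-class=k8s.io/nginx-external-ingress
            - --ingress-class=nginx-external
            - --configmap=$(POD_NAMESPACE)/nginx-external-ingress-controller
            # Validating webhook listener; certificate and key come from the
            # "webhook-cert" Secret volume mounted below.
            - --validating-webhook=:8443
            - --validating-webhook-certificate=/usr/local/certificates/cert
            - --validating-webhook-key=/usr/local/certificates/key
            - --enable-metrics=true
          env:
            - name: POD_NAME
              valueFrom:
                fieldRef:
                  fieldPath: metadata.name
            - name: POD_NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
            - name: LD_PRELOAD
              value: /usr/local/lib/libmimalloc.so
          # Pinned by tag and digest; the digest is what the runtime resolves.
          image: registry.k8s.io/ingress-nginx/controller:v1.11.3@sha256:d56f135b6462cfc476447cfe564b83a45e8bb7da2774963b00d12161112270b7
          imagePullPolicy: IfNotPresent
          lifecycle:
            preStop:
              exec:
                command:
                  - /wait-shutdown
          livenessProbe:
            failureThreshold: 5
            httpGet:
              path: /healthz
              port: 10254
              scheme: HTTP
            initialDelaySeconds: 10
            periodSeconds: 10
            successThreshold: 1
            timeoutSeconds: 1
          name: controller
          ports:
            - containerPort: 80
              name: http
              protocol: TCP
            - containerPort: 443
              name: https
              protocol: TCP
            - containerPort: 8443
              name: webhook
              protocol: TCP
            - containerPort: 10254
              name: prometheus
              protocol: TCP
          readinessProbe:
            failureThreshold: 3
            httpGet:
              path: /healthz
              port: 10254
              scheme: HTTP
            initialDelaySeconds: 10
            periodSeconds: 10
            successThreshold: 1
            timeoutSeconds: 1
          # NOTE(review): only requests are set; without limits the
          # internet-facing proxy is bounded by node capacity alone.
          resources:
            requests:
              cpu: 100m
              memory: 90Mi
          # Non-root (uid 101), no privilege escalation, all capabilities
          # dropped except NET_BIND_SERVICE (the container listens on 80/443),
          # default seccomp profile.
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              add:
                - NET_BIND_SERVICE
              drop:
                - ALL
            # NOTE(review): the root filesystem stays writable, presumably
            # because the controller writes its generated NGINX config there.
            readOnlyRootFilesystem: false
            runAsNonRoot: true
            runAsUser: 101
            seccompProfile:
              type: RuntimeDefault
          volumeMounts:
            - mountPath: /usr/local/certificates/
              name: webhook-cert
              readOnly: true
      dnsPolicy: ClusterFirst
      nodeSelector:
        kubernetes.io/os: linux
      serviceAccountName: nginx-external-ingress
      terminationGracePeriodSeconds: 300
      volumes:
        # Secret named by --secret-name on the admission-create Job; the pod
        # cannot start until that Secret exists.
        - name: webhook-cert
          secret:
            secretName: nginx-external-ingress-admission
---
# certgen "create": per its arguments, issues the webhook serving certificate
# for the admission Service host names and stores it in the Secret
# "nginx-external-ingress-admission".
apiVersion: batch/v1
kind: Job
metadata:
  labels:
    app.kubernetes.io/component: admission-webhook
    app.kubernetes.io/instance: nginx-external-ingress
    app.kubernetes.io/name: nginx-external-ingress
    app.kubernetes.io/part-of: nginx-external-ingress
    app.kubernetes.io/version: 1.11.3
  name: nginx-external-ingress-admission-create
  namespace: nginx-ingress
spec:
  template:
    metadata:
      labels:
        app.kubernetes.io/component: admission-webhook
        app.kubernetes.io/instance: nginx-external-ingress
        app.kubernetes.io/name: nginx-external-ingress
        app.kubernetes.io/part-of: nginx-external-ingress
        app.kubernetes.io/version: 1.11.3
      name: nginx-external-ingress-admission-create
    spec:
      containers:
        - args:
            - create
            - --host=nginx-external-ingress-controller-admission,nginx-external-ingress-controller-admission.$(POD_NAMESPACE).svc
            - --namespace=$(POD_NAMESPACE)
            - --secret-name=nginx-external-ingress-admission
          env:
            - name: POD_NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
          image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v1.4.4@sha256:a9f03b34a3cbfbb26d103a14046ab2c5130a80c3d69d526ff8063d2b37b9fd3f
          imagePullPolicy: IfNotPresent
          name: create
          # Non-root (uid 65532), read-only root filesystem, no capabilities.
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
            readOnlyRootFilesystem: true
            runAsNonRoot: true
            runAsUser: 65532
            seccompProfile:
              type: RuntimeDefault
      nodeSelector:
        kubernetes.io/os: linux
      restartPolicy: OnFailure
      serviceAccountName: nginx-external-ingress-admission
---
# certgen "patch": per its arguments, updates the ValidatingWebhookConfiguration
# "nginx-external-ingress-admission" from that Secret and sets its failure
# policy to Fail; mutating webhooks are left alone (--patch-mutating=false).
apiVersion: batch/v1
kind: Job
metadata:
  labels:
    app.kubernetes.io/component: admission-webhook
    app.kubernetes.io/instance: nginx-external-ingress
    app.kubernetes.io/name: nginx-external-ingress
    app.kubernetes.io/part-of: nginx-external-ingress
    app.kubernetes.io/version: 1.11.3
  name: nginx-external-ingress-admission-patch
  namespace: nginx-ingress
spec:
  template:
    metadata:
      labels:
        app.kubernetes.io/component: admission-webhook
        app.kubernetes.io/instance: nginx-external-ingress
        app.kubernetes.io/name: nginx-external-ingress
        app.kubernetes.io/part-of: nginx-external-ingress
        app.kubernetes.io/version: 1.11.3
      name: nginx-external-ingress-admission-patch
    spec:
      containers:
        - args:
            - patch
            - --webhook-name=nginx-external-ingress-admission
            - --namespace=$(POD_NAMESPACE)
            - --patch-mutating=false
            - --secret-name=nginx-external-ingress-admission
            - --patch-failure-policy=Fail
          env:
            - name: POD_NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
          image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v1.4.4@sha256:a9f03b34a3cbfbb26d103a14046ab2c5130a80c3d69d526ff8063d2b37b9fd3f
          imagePullPolicy: IfNotPresent
          name: patch
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
            readOnlyRootFilesystem: true
            runAsNonRoot: true
            runAsUser: 65532
            seccompProfile:
              type: RuntimeDefault
      nodeSelector:
        kubernetes.io/os: linux
      restartPolicy: OnFailure
      serviceAccountName: nginx-external-ingress-admission
---
# Ingress objects opt in to this controller with
# ingressClassName: nginx-external.
apiVersion: networking.k8s.io/v1
kind: IngressClass
metadata:
  labels:
    app.kubernetes.io/component: controller-external
    app.kubernetes.io/instance: nginx-external-ingress
    app.kubernetes.io/name: nginx-external-ingress
    app.kubernetes.io/part-of: nginx-external-ingress
    app.kubernetes.io/version: 1.11.3
  name: nginx-external
spec:
  controller: k8s.io/nginx-external-ingress
---
# Sends every CREATE/UPDATE of networking.k8s.io/v1 Ingress objects to the
# controller for validation. No caBundle is set here; the admission-patch Job
# is expected to supply it.
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
  labels:
    app.kubernetes.io/component: admission-webhook
    app.kubernetes.io/instance: nginx-external-ingress
    app.kubernetes.io/name: nginx-external-ingress
    app.kubernetes.io/part-of: nginx-external-ingress
    app.kubernetes.io/version: 1.11.3
  name: nginx-external-ingress-admission
webhooks:
  - admissionReviewVersions:
      - v1
    clientConfig:
      service:
        name: nginx-external-ingress-controller-admission
        namespace: nginx-ingress
        path: /networking/v1/ingresses
        port: 443
    # Fail closed: while the controller's webhook is unreachable, Ingress
    # creates and updates are rejected cluster-wide (no namespaceSelector or
    # objectSelector narrows this webhook).
    failurePolicy: Fail
    matchPolicy: Equivalent
    name: validate.nginx.ingress.kubernetes.io
    rules:
      - apiGroups:
          - networking.k8s.io
        apiVersions:
          - v1
        operations:
          - CREATE
          - UPDATE
        resources:
          - ingresses
    sideEffects: None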