apiVersion: v1
kind: Namespace
metadata:
name: ingress-nginx
labels:
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-ngin
—
kind: ConfigMap
name: nginx-configuration
namespace: ingress-nginx
name: tcp-services
name: udp-services
data:
resolv.conf: |
nameserver 10.96.0.10
search default.svc.cluster.local svc.cluster.local cluster.local lj.io
options ndots:5
name: resolver
kind: ServiceAccount
name: nginx-ingress-serviceaccount
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
name: nginx-ingress-clusterrole
rules:
– apiGroups:
– “”
resources:
– configmaps
– endpoints
– nodes
– pods
– secrets
verbs:
– list
– watch
– get
– services
– “extensions”
– “networking.k8s.io”
– ingresses
– update
– events
– create
– patch
– ingresses/status
kind: Role
name: nginx-ingress-role
– namespaces
resourceNames:
# Defaults to “<election-id>-<ingress-class>”
# Here: “<ingress-controller-leader>-<nginx>”
# This has to be adapted if you change either parameter
# when launching the nginx-ingress-controller.
– “ingress-controller-leader-nginx”
kind: RoleBinding
name: nginx-ingress-role-nisa-binding
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
subjects:
– kind: ServiceAccount
name: nginx-ingress-serviceaccount
namespace: ingress-nginx
kind: ClusterRoleBinding
name: nginx-ingress-clusterrole-nisa-binding
kind: ClusterRole
kind: Service
spec:
ports:
– port: 80
protocol: TCP
targetPort: 80
selector:
sessionAffinity: None
type: ClusterIP
apiVersion: apps/v1
kind: DaemonSet
name: nginx-ingress-controller
matchLabels:
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
template:
metadata:
labels:
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
annotations:
prometheus.io/port: “10254”
prometheus.io/scrape: “true”
spec:
serviceAccountName: nginx-ingress-serviceaccount
hostNetwork: true
dnsPolicy: ClusterFirstWithHostNet
containers:
– name: nginx-ingress-controller
image: bitnami/nginx-ingress-controller:0.47.0
args:
– /nginx-ingress-controller
– –configmap=$(POD_NAMESPACE)/nginx-configuration
– –tcp-services-configmap=$(POD_NAMESPACE)/tcp-services
– –udp-services-configmap=$(POD_NAMESPACE)/udp-services
– –publish-service=$(POD_NAMESPACE)/ingress-nginx
– –annotations-prefix=nginx.ingress.kubernetes.io
securityContext:
allowPrivilegeEscalation: true
capabilities:
drop:
– ALL
add:
– NET_BIND_SERVICE
# www-data -> 33
runAsUser: 33
env:
– name: POD_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
– name: POD_NAMESPACE
fieldPath: metadata.namespace
ports:
– name: http
containerPort: 80
– name: https
containerPort: 443
livenessProbe:
failureThreshold: 3
httpGet:
path: /healthz
port: 10254
scheme: HTTP
initialDelaySeconds: 10
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 10
readinessProbe: