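├── ingress-controller-service.yaml
└── deploy.yaml


/ingress-controller-service.yaml:
--------------------------------------------------------------------------------
# This is an ingress controller Service exposed as a LoadBalancer (LB) Service.
# More info - https://www.nginx.com/resources/glossary/reverse-proxy-vs-load-balancer/
#
# NOTE(review): this selector requires the label app.kubernetes.io/part-of, but
# the controller pod template in deploy.yaml only sets component, instance and
# name. Applied next to that Deployment, this Service selects no pods. deploy.yaml
# also already defines a LoadBalancer Service (ingress-nginx-controller) for
# ports 80/443. Apply only one of the two, or align this selector with the pod
# labels, so that no unused public load balancer is provisioned.
apiVersion: v1
kind: Service
metadata:
  name: ingress-nginx
  namespace: ingress-nginx
  labels:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
spec:
  type: LoadBalancer
  selector:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
  ports:
    - name: http
      port: 80
      targetPort: http
    - name: https
      port: 443
      targetPort: https

--------------------------------------------------------------------------------
/deploy.yaml:
--------------------------------------------------------------------------------
apiVersion: v1
kind: Namespace
metadata:
  labels:
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
  name: ingress-nginx
---
# Service account used by the controller Deployment (serviceAccountName below).
# The token is mounted because the controller talks to the Kubernetes API.
apiVersion: v1
automountServiceAccountToken: true
kind: ServiceAccount
metadata:
  labels:
    app.kubernetes.io/component: controller
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
    app.kubernetes.io/version: 1.3.0
  name: ingress-nginx
  namespace: ingress-nginx
---
# Service account used by the two admission-webhook certificate Jobs.
apiVersion: v1
kind: ServiceAccount
metadata:
  labels:
    app.kubernetes.io/component: admission-webhook
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
    app.kubernetes.io/version: 1.3.0
  name: ingress-nginx-admission
  namespace: ingress-nginx
---
# Namespaced permissions for the controller inside the ingress-nginx namespace,
# including the leader-election ConfigMap/Lease named ingress-controller-leader.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  labels:
    app.kubernetes.io/component: controller
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
    app.kubernetes.io/version: 1.3.0
  name: ingress-nginx
  namespace: ingress-nginx
rules:
- apiGroups:
  - ""
  resources:
  - namespaces
  verbs:
  - get
- apiGroups:
  - ""
  resources:
  - configmaps
  - pods
  - secrets
  - endpoints
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - services
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - networking.k8s.io
  resources:
  - ingresses
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - networking.k8s.io
  resources:
  - ingresses/status
  verbs:
  - update
- apiGroups:
  - networking.k8s.io
  resources:
  - ingressclasses
  verbs:
  - get
  - list
  - watch
# get/update is limited to the leader-election object by resourceNames.
# The create rules that follow cannot be limited the same way, so the
# controller may create any ConfigMap or Lease in this namespace.
- apiGroups:
  - ""
  resourceNames:
  - ingress-controller-leader
  resources:
  - configmaps
  verbs:
  - get
  - update
- apiGroups:
  - ""
  resources:
  - configmaps
  verbs:
  - create
- apiGroups:
  - coordination.k8s.io
  resourceNames:
  - ingress-controller-leader
  resources:
  - leases
  verbs:
  - get
  - update
- apiGroups:
  - coordination.k8s.io
  resources:
  - leases
  verbs:
  - create
- apiGroups:
  - ""
  resources:
  - events
  verbs:
  - create
  - patch
---
# Namespaced permissions for the certificate Jobs: read/create Secrets in the
# ingress-nginx namespace (the Jobs are pointed at the secret ingress-nginx-admission).
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  labels:
    app.kubernetes.io/component: admission-webhook
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
    app.kubernetes.io/version: 1.3.0
  name: ingress-nginx-admission
  namespace: ingress-nginx
rules:
- apiGroups:
  - ""
  resources:
  - secrets
  verbs:
  - get
  - create
---
# Cluster-wide permissions for the controller.
# NOTE(review): the first rule grants list/watch on Secrets in EVERY namespace.
# Anything that can influence the controller's configuration therefore sits
# next to all cluster secrets (see allow-snippet-annotations in the ConfigMap).
# If the controller only serves selected namespaces, consider scoping it with
# the --watch-namespace flag and a namespaced Role instead - verify against
# the controller documentation for this version.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  labels:
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
    app.kubernetes.io/version: 1.3.0
  name: ingress-nginx
rules:
- apiGroups:
  - ""
  resources:
  - configmaps
  - endpoints
  - nodes
  - pods
  - secrets
  - namespaces
  verbs:
  - list
  - watch
- apiGroups:
  - coordination.k8s.io
  resources:
  - leases
  verbs:
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - nodes
  verbs:
  - get
- apiGroups:
  - ""
  resources:
  - services
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - networking.k8s.io
  resources:
  - ingresses
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - events
  verbs:
  - create
  - patch
- apiGroups:
  - networking.k8s.io
  resources:
  - ingresses/status
  verbs:
  - update
- apiGroups:
  - networking.k8s.io
  resources:
  - ingressclasses
  verbs:
  - get
  - list
  - watch
---
# Cluster-wide permissions for the certificate Jobs.
# NOTE(review): get/update applies to every ValidatingWebhookConfiguration in
# the cluster. The patch Job below only names ingress-nginx-admission, so a
# resourceNames restriction to that object looks possible - test before adopting.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  labels:
    app.kubernetes.io/component: admission-webhook
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
    app.kubernetes.io/version: 1.3.0
  name: ingress-nginx-admission
rules:
- apiGroups:
  - admissionregistration.k8s.io
  resources:
  - validatingwebhookconfigurations
  verbs:
  - get
  - update
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  labels:
    app.kubernetes.io/component: controller
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
    app.kubernetes.io/version: 1.3.0
  name: ingress-nginx
  namespace: ingress-nginx
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: ingress-nginx
subjects:
- kind: ServiceAccount
  name: ingress-nginx
  namespace: ingress-nginx
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  labels:
    app.kubernetes.io/component: admission-webhook
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
    app.kubernetes.io/version: 1.3.0
  name: ingress-nginx-admission
  namespace: ingress-nginx
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: ingress-nginx-admission
subjects:
- kind: ServiceAccount
  name: ingress-nginx-admission
  namespace: ingress-nginx
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  labels:
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
    app.kubernetes.io/version: 1.3.0
  name: ingress-nginx
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: ingress-nginx
subjects:
- kind: ServiceAccount
  name: ingress-nginx
  namespace: ingress-nginx
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  labels:
    app.kubernetes.io/component: admission-webhook
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
    app.kubernetes.io/version: 1.3.0
  name: ingress-nginx-admission
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: ingress-nginx-admission
subjects:
- kind: ServiceAccount
  name: ingress-nginx-admission
  namespace: ingress-nginx
---
# Controller configuration, passed to the controller via --configmap below.
apiVersion: v1
data:
  # Hardening (was "true"): snippet annotations let anyone who may create or
  # update an Ingress put raw NGINX configuration into the controller. The
  # controller's ClusterRole in this file can list/watch Secrets in every
  # namespace, so that would hand Ingress authors the controller's reach.
  # Set back to "true" only if every Ingress author is trusted as much as the
  # controller itself. Ingresses that carry *-snippet annotations are expected
  # to be refused while this is "false" - check existing Ingresses before rollout.
  allow-snippet-annotations: "false"
kind: ConfigMap
metadata:
  labels:
    app.kubernetes.io/component: controller
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
    app.kubernetes.io/version: 1.3.0
  name: ingress-nginx-controller
  namespace: ingress-nginx
---
# Public entry point: LoadBalancer Service for ports 80/443 on the controller pods.
apiVersion: v1
kind: Service
metadata:
  labels:
    app.kubernetes.io/component: controller
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
    app.kubernetes.io/version: 1.3.0
  name: ingress-nginx-controller
  namespace: ingress-nginx
spec:
  externalTrafficPolicy: Local
  ports:
  - appProtocol: http
    name: http
    port: 80
    protocol: TCP
    targetPort: http
  - appProtocol: https
    name: https
    port: 443
    protocol: TCP
    targetPort: https
  selector:
    app.kubernetes.io/component: controller
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
  type: LoadBalancer
---
# Cluster-internal Service for the validating webhook (container port "webhook", 8443).
# NOTE(review): no NetworkPolicy is defined in this file; whether other pods can
# reach this endpoint depends on cluster policy that is not visible here.
apiVersion: v1
kind: Service
metadata:
  labels:
    app.kubernetes.io/component: controller
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
    app.kubernetes.io/version: 1.3.0
  name: ingress-nginx-controller-admission
  namespace: ingress-nginx
spec:
  ports:
  - appProtocol: https
    name: https-webhook
    port: 443
    targetPort: webhook
  selector:
    app.kubernetes.io/component: controller
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
  type: ClusterIP
---
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app.kubernetes.io/component: controller
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
    app.kubernetes.io/version: 1.3.0
  name: ingress-nginx-controller
  namespace: ingress-nginx
spec:
  minReadySeconds: 0
  revisionHistoryLimit: 10
  selector:
    matchLabels:
      app.kubernetes.io/component: controller
      app.kubernetes.io/instance: ingress-nginx
      app.kubernetes.io/name: ingress-nginx
  template:
    metadata:
      labels:
        app.kubernetes.io/component: controller
        app.kubernetes.io/instance: ingress-nginx
        app.kubernetes.io/name: ingress-nginx
    spec:
      containers:
      - args:
        - /nginx-ingress-controller
        - --publish-service=$(POD_NAMESPACE)/ingress-nginx-controller
        - --election-id=ingress-controller-leader
        - --controller-class=k8s.io/ingress-nginx
        - --ingress-class=nginx
        - --configmap=$(POD_NAMESPACE)/ingress-nginx-controller
        - --validating-webhook=:8443
        - --validating-webhook-certificate=/usr/local/certificates/cert
        - --validating-webhook-key=/usr/local/certificates/key
        env:
        - name: POD_NAME
          valueFrom:
            fieldRef:
              fieldPath: metadata.name
        - name: POD_NAMESPACE
          valueFrom:
            fieldRef:
              fieldPath: metadata.namespace
        - name: LD_PRELOAD
          value: /usr/local/lib/libmimalloc.so
        # NOTE(review): tag-only reference to a registry mirror, combined with
        # IfNotPresent. A re-pushed tag can change what runs, and nodes may keep
        # running a stale copy. Pin by digest, e.g.
        #   image: iad.ocir.io/ocuocictrng5/ingress-controller:v1.3.0@sha256:<digest>
        # where <digest> is taken from the mirrored image after verifying it
        # against the upstream release.
        image: iad.ocir.io/ocuocictrng5/ingress-controller:v1.3.0
        imagePullPolicy: IfNotPresent
        lifecycle:
          preStop:
            exec:
              command:
              - /wait-shutdown
        livenessProbe:
          failureThreshold: 5
          httpGet:
            path: /healthz
            port: 10254
            scheme: HTTP
          initialDelaySeconds: 10
          periodSeconds: 10
          successThreshold: 1
          timeoutSeconds: 1
        name: controller
        ports:
        - containerPort: 80
          name: http
          protocol: TCP
        - containerPort: 443
          name: https
          protocol: TCP
        - containerPort: 8443
          name: webhook
          protocol: TCP
        readinessProbe:
          failureThreshold: 3
          httpGet:
            path: /healthz
            port: 10254
            scheme: HTTP
          initialDelaySeconds: 10
          periodSeconds: 10
          successThreshold: 1
          timeoutSeconds: 1
        # NOTE(review): only requests are set; without limits a misbehaving
        # controller can consume node resources unbounded.
        resources:
          requests:
            cpu: 100m
            memory: 90Mi
        securityContext:
          # NOTE(review): deliberately left true. The container runs as uid 101
          # and listens on 80/443; presumably the binary gains NET_BIND_SERVICE
          # through file capabilities, which no_new_privs would block. Verify
          # against the image before changing this to false.
          allowPrivilegeEscalation: true
          capabilities:
            add:
            - NET_BIND_SERVICE
            drop:
            - ALL
          # Added: makes the kubelet refuse to start the container as uid 0
          # should runAsUser ever be removed or overridden.
          runAsNonRoot: true
          runAsUser: 101
        volumeMounts:
        - mountPath: /usr/local/certificates/
          name: webhook-cert
          readOnly: true
      dnsPolicy: ClusterFirst
      nodeSelector:
        kubernetes.io/os: linux
      serviceAccountName: ingress-nginx
      terminationGracePeriodSeconds: 300
      volumes:
      # Webhook TLS key pair, read from the secret that the admission-create
      # Job is told to write (--secret-name=ingress-nginx-admission).
      - name: webhook-cert
        secret:
          secretName: ingress-nginx-admission
---
# Job 1 of 2: runs the certgen image with "create" for the webhook Service host
# names and the secret name ingress-nginx-admission.
apiVersion: batch/v1
kind: Job
metadata:
  labels:
    app.kubernetes.io/component: admission-webhook
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
    app.kubernetes.io/version: 1.3.0
  name: ingress-nginx-admission-create
  namespace: ingress-nginx
spec:
  template:
    metadata:
      labels:
        app.kubernetes.io/component: admission-webhook
        app.kubernetes.io/instance: ingress-nginx
        app.kubernetes.io/name: ingress-nginx
        app.kubernetes.io/part-of: ingress-nginx
        app.kubernetes.io/version: 1.3.0
      name: ingress-nginx-admission-create
    spec:
      containers:
      - args:
        - create
        - --host=ingress-nginx-controller-admission,ingress-nginx-controller-admission.$(POD_NAMESPACE).svc
        - --namespace=$(POD_NAMESPACE)
        - --secret-name=ingress-nginx-admission
        env:
        - name: POD_NAMESPACE
          valueFrom:
            fieldRef:
              fieldPath: metadata.namespace
        # NOTE(review): tag-only image reference; pin by digest as for the controller
        # (…/kube-webhook-certgen:v1.1.1@sha256:<digest>).
        image: iad.ocir.io/ocuocictrng5/kube-webhook-certgen:v1.1.1
        imagePullPolicy: IfNotPresent
        name: create
        # NOTE(review): capabilities are not dropped here; dropping ALL looks
        # safe for a job that only talks to the API server - confirm with a test run.
        securityContext:
          allowPrivilegeEscalation: false
      nodeSelector:
        kubernetes.io/os: linux
      restartPolicy: OnFailure
      securityContext:
        fsGroup: 2000
        runAsNonRoot: true
        runAsUser: 2000
      serviceAccountName: ingress-nginx-admission
---
# Job 2 of 2: runs the certgen image with "patch" against the
# ValidatingWebhookConfiguration named ingress-nginx-admission.
apiVersion: batch/v1
kind: Job
metadata:
  labels:
    app.kubernetes.io/component: admission-webhook
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
    app.kubernetes.io/version: 1.3.0
  name: ingress-nginx-admission-patch
  namespace: ingress-nginx
spec:
  template:
    metadata:
      labels:
        app.kubernetes.io/component: admission-webhook
        app.kubernetes.io/instance: ingress-nginx
        app.kubernetes.io/name: ingress-nginx
        app.kubernetes.io/part-of: ingress-nginx
        app.kubernetes.io/version: 1.3.0
      name: ingress-nginx-admission-patch
    spec:
      containers:
      - args:
        - patch
        - --webhook-name=ingress-nginx-admission
        - --namespace=$(POD_NAMESPACE)
        - --patch-mutating=false
        - --secret-name=ingress-nginx-admission
        - --patch-failure-policy=Fail
        env:
        - name: POD_NAMESPACE
          valueFrom:
            fieldRef:
              fieldPath: metadata.namespace
        # NOTE(review): tag-only image reference; pin by digest as for the controller.
        image: iad.ocir.io/ocuocictrng5/kube-webhook-certgen:v1.1.1
        imagePullPolicy: IfNotPresent
        name: patch
        securityContext:
          allowPrivilegeEscalation: false
      nodeSelector:
        kubernetes.io/os: linux
      restartPolicy: OnFailure
      securityContext:
        fsGroup: 2000
        runAsNonRoot: true
        runAsUser: 2000
      serviceAccountName: ingress-nginx-admission
---
apiVersion: networking.k8s.io/v1
kind: IngressClass
metadata:
  labels:
    app.kubernetes.io/component: controller
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
    app.kubernetes.io/version: 1.3.0
  name: nginx
spec:
  controller: k8s.io/ingress-nginx
---
# Sends Ingress CREATE/UPDATE requests to the controller's webhook Service for validation.
# failurePolicy: Fail means Ingress changes are rejected whenever the webhook
# cannot be reached, so controller availability gates Ingress writes.
# No caBundle is set in clientConfig here; presumably the
# ingress-nginx-admission-patch Job fills it in - confirm after deployment.
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
  labels:
    app.kubernetes.io/component: admission-webhook
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
    app.kubernetes.io/version: 1.3.0
  name: ingress-nginx-admission
webhooks:
- admissionReviewVersions:
  - v1
  clientConfig:
    service:
      name: ingress-nginx-controller-admission
      namespace: ingress-nginx
      path: /networking/v1/ingresses
  failurePolicy: Fail
  matchPolicy: Equivalent
  name: validate.nginx.ingress.kubernetes.io
  rules:
  - apiGroups:
    - networking.k8s.io
    apiVersions:
    - v1
    operations:
    - CREATE
    - UPDATE
    resources:
    - ingresses
  sideEffects: None
--------------------------------------------------------------------------------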