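# ingress-nginx controller deployment (controller v1.2.0, kube-webhook-certgen v1.1.1)
# for the `ingress-nginx` namespace: RBAC, controller ConfigMaps, the controller
# Deployment/Services, the admission webhook and its certificate Jobs, and a
# Prometheus ServiceMonitor for the controller metrics endpoint.
#
# Review notes are inline as comments next to the setting they concern.
---
apiVersion: v1
kind: Namespace
metadata:
  labels:
    app: ingress-nginx
  name: ingress-nginx
---
apiVersion: v1
# The controller reads Ingress/Service/Secret objects through the API, so it
# needs the projected token; the admission ServiceAccount below relies on the
# cluster default.
automountServiceAccountToken: true
kind: ServiceAccount
metadata:
  labels:
    component: controller
    app: ingress-nginx
  name: ingress-nginx
  namespace: ingress-nginx
---
apiVersion: v1
kind: ServiceAccount
metadata:
  labels:
    component: admission-webhook
    app: ingress-nginx
  name: ingress-nginx-admission
  namespace: ingress-nginx
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  labels:
    component: controller
    app: ingress-nginx
  name: ingress-nginx
  namespace: ingress-nginx
rules:
  - apiGroups:
      - ""
    resources:
      - namespaces
    verbs:
      - get
  - apiGroups:
      - ""
    resources:
      - configmaps
      - pods
      - secrets
      - endpoints
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - ""
    resources:
      - services
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - networking.k8s.io
    resources:
      - ingresses
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - networking.k8s.io
    resources:
      - ingresses/status
    verbs:
      - update
  - apiGroups:
      - networking.k8s.io
    resources:
      - ingressclasses
    verbs:
      - get
      - list
      - watch
  # Leader-election ConfigMaps. Only `ingress-controller-leader-default` is
  # used by the Deployment in this file (`--election-id`); the second name is
  # presumably for another controller instance — confirm it is still needed,
  # otherwise drop it to keep the Role minimal.
  - apiGroups:
      - ""
    resourceNames:
      - ingress-controller-leader-default
      - ingress-controller-leader-itsystem
    resources:
      - configmaps
    verbs:
      - get
      - update
  - apiGroups:
      - ""
    resources:
      - configmaps
    verbs:
      - create
  - apiGroups:
      - ""
    resources:
      - events
    verbs:
      - create
      - patch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  labels:
    component: admission-webhook
    app: ingress-nginx
  name: ingress-nginx-admission
  namespace: ingress-nginx
rules:
  # Needed by the certgen Jobs to create/read the webhook TLS Secret.
  - apiGroups:
      - ""
    resources:
      - secrets
    verbs:
      - get
      - create
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  labels:
    app: ingress-nginx
  name: ingress-nginx
rules:
  # Cluster-wide list/watch on Secrets is what lets the controller serve TLS
  # for Ingresses in any namespace; it also means a compromised controller pod
  # can read every Secret in the cluster. This matches the upstream manifest.
  - apiGroups:
      - ""
    resources:
      - configmaps
      - endpoints
      - nodes
      - pods
      - secrets
      - namespaces
    verbs:
      - list
      - watch
  - apiGroups:
      - ""
    resources:
      - nodes
    verbs:
      - get
  - apiGroups:
      - ""
    resources:
      - services
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - networking.k8s.io
    resources:
      - ingresses
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - ""
    resources:
      - events
    verbs:
      - create
      - patch
  - apiGroups:
      - networking.k8s.io
    resources:
      - ingresses/status
    verbs:
      - update
  - apiGroups:
      - networking.k8s.io
    resources:
      - ingressclasses
    verbs:
      - get
      - list
      - watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  labels:
    component: admission-webhook
    app: ingress-nginx
  name: ingress-nginx-admission
rules:
  # Used by the `patch` Job to inject the CA bundle into the webhook config.
  - apiGroups:
      - admissionregistration.k8s.io
    resources:
      - validatingwebhookconfigurations
    verbs:
      - get
      - update
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  labels:
    component: controller
    app: ingress-nginx
  name: ingress-nginx
  namespace: ingress-nginx
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: ingress-nginx
subjects:
  - kind: ServiceAccount
    name: ingress-nginx
    namespace: ingress-nginx
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  labels:
    component: admission-webhook
    app: ingress-nginx
  name: ingress-nginx-admission
  namespace: ingress-nginx
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: ingress-nginx-admission
subjects:
  - kind: ServiceAccount
    name: ingress-nginx-admission
    namespace: ingress-nginx
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  labels:
    app: ingress-nginx
  name: ingress-nginx
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: ingress-nginx
subjects:
  - kind: ServiceAccount
    name: ingress-nginx
    namespace: ingress-nginx
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  labels:
    component: admission-webhook
    app: ingress-nginx
  name: ingress-nginx-admission
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: ingress-nginx-admission
subjects:
  - kind: ServiceAccount
    name: ingress-nginx-admission
    namespace: ingress-nginx
---
# Extra response headers added to every proxied response (referenced by
# `add-headers` in the controller ConfigMap below).
apiVersion: v1
data:
  Cache-Control: no-cache
kind: ConfigMap
metadata:
  name: custom-headers-default
  namespace: ingress-nginx
---
# Global nginx configuration for the controller (`--configmap` in the
# Deployment). Keys are ingress-nginx ConfigMap options; values are strings.
apiVersion: v1
data:
  add-headers: ingress-nginx/custom-headers-default
  # NOTE(review): enable-real-ip rewrites $remote_addr from X-Forwarded-For,
  # and no `proxy-real-ip-cidr` is set, so the controller default (trust any
  # source) applies. With hostNetwork the controller is reached directly, so a
  # client can present an arbitrary X-Forwarded-For and that value is what
  # access logs and whitelist-source-range annotations see. Set
  # `proxy-real-ip-cidr` to the CIDR of the upstream load balancer(s), or
  # disable this if clients connect directly.
  enable-real-ip: "true"
  error-log-level: notice
  # NOTE(review): HSTS is disabled, so browsers are not told to refuse
  # plaintext for these hosts; re-enable unless there is a known reason.
  hsts: 'false'
  max-worker-connections: '65535'
  # Large request bodies are accepted; this bounds per-request memory/disk use.
  proxy-body-size: 4096M
  proxy-connect-timeout: '3600'
  proxy-read-timeout: '3600'
  proxy-send-timeout: '3600'
  upstream-keepalive-connections: '40000'
  # NOTE(review): this list still allows non-forward-secret AES-CBC/SHA1
  # suites, CAMELLIA and DES-CBC3-SHA (3DES), and the bare `AES` group. It is
  # a legacy-compatibility list; consider the controller default or a
  # Mozilla "intermediate" profile unless those clients are required.
  ssl-ciphers: ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
  # NOTE(review): TLS 1.0 and 1.1 are deprecated (RFC 8996) and fail most
  # compliance baselines; the controller default is TLSv1.2 TLSv1.3. Keep the
  # old versions only if a specific client population still needs them.
  ssl-protocols: TLSv1.2 TLSv1.1 TLSv1
  #use-http2: 'true'
  use-http2: 'false'
  worker-processes: '2'
  # NOTE(review): `2hs` does not look like a valid nginx time value (expected
  # e.g. `2h` or `240s`); confirm the intended timeout — an invalid value can
  # make the generated nginx.conf fail validation.
  worker-shutdown-timeout: 2hs
kind: ConfigMap
metadata:
  name: ingress-nginx-controller-default
  namespace: ingress-nginx
---
# TCP passthrough services (`--tcp-services-configmap`). Each key is the port
# the controller listens on; the value is `namespace/service:port`.
# FIX: the original document repeated `kind:` and `metadata:` after `data:`;
# duplicate mapping keys are rejected by the API server's YAML decoder.
apiVersion: v1
kind: ConfigMap
metadata:
  name: tcp-services
  namespace: ingress-nginx
data:
  # NOTE(review): this exposes a Redis NodePort through the controller on the
  # node network (hostNetwork below). The controller adds no authentication or
  # TLS at this layer; restrict reachability of 6379 with a NetworkPolicy or
  # host firewall if it is not meant to be cluster-external.
  '6379': 'uen/redis-0-nodeport:6379'
---
# UDP passthrough services (`--udp-services-configmap`); same format as above.
apiVersion: v1
kind: ConfigMap
metadata:
  name: udp-services
  namespace: ingress-nginx
data:
  '53': 'kube-system/kube-dns:53'
---
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    component: controller
    app: ingress-nginx-default
  name: ingress-nginx-controller-default
  namespace: ingress-nginx
spec:
  replicas: 1
  minReadySeconds: 0
  revisionHistoryLimit: 10
  selector:
    matchLabels:
      component: controller
      app: ingress-nginx-default
  strategy:
    rollingUpdate:
      maxSurge: 25%
      maxUnavailable: 1
    type: RollingUpdate
  template:
    metadata:
      labels:
        component: controller
        app: ingress-nginx-default
        tier: ingress-nginx
    spec:
      containers:
        - args:
            - /nginx-ingress-controller
            - --election-id=ingress-controller-leader-default
            - --controller-class=k8s.io/ingress-nginx # ingressclass.spec.controller
            - --ingress-class=nginx
            # Also reconciles Ingresses with no ingressClassName set.
            - --watch-ingress-without-class
            - --configmap=$(POD_NAMESPACE)/ingress-nginx-controller-default
            - --tcp-services-configmap=$(POD_NAMESPACE)/tcp-services
            - --udp-services-configmap=$(POD_NAMESPACE)/udp-services
            - --validating-webhook=:8443
            - --validating-webhook-certificate=/usr/local/certificates/cert
            - --validating-webhook-key=/usr/local/certificates/key
            - --default-backend-service=$(POD_NAMESPACE)/nginx-errors
          env:
            - name: POD_NAME
              valueFrom:
                fieldRef:
                  fieldPath: metadata.name
            - name: POD_NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
            - name: LD_PRELOAD
              value: /usr/local/lib/libmimalloc.so
          # Mirror of the upstream controller image; the internal registry
          # alternative is kept commented out below.
          image: registry.cn-hangzhou.aliyuncs.com/zhengyu1992/ingress-nginx-controller:v1.2.0
          #image: harbor.uenpay.com/base/ingress-nginx-controller:v1.2.0
          imagePullPolicy: IfNotPresent
          lifecycle:
            preStop:
              exec:
                command:
                  - /wait-shutdown
          livenessProbe:
            failureThreshold: 5
            httpGet:
              path: /healthz
              port: 10254
              scheme: HTTP
            initialDelaySeconds: 10
            periodSeconds: 10
            successThreshold: 1
            timeoutSeconds: 1
          name: controller
          ports:
            - containerPort: 80
              name: http
              protocol: TCP
            - containerPort: 443
              name: https
              protocol: TCP
            - containerPort: 8443
              name: webhook
              protocol: TCP
          readinessProbe:
            failureThreshold: 3
            httpGet:
              path: /healthz
              port: 10254
              scheme: HTTP
            initialDelaySeconds: 10
            periodSeconds: 10
            successThreshold: 1
            timeoutSeconds: 1
          resources:
            requests:
              cpu: 100m
              memory: 90Mi
          securityContext:
            # Matches the upstream manifest; the controller drops all
            # capabilities and adds back only NET_BIND_SERVICE for ports 80/443.
            allowPrivilegeEscalation: true
            capabilities:
              add:
                - NET_BIND_SERVICE
              drop:
                - ALL
            runAsUser: 101
          volumeMounts:
            - mountPath: /usr/local/certificates/
              name: webhook-cert
              readOnly: true
      dnsPolicy: ClusterFirst
      # NOTE(review): with hostNetwork every listener — 80/443, the admission
      # webhook on 8443, the health/metrics endpoint on 10254 and any
      # tcp/udp-services ports — is bound on the node's interfaces, not just
      # the pod IP. Make sure the node firewall / NetworkPolicy limits 8443
      # and 10254 to the control plane and the monitoring stack.
      hostNetwork: true
      nodeSelector:
        nginx-ingress-controller: "1"
      tolerations:
        - effect: NoSchedule
          key: node.kubernetes.io/unschedulable
        - effect: NoSchedule
          key: node-role.kubernetes.io/master
        - effect: NoSchedule
          key: node-role.kubernetes.io/control-plane
      serviceAccountName: ingress-nginx
      terminationGracePeriodSeconds: 300
      volumes:
        - name: webhook-cert
          secret:
            secretName: ingress-nginx-admission
---
apiVersion: v1
kind: Service
metadata:
  labels:
    component: controller
    app: ingress-nginx-default
  name: ingress-nginx-controller-default
  namespace: ingress-nginx
spec:
  ports:
    - appProtocol: http
      name: http
      port: 80
      protocol: TCP
      targetPort: http
    - appProtocol: https
      name: https
      port: 443
      protocol: TCP
      targetPort: https
  selector:
    component: controller
    app: ingress-nginx-default
  type: ClusterIP
---
apiVersion: networking.k8s.io/v1
kind: IngressClass
metadata:
  labels:
    component: controller
    app: ingress-nginx-default
  annotations:
    ingressclass.kubernetes.io/is-default-class: "true"
  name: nginx # .ingress.spec.ingressClassName
spec:
  controller: k8s.io/ingress-nginx
---
# Service the API server calls for Ingress validation (see the
# ValidatingWebhookConfiguration below).
apiVersion: v1
kind: Service
metadata:
  labels:
    component: controller
    app: ingress-nginx
  name: ingress-nginx-controller-admission
  namespace: ingress-nginx
spec:
  ports:
    - appProtocol: https
      name: https-webhook
      port: 443
      targetPort: webhook
  selector:
    component: controller
    app: ingress-nginx-default
  type: ClusterIP
---
# One-shot Job: generates the webhook serving certificate into the
# `ingress-nginx-admission` Secret.
apiVersion: batch/v1
kind: Job
metadata:
  labels:
    component: admission-webhook
    app: ingress-nginx
  name: ingress-nginx-admission-create
  namespace: ingress-nginx
spec:
  template:
    metadata:
      labels:
        component: admission-webhook
        app: ingress-nginx
      name: ingress-nginx-admission-create
    spec:
      containers:
        - args:
            - create
            - --host=ingress-nginx-controller-admission,ingress-nginx-controller-admission.$(POD_NAMESPACE).svc
            - --namespace=$(POD_NAMESPACE)
            - --secret-name=ingress-nginx-admission
          env:
            - name: POD_NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
          image: registry.cn-hangzhou.aliyuncs.com/zhengyu1992/kube-webhook-certgen:v1.1.1
          #image: harbor.uenpay.com/base/kube-webhook-certgen:v1.1.1
          imagePullPolicy: IfNotPresent
          name: create
          securityContext:
            allowPrivilegeEscalation: false
      nodeSelector:
        kubernetes.io/os: linux
      restartPolicy: OnFailure
      securityContext:
        fsGroup: 2000
        runAsNonRoot: true
        runAsUser: 2000
      serviceAccountName: ingress-nginx-admission
---
# One-shot Job: patches the generated CA bundle into the
# ValidatingWebhookConfiguration so the API server trusts the webhook.
apiVersion: batch/v1
kind: Job
metadata:
  labels:
    component: admission-webhook
    app: ingress-nginx
  name: ingress-nginx-admission-patch
  namespace: ingress-nginx
spec:
  template:
    metadata:
      labels:
        component: admission-webhook
        app: ingress-nginx
      name: ingress-nginx-admission-patch
    spec:
      containers:
        - args:
            - patch
            - --webhook-name=ingress-nginx-admission
            - --namespace=$(POD_NAMESPACE)
            - --patch-mutating=false
            - --secret-name=ingress-nginx-admission
            - --patch-failure-policy=Fail
          env:
            - name: POD_NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
          image: registry.cn-hangzhou.aliyuncs.com/zhengyu1992/kube-webhook-certgen:v1.1.1
          #image: harbor.uenpay.com/base/kube-webhook-certgen:v1.1.1
          imagePullPolicy: IfNotPresent
          name: patch
          securityContext:
            allowPrivilegeEscalation: false
      nodeSelector:
        kubernetes.io/os: linux
      restartPolicy: OnFailure
      securityContext:
        fsGroup: 2000
        runAsNonRoot: true
        runAsUser: 2000
      serviceAccountName: ingress-nginx-admission
---
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
  labels:
    component: admission-webhook
    app: ingress-nginx
  name: ingress-nginx-admission
webhooks:
  - admissionReviewVersions:
      - v1
    clientConfig:
      service:
        name: ingress-nginx-controller-admission
        namespace: ingress-nginx
        path: /networking/v1/ingresses
    # Fail closed: Ingress create/update is rejected while the webhook is
    # unreachable, so the controller must be healthy for Ingress changes.
    failurePolicy: Fail
    matchPolicy: Equivalent
    name: validate.nginx.ingress.kubernetes.io
    rules:
      - apiGroups:
          - networking.k8s.io
        apiVersions:
          - v1
        operations:
          - CREATE
          - UPDATE
        resources:
          - ingresses
    sideEffects: None
---
# Exposes the controller's /metrics endpoint (port 10254, plain HTTP) for
# Prometheus; the port is also the liveness/readiness endpoint above.
apiVersion: v1
kind: Service
metadata:
  name: ingress-nginx-controller-metrics
  namespace: ingress-nginx
  labels:
    app: ingress-nginx-default
    component: controller
    tier: ingress-nginx
spec:
  type: ClusterIP
  ports:
    - name: metrics
      port: 10254
      protocol: TCP
  selector:
    app: ingress-nginx-default
    component: controller
    tier: ingress-nginx
---
# Requires the Prometheus Operator CRDs to be installed.
apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
  name: ingress-nginx-controller-metrics
  namespace: ingress-nginx
spec:
  endpoints:
    - interval: 30s
      port: metrics
  # NOTE(review): the metrics Service above carries no `k8s-app` label, so
  # this jobLabel has nothing to read; either add the label to the Service or
  # drop this key.
  jobLabel: k8s-app
  namespaceSelector:
    matchNames:
      - ingress-nginx
  selector:
    matchLabels:
      app: ingress-nginx-default
      component: controller
      tier: ingress-nginx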