nginx-ingress-controller的日志
    nginx-ingress-controller的日志包括三个部分:

    • controller日志: 输出到stdout,通过启动参数中的–log_dir可已配置输出到文件,重定向到文件后会自动轮转,但不会自动清理
    • accesslog:输出到stdout,通过nginx-configuration中的字段可以配置输出到哪个文件。输出到文件后不会自动轮转或清理
    • errorlog:输出到stderr,配置方式与accesslog类似。

    给controller日志落盘

    • 给nginx-ingress-controller挂一个hostpath: /data/log/nginx/ 映射到容器里的/var/log/nginx/ ,
    • 给nginx-ingress-controller配置log-dir和logtostderr参数,将日志重定向到/var/log/nginx/中。

    controller的日志需要做定时清理。由于controller的日志是通过klog(k8s.io/klog)输出的,会进行日志滚动,所以我们通过脚本定时清理一定时间之前的日志文件即可。
    给nginx日志落盘
    修改configmap: nginx-configuration。配置accesslog和errorlog的输出路径,替换默认的stdout和stderr。输出路径我们可以与controller一致,便于查找。
    accesslog和errorlog都只有一个日志文件,我们可以使用logrotate进行日志轮转,将输出到宿主机上的日志进行轮转和清理。配置如:

    1. $ cat /etc/logrotate.d/nginx.log
    2. /data/log/nginx/access.log {
    3.   su root list
    4.   rotate 7
    5.   daily
    6.   maxsize 50M
    7.   copytruncate
    8.   missingok
    9.   create 0644 www-data root
    10. }

    官方提供的模板中,nginx-ingress-controller默认都是以33这个用户登录启动容器的,因此挂载hostpath路径时存在权限问题。我们需要手动在机器上执行chown -R 33:33 /data/log/nginx.
    自动化
    nginx日志落盘中,第2、3两点均需要人工运维,有什么解决办法吗?
    问题的关键是:有什么办法可以在nginx-ingress-controller容器启动之前加一个hook,将宿主机的指定目录执行chown呢?
    可以用initContainer。initcontainer必须在containers中的容器运行前运行完毕并成功退出。再说第二点,我们注意到nginx-ingress-controller的基础镜像中就自带了logrotate,那么问题就简单了,我们将写好的logrotate配置文件以configmap的形式挂载到容器中就可以了。
    完整的yaml文件如下:

    1. apiVersion: v1
    2. kind: Namespace
    3. metadata:
    4.   name: ingress-nginx
    5.   labels:
    6.     app.kubernetes.io/name: ingress-nginx
    7.     app.kubernetes.io/instance: ingress-nginx
    9. ---
    10. # Source: ingress-nginx/templates/controller-serviceaccount.yaml
    11. apiVersion: v1
    12. kind: ServiceAccount
    13. metadata:
    14.   labels:
    15.     helm.sh/chart: ingress-nginx-2.0.3
    16.     app.kubernetes.io/name: ingress-nginx
    17.     app.kubernetes.io/instance: ingress-nginx
    18.     app.kubernetes.io/version: 0.32.0
    19.     app.kubernetes.io/managed-by: Helm
    20.     app.kubernetes.io/component: controller
    21.   name: ingress-nginx
    22.   namespace: ingress-nginx
    23. ---
    24. # Source: ingress-nginx/templates/controller-configmap.yaml
    25. apiVersion: v1
    26. kind: ConfigMap
    27. metadata:
    28.   labels:
    29.     helm.sh/chart: ingress-nginx-2.0.3
    30.     app.kubernetes.io/name: ingress-nginx
    31.     app.kubernetes.io/instance: ingress-nginx
    32.     app.kubernetes.io/version: 0.32.0
    33.     app.kubernetes.io/managed-by: Helm
    34.     app.kubernetes.io/component: controller
    35.   name: ingress-nginx-controller
    36.   namespace: ingress-nginx
    37. data:
    38.   client_max_body_size: "100m"
    39.   proxy_body_size: "100m"
    40.   access-log-path: /var/log/nginx/access.log
    41.   error-log-path: /var/log/nginx/erroes.log
    42. ---
    43. # 创建一个configmap,配置nginx日志的轮转策略,对应的是nginx日志在容器内的日志文件
    44. apiVersion: v1
    45. data:
    46.  nginx.log: |
    47.   /var/log/nginx/access.log {
    48.     rotate 7 
    49.     daily
    50.     maxsize 200M 
    51.     minsize 10M
    52.     copytruncate
    53.     missingok
    54.     create 0644 root root
    55.   }
    56.   /var/log/nginx/error.log {
    57.     rotate 7 
    58.     daily
    59.     maxsize 200M 
    60.     minsize 10M
    61.     copytruncate
    62.     missingok
    63.     create 0644 root root
    64.   }
    65. kind: ConfigMap
    66. metadata:
    67.   name: nginx-ingress-logrotate
    68.   namespace: ingress-nginx
    69. ---
    70. # Source: ingress-nginx/templates/clusterrole.yaml
    71. apiVersion: rbac.authorization.k8s.io/v1
    72. kind: ClusterRole
    73. metadata:
    74.   labels:
    75.     helm.sh/chart: ingress-nginx-2.0.3
    76.     app.kubernetes.io/name: ingress-nginx
    77.     app.kubernetes.io/instance: ingress-nginx
    78.     app.kubernetes.io/version: 0.32.0
    79.     app.kubernetes.io/managed-by: Helm
    80.   name: ingress-nginx
    81.   namespace: ingress-nginx
    82. rules:
    83.   - apiGroups:
    84.       - ''
    85.     resources:
    86.       - configmaps
    87.       - endpoints
    88.       - nodes
    89.       - pods
    90.       - secrets
    91.     verbs:
    92.       - list
    93.       - watch
    94.   - apiGroups:
    95.       - ''
    96.     resources:
    97.       - nodes
    98.     verbs:
    99.       - get
    100.   - apiGroups:
    101.       - ''
    102.     resources:
    103.       - services
    104.     verbs:
    105.       - get
    106.       - list
    107.       - update
    108.       - watch
    109.   - apiGroups:
    110.       - extensions
    111.       - networking.k8s.io   # k8s 1.14+
    112.     resources:
    113.       - ingresses
    114.     verbs:
    115.       - get
    116.       - list
    117.       - watch
    118.   - apiGroups:
    119.       - ''
    120.     resources:
    121.       - events
    122.     verbs:
    123.       - create
    124.       - patch
    125.   - apiGroups:
    126.       - extensions
    127.       - networking.k8s.io   # k8s 1.14+
    128.     resources:
    129.       - ingresses/status
    130.     verbs:
    131.       - update
    132.   - apiGroups:
    133.       - networking.k8s.io   # k8s 1.14+
    134.     resources:
    135.       - ingressclasses
    136.     verbs:
    137.       - get
    138.       - list
    139.       - watch
    140. ---
    141. # Source: ingress-nginx/templates/clusterrolebinding.yaml
    142. apiVersion: rbac.authorization.k8s.io/v1
    143. kind: ClusterRoleBinding
    144. metadata:
    145.   labels:
    146.     helm.sh/chart: ingress-nginx-2.0.3
    147.     app.kubernetes.io/name: ingress-nginx
    148.     app.kubernetes.io/instance: ingress-nginx
    149.     app.kubernetes.io/version: 0.32.0
    150.     app.kubernetes.io/managed-by: Helm
    151.   name: ingress-nginx
    152.   namespace: ingress-nginx
    153. roleRef:
    154.   apiGroup: rbac.authorization.k8s.io
    155.   kind: ClusterRole
    156.   name: ingress-nginx
    157. subjects:
    158.   - kind: ServiceAccount
    159.     name: ingress-nginx
    160.     namespace: ingress-nginx
    161. ---
    162. # Source: ingress-nginx/templates/controller-role.yaml
    163. apiVersion: rbac.authorization.k8s.io/v1
    164. kind: Role
    165. metadata:
    166.   labels:
    167.     helm.sh/chart: ingress-nginx-2.0.3
    168.     app.kubernetes.io/name: ingress-nginx
    169.     app.kubernetes.io/instance: ingress-nginx
    170.     app.kubernetes.io/version: 0.32.0
    171.     app.kubernetes.io/managed-by: Helm
    172.     app.kubernetes.io/component: controller
    173.   name: ingress-nginx
    174.   namespace: ingress-nginx
    175. rules:
    176.   - apiGroups:
    177.       - ''
    178.     resources:
    179.       - namespaces
    180.     verbs:
    181.       - get
    182.   - apiGroups:
    183.       - ''
    184.     resources:
    185.       - configmaps
    186.       - pods
    187.       - secrets
    188.       - endpoints
    189.     verbs:
    190.       - get
    191.       - list
    192.       - watch
    193.   - apiGroups:
    194.       - ''
    195.     resources:
    196.       - services
    197.     verbs:
    198.       - get
    199.       - list
    200.       - update
    201.       - watch
    202.   - apiGroups:
    203.       - extensions
    204.       - networking.k8s.io   # k8s 1.14+
    205.     resources:
    206.       - ingresses
    207.     verbs:
    208.       - get
    209.       - list
    210.       - watch
    211.   - apiGroups:
    212.       - extensions
    213.       - networking.k8s.io   # k8s 1.14+
    214.     resources:
    215.       - ingresses/status
    216.     verbs:
    217.       - update
    218.   - apiGroups:
    219.       - networking.k8s.io   # k8s 1.14+
    220.     resources:
    221.       - ingressclasses
    222.     verbs:
    223.       - get
    224.       - list
    225.       - watch
    226.   - apiGroups:
    227.       - ''
    228.     resources:
    229.       - configmaps
    230.     resourceNames:
    231.       - ingress-controller-leader-nginx
    232.     verbs:
    233.       - get
    234.       - update
    235.   - apiGroups:
    236.       - ''
    237.     resources:
    238.       - configmaps
    239.     verbs:
    240.       - create
    241.   - apiGroups:
    242.       - ''
    243.     resources:
    244.       - endpoints
    245.     verbs:
    246.       - create
    247.       - get
    248.       - update
    249.   - apiGroups:
    250.       - ''
    251.     resources:
    252.       - events
    253.     verbs:
    254.       - create
    255.       - patch
    256. ---
    257. # Source: ingress-nginx/templates/controller-rolebinding.yaml
    258. apiVersion: rbac.authorization.k8s.io/v1
    259. kind: RoleBinding
    260. metadata:
    261.   labels:
    262.     helm.sh/chart: ingress-nginx-2.0.3
    263.     app.kubernetes.io/name: ingress-nginx
    264.     app.kubernetes.io/instance: ingress-nginx
    265.     app.kubernetes.io/version: 0.32.0
    266.     app.kubernetes.io/managed-by: Helm
    267.     app.kubernetes.io/component: controller
    268.   name: ingress-nginx
    269.   namespace: ingress-nginx
    270. roleRef:
    271.   apiGroup: rbac.authorization.k8s.io
    272.   kind: Role
    273.   name: ingress-nginx
    274. subjects:
    275.   - kind: ServiceAccount
    276.     name: ingress-nginx
    277.     namespace: ingress-nginx
    278. ---
    279. # Source: ingress-nginx/templates/controller-service-webhook.yaml
    280. apiVersion: v1
    281. kind: Service
    282. metadata:
    283.   labels:
    284.     helm.sh/chart: ingress-nginx-2.0.3
    285.     app.kubernetes.io/name: ingress-nginx
    286.     app.kubernetes.io/instance: ingress-nginx
    287.     app.kubernetes.io/version: 0.32.0
    288.     app.kubernetes.io/managed-by: Helm
    289.     app.kubernetes.io/component: controller
    290.   name: ingress-nginx-controller-admission
    291.   namespace: ingress-nginx
    292. spec:
    293.   type: ClusterIP
    294.   ports:
    295.     - name: https-webhook
    296.       port: 443
    297.       targetPort: webhook
    298.   selector:
    299.     app.kubernetes.io/name: ingress-nginx
    300.     app.kubernetes.io/instance: ingress-nginx
    301.     app.kubernetes.io/component: controller
    302. ---
    303. # Source: ingress-nginx/templates/controller-service.yaml
    304. apiVersion: v1
    305. kind: Service
    306. metadata:
    307.   labels:
    308.     helm.sh/chart: ingress-nginx-2.0.3
    309.     app.kubernetes.io/name: ingress-nginx
    310.     app.kubernetes.io/instance: ingress-nginx
    311.     app.kubernetes.io/version: 0.32.0
    312.     app.kubernetes.io/managed-by: Helm
    313.     app.kubernetes.io/component: controller
    314.   name: ingress-nginx-controller
    315.   namespace: ingress-nginx
    316. spec:
    317.   type: LoadBalancer
    318.   externalTrafficPolicy: Local
    319.   ports:
    320.     - name: http
    321.       port: 80
    322.       protocol: TCP
    323.       targetPort: http
    324.     - name: https
    325.       port: 443
    326.       protocol: TCP
    327.       targetPort: https
    328.   selector:
    329.     app.kubernetes.io/name: ingress-nginx
    330.     app.kubernetes.io/instance: ingress-nginx
    331.     app.kubernetes.io/component: controller
    332. ---
    333. # Source: ingress-nginx/templates/controller-deployment.yaml
    334. apiVersion: apps/v1
    335. kind: Deployment
    336. metadata:
    337.   labels:
    338.     helm.sh/chart: ingress-nginx-2.0.3
    339.     app.kubernetes.io/name: ingress-nginx
    340.     app.kubernetes.io/instance: ingress-nginx
    341.     app.kubernetes.io/version: 0.32.0
    342.     app.kubernetes.io/managed-by: Helm
    343.     app.kubernetes.io/component: controller
    344.   name: ingress-nginx-controller
    345.   namespace: ingress-nginx
    346. spec:
    347.   selector:
    348.     matchLabels:
    349.       app.kubernetes.io/name: ingress-nginx
    350.       app.kubernetes.io/instance: ingress-nginx
    351.       app.kubernetes.io/component: controller
    352.   revisionHistoryLimit: 10
    353.   minReadySeconds: 0
    354.   replicas: 1
    355.   template:
    356.     metadata:
    357.       labels:
    358.         app.kubernetes.io/name: ingress-nginx
    359.         app.kubernetes.io/instance: ingress-nginx
    360.         app.kubernetes.io/component: controller
    361.     spec:
    362.       dnsPolicy: ClusterFirst
    363.       hostNetwork: true
    364.       tolerations:
    365.       - operator: "Exists"
    366.       nodeSelector:
    367.         kubernetes.io/hostname: k8s-master-134
    368.       initContainers:
    369.       - name: adddirperm
    370.         image: busybox
    371.         command:
    372.         - /bin/sh
    373.         - -c
    374.         - chown -R ${USER_ID}:${USER_ID} ${LOG_DIR} 
    375.         env:
    376.         - name: LOG_DIR
    377.           value: /var/log/nginx
    378.         - name: USER_ID
    379.           value: "101"
    380.         volumeMounts:
    381.         - name: logdir
    382.           mountPath: /var/log/nginx
    383.       containers:
    384.         - name: controller
    385.           image: quay.io/kubernetes-ingress-controller/nginx-ingress-controller:0.32.0
    386.           imagePullPolicy: IfNotPresent
    387.           lifecycle:
    388.             preStop:
    389.               exec:
    390.                 command:
    391.                   - /wait-shutdown
    392.           args:
    393.             - /nginx-ingress-controller
    394.             - --publish-service=ingress-nginx/ingress-nginx-controller
    395.             - --election-id=ingress-controller-leader
    396.             - --ingress-class=nginx
    397.             - --configmap=ingress-nginx/ingress-nginx-controller
    398.             - --validating-webhook=:8443
    399.             - --validating-webhook-certificate=/usr/local/certificates/cert
    400.             - --validating-webhook-key=/usr/local/certificates/key
    401.             - --log_dir=/var/log/nginx
    402.             - --logtostderr=false
    403.           securityContext:
    404.             capabilities:
    405.               drop:
    406.                 - ALL
    407.               add:
    408.                 - NET_BIND_SERVICE
    409.             runAsUser: 101
    410.             allowPrivilegeEscalation: true
    411.           env:
    412.             - name: POD_NAME
    413.               valueFrom:
    414.                 fieldRef:
    415.                   fieldPath: metadata.name
    416.             - name: POD_NAMESPACE
    417.               valueFrom:
    418.                 fieldRef:
    419.                   fieldPath: metadata.namespace
    420.           livenessProbe:
    421.             httpGet:
    422.               path: /healthz
    423.               port: 10254
    424.               scheme: HTTP
    425.             initialDelaySeconds: 10
    426.             periodSeconds: 10
    427.             timeoutSeconds: 1
    428.             successThreshold: 1
    429.             failureThreshold: 3
    430.           readinessProbe:
    431.             httpGet:
    432.               path: /healthz
    433.               port: 10254
    434.               scheme: HTTP
    435.             initialDelaySeconds: 10
    436.             periodSeconds: 10
    437.             timeoutSeconds: 1
    438.             successThreshold: 1
    439.             failureThreshold: 3
    440.           ports:
    441.             - name: http
    442.               containerPort: 80
    443.               protocol: TCP
    444.             - name: https
    445.               containerPort: 443
    446.               protocol: TCP
    447.             - name: webhook
    448.               containerPort: 8443
    449.               protocol: TCP
    450.           volumeMounts:
    451.             - name: webhook-cert
    452.               mountPath: /usr/local/certificates/
    453.               readOnly: true
    454.             - name: logdir
    455.               mountPath: /var/log/nginx
    456.             - name: logrotateconf
    457.               mountPath: /etc/logrotate.d/nginx.log
    458.               subPath: nginx.log
    459.           resources:
    460.             requests:
    461.               cpu: 100m
    462.               memory: 90Mi
    463.       serviceAccountName: ingress-nginx
    464.       terminationGracePeriodSeconds: 300
    465.       volumes:
    466.         - name: webhook-cert
    467.           secret:
    468.             secretName: ingress-nginx-admission
    469.         - name: logdir
    470.           hostPath:
    471.             path: /var/log/nginx
    472.             type: DirectoryOrCreate
    473.         - name: logrotateconf
    474.           configMap:
    475.             name: nginx-ingress-logrotate
    476.             items:
    477.             - key: nginx.log
    478.               path: nginx.log
    479. ---
    480. # Source: ingress-nginx/templates/admission-webhooks/validating-webhook.yaml
    481. apiVersion: admissionregistration.k8s.io/v1beta1
    482. kind: ValidatingWebhookConfiguration
    483. metadata:
    484.   labels:
    485.     helm.sh/chart: ingress-nginx-2.0.3
    486.     app.kubernetes.io/name: ingress-nginx
    487.     app.kubernetes.io/instance: ingress-nginx
    488.     app.kubernetes.io/version: 0.32.0
    489.     app.kubernetes.io/managed-by: Helm
    490.     app.kubernetes.io/component: admission-webhook
    491.   name: ingress-nginx-admission
    492.   namespace: ingress-nginx
    493. webhooks:
    494.   - name: validate.nginx.ingress.kubernetes.io
    495.     rules:
    496.       - apiGroups:
    497.           - extensions
    498.           - networking.k8s.io
    499.         apiVersions:
    500.           - v1beta1
    501.         operations:
    502.           - CREATE
    503.           - UPDATE
    504.         resources:
    505.           - ingresses
    506.     failurePolicy: Fail
    507.     clientConfig:
    508.       service:
    509.         namespace: ingress-nginx
    510.         name: ingress-nginx-controller-admission
    511.         path: /extensions/v1beta1/ingresses
    512. ---
    513. # Source: ingress-nginx/templates/admission-webhooks/job-patch/clusterrole.yaml
    514. apiVersion: rbac.authorization.k8s.io/v1
    515. kind: ClusterRole
    516. metadata:
    517.   name: ingress-nginx-admission
    518.   annotations:
    519.     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
    520.     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
    521.   labels:
    522.     helm.sh/chart: ingress-nginx-2.0.3
    523.     app.kubernetes.io/name: ingress-nginx
    524.     app.kubernetes.io/instance: ingress-nginx
    525.     app.kubernetes.io/version: 0.32.0
    526.     app.kubernetes.io/managed-by: Helm
    527.     app.kubernetes.io/component: admission-webhook
    528.   namespace: ingress-nginx
    529. rules:
    530.   - apiGroups:
    531.       - admissionregistration.k8s.io
    532.     resources:
    533.       - validatingwebhookconfigurations
    534.     verbs:
    535.       - get
    536.       - update
    537. ---
    538. # Source: ingress-nginx/templates/admission-webhooks/job-patch/clusterrolebinding.yaml
    539. apiVersion: rbac.authorization.k8s.io/v1
    540. kind: ClusterRoleBinding
    541. metadata:
    542.   name: ingress-nginx-admission
    543.   annotations:
    544.     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
    545.     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
    546.   labels:
    547.     helm.sh/chart: ingress-nginx-2.0.3
    548.     app.kubernetes.io/name: ingress-nginx
    549.     app.kubernetes.io/instance: ingress-nginx
    550.     app.kubernetes.io/version: 0.32.0
    551.     app.kubernetes.io/managed-by: Helm
    552.     app.kubernetes.io/component: admission-webhook
    553.   namespace: ingress-nginx
    554. roleRef:
    555.   apiGroup: rbac.authorization.k8s.io
    556.   kind: ClusterRole
    557.   name: ingress-nginx-admission
    558. subjects:
    559.   - kind: ServiceAccount
    560.     name: ingress-nginx-admission
    561.     namespace: ingress-nginx
    562. ---
    563. # Source: ingress-nginx/templates/admission-webhooks/job-patch/job-createSecret.yaml
    564. apiVersion: batch/v1
    565. kind: Job
    566. metadata:
    567.   name: ingress-nginx-admission-create
    568.   annotations:
    569.     helm.sh/hook: pre-install,pre-upgrade
    570.     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
    571.   labels:
    572.     helm.sh/chart: ingress-nginx-2.0.3
    573.     app.kubernetes.io/name: ingress-nginx
    574.     app.kubernetes.io/instance: ingress-nginx
    575.     app.kubernetes.io/version: 0.32.0
    576.     app.kubernetes.io/managed-by: Helm
    577.     app.kubernetes.io/component: admission-webhook
    578.   namespace: ingress-nginx
    579. spec:
    580.   template:
    581.     metadata:
    582.       name: ingress-nginx-admission-create
    583.       labels:
    584.         helm.sh/chart: ingress-nginx-2.0.3
    585.         app.kubernetes.io/name: ingress-nginx
    586.         app.kubernetes.io/instance: ingress-nginx
    587.         app.kubernetes.io/version: 0.32.0
    588.         app.kubernetes.io/managed-by: Helm
    589.         app.kubernetes.io/component: admission-webhook
    590.     spec:
    591.       containers:
    592.         - name: create
    593.           image: jettech/kube-webhook-certgen:v1.2.0
    594.           imagePullPolicy: IfNotPresent
    595.           args:
    596.             - create
    597.             - --host=ingress-nginx-controller-admission,ingress-nginx-controller-admission.ingress-nginx.svc
    598.             - --namespace=ingress-nginx
    599.             - --secret-name=ingress-nginx-admission
    600.       restartPolicy: OnFailure
    601.       serviceAccountName: ingress-nginx-admission
    602.       securityContext:
    603.         runAsNonRoot: true
    604.         runAsUser: 2000
    605. ---
    606. # Source: ingress-nginx/templates/admission-webhooks/job-patch/job-patchWebhook.yaml
    607. apiVersion: batch/v1
    608. kind: Job
    609. metadata:
    610.   name: ingress-nginx-admission-patch
    611.   annotations:
    612.     helm.sh/hook: post-install,post-upgrade
    613.     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
    614.   labels:
    615.     helm.sh/chart: ingress-nginx-2.0.3
    616.     app.kubernetes.io/name: ingress-nginx
    617.     app.kubernetes.io/instance: ingress-nginx
    618.     app.kubernetes.io/version: 0.32.0
    619.     app.kubernetes.io/managed-by: Helm
    620.     app.kubernetes.io/component: admission-webhook
    621.   namespace: ingress-nginx
    622. spec:
    623.   template:
    624.     metadata:
    625.       name: ingress-nginx-admission-patch
    626.       labels:
    627.         helm.sh/chart: ingress-nginx-2.0.3
    628.         app.kubernetes.io/name: ingress-nginx
    629.         app.kubernetes.io/instance: ingress-nginx
    630.         app.kubernetes.io/version: 0.32.0
    631.         app.kubernetes.io/managed-by: Helm
    632.         app.kubernetes.io/component: admission-webhook
    633.     spec:
    634.       containers:
    635.         - name: patch
    636.           image: jettech/kube-webhook-certgen:v1.2.0
    637.           imagePullPolicy:
    638.           args:
    639.             - patch
    640.             - --webhook-name=ingress-nginx-admission
    641.             - --namespace=ingress-nginx
    642.             - --patch-mutating=false
    643.             - --secret-name=ingress-nginx-admission
    644.             - --patch-failure-policy=Fail
    645.       restartPolicy: OnFailure
    646.       serviceAccountName: ingress-nginx-admission
    647.       securityContext:
    648.         runAsNonRoot: true
    649.         runAsUser: 2000
    650. ---
    651. # Source: ingress-nginx/templates/admission-webhooks/job-patch/role.yaml
    652. apiVersion: rbac.authorization.k8s.io/v1
    653. kind: Role
    654. metadata:
    655.   name: ingress-nginx-admission
    656.   annotations:
    657.     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
    658.     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
    659.   labels:
    660.     helm.sh/chart: ingress-nginx-2.0.3
    661.     app.kubernetes.io/name: ingress-nginx
    662.     app.kubernetes.io/instance: ingress-nginx
    663.     app.kubernetes.io/version: 0.32.0
    664.     app.kubernetes.io/managed-by: Helm
    665.     app.kubernetes.io/component: admission-webhook
    666.   namespace: ingress-nginx
    667. rules:
    668.   - apiGroups:
    669.       - ''
    670.     resources:
    671.       - secrets
    672.     verbs:
    673.       - get
    674.       - create
    675. ---
    676. # Source: ingress-nginx/templates/admission-webhooks/job-patch/rolebinding.yaml
    677. apiVersion: rbac.authorization.k8s.io/v1
    678. kind: RoleBinding
    679. metadata:
    680.   name: ingress-nginx-admission
    681.   annotations:
    682.     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
    683.     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
    684.   labels:
    685.     helm.sh/chart: ingress-nginx-2.0.3
    686.     app.kubernetes.io/name: ingress-nginx
    687.     app.kubernetes.io/instance: ingress-nginx
    688.     app.kubernetes.io/version: 0.32.0
    689.     app.kubernetes.io/managed-by: Helm
    690.     app.kubernetes.io/component: admission-webhook
    691.   namespace: ingress-nginx
    692. roleRef:
    693.   apiGroup: rbac.authorization.k8s.io
    694.   kind: Role
    695.   name: ingress-nginx-admission
    696. subjects:
    697.   - kind: ServiceAccount
    698.     name: ingress-nginx-admission
    699.     namespace: ingress-nginx
    700. ---
    701. # Source: ingress-nginx/templates/admission-webhooks/job-patch/serviceaccount.yaml
    702. apiVersion: v1
    703. kind: ServiceAccount
    704. metadata:
    705.   name: ingress-nginx-admission
    706.   annotations:
    707.     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
    708.     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
    709.   labels:
    710.     helm.sh/chart: ingress-nginx-2.0.3
    711.     app.kubernetes.io/name: ingress-nginx
    712.     app.kubernetes.io/instance: ingress-nginx
    713.     app.kubernetes.io/version: 0.32.0
    714.     app.kubernetes.io/managed-by: Helm
    715.     app.kubernetes.io/component: admission-webhook
    716.   namespace: ingress-nginx

    https://www.jb51.net/article/183828.htm