Ingress控制器

Ingress是Service的Service,而Ingress控制器是用来创建Ingress的Pod。注意Ingress控制器本身也是Pod。Ingress控制器仅仅是K8s提供的规范,微服务最常使用的就是基于nginx实现的Ingress-nginx控制器。

安装Ingress-nginx控制器

下载这个文件:https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v0.47.0/deploy/static/provider/baremetal/deploy.yaml
对其进行改造:
1、增加Node标签选择器
2、镜像改为国内镜像
3、nodeport的http端口设置为40001
4、nodeport的https端口设置为40002

  2. apiVersion: v1
  3. kind: Namespace
  4. metadata:
  5.   name: ingress-nginx
  6.   labels:
  7.     app.kubernetes.io/name: ingress-nginx
  8.     app.kubernetes.io/instance: ingress-nginx
  10. ---
  11. # Source: ingress-nginx/templates/controller-serviceaccount.yaml
  12. apiVersion: v1
  13. kind: ServiceAccount
  14. metadata:
  15.   labels:
  16.     helm.sh/chart: ingress-nginx-3.33.0
  17.     app.kubernetes.io/name: ingress-nginx
  18.     app.kubernetes.io/instance: ingress-nginx
  19.     app.kubernetes.io/version: 0.47.0
  20.     app.kubernetes.io/managed-by: Helm
  21.     app.kubernetes.io/component: controller
  22.   name: ingress-nginx
  23.   namespace: ingress-nginx
  24. automountServiceAccountToken: true
  25. ---
  26. # Source: ingress-nginx/templates/controller-configmap.yaml
  27. apiVersion: v1
  28. kind: ConfigMap
  29. metadata:
  30.   labels:
  31.     helm.sh/chart: ingress-nginx-3.33.0
  32.     app.kubernetes.io/name: ingress-nginx
  33.     app.kubernetes.io/instance: ingress-nginx
  34.     app.kubernetes.io/version: 0.47.0
  35.     app.kubernetes.io/managed-by: Helm
  36.     app.kubernetes.io/component: controller
  37.   name: ingress-nginx-controller
  38.   namespace: ingress-nginx
  39. data:
  40. ---
  41. # Source: ingress-nginx/templates/clusterrole.yaml
  42. apiVersion: rbac.authorization.k8s.io/v1
  43. kind: ClusterRole
  44. metadata:
  45.   labels:
  46.     helm.sh/chart: ingress-nginx-3.33.0
  47.     app.kubernetes.io/name: ingress-nginx
  48.     app.kubernetes.io/instance: ingress-nginx
  49.     app.kubernetes.io/version: 0.47.0
  50.     app.kubernetes.io/managed-by: Helm
  51.   name: ingress-nginx
  52. rules:
  53.   - apiGroups:
  54.       - ''
  55.     resources:
  56.       - configmaps
  57.       - endpoints
  58.       - nodes
  59.       - pods
  60.       - secrets
  61.     verbs:
  62.       - list
  63.       - watch
  64.   - apiGroups:
  65.       - ''
  66.     resources:
  67.       - nodes
  68.     verbs:
  69.       - get
  70.   - apiGroups:
  71.       - ''
  72.     resources:
  73.       - services
  74.     verbs:
  75.       - get
  76.       - list
  77.       - watch
  78.   - apiGroups:
  79.       - extensions
  80.       - networking.k8s.io   # k8s 1.14+
  81.     resources:
  82.       - ingresses
  83.     verbs:
  84.       - get
  85.       - list
  86.       - watch
  87.   - apiGroups:
  88.       - ''
  89.     resources:
  90.       - events
  91.     verbs:
  92.       - create
  93.       - patch
  94.   - apiGroups:
  95.       - extensions
  96.       - networking.k8s.io   # k8s 1.14+
  97.     resources:
  98.       - ingresses/status
  99.     verbs:
  100.       - update
  101.   - apiGroups:
  102.       - networking.k8s.io   # k8s 1.14+
  103.     resources:
  104.       - ingressclasses
  105.     verbs:
  106.       - get
  107.       - list
  108.       - watch
  109. ---
  110. # Source: ingress-nginx/templates/clusterrolebinding.yaml
  111. apiVersion: rbac.authorization.k8s.io/v1
  112. kind: ClusterRoleBinding
  113. metadata:
  114.   labels:
  115.     helm.sh/chart: ingress-nginx-3.33.0
  116.     app.kubernetes.io/name: ingress-nginx
  117.     app.kubernetes.io/instance: ingress-nginx
  118.     app.kubernetes.io/version: 0.47.0
  119.     app.kubernetes.io/managed-by: Helm
  120.   name: ingress-nginx
  121. roleRef:
  122.   apiGroup: rbac.authorization.k8s.io
  123.   kind: ClusterRole
  124.   name: ingress-nginx
  125. subjects:
  126.   - kind: ServiceAccount
  127.     name: ingress-nginx
  128.     namespace: ingress-nginx
  129. ---
  130. # Source: ingress-nginx/templates/controller-role.yaml
  131. apiVersion: rbac.authorization.k8s.io/v1
  132. kind: Role
  133. metadata:
  134.   labels:
  135.     helm.sh/chart: ingress-nginx-3.33.0
  136.     app.kubernetes.io/name: ingress-nginx
  137.     app.kubernetes.io/instance: ingress-nginx
  138.     app.kubernetes.io/version: 0.47.0
  139.     app.kubernetes.io/managed-by: Helm
  140.     app.kubernetes.io/component: controller
  141.   name: ingress-nginx
  142.   namespace: ingress-nginx
  143. rules:
  144.   - apiGroups:
  145.       - ''
  146.     resources:
  147.       - namespaces
  148.     verbs:
  149.       - get
  150.   - apiGroups:
  151.       - ''
  152.     resources:
  153.       - configmaps
  154.       - pods
  155.       - secrets
  156.       - endpoints
  157.     verbs:
  158.       - get
  159.       - list
  160.       - watch
  161.   - apiGroups:
  162.       - ''
  163.     resources:
  164.       - services
  165.     verbs:
  166.       - get
  167.       - list
  168.       - watch
  169.   - apiGroups:
  170.       - extensions
  171.       - networking.k8s.io   # k8s 1.14+
  172.     resources:
  173.       - ingresses
  174.     verbs:
  175.       - get
  176.       - list
  177.       - watch
  178.   - apiGroups:
  179.       - extensions
  180.       - networking.k8s.io   # k8s 1.14+
  181.     resources:
  182.       - ingresses/status
  183.     verbs:
  184.       - update
  185.   - apiGroups:
  186.       - networking.k8s.io   # k8s 1.14+
  187.     resources:
  188.       - ingressclasses
  189.     verbs:
  190.       - get
  191.       - list
  192.       - watch
  193.   - apiGroups:
  194.       - ''
  195.     resources:
  196.       - configmaps
  197.     resourceNames:
  198.       - ingress-controller-leader-nginx
  199.     verbs:
  200.       - get
  201.       - update
  202.   - apiGroups:
  203.       - ''
  204.     resources:
  205.       - configmaps
  206.     verbs:
  207.       - create
  208.   - apiGroups:
  209.       - ''
  210.     resources:
  211.       - events
  212.     verbs:
  213.       - create
  214.       - patch
  215. ---
  216. # Source: ingress-nginx/templates/controller-rolebinding.yaml
  217. apiVersion: rbac.authorization.k8s.io/v1
  218. kind: RoleBinding
  219. metadata:
  220.   labels:
  221.     helm.sh/chart: ingress-nginx-3.33.0
  222.     app.kubernetes.io/name: ingress-nginx
  223.     app.kubernetes.io/instance: ingress-nginx
  224.     app.kubernetes.io/version: 0.47.0
  225.     app.kubernetes.io/managed-by: Helm
  226.     app.kubernetes.io/component: controller
  227.   name: ingress-nginx
  228.   namespace: ingress-nginx
  229. roleRef:
  230.   apiGroup: rbac.authorization.k8s.io
  231.   kind: Role
  232.   name: ingress-nginx
  233. subjects:
  234.   - kind: ServiceAccount
  235.     name: ingress-nginx
  236.     namespace: ingress-nginx
  237. ---
  238. # Source: ingress-nginx/templates/controller-service-webhook.yaml
  239. apiVersion: v1
  240. kind: Service
  241. metadata:
  242.   labels:
  243.     helm.sh/chart: ingress-nginx-3.33.0
  244.     app.kubernetes.io/name: ingress-nginx
  245.     app.kubernetes.io/instance: ingress-nginx
  246.     app.kubernetes.io/version: 0.47.0
  247.     app.kubernetes.io/managed-by: Helm
  248.     app.kubernetes.io/component: controller
  249.   name: ingress-nginx-controller-admission
  250.   namespace: ingress-nginx
  251. spec:
  252.   type: ClusterIP
  253.   ports:
  254.     - name: https-webhook
  255.       port: 443
  256.       targetPort: webhook
  257.   selector:
  258.     app.kubernetes.io/name: ingress-nginx
  259.     app.kubernetes.io/instance: ingress-nginx
  260.     app.kubernetes.io/component: controller
  261. ---
  262. # Source: ingress-nginx/templates/controller-service.yaml
  263. apiVersion: v1
  264. kind: Service
  265. metadata:
  266.   annotations:
  267.   labels:
  268.     helm.sh/chart: ingress-nginx-3.33.0
  269.     app.kubernetes.io/name: ingress-nginx
  270.     app.kubernetes.io/instance: ingress-nginx
  271.     app.kubernetes.io/version: 0.47.0
  272.     app.kubernetes.io/managed-by: Helm
  273.     app.kubernetes.io/component: controller
  274.   name: ingress-nginx-controller
  275.   namespace: ingress-nginx
  276. spec:
  277.   type: NodePort
  278.   ports:
  279.     - name: http
  280.       port: 80
  281.       protocol: TCP
  282.       targetPort: http
  283.       nodePort: 40001
  284.     - name: https
  285.       port: 443
  286.       protocol: TCP
  287.       targetPort: https
  288.       nodePort: 40002
  289.   selector:
  290.     app.kubernetes.io/name: ingress-nginx
  291.     app.kubernetes.io/instance: ingress-nginx
  292.     app.kubernetes.io/component: controller
  293. ---
  294. # Source: ingress-nginx/templates/controller-deployment.yaml
  295. apiVersion: apps/v1
  296. kind: Deployment
  297. metadata:
  298.   labels:
  299.     helm.sh/chart: ingress-nginx-3.33.0
  300.     app.kubernetes.io/name: ingress-nginx
  301.     app.kubernetes.io/instance: ingress-nginx
  302.     app.kubernetes.io/version: 0.47.0
  303.     app.kubernetes.io/managed-by: Helm
  304.     app.kubernetes.io/component: controller
  305.   name: ingress-nginx-controller
  306.   namespace: ingress-nginx
  307. spec:
  308.   selector:
  309.     matchLabels:
  310.       app.kubernetes.io/name: ingress-nginx
  311.       app.kubernetes.io/instance: ingress-nginx
  312.       app.kubernetes.io/component: controller
  313.   revisionHistoryLimit: 10
  314.   minReadySeconds: 0
  315.   template:
  316.     metadata:
  317.       labels:
  318.         app.kubernetes.io/name: ingress-nginx
  319.         app.kubernetes.io/instance: ingress-nginx
  320.         app.kubernetes.io/component: controller
  321.     spec:
  322.       dnsPolicy: ClusterFirst
  323.       containers:
  324.         - name: controller
  325.           image: k8s.gcr.io/ingress-nginx/controller:v0.46.0@sha256:52f0058bed0a17ab0fb35628ba97e8d52b5d32299fbc03cc0f6c7b9ff036b61a
  326.           imagePullPolicy: IfNotPresent
  327.           lifecycle:
  328.             preStop:
  329.               exec:
  330.                 command:
  331.                   - /wait-shutdown
  332.           args:
  333.             - /nginx-ingress-controller
  334.             - --election-id=ingress-controller-leader
  335.             - --ingress-class=nginx
  336.             - --configmap=$(POD_NAMESPACE)/ingress-nginx-controller
  337.             - --validating-webhook=:8443
  338.             - --validating-webhook-certificate=/usr/local/certificates/cert
  339.             - --validating-webhook-key=/usr/local/certificates/key
  340.           securityContext:
  341.             capabilities:
  342.               drop:
  343.                 - ALL
  344.               add:
  345.                 - NET_BIND_SERVICE
  346.             runAsUser: 101
  347.             allowPrivilegeEscalation: true
  348.           env:
  349.             - name: POD_NAME
  350.               valueFrom:
  351.                 fieldRef:
  352.                   fieldPath: metadata.name
  353.             - name: POD_NAMESPACE
  354.               valueFrom:
  355.                 fieldRef:
  356.                   fieldPath: metadata.namespace
  357.             - name: LD_PRELOAD
  358.               value: /usr/local/lib/libmimalloc.so
  359.           livenessProbe:
  360.             failureThreshold: 5
  361.             httpGet:
  362.               path: /healthz
  363.               port: 10254
  364.               scheme: HTTP
  365.             initialDelaySeconds: 10
  366.             periodSeconds: 10
  367.             successThreshold: 1
  368.             timeoutSeconds: 1
  369.           readinessProbe:
  370.             failureThreshold: 3
  371.             httpGet:
  372.               path: /healthz
  373.               port: 10254
  374.               scheme: HTTP
  375.             initialDelaySeconds: 10
  376.             periodSeconds: 10
  377.             successThreshold: 1
  378.             timeoutSeconds: 1
  379.           ports:
  380.             - name: http
  381.               containerPort: 80
  382.               protocol: TCP
  383.             - name: https
  384.               containerPort: 443
  385.               protocol: TCP
  386.             - name: webhook
  387.               containerPort: 8443
  388.               protocol: TCP
  389.           volumeMounts:
  390.             - name: webhook-cert
  391.               mountPath: /usr/local/certificates/
  392.               readOnly: true
  393.           resources:
  394.             requests:
  395.               cpu: 100m
  396.               memory: 90Mi
  397.       nodeSelector:
  398.         kubernetes.io/os: linux
  399.         node-role.kubernetes.io/ingress: true
  400.       serviceAccountName: ingress-nginx
  401.       terminationGracePeriodSeconds: 300
  402.       volumes:
  403.         - name: webhook-cert
  404.           secret:
  405.             secretName: ingress-nginx-admission
  406. ---
  407. # Source: ingress-nginx/templates/admission-webhooks/validating-webhook.yaml
  408. # before changing this value, check the required kubernetes version
  409. # https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#prerequisites
  410. apiVersion: admissionregistration.k8s.io/v1
  411. kind: ValidatingWebhookConfiguration
  412. metadata:
  413.   labels:
  414.     helm.sh/chart: ingress-nginx-3.33.0
  415.     app.kubernetes.io/name: ingress-nginx
  416.     app.kubernetes.io/instance: ingress-nginx
  417.     app.kubernetes.io/version: 0.47.0
  418.     app.kubernetes.io/managed-by: Helm
  419.     app.kubernetes.io/component: admission-webhook
  420.   name: ingress-nginx-admission
  421. webhooks:
  422.   - name: validate.nginx.ingress.kubernetes.io
  423.     matchPolicy: Equivalent
  424.     rules:
  425.       - apiGroups:
  426.           - networking.k8s.io
  427.         apiVersions:
  428.           - v1beta1
  429.         operations:
  430.           - CREATE
  431.           - UPDATE
  432.         resources:
  433.           - ingresses
  434.     failurePolicy: Fail
  435.     sideEffects: None
  436.     admissionReviewVersions:
  437.       - v1
  438.       - v1beta1
  439.     clientConfig:
  440.       service:
  441.         namespace: ingress-nginx
  442.         name: ingress-nginx-controller-admission
  443.         path: /networking/v1beta1/ingresses
  444. ---
  445. # Source: ingress-nginx/templates/admission-webhooks/job-patch/serviceaccount.yaml
  446. apiVersion: v1
  447. kind: ServiceAccount
  448. metadata:
  449.   name: ingress-nginx-admission
  450.   annotations:
  451.     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
  452.     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
  453.   labels:
  454.     helm.sh/chart: ingress-nginx-3.33.0
  455.     app.kubernetes.io/name: ingress-nginx
  456.     app.kubernetes.io/instance: ingress-nginx
  457.     app.kubernetes.io/version: 0.47.0
  458.     app.kubernetes.io/managed-by: Helm
  459.     app.kubernetes.io/component: admission-webhook
  460.   namespace: ingress-nginx
  461. ---
  462. # Source: ingress-nginx/templates/admission-webhooks/job-patch/clusterrole.yaml
  463. apiVersion: rbac.authorization.k8s.io/v1
  464. kind: ClusterRole
  465. metadata:
  466.   name: ingress-nginx-admission
  467.   annotations:
  468.     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
  469.     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
  470.   labels:
  471.     helm.sh/chart: ingress-nginx-3.33.0
  472.     app.kubernetes.io/name: ingress-nginx
  473.     app.kubernetes.io/instance: ingress-nginx
  474.     app.kubernetes.io/version: 0.47.0
  475.     app.kubernetes.io/managed-by: Helm
  476.     app.kubernetes.io/component: admission-webhook
  477. rules:
  478.   - apiGroups:
  479.       - admissionregistration.k8s.io
  480.     resources:
  481.       - validatingwebhookconfigurations
  482.     verbs:
  483.       - get
  484.       - update
  485. ---
  486. # Source: ingress-nginx/templates/admission-webhooks/job-patch/clusterrolebinding.yaml
  487. apiVersion: rbac.authorization.k8s.io/v1
  488. kind: ClusterRoleBinding
  489. metadata:
  490.   name: ingress-nginx-admission
  491.   annotations:
  492.     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
  493.     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
  494.   labels:
  495.     helm.sh/chart: ingress-nginx-3.33.0
  496.     app.kubernetes.io/name: ingress-nginx
  497.     app.kubernetes.io/instance: ingress-nginx
  498.     app.kubernetes.io/version: 0.47.0
  499.     app.kubernetes.io/managed-by: Helm
  500.     app.kubernetes.io/component: admission-webhook
  501. roleRef:
  502.   apiGroup: rbac.authorization.k8s.io
  503.   kind: ClusterRole
  504.   name: ingress-nginx-admission
  505. subjects:
  506.   - kind: ServiceAccount
  507.     name: ingress-nginx-admission
  508.     namespace: ingress-nginx
  509. ---
  510. # Source: ingress-nginx/templates/admission-webhooks/job-patch/role.yaml
  511. apiVersion: rbac.authorization.k8s.io/v1
  512. kind: Role
  513. metadata:
  514.   name: ingress-nginx-admission
  515.   annotations:
  516.     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
  517.     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
  518.   labels:
  519.     helm.sh/chart: ingress-nginx-3.33.0
  520.     app.kubernetes.io/name: ingress-nginx
  521.     app.kubernetes.io/instance: ingress-nginx
  522.     app.kubernetes.io/version: 0.47.0
  523.     app.kubernetes.io/managed-by: Helm
  524.     app.kubernetes.io/component: admission-webhook
  525.   namespace: ingress-nginx
  526. rules:
  527.   - apiGroups:
  528.       - ''
  529.     resources:
  530.       - secrets
  531.     verbs:
  532.       - get
  533.       - create
  534. ---
  535. # Source: ingress-nginx/templates/admission-webhooks/job-patch/rolebinding.yaml
  536. apiVersion: rbac.authorization.k8s.io/v1
  537. kind: RoleBinding
  538. metadata:
  539.   name: ingress-nginx-admission
  540.   annotations:
  541.     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
  542.     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
  543.   labels:
  544.     helm.sh/chart: ingress-nginx-3.33.0
  545.     app.kubernetes.io/name: ingress-nginx
  546.     app.kubernetes.io/instance: ingress-nginx
  547.     app.kubernetes.io/version: 0.47.0
  548.     app.kubernetes.io/managed-by: Helm
  549.     app.kubernetes.io/component: admission-webhook
  550.   namespace: ingress-nginx
  551. roleRef:
  552.   apiGroup: rbac.authorization.k8s.io
  553.   kind: Role
  554.   name: ingress-nginx-admission
  555. subjects:
  556.   - kind: ServiceAccount
  557.     name: ingress-nginx-admission
  558.     namespace: ingress-nginx
  559. ---
  560. # Source: ingress-nginx/templates/admission-webhooks/job-patch/job-createSecret.yaml
  561. apiVersion: batch/v1
  562. kind: Job
  563. metadata:
  564.   name: ingress-nginx-admission-create
  565.   annotations:
  566.     helm.sh/hook: pre-install,pre-upgrade
  567.     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
  568.   labels:
  569.     helm.sh/chart: ingress-nginx-3.33.0
  570.     app.kubernetes.io/name: ingress-nginx
  571.     app.kubernetes.io/instance: ingress-nginx
  572.     app.kubernetes.io/version: 0.47.0
  573.     app.kubernetes.io/managed-by: Helm
  574.     app.kubernetes.io/component: admission-webhook
  575.   namespace: ingress-nginx
  576. spec:
  577.   template:
  578.     metadata:
  579.       name: ingress-nginx-admission-create
  580.       labels:
  581.         helm.sh/chart: ingress-nginx-3.33.0
  582.         app.kubernetes.io/name: ingress-nginx
  583.         app.kubernetes.io/instance: ingress-nginx
  584.         app.kubernetes.io/version: 0.47.0
  585.         app.kubernetes.io/managed-by: Helm
  586.         app.kubernetes.io/component: admission-webhook
  587.     spec:
  588.       containers:
  589.         - name: create
  590.           image: docker.io/jettech/kube-webhook-certgen:v1.5.1
  591.           imagePullPolicy: IfNotPresent
  592.           args:
  593.             - create
  594.             - --host=ingress-nginx-controller-admission,ingress-nginx-controller-admission.$(POD_NAMESPACE).svc
  595.             - --namespace=$(POD_NAMESPACE)
  596.             - --secret-name=ingress-nginx-admission
  597.           env:
  598.             - name: POD_NAMESPACE
  599.               valueFrom:
  600.                 fieldRef:
  601.                   fieldPath: metadata.namespace
  602.       restartPolicy: OnFailure
  603.       serviceAccountName: ingress-nginx-admission
  604.       securityContext:
  605.         runAsNonRoot: true
  606.         runAsUser: 2000
  607. ---
  608. # Source: ingress-nginx/templates/admission-webhooks/job-patch/job-patchWebhook.yaml
  609. apiVersion: batch/v1
  610. kind: Job
  611. metadata:
  612.   name: ingress-nginx-admission-patch
  613.   annotations:
  614.     helm.sh/hook: post-install,post-upgrade
  615.     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
  616.   labels:
  617.     helm.sh/chart: ingress-nginx-3.33.0
  618.     app.kubernetes.io/name: ingress-nginx
  619.     app.kubernetes.io/instance: ingress-nginx
  620.     app.kubernetes.io/version: 0.47.0
  621.     app.kubernetes.io/managed-by: Helm
  622.     app.kubernetes.io/component: admission-webhook
  623.   namespace: ingress-nginx
  624. spec:
  625.   template:
  626.     metadata:
  627.       name: ingress-nginx-admission-patch
  628.       labels:
  629.         helm.sh/chart: ingress-nginx-3.33.0
  630.         app.kubernetes.io/name: ingress-nginx
  631.         app.kubernetes.io/instance: ingress-nginx
  632.         app.kubernetes.io/version: 0.47.0
  633.         app.kubernetes.io/managed-by: Helm
  634.         app.kubernetes.io/component: admission-webhook
  635.     spec:
  636.       containers:
  637.         - name: patch
  638.           image: docker.io/jettech/kube-webhook-certgen:v1.5.1
  639.           imagePullPolicy: IfNotPresent
  640.           args:
  641.             - patch
  642.             - --webhook-name=ingress-nginx-admission
  643.             - --namespace=$(POD_NAMESPACE)
  644.             - --patch-mutating=false
  645.             - --secret-name=ingress-nginx-admission
  646.             - --patch-failure-policy=Fail
  647.           env:
  648.             - name: POD_NAMESPACE
  649.               valueFrom:
  650.                 fieldRef:
  651.                   fieldPath: metadata.namespace
  652.       restartPolicy: OnFailure
  653.       serviceAccountName: ingress-nginx-admission
  654.       securityContext:
  655.         runAsNonRoot: true
  656.         runAsUser: 2000