6.0 思维导图

画板

6.1 Service

1、Service和Pod通过标签关联

6、k8s网络 - 图2

2、service通过IPtables或IPvs提供负载

ClusterIP

默认,分配一个稳定的IP地址,即VIP,只能集群内部访问

NodePort

每个节点上启用一个相同的port来暴露服务,可以在集群外部访问,也会分配一个稳定的集群内部IP地址(可定义的)

默认端口范围:30000~32767

LoadBalance

基于云平台(利用云平台的负载均衡器进行负载均衡),类似NodePort,每个节点启用一个port暴露服务

6.2 Service代理模式

6、k8s网络 - 图3

流量包流程:客户端 —-> NodePort/ClusterIP(iptables/IPvs) —-> 一组Pod

Iptables

  • 灵活、功能强大
  • 规则臃肿,遍历匹配和更新,呈线性时延
  • 极限情况下会存在规则丢失,不易排查和处理

IPvs

  • 工作在内核态,性能好
  • 调度算法丰富:rr、wrr、lc(最小连接数)、wlc(加权最小连接数)、ip hash

6.3 Service CoreDNS

k8s默认采用的DNS服务,以Pod部署在集群中,CoreDNS监视k8s集群的API,为每个service创建DNS记录,用于域名解析

ClusterIPA记录格式:..svc.cluster.local

6.4 Ingress

6、k8s网络 - 图4

  • 公开了从集群外部到集群内服务的HTTP和HTTPS路由的规则集合,而具体实现流量路 由则是由Ingress Controller负责
  • Ingress:K8s中的一个抽象资源,给管理员 提供一个暴露应用的入口定义方法
  • Ingress Controller:根据Ingress生成具体 的路由规则,并对Pod负载均衡器

https://github.com/kubernetes/ingress-nginx

6、k8s网络 - 图5

Ingress控制器部署(0.30.0)-ingress-controller.yaml

  1. apiVersion: v1
  2. kind: Namespace
  3. metadata:
  4.   name: ingress-nginx
  5.   labels:
  6.     app.kubernetes.io/name: ingress-nginx
  7.     app.kubernetes.io/part-of: ingress-nginx
  8. ---
  9. kind: ConfigMap
  10. apiVersion: v1
  11. metadata:
  12.   name: nginx-configuration
  13.   namespace: ingress-nginx
  14.   labels:
  15.     app.kubernetes.io/name: ingress-nginx
  16.     app.kubernetes.io/part-of: ingress-nginx
  17. ---
  18. kind: ConfigMap
  19. apiVersion: v1
  20. metadata:
  21.   name: tcp-services
  22.   namespace: ingress-nginx
  23.   labels:
  24.     app.kubernetes.io/name: ingress-nginx
  25.     app.kubernetes.io/part-of: ingress-nginx
  27. ---
  28. kind: ConfigMap
  29. apiVersion: v1
  30. metadata:
  31.   name: udp-services
  32.   namespace: ingress-nginx
  33.   labels:
  34.     app.kubernetes.io/name: ingress-nginx
  35.     app.kubernetes.io/part-of: ingress-nginx
  37. ---
  38. apiVersion: v1
  39. kind: ServiceAccount
  40. metadata:
  41.   name: nginx-ingress-serviceaccount
  42.   namespace: ingress-nginx
  43.   labels:
  44.     app.kubernetes.io/name: ingress-nginx
  45.     app.kubernetes.io/part-of: ingress-nginx
  46. ---
  47. #apiVersion: rbac.authorization.k8s.io/v1beta1 # 高版本已被弃用
  48. apiVersion: rbac.authorization.k8s.io/v1
  49. kind: ClusterRole
  50. metadata:
  51.   name: nginx-ingress-clusterrole
  52.   labels:
  53.     app.kubernetes.io/name: ingress-nginx
  54.     app.kubernetes.io/part-of: ingress-nginx
  55. rules:
  56.   - apiGroups:
  57.       - ""
  58.     resources:
  59.       - configmaps
  60.       - endpoints
  61.       - nodes
  62.       - pods
  63.       - secrets
  64.     verbs:
  65.       - list
  66.       - watch
  67.   - apiGroups:
  68.       - ""
  69.     resources:
  70.       - nodes
  71.     verbs:
  72.       - get
  73.   - apiGroups:
  74.       - ""
  75.     resources:
  76.       - services
  77.     verbs:
  78.       - get
  79.       - list
  80.       - watch
  81.   - apiGroups:
  82.       - ""
  83.     resources:
  84.       - events
  85.     verbs:
  86.       - create
  87.       - patch
  88.   - apiGroups:
  89.       - "extensions"
  90.       - "networking.k8s.io"
  91.     resources:
  92.       - ingresses
  93.     verbs:
  94.       - get
  95.       - list
  96.       - watch
  97.   - apiGroups:
  98.       - "extensions"
  99.       - "networking.k8s.io"
  100.     resources:
  101.       - ingresses/status
  102.     verbs:
  103.       - update
  104. ---
  105. apiVersion: rbac.authorization.k8s.io/v1
  106. # apiVersion: rbac.authorization.k8s.io/v1beta1 # 高版本已被弃用
  107. kind: Role
  108. metadata:
  109.   name: nginx-ingress-role
  110.   namespace: ingress-nginx
  111.   labels:
  112.     app.kubernetes.io/name: ingress-nginx
  113.     app.kubernetes.io/part-of: ingress-nginx
  114. rules:
  115.   - apiGroups:
  116.       - ""
  117.     resources:
  118.       - configmaps
  119.       - pods
  120.       - secrets
  121.       - namespaces
  122.     verbs:
  123.       - get
  124.   - apiGroups:
  125.       - ""
  126.     resources:
  127.       - configmaps
  128.     resourceNames:
  129.       # Defaults to "<election-id>-<ingress-class>"
  130.       # Here: "<ingress-controller-leader>-<nginx>"
  131.       # This has to be adapted if you change either parameter
  132.       # when launching the nginx-ingress-controller.
  133.       - "ingress-controller-leader-nginx"
  134.     verbs:
  135.       - get
  136.       - update
  137.   - apiGroups:
  138.       - ""
  139.     resources:
  140.       - configmaps
  141.     verbs:
  142.       - create
  143.   - apiGroups:
  144.       - ""
  145.     resources:
  146.       - endpoints
  147.     verbs:
  148.       - get
  149. ---
  150. apiVersion: rbac.authorization.k8s.io/v1
  151. # apiVersion: rbac.authorization.k8s.io/v1beta1
  152. kind: RoleBinding
  153. metadata:
  154.   name: nginx-ingress-role-nisa-binding
  155.   namespace: ingress-nginx
  156.   labels:
  157.     app.kubernetes.io/name: ingress-nginx
  158.     app.kubernetes.io/part-of: ingress-nginx
  159. roleRef:
  160.   apiGroup: rbac.authorization.k8s.io
  161.   kind: Role
  162.   name: nginx-ingress-role
  163. subjects:
  164.   - kind: ServiceAccount
  165.     name: nginx-ingress-serviceaccount
  166.     namespace: ingress-nginx
  167. ---
  168. apiVersion: rbac.authorization.k8s.io/v1
  169. # apiVersion: rbac.authorization.k8s.io/v1beta1
  170. kind: ClusterRoleBinding
  171. metadata:
  172.   name: nginx-ingress-clusterrole-nisa-binding
  173.   labels:
  174.     app.kubernetes.io/name: ingress-nginx
  175.     app.kubernetes.io/part-of: ingress-nginx
  176. roleRef:
  177.   apiGroup: rbac.authorization.k8s.io
  178.   kind: ClusterRole
  179.   name: nginx-ingress-clusterrole
  180. subjects:
  181.   - kind: ServiceAccount
  182.     name: nginx-ingress-serviceaccount
  183.     namespace: ingress-nginx
  184. ---
  185. apiVersion: apps/v1
  186. kind: DaemonSet
  187. metadata:
  188.   name: nginx-ingress-controller
  189.   namespace: ingress-nginx
  190.   labels:
  191.     app.kubernetes.io/name: ingress-nginx
  192.     app.kubernetes.io/part-of: ingress-nginx
  193. spec:
  194.   selector:
  195.     matchLabels:
  196.       app.kubernetes.io/name: ingress-nginx
  197.       app.kubernetes.io/part-of: ingress-nginx
  198.   template:
  199.     metadata:
  200.       labels:
  201.         app.kubernetes.io/name: ingress-nginx
  202.         app.kubernetes.io/part-of: ingress-nginx
  203.       annotations:
  204.         prometheus.io/port: "10254"
  205.         prometheus.io/scrape: "true"
  206.     spec:
  207.       hostNetwork: true
  208.       # wait up to five minutes for the drain of connections
  209.       terminationGracePeriodSeconds: 300
  210.       serviceAccountName: nginx-ingress-serviceaccount
  211.       nodeSelector:
  212.         kubernetes.io/os: linux
  213.       containers:
  214.         - name: nginx-ingress-controller
  215.           image: geray/nginx-ingress-controller:0.30.0
  216.           args:
  217.             - /nginx-ingress-controller
  218.             - --configmap=$(POD_NAMESPACE)/nginx-configuration
  219.             - --tcp-services-configmap=$(POD_NAMESPACE)/tcp-services
  220.             - --udp-services-configmap=$(POD_NAMESPACE)/udp-services
  221.             - --publish-service=$(POD_NAMESPACE)/ingress-nginx
  222.             - --annotations-prefix=nginx.ingress.kubernetes.io
  223.           securityContext:
  224.             allowPrivilegeEscalation: true
  225.             capabilities:
  226.               drop:
  227.                 - ALL
  228.               add:
  229.                 - NET_BIND_SERVICE
  230.             # www-data -> 101
  231.             runAsUser: 101
  232.           env:
  233.             - name: POD_NAME
  234.               valueFrom:
  235.                 fieldRef:
  236.                   fieldPath: metadata.name
  237.             - name: POD_NAMESPACE
  238.               valueFrom:
  239.                 fieldRef:
  240.                   fieldPath: metadata.namespace
  241.           ports:
  242.             - name: http
  243.               containerPort: 80
  244.               protocol: TCP
  245.             - name: https
  246.               containerPort: 443
  247.               protocol: TCP
  248.           livenessProbe:
  249.             failureThreshold: 3
  250.             httpGet:
  251.               path: /healthz
  252.               port: 10254
  253.               scheme: HTTP
  254.             initialDelaySeconds: 10
  255.             periodSeconds: 10
  256.             successThreshold: 1
  257.             timeoutSeconds: 10
  258.           readinessProbe:
  259.             failureThreshold: 3
  260.             httpGet:
  261.               path: /healthz
  262.               port: 10254
  263.               scheme: HTTP
  264.             periodSeconds: 10
  265.             successThreshold: 1
  266.             timeoutSeconds: 10
  267.           lifecycle:
  268.             preStop:
  269.               exec:
  270.                 command:
  271.                   - /wait-shutdown
  272. ---
  273. apiVersion: v1
  274. kind: LimitRange
  275. metadata:
  276.   name: ingress-nginx
  277.   namespace: ingress-nginx
  278.   labels:
  279.     app.kubernetes.io/name: ingress-nginx
  280.     app.kubernetes.io/part-of: ingress-nginx
  281. spec:
  282.   limits:
  283.   - min:
  284.       memory: 90Mi
  285.       cpu: 100m
  286.     type: Container

1.0.0

Kubernetes-v1.22+ 需要使用 ingress-nginx>=1.0,因为 networking.k8s.io/v1beta 已经移除

作者:cnsre运维博客
链接:https://www.imooc.com/article/320464
来源:慕课网 
  1. curl https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.0.0/deploy/static/provider/baremetal/deploy.yaml > deploy.yaml 
  3. sed -i 's@k8s.gcr.io/ingress-nginx/controller:v1.0.0\(.*\)@willdockerhub/ingress-nginx-controller:v1.0.0@' deploy.yaml
  5. sed -i 's@k8s.gcr.io/ingress-nginx/kube-webhook-certgen:v1.0\(.*\)$@hzde0128/kube-webhook-certgen:v1.0@' deploy.yaml
  7. kubectl apply -f ingress-nginx.yaml
  • geray/kube-webhook-certgen:v1.0
  • geray/ingress-nginx-controller:v1.0.0
  1. apiVersion: v1
  2. kind: Namespace
  3. metadata:
  4.   name: ingress-nginx
  5.   labels:
  6.     app.kubernetes.io/name: ingress-nginx
  7.     app.kubernetes.io/instance: ingress-nginx
  9. ---
  10. # Source: ingress-nginx/templates/controller-serviceaccount.yaml
  11. apiVersion: v1
  12. kind: ServiceAccount
  13. metadata:
  14.   labels:
  15.     helm.sh/chart: ingress-nginx-4.0.1
  16.     app.kubernetes.io/name: ingress-nginx
  17.     app.kubernetes.io/instance: ingress-nginx
  18.     app.kubernetes.io/version: 1.0.0
  19.     app.kubernetes.io/managed-by: Helm
  20.     app.kubernetes.io/component: controller
  21.   name: ingress-nginx
  22.   namespace: ingress-nginx
  23. automountServiceAccountToken: true
  24. ---
  25. # Source: ingress-nginx/templates/controller-configmap.yaml
  26. apiVersion: v1
  27. kind: ConfigMap
  28. metadata:
  29.   labels:
  30.     helm.sh/chart: ingress-nginx-4.0.1
  31.     app.kubernetes.io/name: ingress-nginx
  32.     app.kubernetes.io/instance: ingress-nginx
  33.     app.kubernetes.io/version: 1.0.0
  34.     app.kubernetes.io/managed-by: Helm
  35.     app.kubernetes.io/component: controller
  36.   name: ingress-nginx-controller
  37.   namespace: ingress-nginx
  38. data:
  39. ---
  40. # Source: ingress-nginx/templates/clusterrole.yaml
  41. apiVersion: rbac.authorization.k8s.io/v1
  42. kind: ClusterRole
  43. metadata:
  44.   labels:
  45.     helm.sh/chart: ingress-nginx-4.0.1
  46.     app.kubernetes.io/name: ingress-nginx
  47.     app.kubernetes.io/instance: ingress-nginx
  48.     app.kubernetes.io/version: 1.0.0
  49.     app.kubernetes.io/managed-by: Helm
  50.   name: ingress-nginx
  51. rules:
  52.   - apiGroups:
  53.       - ''
  54.     resources:
  55.       - configmaps
  56.       - endpoints
  57.       - nodes
  58.       - pods
  59.       - secrets
  60.     verbs:
  61.       - list
  62.       - watch
  63.   - apiGroups:
  64.       - ''
  65.     resources:
  66.       - nodes
  67.     verbs:
  68.       - get
  69.   - apiGroups:
  70.       - ''
  71.     resources:
  72.       - services
  73.     verbs:
  74.       - get
  75.       - list
  76.       - watch
  77.   - apiGroups:
  78.       - networking.k8s.io
  79.     resources:
  80.       - ingresses
  81.     verbs:
  82.       - get
  83.       - list
  84.       - watch
  85.   - apiGroups:
  86.       - ''
  87.     resources:
  88.       - events
  89.     verbs:
  90.       - create
  91.       - patch
  92.   - apiGroups:
  93.       - networking.k8s.io
  94.     resources:
  95.       - ingresses/status
  96.     verbs:
  97.       - update
  98.   - apiGroups:
  99.       - networking.k8s.io
  100.     resources:
  101.       - ingressclasses
  102.     verbs:
  103.       - get
  104.       - list
  105.       - watch
  106. ---
  107. # Source: ingress-nginx/templates/clusterrolebinding.yaml
  108. apiVersion: rbac.authorization.k8s.io/v1
  109. kind: ClusterRoleBinding
  110. metadata:
  111.   labels:
  112.     helm.sh/chart: ingress-nginx-4.0.1
  113.     app.kubernetes.io/name: ingress-nginx
  114.     app.kubernetes.io/instance: ingress-nginx
  115.     app.kubernetes.io/version: 1.0.0
  116.     app.kubernetes.io/managed-by: Helm
  117.   name: ingress-nginx
  118. roleRef:
  119.   apiGroup: rbac.authorization.k8s.io
  120.   kind: ClusterRole
  121.   name: ingress-nginx
  122. subjects:
  123.   - kind: ServiceAccount
  124.     name: ingress-nginx
  125.     namespace: ingress-nginx
  126. ---
  127. # Source: ingress-nginx/templates/controller-role.yaml
  128. apiVersion: rbac.authorization.k8s.io/v1
  129. kind: Role
  130. metadata:
  131.   labels:
  132.     helm.sh/chart: ingress-nginx-4.0.1
  133.     app.kubernetes.io/name: ingress-nginx
  134.     app.kubernetes.io/instance: ingress-nginx
  135.     app.kubernetes.io/version: 1.0.0
  136.     app.kubernetes.io/managed-by: Helm
  137.     app.kubernetes.io/component: controller
  138.   name: ingress-nginx
  139.   namespace: ingress-nginx
  140. rules:
  141.   - apiGroups:
  142.       - ''
  143.     resources:
  144.       - namespaces
  145.     verbs:
  146.       - get
  147.   - apiGroups:
  148.       - ''
  149.     resources:
  150.       - configmaps
  151.       - pods
  152.       - secrets
  153.       - endpoints
  154.     verbs:
  155.       - get
  156.       - list
  157.       - watch
  158.   - apiGroups:
  159.       - ''
  160.     resources:
  161.       - services
  162.     verbs:
  163.       - get
  164.       - list
  165.       - watch
  166.   - apiGroups:
  167.       - networking.k8s.io
  168.     resources:
  169.       - ingresses
  170.     verbs:
  171.       - get
  172.       - list
  173.       - watch
  174.   - apiGroups:
  175.       - networking.k8s.io
  176.     resources:
  177.       - ingresses/status
  178.     verbs:
  179.       - update
  180.   - apiGroups:
  181.       - networking.k8s.io
  182.     resources:
  183.       - ingressclasses
  184.     verbs:
  185.       - get
  186.       - list
  187.       - watch
  188.   - apiGroups:
  189.       - ''
  190.     resources:
  191.       - configmaps
  192.     resourceNames:
  193.       - ingress-controller-leader
  194.     verbs:
  195.       - get
  196.       - update
  197.   - apiGroups:
  198.       - ''
  199.     resources:
  200.       - configmaps
  201.     verbs:
  202.       - create
  203.   - apiGroups:
  204.       - ''
  205.     resources:
  206.       - events
  207.     verbs:
  208.       - create
  209.       - patch
  210. ---
  211. # Source: ingress-nginx/templates/controller-rolebinding.yaml
  212. apiVersion: rbac.authorization.k8s.io/v1
  213. kind: RoleBinding
  214. metadata:
  215.   labels:
  216.     helm.sh/chart: ingress-nginx-4.0.1
  217.     app.kubernetes.io/name: ingress-nginx
  218.     app.kubernetes.io/instance: ingress-nginx
  219.     app.kubernetes.io/version: 1.0.0
  220.     app.kubernetes.io/managed-by: Helm
  221.     app.kubernetes.io/component: controller
  222.   name: ingress-nginx
  223.   namespace: ingress-nginx
  224. roleRef:
  225.   apiGroup: rbac.authorization.k8s.io
  226.   kind: Role
  227.   name: ingress-nginx
  228. subjects:
  229.   - kind: ServiceAccount
  230.     name: ingress-nginx
  231.     namespace: ingress-nginx
  232. ---
  233. # Source: ingress-nginx/templates/controller-service-webhook.yaml
  234. apiVersion: v1
  235. kind: Service
  236. metadata:
  237.   labels:
  238.     helm.sh/chart: ingress-nginx-4.0.1
  239.     app.kubernetes.io/name: ingress-nginx
  240.     app.kubernetes.io/instance: ingress-nginx
  241.     app.kubernetes.io/version: 1.0.0
  242.     app.kubernetes.io/managed-by: Helm
  243.     app.kubernetes.io/component: controller
  244.   name: ingress-nginx-controller-admission
  245.   namespace: ingress-nginx
  246. spec:
  247.   type: ClusterIP
  248.   ports:
  249.     - name: https-webhook
  250.       port: 443
  251.       targetPort: webhook
  252.       appProtocol: https
  253.   selector:
  254.     app.kubernetes.io/name: ingress-nginx
  255.     app.kubernetes.io/instance: ingress-nginx
  256.     app.kubernetes.io/component: controller
  257. ---
  258. # Source: ingress-nginx/templates/controller-service.yaml
  259. apiVersion: v1
  260. kind: Service
  261. metadata:
  262.   annotations:
  263.   labels:
  264.     helm.sh/chart: ingress-nginx-4.0.1
  265.     app.kubernetes.io/name: ingress-nginx
  266.     app.kubernetes.io/instance: ingress-nginx
  267.     app.kubernetes.io/version: 1.0.0
  268.     app.kubernetes.io/managed-by: Helm
  269.     app.kubernetes.io/component: controller
  270.   name: ingress-nginx-controller
  271.   namespace: ingress-nginx
  272. spec:
  273.   type: NodePort
  274.   ports:
  275.     - name: http
  276.       port: 80
  277.       protocol: TCP
  278.       targetPort: http
  279.       appProtocol: http
  280.     - name: https
  281.       port: 443
  282.       protocol: TCP
  283.       targetPort: https
  284.       appProtocol: https
  285.   selector:
  286.     app.kubernetes.io/name: ingress-nginx
  287.     app.kubernetes.io/instance: ingress-nginx
  288.     app.kubernetes.io/component: controller
  289. ---
  290. # Source: ingress-nginx/templates/controller-deployment.yaml
  291. apiVersion: apps/v1
  292. kind: Deployment
  293. metadata:
  294.   labels:
  295.     helm.sh/chart: ingress-nginx-4.0.1
  296.     app.kubernetes.io/name: ingress-nginx
  297.     app.kubernetes.io/instance: ingress-nginx
  298.     app.kubernetes.io/version: 1.0.0
  299.     app.kubernetes.io/managed-by: Helm
  300.     app.kubernetes.io/component: controller
  301.   name: ingress-nginx-controller
  302.   namespace: ingress-nginx
  303. spec:
  304.   selector:
  305.     matchLabels:
  306.       app.kubernetes.io/name: ingress-nginx
  307.       app.kubernetes.io/instance: ingress-nginx
  308.       app.kubernetes.io/component: controller
  309.   revisionHistoryLimit: 10
  310.   minReadySeconds: 0
  311.   template:
  312.     metadata:
  313.       labels:
  314.         app.kubernetes.io/name: ingress-nginx
  315.         app.kubernetes.io/instance: ingress-nginx
  316.         app.kubernetes.io/component: controller
  317.     spec:
  318.       dnsPolicy: ClusterFirst
  319.       containers:
  320.         - name: controller
  321.           image: geray/ingress-nginx-controller:v1.0.0
  322.           imagePullPolicy: IfNotPresent
  323.           lifecycle:
  324.             preStop:
  325.               exec:
  326.                 command:
  327.                   - /wait-shutdown
  328.           args:
  329.             - /nginx-ingress-controller
  330.             - --election-id=ingress-controller-leader
  331.             - --controller-class=k8s.io/ingress-nginx
  332.             - --configmap=$(POD_NAMESPACE)/ingress-nginx-controller
  333.             - --validating-webhook=:8443
  334.             - --validating-webhook-certificate=/usr/local/certificates/cert
  335.             - --validating-webhook-key=/usr/local/certificates/key
  336.           securityContext:
  337.             capabilities:
  338.               drop:
  339.                 - ALL
  340.               add:
  341.                 - NET_BIND_SERVICE
  342.             runAsUser: 101
  343.             allowPrivilegeEscalation: true
  344.           env:
  345.             - name: POD_NAME
  346.               valueFrom:
  347.                 fieldRef:
  348.                   fieldPath: metadata.name
  349.             - name: POD_NAMESPACE
  350.               valueFrom:
  351.                 fieldRef:
  352.                   fieldPath: metadata.namespace
  353.             - name: LD_PRELOAD
  354.               value: /usr/local/lib/libmimalloc.so
  355.           livenessProbe:
  356.             failureThreshold: 5
  357.             httpGet:
  358.               path: /healthz
  359.               port: 10254
  360.               scheme: HTTP
  361.             initialDelaySeconds: 10
  362.             periodSeconds: 10
  363.             successThreshold: 1
  364.             timeoutSeconds: 1
  365.           readinessProbe:
  366.             failureThreshold: 3
  367.             httpGet:
  368.               path: /healthz
  369.               port: 10254
  370.               scheme: HTTP
  371.             initialDelaySeconds: 10
  372.             periodSeconds: 10
  373.             successThreshold: 1
  374.             timeoutSeconds: 1
  375.           ports:
  376.             - name: http
  377.               containerPort: 80
  378.               protocol: TCP
  379.             - name: https
  380.               containerPort: 443
  381.               protocol: TCP
  382.             - name: webhook
  383.               containerPort: 8443
  384.               protocol: TCP
  385.           volumeMounts:
  386.             - name: webhook-cert
  387.               mountPath: /usr/local/certificates/
  388.               readOnly: true
  389.           resources:
  390.             requests:
  391.               cpu: 100m
  392.               memory: 90Mi
  393.       nodeSelector:
  394.         kubernetes.io/os: linux
  395.       serviceAccountName: ingress-nginx
  396.       terminationGracePeriodSeconds: 300
  397.       volumes:
  398.         - name: webhook-cert
  399.           secret:
  400.             secretName: ingress-nginx-admission
  401. ---
  402. # Source: ingress-nginx/templates/controller-ingressclass.yaml
  403. # We don't support namespaced ingressClass yet
  404. # So a ClusterRole and a ClusterRoleBinding is required
  405. apiVersion: networking.k8s.io/v1
  406. kind: IngressClass
  407. metadata:
  408.   labels:
  409.     helm.sh/chart: ingress-nginx-4.0.1
  410.     app.kubernetes.io/name: ingress-nginx
  411.     app.kubernetes.io/instance: ingress-nginx
  412.     app.kubernetes.io/version: 1.0.0
  413.     app.kubernetes.io/managed-by: Helm
  414.     app.kubernetes.io/component: controller
  415.   name: nginx
  416.   namespace: ingress-nginx
  417. spec:
  418.   controller: k8s.io/ingress-nginx
  419. ---
  420. # Source: ingress-nginx/templates/admission-webhooks/validating-webhook.yaml
  421. # before changing this value, check the required kubernetes version
  422. # https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#prerequisites
  423. apiVersion: admissionregistration.k8s.io/v1
  424. kind: ValidatingWebhookConfiguration
  425. metadata:
  426.   labels:
  427.     helm.sh/chart: ingress-nginx-4.0.1
  428.     app.kubernetes.io/name: ingress-nginx
  429.     app.kubernetes.io/instance: ingress-nginx
  430.     app.kubernetes.io/version: 1.0.0
  431.     app.kubernetes.io/managed-by: Helm
  432.     app.kubernetes.io/component: admission-webhook
  433.   name: ingress-nginx-admission
  434. webhooks:
  435.   - name: validate.nginx.ingress.kubernetes.io
  436.     matchPolicy: Equivalent
  437.     rules:
  438.       - apiGroups:
  439.           - networking.k8s.io
  440.         apiVersions:
  441.           - v1
  442.         operations:
  443.           - CREATE
  444.           - UPDATE
  445.         resources:
  446.           - ingresses
  447.     failurePolicy: Fail
  448.     sideEffects: None
  449.     admissionReviewVersions:
  450.       - v1
  451.     clientConfig:
  452.       service:
  453.         namespace: ingress-nginx
  454.         name: ingress-nginx-controller-admission
  455.         path: /networking/v1/ingresses
  456. ---
  457. # Source: ingress-nginx/templates/admission-webhooks/job-patch/serviceaccount.yaml
  458. apiVersion: v1
  459. kind: ServiceAccount
  460. metadata:
  461.   name: ingress-nginx-admission
  462.   namespace: ingress-nginx
  463.   annotations:
  464.     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
  465.     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
  466.   labels:
  467.     helm.sh/chart: ingress-nginx-4.0.1
  468.     app.kubernetes.io/name: ingress-nginx
  469.     app.kubernetes.io/instance: ingress-nginx
  470.     app.kubernetes.io/version: 1.0.0
  471.     app.kubernetes.io/managed-by: Helm
  472.     app.kubernetes.io/component: admission-webhook
  473. ---
  474. # Source: ingress-nginx/templates/admission-webhooks/job-patch/clusterrole.yaml
  475. apiVersion: rbac.authorization.k8s.io/v1
  476. kind: ClusterRole
  477. metadata:
  478.   name: ingress-nginx-admission
  479.   annotations:
  480.     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
  481.     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
  482.   labels:
  483.     helm.sh/chart: ingress-nginx-4.0.1
  484.     app.kubernetes.io/name: ingress-nginx
  485.     app.kubernetes.io/instance: ingress-nginx
  486.     app.kubernetes.io/version: 1.0.0
  487.     app.kubernetes.io/managed-by: Helm
  488.     app.kubernetes.io/component: admission-webhook
  489. rules:
  490.   - apiGroups:
  491.       - admissionregistration.k8s.io
  492.     resources:
  493.       - validatingwebhookconfigurations
  494.     verbs:
  495.       - get
  496.       - update
  497. ---
  498. # Source: ingress-nginx/templates/admission-webhooks/job-patch/clusterrolebinding.yaml
  499. apiVersion: rbac.authorization.k8s.io/v1
  500. kind: ClusterRoleBinding
  501. metadata:
  502.   name: ingress-nginx-admission
  503.   annotations:
  504.     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
  505.     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
  506.   labels:
  507.     helm.sh/chart: ingress-nginx-4.0.1
  508.     app.kubernetes.io/name: ingress-nginx
  509.     app.kubernetes.io/instance: ingress-nginx
  510.     app.kubernetes.io/version: 1.0.0
  511.     app.kubernetes.io/managed-by: Helm
  512.     app.kubernetes.io/component: admission-webhook
  513. roleRef:
  514.   apiGroup: rbac.authorization.k8s.io
  515.   kind: ClusterRole
  516.   name: ingress-nginx-admission
  517. subjects:
  518.   - kind: ServiceAccount
  519.     name: ingress-nginx-admission
  520.     namespace: ingress-nginx
  521. ---
  522. # Source: ingress-nginx/templates/admission-webhooks/job-patch/role.yaml
  523. apiVersion: rbac.authorization.k8s.io/v1
  524. kind: Role
  525. metadata:
  526.   name: ingress-nginx-admission
  527.   namespace: ingress-nginx
  528.   annotations:
  529.     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
  530.     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
  531.   labels:
  532.     helm.sh/chart: ingress-nginx-4.0.1
  533.     app.kubernetes.io/name: ingress-nginx
  534.     app.kubernetes.io/instance: ingress-nginx
  535.     app.kubernetes.io/version: 1.0.0
  536.     app.kubernetes.io/managed-by: Helm
  537.     app.kubernetes.io/component: admission-webhook
  538. rules:
  539.   - apiGroups:
  540.       - ''
  541.     resources:
  542.       - secrets
  543.     verbs:
  544.       - get
  545.       - create
  546. ---
  547. # Source: ingress-nginx/templates/admission-webhooks/job-patch/rolebinding.yaml
  548. apiVersion: rbac.authorization.k8s.io/v1
  549. kind: RoleBinding
  550. metadata:
  551.   name: ingress-nginx-admission
  552.   namespace: ingress-nginx
  553.   annotations:
  554.     helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
  555.     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
  556.   labels:
  557.     helm.sh/chart: ingress-nginx-4.0.1
  558.     app.kubernetes.io/name: ingress-nginx
  559.     app.kubernetes.io/instance: ingress-nginx
  560.     app.kubernetes.io/version: 1.0.0
  561.     app.kubernetes.io/managed-by: Helm
  562.     app.kubernetes.io/component: admission-webhook
  563. roleRef:
  564.   apiGroup: rbac.authorization.k8s.io
  565.   kind: Role
  566.   name: ingress-nginx-admission
  567. subjects:
  568.   - kind: ServiceAccount
  569.     name: ingress-nginx-admission
  570.     namespace: ingress-nginx
  571. ---
  572. # Source: ingress-nginx/templates/admission-webhooks/job-patch/job-createSecret.yaml
  573. apiVersion: batch/v1
  574. kind: Job
  575. metadata:
  576.   name: ingress-nginx-admission-create
  577.   namespace: ingress-nginx
  578.   annotations:
  579.     helm.sh/hook: pre-install,pre-upgrade
  580.     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
  581.   labels:
  582.     helm.sh/chart: ingress-nginx-4.0.1
  583.     app.kubernetes.io/name: ingress-nginx
  584.     app.kubernetes.io/instance: ingress-nginx
  585.     app.kubernetes.io/version: 1.0.0
  586.     app.kubernetes.io/managed-by: Helm
  587.     app.kubernetes.io/component: admission-webhook
  588. spec:
  589.   template:
  590.     metadata:
  591.       name: ingress-nginx-admission-create
  592.       labels:
  593.         helm.sh/chart: ingress-nginx-4.0.1
  594.         app.kubernetes.io/name: ingress-nginx
  595.         app.kubernetes.io/instance: ingress-nginx
  596.         app.kubernetes.io/version: 1.0.0
  597.         app.kubernetes.io/managed-by: Helm
  598.         app.kubernetes.io/component: admission-webhook
  599.     spec:
  600.       containers:
  601.         - name: create
  602.           image: geray/kube-webhook-certgen:v1.0
  603.           imagePullPolicy: IfNotPresent
  604.           args:
  605.             - create
  606.             - --host=ingress-nginx-controller-admission,ingress-nginx-controller-admission.$(POD_NAMESPACE).svc
  607.             - --namespace=$(POD_NAMESPACE)
  608.             - --secret-name=ingress-nginx-admission
  609.           env:
  610.             - name: POD_NAMESPACE
  611.               valueFrom:
  612.                 fieldRef:
  613.                   fieldPath: metadata.namespace
  614.       restartPolicy: OnFailure
  615.       serviceAccountName: ingress-nginx-admission
  616.       nodeSelector:
  617.         kubernetes.io/os: linux
  618.       securityContext:
  619.         runAsNonRoot: true
  620.         runAsUser: 2000
  621. ---
  622. # Source: ingress-nginx/templates/admission-webhooks/job-patch/job-patchWebhook.yaml
  623. apiVersion: batch/v1
  624. kind: Job
  625. metadata:
  626.   name: ingress-nginx-admission-patch
  627.   namespace: ingress-nginx
  628.   annotations:
  629.     helm.sh/hook: post-install,post-upgrade
  630.     helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
  631.   labels:
  632.     helm.sh/chart: ingress-nginx-4.0.1
  633.     app.kubernetes.io/name: ingress-nginx
  634.     app.kubernetes.io/instance: ingress-nginx
  635.     app.kubernetes.io/version: 1.0.0
  636.     app.kubernetes.io/managed-by: Helm
  637.     app.kubernetes.io/component: admission-webhook
  638. spec:
  639.   template:
  640.     metadata:
  641.       name: ingress-nginx-admission-patch
  642.       labels:
  643.         helm.sh/chart: ingress-nginx-4.0.1
  644.         app.kubernetes.io/name: ingress-nginx
  645.         app.kubernetes.io/instance: ingress-nginx
  646.         app.kubernetes.io/version: 1.0.0
  647.         app.kubernetes.io/managed-by: Helm
  648.         app.kubernetes.io/component: admission-webhook
  649.     spec:
  650.       containers:
  651.         - name: patch
  652.           image: geray/kube-webhook-certgen:v1.0
  653.           imagePullPolicy: IfNotPresent
  654.           args:
  655.             - patch
  656.             - --webhook-name=ingress-nginx-admission
  657.             - --namespace=$(POD_NAMESPACE)
  658.             - --patch-mutating=false
  659.             - --secret-name=ingress-nginx-admission
  660.             - --patch-failure-policy=Fail
  661.           env:
  662.             - name: POD_NAMESPACE
  663.               valueFrom:
  664.                 fieldRef:
  665.                   fieldPath: metadata.namespace
  666.       restartPolicy: OnFailure
  667.       serviceAccountName: ingress-nginx-admission
  668.       nodeSelector:
  669.         kubernetes.io/os: linux
  670.       securityContext:
  671.         runAsNonRoot: true
  672.         runAsUser: 2000

1.2.1

ingress-nginx-1.2.1-deploy.yaml

https://github.com/kubernetes/ingress-nginx/blob/controller-v1.2.1/docs/deploy/index.md