github.com/alibaba/sealer@v0.8.6-0.20220430115802-37a2bdaa8173/applications/ingress/ingress-nginx-manifest.yaml (about) 1 apiVersion: v1 2 kind: Namespace 3 metadata: 4 name: ingress-system 5 labels: 6 app.kubernetes.io/name: ingress-nginx 7 app.kubernetes.io/instance: ingress-nginx 8 --- 9 # Source: ingress-nginx/templates/admission-webhooks/job-patch/serviceaccount.yaml 10 apiVersion: v1 11 kind: ServiceAccount 12 metadata: 13 name: ingress-nginx-admission 14 namespace: ingress-system 15 labels: 16 app.kubernetes.io/name: ingress-nginx 17 app.kubernetes.io/instance: ingress-nginx 18 app.kubernetes.io/component: admission-webhook 19 --- 20 # Source: ingress-nginx/templates/admission-webhooks/job-patch/clusterrole.yaml 21 apiVersion: rbac.authorization.k8s.io/v1 22 kind: ClusterRole 23 metadata: 24 name: ingress-nginx-admission 25 labels: 26 app.kubernetes.io/name: ingress-nginx 27 app.kubernetes.io/instance: ingress-nginx 28 app.kubernetes.io/component: admission-webhook 29 rules: 30 - apiGroups: 31 - admissionregistration.k8s.io 32 resources: 33 - validatingwebhookconfigurations 34 verbs: 35 - get 36 - update 37 --- 38 # Source: ingress-nginx/templates/admission-webhooks/job-patch/clusterrolebinding.yaml 39 apiVersion: rbac.authorization.k8s.io/v1 40 kind: ClusterRoleBinding 41 metadata: 42 name: ingress-nginx-admission 43 labels: 44 app.kubernetes.io/name: ingress-nginx 45 app.kubernetes.io/instance: ingress-nginx 46 app.kubernetes.io/component: admission-webhook 47 roleRef: 48 apiGroup: rbac.authorization.k8s.io 49 kind: ClusterRole 50 name: ingress-nginx-admission 51 subjects: 52 - kind: ServiceAccount 53 name: ingress-nginx-admission 54 namespace: "ingress-system" 55 --- 56 # Source: ingress-nginx/templates/admission-webhooks/job-patch/role.yaml 57 apiVersion: rbac.authorization.k8s.io/v1 58 kind: Role 59 metadata: 60 name: ingress-nginx-admission 61 namespace: ingress-system 62 labels: 63 app.kubernetes.io/name: ingress-nginx 64 app.kubernetes.io/instance: ingress-nginx 65 app.kubernetes.io/component: admission-webhook 66 rules: 67 - apiGroups: 68 - "" 69 resources: 70 - secrets 71 verbs: 72 - get 73 - create 74 --- 75 # Source: ingress-nginx/templates/admission-webhooks/job-patch/rolebinding.yaml 76 apiVersion: rbac.authorization.k8s.io/v1 77 kind: RoleBinding 78 metadata: 79 name: ingress-nginx-admission 80 namespace: ingress-system 81 labels: 82 app.kubernetes.io/name: ingress-nginx 83 app.kubernetes.io/instance: ingress-nginx 84 app.kubernetes.io/component: admission-webhook 85 roleRef: 86 apiGroup: rbac.authorization.k8s.io 87 kind: Role 88 name: ingress-nginx-admission 89 subjects: 90 - kind: ServiceAccount 91 name: ingress-nginx-admission 92 namespace: "ingress-system" 93 --- 94 # Source: ingress-nginx/templates/admission-webhooks/job-patch/job-createSecret.yaml 95 apiVersion: batch/v1 96 kind: Job 97 metadata: 98 name: ingress-nginx-admission-create 99 namespace: ingress-system 100 labels: 101 app.kubernetes.io/name: ingress-nginx 102 app.kubernetes.io/instance: ingress-nginx 103 app.kubernetes.io/component: admission-webhook 104 spec: 105 template: 106 metadata: 107 name: ingress-nginx-admission-create 108 labels: 109 app.kubernetes.io/name: ingress-nginx 110 app.kubernetes.io/instance: ingress-nginx 111 app.kubernetes.io/component: admission-webhook 112 spec: 113 containers: 114 - name: create 115 image: "k8s.gcr.io/ingress-nginx/kube-webhook-certgen:v1.0@sha256:f3b6b39a6062328c095337b4cadcefd1612348fdd5190b1dcbcb9b9e90bd8068" 116 imagePullPolicy: IfNotPresent 117 args: 118 - create 119 - --host=ingress-nginx-controller-admission,ingress-nginx-controller-admission.$(POD_NAMESPACE).svc 120 - --namespace=$(POD_NAMESPACE) 121 - --secret-name=ingress-nginx-admission 122 env: 123 - name: POD_NAMESPACE 124 valueFrom: 125 fieldRef: 126 fieldPath: metadata.namespace 127 restartPolicy: OnFailure 128 serviceAccountName: ingress-nginx-admission 129 nodeSelector: 130 kubernetes.io/os: linux 131 securityContext: 132 runAsNonRoot: true 133 runAsUser: 2000 134 --- 135 # Source: ingress-nginx/templates/admission-webhooks/job-patch/job-patchWebhook.yaml 136 apiVersion: batch/v1 137 kind: Job 138 metadata: 139 name: ingress-nginx-admission-patch 140 namespace: ingress-system 141 labels: 142 app.kubernetes.io/name: ingress-nginx 143 app.kubernetes.io/instance: ingress-nginx 144 app.kubernetes.io/component: admission-webhook 145 spec: 146 template: 147 metadata: 148 name: ingress-nginx-admission-patch 149 labels: 150 app.kubernetes.io/name: ingress-nginx 151 app.kubernetes.io/instance: ingress-nginx 152 app.kubernetes.io/component: admission-webhook 153 spec: 154 containers: 155 - name: patch 156 image: "k8s.gcr.io/ingress-nginx/kube-webhook-certgen:v1.0@sha256:f3b6b39a6062328c095337b4cadcefd1612348fdd5190b1dcbcb9b9e90bd8068" 157 imagePullPolicy: IfNotPresent 158 args: 159 - patch 160 - --webhook-name=ingress-nginx-admission 161 - --namespace=$(POD_NAMESPACE) 162 - --patch-mutating=false 163 - --secret-name=ingress-nginx-admission 164 - --patch-failure-policy=Fail 165 env: 166 - name: POD_NAMESPACE 167 valueFrom: 168 fieldRef: 169 fieldPath: metadata.namespace 170 restartPolicy: OnFailure 171 serviceAccountName: ingress-nginx-admission 172 nodeSelector: 173 kubernetes.io/os: linux 174 securityContext: 175 runAsNonRoot: true 176 runAsUser: 2000 177 --- 178 # Source: ingress-nginx/templates/controller-serviceaccount.yaml 179 apiVersion: v1 180 kind: ServiceAccount 181 metadata: 182 labels: 183 app.kubernetes.io/name: ingress-nginx 184 app.kubernetes.io/instance: ingress-nginx 185 app.kubernetes.io/component: controller 186 name: ingress-nginx 187 namespace: ingress-system 188 automountServiceAccountToken: true 189 --- 190 # Source: ingress-nginx/templates/controller-configmap.yaml 191 apiVersion: v1 192 kind: ConfigMap 193 metadata: 194 labels: 195 app.kubernetes.io/name: ingress-nginx 196 app.kubernetes.io/instance: ingress-nginx 197 app.kubernetes.io/component: controller 198 name: ingress-nginx-controller 199 namespace: ingress-system 200 --- 201 # Source: ingress-nginx/templates/clusterrole.yaml 202 apiVersion: rbac.authorization.k8s.io/v1 203 kind: ClusterRole 204 metadata: 205 labels: 206 app.kubernetes.io/name: ingress-nginx 207 app.kubernetes.io/instance: ingress-nginx 208 name: ingress-nginx 209 rules: 210 - apiGroups: 211 - "" 212 resources: 213 - configmaps 214 - endpoints 215 - nodes 216 - pods 217 - secrets 218 verbs: 219 - list 220 - watch 221 - apiGroups: 222 - "" 223 resources: 224 - nodes 225 verbs: 226 - get 227 - apiGroups: 228 - "" 229 resources: 230 - services 231 verbs: 232 - get 233 - list 234 - watch 235 - apiGroups: 236 - networking.k8s.io 237 resources: 238 - ingresses 239 verbs: 240 - get 241 - list 242 - watch 243 - apiGroups: 244 - "" 245 resources: 246 - events 247 verbs: 248 - create 249 - patch 250 - apiGroups: 251 - networking.k8s.io 252 resources: 253 - ingresses/status 254 verbs: 255 - update 256 - apiGroups: 257 - networking.k8s.io 258 resources: 259 - ingressclasses 260 verbs: 261 - get 262 - list 263 - watch 264 --- 265 # Source: ingress-nginx/templates/clusterrolebinding.yaml 266 apiVersion: rbac.authorization.k8s.io/v1 267 kind: ClusterRoleBinding 268 metadata: 269 labels: 270 app.kubernetes.io/name: ingress-nginx 271 app.kubernetes.io/instance: ingress-nginx 272 name: ingress-nginx 273 roleRef: 274 apiGroup: rbac.authorization.k8s.io 275 kind: ClusterRole 276 name: ingress-nginx 277 subjects: 278 - kind: ServiceAccount 279 name: ingress-nginx 280 namespace: "ingress-system" 281 --- 282 # Source: ingress-nginx/templates/controller-role.yaml 283 apiVersion: rbac.authorization.k8s.io/v1 284 kind: Role 285 metadata: 286 labels: 287 app.kubernetes.io/name: ingress-nginx 288 app.kubernetes.io/instance: ingress-nginx 289 app.kubernetes.io/component: controller 290 name: ingress-nginx 291 namespace: ingress-system 292 rules: 293 - apiGroups: 294 - "" 295 resources: 296 - namespaces 297 verbs: 298 - get 299 - apiGroups: 300 - "" 301 resources: 302 - configmaps 303 - pods 304 - secrets 305 - endpoints 306 verbs: 307 - get 308 - list 309 - watch 310 - apiGroups: 311 - "" 312 resources: 313 - services 314 verbs: 315 - get 316 - list 317 - watch 318 - apiGroups: 319 - networking.k8s.io 320 resources: 321 - ingresses 322 verbs: 323 - get 324 - list 325 - watch 326 - apiGroups: 327 - networking.k8s.io 328 resources: 329 - ingresses/status 330 verbs: 331 - update 332 - apiGroups: 333 - networking.k8s.io 334 resources: 335 - ingressclasses 336 verbs: 337 - get 338 - list 339 - watch 340 - apiGroups: 341 - "" 342 resources: 343 - configmaps 344 resourceNames: 345 - ingress-controller-leader 346 verbs: 347 - get 348 - update 349 - apiGroups: 350 - "" 351 resources: 352 - configmaps 353 verbs: 354 - create 355 - apiGroups: 356 - "" 357 resources: 358 - events 359 verbs: 360 - create 361 - patch 362 --- 363 # Source: ingress-nginx/templates/controller-rolebinding.yaml 364 apiVersion: rbac.authorization.k8s.io/v1 365 kind: RoleBinding 366 metadata: 367 labels: 368 app.kubernetes.io/name: ingress-nginx 369 app.kubernetes.io/instance: ingress-nginx 370 app.kubernetes.io/component: controller 371 name: ingress-nginx 372 namespace: ingress-system 373 roleRef: 374 apiGroup: rbac.authorization.k8s.io 375 kind: Role 376 name: ingress-nginx 377 subjects: 378 - kind: ServiceAccount 379 name: ingress-nginx 380 namespace: "ingress-system" 381 --- 382 # Source: ingress-nginx/templates/controller-service-webhook.yaml 383 apiVersion: v1 384 kind: Service 385 metadata: 386 labels: 387 app.kubernetes.io/name: ingress-nginx 388 app.kubernetes.io/instance: ingress-nginx 389 app.kubernetes.io/component: controller 390 name: ingress-nginx-controller-admission 391 namespace: ingress-system 392 spec: 393 type: ClusterIP 394 ports: 395 - name: https-webhook 396 port: 443 397 targetPort: webhook 398 selector: 399 app.kubernetes.io/name: ingress-nginx 400 app.kubernetes.io/instance: ingress-nginx 401 app.kubernetes.io/component: controller 402 --- 403 # Source: ingress-nginx/templates/controller-service.yaml 404 apiVersion: v1 405 kind: Service 406 metadata: 407 labels: 408 app.kubernetes.io/name: ingress-nginx 409 app.kubernetes.io/instance: ingress-nginx 410 app.kubernetes.io/component: controller 411 name: ingress-nginx-controller 412 namespace: ingress-system 413 spec: 414 type: LoadBalancer 415 ports: 416 - name: http 417 port: 80 418 protocol: TCP 419 targetPort: http 420 - name: https 421 port: 443 422 protocol: TCP 423 targetPort: https 424 selector: 425 app.kubernetes.io/name: ingress-nginx 426 app.kubernetes.io/instance: ingress-nginx 427 app.kubernetes.io/component: controller 428 --- 429 # Source: ingress-nginx/templates/controller-deployment.yaml 430 apiVersion: apps/v1 431 kind: DaemonSet 432 metadata: 433 labels: 434 app.kubernetes.io/name: ingress-nginx 435 app.kubernetes.io/instance: ingress-nginx 436 app.kubernetes.io/component: controller 437 name: ingress-nginx-controller 438 namespace: ingress-system 439 spec: 440 selector: 441 matchLabels: 442 app.kubernetes.io/name: ingress-nginx 443 app.kubernetes.io/instance: ingress-nginx 444 app.kubernetes.io/component: controller 445 revisionHistoryLimit: 10 446 minReadySeconds: 0 447 template: 448 metadata: 449 labels: 450 app.kubernetes.io/name: ingress-nginx 451 app.kubernetes.io/instance: ingress-nginx 452 app.kubernetes.io/component: controller 453 spec: 454 dnsPolicy: ClusterFirst 455 containers: 456 - name: controller 457 image: "k8s.gcr.io/ingress-nginx/controller:v1.0.0@sha256:0851b34f69f69352bf168e6ccf30e1e20714a264ab1ecd1933e4d8c0fc3215c6" 458 imagePullPolicy: IfNotPresent 459 lifecycle: 460 preStop: 461 exec: 462 command: 463 - /wait-shutdown 464 args: 465 - /nginx-ingress-controller 466 - --publish-service=$(POD_NAMESPACE)/ingress-nginx-controller 467 - --election-id=ingress-controller-leader 468 - --controller-class=k8s.io/ingress-nginx 469 - --configmap=$(POD_NAMESPACE)/ingress-nginx-controller 470 - --validating-webhook=:8443 471 - --validating-webhook-certificate=/usr/local/certificates/cert 472 - --validating-webhook-key=/usr/local/certificates/key 473 securityContext: 474 capabilities: 475 drop: 476 - ALL 477 add: 478 - NET_BIND_SERVICE 479 runAsUser: 101 480 allowPrivilegeEscalation: true 481 env: 482 - name: POD_NAME 483 valueFrom: 484 fieldRef: 485 fieldPath: metadata.name 486 - name: POD_NAMESPACE 487 valueFrom: 488 fieldRef: 489 fieldPath: metadata.namespace 490 - name: LD_PRELOAD 491 value: /usr/local/lib/libmimalloc.so 492 livenessProbe: 493 failureThreshold: 5 494 httpGet: 495 path: /healthz 496 port: 10254 497 scheme: HTTP 498 initialDelaySeconds: 10 499 periodSeconds: 10 500 successThreshold: 1 501 timeoutSeconds: 1 502 readinessProbe: 503 failureThreshold: 3 504 httpGet: 505 path: /healthz 506 port: 10254 507 scheme: HTTP 508 initialDelaySeconds: 10 509 periodSeconds: 10 510 successThreshold: 1 511 timeoutSeconds: 1 512 ports: 513 - name: http 514 containerPort: 80 515 protocol: TCP 516 - name: https 517 containerPort: 443 518 protocol: TCP 519 - name: webhook 520 containerPort: 8443 521 protocol: TCP 522 volumeMounts: 523 - name: webhook-cert 524 mountPath: /usr/local/certificates/ 525 readOnly: true 526 resources: 527 requests: 528 cpu: 100m 529 memory: 90Mi 530 nodeSelector: 531 kubernetes.io/os: linux 532 serviceAccountName: ingress-nginx 533 terminationGracePeriodSeconds: 300 534 hostNetwork: true 535 volumes: 536 - name: webhook-cert 537 secret: 538 secretName: ingress-nginx-admission 539 --- 540 # Source: ingress-nginx/templates/controller-ingressclass.yaml 541 # We don't support namespaced ingressClass yet 542 # So a ClusterRole and a ClusterRoleBinding is required 543 apiVersion: networking.k8s.io/v1 544 kind: IngressClass 545 metadata: 546 labels: 547 app.kubernetes.io/name: ingress-nginx 548 app.kubernetes.io/instance: ingress-nginx 549 app.kubernetes.io/component: controller 550 name: nginx 551 spec: 552 controller: k8s.io/ingress-nginx 553 --- 554 # Source: ingress-nginx/templates/admission-webhooks/validating-webhook.yaml 555 # before changing this value, check the required kubernetes version 556 # https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#prerequisites 557 apiVersion: admissionregistration.k8s.io/v1 558 kind: ValidatingWebhookConfiguration 559 metadata: 560 labels: 561 app.kubernetes.io/name: ingress-nginx 562 app.kubernetes.io/instance: ingress-nginx 563 app.kubernetes.io/component: admission-webhook 564 name: ingress-nginx-admission 565 webhooks: 566 - name: validate.nginx.ingress.kubernetes.io 567 matchPolicy: Equivalent 568 rules: 569 - apiGroups: 570 - networking.k8s.io 571 apiVersions: 572 - v1 573 operations: 574 - CREATE 575 - UPDATE 576 resources: 577 - ingresses 578 failurePolicy: Fail 579 sideEffects: None 580 admissionReviewVersions: 581 - v1 582 clientConfig: 583 service: 584 namespace: "ingress-system" 585 name: ingress-nginx-controller-admission 586 path: /networking/v1/ingresses