diff --git a/hack/ingress-nginx/kustomization.yaml b/hack/ingress-nginx/kustomization.yaml index 72fe6b30..8ddf09ad 100644 --- a/hack/ingress-nginx/kustomization.yaml +++ b/hack/ingress-nginx/kustomization.yaml @@ -1,7 +1,7 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: - - https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.8.1/deploy/static/provider/cloud/deploy.yaml + - https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.11.2/deploy/static/provider/kind/deploy.yaml patches: - path: deployment-ingress-nginx.yaml diff --git a/pkg/controllers/localbuild/resources/nginx/k8s/ingress-nginx.yaml b/pkg/controllers/localbuild/resources/nginx/k8s/ingress-nginx.yaml index 8c94540d..a68932bc 100644 --- a/pkg/controllers/localbuild/resources/nginx/k8s/ingress-nginx.yaml +++ b/pkg/controllers/localbuild/resources/nginx/k8s/ingress-nginx.yaml @@ -17,11 +17,12 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.1 + app.kubernetes.io/version: 1.11.2 name: ingress-nginx namespace: ingress-nginx --- apiVersion: v1 +automountServiceAccountToken: true kind: ServiceAccount metadata: labels: @@ -29,7 +30,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.1 + app.kubernetes.io/version: 1.11.2 name: ingress-nginx-admission namespace: ingress-nginx --- @@ -41,7 +42,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.1 + app.kubernetes.io/version: 1.11.2 name: ingress-nginx namespace: ingress-nginx rules: @@ -131,7 +132,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.1 + app.kubernetes.io/version: 1.11.2 name: ingress-nginx-admission namespace: ingress-nginx rules: @@ -150,7 +151,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.1 + app.kubernetes.io/version: 1.11.2 name: ingress-nginx rules: - apiGroups: @@ -232,7 +233,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.1 + app.kubernetes.io/version: 1.11.2 name: ingress-nginx-admission rules: - apiGroups: @@ -251,7 +252,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.1 + app.kubernetes.io/version: 1.11.2 name: ingress-nginx namespace: ingress-nginx roleRef: @@ -271,7 +272,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.1 + app.kubernetes.io/version: 1.11.2 name: ingress-nginx-admission namespace: ingress-nginx roleRef: @@ -290,7 +291,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.1 + app.kubernetes.io/version: 1.11.2 name: ingress-nginx roleRef: apiGroup: rbac.authorization.k8s.io @@ -309,7 +310,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.1 + app.kubernetes.io/version: 1.11.2 name: ingress-nginx-admission roleRef: apiGroup: rbac.authorization.k8s.io @@ -332,7 +333,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.1 + app.kubernetes.io/version: 1.11.2 name: ingress-nginx-controller namespace: ingress-nginx --- @@ -344,7 +345,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.1 + app.kubernetes.io/version: 1.11.2 name: ingress-nginx-controller-admission namespace: ingress-nginx spec: @@ -367,7 +368,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.1 + app.kubernetes.io/version: 1.11.2 name: ingress-nginx-controller namespace: ingress-nginx spec: @@ -416,7 +417,7 @@ spec: fieldPath: metadata.namespace - name: LD_PRELOAD value: /usr/local/lib/libmimalloc.so - image: registry.k8s.io/ingress-nginx/controller:v1.8.1@sha256:e5c4824e7375fcf2a393e1c03c293b69759af37a9ca6abdb91b13d78a93da8bd + image: registry.k8s.io/ingress-nginx/controller:v1.11.2@sha256:d5f8217feeac4887cb1ed21f27c2674e58be06bd8f5184cacea2a69abaf78dce imagePullPolicy: IfNotPresent lifecycle: preStop: @@ -461,22 +462,34 @@ spec: cpu: 100m memory: 90Mi securityContext: - allowPrivilegeEscalation: true + allowPrivilegeEscalation: false capabilities: add: - NET_BIND_SERVICE drop: - ALL + readOnlyRootFilesystem: false + runAsNonRoot: true runAsUser: 101 + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /usr/local/certificates/ name: webhook-cert readOnly: true dnsPolicy: ClusterFirst nodeSelector: + ingress-ready: "true" kubernetes.io/os: linux serviceAccountName: ingress-nginx terminationGracePeriodSeconds: 0 + tolerations: + - effect: NoSchedule + key: node-role.kubernetes.io/master + operator: Equal + - effect: NoSchedule + key: node-role.kubernetes.io/control-plane + operator: Equal volumes: - name: webhook-cert secret: @@ -490,7 +503,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.1 + app.kubernetes.io/version: 1.11.2 name: ingress-nginx-admission-create namespace: ingress-nginx spec: @@ -501,7 +514,7 @@ spec: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.1 + app.kubernetes.io/version: 1.11.2 name: ingress-nginx-admission-create spec: containers: @@ -515,18 +528,22 @@ spec: valueFrom: fieldRef: fieldPath: metadata.namespace - image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v20230407@sha256:543c40fd093964bc9ab509d3e791f9989963021f1e9e4c9c7b6700b02bfb227b + image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v1.4.3@sha256:a320a50cc91bd15fd2d6fa6de58bd98c1bd64b9a6f926ce23a600d87043455a3 imagePullPolicy: IfNotPresent name: create securityContext: allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 65532 + seccompProfile: + type: RuntimeDefault nodeSelector: kubernetes.io/os: linux restartPolicy: OnFailure - securityContext: - fsGroup: 2000 - runAsNonRoot: true - runAsUser: 2000 serviceAccountName: ingress-nginx-admission --- apiVersion: batch/v1 @@ -537,7 +554,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.1 + app.kubernetes.io/version: 1.11.2 name: ingress-nginx-admission-patch namespace: ingress-nginx spec: @@ -548,7 +565,7 @@ spec: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.1 + app.kubernetes.io/version: 1.11.2 name: ingress-nginx-admission-patch spec: containers: @@ -564,18 +581,22 @@ spec: valueFrom: fieldRef: fieldPath: metadata.namespace - image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v20230407@sha256:543c40fd093964bc9ab509d3e791f9989963021f1e9e4c9c7b6700b02bfb227b + image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v1.4.3@sha256:a320a50cc91bd15fd2d6fa6de58bd98c1bd64b9a6f926ce23a600d87043455a3 imagePullPolicy: IfNotPresent name: patch securityContext: allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 65532 + seccompProfile: + type: RuntimeDefault nodeSelector: kubernetes.io/os: linux restartPolicy: OnFailure - securityContext: - fsGroup: 2000 - runAsNonRoot: true - runAsUser: 2000 serviceAccountName: ingress-nginx-admission --- apiVersion: networking.k8s.io/v1 @@ -586,7 +607,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.1 + app.kubernetes.io/version: 1.11.2 name: nginx spec: controller: k8s.io/ingress-nginx @@ -599,7 +620,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.1 + app.kubernetes.io/version: 1.11.2 name: ingress-nginx-admission webhooks: - admissionReviewVersions: