Merge branch 'master' into add-sticky-path

Daniel (Shijun) Qian 2017-09-01 09:10:46 +08:00 committed by GitHub
commit a5df624a47
37 changed files with 756 additions and 301 deletions

View file

@ -1,5 +1,165 @@
Changelog
Changelog
### 0.9-beta.12
**Image:** `gcr.io/google_containers/nginx-ingress-controller:0.9.0-beta.12`
*Breaking changes:*
- SSL passthrough is disabled by default. To enable the feature use `--enable-ssl-passthrough`
*New Features:*
- Support for arm64
- New flags to customize listen ports
- Per minute rate limiting
- Rate limit whitelist
- Configuration of nginx worker timeout (to avoid zombie nginx workers processes)
- Redirects from non-www to www
- Custom default backend (per Ingress)
- Graceful shutdown for NGINX
*Changes:*
- [X] [#977](https://github.com/kubernetes/ingress/pull/977) Add sort-backends command line option
- [X] [#981](https://github.com/kubernetes/ingress/pull/981) Add annotation to allow use of service ClusterIP for NGINX upstream.
- [X] [#991](https://github.com/kubernetes/ingress/pull/991) Remove secret sync loop
- [X] [#992](https://github.com/kubernetes/ingress/pull/992) Check errors generating pem files
- [X] [#993](https://github.com/kubernetes/ingress/pull/993) Fix the sed command to work on macOS
- [X] [#1013](https://github.com/kubernetes/ingress/pull/1013) The fields of vtsDate are unified in the form of plural
- [X] [#1025](https://github.com/kubernetes/ingress/pull/1025) Fix file watch
- [X] [#1027](https://github.com/kubernetes/ingress/pull/1027) Lint code
- [X] [#1031](https://github.com/kubernetes/ingress/pull/1031) Change missing secret name log level to V(3)
- [X] [#1032](https://github.com/kubernetes/ingress/pull/1032) Alternative syncSecret approach #1030
- [X] [#1042](https://github.com/kubernetes/ingress/pull/1042) Add function to allow custom values in Ingress status
- [X] [#1043](https://github.com/kubernetes/ingress/pull/1043) Return reference to object providing Endpoint
- [X] [#1046](https://github.com/kubernetes/ingress/pull/1046) Add field FileSHA in BasicDigest struct
- [X] [#1058](https://github.com/kubernetes/ingress/pull/1058) add per minute rate limiting
- [X] [#1060](https://github.com/kubernetes/ingress/pull/1060) Update fsnotify dependency to fix arm64 issue
- [X] [#1065](https://github.com/kubernetes/ingress/pull/1065) Add more descriptive steps in Dev Documentation
- [X] [#1073](https://github.com/kubernetes/ingress/pull/1073) Release nginx-slim 0.22
- [X] [#1074](https://github.com/kubernetes/ingress/pull/1074) Remove lua and use fastcgi to render errors
- [X] [#1075](https://github.com/kubernetes/ingress/pull/1075) (feat/ #374) support proxy timeout
- [X] [#1076](https://github.com/kubernetes/ingress/pull/1076) Add more ssl test cases
- [X] [#1078](https://github.com/kubernetes/ingress/pull/1078) fix the same udp port and tcp port, update nginx.conf error
- [X] [#1080](https://github.com/kubernetes/ingress/pull/1080) Disable platform s390x
- [X] [#1081](https://github.com/kubernetes/ingress/pull/1081) Spit Static check and Coverage in diff Stages of Travis CI
- [X] [#1082](https://github.com/kubernetes/ingress/pull/1082) Fix build tasks
- [X] [#1087](https://github.com/kubernetes/ingress/pull/1087) Release nginx-slim 0.23
- [X] [#1088](https://github.com/kubernetes/ingress/pull/1088) Configure nginx worker timeout
- [X] [#1089](https://github.com/kubernetes/ingress/pull/1089) Update nginx to 1.13.4
- [X] [#1098](https://github.com/kubernetes/ingress/pull/1098) Exposing the event recorder to allow other controllers to create events
- [X] [#1102](https://github.com/kubernetes/ingress/pull/1102) Fix lose SSL Passthrough
- [X] [#1104](https://github.com/kubernetes/ingress/pull/1104) Simplify verification of hostname in ssl certificates
- [X] [#1109](https://github.com/kubernetes/ingress/pull/1109) Cleanup remote address in nginx template
- [X] [#1110](https://github.com/kubernetes/ingress/pull/1110) Fix Endpoint comparison
- [X] [#1118](https://github.com/kubernetes/ingress/pull/1118) feat(#733)Support nginx bandwidth control
- [X] [#1124](https://github.com/kubernetes/ingress/pull/1124) check fields len in dns.go
- [X] [#1130](https://github.com/kubernetes/ingress/pull/1130) Update nginx.go
- [X] [#1134](https://github.com/kubernetes/ingress/pull/1134) replace deprecated interface with versioned ones
- [X] [#1136](https://github.com/kubernetes/ingress/pull/1136) Fix status update - changed in #1074
- [X] [#1138](https://github.com/kubernetes/ingress/pull/1138) update nginx.go: preformance improve
- [X] [#1139](https://github.com/kubernetes/ingress/pull/1139) Fix Todo:convert sequence to table
- [X] [#1162](https://github.com/kubernetes/ingress/pull/1162) Optimize CI build time
- [X] [#1164](https://github.com/kubernetes/ingress/pull/1164) Use variable request_uri as redirect after auth
- [X] [#1179](https://github.com/kubernetes/ingress/pull/1179) Fix sticky upstream not used when enable rewrite
- [X] [#1184](https://github.com/kubernetes/ingress/pull/1184) Add support for temporal and permanent redirects
- [X] [#1185](https://github.com/kubernetes/ingress/pull/1185) Add more info about Server-Alias usage
- [X] [#1186](https://github.com/kubernetes/ingress/pull/1186) Add annotation for client-body-buffer-size per location
- [X] [#1190](https://github.com/kubernetes/ingress/pull/1190) Add flag to disable SSL passthrough
- [X] [#1193](https://github.com/kubernetes/ingress/pull/1193) fix broken link
- [X] [#1198](https://github.com/kubernetes/ingress/pull/1198) Add option for specific scheme for base url
- [X] [#1202](https://github.com/kubernetes/ingress/pull/1202) formatIP issue
- [X] [#1203](https://github.com/kubernetes/ingress/pull/1203) NGINX not reloading correctly
- [X] [#1204](https://github.com/kubernetes/ingress/pull/1204) Fix template error
- [X] [#1205](https://github.com/kubernetes/ingress/pull/1205) Add initial sync of secrets
- [X] [#1206](https://github.com/kubernetes/ingress/pull/1206) Update ssl-passthrough docs
- [X] [#1207](https://github.com/kubernetes/ingress/pull/1207) delete broken link
- [X] [#1208](https://github.com/kubernetes/ingress/pull/1208) fix some typo
- [X] [#1210](https://github.com/kubernetes/ingress/pull/1210) add rate limit whitelist
- [X] [#1215](https://github.com/kubernetes/ingress/pull/1215) Replace base64 encoding with random uuid
- [X] [#1218](https://github.com/kubernetes/ingress/pull/1218) Trivial fixes in core/pkg/net
- [X] [#1219](https://github.com/kubernetes/ingress/pull/1219) keep zones unique per ingress resource
- [X] [#1221](https://github.com/kubernetes/ingress/pull/1221) Move certificate authentication from location to server
- [X] [#1223](https://github.com/kubernetes/ingress/pull/1223) Add doc for non-www to www annotation
- [X] [#1224](https://github.com/kubernetes/ingress/pull/1224) refactor rate limit whitelist
- [X] [#1226](https://github.com/kubernetes/ingress/pull/1226) Remove useless variable in nginx.tmpl
- [X] [#1227](https://github.com/kubernetes/ingress/pull/1227) Update annotations doc with base-url-scheme
- [X] [#1233](https://github.com/kubernetes/ingress/pull/1233) Fix ClientBodyBufferSize annotation
- [X] [#1234](https://github.com/kubernetes/ingress/pull/1234) Lint code
- [X] [#1235](https://github.com/kubernetes/ingress/pull/1235) Fix Equal comparison
- [X] [#1236](https://github.com/kubernetes/ingress/pull/1236) Add Validation for Client Body Buffer Size
- [X] [#1238](https://github.com/kubernetes/ingress/pull/1238) Add support for 'client_body_timeout' and 'client_header_timeout'
- [X] [#1239](https://github.com/kubernetes/ingress/pull/1239) Add flags to customize listen ports and detect port collisions
- [X] [#1243](https://github.com/kubernetes/ingress/pull/1243) Add support for access-log-path and error-log-path
- [X] [#1244](https://github.com/kubernetes/ingress/pull/1244) Add custom default backend annotation
- [X] [#1246](https://github.com/kubernetes/ingress/pull/1246) Add additional headers when custom default backend is used
- [X] [#1247](https://github.com/kubernetes/ingress/pull/1247) Make Ingress annotations available in template
- [X] [#1248](https://github.com/kubernetes/ingress/pull/1248) Improve nginx controller performance
- [X] [#1254](https://github.com/kubernetes/ingress/pull/1254) fix Type transform panic
- [X] [#1257](https://github.com/kubernetes/ingress/pull/1257) Graceful shutdown for Nginx
- [X] [#1261](https://github.com/kubernetes/ingress/pull/1261) Add support for 'worker-shutdown-timeout'
*Documentation:*
- [X] [#976](https://github.com/kubernetes/ingress/pull/976) Update annotations doc
- [X] [#979](https://github.com/kubernetes/ingress/pull/979) Missing auth example
- [X] [#980](https://github.com/kubernetes/ingress/pull/980) Add nginx basic auth example
- [X] [#1001](https://github.com/kubernetes/ingress/pull/1001) examples/nginx/rbac: Give access to own namespace
- [X] [#1005](https://github.com/kubernetes/ingress/pull/1005) Update configuration.md
- [X] [#1018](https://github.com/kubernetes/ingress/pull/1018) add docs for `proxy-set-headers` and `add-headers`
- [X] [#1038](https://github.com/kubernetes/ingress/pull/1038) typo / spelling in README.md
- [X] [#1039](https://github.com/kubernetes/ingress/pull/1039) typo in examples/tcp/nginx/README.md
- [X] [#1049](https://github.com/kubernetes/ingress/pull/1049) Fix config name in the example.
- [X] [#1054](https://github.com/kubernetes/ingress/pull/1054) Fix link to UDP example
- [X] [#1084](https://github.com/kubernetes/ingress/pull/1084) (issue #310)Fix some broken link
- [X] [#1103](https://github.com/kubernetes/ingress/pull/1103) Add GoDoc Widget
- [X] [#1105](https://github.com/kubernetes/ingress/pull/1105) Make Readme file more readable
- [X] [#1106](https://github.com/kubernetes/ingress/pull/1106) Update annotations.md
- [X] [#1107](https://github.com/kubernetes/ingress/pull/1107) Fix Broken Link
- [X] [#1119](https://github.com/kubernetes/ingress/pull/1119) fix typos in controllers/nginx/README.md
- [X] [#1122](https://github.com/kubernetes/ingress/pull/1122) Fix broken link
- [X] [#1131](https://github.com/kubernetes/ingress/pull/1131) Add short help doc in configuration for nginx limit rate
- [X] [#1143](https://github.com/kubernetes/ingress/pull/1143) Minor Typo Fix
- [X] [#1144](https://github.com/kubernetes/ingress/pull/1144) Minor Typo fix
- [X] [#1145](https://github.com/kubernetes/ingress/pull/1145) Minor Typo fix
- [X] [#1146](https://github.com/kubernetes/ingress/pull/1146) Fix Minor Typo in Readme
- [X] [#1147](https://github.com/kubernetes/ingress/pull/1147) Minor Typo Fix
- [X] [#1148](https://github.com/kubernetes/ingress/pull/1148) Minor Typo Fix in Getting-Started.md
- [X] [#1149](https://github.com/kubernetes/ingress/pull/1149) Fix Minor Typo in TLS authentication
- [X] [#1150](https://github.com/kubernetes/ingress/pull/1150) Fix Minor Typo in Customize the HAProxy configuration
- [X] [#1151](https://github.com/kubernetes/ingress/pull/1151) Fix Minor Typo in customization custom-template
- [X] [#1152](https://github.com/kubernetes/ingress/pull/1152) Fix minor typo in HAProxy Multi TLS certificate termination
- [X] [#1153](https://github.com/kubernetes/ingress/pull/1153) Fix minor typo in Multi TLS certificate termination
- [X] [#1154](https://github.com/kubernetes/ingress/pull/1154) Fix minor typo in Role Based Access Control
- [X] [#1155](https://github.com/kubernetes/ingress/pull/1155) Fix minor typo in TCP loadbalancing
- [X] [#1156](https://github.com/kubernetes/ingress/pull/1156) Fix minor typo in UDP loadbalancing
- [X] [#1157](https://github.com/kubernetes/ingress/pull/1157) Fix minor typos in Prerequisites
- [X] [#1158](https://github.com/kubernetes/ingress/pull/1158) Fix minor typo in Ingress examples
- [X] [#1159](https://github.com/kubernetes/ingress/pull/1159) Fix minor typos in Ingress admin guide
- [X] [#1160](https://github.com/kubernetes/ingress/pull/1160) Fix a broken href and typo in Ingress FAQ
- [X] [#1165](https://github.com/kubernetes/ingress/pull/1165) Update CONTRIBUTING.md
- [X] [#1168](https://github.com/kubernetes/ingress/pull/1168) finx link to running-locally.md
- [X] [#1170](https://github.com/kubernetes/ingress/pull/1170) Update dead link in nginx/HTTPS section
- [X] [#1172](https://github.com/kubernetes/ingress/pull/1172) Update README.md
- [X] [#1173](https://github.com/kubernetes/ingress/pull/1173) Update admin.md
- [X] [#1174](https://github.com/kubernetes/ingress/pull/1174) fix several titles
- [X] [#1177](https://github.com/kubernetes/ingress/pull/1177) fix typos
- [X] [#1188](https://github.com/kubernetes/ingress/pull/1188) Fix minor typo
- [X] [#1189](https://github.com/kubernetes/ingress/pull/1189) Fix sign in URL redirect parameter
- [X] [#1192](https://github.com/kubernetes/ingress/pull/1192) Update README.md
- [X] [#1195](https://github.com/kubernetes/ingress/pull/1195) Update troubleshooting.md
- [X] [#1196](https://github.com/kubernetes/ingress/pull/1196) Update README.md
- [X] [#1209](https://github.com/kubernetes/ingress/pull/1209) Update README.md
- [X] [#1085](https://github.com/kubernetes/ingress/pull/1085) Fix ConfigMap's namespace in custom configuration example for nginx
- [X] [#1142](https://github.com/kubernetes/ingress/pull/1142) Fix typo in multiple docs
- [X] [#1228](https://github.com/kubernetes/ingress/pull/1228) Update release doc in getting-started.md
- [X] [#1230](https://github.com/kubernetes/ingress/pull/1230) Update godep guide link
### 0.9-beta.11
**Image:** `gcr.io/google_containers/nginx-ingress-controller:0.9.0-beta.11`
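Review bot: The breaking-change line for 0.9-beta.12 and the entry for #1190 describe the same switch in opposite terms: the header says SSL passthrough is off by default and turned on with `--enable-ssl-passthrough`, while #1190 reads "Add flag to disable SSL passthrough". Reword the #1190 entry, or add a short parenthetical, so that someone upgrading from beta.11 can tell that passthrough stops working until the flag is added. Several entry titles also carry typos worth fixing in a release note ("Spit Static check", "preformance improve", "finx link", "nginx workers processes").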

View file

@ -3,7 +3,7 @@ all: push
BUILDTAGS=
# Use the 0.0 tag for testing, it shouldn't clobber any release builds
TAG?=0.9.0-beta.11
TAG?=0.9.0-beta.12
REGISTRY?=gcr.io/google_containers
GOOS?=linux
DOCKER?=gcloud docker --

View file

@ -95,14 +95,14 @@ $ ./rootfs/nginx-ingress-controller --running-in-cluster=false --default-backend
First create a default backend:
```
$ kubectl create -f examples/deployment/nginx/default-backend.yaml
$ kubectl create -f examples/default-backend.yaml
$ kubectl expose rc default-http-backend --port=80 --target-port=8080 --name=default-http-backend
```
Loadbalancers are created via a ReplicationController or Daemonset:
```
$ kubectl create -f examples/default/rc-default.yaml
$ kubectl create -f examples/rc-default.yaml
```
## HTTP
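Review bot: The `kubectl expose rc default-http-backend` step is left untouched while the manifest path on the line before it changes, so the two may no longer agree. If the manifest referenced creates a Deployment together with its own Service named `default-http-backend` (as the default-backend manifest added in this commit does), there is no ReplicationController for `expose rc` to find and the Service already exists. Check which object kinds the referenced file creates and drop or adjust the `expose` line to match.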

View file

@ -0,0 +1,51 @@
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
name: default-http-backend
labels:
k8s-app: default-http-backend
namespace: kube-system
spec:
replicas: 1
template:
metadata:
labels:
k8s-app: default-http-backend
spec:
terminationGracePeriodSeconds: 60
containers:
- name: default-http-backend
# Any image is permissable as long as:
# 1. It serves a 404 page at /
# 2. It serves 200 on a /healthz endpoint
image: gcr.io/google_containers/defaultbackend:1.0
livenessProbe:
httpGet:
path: /healthz
port: 8080
scheme: HTTP
initialDelaySeconds: 30
timeoutSeconds: 5
ports:
- containerPort: 8080
resources:
limits:
cpu: 10m
memory: 20Mi
requests:
cpu: 10m
memory: 20Mi
---
apiVersion: v1
kind: Service
metadata:
name: default-http-backend
namespace: kube-system
labels:
k8s-app: default-http-backend
spec:
ports:
- port: 80
targetPort: 8080
selector:
k8s-app: default-http-backend
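Review bot: The `default-http-backend` container spec sets resource limits and a liveness probe but no `securityContext`, and it is deployed into `kube-system`. The backend only serves a 404 at `/` and a 200 at `/healthz` on port 8080, so it can run as non-root with a read-only root filesystem and no added capabilities; stating that in the example keeps copies of it from running with container defaults. A `readinessProbe` on the same `/healthz` path would also keep the Service from routing to the pod before it is up. Minor: "permissable" in the comment should be "permissible".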

View file

@ -0,0 +1,26 @@
# This is the Ingress resource that creates a HTTP Loadbalancer configured
# according to the Ingress rules.
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: echomap
spec:
rules:
- host: foo.bar.com
http:
paths:
- path: /foo
backend:
serviceName: echoheaders-x
servicePort: 80
- host: bar.baz.com
http:
paths:
- path: /bar
backend:
serviceName: echoheaders-y
servicePort: 80
- path: /foo
backend:
serviceName: echoheaders-x
servicePort: 80

View file

@ -24,7 +24,7 @@ import (
)
const (
ngxStatusPath = "/internal_nginx_status"
ngxStatusPath = "/nginx_status"
ngxVtsPath = "/nginx_status/format/json"
)
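Review bot: The `ngxStatusPath` constant now has to match a location in the nginx template, but nothing at the constant says so. The template carries a comment pointing at nginx.go for the status port; add the reverse pointer here, naming the template location that serves `/nginx_status`, so the path and the template cannot drift apart silently. Note that `ngxVtsPath` is a sub-path of the same prefix, so both collectors depend on that one location being restricted to local access.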
@ -46,7 +46,7 @@ type statsCollector struct {
namespace string
watchClass string
healthPort int
port int
}
func (s *statsCollector) stop(sm statusModule) {
@ -63,18 +63,19 @@ func (s *statsCollector) stop(sm statusModule) {
func (s *statsCollector) start(sm statusModule) {
switch sm {
case defaultStatusModule:
s.basic = collector.NewNginxStatus(s.namespace, s.watchClass, s.healthPort, ngxStatusPath)
s.basic = collector.NewNginxStatus(s.namespace, s.watchClass, s.port, ngxStatusPath)
prometheus.Register(s.basic)
break
case vtsStatusModule:
s.vts = collector.NewNGINXVTSCollector(s.namespace, s.watchClass, s.healthPort, ngxVtsPath)
s.vts = collector.NewNGINXVTSCollector(s.namespace, s.watchClass, s.port, ngxVtsPath)
prometheus.Register(s.vts)
break
}
}
func newStatsCollector(ns, class, binary string, hz int) *statsCollector {
func newStatsCollector(ns, class, binary string, port int) *statsCollector {
glog.Infof("starting new nginx stats collector for Ingress controller running in namespace %v (class %v)", ns, class)
glog.Infof("collector extracting information from port %v", port)
pc, err := collector.NewNamedProcess(true, collector.BinaryNameMatcher{
Name: "nginx",
Binary: binary,
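Review bot: In `start`, both `prometheus.Register(s.basic)` and `prometheus.Register(s.vts)` discard the returned error, so a failed registration (for example a collector registered twice after a stop/start cycle) leaves the controller running without metrics and without a log line. Check the error and log it with `glog.Warningf`. The `break` statements at the end of each `case` are redundant in Go and can be dropped. The new `glog.Infof("collector extracting information from port %v", port)` line is useful; consider including the status path in it as well.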
@ -91,6 +92,6 @@ func newStatsCollector(ns, class, binary string, hz int) *statsCollector {
namespace: ns,
watchClass: class,
process: pc,
healthPort: hz,
port: port,
}
}

View file

@ -372,7 +372,11 @@ func (n *NGINXController) OverrideFlags(flags *pflag.FlagSet) {
}
flags.Set("ingress-class", ic)
n.stats = newStatsCollector(wc, ic, n.binary, n.ports.Health)
h, _ := flags.GetInt("healthz-port")
n.ports.Health = h
n.stats = newStatsCollector(wc, ic, n.binary, n.ports.Status)
if n.isSSLPassthroughEnabled {
if !isPortAvailable(n.ports.SSLProxy) {
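Review bot: `h, _ := flags.GetInt("healthz-port")` throws away the error, and on failure `h` is 0, which is then written to `n.ports.Health` unconditionally. If the flag is missing from the flag set or has a different type, the health port silently becomes 0. Handle the error (log and keep the previous value, or fail startup) before assigning. It would also help to run the same `isPortAvailable` check on `n.ports.Status` that the following lines apply to `n.ports.SSLProxy`, since the collector now depends on that port.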

View file

@ -143,8 +143,8 @@ func (bit BoolToFloat64) UnmarshalJSON(data []byte) error {
return nil
}
func getNginxStatus(ngxHealthPort int, ngxStatusPath string) (*basicStatus, error) {
url := fmt.Sprintf("http://localhost:%v%v", ngxHealthPort, ngxStatusPath)
func getNginxStatus(port int, path string) (*basicStatus, error) {
url := fmt.Sprintf("http://localhost:%v%v", port, path)
glog.V(3).Infof("start scrapping url: %v", url)
data, err := httpBody(url)
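Review bot: The log message "start scrapping url" in `getNginxStatus` (and the identical line in `getNginxVtsMetrics` further down) should read "scraping". Since this change already touches both functions, it is also a good moment to note that they build the URL with `localhost`, which can resolve to either 127.0.0.1 or ::1; the collector only works if the status server listens on whichever address the resolver returns, so using an explicit `127.0.0.1` would make the dependency on the template's `listen` line unambiguous.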
@ -174,8 +174,8 @@ func httpBody(url string) ([]byte, error) {
return data, nil
}
func getNginxVtsMetrics(ngxHealthPort int, ngxVtsPath string) (*vts, error) {
url := fmt.Sprintf("http://localhost:%v%v", ngxHealthPort, ngxVtsPath)
func getNginxVtsMetrics(port int, path string) (*vts, error) {
url := fmt.Sprintf("http://localhost:%v%v", port, path)
glog.V(3).Infof("start scrapping url: %v", url)
data, err := httpBody(url)

View file

@ -28,8 +28,8 @@ const ns = "nginx"
type (
vtsCollector struct {
scrapeChan chan scrapeRequest
ngxHealthPort int
ngxVtsPath string
port int
path string
data *vtsData
watchNamespace string
ingressClass string
@ -57,12 +57,12 @@ type (
)
// NewNGINXVTSCollector returns a new prometheus collector for the VTS module
func NewNGINXVTSCollector(watchNamespace, ingressClass string, ngxHealthPort int, ngxVtsPath string) Stopable {
func NewNGINXVTSCollector(watchNamespace, ingressClass string, port int, path string) Stopable {
p := vtsCollector{
scrapeChan: make(chan scrapeRequest),
ngxHealthPort: ngxHealthPort,
ngxVtsPath: ngxVtsPath,
port: port,
path: path,
watchNamespace: watchNamespace,
ingressClass: ingressClass,
}
@ -201,7 +201,7 @@ func (p vtsCollector) Stop() {
// scrapeVts scrape nginx vts metrics
func (p vtsCollector) scrapeVts(ch chan<- prometheus.Metric) {
nginxMetrics, err := getNginxVtsMetrics(p.ngxHealthPort, p.ngxVtsPath)
nginxMetrics, err := getNginxVtsMetrics(p.port, p.path)
if err != nil {
glog.Warningf("unexpected error obtaining nginx status info: %v", err)
return

View file

@ -301,7 +301,7 @@ func buildProxyPass(host string, b interface{}, loc interface{}) string {
return defProxyPass
}
if path != slash && !strings.HasSuffix(path, slash) {
if !strings.HasSuffix(path, slash) {
path = fmt.Sprintf("%s/", path)
}

View file

@ -387,7 +387,7 @@ http {
# Changing this value requires a change in:
# https://github.com/kubernetes/ingress/blob/master/controllers/nginx/pkg/cmd/controller/nginx.go
listen 127.0.0.1:{{ $all.ListenPorts.Status }} default_server reuseport backlog={{ $all.BacklogSize }};
{{ if $IsIPV6Enabled }}listen [::1]:{{ $all.ListenPorts.Status }} default_server reuseport backlog={{ $all.BacklogSize }};{{ end }}
{{ if $IsIPV6Enabled }}listen [::]:{{ $all.ListenPorts.Status }} default_server reuseport backlog={{ $all.BacklogSize }};{{ end }}
set $proxy_upstream_name "-";
location {{ $healthzURI }} {
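Review bot: The two `listen` lines for the status port are asymmetric when the IPv6 line uses `[::]`: IPv4 is bound to `127.0.0.1` only, while `[::]` accepts connections on every IPv6 address of the pod. That makes the status and healthz server reachable from outside the pod over IPv6 even though the IPv4 side is loopback-only. Unless external access over IPv6 is intended, keep the IPv6 bind at `[::1]` so both families match, and say in the comment above which one is meant.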
@ -407,21 +407,6 @@ http {
{{ end }}
}
# this location is used to extract nginx metrics
# using prometheus.
# TODO: enable extraction for vts module.
location /internal_nginx_status {
set $proxy_upstream_name "internal";
allow 127.0.0.1;
{{ if not $cfg.DisableIpv6 }}allow ::1;{{ end }}
deny all;
access_log off;
stub_status on;
}
fastcgi_param HTTP_X_Code 404;
fastcgi_param HTTP_X_Format $http_accept;
fastcgi_param HTTP_X_Original_URI $request_uri;
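Review bot: The `/internal_nginx_status` location being dropped here carried the only access control visible in this diff for `stub_status`: `allow 127.0.0.1;`, `allow ::1;` and `deny all;`, plus `access_log off;`. The collector now scrapes `/nginx_status`, and the location that serves that path is not shown in this hunk. Confirm that it has the same allow/deny rules, or rely on the loopback-only `listen` addresses and state that explicitly in a template comment; with neither in place the status page is readable by anyone who can reach the status port.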

View file

@ -259,7 +259,7 @@ spec:
spec:
terminationGracePeriodSeconds: 60
containers:
- image: gcr.io/google_containers/nginx-ingress-controller:0.9.0-beta.11
- image: gcr.io/google_containers/nginx-ingress-controller:0.9.0-beta.12
name: ingress-nginx
imagePullPolicy: Always
ports:

View file

@ -101,7 +101,7 @@ spec:
spec:
terminationGracePeriodSeconds: 60
containers:
- image: gcr.io/google_containers/nginx-ingress-controller:0.9.0-beta.11
- image: gcr.io/google_containers/nginx-ingress-controller:0.9.0-beta.12
name: ingress-nginx
imagePullPolicy: Always
ports:

View file

@ -19,7 +19,7 @@ spec:
# hostNetwork: true
terminationGracePeriodSeconds: 60
containers:
- image: gcr.io/google_containers/nginx-ingress-controller:0.9.0-beta.11
- image: gcr.io/google_containers/nginx-ingress-controller:0.9.0-beta.12
name: nginx-ingress-controller
readinessProbe:
httpGet:

View file

@ -22,7 +22,7 @@ spec:
# hostNetwork: true
terminationGracePeriodSeconds: 60
containers:
- image: gcr.io/google_containers/nginx-ingress-controller:0.9.0-beta.11
- image: gcr.io/google_containers/nginx-ingress-controller:0.9.0-beta.12
name: nginx-ingress-controller
readinessProbe:
httpGet:

View file

@ -16,7 +16,7 @@ spec:
spec:
terminationGracePeriodSeconds: 60
containers:
- image: gcr.io/google_containers/nginx-ingress-controller:0.9.0-beta.11
- image: gcr.io/google_containers/nginx-ingress-controller:0.9.0-beta.12
name: nginx-ingress-lb
imagePullPolicy: Always
readinessProbe:

View file

@ -19,7 +19,7 @@ spec:
# hostNetwork: true
terminationGracePeriodSeconds: 60
containers:
- image: gcr.io/google_containers/nginx-ingress-controller:0.9.0-beta.11
- image: gcr.io/google_containers/nginx-ingress-controller:0.9.0-beta.12
name: nginx-ingress-controller
readinessProbe:
httpGet:

View file

@ -16,7 +16,7 @@ spec:
spec:
terminationGracePeriodSeconds: 60
containers:
- image: gcr.io/google_containers/nginx-ingress-controller:0.9.0-beta.11
- image: gcr.io/google_containers/nginx-ingress-controller:0.9.0-beta.12
name: nginx-ingress-lb
imagePullPolicy: Always
readinessProbe:

View file

@ -22,7 +22,7 @@ spec:
# hostNetwork: true
terminationGracePeriodSeconds: 60
containers:
- image: gcr.io/google_containers/nginx-ingress-controller:0.9.0-beta.11
- image: gcr.io/google_containers/nginx-ingress-controller:0.9.0-beta.12
name: nginx-ingress-controller
readinessProbe:
httpGet:

View file

@ -19,7 +19,7 @@ spec:
# hostNetwork: true
terminationGracePeriodSeconds: 60
containers:
- image: gcr.io/google_containers/nginx-ingress-controller:0.9.0-beta.11
- image: gcr.io/google_containers/nginx-ingress-controller:0.9.0-beta.12
name: nginx-ingress-controller
readinessProbe:
httpGet:

View file

@ -41,6 +41,11 @@ NAME READY STATUS RESTARTS AGE
default-http-backend-q5sb6 1/1 Running 0 30m
```
## RBAC Authorization
Check the [RBAC sample](/examples/rbac/haproxy) if deploying on a cluster with
[RBAC authorization](https://kubernetes.io/docs/admin/authorization/rbac/).
## Ingress DaemonSet
Deploy the daemonset as follows:

View file

@ -16,7 +16,7 @@ spec:
spec:
terminationGracePeriodSeconds: 60
containers:
- image: gcr.io/google_containers/nginx-ingress-controller:0.9.0-beta.11
- image: gcr.io/google_containers/nginx-ingress-controller:0.9.0-beta.12
name: nginx-ingress-lb
readinessProbe:
httpGet:

View file

@ -70,6 +70,11 @@ configmap can be edited or replaced later in order to apply new
configuration on a running ingress controller. All supported options
are [here](https://github.com/jcmoraisjr/haproxy-ingress#configmap).
## RBAC Authorization
Check the [RBAC sample](/examples/rbac/haproxy) if deploying on a cluster with
[RBAC authorization](https://kubernetes.io/docs/admin/authorization/rbac/).
## Controller
Deploy HAProxy Ingress:

View file

@ -71,7 +71,7 @@ spec:
hostNetwork: true
terminationGracePeriodSeconds: 60
containers:
- image: gcr.io/google_containers/nginx-ingress-controller:0.9.0-beta.11
- image: gcr.io/google_containers/nginx-ingress-controller:0.9.0-beta.12
name: nginx-ingress-controller
readinessProbe:
httpGet:

View file

@ -22,7 +22,7 @@ spec:
# hostNetwork: true
terminationGracePeriodSeconds: 60
containers:
- image: gcr.io/google_containers/nginx-ingress-controller:0.9.0-beta.11
- image: gcr.io/google_containers/nginx-ingress-controller:0.9.0-beta.12
name: nginx-ingress-controller
readinessProbe:
httpGet:

View file

@ -0,0 +1,80 @@
# Role Based Access Control
This example demonstrates how to authorize an ingress controller on a cluster
with role based access control.
## Overview
This example applies to ingress controllers being deployed in an environment with
[RBAC](https://kubernetes.io/docs/admin/authorization/rbac/) enabled.
## Service Account created in this example
One ServiceAccount is created in this example, `ingress-controller`. See
[Using cert based authentication](#using-cert-based-authentication)
below if using client cert authentication.
## Permissions Granted in this example
There are two sets of permissions defined in this example. Cluster-wide
permissions defined by a `ClusterRole` and namespace specific permissions
defined by a `Role`, both named `ingress-controller`.
### Cluster Permissions
These permissions are granted in order for the ingress-controller to be
able to function as an ingress across the cluster. These permissions are
granted to the ClusterRole:
* `configmaps`, `endpoints`, `nodes`, `pods`, `secrets`: list, watch
* `nodes`: get
* `services`, `ingresses`: get, list, watch
* `events`: create, patch
* `ingresses/status`: update
### Namespace Permissions
These permissions are granted specific to the `ingress-controller` namespace.
The Role permissions are:
* `configmaps`, `pods`, `secrets`: get
* `endpoints`: create, get, update
Furthermore to support leader-election, the ingress controller needs to
have access to a `configmap` in the `ingress-controller` namespace:
* `configmaps`: get, update, create
## Namespace created in this example
The `Namespace` named `ingress-controller` is defined in this example. The
namespace name can be changed arbitrarily as long as all of the references
change as well.
## Usage
1. Create the `Namespace`, `Service Account`, `ClusterRole`, `Role`,
`ClusterRoleBinding`, and `RoleBinding`:
```console
$ kubectl create -f ingress-controller-rbac.yml
```
2. Deploy the ingress controller. The deployment should be configured to use
the `ingress-controller` service account name if not using kubeconfig and
client cert based authentication. Add the `serviceAccountName` to the pod
template spec:
```yaml
spec:
template:
spec:
serviceAccountName: ingress-controller
```
## Using cert based authentication
A client certificate based authentication can also be used with the following changes:
1. No need to add the `serviceAccountName` to the pod template spec.
2. Sign a client certificate using `ingress-controller` as it's common name.
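Review bot: The "Namespace Permissions" list does not match the accompanying manifest: the README lists `get` on `configmaps`, `pods` and `secrets`, while the Role in `ingress-controller-rbac.yml` also grants `get` on `namespaces`. Either document `namespaces` here or remove it from the Role. The leader-election paragraph says the controller needs access to "a `configmap`", which reads as one named object; say which one, since the Role as written covers every ConfigMap in the namespace. In the last step, "it's common name" should be "its common name".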

View file

@ -0,0 +1,133 @@
---
apiVersion: v1
kind: Namespace
metadata:
name: ingress-controller
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: ingress-controller
namespace: ingress-controller
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
name: ingress-controller
rules:
- apiGroups:
- ""
resources:
- configmaps
- endpoints
- nodes
- pods
- secrets
verbs:
- list
- watch
- apiGroups:
- ""
resources:
- nodes
verbs:
- get
- apiGroups:
- ""
resources:
- services
verbs:
- get
- list
- watch
- apiGroups:
- "extensions"
resources:
- ingresses
verbs:
- get
- list
- watch
- apiGroups:
- ""
resources:
- events
verbs:
- create
- patch
- apiGroups:
- "extensions"
resources:
- ingresses/status
verbs:
- update
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: Role
metadata:
name: ingress-controller
namespace: ingress-controller
rules:
- apiGroups:
- ""
resources:
- configmaps
- pods
- secrets
- namespaces
verbs:
- get
- apiGroups:
- ""
resources:
- configmaps
verbs:
- get
- update
- apiGroups:
- ""
resources:
- configmaps
verbs:
- create
- apiGroups:
- ""
resources:
- endpoints
verbs:
- get
- create
- update
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
name: ingress-controller
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: ingress-controller
subjects:
- kind: ServiceAccount
name: ingress-controller
namespace: ingress-controller
- apiGroup: rbac.authorization.k8s.io
kind: User
name: ingress-controller
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: RoleBinding
metadata:
name: ingress-controller
namespace: ingress-controller
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: ingress-controller
subjects:
- kind: ServiceAccount
name: ingress-controller
namespace: ingress-controller
- apiGroup: rbac.authorization.k8s.io
kind: User
name: ingress-controller
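Review bot: In the namespaced `Role`, the `configmaps` rule with `get` and `update` has no `resourceNames`, so it allows updating every ConfigMap in the `ingress-controller` namespace, not only the leader-election one the README describes. Splitting `create` into its own rule only makes sense if the `get`/`update` rule is restricted by name (`create` cannot be), so add `resourceNames` with the election ConfigMap's name to that rule; `get` on `configmaps` is also granted twice. Separately, the `ClusterRole` grants `list` and `watch` on `secrets` across all namespaces, which is worth a comment explaining why it is needed. Both bindings add a `User` subject named `ingress-controller` next to the ServiceAccount; a comment tying it to the cert-based authentication section would make clear it can be removed when only the ServiceAccount is used.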

View file

@ -16,7 +16,7 @@ spec:
serviceAccountName: nginx-ingress-serviceaccount
containers:
- name: nginx-ingress-controller
image: gcr.io/google_containers/nginx-ingress-controller:0.9.0-beta.11
image: gcr.io/google_containers/nginx-ingress-controller:0.9.0-beta.12
args:
- /nginx-ingress-controller
- --default-backend-service=default/default-http-backend

View file

@ -41,6 +41,11 @@ NAME READY STATUS RESTARTS AGE
default-http-backend-q5sb6 1/1 Running 0 30m
```
## RBAC Authorization
Check the [RBAC sample](/examples/rbac/haproxy) if deploying on a cluster with
[RBAC authorization](https://kubernetes.io/docs/admin/authorization/rbac/).
## Ingress Deployment
Deploy the Deployment of multi controllers as follows:

View file

@ -14,7 +14,7 @@ spec:
spec:
terminationGracePeriodSeconds: 60
containers:
- image: gcr.io/google_containers/nginx-ingress-controller:0.9.0-beta.11
- image: gcr.io/google_containers/nginx-ingress-controller:0.9.0-beta.12
name: nginx-ingress-controller
readinessProbe:
httpGet:

View file

@ -18,7 +18,7 @@ spec:
# hostNetwork: true
terminationGracePeriodSeconds: 60
containers:
- image: gcr.io/google_containers/nginx-ingress-controller:0.9.0-beta.11
- image: gcr.io/google_containers/nginx-ingress-controller:0.9.0-beta.12
name: nginx-ingress-controller
readinessProbe:
httpGet:

View file

@ -47,7 +47,7 @@ nginx-ingress-controller 1 1 1 3m
$ kubectl -n kube-system describe rc nginx-ingress-controller
Name: nginx-ingress-controller
Namespace: kube-system
Image(s): gcr.io/google_containers/nginx-ingress-controller:0.9.0-beta.11
Image(s): gcr.io/google_containers/nginx-ingress-controller:0.9.0-beta.12
Selector: k8s-app=nginx-tcp-ingress-lb
Labels: k8s-app=nginx-ingress-lb
Annotations: <none>

View file

@ -17,7 +17,7 @@ spec:
spec:
terminationGracePeriodSeconds: 60
containers:
- image: gcr.io/google_containers/nginx-ingress-controller:0.9.0-beta.11
- image: gcr.io/google_containers/nginx-ingress-controller:0.9.0-beta.12
name: nginx-tcp-ingress-lb
readinessProbe:
httpGet:

View file

@ -105,7 +105,7 @@ spec:
spec:
terminationGracePeriodSeconds: 60
containers:
- image: gcr.io/google_containers/nginx-ingress-controller:0.9.0-beta.11
- image: gcr.io/google_containers/nginx-ingress-controller:0.9.0-beta.12
name: ingress-nginx
imagePullPolicy: Always
ports:

View file

@ -53,7 +53,7 @@ nginx-udp-ingress-controller 1 1 1 13m
$ kubectl -n kube-system describe rc nginx-udp-ingress-controller
Name: nginx-udp-ingress-controller
Namespace: kube-system
Image(s): gcr.io/google_containers/nginx-ingress-controller:0.9.0-beta.11
Image(s): gcr.io/google_containers/nginx-ingress-controller:0.9.0-beta.12
Selector: k8s-app=nginx-udp-ingress-lb
Labels: k8s-app=nginx-udp-ingress-lb
Annotations: <none>

View file

@ -17,7 +17,7 @@ spec:
spec:
terminationGracePeriodSeconds: 60
containers:
- image: gcr.io/google_containers/nginx-ingress-controller:0.9.0-beta.11
- image: gcr.io/google_containers/nginx-ingress-controller:0.9.0-beta.12
name: nginx-udp-ingress-lb
readinessProbe:
httpGet: