Example of quay.io/kubernetes-ingress-controller deployed to Amazon EKS. https://stackoverflow.com/q/56781123/953327
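# DaemonSet running the NGINX ingress controller (one pod per node) in the
# ingress-nginx-sit namespace. TLS is terminated at the AWS ELB that fronts
# the companion Service; the controller itself only listens on plain HTTP.
#
# extensions/v1beta1 is deprecated for DaemonSet and was removed in
# Kubernetes 1.16; apps/v1 has the same shape (spec.selector is already set).
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: nginx-ingress-controller
  namespace: ingress-nginx-sit
  labels:
    app.kubernetes.io/name: ingress-nginx-sit
    app.kubernetes.io/part-of: ingress-nginx-sit
spec:
  minReadySeconds: 2
  updateStrategy:
    type: RollingUpdate
    rollingUpdate:
      maxUnavailable: '50%'
  selector:
    matchLabels:
      app.kubernetes.io/name: ingress-nginx-sit
      app.kubernetes.io/part-of: ingress-nginx-sit
  template:
    metadata:
      labels:
        app.kubernetes.io/name: ingress-nginx-sit
        app.kubernetes.io/part-of: ingress-nginx-sit
      annotations:
        # Metrics endpoint scraped by Prometheus; the same port serves /healthz.
        prometheus.io/port: '10254'
        prometheus.io/scrape: 'true'
    spec:
      serviceAccountName: nginx-ingress-serviceaccount
      containers:
        - name: nginx-ingress-controller
          image: quay.io/kubernetes-ingress-controller/nginx-ingress-controller:0.24.1
          args:
            - /nginx-ingress-controller
            - --configmap=$(POD_NAMESPACE)/nginx-configuration
            - --annotations-prefix=nginx.ingress.kubernetes.io
            - --publish-service=$(POD_NAMESPACE)/ingress-nginx
            # The namespace doubles as the ingress class, so each environment's
            # controller only reconciles Ingress objects tagged for it and only
            # watches its own namespace.
            - --ingress-class=$(POD_NAMESPACE)
            - --election-id=leader
            - --watch-namespace=$(POD_NAMESPACE)
          securityContext:
            # Kept as upstream ships it: the controller runs as www-data and
            # presumably relies on file capabilities on the nginx binary to
            # bind port 80; setting this to false enables no_new_privs, which
            # blocks those capabilities from being granted (confirm against the
            # upstream manifest for this image version before changing).
            allowPrivilegeEscalation: true
            capabilities:
              drop:
                - ALL
              add:
                - NET_BIND_SERVICE
            # www-data -> 33
            runAsUser: 33
            # Have the kubelet refuse to start the container should a future
            # image change make it run as UID 0; a no-op with runAsUser: 33.
            runAsNonRoot: true
          env:
            - name: POD_NAME
              valueFrom:
                fieldRef:
                  fieldPath: metadata.name
            - name: POD_NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
          ports:
            # 80 receives the ELB's decrypted HTTPS traffic (Service port 443).
            - name: http
              containerPort: 80
            # 8080 receives plain HTTP (Service port 80) and only redirects to
            # HTTPS; see http-snippet in the nginx-configuration ConfigMap.
            - name: http-redirect
              containerPort: 8080
          livenessProbe:
            failureThreshold: 3
            httpGet:
              path: /healthz
              port: 10254
              scheme: HTTP
            initialDelaySeconds: 30
            periodSeconds: 10
            successThreshold: 1
            timeoutSeconds: 10
          readinessProbe:
            failureThreshold: 6
            httpGet:
              path: /healthz
              port: 10254
              scheme: HTTP
            periodSeconds: 10
            successThreshold: 1
            timeoutSeconds: 10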
---
# Controller configuration consumed via --configmap=$(POD_NAMESPACE)/nginx-configuration.
# Keys are ingress-nginx ConfigMap options; the two *-snippet keys are raw nginx config.
apiVersion: v1
kind: ConfigMap
metadata:
  name: nginx-configuration
  namespace: ingress-nginx-sit
  labels:
    app.kubernetes.io/name: ingress-nginx-sit
    app.kubernetes.io/part-of: ingress-nginx-sit
data:
  hsts: "true"
  ssl-redirect: "true"
  # The ELB speaks plain HTTP to the backends, so PROXY protocol stays off and
  # the client scheme/address are taken from the X-Forwarded-* headers instead.
  use-proxy-protocol: "false"
  use-forwarded-headers: "true"
  enable-access-log-for-default-backend: "true"
  enable-owasp-modsecurity-crs: "true"
  # Only hosts in these ranges may set the forwarded client address;
  # restrict this to the IP addresses of the ELB.
  proxy-real-ip-cidr: "10.0.0.0/24,10.0.1.0/24"
  # Extra server block on 8080: everything except /healthz is redirected to HTTPS
  # by lua_ingress.rewrite with force_ssl_redirect, so the ELB's port 80 listener
  # never serves application content.
  http-snippet: |
    server {
      server_name _ ;
      listen 8080 default_server reuseport backlog=511;
      set $proxy_upstream_name "-";
      set $pass_access_scheme $scheme;
      set $pass_server_port $server_port;
      set $best_http_host $http_host;
      set $pass_port $pass_server_port;
      server_tokens off;
      location / {
        rewrite_by_lua_block {
          lua_ingress.rewrite({
            force_ssl_redirect = true,
            use_port_in_redirects = false,
          })
          balancer.rewrite()
          plugins.run()
        }
      }
      location /healthz {
        access_log off;
        return 200;
      }
    }
  # HSTS header on every server block (one year, subdomains, preload-eligible).
  # NOTE(review): hsts: "true" above may also add this header on HTTPS
  # responses; check that clients do not receive it twice.
  server-snippet: |
    more_set_headers "Strict-Transport-Security: max-age=31536000; includeSubDomains; preload";
# LoadBalancer Service in front of the controller DaemonSet. The AWS ELB
# terminates TLS with the ACM certificate below and forwards plain HTTP:
# ELB :443 -> container port 80 (http), ELB :80 -> container port 8080
# (http-redirect, which only redirects to HTTPS).
apiVersion: v1
kind: Service
metadata:
  name: ingress-nginx
  namespace: ingress-nginx-sit
  labels:
    app.kubernetes.io/name: ingress-nginx-sit
    app.kubernetes.io/part-of: ingress-nginx-sit
  annotations:
    # replace with the correct value of the generated certificate in the AWS console
    service.beta.kubernetes.io/aws-load-balancer-ssl-cert: "arn:aws:acm:us-west-2:xxxx:certificate/xxxx"
    # Specify the ssl policy to apply to the ELB
    service.beta.kubernetes.io/aws-load-balancer-ssl-negotiation-policy: "ELBSecurityPolicy-TLS-1-2-2017-01"
    # the backend instances are HTTP
    service.beta.kubernetes.io/aws-load-balancer-backend-protocol: "http"
    # Terminate ssl on https port
    service.beta.kubernetes.io/aws-load-balancer-ssl-ports: "https"
    # Ensure the ELB idle timeout is less than nginx keep-alive timeout. By default,
    # NGINX keep-alive is set to 75s. If using WebSockets, the value will need to be
    # increased to '3600' to avoid any potential issues.
    service.beta.kubernetes.io/aws-load-balancer-connection-idle-timeout: "60"
    # Security group used for the load balancer.
    service.beta.kubernetes.io/aws-load-balancer-extra-security-groups: "sg-xxxxx"
spec:
  type: LoadBalancer
  selector:
    app.kubernetes.io/name: ingress-nginx-sit
    app.kubernetes.io/part-of: ingress-nginx-sit
  # Client ranges allowed to reach the ELB (applied to its security group).
  # NOTE(review): 192.168.1.0/16 has host bits set; confirm whether
  # 192.168.0.0/16 or 192.168.1.0/24 was intended, since tooling may
  # normalise or reject the non-canonical form.
  loadBalancerSourceRanges:
    - "192.168.1.0/16"
  ports:
    - name: http
      port: 80
      targetPort: http-redirect
      # The range of valid ports is 30000-32767
      nodePort: 30080
    - name: https
      port: 443
      targetPort: http
      # The range of valid ports is 30000-32767
      nodePort: 30443