Skip to content

Instantly share code, notes, and snippets.

@icicimov

icicimov/ingress-ns.yml

Last active October 25, 2018 10:06
Show Gist options
  • Save icicimov/316ebea363e98824ce7a9aa3d34ffbb4 to your computer and use it in GitHub Desktop.
Save icicimov/316ebea363e98824ce7a9aa3d34ffbb4 to your computer and use it in GitHub Desktop.
Download ZIP
Nginx ingress controller for external service access in K8S clusters in AWS. Includes RBAC, HPA, PDB and Prometheus ServiceMonitor.
Raw
ingress-ns.yml
---
apiVersion: v1
kind: Namespace
metadata:
name: ingress
labels:
name: ingress
Raw
nginx-ingress-controller-external-sm.yml
---
apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
labels:
k8s-app: nginx-ingress-external # the k8s-app is the label Prom selects ServiceMonitor's by
name: nginx-ingress-external
namespace: monitoring
spec:
endpoints:
- interval: 10s
path: /metrics
port: metrics
namespaceSelector:
matchNames:
- ingress
selector:
matchLabels:
app: nginx-ingress-external
component: controller
Raw
nginx-ingress-controller-external.yml
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: nginx-ingress-external
namespace: ingress
labels:
app: nginx-ingress-external
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
labels:
app: nginx-ingress-external
name: nginx-ingress-external
rules:
- apiGroups:
- ""
resources:
- configmaps
- endpoints
- nodes
- pods
- secrets
verbs:
- list
- watch
- apiGroups:
- ""
resources:
- nodes
verbs:
- get
- apiGroups:
- ""
resources:
- services
verbs:
- get
- list
- update
- watch
- apiGroups:
- extensions
resources:
- ingresses
verbs:
- get
- list
- watch
- apiGroups:
- ""
resources:
- events
verbs:
- create
- patch
- apiGroups:
- extensions
resources:
- ingresses/status
verbs:
- update
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
labels:
app: nginx-ingress-external
name: nginx-ingress-external
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: nginx-ingress-external
subjects:
- kind: ServiceAccount
name: nginx-ingress-external
namespace: ingress
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: Role
metadata:
labels:
app: nginx-ingress-external
name: nginx-ingress-external
namespace: ingress
rules:
- apiGroups:
- ""
resources:
- namespaces
verbs:
- get
- apiGroups:
- ""
resources:
- configmaps
- pods
- secrets
- endpoints
verbs:
- get
- list
- watch
- apiGroups:
- ""
resources:
- services
verbs:
- get
- list
- update
- watch
- apiGroups:
- extensions
resources:
- ingresses
verbs:
- get
- list
- watch
- apiGroups:
- extensions
resources:
- ingresses/status
verbs:
- update
- apiGroups:
- ""
resources:
- configmaps
resourceNames:
# Defaults to "<election-id>-<ingress-class>"
# Here: "<ingress-controller-leader>-<nginx>"
# This has to be adapted if you change either parameter
# when launching the nginx-ingress-controller.
#- "ingress-controller-leader-nginx"
- ingress-controller-leader-nginx-ingress-external
verbs:
- get
- update
- apiGroups:
- ""
resources:
- configmaps
verbs:
- create
- apiGroups:
- ""
resources:
- endpoints
verbs:
- create
- get
- update
- apiGroups:
- ""
resources:
- events
verbs:
- create
- patch
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: RoleBinding
metadata:
labels:
app: nginx-ingress-external
name: nginx-ingress-external
namespace: ingress
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: nginx-ingress-external
subjects:
- kind: ServiceAccount
name: nginx-ingress-external
namespace: ingress
---
apiVersion: v1
kind: ConfigMap
metadata:
labels:
app: nginx-ingress-external
component: "controller"
name: nginx-ingress-external-controller
namespace: ingress
data:
access-log-path: "/dev/stdout"
enable-vts-status: "true"
vts-default-filter-key: "$server_name"
error-log-level: "warn"
error-log-path: "/dev/stdout"
proxy-connect-timeout: "15"
proxy-read-timeout: "600"
proxy-send-timeout: "600"
proxy-request-buffering: "off"
use-proxy-protocol: "true"
hsts-include-subdomains: "false"
proxy-body-size: "1024m"
server-name-hash-bucket-size: "256"
upstream-keepalive-connections: "50"
use-http2: "false"
---
apiVersion: v1
kind: ConfigMap
metadata:
name: tcp-configmap-nginx-external
namespace: ingress
labels:
app: nginx-ingress-external
component: "controller"
data:
#"5711": default/tcpservice-dev-svc:80
#"5712": default/tcpservice-prod-svc:80
---
apiVersion: v1
kind: ConfigMap
metadata:
name: udp-configmap-nginx-external
namespace: ingress
labels:
app: nginx-ingress-external
component: "controller"
---
apiVersion: v1
kind: Service
metadata:
labels:
app: nginx-ingress-external
component: "controller"
name: nginx-ingress-external-controller
namespace: ingress
annotations:
# Default is classic ELB
#service.beta.kubernetes.io/aws-load-balancer-type: 'nlb'
service.beta.kubernetes.io/aws-load-balancer-proxy-protocol: '*' # enable if use-proxy-protocol=true in ConfigMap (L4/TCP mode)
service.beta.kubernetes.io/aws-load-balancer-connection-idle-timeout: '1800'
service.beta.kubernetes.io/aws-load-balancer-cross-zone-load-balancing-enabled: 'True'
service.beta.kubernetes.io/aws-load-balancer-ssl-ports: 'https'
#service.beta.kubernetes.io/external-traffic: "OnlyLocal" # (k8s < 1.7)
spec:
# Enable to preserve client source address and have only the nodes
# running nginx pods registered as InService to the fronting ELB
# (replaces the above external-traffic annotation for k8s >= 1.7)
externalTrafficPolicy: Local
ports:
- name: http
port: 80
protocol: TCP
targetPort: 80
- name: https
port: 443
protocol: TCP
targetPort: 443
- name: metrics
port: 10254
protocol: TCP
targetPort: 10254
selector:
app: nginx-ingress-external
component: "controller"
type: "LoadBalancer"
---
apiVersion: v1
kind: Service
metadata:
labels:
app: nginx-ingress-external
component: "default-backend"
name: nginx-ingress-external-default-backend
namespace: ingress
spec:
ports:
- port: 80
targetPort: 8080
selector:
app: nginx-ingress-external
component: "default-backend"
type: "ClusterIP"
---
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
labels:
app: nginx-ingress-external
component: "controller"
name: nginx-ingress-external-controller
namespace: ingress
spec:
replicas: 1
selector:
matchLabels:
app: nginx-ingress-external
component: "controller"
revisionHistoryLimit: 5
strategy:
rollingUpdate:
maxSurge: 1
maxUnavailable: 1
minReadySeconds: 0
template:
metadata:
labels:
app: nginx-ingress-external
component: "controller"
annotations:
prometheus.io/port: '10254'
prometheus.io/scrape: 'true'
spec:
dnsPolicy: ClusterFirst
initContainers:
- command:
- sh
- -c
- sysctl -w net.core.somaxconn=32768; sysctl -w net.ipv4.ip_local_port_range="1024 65535"
image: alpine:3.6
imagePullPolicy: IfNotPresent
name: sysctl
securityContext:
privileged: true
containers:
- name: nginx-ingress-controller
image: "quay.io/kubernetes-ingress-controller/nginx-ingress-controller:0.14.0"
imagePullPolicy: "IfNotPresent"
args:
- /nginx-ingress-controller
- --default-backend-service=$(POD_NAMESPACE)/nginx-ingress-external-default-backend
- --default-ssl-certificate=default/tls-secret
- --election-id=ingress-controller-leader
- --ingress-class=nginx-ingress-external
- --configmap=$(POD_NAMESPACE)/nginx-ingress-external-controller
- --tcp-services-configmap=$(POD_NAMESPACE)/tcp-configmap-nginx-external
- --udp-services-configmap=$(POD_NAMESPACE)/udp-configmap-nginx-external
- --annotations-prefix=nginx.ingress.kubernetes.io
- --publish-service=ingress/nginx-ingress-external-controller
- --sort-backends=true
env:
- name: POD_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: POD_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
livenessProbe:
httpGet:
path: /healthz
port: 10254
scheme: HTTP
initialDelaySeconds: 10
periodSeconds: 10
timeoutSeconds: 1
successThreshold: 1
failureThreshold: 3
ports:
- name: http
containerPort: 80
protocol: TCP
- name: https
containerPort: 443
protocol: TCP
readinessProbe:
httpGet:
path: /healthz
port: 10254
scheme: HTTP
initialDelaySeconds: 10
periodSeconds: 10
timeoutSeconds: 1
successThreshold: 1
failureThreshold: 3
resources:
{}
hostNetwork: false
serviceAccountName: nginx-ingress-external
terminationGracePeriodSeconds: 60
---
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
labels:
app: nginx-ingress-external
component: "default-backend"
name: nginx-ingress-external-default-backend
namespace: ingress
spec:
replicas: 1
selector:
matchLabels:
app: nginx-ingress-external
component: "default-backend"
revisionHistoryLimit: 5
template:
metadata:
labels:
app: nginx-ingress-external
component: "default-backend"
spec:
containers:
- name: nginx-ingress-default-backend
image: "k8s.gcr.io/defaultbackend:1.4"
imagePullPolicy: "IfNotPresent"
args:
livenessProbe:
httpGet:
path: /healthz
port: 8080
scheme: HTTP
initialDelaySeconds: 30
timeoutSeconds: 5
ports:
- containerPort: 8080
protocol: TCP
resources:
{}
terminationGracePeriodSeconds: 60
---
apiVersion: autoscaling/v1
kind: HorizontalPodAutoscaler
metadata:
name: nginx-ingress-external-hpa
namespace: ingress
labels:
app: nginx-ingress-external
component: "controller"
spec:
scaleTargetRef:
kind: Deployment
name: nginx-ingress-external
minReplicas: 1
maxReplicas: 3
targetCPUUtilizationPercentage: 50
---
apiVersion: policy/v1beta1
kind: PodDisruptionBudget
metadata:
labels:
app: nginx-ingress-external
component: "controller"
name: nginx-ingress-external-controller
namespace: ingress
spec:
selector:
matchLabels:
app: nginx-ingress-external
component: "controller"
minAvailable: 1
---
apiVersion: policy/v1beta1
kind: PodDisruptionBudget
metadata:
labels:
app: nginx-ingress-external
component: "default-backend"
name: nginx-ingress-external-default-backend
namespace: ingress
spec:
selector:
matchLabels:
app: nginx-ingress-external
component: "default-backend"
minAvailable: 1
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment