Deploy GitHub Pages

This commit is contained in:
Travis Bot 2020-02-09 23:53:05 +00:00
parent ec2af1dbc3
commit 006cda8fee
62 changed files with 1885 additions and 1843 deletions


@ -34,7 +34,7 @@
<meta name="lang:search.tokenizer" content="[\s\-]+">
<link rel="shortcut icon" href="../../assets/images/favicon.png">
<meta name="generator" content="mkdocs-1.0.4, mkdocs-material-4.4.3">
<meta name="generator" content="mkdocs-1.0.4, mkdocs-material-4.6.2">
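Review bot: The theme upgrade arrives here inside a bot-authored deploy commit: the generator meta goes from mkdocs-material-4.4.3 to mkdocs-material-4.6.2, and the remaining markup changes in this diff follow from it. If the bump was not deliberate, pin the theme version in the docs build so the published HTML only changes when the pin does, and land the upgrade as its own reviewed change.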
@ -42,7 +42,7 @@
<link rel="stylesheet" href="../../assets/stylesheets/application.30686662.css">
<link rel="stylesheet" href="../../assets/stylesheets/application.adb8469c.css">
<link rel="stylesheet" href="../../assets/stylesheets/application-palette.a8b3c06d.css">
@ -53,12 +53,12 @@
<script src="../../assets/javascripts/modernizr.74668098.js"></script>
<script src="../../assets/javascripts/modernizr.86422ebf.js"></script>
<link href="https://fonts.gstatic.com" rel="preconnect" crossorigin>
<link rel="stylesheet" href="https://fonts.googleapis.com/css?family=Roboto:300,400,400i,700|Roboto+Mono&display=fallback">
<link rel="stylesheet" href="https://fonts.googleapis.com/css?family=Roboto:300,400,400i,700%7CRoboto+Mono&display=fallback">
<style>body,input{font-family:"Roboto","Helvetica Neue",Helvetica,Arial,sans-serif}code,kbd,pre{font-family:"Roboto Mono","Courier New",Courier,monospace}</style>
@ -114,7 +114,7 @@
<input class="md-toggle" data-md-toggle="search" type="checkbox" id="__search" autocomplete="off">
<label class="md-overlay" data-md-component="overlay" for="__drawer"></label>
<a href="#bare-metal-considerations" tabindex="1" class="md-skip">
<a href="#bare-metal-considerations" tabindex="0" class="md-skip">
Skip to content
</a>
@ -123,7 +123,7 @@
<nav class="md-header-nav md-grid">
<div class="md-flex">
<div class="md-flex__cell md-flex__cell--shrink">
<a href="https://kubernetes.github.io/ingress-nginx" title="NGINX Ingress Controller" class="md-header-nav__button md-logo">
<a href="https://kubernetes.github.io/ingress-nginx" title="NGINX Ingress Controller" aria-label="NGINX Ingress Controller" class="md-header-nav__button md-logo">
<i class="md-icon">public</i>
@ -154,7 +154,7 @@
<label class="md-search__overlay" for="__search"></label>
<div class="md-search__inner" role="search">
<form class="md-search__form" name="search">
<input type="text" class="md-search__input" name="query" placeholder="Search" autocapitalize="off" autocorrect="off" autocomplete="off" spellcheck="false" data-md-component="query" data-md-state="active">
<input type="text" class="md-search__input" aria-label="search" name="query" placeholder="Search" autocapitalize="off" autocorrect="off" autocomplete="off" spellcheck="false" data-md-component="query" data-md-state="active">
<label class="md-icon md-search__icon" for="__search"></label>
<button type="reset" class="md-icon md-search__icon" data-md-component="reset" tabindex="-1">
&#xE5CD;
@ -1263,7 +1263,7 @@ Kubernetes cluster running on bare-metal.</p>
supported cloud provider, effectively allowing the usage of LoadBalancer Services within any cluster.</p>
<p>This section demonstrates how to use the <a href="https://metallb.universe.tf/tutorial/layer2/">Layer 2 configuration mode</a> of MetalLB together with the NGINX
Ingress controller in a Kubernetes cluster that has <strong>publicly accessible nodes</strong>. In this mode, one node attracts all
the traffic for the <code class="codehilite">ingress-nginx</code> Service IP. See <a href="https://metallb.universe.tf/usage/#traffic-policies">Traffic policies</a> for more details.</p>
the traffic for the <code class="codehilite"><span class="err">ingress-nginx</span></code> Service IP. See <a href="https://metallb.universe.tf/usage/#traffic-policies">Traffic policies</a> for more details.</p>
<p><img alt="MetalLB in L2 mode" src="../../images/baremetal/metallb.jpg" /></p>
<div class="admonition note">
<p class="admonition-title">Note</p>
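Review bot: The regenerated inline code on the changed "Service IP" line is now wrapped in span class="err", which is the highlighter's error-token class, so a plain identifier such as ingress-nginx is being emitted as a lexing error and may pick up error styling from the theme. The same wrapper shows up on inline code in the later hunks. Either stop running the highlighter over inline code in the docs build or confirm the stylesheet does not style .codehilite .err before publishing.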
@ -1276,22 +1276,22 @@ yourself by reading the official documentation thoroughly.</p>
</div>
<p>MetalLB can be deployed either with a simple Kubernetes manifest or with Helm. The rest of this example assumes MetalLB
was deployed following the <a href="https://metallb.universe.tf/installation/">Installation</a> instructions.</p>
<p>MetalLB requires a pool of IP addresses in order to be able to take ownership of the <code class="codehilite">ingress-nginx</code> Service. This pool
can be defined in a ConfigMap named <code class="codehilite">config</code> located in the same namespace as the MetalLB controller. This pool of IPs <strong>must</strong> be dedicated to MetalLB's use, you can't reuse the Kubernetes node IPs or IPs handed out by a DHCP server.</p>
<p>MetalLB requires a pool of IP addresses in order to be able to take ownership of the <code class="codehilite"><span class="err">ingress-nginx</span></code> Service. This pool
can be defined in a ConfigMap named <code class="codehilite"><span class="err">config</span></code> located in the same namespace as the MetalLB controller. This pool of IPs <strong>must</strong> be dedicated to MetalLB's use, you can't reuse the Kubernetes node IPs or IPs handed out by a DHCP server.</p>
<div class="admonition example">
<p class="admonition-title">Example</p>
<p>Given the following 3-node Kubernetes cluster (the external IP is added as an example, in most bare-metal
environments this value is &lt;None>)</p>
<div class="codehilite"><pre><span></span><span class="gp">$</span> kubectl get node
<div class="codehilite"><pre><span></span><code><span class="gp">$</span> kubectl get node
<span class="go">NAME STATUS ROLES EXTERNAL-IP</span>
<span class="go">host-1 Ready master 203.0.113.1</span>
<span class="go">host-2 Ready node 203.0.113.2</span>
<span class="go">host-3 Ready node 203.0.113.3</span>
</pre></div>
</code></pre></div>
<p>After creating the following ConfigMap, MetalLB takes ownership of one of the IP addresses in the pool and updates
the <em>loadBalancer</em> IP field of the <code class="codehilite">ingress-nginx</code> Service accordingly.</p>
<div class="codehilite"><pre><span></span><span class="nt">apiVersion</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">v1</span>
the <em>loadBalancer</em> IP field of the <code class="codehilite"><span class="err">ingress-nginx</span></code> Service accordingly.</p>
<div class="codehilite"><pre><span></span><code><span class="nt">apiVersion</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">v1</span>
<span class="nt">kind</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">ConfigMap</span>
<span class="nt">metadata</span><span class="p">:</span>
<span class="nt">namespace</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">metallb-system</span>
@ -1303,26 +1303,26 @@ the <em>loadBalancer</em> IP field of the <code class="codehilite">ingress-nginx
<span class="no">protocol: layer2</span>
<span class="no">addresses:</span>
<span class="no">- 203.0.113.10-203.0.113.15</span>
</pre></div>
</code></pre></div>
<div class="codehilite"><pre><span></span><span class="gp">$</span> kubectl -n ingress-nginx get svc
<div class="codehilite"><pre><span></span><code><span class="gp">$</span> kubectl -n ingress-nginx get svc
<span class="go">NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S)</span>
<span class="go">default-http-backend ClusterIP 10.0.64.249 &lt;none&gt; 80/TCP</span>
<span class="go">ingress-nginx LoadBalancer 10.0.220.217 203.0.113.10 80:30100/TCP,443:30101/TCP</span>
</pre></div>
</code></pre></div>
</div>
<p>As soon as MetalLB sets the external IP address of the <code class="codehilite">ingress-nginx</code> LoadBalancer Service, the corresponding entries
<p>As soon as MetalLB sets the external IP address of the <code class="codehilite"><span class="err">ingress-nginx</span></code> LoadBalancer Service, the corresponding entries
are created in the iptables NAT table and the node with the selected IP address starts responding to HTTP requests on
the ports configured in the LoadBalancer Service:</p>
<div class="codehilite"><pre><span></span><span class="gp">$</span> curl -D- http://203.0.113.3 -H <span class="s1">&#39;Host: myapp.example.com&#39;</span>
<div class="codehilite"><pre><span></span><code><span class="gp">$</span> curl -D- http://203.0.113.3 -H <span class="s1">&#39;Host: myapp.example.com&#39;</span>
<span class="go">HTTP/1.1 200 OK</span>
<span class="go">Server: nginx/1.15.2</span>
</pre></div>
</code></pre></div>
<div class="admonition tip">
<p class="admonition-title">Tip</p>
<p>In order to preserve the source IP address in HTTP requests sent to NGINX, it is necessary to use the <code class="codehilite">Local</code>
<p>In order to preserve the source IP address in HTTP requests sent to NGINX, it is necessary to use the <code class="codehilite"><span class="err">Local</span></code>
traffic policy. Traffic policies are described in more details in <a href="https://metallb.universe.tf/usage/#traffic-policies">Traffic policies</a> as
well as in the next section.</p>
</div>
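Review bot: The curl example in this hunk requests http://203.0.113.3, but the Service listing just above it shows EXTERNAL-IP 203.0.113.10 assigned from the MetalLB pool, and 203.0.113.3 is the address of host-3 in the node listing. The text says the node with the selected IP starts responding, so the request should target 203.0.113.10. This page is generated output, so the fix belongs in the Markdown source.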
@ -1331,42 +1331,42 @@ well as in the next section.</p>
<a href="../#bare-metal">installation guide</a>.</p>
<div class="admonition info">
<p class="admonition-title">Info</p>
<p>A Service of type <code class="codehilite">NodePort</code> exposes, via the <code class="codehilite">kube-proxy</code> component, the <strong>same unprivileged</strong> port (default:
<p>A Service of type <code class="codehilite"><span class="err">NodePort</span></code> exposes, via the <code class="codehilite"><span class="err">kube-proxy</span></code> component, the <strong>same unprivileged</strong> port (default:
30000-32767) on every Kubernetes node, masters included. For more information, see <a href="https://kubernetes.io/docs/concepts/services-networking/service/#nodeport">Services</a>.</p>
</div>
<p>In this configuration, the NGINX container remains isolated from the host network. As a result, it can safely bind to
any port, including the standard HTTP ports 80 and 443. However, due to the container namespace isolation, a client
located outside the cluster network (e.g. on the public internet) is not able to access Ingress hosts directly on ports
80 and 443. Instead, the external client must append the NodePort allocated to the <code class="codehilite">ingress-nginx</code> Service to HTTP
80 and 443. Instead, the external client must append the NodePort allocated to the <code class="codehilite"><span class="err">ingress-nginx</span></code> Service to HTTP
requests.</p>
<p><img alt="NodePort request flow" src="../../images/baremetal/nodeport.jpg" /></p>
<div class="admonition example">
<p class="admonition-title">Example</p>
<p>Given the NodePort <code class="codehilite">30100</code> allocated to the <code class="codehilite">ingress-nginx</code> Service</p>
<div class="codehilite"><pre><span></span><span class="gp">$</span> kubectl -n ingress-nginx get svc
<p>Given the NodePort <code class="codehilite"><span class="err">30100</span></code> allocated to the <code class="codehilite"><span class="err">ingress-nginx</span></code> Service</p>
<div class="codehilite"><pre><span></span><code><span class="gp">$</span> kubectl -n ingress-nginx get svc
<span class="go">NAME TYPE CLUSTER-IP PORT(S)</span>
<span class="go">default-http-backend ClusterIP 10.0.64.249 80/TCP</span>
<span class="go">ingress-nginx NodePort 10.0.220.217 80:30100/TCP,443:30101/TCP</span>
</pre></div>
</code></pre></div>
<p>and a Kubernetes node with the public IP address <code class="codehilite">203.0.113.2</code> (the external IP is added as an example, in most
<p>and a Kubernetes node with the public IP address <code class="codehilite"><span class="err">203.0.113.2</span></code> (the external IP is added as an example, in most
bare-metal environments this value is &lt;None>)</p>
<div class="codehilite"><pre><span></span><span class="gp">$</span> kubectl get node
<div class="codehilite"><pre><span></span><code><span class="gp">$</span> kubectl get node
<span class="go">NAME STATUS ROLES EXTERNAL-IP</span>
<span class="go">host-1 Ready master 203.0.113.1</span>
<span class="go">host-2 Ready node 203.0.113.2</span>
<span class="go">host-3 Ready node 203.0.113.3</span>
</pre></div>
</code></pre></div>
<p>a client would reach an Ingress with <code class="codehilite"><span class="n">host</span><span class="o">:</span> <span class="n">myapp</span><span class="o">.</span><span class="na">example</span><span class="o">.</span><span class="na">com</span></code> at <code class="codehilite">http://myapp.example.com:30100</code>, where the
<p>a client would reach an Ingress with <code class="codehilite"><span class="n">host</span><span class="o">:</span> <span class="n">myapp</span><span class="o">.</span><span class="na">example</span><span class="o">.</span><span class="na">com</span></code> at <code class="codehilite"><span class="c">http://myapp.example.com:30100</span></code>, where the
myapp.example.com subdomain resolves to the 203.0.113.2 IP address.</p>
</div>
<div class="admonition danger">
<p class="admonition-title">Impact on the host system</p>
<p>While it may sound tempting to reconfigure the NodePort range using the <code class="codehilite">--service-node-port-range</code> API server flag
<p>While it may sound tempting to reconfigure the NodePort range using the <code class="codehilite"><span class="err">--service-node-port-range</span></code> API server flag
to include unprivileged ports and be able to expose ports 80 and 443, doing so may result in unexpected issues
including (but not limited to) the use of ports otherwise reserved to system daemons and the necessity to grant
<code class="codehilite">kube-proxy</code> privileges it may otherwise not require.</p>
<code class="codehilite"><span class="err">kube-proxy</span></code> privileges it may otherwise not require.</p>
<p>This practice is therefore <strong>discouraged</strong>. See the other approaches proposed in this page for alternatives.</p>
</div>
<p>This approach has a few other limitations one ought to be aware of:</p>
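Review bot: In the "Impact on the host system" admonition, "to include unprivileged ports and be able to expose ports 80 and 443" contradicts the Info box earlier in this hunk, which describes the default 30000-32767 NodePort range as unprivileged. Ports 80 and 443 are privileged, and that is what makes the extra kube-proxy privileges mentioned in the same sentence necessary, so the wording should be "privileged ports". Correct it in the Markdown source rather than in this generated file.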
@ -1376,8 +1376,8 @@ including (but not limited to) the use of ports otherwise reserved to system dae
<p>Services of type NodePort perform <a href="https://kubernetes.io/docs/tutorials/services/source-ip/#source-ip-for-services-with-type-nodeport">source address translation</a> by default. This means the source IP of a
HTTP request is always <strong>the IP address of the Kubernetes node that received the request</strong> from the perspective of
NGINX.</p>
<p>The recommended way to preserve the source IP in a NodePort setup is to set the value of the <code class="codehilite">externalTrafficPolicy</code>
field of the <code class="codehilite">ingress-nginx</code> Service spec to <code class="codehilite">Local</code> (<a href="https://github.com/kubernetes/ingress-nginx/blob/nginx-0.19.0/deploy/provider/aws/service-nlb.yaml#L12-L14">example</a>).</p>
<p>The recommended way to preserve the source IP in a NodePort setup is to set the value of the <code class="codehilite"><span class="err">externalTrafficPolicy</span></code>
field of the <code class="codehilite"><span class="err">ingress-nginx</span></code> Service spec to <code class="codehilite"><span class="err">Local</span></code> (<a href="https://github.com/kubernetes/ingress-nginx/blob/nginx-0.19.0/deploy/provider/aws/service-nlb.yaml#L12-L14">example</a>).</p>
<div class="admonition warning">
<p class="admonition-title">Warning</p>
<p>This setting effectively <strong>drops packets</strong> sent to Kubernetes nodes which are not running any instance of the NGINX
@ -1388,40 +1388,40 @@ the NGINX Ingress controller should be scheduled or not scheduled.</p>
<p class="admonition-title">Example</p>
<p>In a Kubernetes cluster composed of 3 nodes (the external IP is added as an example, in most bare-metal environments
this value is &lt;None>)</p>
<div class="codehilite"><pre><span></span><span class="gp">$</span> kubectl get node
<div class="codehilite"><pre><span></span><code><span class="gp">$</span> kubectl get node
<span class="go">NAME STATUS ROLES EXTERNAL-IP</span>
<span class="go">host-1 Ready master 203.0.113.1</span>
<span class="go">host-2 Ready node 203.0.113.2</span>
<span class="go">host-3 Ready node 203.0.113.3</span>
</pre></div>
</code></pre></div>
<p>with a <code class="codehilite">nginx-ingress-controller</code> Deployment composed of 2 replicas</p>
<div class="codehilite"><pre><span></span><span class="gp">$</span> kubectl -n ingress-nginx get pod -o wide
<p>with a <code class="codehilite"><span class="err">nginx-ingress-controller</span></code> Deployment composed of 2 replicas</p>
<div class="codehilite"><pre><span></span><code><span class="gp">$</span> kubectl -n ingress-nginx get pod -o wide
<span class="go">NAME READY STATUS IP NODE</span>
<span class="go">default-http-backend-7c5bc89cc9-p86md 1/1 Running 172.17.1.1 host-2</span>
<span class="go">nginx-ingress-controller-cf9ff8c96-8vvf8 1/1 Running 172.17.0.3 host-3</span>
<span class="go">nginx-ingress-controller-cf9ff8c96-pxsds 1/1 Running 172.17.1.4 host-2</span>
</pre></div>
</code></pre></div>
<p>Requests sent to <code class="codehilite">host-2</code> and <code class="codehilite">host-3</code> would be forwarded to NGINX and original client's IP would be preserved,
while requests to <code class="codehilite">host-1</code> would get dropped because there is no NGINX replica running on that node.</p>
<p>Requests sent to <code class="codehilite"><span class="err">host-2</span></code> and <code class="codehilite"><span class="err">host-3</span></code> would be forwarded to NGINX and original client's IP would be preserved,
while requests to <code class="codehilite"><span class="err">host-1</span></code> would get dropped because there is no NGINX replica running on that node.</p>
</div>
<ul>
<li><strong>Ingress status</strong></li>
</ul>
<p>Because NodePort Services do not get a LoadBalancerIP assigned by definition, the NGINX Ingress controller <strong>does not
update the status of Ingress objects it manages</strong>.</p>
<div class="codehilite"><pre><span></span><span class="gp">$</span> kubectl get ingress
<div class="codehilite"><pre><span></span><code><span class="gp">$</span> kubectl get ingress
<span class="go">NAME HOSTS ADDRESS PORTS</span>
<span class="go">test-ingress myapp.example.com 80</span>
</pre></div>
</code></pre></div>
<p>Despite the fact there is no load balancer providing a public IP address to the NGINX Ingress controller, it is possible
to force the status update of all managed Ingress objects by setting the <code class="codehilite">externalIPs</code> field of the <code class="codehilite">ingress-nginx</code>
to force the status update of all managed Ingress objects by setting the <code class="codehilite"><span class="err">externalIPs</span></code> field of the <code class="codehilite"><span class="err">ingress-nginx</span></code>
Service.</p>
<div class="admonition warning">
<p class="admonition-title">Warning</p>
<p>There is more to setting <code class="codehilite">externalIPs</code> than just enabling the NGINX Ingress controller to update the status of
<p>There is more to setting <code class="codehilite"><span class="err">externalIPs</span></code> than just enabling the NGINX Ingress controller to update the status of
Ingress objects. Please read about this option in the <a href="https://kubernetes.io/docs/concepts/services-networking/service/#external-ips">Services</a> page of official Kubernetes
documentation as well as the section about <a href="#external-ips">External IPs</a> in this document for more information.</p>
</div>
@ -1429,26 +1429,26 @@ documentation as well as the section about <a href="#external-ips">External IPs<
<p class="admonition-title">Example</p>
<p>Given the following 3-node Kubernetes cluster (the external IP is added as an example, in most bare-metal
environments this value is &lt;None>)</p>
<div class="codehilite"><pre><span></span><span class="gp">$</span> kubectl get node
<div class="codehilite"><pre><span></span><code><span class="gp">$</span> kubectl get node
<span class="go">NAME STATUS ROLES EXTERNAL-IP</span>
<span class="go">host-1 Ready master 203.0.113.1</span>
<span class="go">host-2 Ready node 203.0.113.2</span>
<span class="go">host-3 Ready node 203.0.113.3</span>
</pre></div>
</code></pre></div>
<p>one could edit the <code class="codehilite">ingress-nginx</code> Service and add the following field to the object spec</p>
<div class="codehilite"><pre><span></span><span class="nt">spec</span><span class="p">:</span>
<p>one could edit the <code class="codehilite"><span class="err">ingress-nginx</span></code> Service and add the following field to the object spec</p>
<div class="codehilite"><pre><span></span><code><span class="nt">spec</span><span class="p">:</span>
<span class="nt">externalIPs</span><span class="p">:</span>
<span class="p p-Indicator">-</span> <span class="l l-Scalar l-Scalar-Plain">203.0.113.1</span>
<span class="p p-Indicator">-</span> <span class="l l-Scalar l-Scalar-Plain">203.0.113.2</span>
<span class="p p-Indicator">-</span> <span class="l l-Scalar l-Scalar-Plain">203.0.113.3</span>
</pre></div>
</code></pre></div>
<p>which would in turn be reflected on Ingress objects as follows:</p>
<div class="codehilite"><pre><span></span><span class="gp">$</span> kubectl get ingress -o wide
<div class="codehilite"><pre><span></span><code><span class="gp">$</span> kubectl get ingress -o wide
<span class="go">NAME HOSTS ADDRESS PORTS</span>
<span class="go">test-ingress myapp.example.com 203.0.113.1,203.0.113.2,203.0.113.3 80</span>
</pre></div>
</code></pre></div>
</div>
<ul>
@ -1458,30 +1458,30 @@ environments this value is &lt;None>)</p>
for generating redirect URLs that take into account the URL used by external clients, including the NodePort.</p>
<div class="admonition example">
<p class="admonition-title">Example</p>
<p>Redirects generated by NGINX, for instance HTTP to HTTPS or <code class="codehilite">domain</code> to <code class="codehilite">www.domain</code>, are generated without
<p>Redirects generated by NGINX, for instance HTTP to HTTPS or <code class="codehilite"><span class="err">domain</span></code> to <code class="codehilite"><span class="err">www.domain</span></code>, are generated without
NodePort:</p>
<div class="codehilite"><pre><span></span><span class="gp">$</span> curl -D- http://myapp.example.com:30100<span class="sb">`</span>
<div class="codehilite"><pre><span></span><code><span class="gp">$</span> curl -D- http://myapp.example.com:30100<span class="sb">`</span>
<span class="go">HTTP/1.1 308 Permanent Redirect</span>
<span class="go">Server: nginx/1.15.2</span>
<span class="go">Location: https://myapp.example.com/ #-&gt; missing NodePort in HTTPS redirect</span>
</pre></div>
</code></pre></div>
</div>
<h2 id="via-the-host-network">Via the host network<a class="headerlink" href="#via-the-host-network" title="Permanent link"></a></h2>
<p>In a setup where there is no external load balancer available but using NodePorts is not an option, one can configure
<code class="codehilite">ingress-nginx</code> Pods to use the network of the host they run on instead of a dedicated network namespace. The benefit of
<code class="codehilite"><span class="err">ingress-nginx</span></code> Pods to use the network of the host they run on instead of a dedicated network namespace. The benefit of
this approach is that the NGINX Ingress controller can bind ports 80 and 443 directly to Kubernetes nodes' network
interfaces, without the extra network translation imposed by NodePort Services.</p>
<div class="admonition note">
<p class="admonition-title">Note</p>
<p>This approach does not leverage any Service object to expose the NGINX Ingress controller. If the <code class="codehilite">ingress-nginx</code>
<p>This approach does not leverage any Service object to expose the NGINX Ingress controller. If the <code class="codehilite"><span class="err">ingress-nginx</span></code>
Service exists in the target cluster, it is <strong>recommended to delete it</strong>.</p>
</div>
<p>This can be achieved by enabling the <code class="codehilite">hostNetwork</code> option in the Pods' spec.</p>
<div class="codehilite"><pre><span></span><span class="nt">template</span><span class="p">:</span>
<p>This can be achieved by enabling the <code class="codehilite"><span class="err">hostNetwork</span></code> option in the Pods' spec.</p>
<div class="codehilite"><pre><span></span><code><span class="nt">template</span><span class="p">:</span>
<span class="nt">spec</span><span class="p">:</span>
<span class="nt">hostNetwork</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">true</span>
</pre></div>
</code></pre></div>
<div class="admonition danger">
<p class="admonition-title">Security considerations</p>
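Review bot: The curl command in the redirect example ends with a stray backtick after http://myapp.example.com:30100 (the span class="sb" token), on both the old and the new line. Copied into a shell, that opens an unterminated command substitution instead of running the request. Remove the trailing backtick in the Markdown source so the command can be pasted as shown.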
@ -1490,26 +1490,26 @@ including the host's loopback. Please evaluate the impact this may have on the s
</div>
<div class="admonition example">
<p class="admonition-title">Example</p>
<p>Consider this <code class="codehilite">nginx-ingress-controller</code> Deployment composed of 2 replicas, NGINX Pods inherit from the IP address
<p>Consider this <code class="codehilite"><span class="err">nginx-ingress-controller</span></code> Deployment composed of 2 replicas, NGINX Pods inherit from the IP address
of their host instead of an internal Pod IP.</p>
<div class="codehilite"><pre><span></span><span class="gp">$</span> kubectl -n ingress-nginx get pod -o wide
<div class="codehilite"><pre><span></span><code><span class="gp">$</span> kubectl -n ingress-nginx get pod -o wide
<span class="go">NAME READY STATUS IP NODE</span>
<span class="go">default-http-backend-7c5bc89cc9-p86md 1/1 Running 172.17.1.1 host-2</span>
<span class="go">nginx-ingress-controller-5b4cf5fc6-7lg6c 1/1 Running 203.0.113.3 host-3</span>
<span class="go">nginx-ingress-controller-5b4cf5fc6-lzrls 1/1 Running 203.0.113.2 host-2</span>
</pre></div>
</code></pre></div>
</div>
<p>One major limitation of this deployment approach is that only <strong>a single NGINX Ingress controller Pod</strong> may be scheduled
on each cluster node, because binding the same port multiple times on the same network interface is technically
impossible. Pods that are unschedulable due to such situation fail with the following event:</p>
<div class="codehilite"><pre><span></span><span class="gp">$</span> kubectl -n ingress-nginx describe pod &lt;unschedulable-nginx-ingress-controller-pod&gt;
<div class="codehilite"><pre><span></span><code><span class="gp">$</span> kubectl -n ingress-nginx describe pod &lt;unschedulable-nginx-ingress-controller-pod&gt;
<span class="go">...</span>
<span class="go">Events:</span>
<span class="go"> Type Reason From Message</span>
<span class="go"> ---- ------ ---- -------</span>
<span class="go"> Warning FailedScheduling default-scheduler 0/3 nodes are available: 3 node(s) didn&#39;t have free ports for the requested pod ports.</span>
</pre></div>
</code></pre></div>
<p>One way to ensure only schedulable Pods are created is to deploy the NGINX Ingress controller as a <em>DaemonSet</em> instead
of a traditional Deployment.</p>
@ -1526,43 +1526,43 @@ configuration of the corresponding manifest at the user's discretion.</p>
<li><strong>DNS resolution</strong></li>
</ul>
<p>Pods configured with <code class="codehilite"><span class="n">hostNetwork</span><span class="o">:</span> <span class="kc">true</span></code> do not use the internal DNS resolver (i.e. <em>kube-dns</em> or <em>CoreDNS</em>), unless
their <code class="codehilite">dnsPolicy</code> spec field is set to <a href="https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy"><code class="codehilite">ClusterFirstWithHostNet</code></a>. Consider using this setting if NGINX is
their <code class="codehilite"><span class="err">dnsPolicy</span></code> spec field is set to <a href="https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy"><code class="codehilite"><span class="err">ClusterFirstWithHostNet</span></code></a>. Consider using this setting if NGINX is
expected to resolve internal names for any reason.</p>
<ul>
<li><strong>Ingress status</strong></li>
</ul>
<p>Because there is no Service exposing the NGINX Ingress controller in a configuration using the host network, the default
<code class="codehilite">--publish-service</code> flag used in standard cloud setups <strong>does not apply</strong> and the status of all Ingress objects remains
<code class="codehilite"><span class="err">--publish-service</span></code> flag used in standard cloud setups <strong>does not apply</strong> and the status of all Ingress objects remains
blank.</p>
<div class="codehilite"><pre><span></span><span class="gp">$</span> kubectl get ingress
<div class="codehilite"><pre><span></span><code><span class="gp">$</span> kubectl get ingress
<span class="go">NAME HOSTS ADDRESS PORTS</span>
<span class="go">test-ingress myapp.example.com 80</span>
</pre></div>
</code></pre></div>
<p>Instead, and because bare-metal nodes usually don't have an ExternalIP, one has to enable the
<a href="../../user-guide/cli-arguments/"><code class="codehilite">--report-node-internal-ip-address</code></a> flag, which sets the status of all Ingress objects to the internal IP
<a href="../../user-guide/cli-arguments/"><code class="codehilite"><span class="err">--report-node-internal-ip-address</span></code></a> flag, which sets the status of all Ingress objects to the internal IP
address of all nodes running the NGINX Ingress controller.</p>
<div class="admonition example">
<p class="admonition-title">Example</p>
<p>Given a <code class="codehilite">nginx-ingress-controller</code> DaemonSet composed of 2 replicas</p>
<div class="codehilite"><pre><span></span><span class="gp">$</span> kubectl -n ingress-nginx get pod -o wide
<p>Given a <code class="codehilite"><span class="err">nginx-ingress-controller</span></code> DaemonSet composed of 2 replicas</p>
<div class="codehilite"><pre><span></span><code><span class="gp">$</span> kubectl -n ingress-nginx get pod -o wide
<span class="go">NAME READY STATUS IP NODE</span>
<span class="go">default-http-backend-7c5bc89cc9-p86md 1/1 Running 172.17.1.1 host-2</span>
<span class="go">nginx-ingress-controller-5b4cf5fc6-7lg6c 1/1 Running 203.0.113.3 host-3</span>
<span class="go">nginx-ingress-controller-5b4cf5fc6-lzrls 1/1 Running 203.0.113.2 host-2</span>
</pre></div>
</code></pre></div>
<p>the controller sets the status of all Ingress objects it manages to the following value:</p>
<div class="codehilite"><pre><span></span><span class="gp">$</span> kubectl get ingress -o wide
<div class="codehilite"><pre><span></span><code><span class="gp">$</span> kubectl get ingress -o wide
<span class="go">NAME HOSTS ADDRESS PORTS</span>
<span class="go">test-ingress myapp.example.com 203.0.113.2,203.0.113.3 80</span>
</pre></div>
</code></pre></div>
</div>
<div class="admonition note">
<p class="admonition-title">Note</p>
<p>Alternatively, it is possible to override the address written to Ingress objects using the
<code class="codehilite">--publish-status-address</code> flag. See <a href="../../user-guide/cli-arguments/">Command line arguments</a>.</p>
<code class="codehilite"><span class="err">--publish-status-address</span></code> flag. See <a href="../../user-guide/cli-arguments/">Command line arguments</a>.</p>
</div>
<h2 id="using-a-self-provisioned-edge">Using a self-provisioned edge<a class="headerlink" href="#using-a-self-provisioned-edge" title="Permanent link"></a></h2>
<p>Similarly to cloud environments, this deployment approach requires an edge network component providing a public
@ -1581,49 +1581,50 @@ on the target nodes as shown in the diagram below:</p>
<p>This method does not allow preserving the source IP of HTTP requests in any manner, it is therefore <strong>not
recommended</strong> to use it despite its apparent simplicity.</p>
</div>
<p>The <code class="codehilite">externalIPs</code> Service option was previously mentioned in the <a href="#over-a-nodeport-service">NodePort</a> section.</p>
<p>As per the <a href="https://kubernetes.io/docs/concepts/services-networking/service/#external-ips">Services</a> page of the official Kubernetes documentation, the <code class="codehilite">externalIPs</code> option causes
<code class="codehilite">kube-proxy</code> to route traffic sent to arbitrary IP addresses <strong>and on the Service ports</strong> to the endpoints of that
<p>The <code class="codehilite"><span class="err">externalIPs</span></code> Service option was previously mentioned in the <a href="#over-a-nodeport-service">NodePort</a> section.</p>
<p>As per the <a href="https://kubernetes.io/docs/concepts/services-networking/service/#external-ips">Services</a> page of the official Kubernetes documentation, the <code class="codehilite"><span class="err">externalIPs</span></code> option causes
<code class="codehilite"><span class="err">kube-proxy</span></code> to route traffic sent to arbitrary IP addresses <strong>and on the Service ports</strong> to the endpoints of that
Service. These IP addresses <strong>must belong to the target node</strong>.</p>
<div class="admonition example">
<p class="admonition-title">Example</p>
<p>Given the following 3-node Kubernetes cluster (the external IP is added as an example, in most bare-metal
environments this value is &lt;None>)</p>
<div class="codehilite"><pre><span></span><span class="gp">$</span> kubectl get node
<div class="codehilite"><pre><span></span><code><span class="gp">$</span> kubectl get node
<span class="go">NAME STATUS ROLES EXTERNAL-IP</span>
<span class="go">host-1 Ready master 203.0.113.1</span>
<span class="go">host-2 Ready node 203.0.113.2</span>
<span class="go">host-3 Ready node 203.0.113.3</span>
</pre></div>
</code></pre></div>
<p>and the following <code class="codehilite">ingress-nginx</code> NodePort Service</p>
<div class="codehilite"><pre><span></span><span class="gp">$</span> kubectl -n ingress-nginx get svc
<p>and the following <code class="codehilite"><span class="err">ingress-nginx</span></code> NodePort Service</p>
<div class="codehilite"><pre><span></span><code><span class="gp">$</span> kubectl -n ingress-nginx get svc
<span class="go">NAME TYPE CLUSTER-IP PORT(S)</span>
<span class="go">ingress-nginx NodePort 10.0.220.217 80:30100/TCP,443:30101/TCP</span>
</pre></div>
</code></pre></div>
<p>One could set the following external IPs in the Service spec, and NGINX would become available on both the NodePort
and the Service port:</p>
<div class="codehilite"><pre><span></span><span class="nt">spec</span><span class="p">:</span>
<div class="codehilite"><pre><span></span><code><span class="nt">spec</span><span class="p">:</span>
<span class="nt">externalIPs</span><span class="p">:</span>
<span class="p p-Indicator">-</span> <span class="l l-Scalar l-Scalar-Plain">203.0.113.2</span>
<span class="p p-Indicator">-</span> <span class="l l-Scalar l-Scalar-Plain">203.0.113.3</span>
</pre></div>
</code></pre></div>
<div class="codehilite"><pre><span></span><span class="gp">$</span> curl -D- http://myapp.example.com:30100
<div class="codehilite"><pre><span></span><code><span class="gp">$</span> curl -D- http://myapp.example.com:30100
<span class="go">HTTP/1.1 200 OK</span>
<span class="go">Server: nginx/1.15.2</span>
<span class="gp">$</span> curl -D- http://myapp.example.com
<span class="go">HTTP/1.1 200 OK</span>
<span class="go">Server: nginx/1.15.2</span>
</pre></div>
</code></pre></div>
<p>We assume the myapp.example.com subdomain above resolves to both 203.0.113.2 and 203.0.113.3 IP addresses.</p>
</div>
@ -1678,9 +1679,9 @@ and the Service port:</p>
<div class="md-footer-copyright">
powered by
<a href="https://www.mkdocs.org">MkDocs</a>
<a href="https://www.mkdocs.org" target="_blank" rel="noopener">MkDocs</a>
and
<a href="https://squidfunk.github.io/mkdocs-material/">
<a href="https://squidfunk.github.io/mkdocs-material/" target="_blank" rel="noopener">
Material for MkDocs</a>
</div>
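Review bot: `rel="noopener"` alone on the two new `target="_blank"` footer links keeps the opened page from getting a `window.opener` handle, but the browser may still send a Referer to mkdocs.org and squidfunk.github.io. If that matters for this site, `rel="noopener noreferrer"` covers both. Since this is theme output, the change belongs in a theme override, not in the generated file.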
@ -1690,7 +1691,7 @@ and the Service port:</p>
</div>
<script src="../../assets/javascripts/application.ac79c3b0.js"></script>
<script src="../../assets/javascripts/application.c33a9706.js"></script>
<script>app.initialize({version:"1.0.4",url:{base:"../.."}})</script>

View file

@ -34,7 +34,7 @@
<meta name="lang:search.tokenizer" content="[\s\-]+">
<link rel="shortcut icon" href="../assets/images/favicon.png">
<meta name="generator" content="mkdocs-1.0.4, mkdocs-material-4.4.3">
<meta name="generator" content="mkdocs-1.0.4, mkdocs-material-4.6.2">
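Review bot: the generator string changes from `mkdocs-material-4.4.3` to `mkdocs-material-4.6.2` in a bot commit whose message is only "Deploy GitHub Pages", so the theme upgrade behind the rest of this diff (new asset hashes, `<code>` wrappers, `err` spans) is not recorded where a reader of the history would look for it. Suggest pinning the theme version in the docs build and upgrading it in a separate, described commit, so that a deploy changes content only.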
@ -42,7 +42,7 @@
<link rel="stylesheet" href="../assets/stylesheets/application.30686662.css">
<link rel="stylesheet" href="../assets/stylesheets/application.adb8469c.css">
<link rel="stylesheet" href="../assets/stylesheets/application-palette.a8b3c06d.css">
@ -53,12 +53,12 @@
<script src="../assets/javascripts/modernizr.74668098.js"></script>
<script src="../assets/javascripts/modernizr.86422ebf.js"></script>
<link href="https://fonts.gstatic.com" rel="preconnect" crossorigin>
<link rel="stylesheet" href="https://fonts.googleapis.com/css?family=Roboto:300,400,400i,700|Roboto+Mono&display=fallback">
<link rel="stylesheet" href="https://fonts.googleapis.com/css?family=Roboto:300,400,400i,700%7CRoboto+Mono&display=fallback">
<style>body,input{font-family:"Roboto","Helvetica Neue",Helvetica,Arial,sans-serif}code,kbd,pre{font-family:"Roboto Mono","Courier New",Courier,monospace}</style>
@ -114,7 +114,7 @@
<input class="md-toggle" data-md-toggle="search" type="checkbox" id="__search" autocomplete="off">
<label class="md-overlay" data-md-component="overlay" for="__drawer"></label>
<a href="#installation-guide" tabindex="1" class="md-skip">
<a href="#installation-guide" tabindex="0" class="md-skip">
Skip to content
</a>
@ -123,7 +123,7 @@
<nav class="md-header-nav md-grid">
<div class="md-flex">
<div class="md-flex__cell md-flex__cell--shrink">
<a href="https://kubernetes.github.io/ingress-nginx" title="NGINX Ingress Controller" class="md-header-nav__button md-logo">
<a href="https://kubernetes.github.io/ingress-nginx" title="NGINX Ingress Controller" aria-label="NGINX Ingress Controller" class="md-header-nav__button md-logo">
<i class="md-icon">public</i>
@ -154,7 +154,7 @@
<label class="md-search__overlay" for="__search"></label>
<div class="md-search__inner" role="search">
<form class="md-search__form" name="search">
<input type="text" class="md-search__input" name="query" placeholder="Search" autocapitalize="off" autocorrect="off" autocomplete="off" spellcheck="false" data-md-component="query" data-md-state="active">
<input type="text" class="md-search__input" aria-label="search" name="query" placeholder="Search" autocapitalize="off" autocorrect="off" autocomplete="off" spellcheck="false" data-md-component="query" data-md-state="active">
<label class="md-icon md-search__icon" for="__search"></label>
<button type="reset" class="md-icon md-search__icon" data-md-component="reset" tabindex="-1">
&#xE5CD;
@ -1446,7 +1446,7 @@
<div class="admonition attention">
<p class="admonition-title">Attention</p>
<p>The default configuration watches Ingress object from <em>all the namespaces</em>.
To change this behavior use the flag <code class="codehilite">--watch-namespace</code> to limit the scope to a particular namespace.</p>
To change this behavior use the flag <code class="codehilite"><span class="err">--watch-namespace</span></code> to limit the scope to a particular namespace.</p>
</div>
<div class="admonition warning">
<p class="admonition-title">Warning</p>
@ -1455,51 +1455,51 @@ To change this behavior use the flag <code class="codehilite">--watch-namespace<
<div class="admonition attention">
<p class="admonition-title">Attention</p>
<p>If you're using GKE you need to initialize your user as a cluster-admin with the following command:
<div class="codehilite"><pre><span></span><span class="go">kubectl create clusterrolebinding cluster-admin-binding \</span>
<div class="codehilite"><pre><span></span><code><span class="go">kubectl create clusterrolebinding cluster-admin-binding \</span>
<span class="go"> --clusterrole cluster-admin \</span>
<span class="go"> --user $(gcloud config get-value account)</span>
</pre></div></p>
</code></pre></div></p>
</div>
<p>The following <strong>Mandatory Command</strong> is required for all deployments.</p>
<div class="codehilite"><pre><span></span><span class="go">kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/nginx-0.28.0/deploy/static/mandatory.yaml</span>
</pre></div>
<div class="codehilite"><pre><span></span><code><span class="go">kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/nginx-0.28.0/deploy/static/mandatory.yaml</span>
</code></pre></div>
<div class="admonition tip">
<p class="admonition-title">Tip</p>
<p>If you are using a Kubernetes version previous to 1.14, you need to change <code class="codehilite">kubernetes.io/os</code> to <code class="codehilite">beta.kubernetes.io/os</code> at line 217 of <a href="https://github.com/kubernetes/ingress-nginx/blob/master/deploy/static/mandatory.yaml#L217">mandatory.yaml</a>, see <a href="https://kubernetes.io/docs/reference/kubernetes-api/labels-annotations-taints/">Labels details</a>.</p>
<p>If you are using a Kubernetes version previous to 1.14, you need to change <code class="codehilite"><span class="err">kubernetes.io/os</span></code> to <code class="codehilite"><span class="err">beta.kubernetes.io/os</span></code> at line 217 of <a href="https://github.com/kubernetes/ingress-nginx/blob/master/deploy/static/mandatory.yaml#L217">mandatory.yaml</a>, see <a href="https://kubernetes.io/docs/reference/kubernetes-api/labels-annotations-taints/">Labels details</a>.</p>
</div>
<h3 id="provider-specific-steps">Provider Specific Steps<a class="headerlink" href="#provider-specific-steps" title="Permanent link"></a></h3>
<p>There are cloud provider specific yaml files.</p>
<h4 id="docker-for-mac">Docker for Mac<a class="headerlink" href="#docker-for-mac" title="Permanent link"></a></h4>
<p>Kubernetes is available in Docker for Mac (from <a href="https://docs.docker.com/docker-for-mac/release-notes/#stable-releases-of-2018">version 18.06.0-ce</a>)</p>
<p>Create a service</p>
<div class="codehilite"><pre><span></span><span class="go">kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/nginx-0.28.0/deploy/static/provider/cloud-generic.yaml</span>
</pre></div>
<div class="codehilite"><pre><span></span><code><span class="go">kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/nginx-0.28.0/deploy/static/provider/cloud-generic.yaml</span>
</code></pre></div>
<h4 id="minikube">minikube<a class="headerlink" href="#minikube" title="Permanent link"></a></h4>
<p>For standard usage:</p>
<div class="codehilite"><pre><span></span><span class="go">minikube addons enable ingress</span>
</pre></div>
<div class="codehilite"><pre><span></span><code><span class="go">minikube addons enable ingress</span>
</code></pre></div>
<p>For development:</p>
<ol>
<li>Disable the ingress addon:</li>
</ol>
<div class="codehilite"><pre><span></span><span class="go">minikube addons disable ingress</span>
</pre></div>
<div class="codehilite"><pre><span></span><code><span class="go">minikube addons disable ingress</span>
</code></pre></div>
<ol>
<li>Execute <code class="codehilite">make dev-env</code></li>
<li>Confirm the <code class="codehilite">nginx-ingress-controller</code> deployment exists:</li>
<li>Execute <code class="codehilite"><span class="err">make dev-env</span></code></li>
<li>Confirm the <code class="codehilite"><span class="err">nginx-ingress-controller</span></code> deployment exists:</li>
</ol>
<div class="codehilite"><pre><span></span><span class="gp">$</span> kubectl get pods -n ingress-nginx
<div class="codehilite"><pre><span></span><code><span class="gp">$</span> kubectl get pods -n ingress-nginx
<span class="go">NAME READY STATUS RESTARTS AGE</span>
<span class="go">default-http-backend-66b447d9cf-rrlf9 1/1 Running 0 12s</span>
<span class="go">nginx-ingress-controller-fdcdcd6dd-vvpgs 1/1 Running 0 11s</span>
</pre></div>
</code></pre></div>
<h4 id="aws">AWS<a class="headerlink" href="#aws" title="Permanent link"></a></h4>
<p>In AWS we use an Elastic Load Balancer (ELB) to expose the NGINX Ingress controller behind a Service of <code class="codehilite">Type=LoadBalancer</code>.
<p>In AWS we use an Elastic Load Balancer (ELB) to expose the NGINX Ingress controller behind a Service of <code class="codehilite"><span class="err">Type=LoadBalancer</span></code>.
Since Kubernetes v1.9.0 it is possible to use a classic load balancer (ELB) or network load balancer (NLB)
Please check the <a href="https://aws.amazon.com/elasticloadbalancing/details/">elastic load balancing AWS details page</a></p>
<h5 id="elastic-load-balancer-elb">Elastic Load Balancer - ELB<a class="headerlink" href="#elastic-load-balancer-elb" title="Permanent link"></a></h5>
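Review bot: in the GKE admonition the highlighted block is still nested inside the paragraph (`<p>If you're using GKE ... command:` followed by `<div class="codehilite">` and closed with `</code></pre></div></p>`), which is invalid nesting: a browser closes the `<p>` at the `<div>` and is left with a stray `</p>`. The regeneration carried it over unchanged, so the fix is in the Markdown source, most likely a blank line between the sentence and the fenced block.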
@ -1509,45 +1509,45 @@ Please check the <a href="https://aws.amazon.com/elasticloadbalancing/details/">
<li><a href="https://en.wikipedia.org/wiki/OSI_model#Layer_7:_Application_Layer">Layer 7</a>: use HTTP as the listener protocol for port 80 and terminate TLS in the ELB</li>
</ul>
<p>For L4:</p>
<p>Check that no change is necessary with regards to the ELB idle timeout. In some scenarios, users may want to modify the ELB idle timeout, so please check the <a href="#elb-idle-timeouts">ELB Idle Timeouts section</a> for additional information. If a change is required, users will need to update the value of <code class="codehilite">service.beta.kubernetes.io/aws-load-balancer-connection-idle-timeout</code> in <code class="codehilite">provider/aws/service-l4.yaml</code></p>
<p>Check that no change is necessary with regards to the ELB idle timeout. In some scenarios, users may want to modify the ELB idle timeout, so please check the <a href="#elb-idle-timeouts">ELB Idle Timeouts section</a> for additional information. If a change is required, users will need to update the value of <code class="codehilite"><span class="err">service.beta.kubernetes.io/aws-load-balancer-connection-idle-timeout</span></code> in <code class="codehilite"><span class="err">provider/aws/service-l4.yaml</span></code></p>
<p>Then execute:</p>
<div class="codehilite"><pre><span></span><span class="go">kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/nginx-0.28.0/deploy/static/provider/aws/service-l4.yaml</span>
<div class="codehilite"><pre><span></span><code><span class="go">kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/nginx-0.28.0/deploy/static/provider/aws/service-l4.yaml</span>
<span class="go">kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/nginx-0.28.0/deploy/static/provider/aws/patch-configmap-l4.yaml</span>
</pre></div>
</code></pre></div>
<p>For L7:</p>
<p>Change line of the file <code class="codehilite">provider/aws/service-l7.yaml</code> replacing the dummy id with a valid one <code class="codehilite">&quot;arn:aws:acm:us-west-2:XXXXXXXX:certificate/XXXXXX-XXXXXXX-XXXXXXX-XXXXXXXX&quot;</code></p>
<p>Check that no change is necessary with regards to the ELB idle timeout. In some scenarios, users may want to modify the ELB idle timeout, so please check the <a href="#elb-idle-timeouts">ELB Idle Timeouts section</a> for additional information. If a change is required, users will need to update the value of <code class="codehilite">service.beta.kubernetes.io/aws-load-balancer-connection-idle-timeout</code> in <code class="codehilite">provider/aws/service-l7.yaml</code></p>
<p>Change line of the file <code class="codehilite"><span class="err">provider/aws/service-l7.yaml</span></code> replacing the dummy id with a valid one <code class="codehilite"><span class="err">&quot;arn:aws:acm:us-west-2:XXXXXXXX:certificate/XXXXXX-XXXXXXX-XXXXXXX-XXXXXXXX&quot;</span></code></p>
<p>Check that no change is necessary with regards to the ELB idle timeout. In some scenarios, users may want to modify the ELB idle timeout, so please check the <a href="#elb-idle-timeouts">ELB Idle Timeouts section</a> for additional information. If a change is required, users will need to update the value of <code class="codehilite"><span class="err">service.beta.kubernetes.io/aws-load-balancer-connection-idle-timeout</span></code> in <code class="codehilite"><span class="err">provider/aws/service-l7.yaml</span></code></p>
<p>Then execute:</p>
<div class="codehilite"><pre><span></span><span class="go">kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/nginx-0.28.0/deploy/static/provider/aws/service-l7.yaml</span>
<div class="codehilite"><pre><span></span><code><span class="go">kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/nginx-0.28.0/deploy/static/provider/aws/service-l7.yaml</span>
<span class="go">kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/nginx-0.28.0/deploy/static/provider/aws/patch-configmap-l7.yaml</span>
</pre></div>
</code></pre></div>
<p>This example creates an ELB with just two listeners, one in port 80 and another in port 443</p>
<p><img alt="Listeners" src="../images/elb-l7-listener.png" /></p>
<h5 id="elb-idle-timeouts">ELB Idle Timeouts<a class="headerlink" href="#elb-idle-timeouts" title="Permanent link"></a></h5>
<p>In some scenarios users will need to modify the value of the ELB idle timeout. Users need to ensure the idle timeout is less than the <a href="http://nginx.org/en/docs/http/ngx_http_core_module.html#keepalive_timeout">keepalive_timeout</a> that is configured for NGINX. By default NGINX <code class="codehilite">keepalive_timeout</code> is set to <code class="codehilite">75s</code>.</p>
<p>The default ELB idle timeout will work for most scenarios, unless the NGINX <a href="http://nginx.org/en/docs/http/ngx_http_core_module.html#keepalive_timeout">keepalive_timeout</a> has been modified, in which case <code class="codehilite">service.beta.kubernetes.io/aws-load-balancer-connection-idle-timeout</code> will need to be modified to ensure it is less than the <code class="codehilite">keepalive_timeout</code> the user has configured.</p>
<p><em>Please Note: An idle timeout of <code class="codehilite">3600s</code> is recommended when using WebSockets.</em></p>
<p>In some scenarios users will need to modify the value of the ELB idle timeout. Users need to ensure the idle timeout is less than the <a href="http://nginx.org/en/docs/http/ngx_http_core_module.html#keepalive_timeout">keepalive_timeout</a> that is configured for NGINX. By default NGINX <code class="codehilite"><span class="err">keepalive_timeout</span></code> is set to <code class="codehilite"><span class="err">75s</span></code>.</p>
<p>The default ELB idle timeout will work for most scenarios, unless the NGINX <a href="http://nginx.org/en/docs/http/ngx_http_core_module.html#keepalive_timeout">keepalive_timeout</a> has been modified, in which case <code class="codehilite"><span class="err">service.beta.kubernetes.io/aws-load-balancer-connection-idle-timeout</span></code> will need to be modified to ensure it is less than the <code class="codehilite"><span class="err">keepalive_timeout</span></code> the user has configured.</p>
<p><em>Please Note: An idle timeout of <code class="codehilite"><span class="err">3600s</span></code> is recommended when using WebSockets.</em></p>
<p>More information with regards to idle timeouts for your Load Balancer can be found in the <a href="https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/config-idle-timeout.html">official AWS documentation</a>.</p>
<h5 id="network-load-balancer-nlb">Network Load Balancer (NLB)<a class="headerlink" href="#network-load-balancer-nlb" title="Permanent link"></a></h5>
<p>This type of load balancer is supported since v1.10.0 as an ALPHA feature.</p>
<div class="codehilite"><pre><span></span><span class="go">kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/nginx-0.28.0/deploy/static/provider/aws/service-nlb.yaml</span>
</pre></div>
<div class="codehilite"><pre><span></span><code><span class="go">kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/nginx-0.28.0/deploy/static/provider/aws/service-nlb.yaml</span>
</code></pre></div>
<h4 id="gce-gke">GCE-GKE<a class="headerlink" href="#gce-gke" title="Permanent link"></a></h4>
<div class="codehilite"><pre><span></span><span class="go">kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/nginx-0.28.0/deploy/static/provider/cloud-generic.yaml</span>
</pre></div>
<div class="codehilite"><pre><span></span><code><span class="go">kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/nginx-0.28.0/deploy/static/provider/cloud-generic.yaml</span>
</code></pre></div>
<p><strong>Important Note:</strong> proxy protocol is not supported in GCE/GKE</p>
<h4 id="azure">Azure<a class="headerlink" href="#azure" title="Permanent link"></a></h4>
<div class="codehilite"><pre><span></span><span class="go">kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/nginx-0.28.0/deploy/static/provider/cloud-generic.yaml</span>
</pre></div>
<div class="codehilite"><pre><span></span><code><span class="go">kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/nginx-0.28.0/deploy/static/provider/cloud-generic.yaml</span>
</code></pre></div>
<h4 id="bare-metal">Bare-metal<a class="headerlink" href="#bare-metal" title="Permanent link"></a></h4>
<p>Using <a href="https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport">NodePort</a>:</p>
<div class="codehilite"><pre><span></span><span class="go">kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/nginx-0.28.0/deploy/static/provider/baremetal/service-nodeport.yaml</span>
</pre></div>
<div class="codehilite"><pre><span></span><code><span class="go">kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/nginx-0.28.0/deploy/static/provider/baremetal/service-nodeport.yaml</span>
</code></pre></div>
<div class="admonition tip">
<p class="admonition-title">Tip</p>
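Review bot: the ELB Idle Timeouts text says the idle timeout must be less than the NGINX `keepalive_timeout`, default `75s`, and then recommends an idle timeout of `3600s` for WebSockets without saying that `keepalive_timeout` has to be raised above it first. Suggest adding that step to the WebSockets note; followed as written, the recommendation breaks the rule stated two paragraphs earlier.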
@ -1555,42 +1555,43 @@ Please check the <a href="https://aws.amazon.com/elasticloadbalancing/details/">
</div>
<h3 id="verify-installation">Verify installation<a class="headerlink" href="#verify-installation" title="Permanent link"></a></h3>
<p>To check if the ingress controller pods have started, run the following command:</p>
<div class="codehilite"><pre><span></span><span class="go">kubectl get pods --all-namespaces -l app.kubernetes.io/name=ingress-nginx --watch</span>
</pre></div>
<div class="codehilite"><pre><span></span><code><span class="go">kubectl get pods --all-namespaces -l app.kubernetes.io/name=ingress-nginx --watch</span>
</code></pre></div>
<p>Once the operator pods are running, you can cancel the above command by typing <code class="codehilite">Ctrl+C</code>.
<p>Once the operator pods are running, you can cancel the above command by typing <code class="codehilite"><span class="err">Ctrl+C</span></code>.
Now, you are ready to create your first ingress.</p>
<h3 id="detect-installed-version">Detect installed version<a class="headerlink" href="#detect-installed-version" title="Permanent link"></a></h3>
<p>To detect which version of the ingress controller is running, exec into the pod and run <code class="codehilite">nginx-ingress-controller version</code> command.</p>
<div class="codehilite"><pre><span></span><span class="go">POD_NAMESPACE=ingress-nginx</span>
<p>To detect which version of the ingress controller is running, exec into the pod and run <code class="codehilite"><span class="err">nginx-ingress-controller version</span></code> command.</p>
<div class="codehilite"><pre><span></span><code><span class="go">POD_NAMESPACE=ingress-nginx</span>
<span class="go">POD_NAME=$(kubectl get pods -n $POD_NAMESPACE -l app.kubernetes.io/name=ingress-nginx -o jsonpath=&#39;{.items[0].metadata.name}&#39;)</span>
<span class="go">kubectl exec -it $POD_NAME -n $POD_NAMESPACE -- /nginx-ingress-controller --version</span>
</pre></div>
</code></pre></div>
<h2 id="using-helm">Using Helm<a class="headerlink" href="#using-helm" title="Permanent link"></a></h2>
<p>NGINX Ingress controller can be installed via <a href="https://helm.sh/">Helm</a> using the chart <a href="https://github.com/kubernetes/charts/tree/master/stable/nginx-ingress">stable/nginx-ingress</a> from the official charts repository.
To install the chart with the release name <code class="codehilite">my-nginx</code>:</p>
<div class="codehilite"><pre><span></span><span class="go">helm install my-nginx stable/nginx-ingress</span>
</pre></div>
To install the chart with the release name <code class="codehilite"><span class="err">my-nginx</span></code>:</p>
<div class="codehilite"><pre><span></span><code><span class="go">helm install my-nginx stable/nginx-ingress</span>
</code></pre></div>
<p>If the kubernetes cluster has RBAC enabled, then run:</p>
<div class="codehilite"><pre><span></span><span class="go">helm install my-nginx stable/nginx-ingress --set rbac.create=true</span>
</pre></div>
<div class="codehilite"><pre><span></span><code><span class="go">helm install my-nginx stable/nginx-ingress --set rbac.create=true</span>
</code></pre></div>
<p>If you are using <a href="https://v2.helm.sh/">Helm 2</a> then specify release name using <code class="codehilite">--name</code> flag</p>
<p><div class="codehilite"><pre><span></span><span class="go">helm install stable/nginx-ingress --name my-nginx</span>
</pre></div>
<p>If you are using <a href="https://v2.helm.sh/">Helm 2</a> then specify release name using <code class="codehilite"><span class="err">--name</span></code> flag</p>
<p><div class="codehilite"><pre><span></span><code><span class="go">helm install stable/nginx-ingress --name my-nginx</span>
</code></pre></div>
or
<div class="codehilite"><pre><span></span><span class="go">helm install stable/nginx-ingress --name my-nginx --set rbac.create=true</span>
</pre></div></p>
<div class="codehilite"><pre><span></span><code><span class="go">helm install stable/nginx-ingress --name my-nginx --set rbac.create=true</span>
</code></pre></div></p>
<p>Detect installed version:</p>
<div class="codehilite"><pre><span></span><span class="go">POD_NAME=$(kubectl get pods -l app.kubernetes.io/name=ingress-nginx -o jsonpath=&#39;{.items[0].metadata.name}&#39;)</span>
<div class="codehilite"><pre><span></span><code><span class="go">POD_NAME=$(kubectl get pods -l app.kubernetes.io/name=ingress-nginx -o jsonpath=&#39;{.items[0].metadata.name}&#39;)</span>
<span class="go">kubectl exec -it $POD_NAME -- /nginx-ingress-controller --version</span>
</pre></div>
</code></pre></div>
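Review bot: under "Detect installed version" the sentence tells the reader to run the `nginx-ingress-controller version` command, but the block below it runs `/nginx-ingress-controller --version`. Suggest making the sentence match the command. In the same hunk, "Once the operator pods are running" refers to what the preceding sentence calls the ingress controller pods; one term for both would avoid confusion.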
@ -1645,9 +1646,9 @@ or
<div class="md-footer-copyright">
powered by
<a href="https://www.mkdocs.org">MkDocs</a>
<a href="https://www.mkdocs.org" target="_blank" rel="noopener">MkDocs</a>
and
<a href="https://squidfunk.github.io/mkdocs-material/">
<a href="https://squidfunk.github.io/mkdocs-material/" target="_blank" rel="noopener">
Material for MkDocs</a>
</div>
@ -1657,7 +1658,7 @@ or
</div>
<script src="../assets/javascripts/application.ac79c3b0.js"></script>
<script src="../assets/javascripts/application.c33a9706.js"></script>
<script>app.initialize({version:"1.0.4",url:{base:".."}})</script>

View file

@ -34,7 +34,7 @@
<meta name="lang:search.tokenizer" content="[\s\-]+">
<link rel="shortcut icon" href="../../assets/images/favicon.png">
<meta name="generator" content="mkdocs-1.0.4, mkdocs-material-4.4.3">
<meta name="generator" content="mkdocs-1.0.4, mkdocs-material-4.6.2">
@ -42,7 +42,7 @@
<link rel="stylesheet" href="../../assets/stylesheets/application.30686662.css">
<link rel="stylesheet" href="../../assets/stylesheets/application.adb8469c.css">
<link rel="stylesheet" href="../../assets/stylesheets/application-palette.a8b3c06d.css">
@ -53,12 +53,12 @@
<script src="../../assets/javascripts/modernizr.74668098.js"></script>
<script src="../../assets/javascripts/modernizr.86422ebf.js"></script>
<link href="https://fonts.gstatic.com" rel="preconnect" crossorigin>
<link rel="stylesheet" href="https://fonts.googleapis.com/css?family=Roboto:300,400,400i,700|Roboto+Mono&display=fallback">
<link rel="stylesheet" href="https://fonts.googleapis.com/css?family=Roboto:300,400,400i,700%7CRoboto+Mono&display=fallback">
<style>body,input{font-family:"Roboto","Helvetica Neue",Helvetica,Arial,sans-serif}code,kbd,pre{font-family:"Roboto Mono","Courier New",Courier,monospace}</style>
@ -114,7 +114,7 @@
<input class="md-toggle" data-md-toggle="search" type="checkbox" id="__search" autocomplete="off">
<label class="md-overlay" data-md-component="overlay" for="__drawer"></label>
<a href="#role-based-access-control-rbac" tabindex="1" class="md-skip">
<a href="#role-based-access-control-rbac" tabindex="0" class="md-skip">
Skip to content
</a>
@ -123,7 +123,7 @@
<nav class="md-header-nav md-grid">
<div class="md-flex">
<div class="md-flex__cell md-flex__cell--shrink">
<a href="https://kubernetes.github.io/ingress-nginx" title="NGINX Ingress Controller" class="md-header-nav__button md-logo">
<a href="https://kubernetes.github.io/ingress-nginx" title="NGINX Ingress Controller" aria-label="NGINX Ingress Controller" class="md-header-nav__button md-logo">
<i class="md-icon">public</i>
@ -154,7 +154,7 @@
<label class="md-search__overlay" for="__search"></label>
<div class="md-search__inner" role="search">
<form class="md-search__form" name="search">
<input type="text" class="md-search__input" name="query" placeholder="Search" autocapitalize="off" autocorrect="off" autocomplete="off" spellcheck="false" data-md-component="query" data-md-state="active">
<input type="text" class="md-search__input" aria-label="search" name="query" placeholder="Search" autocapitalize="off" autocorrect="off" autocomplete="off" spellcheck="false" data-md-component="query" data-md-state="active">
<label class="md-icon md-search__icon" for="__search"></label>
<button type="reset" class="md-icon md-search__icon" data-md-component="reset" tabindex="-1">
&#xE5CD;
@ -1280,40 +1280,40 @@
<p>This example applies to nginx-ingress-controllers being deployed in an environment with RBAC enabled.</p>
<p>Role Based Access Control is comprised of four layers:</p>
<ol>
<li><code class="codehilite">ClusterRole</code> - permissions assigned to a role that apply to an entire cluster</li>
<li><code class="codehilite">ClusterRoleBinding</code> - binding a ClusterRole to a specific account</li>
<li><code class="codehilite">Role</code> - permissions assigned to a role that apply to a specific namespace</li>
<li><code class="codehilite">RoleBinding</code> - binding a Role to a specific account</li>
<li><code class="codehilite"><span class="err">ClusterRole</span></code> - permissions assigned to a role that apply to an entire cluster</li>
<li><code class="codehilite"><span class="err">ClusterRoleBinding</span></code> - binding a ClusterRole to a specific account</li>
<li><code class="codehilite"><span class="err">Role</span></code> - permissions assigned to a role that apply to a specific namespace</li>
<li><code class="codehilite"><span class="err">RoleBinding</span></code> - binding a Role to a specific account</li>
</ol>
<p>In order for RBAC to be applied to an nginx-ingress-controller, that controller
should be assigned to a <code class="codehilite">ServiceAccount</code>. That <code class="codehilite">ServiceAccount</code> should be
bound to the <code class="codehilite">Role</code>s and <code class="codehilite">ClusterRole</code>s defined for the nginx-ingress-controller.</p>
should be assigned to a <code class="codehilite"><span class="err">ServiceAccount</span></code>. That <code class="codehilite"><span class="err">ServiceAccount</span></code> should be
bound to the <code class="codehilite"><span class="err">Role</span></code>s and <code class="codehilite"><span class="err">ClusterRole</span></code>s defined for the nginx-ingress-controller.</p>
<h2 id="service-accounts-created-in-this-example">Service Accounts created in this example<a class="headerlink" href="#service-accounts-created-in-this-example" title="Permanent link"></a></h2>
<p>One ServiceAccount is created in this example, <code class="codehilite">nginx-ingress-serviceaccount</code>.</p>
<p>One ServiceAccount is created in this example, <code class="codehilite"><span class="err">nginx-ingress-serviceaccount</span></code>.</p>
<h2 id="permissions-granted-in-this-example">Permissions Granted in this example<a class="headerlink" href="#permissions-granted-in-this-example" title="Permanent link"></a></h2>
<p>There are two sets of permissions defined in this example. Cluster-wide
permissions defined by the <code class="codehilite">ClusterRole</code> named <code class="codehilite">nginx-ingress-clusterrole</code>, and
namespace specific permissions defined by the <code class="codehilite">Role</code> named <code class="codehilite">nginx-ingress-role</code>.</p>
permissions defined by the <code class="codehilite"><span class="err">ClusterRole</span></code> named <code class="codehilite"><span class="err">nginx-ingress-clusterrole</span></code>, and
namespace specific permissions defined by the <code class="codehilite"><span class="err">Role</span></code> named <code class="codehilite"><span class="err">nginx-ingress-role</span></code>.</p>
<h3 id="cluster-permissions">Cluster Permissions<a class="headerlink" href="#cluster-permissions" title="Permanent link"></a></h3>
<p>These permissions are granted in order for the nginx-ingress-controller to be
able to function as an ingress across the cluster. These permissions are
granted to the ClusterRole named <code class="codehilite">nginx-ingress-clusterrole</code></p>
granted to the ClusterRole named <code class="codehilite"><span class="err">nginx-ingress-clusterrole</span></code></p>
<ul>
<li><code class="codehilite">configmaps</code>, <code class="codehilite">endpoints</code>, <code class="codehilite">nodes</code>, <code class="codehilite">pods</code>, <code class="codehilite">secrets</code>: list, watch</li>
<li><code class="codehilite">nodes</code>: get</li>
<li><code class="codehilite">services</code>, <code class="codehilite">ingresses</code>: get, list, watch</li>
<li><code class="codehilite">events</code>: create, patch</li>
<li><code class="codehilite">ingresses/status</code>: update</li>
<li><code class="codehilite"><span class="err">configmaps</span></code>, <code class="codehilite"><span class="err">endpoints</span></code>, <code class="codehilite"><span class="err">nodes</span></code>, <code class="codehilite"><span class="err">pods</span></code>, <code class="codehilite"><span class="err">secrets</span></code>: list, watch</li>
<li><code class="codehilite"><span class="err">nodes</span></code>: get</li>
<li><code class="codehilite"><span class="err">services</span></code>, <code class="codehilite"><span class="err">ingresses</span></code>: get, list, watch</li>
<li><code class="codehilite"><span class="err">events</span></code>: create, patch</li>
<li><code class="codehilite"><span class="err">ingresses/status</span></code>: update</li>
</ul>
<h3 id="namespace-permissions">Namespace Permissions<a class="headerlink" href="#namespace-permissions" title="Permanent link"></a></h3>
<p>These permissions are granted specific to the nginx-ingress namespace. These
permissions are granted to the Role named <code class="codehilite">nginx-ingress-role</code></p>
permissions are granted to the Role named <code class="codehilite"><span class="err">nginx-ingress-role</span></code></p>
<ul>
<li><code class="codehilite">configmaps</code>, <code class="codehilite">pods</code>, <code class="codehilite">secrets</code>: get</li>
<li><code class="codehilite">endpoints</code>: get</li>
<li><code class="codehilite"><span class="err">configmaps</span></code>, <code class="codehilite"><span class="err">pods</span></code>, <code class="codehilite"><span class="err">secrets</span></code>: get</li>
<li><code class="codehilite"><span class="err">endpoints</span></code>: get</li>
</ul>
<p>Furthermore to support leader-election, the nginx-ingress-controller needs to
have access to a <code class="codehilite">configmap</code> using the resourceName <code class="codehilite">ingress-controller-leader-nginx</code></p>
have access to a <code class="codehilite"><span class="err">configmap</span></code> using the resourceName <code class="codehilite"><span class="err">ingress-controller-leader-nginx</span></code></p>
<blockquote>
<p>Note that resourceNames can NOT be used to limit requests using the “create”
verb because authorizers only have access to information that can be obtained
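Review bot: Every inline `<code class="codehilite">` in this hunk now wraps its text in `<span class="err">`, which is the class Pygments gives to tokens it could not lex, so plain identifiers such as `ClusterRole`, `secrets` and `nginx-ingress-serviceaccount` are being emitted as lexer errors. Depending on the stylesheet this can show RBAC resource names as highlighted errors. Check the inline-code highlighting settings in the docs build so that these are emitted as plain code before the generated HTML is deployed.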
@ -1321,27 +1321,28 @@ from the request URL, method, and headers (resource names in a “create” requ
are part of the request body).</p>
</blockquote>
<ul>
<li><code class="codehilite">configmaps</code>: get, update (for resourceName <code class="codehilite">ingress-controller-leader-nginx</code>)</li>
<li><code class="codehilite">configmaps</code>: create</li>
<li><code class="codehilite"><span class="err">configmaps</span></code>: get, update (for resourceName <code class="codehilite"><span class="err">ingress-controller-leader-nginx</span></code>)</li>
<li><code class="codehilite"><span class="err">configmaps</span></code>: create</li>
</ul>
<p>This resourceName is the concatenation of the <code class="codehilite">election-id</code> and the
<code class="codehilite">ingress-class</code> as defined by the ingress-controller, which defaults to:</p>
<p>This resourceName is the concatenation of the <code class="codehilite"><span class="err">election-id</span></code> and the
<code class="codehilite"><span class="err">ingress-class</span></code> as defined by the ingress-controller, which defaults to:</p>
<ul>
<li><code class="codehilite">election-id</code>: <code class="codehilite">ingress-controller-leader</code></li>
<li><code class="codehilite">ingress-class</code>: <code class="codehilite">nginx</code></li>
<li><code class="codehilite">resourceName</code> : <code class="codehilite">&lt;election-id&gt;-&lt;ingress-class&gt;</code></li>
<li><code class="codehilite"><span class="err">election-id</span></code>: <code class="codehilite"><span class="err">ingress-controller-leader</span></code></li>
<li><code class="codehilite"><span class="err">ingress-class</span></code>: <code class="codehilite"><span class="err">nginx</span></code></li>
<li><code class="codehilite"><span class="err">resourceName</span></code> : <code class="codehilite"><span class="err">&lt;election-id&gt;-&lt;ingress-class&gt;</span></code></li>
</ul>
<p>Please adapt accordingly if you overwrite either parameter when launching the
nginx-ingress-controller.</p>
<h3 id="bindings">Bindings<a class="headerlink" href="#bindings" title="Permanent link"></a></h3>
<p>The ServiceAccount <code class="codehilite">nginx-ingress-serviceaccount</code> is bound to the Role
<code class="codehilite">nginx-ingress-role</code> and the ClusterRole <code class="codehilite">nginx-ingress-clusterrole</code>.</p>
<p>The ServiceAccount <code class="codehilite"><span class="err">nginx-ingress-serviceaccount</span></code> is bound to the Role
<code class="codehilite"><span class="err">nginx-ingress-role</span></code> and the ClusterRole <code class="codehilite"><span class="err">nginx-ingress-clusterrole</span></code>.</p>
<p>The serviceAccountName associated with the containers in the deployment must
match the serviceAccount. The namespace references in the Deployment metadata,
container arguments, and POD_NAMESPACE should be in the nginx-ingress namespace.</p>
@ -1396,9 +1397,9 @@ container arguments, and POD_NAMESPACE should be in the nginx-ingress namespace.
<div class="md-footer-copyright">
powered by
<a href="https://www.mkdocs.org">MkDocs</a>
<a href="https://www.mkdocs.org" target="_blank" rel="noopener">MkDocs</a>
and
<a href="https://squidfunk.github.io/mkdocs-material/">
<a href="https://squidfunk.github.io/mkdocs-material/" target="_blank" rel="noopener">
Material for MkDocs</a>
</div>
@ -1408,7 +1409,7 @@ container arguments, and POD_NAMESPACE should be in the nginx-ingress namespace.
</div>
<script src="../../assets/javascripts/application.ac79c3b0.js"></script>
<script src="../../assets/javascripts/application.c33a9706.js"></script>
<script>app.initialize({version:"1.0.4",url:{base:"../.."}})</script>

View file

@ -34,7 +34,7 @@
<meta name="lang:search.tokenizer" content="[\s\-]+">
<link rel="shortcut icon" href="../../assets/images/favicon.png">
<meta name="generator" content="mkdocs-1.0.4, mkdocs-material-4.4.3">
<meta name="generator" content="mkdocs-1.0.4, mkdocs-material-4.6.2">
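Review bot: The generator tag moves from `mkdocs-material-4.4.3` to `mkdocs-material-4.6.2` while `mkdocs-1.0.4` stays fixed, so the markup churn in the rest of this deploy comes from a theme upgrade rather than from a content change. If the docs build does not pin the theme version, pin it so that bot-driven deploys only change the published HTML when the sources or an explicit version bump do.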
@ -42,7 +42,7 @@
<link rel="stylesheet" href="../../assets/stylesheets/application.30686662.css">
<link rel="stylesheet" href="../../assets/stylesheets/application.adb8469c.css">
<link rel="stylesheet" href="../../assets/stylesheets/application-palette.a8b3c06d.css">
@ -53,12 +53,12 @@
<script src="../../assets/javascripts/modernizr.74668098.js"></script>
<script src="../../assets/javascripts/modernizr.86422ebf.js"></script>
<link href="https://fonts.gstatic.com" rel="preconnect" crossorigin>
<link rel="stylesheet" href="https://fonts.googleapis.com/css?family=Roboto:300,400,400i,700|Roboto+Mono&display=fallback">
<link rel="stylesheet" href="https://fonts.googleapis.com/css?family=Roboto:300,400,400i,700%7CRoboto+Mono&display=fallback">
<style>body,input{font-family:"Roboto","Helvetica Neue",Helvetica,Arial,sans-serif}code,kbd,pre{font-family:"Roboto Mono","Courier New",Courier,monospace}</style>
@ -114,7 +114,7 @@
<input class="md-toggle" data-md-toggle="search" type="checkbox" id="__search" autocomplete="off">
<label class="md-overlay" data-md-component="overlay" for="__drawer"></label>
<a href="#upgrading" tabindex="1" class="md-skip">
<a href="#upgrading" tabindex="0" class="md-skip">
Skip to content
</a>
@ -123,7 +123,7 @@
<nav class="md-header-nav md-grid">
<div class="md-flex">
<div class="md-flex__cell md-flex__cell--shrink">
<a href="https://kubernetes.github.io/ingress-nginx" title="NGINX Ingress Controller" class="md-header-nav__button md-logo">
<a href="https://kubernetes.github.io/ingress-nginx" title="NGINX Ingress Controller" aria-label="NGINX Ingress Controller" class="md-header-nav__button md-logo">
<i class="md-icon">public</i>
@ -154,7 +154,7 @@
<label class="md-search__overlay" for="__search"></label>
<div class="md-search__inner" role="search">
<form class="md-search__form" name="search">
<input type="text" class="md-search__input" name="query" placeholder="Search" autocapitalize="off" autocorrect="off" autocomplete="off" spellcheck="false" data-md-component="query" data-md-state="active">
<input type="text" class="md-search__input" aria-label="search" name="query" placeholder="Search" autocapitalize="off" autocorrect="off" autocomplete="off" spellcheck="false" data-md-component="query" data-md-state="active">
<label class="md-icon md-search__icon" for="__search"></label>
<button type="reset" class="md-icon md-search__icon" data-md-component="reset" tabindex="-1">
&#xE5CD;
@ -1217,7 +1217,7 @@ make sure your templates are compatible with the new version of ingress-nginx</e
<p>To upgrade your ingress-nginx installation, it should be enough to change the version of the image
in the controller Deployment.</p>
<p>I.e. if your deployment resource looks like (partial example):</p>
<div class="codehilite"><pre><span></span><span class="nt">kind</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">Deployment</span>
<div class="codehilite"><pre><span></span><code><span class="nt">kind</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">Deployment</span>
<span class="nt">metadata</span><span class="p">:</span>
<span class="nt">name</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">nginx-ingress-controller</span>
<span class="nt">namespace</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">ingress-nginx</span>
@ -1231,23 +1231,24 @@ in the controller Deployment.</p>
<span class="p p-Indicator">-</span> <span class="nt">name</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">nginx-ingress-controller</span>
<span class="nt">image</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">quay.io/kubernetes-ingress-controller/nginx-ingress-controller:0.9.0</span>
<span class="nt">args</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">...</span>
</pre></div>
</code></pre></div>
<p>simply change the <code class="codehilite">0.9.0</code> tag to the version you wish to upgrade to.
<p>simply change the <code class="codehilite"><span class="err">0.9.0</span></code> tag to the version you wish to upgrade to.
The easiest way to do this is e.g. (do note you may need to change the name parameter according to your installation):</p>
<div class="codehilite"><pre><span></span>kubectl set image deployment/nginx-ingress-controller \
nginx-ingress-controller=quay.io/kubernetes-ingress-controller/nginx-ingress-controller:0.28.0
</pre></div>
<div class="codehilite"><pre><span></span><code><span class="err">kubectl set image deployment/nginx-ingress-controller \</span>
<span class="err"> nginx-ingress-controller=quay.io/kubernetes-ingress-controller/nginx-ingress-controller:0.28.0</span>
</code></pre></div>
<p>For interactive editing, use <code class="codehilite">kubectl edit deployment nginx-ingress-controller</code>.</p>
<p>For interactive editing, use <code class="codehilite"><span class="err">kubectl edit deployment nginx-ingress-controller</span></code>.</p>
<h2 id="with-helm">With Helm<a class="headerlink" href="#with-helm" title="Permanent link"></a></h2>
<p>If you installed ingress-nginx using the Helm command in the deployment docs so its name is <code class="codehilite">ngx-ingress</code>,
<p>If you installed ingress-nginx using the Helm command in the deployment docs so its name is <code class="codehilite"><span class="err">ngx-ingress</span></code>,
you should be able to upgrade using</p>
<div class="codehilite"><pre><span></span>helm upgrade --reuse-values ngx-ingress stable/nginx-ingress
</pre></div>
<div class="codehilite"><pre><span></span><code>helm upgrade --reuse-values ngx-ingress stable/nginx-ingress
</code></pre></div>
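Review bot: The two command blocks in this hunk are now rendered inconsistently: each line of the `kubectl set image` block is wrapped in `<span class="err">`, while the `helm upgrade` block is left as plain text inside `<code>`. That points to the code fences in the markdown source having no language, leaving the highlighter to guess. Tag both fences with a shell language in the source so the commands render the same way and are not marked as lexer errors.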
@ -1302,9 +1303,9 @@ you should be able to upgrade using</p>
<div class="md-footer-copyright">
powered by
<a href="https://www.mkdocs.org">MkDocs</a>
<a href="https://www.mkdocs.org" target="_blank" rel="noopener">MkDocs</a>
and
<a href="https://squidfunk.github.io/mkdocs-material/">
<a href="https://squidfunk.github.io/mkdocs-material/" target="_blank" rel="noopener">
Material for MkDocs</a>
</div>
@ -1314,7 +1315,7 @@ you should be able to upgrade using</p>
</div>
<script src="../../assets/javascripts/application.ac79c3b0.js"></script>
<script src="../../assets/javascripts/application.c33a9706.js"></script>
<script>app.initialize({version:"1.0.4",url:{base:"../.."}})</script>

View file

@ -34,7 +34,7 @@
<meta name="lang:search.tokenizer" content="[\s\-]+">
<link rel="shortcut icon" href="../../assets/images/favicon.png">
<meta name="generator" content="mkdocs-1.0.4, mkdocs-material-4.4.3">
<meta name="generator" content="mkdocs-1.0.4, mkdocs-material-4.6.2">
@ -42,7 +42,7 @@
<link rel="stylesheet" href="../../assets/stylesheets/application.30686662.css">
<link rel="stylesheet" href="../../assets/stylesheets/application.adb8469c.css">
<link rel="stylesheet" href="../../assets/stylesheets/application-palette.a8b3c06d.css">
@ -53,12 +53,12 @@
<script src="../../assets/javascripts/modernizr.74668098.js"></script>
<script src="../../assets/javascripts/modernizr.86422ebf.js"></script>
<link href="https://fonts.gstatic.com" rel="preconnect" crossorigin>
<link rel="stylesheet" href="https://fonts.googleapis.com/css?family=Roboto:300,400,400i,700|Roboto+Mono&display=fallback">
<link rel="stylesheet" href="https://fonts.googleapis.com/css?family=Roboto:300,400,400i,700%7CRoboto+Mono&display=fallback">
<style>body,input{font-family:"Roboto","Helvetica Neue",Helvetica,Arial,sans-serif}code,kbd,pre{font-family:"Roboto Mono","Courier New",Courier,monospace}</style>
@ -114,7 +114,7 @@
<input class="md-toggle" data-md-toggle="search" type="checkbox" id="__search" autocomplete="off">
<label class="md-overlay" data-md-component="overlay" for="__drawer"></label>
<a href="#validating-webhook-admission-controller" tabindex="1" class="md-skip">
<a href="#validating-webhook-admission-controller" tabindex="0" class="md-skip">
Skip to content
</a>
@ -123,7 +123,7 @@
<nav class="md-header-nav md-grid">
<div class="md-flex">
<div class="md-flex__cell md-flex__cell--shrink">
<a href="https://kubernetes.github.io/ingress-nginx" title="NGINX Ingress Controller" class="md-header-nav__button md-logo">
<a href="https://kubernetes.github.io/ingress-nginx" title="NGINX Ingress Controller" aria-label="NGINX Ingress Controller" class="md-header-nav__button md-logo">
<i class="md-icon">public</i>
@ -154,7 +154,7 @@
<label class="md-search__overlay" for="__search"></label>
<div class="md-search__inner" role="search">
<form class="md-search__form" name="search">
<input type="text" class="md-search__input" name="query" placeholder="Search" autocapitalize="off" autocorrect="off" autocomplete="off" spellcheck="false" data-md-component="query" data-md-state="active">
<input type="text" class="md-search__input" aria-label="search" name="query" placeholder="Search" autocapitalize="off" autocorrect="off" autocomplete="off" spellcheck="false" data-md-component="query" data-md-state="active">
<label class="md-icon md-search__icon" for="__search"></label>
<button type="reset" class="md-icon md-search__icon" data-md-component="reset" tabindex="-1">
&#xE5CD;
@ -1352,16 +1352,16 @@
<p>Validating webhook must be served using TLS, you need to generate a certificate. Note that kube API server is checking the hostname of the certificate, the common name of your certificate will need to match the service name.</p>
<div class="admonition example">
<p class="admonition-title">Example</p>
<p>To run the validating webhook with a service named <code class="codehilite">ingress-validation-webhook</code> in the namespace <code class="codehilite">ingress-nginx</code>, run</p>
<div class="codehilite"><pre><span></span>openssl req -x509 -newkey rsa:2048 -keyout certificate.pem -out key.pem -days <span class="m">365</span> -nodes -subj <span class="s2">&quot;/CN=ingress-validation-webhook.ingress-nginx.svc&quot;</span>
</pre></div>
<p>To run the validating webhook with a service named <code class="codehilite"><span class="err">ingress-validation-webhook</span></code> in the namespace <code class="codehilite"><span class="err">ingress-nginx</span></code>, run</p>
<div class="codehilite"><pre><span></span><code>openssl req -x509 -newkey rsa:2048 -keyout certificate.pem -out key.pem -days <span class="m">365</span> -nodes -subj <span class="s2">&quot;/CN=ingress-validation-webhook.ingress-nginx.svc&quot;</span>
</code></pre></div>
</div>
<h5 id="using-kubernetes-ca">Using Kubernetes CA<a class="headerlink" href="#using-kubernetes-ca" title="Permanent link"></a></h5>
<p>Kubernetes also provides primitives to sign a certificate request. Here is an example on how to use it</p>
<div class="admonition example">
<p class="admonition-title">Example</p>
<div class="codehilite"><pre><span></span><span class="ch">#!/bin/bash</span>
<div class="codehilite"><pre><span></span><code><span class="ch">#!/bin/bash</span>
<span class="nv">SERVICE_NAME</span><span class="o">=</span>ingress-nginx
<span class="nv">NAMESPACE</span><span class="o">=</span>ingress-nginx
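Review bot: The regenerated openssl example still has its output names swapped: `-keyout certificate.pem -out key.pem` writes the private key to certificate.pem and the certificate to key.pem. A reader who follows it and then maps the files by name to `--validating-webhook-certificate` and `--validating-webhook-key` will hand the controller the wrong file for each flag. Change it in the markdown source to `-keyout key.pem -out certificate.pem`.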
@ -1423,17 +1423,17 @@ kubectl create secret generic ingress-nginx.svc <span class="se">\</span>
--from-file<span class="o">=</span>key.pem<span class="o">=</span><span class="si">${</span><span class="nv">TEMP_DIRECTORY</span><span class="si">}</span>/server-key.pem <span class="se">\</span>
--from-file<span class="o">=</span>cert.pem<span class="o">=</span><span class="si">${</span><span class="nv">TEMP_DIRECTORY</span><span class="si">}</span>/server-cert.pem <span class="se">\</span>
-n <span class="si">${</span><span class="nv">NAMESPACE</span><span class="si">}</span>
</pre></div>
</code></pre></div>
</div>
<h4 id="using-helm">Using helm<a class="headerlink" href="#using-helm" title="Permanent link"></a></h4>
<p>To generate the certificate using helm, you can use the following snippet</p>
<div class="admonition example">
<p class="admonition-title">Example</p>
<div class="codehilite"><pre><span></span><span class="cp">{{</span><span class="o">-</span> <span class="err">$</span><span class="nv">cn</span> <span class="o">:=</span> <span class="nv">printf</span> <span class="s2">&quot;%s.%s.svc&quot;</span> <span class="o">(</span> <span class="nv">include</span> <span class="s2">&quot;nginx-ingress.validatingWebhook.fullname&quot;</span> <span class="err">.</span> <span class="o">)</span> <span class="nv">.Release.Namespace</span> <span class="cp">}}</span><span class="x"></span>
<div class="codehilite"><pre><span></span><code><span class="cp">{{</span><span class="o">-</span> <span class="err">$</span><span class="nv">cn</span> <span class="o">:=</span> <span class="nv">printf</span> <span class="s2">&quot;%s.%s.svc&quot;</span> <span class="o">(</span> <span class="nv">include</span> <span class="s2">&quot;nginx-ingress.validatingWebhook.fullname&quot;</span> <span class="err">.</span> <span class="o">)</span> <span class="nv">.Release.Namespace</span> <span class="cp">}}</span><span class="x"></span>
<span class="cp">{{</span><span class="o">-</span> <span class="err">$</span><span class="nv">ca</span> <span class="o">:=</span> <span class="nv">genCA</span> <span class="o">(</span><span class="nv">printf</span> <span class="s2">&quot;%s-ca&quot;</span> <span class="o">(</span> <span class="nv">include</span> <span class="s2">&quot;nginx-ingress.validatingWebhook.fullname&quot;</span> <span class="err">.</span> <span class="o">))</span> <span class="nv">.Values.validatingWebhook.certificateValidity</span> -<span class="cp">}}</span><span class="x"></span>
<span class="cp">{{</span><span class="o">-</span> <span class="err">$</span><span class="nv">cert</span> <span class="o">:=</span> <span class="nv">genSignedCert</span> <span class="err">$</span><span class="nv">cn</span> <span class="nv">nil</span> <span class="nv">nil</span> <span class="nv">.Values.validatingWebhook.certificateValidity</span> <span class="err">$</span><span class="nv">ca</span> -<span class="cp">}}</span><span class="x"></span>
</pre></div>
</code></pre></div>
</div>
<h3 id="ingress-controller-flags">Ingress controller flags<a class="headerlink" href="#ingress-controller-flags" title="Permanent link"></a></h3>
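Review bot: In the helm snippet, `genSignedCert $cn nil nil ...` passes `nil` for both the IP list and the alternate DNS names, so the service name ends up only in the certificate's common name. The page itself says the API server checks the hostname of the certificate, and TLS clients increasingly match on subjectAltName rather than CN, so the source example should pass the name as an alternate DNS name too, for example `(list $cn)` as the third argument.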
@ -1448,19 +1448,19 @@ kubectl create secret generic ingress-nginx.svc <span class="se">\</span>
</thead>
<tbody>
<tr>
<td><code class="codehilite">--validating-webhook</code></td>
<td><code class="codehilite"><span class="err">--validating-webhook</span></code></td>
<td>The address to start an admission controller on</td>
<td><code class="codehilite">:8080</code></td>
<td><code class="codehilite"><span class="err">:8080</span></code></td>
</tr>
<tr>
<td><code class="codehilite">--validating-webhook-certificate</code></td>
<td><code class="codehilite"><span class="err">--validating-webhook-certificate</span></code></td>
<td>The certificate the webhook is using for its TLS handling</td>
<td><code class="codehilite">/usr/local/certificates/validating-webhook.pem</code></td>
<td><code class="codehilite"><span class="err">/usr/local/certificates/validating-webhook.pem</span></code></td>
</tr>
<tr>
<td><code class="codehilite">--validating-webhook-key</code></td>
<td><code class="codehilite"><span class="err">--validating-webhook-key</span></code></td>
<td>The key the webhook is using for its TLS handling</td>
<td><code class="codehilite">/usr/local/certificates/validating-webhook-key.pem</code></td>
<td><code class="codehilite"><span class="err">/usr/local/certificates/validating-webhook-key.pem</span></code></td>
</tr>
</tbody>
</table>
@ -1469,7 +1469,7 @@ kubectl create secret generic ingress-nginx.svc <span class="se">\</span>
To check that your kube API server runs with the required flags, please refer to the <a href="https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#validatingadmissionwebhook">kubernetes</a> documentation.</p>
<h3 id="additional-kubernetes-objects">Additional kubernetes objects<a class="headerlink" href="#additional-kubernetes-objects" title="Permanent link"></a></h3>
<p>Once both the ingress controller and the kube API server are configured to serve the webhook, add the you can configure the webhook with the following objects:</p>
<div class="codehilite"><pre><span></span><span class="nt">apiVersion</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">v1</span>
<div class="codehilite"><pre><span></span><code><span class="nt">apiVersion</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">v1</span>
<span class="nt">kind</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">Service</span>
<span class="nt">metadata</span><span class="p">:</span>
<span class="nt">name</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">ingress-validation-webhook</span>
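Review bot: The context sentence above the YAML block reads "add the you can configure the webhook with the following objects"; the stray "add the" is left over from an earlier edit. Fix it in the markdown source so that it reads "you can configure the webhook with the following objects", since this generated page will be overwritten by the next deploy.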
@ -1507,10 +1507,11 @@ To check that your kube API server runs with the required flags, please refer to
<span class="nt">name</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">ingress-validation-webhook</span>
<span class="nt">path</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">/networking.k8s.io/v1beta1/ingress</span>
<span class="nt">caBundle</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">&lt;pem encoded ca cert that signs the server cert used by the webhook&gt;</span>
</pre></div>
</code></pre></div>
@ -1565,9 +1566,9 @@ To check that your kube API server runs with the required flags, please refer to
<div class="md-footer-copyright">
powered by
<a href="https://www.mkdocs.org">MkDocs</a>
<a href="https://www.mkdocs.org" target="_blank" rel="noopener">MkDocs</a>
and
<a href="https://squidfunk.github.io/mkdocs-material/">
<a href="https://squidfunk.github.io/mkdocs-material/" target="_blank" rel="noopener">
Material for MkDocs</a>
</div>
@ -1577,7 +1578,7 @@ To check that your kube API server runs with the required flags, please refer to
</div>
<script src="../../assets/javascripts/application.ac79c3b0.js"></script>
<script src="../../assets/javascripts/application.c33a9706.js"></script>
<script>app.initialize({version:"1.0.4",url:{base:"../.."}})</script>