From b9fdda43c3f525844e7f6484710ed6c694a7150c Mon Sep 17 00:00:00 2001
From: Keita Mochizuki <37737691+mochizuki875@users.noreply.github.com>
Date: Wed, 22 May 2024 19:11:57 +0900
Subject: [PATCH] [ingress-nginx] Fix nginx controller leader election RBAC permissions (#10569) (#11219)
Co-authored-by: Mohamed Omar Zaian
---
 .../ds-ingress-nginx-controller.yml.j2 | 1 +
 .../templates/role-ingress-nginx.yml.j2 | 18 ++++++------------
 2 files changed, 7 insertions(+), 12 deletions(-)
diff --git a/roles/kubernetes-apps/ingress_controller/ingress_nginx/templates/ds-ingress-nginx-controller.yml.j2 b/roles/kubernetes-apps/ingress_controller/ingress_nginx/templates/ds-ingress-nginx-controller.yml.j2
index 70e4ea0ea..7f419350b 100644
--- a/roles/kubernetes-apps/ingress_controller/ingress_nginx/templates/ds-ingress-nginx-controller.yml.j2
+++ b/roles/kubernetes-apps/ingress_controller/ingress_nginx/templates/ds-ingress-nginx-controller.yml.j2
@@ -48,6 +48,7 @@ spec:
 args:
 - /nginx-ingress-controller
 - --configmap=$(POD_NAMESPACE)/ingress-nginx
+ - --election-id=ingress-controller-leader-{{ ingress_nginx_class }}
 - --tcp-services-configmap=$(POD_NAMESPACE)/tcp-services
 - --udp-services-configmap=$(POD_NAMESPACE)/udp-services
 - --annotations-prefix=nginx.ingress.kubernetes.io
diff --git a/roles/kubernetes-apps/ingress_controller/ingress_nginx/templates/role-ingress-nginx.yml.j2 b/roles/kubernetes-apps/ingress_controller/ingress_nginx/templates/role-ingress-nginx.yml.j2
index 6c4b1c13f..427acbb76 100644
--- a/roles/kubernetes-apps/ingress_controller/ingress_nginx/templates/role-ingress-nginx.yml.j2
+++ b/roles/kubernetes-apps/ingress_controller/ingress_nginx/templates/role-ingress-nginx.yml.j2
@@ -28,23 +28,17 @@ rules:
 verbs: ["get", "list", "watch"]
 - apiGroups: ["coordination.k8s.io"]
 resources: ["leases"]
- # Defaults to "-"
- # Here: "-"
- # This has to be adapted if you change either parameter
- # when launching the nginx-ingress-controller.
+ # Defaults to "", defined in
+ # ds-ingress-nginx-controller.yml.js
+ # by a command-line argument.
+ #
+ # This is the correct behaviour for ingress-controller
+ # version 1.8.1
 resourceNames: ["ingress-controller-leader-{{ ingress_nginx_class }}"]
 verbs: ["get", "update"]
 - apiGroups: [""]
 resources: ["events"]
 verbs: ["create", "patch"]
- - apiGroups: ["coordination.k8s.io"]
- resources: ["leases"]
- # Defaults to "-"
- # Here: "-"
- # This has to be adapted if you change either parameter
- # when launching the nginx-ingress-controller.
- resourceNames: ["ingress-controller-leader-{{ ingress_nginx_class }}"]
- verbs: ["get", "update"]
 - apiGroups: ["coordination.k8s.io"]
 resources: ["leases"]
 verbs: ["create"]
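Review bot: The new comment above `resourceNames` points to `ds-ingress-nginx-controller.yml.js`, but the template this commit edits is `ds-ingress-nginx-controller.yml.j2`, so the pointer to where the election ID is set is wrong. It also drops the old comment's warning, which still holds: the lease name here must equal the `--election-id` value, otherwise the scoped `get`/`update` is denied by RBAC and leader election fails. I would replace it with `# Must equal --election-id in ds-ingress-nginx-controller.yml.j2` and drop the `version 1.8.1` line, which will go stale. The string `ingress-controller-leader-{{ ingress_nginx_class }}` now lives in both templates; deriving both from one variable would keep the rule narrowly scoped without the risk of drift. The rules list starts and ends outside the hunk.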