--- apiVersion: apps/v1 kind: DaemonSet metadata: name: ingress-nginx-controller namespace: {{ ingress_nginx_namespace }} labels: app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx spec: selector: matchLabels: app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx template: metadata: labels: app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx annotations: prometheus.io/port: "10254" prometheus.io/scrape: "true" spec: serviceAccountName: ingress-nginx terminationGracePeriodSeconds: {{ ingress_nginx_termination_grace_period_seconds }} {% if ingress_nginx_opentelemetry_enabled %} initContainers: - name: opentelemetry command: - /init_module image: {{ ingress_nginx_opentelemetry_image_repo }}:{{ ingress_nginx_opentelemetry_image_tag }} securityContext: runAsNonRoot: true runAsUser: 65532 allowPrivilegeEscalation: false seccompProfile: type: RuntimeDefault capabilities: drop: - ALL readOnlyRootFilesystem: true volumeMounts: - mountPath: /modules_mount name: modules {% endif %} {% if ingress_nginx_host_network %} hostNetwork: true dnsPolicy: ClusterFirstWithHostNet {% endif %} {% if ingress_nginx_nodeselector %} nodeSelector: {{ ingress_nginx_nodeselector | to_nice_yaml | indent(width=8) }} {%- endif %} {% if ingress_nginx_tolerations %} tolerations: {{ ingress_nginx_tolerations | to_nice_yaml(indent=2) | indent(width=8) }} {% endif %} priorityClassName: {% if ingress_nginx_namespace == 'kube-system' %}system-node-critical{% else %}k8s-cluster-critical{% endif %}{{ '' }} containers: - name: ingress-nginx-controller image: {{ ingress_nginx_controller_image_repo }}:{{ ingress_nginx_controller_image_tag }} imagePullPolicy: {{ k8s_image_pull_policy }} lifecycle: preStop: exec: command: - /wait-shutdown args: - /nginx-ingress-controller - --configmap=$(POD_NAMESPACE)/ingress-nginx - --election-id=ingress-controller-leader-{{ ingress_nginx_class }} - --tcp-services-configmap=$(POD_NAMESPACE)/tcp-services - --udp-services-configmap=$(POD_NAMESPACE)/udp-services - --annotations-prefix=nginx.ingress.kubernetes.io - --ingress-class={{ ingress_nginx_class }} {% if ingress_nginx_without_class %} - --watch-ingress-without-class=true {% endif %} {% if ingress_nginx_host_network %} - --report-node-internal-ip-address {% endif %} {% if ingress_publish_status_address != "" %} - --publish-status-address={{ ingress_publish_status_address }} {% endif %} {% for extra_arg in ingress_nginx_extra_args %} - {{ extra_arg }} {% endfor %} {% if ingress_nginx_webhook_enabled %} - --validating-webhook=:8443 - --validating-webhook-certificate=/usr/local/certificates/cert - --validating-webhook-key=/usr/local/certificates/key {% endif %} securityContext: capabilities: drop: - ALL add: - NET_BIND_SERVICE # www-data -> 101 runAsUser: 101 allowPrivilegeEscalation: true env: - name: POD_NAME valueFrom: fieldRef: fieldPath: metadata.name - name: POD_NAMESPACE valueFrom: fieldRef: fieldPath: metadata.namespace - name: LD_PRELOAD value: /usr/local/lib/libmimalloc.so ports: - name: http containerPort: 80 hostPort: {{ ingress_nginx_insecure_port }} - name: https containerPort: 443 hostPort: {{ ingress_nginx_secure_port }} - name: metrics containerPort: 10254 {% if not ingress_nginx_host_network %} hostPort: {{ ingress_nginx_metrics_port }} {% endif %} {% if ingress_nginx_webhook_enabled %} - name: webhook containerPort: 8443 protocol: TCP {% endif %} livenessProbe: httpGet: path: /healthz port: 10254 scheme: HTTP initialDelaySeconds: {{ ingress_nginx_probe_initial_delay_seconds }} periodSeconds: 10 timeoutSeconds: 5 successThreshold: 1 failureThreshold: 3 readinessProbe: httpGet: path: /healthz port: 10254 scheme: HTTP initialDelaySeconds: {{ ingress_nginx_probe_initial_delay_seconds }} periodSeconds: 10 timeoutSeconds: 5 successThreshold: 1 failureThreshold: 3 {% if ingress_nginx_webhook_enabled or ingress_nginx_opentelemetry_enabled %} volumeMounts: {% if ingress_nginx_webhook_enabled %} - mountPath: /usr/local/certificates/ name: webhook-cert readOnly: true {% endif %} {% if ingress_nginx_opentelemetry_enabled %} - name: modules mountPath: /modules_mount {% endif %} {% endif %} {% if ingress_nginx_webhook_enabled or ingress_nginx_opentelemetry_enabled %} volumes: {% if ingress_nginx_webhook_enabled %} - name: webhook-cert secret: secretName: ingress-nginx-admission {% endif %} {% if ingress_nginx_opentelemetry_enabled %} - name: modules emptyDir: {} {% endif %} {% endif %}