mirror of
https://github.com/rancher/rke.git
synced 2025-08-30 13:02:45 +00:00
Use initContainer for nginx ingress if it is old version
**Problem:** The nginx ingress daemonSet securityContext cannot be applied to versions before 0.16.0. **Solution:** When the nginx controller version is older than 0.16.0, we set it up the old way.
parent
3094ac132d
commit
642970feb2
@ -439,6 +439,16 @@ func (c *Cluster) deployIngress(ctx context.Context) error {
|
|||||||
IngressImage: c.SystemImages.Ingress,
|
IngressImage: c.SystemImages.Ingress,
|
||||||
IngressBackend: c.SystemImages.IngressBackend,
|
IngressBackend: c.SystemImages.IngressBackend,
|
||||||
}
|
}
|
||||||
|
// since nginx ingress controller 0.16.0, it can be run as non-root and doesn't require privileged anymore.
|
||||||
|
// So we can use securityContext instead of setting privileges via initContainer.
|
||||||
|
ingressSplits := strings.SplitN(c.SystemImages.Ingress, ":", 2)
|
||||||
|
if len(ingressSplits) == 2 {
|
||||||
|
version := strings.Split(ingressSplits[1], "-")[0]
|
||||||
|
if version < "0.16.0" {
|
||||||
|
ingressConfig.AlpineImage = c.SystemImages.Alpine
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
// Currently only deploying nginx ingress controller
|
// Currently only deploying nginx ingress controller
|
||||||
ingressYaml, err := addons.GetNginxIngressManifest(ingressConfig)
|
ingressYaml, err := addons.GetNginxIngressManifest(ingressConfig)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
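Review bot: The check `version < "0.16.0"` compares strings lexicographically, so it misorders versions: a tag such as 0.9.0 sorts after 0.16.0 and would be rendered with the securityContext the commit message says old versions cannot use, while a later 0.100.0 would sort before it and get the privileged initContainer. `strings.SplitN(c.SystemImages.Ingress, ":", 2)` also splits at the first colon, which for an image reference with a registry port (`host:5000/...`) is the port rather than the tag. Compare major and minor numerically and take the tag after the last `:` that follows the last `/`. The sketch below needs `strconv` imported and keeps the current behaviour of treating an unparseable tag as new. deployIngress starts and ends outside the hunk.

```go
// … unchanged: ingressConfig construction and the two explanatory comments …
image := c.SystemImages.Ingress
if i := strings.LastIndex(image, ":"); i > strings.LastIndex(image, "/") {
	// Tag looks like "0.10.2-rancher3": keep the part before the first "-".
	tag := strings.SplitN(image[i+1:], "-", 2)[0]
	parts := strings.SplitN(tag, ".", 3)
	if len(parts) >= 2 {
		major, errMajor := strconv.Atoi(parts[0])
		minor, errMinor := strconv.Atoi(parts[1])
		// Numeric comparison: as strings, "0.9.0" sorts after "0.16.0".
		if errMajor == nil && errMinor == nil && major == 0 && minor < 16 {
			ingressConfig.AlpineImage = c.SystemImages.Alpine
		}
	}
}
// … unchanged: GetNginxIngressManifest call …
```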
|
@ -193,6 +193,18 @@ spec:
|
|||||||
{{if eq .RBACConfig "rbac"}}
|
{{if eq .RBACConfig "rbac"}}
|
||||||
serviceAccountName: nginx-ingress-serviceaccount
|
serviceAccountName: nginx-ingress-serviceaccount
|
||||||
{{ end }}
|
{{ end }}
|
||||||
|
{{- if ne .AlpineImage ""}}
|
||||||
|
initContainers:
|
||||||
|
- command:
|
||||||
|
- sh
|
||||||
|
- -c
|
||||||
|
- sysctl -w net.core.somaxconn=32768; sysctl -w net.ipv4.ip_local_port_range="1024 65535"
|
||||||
|
image: {{.AlpineImage}}
|
||||||
|
imagePullPolicy: IfNotPresent
|
||||||
|
name: sysctl
|
||||||
|
securityContext:
|
||||||
|
privileged: true
|
||||||
|
{{- end }}
|
||||||
containers:
|
containers:
|
||||||
- name: nginx-ingress-controller
|
- name: nginx-ingress-controller
|
||||||
image: {{.IngressImage}}
|
image: {{.IngressImage}}
|
||||||
@ -206,6 +218,7 @@ spec:
|
|||||||
{{ range $k, $v := .ExtraArgs }}
|
{{ range $k, $v := .ExtraArgs }}
|
||||||
- --{{ $k }}{{if ne $v "" }}={{ $v }}{{end}}
|
- --{{ $k }}{{if ne $v "" }}={{ $v }}{{end}}
|
||||||
{{ end }}
|
{{ end }}
|
||||||
|
{{- if eq .AlpineImage ""}}
|
||||||
securityContext:
|
securityContext:
|
||||||
capabilities:
|
capabilities:
|
||||||
drop:
|
drop:
|
||||||
@ -213,6 +226,7 @@ spec:
|
|||||||
add:
|
add:
|
||||||
- NET_BIND_SERVICE
|
- NET_BIND_SERVICE
|
||||||
runAsUser: 33
|
runAsUser: 33
|
||||||
|
{{- end }}
|
||||||
env:
|
env:
|
||||||
- name: POD_NAME
|
- name: POD_NAME
|
||||||
valueFrom:
|
valueFrom:
|
||||||
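Review bot: In the new initContainer the two writes are joined with `;`, so a failed `sysctl -w net.core.somaxconn=32768` is masked by the exit status of the second command and the pod starts without the setting; `sysctl -w net.core.somaxconn=32768 && sysctl -w net.ipv4.ip_local_port_range="1024 65535"` would make the init container fail visibly. The legacy branch is selected only by `.AlpineImage` being non-empty, and it both adds a `privileged: true` container and (in the hunks at 218 and 226) removes the controller's `capabilities` and `runAsUser` block, so any caller that fills `AlpineImage` for another reason silently gets the less restricted pod. A comment above `initContainers:` would record that coupling, for example `# nginx-ingress < 0.16.0 only: privileged init container sets sysctls; controller runs without the securityContext below`. The pod spec continues outside these hunks, so whether the pod shares the host network namespace (which would make these sysctls node-wide) cannot be seen here.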
|