-
Notifications
You must be signed in to change notification settings - Fork 5
/
Copy pathingress-secure.yaml
85 lines (78 loc) · 2.16 KB
/
ingress-secure.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
image:
registry: docker.io
repository: public.ecr.aws/sshprivx/nginx-ingress
tag: latest
pullSecrets:
- docker-pull-secret
# Change the default ports 80 and 443 to be something > 1024
extraArgs:
http-port: 18080
https-port: 19443
containerPorts:
http: 18080
https: 19443
containerSecurityContext:
enabled: true
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
runAsUser: 1001
capabilities:
add: []
drop: ["ALL"]
# Volumes and volume mounts are needed because of the `readOnlyRootFilesystem`
# setting
extraVolumes:
- name: ingress-mount
persistentVolumeClaim:
claimName: ingress-claim
extraVolumeMounts:
- mountPath: /etc/ingress-controller/ssl/
name: ingress-mount
subPath: bitnamissl
- mountPath: /tmp
name: ingress-mount
subPath: bitnamitmp
- mountPath: /etc/nginx/
name: ingress-mount
subPath: bitnamietcnginx
# Copy all the files from the container to the volume mount and copy them
# back so that there is no writing to the container filesystem
initContainers:
- name: conf-copier-1
image: public.ecr.aws/sshprivx/nginx-ingress:latest
imagePullPolicy: IfNotPresent
command: [ "/bin/sh", "-c" ]
securityContext:
readOnlyRootFilesystem: true
runAsNonRoot: true
runAsUser: 1001
allowPrivilegeEscalation: false
args:
- echo copying nginx template;
cp -rf /etc/nginx/* /temporaryconf/;
volumeMounts:
- mountPath: /temporaryconf
name: ingress-mount
subPath: temporaryconf
- name: conf-copier-2
image: busybox
imagePullPolicy: IfNotPresent
command: [ "/bin/sh", "-c" ]
securityContext:
readOnlyRootFilesystem: true
runAsNonRoot: true
runAsUser: 1001
allowPrivilegeEscalation: false
args:
- echo copying temporaryconf to nginx template;
cp -rf /temporaryconf/* /etc/nginx/;
volumeMounts:
- mountPath: /temporaryconf
name: ingress-mount
subPath: temporaryconf
- mountPath: /etc/nginx
name: ingress-mount
subPath: bitnamietcnginx
# switch off the default backend so that it doesn't require any security contexts
defaultBackend:
enabled: false