From fd7f39043bbcbcf264f1b49a62ffb39541d3dd37 Mon Sep 17 00:00:00 2001 From: Mohamed Omar Zaian <1049820+mzaian@users.noreply.github.com> Date: Thu, 9 Oct 2025 04:04:59 +0200 Subject: [PATCH] [ingress-nginx] upgrade to 1.13.3 (#12604) --- README.md | 2 +- docs/ingress/ingress_nginx.md | 2 +- .../templates/admission-webhook-job.yml.j2 | 26 +++++++++++++------ .../clusterrole-ingress-nginx.yml.j2 | 2 +- .../ds-ingress-nginx-controller.yml.j2 | 16 +++++++----- .../defaults/main/download.yml | 4 +-- 6 files changed, 33 insertions(+), 19 deletions(-) diff --git a/README.md b/README.md index ecf62da99..ddcbcef21 100644 --- a/README.md +++ b/README.md @@ -128,7 +128,7 @@ Note: - Application - [cert-manager](https://github.com/jetstack/cert-manager) 1.15.3 - [coredns](https://github.com/coredns/coredns) 1.12.0 - - [ingress-nginx](https://github.com/kubernetes/ingress-nginx) 1.12.1 + - [ingress-nginx](https://github.com/kubernetes/ingress-nginx) 1.13.3 - [argocd](https://argoproj.github.io/) 2.14.5 - [helm](https://helm.sh/) 3.18.4 - [metallb](https://metallb.universe.tf/) 0.13.9 diff --git a/docs/ingress/ingress_nginx.md b/docs/ingress/ingress_nginx.md index c17cd847f..3d908d4a9 100644 --- a/docs/ingress/ingress_nginx.md +++ b/docs/ingress/ingress_nginx.md @@ -35,7 +35,7 @@ kubectl create clusterrolebinding cluster-admin-binding \ The following **Mandatory Command** is required for all deployments except for AWS. See below for the AWS version. ```console -kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.12.0/deploy/static/provider/cloud/deploy.yaml +kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.13.3/deploy/static/provider/cloud/deploy.yaml ``` ### Provider Specific Steps 
diff --git a/roles/kubernetes-apps/ingress_controller/ingress_nginx/templates/admission-webhook-job.yml.j2 b/roles/kubernetes-apps/ingress_controller/ingress_nginx/templates/admission-webhook-job.yml.j2
index 258a7a166..21e420664 100644
--- a/roles/kubernetes-apps/ingress_controller/ingress_nginx/templates/admission-webhook-job.yml.j2
+++ b/roles/kubernetes-apps/ingress_controller/ingress_nginx/templates/admission-webhook-job.yml.j2
@@ -31,13 +31,18 @@ spec:
           name: create
           securityContext:
             allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            readOnlyRootFilesystem: true
+            runAsGroup: 65532
+            runAsNonRoot: true
+            runAsUser: 65532
+            seccompProfile:
+              type: RuntimeDefault
       nodeSelector:
         kubernetes.io/os: linux
       restartPolicy: OnFailure
-      securityContext:
-        fsGroup: 2000
-        runAsNonRoot: true
-        runAsUser: 2000
       serviceAccountName: ingress-nginx-admission
       ttlSecondsAfterFinished: {{ ingress_nginx_webhook_job_ttl }}
 ---
@@ -75,12 +80,17 @@ spec:
           name: patch
           securityContext:
             allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            readOnlyRootFilesystem: true
+            runAsGroup: 65532
+            runAsNonRoot: true
+            runAsUser: 65532
+            seccompProfile:
+              type: RuntimeDefault
       nodeSelector:
         kubernetes.io/os: linux
       restartPolicy: OnFailure
-      securityContext:
-        fsGroup: 2000
-        runAsNonRoot: true
-        runAsUser: 2000
       serviceAccountName: ingress-nginx-admission
       ttlSecondsAfterFinished: {{ ingress_nginx_webhook_job_ttl }}
diff --git a/roles/kubernetes-apps/ingress_controller/ingress_nginx/templates/clusterrole-ingress-nginx.yml.j2 b/roles/kubernetes-apps/ingress_controller/ingress_nginx/templates/clusterrole-ingress-nginx.yml.j2
index 38118bf49..2f3558aaa 100644
--- a/roles/kubernetes-apps/ingress_controller/ingress_nginx/templates/clusterrole-ingress-nginx.yml.j2
+++ b/roles/kubernetes-apps/ingress_controller/ingress_nginx/templates/clusterrole-ingress-nginx.yml.j2
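Review bot: Removing the pod-level `securityContext` leaves `runAsNonRoot` and `seccompProfile` enforced only on the `create` and `patch` containers, so anything later added to these Job pods (a policy- or mesh-injected sidecar or init container) would run without those constraints; keeping a pod-level `securityContext:` with `runAsNonRoot: true` and `seccompProfile: {type: RuntimeDefault}` next to the container block costs nothing and is the defence-in-depth default. The same hardening stanza is now duplicated verbatim in both Jobs; in a Jinja template it is worth pulling into one variable or macro so the two cannot drift at the next bump. `fsGroup: 2000` was dropped rather than moved, which looks intentional (the certgen image presumably runs fine as uid 65532 with no writable volumes), but the commit message does not say so. Both Job specs begin above the hunks.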
@@ -22,7 +22,7 @@ rules:
   - apiGroups: [""]
     resources: ["events"]
     verbs: ["create", "patch"]
-  - apiGroups: ["extensions","networking.k8s.io"]
+  - apiGroups: ["networking.k8s.io"]
     resources: ["ingresses/status"]
     verbs: ["update"]
   - apiGroups: ["networking.k8s.io"]
diff --git a/roles/kubernetes-apps/ingress_controller/ingress_nginx/templates/ds-ingress-nginx-controller.yml.j2 b/roles/kubernetes-apps/ingress_controller/ingress_nginx/templates/ds-ingress-nginx-controller.yml.j2
index 4c1334a17..12dd44ac4 100644
--- a/roles/kubernetes-apps/ingress_controller/ingress_nginx/templates/ds-ingress-nginx-controller.yml.j2
+++ b/roles/kubernetes-apps/ingress_controller/ingress_nginx/templates/ds-ingress-nginx-controller.yml.j2
@@ -95,14 +95,18 @@ spec:
             - --validating-webhook-key=/usr/local/certificates/key
 {% endif %}
           securityContext:
+            allowPrivilegeEscalation: false
             capabilities:
-              drop:
-                - ALL
-              add:
-                - NET_BIND_SERVICE
-            # www-data -> 101
+              add:
+                - NET_BIND_SERVICE
+              drop:
+                - ALL
+            readOnlyRootFilesystem: false
+            runAsGroup: 82
+            runAsNonRoot: true
             runAsUser: 101
-            allowPrivilegeEscalation: true
+            seccompProfile:
+              type: RuntimeDefault
           env:
             - name: POD_NAME
               valueFrom:
diff --git a/roles/kubespray_defaults/defaults/main/download.yml b/roles/kubespray_defaults/defaults/main/download.yml
index 38d12f191..b1185b30e 100644
--- a/roles/kubespray_defaults/defaults/main/download.yml
+++ b/roles/kubespray_defaults/defaults/main/download.yml
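Review bot: `readOnlyRootFilesystem: false` and `runAsGroup: 82` are added to the controller's securityContext without a word of explanation, while the old `# www-data -> 101` comment that at least tied `runAsUser` to an account name was deleted. A writable root filesystem on an internet-facing DaemonSet is exactly the setting a later hardening pass will flip to `true`, and nothing here records what breaks when it does; suggest `readOnlyRootFilesystem: false  # nginx writes generated config/cache under its root fs; mirrors upstream deploy.yaml` and `runAsUser: 101  # www-data in the controller image (primary gid 82)`, both to be confirmed against the upstream v1.13.3 manifest. Flipping `allowPrivilegeEscalation` from `true` to `false` means, as far as I can tell, that ports 80/443 can only be bound through the `NET_BIND_SERVICE` granted in `capabilities.add` and no longer via any setuid or file-capability path at exec time, so a post-upgrade check that the controller still binds its hostPorts belongs in the test plan. The container spec continues on both sides of the hunk.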
@@ -306,13 +306,13 @@ local_volume_provisioner_image_tag: "v{{ local_volume_provisioner_version }}"
 local_path_provisioner_version: "0.0.32"
 local_path_provisioner_image_repo: "{{ docker_image_repo }}/rancher/local-path-provisioner"
 local_path_provisioner_image_tag: "v{{ local_path_provisioner_version }}"
-ingress_nginx_version: "1.12.1"
+ingress_nginx_version: "1.13.3"
 ingress_nginx_controller_image_repo: "{{ kube_image_repo }}/ingress-nginx/controller"
 ingress_nginx_opentelemetry_image_repo: "{{ kube_image_repo }}/ingress-nginx/opentelemetry"
 ingress_nginx_controller_image_tag: "v{{ ingress_nginx_version }}"
 ingress_nginx_opentelemetry_image_tag: "v20230721-3e2062ee5"
 ingress_nginx_kube_webhook_certgen_image_repo: "{{ kube_image_repo }}/ingress-nginx/kube-webhook-certgen"
-ingress_nginx_kube_webhook_certgen_image_tag: "v1.5.2"
+ingress_nginx_kube_webhook_certgen_image_tag: "v1.6.3"
 alb_ingress_image_repo: "{{ docker_image_repo }}/amazon/aws-alb-ingress-controller"
 alb_ingress_image_tag: "v1.1.9"
 cert_manager_version: "1.15.3"