[ingress-nginx] upgrade to 1.13.3 (#12604)

roles/kubernetes-apps/ingress_controller/ingress_nginx/templates/admission-webhook-job.yml.j2

@@ -31,13 +31,18 @@ spec:
         name: create
         securityContext:
           allowPrivilegeEscalation: false
+          capabilities:
+            drop:
+            - ALL
+          readOnlyRootFilesystem: true
+          runAsGroup: 65532
+          runAsNonRoot: true
+          runAsUser: 65532
+          seccompProfile:
+            type: RuntimeDefault
       nodeSelector:
         kubernetes.io/os: linux
       restartPolicy: OnFailure
-      securityContext:
-        fsGroup: 2000
-        runAsNonRoot: true
-        runAsUser: 2000
       serviceAccountName: ingress-nginx-admission
   ttlSecondsAfterFinished: {{ ingress_nginx_webhook_job_ttl }}
 ---
@@ -75,12 +80,17 @@ spec:
         name: patch
         securityContext:
           allowPrivilegeEscalation: false
+          capabilities:
+            drop:
+            - ALL
+          readOnlyRootFilesystem: true
+          runAsGroup: 65532
+          runAsNonRoot: true
+          runAsUser: 65532
+          seccompProfile:
+            type: RuntimeDefault
       nodeSelector:
         kubernetes.io/os: linux
       restartPolicy: OnFailure
-      securityContext:
-        fsGroup: 2000
-        runAsNonRoot: true
-        runAsUser: 2000
       serviceAccountName: ingress-nginx-admission
   ttlSecondsAfterFinished: {{ ingress_nginx_webhook_job_ttl }}

roles/kubernetes-apps/ingress_controller/ingress_nginx/templates/clusterrole-ingress-nginx.yml.j2

@@ -22,7 +22,7 @@ rules:
   - apiGroups: [""]
     resources: ["events"]
     verbs: ["create", "patch"]
-  - apiGroups: ["extensions","networking.k8s.io"]
+  - apiGroups: ["networking.k8s.io"]
     resources: ["ingresses/status"]
     verbs: ["update"]
   - apiGroups: ["networking.k8s.io"]

roles/kubernetes-apps/ingress_controller/ingress_nginx/templates/ds-ingress-nginx-controller.yml.j2

@@ -95,14 +95,18 @@ spec:
             - --validating-webhook-key=/usr/local/certificates/key
 {% endif %}
           securityContext:
+            allowPrivilegeEscalation: false
             capabilities:
-                drop:
-                  - ALL
-                add:
-                  - NET_BIND_SERVICE
-            # www-data -> 101
+              add:
+              - NET_BIND_SERVICE
+              drop:
+              - ALL
+            readOnlyRootFilesystem: false
+            runAsGroup: 82
+            runAsNonRoot: true
             runAsUser: 101
-            allowPrivilegeEscalation: true
+            seccompProfile:
+              type: RuntimeDefault
           env:
             - name: POD_NAME
               valueFrom:

roles/kubespray_defaults/defaults/main/download.yml

@@ -306,13 +306,13 @@ local_volume_provisioner_image_tag: "v{{ local_volume_provisioner_version }}"
 local_path_provisioner_version: "0.0.32"
 local_path_provisioner_image_repo: "{{ docker_image_repo }}/rancher/local-path-provisioner"
 local_path_provisioner_image_tag: "v{{ local_path_provisioner_version }}"
-ingress_nginx_version: "1.12.1"
+ingress_nginx_version: "1.13.3"
 ingress_nginx_controller_image_repo: "{{ kube_image_repo }}/ingress-nginx/controller"
 ingress_nginx_opentelemetry_image_repo: "{{ kube_image_repo }}/ingress-nginx/opentelemetry"
 ingress_nginx_controller_image_tag: "v{{ ingress_nginx_version }}"
 ingress_nginx_opentelemetry_image_tag: "v20230721-3e2062ee5"
 ingress_nginx_kube_webhook_certgen_image_repo: "{{ kube_image_repo }}/ingress-nginx/kube-webhook-certgen"
-ingress_nginx_kube_webhook_certgen_image_tag: "v1.5.2"
+ingress_nginx_kube_webhook_certgen_image_tag: "v1.6.3"
 alb_ingress_image_repo: "{{ docker_image_repo }}/amazon/aws-alb-ingress-controller"
 alb_ingress_image_tag: "v1.1.9"
 cert_manager_version: "1.15.3"