[ingress-nginx] upgrade to 1.13.3 (#12604)

2025-12-14 05:45:06 +03:00 · 2025-10-09 04:04:59 +02:00
parent f8e74aafb9
commit fd7f39043b
6 changed files with 33 additions and 19 deletions
--- a/README.md
+++ b/README.md
@@ -128,7 +128,7 @@ Note:
 - Application
  - [cert-manager](https://github.com/jetstack/cert-manager) 1.15.3
  - [coredns](https://github.com/coredns/coredns) 1.12.0
-  - [ingress-nginx](https://github.com/kubernetes/ingress-nginx) 1.12.1
+  - [ingress-nginx](https://github.com/kubernetes/ingress-nginx) 1.13.3
  - [argocd](https://argoproj.github.io/) 2.14.5
  - [helm](https://helm.sh/) 3.18.4
  - [metallb](https://metallb.universe.tf/) 0.13.9
--- a/docs/ingress/ingress_nginx.md
+++ b/docs/ingress/ingress_nginx.md
@@ -35,7 +35,7 @@ kubectl create clusterrolebinding cluster-admin-binding \
 The following **Mandatory Command** is required for all deployments except for AWS. See below for the AWS version.

 ```console
-kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.12.0/deploy/static/provider/cloud/deploy.yaml
+kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.13.3/deploy/static/provider/cloud/deploy.yaml
 ```

 ### Provider Specific Steps
--- a/roles/kubernetes-apps/ingress_controller/ingress_nginx/templates/admission-webhook-job.yml.j2
+++ b/roles/kubernetes-apps/ingress_controller/ingress_nginx/templates/admission-webhook-job.yml.j2
@@ -31,13 +31,18 @@ spec:
        name: create
        securityContext:
          allowPrivilegeEscalation: false
+          capabilities:
+            drop:
+            - ALL
+          readOnlyRootFilesystem: true
+          runAsGroup: 65532
+          runAsNonRoot: true
+          runAsUser: 65532
+          seccompProfile:
+            type: RuntimeDefault
      nodeSelector:
        kubernetes.io/os: linux
      restartPolicy: OnFailure
-      securityContext:
-        fsGroup: 2000
-        runAsNonRoot: true
-        runAsUser: 2000
      serviceAccountName: ingress-nginx-admission
  ttlSecondsAfterFinished: {{ ingress_nginx_webhook_job_ttl }}
 ---
@@ -75,12 +80,17 @@ spec:
        name: patch
        securityContext:
          allowPrivilegeEscalation: false
+          capabilities:
+            drop:
+            - ALL
+          readOnlyRootFilesystem: true
+          runAsGroup: 65532
+          runAsNonRoot: true
+          runAsUser: 65532
+          seccompProfile:
+            type: RuntimeDefault
      nodeSelector:
        kubernetes.io/os: linux
      restartPolicy: OnFailure
-      securityContext:
-        fsGroup: 2000
-        runAsNonRoot: true
-        runAsUser: 2000
      serviceAccountName: ingress-nginx-admission
  ttlSecondsAfterFinished: {{ ingress_nginx_webhook_job_ttl }}
--- a/roles/kubernetes-apps/ingress_controller/ingress_nginx/templates/clusterrole-ingress-nginx.yml.j2
+++ b/roles/kubernetes-apps/ingress_controller/ingress_nginx/templates/clusterrole-ingress-nginx.yml.j2
@@ -22,7 +22,7 @@ rules:
  - apiGroups: [""]
    resources: ["events"]
    verbs: ["create", "patch"]
-  - apiGroups: ["extensions","networking.k8s.io"]
+  - apiGroups: ["networking.k8s.io"]
    resources: ["ingresses/status"]
    verbs: ["update"]
  - apiGroups: ["networking.k8s.io"]
--- a/roles/kubernetes-apps/ingress_controller/ingress_nginx/templates/ds-ingress-nginx-controller.yml.j2
+++ b/roles/kubernetes-apps/ingress_controller/ingress_nginx/templates/ds-ingress-nginx-controller.yml.j2
@@ -95,14 +95,18 @@ spec:
            - --validating-webhook-key=/usr/local/certificates/key
 {% endif %}
          securityContext:
+            allowPrivilegeEscalation: false
            capabilities:
-                drop:
-                  - ALL
              add:
              - NET_BIND_SERVICE
-            # www-data -> 101
+              drop:
+              - ALL
+            readOnlyRootFilesystem: false
+            runAsGroup: 82
+            runAsNonRoot: true
            runAsUser: 101
-            allowPrivilegeEscalation: true
+            seccompProfile:
+              type: RuntimeDefault
          env:
            - name: POD_NAME
              valueFrom:
--- a/roles/kubespray_defaults/defaults/main/download.yml
+++ b/roles/kubespray_defaults/defaults/main/download.yml
@@ -306,13 +306,13 @@ local_volume_provisioner_image_tag: "v{{ local_volume_provisioner_version }}"
 local_path_provisioner_version: "0.0.32"
 local_path_provisioner_image_repo: "{{ docker_image_repo }}/rancher/local-path-provisioner"
 local_path_provisioner_image_tag: "v{{ local_path_provisioner_version }}"
-ingress_nginx_version: "1.12.1"
+ingress_nginx_version: "1.13.3"
 ingress_nginx_controller_image_repo: "{{ kube_image_repo }}/ingress-nginx/controller"
 ingress_nginx_opentelemetry_image_repo: "{{ kube_image_repo }}/ingress-nginx/opentelemetry"
 ingress_nginx_controller_image_tag: "v{{ ingress_nginx_version }}"
 ingress_nginx_opentelemetry_image_tag: "v20230721-3e2062ee5"
 ingress_nginx_kube_webhook_certgen_image_repo: "{{ kube_image_repo }}/ingress-nginx/kube-webhook-certgen"
-ingress_nginx_kube_webhook_certgen_image_tag: "v1.5.2"
+ingress_nginx_kube_webhook_certgen_image_tag: "v1.6.3"
 alb_ingress_image_repo: "{{ docker_image_repo }}/amazon/aws-alb-ingress-controller"
 alb_ingress_image_tag: "v1.1.9"
 cert_manager_version: "1.15.3"