Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Kubeadm using 1.6 - Ingess-Controller can't access API #575

Closed
lachlan-b opened this issue Apr 9, 2017 · 13 comments
Closed

Kubeadm using 1.6 - Ingess-Controller can't access API #575

lachlan-b opened this issue Apr 9, 2017 · 13 comments

Comments

@lachlan-b
Copy link

Just had quite a bit of difficulty getting the ingress controller running on 1.6 cluster using kubeadm, I would think the 1.6 default permission changes for service accounts will impact any deployment method though.
I0409 05:45:16.650042 6 launch.go:96] &{NGINX 0.9.0-beta.3 git-3dd7461 git@github.com:ixdy/kubernetes-ingress.git} I0409 05:45:16.650094 6 launch.go:99] Watching for ingress class: nginx I0409 05:45:16.650517 6 launch.go:245] Creating API server client for https://10.96.0.1:443 I0409 05:45:16.652130 6 nginx.go:127] starting NGINX process... F0409 05:45:18.211701 6 launch.go:113] no service with name kube-system/default-http-backend found: the server does not allow access to the requested resource (get services default-http-backend)

Got it working using host ports and RBAC role and cluster role and adding a service account so its not using default, I'll give it a test now.
Big thanks to whoever went through the effort of gathering permissions here, #266

Should I make a PR with updated 1.6 templates or add a standalone role with a link to RBAC doco and how to select the service account within the pod spec.

apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
  name: ingress
rules:
- apiGroups:
  - ""
  - "extensions"
  resources:
  - configmaps
  - secrets
  - services
  - endpoints
  - ingresses
  - nodes
  - pods
  verbs:
  - list
  - watch
- apiGroups:
  - "extensions"
  resources:
  - ingresses
  verbs:
  - get
- apiGroups:
  - ""
  resources:
  - events
  - services
  verbs:
  - create
  - list
  - update
  - get
- apiGroups:
  - "extensions"
  resources:
  - ingresses/status
  - ingresses
  verbs:
  - update
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: Role
metadata:
  name: ingress-ns
  namespace: kube-system
rules:
- apiGroups:
  - ""
  resources:
  - pods
  verbs:
  - list
- apiGroups:
  - ""
  resources:
  - services
  verbs:
  - get
- apiGroups:
  - ""
  resources:
  - endpoints
  verbs:
  - get
  - create
  - update  
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: RoleBinding
metadata:
  name: ingress-ns-binding
  namespace: kube-system
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: ingress-ns
subjects:
  - kind: ServiceAccount
    name: ingress
    namespace: kube-system
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
  name: ingress-binding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: ingress
subjects:
  - kind: ServiceAccount
    name: ingress
    namespace: kube-system
---
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: default-http-backend
  labels:
    k8s-app: default-http-backend
  namespace: kube-system
spec:
  replicas: 1
  template:
    metadata:
      labels:
        k8s-app: default-http-backend
    spec:
      terminationGracePeriodSeconds: 60
      containers:
      - name: default-http-backend
        # Any image is permissable as long as:
        # 1. It serves a 404 page at /
        # 2. It serves 200 on a /healthz endpoint
        image: gcr.io/google_containers/defaultbackend:1.0
        livenessProbe:
          httpGet:
            path: /healthz
            port: 8080
            scheme: HTTP
          initialDelaySeconds: 30
          timeoutSeconds: 5
        ports:
        - containerPort: 8080
        resources:
          limits:
            cpu: 10m
            memory: 20Mi
          requests:
            cpu: 10m
            memory: 20Mi
---
apiVersion: v1
kind: Service
metadata:
  name: default-http-backend
  namespace: kube-system
  labels:
    k8s-app: default-http-backend
spec:
  ports:
  - port: 80
    targetPort: 8080
  selector:
    k8s-app: default-http-backend
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: ingress
  namespace: kube-system
---
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: nginx-ingress-controller
  labels:
    k8s-app: nginx-ingress-controller
  namespace: kube-system
spec:
  replicas: 1
  template:
    metadata:
      labels:
        k8s-app: nginx-ingress-controller
    spec:
      # hostNetwork makes it possible to use ipv6 and to preserve the source IP correctly regardless of docker configuration
      # however, it is not a hard dependency of the nginx-ingress-controller itself and it may cause issues if port 10254 already is taken on the host
      # that said, since hostPort is broken on CNI (https://github.com/kubernetes/kubernetes/issues/31307) we have to use hostNetwork where CNI is used
      # like with kubeadm
      hostNetwork: true
      terminationGracePeriodSeconds: 60
      serviceAccountName: ingress
      containers:
      - image: gcr.io/google_containers/nginx-ingress-controller:0.9.0-beta.3
        name: nginx-ingress-controller
        readinessProbe:
          httpGet:
            path: /healthz
            port: 10254
            scheme: HTTP
        livenessProbe:
          httpGet:
            path: /healthz
            port: 10254
            scheme: HTTP
          initialDelaySeconds: 10
          timeoutSeconds: 1
        ports:
        - containerPort: 80
          hostPort: 80
        - containerPort: 443
          hostPort: 443
        env:
          - name: POD_NAME
            valueFrom:
              fieldRef:
                fieldPath: metadata.name
          - name: POD_NAMESPACE
            valueFrom:
              fieldRef:
                fieldPath: metadata.namespace
        args:
        - /nginx-ingress-controller
        - --default-backend-service=$(POD_NAMESPACE)/default-http-backend
@domino14
Copy link

domino14 commented Apr 9, 2017
edited
Loading

Thanks for figuring this out, but that's really quite something. I have no idea what is going on with this RBAC stuff. Why did it get so horribly complex? The nginxinc controller completely stopped working and I had to switch to this one. Your config seems to work fine.

@lachlan-b
Copy link
Author

lachlan-b commented Apr 9, 2017
edited
Loading

Yeah, I've been holding out for access control for a long time so very thankful... But it's taken me now a few hours to get all the default cluster tools working with RBAC on 1.6 like kube-lego, dashboard, heapster and weavescope.

here is a relatively basic policy that gets kube-lego (letsencrypt) going with this ingress controller, could be improved though

apiVersion: v1
kind: ServiceAccount
metadata:
  name: lego
  namespace: kube-system
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
    name: lego
    namespace: kube-system  
rules:
- apiGroups:
  - ""
  - "extensions"
  resources:
  - configmaps
  - secrets
  - services
  - endpoints
  - ingresses
  - nodes
  - pods
  verbs:
  - list
  - get
  - watch
- apiGroups:
  - "extensions"
  - ""
  resources:
  - ingresses
  - ingresses/status
  verbs:
  - get
  - update
  - create
  - list
  - patch
  - delete
  - watch
- apiGroups:
  - "*"
  - ""
  resources:
  - events
  - certificates
  - secrets
  verbs:
  - create
  - list
  - update
  - get
  - patch
  - watch
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: lego
  namespace: kube-system
subjects:
  - kind: ServiceAccount
    namespace: kube-system
    name: lego
roleRef:
  kind: ClusterRole
  name: lego
  apiGroup: rbac.authorization.k8s.io
---
apiVersion: v1
metadata:
  name: kube-lego
  namespace: kube-system
data:
  # modify this to specify your address
  lego.email: "asdf@gmail.com"
  # configre letencrypt's production api
  lego.url: "https://acme-v01.api.letsencrypt.org/directory"
kind: ConfigMap
---
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: kube-lego
  namespace: kube-system
spec:
  replicas: 1
  template:
    metadata:
      labels:
        # Required for the auto-create kube-lego-nginx service to work.
        app: kube-lego
    spec:
      serviceAccountName: lego
      containers:
      - name: kube-lego
        image: jetstack/kube-lego:0.1.3
        imagePullPolicy: Always
        ports:
        - containerPort: 8080
        env:
        - name: LEGO_EMAIL
          valueFrom:
            configMapKeyRef:
              name: kube-lego
              key: lego.email
        - name: LEGO_URL
          valueFrom:
            configMapKeyRef:
              name: kube-lego
              key: lego.url
        - name: LEGO_NAMESPACE
          valueFrom:
            fieldRef:
              fieldPath: metadata.namespace
        - name: LEGO_POD_IP
          valueFrom:
            fieldRef:
              fieldPath: status.podIP
        readinessProbe:
          httpGet:
            path: /healthz
            port: 8080
          initialDelaySeconds: 5
          timeoutSeconds: 1

@domino14 domino14 mentioned this issue Apr 15, 2017
Closed
@songrijie
Copy link

To create DaemonSet of the controller, as of in nginx-ingress-daemonset.yaml.

  1. Create serviceAccount "ingress" and relevant roles&bindings as @lachlan-b pointed out. I gave additional "get" to resource "pods","services".... so that ingress is able to feedback with "ADDRESS" showing in cmd output.
  2. Add "serviceAccountName" and "hostNetwork" specs to DaemonSet, which is exactly the same as in deployment.

It works for me.

apiVersion: extensions/v1beta1
kind: DaemonSet
metadata:
  name: nginx-ingress-lb
  labels:
    name: nginx-ingress-lb
  namespace: kube-system
spec:
  template:
    metadata:
      labels:
        name: nginx-ingress-lb
      annotations:
        prometheus.io/port: '10254'
        prometheus.io/scrape: 'true'
    spec:
      # hostNetwork makes it possible to use ipv6 and to preserve the source IP correctly regardless of docker configuration
      # however, it is not a hard dependency of the nginx-ingress-controller itself and it may cause issues if port 10254 already is taken on the host
      # that said, since hostPort is broken on CNI (https://github.com/kubernetes/kubernetes/issues/31307) we have to use hostNetwork where CNI is used
      # like with kubeadm
      hostNetwork: true
      terminationGracePeriodSeconds: 60
      serviceAccountName: ingress
      containers:
      - image: gcr.io/google_containers/nginx-ingress-controller:0.9.0-beta.3
        name: nginx-ingress-lb
        readinessProbe:
          httpGet:
            path: /healthz
            port: 10254
            scheme: HTTP
        livenessProbe:
          httpGet:
            path: /healthz
            port: 10254
            scheme: HTTP
          initialDelaySeconds: 10
          timeoutSeconds: 1
        ports:
        - containerPort: 80
          hostPort: 80
        - containerPort: 443
          hostPort: 443
        env:
          - name: POD_NAME
            valueFrom:
              fieldRef:
                fieldPath: metadata.name
          - name: POD_NAMESPACE
            valueFrom:
              fieldRef:
                fieldPath: metadata.namespace
        args:
        - /nginx-ingress-controller
        - --default-backend-service=$(POD_NAMESPACE)/default-http-backend

@munnerz munnerz mentioned this issue Apr 24, 2017
Open
@xeor xeor mentioned this issue Apr 25, 2017
Open
@ghost
Copy link

ghost commented Apr 27, 2017
edited by ghost
Loading

Using the above spec file in first comment i am able to deploy ingress-controller. But when i create the ingress-rule endpoints for ingress-rule is not updates and it log file ingress backend successfully reloaded... is repeating regularly. Am i missing something can someone please help me

@weitzj
Copy link
Contributor

weitzj commented May 4, 2017
edited
Loading

The above spec file almost worked for me (Kubernetes 1.6.2) unless I installed Ingress in different namespaces.

I had these 5 errors left:

E0504 13:41:15.305715       1 reflector.go:201] k8s.io/ingress/core/pkg/ingress/controller/controller.go:1191: Failed to list *v1.ConfigMap: User "system:serviceaccount:kube-system:ingress" cannot list configmaps at the cluster scope. (get configmaps)
E0504 13:41:15.355198       1 reflector.go:201] k8s.io/ingress/core/pkg/ingress/controller/controller.go:1186: Failed to list *v1beta1.Ingress: User "system:serviceaccount:kube-system:ingress" cannot list ingresses.extensions at the cluster scope. (get ingresses.extensions)
E0504 13:41:15.406615       1 reflector.go:201] k8s.io/ingress/core/pkg/ingress/controller/controller.go:1190: Failed to list *v1.Secret: User "system:serviceaccount:kube-system:ingress" cannot list secrets at the cluster scope. (get secrets)
E0504 13:41:15.445520       1 reflector.go:201] k8s.io/ingress/core/pkg/ingress/controller/controller.go:1189: Failed to list *v1.Node: User "system:serviceaccount:kube-system:ingress" cannot list nodes at the cluster scope. (get nodes)
E0504 13:41:15.507225       1 reflector.go:201] k8s.io/ingress/core/pkg/ingress/controller/controller.go:1187: Failed to list *v1.Endpoints: User "system:serviceaccount:kube-system:ingress" cannot list endpoints at the cluster scope. (get endpoints)
E0504 13:41:15.507373       1 reflector.go:201] k8s.io/ingress/core/pkg/ingress/controller/controller.go:1188: Failed to list *v1.Service: User "system:serviceaccount:kube-system:ingress" cannot list services at the cluster scope. (get services)

EDIT:

One more fix to get TLS working: events need patch permissions.

The following Ingress-DaemonSet works for me and the errors above are gone

apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
  name: ingress
rules:
- apiGroups:
  - ""
  resources:
  - configmaps
  - secrets
  - services
  - endpoints
  - ingresses
  - nodes
  - pods
  verbs:
  - list
  - watch
- apiGroups:
  - "extensions"
  resources:
  - ingresses
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - events
  - services
  verbs:
  - create
  - list
  - update
  - get
  - patch
- apiGroups:
  - "extensions"
  resources:
  - ingresses/status
  - ingresses
  verbs:
  - update
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: Role
metadata:
  name: ingress-ns
  namespace: kube-system
rules:
- apiGroups:
  - ""
  resources:
  - pods
  verbs:
  - list
- apiGroups:
  - ""
  resources:
  - services
  verbs:
  - get
- apiGroups:
  - ""
  resources:
  - endpoints
  verbs:
  - get
  - create
  - update
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: RoleBinding
metadata:
  name: ingress-ns-binding
  namespace: kube-system
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: ingress-ns
subjects:
  - kind: ServiceAccount
    name: ingress
    namespace: kube-system
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
  name: ingress-binding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: ingress
subjects:
  - kind: ServiceAccount
    name: ingress
    namespace: kube-system
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: ingress
  namespace: kube-system
---
apiVersion: extensions/v1beta1
kind: DaemonSet
metadata:
  name: nginx-ingress-lb
  labels:
    name: nginx-ingress-lb
  namespace: kube-system
spec:
  template:
    metadata:
      labels:
        name: nginx-ingress-lb
      annotations:
        prometheus.io/port: '10254'
        prometheus.io/scrape: 'true'
    spec:
      # hostNetwork is need, since we use CNI (Weave)
      # See: https://groups.google.com/forum/#!topic/kubernetes-users/arfGJnxlauU
      hostNetwork: true
      terminationGracePeriodSeconds: 60
      serviceAccountName: ingress
      containers:
      - image: gcr.io/google_containers/nginx-ingress-controller:0.9.0-beta.4
        name: nginx-ingress-lb
        readinessProbe:
          httpGet:
            path: /healthz
            port: 10254
            scheme: HTTP
        livenessProbe:
          httpGet:
            path: /healthz
            port: 10254
            scheme: HTTP
          initialDelaySeconds: 10
          timeoutSeconds: 1
        ports:
        - containerPort: 80
          hostPort: 80
        - containerPort: 443
          hostPort: 443
        env:
          - name: POD_NAME
            valueFrom:
              fieldRef:
                fieldPath: metadata.name
          - name: POD_NAMESPACE
            valueFrom:
              fieldRef:
                fieldPath: metadata.namespace
        args:
        - /nginx-ingress-controller
        - --default-backend-service=$(POD_NAMESPACE)/default-http-backend

@huangjiasingle
Copy link

@lachlan-b @domino14 @songrijie @chaitukopparthi @weitzj i use the cmd: kubectl apply -f nginx-ingress-controller.yaml ,it's also respone some err, so l read the errors and then l fix the err by the error message, the last ,l create a corrate controller, l hope this is useful to your. this is my yaml file:

apiVersion: v1
kind: ServiceAccount
metadata:
  name: ingress
  namespace: kube-system
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
  name: system:ingress
rules:
- apiGroups:
  - ""
  resources: ["configmaps","secrets","endpoints","events","services"]
  verbs: ["list","watch","create","update","delete","get"]
- apiGroups:
  - ""
  - "extensions"
  resources: ["services","nodes","ingresses","pods"]
  verbs: ["list","watch","create","update","delete","get"]

---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
  name: ingress
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: system:ingress
subjects:
  - kind: ServiceAccount
    name: ingress
    namespace: kube-system 

---
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: nginx-ingress-controller
  labels:
    k8s-app: nginx-ingress-controller
  namespace: kube-system
spec:
  replicas: 1
  template:
    metadata:
      labels:
        k8s-app: nginx-ingress-controller
      annotations:
        prometheus.io/port: '10254'
        prometheus.io/scrape: 'true'
    spec:
      # hostNetwork makes it possible to use ipv6 and to preserve the source IP correctly regardless of docker configuration
      # however, it is not a hard dependency of the nginx-ingress-controller itself and it may cause issues if port 10254 already is taken on the host
      # that said, since hostPort is broken on CNI (https://github.com/kubernetes/kubernetes/issues/31307) we have to use hostNetwork where CNI is used
      # like with kubeadm
      # hostNetwork: true
      serviceAccountName: ingress
      terminationGracePeriodSeconds: 60
      containers:
      - image: gcr.io/google_containers/nginx-ingress-controller:0.9.0-beta.5
        name: nginx-ingress-controller
        readinessProbe:
          httpGet:
            path: /healthz
            port: 10254
            scheme: HTTP
        livenessProbe:
          httpGet:
            path: /healthz
            port: 10254
            scheme: HTTP
          initialDelaySeconds: 10
          timeoutSeconds: 1
        ports:
        - containerPort: 80
          hostPort: 80
        - containerPort: 443
          hostPort: 443
        env:
          - name: POD_NAME
            valueFrom:
              fieldRef:
                fieldPath: metadata.name
          - name: POD_NAMESPACE
            valueFrom:
              fieldRef:
                fieldPath: metadata.namespace
        args:
        - /nginx-ingress-controller
        - --default-backend-service=$(POD_NAMESPACE)/default-http-backend

@huangjiasingle
Copy link

@lachlan-b @domino14 @songrijie @chaitukopparthi @weitzj l forget write the k8s cluster version, in my cluster ,the k8s's version is v1.6.3. the v1.6.2 is also ok.

@prasenforu
Copy link

prasenforu commented May 23, 2017
edited
Loading

Created ingress controller based on above yml (huangjiasingle) then I created small test apps with namespace "testing" and getting following error ...

error updating ingress rule: User "system:serviceaccount:kube-system:ingress" cannot update ingresses.extensions/status in the namespace "testing". (put ingresses.extensions myemp)

NOTE: ALL containers running fine

apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: myemp
spec:
  replicas: 1
  template:
    metadata:
      labels:
        name: myemp
    spec:
      containers:
      - name: myemp-dc-pod
        image: prasenforu/employee
        ports:
        - containerPort: 8888
---
apiVersion: v1
kind: Service
metadata:
  name: myemp
  labels:
    name: myemp
spec:
  ports:
  - name: 80-tcp
    port: 80
    protocol: TCP
    targetPort: 8888
  selector:
    name: myemp
---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  labels:
  name: myemp
spec:
  rules:
    - host: sampleapp.cloudapps.cloud-cafe.in
      http:
        paths:
          - backend:
              serviceName: myemp
              servicePort: 80

@weitzj
Copy link
Contributor

weitzj commented May 23, 2017

@prasenforu You probably need to add:

- apiGroups:
  - "extensions"
  resources:
  - ingresses/status
  verbs:
  - put

@prasenforu
Copy link

prasenforu commented May 23, 2017
edited
Loading

@weitzj

Thanks for reply.

added in

apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
  name: system:ingress
rules:
- apiGroups:
  - ""
  resources: ["configmaps","secrets","endpoints","events","services"]
  verbs: ["list","watch","create","update","delete","get"]
- apiGroups:
  - ""
  - "extensions"
  resources: ["services","nodes","ingresses","pods"]
  verbs: ["list","watch","create","update","delete","get"]
- apiGroups:
  - "extensions"
  resources:
  - ingresses/status
  verbs:
  - put

but same error .... :(
error updating ingress rule: User "system:serviceaccount:kube-system:ingress" cannot update ingresses.extensions/status in the namespace "testing". (put ingresses.extensions myemp)

@aledbf
Copy link
Member

aledbf commented May 23, 2017

@prasenforu @weitzj please check #747

@huangjiasingle
Copy link

@prasenforu

apiVersion: v1
kind: ServiceAccount
metadata:
  name: ingress
  namespace: kube-system
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
  name: system:ingress
rules:
- apiGroups:
  - ""
  resources: ["configmaps","secrets","endpoints","events","services"]
  verbs: ["list","watch","create","update","delete","get"]
- apiGroups:
  - ""
  - "extensions"
  resources: ["services","nodes","ingresses","pods","ingresses/status"]
  verbs: ["list","watch","create","update","delete","get"]
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
  name: ingress
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: system:ingress
subjects:
  - kind: ServiceAccount
    name: ingress
    namespace: kube-system

---
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: nginx-ingress-controller
  labels:
    k8s-app: nginx-ingress-controller
  namespace: kube-system
spec:
  replicas: 1
  template:
    metadata:
      labels:
        k8s-app: nginx-ingress-controller
      annotations:
        prometheus.io/port: '10254'
        prometheus.io/scrape: 'true'
    spec:
      # hostNetwork makes it possible to use ipv6 and to preserve the source IP correctly regardless of docker configuration
      # however, it is not a hard dependency of the nginx-ingress-controller itself and it may cause issues if port 10254 already is taken on the host
      # that said, since hostPort is broken on CNI (https://github.com/kubernetes/kubernetes/issues/31307) we have to use hostNetwork where CNI is used
      # like with kubeadm
      # hostNetwork: true
      serviceAccountName: ingress
      terminationGracePeriodSeconds: 60
      containers:
      - image: gcr.io/google_containers/nginx-ingress-controller:0.9.0-beta.5
        name: nginx-ingress-controller
        readinessProbe:
          httpGet:
            path: /healthz
            port: 10254
            scheme: HTTP
        livenessProbe:
          httpGet:
            path: /healthz
            port: 10254
            scheme: HTTP
          initialDelaySeconds: 10
          timeoutSeconds: 1
        ports:
        - containerPort: 80
          hostPort: 80
        - containerPort: 443
          hostPort: 443
        env:
          - name: POD_NAME
            valueFrom:
              fieldRef:
                fieldPath: metadata.name
          - name: POD_NAMESPACE
            valueFrom:
              fieldRef:
                fieldPath: metadata.namespace
        args:
        - /nginx-ingress-controller
        - --default-backend-service=$(POD_NAMESPACE)/default-http-backend

@weitzj weitzj mentioned this issue May 23, 2017
Merged
@aledbf
Copy link
Member

aledbf commented May 25, 2017

Closing. Please reopen if the issue persists after following https://github.com/nevetS/ingress/tree/master/examples/rbac/nginx

@aledbf aledbf closed this as completed May 25, 2017
@lbudai74 lbudai74 mentioned this issue Jun 11, 2017
Closed
2 tasks
@matsch01 matsch01 mentioned this issue Sep 13, 2017
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
7 participants
@aledbf @domino14 @weitzj @songrijie @huangjiasingle @lachlan-b @prasenforu