diff --git a/roles/kubernetes-apps/ingress_controller/ingress_nginx/templates/clusterrole-ingress-nginx.yml.j2 b/roles/kubernetes-apps/ingress_controller/ingress_nginx/templates/clusterrole-ingress-nginx.yml.j2
index 3243e32c9..1df91ccd6 100644
--- a/roles/kubernetes-apps/ingress_controller/ingress_nginx/templates/clusterrole-ingress-nginx.yml.j2
+++ b/roles/kubernetes-apps/ingress_controller/ingress_nginx/templates/clusterrole-ingress-nginx.yml.j2
@@ -15,7 +15,7 @@ rules:
 verbs: ["get"]
 - apiGroups: [""]
 resources: ["services"]
- verbs: ["get", "list", "watch"]
+ verbs: ["get", "list", "update", "watch"]
 - apiGroups: ["extensions","networking.k8s.io"]
 resources: ["ingresses"]
 verbs: ["get", "list", "watch"]
diff --git a/roles/kubernetes-apps/ingress_controller/ingress_nginx/templates/ds-ingress-nginx-controller.yml.j2 b/roles/kubernetes-apps/ingress_controller/ingress_nginx/templates/ds-ingress-nginx-controller.yml.j2
index 2561de074..47f2f1e33 100644
--- a/roles/kubernetes-apps/ingress_controller/ingress_nginx/templates/ds-ingress-nginx-controller.yml.j2
+++ b/roles/kubernetes-apps/ingress_controller/ingress_nginx/templates/ds-ingress-nginx-controller.yml.j2
@@ -39,6 +39,11 @@ spec:
 - name: ingress-nginx-controller
 image: {{ ingress_nginx_controller_image_repo }}:{{ ingress_nginx_controller_image_tag }}
 imagePullPolicy: {{ k8s_image_pull_policy }}
+ lifecycle:
+ preStop:
+ exec:
+ command:
+ - /wait-shutdown
 args:
 - /nginx-ingress-controller
 - --configmap=$(POD_NAMESPACE)/ingress-nginx
@@ -84,16 +89,18 @@ spec:
 path: /healthz
 port: 10254
 scheme: HTTP
- initialDelaySeconds: 5
+ initialDelaySeconds: 10
+ periodSeconds: 10
 timeoutSeconds: 5
 successThreshold: 1
- failureThreshold: 10
- readinessProbe:
 failureThreshold: 3
+ readinessProbe:
 httpGet:
 path: /healthz
 port: 10254
 scheme: HTTP
+ initialDelaySeconds: 10
+ periodSeconds: 10
 timeoutSeconds: 5
 successThreshold: 1
- failureThreshold: 10
+ failureThreshold: 3
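Review bot: The `services` rule in clusterrole-ingress-nginx.yml.j2 now carries `update`, which gives the controller's service account write access to every Service in the cluster, and nothing in the hunk says which controller feature needs it. The same verb is added to the namespaced `services` rule in role-ingress-nginx.yml.j2. The controller is the component that parses outside traffic, so its RBAC should stay read-only wherever possible. If the write is required, I would keep it in the Role only and leave this line as `verbs: ["get", "list", "watch"]`, or at least add a comment such as `# update: required by <feature>; remove once no longer needed` above it. The rules list starts and ends outside the hunk.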
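Review bot: The `preStop` hook added in ds-ingress-nginx-controller.yml.j2 execs `/wait-shutdown` unconditionally, while the image is still chosen by `ingress_nginx_controller_image_repo` and `ingress_nginx_controller_image_tag`, so an overridden image that does not ship that binary would have a failing hook on every pod stop. The hook also only has the pod's `terminationGracePeriodSeconds` to run in, and that field is not visible in this hunk. I would add a comment above `lifecycle:` along the lines of `# /wait-shutdown must exist in the controller image; bounded by terminationGracePeriodSeconds`, and confirm the grace period is long enough for connections to drain. The container spec starts and ends outside the hunk.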
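Review bot: After the probe hunk in ds-ingress-nginx-controller.yml.j2, the first probe (presumably the livenessProbe; its header is outside the hunk) and the readinessProbe are identical: `/healthz` on 10254, `periodSeconds: 10`, `failureThreshold: 3`. A controller that is slow to answer is therefore restarted at the same moment it would only have been taken out of rotation. With the first probe's `failureThreshold` dropped from 10 to 3, about 30 seconds of failed checks now triggers a restart, and on a DaemonSet under load that can hit controllers on several nodes at once. I would keep liveness more tolerant than readiness, e.g. `failureThreshold: 5` on the first probe, or add a comment explaining why the two must match.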
diff --git a/roles/kubernetes-apps/ingress_controller/ingress_nginx/templates/role-ingress-nginx.yml.j2 b/roles/kubernetes-apps/ingress_controller/ingress_nginx/templates/role-ingress-nginx.yml.j2
index f224fae2c..218b23747 100644
--- a/roles/kubernetes-apps/ingress_controller/ingress_nginx/templates/role-ingress-nginx.yml.j2
+++ b/roles/kubernetes-apps/ingress_controller/ingress_nginx/templates/role-ingress-nginx.yml.j2
@@ -9,8 +9,20 @@ metadata:
 app.kubernetes.io/part-of: ingress-nginx
 rules:
 - apiGroups: [""]
- resources: ["configmaps", "pods", "secrets", "namespaces"]
+ resources: ["namespaces"]
 verbs: ["get"]
+ - apiGroups: [""]
+ resources: ["configmaps", "pods", "secrets", "endpoints"]
+ verbs: ["get", "list", "watch"]
+ - apiGroups: [""]
+ resources: ["services"]
+ verbs: ["get", "list", "update", "watch"]
+ - apiGroups: ["extensions", "networking.k8s.io"]
+ resources: ["ingresses"]
+ verbs: ["get", "list", "watch"]
+ - apiGroups: ["extensions", "networking.k8s.io"]
+ resources: ["ingresses/status"]
+ verbs: ["update"]
 - apiGroups: [""]
 resources: ["configmaps"]
 # Defaults to "-"
@@ -24,7 +36,10 @@ rules:
 verbs: ["create"]
 - apiGroups: [""]
 resources: ["endpoints"]
- verbs: ["get"]
+ verbs: ["create", "get", "update"]
+ - apiGroups: [""]
+ resources: ["events"]
+ verbs: ["create", "patch"]
 - apiGroups: ["policy"]
 resourceNames: ["ingress-nginx"]
 resources: ["podsecuritypolicies"]
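Review bot: The added rule for `configmaps, pods, secrets, endpoints` in role-ingress-nginx.yml.j2 widens `secrets` from `get` to `get, list, watch`, and `list` on Secrets returns the full contents of every Secret in the namespace this Role is bound in. That is acceptable for a namespace dedicated to the controller, but the template does not say so, and any other workload's credentials placed there become readable by the controller's service account. I would add `# list/watch on secrets exposes every Secret in this namespace; keep the namespace dedicated to ingress-nginx` above that rule. The `services` and `ingresses` rules added here repeat rules visible in the ClusterRole hunk; if both objects are bound to the same service account, one copy could be dropped. The rules list continues outside the hunk.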
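Review bot: The `endpoints` rule in the second hunk of role-ingress-nginx.yml.j2 now grants `create` and `update` with no `resourceNames`, so the service account can rewrite any Endpoints object in the namespace, whereas the `configmaps` rule earlier in the file carries a default-name comment and appears to be name-restricted. If the write is only for one known object (presumably the leader-election lock — confirm), split the rule: keep `verbs: ["create"]` unrestricted, since RBAC cannot limit create by name, and put `verbs: ["get", "update"]` under `resourceNames: ["<lock-name>"]`. `get` on endpoints is also already granted by the `get, list, watch` rule added in the previous hunk. The rules list starts and ends outside the hunk.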