1. Why use Ingress
Advantage 1: a single entry point at very low cost
This is the core value of Ingress.
- How it works: you need only one LoadBalancer Service (or one NodePort plus an external load balancer) for the Ingress Controller. That single entry point handles the traffic for every externally exposed service.
- What you gain:
  - Very low cost: you pay for one cloud load balancer instead of one per service. However many services you run internally, the cost of the external entry point stays fixed.
  - Saves IP addresses: the whole cluster needs a single public IP.
  - Clear architecture: all external traffic passes through one entry point, which makes monitoring, log management and the enforcement of security policy much easier.
Advantage 2: host-based routing
Ingress decides which backend Service to forward to based on the Host header of the HTTP request (that is, the domain name).
Advantage 3: path-based routing
Under the same domain name, Ingress can also forward traffic based on the URL path.
Advantage 4: centralised TLS/SSL management
This is a major operational advantage of Ingress.
- How it works: you configure the TLS certificate once on the Ingress. The Ingress Controller performs all HTTPS encryption and decryption (TLS termination); by default the hop from the controller to the backend Pods is then plain HTTP unless you secure it separately.
Advantage 5: rich extension features
Ingress is not just a router; it is a full traffic gateway. Through annotations you can enable advanced features such as:
- URL rewriting: rewrite a request for /external-path to /internal-path before forwarding it to the backend.
- Authentication and authorisation: integrate OAuth2, Basic Auth and so on to protect your services.
- Rate limiting: stop malicious or bursty traffic from overwhelming backend services.
- Session affinity: make sure requests from the same user always go to the same Pod.
- CORS configuration: handle cross-origin access.
2. Ingress deployment
2.1 Link
The link below is the latest ingress-nginx deployment manifest. If you cannot fetch it because of restricted internet access, copy it from the [Appendix] of this article.
https://raw.githubusercontent.com/kubernetes/ingress-nginx/main/deploy/static/provider/cloud/deploy.yaml
Change the image addresses. Note that the second sed strips the @sha256 digest from every image reference: the digest is what pins the image to exact upstream content, so after this step the mirror's tag is trusted on name alone. Keep a copy of the original digests if you want to verify the mirrored images later.
# Strip the @sha256 digest (a re-pushed mirror copy may not carry the upstream digest)
sed -i "s#registry.k8s.io#swr.cn-north-4.myhuaweicloud.com/ddn-k8s/registry.k8s.io#g" deploy.yaml && sed -i "s/@sha256:.*$//" deploy.yaml
# Check the image addresses
grep registry.k8s.io deploy.yaml
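The two sed commands repoint the images at a mirror and drop the @sha256 digests, which is also where the supply-chain risk sits: the digest is the only thing that ties a tag to exact upstream content. The following Python script is an added example, not part of the original article or of ingress-nginx. It performs the same rewrite but records the upstream digests so they can later be compared with what the mirror actually serves (for example the output of `crane digest <mirror-ref>`). The MIRROR constant follows the tutorial, the manifest excerpt is constructed here from the image lines in the appendix, and any digest map passed to verify_mirror is assumed to come from querying the mirror.

```python
from __future__ import annotations

import re

UPSTREAM = "registry.k8s.io"
# Mirror prefix used by the tutorial; replace with your own mirror (assumption).
MIRROR = "swr.cn-north-4.myhuaweicloud.com/ddn-k8s/registry.k8s.io"

# Matches "registry.k8s.io/<repo>:<tag>" with an optional "@sha256:<64 hex>" pin.
IMAGE_RE = re.compile(
    r"(?P<ref>" + re.escape(UPSTREAM) + r"/[A-Za-z0-9._/-]+:[A-Za-z0-9._-]+)"
    r"(?:@sha256:(?P<digest>[0-9a-f]{64}))?"
)

# Constructed excerpt of deploy.yaml: the image lines of the controller and the certgen job.
SAMPLE_MANIFEST = """\
        image: registry.k8s.io/ingress-nginx/controller:v1.14.1@sha256:f95a79b85fb93ac3de752c71a5c27d5ceae10a18b61904dec224c1c6a4581e47
        imagePullPolicy: IfNotPresent
        image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v1.6.5@sha256:03a00eb0e255e8a25fa49926c24cde0f7e12e8d072c445cdf5136ec78b546285
"""


def rewrite_images(manifest: str, mirror: str = MIRROR) -> tuple[str, dict[str, str]]:
    """Equivalent of the two sed commands: swap the registry prefix and strip the digest.

    Returns the rewritten manifest plus a map of upstream ref -> upstream digest, so the
    pin is recorded instead of silently thrown away."""
    pinned: dict[str, str] = {}

    def _sub(m: re.Match) -> str:
        ref, digest = m.group("ref"), m.group("digest")
        if digest:
            pinned[ref] = digest
        return ref.replace(UPSTREAM, mirror, 1)

    return IMAGE_RE.sub(_sub, manifest), pinned


def verify_mirror(pinned: dict[str, str], mirror_digests: dict[str, str],
                  mirror: str = MIRROR) -> list[str]:
    """Compare the recorded upstream digests with digests observed on the mirror.

    mirror_digests maps mirror ref -> digest as reported by the mirror registry
    (e.g. `crane digest <ref>`). Returns the mirror refs that are missing or differ.
    A mismatch is not proof of tampering (a mirror that re-pushed a single platform
    gets a different manifest digest), but it does mean the upstream pin no longer
    holds and the image must be vetted another way before it runs as the cluster edge."""
    bad: list[str] = []
    for ref, upstream_digest in pinned.items():
        mirror_ref = ref.replace(UPSTREAM, mirror, 1)
        if mirror_digests.get(mirror_ref) != upstream_digest:
            bad.append(mirror_ref)
    return bad


if __name__ == "__main__":
    text, pins = rewrite_images(SAMPLE_MANIFEST)
    print(text)
    for ref, digest in pins.items():
        print(f"{ref} was pinned to sha256:{digest}")
```

Run it on the real deploy.yaml by reading the file into rewrite_images and writing the first return value back; the second return value is the list of pins to check against the mirror before the controller is deployed.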

2.2 Image list
| Ingress image list |
|---|
| swr.cn-north-4.myhuaweicloud.com/ddn-k8s/registry.k8s.io/ingress-nginx/controller:v1.14.1 |
| swr.cn-north-4.myhuaweicloud.com/ddn-k8s/registry.k8s.io/ingress-nginx/kube-webhook-certgen:v1.6.5 |
2.3 Deploy ingress-nginx
kubectl apply -f deploy.yaml

Shortly afterwards the ingress controller Pod is running and the two admission jobs have completed.


3. EXTERNAL-IP (external IP)
Looking at the ingress Service, the EXTERNAL-IP shows <pending>. The official documentation says: "It will be the EXTERNAL-IP field. If that field shows <pending>, this means that your Kubernetes cluster wasn't able to provision the load balancer (generally, this is because it doesn't support services of type LoadBalancer)." In other words: if the field shows <pending>, the cluster could not provision a load balancer, usually because it does not support Services of type LoadBalancer.
Read on for the fix.

3.1 MetalLB
Idea: a LoadBalancer Service is normally fulfilled by the cloud provider's controller or a load-balancer driver; a bare-metal cluster has neither, so nothing ever assigns the address.
Method: MetalLB, a load-balancer implementation designed for bare-metal Kubernetes. It lets the cluster "pretend" it has a cloud provider and answers requests for Services of type LoadBalancer.
3.1.1 Install MetalLB
Address of the latest release. If you cannot fetch the deployment file because of restricted internet access, copy it from the [Appendix] of this article.
# Link
https://raw.githubusercontent.com/metallb/metallb/v0.15.3/config/manifests/metallb-native.yaml
MetalLB address pool (the file is called configmap.yaml here, but it contains an IPAddressPool and an L2Advertisement, not a ConfigMap)
cat > configmap.yaml << EOF
apiVersion: metallb.io/v1beta1
kind: IPAddressPool
metadata:
  name: first-pool
  namespace: metallb-system
spec:
  addresses:
  # Load-balancer IPs. Use a range from your own network that is on the same L2 segment as
  # the nodes and is not handed out by DHCP or used by any host; each IP can front a different Service
  - 172.16.10.200-172.16.10.250
---
apiVersion: metallb.io/v1beta1
kind: L2Advertisement
metadata:
  name: empty
  namespace: metallb-system
EOF
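MetalLB hands out addresses from that pool and, in L2 mode, answers ARP for them from one of the nodes, so the addresses must be free and on the same L2 segment as the nodes; a range that overlaps a node, the gateway or a DHCP scope produces duplicate-IP outages that are hard to diagnose. The following Python pre-flight check is an added example, not part of the original article or of MetalLB. It expands the spec.addresses entries (MetalLB accepts both CIDRs and start-end ranges) and reports addresses outside the node subnet or colliding with a list of reserved addresses. The node subnet and the reserved list are assumptions about this network; only the pool range comes from the article.

```python
from __future__ import annotations

import ipaddress
from typing import Iterable


def expand_addresses(entries: Iterable[str]) -> set:
    """Expand IPAddressPool.spec.addresses entries into individual addresses.

    MetalLB accepts either a CIDR ("172.16.10.0/24") or an inclusive range
    ("172.16.10.200-172.16.10.250"). A bare address is treated as a /32."""
    out = set()
    for entry in entries:
        entry = entry.strip()
        if "-" in entry:
            start_s, end_s = entry.split("-", 1)
            start = ipaddress.ip_address(start_s.strip())
            end = ipaddress.ip_address(end_s.strip())
            if end < start:
                raise ValueError(f"range end before start: {entry}")
            # type(start) keeps the address family (IPv4Address / IPv6Address)
            out.update(type(start)(n) for n in range(int(start), int(end) + 1))
        else:
            # MetalLB allocates every address of a CIDR, network and broadcast included,
            # unless avoidBuggyIPs is set on the pool; model the default.
            out.update(ipaddress.ip_network(entry, strict=False))
    return out


def check_pool(addresses: Iterable[str], node_subnet: str, reserved: Iterable[str]) -> dict:
    """Report pool addresses that are off the nodes' L2 segment or already taken.

    reserved: addresses, ranges or CIDRs in use on the segment (node IPs, gateway,
    DHCP scope). Returns the pool size and the two offending lists (empty means OK)."""
    pool = expand_addresses(addresses)
    subnet = ipaddress.ip_network(node_subnet, strict=False)
    taken = expand_addresses(reserved)
    off_segment = sorted(ip for ip in pool if ip not in subnet)
    collisions = sorted(pool & taken)
    return {
        "size": len(pool),
        "off_segment": [str(ip) for ip in off_segment],
        "collisions": [str(ip) for ip in collisions],
    }


# Pool from the tutorial plus an assumed layout of the 172.16.10.0/24 segment:
# gateway at .1, nodes at .11-.13, DHCP scope at .100-.199.
POOL = ["172.16.10.200-172.16.10.250"]
NODE_SUBNET = "172.16.10.0/24"
RESERVED = ["172.16.10.1", "172.16.10.11-172.16.10.13", "172.16.10.100-172.16.10.199"]

if __name__ == "__main__":
    print(check_pool(POOL, NODE_SUBNET, RESERVED))
```

Feed it the real node addresses and DHCP scope before applying the pool; an empty off_segment and collisions list is the condition under which L2 mode can announce the addresses safely.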
3.1.2 Image list
| MetalLB image list |
|---|
| quay.io/metallb/controller:v0.15.3 |
| quay.io/metallb/speaker:v0.15.3 |
3.1.3 Deploy MetalLB
kubectl apply -f metallb-native.yaml
kubectl apply -f configmap.yaml
If the second apply is rejected because the MetalLB webhook is not ready yet, wait until the Pods in metallb-system are Running and run it again.

3.1.4 Check the external IP
kubectl -n ingress-nginx get svc

The external load-balancer IP has now been assigned. Open it in a browser: any response from nginx means the path from outside to the controller works, and a 404 is expected at this point because no Ingress rules exist yet. Continue with chapter 4.

4. Ingress rules
4.1 Deployment and Service for dev-demo
apiVersion: apps/v1
kind: Deployment
metadata:
  name: dev-demo
  namespace: devops
spec:
  replicas: 1
  selector:
    matchLabels:
      app: dev-demo
  template:
    metadata:
      labels:
        app: dev-demo
    spec:
      containers:
      - name: dev-demo
        image: harbor.test.com/java-dev/demo:v1.0
        volumeMounts: []
      volumes: []
      restartPolicy: Always
      dnsPolicy: ClusterFirst
---
apiVersion: v1
kind: Service
metadata:
  name: dev-demo
  namespace: devops
spec:
  selector:
    app: dev-demo
  ports:
  - name: dev-demo-8080
    protocol: TCP
    port: 8080
    targetPort: 8080
4.2 Ingress rule
Note: the class of an Ingress rule must match the class name configured on the ingress controller; otherwise, like a student who cannot find their classroom, the rule is never picked up.
Check the ingress controller's class. Unless it has been changed, the default is nginx:
grep -A 8 'IngressClass' deploy.yaml

ingress-rule.yaml
cat > ingress-rule.yaml << EOF
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  # name of the Ingress
  name: dev-ingress
  # namespace of the Ingress; must be the same as the backend Service's
  namespace: devops
spec:
  # !!! the IngressClass handled by the ingress controller
  ingressClassName: nginx
  rules:
  # host of the single entry point; a custom domain here, which has to be added to the hosts file
  - host: mydevweb.local
    http:
      paths:
      # path prefix forwarded to the backend Service
      - path: /
        # path type
        pathType: Prefix
        # backend Service: name and port
        backend:
          service:
            name: dev-demo
            port:
              number: 8080
EOF
# apply
kubectl apply -f ingress-rule.yaml
4.3 Accessing the backend by host
4.3.1 Add local name resolution
Linux (172.16.10.200 is the EXTERNAL-IP MetalLB assigned to the ingress Service):
echo "172.16.10.200 mydevweb.local" >> /etc/hosts
Windows: save the following as a .bat file and run it as administrator
:: Fill in the real IP and hostname
set host=172.16.10.200 mydevweb.local
set tab=
set file=C:\Windows\System32\drivers\etc\hosts
echo.%tab% >> %file%
echo %host% >> %file%
4.3.2 Access via the host
You do not need to write a separate host and path for every API endpoint; Ingress was designed to handle this efficiently. A single prefix such as / or /api matches every request under it.
4.3.2.1 Catch-all prefix /
# Example: matches every request, since every path starts with /
- path: /

4.3.2.2 Prefix /api
# Example
- path: /api

When the rule only matches the /api prefix, requests to the same backend that do not start with /api (for example plain /) no longer match any rule, and the controller answers 404.

Requests under /api are unaffected.


4.3.2.3 Ingress rewrite annotation
cat > ingress-rule.yaml << EOF
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: dev-ingress
  namespace: devops
  # annotations
  annotations:
    # every request matched by path: /api is rewritten to /
    nginx.ingress.kubernetes.io/rewrite-target: /
spec:
  ingressClassName: nginx
  rules:
  - host: mydevweb.local
    http:
      paths:
      - path: /api
        pathType: Prefix
        backend:
          service:
            name: dev-demo
            port:
              number: 8080
EOF
1. Every request with the /api prefix is rewritten to / before it is forwarded, so the backend sees it as if /api had never been there. A request for plain / still does not match the /api rule and returns 404, exactly as in 4.3.2.2.
2. Whatever follows the prefix, /api, /api/end and so on, all of it is rewritten to /: without a capture group in the path, rewrite-target replaces the entire URI, so the remainder of the path is lost.



4.4 Adding multiple Ingress rules
4.4.1 Adding a rule for a new host
1. A backend usually has several API endpoints, and Ingress can forward to several backends; here Jenkins is exposed externally through an Ingress rule.
2. Use a new host to separate the backends: jenkins.mydevweb.local
cat > ingress-rule.yaml << EOF
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: dev-ingress
  namespace: devops
spec:
  ingressClassName: nginx
  rules:
  - host: mydevweb.local
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: dev-demo
            port:
              number: 8080
  # Service information for Jenkins goes here
  - host: jenkins.mydevweb.local
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: jenkins-master
            port:
              number: 8080
EOF
4.4.1.1 Add local name resolution
Linux:
echo "172.16.10.200 jenkins.mydevweb.local" >> /etc/hosts
Windows:
:: Fill in the real IP and hostname
set host=172.16.10.200 jenkins.mydevweb.local
set tab=
set file=C:\Windows\System32\drivers\etc\hosts
echo.%tab% >> %file%
echo %host% >> %file%
4.4.1.2 Request Jenkins on the new host
The request succeeds.

4.4.2 Without adding a host rule
The drawback is a possible conflict over the / prefix between backends, because Jenkins' own paths start at /. Below, dev-demo's / is given up: only /api is matched for dev-demo, and / goes to Jenkins. The longest matching path wins, so /api/... still reaches dev-demo while everything else, including /, reaches Jenkins:
cat > ingress-rule.yaml << EOF
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: dev-ingress
  namespace: devops
spec:
  ingressClassName: nginx
  rules:
  - host: mydevweb.local
    http:
      paths:
      # dev-demo Service and its prefix
      - path: /api
        pathType: Prefix
        backend:
          service:
            name: dev-demo
            port:
              number: 8080
      # Jenkins Service and its prefix
      - path: /
        pathType: Prefix
        backend:
          service:
            name: jenkins-master
            port:
              number: 8080
EOF
4.4.2.1 Request Jenkins on the original host
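The routing behaviour described in 4.3.2, 4.3.2.3 and 4.4 (prefix matching, longest match wins, one host per backend versus a shared host, and what rewrite-target does to the path) is easy to get wrong, and the resulting 404s are silent. The following Python model is an added example, not part of the original article or of ingress-nginx: it applies the article's rule sets to sample requests and shows which backend each request reaches and which URI that backend sees. It goes beyond the article in one respect, the REWRITE_KEEP variant, which uses the capture-group form from the ingress-nginx rewrite documentation (path `/api(/|$)(.*)` with rewrite-target `/$2` and the use-regex annotation) so the remainder of the path survives. The backend names with ports and the sample URIs are assumptions. Prefix is implemented as the Ingress API defines it (element-wise, so /api does not cover /apix); whether a given controller version treats that edge case identically is something to verify against the real controller.

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional


@dataclass
class Path:
    path: str
    backend: str                  # "<service>:<port>"
    path_type: str = "Prefix"     # Prefix | Exact | ImplementationSpecific


@dataclass
class Rule:
    host: str
    paths: list[Path]


@dataclass
class Ingress:
    rules: list[Rule]
    rewrite_target: Optional[str] = None   # nginx.ingress.kubernetes.io/rewrite-target
    use_regex: bool = False                # nginx.ingress.kubernetes.io/use-regex


def prefix_match(pattern: str, uri: str) -> bool:
    """Prefix as the Ingress API defines it: matched element by element, so /api
    covers /api and /api/end but not /apix."""
    p = pattern.rstrip("/")
    if p == "":
        return True
    return uri == p or uri.startswith(p + "/")


def rewrite(ing: Ingress, path: str, uri: str) -> str:
    """Model of ingress-nginx's `rewrite "(?i)<path>" <target> break;`: nginx replaces
    the whole URI with the target, substituting $1..$9 from capture groups in <path>.
    A target without captures therefore discards everything after the prefix."""
    if ing.rewrite_target is None:
        return uri
    m = re.search(path, uri, re.IGNORECASE)
    if m is None:
        return uri
    return re.sub(r"\$(\d)", lambda g: m.group(int(g.group(1))) or "", ing.rewrite_target)


def route(ing: Ingress, host: str, uri: str) -> tuple[Optional[str], str]:
    """Pick the backend for (Host header, request URI) and the URI the backend will see.
    Longest matching path wins; Exact beats Prefix of equal length. (None, uri) means
    no rule matched and the controller itself answers 404."""
    regex_mode = ing.use_regex or ing.rewrite_target is not None
    candidates = []
    for rule in ing.rules:
        if rule.host != host:            # exact host match only (no wildcards modelled)
            continue
        for p in rule.paths:
            if p.path_type == "Exact":
                hit = uri == p.path
            elif regex_mode:
                # with rewrite-target or use-regex the path is a case-insensitive regex
                # anchored at the start of the URI
                hit = re.match(p.path, uri, re.IGNORECASE) is not None
            else:
                hit = prefix_match(p.path, uri)
            if hit:
                candidates.append((len(p.path), p.path_type == "Exact", p))
    if not candidates:
        return None, uri
    _, _, best = max(candidates, key=lambda c: (c[0], c[1]))
    return best.backend, rewrite(ing, best.path, uri)


# --- the article's rule sets -------------------------------------------------
# 4.4.2: one host, /api -> dev-demo, / -> jenkins
SHARED_HOST = Ingress(rules=[Rule("mydevweb.local", [
    Path("/api", "dev-demo:8080"),
    Path("/", "jenkins-master:8080"),
])])

# 4.4.1: one host per backend
PER_HOST = Ingress(rules=[
    Rule("mydevweb.local", [Path("/", "dev-demo:8080")]),
    Rule("jenkins.mydevweb.local", [Path("/", "jenkins-master:8080")]),
])

# 4.3.2.3: rewrite-target "/" with a plain prefix collapses every /api... URI to /
REWRITE_COLLAPSE = Ingress(
    rules=[Rule("mydevweb.local", [Path("/api", "dev-demo:8080")])],
    rewrite_target="/",
)

# The form from the ingress-nginx rewrite docs: capture the remainder and keep it
REWRITE_KEEP = Ingress(
    rules=[Rule("mydevweb.local", [Path("/api(/|$)(.*)", "dev-demo:8080", "ImplementationSpecific")])],
    rewrite_target="/$2",
    use_regex=True,
)

if __name__ == "__main__":
    for ing, name in [(SHARED_HOST, "shared host"), (REWRITE_COLLAPSE, "rewrite /"), (REWRITE_KEEP, "rewrite /$2")]:
        for uri in ["/", "/api", "/api/end", "/apix", "/login"]:
            print(f"{name:12} {uri:10} -> {route(ing, 'mydevweb.local', uri)}")
```

The two rewrite variants are the point to compare: with REWRITE_COLLAPSE a request for /api/end reaches dev-demo as /, with REWRITE_KEEP it reaches dev-demo as /end, which is what a backend that was written to live at / expects.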

Appendix
Ingress deployment file
apiVersion: v1
kind: Namespace
metadata:
  labels:
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
  name: ingress-nginx
---
apiVersion: v1
automountServiceAccountToken: true
kind: ServiceAccount
metadata:
  labels:
    app.kubernetes.io/component: controller
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
    app.kubernetes.io/version: 1.14.1
  name: ingress-nginx
  namespace: ingress-nginx
---
apiVersion: v1
automountServiceAccountToken: true
kind: ServiceAccount
metadata:
  labels:
    app.kubernetes.io/component: admission-webhook
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
    app.kubernetes.io/version: 1.14.1
  name: ingress-nginx-admission
  namespace: ingress-nginx
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  labels:
    app.kubernetes.io/component: controller
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
    app.kubernetes.io/version: 1.14.1
  name: ingress-nginx
  namespace: ingress-nginx
rules:
- apiGroups:
  - ""
  resources:
  - namespaces
  verbs:
  - get
- apiGroups:
  - ""
  resources:
  - configmaps
  - pods
  - secrets
  - endpoints
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - services
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - networking.k8s.io
  resources:
  - ingresses
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - networking.k8s.io
  resources:
  - ingresses/status
  verbs:
  - update
- apiGroups:
  - networking.k8s.io
  resources:
  - ingressclasses
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - coordination.k8s.io
  resourceNames:
  - ingress-nginx-leader
  resources:
  - leases
  verbs:
  - get
  - update
- apiGroups:
  - coordination.k8s.io
  resources:
  - leases
  verbs:
  - create
- apiGroups:
  - ""
  resources:
  - events
  verbs:
  - create
  - patch
- apiGroups:
  - discovery.k8s.io
  resources:
  - endpointslices
  verbs:
  - list
  - watch
  - get
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  labels:
    app.kubernetes.io/component: admission-webhook
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
    app.kubernetes.io/version: 1.14.1
  name: ingress-nginx-admission
  namespace: ingress-nginx
rules:
- apiGroups:
  - ""
  resources:
  - secrets
  verbs:
  - get
  - create
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  labels:
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
    app.kubernetes.io/version: 1.14.1
  name: ingress-nginx
rules:
- apiGroups:
  - ""
  resources:
  - configmaps
  - endpoints
  - nodes
  - pods
  - secrets
  - namespaces
  verbs:
  - list
  - watch
- apiGroups:
  - coordination.k8s.io
  resources:
  - leases
  verbs:
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - nodes
  verbs:
  - get
- apiGroups:
  - ""
  resources:
  - services
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - networking.k8s.io
  resources:
  - ingresses
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - events
  verbs:
  - create
  - patch
- apiGroups:
  - networking.k8s.io
  resources:
  - ingresses/status
  verbs:
  - update
- apiGroups:
  - networking.k8s.io
  resources:
  - ingressclasses
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - discovery.k8s.io
  resources:
  - endpointslices
  verbs:
  - list
  - watch
  - get
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  labels:
    app.kubernetes.io/component: admission-webhook
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
    app.kubernetes.io/version: 1.14.1
  name: ingress-nginx-admission
rules:
- apiGroups:
  - admissionregistration.k8s.io
  resources:
  - validatingwebhookconfigurations
  verbs:
  - get
  - update
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  labels:
    app.kubernetes.io/component: controller
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
    app.kubernetes.io/version: 1.14.1
  name: ingress-nginx
  namespace: ingress-nginx
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: ingress-nginx
subjects:
- kind: ServiceAccount
  name: ingress-nginx
  namespace: ingress-nginx
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  labels:
    app.kubernetes.io/component: admission-webhook
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
    app.kubernetes.io/version: 1.14.1
  name: ingress-nginx-admission
  namespace: ingress-nginx
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: ingress-nginx-admission
subjects:
- kind: ServiceAccount
  name: ingress-nginx-admission
  namespace: ingress-nginx
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  labels:
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
    app.kubernetes.io/version: 1.14.1
  name: ingress-nginx
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: ingress-nginx
subjects:
- kind: ServiceAccount
  name: ingress-nginx
  namespace: ingress-nginx
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  labels:
    app.kubernetes.io/component: admission-webhook
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
    app.kubernetes.io/version: 1.14.1
  name: ingress-nginx-admission
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: ingress-nginx-admission
subjects:
- kind: ServiceAccount
  name: ingress-nginx-admission
  namespace: ingress-nginx
---
apiVersion: v1
data: null
kind: ConfigMap
metadata:
  labels:
    app.kubernetes.io/component: controller
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
    app.kubernetes.io/version: 1.14.1
  name: ingress-nginx-controller
  namespace: ingress-nginx
---
apiVersion: v1
kind: Service
metadata:
  labels:
    app.kubernetes.io/component: controller
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
    app.kubernetes.io/version: 1.14.1
  name: ingress-nginx-controller
  namespace: ingress-nginx
spec:
  externalTrafficPolicy: Local
  ipFamilies:
  - IPv4
  ipFamilyPolicy: SingleStack
  ports:
  - appProtocol: http
    name: http
    port: 80
    protocol: TCP
    targetPort: http
  - appProtocol: https
    name: https
    port: 443
    protocol: TCP
    targetPort: https
  selector:
    app.kubernetes.io/component: controller
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
  type: LoadBalancer
---
apiVersion: v1
kind: Service
metadata:
  labels:
    app.kubernetes.io/component: controller
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
    app.kubernetes.io/version: 1.14.1
  name: ingress-nginx-controller-admission
  namespace: ingress-nginx
spec:
  ports:
  - appProtocol: https
    name: https-webhook
    port: 443
    targetPort: webhook
  selector:
    app.kubernetes.io/component: controller
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
  type: ClusterIP
---
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app.kubernetes.io/component: controller
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
    app.kubernetes.io/version: 1.14.1
  name: ingress-nginx-controller
  namespace: ingress-nginx
spec:
  minReadySeconds: 0
  revisionHistoryLimit: 10
  selector:
    matchLabels:
      app.kubernetes.io/component: controller
      app.kubernetes.io/instance: ingress-nginx
      app.kubernetes.io/name: ingress-nginx
  strategy:
    rollingUpdate:
      maxUnavailable: 1
    type: RollingUpdate
  template:
    metadata:
      labels:
        app.kubernetes.io/component: controller
        app.kubernetes.io/instance: ingress-nginx
        app.kubernetes.io/name: ingress-nginx
        app.kubernetes.io/part-of: ingress-nginx
        app.kubernetes.io/version: 1.14.1
    spec:
      automountServiceAccountToken: true
      containers:
      - args:
        - /nginx-ingress-controller
        - --publish-service=$(POD_NAMESPACE)/ingress-nginx-controller
        - --election-id=ingress-nginx-leader
        - --controller-class=k8s.io/ingress-nginx
        - --ingress-class=nginx
        - --configmap=$(POD_NAMESPACE)/ingress-nginx-controller
        - --validating-webhook=:8443
        - --validating-webhook-certificate=/usr/local/certificates/cert
        - --validating-webhook-key=/usr/local/certificates/key
        env:
        - name: POD_NAME
          valueFrom:
            fieldRef:
              fieldPath: metadata.name
        - name: POD_NAMESPACE
          valueFrom:
            fieldRef:
              fieldPath: metadata.namespace
        - name: LD_PRELOAD
          value: /usr/local/lib/libmimalloc.so
        image: registry.k8s.io/ingress-nginx/controller:v1.14.1@sha256:f95a79b85fb93ac3de752c71a5c27d5ceae10a18b61904dec224c1c6a4581e47
        imagePullPolicy: IfNotPresent
        lifecycle:
          preStop:
            exec:
              command:
              - /wait-shutdown
        livenessProbe:
          failureThreshold: 5
          httpGet:
            path: /healthz
            port: 10254
            scheme: HTTP
          initialDelaySeconds: 10
          periodSeconds: 10
          successThreshold: 1
          timeoutSeconds: 1
        name: controller
        ports:
        - containerPort: 80
          name: http
          protocol: TCP
        - containerPort: 443
          name: https
          protocol: TCP
        - containerPort: 8443
          name: webhook
          protocol: TCP
        readinessProbe:
          failureThreshold: 3
          httpGet:
            path: /healthz
            port: 10254
            scheme: HTTP
          initialDelaySeconds: 10
          periodSeconds: 10
          successThreshold: 1
          timeoutSeconds: 1
        resources:
          requests:
            cpu: 100m
            memory: 90Mi
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            add:
            - NET_BIND_SERVICE
            drop:
            - ALL
          readOnlyRootFilesystem: false
          runAsGroup: 82
          runAsNonRoot: true
          runAsUser: 101
          seccompProfile:
            type: RuntimeDefault
        volumeMounts:
        - mountPath: /usr/local/certificates/
          name: webhook-cert
          readOnly: true
      dnsPolicy: ClusterFirst
      nodeSelector:
        kubernetes.io/os: linux
      serviceAccountName: ingress-nginx
      terminationGracePeriodSeconds: 300
      volumes:
      - name: webhook-cert
        secret:
          secretName: ingress-nginx-admission
---
apiVersion: batch/v1
kind: Job
metadata:
  labels:
    app.kubernetes.io/component: admission-webhook
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
    app.kubernetes.io/version: 1.14.1
  name: ingress-nginx-admission-create
  namespace: ingress-nginx
spec:
  template:
    metadata:
      labels:
        app.kubernetes.io/component: admission-webhook
        app.kubernetes.io/instance: ingress-nginx
        app.kubernetes.io/name: ingress-nginx
        app.kubernetes.io/part-of: ingress-nginx
        app.kubernetes.io/version: 1.14.1
      name: ingress-nginx-admission-create
    spec:
      automountServiceAccountToken: true
      containers:
      - args:
        - create
        - --host=ingress-nginx-controller-admission,ingress-nginx-controller-admission.$(POD_NAMESPACE).svc
        - --namespace=$(POD_NAMESPACE)
        - --secret-name=ingress-nginx-admission
        env:
        - name: POD_NAMESPACE
          valueFrom:
            fieldRef:
              fieldPath: metadata.namespace
        image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v1.6.5@sha256:03a00eb0e255e8a25fa49926c24cde0f7e12e8d072c445cdf5136ec78b546285
        imagePullPolicy: IfNotPresent
        name: create
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            drop:
            - ALL
          readOnlyRootFilesystem: true
          runAsGroup: 65532
          runAsNonRoot: true
          runAsUser: 65532
          seccompProfile:
            type: RuntimeDefault
      nodeSelector:
        kubernetes.io/os: linux
      restartPolicy: OnFailure
      serviceAccountName: ingress-nginx-admission
  ttlSecondsAfterFinished: 0
---
apiVersion: batch/v1
kind: Job
metadata:
  labels:
    app.kubernetes.io/component: admission-webhook
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
    app.kubernetes.io/version: 1.14.1
  name: ingress-nginx-admission-patch
  namespace: ingress-nginx
spec:
  template:
    metadata:
      labels:
        app.kubernetes.io/component: admission-webhook
        app.kubernetes.io/instance: ingress-nginx
        app.kubernetes.io/name: ingress-nginx
        app.kubernetes.io/part-of: ingress-nginx
        app.kubernetes.io/version: 1.14.1
      name: ingress-nginx-admission-patch
    spec:
      automountServiceAccountToken: true
      containers:
      - args:
        - patch
        - --webhook-name=ingress-nginx-admission
        - --namespace=$(POD_NAMESPACE)
        - --patch-mutating=false
        - --secret-name=ingress-nginx-admission
        - --patch-failure-policy=Fail
        env:
        - name: POD_NAMESPACE
          valueFrom:
            fieldRef:
              fieldPath: metadata.namespace
        image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v1.6.5@sha256:03a00eb0e255e8a25fa49926c24cde0f7e12e8d072c445cdf5136ec78b546285
        imagePullPolicy: IfNotPresent
        name: patch
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            drop:
            - ALL
          readOnlyRootFilesystem: true
          runAsGroup: 65532
          runAsNonRoot: true
          runAsUser: 65532
          seccompProfile:
            type: RuntimeDefault
      nodeSelector:
        kubernetes.io/os: linux
      restartPolicy: OnFailure
      serviceAccountName: ingress-nginx-admission
  ttlSecondsAfterFinished: 0
---
apiVersion: networking.k8s.io/v1
kind: IngressClass
metadata:
  labels:
    app.kubernetes.io/component: controller
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
    app.kubernetes.io/version: 1.14.1
  name: nginx
spec:
  controller: k8s.io/ingress-nginx
---
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
  labels:
    app.kubernetes.io/component: admission-webhook
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
    app.kubernetes.io/version: 1.14.1
  name: ingress-nginx-admission
webhooks:
- admissionReviewVersions:
  - v1
  clientConfig:
    service:
      name: ingress-nginx-controller-admission
      namespace: ingress-nginx
      path: /networking/v1/ingresses
      port: 443
  failurePolicy: Fail
  matchPolicy: Equivalent
  name: validate.nginx.ingress.kubernetes.io
  rules:
  - apiGroups:
    - networking.k8s.io
    apiVersions:
    - v1
    operations:
    - CREATE
    - UPDATE
    resources:
    - ingresses
  sideEffects: None
MetalLB deployment file
apiVersion: v1
kind: Namespace
metadata:
  labels:
    pod-security.kubernetes.io/audit: privileged
    pod-security.kubernetes.io/enforce: privileged
    pod-security.kubernetes.io/warn: privileged
  name: metallb-system
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  annotations:
    controller-gen.kubebuilder.io/version: v0.19.0
  name: bfdprofiles.metallb.io
spec:
  group: metallb.io
  names:
    kind: BFDProfile
    listKind: BFDProfileList
    plural: bfdprofiles
    singular: bfdprofile
  scope: Namespaced
  versions:
  - additionalPrinterColumns:
    - jsonPath: .spec.passiveMode
      name: Passive Mode
      type: boolean
    - jsonPath: .spec.transmitInterval
      name: Transmit Interval
      type: integer
    - jsonPath: .spec.receiveInterval
      name: Receive Interval
      type: integer
    - jsonPath: .spec.detectMultiplier
      name: Multiplier
      type: integer
    name: v1beta1
    schema:
      openAPIV3Schema:
        description: |-
          BFDProfile represents the settings of the bfd session that can be
          optionally associated with a BGP session.
        properties:
          apiVersion:
            description: |-
              APIVersion defines the versioned schema of this representation of an object.
              Servers should convert recognized schemas to the latest internal value, and
              may reject unrecognized values.
              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
            type: string
          kind:
            description: |-
              Kind is a string value representing the REST resource this object represents.
              Servers may infer this from the endpoint the client submits requests to.
              Cannot be updated.
              In CamelCase.
              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
            type: string
          metadata:
            type: object
          spec:
            description: BFDProfileSpec defines the desired state of BFDProfile.
            properties:
              detectMultiplier:
                description: |-
                  Configures the detection multiplier to determine
                  packet loss. The remote transmission interval will be multiplied
                  by this value to determine the connection loss detection timer.
                format: int32
                maximum: 255
                minimum: 2
                type: integer
              echoInterval:
                description: |-
                  Configures the minimal echo receive transmission
                  interval that this system is capable of handling in milliseconds.
                  Defaults to 50ms
                format: int32
                maximum: 60000
                minimum: 10
                type: integer
              echoMode:
                description: |-
                  Enables or disables the echo transmission mode.
                  This mode is disabled by default, and not supported on multi
                  hops setups.
                type: boolean
              minimumTtl:
                description: |-
                  For multi hop sessions only: configure the minimum
                  expected TTL for an incoming BFD control packet.
                format: int32
                maximum: 254
                minimum: 1
                type: integer
              passiveMode:
                description: |-
                  Mark session as passive: a passive session will not
                  attempt to start the connection and will wait for control packets
                  from peer before it begins replying.
                type: boolean
              receiveInterval:
                description: |-
                  The minimum interval that this system is capable of
                  receiving control packets in milliseconds.
                  Defaults to 300ms.
                format: int32
                maximum: 60000
                minimum: 10
                type: integer
              transmitInterval:
                description: |-
                  The minimum transmission interval (less jitter)
                  that this system wants to use to send BFD control packets in
                  milliseconds. Defaults to 300ms
                format: int32
                maximum: 60000
                minimum: 10
                type: integer
            type: object
          status:
            description: BFDProfileStatus defines the observed state of BFDProfile.
            type: object
        type: object
    served: true
    storage: true
    subresources:
      status: {}
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  annotations:
    controller-gen.kubebuilder.io/version: v0.19.0
  name: bgpadvertisements.metallb.io
spec:
  group: metallb.io
  names:
    kind: BGPAdvertisement
    listKind: BGPAdvertisementList
    plural: bgpadvertisements
    singular: bgpadvertisement
  scope: Namespaced
  versions:
  - additionalPrinterColumns:
    - jsonPath: .spec.ipAddressPools
      name: IPAddressPools
      type: string
    - jsonPath: .spec.ipAddressPoolSelectors
      name: IPAddressPool Selectors
      type: string
    - jsonPath: .spec.peers
      name: Peers
      type: string
    - jsonPath: .spec.nodeSelectors
      name: Node Selectors
      priority: 10
      type: string
    name: v1beta1
    schema:
      openAPIV3Schema:
        description: |-
          BGPAdvertisement allows to advertise the IPs coming
          from the selected IPAddressPools via BGP, setting the parameters of the
          BGP Advertisement.
        properties:
          apiVersion:
            description: |-
              APIVersion defines the versioned schema of this representation of an object.
              Servers should convert recognized schemas to the latest internal value, and
              may reject unrecognized values.
              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
            type: string
          kind:
            description: |-
              Kind is a string value representing the REST resource this object represents.
              Servers may infer this from the endpoint the client submits requests to.
              Cannot be updated.
              In CamelCase.
              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
            type: string
          metadata:
            type: object
          spec:
            description: BGPAdvertisementSpec defines the desired state of BGPAdvertisement.
            properties:
              aggregationLength:
                default: 32
                description: The aggregation-length advertisement option lets you
                  “roll up” the /32s into a larger prefix. Defaults to 32. Works for
                  IPv4 addresses.
                format: int32
                minimum: 1
                type: integer
              aggregationLengthV6:
                default: 128
                description: The aggregation-length advertisement option lets you
                  “roll up” the /128s into a larger prefix. Defaults to 128. Works
                  for IPv6 addresses.
                format: int32
                type: integer
              communities:
                description: |-
                  The BGP communities to be associated with the announcement. Each item can be a standard community of the
                  form 1234:1234, a large community of the form large:1234:1234:1234 or the name of an alias defined in the
                  Community CRD.
                items:
                  type: string
                type: array
              ipAddressPoolSelectors:
                description: |-
                  A selector for the IPAddressPools which would get advertised via this advertisement.
                  If no IPAddressPool is selected by this or by the list, the advertisement is applied to all the IPAddressPools.
                items:
                  description: |-
                    A label selector is a label query over a set of resources. The result of matchLabels and
                    matchExpressions are ANDed. An empty label selector matches all objects. A null
                    label selector matches no objects.
                  properties:
                    matchExpressions:
                      description: matchExpressions is a list of label selector requirements.
                        The requirements are ANDed.
                      items:
                        description: |-
                          A label selector requirement is a selector that contains values, a key, and an operator that
                          relates the key and values.
                        properties:
                          key:
                            description: key is the label key that the selector applies
                              to.
                            type: string
                          operator:
                            description: |-
                              operator represents a key's relationship to a set of values.
                              Valid operators are In, NotIn, Exists and DoesNotExist.
                            type: string
                          values:
                            description: |-
                              values is an array of string values. If the operator is In or NotIn,
                              the values array must be non-empty. If the operator is Exists or DoesNotExist,
                              the values array must be empty. This array is replaced during a strategic
                              merge patch.
                            items:
                              type: string
                            type: array
                            x-kubernetes-list-type: atomic
                        required:
                        - key
                        - operator
                        type: object
                      type: array
                      x-kubernetes-list-type: atomic
                    matchLabels:
                      additionalProperties:
                        type: string
                      description: |-
                        matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
                        map is equivalent to an element of matchExpressions, whose key field is "key", the
                        operator is "In", and the values array contains only "value". The requirements are ANDed.
                      type: object
                  type: object
                  x-kubernetes-map-type: atomic
                type: array
              ipAddressPools:
                description: The list of IPAddressPools to advertise via this advertisement,
                  selected by name.
                items:
                  type: string
                type: array
              localPref:
                description: |-
                  The BGP LOCAL_PREF attribute which is used by BGP best path algorithm,
                  Path with higher localpref is preferred over one with lower localpref.
                format: int32
                type: integer
              nodeSelectors:
                description: NodeSelectors allows to limit the nodes to announce as
                  next hops for the LoadBalancer IP. When empty, all the nodes having are
                  announced as next hops.
                items:
                  description: |-
                    A label selector is a label query over a set of resources. The result of matchLabels and
                    matchExpressions are ANDed. An empty label selector matches all objects. A null
                    label selector matches no objects.
                  properties:
                    matchExpressions:
                      description: matchExpressions is a list of label selector requirements.
                        The requirements are ANDed.
                      items:
                        description: |-
                          A label selector requirement is a selector that contains values, a key, and an operator that
                          relates the key and values.
                        properties:
                          key:
                            description: key is the label key that the selector applies
                              to.
                            type: string
                          operator:
                            description: |-
                              operator represents a key's relationship to a set of values.
                              Valid operators are In, NotIn, Exists and DoesNotExist.
                            type: string
                          values:
                            description: |-
                              values is an array of string values. If the operator is In or NotIn,
                              the values array must be non-empty. If the operator is Exists or DoesNotExist,
                              the values array must be empty. This array is replaced during a strategic
                              merge patch.
                            items:
                              type: string
                            type: array
                            x-kubernetes-list-type: atomic
                        required:
                        - key
                        - operator
                        type: object
                      type: array
                      x-kubernetes-list-type: atomic
                    matchLabels:
                      additionalProperties:
                        type: string
                      description: |-
                        matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
                        map is equivalent to an element of matchExpressions, whose key field is "key", the
                        operator is "In", and the values array contains only "value". The requirements are ANDed.
                      type: object
                  type: object
                  x-kubernetes-map-type: atomic
                type: array
              peers:
                description: |-
                  Peers limits the bgppeer to advertise the ips of the selected pools to.
                  When empty, the loadbalancer IP is announced to all the BGPPeers configured.
                items:
                  type: string
                type: array
            type: object
          status:
            description: BGPAdvertisementStatus defines the observed state of BGPAdvertisement.
            type: object
        type: object
    served: true
    storage: true
    subresources:
      status: {}
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  annotations:
    controller-gen.kubebuilder.io/version: v0.19.0
  name: bgppeers.metallb.io
spec:
  conversion:
    strategy: Webhook
    webhook:
      clientConfig:
        service:
          name: metallb-webhook-service
          namespace: metallb-system
          path: /convert
      conversionReviewVersions:
      - v1beta1
      - v1beta2
  group: metallb.io
  names:
    kind: BGPPeer
    listKind: BGPPeerList
    plural: bgppeers
    singular: bgppeer
  scope: Namespaced
  versions:
  - additionalPrinterColumns:
    - jsonPath: .spec.peerAddress
      name: Address
      type: string
    - jsonPath: .spec.peerASN
      name: ASN
      type: string
    - jsonPath: .spec.bfdProfile
      name: BFD Profile
      type: string
    - jsonPath: .spec.ebgpMultiHop
      name: Multi Hops
      type: string
    deprecated: true
    deprecationWarning: v1beta1 is deprecated, please use v1beta2
    name: v1beta1
    schema:
      openAPIV3Schema:
        description: BGPPeer is the Schema for the peers API.
        properties:
          apiVersion:
            description: |-
              APIVersion defines the versioned schema of this representation of an object.
              Servers should convert recognized schemas to the latest internal value, and
              may reject unrecognized values.
              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
            type: string
          kind:
            description: |-
              Kind is a string value representing the REST resource this object represents.
              Servers may infer this from the endpoint the client submits requests to.
              Cannot be updated.
              In CamelCase.
              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
            type: string
          metadata:
            type: object
          spec:
            description: BGPPeerSpec defines the desired state of Peer.
            properties:
              bfdProfile:
                type: string
              ebgpMultiHop:
                description: EBGP peer is multi-hops away
                type: boolean
              holdTime:
                description: Requested BGP hold time, per RFC4271.
                type: string
              keepaliveTime:
                description: Requested BGP keepalive time, per RFC4271.
                type: string
              myASN:
                description: AS number to use for the local end of the session.
                format: int32
                maximum: 4294967295
                minimum: 0
                type: integer
              nodeSelectors:
                description: |-
                  Only connect to this peer on nodes that match one of these
                  selectors.
                items:
                  properties:
                    matchExpressions:
                      items:
                        properties:
                          key:
                            type: string
                          operator:
                            type: string
                          values:
                            items:
                              type: string
                            minItems: 1
                            type: array
                        required:
                        - key
                        - operator
                        - values
                        type: object
                      type: array
                    matchLabels:
                      additionalProperties:
                        type: string
                      type: object
                  type: object
                type: array
              password:
                description: Authentication password for routers enforcing TCP MD5
                  authenticated sessions
                type: string
              peerASN:
                description: AS number to expect from the remote end of the session.
                format: int32
                maximum: 4294967295
                minimum: 0
                type: integer
              peerAddress:
                description: Address to dial when establishing the session.
                type: string
              peerPort:
                description: Port to dial when establishing the session.
                maximum: 16384
                minimum: 0
                type: integer
              routerID:
                description: BGP router ID to advertise to the peer
                type: string
              sourceAddress:
                description: Source address to use when establishing the session.
                type: string
            required:
            - myASN
            - peerASN
            - peerAddress
            type: object
          status:
            description: BGPPeerStatus defines the observed state of Peer.
            type: object
        type: object
    served: true
    storage: false
    subresources:
      status: {}
  - additionalPrinterColumns:
    - jsonPath: .spec.peerAddress
      name: Address
      type: string
    - jsonPath: .spec.peerASN
      name: ASN
      type: string
    - jsonPath: .spec.bfdProfile
      name: BFD Profile
      type: string
    - jsonPath: .spec.ebgpMultiHop
      name: Multi Hops
      type: string
    name: v1beta2
    schema:
      openAPIV3Schema:
        description: BGPPeer is the Schema for the peers API.
        properties:
          apiVersion:
            description: |-
              APIVersion defines the versioned schema of this representation of an object.
              Servers should convert recognized schemas to the latest internal value, and
              may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
spec:
description: BGPPeerSpec defines the desired state of Peer.
properties:
bfdProfile:
description: The name of the BFD Profile to be used for the BFD session
associated to the BGP session. If not set, the BFD session won't
be set up.
type: string
connectTime:
description: Requested BGP connect time, controls how long BGP waits
between connection attempts to a neighbor.
type: string
x-kubernetes-validations:
- message: connect time should be between 1 seconds to 65535
rule: duration(self).getSeconds() >= 1 && duration(self).getSeconds()
<= 65535
- message: connect time should contain a whole number of seconds
rule: duration(self).getMilliseconds() % 1000 == 0
disableMP:
default: false
description: |-
To set if we want to disable MP BGP that will separate IPv4 and IPv6 route exchanges into distinct BGP sessions.
Deprecated: DisableMP is deprecated in favor of dualStackAddressFamily.
type: boolean
dualStackAddressFamily:
default: false
description: |-
To set if we want to enable the neighbor not only for the ipfamily related to its session,
but also the other one. This allows to advertise/receive IPv4 prefixes over IPv6 sessions and vice versa.
type: boolean
dynamicASN:
description: |-
DynamicASN detects the AS number to use for the remote end of the session
without explicitly setting it via the ASN field. Limited to:
internal - if the neighbor's ASN is different than MyASN connection is denied.
external - if the neighbor's ASN is the same as MyASN the connection is denied.
ASN and DynamicASN are mutually exclusive and one of them must be specified.
enum:
- internal
- external
type: string
ebgpMultiHop:
description: To set if the BGPPeer is multi-hops away. Needed for
FRR mode only.
type: boolean
enableGracefulRestart:
description: |-
EnableGracefulRestart allows BGP peer to continue to forward data packets
along known routes while the routing protocol information is being
restored. This field is immutable because it requires restart of the BGP
session. Supported for FRR mode only.
type: boolean
x-kubernetes-validations:
- message: EnableGracefulRestart cannot be changed after creation
rule: self == oldSelf
holdTime:
description: Requested BGP hold time, per RFC4271.
type: string
interface:
description: |-
Interface is the node interface over which the unnumbered BGP peering will
be established. No API validation takes place as that string value
represents an interface name on the host and if user provides an invalid
value, only the actual BGP session will not be established.
Address and Interface are mutually exclusive and one of them must be specified.
type: string
keepaliveTime:
description: Requested BGP keepalive time, per RFC4271.
type: string
myASN:
description: AS number to use for the local end of the session.
format: int32
maximum: 4294967295
minimum: 0
type: integer
nodeSelectors:
description: |-
Only connect to this peer on nodes that match one of these
selectors.
items:
description: |-
A label selector is a label query over a set of resources. The result of matchLabels and
matchExpressions are ANDed. An empty label selector matches all objects. A null
label selector matches no objects.
properties:
matchExpressions:
description: matchExpressions is a list of label selector requirements.
The requirements are ANDed.
items:
description: |-
A label selector requirement is a selector that contains values, a key, and an operator that
relates the key and values.
properties:
key:
description: key is the label key that the selector applies
to.
type: string
operator:
description: |-
operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: |-
values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
type: array
x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
type: array
password:
description: Authentication password for routers enforcing TCP MD5
authenticated sessions
type: string
passwordSecret:
description: |-
passwordSecret is name of the authentication secret for BGP Peer.
the secret must be of type "kubernetes.io/basic-auth", and created in the
same namespace as the MetalLB deployment. The password is stored in the
secret as the key "password".
properties:
name:
description: name is unique within a namespace to reference a
secret resource.
type: string
namespace:
description: namespace defines the space within which the secret
name must be unique.
type: string
type: object
x-kubernetes-map-type: atomic
peerASN:
description: |-
AS number to expect from the remote end of the session.
ASN and DynamicASN are mutually exclusive and one of them must be specified.
format: int32
maximum: 4294967295
minimum: 0
type: integer
peerAddress:
description: Address to dial when establishing the session.
type: string
peerPort:
default: 179
description: Port to dial when establishing the session.
maximum: 16384
minimum: 1
type: integer
routerID:
description: BGP router ID to advertise to the peer
type: string
sourceAddress:
description: Source address to use when establishing the session.
type: string
vrf:
description: |-
To set if we want to peer with the BGPPeer using an interface belonging to
a host vrf
type: string
required:
- myASN
type: object
status:
description: BGPPeerStatus defines the observed state of Peer.
type: object
type: object
served: true
storage: true
subresources:
status: {}
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.19.0
name: communities.metallb.io
spec:
group: metallb.io
names:
kind: Community
listKind: CommunityList
plural: communities
singular: community
scope: Namespaced
versions:
- name: v1beta1
schema:
openAPIV3Schema:
description: |-
Community is a collection of aliases for communities.
Users can define named aliases to be used in the BGPPeer CRD.
properties:
apiVersion:
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
spec:
description: CommunitySpec defines the desired state of Community.
properties:
communities:
items:
properties:
name:
description: The name of the alias for the community.
type: string
value:
description: |-
The BGP community value corresponding to the given name. Can be a standard community of the form 1234:1234
or a large community of the form large:1234:1234:1234.
type: string
type: object
type: array
type: object
status:
description: CommunityStatus defines the observed state of Community.
type: object
type: object
served: true
storage: true
subresources:
status: {}
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.19.0
name: configurationstates.metallb.io
spec:
group: metallb.io
names:
kind: ConfigurationState
listKind: ConfigurationStateList
plural: configurationstates
singular: configurationstate
scope: Namespaced
versions:
- additionalPrinterColumns:
- jsonPath: .status.result
name: Result
type: string
- jsonPath: .status.errorSummary
name: ErrorSummary
type: string
- jsonPath: .metadata.creationTimestamp
name: Age
type: date
name: v1beta1
schema:
openAPIV3Schema:
description: |-
ConfigurationState is a status-only CRD that reports configuration validation results from MetalLB components.
Labels:
- metallb.io/component-type: "controller" or "speaker"
- metallb.io/node-name: node name (only for speaker)
properties:
apiVersion:
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
status:
description: ConfigurationStateStatus defines the observed state of ConfigurationState.
properties:
conditions:
description: Conditions contains the status conditions from the reconcilers
running in this component.
items:
description: Condition contains details for one aspect of the current
state of this API Resource.
properties:
lastTransitionTime:
description: |-
lastTransitionTime is the last time the condition transitioned from one status to another.
This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
format: date-time
type: string
message:
description: |-
message is a human readable message indicating details about the transition.
This may be an empty string.
maxLength: 32768
type: string
observedGeneration:
description: |-
observedGeneration represents the .metadata.generation that the condition was set based upon.
For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
with respect to the current state of the instance.
format: int64
minimum: 0
type: integer
reason:
description: |-
reason contains a programmatic identifier indicating the reason for the condition's last transition.
Producers of specific condition types may define expected values and meanings for this field,
and whether the values are considered a guaranteed API.
The value should be a CamelCase string.
This field may not be empty.
maxLength: 1024
minLength: 1
pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
type: string
status:
description: status of the condition, one of True, False, Unknown.
enum:
- "True"
- "False"
- Unknown
type: string
type:
description: type of condition in CamelCase or in foo.example.com/CamelCase.
maxLength: 316
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
type: string
required:
- lastTransitionTime
- message
- reason
- status
- type
type: object
type: array
x-kubernetes-list-map-keys:
- type
x-kubernetes-list-type: map
errorSummary:
description: |-
ErrorSummary contains the aggregated error messages from reconciliation failures.
This field is empty when Result is "Valid".
type: string
result:
description: Result indicates the configuration validation result.
enum:
- Valid
- Invalid
- Unknown
type: string
type: object
type: object
served: true
storage: true
subresources:
status: {}
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.19.0
name: ipaddresspools.metallb.io
spec:
group: metallb.io
names:
kind: IPAddressPool
listKind: IPAddressPoolList
plural: ipaddresspools
singular: ipaddresspool
scope: Namespaced
versions:
- additionalPrinterColumns:
- jsonPath: .spec.autoAssign
name: Auto Assign
type: boolean
- jsonPath: .spec.avoidBuggyIPs
name: Avoid Buggy IPs
type: boolean
- jsonPath: .spec.addresses
name: Addresses
type: string
name: v1beta1
schema:
openAPIV3Schema:
description: |-
IPAddressPool represents a pool of IP addresses that can be allocated
to LoadBalancer services.
properties:
apiVersion:
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
spec:
description: IPAddressPoolSpec defines the desired state of IPAddressPool.
properties:
addresses:
description: |-
A list of IP address ranges over which MetalLB has authority.
You can list multiple ranges in a single pool, they will all share the
same settings. Each range can be either a CIDR prefix, or an explicit
start-end range of IPs.
items:
type: string
type: array
autoAssign:
default: true
description: |-
AutoAssign flag used to prevent MetallB from automatic allocation
for a pool.
type: boolean
avoidBuggyIPs:
default: false
description: |-
AvoidBuggyIPs prevents addresses ending with .0 and .255
to be used by a pool.
type: boolean
serviceAllocation:
description: |-
AllocateTo makes ip pool allocation to specific namespace and/or service.
The controller will use the pool with lowest value of priority in case of
multiple matches. A pool with no priority set will be used only if the
pools with priority can't be used. If multiple matching IPAddressPools are
available it will check for the availability of IPs sorting the matching
IPAddressPools by priority, starting from the highest to the lowest. If
multiple IPAddressPools have the same priority, choice will be random.
properties:
namespaceSelectors:
description: |-
NamespaceSelectors list of label selectors to select namespace(s) for ip pool,
an alternative to using namespace list.
items:
description: |-
A label selector is a label query over a set of resources. The result of matchLabels and
matchExpressions are ANDed. An empty label selector matches all objects. A null
label selector matches no objects.
properties:
matchExpressions:
description: matchExpressions is a list of label selector
requirements. The requirements are ANDed.
items:
description: |-
A label selector requirement is a selector that contains values, a key, and an operator that
relates the key and values.
properties:
key:
description: key is the label key that the selector
applies to.
type: string
operator:
description: |-
operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: |-
values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
type: array
x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
type: array
namespaces:
description: Namespaces list of namespace(s) on which ip pool
can be attached.
items:
type: string
type: array
priority:
description: Priority priority given for ip pool while ip allocation
on a service.
type: integer
serviceSelectors:
description: |-
ServiceSelectors list of label selector to select service(s) for which ip pool
can be used for ip allocation.
items:
description: |-
A label selector is a label query over a set of resources. The result of matchLabels and
matchExpressions are ANDed. An empty label selector matches all objects. A null
label selector matches no objects.
properties:
matchExpressions:
description: matchExpressions is a list of label selector
requirements. The requirements are ANDed.
items:
description: |-
A label selector requirement is a selector that contains values, a key, and an operator that
relates the key and values.
properties:
key:
description: key is the label key that the selector
applies to.
type: string
operator:
description: |-
operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: |-
values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
type: array
x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
type: array
type: object
required:
- addresses
type: object
status:
description: IPAddressPoolStatus defines the observed state of IPAddressPool.
properties:
assignedIPv4:
description: AssignedIPv4 is the number of assigned IPv4 addresses.
format: int64
type: integer
assignedIPv6:
description: AssignedIPv6 is the number of assigned IPv6 addresses.
format: int64
type: integer
availableIPv4:
description: AvailableIPv4 is the number of available IPv4 addresses.
format: int64
type: integer
availableIPv6:
description: AvailableIPv6 is the number of available IPv6 addresses.
format: int64
type: integer
required:
- assignedIPv4
- assignedIPv6
- availableIPv4
- availableIPv6
type: object
required:
- spec
type: object
served: true
storage: true
subresources:
status: {}
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.19.0
name: l2advertisements.metallb.io
spec:
group: metallb.io
names:
kind: L2Advertisement
listKind: L2AdvertisementList
plural: l2advertisements
singular: l2advertisement
scope: Namespaced
versions:
- additionalPrinterColumns:
- jsonPath: .spec.ipAddressPools
name: IPAddressPools
type: string
- jsonPath: .spec.ipAddressPoolSelectors
name: IPAddressPool Selectors
type: string
- jsonPath: .spec.interfaces
name: Interfaces
type: string
- jsonPath: .spec.nodeSelectors
name: Node Selectors
priority: 10
type: string
name: v1beta1
schema:
openAPIV3Schema:
description: |-
L2Advertisement allows to advertise the LoadBalancer IPs provided
by the selected pools via L2.
properties:
apiVersion:
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
spec:
description: L2AdvertisementSpec defines the desired state of L2Advertisement.
properties:
interfaces:
description: |-
A list of interfaces to announce from. The LB IP will be announced only from these interfaces.
If the field is not set, we advertise from all the interfaces on the host.
items:
type: string
type: array
ipAddressPoolSelectors:
description: |-
A selector for the IPAddressPools which would get advertised via this advertisement.
If no IPAddressPool is selected by this or by the list, the advertisement is applied to all the IPAddressPools.
items:
description: |-
A label selector is a label query over a set of resources. The result of matchLabels and
matchExpressions are ANDed. An empty label selector matches all objects. A null
label selector matches no objects.
properties:
matchExpressions:
description: matchExpressions is a list of label selector requirements.
The requirements are ANDed.
items:
description: |-
A label selector requirement is a selector that contains values, a key, and an operator that
relates the key and values.
properties:
key:
description: key is the label key that the selector applies
to.
type: string
operator:
description: |-
operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: |-
values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
type: array
x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
type: array
ipAddressPools:
description: The list of IPAddressPools to advertise via this advertisement,
selected by name.
items:
type: string
type: array
nodeSelectors:
description: NodeSelectors allows to limit the nodes to announce as
next hops for the LoadBalancer IP. When empty, all the nodes having are
announced as next hops.
items:
description: |-
A label selector is a label query over a set of resources. The result of matchLabels and
matchExpressions are ANDed. An empty label selector matches all objects. A null
label selector matches no objects.
properties:
matchExpressions:
description: matchExpressions is a list of label selector requirements.
The requirements are ANDed.
items:
description: |-
A label selector requirement is a selector that contains values, a key, and an operator that
relates the key and values.
properties:
key:
description: key is the label key that the selector applies
to.
type: string
operator:
description: |-
operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: |-
values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
type: array
x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
type: array
type: object
status:
description: L2AdvertisementStatus defines the observed state of L2Advertisement.
type: object
type: object
served: true
storage: true
subresources:
status: {}
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.19.0
name: servicebgpstatuses.metallb.io
spec:
group: metallb.io
names:
kind: ServiceBGPStatus
listKind: ServiceBGPStatusList
plural: servicebgpstatuses
singular: servicebgpstatus
scope: Namespaced
versions:
- additionalPrinterColumns:
- jsonPath: .status.node
name: Node
type: string
- jsonPath: .status.serviceName
name: Service Name
type: string
- jsonPath: .status.serviceNamespace
name: Service Namespace
type: string
name: v1beta1
schema:
openAPIV3Schema:
description: ServiceBGPStatus exposes the BGP peers a service is configured
to be advertised to, per relevant node.
properties:
apiVersion:
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
spec:
description: ServiceBGPStatusSpec defines the desired state of ServiceBGPStatus.
type: object
status:
description: MetalLBServiceBGPStatus defines the observed state of ServiceBGPStatus.
properties:
node:
description: Node indicates the node announcing the service.
type: string
x-kubernetes-validations:
- message: Value is immutable
rule: self == oldSelf
peers:
description: |-
Peers indicate the BGP peers for which the service is configured to be advertised to.
The service being actually advertised to a given peer depends on the session state and is not indicated here.
items:
type: string
type: array
serviceName:
description: ServiceName indicates the service this status represents.
type: string
x-kubernetes-validations:
- message: Value is immutable
rule: self == oldSelf
serviceNamespace:
description: ServiceNamespace indicates the namespace of the service.
type: string
x-kubernetes-validations:
- message: Value is immutable
rule: self == oldSelf
type: object
type: object
served: true
storage: true
subresources:
status: {}
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.19.0
name: servicel2statuses.metallb.io
spec:
group: metallb.io
names:
kind: ServiceL2Status
listKind: ServiceL2StatusList
plural: servicel2statuses
singular: servicel2status
scope: Namespaced
versions:
- additionalPrinterColumns:
- jsonPath: .status.node
name: Allocated Node
type: string
- jsonPath: .status.serviceName
name: Service Name
type: string
- jsonPath: .status.serviceNamespace
name: Service Namespace
type: string
name: v1beta1
schema:
openAPIV3Schema:
description: ServiceL2Status reveals the actual traffic status of loadbalancer
services in layer2 mode.
properties:
apiVersion:
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
spec:
description: ServiceL2StatusSpec defines the desired state of ServiceL2Status.
type: object
status:
description: MetalLBServiceL2Status defines the observed state of ServiceL2Status.
properties:
interfaces:
description: Interfaces indicates the interfaces that receive the
directed traffic
items:
description: InterfaceInfo defines interface info of layer2 announcement.
properties:
name:
description: Name the name of network interface card
type: string
type: object
type: array
node:
description: Node indicates the node that receives the directed traffic
type: string
x-kubernetes-validations:
- message: Value is immutable
rule: self == oldSelf
serviceName:
description: ServiceName indicates the service this status represents
type: string
x-kubernetes-validations:
- message: Value is immutable
rule: self == oldSelf
serviceNamespace:
description: ServiceNamespace indicates the namespace of the service
type: string
x-kubernetes-validations:
- message: Value is immutable
rule: self == oldSelf
type: object
type: object
served: true
storage: true
subresources:
status: {}
---
apiVersion: v1
kind: ServiceAccount
metadata:
  labels:
    app: metallb
  name: controller
  namespace: metallb-system
---
apiVersion: v1
kind: ServiceAccount
metadata:
  labels:
    app: metallb
  name: speaker
  namespace: metallb-system
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  labels:
    app: metallb
  name: controller
  namespace: metallb-system
rules:
- apiGroups:
  - ""
  resources:
  - secrets
  verbs:
  - create
  - delete
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - ""
  resourceNames:
  - memberlist
  resources:
  - secrets
  verbs:
  - list
- apiGroups:
  - apps
  resourceNames:
  - controller
  resources:
  - deployments
  verbs:
  - get
- apiGroups:
  - metallb.io
  resources:
  - bgppeers
  verbs:
  - get
  - list
- apiGroups:
  - metallb.io
  resources:
  - bfdprofiles
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - metallb.io
  resources:
  - ipaddresspools
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - metallb.io
  resources:
  - ipaddresspools/status
  verbs:
  - update
- apiGroups:
  - metallb.io
  resources:
  - bgpadvertisements
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - metallb.io
  resources:
  - l2advertisements
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - metallb.io
  resources:
  - communities
  verbs:
  - get
  - list
  - watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  labels:
    app: metallb
  name: pod-lister
  namespace: metallb-system
rules:
- apiGroups:
  - ""
  resources:
  - pods
  verbs:
  - list
  - get
- apiGroups:
  - ""
  resources:
  - secrets
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - configmaps
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - metallb.io
  resources:
  - bfdprofiles
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - metallb.io
  resources:
  - bgppeers
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - metallb.io
  resources:
  - l2advertisements
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - metallb.io
  resources:
  - bgpadvertisements
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - metallb.io
  resources:
  - ipaddresspools
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - metallb.io
  resources:
  - communities
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - metallb.io
  resources:
  - servicebgpstatuses
  - servicebgpstatuses/status
  verbs:
  - '*'
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  labels:
    app: metallb
  name: metallb-system:controller
rules:
- apiGroups:
  - ""
  resources:
  - services
  - namespaces
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - nodes
  verbs:
  - list
- apiGroups:
  - ""
  resources:
  - services/status
  verbs:
  - update
- apiGroups:
  - ""
  resources:
  - events
  verbs:
  - create
  - patch
- apiGroups:
  - policy
  resourceNames:
  - controller
  resources:
  - podsecuritypolicies
  verbs:
  - use
- apiGroups:
  - admissionregistration.k8s.io
  resourceNames:
  - metallb-webhook-configuration
  resources:
  - validatingwebhookconfigurations
  verbs:
  - create
  - delete
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - admissionregistration.k8s.io
  resources:
  - validatingwebhookconfigurations
  verbs:
  - list
  - watch
- apiGroups:
  - apiextensions.k8s.io
  resourceNames:
  - bfdprofiles.metallb.io
  - bgpadvertisements.metallb.io
  - bgppeers.metallb.io
  - ipaddresspools.metallb.io
  - l2advertisements.metallb.io
  - communities.metallb.io
  - configurationstates.metallb.io
  resources:
  - customresourcedefinitions
  verbs:
  - create
  - delete
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - apiextensions.k8s.io
  resources:
  - customresourcedefinitions
  verbs:
  - list
  - watch
- apiGroups:
  - metallb.io
  resources:
  - configurationstates
  verbs:
  - create
  - delete
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - metallb.io
  resources:
  - configurationstates/status
  verbs:
  - get
  - patch
  - update
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  labels:
    app: metallb
  name: metallb-system:speaker
rules:
- apiGroups:
  - metallb.io
  resources:
  - servicel2statuses
  - servicel2statuses/status
  - configurationstates
  - configurationstates/status
  verbs:
  - '*'
- apiGroups:
  - ""
  resources:
  - services
  - endpoints
  - nodes
  - namespaces
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - discovery.k8s.io
  resources:
  - endpointslices
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - events
  verbs:
  - create
  - patch
- apiGroups:
  - policy
  resourceNames:
  - speaker
  resources:
  - podsecuritypolicies
  verbs:
  - use
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  labels:
    app: metallb
  name: controller
  namespace: metallb-system
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: controller
subjects:
- kind: ServiceAccount
  name: controller
  namespace: metallb-system
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  labels:
    app: metallb
  name: pod-lister
  namespace: metallb-system
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: pod-lister
subjects:
- kind: ServiceAccount
  name: speaker
  namespace: metallb-system
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  labels:
    app: metallb
  name: metallb-system:controller
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: metallb-system:controller
subjects:
- kind: ServiceAccount
  name: controller
  namespace: metallb-system
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  labels:
    app: metallb
  name: metallb-system:speaker
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: metallb-system:speaker
subjects:
- kind: ServiceAccount
  name: speaker
  namespace: metallb-system
---
apiVersion: v1
data:
  excludel2.yaml: |
    announcedInterfacesToExclude: ["^docker.*", "^cbr.*", "^dummy.*", "^virbr.*", "^lxcbr.*", "^veth.*", "^lo$", "^cali.*", "^tunl.*", "^flannel.*", "^kube-ipvs.*", "^cni.*", "^nodelocaldns.*", "^lxc.*"]
kind: ConfigMap
metadata:
  name: metallb-excludel2
  namespace: metallb-system
---
apiVersion: v1
kind: Secret
metadata:
  name: metallb-webhook-cert
  namespace: metallb-system
---
apiVersion: v1
kind: Service
metadata:
  name: metallb-webhook-service
  namespace: metallb-system
spec:
  ports:
  - port: 443
    targetPort: 9443
  selector:
    component: controller
---
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: metallb
    component: controller
  name: controller
  namespace: metallb-system
spec:
  revisionHistoryLimit: 3
  selector:
    matchLabels:
      app: metallb
      component: controller
  template:
    metadata:
      annotations:
        prometheus.io/port: "7472"
        prometheus.io/scrape: "true"
      labels:
        app: metallb
        component: controller
    spec:
      containers:
      - args:
        - --port=7472
        - --log-level=info
        - --tls-min-version=VersionTLS12
        env:
        - name: METALLB_ML_SECRET_NAME
          value: memberlist
        - name: METALLB_DEPLOYMENT
          value: controller
        image: quay.io/metallb/controller:v0.15.3
        livenessProbe:
          failureThreshold: 3
          httpGet:
            path: /metrics
            port: monitoring
          initialDelaySeconds: 10
          periodSeconds: 10
          successThreshold: 1
          timeoutSeconds: 1
        name: controller
        ports:
        - containerPort: 7472
          name: monitoring
        - containerPort: 9443
          name: webhook-server
          protocol: TCP
        readinessProbe:
          failureThreshold: 3
          httpGet:
            path: /metrics
            port: monitoring
          initialDelaySeconds: 10
          periodSeconds: 10
          successThreshold: 1
          timeoutSeconds: 1
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            drop:
            - all
          readOnlyRootFilesystem: true
        volumeMounts:
        - mountPath: /tmp/k8s-webhook-server/serving-certs
          name: cert
          readOnly: true
      nodeSelector:
        kubernetes.io/os: linux
      securityContext:
        fsGroup: 65534
        runAsNonRoot: true
        runAsUser: 65534
      serviceAccountName: controller
      terminationGracePeriodSeconds: 0
      volumes:
      - name: cert
        secret:
          defaultMode: 420
          secretName: metallb-webhook-cert
---
apiVersion: apps/v1
kind: DaemonSet
metadata:
  labels:
    app: metallb
    component: speaker
  name: speaker
  namespace: metallb-system
spec:
  selector:
    matchLabels:
      app: metallb
      component: speaker
  template:
    metadata:
      annotations:
        prometheus.io/port: "7472"
        prometheus.io/scrape: "true"
      labels:
        app: metallb
        component: speaker
    spec:
      containers:
      - args:
        - --port=7472
        - --log-level=info
        env:
        - name: METALLB_NODE_NAME
          valueFrom:
            fieldRef:
              fieldPath: spec.nodeName
        - name: METALLB_POD_NAME
          valueFrom:
            fieldRef:
              fieldPath: metadata.name
        - name: METALLB_HOST
          valueFrom:
            fieldRef:
              fieldPath: status.hostIP
        - name: METALLB_ML_BIND_ADDR
          valueFrom:
            fieldRef:
              fieldPath: status.podIP
        - name: METALLB_ML_LABELS
          value: app=metallb,component=speaker
        - name: METALLB_ML_SECRET_KEY_PATH
          value: /etc/ml_secret_key
        image: quay.io/metallb/speaker:v0.15.3
        livenessProbe:
          failureThreshold: 3
          httpGet:
            path: /metrics
            port: monitoring
          initialDelaySeconds: 10
          periodSeconds: 10
          successThreshold: 1
          timeoutSeconds: 1
        name: speaker
        ports:
        - containerPort: 7472
          name: monitoring
        - containerPort: 7946
          name: memberlist-tcp
        - containerPort: 7946
          name: memberlist-udp
          protocol: UDP
        readinessProbe:
          failureThreshold: 3
          httpGet:
            path: /metrics
            port: monitoring
          initialDelaySeconds: 10
          periodSeconds: 10
          successThreshold: 1
          timeoutSeconds: 1
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            add:
            - NET_RAW
            drop:
            - ALL
          readOnlyRootFilesystem: true
        volumeMounts:
        - mountPath: /etc/ml_secret_key
          name: memberlist
          readOnly: true
        - mountPath: /etc/metallb
          name: metallb-excludel2
          readOnly: true
      hostNetwork: true
      nodeSelector:
        kubernetes.io/os: linux
      serviceAccountName: speaker
      terminationGracePeriodSeconds: 2
      tolerations:
      - effect: NoSchedule
        key: node-role.kubernetes.io/master
        operator: Exists
      - effect: NoSchedule
        key: node-role.kubernetes.io/control-plane
        operator: Exists
      volumes:
      - name: memberlist
        secret:
          defaultMode: 420
          secretName: memberlist
      - configMap:
          defaultMode: 256
          name: metallb-excludel2
        name: metallb-excludel2
---
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
  creationTimestamp: null
  name: metallb-webhook-configuration
webhooks:
- admissionReviewVersions:
  - v1
  clientConfig:
    service:
      name: metallb-webhook-service
      namespace: metallb-system
      path: /validate-metallb-io-v1beta2-bgppeer
  failurePolicy: Fail
  name: bgppeersvalidationwebhook.metallb.io
  rules:
  - apiGroups:
    - metallb.io
    apiVersions:
    - v1beta2
    operations:
    - CREATE
    - UPDATE
    resources:
    - bgppeers
  sideEffects: None
- admissionReviewVersions:
  - v1
  clientConfig:
    service:
      name: metallb-webhook-service
      namespace: metallb-system
      path: /validate-metallb-io-v1beta1-bfdprofile
  failurePolicy: Fail
  name: bfdprofilevalidationwebhook.metallb.io
  rules:
  - apiGroups:
    - metallb.io
    apiVersions:
    - v1beta1
    operations:
    - CREATE
    - DELETE
    resources:
    - bfdprofiles
  sideEffects: None
- admissionReviewVersions:
  - v1
  clientConfig:
    service:
      name: metallb-webhook-service
      namespace: metallb-system
      path: /validate-metallb-io-v1beta1-bgpadvertisement
  failurePolicy: Fail
  name: bgpadvertisementvalidationwebhook.metallb.io
  rules:
  - apiGroups:
    - metallb.io
    apiVersions:
    - v1beta1
    operations:
    - CREATE
    - UPDATE
    resources:
    - bgpadvertisements
  sideEffects: None
- admissionReviewVersions:
  - v1
  clientConfig:
    service:
      name: metallb-webhook-service
      namespace: metallb-system
      path: /validate-metallb-io-v1beta1-community
  failurePolicy: Fail
  name: communityvalidationwebhook.metallb.io
  rules:
  - apiGroups:
    - metallb.io
    apiVersions:
    - v1beta1
    operations:
    - CREATE
    - UPDATE
    resources:
    - communities
  sideEffects: None
- admissionReviewVersions:
  - v1
  clientConfig:
    service:
      name: metallb-webhook-service
      namespace: metallb-system
      path: /validate-metallb-io-v1beta1-ipaddresspool
  failurePolicy: Fail
  name: ipaddresspoolvalidationwebhook.metallb.io
  rules:
  - apiGroups:
    - metallb.io
    apiVersions:
    - v1beta1
    operations:
    - CREATE
    - UPDATE
    resources:
    - ipaddresspools
  sideEffects: None
- admissionReviewVersions:
  - v1
  clientConfig:
    service:
      name: metallb-webhook-service
      namespace: metallb-system
      path: /validate-metallb-io-v1beta1-l2advertisement
  failurePolicy: Fail
  name: l2advertisementvalidationwebhook.metallb.io
  rules:
  - apiGroups:
    - metallb.io
    apiVersions:
    - v1beta1
    operations:
    - CREATE
    - UPDATE
    resources:
    - l2advertisements
  sideEffects: None