From 09fac667588a057bd0d3df8b42f3e608ca305e5c Mon Sep 17 00:00:00 2001
From: Benjamin Jee
Date: Thu, 9 May 2024 09:38:12 -0700
Subject: [PATCH 01/34] Add SCC and inclusion of openshift on helm chart
---
.../nginx-gateway-fabric/templates/rbac.yaml | 10 +++++
charts/nginx-gateway-fabric/values.yaml | 5 ++-
deploy/manifests/scc.yaml | 37 +++++++++++++++++++
3 files changed, 51 insertions(+), 1 deletion(-)
create mode 100644 deploy/manifests/scc.yaml
diff --git a/charts/nginx-gateway-fabric/templates/rbac.yaml b/charts/nginx-gateway-fabric/templates/rbac.yaml
index cc12735ae7..2cf81ec96d 100644
--- a/charts/nginx-gateway-fabric/templates/rbac.yaml
+++ b/charts/nginx-gateway-fabric/templates/rbac.yaml
@@ -149,6 +149,16 @@ rules:
verbs:
- list
- watch
+{{- if .Values.onOpenshift }}
+- apiGroups:
+ - security.openshift.io
+ resources:
+ - securitycontextconstraints
+ resourceNames:
+ - nginx-ngf-admin
+ verbs:
+ - use
+{{- end }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
diff --git a/charts/nginx-gateway-fabric/values.yaml b/charts/nginx-gateway-fabric/values.yaml
index b108a8eb6a..8e6d16b14f 100644
--- a/charts/nginx-gateway-fabric/values.yaml
+++ b/charts/nginx-gateway-fabric/values.yaml
@@ -106,12 +106,15 @@ terminationGracePeriodSeconds: 30
## Tolerations for the NGINX Gateway Fabric pod.
tolerations: []
-## The nodeSelector of the NGINX Gateway Fabric pod.
+## The nodeSelector of the NGINX Gateway Fabric pod.
nodeSelector: {}
## The affinity of the NGINX Gateway Fabric pod.
affinity: {}
+## Whether the platform is openshift or not.
+onOpenshift: false
+
serviceAccount:
annotations: {}
## The name of the service account of the NGINX Gateway Fabric pods. Used for RBAC.
diff --git a/deploy/manifests/scc.yaml b/deploy/manifests/scc.yaml
new file mode 100644
index 0000000000..f3f4c42bcb
--- /dev/null
+++ b/deploy/manifests/scc.yaml
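Review bot: `resourceNames: - nginx-ngf-admin` hard-codes the SCC name, which has to match `metadata.name` in deploy/manifests/scc.yaml, a file the chart does not ship; if the two drift apart the ClusterRole grants `use` on an SCC that does not exist and nothing in `helm install` reports it — the pod is simply not admitted under the intended SCC. Suggest a comment at the rule, `# must match metadata.name in deploy/manifests/scc.yaml`, or better a chart value that both the rule and the manifest are generated from. The `{{- if .Values.onOpenshift }}` guard is the right shape; the rest of the ClusterRole continues outside the hunk.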
@@ -0,0 +1,37 @@
+# Create SCC for Gateway resources
+kind: SecurityContextConstraints
+apiVersion: security.openshift.io/v1
+metadata:
+ name: nginx-ngf-admin
+allowPrivilegedContainer: false
+allowHostDirVolumePlugin: false
+allowHostIPC: false
+allowHostNetwork: false
+allowHostPorts: false
+readOnlyRootFilesystem: true
+runAsUser:
+ type: MustRunAsRange
+ uidRangeMax: 105
+ uidRangeMin: 100
+fsGroup:
+ type: MustRunAs
+ ranges:
+ - min: 1000
+ max: 1003
+supplementalGroups:
+ type: MustRunAs
+ ranges:
+ - min: 1000
+ max: 1003
+seLinuxContext:
+ type: MustRunAs
+volumes:
+ - emptyDir
+ - secret
+users:
+ - 'system:serviceaccount:*:ngf-nginx-gateway-fabric'
+allowedCapabilities:
+ - NET_BIND_SERVICE
+ - KILL
+requiredDropCapabilities:
+ - ALL
From 622e4c6dfc93da37612a817fcb0308ba261f14ad Mon Sep 17 00:00:00 2001
From: Benjamin Jee
Date: Thu, 9 May 2024 13:34:08 -0700
Subject: [PATCH 02/34] Adjust scc range values
---
deploy/manifests/scc.yaml | 12 ++++++------
1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/deploy/manifests/scc.yaml b/deploy/manifests/scc.yaml
index f3f4c42bcb..3592af864d 100644
--- a/deploy/manifests/scc.yaml
+++ b/deploy/manifests/scc.yaml
@@ -11,18 +11,18 @@ allowHostPorts: false
readOnlyRootFilesystem: true
runAsUser:
type: MustRunAsRange
- uidRangeMax: 105
- uidRangeMin: 100
+ uidRangeMin: 101
+ uidRangeMax: 102
fsGroup:
type: MustRunAs
ranges:
- - min: 1000
- max: 1003
+ - min: 1001
+ max: 1001
supplementalGroups:
type: MustRunAs
ranges:
- - min: 1000
- max: 1003
+ - min: 1001
+ max: 1001
seLinuxContext:
type: MustRunAs
volumes:
From 3503fdc4a9e552fc5012741b100f0ec512d6442c Mon Sep 17 00:00:00 2001
From: Benjamin Jee
Date: Tue, 14 May 2024 14:27:17 -0700
Subject: [PATCH 03/34] Fix rbac spacing
---
charts/nginx-gateway-fabric/templates/rbac.yaml | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
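Review bot: `users: - 'system:serviceaccount:*:ngf-nginx-gateway-fabric'` and the `use` rule added to rbac.yaml in the same patch are two independent paths to the same grant, so deleting the ClusterRole no longer revokes access to this SCC; keep one of them (the RBAC rule, which is release-scoped and reviewable) and drop the other, and confirm the `*` namespace wildcard is actually honored in `users` — if it is not, the RBAC rule is the only effective path anyway. `allowedCapabilities: - NET_BIND_SERVICE - KILL` carries no rationale for KILL, and the reference doc added in patch 04 leaves that row as TODO; a comment on the line, `# KILL: <which container signals which process> — TODO confirm`, keeps the reason in the manifest that admins will read. `allowPrivilegeEscalation` is not set at all here, so the cluster default applies silently; an explicit value documents intent (patch 09 adds one).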
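Review bot: `uidRangeMin: 101` / `uidRangeMax: 102` and the two `1001` group ranges are magic numbers whose meaning appears only in the reference doc added in patch 04 (102 for the nginx-gateway container, 101 for nginx, 1001 as the nginx fsGroup); suggest pinning that beside the values, `# 101: nginx container, 102: nginx-gateway container` and `# 1001: nginx container fsGroup`, so a later change to the Deployment's securityContext is checked against this SCC rather than discovered at admission time.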
diff --git a/charts/nginx-gateway-fabric/templates/rbac.yaml b/charts/nginx-gateway-fabric/templates/rbac.yaml
index 2cf81ec96d..ff662a0295 100644
--- a/charts/nginx-gateway-fabric/templates/rbac.yaml
+++ b/charts/nginx-gateway-fabric/templates/rbac.yaml
@@ -153,9 +153,9 @@ rules:
- apiGroups:
- security.openshift.io
resources:
- - securitycontextconstraints
+ - securitycontextconstraints
resourceNames:
- - nginx-ngf-admin
+ - nginx-ngf-admin
verbs:
- use
{{- end }}
From 8362f2819527fbbe9299390ab6dc7665a266a4b7 Mon Sep 17 00:00:00 2001
From: Benjamin Jee
Date: Wed, 15 May 2024 10:40:04 -0700
Subject: [PATCH 04/34] Add Openshift Permissions Reference document
---
.../reference/openshift-permissions.md | 44 +++++++++++++++++++
1 file changed, 44 insertions(+)
create mode 100644 site/content/reference/openshift-permissions.md
diff --git a/site/content/reference/openshift-permissions.md b/site/content/reference/openshift-permissions.md
new file mode 100644
index 0000000000..32b274d9e6
--- /dev/null
+++ b/site/content/reference/openshift-permissions.md
@@ -0,0 +1,44 @@ +--- +title: "Openshift Permissions" +date: 2024-05-14T15:08:41-07:00 +# Change draft status to false to publish doc +draft: false +# Description +# Add a short description (150 chars) for the doc. Include keywords for SEO. +# The description text appears in search results and at the top of the doc. +description: "Learn about the permissions given to the NGINX Gateway Fabric Pod in an Openshift environment." +# Assign weights in increments of 100 +weight: 100 +toc: true +tags: [ "docs" ] +# Create a new entry in the Jira DOCS Catalog and add the ticket ID (DOCS-) below +docs: "DOCS-000" +--- + +## Overview + +To deploy NGINX Gateway Fabric on an Openshift environment, additional permissions are granted to the Pod which are defined +in a SecurityContextConstraints object. This document attempts to describe the permissions given to the Pod and +why they were given. + + +## Specification + +{{< bootstrap-table "table table-bordered table-striped table-responsive" >}} +| Name | Value | Explanation | +| -------------------------- | ------------------------------------------------------ | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| _allowPrivilegedContainer_ | _false_ | None of the containers in the NGINX Gateway Fabric Pod need to be run as privileged. | +| _allowHostDirVolumePlugin_ | _false_ | None of the containers in the NGINX Gateway Fabric Pod need to use the HostDir volume plugin. | +| _allowHostIPC_ | _false_ | None of the containers in the NGINX Gateway Fabric Pod need host ipc. | +| _allowHostNetwork_ | _false_ | The NGINX Gateway Fabric Pod does not require the use of HostNetwork. | +| _allowHostPorts_ | _false_ | None of the containers in the NGINX Gateway Fabric Pod need to use host ports. 
| +| _readOnlyRootFilesystem_ | _true_ | None of the containers in the NGINX Gateway Fabric Pod require a non-read only root file system. | +| _runAsUser_ | _MustRunAsRange: 101-102_ | The NGINX Gateway Fabric Pod sets the user ID for the nginx-gateway and nginx containers to 102 and 101 respectively. | +| _fsGroup_ | _MusRunAs: 1001-1001_ | The NGINX Gateway Fabric Pod sets the nginx container's fsGroup to 1001. | +| _supplementalGroups_ | _MustRunAs: 1001-1001_ | Since the nginx container's fsGroup is set to 1001, all processes of the container are also part of the supplementary group ID 1001. | +| _seLinuxContext_ | _MustRunAs_ | By default, the Kubernetes container runtime assigns the SELinux label to all files on all Pod volumes. Since we don't change any of the labels, we enforce that the labels must be of type SELinux. | +| _volumes_ | _emptyDir, secret_ | TODO | +| _users_ | _'system:serviceaccount:*:ngf-nginx-gateway-fabric'_ | This binds the SecurityContextConstraints object to the ServiceAccount associated with the NGINX Gateway Fabric Pod, which gives these permissions to the Pod. | +| _allowedCapabilities_ | _NET_BIND_SERVICE, KILL_ | TODO | +| _requiredDropCapabilities_ | _ALL_ | To ensure that the NGINX Gateway Fabric Pod is run with the least amount of capabilities necessary, we drop all the capabilities and only add what's needed. | +{{% /bootstrap-table %}} From 68f1a20fcc0a4baad954650032bdf95ac1ffe76c Mon Sep 17 00:00:00 2001 From: Benjamin Jee Date: Wed, 15 May 2024 14:37:34 -0700 Subject: [PATCH 05/34] Add Openshift Permissions installaiton guide --- .../installation/running-on-openshift.md | 49 +++++++++++++++++++ 1 file changed, 49 insertions(+) create mode 100644 site/content/installation/running-on-openshift.md diff --git a/site/content/installation/running-on-openshift.md b/site/content/installation/running-on-openshift.md new file mode 100644 index 0000000000..c077056eda --- /dev/null 
+++ b/site/content/installation/running-on-openshift.md 
@@ -0,0 +1,49 @@
+---
+title: "Deploying NGINX Gateway Fabric in an Openshift environment"
+# Change draft status to false to publish doc
+draft: false
+description: "Learn how to run NGINX Gateway Fabric in an Openshift environment."
+weight: 400
+toc: true
+tags: [ "docs" ]
+docs: "DOCS-0000"
+---
+
+{{< custom-styles >}}
+
+## Prerequisites
+
+To complete the steps in this guide, you first need to install the following tools for Kubernetes management and development:
+
+- [kubectl](https://kubernetes.io/docs/tasks/tools/): A command-line interface for Kubernetes that allows you to manage and inspect cluster resources, and control containerized applications.
+- Access to an Openshift environment with cluster administrative permissions.
+
+
+## Apply SCC
+
+In order to deploy NGINX Gateway Fabric instances into Openshift environments, a new SCC is required to be created
+on the cluster which will be used to bind the specific required capabilities to the NGINX Gateway Fabric service account.
+To do so for NGF deployments, please run the following command (assuming you are logged in with administrator access to the cluster):
+
+`kubectl apply -f https://raw.githubusercontent.com/nginxinc/nginx-gateway-fabric/v1.2.0/deploy/manifests/scc.yaml`
+
+## Deploy NGINX Gateway Fabric
+
+Now that you've created the new SCC, the next step is to install NGINX Gateway Fabric.
+
+We currently only support manual installation with Helm on Openshift:
+
+- [Installation with Helm]({{< relref "installation/installing-ngf/helm.md" >}})
+
+Please follow the instructions in the referenced setup, until you get to running a `helm install` command.
+When you do, please add the following flag `--set onOpenshift=true` to whichever `helm install` command you are
+using. This will give NGF the correct RBAC permissions to bind to the SCC.
+
+## Getting Started with NGINX Gateway Fabric
+
+Learn how to use NGINX Gateway Fabric by exploring the tutorials in the [examples](https://github.com/nginxinc/nginx-gateway-fabric/tree/v1.2.0/examples) directory. The guides provide practical instructions and scenarios to help you use NGINX Gateway Fabric effectively.
+
+## References
+
+If you have any additional questions specific to the permissions granted in the SCC, feel free to check out
+our explanation in our [Openshift Permissions guide]({{< relref "reference/openshift-permissions.md" >}})
From ada3ae06f15d97957d466ec00782feaeb2c09582 Mon Sep 17 00:00:00 2001
From: Benjamin Jee
Date: Wed, 15 May 2024 14:38:55 -0700
Subject: [PATCH 06/34] Adjust wording of SCC
---
site/content/installation/running-on-openshift.md | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/site/content/installation/running-on-openshift.md b/site/content/installation/running-on-openshift.md
index c077056eda..9944326205 100644
--- a/site/content/installation/running-on-openshift.md
+++ b/site/content/installation/running-on-openshift.md
@@ -19,9 +19,9 @@ To complete the steps in this guide, you first need to install the following too
- Access to an Openshift environment with cluster administrative permissions.
-## Apply SCC
+## Create SCC Object
-In order to deploy NGINX Gateway Fabric instances into Openshift environments, a new SCC is required to be created
+In order to deploy NGINX Gateway Fabric instances into Openshift environments, a new SCC object is required to be created
on the cluster which will be used to bind the specific required capabilities to the NGINX Gateway Fabric service account.
To do so for NGF deployments, please run the following command (assuming you are logged in with administrator access to the cluster):
From 9c6e578c477f51a1ee965c57293828b3412fc765 Mon Sep 17 00:00:00 2001
From: Benjamin Jee
Date: Wed, 15 May 2024 14:51:23 -0700
Subject: [PATCH 07/34] Change helm template from onOpenshift to platform
---
site/content/installation/running-on-openshift.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/site/content/installation/running-on-openshift.md b/site/content/installation/running-on-openshift.md
index 9944326205..0d3414f01d 100644
--- a/site/content/installation/running-on-openshift.md
+++ b/site/content/installation/running-on-openshift.md
@@ -36,7 +36,7 @@ We currently only support manual installation with Helm on Openshift:
- [Installation with Helm]({{< relref "installation/installing-ngf/helm.md" >}})
Please follow the instructions in the referenced setup, until you get to running a `helm install` command.
-When you do, please add the following flag `--set onOpenshift=true` to whichever `helm install` command you are
+When you do, please add the following flag `--set platform=openshift` to whichever `helm install` command you are
using. This will give NGF the correct RBAC permissions to bind to the SCC.
## Getting Started with NGINX Gateway Fabric
From 2592c87da5bcfa66893f2a0f336e830f1558783b Mon Sep 17 00:00:00 2001
From: Benjamin Jee
Date: Wed, 15 May 2024 14:51:37 -0700
Subject: [PATCH 08/34] Change helm template from onOpenshift to platform
---
charts/nginx-gateway-fabric/templates/rbac.yaml | 2 +-
charts/nginx-gateway-fabric/values.yaml | 4 ++--
2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/charts/nginx-gateway-fabric/templates/rbac.yaml b/charts/nginx-gateway-fabric/templates/rbac.yaml
index ff662a0295..2d34eafbe7 100644
--- a/charts/nginx-gateway-fabric/templates/rbac.yaml
+++ b/charts/nginx-gateway-fabric/templates/rbac.yaml
@@ -149,7 +149,7 @@ rules:
verbs:
- list
- watch
-{{- if .Values.onOpenshift }}
+{{- if eq .Values.platform "openshift" }}
- apiGroups:
- security.openshift.io
resources:
diff --git a/charts/nginx-gateway-fabric/values.yaml b/charts/nginx-gateway-fabric/values.yaml
index 8e6d16b14f..b4d884910e 100644
--- a/charts/nginx-gateway-fabric/values.yaml
+++ b/charts/nginx-gateway-fabric/values.yaml
@@ -112,8 +112,8 @@ nodeSelector: {}
## The affinity of the NGINX Gateway Fabric pod.
affinity: {}
-## Whether the platform is openshift or not.
-onOpenshift: false
+## What platform NGINX Gateway Fabric is being deployed on.
+platform: kubernetes
serviceAccount:
annotations: {}
From 0c14d2c86fcda6e9422de533fb85ae5bfae1d5d2 Mon Sep 17 00:00:00 2001
From: Benjamin Jee
Date: Thu, 16 May 2024 08:57:36 -0700
Subject: [PATCH 09/34] Add allowPrivilegeEscalation
---
deploy/manifests/scc.yaml | 1 +
1 file changed, 1 insertion(+)
diff --git a/deploy/manifests/scc.yaml b/deploy/manifests/scc.yaml
index 3592af864d..9cd7da49bb 100644
--- a/deploy/manifests/scc.yaml
+++ b/deploy/manifests/scc.yaml
@@ -8,6 +8,7 @@ allowHostDirVolumePlugin: false
allowHostIPC: false
allowHostNetwork: false
allowHostPorts: false
+allowPrivilegeEscalation: true
readOnlyRootFilesystem: true
runAsUser:
type: MustRunAsRange
From 9727a3b8aff409984f93c8d2aeeb3fcb44f77670 Mon Sep 17 00:00:00 2001
From: Benjamin Jee
Date: Thu, 16 May 2024 09:55:47 -0700
Subject: [PATCH 10/34] Remove unnecessary false boolean fields in SCC
---
deploy/manifests/scc.yaml | 5 -----
1 file changed, 5 deletions(-)
diff --git a/deploy/manifests/scc.yaml b/deploy/manifests/scc.yaml
index 9cd7da49bb..be55c798fb 100644
--- a/deploy/manifests/scc.yaml
+++ b/deploy/manifests/scc.yaml
@@ -3,11 +3,6 @@ kind: SecurityContextConstraints
apiVersion: security.openshift.io/v1
metadata:
name: nginx-ngf-admin
-allowPrivilegedContainer: false
-allowHostDirVolumePlugin: false
-allowHostIPC: false
-allowHostNetwork: false
-allowHostPorts: false
allowPrivilegeEscalation: true
readOnlyRootFilesystem: true
runAsUser:
From a36ca2c58f3de23213b7d5af449df2a00eb36fc5 Mon Sep 17 00:00:00 2001
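Review bot: `platform: kubernetes` is only ever compared with `eq .Values.platform "openshift"` in rbac.yaml, so any other spelling a user passes (`OpenShift`, `openShift`, a trailing space) silently renders the non-OpenShift chart and the install fails later at pod admission instead of at `helm install`. Suggest rejecting unknown values: a `values.schema.json` enum of `kubernetes`/`openshift`, or a template guard such as `{{- if not (has .Values.platform (list "kubernetes" "openshift")) }}{{ fail "platform must be kubernetes or openshift" }}{{- end }}`. The values comment should also list the accepted values, which patch 11 does.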
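Review bot: `allowPrivilegeEscalation: true` is the one permissive boolean in this SCC and the hunk gives no reason for it while every neighbouring field is `false`; the commit title just restates the field. If a container genuinely needs it (a setuid or file-capability binary in the image, for example), a comment naming it, `# true: required by <container> — TODO confirm`, lets a reviewer check the claim against the Deployment's securityContext; if none does, `false` is the safer value. Patch 11 later ties this field to `nginxGateway.securityContext.allowPrivilegeEscalation`, which makes recording the reason here more useful, not less.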
From: Benjamin Jee
Date: Thu, 16 May 2024 13:47:02 -0700
Subject: [PATCH 11/34] Add Helm templating for SCC
---
.../nginx-gateway-fabric/templates}/scc.yaml | 8 +++++---
charts/nginx-gateway-fabric/values.yaml | 5 ++++-
2 files changed, 9 insertions(+), 4 deletions(-)
rename {deploy/manifests => charts/nginx-gateway-fabric/templates}/scc.yaml (66%)
diff --git a/deploy/manifests/scc.yaml b/charts/nginx-gateway-fabric/templates/scc.yaml
similarity index 66%
rename from deploy/manifests/scc.yaml
rename to charts/nginx-gateway-fabric/templates/scc.yaml
index be55c798fb..6b8f0c3573 100644
--- a/deploy/manifests/scc.yaml
+++ b/charts/nginx-gateway-fabric/templates/scc.yaml
@@ -1,9 +1,10 @@
# Create SCC for Gateway resources
+{{- if eq .Values.platform "openshift" }}
kind: SecurityContextConstraints
apiVersion: security.openshift.io/v1
metadata:
- name: nginx-ngf-admin
-allowPrivilegeEscalation: true
+ name: {{ .Values.sccName }}
+allowPrivilegeEscalation: {{ .Values.nginxGateway.securityContext.allowPrivilegeEscalation }}
readOnlyRootFilesystem: true
runAsUser:
type: MustRunAsRange
@@ -25,9 +26,10 @@ volumes:
- emptyDir
- secret
users:
- - 'system:serviceaccount:*:ngf-nginx-gateway-fabric'
+ - {{ printf "system:serviceaccount:*:%s" (include "nginx-gateway.fullname" .) }}
allowedCapabilities:
- NET_BIND_SERVICE
- KILL
requiredDropCapabilities:
- ALL
+{{- end }}
diff --git a/charts/nginx-gateway-fabric/values.yaml b/charts/nginx-gateway-fabric/values.yaml
index b4d884910e..dcc78be8d5 100644
--- a/charts/nginx-gateway-fabric/values.yaml
+++ b/charts/nginx-gateway-fabric/values.yaml
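Review bot: The templated scalars `name: {{ .Values.sccName }}` and, in the second hunk of this file, `- {{ printf "system:serviceaccount:*:%s" ... }}` are emitted unquoted, whereas the line the latter replaces was single-quoted; a value that starts with `*`, `&` or `{`, or that contains `: `, is then parsed as YAML syntax rather than a string, and an empty `sccName` renders `name:` as null. Pipe both through `| quote` (`name: {{ .Values.sccName | quote }}` and `- {{ printf "system:serviceaccount:*:%s" (include "nginx-gateway.fullname" .) | quote }}`). `allowPrivilegeEscalation: {{ .Values.nginxGateway.securityContext.allowPrivilegeEscalation }}` has the same gap when the value is unset — it renders as an empty scalar; wrapping it in `required` or `default` makes the failure explicit at render time. The leading `# Create SCC for Gateway resources` comment sits above the `{{- if }}`, so non-OpenShift installs still get an otherwise empty document from this template; moving the comment inside the guard avoids that.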
@@ -112,9 +112,12 @@ nodeSelector: {}
## The affinity of the NGINX Gateway Fabric pod.
affinity: {}
-## What platform NGINX Gateway Fabric is being deployed on.
+## The platform that NGINX Gateway Fabric is being deployed on. Valid values: kubernetes, openshift
platform: kubernetes
+## The name for the SecurityContextConstraints object used in Openshift environments.
+sccName: nginx-ngf-admin
+
serviceAccount:
annotations: {}
## The name of the service account of the NGINX Gateway Fabric pods. Used for RBAC.
From 356c951df7a8f412adfb52181a2817fb95f63fa5 Mon Sep 17 00:00:00 2001
From: Benjamin Jee
Date: Thu, 16 May 2024 13:58:04 -0700
Subject: [PATCH 12/34] Remove openshift permissions document
---
.../reference/openshift-permissions.md | 44 -------------------
1 file changed, 44 deletions(-)
delete mode 100644 site/content/reference/openshift-permissions.md
diff --git a/site/content/reference/openshift-permissions.md b/site/content/reference/openshift-permissions.md
deleted file mode 100644
index 32b274d9e6..0000000000
--- a/site/content/reference/openshift-permissions.md
+++ /dev/null
@@ -1,44 +0,0 @@ ---- -title: "Openshift Permissions" -date: 2024-05-14T15:08:41-07:00 -# Change draft status to false to publish doc -draft: false -# Description -# Add a short description (150 chars) for the doc. Include keywords for SEO. -# The description text appears in search results and at the top of the doc. -description: "Learn about the permissions given to the NGINX Gateway Fabric Pod in an Openshift environment." -# Assign weights in increments of 100 -weight: 100 -toc: true -tags: [ "docs" ] -# Create a new entry in the Jira DOCS Catalog and add the ticket ID (DOCS-) below -docs: "DOCS-000" ---- - -## Overview - -To deploy NGINX Gateway Fabric on an Openshift environment, additional permissions are granted to the Pod which are defined -in a SecurityContextConstraints object. This document attempts to describe the permissions given to the Pod and -why they were given. - - -## Specification - -{{< bootstrap-table "table table-bordered table-striped table-responsive" >}} -| Name | Value | Explanation | -| -------------------------- | ------------------------------------------------------ | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -| _allowPrivilegedContainer_ | _false_ | None of the containers in the NGINX Gateway Fabric Pod need to be run as privileged. | -| _allowHostDirVolumePlugin_ | _false_ | None of the containers in the NGINX Gateway Fabric Pod need to use the HostDir volume plugin. | -| _allowHostIPC_ | _false_ | None of the containers in the NGINX Gateway Fabric Pod need host ipc. | -| _allowHostNetwork_ | _false_ | The NGINX Gateway Fabric Pod does not require the use of HostNetwork. | -| _allowHostPorts_ | _false_ | None of the containers in the NGINX Gateway Fabric Pod need to use host ports. 
| -| _readOnlyRootFilesystem_ | _true_ | None of the containers in the NGINX Gateway Fabric Pod require a non-read only root file system. | -| _runAsUser_ | _MustRunAsRange: 101-102_ | The NGINX Gateway Fabric Pod sets the user ID for the nginx-gateway and nginx containers to 102 and 101 respectively. | -| _fsGroup_ | _MusRunAs: 1001-1001_ | The NGINX Gateway Fabric Pod sets the nginx container's fsGroup to 1001. | -| _supplementalGroups_ | _MustRunAs: 1001-1001_ | Since the nginx container's fsGroup is set to 1001, all processes of the container are also part of the supplementary group ID 1001. | -| _seLinuxContext_ | _MustRunAs_ | By default, the Kubernetes container runtime assigns the SELinux label to all files on all Pod volumes. Since we don't change any of the labels, we enforce that the labels must be of type SELinux. | -| _volumes_ | _emptyDir, secret_ | TODO | -| _users_ | _'system:serviceaccount:*:ngf-nginx-gateway-fabric'_ | This binds the SecurityContextConstraints object to the ServiceAccount associated with the NGINX Gateway Fabric Pod, which gives these permissions to the Pod. | -| _allowedCapabilities_ | _NET_BIND_SERVICE, KILL_ | TODO | -| _requiredDropCapabilities_ | _ALL_ | To ensure that the NGINX Gateway Fabric Pod is run with the least amount of capabilities necessary, we drop all the capabilities and only add what's needed. | -{{% /bootstrap-table %}} From b3b8fc27629de0da86c853f444304c0bc007ea48 Mon Sep 17 00:00:00 2001 From: Benjamin Jee Date: Thu, 16 May 2024 14:35:54 -0700 Subject: [PATCH 13/34] Add back required SCC fields --- charts/nginx-gateway-fabric/templates/scc.yaml | 6 ++++++ site/content/installation/installing-ngf/helm.md | 2 ++ 2 files changed, 8 insertions(+) diff --git a/charts/nginx-gateway-fabric/templates/scc.yaml b/charts/nginx-gateway-fabric/templates/scc.yaml index 6b8f0c3573..48be19de1e 100644 --- a/charts/nginx-gateway-fabric/templates/scc.yaml +++ b/charts/nginx-gateway-fabric/templates/scc.yaml 
@@ -5,6 +5,12 @@ apiVersion: security.openshift.io/v1
metadata:
name: {{ .Values.sccName }}
allowPrivilegeEscalation: {{ .Values.nginxGateway.securityContext.allowPrivilegeEscalation }}
+allowHostDirVolumePlugin: false
+allowHostIPC: false
+allowHostNetwork: false
+allowHostPID: false
+allowHostPorts: false
+allowPrivilegedContainer: false
readOnlyRootFilesystem: true
runAsUser:
type: MustRunAsRange
diff --git a/site/content/installation/installing-ngf/helm.md b/site/content/installation/installing-ngf/helm.md
index 658425f6e7..9880e5438e 100644
--- a/site/content/installation/installing-ngf/helm.md
+++ b/site/content/installation/installing-ngf/helm.md
@@ -29,6 +29,8 @@ To complete this guide, you'll need to install:
To install the latest stable release of NGINX Gateway Fabric in the **nginx-gateway** namespace, run the following command:
+{{< note >}} OpenShift users must add the `--set platform=openshift` flag to the install commands below. {{< /note >}}
+
##### For NGINX
```shell
From fa4245378ab030d94640214313f4cf5526d0082b Mon Sep 17 00:00:00 2001
From: Benjamin Jee
Date: Thu, 16 May 2024 14:58:59 -0700
Subject: [PATCH 14/34] Add platform openshift to upgrade commands too
---
site/content/installation/installing-ngf/helm.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/site/content/installation/installing-ngf/helm.md b/site/content/installation/installing-ngf/helm.md
index 9880e5438e..2d864c74ff 100644
--- a/site/content/installation/installing-ngf/helm.md
+++ b/site/content/installation/installing-ngf/helm.md
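Review bot: The five `allowHost*`/`allowPrivilegedContainer: false` lines re-added here are the same ones patch 10 removed as "unnecessary", and nothing in the template records why they are back, so the next tidy-up is likely to remove them again. Suggest a comment above the group, `# Explicit false on every host-access field: the SCC API expects them and the explicit value documents intent`, with the "API expects them" part kept only if the API server really rejected their absence (the commit title says so; the hunk cannot show it). `allowHostPID: false` is new rather than restored and is a sensible addition for a pod that shares nothing with the host.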
@@ -29,7 +29,7 @@ To complete this guide, you'll need to install:
To install the latest stable release of NGINX Gateway Fabric in the **nginx-gateway** namespace, run the following command:
-{{< note >}} OpenShift users must add the `--set platform=openshift` flag to the install commands below. {{< /note >}}
+{{< note >}} OpenShift users must add the `--set platform=openshift` flag to the install and upgrade commands below. {{< /note >}}
##### For NGINX
From 580cec8d6ae5109dd32ff99b329ecee571e21b5b Mon Sep 17 00:00:00 2001
From: Benjamin Jee
Date: Fri, 17 May 2024 10:07:35 -0700
Subject: [PATCH 15/34] Add sccName value to rbac template
---
charts/nginx-gateway-fabric/templates/rbac.yaml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/charts/nginx-gateway-fabric/templates/rbac.yaml b/charts/nginx-gateway-fabric/templates/rbac.yaml
index 2d34eafbe7..4a13f6977f 100644
--- a/charts/nginx-gateway-fabric/templates/rbac.yaml
+++ b/charts/nginx-gateway-fabric/templates/rbac.yaml
@@ -155,7 +155,7 @@ rules:
resources:
- securitycontextconstraints
resourceNames:
- - nginx-ngf-admin
+ - {{ .Values.sccName }}
verbs:
- use
{{- end }}
From 892d48a2a2caf126e03f12e7a9ffd0a432ac9fcf Mon Sep 17 00:00:00 2001
From: Benjamin Jee
Date: Fri, 17 May 2024 10:45:55 -0700
Subject: [PATCH 16/34] Add scc name to helpers template file
---
charts/nginx-gateway-fabric/templates/_helpers.tpl | 8 ++++++++
charts/nginx-gateway-fabric/templates/rbac.yaml | 2 +-
charts/nginx-gateway-fabric/templates/scc.yaml | 2 +-
3 files changed, 10 insertions(+), 2 deletions(-)
diff --git a/charts/nginx-gateway-fabric/templates/_helpers.tpl b/charts/nginx-gateway-fabric/templates/_helpers.tpl
index 13d78128ae..90b0698e55 100644
--- a/charts/nginx-gateway-fabric/templates/_helpers.tpl
+++ b/charts/nginx-gateway-fabric/templates/_helpers.tpl
@@ -39,6 +39,14 @@ Create data plane config name.
{{- printf "%s-proxy-config" $name | trunc 63 | trimSuffix "-" }}
{{- end }}
+{{/*
+Create security context constraints name.
+*/}}
+{{- define "nginx-gateway.scc-name" -}}
+{{- $name := default .Release.Name .Values.nameOverride }}
+{{- printf "%s-scc" $name | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
{{/*
Create chart name and version as used by the chart label.
*/}}
diff --git a/charts/nginx-gateway-fabric/templates/rbac.yaml b/charts/nginx-gateway-fabric/templates/rbac.yaml
index 4a13f6977f..36866eba42 100644
--- a/charts/nginx-gateway-fabric/templates/rbac.yaml
+++ b/charts/nginx-gateway-fabric/templates/rbac.yaml
@@ -155,7 +155,7 @@ rules:
resources:
- securitycontextconstraints
resourceNames:
- - {{ .Values.sccName }}
+ - {{ include "nginx-gateway.scc-name" . }}
verbs:
- use
{{- end }}
diff --git a/charts/nginx-gateway-fabric/templates/scc.yaml b/charts/nginx-gateway-fabric/templates/scc.yaml
index 48be19de1e..64a579ce71 100644
--- a/charts/nginx-gateway-fabric/templates/scc.yaml
+++ b/charts/nginx-gateway-fabric/templates/scc.yaml
@@ -3,7 +3,7 @@
kind: SecurityContextConstraints
apiVersion: security.openshift.io/v1
metadata:
- name: {{ .Values.sccName }}
+ name: {{ include "nginx-gateway.scc-name" . }}
allowPrivilegeEscalation: {{ .Values.nginxGateway.securityContext.allowPrivilegeEscalation }}
allowHostDirVolumePlugin: false
allowHostIPC: false
From 517ac811a63207afb499b5991c743709b125602b Mon Sep 17 00:00:00 2001
From: Benjamin Jee
Date: Fri, 17 May 2024 10:49:49 -0700
Subject: [PATCH 17/34] Remove sccName from values file
---
charts/nginx-gateway-fabric/values.yaml | 3 ---
1 file changed, 3 deletions(-)
diff --git a/charts/nginx-gateway-fabric/values.yaml b/charts/nginx-gateway-fabric/values.yaml
index dcc78be8d5..2b5a605419 100644
--- a/charts/nginx-gateway-fabric/values.yaml
+++ b/charts/nginx-gateway-fabric/values.yaml
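Review bot: `nginx-gateway.scc-name` builds the name from `.Release.Name` (or `nameOverride`) alone, but a SecurityContextConstraints object is cluster-scoped; two releases with the same name in different namespaces, which Helm allows, would both claim one `<release>-scc` object, and the second install fails Helm's ownership check on it. If that deployment shape is meant to work, fold the namespace in, e.g. `{{- printf "%s-%s-scc" .Release.Namespace $name | trunc 63 | trimSuffix "-" }}` (the `users:` entry in scc.yaml already wildcards the namespace, so it would not need to change); otherwise a sentence in the helper's `{{/* */}}` header stating the one-release-name-per-cluster assumption would do. The helper otherwise mirrors the `$name`/`trunc 63`/`trimSuffix` convention of the config-name helper shown in context, which is good.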
@@ -115,9 +115,6 @@ affinity: {}
## The platform that NGINX Gateway Fabric is being deployed on. Valid values: kubernetes, openshift
platform: kubernetes
-## The name for the SecurityContextConstraints object used in Openshift environments.
-sccName: nginx-ngf-admin
-
serviceAccount:
annotations: {}
## The name of the service account of the NGINX Gateway Fabric pods. Used for RBAC.
From 202c0c9d57f08f7ce5690ba5613cc610ca6281a6 Mon Sep 17 00:00:00 2001
From: Benjamin Jee
Date: Fri, 17 May 2024 13:25:25 -0700
Subject: [PATCH 18/34] Add createOpenShiftSCC flag
---
charts/nginx-gateway-fabric/templates/scc.yaml | 2 +-
charts/nginx-gateway-fabric/values.yaml | 3 +++
2 files changed, 4 insertions(+), 1 deletion(-)
diff --git a/charts/nginx-gateway-fabric/templates/scc.yaml b/charts/nginx-gateway-fabric/templates/scc.yaml
index 64a579ce71..51834d8ecb 100644
--- a/charts/nginx-gateway-fabric/templates/scc.yaml
+++ b/charts/nginx-gateway-fabric/templates/scc.yaml
@@ -1,5 +1,5 @@
# Create SCC for Gateway resources
-{{- if eq .Values.platform "openshift" }}
+{{- if and (eq .Values.platform "openshift") .Values.createOpenShiftSCC }}
kind: SecurityContextConstraints
apiVersion: security.openshift.io/v1
metadata:
diff --git a/charts/nginx-gateway-fabric/values.yaml b/charts/nginx-gateway-fabric/values.yaml
index 2b5a605419..5d187bbf8f 100644
--- a/charts/nginx-gateway-fabric/values.yaml
+++ b/charts/nginx-gateway-fabric/values.yaml
@@ -115,6 +115,9 @@ affinity: {}
## The platform that NGINX Gateway Fabric is being deployed on. Valid values: kubernetes, openshift
platform: kubernetes
+## Create and apply the OpenShift SecurityContextConstraints object.
+createOpenShiftSCC: true
+
serviceAccount:
annotations: {}
## The name of the service account of the NGINX Gateway Fabric pods. Used for RBAC.
From 083972ac51d1af1ae59674c272f5504478ae2d9a Mon Sep 17 00:00:00 2001
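Review bot: With `createOpenShiftSCC: false` the chart still emits the ClusterRole rule granting `use` on `{{ include "nginx-gateway.scc-name" . }}` (rbac.yaml, changed in patch 16), but the value that let an operator name an existing SCC was removed in patch 17, so a bring-your-own SCC only works if it happens to be called `<release>-scc`; otherwise the pod is never admitted under it and Helm reports nothing. Either restore a name override that both scc.yaml and rbac.yaml read, or state the constraint in the values comment: `## Create and apply the OpenShift SecurityContextConstraints object. If false, an SCC named <release>-scc must already exist in the cluster.`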
From: Benjamin Jee
Date: Fri, 17 May 2024 14:07:03 -0700
Subject: [PATCH 19/34] Add openshift manifests and helm template generation
---
Makefile | 8 +-
.../nginx-gateway-fabric/templates/scc.yaml | 21 +-
.../openshift/nginx-gateway-experimental.yaml | 353 +++++++++++++++++
deploy/manifests/openshift/nginx-gateway.yaml | 347 +++++++++++++++++
.../nginx-plus-gateway-experimental.yaml | 360 ++++++++++++++++++
.../openshift/nginx-plus-gateway.yaml | 354 +++++++++++++++++
deploy/manifests/openshift/scc.yaml | 40 ++
7 files changed, 1471 insertions(+), 12 deletions(-)
create mode 100644 deploy/manifests/openshift/nginx-gateway-experimental.yaml
create mode 100644 deploy/manifests/openshift/nginx-gateway.yaml
create mode 100644 deploy/manifests/openshift/nginx-plus-gateway-experimental.yaml
create mode 100644 deploy/manifests/openshift/nginx-plus-gateway.yaml
create mode 100644 deploy/manifests/openshift/scc.yaml
diff --git a/Makefile b/Makefile
index b9c042c4db..eb196f721c 100644
--- a/Makefile
+++ b/Makefile
@@ -128,7 +128,13 @@ generate-manifests: ## Generate manifests using Helm.
 helm template nginx-gateway $(CHART_DIR) $(HELM_TEMPLATE_COMMON_ARGS) $(HELM_TEMPLATE_EXTRA_ARGS_FOR_ALL_MANIFESTS_FILE) --set nginx.plus=true --set nginx.image.repository=$(NGINX_PLUS_PREFIX) -n nginx-gateway | cat $(strip $(MANIFEST_DIR))/namespace.yaml - > $(strip $(MANIFEST_DIR))/nginx-plus-gateway.yaml
 helm template nginx-gateway $(CHART_DIR) $(HELM_TEMPLATE_COMMON_ARGS) $(HELM_TEMPLATE_EXTRA_ARGS_FOR_ALL_MANIFESTS_FILE) --set nginxGateway.gwAPIExperimentalFeatures.enable=true -n nginx-gateway | cat $(strip $(MANIFEST_DIR))/namespace.yaml - > $(strip $(MANIFEST_DIR))/nginx-gateway-experimental.yaml
 helm template nginx-gateway $(CHART_DIR) $(HELM_TEMPLATE_COMMON_ARGS) $(HELM_TEMPLATE_EXTRA_ARGS_FOR_ALL_MANIFESTS_FILE) --set nginxGateway.gwAPIExperimentalFeatures.enable=true --set nginx.plus=true --set nginx.image.repository=$(NGINX_PLUS_PREFIX) -n nginx-gateway | cat $(strip $(MANIFEST_DIR))/namespace.yaml - > $(strip $(MANIFEST_DIR))/nginx-plus-gateway-experimental.yaml
- helm template nginx-gateway $(CHART_DIR) $(HELM_TEMPLATE_COMMON_ARGS) --set metrics.enable=false --set nginxGateway.productTelemetry.enable=false -n nginx-gateway -s templates/deployment.yaml > config/tests/static-deployment.yaml
+ helm template nginx-gateway $(CHART_DIR) $(HELM_TEMPLATE_COMMON_ARGS) --set metrics.enable=false --set nginxGateway.productTelemetry.enable=false -n nginx-gateway -s templates/deployment.yaml > config/tests/static-deployment.yam
+ helm template nginx-gateway $(CHART_DIR) $(HELM_TEMPLATE_COMMON_ARGS) $(HELM_TEMPLATE_EXTRA_ARGS_FOR_ALL_MANIFESTS_FILE) -n nginx-gateway --set platform=openshift -s templates/scc.yaml > $(strip $(MANIFEST_DIR))/openshift/scc.yaml
+ helm template nginx-gateway $(CHART_DIR) $(HELM_TEMPLATE_COMMON_ARGS) $(HELM_TEMPLATE_EXTRA_ARGS_FOR_ALL_MANIFESTS_FILE) -n nginx-gateway --set platform=openshift | cat $(strip $(MANIFEST_DIR))/namespace.yaml - > $(strip
$(MANIFEST_DIR))/openshift/nginx-gateway.yaml
+ helm template nginx-gateway $(CHART_DIR) $(HELM_TEMPLATE_COMMON_ARGS) $(HELM_TEMPLATE_EXTRA_ARGS_FOR_ALL_MANIFESTS_FILE) --set nginx.plus=true --set nginx.image.repository=$(NGINX_PLUS_PREFIX) -n nginx-gateway --set platform=openshift | cat $(strip $(MANIFEST_DIR))/namespace.yaml - > $(strip $(MANIFEST_DIR))/openshift/nginx-plus-gateway.yaml
+ helm template nginx-gateway $(CHART_DIR) $(HELM_TEMPLATE_COMMON_ARGS) $(HELM_TEMPLATE_EXTRA_ARGS_FOR_ALL_MANIFESTS_FILE) --set nginxGateway.gwAPIExperimentalFeatures.enable=true -n nginx-gateway --set platform=openshift | cat $(strip $(MANIFEST_DIR))/namespace.yaml - > $(strip $(MANIFEST_DIR))/openshift/nginx-gateway-experimental.yaml
+ helm template nginx-gateway $(CHART_DIR) $(HELM_TEMPLATE_COMMON_ARGS) $(HELM_TEMPLATE_EXTRA_ARGS_FOR_ALL_MANIFESTS_FILE) --set nginxGateway.gwAPIExperimentalFeatures.enable=true --set nginx.plus=true --set nginx.image.repository=$(NGINX_PLUS_PREFIX) -n nginx-gateway --set platform=openshift | cat $(strip $(MANIFEST_DIR))/namespace.yaml - > $(strip $(MANIFEST_DIR))/openshift/nginx-plus-gateway-experimental.yaml
+ helm template nginx-gateway $(CHART_DIR) $(HELM_TEMPLATE_COMMON_ARGS) --set metrics.enable=false --set nginxGateway.productTelemetry.enable=false -n nginx-gateway -s templates/deployment.yaml > conformance/provisioner/static-deployment.yaml
 helm template nginx-gateway $(CHART_DIR) $(HELM_TEMPLATE_COMMON_ARGS) -n nginx-gateway -s templates/service.yaml > $(strip $(MANIFEST_DIR))/service/loadbalancer.yaml
 helm template nginx-gateway $(CHART_DIR) $(HELM_TEMPLATE_COMMON_ARGS) --set service.annotations.'service\.beta\.kubernetes\.io\/aws-load-balancer-type'="nlb" -n nginx-gateway -s templates/service.yaml > $(strip $(MANIFEST_DIR))/service/loadbalancer-aws-nlb.yaml
 helm template nginx-gateway $(CHART_DIR) $(HELM_TEMPLATE_COMMON_ARGS) --set service.type=NodePort --set service.externalTrafficPolicy="" -n nginx-gateway -s templates/service.yaml >
$(strip $(MANIFEST_DIR))/service/nodeport.yaml diff --git a/charts/nginx-gateway-fabric/templates/scc.yaml b/charts/nginx-gateway-fabric/templates/scc.yaml index 51834d8ecb..f9fa209b73 100644 --- a/charts/nginx-gateway-fabric/templates/scc.yaml +++ b/charts/nginx-gateway-fabric/templates/scc.yaml @@ -1,4 +1,3 @@ -# Create SCC for Gateway resources {{- if and (eq .Values.platform "openshift") .Values.createOpenShiftSCC }} kind: SecurityContextConstraints apiVersion: security.openshift.io/v1 @@ -19,23 +18,23 @@ runAsUser: fsGroup: type: MustRunAs ranges: - - min: 1001 - max: 1001 + - min: 1001 + max: 1001 supplementalGroups: type: MustRunAs ranges: - - min: 1001 - max: 1001 + - min: 1001 + max: 1001 seLinuxContext: type: MustRunAs volumes: - - emptyDir - - secret +- emptyDir +- secret users: - - {{ printf "system:serviceaccount:*:%s" (include "nginx-gateway.fullname" .) }} +- {{ printf "system:serviceaccount:*:%s" (include "nginx-gateway.fullname" .) }} allowedCapabilities: - - NET_BIND_SERVICE - - KILL +- NET_BIND_SERVICE +- KILL requiredDropCapabilities: - - ALL +- ALL {{- end }} diff --git a/deploy/manifests/openshift/nginx-gateway-experimental.yaml b/deploy/manifests/openshift/nginx-gateway-experimental.yaml new file mode 100644 index 0000000000..8bef4ee697 --- /dev/null +++ b/deploy/manifests/openshift/nginx-gateway-experimental.yaml 
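Review bot: The replacement recipe line for the static deployment fixture redirects to `config/tests/static-deployment.yam` where the removed line wrote `.yaml`, so `make generate-manifests` will leave a stray `.yam` file and never refresh the tracked `config/tests/static-deployment.yaml`, letting a fixture that carries the pod securityContext drift silently from the chart. Restore the extension, `> config/tests/static-deployment.yaml`, or delete the line if the `conformance/provisioner/static-deployment.yaml` target added a few lines below is meant to supersede it. The separate `-s templates/scc.yaml` render into `openshift/scc.yaml` also duplicates the SCC that each of the four all-in-one OpenShift manifests already embeds, which is two copies of a security policy to keep in sync; a later patch in this series deletes the generated file but, as far as visible here, leaves this recipe line to regenerate it. The `generate-manifests` target continues beyond this hunk.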
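Review bot: The `users` entry `system:serviceaccount:*:<fullname>` (only re-indented in this hunk, but it is the line that grants access) lets a ServiceAccount bearing the release name in any namespace use this SCC and request NET_BIND_SERVICE/KILL, independently of the RBAC `use` rule, so anyone able to create a ServiceAccount in a namespace they control inherits it. Pin it to the release namespace, `- {{ printf "system:serviceaccount:%s:%s" .Release.Namespace (include "nginx-gateway.fullname" .) }}`, or drop `users` and rely solely on the ClusterRole `use` grant, which in the generated manifests is bound to the single nginx-gateway ServiceAccount. The rest of the SCC as rendered (no host namespaces, no privilege escalation, read-only root, UID range 101–102 and GID 1001) lines up with the deployment's securityContext. A one-line comment above `allowedCapabilities` saying that KILL is for the controller container and NET_BIND_SERVICE for nginx would also help, since an SCC cannot scope capabilities per container.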
@@ -0,0 +1,353 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: nginx-gateway +--- +# Source: nginx-gateway-fabric/templates/rbac.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + name: nginx-gateway + namespace: nginx-gateway + labels: + app.kubernetes.io/name: nginx-gateway + app.kubernetes.io/instance: nginx-gateway + app.kubernetes.io/version: "edge" + annotations: + {} +--- +# Source: nginx-gateway-fabric/templates/rbac.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: nginx-gateway + labels: + app.kubernetes.io/name: nginx-gateway + app.kubernetes.io/instance: nginx-gateway + app.kubernetes.io/version: "edge" +rules: +- apiGroups: + - "" + resources: + - namespaces + - services + - secrets + - configmaps + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - pods + verbs: + - get +- apiGroups: + - apps + resources: + - replicasets + verbs: + - get +- apiGroups: + - "" + resources: + - nodes + verbs: + - list +- apiGroups: + - "" + resources: + - events + verbs: + - create + - patch +- apiGroups: + - discovery.k8s.io + resources: + - endpointslices + verbs: + - list + - watch +- apiGroups: + - gateway.networking.k8s.io + resources: + - gatewayclasses + - gateways + - httproutes + - referencegrants + - backendtlspolicies + - grpcroutes + verbs: + - list + - watch +- apiGroups: + - gateway.networking.k8s.io + resources: + - httproutes/status + - gateways/status + - gatewayclasses/status + - backendtlspolicies/status + - grpcroutes/status + verbs: + - update +- apiGroups: + - gateway.nginx.org + resources: + - nginxgateways + verbs: + - get + - list + - watch +- apiGroups: + - gateway.nginx.org + resources: + - nginxproxies + verbs: + - list + - watch +- apiGroups: + - gateway.nginx.org + resources: + - nginxgateways/status + verbs: + - update +- apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - create + - get + - update +- apiGroups: + - apiextensions.k8s.io + resources: + - 
customresourcedefinitions + verbs: + - list + - watch +- apiGroups: + - security.openshift.io + resources: + - securitycontextconstraints + resourceNames: + - nginx-gateway-scc + verbs: + - use +--- +# Source: nginx-gateway-fabric/templates/rbac.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: nginx-gateway + labels: + app.kubernetes.io/name: nginx-gateway + app.kubernetes.io/instance: nginx-gateway + app.kubernetes.io/version: "edge" +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: nginx-gateway +subjects: +- kind: ServiceAccount + name: nginx-gateway + namespace: nginx-gateway +--- +# Source: nginx-gateway-fabric/templates/deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + name: nginx-gateway + namespace: nginx-gateway + labels: + app.kubernetes.io/name: nginx-gateway + app.kubernetes.io/instance: nginx-gateway + app.kubernetes.io/version: "edge" +spec: + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/name: nginx-gateway + app.kubernetes.io/instance: nginx-gateway + template: + metadata: + labels: + app.kubernetes.io/name: nginx-gateway + app.kubernetes.io/instance: nginx-gateway + annotations: + prometheus.io/scrape: "true" + prometheus.io/port: "9113" + spec: + containers: + - args: + - static-mode + - --gateway-ctlr-name=gateway.nginx.org/nginx-gateway-controller + - --gatewayclass=nginx + - --config=nginx-gateway-config + - --service=nginx-gateway + - --metrics-port=9113 + - --health-port=8081 + - --leader-election-lock-name=nginx-gateway-leader-election + - --gateway-api-experimental-features + env: + - name: POD_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + image: ghcr.io/nginxinc/nginx-gateway-fabric:edge + imagePullPolicy: Always + name: nginx-gateway + ports: + - name: metrics + containerPort: 9113 
+ - name: health + containerPort: 8081 + readinessProbe: + httpGet: + path: /readyz + port: health + initialDelaySeconds: 3 + periodSeconds: 1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + add: + - KILL + drop: + - ALL + readOnlyRootFilesystem: true + runAsUser: 102 + runAsGroup: 1001 + volumeMounts: + - name: nginx-conf + mountPath: /etc/nginx/conf.d + - name: module-includes + mountPath: /etc/nginx/module-includes + - name: nginx-secrets + mountPath: /etc/nginx/secrets + - name: nginx-run + mountPath: /var/run/nginx + - image: ghcr.io/nginxinc/nginx-gateway-fabric/nginx:edge + imagePullPolicy: Always + name: nginx + ports: + - containerPort: 80 + name: http + - containerPort: 443 + name: https + securityContext: + capabilities: + add: + - NET_BIND_SERVICE + drop: + - ALL + readOnlyRootFilesystem: true + runAsUser: 101 + runAsGroup: 1001 + volumeMounts: + - name: nginx-conf + mountPath: /etc/nginx/conf.d + - name: module-includes + mountPath: /etc/nginx/module-includes + - name: nginx-secrets + mountPath: /etc/nginx/secrets + - name: nginx-run + mountPath: /var/run/nginx + - name: nginx-cache + mountPath: /var/cache/nginx + - name: nginx-lib + mountPath: /var/lib/nginx + terminationGracePeriodSeconds: 30 + serviceAccountName: nginx-gateway + shareProcessNamespace: true + securityContext: + fsGroup: 1001 + runAsNonRoot: true + volumes: + - name: nginx-conf + emptyDir: {} + - name: module-includes + emptyDir: {} + - name: nginx-secrets + emptyDir: {} + - name: nginx-run + emptyDir: {} + - name: nginx-cache + emptyDir: {} + - name: nginx-lib + emptyDir: {} +--- +# Source: nginx-gateway-fabric/templates/gatewayclass.yaml +apiVersion: gateway.networking.k8s.io/v1 +kind: GatewayClass +metadata: + name: nginx + labels: + app.kubernetes.io/name: nginx-gateway + app.kubernetes.io/instance: nginx-gateway + app.kubernetes.io/version: "edge" +spec: + controllerName: gateway.nginx.org/nginx-gateway-controller +--- +# Source: 
nginx-gateway-fabric/templates/nginxgateway.yaml +apiVersion: gateway.nginx.org/v1alpha1 +kind: NginxGateway +metadata: + name: nginx-gateway-config + namespace: nginx-gateway + labels: + app.kubernetes.io/name: nginx-gateway + app.kubernetes.io/instance: nginx-gateway + app.kubernetes.io/version: "edge" +spec: + logging: + level: info +--- +# Source: nginx-gateway-fabric/templates/scc.yaml +kind: SecurityContextConstraints +apiVersion: security.openshift.io/v1 +metadata: + name: nginx-gateway-scc +allowPrivilegeEscalation: false +allowHostDirVolumePlugin: false +allowHostIPC: false +allowHostNetwork: false +allowHostPID: false +allowHostPorts: false +allowPrivilegedContainer: false +readOnlyRootFilesystem: true +runAsUser: + type: MustRunAsRange + uidRangeMin: 101 + uidRangeMax: 102 +fsGroup: + type: MustRunAs + ranges: + - min: 1001 + max: 1001 +supplementalGroups: + type: MustRunAs + ranges: + - min: 1001 + max: 1001 +seLinuxContext: + type: MustRunAs +volumes: +- emptyDir +- secret +users: +- system:serviceaccount:*:nginx-gateway +allowedCapabilities: +- NET_BIND_SERVICE +- KILL +requiredDropCapabilities: +- ALL diff --git a/deploy/manifests/openshift/nginx-gateway.yaml b/deploy/manifests/openshift/nginx-gateway.yaml new file mode 100644 index 0000000000..d50cd5e3e1 --- /dev/null +++ b/deploy/manifests/openshift/nginx-gateway.yaml 
@@ -0,0 +1,347 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: nginx-gateway +--- +# Source: nginx-gateway-fabric/templates/rbac.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + name: nginx-gateway + namespace: nginx-gateway + labels: + app.kubernetes.io/name: nginx-gateway + app.kubernetes.io/instance: nginx-gateway + app.kubernetes.io/version: "edge" + annotations: + {} +--- +# Source: nginx-gateway-fabric/templates/rbac.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: nginx-gateway + labels: + app.kubernetes.io/name: nginx-gateway + app.kubernetes.io/instance: nginx-gateway + app.kubernetes.io/version: "edge" +rules: +- apiGroups: + - "" + resources: + - namespaces + - services + - secrets + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - pods + verbs: + - get +- apiGroups: + - apps + resources: + - replicasets + verbs: + - get +- apiGroups: + - "" + resources: + - nodes + verbs: + - list +- apiGroups: + - "" + resources: + - events + verbs: + - create + - patch +- apiGroups: + - discovery.k8s.io + resources: + - endpointslices + verbs: + - list + - watch +- apiGroups: + - gateway.networking.k8s.io + resources: + - gatewayclasses + - gateways + - httproutes + - referencegrants + verbs: + - list + - watch +- apiGroups: + - gateway.networking.k8s.io + resources: + - httproutes/status + - gateways/status + - gatewayclasses/status + verbs: + - update +- apiGroups: + - gateway.nginx.org + resources: + - nginxgateways + verbs: + - get + - list + - watch +- apiGroups: + - gateway.nginx.org + resources: + - nginxproxies + verbs: + - list + - watch +- apiGroups: + - gateway.nginx.org + resources: + - nginxgateways/status + verbs: + - update +- apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - create + - get + - update +- apiGroups: + - apiextensions.k8s.io + resources: + - customresourcedefinitions + verbs: + - list + - watch +- apiGroups: + - security.openshift.io + 
resources: + - securitycontextconstraints + resourceNames: + - nginx-gateway-scc + verbs: + - use +--- +# Source: nginx-gateway-fabric/templates/rbac.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: nginx-gateway + labels: + app.kubernetes.io/name: nginx-gateway + app.kubernetes.io/instance: nginx-gateway + app.kubernetes.io/version: "edge" +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: nginx-gateway +subjects: +- kind: ServiceAccount + name: nginx-gateway + namespace: nginx-gateway +--- +# Source: nginx-gateway-fabric/templates/deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + name: nginx-gateway + namespace: nginx-gateway + labels: + app.kubernetes.io/name: nginx-gateway + app.kubernetes.io/instance: nginx-gateway + app.kubernetes.io/version: "edge" +spec: + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/name: nginx-gateway + app.kubernetes.io/instance: nginx-gateway + template: + metadata: + labels: + app.kubernetes.io/name: nginx-gateway + app.kubernetes.io/instance: nginx-gateway + annotations: + prometheus.io/scrape: "true" + prometheus.io/port: "9113" + spec: + containers: + - args: + - static-mode + - --gateway-ctlr-name=gateway.nginx.org/nginx-gateway-controller + - --gatewayclass=nginx + - --config=nginx-gateway-config + - --service=nginx-gateway + - --metrics-port=9113 + - --health-port=8081 + - --leader-election-lock-name=nginx-gateway-leader-election + env: + - name: POD_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + image: ghcr.io/nginxinc/nginx-gateway-fabric:edge + imagePullPolicy: Always + name: nginx-gateway + ports: + - name: metrics + containerPort: 9113 + - name: health + containerPort: 8081 + readinessProbe: + httpGet: + path: /readyz + port: health + initialDelaySeconds: 3 + 
periodSeconds: 1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + add: + - KILL + drop: + - ALL + readOnlyRootFilesystem: true + runAsUser: 102 + runAsGroup: 1001 + volumeMounts: + - name: nginx-conf + mountPath: /etc/nginx/conf.d + - name: module-includes + mountPath: /etc/nginx/module-includes + - name: nginx-secrets + mountPath: /etc/nginx/secrets + - name: nginx-run + mountPath: /var/run/nginx + - image: ghcr.io/nginxinc/nginx-gateway-fabric/nginx:edge + imagePullPolicy: Always + name: nginx + ports: + - containerPort: 80 + name: http + - containerPort: 443 + name: https + securityContext: + capabilities: + add: + - NET_BIND_SERVICE + drop: + - ALL + readOnlyRootFilesystem: true + runAsUser: 101 + runAsGroup: 1001 + volumeMounts: + - name: nginx-conf + mountPath: /etc/nginx/conf.d + - name: module-includes + mountPath: /etc/nginx/module-includes + - name: nginx-secrets + mountPath: /etc/nginx/secrets + - name: nginx-run + mountPath: /var/run/nginx + - name: nginx-cache + mountPath: /var/cache/nginx + - name: nginx-lib + mountPath: /var/lib/nginx + terminationGracePeriodSeconds: 30 + serviceAccountName: nginx-gateway + shareProcessNamespace: true + securityContext: + fsGroup: 1001 + runAsNonRoot: true + volumes: + - name: nginx-conf + emptyDir: {} + - name: module-includes + emptyDir: {} + - name: nginx-secrets + emptyDir: {} + - name: nginx-run + emptyDir: {} + - name: nginx-cache + emptyDir: {} + - name: nginx-lib + emptyDir: {} +--- +# Source: nginx-gateway-fabric/templates/gatewayclass.yaml +apiVersion: gateway.networking.k8s.io/v1 +kind: GatewayClass +metadata: + name: nginx + labels: + app.kubernetes.io/name: nginx-gateway + app.kubernetes.io/instance: nginx-gateway + app.kubernetes.io/version: "edge" +spec: + controllerName: gateway.nginx.org/nginx-gateway-controller +--- +# Source: nginx-gateway-fabric/templates/nginxgateway.yaml +apiVersion: gateway.nginx.org/v1alpha1 +kind: NginxGateway +metadata: + name: nginx-gateway-config + 
namespace: nginx-gateway + labels: + app.kubernetes.io/name: nginx-gateway + app.kubernetes.io/instance: nginx-gateway + app.kubernetes.io/version: "edge" +spec: + logging: + level: info +--- +# Source: nginx-gateway-fabric/templates/scc.yaml +kind: SecurityContextConstraints +apiVersion: security.openshift.io/v1 +metadata: + name: nginx-gateway-scc +allowPrivilegeEscalation: false +allowHostDirVolumePlugin: false +allowHostIPC: false +allowHostNetwork: false +allowHostPID: false +allowHostPorts: false +allowPrivilegedContainer: false +readOnlyRootFilesystem: true +runAsUser: + type: MustRunAsRange + uidRangeMin: 101 + uidRangeMax: 102 +fsGroup: + type: MustRunAs + ranges: + - min: 1001 + max: 1001 +supplementalGroups: + type: MustRunAs + ranges: + - min: 1001 + max: 1001 +seLinuxContext: + type: MustRunAs +volumes: +- emptyDir +- secret +users: +- system:serviceaccount:*:nginx-gateway +allowedCapabilities: +- NET_BIND_SERVICE +- KILL +requiredDropCapabilities: +- ALL diff --git a/deploy/manifests/openshift/nginx-plus-gateway-experimental.yaml b/deploy/manifests/openshift/nginx-plus-gateway-experimental.yaml new file mode 100644 index 0000000000..dfcb81a5e3 --- /dev/null +++ b/deploy/manifests/openshift/nginx-plus-gateway-experimental.yaml 
@@ -0,0 +1,360 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: nginx-gateway +--- +# Source: nginx-gateway-fabric/templates/rbac.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + name: nginx-gateway + namespace: nginx-gateway + labels: + app.kubernetes.io/name: nginx-gateway + app.kubernetes.io/instance: nginx-gateway + app.kubernetes.io/version: "edge" + annotations: + {} +--- +# Source: nginx-gateway-fabric/templates/rbac.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: nginx-gateway + labels: + app.kubernetes.io/name: nginx-gateway + app.kubernetes.io/instance: nginx-gateway + app.kubernetes.io/version: "edge" +rules: +- apiGroups: + - "" + resources: + - namespaces + - services + - secrets + - configmaps + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - pods + verbs: + - get +- apiGroups: + - apps + resources: + - replicasets + verbs: + - get +- apiGroups: + - apps + resources: + - replicasets + verbs: + - list +- apiGroups: + - "" + resources: + - nodes + verbs: + - list +- apiGroups: + - "" + resources: + - events + verbs: + - create + - patch +- apiGroups: + - discovery.k8s.io + resources: + - endpointslices + verbs: + - list + - watch +- apiGroups: + - gateway.networking.k8s.io + resources: + - gatewayclasses + - gateways + - httproutes + - referencegrants + - backendtlspolicies + - grpcroutes + verbs: + - list + - watch +- apiGroups: + - gateway.networking.k8s.io + resources: + - httproutes/status + - gateways/status + - gatewayclasses/status + - backendtlspolicies/status + - grpcroutes/status + verbs: + - update +- apiGroups: + - gateway.nginx.org + resources: + - nginxgateways + verbs: + - get + - list + - watch +- apiGroups: + - gateway.nginx.org + resources: + - nginxproxies + verbs: + - list + - watch +- apiGroups: + - gateway.nginx.org + resources: + - nginxgateways/status + verbs: + - update +- apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - create + - 
get + - update +- apiGroups: + - apiextensions.k8s.io + resources: + - customresourcedefinitions + verbs: + - list + - watch +- apiGroups: + - security.openshift.io + resources: + - securitycontextconstraints + resourceNames: + - nginx-gateway-scc + verbs: + - use +--- +# Source: nginx-gateway-fabric/templates/rbac.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: nginx-gateway + labels: + app.kubernetes.io/name: nginx-gateway + app.kubernetes.io/instance: nginx-gateway + app.kubernetes.io/version: "edge" +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: nginx-gateway +subjects: +- kind: ServiceAccount + name: nginx-gateway + namespace: nginx-gateway +--- +# Source: nginx-gateway-fabric/templates/deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + name: nginx-gateway + namespace: nginx-gateway + labels: + app.kubernetes.io/name: nginx-gateway + app.kubernetes.io/instance: nginx-gateway + app.kubernetes.io/version: "edge" +spec: + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/name: nginx-gateway + app.kubernetes.io/instance: nginx-gateway + template: + metadata: + labels: + app.kubernetes.io/name: nginx-gateway + app.kubernetes.io/instance: nginx-gateway + annotations: + prometheus.io/scrape: "true" + prometheus.io/port: "9113" + spec: + containers: + - args: + - static-mode + - --gateway-ctlr-name=gateway.nginx.org/nginx-gateway-controller + - --gatewayclass=nginx + - --config=nginx-gateway-config + - --service=nginx-gateway + - --nginx-plus + - --metrics-port=9113 + - --health-port=8081 + - --leader-election-lock-name=nginx-gateway-leader-election + - --gateway-api-experimental-features + env: + - name: POD_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + image: ghcr.io/nginxinc/nginx-gateway-fabric:edge + 
imagePullPolicy: Always + name: nginx-gateway + ports: + - name: metrics + containerPort: 9113 + - name: health + containerPort: 8081 + readinessProbe: + httpGet: + path: /readyz + port: health + initialDelaySeconds: 3 + periodSeconds: 1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + add: + - KILL + drop: + - ALL + readOnlyRootFilesystem: true + runAsUser: 102 + runAsGroup: 1001 + volumeMounts: + - name: nginx-conf + mountPath: /etc/nginx/conf.d + - name: module-includes + mountPath: /etc/nginx/module-includes + - name: nginx-secrets + mountPath: /etc/nginx/secrets + - name: nginx-run + mountPath: /var/run/nginx + - image: nginx-gateway-fabric/nginx-plus:edge + imagePullPolicy: Always + name: nginx + ports: + - containerPort: 80 + name: http + - containerPort: 443 + name: https + securityContext: + capabilities: + add: + - NET_BIND_SERVICE + drop: + - ALL + readOnlyRootFilesystem: true + runAsUser: 101 + runAsGroup: 1001 + volumeMounts: + - name: nginx-conf + mountPath: /etc/nginx/conf.d + - name: module-includes + mountPath: /etc/nginx/module-includes + - name: nginx-secrets + mountPath: /etc/nginx/secrets + - name: nginx-run + mountPath: /var/run/nginx + - name: nginx-cache + mountPath: /var/cache/nginx + - name: nginx-lib + mountPath: /var/lib/nginx + terminationGracePeriodSeconds: 30 + serviceAccountName: nginx-gateway + shareProcessNamespace: true + securityContext: + fsGroup: 1001 + runAsNonRoot: true + volumes: + - name: nginx-conf + emptyDir: {} + - name: module-includes + emptyDir: {} + - name: nginx-secrets + emptyDir: {} + - name: nginx-run + emptyDir: {} + - name: nginx-cache + emptyDir: {} + - name: nginx-lib + emptyDir: {} +--- +# Source: nginx-gateway-fabric/templates/gatewayclass.yaml +apiVersion: gateway.networking.k8s.io/v1 +kind: GatewayClass +metadata: + name: nginx + labels: + app.kubernetes.io/name: nginx-gateway + app.kubernetes.io/instance: nginx-gateway + app.kubernetes.io/version: "edge" +spec: + controllerName: 
gateway.nginx.org/nginx-gateway-controller +--- +# Source: nginx-gateway-fabric/templates/nginxgateway.yaml +apiVersion: gateway.nginx.org/v1alpha1 +kind: NginxGateway +metadata: + name: nginx-gateway-config + namespace: nginx-gateway + labels: + app.kubernetes.io/name: nginx-gateway + app.kubernetes.io/instance: nginx-gateway + app.kubernetes.io/version: "edge" +spec: + logging: + level: info +--- +# Source: nginx-gateway-fabric/templates/scc.yaml +kind: SecurityContextConstraints +apiVersion: security.openshift.io/v1 +metadata: + name: nginx-gateway-scc +allowPrivilegeEscalation: false +allowHostDirVolumePlugin: false +allowHostIPC: false +allowHostNetwork: false +allowHostPID: false +allowHostPorts: false +allowPrivilegedContainer: false +readOnlyRootFilesystem: true +runAsUser: + type: MustRunAsRange + uidRangeMin: 101 + uidRangeMax: 102 +fsGroup: + type: MustRunAs + ranges: + - min: 1001 + max: 1001 +supplementalGroups: + type: MustRunAs + ranges: + - min: 1001 + max: 1001 +seLinuxContext: + type: MustRunAs +volumes: +- emptyDir +- secret +users: +- system:serviceaccount:*:nginx-gateway +allowedCapabilities: +- NET_BIND_SERVICE +- KILL +requiredDropCapabilities: +- ALL diff --git a/deploy/manifests/openshift/nginx-plus-gateway.yaml b/deploy/manifests/openshift/nginx-plus-gateway.yaml new file mode 100644 index 0000000000..812c23a6b3 --- /dev/null +++ b/deploy/manifests/openshift/nginx-plus-gateway.yaml 
@@ -0,0 +1,354 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: nginx-gateway +--- +# Source: nginx-gateway-fabric/templates/rbac.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + name: nginx-gateway + namespace: nginx-gateway + labels: + app.kubernetes.io/name: nginx-gateway + app.kubernetes.io/instance: nginx-gateway + app.kubernetes.io/version: "edge" + annotations: + {} +--- +# Source: nginx-gateway-fabric/templates/rbac.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: nginx-gateway + labels: + app.kubernetes.io/name: nginx-gateway + app.kubernetes.io/instance: nginx-gateway + app.kubernetes.io/version: "edge" +rules: +- apiGroups: + - "" + resources: + - namespaces + - services + - secrets + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - pods + verbs: + - get +- apiGroups: + - apps + resources: + - replicasets + verbs: + - get +- apiGroups: + - apps + resources: + - replicasets + verbs: + - list +- apiGroups: + - "" + resources: + - nodes + verbs: + - list +- apiGroups: + - "" + resources: + - events + verbs: + - create + - patch +- apiGroups: + - discovery.k8s.io + resources: + - endpointslices + verbs: + - list + - watch +- apiGroups: + - gateway.networking.k8s.io + resources: + - gatewayclasses + - gateways + - httproutes + - referencegrants + verbs: + - list + - watch +- apiGroups: + - gateway.networking.k8s.io + resources: + - httproutes/status + - gateways/status + - gatewayclasses/status + verbs: + - update +- apiGroups: + - gateway.nginx.org + resources: + - nginxgateways + verbs: + - get + - list + - watch +- apiGroups: + - gateway.nginx.org + resources: + - nginxproxies + verbs: + - list + - watch +- apiGroups: + - gateway.nginx.org + resources: + - nginxgateways/status + verbs: + - update +- apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - create + - get + - update +- apiGroups: + - apiextensions.k8s.io + resources: + - customresourcedefinitions + verbs: 
+ - list + - watch +- apiGroups: + - security.openshift.io + resources: + - securitycontextconstraints + resourceNames: + - nginx-gateway-scc + verbs: + - use +--- +# Source: nginx-gateway-fabric/templates/rbac.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: nginx-gateway + labels: + app.kubernetes.io/name: nginx-gateway + app.kubernetes.io/instance: nginx-gateway + app.kubernetes.io/version: "edge" +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: nginx-gateway +subjects: +- kind: ServiceAccount + name: nginx-gateway + namespace: nginx-gateway +--- +# Source: nginx-gateway-fabric/templates/deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + name: nginx-gateway + namespace: nginx-gateway + labels: + app.kubernetes.io/name: nginx-gateway + app.kubernetes.io/instance: nginx-gateway + app.kubernetes.io/version: "edge" +spec: + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/name: nginx-gateway + app.kubernetes.io/instance: nginx-gateway + template: + metadata: + labels: + app.kubernetes.io/name: nginx-gateway + app.kubernetes.io/instance: nginx-gateway + annotations: + prometheus.io/scrape: "true" + prometheus.io/port: "9113" + spec: + containers: + - args: + - static-mode + - --gateway-ctlr-name=gateway.nginx.org/nginx-gateway-controller + - --gatewayclass=nginx + - --config=nginx-gateway-config + - --service=nginx-gateway + - --nginx-plus + - --metrics-port=9113 + - --health-port=8081 + - --leader-election-lock-name=nginx-gateway-leader-election + env: + - name: POD_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + image: ghcr.io/nginxinc/nginx-gateway-fabric:edge + imagePullPolicy: Always + name: nginx-gateway + ports: + - name: metrics + containerPort: 9113 + - name: health + containerPort: 8081 + readinessProbe: 
+ httpGet: + path: /readyz + port: health + initialDelaySeconds: 3 + periodSeconds: 1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + add: + - KILL + drop: + - ALL + readOnlyRootFilesystem: true + runAsUser: 102 + runAsGroup: 1001 + volumeMounts: + - name: nginx-conf + mountPath: /etc/nginx/conf.d + - name: module-includes + mountPath: /etc/nginx/module-includes + - name: nginx-secrets + mountPath: /etc/nginx/secrets + - name: nginx-run + mountPath: /var/run/nginx + - image: nginx-gateway-fabric/nginx-plus:edge + imagePullPolicy: Always + name: nginx + ports: + - containerPort: 80 + name: http + - containerPort: 443 + name: https + securityContext: + capabilities: + add: + - NET_BIND_SERVICE + drop: + - ALL + readOnlyRootFilesystem: true + runAsUser: 101 + runAsGroup: 1001 + volumeMounts: + - name: nginx-conf + mountPath: /etc/nginx/conf.d + - name: module-includes + mountPath: /etc/nginx/module-includes + - name: nginx-secrets + mountPath: /etc/nginx/secrets + - name: nginx-run + mountPath: /var/run/nginx + - name: nginx-cache + mountPath: /var/cache/nginx + - name: nginx-lib + mountPath: /var/lib/nginx + terminationGracePeriodSeconds: 30 + serviceAccountName: nginx-gateway + shareProcessNamespace: true + securityContext: + fsGroup: 1001 + runAsNonRoot: true + volumes: + - name: nginx-conf + emptyDir: {} + - name: module-includes + emptyDir: {} + - name: nginx-secrets + emptyDir: {} + - name: nginx-run + emptyDir: {} + - name: nginx-cache + emptyDir: {} + - name: nginx-lib + emptyDir: {} +--- +# Source: nginx-gateway-fabric/templates/gatewayclass.yaml +apiVersion: gateway.networking.k8s.io/v1 +kind: GatewayClass +metadata: + name: nginx + labels: + app.kubernetes.io/name: nginx-gateway + app.kubernetes.io/instance: nginx-gateway + app.kubernetes.io/version: "edge" +spec: + controllerName: gateway.nginx.org/nginx-gateway-controller +--- +# Source: nginx-gateway-fabric/templates/nginxgateway.yaml +apiVersion: gateway.nginx.org/v1alpha1 +kind: 
NginxGateway +metadata: + name: nginx-gateway-config + namespace: nginx-gateway + labels: + app.kubernetes.io/name: nginx-gateway + app.kubernetes.io/instance: nginx-gateway + app.kubernetes.io/version: "edge" +spec: + logging: + level: info +--- +# Source: nginx-gateway-fabric/templates/scc.yaml +kind: SecurityContextConstraints +apiVersion: security.openshift.io/v1 +metadata: + name: nginx-gateway-scc +allowPrivilegeEscalation: false +allowHostDirVolumePlugin: false +allowHostIPC: false +allowHostNetwork: false +allowHostPID: false +allowHostPorts: false +allowPrivilegedContainer: false +readOnlyRootFilesystem: true +runAsUser: + type: MustRunAsRange + uidRangeMin: 101 + uidRangeMax: 102 +fsGroup: + type: MustRunAs + ranges: + - min: 1001 + max: 1001 +supplementalGroups: + type: MustRunAs + ranges: + - min: 1001 + max: 1001 +seLinuxContext: + type: MustRunAs +volumes: +- emptyDir +- secret +users: +- system:serviceaccount:*:nginx-gateway +allowedCapabilities: +- NET_BIND_SERVICE +- KILL +requiredDropCapabilities: +- ALL diff --git a/deploy/manifests/openshift/scc.yaml b/deploy/manifests/openshift/scc.yaml new file mode 100644 index 0000000000..0757ee93ff --- /dev/null +++ b/deploy/manifests/openshift/scc.yaml 
@@ -0,0 +1,40 @@
+---
+# Source: nginx-gateway-fabric/templates/scc.yaml
+kind: SecurityContextConstraints
+apiVersion: security.openshift.io/v1
+metadata:
+ name: nginx-gateway-scc
+allowPrivilegeEscalation: false
+allowHostDirVolumePlugin: false
+allowHostIPC: false
+allowHostNetwork: false
+allowHostPID: false
+allowHostPorts: false
+allowPrivilegedContainer: false
+readOnlyRootFilesystem: true
+runAsUser:
+ type: MustRunAsRange
+ uidRangeMin: 101
+ uidRangeMax: 102
+fsGroup:
+ type: MustRunAs
+ ranges:
+ - min: 1001
+ max: 1001
+supplementalGroups:
+ type: MustRunAs
+ ranges:
+ - min: 1001
+ max: 1001
+seLinuxContext:
+ type: MustRunAs
+volumes:
+- emptyDir
+- secret
+users:
+- system:serviceaccount:*:nginx-gateway
+allowedCapabilities:
+- NET_BIND_SERVICE
+- KILL
+requiredDropCapabilities:
+- ALL
From d32061de4b421ec4b2da4dae23b4547a26daa794 Mon Sep 17 00:00:00 2001
From: Benjamin Jee
Date: Fri, 17 May 2024 14:07:53 -0700
Subject: [PATCH 20/34] Remove unnecessary scc manifest
---
 deploy/manifests/openshift/scc.yaml | 40 -----------------------------
 1 file changed, 40 deletions(-)
 delete mode 100644 deploy/manifests/openshift/scc.yaml
diff --git a/deploy/manifests/openshift/scc.yaml b/deploy/manifests/openshift/scc.yaml
deleted file mode 100644
index 0757ee93ff..0000000000
--- a/deploy/manifests/openshift/scc.yaml
+++ /dev/null
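Review bot: The `users` entry `system:serviceaccount:*:nginx-gateway` leaves the SCC's reach dependent on how the `*` namespace segment is interpreted: if admission compares the subject string literally, the entry never matches and the SCC is only reachable through an RBAC `use` grant; if wildcards are honoured, any service account named `nginx-gateway` in any namespace inherits it, including namespaces this release does not own. A subject scoped to the release namespace, `system:serviceaccount:<release-namespace>:nginx-gateway` (placeholder), or dropping `users` entirely and relying on the RBAC `use` rule, gives the same result on the intended pod without the ambiguity. This rendered file is deleted again in PATCH 20 and carries a `# Source:` header, so the change belongs in `charts/nginx-gateway-fabric/templates/scc.yaml` (not in this chunk) rather than here, where `make generate-manifests` would overwrite a hand edit.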
@@ -1,40 +0,0 @@
----
-# Source: nginx-gateway-fabric/templates/scc.yaml
-kind: SecurityContextConstraints
-apiVersion: security.openshift.io/v1
-metadata:
- name: nginx-gateway-scc
-allowPrivilegeEscalation: false
-allowHostDirVolumePlugin: false
-allowHostIPC: false
-allowHostNetwork: false
-allowHostPID: false
-allowHostPorts: false
-allowPrivilegedContainer: false
-readOnlyRootFilesystem: true
-runAsUser:
- type: MustRunAsRange
- uidRangeMin: 101
- uidRangeMax: 102
-fsGroup:
- type: MustRunAs
- ranges:
- - min: 1001
- max: 1001
-supplementalGroups:
- type: MustRunAs
- ranges:
- - min: 1001
- max: 1001
-seLinuxContext:
- type: MustRunAs
-volumes:
-- emptyDir
-- secret
-users:
-- system:serviceaccount:*:nginx-gateway
-allowedCapabilities:
-- NET_BIND_SERVICE
-- KILL
-requiredDropCapabilities:
-- ALL
From 9b173603577ac926dbb79e6b71de05fc52b938c6 Mon Sep 17 00:00:00 2001
From: Benjamin Jee
Date: Mon, 20 May 2024 15:02:22 -0700
Subject: [PATCH 21/34] Add installation through manifests on openshift document
---
 .../installing-ngf/manifests-openshift.md | 232 ++++++++++++++++++
 1 file changed, 232 insertions(+)
 create mode 100644 site/content/installation/installing-ngf/manifests-openshift.md
diff --git a/site/content/installation/installing-ngf/manifests-openshift.md b/site/content/installation/installing-ngf/manifests-openshift.md
new file mode 100644
index 0000000000..82c4f327d2
--- /dev/null
+++ b/site/content/installation/installing-ngf/manifests-openshift.md
@@ -0,0 +1,232 @@ +--- +title: "Installation with Kubernetes manifests on Openshift" +description: "Learn how to install, upgrade, and uninstall NGINX Gateway Fabric using Kubernetes manifests on Openshift." +weight: 200 +toc: true +docs: "DOCS-0000" +--- + +{{}} + +## Prerequisites + +To complete this guide, you'll need to install: + +- [kubectl](https://kubernetes.io/docs/tasks/tools/), a command-line interface for managing Kubernetes clusters. + +## Deploy NGINX Gateway Fabric + +Deploying NGINX Gateway Fabric with Kubernetes manifests takes only a few steps. With manifests, you can configure your deployment exactly how you want. Manifests also make it easy to replicate deployments across environments or clusters, ensuring consistency. + +- If you’d like to use NGINX Plus: + 1. To pull from the F5 Container registry, configure a docker registry secret using your JWT token from the MyF5 portal by following the instructions from [here](https://docs.nginx.com/nginx-gateway-fabric/installation/ngf-images/jwt-token-docker-secret). Make sure to specify the secret in the `imagePullSecrets` field of the `nginx-gateway` ServiceAccount. + 1. Alternatively, pull an NGINX Gateway Fabric image with NGINX Plus and push it to your private registry by following the instructions from [here]({{}}). + 1. Update the nginx container's `image` field of the `nginx-gateway` Deployment accordingly. + +### 1. Install the Gateway API resources + +{{}} + +### 2. Deploy the NGINX Gateway Fabric CRDs + +#### Stable release + +```shell +kubectl apply -f https://raw.githubusercontent.com/nginxinc/nginx-gateway-fabric/v1.2.0/deploy/crds.yaml +``` + +#### Edge version + +```shell +kubectl apply -f https://raw.githubusercontent.com/nginxinc/nginx-gateway-fabric/main/deploy/crds.yaml +``` + +### 3. Deploy NGINX Gateway Fabric + +{{}}By default, NGINX Gateway Fabric is installed in the **nginx-gateway** namespace. 
You can deploy in another namespace by modifying the manifest files.{{}} + +#### Stable release + +##### For NGINX + +```shell +kubectl apply -f https://github.com/nginxinc/nginx-gateway-fabric/releases/download/v1.2.0/openshift-nginx-gateway.yaml +``` + +##### For NGINX Plus + +Download the [deployment YAML](https://github.com/nginxinc/nginx-gateway-fabric/releases/download/v1.2.0/openshift-nginx-plus-gateway.yaml). + +Update the `nginx-plus-gateway.yaml` file to include your chosen NGINX Plus image from the F5 Container registry or your custom image. + +{{< important >}}Ensure that you [Enable Usage Reporting]({{< relref "installation/usage-reporting.md" >}}) before applying.{{< /important >}} + +```shell +kubectl apply -f nginx-plus-gateway.yaml +``` + +#### Edge version + +##### For NGINX + +```shell +kubectl apply -f deploy/manifests/openshift/nginx-gateway.yaml +``` + +##### For NGINX Plus + +{{< important >}}Ensure that you [Enable Usage Reporting]({{< relref "installation/usage-reporting.md" >}}) before applying.{{< /important >}} + +```shell +kubectl apply -f deploy/manifests/openshift/nginx-plus-gateway.yaml +``` + +Update the nginx-plus-gateway.yaml file to include your chosen image from the F5 Container registry or your custom container image. + +#### Enable experimental features + +We support a subset of the additional features provided by the Gateway API experimental channel. To enable the experimental features of Gateway API which are supported by NGINX Gateway Fabric: + +##### For NGINX + +```shell +kubectl apply -f deploy/manifests/openshift/nginx-gateway-experimental.yaml +``` + +##### For NGINX Plus + +```shell +kubectl apply -f deploy/manifests/openshift/nginx-plus-gateway-experimental.yaml +``` + +Update the nginx-plus-gateway-experimental.yaml file to include your chosen image from the F5 Container registry or your custom container image. + +{{}}Requires the Gateway APIs installed from the experimental channel.{{}} + +### 4. 
Verify the Deployment + +To confirm that NGINX Gateway Fabric is running, check the pods in the `nginx-gateway` namespace: + +```shell +kubectl get pods -n nginx-gateway +``` + +The output should look similar to this (note that the pod name will include a unique string): + +```text +NAME READY STATUS RESTARTS AGE +nginx-gateway-5d4f4c7db7-xk2kq 2/2 Running 0 112s +``` + +## Upgrade NGINX Gateway Fabric + +{{}}For guidance on zero downtime upgrades, see the [Delay Pod Termination](#configure-delayed-pod-termination-for-zero-downtime-upgrades) section below.{{}} + +To upgrade NGINX Gateway Fabric and get the latest features and improvements, take the following steps: + +1. **Upgrade Gateway API resources:** + + - Verify that your NGINX Gateway Fabric version is compatible with the Gateway API resources. Refer to the [Technical Specifications]({{< relref "reference/technical-specifications.md" >}}) for details. + - Review the [release notes](https://github.com/kubernetes-sigs/gateway-api/releases) for any important upgrade-specific information. + - To upgrade the Gateway API resources, run: + + ```shell + kubectl apply -f https://github.com/kubernetes-sigs/gateway-api/releases/download/v1.0.0/standard-install.yaml + ``` + + or, if you installed the from the experimental channel: + + ```shell + kubectl apply -f https://github.com/kubernetes-sigs/gateway-api/releases/download/v1.0.0/experimental-install.yaml + ``` + +1. **Upgrade NGINX Gateway Fabric CRDs:** + + - To upgrade the Custom Resource Definitions (CRDs), run: + + ```shell + kubectl apply -f https://raw.githubusercontent.com/nginxinc/nginx-gateway-fabric/v1.2.0/deploy/crds.yaml + ``` + +1. 
**Upgrade NGINX Gateway Fabric deployment:** + + - To upgrade the deployment, run: + + ```shell + kubectl apply -f https://github.com/nginxinc/nginx-gateway-fabric/releases/download/v1.2.0/openshift-nginx-gateway.yaml + ``` + +## Delay pod termination for zero downtime upgrades {#configure-delayed-pod-termination-for-zero-downtime-upgrades} + +{{< include "installation/delay-pod-termination/delay-pod-termination-overview.md" >}} + +Follow these steps to configure delayed pod termination: + +1. Open the `nginx-gateway.yaml` for editing. + +1. **Add delayed shutdown hooks**: + + - In the `nginx-gateway.yaml` file, add `lifecycle: preStop` hooks to both the `nginx` and `nginx-gateway` container definitions. These hooks instruct the containers to delay their shutdown process, allowing time for connections to close gracefully. Update the `sleep` value to what works for your environment. + + ```yaml + <...> + name: nginx-gateway + <...> + lifecycle: + preStop: + exec: + command: + - /usr/bin/gateway + - sleep + - --duration=40s # This flag is optional, the default is 30s + <...> + name: nginx + <...> + lifecycle: + preStop: + exec: + command: + - /bin/sleep + - "40" + <...> + ``` + +1. **Set the termination grace period**: + + - {{}} + +1. Save the changes. + +{{}} +For additional information on configuring and understanding the behavior of containers and pods during their lifecycle, refer to the following Kubernetes documentation: + +- [Container Lifecycle Hooks](https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks) +- [Pod Lifecycle](https://kubernetes.io/docs/concepts/workloads/Pods/Pod-lifecycle/#Pod-termination) + +{{}} + +## Uninstall NGINX Gateway Fabric + +Follow these steps to uninstall NGINX Gateway Fabric and Gateway API from your Kubernetes cluster: + +1. 
**Uninstall NGINX Gateway Fabric:** + + - To remove NGINX Gateway Fabric and its custom resource definitions (CRDs), run: + + ```shell + kubectl delete -f https://github.com/nginxinc/nginx-gateway-fabric/releases/download/v1.2.0/openshift-nginx-gateway.yaml + ``` + + ```shell + kubectl delete -f https://raw.githubusercontent.com/nginxinc/nginx-gateway-fabric/v1.2.0/deploy/crds.yaml + ``` + +1. **Remove the Gateway API resources:** + + - {{}} + +## Next steps + +### Expose NGINX Gateway Fabric + +{{}} From 88345735554fa012d591847b84951b1e375fb0c1 Mon Sep 17 00:00:00 2001 From: Benjamin Jee Date: Mon, 20 May 2024 15:03:25 -0700 Subject: [PATCH 22/34] Add grpc routes changes from main --- .../openshift/nginx-gateway-experimental.yaml | 12 ++++++++++-- deploy/manifests/openshift/nginx-gateway.yaml | 10 ++++++++++ .../openshift/nginx-plus-gateway-experimental.yaml | 12 ++++++++++-- deploy/manifests/openshift/nginx-plus-gateway.yaml | 10 ++++++++++ 4 files changed, 40 insertions(+), 4 deletions(-) diff --git a/deploy/manifests/openshift/nginx-gateway-experimental.yaml b/deploy/manifests/openshift/nginx-gateway-experimental.yaml index 8bef4ee697..750e50fd0d 100644 --- a/deploy/manifests/openshift/nginx-gateway-experimental.yaml +++ b/deploy/manifests/openshift/nginx-gateway-experimental.yaml @@ -76,8 +76,8 @@ rules: - gateways - httproutes - referencegrants - - backendtlspolicies - grpcroutes + - backendtlspolicies verbs: - list - watch @@ -87,8 +87,8 @@ rules: - httproutes/status - gateways/status - gatewayclasses/status - - backendtlspolicies/status - grpcroutes/status + - backendtlspolicies/status verbs: - update - apiGroups: @@ -103,6 +103,7 @@ rules: - gateway.nginx.org resources: - nginxproxies + - clientsettingspolicies verbs: - list - watch @@ -110,6 +111,7 @@ rules: - gateway.nginx.org resources: - nginxgateways/status + - clientsettingspolicies/status verbs: - update - apiGroups: 
@@ -236,6 +238,8 @@ spec: mountPath: /etc/nginx/secrets - name: nginx-run mountPath: /var/run/nginx + - name: nginx-includes + mountPath: /etc/nginx/includes - image: ghcr.io/nginxinc/nginx-gateway-fabric/nginx:edge imagePullPolicy: Always name: nginx @@ -266,6 +270,8 @@ spec: mountPath: /var/cache/nginx - name: nginx-lib mountPath: /var/lib/nginx + - name: nginx-includes + mountPath: /etc/nginx/includes terminationGracePeriodSeconds: 30 serviceAccountName: nginx-gateway shareProcessNamespace: true @@ -285,6 +291,8 @@ spec: emptyDir: {} - name: nginx-lib emptyDir: {} + - name: nginx-includes + emptyDir: {} --- # Source: nginx-gateway-fabric/templates/gatewayclass.yaml apiVersion: gateway.networking.k8s.io/v1 diff --git a/deploy/manifests/openshift/nginx-gateway.yaml b/deploy/manifests/openshift/nginx-gateway.yaml index d50cd5e3e1..caa5411bca 100644 --- a/deploy/manifests/openshift/nginx-gateway.yaml +++ b/deploy/manifests/openshift/nginx-gateway.yaml @@ -75,6 +75,7 @@ rules: - gateways - httproutes - referencegrants + - grpcroutes verbs: - list - watch @@ -84,6 +85,7 @@ rules: - httproutes/status - gateways/status - gatewayclasses/status + - grpcroutes/status verbs: - update - apiGroups: @@ -98,6 +100,7 @@ rules: - gateway.nginx.org resources: - nginxproxies + - clientsettingspolicies verbs: - list - watch @@ -105,6 +108,7 @@ rules: - gateway.nginx.org resources: - nginxgateways/status + - clientsettingspolicies/status verbs: - update - apiGroups: @@ -230,6 +234,8 @@ spec: mountPath: /etc/nginx/secrets - name: nginx-run mountPath: /var/run/nginx + - name: nginx-includes + mountPath: /etc/nginx/includes - image: ghcr.io/nginxinc/nginx-gateway-fabric/nginx:edge imagePullPolicy: Always name: nginx @@ -260,6 +266,8 @@ spec: mountPath: /var/cache/nginx - name: nginx-lib mountPath: /var/lib/nginx + - name: nginx-includes + mountPath: /etc/nginx/includes terminationGracePeriodSeconds: 30 serviceAccountName: nginx-gateway shareProcessNamespace: true 
@@ -279,6 +287,8 @@ spec: emptyDir: {} - name: nginx-lib emptyDir: {} + - name: nginx-includes + emptyDir: {} --- # Source: nginx-gateway-fabric/templates/gatewayclass.yaml apiVersion: gateway.networking.k8s.io/v1 diff --git a/deploy/manifests/openshift/nginx-plus-gateway-experimental.yaml b/deploy/manifests/openshift/nginx-plus-gateway-experimental.yaml index dfcb81a5e3..f641d6b947 100644 --- a/deploy/manifests/openshift/nginx-plus-gateway-experimental.yaml +++ b/deploy/manifests/openshift/nginx-plus-gateway-experimental.yaml @@ -82,8 +82,8 @@ rules: - gateways - httproutes - referencegrants - - backendtlspolicies - grpcroutes + - backendtlspolicies verbs: - list - watch @@ -93,8 +93,8 @@ rules: - httproutes/status - gateways/status - gatewayclasses/status - - backendtlspolicies/status - grpcroutes/status + - backendtlspolicies/status verbs: - update - apiGroups: @@ -109,6 +109,7 @@ rules: - gateway.nginx.org resources: - nginxproxies + - clientsettingspolicies verbs: - list - watch @@ -116,6 +117,7 @@ rules: - gateway.nginx.org resources: - nginxgateways/status + - clientsettingspolicies/status verbs: - update - apiGroups: @@ -243,6 +245,8 @@ spec: mountPath: /etc/nginx/secrets - name: nginx-run mountPath: /var/run/nginx + - name: nginx-includes + mountPath: /etc/nginx/includes - image: nginx-gateway-fabric/nginx-plus:edge imagePullPolicy: Always name: nginx @@ -273,6 +277,8 @@ spec: mountPath: /var/cache/nginx - name: nginx-lib mountPath: /var/lib/nginx + - name: nginx-includes + mountPath: /etc/nginx/includes terminationGracePeriodSeconds: 30 serviceAccountName: nginx-gateway shareProcessNamespace: true @@ -292,6 +298,8 @@ spec: emptyDir: {} - name: nginx-lib emptyDir: {} + - name: nginx-includes + emptyDir: {} --- # Source: nginx-gateway-fabric/templates/gatewayclass.yaml apiVersion: gateway.networking.k8s.io/v1 
diff --git a/deploy/manifests/openshift/nginx-plus-gateway.yaml b/deploy/manifests/openshift/nginx-plus-gateway.yaml index 812c23a6b3..e8afc695bf 100644 --- a/deploy/manifests/openshift/nginx-plus-gateway.yaml +++ b/deploy/manifests/openshift/nginx-plus-gateway.yaml @@ -81,6 +81,7 @@ rules: - gateways - httproutes - referencegrants + - grpcroutes verbs: - list - watch @@ -90,6 +91,7 @@ rules: - httproutes/status - gateways/status - gatewayclasses/status + - grpcroutes/status verbs: - update - apiGroups: @@ -104,6 +106,7 @@ rules: - gateway.nginx.org resources: - nginxproxies + - clientsettingspolicies verbs: - list - watch @@ -111,6 +114,7 @@ rules: - gateway.nginx.org resources: - nginxgateways/status + - clientsettingspolicies/status verbs: - update - apiGroups: @@ -237,6 +241,8 @@ spec: mountPath: /etc/nginx/secrets - name: nginx-run mountPath: /var/run/nginx + - name: nginx-includes + mountPath: /etc/nginx/includes - image: nginx-gateway-fabric/nginx-plus:edge imagePullPolicy: Always name: nginx @@ -267,6 +273,8 @@ spec: mountPath: /var/cache/nginx - name: nginx-lib mountPath: /var/lib/nginx + - name: nginx-includes + mountPath: /etc/nginx/includes terminationGracePeriodSeconds: 30 serviceAccountName: nginx-gateway shareProcessNamespace: true @@ -286,6 +294,8 @@ spec: emptyDir: {} - name: nginx-lib emptyDir: {} + - name: nginx-includes + emptyDir: {} --- # Source: nginx-gateway-fabric/templates/gatewayclass.yaml apiVersion: gateway.networking.k8s.io/v1 From 228de492f2695760be03d7b3cb76baf246acc1e5 Mon Sep 17 00:00:00 2001 From: Benjamin Jee Date: Mon, 20 May 2024 15:23:43 -0700 Subject: [PATCH 23/34] Remove running on openshift document --- .../installation/running-on-openshift.md | 49 ------------------- 1 file changed, 49 deletions(-) delete mode 100644 site/content/installation/running-on-openshift.md 
diff --git a/site/content/installation/running-on-openshift.md b/site/content/installation/running-on-openshift.md deleted file mode 100644 index 0d3414f01d..0000000000 --- a/site/content/installation/running-on-openshift.md +++ /dev/null 
@@ -1,49 +0,0 @@ ---- -title: "Deploying NGINX Gateway Fabric in an Openshift environment" -# Change draft status to false to publish doc -draft: false -description: "Learn how to run NGINX Gateway Fabric in an Openshift environment." -weight: 400 -toc: true -tags: [ "docs" ] -docs: "DOCS-0000" ---- - -{{< custom-styles >}} - -## Prerequisites - -To complete the steps in this guide, you first need to install the following tools for Kubernetes management and development: - -- [kubectl](https://kubernetes.io/docs/tasks/tools/): A command-line interface for Kubernetes that allows you to manage and inspect cluster resources, and control containerized applications. -- Access to an Openshift environment with cluster administrative permissions. - - -## Create SCC Object - -In order to deploy NGINX Gateway Fabric instances into Openshift environments, a new SCC object is required to be created -on the cluster which will be used to bind the specific required capabilities to the NGINX Gateway Fabric service account. -To do so for NGF deployments, please run the following command (assuming you are logged in with administrator access to the cluster): - -`kubectl apply -f https://raw.githubusercontent.com/nginxinc/nginx-gateway-fabric/v1.2.0/deploy/manifests/scc.yaml` - -## Deploy NGINX Gateway Fabric - -Now that you've created the new SCC, the next step is to install NGINX Gateway Fabric. - -We currently only support manual installation with Helm on Openshift: - -- [Installation with Helm]({{< relref "installation/installing-ngf/helm.md" >}}) - -Please follow the instructions in the referenced setup, until you get to running a `helm install` command. -When you do, please add the following flag `--set platform=openshift` to whichever `helm install` command you are -using. This will give NGF the correct RBAC permissions to bind to the SCC. 
- -## Getting Started with NGINX Gateway Fabric - -Learn how to use NGINX Gateway Fabric by exploring the tutorials in the [examples](https://github.com/nginxinc/nginx-gateway-fabric/tree/v1.2.0/examples) directory. The guides provide practical instructions and scenarios to help you use NGINX Gateway Fabric effectively. - -## References - -If you have any additional questions specific to the permissions granted in the SCC, feel free to check out -our explanation in our [Openshift Permissions guide]({{< relref "reference/openshift-permissions.md" >}}) From f8f97c98bbfe278af10323c51dc774de64690ae3 Mon Sep 17 00:00:00 2001 From: Benjamin Jee Date: Wed, 22 May 2024 08:39:06 -0700 Subject: [PATCH 24/34] Add openshift to file names and add files to goreleaser --- .goreleaser.yml | 4 ++++ ...openshift-nginx-gateway-experimental.yaml} | 0 ...eway.yaml => openshift-nginx-gateway.yaml} | 0 ...hift-nginx-plus-gateway-experimental.yaml} | 0 ...yaml => openshift-nginx-plus-gateway.yaml} | 0 .../installing-ngf/manifests-openshift.md | 20 +++++++++---------- 6 files changed, 14 insertions(+), 10 deletions(-) rename deploy/manifests/openshift/{nginx-gateway-experimental.yaml => openshift-nginx-gateway-experimental.yaml} (100%) rename deploy/manifests/openshift/{nginx-gateway.yaml => openshift-nginx-gateway.yaml} (100%) rename deploy/manifests/openshift/{nginx-plus-gateway-experimental.yaml => openshift-nginx-plus-gateway-experimental.yaml} (100%) rename deploy/manifests/openshift/{nginx-plus-gateway.yaml => openshift-nginx-plus-gateway.yaml} (100%) diff --git a/.goreleaser.yml b/.goreleaser.yml index 96ae8af317..5f3f690b0d 100644 --- a/.goreleaser.yml +++ b/.goreleaser.yml 
@@ -70,3 +70,7 @@ release:
 - glob: ./deploy/manifests/nginx-plus-gateway.yaml
 - glob: ./deploy/manifests/nginx-gateway-experimental.yaml
 - glob: ./deploy/manifests/nginx-plus-gateway-experimental.yaml
+ - glob: ./deploy/manifests/openshift/openshift-nginx-gateway.yaml
+ - glob: ./deploy/manifests/openshift/openshift-nginx-plus-gateway.yaml
+ - glob: ./deploy/manifests/openshift/openshift-nginx-gateway-experimental.yaml
+ - glob: ./deploy/manifests/openshift/openshift-nginx-plus-gateway-experimental.yaml
diff --git a/deploy/manifests/openshift/nginx-gateway-experimental.yaml b/deploy/manifests/openshift/openshift-nginx-gateway-experimental.yaml
similarity index 100%
rename from deploy/manifests/openshift/nginx-gateway-experimental.yaml
rename to deploy/manifests/openshift/openshift-nginx-gateway-experimental.yaml
diff --git a/deploy/manifests/openshift/nginx-gateway.yaml b/deploy/manifests/openshift/openshift-nginx-gateway.yaml
similarity index 100%
rename from deploy/manifests/openshift/nginx-gateway.yaml
rename to deploy/manifests/openshift/openshift-nginx-gateway.yaml
diff --git a/deploy/manifests/openshift/nginx-plus-gateway-experimental.yaml b/deploy/manifests/openshift/openshift-nginx-plus-gateway-experimental.yaml
similarity index 100%
rename from deploy/manifests/openshift/nginx-plus-gateway-experimental.yaml
rename to deploy/manifests/openshift/openshift-nginx-plus-gateway-experimental.yaml
diff --git a/deploy/manifests/openshift/nginx-plus-gateway.yaml b/deploy/manifests/openshift/openshift-nginx-plus-gateway.yaml
similarity index 100%
rename from deploy/manifests/openshift/nginx-plus-gateway.yaml
rename to deploy/manifests/openshift/openshift-nginx-plus-gateway.yaml
diff --git a/site/content/installation/installing-ngf/manifests-openshift.md b/site/content/installation/installing-ngf/manifests-openshift.md
index 82c4f327d2..41938ba049 100644
--- a/site/content/installation/installing-ngf/manifests-openshift.md
+++ b/site/content/installation/installing-ngf/manifests-openshift.md @@ -57,12 +57,12 @@ kubectl apply -f https://github.com/nginxinc/nginx-gateway-fabric/releases/downl Download the [deployment YAML](https://github.com/nginxinc/nginx-gateway-fabric/releases/download/v1.2.0/openshift-nginx-plus-gateway.yaml). -Update the `nginx-plus-gateway.yaml` file to include your chosen NGINX Plus image from the F5 Container registry or your custom image. +Update the `openshift-nginx-plus-gateway.yaml` file to include your chosen NGINX Plus image from the F5 Container registry or your custom image. {{< important >}}Ensure that you [Enable Usage Reporting]({{< relref "installation/usage-reporting.md" >}}) before applying.{{< /important >}} ```shell -kubectl apply -f nginx-plus-gateway.yaml +kubectl apply -f openshift-nginx-plus-gateway.yaml ``` #### Edge version @@ -70,7 +70,7 @@ kubectl apply -f nginx-plus-gateway.yaml ##### For NGINX ```shell -kubectl apply -f deploy/manifests/openshift/nginx-gateway.yaml +kubectl apply -f deploy/manifests/openshift/openshift-nginx-gateway.yaml ``` ##### For NGINX Plus @@ -78,10 +78,10 @@ kubectl apply -f deploy/manifests/openshift/nginx-gateway.yaml {{< important >}}Ensure that you [Enable Usage Reporting]({{< relref "installation/usage-reporting.md" >}}) before applying.{{< /important >}} ```shell -kubectl apply -f deploy/manifests/openshift/nginx-plus-gateway.yaml +kubectl apply -f deploy/manifests/openshift/openshift-nginx-plus-gateway.yaml ``` -Update the nginx-plus-gateway.yaml file to include your chosen image from the F5 Container registry or your custom container image. +Update the openshift-nginx-plus-gateway.yaml file to include your chosen image from the F5 Container registry or your custom container image. #### Enable experimental features 
@@ -90,16 +90,16 @@ We support a subset of the additional features provided by the Gateway API exper ##### For NGINX ```shell -kubectl apply -f deploy/manifests/openshift/nginx-gateway-experimental.yaml +kubectl apply -f deploy/manifests/openshift/openshift-nginx-gateway-experimental.yaml ``` ##### For NGINX Plus ```shell -kubectl apply -f deploy/manifests/openshift/nginx-plus-gateway-experimental.yaml +kubectl apply -f deploy/manifests/openshift/openshift-nginx-plus-gateway-experimental.yaml ``` -Update the nginx-plus-gateway-experimental.yaml file to include your chosen image from the F5 Container registry or your custom container image. +Update the openshift-nginx-plus-gateway-experimental.yaml file to include your chosen image from the F5 Container registry or your custom container image. {{}}Requires the Gateway APIs installed from the experimental channel.{{}} @@ -162,11 +162,11 @@ To upgrade NGINX Gateway Fabric and get the latest features and improvements, ta Follow these steps to configure delayed pod termination: -1. Open the `nginx-gateway.yaml` for editing. +1. Open the `openshift-nginx-gateway.yaml` for editing. 1. **Add delayed shutdown hooks**: - - In the `nginx-gateway.yaml` file, add `lifecycle: preStop` hooks to both the `nginx` and `nginx-gateway` container definitions. These hooks instruct the containers to delay their shutdown process, allowing time for connections to close gracefully. Update the `sleep` value to what works for your environment. + - In the `openshift-nginx-gateway.yaml` file, add `lifecycle: preStop` hooks to both the `nginx` and `nginx-gateway` container definitions. These hooks instruct the containers to delay their shutdown process, allowing time for connections to close gracefully. Update the `sleep` value to what works for your environment. ```yaml <...> From 48a7e1c29aa598d7bd8dab194c71cc47f5ecda3e Mon Sep 17 00:00:00 2001 
From: Benjamin Jee
Date: Thu, 23 May 2024 10:12:23 -0700
Subject: [PATCH 25/34] Add Helm template checker for Openshift platform and remove fields in values file
---
 charts/nginx-gateway-fabric/templates/rbac.yaml | 2 +-
 charts/nginx-gateway-fabric/templates/scc.yaml | 2 +-
 charts/nginx-gateway-fabric/values.yaml | 6 ------
 3 files changed, 2 insertions(+), 8 deletions(-)
diff --git a/charts/nginx-gateway-fabric/templates/rbac.yaml b/charts/nginx-gateway-fabric/templates/rbac.yaml
index 36866eba42..823669534f 100644
--- a/charts/nginx-gateway-fabric/templates/rbac.yaml
+++ b/charts/nginx-gateway-fabric/templates/rbac.yaml
@@ -149,7 +149,7 @@ rules:
 verbs:
 - list
 - watch
-{{- if eq .Values.platform "openshift" }}
+{{- if .Capabilities.APIVersions.Has "security.openshift.io/v1/SecurityContextConstraints" }}
 - apiGroups:
 - security.openshift.io
 resources:
diff --git a/charts/nginx-gateway-fabric/templates/scc.yaml b/charts/nginx-gateway-fabric/templates/scc.yaml
index f9fa209b73..4db35d5150 100644
--- a/charts/nginx-gateway-fabric/templates/scc.yaml
+++ b/charts/nginx-gateway-fabric/templates/scc.yaml
@@ -1,4 +1,4 @@
-{{- if and (eq .Values.platform "openshift") .Values.createOpenShiftSCC }}
+{{- if .Capabilities.APIVersions.Has "security.openshift.io/v1/SecurityContextConstraints" }}
 kind: SecurityContextConstraints
 apiVersion: security.openshift.io/v1
 metadata:
diff --git a/charts/nginx-gateway-fabric/values.yaml b/charts/nginx-gateway-fabric/values.yaml
index 5d187bbf8f..9c2ec18df2 100644
--- a/charts/nginx-gateway-fabric/values.yaml
+++ b/charts/nginx-gateway-fabric/values.yaml
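Review bot: Gating the SCC `use` rule in the `rbac.yaml` hunk (and the whole object in the `templates/scc.yaml` hunk of this patch) on `.Capabilities.APIVersions.Has "security.openshift.io/v1/SecurityContextConstraints"` ties rendering to live API discovery, which `helm template` does not perform unless the caller passes `--api-versions`, so offline rendering (the `generate-manifests` Makefile target, or a user following the manifest-based OpenShift install document added in PATCH 21) silently produces output with no SCC and no `use` grant and the failure only surfaces at pod admission. Dropping `createOpenShiftSCC` in the `values.yaml` hunk (PATCH 25, next line) also removes the opt-out for clusters where an administrator provisions SCCs centrally and the installing identity may not create cluster-scoped `SecurityContextConstraints`; on such clusters `helm install` would likely fail instead of binding to the pre-provisioned SCC. Keeping the value as an explicit override beside the probe, `{{- if and .Values.createOpenShiftSCC (.Capabilities.APIVersions.Has "security.openshift.io/v1/SecurityContextConstraints") }}`, preserves both behaviours. Whichever form is kept, the chart documentation should state that `helm template` needs `--api-versions security.openshift.io/v1/SecurityContextConstraints` to render the OpenShift objects.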
@@ -112,12 +112,6 @@ nodeSelector: {} ## The affinity of the NGINX Gateway Fabric pod. affinity: {} -## The platform that NGINX Gateway Fabric is being deployed on. Valid values: kubernetes, openshift -platform: kubernetes - -## Create and apply the OpenShift SecurityContextConstraints object. -createOpenShiftSCC: true - serviceAccount: annotations: {} ## The name of the service account of the NGINX Gateway Fabric pods. Used for RBAC. From ad6dacc9d2d9723fdfd9028a68f166a4d15e106a Mon Sep 17 00:00:00 2001 From: Benjamin Jee Date: Thu, 23 May 2024 10:14:05 -0700 Subject: [PATCH 26/34] Remove openshift specific manifests --- .goreleaser.yml | 4 - Makefile | 5 - .../openshift-nginx-gateway-experimental.yaml | 361 ----------------- .../openshift/openshift-nginx-gateway.yaml | 357 ----------------- ...shift-nginx-plus-gateway-experimental.yaml | 368 ------------------ .../openshift-nginx-plus-gateway.yaml | 364 ----------------- 6 files changed, 1459 deletions(-) delete mode 100644 deploy/manifests/openshift/openshift-nginx-gateway-experimental.yaml delete mode 100644 deploy/manifests/openshift/openshift-nginx-gateway.yaml delete mode 100644 deploy/manifests/openshift/openshift-nginx-plus-gateway-experimental.yaml delete mode 100644 deploy/manifests/openshift/openshift-nginx-plus-gateway.yaml diff --git a/.goreleaser.yml b/.goreleaser.yml index 5f3f690b0d..96ae8af317 100644 --- a/.goreleaser.yml +++ b/.goreleaser.yml @@ -70,7 +70,3 @@ release: - glob: ./deploy/manifests/nginx-plus-gateway.yaml - glob: ./deploy/manifests/nginx-gateway-experimental.yaml - glob: ./deploy/manifests/nginx-plus-gateway-experimental.yaml - - glob: ./deploy/manifests/openshift/openshift-nginx-gateway.yaml - - glob: ./deploy/manifests/openshift/openshift-nginx-plus-gateway.yaml - - glob: ./deploy/manifests/openshift/openshift-nginx-gateway-experimental.yaml - - glob: ./deploy/manifests/openshift/openshift-nginx-plus-gateway-experimental.yaml 
diff --git a/Makefile b/Makefile index eb196f721c..91a592f385 100644 --- a/Makefile +++ b/Makefile 
@@ -129,11 +129,6 @@ generate-manifests: ## Generate manifests using Helm. helm template nginx-gateway $(CHART_DIR) $(HELM_TEMPLATE_COMMON_ARGS) $(HELM_TEMPLATE_EXTRA_ARGS_FOR_ALL_MANIFESTS_FILE) --set nginxGateway.gwAPIExperimentalFeatures.enable=true -n nginx-gateway | cat $(strip $(MANIFEST_DIR))/namespace.yaml - > $(strip $(MANIFEST_DIR))/nginx-gateway-experimental.yaml helm template nginx-gateway $(CHART_DIR) $(HELM_TEMPLATE_COMMON_ARGS) $(HELM_TEMPLATE_EXTRA_ARGS_FOR_ALL_MANIFESTS_FILE) --set nginxGateway.gwAPIExperimentalFeatures.enable=true --set nginx.plus=true --set nginx.image.repository=$(NGINX_PLUS_PREFIX) -n nginx-gateway | cat $(strip $(MANIFEST_DIR))/namespace.yaml - > $(strip $(MANIFEST_DIR))/nginx-plus-gateway-experimental.yaml helm template nginx-gateway $(CHART_DIR) $(HELM_TEMPLATE_COMMON_ARGS) --set metrics.enable=false --set nginxGateway.productTelemetry.enable=false -n nginx-gateway -s templates/deployment.yaml > config/tests/static-deployment.yam - helm template nginx-gateway $(CHART_DIR) $(HELM_TEMPLATE_COMMON_ARGS) $(HELM_TEMPLATE_EXTRA_ARGS_FOR_ALL_MANIFESTS_FILE) -n nginx-gateway --set platform=openshift -s templates/scc.yaml > $(strip $(MANIFEST_DIR))/openshift/scc.yaml - helm template nginx-gateway $(CHART_DIR) $(HELM_TEMPLATE_COMMON_ARGS) $(HELM_TEMPLATE_EXTRA_ARGS_FOR_ALL_MANIFESTS_FILE) -n nginx-gateway --set platform=openshift | cat $(strip $(MANIFEST_DIR))/namespace.yaml - > $(strip $(MANIFEST_DIR))/openshift/nginx-gateway.yaml - helm template nginx-gateway $(CHART_DIR) $(HELM_TEMPLATE_COMMON_ARGS) $(HELM_TEMPLATE_EXTRA_ARGS_FOR_ALL_MANIFESTS_FILE) --set nginx.plus=true --set nginx.image.repository=$(NGINX_PLUS_PREFIX) -n nginx-gateway --set platform=openshift | cat $(strip $(MANIFEST_DIR))/namespace.yaml - > $(strip $(MANIFEST_DIR))/openshift/nginx-plus-gateway.yaml - helm template nginx-gateway $(CHART_DIR) $(HELM_TEMPLATE_COMMON_ARGS) $(HELM_TEMPLATE_EXTRA_ARGS_FOR_ALL_MANIFESTS_FILE) --set 
nginxGateway.gwAPIExperimentalFeatures.enable=true -n nginx-gateway --set platform=openshift | cat $(strip $(MANIFEST_DIR))/namespace.yaml - > $(strip $(MANIFEST_DIR))/openshift/nginx-gateway-experimental.yaml - helm template nginx-gateway $(CHART_DIR) $(HELM_TEMPLATE_COMMON_ARGS) $(HELM_TEMPLATE_EXTRA_ARGS_FOR_ALL_MANIFESTS_FILE) --set nginxGateway.gwAPIExperimentalFeatures.enable=true --set nginx.plus=true --set nginx.image.repository=$(NGINX_PLUS_PREFIX) -n nginx-gateway --set platform=openshift | cat $(strip $(MANIFEST_DIR))/namespace.yaml - > $(strip $(MANIFEST_DIR))/openshift/nginx-plus-gateway-experimental.yaml helm template nginx-gateway $(CHART_DIR) $(HELM_TEMPLATE_COMMON_ARGS) --set metrics.enable=false --set nginxGateway.productTelemetry.enable=false -n nginx-gateway -s templates/deployment.yaml > conformance/provisioner/static-deployment.yaml helm template nginx-gateway $(CHART_DIR) $(HELM_TEMPLATE_COMMON_ARGS) -n nginx-gateway -s templates/service.yaml > $(strip $(MANIFEST_DIR))/service/loadbalancer.yaml helm template nginx-gateway $(CHART_DIR) $(HELM_TEMPLATE_COMMON_ARGS) --set service.annotations.'service\.beta\.kubernetes\.io\/aws-load-balancer-type'="nlb" -n nginx-gateway -s templates/service.yaml > $(strip $(MANIFEST_DIR))/service/loadbalancer-aws-nlb.yaml diff --git a/deploy/manifests/openshift/openshift-nginx-gateway-experimental.yaml b/deploy/manifests/openshift/openshift-nginx-gateway-experimental.yaml deleted file mode 100644 index 750e50fd0d..0000000000 --- a/deploy/manifests/openshift/openshift-nginx-gateway-experimental.yaml +++ /dev/null 
@@ -1,361 +0,0 @@ -apiVersion: v1 -kind: Namespace -metadata: - name: nginx-gateway ---- -# Source: nginx-gateway-fabric/templates/rbac.yaml -apiVersion: v1 -kind: ServiceAccount -metadata: - name: nginx-gateway - namespace: nginx-gateway - labels: - app.kubernetes.io/name: nginx-gateway - app.kubernetes.io/instance: nginx-gateway - app.kubernetes.io/version: "edge" - annotations: - {} ---- -# Source: nginx-gateway-fabric/templates/rbac.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: nginx-gateway - labels: - app.kubernetes.io/name: nginx-gateway - app.kubernetes.io/instance: nginx-gateway - app.kubernetes.io/version: "edge" -rules: -- apiGroups: - - "" - resources: - - namespaces - - services - - secrets - - configmaps - verbs: - - get - - list - - watch -- apiGroups: - - "" - resources: - - pods - verbs: - - get -- apiGroups: - - apps - resources: - - replicasets - verbs: - - get -- apiGroups: - - "" - resources: - - nodes - verbs: - - list -- apiGroups: - - "" - resources: - - events - verbs: - - create - - patch -- apiGroups: - - discovery.k8s.io - resources: - - endpointslices - verbs: - - list - - watch -- apiGroups: - - gateway.networking.k8s.io - resources: - - gatewayclasses - - gateways - - httproutes - - referencegrants - - grpcroutes - - backendtlspolicies - verbs: - - list - - watch -- apiGroups: - - gateway.networking.k8s.io - resources: - - httproutes/status - - gateways/status - - gatewayclasses/status - - grpcroutes/status - - backendtlspolicies/status - verbs: - - update -- apiGroups: - - gateway.nginx.org - resources: - - nginxgateways - verbs: - - get - - list - - watch -- apiGroups: - - gateway.nginx.org - resources: - - nginxproxies - - clientsettingspolicies - verbs: - - list - - watch -- apiGroups: - - gateway.nginx.org - resources: - - nginxgateways/status - - clientsettingspolicies/status - verbs: - - update -- apiGroups: - - coordination.k8s.io - resources: - - leases - verbs: - - create - - get - - 
update -- apiGroups: - - apiextensions.k8s.io - resources: - - customresourcedefinitions - verbs: - - list - - watch -- apiGroups: - - security.openshift.io - resources: - - securitycontextconstraints - resourceNames: - - nginx-gateway-scc - verbs: - - use ---- -# Source: nginx-gateway-fabric/templates/rbac.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: nginx-gateway - labels: - app.kubernetes.io/name: nginx-gateway - app.kubernetes.io/instance: nginx-gateway - app.kubernetes.io/version: "edge" -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: nginx-gateway -subjects: -- kind: ServiceAccount - name: nginx-gateway - namespace: nginx-gateway ---- -# Source: nginx-gateway-fabric/templates/deployment.yaml -apiVersion: apps/v1 -kind: Deployment -metadata: - name: nginx-gateway - namespace: nginx-gateway - labels: - app.kubernetes.io/name: nginx-gateway - app.kubernetes.io/instance: nginx-gateway - app.kubernetes.io/version: "edge" -spec: - replicas: 1 - selector: - matchLabels: - app.kubernetes.io/name: nginx-gateway - app.kubernetes.io/instance: nginx-gateway - template: - metadata: - labels: - app.kubernetes.io/name: nginx-gateway - app.kubernetes.io/instance: nginx-gateway - annotations: - prometheus.io/scrape: "true" - prometheus.io/port: "9113" - spec: - containers: - - args: - - static-mode - - --gateway-ctlr-name=gateway.nginx.org/nginx-gateway-controller - - --gatewayclass=nginx - - --config=nginx-gateway-config - - --service=nginx-gateway - - --metrics-port=9113 - - --health-port=8081 - - --leader-election-lock-name=nginx-gateway-leader-election - - --gateway-api-experimental-features - env: - - name: POD_IP - valueFrom: - fieldRef: - fieldPath: status.podIP - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - image: ghcr.io/nginxinc/nginx-gateway-fabric:edge - imagePullPolicy: Always - name: 
nginx-gateway - ports: - - name: metrics - containerPort: 9113 - - name: health - containerPort: 8081 - readinessProbe: - httpGet: - path: /readyz - port: health - initialDelaySeconds: 3 - periodSeconds: 1 - securityContext: - allowPrivilegeEscalation: false - capabilities: - add: - - KILL - drop: - - ALL - readOnlyRootFilesystem: true - runAsUser: 102 - runAsGroup: 1001 - volumeMounts: - - name: nginx-conf - mountPath: /etc/nginx/conf.d - - name: module-includes - mountPath: /etc/nginx/module-includes - - name: nginx-secrets - mountPath: /etc/nginx/secrets - - name: nginx-run - mountPath: /var/run/nginx - - name: nginx-includes - mountPath: /etc/nginx/includes - - image: ghcr.io/nginxinc/nginx-gateway-fabric/nginx:edge - imagePullPolicy: Always - name: nginx - ports: - - containerPort: 80 - name: http - - containerPort: 443 - name: https - securityContext: - capabilities: - add: - - NET_BIND_SERVICE - drop: - - ALL - readOnlyRootFilesystem: true - runAsUser: 101 - runAsGroup: 1001 - volumeMounts: - - name: nginx-conf - mountPath: /etc/nginx/conf.d - - name: module-includes - mountPath: /etc/nginx/module-includes - - name: nginx-secrets - mountPath: /etc/nginx/secrets - - name: nginx-run - mountPath: /var/run/nginx - - name: nginx-cache - mountPath: /var/cache/nginx - - name: nginx-lib - mountPath: /var/lib/nginx - - name: nginx-includes - mountPath: /etc/nginx/includes - terminationGracePeriodSeconds: 30 - serviceAccountName: nginx-gateway - shareProcessNamespace: true - securityContext: - fsGroup: 1001 - runAsNonRoot: true - volumes: - - name: nginx-conf - emptyDir: {} - - name: module-includes - emptyDir: {} - - name: nginx-secrets - emptyDir: {} - - name: nginx-run - emptyDir: {} - - name: nginx-cache - emptyDir: {} - - name: nginx-lib - emptyDir: {} - - name: nginx-includes - emptyDir: {} ---- -# Source: nginx-gateway-fabric/templates/gatewayclass.yaml -apiVersion: gateway.networking.k8s.io/v1 -kind: GatewayClass -metadata: - name: nginx - labels: - 
app.kubernetes.io/name: nginx-gateway - app.kubernetes.io/instance: nginx-gateway - app.kubernetes.io/version: "edge" -spec: - controllerName: gateway.nginx.org/nginx-gateway-controller ---- -# Source: nginx-gateway-fabric/templates/nginxgateway.yaml -apiVersion: gateway.nginx.org/v1alpha1 -kind: NginxGateway -metadata: - name: nginx-gateway-config - namespace: nginx-gateway - labels: - app.kubernetes.io/name: nginx-gateway - app.kubernetes.io/instance: nginx-gateway - app.kubernetes.io/version: "edge" -spec: - logging: - level: info ---- -# Source: nginx-gateway-fabric/templates/scc.yaml -kind: SecurityContextConstraints -apiVersion: security.openshift.io/v1 -metadata: - name: nginx-gateway-scc -allowPrivilegeEscalation: false -allowHostDirVolumePlugin: false -allowHostIPC: false -allowHostNetwork: false -allowHostPID: false -allowHostPorts: false -allowPrivilegedContainer: false -readOnlyRootFilesystem: true -runAsUser: - type: MustRunAsRange - uidRangeMin: 101 - uidRangeMax: 102 -fsGroup: - type: MustRunAs - ranges: - - min: 1001 - max: 1001 -supplementalGroups: - type: MustRunAs - ranges: - - min: 1001 - max: 1001 -seLinuxContext: - type: MustRunAs -volumes: -- emptyDir -- secret -users: -- system:serviceaccount:*:nginx-gateway -allowedCapabilities: -- NET_BIND_SERVICE -- KILL -requiredDropCapabilities: -- ALL diff --git a/deploy/manifests/openshift/openshift-nginx-gateway.yaml b/deploy/manifests/openshift/openshift-nginx-gateway.yaml deleted file mode 100644 index caa5411bca..0000000000 --- a/deploy/manifests/openshift/openshift-nginx-gateway.yaml +++ /dev/null 
@@ -1,357 +0,0 @@ -apiVersion: v1 -kind: Namespace -metadata: - name: nginx-gateway ---- -# Source: nginx-gateway-fabric/templates/rbac.yaml -apiVersion: v1 -kind: ServiceAccount -metadata: - name: nginx-gateway - namespace: nginx-gateway - labels: - app.kubernetes.io/name: nginx-gateway - app.kubernetes.io/instance: nginx-gateway - app.kubernetes.io/version: "edge" - annotations: - {} ---- -# Source: nginx-gateway-fabric/templates/rbac.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: nginx-gateway - labels: - app.kubernetes.io/name: nginx-gateway - app.kubernetes.io/instance: nginx-gateway - app.kubernetes.io/version: "edge" -rules: -- apiGroups: - - "" - resources: - - namespaces - - services - - secrets - verbs: - - get - - list - - watch -- apiGroups: - - "" - resources: - - pods - verbs: - - get -- apiGroups: - - apps - resources: - - replicasets - verbs: - - get -- apiGroups: - - "" - resources: - - nodes - verbs: - - list -- apiGroups: - - "" - resources: - - events - verbs: - - create - - patch -- apiGroups: - - discovery.k8s.io - resources: - - endpointslices - verbs: - - list - - watch -- apiGroups: - - gateway.networking.k8s.io - resources: - - gatewayclasses - - gateways - - httproutes - - referencegrants - - grpcroutes - verbs: - - list - - watch -- apiGroups: - - gateway.networking.k8s.io - resources: - - httproutes/status - - gateways/status - - gatewayclasses/status - - grpcroutes/status - verbs: - - update -- apiGroups: - - gateway.nginx.org - resources: - - nginxgateways - verbs: - - get - - list - - watch -- apiGroups: - - gateway.nginx.org - resources: - - nginxproxies - - clientsettingspolicies - verbs: - - list - - watch -- apiGroups: - - gateway.nginx.org - resources: - - nginxgateways/status - - clientsettingspolicies/status - verbs: - - update -- apiGroups: - - coordination.k8s.io - resources: - - leases - verbs: - - create - - get - - update -- apiGroups: - - apiextensions.k8s.io - resources: - - 
customresourcedefinitions - verbs: - - list - - watch -- apiGroups: - - security.openshift.io - resources: - - securitycontextconstraints - resourceNames: - - nginx-gateway-scc - verbs: - - use ---- -# Source: nginx-gateway-fabric/templates/rbac.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: nginx-gateway - labels: - app.kubernetes.io/name: nginx-gateway - app.kubernetes.io/instance: nginx-gateway - app.kubernetes.io/version: "edge" -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: nginx-gateway -subjects: -- kind: ServiceAccount - name: nginx-gateway - namespace: nginx-gateway ---- -# Source: nginx-gateway-fabric/templates/deployment.yaml -apiVersion: apps/v1 -kind: Deployment -metadata: - name: nginx-gateway - namespace: nginx-gateway - labels: - app.kubernetes.io/name: nginx-gateway - app.kubernetes.io/instance: nginx-gateway - app.kubernetes.io/version: "edge" -spec: - replicas: 1 - selector: - matchLabels: - app.kubernetes.io/name: nginx-gateway - app.kubernetes.io/instance: nginx-gateway - template: - metadata: - labels: - app.kubernetes.io/name: nginx-gateway - app.kubernetes.io/instance: nginx-gateway - annotations: - prometheus.io/scrape: "true" - prometheus.io/port: "9113" - spec: - containers: - - args: - - static-mode - - --gateway-ctlr-name=gateway.nginx.org/nginx-gateway-controller - - --gatewayclass=nginx - - --config=nginx-gateway-config - - --service=nginx-gateway - - --metrics-port=9113 - - --health-port=8081 - - --leader-election-lock-name=nginx-gateway-leader-election - env: - - name: POD_IP - valueFrom: - fieldRef: - fieldPath: status.podIP - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - image: ghcr.io/nginxinc/nginx-gateway-fabric:edge - imagePullPolicy: Always - name: nginx-gateway - ports: - - name: metrics - containerPort: 9113 - - name: health - containerPort: 8081 
- readinessProbe: - httpGet: - path: /readyz - port: health - initialDelaySeconds: 3 - periodSeconds: 1 - securityContext: - allowPrivilegeEscalation: false - capabilities: - add: - - KILL - drop: - - ALL - readOnlyRootFilesystem: true - runAsUser: 102 - runAsGroup: 1001 - volumeMounts: - - name: nginx-conf - mountPath: /etc/nginx/conf.d - - name: module-includes - mountPath: /etc/nginx/module-includes - - name: nginx-secrets - mountPath: /etc/nginx/secrets - - name: nginx-run - mountPath: /var/run/nginx - - name: nginx-includes - mountPath: /etc/nginx/includes - - image: ghcr.io/nginxinc/nginx-gateway-fabric/nginx:edge - imagePullPolicy: Always - name: nginx - ports: - - containerPort: 80 - name: http - - containerPort: 443 - name: https - securityContext: - capabilities: - add: - - NET_BIND_SERVICE - drop: - - ALL - readOnlyRootFilesystem: true - runAsUser: 101 - runAsGroup: 1001 - volumeMounts: - - name: nginx-conf - mountPath: /etc/nginx/conf.d - - name: module-includes - mountPath: /etc/nginx/module-includes - - name: nginx-secrets - mountPath: /etc/nginx/secrets - - name: nginx-run - mountPath: /var/run/nginx - - name: nginx-cache - mountPath: /var/cache/nginx - - name: nginx-lib - mountPath: /var/lib/nginx - - name: nginx-includes - mountPath: /etc/nginx/includes - terminationGracePeriodSeconds: 30 - serviceAccountName: nginx-gateway - shareProcessNamespace: true - securityContext: - fsGroup: 1001 - runAsNonRoot: true - volumes: - - name: nginx-conf - emptyDir: {} - - name: module-includes - emptyDir: {} - - name: nginx-secrets - emptyDir: {} - - name: nginx-run - emptyDir: {} - - name: nginx-cache - emptyDir: {} - - name: nginx-lib - emptyDir: {} - - name: nginx-includes - emptyDir: {} ---- -# Source: nginx-gateway-fabric/templates/gatewayclass.yaml -apiVersion: gateway.networking.k8s.io/v1 -kind: GatewayClass -metadata: - name: nginx - labels: - app.kubernetes.io/name: nginx-gateway - app.kubernetes.io/instance: nginx-gateway - app.kubernetes.io/version: 
"edge" -spec: - controllerName: gateway.nginx.org/nginx-gateway-controller ---- -# Source: nginx-gateway-fabric/templates/nginxgateway.yaml -apiVersion: gateway.nginx.org/v1alpha1 -kind: NginxGateway -metadata: - name: nginx-gateway-config - namespace: nginx-gateway - labels: - app.kubernetes.io/name: nginx-gateway - app.kubernetes.io/instance: nginx-gateway - app.kubernetes.io/version: "edge" -spec: - logging: - level: info ---- -# Source: nginx-gateway-fabric/templates/scc.yaml -kind: SecurityContextConstraints -apiVersion: security.openshift.io/v1 -metadata: - name: nginx-gateway-scc -allowPrivilegeEscalation: false -allowHostDirVolumePlugin: false -allowHostIPC: false -allowHostNetwork: false -allowHostPID: false -allowHostPorts: false -allowPrivilegedContainer: false -readOnlyRootFilesystem: true -runAsUser: - type: MustRunAsRange - uidRangeMin: 101 - uidRangeMax: 102 -fsGroup: - type: MustRunAs - ranges: - - min: 1001 - max: 1001 -supplementalGroups: - type: MustRunAs - ranges: - - min: 1001 - max: 1001 -seLinuxContext: - type: MustRunAs -volumes: -- emptyDir -- secret -users: -- system:serviceaccount:*:nginx-gateway -allowedCapabilities: -- NET_BIND_SERVICE -- KILL -requiredDropCapabilities: -- ALL diff --git a/deploy/manifests/openshift/openshift-nginx-plus-gateway-experimental.yaml b/deploy/manifests/openshift/openshift-nginx-plus-gateway-experimental.yaml deleted file mode 100644 index f641d6b947..0000000000 --- a/deploy/manifests/openshift/openshift-nginx-plus-gateway-experimental.yaml +++ /dev/null 
@@ -1,368 +0,0 @@ -apiVersion: v1 -kind: Namespace -metadata: - name: nginx-gateway ---- -# Source: nginx-gateway-fabric/templates/rbac.yaml -apiVersion: v1 -kind: ServiceAccount -metadata: - name: nginx-gateway - namespace: nginx-gateway - labels: - app.kubernetes.io/name: nginx-gateway - app.kubernetes.io/instance: nginx-gateway - app.kubernetes.io/version: "edge" - annotations: - {} ---- -# Source: nginx-gateway-fabric/templates/rbac.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: nginx-gateway - labels: - app.kubernetes.io/name: nginx-gateway - app.kubernetes.io/instance: nginx-gateway - app.kubernetes.io/version: "edge" -rules: -- apiGroups: - - "" - resources: - - namespaces - - services - - secrets - - configmaps - verbs: - - get - - list - - watch -- apiGroups: - - "" - resources: - - pods - verbs: - - get -- apiGroups: - - apps - resources: - - replicasets - verbs: - - get -- apiGroups: - - apps - resources: - - replicasets - verbs: - - list -- apiGroups: - - "" - resources: - - nodes - verbs: - - list -- apiGroups: - - "" - resources: - - events - verbs: - - create - - patch -- apiGroups: - - discovery.k8s.io - resources: - - endpointslices - verbs: - - list - - watch -- apiGroups: - - gateway.networking.k8s.io - resources: - - gatewayclasses - - gateways - - httproutes - - referencegrants - - grpcroutes - - backendtlspolicies - verbs: - - list - - watch -- apiGroups: - - gateway.networking.k8s.io - resources: - - httproutes/status - - gateways/status - - gatewayclasses/status - - grpcroutes/status - - backendtlspolicies/status - verbs: - - update -- apiGroups: - - gateway.nginx.org - resources: - - nginxgateways - verbs: - - get - - list - - watch -- apiGroups: - - gateway.nginx.org - resources: - - nginxproxies - - clientsettingspolicies - verbs: - - list - - watch -- apiGroups: - - gateway.nginx.org - resources: - - nginxgateways/status - - clientsettingspolicies/status - verbs: - - update -- apiGroups: - - 
coordination.k8s.io - resources: - - leases - verbs: - - create - - get - - update -- apiGroups: - - apiextensions.k8s.io - resources: - - customresourcedefinitions - verbs: - - list - - watch -- apiGroups: - - security.openshift.io - resources: - - securitycontextconstraints - resourceNames: - - nginx-gateway-scc - verbs: - - use ---- -# Source: nginx-gateway-fabric/templates/rbac.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: nginx-gateway - labels: - app.kubernetes.io/name: nginx-gateway - app.kubernetes.io/instance: nginx-gateway - app.kubernetes.io/version: "edge" -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: nginx-gateway -subjects: -- kind: ServiceAccount - name: nginx-gateway - namespace: nginx-gateway ---- -# Source: nginx-gateway-fabric/templates/deployment.yaml -apiVersion: apps/v1 -kind: Deployment -metadata: - name: nginx-gateway - namespace: nginx-gateway - labels: - app.kubernetes.io/name: nginx-gateway - app.kubernetes.io/instance: nginx-gateway - app.kubernetes.io/version: "edge" -spec: - replicas: 1 - selector: - matchLabels: - app.kubernetes.io/name: nginx-gateway - app.kubernetes.io/instance: nginx-gateway - template: - metadata: - labels: - app.kubernetes.io/name: nginx-gateway - app.kubernetes.io/instance: nginx-gateway - annotations: - prometheus.io/scrape: "true" - prometheus.io/port: "9113" - spec: - containers: - - args: - - static-mode - - --gateway-ctlr-name=gateway.nginx.org/nginx-gateway-controller - - --gatewayclass=nginx - - --config=nginx-gateway-config - - --service=nginx-gateway - - --nginx-plus - - --metrics-port=9113 - - --health-port=8081 - - --leader-election-lock-name=nginx-gateway-leader-election - - --gateway-api-experimental-features - env: - - name: POD_IP - valueFrom: - fieldRef: - fieldPath: status.podIP - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: 
metadata.name - image: ghcr.io/nginxinc/nginx-gateway-fabric:edge - imagePullPolicy: Always - name: nginx-gateway - ports: - - name: metrics - containerPort: 9113 - - name: health - containerPort: 8081 - readinessProbe: - httpGet: - path: /readyz - port: health - initialDelaySeconds: 3 - periodSeconds: 1 - securityContext: - allowPrivilegeEscalation: false - capabilities: - add: - - KILL - drop: - - ALL - readOnlyRootFilesystem: true - runAsUser: 102 - runAsGroup: 1001 - volumeMounts: - - name: nginx-conf - mountPath: /etc/nginx/conf.d - - name: module-includes - mountPath: /etc/nginx/module-includes - - name: nginx-secrets - mountPath: /etc/nginx/secrets - - name: nginx-run - mountPath: /var/run/nginx - - name: nginx-includes - mountPath: /etc/nginx/includes - - image: nginx-gateway-fabric/nginx-plus:edge - imagePullPolicy: Always - name: nginx - ports: - - containerPort: 80 - name: http - - containerPort: 443 - name: https - securityContext: - capabilities: - add: - - NET_BIND_SERVICE - drop: - - ALL - readOnlyRootFilesystem: true - runAsUser: 101 - runAsGroup: 1001 - volumeMounts: - - name: nginx-conf - mountPath: /etc/nginx/conf.d - - name: module-includes - mountPath: /etc/nginx/module-includes - - name: nginx-secrets - mountPath: /etc/nginx/secrets - - name: nginx-run - mountPath: /var/run/nginx - - name: nginx-cache - mountPath: /var/cache/nginx - - name: nginx-lib - mountPath: /var/lib/nginx - - name: nginx-includes - mountPath: /etc/nginx/includes - terminationGracePeriodSeconds: 30 - serviceAccountName: nginx-gateway - shareProcessNamespace: true - securityContext: - fsGroup: 1001 - runAsNonRoot: true - volumes: - - name: nginx-conf - emptyDir: {} - - name: module-includes - emptyDir: {} - - name: nginx-secrets - emptyDir: {} - - name: nginx-run - emptyDir: {} - - name: nginx-cache - emptyDir: {} - - name: nginx-lib - emptyDir: {} - - name: nginx-includes - emptyDir: {} ---- -# Source: nginx-gateway-fabric/templates/gatewayclass.yaml -apiVersion: 
gateway.networking.k8s.io/v1 -kind: GatewayClass -metadata: - name: nginx - labels: - app.kubernetes.io/name: nginx-gateway - app.kubernetes.io/instance: nginx-gateway - app.kubernetes.io/version: "edge" -spec: - controllerName: gateway.nginx.org/nginx-gateway-controller ---- -# Source: nginx-gateway-fabric/templates/nginxgateway.yaml -apiVersion: gateway.nginx.org/v1alpha1 -kind: NginxGateway -metadata: - name: nginx-gateway-config - namespace: nginx-gateway - labels: - app.kubernetes.io/name: nginx-gateway - app.kubernetes.io/instance: nginx-gateway - app.kubernetes.io/version: "edge" -spec: - logging: - level: info ---- -# Source: nginx-gateway-fabric/templates/scc.yaml -kind: SecurityContextConstraints -apiVersion: security.openshift.io/v1 -metadata: - name: nginx-gateway-scc -allowPrivilegeEscalation: false -allowHostDirVolumePlugin: false -allowHostIPC: false -allowHostNetwork: false -allowHostPID: false -allowHostPorts: false -allowPrivilegedContainer: false -readOnlyRootFilesystem: true -runAsUser: - type: MustRunAsRange - uidRangeMin: 101 - uidRangeMax: 102 -fsGroup: - type: MustRunAs - ranges: - - min: 1001 - max: 1001 -supplementalGroups: - type: MustRunAs - ranges: - - min: 1001 - max: 1001 -seLinuxContext: - type: MustRunAs -volumes: -- emptyDir -- secret -users: -- system:serviceaccount:*:nginx-gateway -allowedCapabilities: -- NET_BIND_SERVICE -- KILL -requiredDropCapabilities: -- ALL diff --git a/deploy/manifests/openshift/openshift-nginx-plus-gateway.yaml b/deploy/manifests/openshift/openshift-nginx-plus-gateway.yaml deleted file mode 100644 index e8afc695bf..0000000000 --- a/deploy/manifests/openshift/openshift-nginx-plus-gateway.yaml +++ /dev/null 
@@ -1,364 +0,0 @@ -apiVersion: v1 -kind: Namespace -metadata: - name: nginx-gateway ---- -# Source: nginx-gateway-fabric/templates/rbac.yaml -apiVersion: v1 -kind: ServiceAccount -metadata: - name: nginx-gateway - namespace: nginx-gateway - labels: - app.kubernetes.io/name: nginx-gateway - app.kubernetes.io/instance: nginx-gateway - app.kubernetes.io/version: "edge" - annotations: - {} ---- -# Source: nginx-gateway-fabric/templates/rbac.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: nginx-gateway - labels: - app.kubernetes.io/name: nginx-gateway - app.kubernetes.io/instance: nginx-gateway - app.kubernetes.io/version: "edge" -rules: -- apiGroups: - - "" - resources: - - namespaces - - services - - secrets - verbs: - - get - - list - - watch -- apiGroups: - - "" - resources: - - pods - verbs: - - get -- apiGroups: - - apps - resources: - - replicasets - verbs: - - get -- apiGroups: - - apps - resources: - - replicasets - verbs: - - list -- apiGroups: - - "" - resources: - - nodes - verbs: - - list -- apiGroups: - - "" - resources: - - events - verbs: - - create - - patch -- apiGroups: - - discovery.k8s.io - resources: - - endpointslices - verbs: - - list - - watch -- apiGroups: - - gateway.networking.k8s.io - resources: - - gatewayclasses - - gateways - - httproutes - - referencegrants - - grpcroutes - verbs: - - list - - watch -- apiGroups: - - gateway.networking.k8s.io - resources: - - httproutes/status - - gateways/status - - gatewayclasses/status - - grpcroutes/status - verbs: - - update -- apiGroups: - - gateway.nginx.org - resources: - - nginxgateways - verbs: - - get - - list - - watch -- apiGroups: - - gateway.nginx.org - resources: - - nginxproxies - - clientsettingspolicies - verbs: - - list - - watch -- apiGroups: - - gateway.nginx.org - resources: - - nginxgateways/status - - clientsettingspolicies/status - verbs: - - update -- apiGroups: - - coordination.k8s.io - resources: - - leases - verbs: - - create - - get - - 
update -- apiGroups: - - apiextensions.k8s.io - resources: - - customresourcedefinitions - verbs: - - list - - watch -- apiGroups: - - security.openshift.io - resources: - - securitycontextconstraints - resourceNames: - - nginx-gateway-scc - verbs: - - use ---- -# Source: nginx-gateway-fabric/templates/rbac.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: nginx-gateway - labels: - app.kubernetes.io/name: nginx-gateway - app.kubernetes.io/instance: nginx-gateway - app.kubernetes.io/version: "edge" -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: nginx-gateway -subjects: -- kind: ServiceAccount - name: nginx-gateway - namespace: nginx-gateway ---- -# Source: nginx-gateway-fabric/templates/deployment.yaml -apiVersion: apps/v1 -kind: Deployment -metadata: - name: nginx-gateway - namespace: nginx-gateway - labels: - app.kubernetes.io/name: nginx-gateway - app.kubernetes.io/instance: nginx-gateway - app.kubernetes.io/version: "edge" -spec: - replicas: 1 - selector: - matchLabels: - app.kubernetes.io/name: nginx-gateway - app.kubernetes.io/instance: nginx-gateway - template: - metadata: - labels: - app.kubernetes.io/name: nginx-gateway - app.kubernetes.io/instance: nginx-gateway - annotations: - prometheus.io/scrape: "true" - prometheus.io/port: "9113" - spec: - containers: - - args: - - static-mode - - --gateway-ctlr-name=gateway.nginx.org/nginx-gateway-controller - - --gatewayclass=nginx - - --config=nginx-gateway-config - - --service=nginx-gateway - - --nginx-plus - - --metrics-port=9113 - - --health-port=8081 - - --leader-election-lock-name=nginx-gateway-leader-election - env: - - name: POD_IP - valueFrom: - fieldRef: - fieldPath: status.podIP - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - image: ghcr.io/nginxinc/nginx-gateway-fabric:edge - imagePullPolicy: Always - name: nginx-gateway - ports: 
- - name: metrics - containerPort: 9113 - - name: health - containerPort: 8081 - readinessProbe: - httpGet: - path: /readyz - port: health - initialDelaySeconds: 3 - periodSeconds: 1 - securityContext: - allowPrivilegeEscalation: false - capabilities: - add: - - KILL - drop: - - ALL - readOnlyRootFilesystem: true - runAsUser: 102 - runAsGroup: 1001 - volumeMounts: - - name: nginx-conf - mountPath: /etc/nginx/conf.d - - name: module-includes - mountPath: /etc/nginx/module-includes - - name: nginx-secrets - mountPath: /etc/nginx/secrets - - name: nginx-run - mountPath: /var/run/nginx - - name: nginx-includes - mountPath: /etc/nginx/includes - - image: nginx-gateway-fabric/nginx-plus:edge - imagePullPolicy: Always - name: nginx - ports: - - containerPort: 80 - name: http - - containerPort: 443 - name: https - securityContext: - capabilities: - add: - - NET_BIND_SERVICE - drop: - - ALL - readOnlyRootFilesystem: true - runAsUser: 101 - runAsGroup: 1001 - volumeMounts: - - name: nginx-conf - mountPath: /etc/nginx/conf.d - - name: module-includes - mountPath: /etc/nginx/module-includes - - name: nginx-secrets - mountPath: /etc/nginx/secrets - - name: nginx-run - mountPath: /var/run/nginx - - name: nginx-cache - mountPath: /var/cache/nginx - - name: nginx-lib - mountPath: /var/lib/nginx - - name: nginx-includes - mountPath: /etc/nginx/includes - terminationGracePeriodSeconds: 30 - serviceAccountName: nginx-gateway - shareProcessNamespace: true - securityContext: - fsGroup: 1001 - runAsNonRoot: true - volumes: - - name: nginx-conf - emptyDir: {} - - name: module-includes - emptyDir: {} - - name: nginx-secrets - emptyDir: {} - - name: nginx-run - emptyDir: {} - - name: nginx-cache - emptyDir: {} - - name: nginx-lib - emptyDir: {} - - name: nginx-includes - emptyDir: {} ---- -# Source: nginx-gateway-fabric/templates/gatewayclass.yaml -apiVersion: gateway.networking.k8s.io/v1 -kind: GatewayClass -metadata: - name: nginx - labels: - app.kubernetes.io/name: nginx-gateway - 
app.kubernetes.io/instance: nginx-gateway - app.kubernetes.io/version: "edge" -spec: - controllerName: gateway.nginx.org/nginx-gateway-controller ---- -# Source: nginx-gateway-fabric/templates/nginxgateway.yaml -apiVersion: gateway.nginx.org/v1alpha1 -kind: NginxGateway -metadata: - name: nginx-gateway-config - namespace: nginx-gateway - labels: - app.kubernetes.io/name: nginx-gateway - app.kubernetes.io/instance: nginx-gateway - app.kubernetes.io/version: "edge" -spec: - logging: - level: info ---- -# Source: nginx-gateway-fabric/templates/scc.yaml -kind: SecurityContextConstraints -apiVersion: security.openshift.io/v1 -metadata: - name: nginx-gateway-scc -allowPrivilegeEscalation: false -allowHostDirVolumePlugin: false -allowHostIPC: false -allowHostNetwork: false -allowHostPID: false -allowHostPorts: false -allowPrivilegedContainer: false -readOnlyRootFilesystem: true -runAsUser: - type: MustRunAsRange - uidRangeMin: 101 - uidRangeMax: 102 -fsGroup: - type: MustRunAs - ranges: - - min: 1001 - max: 1001 -supplementalGroups: - type: MustRunAs - ranges: - - min: 1001 - max: 1001 -seLinuxContext: - type: MustRunAs -volumes: -- emptyDir -- secret -users: -- system:serviceaccount:*:nginx-gateway -allowedCapabilities: -- NET_BIND_SERVICE -- KILL -requiredDropCapabilities: -- ALL From 540552bab5295a6e05f72e88e853f9d9f45cd609 Mon Sep 17 00:00:00 2001 From: Benjamin Jee Date: Thu, 23 May 2024 10:39:12 -0700 Subject: [PATCH 27/34] Update scc users template to use release namespace and SA name --- charts/nginx-gateway-fabric/templates/scc.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/charts/nginx-gateway-fabric/templates/scc.yaml b/charts/nginx-gateway-fabric/templates/scc.yaml index 4db35d5150..8b6b741434 100644 --- a/charts/nginx-gateway-fabric/templates/scc.yaml +++ b/charts/nginx-gateway-fabric/templates/scc.yaml 
@@ -31,7 +31,7 @@ volumes:
 - emptyDir
 - secret
 users:
-- {{ printf "system:serviceaccount:*:%s" (include "nginx-gateway.fullname" .) }}
+- {{ printf "system:serviceaccount:%s:%s" .Release.Namespace (include "nginx-gateway.serviceAccountName" .) }}
 allowedCapabilities:
 - NET_BIND_SERVICE
 - KILL
From 2515c2270ce0da6dce07d2e5d42dde94569cf5ae Mon Sep 17 00:00:00 2001
From: Benjamin Jee
Date: Thu, 23 May 2024 13:10:19 -0700
Subject: [PATCH 28/34] Add scc.yaml manifest
---
 Makefile | 1 +
 deploy/manifests/scc.yaml | 40 +++++++++++++++++++++++++++++++++++++++
 2 files changed, 41 insertions(+)
 create mode 100644 deploy/manifests/scc.yaml
diff --git a/Makefile b/Makefile
index 91a592f385..c388c9337c 100644
--- a/Makefile
+++ b/Makefile
@@ -133,6 +133,7 @@ generate-manifests: ## Generate manifests using Helm.
 helm template nginx-gateway $(CHART_DIR) $(HELM_TEMPLATE_COMMON_ARGS) -n nginx-gateway -s templates/service.yaml > $(strip $(MANIFEST_DIR))/service/loadbalancer.yaml
 helm template nginx-gateway $(CHART_DIR) $(HELM_TEMPLATE_COMMON_ARGS) --set service.annotations.'service\.beta\.kubernetes\.io\/aws-load-balancer-type'="nlb" -n nginx-gateway -s templates/service.yaml > $(strip $(MANIFEST_DIR))/service/loadbalancer-aws-nlb.yaml
 helm template nginx-gateway $(CHART_DIR) $(HELM_TEMPLATE_COMMON_ARGS) --set service.type=NodePort --set service.externalTrafficPolicy="" -n nginx-gateway -s templates/service.yaml > $(strip $(MANIFEST_DIR))/service/nodeport.yaml
+ helm template nginx-gateway $(CHART_DIR) $(HELM_TEMPLATE_COMMON_ARGS) $(HELM_TEMPLATE_EXTRA_ARGS_FOR_ALL_MANIFESTS_FILE) -n nginx-gateway --api-versions security.openshift.io/v1/SecurityContextConstraints -s templates/scc.yaml > $(strip $(MANIFEST_DIR))/scc.yaml
 
 .PHONY: clean
 clean: ## Clean the build
diff --git a/deploy/manifests/scc.yaml b/deploy/manifests/scc.yaml
new file mode 100644
index 0000000000..59bf343b33
--- /dev/null
+++ b/deploy/manifests/scc.yaml
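Review bot: The rewritten `users` entry carries no comment explaining that it is one of two grant paths for this SCC — the chart's ClusterRole also grants `use` on the SCC by name, as the manifests.md snippet later in this series shows — so a maintainer changing the SCC name or the service account will not know both places must agree. A template comment above the line would cover it: `{{- /* Only this release's service account may use the SCC (namespace-scoped, unlike the former "*" wildcard); rbac.yaml also grants "use" on this SCC by name, so keep the two in step. */}}`. Replacing the wildcard namespace with `.Release.Namespace` is the right tightening; presumably `nginx-gateway.serviceAccountName` follows a `serviceAccount.name` override, which is worth confirming. The SCC document begins before this hunk.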
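Review bot: The new `generate-manifests` line renders `templates/scc.yaml` only because `--api-versions security.openshift.io/v1/SecurityContextConstraints` is passed, which presumably satisfies a capabilities check inside the template; nothing in the Makefile says so, and removing the flag as "unused" would silently produce an empty `scc.yaml`. A comment above the line would prevent that: `# scc.yaml is OpenShift-only; the template renders only when the cluster advertises the SCC API, so advertise it here with --api-versions.` This is also the only single-template (`-s`) line that passes `$(HELM_TEMPLATE_EXTRA_ARGS_FOR_ALL_MANIFESTS_FILE)`, unlike the three service.yaml lines above it, so it is worth confirming that is intended rather than carried over from the all-in-one lines.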
@@ -0,0 +1,40 @@
+---
+# Source: nginx-gateway-fabric/templates/scc.yaml
+kind: SecurityContextConstraints
+apiVersion: security.openshift.io/v1
+metadata:
+ name: nginx-gateway-scc
+allowPrivilegeEscalation: false
+allowHostDirVolumePlugin: false
+allowHostIPC: false
+allowHostNetwork: false
+allowHostPID: false
+allowHostPorts: false
+allowPrivilegedContainer: false
+readOnlyRootFilesystem: true
+runAsUser:
+ type: MustRunAsRange
+ uidRangeMin: 101
+ uidRangeMax: 102
+fsGroup:
+ type: MustRunAs
+ ranges:
+ - min: 1001
+ max: 1001
+supplementalGroups:
+ type: MustRunAs
+ ranges:
+ - min: 1001
+ max: 1001
+seLinuxContext:
+ type: MustRunAs
+volumes:
+- emptyDir
+- secret
+users:
+- system:serviceaccount:nginx-gateway:nginx-gateway
+allowedCapabilities:
+- NET_BIND_SERVICE
+- KILL
+requiredDropCapabilities:
+- ALL
From 2e2153f32f4067c5802b01141b45f2917e1ea84e Mon Sep 17 00:00:00 2001
From: Benjamin Jee
Date: Thu, 23 May 2024 13:22:45 -0700
Subject: [PATCH 29/34] Remove Openshift manifest specific document
---
 .../installing-ngf/manifests-openshift.md | 232 ------------------
 .../installation/installing-ngf/manifests.md | 2 +
 2 files changed, 2 insertions(+), 232 deletions(-)
 delete mode 100644 site/content/installation/installing-ngf/manifests-openshift.md
diff --git a/site/content/installation/installing-ngf/manifests-openshift.md b/site/content/installation/installing-ngf/manifests-openshift.md
deleted file mode 100644
index 41938ba049..0000000000
--- a/site/content/installation/installing-ngf/manifests-openshift.md
+++ /dev/null
@@ -1,232 +0,0 @@ ---- -title: "Installation with Kubernetes manifests on Openshift" -description: "Learn how to install, upgrade, and uninstall NGINX Gateway Fabric using Kubernetes manifests on Openshift." -weight: 200 -toc: true -docs: "DOCS-0000" ---- - -{{}} - -## Prerequisites - -To complete this guide, you'll need to install: - -- [kubectl](https://kubernetes.io/docs/tasks/tools/), a command-line interface for managing Kubernetes clusters. - -## Deploy NGINX Gateway Fabric - -Deploying NGINX Gateway Fabric with Kubernetes manifests takes only a few steps. With manifests, you can configure your deployment exactly how you want. Manifests also make it easy to replicate deployments across environments or clusters, ensuring consistency. - -- If you’d like to use NGINX Plus: - 1. To pull from the F5 Container registry, configure a docker registry secret using your JWT token from the MyF5 portal by following the instructions from [here](https://docs.nginx.com/nginx-gateway-fabric/installation/ngf-images/jwt-token-docker-secret). Make sure to specify the secret in the `imagePullSecrets` field of the `nginx-gateway` ServiceAccount. - 1. Alternatively, pull an NGINX Gateway Fabric image with NGINX Plus and push it to your private registry by following the instructions from [here]({{}}). - 1. Update the nginx container's `image` field of the `nginx-gateway` Deployment accordingly. - -### 1. Install the Gateway API resources - -{{}} - -### 2. Deploy the NGINX Gateway Fabric CRDs - -#### Stable release - -```shell -kubectl apply -f https://raw.githubusercontent.com/nginxinc/nginx-gateway-fabric/v1.2.0/deploy/crds.yaml -``` - -#### Edge version - -```shell -kubectl apply -f https://raw.githubusercontent.com/nginxinc/nginx-gateway-fabric/main/deploy/crds.yaml -``` - -### 3. Deploy NGINX Gateway Fabric - -{{}}By default, NGINX Gateway Fabric is installed in the **nginx-gateway** namespace. 
You can deploy in another namespace by modifying the manifest files.{{}} - -#### Stable release - -##### For NGINX - -```shell -kubectl apply -f https://github.com/nginxinc/nginx-gateway-fabric/releases/download/v1.2.0/openshift-nginx-gateway.yaml -``` - -##### For NGINX Plus - -Download the [deployment YAML](https://github.com/nginxinc/nginx-gateway-fabric/releases/download/v1.2.0/openshift-nginx-plus-gateway.yaml). - -Update the `openshift-nginx-plus-gateway.yaml` file to include your chosen NGINX Plus image from the F5 Container registry or your custom image. - -{{< important >}}Ensure that you [Enable Usage Reporting]({{< relref "installation/usage-reporting.md" >}}) before applying.{{< /important >}} - -```shell -kubectl apply -f openshift-nginx-plus-gateway.yaml -``` - -#### Edge version - -##### For NGINX - -```shell -kubectl apply -f deploy/manifests/openshift/openshift-nginx-gateway.yaml -``` - -##### For NGINX Plus - -{{< important >}}Ensure that you [Enable Usage Reporting]({{< relref "installation/usage-reporting.md" >}}) before applying.{{< /important >}} - -```shell -kubectl apply -f deploy/manifests/openshift/openshift-nginx-plus-gateway.yaml -``` - -Update the openshift-nginx-plus-gateway.yaml file to include your chosen image from the F5 Container registry or your custom container image. - -#### Enable experimental features - -We support a subset of the additional features provided by the Gateway API experimental channel. To enable the experimental features of Gateway API which are supported by NGINX Gateway Fabric: - -##### For NGINX - -```shell -kubectl apply -f deploy/manifests/openshift/openshift-nginx-gateway-experimental.yaml -``` - -##### For NGINX Plus - -```shell -kubectl apply -f deploy/manifests/openshift/openshift-nginx-plus-gateway-experimental.yaml -``` - -Update the openshift-nginx-plus-gateway-experimental.yaml file to include your chosen image from the F5 Container registry or your custom container image. 
- -{{}}Requires the Gateway APIs installed from the experimental channel.{{}} - -### 4. Verify the Deployment - -To confirm that NGINX Gateway Fabric is running, check the pods in the `nginx-gateway` namespace: - -```shell -kubectl get pods -n nginx-gateway -``` - -The output should look similar to this (note that the pod name will include a unique string): - -```text -NAME READY STATUS RESTARTS AGE -nginx-gateway-5d4f4c7db7-xk2kq 2/2 Running 0 112s -``` - -## Upgrade NGINX Gateway Fabric - -{{}}For guidance on zero downtime upgrades, see the [Delay Pod Termination](#configure-delayed-pod-termination-for-zero-downtime-upgrades) section below.{{}} - -To upgrade NGINX Gateway Fabric and get the latest features and improvements, take the following steps: - -1. **Upgrade Gateway API resources:** - - - Verify that your NGINX Gateway Fabric version is compatible with the Gateway API resources. Refer to the [Technical Specifications]({{< relref "reference/technical-specifications.md" >}}) for details. - - Review the [release notes](https://github.com/kubernetes-sigs/gateway-api/releases) for any important upgrade-specific information. - - To upgrade the Gateway API resources, run: - - ```shell - kubectl apply -f https://github.com/kubernetes-sigs/gateway-api/releases/download/v1.0.0/standard-install.yaml - ``` - - or, if you installed the from the experimental channel: - - ```shell - kubectl apply -f https://github.com/kubernetes-sigs/gateway-api/releases/download/v1.0.0/experimental-install.yaml - ``` - -1. **Upgrade NGINX Gateway Fabric CRDs:** - - - To upgrade the Custom Resource Definitions (CRDs), run: - - ```shell - kubectl apply -f https://raw.githubusercontent.com/nginxinc/nginx-gateway-fabric/v1.2.0/deploy/crds.yaml - ``` - -1. 
**Upgrade NGINX Gateway Fabric deployment:** - - - To upgrade the deployment, run: - - ```shell - kubectl apply -f https://github.com/nginxinc/nginx-gateway-fabric/releases/download/v1.2.0/openshift-nginx-gateway.yaml - ``` - -## Delay pod termination for zero downtime upgrades {#configure-delayed-pod-termination-for-zero-downtime-upgrades} - -{{< include "installation/delay-pod-termination/delay-pod-termination-overview.md" >}} - -Follow these steps to configure delayed pod termination: - -1. Open the `openshift-nginx-gateway.yaml` for editing. - -1. **Add delayed shutdown hooks**: - - - In the `openshift-nginx-gateway.yaml` file, add `lifecycle: preStop` hooks to both the `nginx` and `nginx-gateway` container definitions. These hooks instruct the containers to delay their shutdown process, allowing time for connections to close gracefully. Update the `sleep` value to what works for your environment. - - ```yaml - <...> - name: nginx-gateway - <...> - lifecycle: - preStop: - exec: - command: - - /usr/bin/gateway - - sleep - - --duration=40s # This flag is optional, the default is 30s - <...> - name: nginx - <...> - lifecycle: - preStop: - exec: - command: - - /bin/sleep - - "40" - <...> - ``` - -1. **Set the termination grace period**: - - - {{}} - -1. Save the changes. - -{{}} -For additional information on configuring and understanding the behavior of containers and pods during their lifecycle, refer to the following Kubernetes documentation: - -- [Container Lifecycle Hooks](https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks) -- [Pod Lifecycle](https://kubernetes.io/docs/concepts/workloads/Pods/Pod-lifecycle/#Pod-termination) - -{{}} - -## Uninstall NGINX Gateway Fabric - -Follow these steps to uninstall NGINX Gateway Fabric and Gateway API from your Kubernetes cluster: - -1. 
**Uninstall NGINX Gateway Fabric:** - - - To remove NGINX Gateway Fabric and its custom resource definitions (CRDs), run: - - ```shell - kubectl delete -f https://github.com/nginxinc/nginx-gateway-fabric/releases/download/v1.2.0/openshift-nginx-gateway.yaml - ``` - - ```shell - kubectl delete -f https://raw.githubusercontent.com/nginxinc/nginx-gateway-fabric/v1.2.0/deploy/crds.yaml - ``` - -1. **Remove the Gateway API resources:** - - - {{}} - -## Next steps - -### Expose NGINX Gateway Fabric - -{{}} diff --git a/site/content/installation/installing-ngf/manifests.md b/site/content/installation/installing-ngf/manifests.md index f6200be880..0f69ffb614 100644 --- a/site/content/installation/installing-ngf/manifests.md +++ b/site/content/installation/installing-ngf/manifests.md @@ -45,6 +45,8 @@ kubectl apply -f https://raw.githubusercontent.com/nginxinc/nginx-gateway-fabric {{}}By default, NGINX Gateway Fabric is installed in the **nginx-gateway** namespace. You can deploy in another namespace by modifying the manifest files.{{}} +{{}}If you are deploying NGINX Gateway Fabric in an Openshift environment, we've supplied a baseline [SecurityContextConstraints](https://raw.githubusercontent.com/nginxinc/nginx-gateway-fabric/v1.2.0/deploy/manifests/scc.yaml) manifest that you can download, modify if needed, and apply. You will also need to make sure the SecurityContextConstraints resource is added to the ClusterRole rbac.{{}} + #### Stable release ##### For NGINX From 2238762b4a87fa1655537bb48720b3268f6c3fea Mon Sep 17 00:00:00 2001 From: Benjamin Jee Date: Thu, 23 May 2024 13:24:45 -0700 Subject: [PATCH 30/34] Remove comment on installation in helm installation guide --- site/content/installation/installing-ngf/helm.md | 2 -- 1 file changed, 2 deletions(-) diff --git a/site/content/installation/installing-ngf/helm.md b/site/content/installation/installing-ngf/helm.md index 2d864c74ff..658425f6e7 100644 --- a/site/content/installation/installing-ngf/helm.md 
+++ b/site/content/installation/installing-ngf/helm.md @@ -29,8 +29,6 @@ To complete this guide, you'll need to install: To install the latest stable release of NGINX Gateway Fabric in the **nginx-gateway** namespace, run the following command: -{{< note >}} OpenShift users must add the `--set platform=openshift` flag to the install and upgrade commands below. {{< /note >}} - ##### For NGINX ```shell From 03c8be512956ec290ea9b299ec05a30a06737de5 Mon Sep 17 00:00:00 2001 From: Benjamin Jee Date: Fri, 24 May 2024 10:37:26 -0700 Subject: [PATCH 31/34] Add more details on installation through manifests --- .../installation/installing-ngf/manifests.md | 17 ++++++++++++++++- 1 file changed, 16 insertions(+), 1 deletion(-) diff --git a/site/content/installation/installing-ngf/manifests.md b/site/content/installation/installing-ngf/manifests.md index 0f69ffb614..f1c7b574fe 100644 --- a/site/content/installation/installing-ngf/manifests.md +++ b/site/content/installation/installing-ngf/manifests.md 
@@ -45,7 +45,22 @@ kubectl apply -f https://raw.githubusercontent.com/nginxinc/nginx-gateway-fabric {{}}By default, NGINX Gateway Fabric is installed in the **nginx-gateway** namespace. You can deploy in another namespace by modifying the manifest files.{{}} -{{}}If you are deploying NGINX Gateway Fabric in an Openshift environment, we've supplied a baseline [SecurityContextConstraints](https://raw.githubusercontent.com/nginxinc/nginx-gateway-fabric/v1.2.0/deploy/manifests/scc.yaml) manifest that you can download, modify if needed, and apply. You will also need to make sure the SecurityContextConstraints resource is added to the ClusterRole rbac.{{}} +{{}}If you are deploying NGINX Gateway Fabric on Openshift, we've supplied a baseline [SecurityContextConstraints](https://raw.githubusercontent.com/nginxinc/nginx-gateway-fabric/main/deploy/manifests/scc.yaml) manifest that you can download, modify if needed, and apply. You will also need to make sure the SecurityContextConstraints resource is added to the ClusterRole RBAC: + +```yaml +. . . +- apiGroups: + - security.openshift.io + resources: + - securitycontextconstraints + resourceNames: + - nginx-gateway-scc + verbs: + - use + ``` + +Alternatively, use [helm]({{< relref "installation/installing-ngf/helm.md" >}}), which will automatically configure the mentioned resources on OpenShift. +{{}} #### Stable release From bda54b77ff64787b9e8bdcc8729eadb32c0c9536 Mon Sep 17 00:00:00 2001 From: Benjamin Jee Date: Fri, 24 May 2024 13:40:42 -0700 Subject: [PATCH 32/34] Change SCC link to version 1.2.0 --- site/content/installation/installing-ngf/manifests.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/site/content/installation/installing-ngf/manifests.md b/site/content/installation/installing-ngf/manifests.md index f1c7b574fe..cd43c79492 100644 --- a/site/content/installation/installing-ngf/manifests.md +++ b/site/content/installation/installing-ngf/manifests.md 
@@ -45,7 +45,7 @@ kubectl apply -f https://raw.githubusercontent.com/nginxinc/nginx-gateway-fabric {{}}By default, NGINX Gateway Fabric is installed in the **nginx-gateway** namespace. You can deploy in another namespace by modifying the manifest files.{{}} -{{}}If you are deploying NGINX Gateway Fabric on Openshift, we've supplied a baseline [SecurityContextConstraints](https://raw.githubusercontent.com/nginxinc/nginx-gateway-fabric/main/deploy/manifests/scc.yaml) manifest that you can download, modify if needed, and apply. You will also need to make sure the SecurityContextConstraints resource is added to the ClusterRole RBAC: +{{}}If you are deploying NGINX Gateway Fabric on Openshift, we've supplied a baseline [SecurityContextConstraints](https://raw.githubusercontent.com/nginxinc/nginx-gateway-fabric/v1.2.0/deploy/manifests/scc.yaml) manifest that you can download, modify if needed, and apply. You will also need to make sure the SecurityContextConstraints resource is added to the ClusterRole RBAC: ```yaml . . . From 2573e90778754b81063eefcfca8731aa13c247e9 Mon Sep 17 00:00:00 2001 From: Benjamin Jee Date: Tue, 28 May 2024 08:35:20 -0700 Subject: [PATCH 33/34] Fix Openshift to OpenShift --- site/content/installation/installing-ngf/manifests.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/site/content/installation/installing-ngf/manifests.md b/site/content/installation/installing-ngf/manifests.md index cd43c79492..de7f911972 100644 --- a/site/content/installation/installing-ngf/manifests.md +++ b/site/content/installation/installing-ngf/manifests.md 
@@ -45,7 +45,7 @@ kubectl apply -f https://raw.githubusercontent.com/nginxinc/nginx-gateway-fabric {{}}By default, NGINX Gateway Fabric is installed in the **nginx-gateway** namespace. You can deploy in another namespace by modifying the manifest files.{{}} -{{}}If you are deploying NGINX Gateway Fabric on Openshift, we've supplied a baseline [SecurityContextConstraints](https://raw.githubusercontent.com/nginxinc/nginx-gateway-fabric/v1.2.0/deploy/manifests/scc.yaml) manifest that you can download, modify if needed, and apply. You will also need to make sure the SecurityContextConstraints resource is added to the ClusterRole RBAC: +{{}}If you are deploying NGINX Gateway Fabric on OpenShift, we've supplied a baseline [SecurityContextConstraints](https://raw.githubusercontent.com/nginxinc/nginx-gateway-fabric/v1.2.0/deploy/manifests/scc.yaml) manifest that you can download, modify if needed, and apply. You will also need to make sure the SecurityContextConstraints resource is added to the ClusterRole RBAC: ```yaml . . . From 0dcc8b69251ca0bf209d353f92c3ce1f7aee0185 Mon Sep 17 00:00:00 2001 From: Benjamin Jee Date: Tue, 28 May 2024 10:35:07 -0700 Subject: [PATCH 34/34] Fix rebase issue --- Makefile | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/Makefile b/Makefile index c388c9337c..030fabd26a 100644 --- a/Makefile +++ b/Makefile 
@@ -128,8 +128,7 @@ generate-manifests: ## Generate manifests using Helm. helm template nginx-gateway $(CHART_DIR) $(HELM_TEMPLATE_COMMON_ARGS) $(HELM_TEMPLATE_EXTRA_ARGS_FOR_ALL_MANIFESTS_FILE) --set nginx.plus=true --set nginx.image.repository=$(NGINX_PLUS_PREFIX) -n nginx-gateway | cat $(strip $(MANIFEST_DIR))/namespace.yaml - > $(strip $(MANIFEST_DIR))/nginx-plus-gateway.yaml helm template nginx-gateway $(CHART_DIR) $(HELM_TEMPLATE_COMMON_ARGS) $(HELM_TEMPLATE_EXTRA_ARGS_FOR_ALL_MANIFESTS_FILE) --set nginxGateway.gwAPIExperimentalFeatures.enable=true -n nginx-gateway | cat $(strip $(MANIFEST_DIR))/namespace.yaml - > $(strip $(MANIFEST_DIR))/nginx-gateway-experimental.yaml helm template nginx-gateway $(CHART_DIR) $(HELM_TEMPLATE_COMMON_ARGS) $(HELM_TEMPLATE_EXTRA_ARGS_FOR_ALL_MANIFESTS_FILE) --set nginxGateway.gwAPIExperimentalFeatures.enable=true --set nginx.plus=true --set nginx.image.repository=$(NGINX_PLUS_PREFIX) -n nginx-gateway | cat $(strip $(MANIFEST_DIR))/namespace.yaml - > $(strip $(MANIFEST_DIR))/nginx-plus-gateway-experimental.yaml - helm template nginx-gateway $(CHART_DIR) $(HELM_TEMPLATE_COMMON_ARGS) --set metrics.enable=false --set nginxGateway.productTelemetry.enable=false -n nginx-gateway -s templates/deployment.yaml > config/tests/static-deployment.yam - helm template nginx-gateway $(CHART_DIR) $(HELM_TEMPLATE_COMMON_ARGS) --set metrics.enable=false --set nginxGateway.productTelemetry.enable=false -n nginx-gateway -s templates/deployment.yaml > conformance/provisioner/static-deployment.yaml + helm template nginx-gateway $(CHART_DIR) $(HELM_TEMPLATE_COMMON_ARGS) --set metrics.enable=false --set nginxGateway.productTelemetry.enable=false -n nginx-gateway -s templates/deployment.yaml > config/tests/static-deployment.yaml helm template nginx-gateway $(CHART_DIR) $(HELM_TEMPLATE_COMMON_ARGS) -n nginx-gateway -s templates/service.yaml > $(strip $(MANIFEST_DIR))/service/loadbalancer.yaml helm template nginx-gateway $(CHART_DIR) 
$(HELM_TEMPLATE_COMMON_ARGS) --set service.annotations.'service\.beta\.kubernetes\.io\/aws-load-balancer-type'="nlb" -n nginx-gateway -s templates/service.yaml > $(strip $(MANIFEST_DIR))/service/loadbalancer-aws-nlb.yaml helm template nginx-gateway $(CHART_DIR) $(HELM_TEMPLATE_COMMON_ARGS) --set service.type=NodePort --set service.externalTrafficPolicy="" -n nginx-gateway -s templates/service.yaml > $(strip $(MANIFEST_DIR))/service/nodeport.yaml
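Review bot: Besides correcting `static-deployment.yam` to `.yaml`, the hunk also removes the line that generated `conformance/provisioner/static-deployment.yaml`, which the commit title ("Fix rebase issue") does not explain. If that file is still consumed by the conformance provisioner it will now go stale; if the rebase dropped it because main no longer generates it, a sentence in the commit message saying so would save the next reader from re-checking. The `generate-manifests` recipe begins before this hunk and continues after it.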