From bcecbad65232713d1b5199891f2224e2c8711eb7 Mon Sep 17 00:00:00 2001 From: Phil Sphicas Date: Fri, 13 Dec 2019 17:58:07 -0800 Subject: [PATCH] Ingress: k8s and ingress version compatibility k8s 1.14 first enabled Ingress in the networking.k8s.io/v1beta1 API group, while still serving it in the extensions/v1beta1 API group. The extensions/v1beta1 API endpoint is deprecated in 1.16 and scheduled for removal in 1.20. [0] ingress-nginx 0.25.0 actually uses the networking.k8s.io/v1beta1 API, which requires updated RBAC rules. [1] This change updates the ClusterRole used by the ingress service account to grant access to Ingress resources via either the extensions/v1beta1 or networking.k8s.io/v1beta1 API, aligning with the static manifests from the kubernetes/ingress-nginx repo [2]. It does not change the apiVersion used when creating Ingress resources. [0] https://kubernetes.io/blog/2019/07/18/api-deprecations-in-1-16/ [1] https://github.com/kubernetes/ingress-nginx/releases/tag/nginx-0.25.0 [2] https://github.com/kubernetes/ingress-nginx/blob/870be3bcd88c267f14fd82da82303472f383cd14/deploy/static/mandatory.yaml#L50-L106 Change-Id: I67d4dbdb3834ca4ac8ce90ec51c8d6414ce80a01 --- ingress/templates/deployment-ingress.yaml | 15 ++++++++------- 1 file changed, 8 insertions(+), 7 deletions(-) diff --git a/ingress/templates/deployment-ingress.yaml b/ingress/templates/deployment-ingress.yaml index c9977e14f..175b8ff67 100644 --- a/ingress/templates/deployment-ingress.yaml +++ b/ingress/templates/deployment-ingress.yaml @@ -58,21 +58,22 @@ rules: - get - list - watch + - apiGroups: + - "" + resources: + - events + verbs: + - create + - patch - apiGroups: - "extensions" + - "networking.k8s.io" resources: - ingresses verbs: - get - list - watch - - apiGroups: - - "" - resources: - - events - verbs: - - create - - patch - apiGroups: - "extensions" - "networking.k8s.io"