Merge pull request #178 from nginxinc/rbac

pleshakov · web-flow · commit 55ccbbe1b2d4 · 2017-08-31T21:32:07.000+01:00
Add RBAC example
diff --git a/examples/complete-example/README.md b/examples/complete-example/README.md
@@ -11,7 +11,7 @@
 
 ## 1. Deploy the Ingress Controller
 
-1. Create a Secret with an SSL certificate and key for the default server of NGINX/NGINX Plus. The default server returns the Not Found page with the 404 status code for all requests for domains for which there are no Ingress rules defined. 
+1. Create a Secret with an SSL certificate and key for the default server of NGINX/NGINX Plus. The default server returns the Not Found page with the 404 status code for all requests for domains for which there are no Ingress rules defined. It is recommended that you use your own certificate and key. 
     ```
     $ kubectl create -f default-server-secret.yaml
     ```
diff --git a/examples/rbac/README.md b/examples/rbac/README.md
@@ -0,0 +1,26 @@
+# RBAC
+
+For Kubernetes clusters with enabled [RBAC](https://kubernetes.io/docs/admin/authorization/rbac/), follow the steps below to deploy the Ingress controller:
+
+1. Make sure you are a cluster admin.
+
+1. If you would like to deploy the Ingress controller in a namespace other than `default`, change the namespace of the service account used in the cluster role binding in `nginx-ingress-rbac.yaml`. 
+
+1. Create a service account, a cluster role and a cluster role binding for the Ingress controller:
+	```
+	$ kubectl create -f nginx-ingress-rbac.yaml
+	```
+
+1. As usual, create a secret with an SSL certificate and key for the default server of NGINX/NGINX Plus. It is recommended that you use your own certificate and key. 
+    ```
+    $ kubectl create -f default-server-secret.yaml
+    ```
+
+1. Deploy NGINX or NGINX Plus Ingress controller with the service account from the previous step:
+	```
+	$ kubectl create -f nginx-ingress-rc.yaml
+	```
+	or
+	```
+	$ kubectl create -f nginx-plus-ingress-rc.yaml
+	```
diff --git a/examples/rbac/default-server-secret.yaml b/examples/rbac/default-server-secret.yaml
@@ -0,0 +1,8 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: default-server-secret
+type: Opaque
+data:
+  tls.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURTVENDQWpHZ0F3SUJBZ0lKQUs5L2NDNWZocDJHTUEwR0NTcUdTSWIzRFFFQkJRVUFNQ0V4SHpBZEJnTlYKQkFNVEZrNUhTVTVZU1c1bmNtVnpjME52Ym5SeWIyeHNaWEl3SGhjTk1UY3dPRE14TVRBeE16UTRXaGNOTVRndwpPRE14TVRBeE16UTRXakFoTVI4d0hRWURWUVFERXhaT1IwbE9XRWx1WjNKbGMzTkRiMjUwY205c2JHVnlNSUlCCklqQU5CZ2txaGtpRzl3MEJBUUVGQUFPQ0FROEFNSUlCQ2dLQ0FRRUF0bXhhMDhadExIaWxleWhOUWN5OUl4ankKWTBYdy9CRmZvM3duMDRsSXRoaGRxbkZ3NTZIVG1RVjIvbnEyRUxMdTNoejNjc3Urc3M5WFEzL3BrbXVwTEE5TApuaVVRZFVNcER4VlE1VFFKRW5CanJ5aXc4RWFlcEp4NUNCYVB5V3ZSZkpPb0pFSW56ZmNaYnE4OEVmQklYOHdtClFCa0xlcnFTVmRYWjBXR3FINVVQVlVZMVBqZXBqSXAyZ0NvbDRMUjM1aHRlSk9OMmZVTEF6cmRGMDBDT092WGsKUzgwRGw5eHdoUkVwVWVySGNuNXZod3BJazNkY3FNS3BxWTY2elF3dStMcFJEM3ZVWjR0eC9VYnlUdStkMkdhVwpWaG1RLy85RmtzUzVBS1d2ZXkrK3pPUTFDZTAxNzhDU0hRYXRDaWFuU2lTT3lwakZtTUZ0N1Mra25pbm9Xd0lECkFRQUJvNEdETUlHQU1CMEdBMVVkRGdRV0JCUlFUODVHRzV6a0QxV3FNSzZvOW8xWWFqUVBXVEJSQmdOVkhTTUUKU2pCSWdCUlFUODVHRzV6a0QxV3FNSzZvOW8xWWFqUVBXYUVscENNd0lURWZNQjBHQTFVRUF4TVdUa2RKVGxoSgpibWR5WlhOelEyOXVkSEp2Ykd4bGNvSUpBSzkvY0M1ZmhwMkdNQXdHQTFVZEV3UUZNQU1CQWY4d0RRWUpLb1pJCmh2Y05BUUVGQlFBRGdnRUJBSTIxcXpDN0lIYTEzblNvRkMxVFdtSUZydjQ2L2hRSFRjSFhxazRXZW16Z3VwVW8Kdmp0R05DVFlaR1VtL3RZY1FobDZvOXVJZlV5N3NlVS9OeWVCWHpOdGFiQUczQUIzanREVUJySy9xeVJ5cDZjRApIL0MzNmd5VFh3OGJxYVdOSzg0VGhYOVg2MFVFNVE2NzFUQUJMbk9paEhKUVVxTHdRc1VkdEkxRHBQb1BOOFlWCm5YQVl1RXJKWTVRckhzdHZoOFNZM2xoV3BSOWJ0eTVySldweUhIM3NDL1lHN2lFam5TUXp2LzdhK3cxTW1RQ0EKTk1wQnFvdzJKZkdveklyV2JvcFBVR2lmZ2szSjBKT24rcnA4RDRVc1lvNEo4Y3RvVk5qUFdmeU9zczB6ZWZ2aQpyUmVEUDdJOXc5THF1eERIRUhzeUpMUXN0MzNlQWlna1FBQU9zMUU9Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K
+  tls.key: LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlFb3dJQkFBS0NBUUVBdG14YTA4WnRMSGlsZXloTlFjeTlJeGp5WTBYdy9CRmZvM3duMDRsSXRoaGRxbkZ3CjU2SFRtUVYyL25xMkVMTHUzaHozY3N1K3NzOVhRMy9wa211cExBOUxuaVVRZFVNcER4VlE1VFFKRW5CanJ5aXcKOEVhZXBKeDVDQmFQeVd2UmZKT29KRUluemZjWmJxODhFZkJJWDh3bVFCa0xlcnFTVmRYWjBXR3FINVVQVlVZMQpQamVwaklwMmdDb2w0TFIzNWh0ZUpPTjJmVUxBenJkRjAwQ09PdlhrUzgwRGw5eHdoUkVwVWVySGNuNXZod3BJCmszZGNxTUtwcVk2NnpRd3UrTHBSRDN2VVo0dHgvVWJ5VHUrZDJHYVdWaG1RLy85RmtzUzVBS1d2ZXkrK3pPUTEKQ2UwMTc4Q1NIUWF0Q2lhblNpU095cGpGbU1GdDdTK2tuaW5vV3dJREFRQUJBb0lCQVFDQ002UkFNd2dKRGJOTwp5OTBZY2NFdEk4a2RBZmFXY3ZBSUI3MkZSaDhYbVJ5QllxWnJMUjJSd2t6RUpXRjlXYmtUM3lqZVRuMjFzamRlCmZoVi81RWZDb3NnZC8rWlhTN0FxaTlSSlEzS1dMcEYzbTF0dW8zam5sS2J1RnV4Wm54TE9EN1dhNjN6dGpNZ2kKTUFCMzdVQTYzOE1OVE5MY3JmMTBOa1paSTVRQkpYWWNPRk1ueDJ4MXVLRkU5RHQzWUEzbE9nOWNGdmFJTFpEQQo3WTVHVDlmUXdJQS92OGRWRU1DTkNiSzI1b1dnRG90WUdZaUhiYm1hUk9DTkRpNzVQZFpkM2daQ3IxUHFPWEZHCkJaVEh1L3Q4OXMwV1QyUkpNV2ljVW5XV0oyVHhmRWU1YUQ4R0JjRzEyN0pkamxLSitWZCtHWmxvODVYYVBvdnUKTVFxek1nbUJBb0dCQU9IS1pGbzVnSVkzL0J3aElCZ2RGUytnOG1GK21JTWpxSGVMN1NFSTNYL0UzWjhJd0syUgpmTTVFRUpTZnlETFpDVkNlSS8veWhBOUF6dG9Dam12TzdjMUxJT3kwR3k5dFlJVHlYY0xQNWNBWitBTkJCRExFCitYZkx5SE9KVXBDM2o4RFRZWDF0RENiUGJ5UFZTZENUNHNKT2JrNDVZVXQ3a3pEYTVHSFpsL3hqQW9HQkFNN1UKayt6TE5zbFQ2azJaakJaZW81YUdoMUNCSVV4bzNFNVpGYUZWR2lyMSs4NVlkVDdXVEpublJ6K0l6QXBMMmRqZApPZjVlQS9wa3JVNExMeGMzVVNEYjJwczJuT1hQd1p1OWdqRTM3aml0SUFRd3BHL3FiamQ3Y1ZaR2hlUkQyK3l4ClptTWU3c1BCZEVmcldmK1REYU9lT3B4L2RRcnFyTEc2UXo1ZHlQbXBBb0dBVmsyZ0VnU01wY0RjY253TzRtaXIKWW1zb2VpK0RhQXpISmZxc0JzWjJzNUd5REVteUxDWENDSzFua1FlSjVEV2xJOVZ1ZVRSZldkMHhzNDdxbFRhaApHcWt1eW9zRklSbXpuTjF2RFRtZDNkR1BSTjhqRmF6SWxndWtjTlQ2WkNwbG5oU3QzTjFEbWNvTDl5eGRiSVk2ClZIN2FGcmhFQWpBWDBNSzZMTlNaRFhVQ2dZQlRYc3JWeTBBbFBTY1g2b25XUm9Xb1drZlhBb1lhbDdZZCtyakcKVkZoODhyUnlnNk9YRmFqQTdNSUNjVERXQWFjcFRGdGhGaUtDWHV5Z3BjOXdpMEt2ZlErTU95SlpYRHBOZmNFcAo5OEtWbyt0ZzVQNlRnaXExUUpQNTArbUtqblBxMzhOR3R5UkZVZ2grS1BjWkZ2eUxkRzlwdjlLOCtNVnR5b2ZxCmJzRmhLUUtCZ0NvcEg5Wm95MjJBNStLcnJYZmQ0VXRBcndjN0dVanFUT1hhTzgyd3FpU0hZMndPTGdkWWw0L3kKSDJEYy9EMWxmWS9GL09sckNMZDNpL0lLc0wxNG13R2dxODZRdDhxeTIwcWw4RFNyWG91TmhsQTJmL1ZUTk1SMAp2OXAwU1JrQjI2UVYyUitndnNVYk9xb1lhMlVQVkNuQW9QeTYwTXlBaVJUR3cyeTExbm9lCi0tLS0tRU5EIFJTQSBQUklWQVRFIEtFWS0tLS0tCg==
diff --git a/examples/rbac/nginx-ingress-rbac.yaml b/examples/rbac/nginx-ingress-rbac.yaml
@@ -0,0 +1,60 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: nginx-ingress 
+---
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1beta1
+metadata:
+  name: nginx-ingress
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - services
+  - endpoints
+  verbs: 
+  - list
+  - watch
+- apiGroups: 
+  - ""
+  resources:
+  - configmaps
+  - secrets
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - pods
+  verbs:
+  - list
+- apiGroups:
+  - ""
+  resources:
+  - events
+  verbs:
+  - create
+  - patch
+- apiGroups:
+  - extensions
+  resources:
+  - ingresses
+  verbs:
+  - list
+  - watch
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1beta1
+metadata:
+  name: nginx-ingress
+subjects:
+- kind: ServiceAccount
+  name: nginx-ingress
+  namespace: default 
+roleRef:
+  kind: ClusterRole
+  name: nginx-ingress 
+  apiGroup: rbac.authorization.k8s.io
diff --git a/examples/rbac/nginx-ingress-rc.yaml b/examples/rbac/nginx-ingress-rc.yaml
@@ -0,0 +1,36 @@
+apiVersion: v1
+kind: ReplicationController
+metadata:
+  name: nginx-ingress-rc
+  labels:
+    app: nginx-ingress
+spec:
+  replicas: 1
+  selector:
+    app: nginx-ingress
+  template:
+    metadata:
+      labels:
+        app: nginx-ingress
+    spec:
+      serviceAccountName: nginx-ingress
+      containers:
+      - image: nginxdemos/nginx-ingress:1.0.0-beta0
+        imagePullPolicy: Always
+        name: nginx-ingress
+        ports:
+        - containerPort: 80
+          hostPort: 80
+        - containerPort: 443
+          hostPort: 443
+        env:
+        - name: POD_NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+        # Uncomment the lines below to enable extensive logging and/or customization of
+        # NGINX configuration with configmaps
+        args:
+         #- -v=3
+         #- -nginx-configmaps=$(POD_NAMESPACE)/nginx-config
+          - -default-server-tls-secret=$(POD_NAMESPACE)/default-server-secret
diff --git a/examples/rbac/nginx-plus-ingress-rc.yaml b/examples/rbac/nginx-plus-ingress-rc.yaml
@@ -0,0 +1,39 @@
+apiVersion: v1
+kind: ReplicationController
+metadata:
+  name: nginx-plus-ingress-rc
+  labels:
+    app: nginx-plus-ingress
+spec:
+  replicas: 1
+  selector:
+    app: nginx-plus-ingress
+  template:
+    metadata:
+      labels:
+        app: nginx-plus-ingress
+    spec:
+      serviceAccountName: nginx-ingress
+      containers:
+      - image: nginx-plus-ingress:1.0.0-beta0
+        imagePullPolicy: Always
+        name: nginx-plus-ingress
+        ports:
+        - containerPort: 80
+          hostPort: 80
+        - containerPort: 443
+          hostPort: 443
+        - containerPort: 8080
+          hostPort: 8080
+        env:
+        - name: POD_NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+        # Uncomment the lines below to enable extensive logging and/or customization of
+        # NGINX configuration with configmaps
+        args:
+          - -nginx-plus
+         #- -v=3
+         #- -nginx-configmaps=$(POD_NAMESPACE)/nginx-config
+          - -default-server-tls-secret=$(POD_NAMESPACE)/default-server-secret
