diff --git a/charts/ingress-nginx/README.md b/charts/ingress-nginx/README.md
index 05fa08ea31..c415c2b899 100644
--- a/charts/ingress-nginx/README.md
+++ b/charts/ingress-nginx/README.md
@@ -283,6 +283,7 @@ metadata:
 | controller.admissionWebhooks.patch.priorityClassName | string | `""` | Provide a priority class name to the webhook patching job # |
 | controller.admissionWebhooks.patch.rbac | object | `{"create":true}` | Admission webhook patch job RBAC |
 | controller.admissionWebhooks.patch.rbac.create | bool | `true` | Create RBAC or not |
+| controller.admissionWebhooks.patch.runtimeClassName | string | `""` | Instruct the kubelet to use the named RuntimeClass to run the pod |
 | controller.admissionWebhooks.patch.securityContext | object | `{}` | Security context for secret creation & webhook patch pods |
 | controller.admissionWebhooks.patch.serviceAccount | object | `{"automountServiceAccountToken":true,"create":true,"name":""}` | Admission webhook patch job service account |
 | controller.admissionWebhooks.patch.serviceAccount.automountServiceAccountToken | bool | `true` | Auto-mount service account token or not |
@@ -438,6 +439,7 @@ metadata:
 | controller.reportNodeInternalIp | bool | `false` | Bare-metal considerations via the host network https://kubernetes.github.io/ingress-nginx/deploy/baremetal/#via-the-host-network Ingress status was blank because there is no Service exposing the Ingress-Nginx Controller in a configuration using the host network, the default --publish-service flag used in standard cloud setups does not apply |
 | controller.resources.requests.cpu | string | `"100m"` | |
 | controller.resources.requests.memory | string | `"90Mi"` | |
+| controller.runtimeClassName | string | `""` | Instruct the kubelet to use the named RuntimeClass to run the pod |
 | controller.scope.enabled | bool | `false` | Enable 'scope' or not |
 | controller.scope.namespace | string | `""` | Namespace to limit the controller to; defaults to $(POD_NAMESPACE) |
 | controller.scope.namespaceSelector | string | `""` | When scope.enabled == false, instead of watching all namespaces, we watching namespaces whose labels only match with namespaceSelector. Format like foo=bar. Defaults to empty, means watching all namespaces. |
@@ -549,6 +551,7 @@ metadata:
 | defaultBackend.readinessProbe.timeoutSeconds | int | `5` | |
 | defaultBackend.replicaCount | int | `1` | |
 | defaultBackend.resources | object | `{}` | |
+| defaultBackend.runtimeClassName | string | `""` | Instruct the kubelet to use the named RuntimeClass to run the pod |
 | defaultBackend.service.annotations | object | `{}` | |
 | defaultBackend.service.clusterIPs | list | `[]` | Pre-defined cluster internal IP addresses of the default backend service. Take care of collisions with existing services. This value is immutable. Set once, it can not be changed without deleting and re-creating the service. Ref: https://kubernetes.io/docs/concepts/services-networking/service/#choosing-your-own-ip-address |
 | defaultBackend.service.externalIPs | list | `[]` | List of IP addresses at which the default backend service is available # Ref: https://kubernetes.io/docs/concepts/services-networking/service/#external-ips # |
diff --git a/charts/ingress-nginx/templates/admission-webhooks/job-patch/job-createSecret.yaml b/charts/ingress-nginx/templates/admission-webhooks/job-patch/job-createSecret.yaml
index bb31e60ba4..0d3c863042 100644
--- a/charts/ingress-nginx/templates/admission-webhooks/job-patch/job-createSecret.yaml
+++ b/charts/ingress-nginx/templates/admission-webhooks/job-patch/job-createSecret.yaml
@@ -37,6 +37,9 @@ spec:
 {{- if .Values.controller.admissionWebhooks.patch.priorityClassName }}
 priorityClassName: {{ .Values.controller.admissionWebhooks.patch.priorityClassName }}
 {{- end }}
+ {{- if .Values.controller.admissionWebhooks.patch.runtimeClassName }}
+ runtimeClassName: {{ .Values.controller.admissionWebhooks.patch.runtimeClassName | quote }}
+ {{- end }}
 {{- if .Values.imagePullSecrets }}
 imagePullSecrets: {{ toYaml .Values.imagePullSecrets | nindent 8 }}
 {{- end }}
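Review bot: No chart test visible in this diff renders `controller.admissionWebhooks.patch.runtimeClassName`: the added `{{- if … }}` block in job-createSecret.yaml, the identical block in job-patchWebhook.yaml and the `defaultBackend.runtimeClassName` block in default-backend-deployment.yaml are not exercised by the new cases, which cover only the controller DaemonSet and Deployment. One case per template that sets the value and asserts `spec.template.spec.runtimeClassName`, plus one that leaves it at `""` and asserts the field is absent, would catch a wrong values path or a mis-indented key. This matters more for the two jobs than for the controller, because a pod spec that names the wrong or a missing RuntimeClass is rejected at admission and these jobs presumably have to complete before the webhook is usable. The enclosing pod spec starts and ends outside the hunk.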
diff --git a/charts/ingress-nginx/templates/admission-webhooks/job-patch/job-patchWebhook.yaml b/charts/ingress-nginx/templates/admission-webhooks/job-patch/job-patchWebhook.yaml
index cf757c98bc..263cbbf77e 100644
--- a/charts/ingress-nginx/templates/admission-webhooks/job-patch/job-patchWebhook.yaml
+++ b/charts/ingress-nginx/templates/admission-webhooks/job-patch/job-patchWebhook.yaml
@@ -37,6 +37,9 @@ spec:
 {{- if .Values.controller.admissionWebhooks.patch.priorityClassName }}
 priorityClassName: {{ .Values.controller.admissionWebhooks.patch.priorityClassName }}
 {{- end }}
+ {{- if .Values.controller.admissionWebhooks.patch.runtimeClassName }}
+ runtimeClassName: {{ .Values.controller.admissionWebhooks.patch.runtimeClassName | quote }}
+ {{- end }}
 {{- if .Values.imagePullSecrets }}
 imagePullSecrets: {{ toYaml .Values.imagePullSecrets | nindent 8 }}
 {{- end }}
diff --git a/charts/ingress-nginx/templates/controller-daemonset.yaml b/charts/ingress-nginx/templates/controller-daemonset.yaml
index 804ff56d9d..a9a3dee399 100644
--- a/charts/ingress-nginx/templates/controller-daemonset.yaml
+++ b/charts/ingress-nginx/templates/controller-daemonset.yaml
@@ -57,6 +57,9 @@ spec:
 {{- if .Values.controller.priorityClassName }}
 priorityClassName: {{ .Values.controller.priorityClassName | quote }}
 {{- end }}
+ {{- if .Values.controller.runtimeClassName }}
+ runtimeClassName: {{ .Values.controller.runtimeClassName | quote }}
+ {{- end }}
 {{- if or .Values.controller.podSecurityContext .Values.controller.sysctls }}
 securityContext:
 {{- if .Values.controller.podSecurityContext }}
diff --git a/charts/ingress-nginx/templates/controller-deployment.yaml b/charts/ingress-nginx/templates/controller-deployment.yaml
index da8ce97d3e..224694d1b3 100644
--- a/charts/ingress-nginx/templates/controller-deployment.yaml
+++ b/charts/ingress-nginx/templates/controller-deployment.yaml
@@ -63,6 +63,9 @@ spec:
 {{- if .Values.controller.priorityClassName }}
 priorityClassName: {{ .Values.controller.priorityClassName | quote }}
 {{- end }}
+ {{- if .Values.controller.runtimeClassName }}
+ runtimeClassName: {{ .Values.controller.runtimeClassName | quote }}
+ {{- end }}
 {{- if or .Values.controller.podSecurityContext .Values.controller.sysctls }}
 securityContext:
 {{- if .Values.controller.podSecurityContext }}
diff --git a/charts/ingress-nginx/templates/default-backend-deployment.yaml b/charts/ingress-nginx/templates/default-backend-deployment.yaml
index 4a17f74441..75c3d09cbf 100644
--- a/charts/ingress-nginx/templates/default-backend-deployment.yaml
+++ b/charts/ingress-nginx/templates/default-backend-deployment.yaml
@@ -45,6 +45,9 @@ spec:
 {{- if .Values.defaultBackend.priorityClassName }}
 priorityClassName: {{ .Values.defaultBackend.priorityClassName }}
 {{- end }}
+ {{- if .Values.defaultBackend.runtimeClassName }}
+ runtimeClassName: {{ .Values.defaultBackend.runtimeClassName | quote }}
+ {{- end }}
 {{- if .Values.defaultBackend.podSecurityContext }}
 securityContext: {{ toYaml .Values.defaultBackend.podSecurityContext | nindent 8 }}
 {{- end }}
diff --git a/charts/ingress-nginx/tests/controller-daemonset_test.yaml b/charts/ingress-nginx/tests/controller-daemonset_test.yaml
index 0321fd3763..9f79a3b23d 100644
--- a/charts/ingress-nginx/tests/controller-daemonset_test.yaml
+++ b/charts/ingress-nginx/tests/controller-daemonset_test.yaml
@@ -199,3 +199,12 @@ tests:
 - equal:
 path: spec.template.spec.automountServiceAccountToken
 value: false
+
+ - it: should create a DaemonSet with a custom runtime if `controller.runtimeClassName` is set
+ set:
+ controller.kind: DaemonSet
+ controller.runtimeClassName: myClass
+ asserts:
+ - equal:
+ path: spec.template.spec.runtimeClassName
+ value: myClass
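Review bot: The fixture value `myClass` in the new DaemonSet case is not a name the API server accepts, because a pod's `runtimeClassName` is validated as a lowercase DNS subdomain; the template renders and the test passes, but a pod carrying this value would be rejected. A realistic value keeps the fixture copy-paste safe, for example `controller.runtimeClassName: my-runtime-class` with `value: my-runtime-class` (constructed name). The Deployment case added in controller-deployment_test.yaml uses the same value and needs the same change. Neither case asserts that the field is omitted when the value stays at its default `""`, which is the path most installs take.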
diff --git a/charts/ingress-nginx/tests/controller-deployment_test.yaml b/charts/ingress-nginx/tests/controller-deployment_test.yaml
index 18306079eb..37b6908853 100644
--- a/charts/ingress-nginx/tests/controller-deployment_test.yaml
+++ b/charts/ingress-nginx/tests/controller-deployment_test.yaml
@@ -223,3 +223,11 @@ tests:
 - equal:
 path: spec.template.spec.automountServiceAccountToken
 value: false
+
+ - it: should create a Deployment with a custom runtime if `controller.runtimeClassName` is set
+ set:
+ controller.runtimeClassName: myClass
+ asserts:
+ - equal:
+ path: spec.template.spec.runtimeClassName
+ value: myClass
diff --git a/charts/ingress-nginx/values.yaml b/charts/ingress-nginx/values.yaml
index a06b49d106..15152afd64 100644
--- a/charts/ingress-nginx/values.yaml
+++ b/charts/ingress-nginx/values.yaml
@@ -78,6 +78,8 @@ controller:
 # By default, while using host network, name resolution uses the host's DNS. If you wish nginx-controller
 # to keep resolving names inside the k8s network, use ClusterFirstWithHostNet.
 dnsPolicy: ClusterFirst
+ # -- Instruct the kubelet to use the named RuntimeClass to run the pod
+ runtimeClassName: ""
 # -- Bare-metal considerations via the host network https://kubernetes.github.io/ingress-nginx/deploy/baremetal/#via-the-host-network
 # Ingress status was blank because there is no Service exposing the Ingress-Nginx Controller in a configuration using the host network, the default --publish-service flag used in standard cloud setups does not apply
 reportNodeInternalIp: false
@@ -822,6 +824,8 @@ controller:
 # -- Provide a priority class name to the webhook patching job
 ##
 priorityClassName: ""
+ # -- Instruct the kubelet to use the named RuntimeClass to run the pod
+ runtimeClassName: ""
 podAnnotations: {}
 # NetworkPolicy for webhook patch
 networkPolicy:
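Review bot: The new comment on `controller.runtimeClassName` in values.yaml does not state the precondition or the failure mode: the RuntimeClass must already exist in the cluster, a pod that names a missing one is rejected at admission, and the default `""` omits the field so the cluster's default runtime is used. I would write it as `# -- Name of an existing RuntimeClass to run the pod with (e.g. a sandboxed runtime). Empty omits the field and uses the cluster default; pods are rejected if the class does not exist.` The same wording fits `controller.admissionWebhooks.patch.runtimeClassName` in the second hunk and `defaultBackend.runtimeClassName` in the third. Because the surrounding context documents host-network operation, a further sentence noting that a RuntimeClass can add its own node selector, tolerations and pod overhead, and that some sandboxed runtimes may not support `hostNetwork`, would tell operators to validate the combination before rollout. The README rows carry the same text and would need to follow.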
@@ -1195,6 +1199,8 @@ defaultBackend:
 servicePort: 80
 type: ClusterIP
 priorityClassName: ""
+ # -- Instruct the kubelet to use the named RuntimeClass to run the pod
+ runtimeClassName: ""
 # -- Labels to be added to the default backend resources
 labels: {}
 ## Enable RBAC as per https://github.com/kubernetes/ingress-nginx/blob/main/docs/deploy/rbac.md and https://github.com/kubernetes/ingress-nginx/issues/266