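---
# Pomerium ingress controller, run in "all-in-one" mode (controller and proxy
# in a single container) as a single replica.
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app.kubernetes.io/name: pomerium
  name: pomerium
  namespace: pomerium
spec:
  replicas: 1
  # Recreate rather than RollingUpdate: the pod mounts the autocert PVC, so an
  # old and a new pod must not hold it at the same time (presumably a
  # ReadWriteOnce claim — confirm against the PVC definition).
  strategy:
    type: Recreate
  selector:
    matchLabels:
      app.kubernetes.io/name: pomerium
  template:
    metadata:
      labels:
        app.kubernetes.io/name: pomerium
    spec:
      containers:
        - name: pomerium
          # Pinned by tag only: `sha-efe2d11` is a mutable tag, not an immutable
          # digest. Pinning with `@sha256:<digest-from-registry>` guarantees the
          # deployed bytes cannot change underneath this manifest.
          image: pomerium/ingress-controller:sha-efe2d11
          imagePullPolicy: IfNotPresent
          args:
            - all-in-one
            - --pomerium-config=global
            # $(VAR) references are expanded by the kubelet from the env
            # entries declared below.
            - --update-status-from-service=$(POMERIUM_NAMESPACE)/pomerium-proxy
            - --metrics-bind-address=$(POD_IP):9090
          env:
            # The root filesystem is read-only (see securityContext), so
            # temp and cache writes are redirected to the writable /tmp mount.
            - name: TMPDIR
              value: /tmp
            - name: XDG_CACHE_HOME
              value: /tmp
            - name: POMERIUM_NAMESPACE
              valueFrom:
                fieldRef:
                  apiVersion: v1
                  fieldPath: metadata.namespace
            - name: POD_IP
              valueFrom:
                fieldRef:
                  apiVersion: v1
                  fieldPath: status.podIP
          ports:
            - name: https
              containerPort: 8443
              protocol: TCP
            - name: http
              containerPort: 8080
              protocol: TCP
            # Metrics listen on the pod IP (see --metrics-bind-address), not on
            # localhost; keep this port out of any externally reachable Service.
            - name: metrics
              containerPort: 9090
              protocol: TCP
          resources:
            limits:
              cpu: 5000m
              memory: 1Gi
            requests:
              cpu: 300m
              memory: 200Mi
          # Container hardening to the "restricted" Pod Security Standard:
          # fixed non-root UID/GID, no privilege escalation, read-only root
          # filesystem, every Linux capability dropped and the runtime-default
          # seccomp profile. All listening ports are above 1024, so no
          # capability is needed to bind them.
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            runAsNonRoot: true
            runAsUser: 1000
            runAsGroup: 1000
            capabilities:
              drop:
                - ALL
            seccompProfile:
              type: RuntimeDefault
          volumeMounts:
            - name: tmp
              mountPath: /tmp
            - name: autocert
              mountPath: /data/autocert
            # The same PVC is mounted a second time at /.local — presumably
            # for state the process keeps under $HOME/.local when HOME is /;
            # confirm before changing.
            - name: autocert
              mountPath: /.local
      nodeSelector:
        kubernetes.io/os: linux
      securityContext:
        runAsNonRoot: true
      serviceAccountName: pomerium-controller
      terminationGracePeriodSeconds: 10
      volumes:
        - name: tmp
          emptyDir: {}
        - name: autocert
          persistentVolumeClaim:
            claimName: autocert-data
      # Environment-specific: pins the pod to the single node named "ditto"
      # (presumably where the PVC's storage lives). Remove or parameterize
      # before reusing this manifest in another cluster.
      affinity:
        nodeAffinity:
          requiredDuringSchedulingIgnoredDuringExecution:
            nodeSelectorTerms:
              - matchExpressions:
                  - key: kubernetes.io/hostname
                    operator: In
                    values: ["ditto"]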
---
# IngressClass handled by the Pomerium ingress controller; Ingress resources
# opt in to it by name (ingressClassName).
apiVersion: networking.k8s.io/v1
kind: IngressClass
metadata:
  name: pomerium
  labels: { app.kubernetes.io/name: pomerium }
spec:
  controller: pomerium.io/ingress-controller