apiVersion: apps/v1 kind: Deployment metadata: labels: { app.kubernetes.io/name: pomerium } name: pomerium namespace: pomerium spec: replicas: 1 strategy: {type: Recreate} selector: matchLabels: { app.kubernetes.io/name: pomerium } template: metadata: labels: { app.kubernetes.io/name: pomerium } spec: containers: - args: - all-in-one - --pomerium-config=global - --update-status-from-service=$(POMERIUM_NAMESPACE)/pomerium-proxy - --metrics-bind-address=$(POD_IP):9090 env: - { name: TMPDIR, value: /tmp } - { name: XDG_CACHE_HOME, value: /tmp } - name: POMERIUM_NAMESPACE valueFrom: fieldRef: apiVersion: v1 fieldPath: metadata.namespace - name: POD_IP valueFrom: fieldRef: fieldPath: status.podIP image: pomerium/ingress-controller:sha-efe2d11 imagePullPolicy: IfNotPresent name: pomerium ports: - { containerPort: 8443, name: https, protocol: TCP } - { containerPort: 8080, name: http, protocol: TCP } - { containerPort: 9090, name: metrics, protocol: TCP } resources: limits: { cpu: 5000m, memory: 1Gi } requests: { cpu: 300m, memory: 200Mi } securityContext: allowPrivilegeEscalation: false readOnlyRootFilesystem: true runAsGroup: 1000 runAsNonRoot: true runAsUser: 1000 volumeMounts: - { mountPath: /tmp, name: tmp } - { mountPath: /data/autocert, name: autocert } - { mountPath: /.local, name: autocert } nodeSelector: kubernetes.io/os: linux securityContext: runAsNonRoot: true serviceAccountName: pomerium-controller terminationGracePeriodSeconds: 10 volumes: - { name: tmp, emptyDir: {} } - { name: autocert, persistentVolumeClaim: { claimName: autocert-data } } affinity: nodeAffinity: requiredDuringSchedulingIgnoredDuringExecution: nodeSelectorTerms: - matchExpressions: - key: "kubernetes.io/hostname" operator: In values: ["bang"] --- apiVersion: networking.k8s.io/v1 kind: IngressClass metadata: labels: app.kubernetes.io/name: pomerium name: pomerium spec: controller: pomerium.io/ingress-controller