nginx-kubernetes-manifest
# ClusterIP Service (no `type` is set, so it is cluster-internal) in front of
# the pods labelled app=nginx. External exposure (Ingress / load balancer) is
# not part of this manifest; note that how traffic reaches the Service decides
# which source address nginx sees for its per-IP rate limiting (see the
# ConfigMap's ratelimit.conf).
apiVersion: v1
kind: Service
metadata:
  name: nginx
  labels:
    app: nginx
spec:
  selector:
    app: nginx
  ports:
    # Both port and targetPort are 8080: the unprivileged nginx image runs as
    # uid 101 and cannot bind 80. Must match the Deployment's containerPort.
    - port: 8080
      name: alt-http
      targetPort: 8080
      protocol: TCP
---
# nginx configuration fragments. The Deployment mounts every key below under
# /etc/nginx/conf.d/. The stock nginx.conf in the image includes
# conf.d/*.conf at http context, so the three *.conf keys are loaded
# automatically; `ratelimit_whiltelist` has no .conf suffix and is only read
# through the explicit include inside the geo block.
apiVersion: v1
kind: ConfigMap
metadata:
  name: conf
data:
  ratelimit.conf: |
    # Per-client bucket keyed on $limit (computed by the map below) in 10m of
    # shared memory, 1 request/s per key. limit_req does not count requests
    # whose key is empty, which is how whitelisted sources bypass the limit.
    limit_req_zone $limit zone=limit_zone:10m rate=1r/s;
    # Rejected requests get 429 instead of nginx's default 503.
    limit_req_status 429;
    # geo matches on $remote_addr, i.e. the TCP peer address.
    # NOTE(review): behind a NAT'ing NodePort/LoadBalancer or an ingress
    # proxy every client can appear as one address (a single shared bucket)
    # or as an in-VPC address (no limit at all) — confirm the real client IP
    # actually reaches this pod (externalTrafficPolicy/realip) before relying
    # on this as abuse protection.
    # Entries in the included file set $whitelist=0 for trusted sources;
    # everything else falls through to the default of 1 (= rate limited).
    geo $whitelist {
        default 1;
        include /etc/nginx/conf.d/ratelimit_whiltelist;
    }
    # $whitelist 0 -> empty key (exempt); 1 -> key on the client address.
    map $whitelist $limit {
        0 "";
        1 $binary_remote_addr;
    }
  default.conf: |
    # Ignore kube probes from the logs by user agent filtering
    # (kubelet sends User-Agent "kube-probe/<version>"). This only silences
    # access logging; probe requests still go through limit_req below.
    map $http_user_agent $ignore_ua {
        default 0;
        "~kube-probe" 1;
    }
    server {
        # 8080 on IPv4 and IPv6: the unprivileged image cannot bind port 80.
        listen 8080;
        listen [::]:8080;
        root /usr/share/nginx/html;
        index index.html index.htm;
        # Hide the nginx version in the Server header and error pages.
        server_tokens off;
        location / {
            if ($ignore_ua) {
                access_log off;
            }
            # burst=1 nodelay: one request above 1r/s is served immediately,
            # anything beyond that is answered with 429.
            # NOTE(review): liveness and readiness both GET "/" every 10s;
            # if the kubelet's source address is not in the whitelist they
            # share this bucket, and a 429 counts as a failed probe.
            limit_req zone=limit_zone burst=1 nodelay;
            # Read-only endpoint: GET (nginx implicitly allows HEAD with it);
            # every other method is answered 403.
            limit_except GET { deny all; }
        }
        location = /favicon.ico {
            # Same limit and method policy as "/", but never logged, and a
            # missing favicon does not pollute the error log either.
            limit_req zone=limit_zone burst=1 nodelay;
            access_log off;
            log_not_found off;
            limit_except GET { deny all; }
        }
    }
  allow.conf: |
    # VPC internal subnet
    # NOTE(review): this is loaded at http context via conf.d/*.conf, but a
    # lone `allow` with no trailing `deny all;` restricts nothing — the access
    # module permits any address that matches no rule — so as written this
    # file is a no-op. Add `deny all;` after it only if non-VPC clients (e.g.
    # the WARP ranges whitelisted below) are meant to be blocked outright
    # rather than merely rate-limited.
    allow 10.99.0.0/16;
  ratelimit_whiltelist: |
    # Included inside `geo $whitelist`: "<cidr> 0;" marks a trusted source
    # whose requests bypass limit_req. The key's spelling must stay in sync
    # with the include directive above and the volume item path in the
    # Deployment, otherwise nginx fails to start on a missing include file.
    # VPC internal subnet
    10.99.0.0/16 0;
    # WARP
    8.29.230.200/32 0;
    8.29.231.200/32 0;
    2a09:bac0:1000:200::/64 0;
    2a09:bac0:1001:200::/64 0;
---
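# Two-replica static nginx Deployment hardened for a restricted Pod Security
# profile: non-root (uid 101, the nginx user of the unprivileged image), all
# capabilities dropped, no privilege escalation, read-only root filesystem,
# RuntimeDefault seccomp, and no service-account token mounted. The only
# writable path is the /tmp emptyDir (presumably where the nginx-unprivileged
# image keeps its pid file and cache dirs — verify against the image docs).
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx
spec:
  strategy:
    type: RollingUpdate
  selector:
    matchLabels:
      app: nginx
  replicas: 2
  template:
    metadata:
      labels:
        app: nginx
    spec:
      # A static file server never talks to the API server; don't give it a
      # Kubernetes credential that an RCE in the container could replay.
      automountServiceAccountToken: false
      containers:
        - name: nginx
          # NOTE(review): a floating tag combined with IfNotPresent means each
          # node keeps running whichever build it cached first. Pin to an
          # @sha256 digest for reproducible, verifiable rollouts.
          image: nginxinc/nginx-unprivileged:1.27-alpine
          imagePullPolicy: IfNotPresent
          ports:
            - containerPort: 8080
          volumeMounts:
            # The image's whole conf.d is replaced by the ConfigMap content,
            # read-only. Because this is a subPath mount, ConfigMap edits are
            # NOT propagated into running pods — roll the Deployment after a
            # config change.
            - mountPath: /etc/nginx/conf.d
              readOnly: true
              name: conf
              subPath: conf.d
            # Only writable location, needed because the root fs is read-only.
            - mountPath: /tmp
              name: tmp
          securityContext:
            capabilities:
              drop:
                - ALL
            runAsNonRoot: true
            runAsUser: 101
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            seccompProfile:
              type: "RuntimeDefault"
          resources:
            requests:
              cpu: 10m
              memory: 16Mi
            limits:
              cpu: 100m
              memory: 32Mi
          # All three probes GET "/" on 8080. The kubelet's User-Agent keeps
          # them out of the access log, but they are still subject to
          # limit_req in default.conf unless the node's source address is in
          # the rate-limit whitelist.
          startupProbe:
            httpGet:
              path: /
              port: 8080
            failureThreshold: 12   # 12 x 5s = up to 60s before liveness takes over
            periodSeconds: 5
          livenessProbe:
            httpGet:
              path: /
              port: 8080
            timeoutSeconds: 1
            successThreshold: 1
            failureThreshold: 5
            periodSeconds: 10
          readinessProbe:
            httpGet:
              path: /
              port: 8080
            timeoutSeconds: 1
            successThreshold: 1
            failureThreshold: 5
            periodSeconds: 10
          lifecycle:
            preStop:
              # Keep serving briefly so endpoint removal propagates before the
              # container is signalled; must stay below
              # terminationGracePeriodSeconds (30s default).
              exec:
                command: [ "sleep", "10" ]
      volumes:
        - name: tmp
          emptyDir: {}
        - name: conf
          configMap:
            name: conf
            # Files are placed under conf.d/ inside the volume so that the
            # subPath mount above presents that directory as /etc/nginx/conf.d.
            # Key names must match the ConfigMap exactly (including
            # `ratelimit_whiltelist`, which the geo block includes by path).
            items:
              - key: default.conf
                path: conf.d/default.conf
              - key: allow.conf
                path: conf.d/allow.conf
              - key: ratelimit.conf
                path: conf.d/ratelimit.conf
              - key: ratelimit_whiltelist
                path: conf.d/ratelimit_whiltelist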