traefik

Defining RBAC in traefik toml file


I'm connecting Traefik to my Kubernetes 1.7.2 cluster. My cluster uses RBAC, and the guide for the TOML file does not include anything about RBAC.

I get the certificate by running (and putting it in /root/projects/certs/ca.crt):

cat ~/.kube/config | grep client-certificate-data | tr -d ' ' | cut -d ":" -f2 | base64 -d

And the token by running:

kubectl get secrets default-token-mnxss -o jsonpath='{.data.token}' | base64 -d

My TOML looks like this now:

InsecureSkipVerify = true

defaultEntryPoints = ["http", "https"]

[entryPoints]
[entryPoints.http]
  address = ":80"
[entryPoints.http.redirect]
  entryPoint = "https"
[entryPoints.https]
  address = ":443"
[entryPoints.https.tls]

[[entryPoints.https.tls.certificates]]
CertFile = "/certs/kubernetes.pem"
KeyFile = "/certs/kubernetes-key.pem"

[web]
address = ":8080"
ReadOnly = true

[kubernetes]
endpoint = "https://192.168.100.226:6443"

token="eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJkZWZhdWx0Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZWNyZXQubmFtZSI6ImRlZmF1bHQtdG9rZW4tbW54c3MiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC5uYW1lIjoiZGVmYXVsdCIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50LnVpZCI6ImQxNjYxZWIyLTc1Y2EtMTFlNy1iY2Q4LTUyNTQwMDI2OGU5YSIsInN1YiI6InN5c3RlbTpzZXJ2aWNlYWNjb3VudDpkZWZhdWx0OmRlZmF1bHQifQ.xHVMxmFm8e8SkfHQxaxh_UjocWeHr_GoAvkMfrZUyMrleqxj5LQg_fHfpaWNcKePF3AfLmDn7COILiPNAoknF9OqaQzSXRoch0i8omFIbTtf3d5fe7z3psHBCE827tdtnV_9VNejFWC6VWRhxmkHz6_9x1LeLvYWOXPet5_97A254UUvJVQouriq3Y9GqIZiWdCIzU4yC9wQbYCG5s_Sy9pVELsRAGuVNYMA6-UH4rjUDrtn0fBxah89XjBlqJ8FB1darByqmY0Ws-3IX6AB1PGPKrQdz9kI2Yzg_ftobUJNcjM3oeQ4acx4EO9zu_5WMl7PnrVfO3tWZHHXRa-6IA"

certAuthFilePath = "/root/projects/certs/ca.crt"

# Kubernetes server endpoint
#endpoint = "http://localhost:8001"
#endpoint = "https://192.168.100.226:6443"
#namespaces = ["default","kube-system"]

I still get:

ERROR: logging before flag.Parse: E0804 04:02:54.161007   12874 reflector.go:199] github.com/containous/traefik/vendor/k8s.io/client-go/tools/cache/reflector.go:94: Failed to list *v1.Service: the server does not allow access to the requested resource (get services)
ERROR: logging before flag.Parse: E0804 04:02:54.161070   12874 reflector.go:199] github.com/containous/traefik/vendor/k8s.io/client-go/tools/cache/reflector.go:94: Failed to list *v1beta1.Ingress: the server does not allow access to the requested resource (get ingresses.extensions)
ERROR: logging before flag.Parse: E0804 04:02:54.161089   12874 reflector.go:199] github.com/containous/traefik/vendor/k8s.io/client-go/tools/cache/reflector.go:94: Failed to list *v1.Endpoints: the server does not allow access to the requested resource (get endpoints)
ERROR: logging before flag.Parse: E0804 04:02:54.162291   12874 reflector.go:199] github.com/containous/traefik/vendor/k8s.io/client-go/tools/cache/reflector.go:94: Failed to list *v1.Secret: the server does not allow access to the requested resource (get secrets)
ERROR: logging before flag.Parse: E0804 04:02:55.174304   12874 reflector.go:199] github.com/containous/traefik/vendor/k8s.io/client-go/tools/cache/reflector.go:94: Failed to list *v1.Secret: the server does not allow access to the requested resource (get secrets)
ERROR: logging before flag.Parse: E0804 04:02:55.174399   12874 reflector.go:199] github.com/containous/traefik/vendor/k8s.io/client-go/tools/cache/reflector.go:94: Failed to list *v1.Service: the server does not allow access to the requested resource (get services)
ERROR: logging before flag.Parse: E0804 04:02:55.174474   12874 reflector.go:199] github.com/containous/traefik/vendor/k8s.io/client-go/tools/cache/reflector.go:94: Failed to list *v1.Endpoints: the server does not allow access to the requested resource (get endpoints)
ERROR: logging before flag.Parse: E0804 04:02:55.176349   12874 reflector.go:199] github.com/containous/traefik/vendor/k8s.io/client-go/tools/cache/reflector.go:94: Failed to list *v1beta1.Ingress: the server does not allow access to the requested resource (get ingresses.extensions)
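The denial messages above name exactly which resources Traefik's informers were refused, so they can be turned into the minimum set of RBAC grants instead of reaching for cluster-admin. The following is an added example, not code from the question or from Traefik: it parses reflector errors of the shape shown above (the sample lines are constructed, abridged copies), derives the (apiGroup, resource, verb) tuples an informer needs, and checks a candidate set of PolicyRules against them. `TRAEFIK_RULES` is my transcription of the ClusterRole from the Traefik 1.x Kubernetes guide and should be treated as an assumption; all function names are mine.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed sample: abridged copies of the reflector errors Traefik logs when
# its service account lacks RBAC grants (same shape as the lines in the question).
SAMPLE_LOG = """\
E0804 04:02:54.161007   12874 reflector.go:199] reflector.go:94: Failed to list *v1.Service: the server does not allow access to the requested resource (get services)
E0804 04:02:54.161070   12874 reflector.go:199] reflector.go:94: Failed to list *v1beta1.Ingress: the server does not allow access to the requested resource (get ingresses.extensions)
E0804 04:02:54.161089   12874 reflector.go:199] reflector.go:94: Failed to list *v1.Endpoints: the server does not allow access to the requested resource (get endpoints)
E0804 04:02:54.162291   12874 reflector.go:199] reflector.go:94: Failed to list *v1.Secret: the server does not allow access to the requested resource (get secrets)
"""

# The apiserver's denial names the verb and the (possibly group-qualified) resource.
DENIED_RE = re.compile(
    r"does not allow access to the requested resource \((?P<verb>\w+) (?P<resource>[\w.-]+)\)"
)

# A client-go reflector lists and then watches a resource, so a denied informer
# needs list and watch in addition to whatever verb the message names.
INFORMER_VERBS = {"list", "watch"}

Requirement = Tuple[str, str, str]  # (apiGroup, resource, verb); "" is the core group


def split_resource(qualified: str) -> Tuple[str, str]:
    """'ingresses.extensions' -> ('extensions', 'ingresses'); 'services' -> ('', 'services')."""
    resource, _, group = qualified.partition(".")
    return group, resource


def required_from_log(log: str) -> Set[Requirement]:
    """Collect every (group, resource, verb) the log shows being refused."""
    required: Set[Requirement] = set()
    for line in log.splitlines():
        match = DENIED_RE.search(line)
        if not match:
            continue
        group, resource = split_resource(match.group("resource"))
        for verb in INFORMER_VERBS | {match.group("verb")}:
            required.add((group, resource, verb))
    return required


def rule_allows(rule: Dict[str, List[str]], req: Requirement) -> bool:
    """Does one PolicyRule-shaped dict grant the requirement? '*' matches anything."""
    group, resource, verb = req

    def matches(values: List[str], wanted: str) -> bool:
        return "*" in values or wanted in values

    return (matches(rule.get("apiGroups", []), group)
            and matches(rule.get("resources", []), resource)
            and matches(rule.get("verbs", []), verb))


def missing_grants(rules: List[Dict[str, List[str]]], required: Set[Requirement]) -> List[Requirement]:
    """Requirements that no rule in the role covers, sorted for stable reporting."""
    return sorted(r for r in required if not any(rule_allows(rule, r) for rule in rules))


def minimal_rules(required: Set[Requirement]) -> List[Dict[str, List[str]]]:
    """Fold requirements into one rule per API group (resources in a group share verbs here)."""
    by_group: Dict[str, Dict[str, Set[str]]] = {}
    for group, resource, verb in required:
        entry = by_group.setdefault(group, {"resources": set(), "verbs": set()})
        entry["resources"].add(resource)
        entry["verbs"].add(verb)
    return [{"apiGroups": [g], "resources": sorted(v["resources"]), "verbs": sorted(v["verbs"])}
            for g, v in sorted(by_group.items())]


# Assumption: my transcription of the ClusterRole from the Traefik 1.x Kubernetes guide.
TRAEFIK_RULES = [
    {"apiGroups": [""], "resources": ["services", "endpoints", "secrets"], "verbs": ["get", "list", "watch"]},
    {"apiGroups": ["extensions"], "resources": ["ingresses"], "verbs": ["get", "list", "watch"]},
]

NO_RULES: List[Dict[str, List[str]]] = []  # what an unbound service account effectively has under RBAC

if __name__ == "__main__":
    needed = required_from_log(SAMPLE_LOG)
    print("unbound account is missing:", missing_grants(NO_RULES, needed))
    print("guide ClusterRole is missing:", missing_grants(TRAEFIK_RULES, needed))
    print("minimal rules derived from the log:", minimal_rules(SAMPLE_LOG and needed))
```

Running it against the sample log reports twelve missing grants for an account with no bindings and none for the guide's rules; `minimal_rules` yields the same two rules the guide uses, which is a useful sanity check that a role is neither too narrow (Traefik keeps logging these errors) nor broader than the controller needs.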

Solution

  • The service account name does not go into the TOML configuration but into the specification of your Deployment/DaemonSet manifest.

    The Traefik guide shows an example. Following is just the minimum YAML for a Deployment to see where the service account name needs to go indentation-wise:

    kind: Deployment
    apiVersion: extensions/v1beta1
    spec:
      template:
        spec:
          serviceAccountName: traefik-ingress-controller
    

    Note that this example assumes you have set up a service account by the name traefik-ingress-controller and bound proper RBAC rules to it. The guide also provides additional and consistent manifests for both.

    If you want to run Traefik out-of-cluster, you'll have to set the three parameters endpoint, token, and certAuthFilePath. The token should be the one associated with your service account's secret that Kubernetes creates automatically. To extract the token, do the following:

    1. Identify your service account's secret name from kubectl get secrets --namespace=<the service account's namespace>.
    2. Extract the token (note that all secrets are base64-encoded, so you'll need to decode): kubectl get secrets <the service account's secret> --namespace=<the service account's namespace> -o jsonpath='{.data.token}' | base64 -D.

    Finally, set that token in your TOML configuration file.

    You can get the CA certificate from the secrets object similarly. However, it's public and likely more easily accessible from elsewhere (like your cluster's management console or inside $HOME/.kube/config).
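When running out-of-cluster, the easiest mistake is to paste in a token that belongs to a different service account than the one the RBAC rules were bound to; the token's claims say which account it was issued for. The following is an added example, not code from the answer or from Traefik: it pulls `token` and `ca.crt` out of a secret as `kubectl get secret <name> -o json` would print it, decodes the service-account JWT's claims (without checking the signature, which only the apiserver can do), and confirms the account name and namespace match what the TOML is meant to use. The secret, both tokens and the placeholder signature are constructed for the demonstration; all function names are mine.

```python
import base64
import json
from typing import Dict, Tuple

EXPECTED_SA = "traefik-ingress-controller"  # the service account name the answer assumes
EXPECTED_NS = "kube-system"                 # assumption: where that account lives


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are unpadded base64url; restore the padding before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def sa_claims(name: str, namespace: str, secret_name: str) -> Dict[str, str]:
    """Claims in the shape the Kubernetes service-account token controller issues."""
    return {
        "iss": "kubernetes/serviceaccount",
        "kubernetes.io/serviceaccount/namespace": namespace,
        "kubernetes.io/serviceaccount/secret.name": secret_name,
        "kubernetes.io/serviceaccount/service-account.name": name,
        "sub": f"system:serviceaccount:{namespace}:{name}",
    }


def make_unsigned_token(claims: Dict[str, str]) -> str:
    """Constructed JWT-shaped string with a placeholder signature, for demonstration only."""
    header = _b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}.PLACEHOLDER-SIGNATURE"


def decode_token_payload(token: str) -> Dict[str, str]:
    """Return the claims of a service-account JWT. No signature verification is done here."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def token_matches(token: str, name: str, namespace: str) -> bool:
    """True only if every identifying claim names the expected account and namespace."""
    claims = decode_token_payload(token)
    return (claims.get("kubernetes.io/serviceaccount/service-account.name") == name
            and claims.get("kubernetes.io/serviceaccount/namespace") == namespace
            and claims.get("sub") == f"system:serviceaccount:{namespace}:{name}")


def extract_from_secret(secret_json: str) -> Tuple[str, str]:
    """Decode the base64 'token' and 'ca.crt' fields of a kubectl -o json secret dump."""
    data = json.loads(secret_json)["data"]
    token = base64.b64decode(data["token"]).decode()
    ca_pem = base64.b64decode(data["ca.crt"]).decode()
    return token, ca_pem


def check_secret(secret_json: str, name: str, namespace: str) -> Dict[str, object]:
    """Summarise whether a secret holds a usable token for the intended account."""
    token, ca_pem = extract_from_secret(secret_json)
    return {
        "sa_matches": token_matches(token, name, namespace),
        "ca_is_pem": ca_pem.startswith("-----BEGIN CERTIFICATE-----"),
        "issued_to": decode_token_payload(token).get("sub"),
    }


# Constructed tokens: one for the default account (as in the question's TOML) and one
# for the account the answer's manifest names.
DEFAULT_SA_TOKEN = make_unsigned_token(sa_claims("default", "default", "default-token-mnxss"))
TRAEFIK_TOKEN = make_unsigned_token(
    sa_claims(EXPECTED_SA, EXPECTED_NS, "traefik-ingress-controller-token-xxxxx"))

# Constructed secret, in the layout kubectl prints with -o json; the CA body is a placeholder.
SAMPLE_SECRET_JSON = json.dumps({
    "apiVersion": "v1",
    "kind": "Secret",
    "type": "kubernetes.io/service-account-token",
    "metadata": {"name": "traefik-ingress-controller-token-xxxxx", "namespace": EXPECTED_NS},
    "data": {
        "token": base64.b64encode(TRAEFIK_TOKEN.encode()).decode(),
        "ca.crt": base64.b64encode(
            b"-----BEGIN CERTIFICATE-----\nCONSTRUCTED-CA-PLACEHOLDER\n-----END CERTIFICATE-----\n").decode(),
    },
})

if __name__ == "__main__":
    print("default account's token:", token_matches(DEFAULT_SA_TOKEN, EXPECTED_SA, EXPECTED_NS))
    print("secret check:", check_secret(SAMPLE_SECRET_JSON, EXPECTED_SA, EXPECTED_NS))
```

The `sub` claim is the quickest thing to eyeball: a token whose subject reads `system:serviceaccount:default:default` carries no bindings you made for `traefik-ingress-controller`, so Traefik will keep logging the same access denials no matter what the TOML says.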