I'm connecting Traefik to my Kubernetes 1.7.2 cluster. My cluster uses RBAC, and the guide for toml does not include anything about rbac.
I get the certificate by running (and putting it in /root/projects/certs/ca.crt):
cat ~/.kube/config | grep client-certificate-data | tr -d ' ' | cut -d ":" -f2 | base64 -d
And the token by running :
kubectl get secrets default-token-mnxss -o jsonpath='{.data.token}' | base64 -d
My toml looks like this now :
InsecureSkipVerify = true
defaultEntryPoints = ["http", "https"]
[entryPoints]
[entryPoints.http]
address = ":80"
[entryPoints.http.redirect]
entryPoint = "https"
[entryPoints.https]
address = ":443"
[entryPoints.https.tls]
[[entryPoints.https.tls.certificates]]
CertFile = "/certs/kubernetes.pem"
KeyFile = "/certs/kubernetes-key.pem"
[web]
address = ":8080"
ReadOnly = true
[kubernetes]
endpoint = "https://192.168.100.226:6443"
token="eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJkZWZhdWx0Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZWNyZXQubmFtZSI6ImRlZmF1bHQtdG9rZW4tbW54c3MiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC5uYW1lIjoiZGVmYXVsdCIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50LnVpZCI6ImQxNjYxZWIyLTc1Y2EtMTFlNy1iY2Q4LTUyNTQwMDI2OGU5YSIsInN1YiI6InN5c3RlbTpzZXJ2aWNlYWNjb3VudDpkZWZhdWx0OmRlZmF1bHQifQ.xHVMxmFm8e8SkfHQxaxh_UjocWeHr_GoAvkMfrZUyMrleqxj5LQg_fHfpaWNcKePF3AfLmDn7COILiPNAoknF9OqaQzSXRoch0i8omFIbTtf3d5fe7z3psHBCE827tdtnV_9VNejFWC6VWRhxmkHz6_9x1LeLvYWOXPet5_97A254UUvJVQouriq3Y9GqIZiWdCIzU4yC9wQbYCG5s_Sy9pVELsRAGuVNYMA6-UH4rjUDrtn0fBxah89XjBlqJ8FB1darByqmY0Ws-3IX6AB1PGPKrQdz9kI2Yzg_ftobUJNcjM3oeQ4acx4EO9zu_5WMl7PnrVfO3tWZHHXRa-6IA"
certAuthFilePath = "/root/projects/certs/ca.crt"
# Kubernetes server endpoint
#endpoint = "http://localhost:8001"
#endpoint = "https://192.168.100.226:6443"
#namespaces = ["default","kube-system"]
I still get :
ERROR: logging before flag.Parse: E0804 04:02:54.161007 12874 reflector.go:199] github.com/containous/traefik/vendor/k8s.io/client-go/tools/cache/reflector.go:94: Failed to list *v1.Service: the server does not allow access to the requested resource (get services)
ERROR: logging before flag.Parse: E0804 04:02:54.161070 12874 reflector.go:199] github.com/containous/traefik/vendor/k8s.io/client-go/tools/cache/reflector.go:94: Failed to list *v1beta1.Ingress: the server does not allow access to the requested resource (get ingresses.extensions)
ERROR: logging before flag.Parse: E0804 04:02:54.161089 12874 reflector.go:199] github.com/containous/traefik/vendor/k8s.io/client-go/tools/cache/reflector.go:94: Failed to list *v1.Endpoints: the server does not allow access to the requested resource (get endpoints)
ERROR: logging before flag.Parse: E0804 04:02:54.162291 12874 reflector.go:199] github.com/containous/traefik/vendor/k8s.io/client-go/tools/cache/reflector.go:94: Failed to list *v1.Secret: the server does not allow access to the requested resource (get secrets)
ERROR: logging before flag.Parse: E0804 04:02:55.174304 12874 reflector.go:199] github.com/containous/traefik/vendor/k8s.io/client-go/tools/cache/reflector.go:94: Failed to list *v1.Secret: the server does not allow access to the requested resource (get secrets)
ERROR: logging before flag.Parse: E0804 04:02:55.174399 12874 reflector.go:199] github.com/containous/traefik/vendor/k8s.io/client-go/tools/cache/reflector.go:94: Failed to list *v1.Service: the server does not allow access to the requested resource (get services)
ERROR: logging before flag.Parse: E0804 04:02:55.174474 12874 reflector.go:199] github.com/containous/traefik/vendor/k8s.io/client-go/tools/cache/reflector.go:94: Failed to list *v1.Endpoints: the server does not allow access to the requested resource (get endpoints)
ERROR: logging before flag.Parse: E0804 04:02:55.176349 12874 reflector.go:199] github.com/containous/traefik/vendor/k8s.io/client-go/tools/cache/reflector.go:94: Failed to list *v1beta1.Ingress: the server does not allow access to the requested resource (get ingresses.extensions)
The service account name does not go into the TOML configuration but the specification of your Deployment/DaemonSet manifest.
The Traefik guide shows an example. Following is just the minimum YAML for a Deployment to see where the service account name needs to go indentation-wise:
kind: Deployment
apiVersion: extensions/v1beta1
spec:
template:
spec:
serviceAccountName: traefik-ingress-controller
Note that this example assumes you have set up a service account by the name traefik-ingress-controller
and bound proper RBAC rules to it. The guide also provides additional and consistent manifests for both.
If you want to run Traefik out-of-cluster, you'll have to set the three parameters endpoint
, token
, and certAuthFilePath
. The token should be the one associated with your service account's secret that Kubernetes creates automatically. To extract the token, do the following:
kubectl get secrets --namespace=<the service account's namespace>
.kubectl get secrets <the service account's secret> --namespace=<the service account's namespace> -o jsonpath='{.data.token}' | base64 -D
.Finally, set that token in your TOML configuration file.
You can get the CA certificate from the secrets object similarly. However, it's public and likely more easily accessible from elsewhere (like your cluster's management console or inside $HOME/.kube/config
).