
Traefik v2 in Kubernetes: fails to deploy, does not see other services


I have been trying to run Traefik v2.x in minikube to check it and how it routes requests to the needed service. I am failing to get access to my services at all. It would be good to understand what I am doing wrong.

  • minikube is running in VirtualBox VM
  • VM box has lab IP address to which I want to send URL request
  • on my localhost I set hosts (mydomain.local and mydomain.com) to IP address of minikube VM


How to reproduce:

  1. create 2 namespaces new-ns and new-who
  2. set namespace to be default for Ingress: kubectl config set-context --current --namespace=new-ns

All yaml files can be found in https://github.com/vencrena-LT/traefik

  1. deploy CustomResourceDefinition
  2. deploy ClusterRole , ClusterRoleBinding and ServiceAccount (to new-ns namespace)
  3. deploy DaemonSet and Service (to new-ns namespace)

Then I would like to deploy 2 apps in both namespaces (for testing purposes):

  1. Deployment, Service and IngressRoute to new-ns namespace
  2. Deployment, Service and IngressRoute to new-new namespace

[Screenshots: Dashboard, Routes, LocalPod]

Some logs from the Traefik pod:

E0206 08:25:21.798628       1 reflector.go:127] pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:156: Failed to watch *v1alpha1.TLSStore: failed to list 
*v1alpha1.TLSStore: tlsstores.traefik.containo.us is forbidden: User "system:serviceaccount:new-ns:traefik-ingress-controller" cannot list resource "tlsstores" in API group "traefik.containo.us" at the cluster scope

E0206 08:25:34.653633       1 reflector.go:127] pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:156: Failed to watch *v1alpha1.ServersTransport: failed to list
*v1alpha1.ServersTransport: serverstransports.traefik.containo.us is forbidden: User "system:serviceaccount:new-ns:traefik-ingress-controller" cannot list resource "serverstransports" in API group "traefik.containo.us" at the cluster scope

E0206 08:26:02.857094       1 reflector.go:127] pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:156: Failed to watch *v1alpha1.IngressRouteUDP: failed to list
*v1alpha1.IngressRouteUDP: ingressrouteudps.traefik.containo.us is forbidden: User "system:serviceaccount:new-ns:traefik-ingress-controller" cannot list resource "ingressrouteudps" in API group "traefik.containo.us" at the cluster scope

Any hints on what I am doing wrong? Why can I not access mydomain.local and mydomain.com and see the whoami services? Why are no routes seen in the Traefik dashboard?


Solution

  • Your ClusterRole definition is a bit too thin:

    https://github.com/vencrena-LT/traefik/blob/main/2_roles.yml

    You could try to follow the example here:

    https://github.com/sleighzy/k3s-traefik-v2-kubernetes-crd

    For the question of why no routes are seen: Traefik will pick up routes from k8s when you specify

            - --providers.kubernetescrd
            - --providers.kubernetesingress
    

    Also, please be aware of the namespace where Traefik resides; you will apply IngressRoutes in that namespace.
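
The RBAC gap the answer points to can be read directly from the pod logs. The following is an added example (not from the original post or the linked repositories) that parses the `forbidden` errors and prints the ClusterRole rules they imply. The log sample is constructed from the three errors quoted in the question with the source-path prefix trimmed, and granting `watch` next to the denied `list` verb is an assumption based on the reflector listing and then watching each resource.

```python
import json
import re
from collections import defaultdict

# Constructed sample: the three errors from the question, prefix trimmed, one per line.
SAMPLE_LOG = """\
E0206 08:25:21.798628 1 reflector.go:127] Failed to watch *v1alpha1.TLSStore: failed to list *v1alpha1.TLSStore: tlsstores.traefik.containo.us is forbidden: User "system:serviceaccount:new-ns:traefik-ingress-controller" cannot list resource "tlsstores" in API group "traefik.containo.us" at the cluster scope
E0206 08:25:34.653633 1 reflector.go:127] Failed to watch *v1alpha1.ServersTransport: failed to list *v1alpha1.ServersTransport: serverstransports.traefik.containo.us is forbidden: User "system:serviceaccount:new-ns:traefik-ingress-controller" cannot list resource "serverstransports" in API group "traefik.containo.us" at the cluster scope
E0206 08:26:02.857094 1 reflector.go:127] Failed to watch *v1alpha1.IngressRouteUDP: failed to list *v1alpha1.IngressRouteUDP: ingressrouteudps.traefik.containo.us is forbidden: User "system:serviceaccount:new-ns:traefik-ingress-controller" cannot list resource "ingressrouteudps" in API group "traefik.containo.us" at the cluster scope
"""

# Matches the Kubernetes API server's cluster-scope authorization denial message.
FORBIDDEN = re.compile(
    r'User "system:serviceaccount:(?P<ns>[^:"]+):(?P<sa>[^"]+)" '
    r'cannot (?P<verb>\w+) resource "(?P<res>[^"]+)" '
    r'in API group "(?P<group>[^"]*)" at the cluster scope'
)

def missing_rules(log_text):
    """Return {(namespace, serviceaccount): {api_group: {resource: {verbs}}}}."""
    found = defaultdict(lambda: defaultdict(lambda: defaultdict(set)))
    for m in FORBIDDEN.finditer(log_text):
        found[(m["ns"], m["sa"])][m["group"]][m["res"]].add(m["verb"])
    return found

def cluster_role_rules(groups, extra_verbs=("watch",)):
    """One rule per API group: denied verbs plus extra_verbs (assumption: watch)."""
    rules = []
    for group, resources in sorted(groups.items()):
        verbs = sorted(set().union(*resources.values()) | set(extra_verbs))
        rules.append({"apiGroups": [group],
                      "resources": sorted(resources),
                      "verbs": verbs})
    return rules

def render_yaml(rules):
    """Render the rules as a YAML fragment to merge into the ClusterRole."""
    out = ["rules:"]
    for r in rules:
        out.append("  - apiGroups: " + json.dumps(r["apiGroups"]))
        out.append("    resources: " + json.dumps(r["resources"]))
        out.append("    verbs: " + json.dumps(r["verbs"]))
    return "\n".join(out)

if __name__ == "__main__":
    for (ns, sa), groups in missing_rules(SAMPLE_LOG).items():
        print(f"# ServiceAccount {ns}/{sa} is missing:")
        print(render_yaml(cluster_role_rules(groups)))
```

Only resources that actually appear in a denial are emitted, so the resulting rules stay limited to what the controller was observed requesting.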