I made a simple demo app that is running locally via minikube and I am trying to get Traefik to route traffic to `app-1`
and `app-2`. However, I am running into an error that reads:
```
E1118 08:29:28.397486 1 reflector.go:138] k8s.io/[email protected]/tools/cache/reflector.go:167: Failed to watch *v1.Ingress: failed to list *v1.Ingress: ingresses.networking.k8s.io is forbidden: User "system:serviceaccount:demo:traefik-account" cannot list resource "ingresses" in API group "networking.k8s.io" at the cluster scope
```
The error message is not cryptic but I am not sure why I am getting it.
I created the roles and bound them:

```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: traefik-ingress-role
rules:
  - apiGroups: [""]
    #- networking.k8s.io
    resources:
      - ingresses
      - secrets
      - services
      - endpoints
    verbs:
      - get
      - list
      - watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: traefik-ingress-role-binding
subjects:
  - kind: ServiceAccount
    name: traefik-account
    namespace: {{ .Values.namespace }}
roleRef:
  kind: ClusterRole
  name: traefik-ingress-role
  apiGroup: rbac.authorization.k8s.io
```

serviceAccount.yaml

```yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: traefik-account
  namespace: {{ .Values.namespace }}
```
The binding is there:

```
-> % kubectl get clusterrole traefik-ingress-role -n demo
NAME                   CREATED AT
traefik-ingress-role   2023-11-17T12:04:55Z
```
It looks to me that the roles are there, the service account is created and there are role bindings?
Any advice on something else to try out would be greatly appreciated.
A simplified version I dug from the Traefik Helm chart shows that you need to separate the two apiGroups:
```yaml
rules:
  - apiGroups:
      - ""
    resources:
      - services
      - endpoints
      - secrets
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - networking.k8s.io
      - extensions
    resources:
      - ingressclasses
      - ingresses
    verbs:
      - get
      - list
      - watch
```
There are several API groups in Kubernetes:

> The core (also called legacy) group is found at REST path `/api/v1`. The core group is not specified as part of the `apiVersion` field, for example, `apiVersion: v1`. The named groups are at REST path `/apis/$GROUP_NAME/$VERSION` and use `apiVersion: $GROUP_NAME/$VERSION` (for example, `apiVersion: batch/v1`).

All of the resources you mentioned except ingress are part of the first, core API group, which you reference by having empty quotes.

`[""] # indicates the core API group` (source)

However, ingress is in the `networking.k8s.io` group.
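
The mismatch described in the question and both answers, as an added example that is not part of the original posts: a simplified RBAC rule matcher run over the question's rules and the split rules, plus a check for resources listed under a group that does not serve them. The function names and the `HOME_GROUP` map are assumptions made for illustration, and the matcher ignores `resourceNames`, subresources and non-resource URLs.

```python
# Added example. Simplified RBAC matching: ignores resourceNames,
# subresources and nonResourceURLs; "*" is the wildcard.
QUESTION_RULES = [  # rules of the ClusterRole in the question
    {"apiGroups": [""],
     "resources": ["ingresses", "secrets", "services", "endpoints"],
     "verbs": ["get", "list", "watch"]},
]
ANSWER_RULES = [  # split rules from the answer
    {"apiGroups": [""],
     "resources": ["services", "endpoints", "secrets"],
     "verbs": ["get", "list", "watch"]},
    {"apiGroups": ["networking.k8s.io", "extensions"],
     "resources": ["ingressclasses", "ingresses"],
     "verbs": ["get", "list", "watch"]},
]
# Assumption: partial map of resource -> API group that serves it,
# covering only the resources that appear on this page.
HOME_GROUP = {"services": "", "endpoints": "", "secrets": "",
              "ingresses": "networking.k8s.io",
              "ingressclasses": "networking.k8s.io"}


def _has(values, wanted):
    return "*" in values or wanted in values


def allows(rules, group, resource, verb):
    """True if one rule matches group AND resource AND verb together."""
    return any(_has(r["apiGroups"], group)
               and _has(r["resources"], resource)
               and _has(r["verbs"], verb) for r in rules)


def misplaced(rules):
    """Resources named in a rule whose apiGroups omit the serving group."""
    found = []
    for r in rules:
        for res in r["resources"]:
            home = HOME_GROUP.get(res)
            if home is not None and not _has(r["apiGroups"], home):
                found.append((res, home))
    return found


if __name__ == "__main__":
    for name, rules in (("question", QUESTION_RULES), ("answer", ANSWER_RULES)):
        ok = allows(rules, "networking.k8s.io", "ingresses", "list")
        print(f"{name}: list ingresses.networking.k8s.io allowed={ok}, "
              f"misplaced={misplaced(rules)}")
```

Against the live cluster, `kubectl auth can-i list ingresses.networking.k8s.io --as=system:serviceaccount:demo:traefik-account` answers the same question for the service account named in the error.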