I made a simple demo app that is running locally via minikube and I am trying to get Traefik to route traffic to `app-1`
and `app-2`. However I am running into an error that reads:
```
E1118 08:29:28.397486 1 reflector.go:138] k8s.io/[email protected]/tools/cache/reflector.go:167: Failed to watch *v1.Ingress: failed to list *v1.Ingress: ingresses.networking.k8s.io is forbidden: User "system:serviceaccount:demo:traefik-account" cannot list resource "ingresses" in API group "networking.k8s.io" at the cluster scope
```
The error message is not cryptic but I am not sure why I am getting it.
I created the roles and bound them:

```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: traefik-ingress-role
rules:
  - apiGroups: [""]
    #- networking.k8s.io
    resources:
      - ingresses
      - secrets
      - services
      - endpoints
    verbs:
      - get
      - list
      - watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: traefik-ingress-role-binding
subjects:
  - kind: ServiceAccount
    name: traefik-account
    namespace: {{ .Values.namespace }}
roleRef:
  kind: ClusterRole
  name: traefik-ingress-role
  apiGroup: rbac.authorization.k8s.io
```
serviceAccount.yaml:

```yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: traefik-account
  namespace: {{ .Values.namespace }}
```
The binding is there:

```
-> % kubectl get clusterrole traefik-ingress-role -n demo
NAME                   CREATED AT
traefik-ingress-role   2023-11-17T12:04:55Z
```
It looks to me that the roles are there, the service account is created and there are role bindings?
Any advice on something else to try out would be greatly appreciated.
A simplified version I dug from the traefik helm chart shows that you need to separate the two apiGroups:
Why?

From the API docs, all of the resources you mentioned except ingress are part of the first `core` API group which you reference by having empty quotes. However, ingress is in the `networking.k8s.io` group.
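
The separation the answer describes, applied to the ClusterRole from the question. This is an added example, not the Helm chart's manifest or the answerer's code; it reuses the question's names and keeps its read-only verbs.

```yaml
# Added example: one rule per API group, because an RBAC rule only matches
# a request whose API group, resource and verb are all listed in that rule.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: traefik-ingress-role
rules:
  # Core API group (the empty string): services, endpoints and secrets.
  - apiGroups: [""]
    resources:
      - services
      - endpoints
      - secrets
    verbs:
      - get
      - list
      - watch
  # Ingress is served from networking.k8s.io, so it needs its own rule.
  - apiGroups: ["networking.k8s.io"]
    resources:
      - ingresses
    verbs:
      - get
      - list
      - watch
# After applying, replay the request from the error message as the
# service account (namespace "demo" is taken from that message):
#   kubectl auth can-i list ingresses.networking.k8s.io --all-namespaces \
#     --as=system:serviceaccount:demo:traefik-account
# The answer should change from "no" to "yes".
```

With `ingresses` listed under `apiGroups: [""]`, the rule grants access to a resource that does not exist in the core group, which is why the role and binding can both be present while the list call is still forbidden.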