nodes rbac #1064
Comments
Hello @Links2004, Thanks for this report. There is no rbac needed on nodes required for Traefik, according to official upstream documentation.
the repo shows the usage of corev1.Node, maybe the docs have not been updated yet.
https://github.com/search?q=repo%3Atraefik%2Ftraefik+corev1.Node&type=code
the https://github.com/search?q=repo%3Atraefik%2Ftraefik%20GetNodes()&type=code
e.g.:

sure:

```yaml
image:
  registry: internal
  name: traefik
  tag: v3.0.0-our-05d2c86-build
fullnameOverride: "rx-traefik"
deployment:
  replicas: 5
podDisruptionBudget:
  enabled: true
  maxUnavailable: 1
updateStrategy:
  type: RollingUpdate
  rollingUpdate:
    maxUnavailable: 1
    maxSurge: 1
pilot:
  dashboard: false
globalArguments: []
additionalArguments:
  - "--entrypoints.web.http.redirections.entrypoint.permanent=true"
  - "--entrypoints.web.http.redirections.entrypoint.to=:443"
  - "--entrypoints.web.http.redirections.entrypoint.scheme=https"
  - "--entrypoints.web.http.redirections.entrypoint.priority=1000000000"
  - "--entryPoints.websecure.transport.respondingTimeouts.idleTimeout=21600"
  - "--entryPoints.websecure.transport.respondingTimeouts.readTimeout=86400"
  - "--providers.kubernetescrd.allowCrossNamespace=true"
  - "--tracing.otlp.grpc=true"
  - "--tracing.otlp.grpc.endpoint=jaeger-collector-headless.observability.svc.cluster.local:4317"
  - "--tracing.otlp.grpc.insecure=true"
tlsOptions:
  default:
    minVersion: VersionTLS12
    cipherSuites:
      - "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"
      - "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
      - "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"
      - "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"
      - "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256"
      - "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256"
  mintls13:
    minVersion: VersionTLS13
providers:
  kubernetesIngress:
    publishedService:
      pathOverride: traefik/rx-traefik
      enabled: true
ingressClass:
  name: rx-traefik
  isDefaultClass: true
dashboard:
  enable: true
  ingressRoute: true
service:
  enabled: true
  type: LoadBalancer
  annotations:
    loadbalancer.openstack.org/timeout-client-data: "86400000"
    loadbalancer.openstack.org/timeout-member-data: "86400000"
  spec: {}
logs:
  general:
    format: json
    level: INFO
metrics:
  prometheus:
    addEntryPointsLabels: true
    addRoutersLabels: true
    addServicesLabels: true
    service:
      enabled: true
    entryPoint: metrics
    serviceMonitor:
      metricRelabelings:
        - sourceLabels: [__name__]
          separator: ;
          regex: ^fluentd_output_status_buffer_(oldest|newest)_.+
          replacement: $1
          action: drop
      relabelings:
        - sourceLabels: [__meta_kubernetes_pod_node_name]
          separator: ;
          regex: ^(.*)$
          targetLabel: nodename
          replacement: $1
          action: replace
      jobLabel: traefik
      interval: 30s
      honorLabels: true
    prometheusRule:
      namespace: "rx-monitoring"
      additionalLabels:
        rx.monitoring.mercedes-benz.com/rx-monitoring: "true"
      rules:
        - alert: TraefikDown
          expr: up{job="rx-traefik-metrics"} == 0
          for: 5m
          labels:
            context: traefik
            severity: warning
          annotations:
            summary: "Traefik Down"
            description: "{{ $labels.pod }} on {{ $labels.nodename }} is down"
ingressRoute:
  enabled: true
```

the PR of the change, updates the found the PR: looks like this is going in to 3.1
ah, so you are on recent master version, not latest v3.
Welcome!
What version of the Traefik's Helm Chart are you using?
28.1.0-beta.3
What version of Traefik are you using?
master(05d2c86)
What did you do?
build and deploy latest traefik from 05d2c86
What did you see instead?
traefik does not work with a RBAC error:
What is your environment & configuration?
N/A
Additional Information
can be fixed by adding the needed RBAC:

```yaml
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: traefik-nodes
rules:
  - apiGroups:
      - ""
    resources:
      - nodes
    verbs:
      - get
      - list
      - watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: traefik-nodes
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: traefik-nodes
subjects:
  - kind: ServiceAccount
    name: rx-traefik
    namespace: tcglobal
```

reported so that this does not happen when the next version comes out.
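A way to check a set of RBAC rules for the node access described in this issue, added here as an example (not code from the issue or from the Traefik project). `BASE_ROLE` is a constructed sample rather than the chart's real rule set, the rule matching is a simplification of Kubernetes RBAC, and the function names are hypothetical.

```python
# Added example: simplified Kubernetes RBAC rule matching
# (ignores nonResourceURLs, role aggregation and namespaced Roles).
NEEDED = {"get", "list", "watch"}  # verbs in the issue's traefik-nodes ClusterRole

# Constructed sample role with no rule covering nodes (NOT the chart's real rules).
BASE_ROLE = {
    "kind": "ClusterRole",
    "metadata": {"name": "sample-ingress-controller"},
    "rules": [
        {"apiGroups": [""], "resources": ["services", "endpoints", "secrets"],
         "verbs": ["get", "list", "watch"]},
        # Wildcard resources, but only inside a non-core API group.
        {"apiGroups": ["traefik.io"], "resources": ["*"],
         "verbs": ["get", "list", "watch"]},
    ],
}

# The ClusterRole posted in the issue, written as a dict.
NODES_ROLE = {
    "kind": "ClusterRole",
    "metadata": {"name": "traefik-nodes"},
    "rules": [{"apiGroups": [""], "resources": ["nodes"],
               "verbs": ["get", "list", "watch"]}],
}


def rule_allows(rule, group, resource, verb):
    """True if one PolicyRule grants `verb` on every object of `resource`."""
    if rule.get("resourceNames"):
        # Restricted to named objects: cannot satisfy an unrestricted list/watch.
        return False

    def has(key, value):
        values = rule.get(key, [])
        return "*" in values or value in values

    return has("apiGroups", group) and has("resources", resource) and has("verbs", verb)


def missing_verbs(roles, group, resource, needed):
    """Verbs in `needed` that no rule of any bound role grants, sorted."""
    granted = {verb for verb in needed for role in roles
               for rule in role.get("rules", [])
               if rule_allows(rule, group, resource, verb)}
    return sorted(set(needed) - granted)


if __name__ == "__main__":
    print("without traefik-nodes:", missing_verbs([BASE_ROLE], "", "nodes", NEEDED))
    print("with traefik-nodes:   ", missing_verbs([BASE_ROLE, NODES_ROLE], "", "nodes", NEEDED))
```

The core API group is the empty string, so the `traefik.io` wildcard rule in the sample does not cover `nodes`.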