
nodes rbac #1064

Open
2 tasks done
Links2004 opened this issue May 8, 2024 · 3 comments · May be fixed by #1072
Labels
good first issue Good for newcomers kind/bug/confirmed a confirmed bug (reproducible).

Comments


Links2004 commented May 8, 2024

Welcome!

  • Yes, I've searched similar issues on GitHub and didn't find any.
  • Yes, I've searched similar issues on the Traefik community forum and didn't find any.

What version of the Traefik's Helm Chart are you using?

28.1.0-beta.3

What version of Traefik are you using?

master(05d2c86)

What did you do?

build and deploy latest traefik from 05d2c86

What did you see instead?

traefik does not work with a RBAC error:

W0508 08:33:16.267506       1 reflector.go:539] pkg/mod/k8s.io/client-go@v0.29.2/tools/cache/reflector.go:229: failed to list *v1.Node: nodes is forbidden: User "system:serviceaccount:tcglobal:rx-traefik" cannot list resource "nodes" in API group "" at the cluster scope: RBAC: clusterrole.rbac.authorization.k8s.io "rx-traefik" not found

What is your environment & configuration?

N/A

Additional Information

can be fixed by adding the needed RBAC:


---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: traefik-nodes
rules:
  - apiGroups:
      - ""
    resources:
      - nodes
    verbs:
      - get
      - list
      - watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: traefik-nodes
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: traefik-nodes
subjects:
- kind: ServiceAccount
  name: rx-traefik
  namespace: tcglobal

Reported so that this does not happen when the next version comes out.
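An added example (not code from the report or from the Traefik chart) that turns the apiserver denial above into something checkable: it parses the RBAC "forbidden" message into subject, verb, resource, API group and scope, derives the single rule that would satisfy that request, and checks whether a given ClusterRole and ClusterRoleBinding cover it. The sample log line is the one quoted in the report; the denial message pattern is the kube-apiserver's standard cluster-scoped / namespaced wording; the Python structures mirror the manifests posted above. Note that the smallest rule the log asks for is `list` only, while the posted ClusterRole grants `get`/`list`/`watch`; that is deliberate, because the client-go reflector that logged the error lists the resource once and then opens a watch, so granting `list` alone would fail on the next call.

```python
import re
from typing import Dict, List, Optional

# Constructed sample: the reflector warning quoted in the report above.
SAMPLE_LOG = (
    'W0508 08:33:16.267506       1 reflector.go:539] '
    'pkg/mod/k8s.io/client-go@v0.29.2/tools/cache/reflector.go:229: '
    'failed to list *v1.Node: nodes is forbidden: '
    'User "system:serviceaccount:tcglobal:rx-traefik" cannot list resource "nodes" '
    'in API group "" at the cluster scope: '
    'RBAC: clusterrole.rbac.authorization.k8s.io "rx-traefik" not found'
)

# kube-apiserver RBAC denial wording; covers the cluster-scoped and namespaced forms.
FORBIDDEN_RE = re.compile(
    r'(?P<kind>User|Group) "(?P<subject>[^"]+)" cannot (?P<verb>\w+) '
    r'resource "(?P<resource>[^"]+)" in API group "(?P<group>[^"]*)" '
    r'(?:at the cluster scope|in the namespace "(?P<namespace>[^"]+)")'
)


def parse_forbidden(line: str) -> Optional[Dict[str, Optional[str]]]:
    """Extract subject, verb, resource, API group and scope from a denial message."""
    m = FORBIDDEN_RE.search(line)
    if not m:
        return None
    info: Dict[str, Optional[str]] = dict(m.groupdict())
    # Service accounts show up as User "system:serviceaccount:<namespace>:<name>".
    parts = (info["subject"] or "").split(":")
    if info["kind"] == "User" and len(parts) == 4 and parts[:2] == ["system", "serviceaccount"]:
        info["sa_namespace"], info["sa_name"] = parts[2], parts[3]
    else:
        info["sa_namespace"] = info["sa_name"] = None
    return info


def rule_allows(rule: Dict[str, List[str]], verb: str, resource: str, group: str) -> bool:
    """True if one RBAC rule covers verb/resource/group ('*' acts as a wildcard)."""
    def match(values: List[str], want: str) -> bool:
        return "*" in values or want in values
    return (match(rule.get("apiGroups", []), group)
            and match(rule.get("resources", []), resource)
            and match(rule.get("verbs", []), verb))


def role_allows(role: Dict, verb: str, resource: str, group: str) -> bool:
    """True if any rule of a (Cluster)Role covers the request."""
    return any(rule_allows(r, verb, resource, group) for r in role.get("rules", []))


def binding_covers(binding: Dict, info: Dict[str, Optional[str]]) -> bool:
    """True if the (Cluster)RoleBinding names the denied service account as a subject."""
    return any(s.get("kind") == "ServiceAccount"
               and s.get("name") == info["sa_name"]
               and s.get("namespace") == info["sa_namespace"]
               for s in binding.get("subjects", []))


def minimal_rule(info: Dict[str, Optional[str]]) -> Dict[str, List[str]]:
    """The smallest single rule that satisfies exactly the denied request."""
    return {"apiGroups": [info["group"] or ""],
            "resources": [info["resource"] or ""],
            "verbs": [info["verb"] or ""]}


# The two manifests from the report above, as Python structures.
TRAEFIK_NODES_ROLE = {
    "kind": "ClusterRole",
    "metadata": {"name": "traefik-nodes"},
    "rules": [{"apiGroups": [""], "resources": ["nodes"], "verbs": ["get", "list", "watch"]}],
}
TRAEFIK_NODES_BINDING = {
    "kind": "ClusterRoleBinding",
    "metadata": {"name": "traefik-nodes"},
    "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "ClusterRole", "name": "traefik-nodes"},
    "subjects": [{"kind": "ServiceAccount", "name": "rx-traefik", "namespace": "tcglobal"}],
}


def check_log_line(line: str, role: Dict, binding: Dict) -> Dict[str, object]:
    """Summarise whether role+binding would resolve the denial in one log line."""
    info = parse_forbidden(line)
    if info is None:
        return {"parsed": False}
    return {
        "parsed": True,
        "role_ok": role_allows(role, info["verb"], info["resource"], info["group"] or ""),
        "binding_ok": binding_covers(binding, info),
        "minimal_rule": minimal_rule(info),
    }


if __name__ == "__main__":
    print(check_log_line(SAMPLE_LOG, TRAEFIK_NODES_ROLE, TRAEFIK_NODES_BINDING))
```

Running `check_log_line` over the log line from the report reports `role_ok` and `binding_ok` as true for the posted manifests; pointing it at the chart's own rendered ClusterRole instead is a quick way to confirm whether a given chart version already carries the `nodes` rule before upgrading Traefik.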


mloiseleur commented May 14, 2024

Hello @Links2004,

Thanks for this report. There is no RBAC on nodes required for Traefik, according to the official upstream documentation.
It may come from a plugin.
Would you please share your (helm) values?

@mloiseleur mloiseleur added kind/bug/possible a possible bug that needs analysis before it is confirmed or fixed. and removed status/0-needs-triage labels May 14, 2024

Links2004 commented May 14, 2024

The repo shows the usage of corev1.Node; maybe the docs have not been updated yet.

https://github.com/search?q=repo%3Atraefik%2Ftraefik+corev1.Node&type=code

The GetNodes function is used for all ingress types:

https://github.com/search?q=repo%3Atraefik%2Ftraefik%20GetNodes()&type=code

e.g.:

https://github.com/traefik/traefik/blob/6a06560318c4d940a211e7007f5e0b715480c360/pkg/provider/kubernetes/crd/kubernetes_http.go#L413

sure:

image:
  registry: internal
  name: traefik
  tag: v3.0.0-our-05d2c86-build

fullnameOverride: "rx-traefik"

deployment:
  replicas: 5

podDisruptionBudget:
  enabled: true
  maxUnavailable: 1

updateStrategy:
  type: RollingUpdate
  rollingUpdate:
    maxUnavailable: 1
    maxSurge: 1

pilot:
  dashboard: false

globalArguments: []
additionalArguments:
  - "--entrypoints.web.http.redirections.entrypoint.permanent=true"
  - "--entrypoints.web.http.redirections.entrypoint.to=:443"
  - "--entrypoints.web.http.redirections.entrypoint.scheme=https"
  - "--entrypoints.web.http.redirections.entrypoint.priority=1000000000"
  - "--entryPoints.websecure.transport.respondingTimeouts.idleTimeout=21600"
  - "--entryPoints.websecure.transport.respondingTimeouts.readTimeout=86400"
  - "--providers.kubernetescrd.allowCrossNamespace=true"
  - "--tracing.otlp.grpc=true"
  - "--tracing.otlp.grpc.endpoint=jaeger-collector-headless.observability.svc.cluster.local:4317"
  - "--tracing.otlp.grpc.insecure=true"
tlsOptions:
  default:
    minVersion: VersionTLS12
    cipherSuites:
      - "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"
      - "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
      - "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"
      - "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"
      - "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256"
      - "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256"

  mintls13:
    minVersion: VersionTLS13

providers:
  kubernetesIngress:
    publishedService:
      pathOverride: traefik/rx-traefik
      enabled: true

ingressClass:
  name: rx-traefik
  isDefaultClass: true

dashboard:
  enable: true
  ingressRoute: true

service:
  enabled: true
  type: LoadBalancer
  annotations:
    loadbalancer.openstack.org/timeout-client-data: "86400000"
    loadbalancer.openstack.org/timeout-member-data: "86400000"
  spec: {}

logs:
  general:
    format: json
    level: INFO

metrics:
  prometheus:
    addEntryPointsLabels: true
    addRoutersLabels: true
    addServicesLabels: true
    service:
      enabled: true
    entryPoint: metrics
    serviceMonitor:
      metricRelabelings:
        - sourceLabels: [__name__]
          separator: ;
          regex: ^fluentd_output_status_buffer_(oldest|newest)_.+
          replacement: $1
          action: drop
      relabelings:
        - sourceLabels: [__meta_kubernetes_pod_node_name]
          separator: ;
          regex: ^(.*)$
          targetLabel: nodename
          replacement: $1
          action: replace
      jobLabel: traefik
      interval: 30s
      honorLabels: true
    prometheusRule:
      namespace: "rx-monitoring"
      additionalLabels:
        rx.monitoring.mercedes-benz.com/rx-monitoring: "true"
      rules:
        - alert: TraefikDown
          expr: up{job="rx-traefik-metrics"} == 0
          for: 5m
          labels:
            context: traefik
            severity: warning
          annotations:
            summary: "Traefik Down"
            description: "{{ $labels.pod }} on {{ $labels.nodename }} is down"

ingressRoute:
  enabled: true

The PR of the change updates docs/content/reference/dynamic-configuration/kubernetes-crd-rbac.yml too.
traefik/traefik@c1ef742

found the PR:
traefik/traefik#10278

Looks like this is going into 3.1.

@mloiseleur mloiseleur added kind/bug/confirmed a confirmed bug (reproducible). good first issue Good for newcomers and removed kind/bug/possible a possible bug that needs analysis before it is confirmed or fixed. labels May 14, 2024

mloiseleur commented May 14, 2024

Ah, so you are on a recent master version, not the latest v3.
That explains it 😅.
Thanks for the report 👍

@mloiseleur mloiseleur linked a pull request May 22, 2024 that will close this issue