Failed to watch *v1.Ingress: failed to list *v1.Ingress: ingresses.networking.k8s.io is forbidden

Question   Votes: 0   Answers: 1

I made a simple demo application that runs locally via minikube, and I am trying to get Traefik to route traffic to app-1 and app-2. However, I am getting the error shown below.

E1118 08:29:28.397486       1 reflector.go:138] k8s.io/[email protected]/tools/cache/reflector.go:167: Failed to watch *v1.Ingress: failed to list *v1.Ingress: ingresses.networking.k8s.io is forbidden: User "system:serviceaccount:demo:traefik-account" cannot list resource "ingresses" in API group "networking.k8s.io" at the cluster scope

The error message isn't cryptic, but I'm not sure why I am getting it.

I created the roles and bound them:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: traefik-ingress-role
rules:
  - apiGroups: [""]
    #- networking.k8s.io
    resources:
       - ingresses
       - secrets
       - services
       - endpoints
    verbs:
      - get
      - list
      - watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: traefik-ingress-role-binding
subjects:
  - kind: ServiceAccount
    name: traefik-account
    namespace: {{ .Values.namespace }}
roleRef:
  kind: ClusterRole
  name: traefik-ingress-role
  apiGroup: rbac.authorization.k8s.io

serviceAccount.yaml

apiVersion: v1
kind: ServiceAccount
metadata:
  name: traefik-account
  namespace: {{ .Values.namespace }}

The binding is there:

-> % kubectl get clusterrole traefik-ingress-role -n demo        

NAME                   CREATED AT
traefik-ingress-role   2023-11-17T12:04:55Z

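It seems to me that the role exists, the service account has been created, and the role binding exists?

Any suggestions on what else to try would be greatly appreciated.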

kubernetes-helm traefik traefik-ingress
1 Answer
0
votes

A simplified version that I dug out of the traefik helm chart shows that you may need to separate the two apiGroups:

rules:
  - apiGroups:
      - ""
    resources:
      - services
      - endpoints
      - secrets
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - networking.k8s.io
      - extensions
    resources:
      - ingressclasses
      - ingresses
    verbs:
      - get
      - list
      - watch
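
Why the rules in the question do not cover the denied request while the answer's rules do, as an added example (not code from the question, the answer or the Traefik chart): it parses the forbidden message and applies RBAC's additive rule matching to both rule sets. The rules and the error text are copied from this page into Python literals; the function names are assumptions of this example.

```python
import re

# ClusterRole rules as posted in the question: ingresses sit under the core ("") group.
QUESTION_RULES = [
    {"apiGroups": [""],
     "resources": ["ingresses", "secrets", "services", "endpoints"],
     "verbs": ["get", "list", "watch"]},
]
# Rules from the answer: core resources and networking resources in separate rules.
ANSWER_RULES = [
    {"apiGroups": [""],
     "resources": ["services", "endpoints", "secrets"],
     "verbs": ["get", "list", "watch"]},
    {"apiGroups": ["networking.k8s.io", "extensions"],
     "resources": ["ingressclasses", "ingresses"],
     "verbs": ["get", "list", "watch"]},
]
# Error text from the question's Traefik log (timestamp and source location omitted).
LOG = ('ingresses.networking.k8s.io is forbidden: User '
       '"system:serviceaccount:demo:traefik-account" cannot list resource '
       '"ingresses" in API group "networking.k8s.io" at the cluster scope')

FORBIDDEN_RE = re.compile(
    r'User "(?P<user>[^"]+)" cannot (?P<verb>\S+) resource "(?P<resource>[^"]+)" '
    r'in API group "(?P<group>[^"]*)"')

def parse_forbidden(line):
    """Return the denied request (user, verb, resource, group), or None if no match."""
    m = FORBIDDEN_RE.search(line)
    return m.groupdict() if m else None

def matches(allowed, value):
    """An RBAC rule field matches on an exact entry or the "*" wildcard."""
    return "*" in allowed or value in allowed

def allows(rules, verb, group, resource):
    """RBAC is additive: allowed if one rule matches verb, group and resource together."""
    return any(matches(r["verbs"], verb) and matches(r["apiGroups"], group)
               and matches(r["resources"], resource) for r in rules)

def verdict(rules, req):
    return "allowed" if allows(rules, req["verb"], req["group"], req["resource"]) else "denied"

if __name__ == "__main__":
    req = parse_forbidden(LOG)
    print("request:", req)
    print("question's rules:", verdict(QUESTION_RULES, req))
    print("answer's rules:  ", verdict(ANSWER_RULES, req))
```

Against the live cluster the same question can be asked with `kubectl auth can-i list ingresses.networking.k8s.io --as=system:serviceaccount:demo:traefik-account`.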