I have been trying to run Traefik v2.x in minikube to check it and how it routes requests to the needed service. I am failing to get access to my services at all. It would be good to understand what I am doing wrong.

  • minikube is running in VirtualBox VM
  • VM box has lab IP address to which I want to send URL request
  • on my localhost I set hosts (mydomain.local and mydomain.com) to IP address of minikube VM

How to reproduce:

  1. create 2 namespaces new-ns and new-who
  2. set namespace to be default for Ingress: `kubectl config set-context --current --namespace=new-ns`

All YAML files can be found at https://github.com/vencrena-LT/traefik

  1. deploy CustomResourceDefinition
  2. deploy ClusterRole, ClusterRoleBinding and ServiceAccount (to new-ns namespace)
  3. deploy DaemonSet and Service (to new-ns namespace)

Then I would like to deploy 2 apps in both namespaces (for testing purposes):

  1. Deployment, Service and IngressRoute to new-ns namespace
  2. Deployment, Service and IngressRoute to new-new namespace

[Screenshots: Dashboard, Routes, LocalPod]

Some logs from the Traefik pod:

E0206 08:25:21.798628       1 reflector.go:127] pkg/mod/k8s.io/client-go@v0.19.2/tools/cache/reflector.go:156: Failed to watch *v1alpha1.TLSStore: failed to list *v1alpha1.TLSStore: tlsstores.traefik.containo.us is forbidden: User "system:serviceaccount:new-ns:traefik-ingress-controller" cannot list resource "tlsstores" in API group "traefik.containo.us" at the cluster scope

E0206 08:25:34.653633       1 reflector.go:127] pkg/mod/k8s.io/client-go@v0.19.2/tools/cache/reflector.go:156: Failed to watch *v1alpha1.ServersTransport: failed to list *v1alpha1.ServersTransport: serverstransports.traefik.containo.us is forbidden: User "system:serviceaccount:new-ns:traefik-ingress-controller" cannot list resource "serverstransports" in API group "traefik.containo.us" at the cluster scope

E0206 08:26:02.857094       1 reflector.go:127] pkg/mod/k8s.io/client-go@v0.19.2/tools/cache/reflector.go:156: Failed to watch *v1alpha1.IngressRouteUDP: failed to list *v1alpha1.IngressRouteUDP: ingressrouteudps.traefik.containo.us is forbidden: User "system:serviceaccount:new-ns:traefik-ingress-controller" cannot list resource "ingressrouteudps" in API group "traefik.containo.us" at the cluster scope

Any hints what I am doing wrong? Why can I not access mydomain.local and mydomain.com and see the whoami services? Why are no routes seen in the Traefik dashboard?

  • Can you provide logs from the `traefik` Pod? Your `IngressRoute`s seem to be correct. Maybe it would be better for you to install `Traefik` using the Helm Chart as described [here](https://doc.traefik.io/traefik/getting-started/install-traefik/#use-the-helm-chart)? – matt_j Feb 05 '21 at 20:31
  • I have no issues when deploying the Helm chart. This is for learning and fully understanding how it should work. Good hint about logs - adding output to main question. Seems like the service account does not have enough permissions. – vencrena Feb 06 '21 at 08:23

1 Answer

Your ClusterRole definition is a bit too thin:

https://github.com/vencrena-LT/traefik/blob/main/2_roles.yml

You could try to follow the example here:

https://github.com/sleighzy/k3s-traefik-v2-kubernetes-crd

For the question of why no routes are seen: Traefik will pick up from k8s routes when you specify

        - --providers.kubernetescrd
        - --providers.kubernetesingress

Also, please be aware of the namespace where Traefik resides; you will apply IngressRoutes on that namespace.
