Setting up Traefik as Kubernetes Ingress on GCP

4/4/2018

I'm trying to follow along with this Traefik user guide: https://docs.traefik.io/user-guide/kubernetes/

The key difference between the user guide and my setup is that the guide presumes I'm on Minikube, whereas I'm trying to get this setup on Google Cloud Platform (GCP). I'm a Kubernetes newbie, but I think I've got a decent handle on the fundamentals.

Anyways, with regards to Role Based Access Control configuration presented in the user guide above, I keep getting this error:

Error from server (Forbidden): error when creating "rbac.yml": clusterroles.rbac.authorization.k8s.io "traefik-ingress-controller" is forbidden: attempt to grant extra privileges: [PolicyRule{Resources:["services"], APIGroups:[""], Verbs:["get"]} PolicyRule{Resources:["services"], APIGroups:[""], Verbs:["list"]} PolicyRule{Resources:["services"], APIGroups:[""], Verbs:["watch"]} PolicyRule{Resources:["endpoints"], APIGroups:[""], Verbs:["get"]} PolicyRule{Resources:["endpoints"], APIGroups:[""], Verbs:["list"]} PolicyRule{Resources:["endpoints"], APIGroups:[""], Verbs:["watch"]} PolicyRule{Resources:["secrets"], APIGroups:[""], Verbs:["get"]} PolicyRule{Resources:["secrets"], APIGroups:[""], Verbs:["list"]} PolicyRule{Resources:["secrets"], APIGroups:[""], Verbs:["watch"]} PolicyRule{Resources:["ingresses"], APIGroups:["extensions"], Verbs:["get"]} PolicyRule{Resources:["ingresses"], APIGroups:["extensions"], Verbs:["list"]} PolicyRule{Resources:["ingresses"], APIGroups:["extensions"], Verbs:["watch"]}] user=&{evan@sherwood.io [system:authenticated] map[authenticator:[GKE]]} ownerrules=[PolicyRule{Resources:["selfsubjectaccessreviews"], APIGroups:["authorization.k8s.io"], Verbs:["create"]} PolicyRule{Resources:["selfsubjectrulesreviews"], APIGroups:["authorization.k8s.io"], Verbs:["create"]} PolicyRule{NonResourceURLs:["/api" "/api/" "/apis" "/apis/" "/healthz" "/swagger-2.0.0.pb-v1" "/swagger.json" "/swaggerapi" "/swaggerapi/*" "/version"], Verbs:["get"]}] ruleResolutionErrors=[]

I feel like I'm running into Privilege Escalation Prevention and Bootstrapping, but I'm not sure what I need to change/do to move past this.

-- neezer
google-cloud-platform
google-kubernetes-engine
kubernetes
traefik

1 Answer

4/4/2018

As the document you reference states, you need to escalate your user's privileges, at least to an extent necessary to permit RBAC rule changes.

The easiest way to achieve that is to add a ClusterRoleBinding that assigns cluster-admin privileges. The YAML would look like this:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: megacorp-cluster-admin
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: john.doe@megacorp.com

The YAML assumes that your user email address as registered with GKE is john.doe@megacorp.com. After kubectl applying that manifest, you should be able to extend the RBAC rules of Traefik accordingly.

Note that cluster-admin is basically the root user of the cluster. More selective permissions are possible as well if you intend to restrict privileges further.

-- Timo Reimann
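To see why the Forbidden error above lists exactly twelve PolicyRules, and why binding the user either to cluster-admin or to a role carrying just the Traefik permissions makes it go away, here is a small Python model of the API server's escalation check. It is an added example, not Kubernetes or Traefik code, and it is simplified: resourceNames, NonResourceURLs and the clusterroles "escalate" verb are ignored, and the rule sets are transcribed from the error text.

```python
"""Simplified model of Kubernetes RBAC privilege-escalation prevention:
a user may only create a (Cluster)Role whose rules are already covered
by the rules the user holds. Added example; resourceNames, non-resource
URLs and the 'escalate' verb are deliberately left out."""

# Rules the Traefik user guide's ClusterRole asks for (from the error text).
TRAEFIK_RULES = [
    {"apiGroups": [""], "resources": ["services", "endpoints", "secrets"],
     "verbs": ["get", "list", "watch"]},
    {"apiGroups": ["extensions"], "resources": ["ingresses"],
     "verbs": ["get", "list", "watch"]},
]

# Resource rules the authenticated GKE user held (ownerrules in the error).
GKE_OWNER_RULES = [
    {"apiGroups": ["authorization.k8s.io"],
     "resources": ["selfsubjectaccessreviews", "selfsubjectrulesreviews"],
     "verbs": ["create"]},
]

# What the cluster-admin ClusterRole grants: everything.
CLUSTER_ADMIN_RULES = [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]


def _match(allowed, wanted):
    return "*" in allowed or wanted in allowed


def expand(rules):
    """Flatten PolicyRules into (apiGroup, resource, verb) triples."""
    return [(g, r, v) for rule in rules
            for g in rule["apiGroups"] for r in rule["resources"]
            for v in rule["verbs"]]


def covers(owner_rules, group, resource, verb):
    """True if some rule the grantor holds permits this triple."""
    return any(_match(o["apiGroups"], group) and _match(o["resources"], resource)
               and _match(o["verbs"], verb) for o in owner_rules)


def missing_privileges(owner_rules, requested_rules):
    """Triples the grantor lacks; a non-empty list is a Forbidden error."""
    return [t for t in expand(requested_rules) if not covers(owner_rules, *t)]


if __name__ == "__main__":
    print(len(missing_privileges(GKE_OWNER_RULES, TRAEFIK_RULES)), "missing as plain GKE user")
    print(len(missing_privileges(CLUSTER_ADMIN_RULES, TRAEFIK_RULES)), "missing as cluster-admin")
    # Narrower alternative to cluster-admin: a binding that grants the user
    # exactly the Traefik rules (hypothetical role) also passes the check.
    print(len(missing_privileges(TRAEFIK_RULES, TRAEFIK_RULES)), "missing with an exact-scope grant")
```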
Source: StackOverflow