traefik, bare-metal kubernetes: secret doesn't exist

5/28/2018

I am using kubernetes on bare-metal (v1.10.2) and the latest traefik (v1.6.2) as ingress. I am seeing the following issue when I want to enable traefik to route to an HTTPS service: Error configuring TLS for ingress default/cheese: secret default/traefik-cert does not exist

The secret exists! Why does it report that it doesn't?

On the basis of a comment: the secret is inaccessible from the traefik service account. But I don't understand why.

Details as follows:

$ kubectl get secret dex-tls -oyaml --as gem-lb-traefik
Error from server (Forbidden): secrets "dex-tls" is forbidden: User "gem-lb-traefik" cannot get secrets in the namespace "default"
$ kubectl describe clusterrolebinding gem-lb-traefik
Name:         gem-lb-traefik
Labels:       <none>
Annotations:  <none>
Role:
  Kind:  ClusterRole
  Name:  gem-lb-traefik
Subjects:
  Kind            Name            Namespace
  ----            ----            ---------
  ServiceAccount  gem-lb-traefik  default
$ kubectl describe clusterrole gem-lb-traefik
Name:         gem-lb-traefik
Labels:       <none>
Annotations:  <none>
PolicyRule:
  Resources             Non-Resource URLs  Resource Names  Verbs
  ---------             -----------------  --------------  -----
  endpoints             []                 []              [get list watch]
  pods                  []                 []              [get list watch]
  secrets               []                 []              [get list watch]
  services              []                 []              [get list watch]
  ingresses.extensions  []                 []              [get list watch]

I still don't understand why I am getting an error saying the secret is inaccessible from the service account.

-- everCurious
kubernetes
traefik

1 Answer

5/29/2018

First of all, in this case, you cannot check access to the secret using the --as gem-lb-traefik flag, because it tries to run the command as the user gem-lb-traefik, but you have no such user; you only have a ServiceAccount with the ClusterRole gem-lb-traefik. Moreover, using the --as <user> flag with any nonexistent user produces an error similar to yours:

Error from server (Forbidden): secrets "<secretname>" is forbidden: User "<user>" cannot get secrets in the namespace "<namespace>"

So, as @Ignacio Millán mentioned, you need to check your settings for Traefik and fix them according to the official documentation. Possibly you omitted the ServiceAccount in the Traefik DaemonSet spec. Also, you need to check whether the Traefik DaemonSet is located in the same namespace as the ServiceAccount for which you use the ClusterRoleBinding.

-- Artem Golenyaev
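The manifest below is an added example, not code from the question, the answer or the Traefik project. It puts the three things the answer asks to check side by side: a ServiceAccount, a ClusterRoleBinding whose subject names that ServiceAccount in its namespace, and a DaemonSet that actually runs as it. The resource names and the `default` namespace are taken from the question; the Traefik image tag, the container arguments and the `app: gem-lb-traefik` label are assumptions.

```yaml
# Added example: Traefik v1.6 RBAC wiring in which the DaemonSet runs as the
# gem-lb-traefik ServiceAccount (names from the question; image/args assumed).
apiVersion: v1
kind: ServiceAccount
metadata:
  name: gem-lb-traefik
  namespace: default
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: gem-lb-traefik
rules:
  # Same read-only rules the question's ClusterRole already has; "secrets"
  # is what lets Traefik load the TLS secret referenced by an Ingress.
  - apiGroups: [""]
    resources: ["endpoints", "pods", "secrets", "services"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["extensions"]
    resources: ["ingresses"]
    verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: gem-lb-traefik
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: gem-lb-traefik
subjects:
  # The subject namespace must be the namespace the Traefik pod runs in.
  # A ServiceAccount with the same name in another namespace is a different
  # identity (system:serviceaccount:<ns>:<name>) and is not bound here.
  - kind: ServiceAccount
    name: gem-lb-traefik
    namespace: default
---
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: gem-lb-traefik
  namespace: default            # must match the ServiceAccount namespace above
spec:
  selector:
    matchLabels:
      app: gem-lb-traefik       # assumed label
  template:
    metadata:
      labels:
        app: gem-lb-traefik
    spec:
      # Without this line the pod runs as the namespace's "default"
      # ServiceAccount, which has no binding, so every secret lookup is
      # Forbidden and Traefik reports the secret as non-existent.
      serviceAccountName: gem-lb-traefik
      containers:
        - name: traefik
          image: traefik:v1.6.2 # version from the question
          args:                 # assumed, typical v1.6 flags
            - --api
            - --kubernetes
            - --logLevel=INFO
          ports:
            - name: http
              containerPort: 80
            - name: https
              containerPort: 443
```

To test the permission as the ServiceAccount rather than as a non-existent user, impersonate its full principal name: `kubectl auth can-i get secrets --namespace default --as system:serviceaccount:default:gem-lb-traefik` should answer `yes` once the binding is in place. To confirm which identity the running pods actually use, read it back from the pod spec: `kubectl -n default get pods -l app=gem-lb-traefik -o jsonpath='{.items[*].spec.serviceAccountName}'`; if that prints `default`, the DaemonSet is missing `serviceAccountName`. Note that this ClusterRole grants read access to secrets in every namespace, which Traefik needs in order to serve Ingress TLS from arbitrary namespaces; if all TLS secrets live in one namespace, a Role and RoleBinding scoped to that namespace is the tighter choice.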
Source: StackOverflow