Hello @jaydrogers
Thanks a lot for sending a detailed description of the issue you experience.
Based on the error message you got I think that it can be related to RBAC configuration in the Kubernetes cluster.
The user (`alpha-test-8-production-service-account`) that is connecting has no privileges to access `IngressRoute` resources. That's why you got 403 Forbidden once you try to apply your configuration via GitLab.
I've just performed a quick test and created a new user that has permission to work with the following resources:

- deployments
- services
- IngressRoutes that are specifically related to Traefik Proxy
I think that should be enough to perform deployment (but it can be modified according to GitLab needs). What you are interested in is `apiGroups` for `traefik.containo.us`. On those resources, I defined privileges that can be executed by the user such as: `create`, `list`, `update`, `patch`.
```yaml
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: alpha-sa
  namespace: default
---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: default
  name: role-with-privileges-to-deploy
rules:
  - apiGroups: ["apps"]
    resources: ["deployments"]
    verbs: ["get", "create", "list", "update", "patch"]
  - apiGroups: [""]
    resources: ["services"]
    verbs: ["get", "create", "list", "update", "patch"]
  - apiGroups: ["traefik.containo.us"]
    resources: ["ingressroutes"]
    verbs: ["get", "create", "list", "update", "patch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: user-with-privileges
  namespace: default
subjects:
  - kind: ServiceAccount
    name: alpha-sa
    namespace: default
roleRef:
  kind: Role
  name: role-with-privileges-to-deploy
  apiGroup: rbac.authorization.k8s.io
---
```
Once you apply that config you can test what the user can do in your cluster.

Can the user `create` IngressRoutes objects?

```
➜ kubectl auth can-i create ingressroutes -n default --as system:serviceaccount:default:alpha-sa
yes
```

Can I `update`, `patch`, `list` the already created Ingressroutes resources?

```
➜ kubectl auth can-i update ingressroutes -n default --as system:serviceaccount:default:alpha-sa
yes
➜ kubectl auth can-i patch ingressroutes -n default --as system:serviceaccount:default:alpha-sa
yes
➜ kubectl auth can-i list ingressroutes -n default --as system:serviceaccount:default:alpha-sa
yes
```

Can I `delete` the IngressRoutes resource?

```
➜ kubectl auth can-i delete ingressroutes -n default --as system:serviceaccount:default:alpha-sa
no
```
Based on that example, updating the privileges for the user you are connecting with from GitLab to your K8S cluster should solve your issue.
Hope that helps!
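The reply above relies on two RBAC facts: a request is allowed only if some rule matches all of `apiGroups`, `resources` and `verbs` at once (which is why the service account got 403 on `traefik.containo.us` objects while being fine on core resources), and `kubectl auth can-i` is the way to confirm it. The following is an added example, not code from the post or from Traefik, that models that evaluation offline so the Role can be reviewed before it reaches a cluster. The rule list is a hand transcription of the `role-with-privileges-to-deploy` Role shown above; the function names, the `kubectl apply` verb check and the wildcard audit are this example's own constructions.

```python
"""Offline model of how Kubernetes RBAC evaluates a Role's rules.

Added example (not from the original post). ROLE_RULES is transcribed from
the Role in the reply above; everything else is this example's construction.
"""

# Transcribed from the Role "role-with-privileges-to-deploy" shown above.
ROLE_RULES = [
    {"apiGroups": ["apps"], "resources": ["deployments"],
     "verbs": ["get", "create", "list", "update", "patch"]},
    {"apiGroups": [""], "resources": ["services"],
     "verbs": ["get", "create", "list", "update", "patch"]},
    {"apiGroups": ["traefik.containo.us"], "resources": ["ingressroutes"],
     "verbs": ["get", "create", "list", "update", "patch"]},
]


def _matches(allowed, value):
    """A rule field matches when it lists the value or the wildcard '*'."""
    return "*" in allowed or value in allowed


def can_i(rules, verb, resource, api_group="", name=None):
    """Return True if any rule grants <verb> on <resource> in <api_group>.

    RBAC is additive and deny-by-default: there are no deny rules, so the
    request is allowed as soon as one rule matches apiGroups, resources and
    verbs together (and resourceNames, when the rule restricts them).
    A rule for the core group ("") never covers a CRD group, which is the
    mismatch behind a 403 on Traefik's IngressRoute objects.
    """
    for rule in rules:
        if not _matches(rule.get("apiGroups", []), api_group):
            continue
        if not _matches(rule.get("resources", []), resource):
            continue
        if not _matches(rule.get("verbs", []), verb):
            continue
        names = rule.get("resourceNames")
        if names and name not in names:
            continue
        return True
    return False


def split_kubectl_resource(spec):
    """Split kubectl's 'resource.group' notation (e.g. 'ingressroutes.traefik.containo.us').

    Resource names contain no dots, so the first dot separates the API group.
    """
    resource, _, group = spec.partition(".")
    return resource, group


def can_apply(rules, resource, api_group=""):
    """kubectl apply GETs the live object, then POSTs (create) a new one or
    PATCHes an existing one, so a pipeline identity needs get, create and
    patch on every resource kind it manages."""
    return all(can_i(rules, verb, resource, api_group)
               for verb in ("get", "create", "patch"))


def access_matrix(rules, targets, verbs=("get", "list", "create", "update", "patch", "delete")):
    """The same table 'kubectl auth can-i' would give per verb, keyed by (verb, resource, group)."""
    return {(verb, res, grp): can_i(rules, verb, res, grp)
            for res, grp in targets for verb in verbs}


def wildcard_rules(rules):
    """Indices of rules using '*' in any field: the usual sign of an over-broad CI credential."""
    return [i for i, rule in enumerate(rules)
            if any("*" in rule.get(field, []) for field in ("apiGroups", "resources", "verbs"))]


if __name__ == "__main__":
    targets = [split_kubectl_resource(s) for s in
               ("deployments.apps", "services", "ingressroutes.traefik.containo.us")]
    for (verb, res, grp), allowed in access_matrix(ROLE_RULES, targets).items():
        spec = f"{res}.{grp}" if grp else res
        print(f"can-i {verb:7} {spec:40} {'yes' if allowed else 'no'}")
    print("wildcard rules:", wildcard_rules(ROLE_RULES) or "none")
```

Running it reproduces the `yes`/`yes`/`yes`/`no` answers from the `kubectl auth can-i` session above without touching a cluster, and the same `can_apply` check, pointed at every resource kind a GitLab job applies, tells you up front which kinds will still fail with 403.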