Failed to list/watch resources

zoid · November 7, 2019, 2:50pm

Hello,

I got following errors during deploying traefik ingress controller. I am running kubernetes on GKE (1.14.8-gke.2). Deploying via kubectl apply -f from pipelines:

Failed to watch *v1alpha1.IngressRoute: unknown (get ingressroutes.traefik.containo.us) 
Failed to watch *v1alpha1.Middleware: unknown (get middlewares.traefik.containo.us) 
Failed to watch *v1alpha1.TLSOption: unknown (get tlsoptions.traefik.containo.us) 
Failed to watch *v1alpha1.IngressRouteTCP: unknown (get ingressroutetcps.traefik.containo.us) 
Failed to list *v1alpha1.IngressRoute: ingressroutes.traefik.containo.us is forbidden: User "system:serviceaccount:default:traefik-ingress-controller" cannot list resource "ingressroutes" in API group "traefik.containo.us" at the cluster scope 
Failed to list *v1alpha1.Middleware: middlewares.traefik.containo.us is forbidden: User "system:serviceaccount:default:traefik-ingress-controller" cannot list resource "middlewares" in API group "traefik.containo.us" at the cluster scope 
Failed to list *v1alpha1.TLSOption: tlsoptions.traefik.containo.us is forbidden: User "system:serviceaccount:default:traefik-ingress-controller" cannot list resource "tlsoptions" in API group "traefik.containo.us" at the cluster scope 
Failed to list *v1alpha1.IngressRouteTCP: ingressroutetcps.traefik.containo.us is forbidden: User "system:serviceaccount:default:traefik-ingress-controller" cannot list resource "ingressroutetcps" in API group "traefik.containo.us" at the cluster scope

Here is how I add custom resources:

apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: ingressroutes.traefik.containo.us

spec:
  group: traefik.containo.us
  version: v1alpha1
  names:
    kind: IngressRoute
    plural: ingressroutes
    singular: ingressroute
  scope: Namespaced

---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: middlewares.traefik.containo.us
spec:
  group: traefik.containo.us
  version: v1alpha1
  names:
    kind: Middleware
    plural: middlewares
    singular: middleware
  scope: Namespaced

---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: tlsoptions.traefik.containo.us

spec:
  group: traefik.containo.us
  version: v1alpha1
  names:
    kind: TLSOption
    plural: tlsoptions
    singular: tlsoption
  scope: Namespaced

---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: ingressroutetcps.traefik.containo.us

spec:
  group: traefik.containo.us
  version: v1alpha1
  names:
    kind: IngressRouteTCP
    plural: ingressroutetcps
    singular: ingressroutetcp
  scope: Namespaced

Can not find any proper informations on google, so maybe some of you guys will know.

Thanks for any advice.

David

zespri · November 7, 2019, 9:34pm

Looks like permission problem? Have you also applied RBAC settings? https://docs.traefik.io/user-guides/crd-acme/#ingressroute-definition

zoid · November 8, 2019, 8:14am

Yes, I have applied it before applying custom resources. It looks exactly like in docs.

zespri · November 8, 2019, 9:26am

Looks like you had something wrong or missing when you set up traefik in kubernetes, you need to correct that. That link above gives you a base line that proved working.

zoid · November 8, 2019, 10:18am

Checked twice, RBAC is Ok - just like in docs. Don't know why it cant load resources.

zespri · November 8, 2019, 8:12pm

Then it something else that you did wrong or missed.

imans77 · November 9, 2019, 5:15pm

It's probably the namespaces you're trying to list.

I had the same problem and I solved it by limiting namespace access for traefik like this (static config):

[providers.kubernetescrd]
      namespaces = ["traefik-ns"]

in the namespaces, you need to set only the namespace that traefik exists on.
Try this, and everything should be working correctly.

Then if you want for traefik to watch over more namespaces, e.g. new-ns, you need to define a k8s Role in new-ns and then bind that role with a RoleBinding to the ServiceAccount that traefik uses (exactly that sa, not a new one. Make sure you're setting namespace: traefik-ns in the subject part of RoleBinding.

Having done that and making sure about k8s NetworkPolicies, you're good to go.

link · November 14, 2019, 5:03am

I have meet similar problem too. My problem is described above.

Topic		Replies	Views
Failed to watch XXXX: failed to list XXXX: Unauthorized Traefik v2 kubernetes-crd	3	2006	April 27, 2022
Bunch of authorizations issues Traefik v2 kubernetes-crd	5	995	April 29, 2023
Traefik Ingress K8s cannot watch TLSSTore, ServersTransport, IngressRoute Traefik v2 kubernetes-ingress	0	404	September 19, 2021
Failed to list *: the server could not find the requested resource Traefik v2 kubernetes-crd	1	5805	May 18, 2020
Error on traefik plugin install configuration in kubernetes Traefik v2 plugin	8	306	March 6, 2024

Failed to list/watch resources

Related Topics