Hi all,
I have installed Traefik in Kubernetes according to the Traefik documentation.
All works well and, as an 'admin' I am able to create an ingress object and reach it from the outside.
We want to create 'limited' users who only have access to a namespace. These users cannot create an ingress. They get the following error:
```
Error from server (Forbidden): error when creating "/tmp/stg-ingress.yaml": ingresses.networking.k8s.io is forbidden: User "simpleuser" cannot create resource "ingresses" in API group "networking.k8s.io" in the namespace "civ-scorewater-stg"
```
When I apply the same manifest (/tmp/stg-ingress.yaml) as the 'admin' user, then the manifest just gets created. Ingress manifest:
```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: orion
  namespace: civ-scorewater-stg
  annotations:
    traefik.ingress.kubernetes.io/router.entrypoints: websecure
    traefik.ingress.kubernetes.io/router.tls: "true"
spec:
  tls:
    - hosts:
        - host.comain.com
      secretName: domain-secret
  rules:
    - host: host.domain.com
      http:
        paths:
          # Path-based routing settings:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: orion
                port:
                  number: 1026
```
These are the rights for the 'simpleuser':
```yaml
---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: civ-stg-scorewater-devs
  namespace: civ-stg-scorewater
rules:
  - apiGroups: ["", "extensions", "apps"]
    resources: ["*"]
    verbs: ["*"]
  - apiGroups: ["batch"]
    resources:
      - jobs
      - cronjobs
    verbs: ["*"]
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: simpleuser
  namespace: civ-scorewater-stg
subjects:
  - kind: User
    name: simpleuser
    apiGroup: rbac.authorization.k8s.io
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: civ-stg-scorewater-dev
```
Does anyone know how to grant the proper rights to the 'simpleuser' user?
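
Added example (not part of the original post): a small Python model of how Kubernetes RBAC resolves the request from the error message, using only the Role and RoleBinding fields transcribed from the manifests above. `explain` and `corrected` are hypothetical helpers, cluster-scoped bindings are ignored, and the verb list in `corrected` is an assumption.

```python
# Fields RBAC consults, transcribed from the manifests in the post.
ROLES = [{
    "name": "civ-stg-scorewater-devs", "namespace": "civ-stg-scorewater",
    "rules": [
        {"apiGroups": ["", "extensions", "apps"], "resources": ["*"], "verbs": ["*"]},
        {"apiGroups": ["batch"], "resources": ["jobs", "cronjobs"], "verbs": ["*"]},
    ],
}]
BINDINGS = [{"namespace": "civ-scorewater-stg", "users": ["simpleuser"],
             "roleRef": "civ-stg-scorewater-dev"}]

def _match(allowed, value):
    return "*" in allowed or value in allowed

def explain(user, verb, group, resource, namespace, roles=ROLES, bindings=BINDINGS):
    """Return (allowed, reasons) for a namespaced request (hypothetical helper)."""
    reasons = []
    for b in bindings:
        if b["namespace"] != namespace or user not in b["users"]:
            continue
        # A roleRef of kind Role is looked up by exact name in the binding's namespace.
        role = next((r for r in roles if r["name"] == b["roleRef"]
                     and r["namespace"] == b["namespace"]), None)
        if role is None:
            reasons.append(f"roleRef {b['roleRef']!r} not found in namespace {b['namespace']!r}")
            continue
        for rule in role["rules"]:
            if (_match(rule["apiGroups"], group) and _match(rule["resources"], resource)
                    and _match(rule["verbs"], verb)):
                return True, []
        reasons.append(f"role {role['name']!r} has no rule for {verb} {resource}.{group}")
    return False, reasons or [f"no RoleBinding for {user!r} in {namespace!r}"]

def corrected():
    """Constructed variant: Role in the binding's namespace, matching roleRef name,
    plus a rule scoped to ingresses only (verb list is an assumption)."""
    ingress_rule = {"apiGroups": ["networking.k8s.io"], "resources": ["ingresses"],
                    "verbs": ["get", "list", "watch", "create", "update", "patch", "delete"]}
    roles = [{"name": "civ-stg-scorewater-devs", "namespace": "civ-scorewater-stg",
              "rules": ROLES[0]["rules"] + [ingress_rule]}]
    bindings = [dict(BINDINGS[0], roleRef="civ-stg-scorewater-devs")]
    return roles, bindings

if __name__ == "__main__":
    req = ("simpleuser", "create", "networking.k8s.io", "ingresses", "civ-scorewater-stg")
    print(explain(*req))                # denied, with the reason
    print(explain(*req, *corrected()))  # allowed
```

On a live cluster, `kubectl auth can-i create ingresses.networking.k8s.io --as simpleuser -n civ-scorewater-stg` run as an admin gives the authoritative answer for the same request.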