I'm using Traefik v2.5.4 and external DNS and TCP routes in AKS 1.22.2. I have the example from the link below about MySQL working great; I was able to log in from another machine to the pod running MySQL.
Thanks for the detailed post, I just fixed the entry point from mysql to mysql-port and it worked.
I've installed Traefik and have the ingress and CRD providers loaded, and restricted the CRD provider to the traefik-internal class.
I've loaded the CRD from here: Routing Configuration for Traefik CRD - Traefik
Here is my RBAC for system:serviceaccount:kube-system:traefik-ingress-controller:
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: traefik-ingress-controller
rules:
  - apiGroups:
      - ""
    resources:
      - services
      - endpoints
      - secrets
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - extensions
      - networking.k8s.io
    resources:
      - ingresses
      - ingressclasses
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - extensions
      - networking.k8s.io
    resources:
      - ingresses/status
    verbs:
      - update
  - apiGroups:
      - traefik.containo.us
    resources:
      - middlewares
      - ingressroutes
      - traefikservices
      - ingressroutetcps
      - ingressrouteudps
      - tlsoptions
      - tlsstores
      - serverstransports
    verbs:
      - get
      - list
      - watch
Here is the error I'm getting without adding cluster-admin to my service account:
E1124 08:55:58.035988 1 reflector.go:138] pkg/mod/k8s.io/client-go@v0.21.0/tools/cache/reflector.go:167: Failed to watch *v1alpha1.MiddlewareTCP: failed to list *v1alpha1.MiddlewareTCP: middlewaretcps.traefik.containo.us is forbidden: User "system:serviceaccount:kube-system:traefik-ingress-controller" cannot list resource "middlewaretcps" in API group "traefik.containo.us" at the cluster scope
This starts to work once I add cluster-admin role to my service account, but I would like to add a less powerful permission.
Thanks for your help.
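The comparison between the denial in the log and the ClusterRole above can be done mechanically, which is a way to find the narrowest missing grant instead of falling back to cluster-admin. The following is an added example, not code from the poster or from the Traefik project; the function names are hypothetical, and the role's `traefik.containo.us` rule is transcribed by hand into a Python dict so the script needs no YAML library.

```python
import re

# Matches the API server's RBAC denial message as it appears in the log line above.
FORBIDDEN = re.compile(
    r'User "(?P<user>[^"]+)" cannot (?P<verb>\w+) resource "(?P<resource>[^"]+)" '
    r'in API group "(?P<group>[^"]*)"'
)

# The traefik.containo.us rule from the ClusterRole in the post, transcribed as a dict.
ROLE_RULES = [
    {"apiGroups": ["traefik.containo.us"],
     "resources": ["middlewares", "ingressroutes", "traefikservices",
                   "ingressroutetcps", "ingressrouteudps", "tlsoptions",
                   "tlsstores", "serverstransports"],
     "verbs": ["get", "list", "watch"]},
]

def allowed(rules, group, resource, verb):
    """True if any rule grants verb on group/resource (honouring '*' wildcards)."""
    def hit(values, wanted):
        return "*" in values or wanted in values
    return any(hit(r["apiGroups"], group) and hit(r["resources"], resource)
               and hit(r["verbs"], verb) for r in rules)

def missing_grants(log_text, rules):
    """Sorted (group, resource, verb) tuples denied in the log and absent from rules."""
    denied = {(m["group"], m["resource"], m["verb"]) for m in FORBIDDEN.finditer(log_text)}
    return sorted(d for d in denied if not allowed(rules, *d))

def patched(rules, grants):
    """Copy of rules with each missing resource added to the rule for its API group."""
    out = [dict(r, resources=list(r["resources"])) for r in rules]
    for group, resource, verb in grants:
        for r in out:
            if group in r["apiGroups"] and verb in r["verbs"]:
                if resource not in r["resources"]:
                    r["resources"].append(resource)
                break
        else:  # no existing rule covers this group/verb: add a dedicated narrow rule
            out.append({"apiGroups": [group], "resources": [resource], "verbs": [verb]})
    return out

# Denial text copied from the log line in the post (klog prefix omitted).
LOG = ('Failed to watch *v1alpha1.MiddlewareTCP: failed to list *v1alpha1.MiddlewareTCP: '
       'middlewaretcps.traefik.containo.us is forbidden: User '
       '"system:serviceaccount:kube-system:traefik-ingress-controller" cannot list resource '
       '"middlewaretcps" in API group "traefik.containo.us" at the cluster scope')

if __name__ == "__main__":
    gaps = missing_grants(LOG, ROLE_RULES)
    print(gaps)
    print(patched(ROLE_RULES, gaps)[0]["resources"])
```

Because the missing resource is appended to the existing `traefik.containo.us` rule, it inherits that rule's read-only `get`, `list` and `watch` verbs and nothing broader.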