Permission issue for Service Account using CRD TCP on AKS

I'm using Traefik v2.5.4 with external DNS and TCP routes in AKS 1.22.2. I have the mysql example from the link below working great; I was able to log in from another machine into the pod running mysql.

Thanks for the detailed post; I just fixed the entry point from mysql to mysql-port and it worked.

I've installed traefik and have ingress and crd providers loaded and restricted crd to traefik-internal class.

I've loaded the CRD from here: Routing Configuration for Traefik CRD - Traefik

Here is my RBAC for system:serviceaccount:kube-system:traefik-ingress-controller:

kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: traefik-ingress-controller
rules:
  - apiGroups:
      - ""
    resources:
      - services
      - endpoints
      - secrets
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - extensions
      - networking.k8s.io
    resources:
      - ingresses
      - ingressclasses
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - extensions
      - networking.k8s.io
    resources:
      - ingresses/status
    verbs:
      - update
  - apiGroups:
      - traefik.containo.us
    resources:
      - middlewares
      - ingressroutes
      - traefikservices
      - ingressroutetcps
      - ingressrouteudps
      - tlsoptions
      - tlsstores
      - serverstransports
    verbs:
      - get
      - list
      - watch

Here is the error I'm getting without adding cluster-admin to my service account:
E1124 08:55:58.035988 1 reflector.go:138] pkg/mod/k8s.io/client-go@v0.21.0/tools/cache/reflector.go:167: Failed to watch *v1alpha1.MiddlewareTCP: failed to list *v1alpha1.MiddlewareTCP: middlewaretcps.traefik.containo.us is forbidden: User "system:serviceaccount:kube-system:traefik-ingress-controller" cannot list resource "middlewaretcps" in API group "traefik.containo.us" at the cluster scope

This starts to work once I add the cluster-admin role to my service account, but I would like to grant a less powerful permission.
Thanks for your help.

Hi @BrianAffinity7Conslt and thanks for your interest in Traefik,

As described in the documentation, the middlewaretcps resource is missing from the RBAC. The RBAC should look like the following:

kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: traefik-ingress-controller
rules:
  - apiGroups:
      - ""
    resources:
      - services
      - endpoints
      - secrets
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - extensions
      - networking.k8s.io
    resources:
      - ingresses
      - ingressclasses
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - extensions
      - networking.k8s.io
    resources:
      - ingresses/status
    verbs:
      - update
  - apiGroups:
      - traefik.containo.us
    resources:
      - middlewares
      - middlewaretcps
      - ingressroutes
      - traefikservices
      - ingressroutetcps
      - ingressrouteudps
      - tlsoptions
      - tlsstores
      - serverstransports
    verbs:
      - get
      - list
      - watch

Hope this helps!
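As an added example (not part of this thread and not Traefik's own code), the check below encodes the reasoning behind the answer: instead of granting cluster-admin to find out what is missing, read the `forbidden` line the controller logs, turn it into an (apiGroup, resource, verb) triple, and compare the ClusterRole's rules against the full set of triples the CRD provider needs. The rules are assumed to be available as Python dicts with the same shape `kubectl get clusterrole -o json` returns; the role below is the one from the question, and the resource list is the one from the answer.

```python
"""Least-privilege check for a controller's ClusterRole (added example).

Given ClusterRole rules and the (apiGroup, resource, verb) triples a
controller needs, report the triples the role does not grant, honouring
RBAC '*' wildcards, and build the minimal extra rules that would grant them.
"""
import re
from typing import Dict, List, Tuple

Triple = Tuple[str, str, str]  # (apiGroup, resource, verb)

# Resources the Traefik v2 CRD provider watches in traefik.containo.us
# (the list from the answer, including middlewaretcps). Informers need
# get/list/watch on each of them.
TRAEFIK_CRD_RESOURCES = [
    "middlewares", "middlewaretcps", "ingressroutes", "traefikservices",
    "ingressroutetcps", "ingressrouteudps", "tlsoptions", "tlsstores",
    "serverstransports",
]
WATCH_VERBS = ("get", "list", "watch")

# The ClusterRole rules from the question, as dicts (same shape as
# 'kubectl get clusterrole traefik-ingress-controller -o json' .rules).
ROLE_BEFORE: List[Dict[str, List[str]]] = [
    {"apiGroups": [""], "resources": ["services", "endpoints", "secrets"],
     "verbs": ["get", "list", "watch"]},
    {"apiGroups": ["extensions", "networking.k8s.io"],
     "resources": ["ingresses", "ingressclasses"], "verbs": ["get", "list", "watch"]},
    {"apiGroups": ["extensions", "networking.k8s.io"],
     "resources": ["ingresses/status"], "verbs": ["update"]},
    {"apiGroups": ["traefik.containo.us"],
     "resources": ["middlewares", "ingressroutes", "traefikservices",
                   "ingressroutetcps", "ingressrouteudps", "tlsoptions",
                   "tlsstores", "serverstransports"],
     "verbs": ["get", "list", "watch"]},
]

# The client-go error line quoted in the question.
FORBIDDEN_LINE = (
    'E1124 08:55:58.035988 1 reflector.go:138] Failed to watch *v1alpha1.MiddlewareTCP: '
    'middlewaretcps.traefik.containo.us is forbidden: User '
    '"system:serviceaccount:kube-system:traefik-ingress-controller" cannot list '
    'resource "middlewaretcps" in API group "traefik.containo.us" at the cluster scope'
)

FORBIDDEN_RE = re.compile(
    r'User "(?P<user>[^"]+)" cannot (?P<verb>\w+) resource "(?P<resource>[^"]+)"'
    r' in API group "(?P<group>[^"]*)"'
)


def parse_forbidden(line: str) -> Dict[str, str]:
    """Extract user, verb, resource and apiGroup from an RBAC 'forbidden' message."""
    match = FORBIDDEN_RE.search(line)
    if match is None:
        raise ValueError("not an RBAC forbidden message")
    return match.groupdict()


def required_triples() -> List[Triple]:
    """Every (group, resource, verb) the CRD provider needs on its own CRDs."""
    return [("traefik.containo.us", r, v) for r in TRAEFIK_CRD_RESOURCES for v in WATCH_VERBS]


def _allows(allowed: List[str], value: str) -> bool:
    # RBAC treats '*' as matching anything in apiGroups, resources and verbs.
    return "*" in allowed or value in allowed


def grants(rules: List[Dict[str, List[str]]], triple: Triple) -> bool:
    """True if any single rule grants the triple (all three lists must match)."""
    group, resource, verb = triple
    return any(
        _allows(rule.get("apiGroups", []), group)
        and _allows(rule.get("resources", []), resource)
        and _allows(rule.get("verbs", []), verb)
        for rule in rules
    )


def missing_permissions(rules, required: List[Triple]) -> List[Triple]:
    """Triples the role does not grant, in the order they were required."""
    return [t for t in required if not grants(rules, t)]


def rules_for(triples: List[Triple]) -> List[Dict[str, List[str]]]:
    """Minimal extra rules, one per apiGroup, granting exactly the missing triples.
    Resources and verbs are merged per group, so only use it for triples that
    share the same verb set (as get/list/watch here) to avoid over-granting."""
    by_group: Dict[str, Dict[str, set]] = {}
    for group, resource, verb in triples:
        entry = by_group.setdefault(group, {"resources": set(), "verbs": set()})
        entry["resources"].add(resource)
        entry["verbs"].add(verb)
    return [{"apiGroups": [g], "resources": sorted(e["resources"]), "verbs": sorted(e["verbs"])}
            for g, e in sorted(by_group.items())]


if __name__ == "__main__":
    denied = parse_forbidden(FORBIDDEN_LINE)
    print("log line asks for:", (denied["group"], denied["resource"], denied["verb"]))
    gap = missing_permissions(ROLE_BEFORE, required_triples())
    print("role is missing:", gap)
    print("add rules:", rules_for(gap))
```

Running it on the role from the question reports the three missing triples for `middlewaretcps` and prints the one rule that closes the gap; running it again on the amended role reports nothing missing, which is the least-privilege outcome the thread arrives at without touching cluster-admin.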

That fixed it! Thank you for your help.
