ingress-nginx: New ingress-controller should not mandate the cluster level permission on IngressClass

NGINX Ingress controller version: v1.0.0-beta.1

Kubernetes version (use kubectl version): 1.21.0

Environment:

  • Cloud provider or hardware configuration:

  • OS (e.g. from /etc/os-release): CentOS Linux release 7.6.1810 (Core)

  • Kernel (e.g. uname -a): Linux shc-sma-cd56.hpeswlab.net 3.10.0-957.5.1.el7.x86_64 #1 SMP Fri Feb 1 14:54:57 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux

What happened:

I deploy my ingress-controller in Kubernetes 1.21 with namespaced permissions only. With the old ingress-controller, everything is fine. But once upgraded to the latest ingress controller 1.0.0, the ingress-controller cannot start any more because it mandates the cluster-level permission on “IngressClass”. Without this permission, the ingress-controller even fails to start, while it is fine in the old version. Does anyone know whether this is a bug or intended?

With the annotation-based ingress-controller, my application can easily be deployed in a shared k8s environment, since namespace permission is good enough. But with the new approach, I must ask the k8s administrator to create the cluster-level object “IngressClass”. This update completely changes the application deployment flavor: it forces the Kubernetes administrator to create the cluster-level resource “IngressClass” for every application deployed in a k8s cluster that doesn’t have cluster-level permission.

Error message:

E0819 08:46:59.449156      20 reflector.go:138] k8s.io/client-go@v0.21.1/tools/cache/reflector.go:167: Failed to watch *v1.IngressClass: failed to list *v1.IngressClass: ingressclasses.networking.k8s.io is forbidden: User "system:serviceaccount:test1-rw15y:demo-nginx-ingress" cannot list resource "ingressclasses" in API group "networking.k8s.io" at the cluster scope
E0819 08:47:06.075761      20 reflector.go:138] k8s.io/client-go@v0.21.1/tools/cache/reflector.go:167: Failed to watch *v1.IngressClass: failed to list *v1.IngressClass: ingressclasses.networking.k8s.io is forbidden: User "system:serviceaccount:itsma-rw15y:itom-nginx-ingress" cannot list resource "ingressclasses" in API group "networking.k8s.io" at the cluster scope
I0819 08:47:06.667186      20 healthz.go:244] nginx-ingress-controller check failed: healthz
[-]nginx-ingress-controller failed: reading /tmp/nginx.pid: open /tmp/nginx.pid: no such file or directory

What you expected to happen:

IngressController should start as normal even if the ServiceAccount doesn’t have permission on the class level object “IngressClass”.

How to reproduce it:

Anything else we need to know:

/kind bug
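As an added example (not part of the original issue or the ingress-nginx project), the following Python sketch parses API-server "forbidden" messages like the ones quoted above and derives, per service account, the narrowest RBAC rule that would have allowed each denied call. The third sample line, with its namespace and service account names, is constructed to show a namespaced denial; the function names are hypothetical.

```python
import re
from collections import defaultdict

# Lines 1, 2 and 4 are the messages quoted in the issue; line 3 is constructed
# (hypothetical namespace and service account) to show a namespaced denial.
SAMPLE_LOG = '''\
E0819 08:46:59.449156      20 reflector.go:138] k8s.io/client-go@v0.21.1/tools/cache/reflector.go:167: Failed to watch *v1.IngressClass: failed to list *v1.IngressClass: ingressclasses.networking.k8s.io is forbidden: User "system:serviceaccount:test1-rw15y:demo-nginx-ingress" cannot list resource "ingressclasses" in API group "networking.k8s.io" at the cluster scope
E0819 08:47:06.075761      20 reflector.go:138] k8s.io/client-go@v0.21.1/tools/cache/reflector.go:167: Failed to watch *v1.IngressClass: failed to list *v1.IngressClass: ingressclasses.networking.k8s.io is forbidden: User "system:serviceaccount:itsma-rw15y:itom-nginx-ingress" cannot list resource "ingressclasses" in API group "networking.k8s.io" at the cluster scope
E0819 08:47:07.000000      20 example.go:1] configmaps is forbidden: User "system:serviceaccount:demo-ns:demo-sa" cannot watch resource "configmaps" in API group "" in the namespace "demo-ns"
I0819 08:47:06.667186      20 healthz.go:244] nginx-ingress-controller check failed: healthz
'''

# Wording used by the Kubernetes API server when RBAC denies a request.
FORBIDDEN = re.compile(
    r'User "(?P<user>[^"]+)" cannot (?P<verb>\S+) resource "(?P<resource>[^"]+)" '
    r'in API group "(?P<group>[^"]*)" '
    r'(?:at the cluster scope|in the namespace "(?P<ns>[^"]+)")'
)

def parse_denials(log_text):
    """Return {(user, scope): {(group, resource): {verbs}}} for every denial."""
    denials = defaultdict(lambda: defaultdict(set))
    for line in log_text.splitlines():
        m = FORBIDDEN.search(line)
        if not m:
            continue  # not an RBAC denial (e.g. the healthz line)
        scope = m["ns"] or "<cluster>"
        denials[(m["user"], scope)][(m["group"], m["resource"])].add(m["verb"])
    return denials

def minimal_rules(denials):
    """Map each subject/scope to the smallest rule set covering its denials."""
    out = {}
    for (user, scope), wanted in denials.items():
        # Cluster-scoped denials can only be satisfied by a ClusterRole.
        kind = "ClusterRole" if scope == "<cluster>" else "Role"
        rules = [{"apiGroups": [g], "resources": [r], "verbs": sorted(v)}
                 for (g, r), v in sorted(wanted.items())]
        out[(user, scope)] = {"kind": kind, "rules": rules}
    return out

if __name__ == "__main__":
    for subject, grant in minimal_rules(parse_denials(SAMPLE_LOG)).items():
        print(subject, grant)
```

Only `list` shows up for `ingressclasses` because the client-go reflector lists before it watches; a role built from these lines alone would surface a `watch` denial next.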

About this issue

  • State: closed
  • Created 3 years ago
  • Reactions: 1
  • Comments: 17 (13 by maintainers)

Most upvoted comments

Encountered a similar issue on nginx 1.1.1 with helm chart 4.0.15