traefik: Ingressclasses not available on namespace scope level
Hi traefik community,
After upgrading the k8s cluster to v1.18+, we get the following error during startup of traefik v2.3+:
`E0107 06:45:40.895430 1 reflector.go:178] pkg/mod/k8s.io/client-go@v0.18.2/tools/cache/reflector.go:125: Failed to list *v1beta1.IngressClass: ingressclasses.networking.k8s.io is forbidden: User "system:serviceaccount:traefik:traefik" cannot list resource "ingressclasses" in API group "networking.k8s.io" at the cluster scope`
The problem: Within k8s v1.18+ the “IngressClass” was introduced to avoid bad annotations on “Ingress” resource objects themselves (see here). The idea of that concept is pretty cool, but it is lacking in implementation because it requires access at cluster scope level. Hence, developers or teams who can only work at namespace scope cannot use traefik ingress > 2.3.x on gke > 1.18.x.
Possible solutions could be:
- Introduce a configuration switch to disable the listing/usage of ingressclasses during startup of traefik v2.3+ OR
- Raise this issue with the k8s community so that they can work on the cluster scope issue of “ingressclasses” on k8s v1.18+. In my opinion it must be possible to define ingressclasses also at namespace scope.
Temporary Solution
Currently we downgraded our traefik to v2.2.11, where listing of “ingressclasses” is not implemented and traefik starts up correctly also on gke 1.18+.
About this issue
- State: closed
- Created 3 years ago
- Reactions: 14
- Comments: 20 (7 by maintainers)
Hello @bschoenbach @nustiueudinastea @joeldeteves @alexangas,
Thanks for your interest in Traefik!
This error can happen because Traefik, as a Kubernetes client, has no rights to fetch resources. As mentioned in the migration guide, when updating to Traefik v2.3+, the support of IngressClasses makes it necessary to update the RBACs.
Can you please check that the RBACs granted to Traefik contain:
More generally you can find up-to-date RBACs in the documentation in the dynamic-configuration reference for Kubernetes CRD provider page.
Thanks for the explanation, we think it makes sense and we are then labeling the issue as an enhancement.
Unfortunately, this would not make it to our roadmap for a while as we are focused elsewhere. If you or another community member would like to build it, let us know and we will work with you to make sure you have all the information needed so that it can be merged.
Having the same issue when trying to run the latest Helm chart using namespaced deployment.
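
The RBAC change discussed in this thread, as an added example that is not part of the original issue or of the Traefik documentation: a ClusterRole limited to read-only access on `ingressclasses`, bound to the service account named in the error message. The object name `traefik-ingressclass-reader` is hypothetical, and applying it assumes a cluster admin is willing to grant this one cluster-scoped rule.

```yaml
# Added example. IngressClass is a cluster-scoped resource, so a namespaced
# Role/RoleBinding cannot authorize "list ... at the cluster scope"; the grant
# has to come from a ClusterRole bound with a ClusterRoleBinding.
# Only the IngressClass read is granted here; the rest of the service
# account's permissions are left untouched by this manifest.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: traefik-ingressclass-reader   # hypothetical name
rules:
  - apiGroups: ["networking.k8s.io"]  # API group from the error message
    resources: ["ingressclasses"]     # resource from the error message
    verbs: ["get", "list", "watch"]   # read-only: no create/update/delete
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: traefik-ingressclass-reader   # hypothetical name
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: traefik-ingressclass-reader
subjects:
  - kind: ServiceAccount
    name: traefik        # from the error: system:serviceaccount:traefik:traefik
    namespace: traefik
# Check the result as a cluster admin with:
#   kubectl auth can-i list ingressclasses.networking.k8s.io \
#     --as=system:serviceaccount:traefik:traefik
```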