kubernetes-ingress
haproxy ingress doesn't detect services in kube-system namespace?
I observe that haproxy ingress is not able to detect the services present in the kube-system namespace. Is there something which I have missed here?
Below are the YAML files which I have tried. I have tried with different apps by deploying them in this namespace but so far haven't been able to figure it out.
```yaml
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: minio-deployment
  namespace: kube-system
spec:
  strategy:
    type: Recreate
  template:
    metadata:
      labels:
        app: minio
    spec:
      volumes:
      - name: storage
        emptyDir: {}
      containers:
      - name: minio
        image: minio/minio
        args:
        - server
        - /storage
        env:
        - name: MINIO_ACCESS_KEY
          value: "minio"
        - name: MINIO_SECRET_KEY
          value: "minio123"
        ports:
        - containerPort: 9000
        volumeMounts:
        - name: storage  # must match the volume name, above
          mountPath: "/storage"
---
apiVersion: v1
kind: Service
metadata:
  name: minio-service
  namespace: kube-system
spec:
  type: ClusterIP
  ports:
  - port: 9000
    targetPort: 9000
    protocol: TCP
  selector:
    app: minio
```
```yaml
apiVersion: v1
kind: Namespace
metadata:
  name: haproxy-controller
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: haproxy-ingress-service-account
  namespace: haproxy-controller
```
```yaml
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: haproxy-ingress-cluster-role
rules:
- apiGroups:
  - ""
  resources:
  - configmaps
  - endpoints
  - nodes
  - pods
  - services
  - namespaces
  - events
  - serviceaccounts
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - "extensions"
  resources:
  - ingresses
  - ingresses/status
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - secrets
  verbs:
  - get
  - list
  - watch
  - create
  - patch
  - update
- apiGroups:
  - extensions
  resources:
  - ingresses
  verbs:
  - get
  - list
  - watch
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: haproxy-ingress-cluster-role-binding
  namespace: haproxy-controller
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: haproxy-ingress-cluster-role
subjects:
- kind: ServiceAccount
  name: haproxy-ingress-service-account
  namespace: haproxy-controller
```
```yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: haproxy-configmap
  namespace: haproxy-controller
data:
---
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    run: haproxy-ingress
  name: haproxy-ingress
  namespace: haproxy-controller
spec:
  replicas: 1
  selector:
    matchLabels:
      run: haproxy-ingress
  template:
    metadata:
      labels:
        run: haproxy-ingress
    spec:
      serviceAccountName: haproxy-ingress-service-account
      containers:
      - name: haproxy-ingress
        image: haproxytech/kubernetes-ingress
        args:
        - --configmap=$(POD_NAMESPACE)/haproxy-configmap
        - --default-backend-service=$(POD_NAMESPACE)/http-svc
        - --default-ssl-certificate=$(POD_NAMESPACE)/tls-secret
        - --ingress.kubernetes.io/secure-backends=true
        - --ingress.kubernetes.io/ssl-redirect:true
        resources:
          requests:
            cpu: "500m"
            memory: "50Mi"
        livenessProbe:
          httpGet:
            path: /healthz
            port: 1042
        ports:
        - name: http
          containerPort: 80
        - name: https
          containerPort: 443
        - name: stat
          containerPort: 1024
        env:
        - name: POD_NAME
          valueFrom:
            fieldRef:
              fieldPath: metadata.name
        - name: POD_NAMESPACE
          valueFrom:
            fieldRef:
              fieldPath: metadata.namespace
---
apiVersion: v1
kind: Service
metadata:
  labels:
    run: haproxy-ingress
  name: haproxy-ingress
  namespace: haproxy-controller
spec:
  selector:
    run: haproxy-ingress
  type: NodePort
  ports:
  - name: http
    port: 80
    protocol: TCP
    targetPort: 80
    nodePort: 30080
  - name: https
    port: 443
    protocol: TCP
    targetPort: 443
    nodePort: 30443
  - name: stat
    port: 1024
    protocol: TCP
    targetPort: 1024
    nodePort: 31024
```
```yaml
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: Role
metadata:
  name: haproxy-controller-role
  namespace: haproxy-controller
rules:
- apiGroups:
  - ""
  resources:
  - configmaps
  - pods
  - secrets
  - namespaces
  verbs:
  - get
- apiGroups:
  - ""
  resources:
  - configmaps
  verbs:
  - get
  - update
- apiGroups:
  - ""
  resources:
  - configmaps
  verbs:
  - create
- apiGroups:
  - ""
  resources:
  - endpoints
  verbs:
  - get
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: RoleBinding
metadata:
  name: haproxy-controller-role-binding
  namespace: haproxy-controller
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: haproxy-controller-role  # must match the Role name above (originally written as "haproxy-controller")
subjects:
- kind: ServiceAccount
  name: haproxy-ingress-service-account  # must match the ServiceAccount created above (originally written as "haproxy-controller-service-account")
  namespace: haproxy-controller
```
```yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: web-ingress
  namespace: kube-system
spec:
  tls:
  - hosts:
    secretName: tls-secret
  rules:
  - host:
    http:
      paths:
      - path: /minio
        backend:
          serviceName: minio-service
          servicePort: 9000
```
kube-system is the namespace used by k8s itself and it is not desirable to put personal (non-k8s) objects in there.
However, if you wish to do so, that namespace must be whitelisted.
Please see the docs on how to do that (--namespace-whitelist=default).
Also please note that there is a downside here (need to be careful) when using whitelisting: you need to mention all namespaces that the controller is expected to monitor.
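The two behaviours described in this answer (kube-system is skipped unless whitelisted; once a whitelist exists, every namespace not on it is skipped too) are easy to get wrong when editing controller args. The following is an added example, not code from the haproxytech/kubernetes-ingress project: it models the namespace filter so you can check, offline, which Ingress objects a given argument list would cause the controller to ignore. Assumptions: `--namespace-whitelist` and `--namespace-blacklist` are the documented flag names and may be repeated (comma-separated values are an extra convenience of this model, not a documented form); with no whitelist, every namespace except kube-system is watched, as this thread states. The argument lists and the Ingress inventory are constructed sample data.

```python
"""Model of an ingress controller's namespace filter.

Added example (not the project's own code). It answers the question
"given these controller args, which Ingress objects are silently
ignored?" for a constructed inventory of Ingress resources.
"""
from __future__ import annotations

# Namespace this thread says is skipped unless it is explicitly whitelisted.
DEFAULT_SKIPPED = {"kube-system"}

WHITELIST_FLAG = "--namespace-whitelist"
BLACKLIST_FLAG = "--namespace-blacklist"


def parse_namespace_filters(args: list[str]) -> tuple[set[str], set[str]]:
    """Collect the values of the whitelist / blacklist flags from an arg list.

    Both `--flag=value` and `--flag value` forms are accepted, the flag may
    be repeated, and a value may contain several comma-separated names
    (the comma form is an assumption of this model, not a documented form).
    """
    whitelist: set[str] = set()
    blacklist: set[str] = set()
    i = 0
    while i < len(args):
        arg = args[i]
        for flag, target in ((WHITELIST_FLAG, whitelist), (BLACKLIST_FLAG, blacklist)):
            if arg == flag and i + 1 < len(args):
                value = args[i + 1]
                i += 1  # consume the separate value token
            elif arg.startswith(flag + "="):
                value = arg.split("=", 1)[1]
            else:
                continue
            target.update(v.strip() for v in value.split(",") if v.strip())
        i += 1
    return whitelist, blacklist


def is_watched(namespace: str, whitelist: set[str], blacklist: set[str]) -> bool:
    """True if the controller would act on objects in `namespace`.

    Blacklist always wins; a non-empty whitelist restricts watching to the
    listed namespaces only; with no whitelist, everything except the
    default-skipped set (kube-system) is watched.
    """
    if namespace in blacklist:
        return False
    if whitelist:
        return namespace in whitelist
    return namespace not in DEFAULT_SKIPPED


def ignored_ingresses(args: list[str],
                      ingresses: list[tuple[str, str]]) -> list[tuple[str, str]]:
    """Return the (namespace, name) pairs the controller would skip."""
    whitelist, blacklist = parse_namespace_filters(args)
    return [(ns, name) for ns, name in ingresses
            if not is_watched(ns, whitelist, blacklist)]


# Constructed inventory: the Ingress from the question plus two others.
SAMPLE_INGRESSES = [
    ("default", "web-ingress"),
    ("kube-system", "web-ingress"),
    ("team-a", "api"),
]

# Args as posted in the question (no namespace flags at all).
ARGS_AS_POSTED = ["--configmap=haproxy-controller/haproxy-configmap"]

# The fix suggested in the answer: whitelist kube-system. Note that once a
# whitelist exists, every namespace not on it is also dropped.
ARGS_WITH_WHITELIST = ARGS_AS_POSTED + [
    f"{WHITELIST_FLAG}=default",
    f"{WHITELIST_FLAG}=kube-system",
]

if __name__ == "__main__":
    print("as posted, ignored:", ignored_ingresses(ARGS_AS_POSTED, SAMPLE_INGRESSES))
    print("with whitelist, ignored:", ignored_ingresses(ARGS_WITH_WHITELIST, SAMPLE_INGRESSES))
```

Running it shows the two failure modes side by side: with the args as posted only the kube-system Ingress is ignored, which is the symptom in the question; with `default` and `kube-system` whitelisted, the kube-system Ingress is picked up but `team-a/api` is now ignored, which is the downside the answer warns about. Note that the ClusterRole in the question already grants cluster-wide get/list/watch on secrets and services, so whitelisting kube-system does not widen the RBAC grant; what changes is which namespaces' Ingress, Service and Secret objects the controller actually reads and routes to.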
The point is that many "administrative" components may run in this namespace. Maybe we could have a flag to "allow" monitoring this namespace on purpose, instead of whitelisting it + all of them. I mean, whitelisting is a pain because you can create namespaces very frequently...
Having a "--yes-I-want-to-monitor-ingresses-in-kube-system-namespace" flag would be better from my point of view.
Sure, we can add a flag for this purpose.
This makes sense now. Thanks a lot :)