Ingress not working when rbac.namespaced=true
- [X] Yes, I've searched similar issues on GitHub and didn't find any.
- [X] Yes, I've searched similar issues on the Traefik community forum and didn't find any.
What version of the Traefik's Helm Chart are you using?
10.3.4
What version of Traefik are you using?
2.5.1
What did you do?
We deployed the latest Helm chart and Traefik version on Kubernetes 1.22 with rbac.namespaced: true
helm install traefik traefik/traefik --set rbac.namespaced=true
What did you see instead?
We got an error in traefik log:
E0921 14:07:54.739657 1 reflector.go:138] pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:167: Failed to watch *v1.IngressClass: failed to list *v1.IngressClass: ingressclasses.networking.k8s.io is forbidden: User "system:serviceaccount:default:traefik" cannot list resource "ingressclasses" in API group "networking.k8s.io" at the cluster scope
Routing does not work.
What is your environment & configuration?
We tested on KinD with kubernetes 1.22.1
Additional Information
We also tested with traefik 2.5.3 with same result.
Right, I did notice this a while ago, and packaged that fix into a PR that was meant for something else ... https://github.com/traefik/traefik-helm-chart/pull/337
You're looking for this: https://github.com/traefik/traefik-helm-chart/pull/337/files#diff-f4430485e5002c71e33daa985c34e0fe4e4738a271c697ba0b1aaaba1718e041 And that one. https://github.com/traefik/traefik-helm-chart/pull/337/files#diff-7999c32e3d6ec3ed70ac9537b6b3b8d3d298fbf21f50609f9377b4ecc2de7ce3
Perfect, that's exactly what I'm looking for. Thanks for your feedback.
While looking deeper into the problem we also found that the current k8s client API (or k8s API?) doesn't provide the possibility to watch IngressClass at namespace level (https://github.com/kubernetes/client-go/issues/987), and therefore Traefik (and other ICs) have to watch them at cluster level, which requires ClusterRole + ClusterRoleBinding regardless of a namespaced flag.
IngressClass are cluster scoped objects. When issuing a command (get/list/watch/create/...), you do need those permissions at the cluster level. This is not a bug. Same goes for all cluster scoped objects: StorageClasses, PersistentVolumes, APIServices, ValidatingWebhookConfigurations, ...
So what's the purpose of rbac.namespaced=true? Is there a scenario where it can be used?
what's the purpose of rbac.namespaced=true?
Limits the scope of Ingresses that a given Traefik controller may use/write. Limits the scope of Services that a given controller may expose/communicate with.
if controller needs to read cluster scoped objects ... You need to grant that access, with a ClusterRoleBinding. Which is fixed by that PR. Doesn't have any impact on namespace-scoped resources.
Is there a scenario where it can be used?
Is there a scenario where it can't? With or without ingress classes, you can scope Traefik to a given namespace. Or you could deploy a single Traefik for your whole cluster.
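The cluster-scoped grant the reply above describes, written out as an added example (this is not the chart's own template nor the linked PR's diff). It assumes the ServiceAccount "traefik" in namespace "default", as named in the error message, and deliberately grants only read verbs on ingressclasses so the rest of the controller's permissions can stay in a namespaced Role:

```yaml
# Added example, not from the chart or PR #337: the minimal cluster-scoped
# read grant Traefik needs for IngressClass when rbac.namespaced=true.
# Assumes ServiceAccount "traefik" in namespace "default" (from the log line).
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: traefik-ingressclass-reader
rules:
  # IngressClass is cluster-scoped, so this access can only be granted via a
  # ClusterRole; keep it read-only and do not add other cluster-scoped resources.
  - apiGroups: ["networking.k8s.io"]
    resources: ["ingressclasses"]
    verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: traefik-ingressclass-reader
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: traefik-ingressclass-reader
subjects:
  # Bind only the controller's ServiceAccount; Ingress/Service access stays
  # in the namespaced Role/RoleBinding the chart already creates.
  - kind: ServiceAccount
    name: traefik
    namespace: default
```

After applying it, `kubectl auth can-i list ingressclasses --as=system:serviceaccount:default:traefik` should answer `yes`, while `kubectl auth can-i list ingresses --all-namespaces --as=system:serviceaccount:default:traefik` should still answer `no`.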
if controller needs to read cluster scoped objects ... You need to grant that access, with a ClusterRoleBinding. Which is fixed by that PR.
So I'm missing something here... according to the PR you linked, with rbac.namespaced=true the ClusterRole and ClusterRoleBinding are created so that Traefik can read the cluster-wide IngressClass objects, so everything should work? Because I just tried with the 10.7.1 Helm chart and if I use rbac.namespaced=true I still get the OP error. Is the change still not merged?
EDIT: ok, I see it's still open. Is a merge planned soon-ish?