Traefik authorisations error

[AllardKrings]

Hi,

I dit a clean install of Ubuntu 23.10 on my RISCV Starfive Visionfive.
The only thing I installed next was K3S.

Now alle pods are running:

kube-system helm-install-traefik-crd-7wm7w 0/1 Completed 0 174m
kube-system helm-install-traefik-v4v2d 0/1 Completed 2 174m
kube-system local-path-provisioner-6d44f4f9d7-k7dgx 1/1 Running 2 (107m ago) 174m
kube-system metrics-server-7c55d89d5d-w2hmq 1/1 Running 2 (106m ago) 174m
kube-system svclb-traefik-9a48e820-nvbsj 2/2 Running 2 (108m ago) 172m
kube-system traefik-8657d6b9f4-stbbv 1/1 Running 1 (108m ago) 172m
kube-system coredns-97b598894-2sb45 1/1 Running 1 (108m ago) 174m

However trafik does not seem to work correctly:

kubectl logs traefik-8657d6b9f4-stbbv -n kube-system gives:

E0420 11:21:03.776064 1 reflector.go:140] k8s.io/[email protected]/tools/cache/reflector.go:169: Failed to watch *v1alpha1.MiddlewareTCP: failed to list *v1alpha1.MiddlewareTCP: middlewaretcps.traefik.io is forbidden: User "system:serviceaccount:kube-system:traefik" cannot list resource "middlewaretcps" in API group "traefik.io" at the cluster scope

This error is given for each CRD.

Looking at the clusterrole:

kubectl get clusterrole traefik-kube-system -o yaml

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
annotations:
meta.helm.sh/release-name: traefik
meta.helm.sh/release-namespace: kube-system
creationTimestamp: "2024-04-20T08:26:10Z"
labels:
app.kubernetes.io/instance: traefik-kube-system
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: traefik
helm.sh/chart: traefik-21.2.1_up21.2.0
name: traefik-kube-system
resourceVersion: "600"
uid: e7326656-78c0-47a1-a8b2-408af3176c72
rules:

• apiGroups:
  • extensions
  • networking.k8s.io
    resources:
  • ingressclasses
  • ingresses
    verbs:
  • get
  • list
  • watch
• apiGroups:
  • ""
    resources:
  • services
  • endpoints
  • secrets
    verbs:
  • get
  • list
  • watch
• apiGroups:
  • extensions
  • networking.k8s.io
    resources:
  • ingresses/status
    verbs:
  • update
• apiGroups:
  • traefik.containo.us
    resources:
  • ingressroutes
  • ingressroutetcps
  • ingressrouteudps
  • middlewares
  • middlewaretcps
  • tlsoptions
  • tlsstores
  • traefikservices
  • serverstransports
    verbs:
  • get
  • list
  • watch

Ik tried NGINX with an Ingressroute but traefik does not route correctly (404)

[AllardKrings]

Hi,

I did som more research and concluded that the traefik k3s installation uses uses the deprecated api-group traefik.containo.us.

I found this on the traefik site in their documentation:

   In v2.10, the Kubernetes CRDs API Group traefik.containo.us is deprecated, 
   and its support will end starting with Traefik v3. 

   Please use the API Group traefik.io instead.

   As the Kubernetes CRD provider still works with both API Versions 
   (traefik.io/v1alpha1 and traefik.containo.us/v1alpha1), 
    it means that for the same kind, namespace and name, 
    the provider will only keep the traefik.io/v1alpha1 resource.

   In addition, the Kubernetes CRDs API Version traefik.io/v1alpha1 
   will not be supported in Traefik v3 itself.

   Please note that it is a requirement to update the CRDs and the RBAC in the cluster before upgrading              Traefik. To do so, please apply the required CRDs and RBAC manifests for v2.10:


  kubectl apply -f https://raw.githubusercontent.com/traefik/traefik/v2.10/docs/content/reference/dynamic-            configuration/kubernetes-crd-rbac.yml
  kubectl apply -f https://raw.githubusercontent.com/traefik/traefik/v2.10/docs/content/reference/dynamic-            configuration/kubernetes-crd-definition-v1.yml

After migrating the CRD’s this way and changing the yaml’s to use api-group traefik.io it works!

[AllardKrings]

[chazapis]

Thanks @AllardKrings for figuring this out. I'll update the documentation and keep this open, until we have a newer version of K3s that uses the new CRDs.