Creating ingress with kube-ingress-aws-controller and skipper
After building a k8s cluster on AWS with kops, I was setting up Ingress with reference to the above
and got stuck on the Skipper setup, so here is a memo.
$ kubectl logs skipper-ingress-9hpr7 -n kube-system -f
10.0.0.30 - - [12/Jul/2018:09:36:07 +0000] "GET /kube-system/healthz HTTP/1.1" 404 10 "-" "kube-probe/1.9" 0 10.0.0.30:9999 - -
[APP]time="2018-07-12T09:36:10Z" level=error msg="failed to load all: request failed, status: 403, 403 Forbidden"
[APP]time="2018-07-12T09:36:10Z" level=error msg="error while receiveing initial data;request failed, status: 403, 403 Forbidden"
[APP]time="2018-07-12T09:36:13Z" level=error msg="failed to load all: request failed, status: 403, 403 Forbidden"
[APP]time="2018-07-12T09:36:13Z" level=error msg="error while receiveing initial data;request failed, status: 403, 403 Forbidden"
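As shown above, pods/skipper would not start because of the 403 and 404 errors, and I was stuck for about two days.
Apparently some RBAC-related configuration was missing??
After configuring the Roles following a reference, it somehow worked.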
kube-rbac.yaml
# Read and patch access to Ingress objects and their status
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: ingress
rules:
- apiGroups:
  - extensions
  resources:
  - ingresses
  - ingresses/status
  verbs:
  - get
  - list
  - patch
---
# Read access to Services
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: skipper
rules:
- apiGroups:
  - ""
  resources:
  - services
  verbs:
  - get
  - list
---
# Bind the ingress role to the default ServiceAccount in kube-system;
# every pod in kube-system running as that account receives these permissions
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
  name: kube-system-default-user-role-binding-ingress
  namespace: kube-system
subjects:
- kind: ServiceAccount
  name: default
  namespace: kube-system
roleRef:
  kind: ClusterRole
  name: ingress
  apiGroup: rbac.authorization.k8s.io
---
# Bind the skipper role to the same ServiceAccount
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
  name: kube-system-default-user-role-binding-skipper
  namespace: kube-system
subjects:
- kind: ServiceAccount
  name: default
  namespace: kube-system
roleRef:
  kind: ClusterRole
  name: skipper
  apiGroup: rbac.authorization.k8s.io
$ kubectl create -f kube-rbac.yaml
k8s is hard.
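A way to confirm that the grants in kube-rbac.yaml are actually in effect, written as an added example that is not part of the original post: it impersonates the ServiceAccount named in the two ClusterRoleBindings and asks the API server about each verb/resource pair with `kubectl auth can-i`. Assumptions: the caller is allowed to impersonate ServiceAccounts, the cluster still serves Ingress in the `extensions` group as in the post, and the `KUBECTL` variable and function name are hypothetical names introduced here.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): confirm that the grants in
# kube-rbac.yaml are effective for the ServiceAccount they are bound to.

# Subject of both ClusterRoleBindings in kube-rbac.yaml.
SKIPPER_SA="system:serviceaccount:kube-system:default"

# "verb resource" pairs copied from the two ClusterRoles in kube-rbac.yaml.
EXPECTED_RULES="get ingresses.extensions
list ingresses.extensions
patch ingresses.extensions
get services
list services"

# Prints OK/MISSING per rule; returns 0 only if every rule is granted.
# KUBECTL is an assumed override hook so the check can be exercised
# without a cluster; it defaults to the real kubectl binary.
check_skipper_rbac() {
  kubectl_cmd="${KUBECTL:-kubectl}"
  missing=0
  while read -r verb resource; do
    [ -n "$verb" ] || continue
    # `kubectl auth can-i` exits 0 when the impersonated subject is allowed.
    if "$kubectl_cmd" auth can-i "$verb" "$resource" \
         --as="$SKIPPER_SA" </dev/null >/dev/null 2>&1; then
      echo "OK      $verb $resource"
    else
      echo "MISSING $verb $resource"
      missing=$((missing + 1))
    fi
  done <<EOF
$EXPECTED_RULES
EOF
  [ "$missing" -eq 0 ]
}

# Run against the current kubectl context when kubectl is installed.
if command -v kubectl >/dev/null 2>&1; then
  check_skipper_rbac || echo "RBAC for $SKIPPER_SA is incomplete" >&2
fi
```

A MISSING line for `list ingresses.extensions` or `list services` corresponds to the 403 errors Skipper logs while loading its initial data.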