kubernetes
kops
skipper
kube-ingress-aws-controller

[k8s] pods/skipper returns 403 and 404 when setting up kube-ingress-aws-controller + skipper

Creating ingress with kube-ingress-aws-controller and skipper

After building a k8s cluster on AWS with kops, I was setting up Ingress by following the guide above
and got stuck on the Skipper setup, so this is a memo.

$ kubectl logs skipper-ingress-9hpr7 -n kube-system -f
10.0.0.30 - - [12/Jul/2018:09:36:07 +0000] "GET /kube-system/healthz HTTP/1.1" 404 10 "-" "kube-probe/1.9" 0 10.0.0.30:9999 - -
[APP]time="2018-07-12T09:36:10Z" level=error msg="failed to load all: request failed, status: 403, 403 Forbidden"
[APP]time="2018-07-12T09:36:10Z" level=error msg="error while receiveing initial data;request failed, status: 403, 403 Forbidden"
[APP]time="2018-07-12T09:36:13Z" level=error msg="failed to load all: request failed, status: 403, 403 Forbidden"
[APP]time="2018-07-12T09:36:13Z" level=error msg="error while receiveing initial data;request failed, status: 403, 403 Forbidden"

As shown above, pods/skipper would not start because of the 403 and 404, and I was stuck for about two days.

Apparently some RBAC-related configuration was missing??

https://github.com/zalando-incubator/kube-ingress-aws-controller/issues/153

Referring to the issue above, I configured the Role and it somehow worked.

kube-rbac.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: ingress
rules:
- apiGroups:
  - extensions
  resources:
  - ingresses
  - ingresses/status
  verbs:
  - get
  - list
  - patch

---

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: skipper
rules:
- apiGroups:
  - ""
  resources:
  - services
  verbs:
  - get
  - list

---

# Grants the "ingress" ClusterRole to the default service account in kube-system
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: kube-system-default-user-role-binding-ingress
subjects:
  - kind: ServiceAccount
    name: default
    namespace: kube-system
roleRef:
  kind: ClusterRole
  name: ingress
  apiGroup: rbac.authorization.k8s.io

---

# Grants the "skipper" ClusterRole to the default service account in kube-system
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: kube-system-default-user-role-binding-skipper
subjects:
  - kind: ServiceAccount
    name: default
    namespace: kube-system
roleRef:
  kind: ClusterRole
  name: skipper
  apiGroup: rbac.authorization.k8s.io
$ kubectl create -f kube-rbac.yaml
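
To confirm that the 403 really is an RBAC gap, and that kube-rbac.yaml closed it, the permissions can be queried with `kubectl auth can-i`. This is an added example, not part of the original post or of either project; `check_rbac` is a hypothetical helper name, and it assumes the caller is allowed to impersonate service accounts with `--as`.

```shell
#!/bin/sh
# Added example: verify that a service account holds every permission that
# kube-rbac.yaml grants. check_rbac is a hypothetical helper name.
# Assumption: the caller may impersonate service accounts (--as).

# Prints one line per missing permission; returns 1 if any is missing.
check_rbac() {
  sa="$1"
  missing=""
  # Each input line: verb, resource, optional subresource
  # (taken from the "ingress" and "skipper" ClusterRoles on this page).
  while read -r verb resource sub; do
    if [ -z "$verb" ]; then continue; fi
    if [ -n "$sub" ]; then
      answer=$(kubectl auth can-i "$verb" "$resource" --subresource="$sub" \
                 --as="$sa" </dev/null 2>/dev/null) || true
    else
      answer=$(kubectl auth can-i "$verb" "$resource" \
                 --as="$sa" </dev/null 2>/dev/null) || true
    fi
    # can-i prints "yes" or "no"; anything else (errors included) counts as missing.
    if [ "$answer" != "yes" ]; then
      missing="${missing}${verb} ${resource}${sub:+/$sub}
"
    fi
  done <<EOF
get ingresses.extensions
list ingresses.extensions
patch ingresses.extensions
get ingresses.extensions status
patch ingresses.extensions status
get services
list services
EOF
  if [ -n "$missing" ]; then
    printf '%s' "$missing"
    return 1
  fi
  return 0
}

# Usage: check_rbac system:serviceaccount:kube-system:default
```

Run before `kubectl create -f kube-rbac.yaml`, the function lists the permissions behind the 403 errors; run afterwards, it prints nothing and returns 0.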

k8s is hard :joy: