
[k8s] 403 and 404 errors in pods/skipper when setting up kube-ingress-aws-controller + skipper


Creating ingress with kube-ingress-aws-controller and skipper

After building a k8s cluster on AWS with kops, I was setting up Ingress by following the guide above and got stuck on the Skipper setup, so here is a memo.

```
$ kubectl logs skipper-ingress-9hpr7 -n kube-system -f

10.0.0.30 - - [12/Jul/2018:09:36:07 +0000] "GET /kube-system/healthz HTTP/1.1" 404 10 "-" "kube-probe/1.9" 0 10.0.0.30:9999 - -
[APP]time="2018-07-12T09:36:10Z" level=error msg="failed to load all: request failed, status: 403, 403 Forbidden"
[APP]time="2018-07-12T09:36:10Z" level=error msg="error while receiveing initial data;request failed, status: 403, 403 Forbidden"
[APP]time="2018-07-12T09:36:13Z" level=error msg="failed to load all: request failed, status: 403, 403 Forbidden"
[APP]time="2018-07-12T09:36:13Z" level=error msg="error while receiveing initial data;request failed, status: 403, 403 Forbidden"
```

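As shown above, pods/skipper would not start because of the 403 and 404 errors, and I was stuck on this for about two days.

Apparently some RBAC configuration was missing??

I set up the Roles by referring to

https://github.com/zalando-incubator/kube-ingress-aws-controller/issues/153

and it somehow worked.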


kube-rbac.yaml

```yaml
# Read and patch access to Ingress objects and their status.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: ingress
rules:
- apiGroups:
  - extensions
  resources:
  - ingresses
  - ingresses/status
  verbs:
  - get
  - list
  - patch

---

# Read access to Services (core API group).
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: skipper
rules:
- apiGroups:
  - ""
  resources:
  - services
  verbs:
  - get
  - list

---

# Both bindings target the "default" ServiceAccount in kube-system, so every
# pod in that namespace that runs under the default account gets these rights.
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
  name: kube-system-default-user-role-binding-ingress
  namespace: kube-system
subjects:
- kind: ServiceAccount
  name: default
  namespace: kube-system
roleRef:
  kind: ClusterRole
  name: ingress
  apiGroup: rbac.authorization.k8s.io

---

apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
  name: kube-system-default-user-role-binding-skipper
  namespace: kube-system
subjects:
- kind: ServiceAccount
  name: default
  namespace: kube-system
roleRef:
  kind: ClusterRole
  name: skipper
  apiGroup: rbac.authorization.k8s.io
```


```
$ kubectl create -f kube-rbac.yaml
```

k8s is hard :joy:
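A narrower variant of the bindings above, as an added example that is not from the original post or the project: the same two ClusterRoles are bound to a dedicated ServiceAccount instead of `default`, so other kube-system pods do not inherit the rights. The name `skipper-ingress` for the ServiceAccount and bindings is hypothetical, and the example assumes the skipper pods need both roles, as the post's bindings suggest.

```yaml
# Added example: dedicated identity for the skipper pods.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: skipper-ingress          # hypothetical name
  namespace: kube-system
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: skipper-ingress-ingress  # hypothetical name
subjects:
- kind: ServiceAccount
  name: skipper-ingress
  namespace: kube-system
roleRef:
  kind: ClusterRole
  name: ingress                  # ClusterRole from kube-rbac.yaml above
  apiGroup: rbac.authorization.k8s.io
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: skipper-ingress-skipper  # hypothetical name
subjects:
- kind: ServiceAccount
  name: skipper-ingress
  namespace: kube-system
roleRef:
  kind: ClusterRole
  name: skipper                  # ClusterRole from kube-rbac.yaml above
  apiGroup: rbac.authorization.k8s.io
# The workload must opt in to the account in its pod template:
#   spec:
#     template:
#       spec:
#         serviceAccountName: skipper-ingress
#
# Check what each identity is allowed to do (impersonation via --as):
#   kubectl auth can-i list ingresses.extensions \
#     --as=system:serviceaccount:kube-system:skipper-ingress
#   kubectl auth can-i list services \
#     --as=system:serviceaccount:kube-system:skipper-ingress
#   kubectl auth can-i list ingresses.extensions \
#     --as=system:serviceaccount:kube-system:default
```

The first two checks confirm the grant that clears the 403; the third shows whether the `default` account still holds it, which stops being the case once the two `kube-system-default-user-role-binding-*` bindings are deleted.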