Setting up Traefik as Kubernetes Ingress on GCP

0
votes

I'm trying to follow along with this Traefik user guide: https://docs.traefik.io/user-guide/kubernetes/

The key difference between the user guide and my setup is that the guide presumes I'm on Minikube, whereas I'm trying to get this setup on Google Cloud Platform (GCP). I'm a Kubernetes newbie, but I think I've got a decent handle on the fundamentals.

Anyways, with regards to Role Based Access Control configuration presented in the user guide above, I keep getting this error:

Error from server (Forbidden): error when creating "rbac.yml": cl usterroles.rbac.authorization.k8s.io "traefik-ingress-controller" is forbidden: attempt to grant extra privileges: [PolicyRule{Resources:["services"], APIGroups:[""], Verbs:["get"]} PolicyRule{Resour ces:["services"], APIGroups:[""], Verbs:["list"]} PolicyRule{Resources:["services"], APIGroups:[""], Verbs:["watch"]} PolicyRule{Resources:["endpoints"], APIGroups:[""], Verbs:["get"]} PolicyRule{Res ources:["endpoints"], APIGroups:[""], Verbs:["list"]} PolicyRule{Resources:["endpoints"], APIGroups:[""], Verbs:["watch"]} PolicyRule{Resources:["secrets"], APIGroups:[""], Verbs:["get"]} PolicyRule{ Resources:["secrets"], APIGroups:[""], Verbs:["list"]} PolicyRule{Resources:["secrets"], APIGroups:[""], Verbs:["watch"]} PolicyRule{Resources:["ingresses"], APIGroups:["extensions"], Verbs:["get"]} PolicyRule{Resources:["ingresses"], APIGroups:["extensions"], Verbs:["list"]} PolicyRule{Resources:["ingresses"], APIGroups:["extensions"], Verbs:["watch"]}] user=&{[email protected] [system:authenti cated] map[authenticator:[GKE]]} ownerrules=[PolicyRule{Resources:["selfsubjectaccessreviews"], APIGroups:["authorization.k8s.io"], Verbs:["create"]} PolicyRule{Resources:["selfsubjectrulesreviews"], APIGroups:["authorization.k8s.io"], Verbs:["create"]} PolicyRule{NonResourceURLs:["/api" "/api/" "/apis" "/apis/" "/healthz" "/swagger-2.0.0.pb-v1" "/swagger.json" "/swaggerapi" "/swaggerapi/*" "/ version"], Verbs:["get"]}] ruleResolutionErrors=[]

I feel like I'm running into Privilege Escalation Prevention and Bootstrapping, but I'm not sure what I need to change/do to move past this.

1
kubernetesgoogle-cloud-platformtraefikgoogle-kubernetes-engine

1 Answers

5
votes

As the document you reference states, you need to escalate your user's privileges, at least to an extent necessary to permit RBAC rule changes.

The easiest way to achieve that is to add a ClusterRoleBinding that assigns cluster-admin privileges. The YAML would look like this:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: megacorp-cluster-admin
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: [email protected]

The YAML assumes that your user email address as registered with GKE is [email protected]. After kubectl applying that manifest, you should be apply to extend the RBAC rules of Traefik accordingly.

Note that cluster-admin is basically the root user of the cluster. More selective permissions are possible as well if you intend to restrict privileges further.