error create resource “configmaps” while deploying nginx ingress controller

2
votes

I followed exactly like this_tutorial to deploy nginx ingress contoller. The yaml files used for deploying the ingress controller and describe output are copied to repo.

After creating the ingress-controller, pod is running but seeing the below error in the ingress-controller log. The error says serviceaccount "nginx" have no permission to create resource "configmaps" in namespace "ingress".

Question I have,

  • what verbs are required in the ClusterRole to allow service account "nginx" to create configmaps in my namespace?
  • Why serviceaccount "nginx" has to create configmaps in the namespace? Because,the ingress controller already has configmap in the namespace then why is the ingress controller tries to create again?

E1115 15:05:49.678247 7 leaderelection.go:228] error initially creating leader election record: configmaps is forbidden: User "system:serviceaccount:ingress:nginx" cannot create resource "configmaps" in API group "" in the namespace "ingress"

(truncated)

I1115 15:05:49.742498 7 controller.go:220] ingress backend successfully reloaded... E1115 15:06:03.379102 7 leaderelection.go:228] error initially creating leader election record: configmaps is forbidden: User "system:serviceaccount:ingress:nginx" cannot create resource "configmaps" in API group "" in the namespace "ingress"

detailed kubectl log can be accessed from this_file.

[EDIT]

root@desktop:~/github/# kubectl get -n ingress all
NAME                                            READY   STATUS    RESTARTS   AGE
pod/default-backend-7fcd7954d6-gdmvt            1/1     Running   0          3d14h
pod/default-backend-7fcd7954d6-hf65b            1/1     Running   0          3d14h
pod/nginx-ingress-controller-65bfcb57ff-9nz88   1/1     Running   0          2d22h


NAME                      TYPE        CLUSTER-IP       EXTERNAL-IP   PORT(S)   AGE
service/default-backend   ClusterIP   10.100.x.y   <none>        80/TCP    3d14h


NAME                                       DESIRED   CURRENT   UP-TO-DATE   AVAILABLE   AGE
deployment.apps/default-backend            2         2         2            2           3d14h
deployment.apps/nginx-ingress-controller   1         1         1            1           2d22h

NAME                                                  DESIRED   CURRENT   READY   AGE
replicaset.apps/default-backend-7fcd7954d6            2         2         2       3d14h
replicaset.apps/nginx-ingress-controller-65bfcb57ff   1         1         1       2d22h

root@desktop:~/github# kubectl get -n ingress configmap
NAME                            DATA   AGE
nginx-ingress-controller-conf   1      3d14h
1
kuberneteskubernetes-ingressnginx-ingress

1 Answers

1
votes

It looks like the nginx service account isn't granted permission to create configmap resources in the namespace.

  1. Take a look at this role definition and the role binding files. Apply them after making any necessary adjustments, like for the service account name (from nginx-ingress-serviceaccount to nginx).

  2. The Deployment configuration has this argument: --configmap=\$(POD_NAMESPACE)/nginx-ingress-controller-conf. According to the nginx ingress controller documentation, that is the "...Name of the ConfigMap containing custom global configurations for the controller".