In lab: ‘CKA Certification Course – Certified Kubernetes Administrator | KodeKloud’
The service account used for the ingress controller deployment is ‘ingress-serviceaccount’,
with a rolebinding to the role ‘ingress-role’:
```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  creationTimestamp: "2022-10-01T12:53:37Z"
  labels:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
  managedFields:
  - apiVersion: rbac.authorization.k8s.io/v1
    fieldsType: FieldsV1
    fieldsV1:
      f:metadata:
        f:labels:
          .: {}
          f:app.kubernetes.io/name: {}
          f:app.kubernetes.io/part-of: {}
      f:rules: {}
    manager: python-requests
    operation: Update
    time: "2022-10-01T12:53:37Z"
  name: ingress-role
  namespace: ingress-space
  resourceVersion: "7277"
  uid: 1288d972-7f27-4a27-b110-f52eb4769bf0
rules:
- apiGroups:
  - ""
  resources:
  - configmaps
  - pods
  - secrets
  - namespaces
  verbs:
  - get
- apiGroups:
  - ""
  resourceNames:
  - ingress-controller-leader-nginx
  resources:
  - configmaps
  verbs:
  - get
  - update
- apiGroups:
  - ""
  resources:
  - configmaps
  verbs:
  - create
- apiGroups:
  - ""
  resources:
  - endpoints
  verbs:
  - get
```
I am a bit confused here. Based on the above role definition, it should NOT be able to access namespace ‘app-space’. But the ingress default backend was in namespace ‘app-space’:
```
--default-backend-service=app-space/default-http-backend
```
How did it work?
I tried to deploy it in my own cluster.
I keep getting the following error log from the ingress-controller:
```
F1001 15:26:11.4237807 main.go:99] No service with name app-space/default-http-backend found: services "default-http-backend" is forbidden: User "system:serviceaccount:ingress-space:ingress-nginx" cannot get resource "services" in API group "" in the namespace "app-space"
```
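
Added example (not part of the original post or the lab): a simplified Python model of how RBAC matches a request against the rules of the ‘ingress-role’ Role shown above, applied to the request from the error log. It assumes a RoleBinding in ‘ingress-space’ binds the Role to the requesting service account; the function names are hypothetical, and subresources and ClusterRoles are not modelled.

```python
# Simplified model of Kubernetes RBAC matching for one namespaced Role.
# Assumption: a RoleBinding in ROLE_NAMESPACE binds this Role to the caller.
ROLE_NAMESPACE = "ingress-space"

# Rules transcribed from the 'ingress-role' Role in the post.
RULES = [
    {"apiGroups": [""], "verbs": ["get"],
     "resources": ["configmaps", "pods", "secrets", "namespaces"]},
    {"apiGroups": [""], "verbs": ["get", "update"], "resources": ["configmaps"],
     "resourceNames": ["ingress-controller-leader-nginx"]},
    {"apiGroups": [""], "verbs": ["create"], "resources": ["configmaps"]},
    {"apiGroups": [""], "verbs": ["get"], "resources": ["endpoints"]},
]


def _has(values, wanted):
    """True if the rule field lists the wanted value or the '*' wildcard."""
    return "*" in values or wanted in values


def rule_allows(rule, verb, group, resource, name=""):
    """A rule matches only if verb, API group and resource all match;
    a non-empty resourceNames list further restricts the object name."""
    names = rule.get("resourceNames", [])
    return (_has(rule["verbs"], verb)
            and _has(rule["apiGroups"], group)
            and _has(rule["resources"], resource)
            and (not names or name in names))


def explain(namespace, verb, resource, name="", group=""):
    """Return (allowed, reason) for a request evaluated against the Role."""
    # A Role and its RoleBinding grant nothing outside their own namespace.
    if namespace != ROLE_NAMESPACE:
        return (False, f"Role is scoped to {ROLE_NAMESPACE!r}, "
                       f"request targets {namespace!r}")
    for index, rule in enumerate(RULES):
        if rule_allows(rule, verb, group, resource, name):
            return (True, f"matched rule {index}")
    return (False, f"no rule grants {verb!r} on {resource!r}")


if __name__ == "__main__":
    # The request from the error log: get services in 'app-space'.
    print(explain("app-space", "get", "services", "default-http-backend"))
    # Same resource in the Role's own namespace: still not granted.
    print(explain("ingress-space", "get", "services", "default-http-backend"))
```

The request is denied on two independent grounds: the Role only applies inside ‘ingress-space’, and none of its rules lists `services`.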