New ingress-controller should not mandate the cluster level permission on IngressClass #7510
Comments
/remove-kind bug
Please close the issue and come discuss in kubernetes.slack.com in the ingress-nginx-users channel

@longwuyuan Also, I think the issue here is not regarding the use of IngressClass but the hard requirement of Cluster level permissions required for it. Basically, there can be a use case where we need to enable the ingress controller to implement Ingress objects only on a few namespaces and not on all namespaces. If we decide to fix this issue, I'd like to take this up.

Yeah we need to fix this, at least for v1.0.1. My suggestion right now is to try to fetch the cluster scoped ingress class, and if it fails per access denied, do not fetch them to store and warn users about current permission not supporting ingress class. We should also start looking at how to support namespaced ingress classes.

/milestone v1.0.1

@rikatz And for v1.0.1 we'll be supporting Namespaced IngressClasses, being tracked in #7519 as @longwuyuan tagged in the previous comment. Right?

/kind feature

@akshitgrover go for it :) For now, we should not panic when ingress class is forbidden, but instead disable it. Ping me in slack if you need some help!

/kind bug
I think this is a bug, as we don't support namespaced ingress class yet, and we should not stop users from using the ingress-nginx if they don't have cluster wide permission for ingress class :)

Sure thing

I guess @yongjie-gong has already raised a PR

/priority important-soon

This seems to still be an issue. Currently using Once I change From the events above, it looks like this PR made it into the

I'm still getting the same error when working with v.1.0.1. - for the versions v.0.x.x, everything works fine.

@mmuric-sigsci is it an option for you to upgrade to the latest version?!

Encountered a similar issue on nginx 1.1.1 with helm chart 4.0.15

When you use rbac.scope=true (namespace scoped) installation of ingress-nginx, the only way to make controller detect the ingress resource is to use the Another option is to use the deprecated annotation in ingress resource as mentioned in #8136.

NGINX Ingress controller version: v1.0.0-beta.1
Kubernetes version (use kubectl version): 1.21.0
Environment:
Cloud provider or hardware configuration:
OS (e.g. from /etc/os-release): CentOS Linux release 7.6.1810 (Core)
Kernel (e.g. uname -a): Linux shc-sma-cd56.hpeswlab.net 3.10.0-957.5.1.el7.x86_64 #1 SMP Fri Feb 1 14:54:57 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
Install tools:
Please mention how/where the cluster was created, like kubeadm/kops/minikube/kind etc.
Basic cluster related info:
kubectl version
kubectl get nodes -o wide
How was the ingress-nginx-controller installed:
helm ls -A
helm -n <ingresscontrollernamespace> get values <helmreleasename>
Current State of the controller:
kubectl -n <ingresscontrollernamespace> get all -A -o wide
kubectl -n <ingresscontrollernamespace> describe po <ingresscontrollerpodname>
kubectl -n <ingresscontrollernamespace> describe svc <ingresscontrollerservicename>
Current state of ingress object, if applicable:
kubectl -n <appnamespace> get all,ing -o wide
kubectl -n <appnamespace> describe ing <ingressname>
Others:
kubectl describe ... of any custom configmap(s) created and in use
What happened:
I deploy my ingress-controller in Kubernetes 1.21 with namespaced permissions only. With the old ingress-controller, everything is fine, but once upgraded to the latest ingress controller 1.0.0, the ingress-controller cannot start any more because it mandates the cluster level permission on "IngressClass". Without this permission, the ingress-controller even fails to start, while it is fine in the old version. Does anyone know whether this is a bug or intended?
With the annotation based ingress-controller, my application can easily deploy in a shared k8s environment since namespace permission is good enough. But with the new approach, I must ask the k8s administrator to create the cluster level object "IngressClass". This update completely changes the application deployment flavor, which forces the Kubernetes administrator to create the cluster level resource "IngressClass" for every application deployed in a k8s cluster which doesn't have cluster level permission.
Error message:
What you expected to happen:
IngressController should start as normal even if the ServiceAccount doesn't have permission on the class level object "IngressClass"
How to reproduce it:
Anything else we need to know:
/kind bug
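
The permission boundary this report runs into, as an added example that is not part of the original issue or the project's Helm chart: a namespaced Role cannot grant access to the cluster-scoped IngressClass, so the narrowest grant a cluster administrator can give is a read-only ClusterRole limited to that one resource. The object names and the `team-a` namespace are placeholders, and the Role shows only its Ingress-related rules.

```yaml
# What a namespace-scoped install can grant itself: a Role only covers
# namespaced resources, so IngressClass is out of its reach.
# (Subset: only the Ingress rules of the controller's Role are shown.)
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: ingress-nginx              # placeholder name
  namespace: team-a                # placeholder namespace
rules:
  - apiGroups: ["networking.k8s.io"]
    resources: ["ingresses"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["networking.k8s.io"]
    resources: ["ingresses/status"]
    verbs: ["update"]
---
# What the cluster administrator has to add for a controller that reads
# IngressClass: read-only verbs on that single cluster-scoped resource.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: ingress-nginx-ingressclass-read   # placeholder name
rules:
  - apiGroups: ["networking.k8s.io"]
    resources: ["ingressclasses"]
    verbs: ["get", "list", "watch"]
---
# Bind the read-only ClusterRole to the controller's ServiceAccount only.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: ingress-nginx-ingressclass-read   # placeholder name
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: ingress-nginx-ingressclass-read
subjects:
  - kind: ServiceAccount
    name: ingress-nginx            # placeholder ServiceAccount
    namespace: team-a
```

The ClusterRole carries no write verbs and names no other resource, so the tenant's controller gains nothing at cluster level beyond reading IngressClass objects.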