Merge pull request #1404 from aolwas/k8s-rbac-doc-update
Add documentation for k8s RBAC configuration.
This commit is contained in:
commit
1da47dfcbb
|
@ -67,6 +67,64 @@ To deploy Træfɪk to your cluster start by submitting the deployment to the clu
|
||||||
```sh
|
```sh
|
||||||
kubectl apply -f examples/k8s/traefik.yaml
|
kubectl apply -f examples/k8s/traefik.yaml
|
||||||
```
|
```
|
||||||
|
### Role Based Access Control configuration (optional)
|
||||||
|
|
||||||
|
Kubernetes introduces [Role Based Access Control (RBAC)](https://kubernetes.io/docs/admin/authorization/) in 1.6+ to allow fine-grained control
|
||||||
|
of Kubernetes resources and api.
|
||||||
|
|
||||||
|
If your cluster is configured with RBAC, you need to authorize Traefik to use
|
||||||
|
kubernetes API using ClusterRole, ServiceAccount and ClusterRoleBinding resources:
|
||||||
|
|
||||||
|
```yaml
|
||||||
|
---
|
||||||
|
kind: ClusterRole
|
||||||
|
apiVersion: rbac.authorization.k8s.io/v1beta1
|
||||||
|
metadata:
|
||||||
|
name: traefik-ingress-controller
|
||||||
|
rules:
|
||||||
|
- apiGroups:
|
||||||
|
- ""
|
||||||
|
resources:
|
||||||
|
- pods
|
||||||
|
- services
|
||||||
|
- endpoints
|
||||||
|
verbs:
|
||||||
|
- get
|
||||||
|
- list
|
||||||
|
- watch
|
||||||
|
- apiGroups:
|
||||||
|
- extensions
|
||||||
|
resources:
|
||||||
|
- ingresses
|
||||||
|
verbs:
|
||||||
|
- get
|
||||||
|
- list
|
||||||
|
- watch
|
||||||
|
---
|
||||||
|
apiVersion: v1
|
||||||
|
kind: ServiceAccount
|
||||||
|
metadata:
|
||||||
|
name: traefik-ingress-controller
|
||||||
|
namespace: kube-system
|
||||||
|
---
|
||||||
|
kind: ClusterRoleBinding
|
||||||
|
apiVersion: rbac.authorization.k8s.io/v1beta1
|
||||||
|
metadata:
|
||||||
|
name: traefik-ingress-controller
|
||||||
|
roleRef:
|
||||||
|
apiGroup: rbac.authorization.k8s.io
|
||||||
|
kind: ClusterRole
|
||||||
|
name: traefik-ingress-controller
|
||||||
|
subjects:
|
||||||
|
- kind: ServiceAccount
|
||||||
|
name: traefik-ingress-controller
|
||||||
|
namespace: kube-system
|
||||||
|
```
|
||||||
|
|
||||||
|
Then you add the service account information to Traefik deployment spec:
|
||||||
|
`serviceAccountName: traefik-ingress-controller`
|
||||||
|
|
||||||
|
[examples/k8s/traefik-with-rbac.yaml](https://github.com/containous/traefik/tree/master/examples/k8s/traefik-with-rbac.yaml)
|
||||||
|
|
||||||
### Check the deployment
|
### Check the deployment
|
||||||
|
|
||||||
|
@ -507,4 +565,4 @@ the host header per ingress if you wanted.
|
||||||
You can control which ingress Træfɪk cares about by using the "kubernetes.io/ingress.class"
|
You can control which ingress Træfɪk cares about by using the "kubernetes.io/ingress.class"
|
||||||
annotation. By default if the annotation is not set at all Træfɪk will include the
|
annotation. By default if the annotation is not set at all Træfɪk will include the
|
||||||
ingress. If the annotation is set to anything other than traefik or a blank string
|
ingress. If the annotation is set to anything other than traefik or a blank string
|
||||||
Træfɪk will ignore it.
|
Træfɪk will ignore it.
|
||||||
|
|
87
examples/k8s/traefik-with-rbac.yaml
Normal file
87
examples/k8s/traefik-with-rbac.yaml
Normal file
|
@ -0,0 +1,87 @@
|
||||||
|
---
|
||||||
|
kind: ClusterRole
|
||||||
|
apiVersion: rbac.authorization.k8s.io/v1beta1
|
||||||
|
metadata:
|
||||||
|
name: traefik-ingress-controller
|
||||||
|
rules:
|
||||||
|
- apiGroups:
|
||||||
|
- ""
|
||||||
|
resources:
|
||||||
|
- pods
|
||||||
|
- services
|
||||||
|
- endpoints
|
||||||
|
verbs:
|
||||||
|
- get
|
||||||
|
- list
|
||||||
|
- watch
|
||||||
|
- apiGroups:
|
||||||
|
- extensions
|
||||||
|
resources:
|
||||||
|
- ingresses
|
||||||
|
verbs:
|
||||||
|
- get
|
||||||
|
- list
|
||||||
|
- watch
|
||||||
|
---
|
||||||
|
apiVersion: v1
|
||||||
|
kind: ServiceAccount
|
||||||
|
metadata:
|
||||||
|
name: traefik-ingress-controller
|
||||||
|
namespace: kube-system
|
||||||
|
---
|
||||||
|
kind: ClusterRoleBinding
|
||||||
|
apiVersion: rbac.authorization.k8s.io/v1beta1
|
||||||
|
metadata:
|
||||||
|
name: traefik-ingress-controller
|
||||||
|
roleRef:
|
||||||
|
apiGroup: rbac.authorization.k8s.io
|
||||||
|
kind: ClusterRole
|
||||||
|
name: traefik-ingress-controller
|
||||||
|
subjects:
|
||||||
|
- kind: ServiceAccount
|
||||||
|
name: traefik-ingress-controller
|
||||||
|
namespace: kube-system
|
||||||
|
---
|
||||||
|
apiVersion: v1
|
||||||
|
kind: Deployment
|
||||||
|
apiVersion: extensions/v1beta1
|
||||||
|
metadata:
|
||||||
|
name: traefik-ingress-controller
|
||||||
|
namespace: kube-system
|
||||||
|
labels:
|
||||||
|
k8s-app: traefik-ingress-lb
|
||||||
|
spec:
|
||||||
|
replicas: 1
|
||||||
|
selector:
|
||||||
|
matchLabels:
|
||||||
|
k8s-app: traefik-ingress-lb
|
||||||
|
template:
|
||||||
|
metadata:
|
||||||
|
labels:
|
||||||
|
k8s-app: traefik-ingress-lb
|
||||||
|
name: traefik-ingress-lb
|
||||||
|
spec:
|
||||||
|
serviceAccountName: traefik-ingress-controller
|
||||||
|
terminationGracePeriodSeconds: 60
|
||||||
|
hostNetwork: true
|
||||||
|
containers:
|
||||||
|
- image: traefik
|
||||||
|
name: traefik-ingress-lb
|
||||||
|
resources:
|
||||||
|
limits:
|
||||||
|
cpu: 200m
|
||||||
|
memory: 30Mi
|
||||||
|
requests:
|
||||||
|
cpu: 100m
|
||||||
|
memory: 20Mi
|
||||||
|
ports:
|
||||||
|
- name: http
|
||||||
|
containerPort: 80
|
||||||
|
hostPort: 80
|
||||||
|
- name: admin
|
||||||
|
containerPort: 8081
|
||||||
|
args:
|
||||||
|
- -d
|
||||||
|
- --web
|
||||||
|
- --web.address=:8081
|
||||||
|
- --kubernetes
|
Loading…
Reference in a new issue