Kong Ingress Controller without ClusterRole creation

Hi,
I have a question regarding the installation of the Kong Ingress Controller on a Kubernetes cluster in a private cloud.
I would like to know if it is possible to install the Kong Ingress Controller on a K8S cluster without creating a ClusterRole and ClusterRoleBindings.
I would like the Kong Ingress Controller to apply to a given namespace only, not to the entire cluster.
Can I also skip the creation of the KongClusterPlugins?

Thanks
Jon

Yes, this is supported. You can use the CONTROLLER_WATCH_NAMESPACE flag to limit the scope to a single Namespace.
You will have to tweak the ClusterRole to be a Role (and tweak the binding appropriately as well).

Unfortunately no. This is a limitation right now and I've opened "KongClusterPlugin should not be a required CRD" (Kong/kubernetes-ingress-controller issue #717 on GitHub) to track it.

Thanks Harry for your reply,
Do you know when the enhancement of skipping the KongClusterPlugins creation would be available?

Best Regards
Jon.

I can’t give you a timeline yet.
You can start watching this issue: KongClusterPlugin should not be a required CRD · Issue #717 · Kong/kubernetes-ingress-controller · GitHub

hi Harry,
Thank you for your reply.
Just to make sure that I am understanding you properly. When you mention “CONTROLLER_WATCH_NAMESPACE flag” you are talking about the CONTROLLER_WATCH_NAMESPACE environment variable under the “ingress-controller” container definition in the Kong Deployment template? Am I correct?

Thank you
Regards
Jon

Hi Harry,
I tweaked the ClusterRole to become a Role (changing the kind and adding a namespace). But when I deploy the ingress-controller container, I see the following error:
Failed to list *v1.KongClusterPlugin: kongclusterplugins.configuration.konghq.com is forbidden: User "system:serviceaccount:kong:kong-kong" cannot list resource "kongclusterplugins" in API group "configuration.konghq.com" at the cluster scope

Any idea, what could be done to make it work?
Thanks
Regards
Jon

Ah, my bad. You will need to give the service account permission to read/list/watch KongClusterPlugin, else this won’t work today.
We do want to make this workflow possible and track this problem in the following issue:

Thanks Harry,
I gave read/list/watch permission to the service account. Please see below the Role manifest I have deployed. But I still get the same error:
"Failed to list *v1.KongClusterPlugin: kongclusterplugins.configuration.konghq.com is forbidden: User "system:serviceaccount:kong:kong-kong" cannot list resource "kongclusterplugins" in API group "configuration.konghq.com" at the cluster scope"

What could I do to make this work when I am not able to create ClusterRole and ClusterRoleBindings for security reasons?

Role Manifest:
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: Role
metadata:
  name: kong-kong
  namespace: kong
rules:
  - apiGroups:
      - ""
    resources:
      - endpoints
      - nodes
      - pods
      - secrets
    verbs:
      - list
      - watch
  - apiGroups:
      - ""
    resources:
      - nodes
    verbs:
      - get
  - apiGroups:
      - ""
    resources:
      - services
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - networking.k8s.io
      - extensions
      - networking.internal.knative.dev
    resources:
      - ingresses
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - ""
    resources:
      - events
    verbs:
      - create
      - patch
  - apiGroups:
      - networking.k8s.io
      - extensions
      - networking.internal.knative.dev
    resources:
      - ingresses/status
    verbs:
      - update
  - apiGroups:
      - configuration.konghq.com
    resources:
      - kongplugins
      - kongclusterplugins
      - kongcredentials
      - kongconsumers
      - kongingresses
      - tcpingresses
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - ""
    resources:
      - configmaps
    verbs:
      - create
      - get
      - update
  - apiGroups:
      - ""
    resources:
      - configmaps
      - pods
      - secrets
      - namespaces
    verbs:
      - get
  - apiGroups:
      - ""
    resources:
      - configmaps
    resourceNames:
      # Defaults to "-"
      # Here: "-"
      # This has to be adapted if you change either parameter
      # when launching the nginx-ingress-controller.
      - "kong-ingress-controller-leader-{{ .Values.ingressController.ingressClass }}-{{ .Values.ingressController.ingressClass }}"
    verbs:
      - get
      - update
  - apiGroups:
      - ""
    resources:
      - configmaps
    verbs:
      - create
  - apiGroups:
      - ""
    resources:
      - endpoints
    verbs:
      - get

Thanks
Jon

KongClusterPlugin is a cluster-level resource. You can only assign RBAC permissions for cluster-level resources from a ClusterRole and ClusterRoleBinding, meaning, if you can't create those, you can't use Kong Ingress Controller.
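
For reference, this is what the smallest workable split looks like in manifests. It is an added example, not code from the thread or from the Kong project, and it assumes the names used above: namespace kong, ServiceAccount kong-kong, a Deployment whose controller container is called ingress-controller, and the CONTROLLER_WATCH_NAMESPACE environment variable. Everything namespace-scoped stays in a Role/RoleBinding; the cluster-scoped KongClusterPlugin read access, which a Role cannot grant, goes into a ClusterRole that contains nothing else. Note that nodes and namespaces from the posted Role are cluster-scoped as well, so a Role cannot grant those either; if the controller reports a similar "forbidden ... at the cluster scope" error for them, they belong in the same minimal ClusterRole.

```yaml
# Added example (not from the thread or the Kong project). Assumed names:
# namespace "kong", ServiceAccount "kong-kong", container "ingress-controller".

# 1. Namespace-scoped permissions stay in a Role. kongclusterplugins is
#    deliberately absent here: it is cluster-scoped and a Role cannot grant it.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: kong-kong
  namespace: kong
rules:
  - apiGroups: [""]
    resources: ["endpoints", "pods", "secrets", "services", "configmaps"]
    verbs: ["get", "list", "watch"]
  - apiGroups: [""]
    resources: ["configmaps"]          # leader-election ConfigMap
    verbs: ["create", "update"]
  - apiGroups: [""]
    resources: ["events"]
    verbs: ["create", "patch"]
  - apiGroups: ["networking.k8s.io", "extensions"]
    resources: ["ingresses"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["networking.k8s.io", "extensions"]
    resources: ["ingresses/status"]
    verbs: ["update"]
  - apiGroups: ["configuration.konghq.com"]
    resources: ["kongplugins", "kongcredentials", "kongconsumers", "kongingresses", "tcpingresses"]
    verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: kong-kong
  namespace: kong
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: kong-kong
subjects:
  - kind: ServiceAccount
    name: kong-kong
    namespace: kong
---
# 2. The one cluster-scoped resource the controller insists on reading.
#    A ClusterRole cannot be avoided, but it can be this small and read-only.
#    (nodes / namespaces would have to be added here too if the controller
#    reports a cluster-scope "forbidden" error for them.)
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: kong-kongclusterplugins-reader   # assumed name
rules:
  - apiGroups: ["configuration.konghq.com"]
    resources: ["kongclusterplugins"]
    verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: kong-kongclusterplugins-reader   # assumed name
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: kong-kongclusterplugins-reader
subjects:
  - kind: ServiceAccount
    name: kong-kong
    namespace: kong
---
# 3. Excerpt of the Deployment's controller container: limit the controller
#    to its own Namespace. Only the env entry is shown; image and the rest of
#    the pod spec are whatever your chart already deploys.
#
#   containers:
#     - name: ingress-controller
#       env:
#         - name: CONTROLLER_WATCH_NAMESPACE
#           valueFrom:
#             fieldRef:
#               fieldPath: metadata.namespace
```

Before deploying the controller, the effective permissions can be checked from the binding side with kubectl, e.g. `kubectl auth can-i list kongclusterplugins.configuration.konghq.com --as system:serviceaccount:kong:kong-kong` (expected: yes) and `kubectl auth can-i list secrets --as system:serviceaccount:kong:kong-kong --all-namespaces` (expected: no), which confirms that the only cluster-wide grant is the read-only KongClusterPlugin one.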

Thanks Harry,
I misunderstood your statements.
Now I understand that I cannot install Kong Ingress Controller without creating ClusterRole and ClusterRoleBindings, even though Kong Ingress Controller is intended to be used in a specific namespace, not at a Cluster level.
Thank you
Regards
Jon