Hi,
I have a question regarding the installation of the Kong Ingress Controller on a Kubernetes cluster on a private cloud.
I would like to know whether it is possible to install the Kong Ingress Controller on a K8S cluster without creating ClusterRole and ClusterRoleBindings?
I would like the Kong Ingress Controller to apply to a given namespace only, not the entire cluster.
Can I also skip the creation of the KongClusterPlugins?
Yes, this is supported. You can use the CONTROLLER_WATCH_NAMESPACE flag to limit the scope to a single Namespace.
You will have to tweak ClusterRole to be a Role (and tweak the binding appropriately as well).
Hi Harry,
Thank you for your reply.
Just to make sure that I am understanding you properly. When you mention “CONTROLLER_WATCH_NAMESPACE flag” you are talking about the CONTROLLER_WATCH_NAMESPACE environment variable under the “ingress-controller” container definition in the Kong Deployment template? Am I correct?
Hi Harry,
I tweaked the ClusterRole to become a Role (changing the kind and adding a namespace). But when I deploy the ingress-controller container, I see the following error:
Failed to list *v1.KongClusterPlugin: kongclusterplugins.configuration.konghq.com is forbidden: User “system:serviceaccount:kong:kong-kong” cannot list resource “kongclusterplugins” in API group “configuration.konghq.com” at the cluster scope
Any idea, what could be done to make it work?
Thanks
Regards
Jon
Ah, my bad. You will need to give the service account permission to read/list/watch KongClusterPlugin, else this won’t work today.
We do want to make this workflow possible and track this problem in the following issue:
Thanks Harry,
I gave read/list/watch permission to the serviceaccount. Please, see below the Role manifest I have deployed. But I still got the same error:
" Failed to list *v1.KongClusterPlugin: kongclusterplugins.configuration.konghq.com is forbidden: User “system:serviceaccount:kong:kong-kong” cannot list resource “kongclusterplugins” in API group “configuration.konghq.com” at the cluster scope"
What could I do to make this work when I am not able to create ClusterRole and ClusterRoleBindings for security reasons?
configmaps
resourceNames:
# Defaults to “-”
# Here: “-”
# This has to be adapted if you change either parameter
# when launching the nginx-ingress-controller.
KongClusterPlugin is a cluster-level resource. You can only assign RBAC permissions for cluster-level resources from a ClusterRole and ClusterRoleBinding, meaning that if you can’t create those, you can’t use Kong Ingress Controller.
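The narrowest cluster-scoped grant that matches the reply above, as an added example that is not part of the original thread or Kong's own manifests: a ClusterRole limited to read access on KongClusterPlugin, bound to the service account named in the error message. The name `kong-clusterplugin-reader` is hypothetical, and the example assumes every other permission stays in the namespaced Role already discussed.

```yaml
# Added example (not from the thread). A namespaced Role cannot satisfy a
# list/watch "at the cluster scope", which is why the Role-only setup still
# fails with the "forbidden" error quoted above.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: kong-clusterplugin-reader        # hypothetical name
rules:
  # Read-only access to the one cluster-scoped resource the controller lists.
  - apiGroups: ["configuration.konghq.com"]
    resources: ["kongclusterplugins"]
    verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: kong-clusterplugin-reader        # hypothetical name
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: kong-clusterplugin-reader
subjects:
  # Service account taken from the error message:
  # system:serviceaccount:kong:kong-kong
  - kind: ServiceAccount
    name: kong-kong
    namespace: kong
# Check the effective permission after applying:
#   kubectl auth can-i list kongclusterplugins.configuration.konghq.com \
#     --as=system:serviceaccount:kong:kong-kong
```

The binding grants no write verbs and no access to any other cluster-scoped resource, so a security review only has to accept read access to KongClusterPlugin objects.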
Thanks Harry,
I misunderstood your statements.
Now I understand that I cannot install Kong Ingress Controller without creating ClusterRole and ClusterRoleBindings, even though Kong Ingress Controller is intended to be used in a specific namespace, not at a Cluster level.
Thank you
Regards
Jon