Kong Ingress Controller without ClusterRole creation

Hi,
I have a question regarding the installation of the Kong Ingress Controller on a Kubernetes cluster on a private cloud.
I would like to know if ever it is possible to install Kong Ingress Controller on a K8S cluster without creating ClusterRole and ClusterRoleBindings ?
I would like that the Kong Ingress Controller applies to a given namespace only, not a the entire cluster.
Can I also skip the creation of the KongClusterPlugins?

Thanks
Jon

Yes this is supported. You can use CONTROLLER_WATCH_NAMESPACE flag to limit the scope to a single Namespace.
You will have to tweak ClusterRole to be a Role (and tweak the binding appropriately as well).

Unfortunately no. This is a limitation right now and I’ve opened up https://github.com/Kong/kubernetes-ingress-controller/issues/717 to track it.

Thanks Harry for your reply,
Do you know when the enhancement of skipping the KongClusterPlugins creation would be available?

Best Regards
Jon.

I can’t give you a timeline yet.
You can start watching this issue:https://github.com/Kong/kubernetes-ingress-controller/issues/717

hi Harry,
Thank you for your reply.
Just to make sure that I am understanding you properly. When you mention “CONTROLLER_WATCH_NAMESPACE flag” you are talking about the CONTROLLER_WATCH_NAMESPACE environment variable under the “ingress-controller” container definition in the Kong Deployment template? Am I correct?

Thank you
Regards
Jon

Hi Harry,
I tweaked the ClusterRole to become a Role (changing the kind and adding a namespace). But when I deploy the ingress-controller container, I see the following error:
Failed to list *v1.KongClusterPlugin: kongclusterplugins.configuration.konghq.com is forbidden: User “system:serviceaccount:kong:kong-kong” cannot list resource “kongclusterplugins” in API group “configuration.konghq.com” at the cluster scope

Any idea, what could be done to make it work?
Thanks
Regards
Jon

Ah, my bad. You will need to give the service account permission to read/list/watch KongClusterPlugin, else this won’t work today.
We do want to make this workflow possible and track this problem in the following issue:

Thanks Harry,
I gave read/list/watch permission to the serviceaccount. Please, see below the Role manifest I have deployed. But I still got the same error:
" Failed to list *v1.KongClusterPlugin: kongclusterplugins.configuration.konghq.com is forbidden: User “system:serviceaccount:kong:kong-kong” cannot list resource “kongclusterplugins” in API group “configuration.konghq.com” at the cluster scope"

What could I do to make this work when I am not able to create ClusterRole and ClusterRoleBindings for security reasons?

Role Manifest:
"
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: Role
metadata:
name: kong-kong
namespace: kong
rules:

  • apiGroups:
    • “”
      resources:
    • endpoints
    • nodes
    • pods
    • secrets
      verbs:
    • list
    • watch
  • apiGroups:
    • “”
      resources:
    • nodes
      verbs:
    • get
  • apiGroups:
    • “”
      resources:
    • services
      verbs:
    • get
    • list
    • watch
  • apiGroups:
    • networking.k8s.io
    • extensions
    • networking.internal.knative.dev
      resources:
    • ingresses
      verbs:
    • get
    • list
    • watch
  • apiGroups:
    • “”
      resources:
    • events
      verbs:
    • create
    • patch
  • apiGroups:
    • networking.k8s.io
    • extensions
    • networking.internal.knative.dev
      resources:
    • ingresses/status
      verbs:
    • update
  • apiGroups:
  • apiGroups:
    • configuration.konghq.com
      resources:
    • kongplugins
    • kongclusterplugins
    • kongcredentials
    • kongconsumers
    • kongingresses
    • tcpingresses
      verbs:
    • get
    • list
    • watch
  • apiGroups:
    • “”
      resources:
    • configmaps
      verbs:
    • create
    • get
    • update
  • apiGroups:
    • “”
      resources:
    • configmaps
    • pods
    • secrets
    • namespaces
      verbs:
    • get
  • apiGroups:
    • “”
      resources:
    • configmaps
      resourceNames:
      # Defaults to “-”
      # Here: “-”
      # This has to be adapted if you change either parameter
      # when launching the nginx-ingress-controller.
    • “kong-ingress-controller-leader-{{ .Values.ingressController.ingressClass }}-{{ .Values.ingressController.ingressClass }}”
      verbs:
    • get
    • update
  • apiGroups:
    • “”
      resources:
    • configmaps
      verbs:
    • create
  • apiGroups:
    • “”
      resources:
    • endpoints
      verbs:
    • get
      "

Thanks
Jon

KongClusterPlugin is a cluster-level resource. You can only assign RBAC permissions for a cluster-level resources from ClusterRole and ClusterRoleBinding, meaning, if you can’t create those, you can’t use Kong Ingress Controller.

Thanks Harry,
I misunderstood your statements.
Now I understand that I cannot install Kong Ingress Controller without creating ClusterRole and ClusterRoleBindings, even though Kong Ingress Controller is intended to be used in a specific namespace, not at a Cluster level.
Thank you
Regards
Jon


© 2019 Kong Inc.    Terms  •  Privacy  •  FAQ