[stable/traefik] Optional RBAC support for k8s 1.6+ #948
Comments
|
@c-knowles any thoughts on how to implement this? I imagine defining roles and creating service accounts to be the duty of a cluster operator. By that token, I am wondering if maybe all this chart should do is allow the deployment to optionally reference a service account that is defined out-of-band. Or... Do we want to say that whoever installs this chart (typically into the I'm comfortable with either approach. Am just curious to know what you had in mind. |
|
Hmmm, interesting question. I hadn't thought about it much, just wanted to get the item in so we can start to think about it. My first impression is allow it in this chart for ease of use, or at least allow it as an option so this can work out of the box. I wonder what the other charts are doing/assuming. In my case I'm running the chart updates in from our CI so if it isn't built in for now I would likely just put the deploy of the roles and bindings there as well until I work out a nicer way to include them in some automated cluster initialisation. |
Let's keep an eye on that, contribute to those discussions, and see if we can be consistent with whatever the consensus ends up being. |
|
Is there any other discussions around this going on? I know this is an issue for Traefik specifically, but its a bigger helm chart issue for 1.6+ |
|
Any update on this? I've been having trouble with a slow traefik service and wanted to try using this instead. Out of the box, that's not possible yet. Is there a proposed helm direction based on the community? |
|
Submitted a PR just now, there's a comment in the PR but not sure why when switching RBAC off that the deployment still has the old service account. While this is a bit of an edge case, I've set the service account to |
|
Also could not start traefik on k8s 1.6 with helm. Had to fallback to https://docs.traefik.io/user-guide/kubernetes/ with the |
For helm#948. When switching RBAC from true to false, the `serviceAccountName` stays as the Traefik specific one so set it to `default`. Not sure if this is a Helm issue or further upstream.
* RBAC support for Traefik For #948. When switching RBAC from true to false, the `serviceAccountName` stays as the Traefik specific one so set it to `default`. Not sure if this is a Helm issue or further upstream. * Bump the chart version to 1.4.0 * Additional note on k8s version for RBAC
|
#1225 is now merged. |
* RBAC support for Traefik For helm#948. When switching RBAC from true to false, the `serviceAccountName` stays as the Traefik specific one so set it to `default`. Not sure if this is a Helm issue or further upstream. * Bump the chart version to 1.4.0 * Additional note on k8s version for RBAC
* RBAC support for Traefik For helm#948. When switching RBAC from true to false, the `serviceAccountName` stays as the Traefik specific one so set it to `default`. Not sure if this is a Helm issue or further upstream. * Bump the chart version to 1.4.0 * Additional note on k8s version for RBAC
RBAC support is required for k8s 1.6+ clusters with RBAC enabled.
Docs are here.
Example here.
I think it should be optional to support users on k8s < 1.6.
The text was updated successfully, but these errors were encountered: