From 8e6ce08f33b2adcb9042d2ce7acf8cf51ee1c7bf Mon Sep 17 00:00:00 2001
From: Noureldin <105996926+nmn3m@users.noreply.github.com>
Date: Tue, 23 Dec 2025 13:02:04 +0200
Subject: [PATCH] Add RBAC documentation for Ingress NGINX provider
---
 .../kubernetes-ingress-nginx-rbac.yml | 66 +++++++++++++++++++
 .../kubernetes/kubernetes-ingress-nginx.md | 15 +++++
 2 files changed, 81 insertions(+)
 create mode 100644 docs/content/reference/dynamic-configuration/kubernetes-ingress-nginx-rbac.yml
diff --git a/docs/content/reference/dynamic-configuration/kubernetes-ingress-nginx-rbac.yml b/docs/content/reference/dynamic-configuration/kubernetes-ingress-nginx-rbac.yml
new file mode 100644
index 000000000..57bd4afb6
--- /dev/null
+++ b/docs/content/reference/dynamic-configuration/kubernetes-ingress-nginx-rbac.yml
@@ -0,0 +1,66 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: traefik-ingress-nginx-controller
+rules:
+ - apiGroups:
+ - ""
+ resources:
+ - services
+ - secrets
+ verbs:
+ - list
+ - watch
+ # When using the watchNamespaceSelector option,
+ # Traefik requires permissions to list and watch namespaces.
+ - apiGroups:
+ - ""
+ resources:
+ - namespaces
+ verbs:
+ - list
+ - watch
+ # The pods right is needed to inject k8s.pod.uid and k8s.pod.name OTel attributes.
+ # When OTel tracing/logs/metrics are not enabled, this rule is not needed.
+ - apiGroups:
+ - ""
+ resources:
+ - pods
+ verbs:
+ - get
+ - apiGroups:
+ - discovery.k8s.io
+ resources:
+ - endpointslices
+ verbs:
+ - list
+ - watch
+ - apiGroups:
+ - networking.k8s.io
+ resources:
+ - ingresses
+ - ingressclasses
+ verbs:
+ - list
+ - watch
+ - apiGroups:
+ - networking.k8s.io
+ resources:
+ - ingresses/status
+ verbs:
+ - update
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: traefik-ingress-nginx-controller
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: traefik-ingress-nginx-controller
+subjects:
+ - kind: ServiceAccount
+ name: traefik-ingress-nginx-controller
+ namespace: default
diff --git a/docs/content/reference/install-configuration/providers/kubernetes/kubernetes-ingress-nginx.md b/docs/content/reference/install-configuration/providers/kubernetes/kubernetes-ingress-nginx.md
index 4eec82b42..7df3de59b 100644
--- a/docs/content/reference/install-configuration/providers/kubernetes/kubernetes-ingress-nginx.md
+++ b/docs/content/reference/install-configuration/providers/kubernetes/kubernetes-ingress-nginx.md
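Review bot: The ClusterRoleBinding at the end of the hunk hardcodes its subject to ServiceAccount `traefik-ingress-nginx-controller` in namespace `default`, and nothing in this manifest creates that ServiceAccount, so a reader who applies the file unchanged either binds nothing or grants these cluster-wide rights to whatever account happens to carry that name in `default`. A comment on the `subjects:` stanza would make that explicit, for example `# Must match the ServiceAccount name and namespace the Traefik Deployment runs as; edit before applying.` The `secrets` rule in the first ClusterRole is also the only broad grant here without a why-comment, while the `namespaces` and `pods` rules both carry one; a line such as `# Secrets are read for Ingress TLS (spec.tls.secretName); presumably also for secrets referenced by supported annotations — confirm against the provider` would let reviewers judge whether cluster-wide list/watch on secrets is acceptable in their environment.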
@@ -17,6 +17,21 @@ It also supports many of the [ingress-nginx](https://kubernetes.github.io/ingres
 For more information about the NGINX Ingress Controller retirement, see the [official Kubernetes blog announcement](https://kubernetes.io/blog/2025/11/11/ingress-nginx-retirement).
+## Requirements
+
+When you install Traefik without using the Helm Chart,
+ensure that you add/update the [RBAC](https://kubernetes.io/docs/reference/access-authn-authz/rbac/) for the Traefik Kubernetes Ingress NGINX provider.
+
+!!! note "Additional RBAC for Namespace Selector"
+
+ When using the `watchNamespaceSelector` option, Traefik requires permissions to list and watch namespaces.
+ These permissions are included in the RBAC configuration below.
+
+```bash
+# Install RBAC for Traefik Ingress NGINX provider:
+kubectl apply -f https://raw.githubusercontent.com/traefik/traefik/v3.6/docs/content/reference/dynamic-configuration/kubernetes-ingress-nginx-rbac.yml
+```
+
 ## Ingress Discovery
 This provider discovers all Ingresses in the cluster by default, which may lead to duplicated routers if you are also using the standard Kubernetes Ingress provider.
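Review bot: The `kubectl apply -f https://raw.githubusercontent.com/...` step in the new Requirements section applies a ClusterRole and ClusterRoleBinding straight from a remote URL, but the bound ServiceAccount and its namespace are fixed inside that manifest (the linked file binds namespace `default`), so the text should tell readers to download and review the manifest and edit the binding's `subjects` to match the account Traefik actually runs as before applying. A sentence before the code block such as `The ClusterRoleBinding in this manifest binds the traefik-ingress-nginx-controller ServiceAccount in the default namespace; adjust the subjects to match your deployment before applying.` would cover this. The `v3.6` path component appears to be a branch rather than an immutable tag, so the fetched content can change after this page is written; if that is intended, saying so helps operators decide whether to pin a specific revision instead.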