Add RBAC documentation for Ingress NGINX provider

Noureldin 2025-12-23 13:02:04 +02:00 committed by GitHub
parent 97f94349d5
commit 8e6ce08f33
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
2 changed files with 81 additions and 0 deletions


@ -0,0 +1,66 @@
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: traefik-ingress-nginx-controller
rules:
- apiGroups:
- ""
resources:
- services
- secrets
verbs:
- list
- watch
# When using the watchNamespaceSelector option,
# Traefik requires permissions to list and watch namespaces.
- apiGroups:
- ""
resources:
- namespaces
verbs:
- list
- watch
# The pods right is needed to inject k8s.pod.uid and k8s.pod.name OTel attributes.
# When OTel tracing/logs/metrics are not enabled, this rule is not needed.
- apiGroups:
- ""
resources:
- pods
verbs:
- get
- apiGroups:
- discovery.k8s.io
resources:
- endpointslices
verbs:
- list
- watch
- apiGroups:
- networking.k8s.io
resources:
- ingresses
- ingressclasses
verbs:
- list
- watch
- apiGroups:
- networking.k8s.io
resources:
- ingresses/status
verbs:
- update
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: traefik-ingress-nginx-controller
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: traefik-ingress-nginx-controller
subjects:
- kind: ServiceAccount
name: traefik-ingress-nginx-controller
namespace: default
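
Review bot: the first rule grants `list` and `watch` on `secrets` through a ClusterRole bound by a ClusterRoleBinding, so the controller's ServiceAccount can read every Secret in every namespace, and unlike the `namespaces` and `pods` rules it carries no comment explaining why. Add a comment stating what the Secrets access is needed for, and consider documenting whether a namespaced Role and RoleBinding is enough when only some namespaces are watched. Separately, the subject is pinned to `namespace: default`; a comment telling users to change it to the namespace Traefik actually runs in would avoid a binding that points at the wrong ServiceAccount. The `pods` rule is commented as unnecessary when OTel is disabled, so the comment could say outright that the rule can be deleted in that case.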


@ -17,6 +17,21 @@ It also supports many of the [ingress-nginx](https://kubernetes.github.io/ingres
For more information about the NGINX Ingress Controller retirement, see the [official Kubernetes blog announcement](https://kubernetes.io/blog/2025/11/11/ingress-nginx-retirement). For more information about the NGINX Ingress Controller retirement, see the [official Kubernetes blog announcement](https://kubernetes.io/blog/2025/11/11/ingress-nginx-retirement).
## Requirements
When you install Traefik without using the Helm Chart,
ensure that you add/update the [RBAC](https://kubernetes.io/docs/reference/access-authn-authz/rbac/) for the Traefik Kubernetes Ingress NGINX provider.
!!! note "Additional RBAC for Namespace Selector"
When using the `watchNamespaceSelector` option, Traefik requires permissions to list and watch namespaces.
These permissions are included in the RBAC configuration below.
```bash
# Install RBAC for Traefik Ingress NGINX provider:
kubectl apply -f https://raw.githubusercontent.com/traefik/traefik/v3.6/docs/content/reference/dynamic-configuration/kubernetes-ingress-nginx-rbac.yml
```
## Ingress Discovery ## Ingress Discovery
This provider discovers all Ingresses in the cluster by default, which may lead to duplicated routers if you are also using the standard Kubernetes Ingress provider. This provider discovers all Ingresses in the cluster by default, which may lead to duplicated routers if you are also using the standard Kubernetes Ingress provider.
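
Review bot: the new Requirements text has readers `kubectl apply` cluster-wide RBAC straight from a raw.githubusercontent.com URL without saying what it grants or which subject it binds. Add a sentence summarising the permissions (including list/watch on Secrets) and stating that the manifest added in this commit binds the ServiceAccount `traefik-ingress-nginx-controller` in namespace `default`, so users running Traefik in another namespace should download the file, edit the subject and then apply it. As a wording point, "add/update the RBAC" would read better as "add or update the RBAC rules".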