Migrate to EndpointSlices API

2024-06-21 14:56:03 +02:00 · 2024-06-21 14:56:03 +02:00 · a8a92eb2a5
commit a8a92eb2a5
parent 61defcdd66
88 changed files with 2177 additions and 1555 deletions
--- a/docs/content/getting-started/quick-start-with-kubernetes.md
+++ b/docs/content/getting-started/quick-start-with-kubernetes.md
@ -35,12 +35,18 @@ rules:
      - ""
    resources:
      - services
-      - endpoints
      - secrets
    verbs:
      - get
      - list
      - watch
+  - apiGroups:
+      - discovery.k8s.io
+    resources:
+      - endpointslices
+    verbs:
+      - list
+      - watch
  - apiGroups:
      - extensions
      - networking.k8s.io
--- a/docs/content/migration/v3.md
+++ b/docs/content/migration/v3.md
@ -0,0 +1,27 @@
+---
+title: "Traefik Migration Documentation"
+description: "Learn the steps needed to migrate to new Traefik Proxy v3 versions. Read the technical documentation."
+---
+
+# Migration: Steps needed between the versions
+
+## v3.0 to v3.1
+
+### Kubernetes Provider RBACs
+
+Starting with v3.1, the Kubernetes Providers now use the [EndpointSlices API](https://kubernetes.io/docs/concepts/services-networking/endpoint-slices/) (Kubernetes >=v1.21) to discover service endpoint addresses.
+
+Therefore, in the corresponding RBACs (see [KubernetesIngress](../routing/providers/kubernetes-ingress.md#configuration-example), [KubernetesCRD](../reference/dynamic-configuration/kubernetes-crd.md#rbac), and [KubernetesGateway](../reference/dynamic-configuration/kubernetes-gateway.md#rbac) provider RBACs), 
+the `endpoints` right has to be removed and the following `endpointslices` right has to be added.
+
+```yaml
+  ... 
+  - apiGroups:
+      - discovery.k8s.io
+    resources:
+      - endpointslices
+    verbs:
+      - list
+      - watch
+  ...
+```
--- a/docs/content/providers/kubernetes-crd.md
+++ b/docs/content/providers/kubernetes-crd.md
@ -183,7 +183,7 @@ _Optional, Default: ""_

 A label selector can be defined to filter on specific resource objects only,
 this applies only to Traefik [Custom Resources](../routing/providers/kubernetes-crd.md#custom-resource-definition-crd)
-and has no effect on Kubernetes `Secrets`, `Endpoints` and `Services`.
+and has no effect on Kubernetes `Secrets`, `EndpointSlices` and `Services`.
 If left empty, Traefik processes all resource objects in the configured namespaces.

 See [label-selectors](https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#label-selectors) for details.
--- a/docs/content/reference/dynamic-configuration/kubernetes-crd-rbac.yml
+++ b/docs/content/reference/dynamic-configuration/kubernetes-crd-rbac.yml
@ -8,13 +8,19 @@ rules:
      - ""
    resources:
      - services
-      - endpoints
      - secrets
      - nodes
    verbs:
      - get
      - list
      - watch
+  - apiGroups:
+      - discovery.k8s.io
+    resources:
+      - endpointslices
+    verbs:
+      - list
+      - watch
  - apiGroups:
      - extensions
      - networking.k8s.io
--- a/docs/content/reference/dynamic-configuration/kubernetes-gateway-rbac.yml
+++ b/docs/content/reference/dynamic-configuration/kubernetes-gateway-rbac.yml
@ -15,12 +15,18 @@ rules:
      - ""
    resources:
      - services
-      - endpoints
      - secrets
    verbs:
      - get
      - list
      - watch
+  - apiGroups:
+      - discovery.k8s.io
+    resources:
+      - endpointslices
+    verbs:
+      - list
+      - watch
  - apiGroups:
      - gateway.networking.k8s.io
    resources:
--- a/docs/content/routing/providers/kubernetes-ingress.md
+++ b/docs/content/routing/providers/kubernetes-ingress.md
@ -29,12 +29,18 @@ which in turn will create the resulting routers, services, handlers, etc.
          - ""
        resources:
          - services
-          - endpoints
          - secrets
        verbs:
          - get
          - list
          - watch
+      - apiGroups:
+          - discovery.k8s.io
+        resources:
+          - endpointslices
+        verbs:
+          - list
+          - watch
      - apiGroups:
          - extensions
          - networking.k8s.io
@ -427,12 +433,19 @@ This way, any Ingress attached to this Entrypoint will have TLS termination by d
          - ""
        resources:
          - services
-          - endpoints
          - secrets
        verbs:
          - get
          - list
          - watch
+      - apiGroups:
+          - discovery.k8s.io
+        resources:
+          - endpointslices
+        verbs:
+          - get
+          - list
+          - watch
      - apiGroups:
          - extensions
          - networking.k8s.io
@ -612,12 +625,19 @@ For more options, please refer to the available [annotations](#on-ingress).
          - ""
        resources:
          - services
-          - endpoints
          - secrets
        verbs:
          - get
          - list
          - watch
+      - apiGroups:
+          - discovery.k8s.io
+        resources:
+          - endpointslices
+        verbs:
+          - get
+          - list
+          - watch
      - apiGroups:
          - extensions
          - networking.k8s.io
--- a/docs/mkdocs.yml
+++ b/docs/mkdocs.yml
@ -172,6 +172,7 @@ nav:
          - 'HTTP Challenge': 'user-guides/docker-compose/acme-http/index.md'
          - 'DNS Challenge': 'user-guides/docker-compose/acme-dns/index.md'
  - 'Migration':
+      - 'Traefik v3 minor migrations': 'migration/v3.md'
      - 'Traefik v2 to v3':
        - 'Migration guide': 'migration/v2-to-v3.md'
        - 'Configuration changes for v3': 'migration/v2-to-v3-details.md'