jcmoraisjr / haproxy-ingress

HAProxy Ingress
https://haproxy-ingress.github.io
Apache License 2.0

Haproxy ingress for single namespace without using ClusterRole #315

Open swapnilgawade16 opened 5 years ago

swapnilgawade16 commented 5 years ago

I am trying to deploy HaProxy ingress specific to one namespace without using ClusterRole and ClusterRoleBinding, just using Role and RoleBinding for one specific namespace.

Details: `--watch-namespace=abc` passed as an argument (used the canary tag as it supports this argument). Defined appropriate Role and RoleBinding based on https://github.com/jcmoraisjr/haproxy-ingress/blob/master/examples/rbac/ingress-controller-rbac.yml

But when I try to start haproxy ingress the ingress complains saying it does not have access to cluster resources.

Does HaProxy ingress support single namespace without ClusterRole or HaProxy ingress will always require ClusterRole?

jcmoraisjr commented 5 years ago

Hi, I've some confidence that this should work without a clusterrole but I didn't explore such configuration yet. I'll leave this issue open so it won't be forgotten.

swapnilgawade16 commented 5 years ago

Update: I managed to achieve the namespace isolation with restricted access (only Role/RoleBindings) by adding below arguments to the ingress pod. Found it here https://github.com/jcmoraisjr/haproxy-ingress/blob/master/pkg/common/ingress/controller/launch.go#L109

```
"--watch-namespace=$(POD_NAMESPACE)",
"--force-namespace-isolation=true",
"--disable-node-list=true"
```

jcmoraisjr commented 5 years ago

Nice, thanks! Please leave this one open until someone moves these hints to the docs or examples.

DanMolz commented 4 years ago

> Update: I managed to achieve the namespace isolation with restricted access (only Role/RoleBindings) by adding below arguments to the ingress pod. Found it here https://github.com/jcmoraisjr/haproxy-ingress/blob/master/pkg/common/ingress/controller/launch.go#L109
>
> ```
> "--watch-namespace=$(POD_NAMESPACE)",
> "--force-namespace-isolation=true",
> "--disable-node-list=true"
> ```

Can you confirm if you removed the ClusterRole and ClusterRoleBinding from the pod?

jackivanov commented 3 years ago

@jcmoraisjr Are you still using this workaround?

wgebis commented 1 year ago

Looks like it doesn't work :(. Ingress controller reports:

```
cannot list resource "ingressclasses" in API group "networking.k8s.io" at the cluster scope
```

jcmoraisjr commented 1 year ago

Thanks for bringing that (again) to our attention. In fact ingress classes is a needed and cluster-scoped resource that makes namespaced ingress not work. Adding to the dev backlog and tagged as v0.15 so we'll remember that in the short term.
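A full manifest tying together the three arguments posted earlier in the thread (`--watch-namespace`, `--force-namespace-isolation`, `--disable-node-list`) with namespace-scoped RBAC, and the cluster-scope caveat raised just above. This is an added example, not the project's own code or a maintainer-confirmed configuration. Assumptions: the namespace `abc` (the reporter's example), the service account and object names, the image reference, and the exact resource list in the Role, which must be reconciled with `examples/rbac/ingress-controller-rbac.yml` for the controller version you run. The trailing ClusterRole is the narrowest cluster-scope grant that addresses the `ingressclasses` error quoted above; the thread does not confirm that nothing else is needed at cluster scope.

```yaml
# Added example: namespace-scoped RBAC for haproxy-ingress.
# Names, namespace "abc", image tag and the Role's resource list are assumptions.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: haproxy-ingress
  namespace: abc
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: haproxy-ingress
  namespace: abc
rules:
  # No "nodes" rule: --disable-node-list=true removes that cluster-scoped read.
  - apiGroups: [""]
    resources: ["configmaps", "endpoints", "pods", "secrets", "services"]
    verbs: ["get", "list", "watch"]
  - apiGroups: [""]
    resources: ["configmaps"]
    verbs: ["create", "update"]
  - apiGroups: [""]
    resources: ["events"]
    verbs: ["create", "patch"]
  - apiGroups: ["networking.k8s.io"]
    resources: ["ingresses"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["networking.k8s.io"]
    resources: ["ingresses/status"]
    verbs: ["update"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: haproxy-ingress
  namespace: abc
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: haproxy-ingress
subjects:
  - kind: ServiceAccount
    name: haproxy-ingress
    namespace: abc
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: haproxy-ingress
  namespace: abc
spec:
  replicas: 1
  selector:
    matchLabels:
      app: haproxy-ingress
  template:
    metadata:
      labels:
        app: haproxy-ingress
    spec:
      serviceAccountName: haproxy-ingress
      containers:
        - name: haproxy-ingress
          image: quay.io/jcmoraisjr/haproxy-ingress:v0.14   # assumed image/tag; use your version
          env:
            # $(POD_NAMESPACE) in args is only expanded if the variable is
            # declared here; the downward API fills in the pod's namespace.
            - name: POD_NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
          args:
            - --watch-namespace=$(POD_NAMESPACE)
            - --force-namespace-isolation=true
            - --disable-node-list=true
---
# Only for versions that list ingressclasses (the error quoted above).
# ingressclasses is cluster-scoped, so a Role cannot grant it; this
# ClusterRole grants read on that one resource and nothing else.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: haproxy-ingress-ingressclasses
rules:
  - apiGroups: ["networking.k8s.io"]
    resources: ["ingressclasses"]
    verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: haproxy-ingress-ingressclasses
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: haproxy-ingress-ingressclasses
subjects:
  - kind: ServiceAccount
    name: haproxy-ingress
    namespace: abc
```

Before trusting the setup, check what the service account can actually do from outside the pod, for example `kubectl auth can-i list secrets --all-namespaces --as=system:serviceaccount:abc:haproxy-ingress` should answer `no`, while the same check with `-n abc` and, if the ClusterRole is applied, `list ingressclasses` should answer `yes`. Any remaining "at the cluster scope" error in the controller log names the next resource the version you run still reads cluster-wide.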

wgebis commented 1 year ago

Thanks! It would be great to make HAProxy able to run on shared k8s clusters with only namespace-related resources. I have used HAProxy many times in dedicated k8s infrastructures; in my opinion it's significantly easier to deploy and more powerful than the nginx and Traefik implementations. 👍

BTW: if you know any workaround to get it work, please let me know in the meantime before v0.15.

waelchlis commented 6 months ago

Is there any plan to include a config where it's possible to run HAProxy not completely isolated in one namespace (still serving ingress resources from all namespaces in the cluster) but just being able to restrict the service account's access to secrets to its own namespace? Currently the `--force-namespace-isolation` option only seems to work together with `--watch-namespace`; otherwise I still get an error that the service account can't list secrets at the cluster scope. But this way it's not possible to serve ingress resources in other namespaces, even if all the secrets I need are in the HAProxy namespace.

jcmoraisjr commented 6 months ago

There are cross-namespace configs, maybe this is what you're talking about? Otherwise please file a new issue with your expectation so it won't be forgotten.

pagarwal-tibco commented 5 months ago

Is there any update on deploying ha-proxy with no cluster scope permissions? Or at least only look at specific IngressClass resource and not all.