Traefik: the server could not find the requested resource



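I have created a k3s cluster on some Raspberry Pis and am currently struggling to get the traefik service mesh to resolve my domain.

I have had this working before, but after recreating my cluster I cannot get past the following issues:

The error message I get in traefik is as follows: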

Failed to watch *v1alpha1.IngressRouteUDP: failed to list *v1alpha1.IngressRouteUDP: the server could not find the requested resource 

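This error message is repeated many times for different resource types.

When trying to obtain a TLS certificate from Let's Encrypt, I also get the following error: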

Waiting for HTTP-01 challenge propagation: wrong status code '404', expected '200

I have created a ClusterIssuer for staging certificates with the following YAML:

apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-staging
  namespace: cert-manager
spec:
  acme:
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    email: myemail@example.com
    privateKeySecretRef:
      name: letsencrypt-staging
    solvers:
    - http01:
        ingress:
          class: traefik

This appears to be working and returns the status READY=true

I then requested a staging certificate with the following YAML:

apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: example-com
  namespace: cert-manager
  annotations:
    certmanager.k8s.io/cluster-issuer: letsencrypt-staging
spec:
  secretName: example-com-tls
  issuerRef:
    name: letsencrypt-staging
    kind: ClusterIssuer
  commonName: example.com
  dnsNames:
  - example.com

This is where I get the 404 error, which is output by the challenge.

I also have the following args in my traefik deployment:

- --certificatesresolvers.myresolver.acme.email=myemail@example.com
- --global.checknewversion
- --global.sendanonymoususage
- --entryPoints.traefik.address=:9000/tcp
- --entryPoints.web.address=:8000/tcp
- --entryPoints.websecure.address=:8443/tcp
- --api.dashboard=true
- --ping=true
- --providers.kubernetescrd
- --providers.kubernetesingress
- --providers.kubernetesingress.ingressendpoint.publishedservice=kube-system/traefik
- --entrypoints.websecure.http.tls=true
- --certificatesresolvers.default.acme.tlschallenge
- --certificatesresolvers.default.acme.storage=acme.json

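I'm stumped. I have spent over a week trying to solve this. I'm sure it is something simple that I have missed, but I can't work it out. Any help is much appreciated. Thank you.

Sample of logs from the traefik pod: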

1 reflector.go:153] pkg/mod/k8s.io/client-go@v0.17.3/tools/cache/reflector.go:105: Failed to list *v1alpha1.TraefikService: traefikservices.traefik.containo.us is forbidden: User "system:serviceaccount:kube-system:traefik-ingress-controller" cannot list resource "traefikservices" in API group "traefik.containo.us" at the cluster scope
E1019 11:15:04.610288       1 reflector.go:153] pkg/mod/k8s.io/client-go@v0.17.3/tools/cache/reflector.go:105: Failed to list *v1.Endpoints: endpoints is forbidden: User "system:serviceaccount:kube-system:traefik-ingress-controller" cannot list resource "endpoints" in API group "" at the cluster scope
E1019 11:15:04.610542       1 reflector.go:153] pkg/mod/k8s.io/client-go@v0.17.3/tools/cache/reflector.go:105: Failed to list *v1.Service: services is forbidden: User "system:serviceaccount:kube-system:traefik-ingress-controller" cannot list resource "services" in API group "" at the cluster scope
E1019 11:15:04.610902       1 reflector.go:153] pkg/mod/k8s.io/client-go@v0.17.3/tools/cache/reflector.go:105: Failed to list *v1beta1.Ingress: ingresses.extensions is forbidden: User "system:serviceaccount:kube-system:traefik-ingress-controller" cannot list resource "ingresses" in API group "extensions" at the cluster scope
E1019 11:15:04.610959       1 reflector.go:153] pkg/mod/k8s.io/client-go@v0.17.3/tools/cache/reflector.go:105: Failed to list *v1.Secret: secrets is forbidden: User "system:serviceaccount:kube-system:traefik-ingress-controller" cannot list resource "secrets" in API group "" at the cluster scope
E1019 11:15:04.658001       1 reflector.go:153] pkg/mod/k8s.io/client-go@v0.17.3/tools/cache/reflector.go:105: Failed to list *v1alpha1.IngressRouteTCP: ingressroutetcps.traefik.containo.us is forbidden: User "system:serviceaccount:kube-system:traefik-ingress-controller" cannot list resource "ingressroutetcps" in API group "traefik.containo.us" at the cluster scope
E1019 11:15:04.861684       1 reflector.go:153] pkg/mod/k8s.io/client-go@v0.17.3/tools/cache/reflector.go:105: Failed to list *v1alpha1.IngressRoute: ingressroutes.traefik.containo.us is forbidden: User "system:serviceaccount:kube-system:traefik-ingress-controller" cannot list resource "ingressroutes" in API group "traefik.containo.us" at the cluster scope
E1019 11:15:05.060807       1 reflector.go:153] pkg/mod/k8s.io/client-go@v0.17.3/tools/cache/reflector.go:105: Failed to list *v1alpha1.IngressRouteUDP: ingressrouteudps.traefik.containo.us is forbidden: User "system:serviceaccount:kube-system:traefik-ingress-controller" cannot list resource "ingressrouteudps" in API group "traefik.containo.us" at the cluster scope
E1019 11:15:05.278868       1 reflector.go:153] pkg/mod/k8s.io/client-go@v0.17.3/tools/cache/reflector.go:105: Failed to list *v1alpha1.Middleware: middlewares.traefik.containo.us is forbidden: User "system:serviceaccount:kube-system:traefik-ingress-controller" cannot list resource "middlewares" in API group "traefik.containo.us" at the cluster scope

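To clarify: the solution was to replace Traefik with nginx-ingress.

Let me explain the probable reason why the first setup did not work. I have found a possible answer to your Traefik problem.

Your logs show that Kubernetes runs Traefik using a service account, but the service account lacks the necessary access to the objects.

The problem is that you are probably missing the ClusterRole and ClusterRoleBinding (which would allow the service account traefik-ingress-controller to view Kubernetes resources, including Traefik's CRDs).

See this documentation, where you can find examples.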
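The "forbidden" lines in the log sample name exactly which resources the service account cannot read, so the missing ClusterRole and ClusterRoleBinding can be derived from them. The following Python script is an added example, not part of the original answer or of Traefik; the role name `traefik-read`, the function names and the read-only verb set are assumptions.

```python
import re
from collections import defaultdict

# Four lines copied verbatim from the traefik pod log sample on this page.
SAMPLE_LOG = '''
E1019 11:15:04.610288       1 reflector.go:153] pkg/mod/k8s.io/client-go@v0.17.3/tools/cache/reflector.go:105: Failed to list *v1.Endpoints: endpoints is forbidden: User "system:serviceaccount:kube-system:traefik-ingress-controller" cannot list resource "endpoints" in API group "" at the cluster scope
E1019 11:15:04.610902       1 reflector.go:153] pkg/mod/k8s.io/client-go@v0.17.3/tools/cache/reflector.go:105: Failed to list *v1beta1.Ingress: ingresses.extensions is forbidden: User "system:serviceaccount:kube-system:traefik-ingress-controller" cannot list resource "ingresses" in API group "extensions" at the cluster scope
E1019 11:15:04.610959       1 reflector.go:153] pkg/mod/k8s.io/client-go@v0.17.3/tools/cache/reflector.go:105: Failed to list *v1.Secret: secrets is forbidden: User "system:serviceaccount:kube-system:traefik-ingress-controller" cannot list resource "secrets" in API group "" at the cluster scope
E1019 11:15:04.861684       1 reflector.go:153] pkg/mod/k8s.io/client-go@v0.17.3/tools/cache/reflector.go:105: Failed to list *v1alpha1.IngressRoute: ingressroutes.traefik.containo.us is forbidden: User "system:serviceaccount:kube-system:traefik-ingress-controller" cannot list resource "ingressroutes" in API group "traefik.containo.us" at the cluster scope
'''

# One RBAC denial, as the API server words it for a service account.
DENIED = re.compile(
    r'User "system:serviceaccount:(?P<ns>[^:"]+):(?P<sa>[^"]+)" cannot \w+ '
    r'resource "(?P<res>[^"]+)" in API group "(?P<group>[^"]*)" at the cluster scope')

# Assumption: read-only verbs; the reflector lists and then watches each type.
READ_VERBS = ["get", "list", "watch"]

def denied_access(log_text):
    """Map (namespace, serviceaccount) -> {api_group: sorted resource names}."""
    found = defaultdict(lambda: defaultdict(set))
    for m in DENIED.finditer(log_text):
        found[(m["ns"], m["sa"])][m["group"]].add(m["res"])
    return {s: {g: sorted(r) for g, r in gs.items()} for s, gs in found.items()}

def _flow(items):
    """Render a YAML flow sequence of double-quoted strings."""
    return "[" + ", ".join(f'"{i}"' for i in items) + "]"

def rbac_manifest(log_text, role_name="traefik-read"):  # role_name is hypothetical
    """ClusterRole + ClusterRoleBinding granting only what the log shows denied."""
    docs = []
    for (ns, sa), groups in sorted(denied_access(log_text).items()):
        rules = "".join(
            f"  - apiGroups: {_flow([g])}\n    resources: {_flow(res)}\n"
            f"    verbs: {_flow(READ_VERBS)}\n" for g, res in sorted(groups.items()))
        docs.append(
            "apiVersion: rbac.authorization.k8s.io/v1\nkind: ClusterRole\n"
            f"metadata:\n  name: {role_name}\nrules:\n{rules}---\n"
            "apiVersion: rbac.authorization.k8s.io/v1\nkind: ClusterRoleBinding\n"
            f"metadata:\n  name: {role_name}\nroleRef:\n"
            f"  apiGroup: rbac.authorization.k8s.io\n  kind: ClusterRole\n  name: {role_name}\n"
            f"subjects:\n  - kind: ServiceAccount\n    name: {sa}\n    namespace: {ns}\n")
    return "---\n".join(docs)

if __name__ == "__main__":
    print(rbac_manifest(SAMPLE_LOG))
```

Review the generated manifest before applying it: the rule on `secrets` grants cluster-wide read access and is the most sensitive one in the set.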
