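【Posted】: 2021-10-18 16:58:54
【Problem description】:
I have created a k3s cluster on some Raspberry Pis and am currently struggling to get my domain resolved using the traefik service mesh.
I had it working before, but after recreating my cluster I cannot get past the following problem:
The error message I get in the traefik pod is as follows: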
Failed to watch *v1alpha1.IngressRouteUDP: failed to list *v1alpha1.IngressRouteUDP: the server could not find the requested resource
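This error message repeats several times for different resource types.
When trying to obtain a TLS certificate from Let's Encrypt, I also get the following error: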
Waiting for HTTP-01 challenge propagation: wrong status code '404', expected '200
I created a ClusterIssuer for the staging certificate using the following YAML:
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-staging
  namespace: cert-manager
spec:
  acme:
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    email: myemail@example.com
    privateKeySecretRef:
      name: letsencrypt-staging
    solvers:
    - http01:
        ingress:
          class: traefik
This seems to work and returns the status READY=true
I then requested a staging certificate with the following YAML:
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: example-com
  namespace: cert-manager
  annotations:
    certmanager.k8s.io/cluster-issuer: letsencrypt-staging
spec:
  secretName: example-com-tls
  issuerRef:
    name: letsencrypt-staging
    kind: ClusterIssuer
  commonName: example.com
  dnsNames:
  - example.com
This is where I get the 404 error in the challenge output.
I also have the following args in my traefik deployment:
- --certificatesresolvers.myresolver.acme.email=myemail@example.com
- --global.checknewversion
- --global.sendanonymoususage
- --entryPoints.traefik.address=:9000/tcp
- --entryPoints.web.address=:8000/tcp
- --entryPoints.websecure.address=:8443/tcp
- --api.dashboard=true
- --ping=true
- --providers.kubernetescrd
- --providers.kubernetesingress
- --providers.kubernetesingress.ingressendpoint.publishedservice=kube-system/traefik
- --entrypoints.websecure.http.tls=true
- --certificatesresolvers.default.acme.tlschallenge
- --certificatesresolvers.default.acme.storage=acme.json
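I'm stumped. I've spent over a week trying to solve this. I'm sure it is something simple that I'm missing, but I can't figure it out. Any help is greatly appreciated. Thanks.
Sample logs from the traefik pod: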
1 reflector.go:153] pkg/mod/k8s.io/client-go@v0.17.3/tools/cache/reflector.go:105: Failed to list *v1alpha1.TraefikService: traefikservices.traefik.containo.us is forbidden: User "system:serviceaccount:kube-system:traefik-ingress-controller" cannot list resource "traefikservices" in API group "traefik.containo.us" at the cluster scope
E1019 11:15:04.610288 1 reflector.go:153] pkg/mod/k8s.io/client-go@v0.17.3/tools/cache/reflector.go:105: Failed to list *v1.Endpoints: endpoints is forbidden: User "system:serviceaccount:kube-system:traefik-ingress-controller" cannot list resource "endpoints" in API group "" at the cluster scope
E1019 11:15:04.610542 1 reflector.go:153] pkg/mod/k8s.io/client-go@v0.17.3/tools/cache/reflector.go:105: Failed to list *v1.Service: services is forbidden: User "system:serviceaccount:kube-system:traefik-ingress-controller" cannot list resource "services" in API group "" at the cluster scope
E1019 11:15:04.610902 1 reflector.go:153] pkg/mod/k8s.io/client-go@v0.17.3/tools/cache/reflector.go:105: Failed to list *v1beta1.Ingress: ingresses.extensions is forbidden: User "system:serviceaccount:kube-system:traefik-ingress-controller" cannot list resource "ingresses" in API group "extensions" at the cluster scope
E1019 11:15:04.610959 1 reflector.go:153] pkg/mod/k8s.io/client-go@v0.17.3/tools/cache/reflector.go:105: Failed to list *v1.Secret: secrets is forbidden: User "system:serviceaccount:kube-system:traefik-ingress-controller" cannot list resource "secrets" in API group "" at the cluster scope
E1019 11:15:04.658001 1 reflector.go:153] pkg/mod/k8s.io/client-go@v0.17.3/tools/cache/reflector.go:105: Failed to list *v1alpha1.IngressRouteTCP: ingressroutetcps.traefik.containo.us is forbidden: User "system:serviceaccount:kube-system:traefik-ingress-controller" cannot list resource "ingressroutetcps" in API group "traefik.containo.us" at the cluster scope
E1019 11:15:04.861684 1 reflector.go:153] pkg/mod/k8s.io/client-go@v0.17.3/tools/cache/reflector.go:105: Failed to list *v1alpha1.IngressRoute: ingressroutes.traefik.containo.us is forbidden: User "system:serviceaccount:kube-system:traefik-ingress-controller" cannot list resource "ingressroutes" in API group "traefik.containo.us" at the cluster scope
E1019 11:15:05.060807 1 reflector.go:153] pkg/mod/k8s.io/client-go@v0.17.3/tools/cache/reflector.go:105: Failed to list *v1alpha1.IngressRouteUDP: ingressrouteudps.traefik.containo.us is forbidden: User "system:serviceaccount:kube-system:traefik-ingress-controller" cannot list resource "ingressrouteudps" in API group "traefik.containo.us" at the cluster scope
E1019 11:15:05.278868 1 reflector.go:153] pkg/mod/k8s.io/client-go@v0.17.3/tools/cache/reflector.go:105: Failed to list *v1alpha1.Middleware: middlewares.traefik.containo.us is forbidden: User "system:serviceaccount:kube-system:traefik-ingress-controller" cannot list resource "middlewares" in API group "traefik.containo.us" at the cluster scope
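
The `forbidden` entries in the log above each name a service account, a verb, a resource and an API group. The following is an added example, not part of the original post: it groups such denials into ClusterRole-style rules so they can be compared with the RBAC objects actually bound to the account. The function names and the shortened sample lines are assumptions made for the example.

```python
import json
import re
from collections import defaultdict

# Sample lines in the format of the log above (constructed: source path shortened).
SAMPLE_LOG = '''\
E1019 11:15:04.610288 1 reflector.go:153] Failed to list *v1.Endpoints: endpoints is forbidden: User "system:serviceaccount:kube-system:traefik-ingress-controller" cannot list resource "endpoints" in API group "" at the cluster scope
E1019 11:15:04.610542 1 reflector.go:153] Failed to list *v1.Service: services is forbidden: User "system:serviceaccount:kube-system:traefik-ingress-controller" cannot list resource "services" in API group "" at the cluster scope
E1019 11:15:04.610902 1 reflector.go:153] Failed to list *v1beta1.Ingress: ingresses.extensions is forbidden: User "system:serviceaccount:kube-system:traefik-ingress-controller" cannot list resource "ingresses" in API group "extensions" at the cluster scope
E1019 11:15:04.861684 1 reflector.go:153] Failed to list *v1alpha1.IngressRoute: ingressroutes.traefik.containo.us is forbidden: User "system:serviceaccount:kube-system:traefik-ingress-controller" cannot list resource "ingressroutes" in API group "traefik.containo.us" at the cluster scope
E1019 11:15:05.300000 1 reflector.go:153] Failed to list *v1alpha1.IngressRouteUDP: the server could not find the requested resource
'''

# Matches the RBAC denial text the API server returns for a service account.
DENIED = re.compile(
    r'User "system:serviceaccount:(?P<ns>[^:"]+):(?P<sa>[^"]+)" '
    r'cannot (?P<verb>\w+) resource "(?P<resource>[^"]+)" '
    r'in API group "(?P<group>[^"]*)" at the cluster scope'
)

def denied_rules(log_text):
    """Return {(namespace, serviceaccount): [rule, ...]} built from denial lines."""
    grouped = defaultdict(lambda: defaultdict(set))
    for line in log_text.splitlines():
        m = DENIED.search(line)
        if m:  # lines that are not RBAC denials (e.g. missing CRDs) are skipped
            grouped[(m["ns"], m["sa"])][(m["group"], m["verb"])].add(m["resource"])
    return {
        subject: [
            {"apiGroups": [group], "resources": sorted(res), "verbs": [verb]}
            for (group, verb), res in sorted(by_rule.items())
        ]
        for subject, by_rule in grouped.items()
    }

def render_rules(rules):
    """Format rules as the `rules:` section of a ClusterRole manifest."""
    lines = ["rules:"]
    for rule in rules:
        lines.append("  - apiGroups: " + json.dumps(rule["apiGroups"]))
        lines.append("    resources: " + json.dumps(rule["resources"]))
        lines.append("    verbs: " + json.dumps(rule["verbs"]))
    return "\n".join(lines)

if __name__ == "__main__":
    for (ns, sa), rules in denied_rules(SAMPLE_LOG).items():
        print(f"# denied to ServiceAccount {ns}/{sa}")
        print(render_rules(rules))
```

The rules contain only the verbs that appear in the denials; they are a checklist to compare against the ClusterRole and ClusterRoleBinding the service account actually has, not a complete role.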
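【Comments】:
- Which version of Kubernetes are you using? Are you using a bare-metal installation or some cloud provider? Could you please provide your logs?
- I am installing k3s v1.22.2 on a bare-metal Raspberry Pi cluster. I have just updated the post to include some logs from traefik
- I have solved this by replacing traefik with nginx ingress. I don't know what caused the problem.
Tags: kubernetes traefik k3s cert-manager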