Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Failed to list *v1beta1.Ingress: ingresses.networking.k8s.io is forbidden #4296

Closed
xavierzhao opened this issue Jul 9, 2019 · 3 comments

Comments

@xavierzhao
Copy link

commented Jul 9, 2019

NGINX Ingress controller version:

0.25.0

Kubernetes version (use kubectl version):

v1.14.2

Environment:

  • Cloud provider or hardware configuration:
  • OS (e.g. from /etc/os-release): CentOS 7.6
  • Kernel (e.g. uname -a): 3.10.0-957.12.2.el7.x86_64
  • Install tools:
  • Others:

What happened:

Readiness probe failed: HTTP probe failed with statuscode: 500
Back-off restarting failed container

How to reproduce it (as minimally and precisely as possible):

cd to ingress-nginx-nginx-0.25.0/deploy/static
and kubectl apply -f mandatory.yaml
Anything else we need to know:

Modified mandatory.yaml:

apiVersion: v1
kind: Namespace
metadata:
  name: ingress-nginx
  labels:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx

---

kind: ConfigMap
apiVersion: v1
metadata:
  name: nginx-configuration
  namespace: ingress-nginx
  labels:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx

---
kind: ConfigMap
apiVersion: v1
metadata:
  name: tcp-services
  namespace: ingress-nginx
  labels:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx

---
kind: ConfigMap
apiVersion: v1
metadata:
  name: udp-services
  namespace: ingress-nginx
  labels:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx

---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: nginx-ingress-serviceaccount
  namespace: ingress-nginx
  labels:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx

---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
  name: nginx-ingress-clusterrole
  labels:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
rules:
  - apiGroups:
      - ""
    resources:
      - configmaps
      - endpoints
      - nodes
      - pods
      - secrets
    verbs:
      - list
      - watch
  - apiGroups:
      - ""
    resources:
      - nodes
    verbs:
      - get
  - apiGroups:
      - ""
    resources:
      - services
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - "extensions"
    resources:
      - ingresses
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - ""
    resources:
      - events
    verbs:
      - create
      - patch
  - apiGroups:
      - "extensions"
    resources:
      - ingresses/status
    verbs:
      - update

---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: Role
metadata:
  name: nginx-ingress-role
  namespace: ingress-nginx
  labels:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
rules:
  - apiGroups:
      - ""
    resources:
      - configmaps
      - pods
      - secrets
      - namespaces
    verbs:
      - get
  - apiGroups:
      - ""
    resources:
      - configmaps
    resourceNames:
      # Defaults to "<election-id>-<ingress-class>"
      # Here: "<ingress-controller-leader>-<nginx>"
      # This has to be adapted if you change either parameter
      # when launching the nginx-ingress-controller.
      - "ingress-controller-leader-nginx"
    verbs:
      - get
      - update
  - apiGroups:
      - ""
    resources:
      - configmaps
    verbs:
      - create
  - apiGroups:
      - ""
    resources:
      - endpoints
    verbs:
      - get

---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: RoleBinding
metadata:
  name: nginx-ingress-role-nisa-binding
  namespace: ingress-nginx
  labels:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: nginx-ingress-role
subjects:
  - kind: ServiceAccount
    name: nginx-ingress-serviceaccount
    namespace: ingress-nginx

---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
  name: nginx-ingress-clusterrole-nisa-binding
  labels:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: nginx-ingress-clusterrole
subjects:
  - kind: ServiceAccount
    name: nginx-ingress-serviceaccount
    namespace: ingress-nginx

---

apiVersion: apps/v1
#kind: Deployment
kind: DaemonSet
metadata:
  name: nginx-ingress-controller
  namespace: ingress-nginx
  labels:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
spec:
  #replicas: 1
  selector:
    matchLabels:
      app.kubernetes.io/name: ingress-nginx
      app.kubernetes.io/part-of: ingress-nginx
  template:
    metadata:
      labels:
        app.kubernetes.io/name: ingress-nginx
        app.kubernetes.io/part-of: ingress-nginx
      annotations:
        prometheus.io/port: "10254"
        prometheus.io/scrape: "true"
    spec:
      serviceAccountName: nginx-ingress-serviceaccount
      hostNetwork: true #add
      nodeSelector: #add                                                                                                                                     
        custom/ingress-controller-ready: "true" 
      containers:
        - name: nginx-ingress-controller
          #image: quay.io/kubernetes-ingress-controller/nginx-ingress-controller:0.25.0
          image: registry.cn-hangzhou.aliyuncs.com/google_containers/nginx-ingress-controller:0.25.0
          args:
            - /nginx-ingress-controller
            - --configmap=$(POD_NAMESPACE)/nginx-configuration
            - --tcp-services-configmap=$(POD_NAMESPACE)/tcp-services
            - --udp-services-configmap=$(POD_NAMESPACE)/udp-services
            - --publish-service=$(POD_NAMESPACE)/ingress-nginx
            - --annotations-prefix=nginx.ingress.kubernetes.io
          securityContext:
            allowPrivilegeEscalation: true
            capabilities:
              drop:
                - ALL
              add:
                - NET_BIND_SERVICE
            # www-data -> 33
            runAsUser: 33
          env:
            - name: POD_NAME
              valueFrom:
                fieldRef:
                  fieldPath: metadata.name
            - name: POD_NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
          ports:
            - name: http
              containerPort: 80
            - name: https
              containerPort: 443
          livenessProbe:
            failureThreshold: 3
            httpGet:
              path: /healthz
              port: 10254
              scheme: HTTP
            initialDelaySeconds: 10
            periodSeconds: 10
            successThreshold: 1
            timeoutSeconds: 10
          readinessProbe:
            failureThreshold: 3
            httpGet:
              path: /healthz
              port: 10254
              scheme: HTTP
            periodSeconds: 10
            successThreshold: 1
            timeoutSeconds: 10
---

Error Log:

-------------------------------------------------------------------------------
NGINX Ingress controller
  Release:    0.25.0
  Build:      git-1387f7b7e
  Repository: https://github.com/kubernetes/ingress-nginx
-------------------------------------------------------------------------------

W0709 09:13:42.313489       6 flags.go:221] SSL certificate chain completion is disabled (--enable-ssl-chain-completion=false)
nginx version: openresty/1.15.8.1
W0709 09:13:42.318711       6 client_config.go:541] Neither --kubeconfig nor --master was specified.  Using the inClusterConfig.  This might not work.
I0709 09:13:42.319018       6 main.go:183] Creating API client for https://10.96.0.1:443
I0709 09:13:42.333424       6 main.go:227] Running in Kubernetes cluster version v1.14 (v1.14.2) - git (clean) commit 66049e3b21efe110454d67df4fa62b08ea79a19b - platform linux/amd64
I0709 09:13:43.050920       6 main.go:102] Created fake certificate with PemFileName: /etc/ingress-controller/ssl/default-fake-certificate.pem
E0709 09:13:43.052946       6 main.go:131] v1.14.2
I0709 09:13:43.099802       6 nginx.go:275] Starting NGINX Ingress controller
I0709 09:13:43.113271       6 event.go:258] Event(v1.ObjectReference{Kind:"ConfigMap", Namespace:"ingress-nginx", Name:"nginx-configuration", UID:"7e1ea72b-a214-11e9-9859-60a44ca6ca1b", APIVersion:"v1", ResourceVersion:"1718490", FieldPath:""}): type: 'Normal' reason: 'CREATE' ConfigMap ingress-nginx/nginx-configuration
I0709 09:13:43.119860       6 event.go:258] Event(v1.ObjectReference{Kind:"ConfigMap", Namespace:"ingress-nginx", Name:"tcp-services", UID:"7e246e26-a214-11e9-9859-60a44ca6ca1b", APIVersion:"v1", ResourceVersion:"1718491", FieldPath:""}): type: 'Normal' reason: 'CREATE' ConfigMap ingress-nginx/tcp-services
I0709 09:13:43.120176       6 event.go:258] Event(v1.ObjectReference{Kind:"ConfigMap", Namespace:"ingress-nginx", Name:"udp-services", UID:"7e26a526-a214-11e9-9859-60a44ca6ca1b", APIVersion:"v1", ResourceVersion:"1718492", FieldPath:""}): type: 'Normal' reason: 'CREATE' ConfigMap ingress-nginx/udp-services
E0709 09:13:44.203522       6 reflector.go:125] pkg/mod/k8s.io/client-go@v0.0.0-20190612125919-78d2af7/tools/cache/reflector.go:98: Failed to list *v1beta1.Ingress: ingresses.networking.k8s.io is forbidden: User "system:serviceaccount:ingress-nginx:nginx-ingress-serviceaccount" cannot list resource "ingresses" in API group "networking.k8s.io" at the cluster scope
E0709 09:13:45.206466       6 reflector.go:125] pkg/mod/k8s.io/client-go@v0.0.0-20190612125919-78d2af7/tools/cache/reflector.go:98: Failed to list *v1beta1.Ingress: ingresses.networking.k8s.io is forbidden: User "system:serviceaccount:ingress-nginx:nginx-ingress-serviceaccount" cannot list resource "ingresses" in API group "networking.k8s.io" at the cluster scope
E0709 09:13:46.209163       6 reflector.go:125] pkg/mod/k8s.io/client-go@v0.0.0-20190612125919-78d2af7/tools/cache/reflector.go:98: Failed to list *v1beta1.Ingress: ingresses.networking.k8s.io is forbidden: User "system:serviceaccount:ingress-nginx:nginx-ingress-serviceaccount" cannot list resource "ingresses" in API group "networking.k8s.io" at the cluster scope
E0709 09:13:47.211994       6 reflector.go:125] pkg/mod/k8s.io/client-go@v0.0.0-20190612125919-78d2af7/tools/cache/reflector.go:98: Failed to list *v1beta1.Ingress: ingresses.networking.k8s.io is forbidden: User "system:serviceaccount:ingress-nginx:nginx-ingress-serviceaccount" cannot list resource "ingresses" in API group "networking.k8s.io" at the cluster scope
E0709 09:13:47.821501       6 checker.go:41] healthcheck error: Get http+unix://nginx-status/healthz: dial unix /tmp/nginx-status-server.sock: connect: no such file or directory
E0709 09:13:48.215606       6 reflector.go:125] pkg/mod/k8s.io/client-go@v0.0.0-20190612125919-78d2af7/tools/cache/reflector.go:98: Failed to list *v1beta1.Ingress: ingresses.networking.k8s.io is forbidden: User "system:serviceaccount:ingress-nginx:nginx-ingress-serviceaccount" cannot list resource "ingresses" in API group "networking.k8s.io" at the cluster scope
E0709 09:13:49.218214       6 reflector.go:125] pkg/mod/k8s.io/client-go@v0.0.0-20190612125919-78d2af7/tools/cache/reflector.go:98: Failed to list *v1beta1.Ingress: ingresses.networking.k8s.io is forbidden: User "system:serviceaccount:ingress-nginx:nginx-ingress-serviceaccount" cannot list resource "ingresses" in API group "networking.k8s.io" at the cluster scope
E0709 09:13:50.220153       6 reflector.go:125] pkg/mod/k8s.io/client-go@v0.0.0-20190612125919-78d2af7/tools/cache/reflector.go:98: Failed to list *v1beta1.Ingress: ingresses.networking.k8s.io is forbidden: User "system:serviceaccount:ingress-nginx:nginx-ingress-serviceaccount" cannot list resource "ingresses" in API group "networking.k8s.io" at the cluster scope
E0709 09:13:51.222962       6 reflector.go:125] pkg/mod/k8s.io/client-go@v0.0.0-20190612125919-78d2af7/tools/cache/reflector.go:98: Failed to list *v1beta1.Ingress: ingresses.networking.k8s.io is forbidden: User "system:serviceaccount:ingress-nginx:nginx-ingress-serviceaccount" cannot list resource "ingresses" in API group "networking.k8s.io" at the cluster scope
E0709 09:13:52.225671       6 reflector.go:125] pkg/mod/k8s.io/client-go@v0.0.0-20190612125919-78d2af7/tools/cache/reflector.go:98: Failed to list *v1beta1.Ingress: ingresses.networking.k8s.io is forbidden: User "system:serviceaccount:ingress-nginx:nginx-ingress-serviceaccount" cannot list resource "ingresses" in API group "networking.k8s.io" at the cluster scope
E0709 09:13:53.228686       6 reflector.go:125] pkg/mod/k8s.io/client-go@v0.0.0-20190612125919-78d2af7/tools/cache/reflector.go:98: Failed to list *v1beta1.Ingress: ingresses.networking.k8s.io is forbidden: User "system:serviceaccount:ingress-nginx:nginx-ingress-serviceaccount" cannot list resource "ingresses" in API group "networking.k8s.io" at the cluster scope
E0709 09:13:54.231593       6 reflector.go:125] pkg/mod/k8s.io/client-go@v0.0.0-20190612125919-78d2af7/tools/cache/reflector.go:98: Failed to list *v1beta1.Ingress: ingresses.networking.k8s.io is forbidden: User "system:serviceaccount:ingress-nginx:nginx-ingress-serviceaccount" cannot list resource "ingresses" in API group "networking.k8s.io" at the cluster scope
E0709 09:13:55.234717       6 reflector.go:125] pkg/mod/k8s.io/client-go@v0.0.0-20190612125919-78d2af7/tools/cache/reflector.go:98: Failed to list *v1beta1.Ingress: ingresses.networking.k8s.io is forbidden: User "system:serviceaccount:ingress-nginx:nginx-ingress-serviceaccount" cannot list resource "ingresses" in API group "networking.k8s.io" at the cluster scope
E0709 09:13:56.237473       6 reflector.go:125] pkg/mod/k8s.io/client-go@v0.0.0-20190612125919-78d2af7/tools/cache/reflector.go:98: Failed to list *v1beta1.Ingress: ingresses.networking.k8s.io is forbidden: User "system:serviceaccount:ingress-nginx:nginx-ingress-serviceaccount" cannot list resource "ingresses" in API group "networking.k8s.io" at the cluster scope
E0709 09:13:57.240228       6 reflector.go:125] pkg/mod/k8s.io/client-go@v0.0.0-20190612125919-78d2af7/tools/cache/reflector.go:98: Failed to list *v1beta1.Ingress: ingresses.networking.k8s.io is forbidden: User "system:serviceaccount:ingress-nginx:nginx-ingress-serviceaccount" cannot list resource "ingresses" in API group "networking.k8s.io" at the cluster scope
E0709 09:13:57.821322       6 checker.go:41] healthcheck error: Get http+unix://nginx-status/healthz: dial unix /tmp/nginx-status-server.sock: connect: no such file or directory
E0709 09:13:58.244181       6 reflector.go:125] pkg/mod/k8s.io/client-go@v0.0.0-20190612125919-78d2af7/tools/cache/reflector.go:98: Failed to list *v1beta1.Ingress: ingresses.networking.k8s.io is forbidden: User "system:serviceaccount:ingress-nginx:nginx-ingress-serviceaccount" cannot list resource "ingresses" in API group "networking.k8s.io" at the cluster scope
E0709 09:13:59.247169       6 reflector.go:125] pkg/mod/k8s.io/client-go@v0.0.0-20190612125919-78d2af7/tools/cache/reflector.go:98: Failed to list *v1beta1.Ingress: ingresses.networking.k8s.io is forbidden: User "system:serviceaccount:ingress-nginx:nginx-ingress-serviceaccount" cannot list resource "ingresses" in API group "networking.k8s.io" at the cluster scope
E0709 09:14:00.249974       6 reflector.go:125] pkg/mod/k8s.io/client-go@v0.0.0-20190612125919-78d2af7/tools/cache/reflector.go:98: Failed to list *v1beta1.Ingress: ingresses.networking.k8s.io is forbidden: User "system:serviceaccount:ingress-nginx:nginx-ingress-serviceaccount" cannot list resource "ingresses" in API group "networking.k8s.io" at the cluster scope
E0709 09:14:00.556047       6 checker.go:41] healthcheck error: Get http+unix://nginx-status/healthz: dial unix /tmp/nginx-status-server.sock: connect: no such file or directory
E0709 09:14:01.252797       6 reflector.go:125] pkg/mod/k8s.io/client-go@v0.0.0-20190612125919-78d2af7/tools/cache/reflector.go:98: Failed to list *v1beta1.Ingress: ingresses.networking.k8s.io is forbidden: User "system:serviceaccount:ingress-nginx:nginx-ingress-serviceaccount" cannot list resource "ingresses" in API group "networking.k8s.io" at the cluster scope
E0709 09:14:02.255876       6 reflector.go:125] pkg/mod/k8s.io/client-go@v0.0.0-20190612125919-78d2af7/tools/cache/reflector.go:98: Failed to list *v1beta1.Ingress: ingresses.networking.k8s.io is forbidden: User "system:serviceaccount:ingress-nginx:nginx-ingress-serviceaccount" cannot list resource "ingresses" in API group "networking.k8s.io" at the cluster scope
E0709 09:14:03.258701       6 reflector.go:125] pkg/mod/k8s.io/client-go@v0.0.0-20190612125919-78d2af7/tools/cache/reflector.go:98: Failed to list *v1beta1.Ingress: ingresses.networking.k8s.io is forbidden: User "system:serviceaccount:ingress-nginx:nginx-ingress-serviceaccount" cannot list resource "ingresses" in API group "networking.k8s.io" at the cluster scope
E0709 09:14:04.261580       6 reflector.go:125] pkg/mod/k8s.io/client-go@v0.0.0-20190612125919-78d2af7/tools/cache/reflector.go:98: Failed to list *v1beta1.Ingress: ingresses.networking.k8s.io is forbidden: User "system:serviceaccount:ingress-nginx:nginx-ingress-serviceaccount" cannot list resource "ingresses" in API group "networking.k8s.io" at the cluster scope
E0709 09:14:05.264247       6 reflector.go:125] pkg/mod/k8s.io/client-go@v0.0.0-20190612125919-78d2af7/tools/cache/reflector.go:98: Failed to list *v1beta1.Ingress: ingresses.networking.k8s.io is forbidden: User "system:serviceaccount:ingress-nginx:nginx-ingress-serviceaccount" cannot list resource "ingresses" in API group "networking.k8s.io" at the cluster scope
E0709 09:14:06.267071       6 reflector.go:125] pkg/mod/k8s.io/client-go@v0.0.0-20190612125919-78d2af7/tools/cache/reflector.go:98: Failed to list *v1beta1.Ingress: ingresses.networking.k8s.io is forbidden: User "system:serviceaccount:ingress-nginx:nginx-ingress-serviceaccount" cannot list resource "ingresses" in API group "networking.k8s.io" at the cluster scope
E0709 09:14:07.269943       6 reflector.go:125] pkg/mod/k8s.io/client-go@v0.0.0-20190612125919-78d2af7/tools/cache/reflector.go:98: Failed to list *v1beta1.Ingress: ingresses.networking.k8s.io is forbidden: User "system:serviceaccount:ingress-nginx:nginx-ingress-serviceaccount" cannot list resource "ingresses" in API group "networking.k8s.io" at the cluster scope
E0709 09:14:07.821342       6 checker.go:41] healthcheck error: Get http+unix://nginx-status/healthz: dial unix /tmp/nginx-status-server.sock: connect: no such file or directory
E0709 09:14:08.273841       6 reflector.go:125] pkg/mod/k8s.io/client-go@v0.0.0-20190612125919-78d2af7/tools/cache/reflector.go:98: Failed to list *v1beta1.Ingress: ingresses.networking.k8s.io is forbidden: User "system:serviceaccount:ingress-nginx:nginx-ingress-serviceaccount" cannot list resource "ingresses" in API group "networking.k8s.io" at the cluster scope
E0709 09:14:09.276100       6 reflector.go:125] pkg/mod/k8s.io/client-go@v0.0.0-20190612125919-78d2af7/tools/cache/reflector.go:98: Failed to list *v1beta1.Ingress: ingresses.networking.k8s.io is forbidden: User "system:serviceaccount:ingress-nginx:nginx-ingress-serviceaccount" cannot list resource "ingresses" in API group "networking.k8s.io" at the cluster scope
E0709 09:14:10.279044       6 reflector.go:125] pkg/mod/k8s.io/client-go@v0.0.0-20190612125919-78d2af7/tools/cache/reflector.go:98: Failed to list *v1beta1.Ingress: ingresses.networking.k8s.io is forbidden: User "system:serviceaccount:ingress-nginx:nginx-ingress-serviceaccount" cannot list resource "ingresses" in API group "networking.k8s.io" at the cluster scope
E0709 09:14:10.556160       6 checker.go:41] healthcheck error: Get http+unix://nginx-status/healthz: dial unix /tmp/nginx-status-server.sock: connect: no such file or directory
E0709 09:14:11.281861       6 reflector.go:125] pkg/mod/k8s.io/client-go@v0.0.0-20190612125919-78d2af7/tools/cache/reflector.go:98: Failed to list *v1beta1.Ingress: ingresses.networking.k8s.io is forbidden: User "system:serviceaccount:ingress-nginx:nginx-ingress-serviceaccount" cannot list resource "ingresses" in API group "networking.k8s.io" at the cluster scope
E0709 09:14:12.284752       6 reflector.go:125] pkg/mod/k8s.io/client-go@v0.0.0-20190612125919-78d2af7/tools/cache/reflector.go:98: Failed to list *v1beta1.Ingress: ingresses.networking.k8s.io is forbidden: User "system:serviceaccount:ingress-nginx:nginx-ingress-serviceaccount" cannot list resource "ingresses" in API group "networking.k8s.io" at the cluster scope
E0709 09:14:13.287523       6 reflector.go:125] pkg/mod/k8s.io/client-go@v0.0.0-20190612125919-78d2af7/tools/cache/reflector.go:98: Failed to list *v1beta1.Ingress: ingresses.networking.k8s.io is forbidden: User "system:serviceaccount:ingress-nginx:nginx-ingress-serviceaccount" cannot list resource "ingresses" in API group "networking.k8s.io" at the cluster scope
E0709 09:14:14.290334       6 reflector.go:125] pkg/mod/k8s.io/client-go@v0.0.0-20190612125919-78d2af7/tools/cache/reflector.go:98: Failed to list *v1beta1.Ingress: ingresses.networking.k8s.io is forbidden: User "system:serviceaccount:ingress-nginx:nginx-ingress-serviceaccount" cannot list resource "ingresses" in API group "networking.k8s.io" at the cluster scope
E0709 09:14:15.293069       6 reflector.go:125] pkg/mod/k8s.io/client-go@v0.0.0-20190612125919-78d2af7/tools/cache/reflector.go:98: Failed to list *v1beta1.Ingress: ingresses.networking.k8s.io is forbidden: User "system:serviceaccount:ingress-nginx:nginx-ingress-serviceaccount" cannot list resource "ingresses" in API group "networking.k8s.io" at the cluster scope
E0709 09:14:16.295840       6 reflector.go:125] pkg/mod/k8s.io/client-go@v0.0.0-20190612125919-78d2af7/tools/cache/reflector.go:98: Failed to list *v1beta1.Ingress: ingresses.networking.k8s.io is forbidden: User "system:serviceaccount:ingress-nginx:nginx-ingress-serviceaccount" cannot list resource "ingresses" in API group "networking.k8s.io" at the cluster scope
E0709 09:14:17.297692       6 reflector.go:125] pkg/mod/k8s.io/client-go@v0.0.0-20190612125919-78d2af7/tools/cache/reflector.go:98: Failed to list *v1beta1.Ingress: ingresses.networking.k8s.io is forbidden: User "system:serviceaccount:ingress-nginx:nginx-ingress-serviceaccount" cannot list resource "ingresses" in API group "networking.k8s.io" at the cluster scope
E0709 09:14:17.821723       6 checker.go:41] healthcheck error: Get http+unix://nginx-status/healthz: dial unix /tmp/nginx-status-server.sock: connect: no such file or directory
E0709 09:14:18.301655       6 reflector.go:125] pkg/mod/k8s.io/client-go@v0.0.0-20190612125919-78d2af7/tools/cache/reflector.go:98: Failed to list *v1beta1.Ingress: ingresses.networking.k8s.io is forbidden: User "system:serviceaccount:ingress-nginx:nginx-ingress-serviceaccount" cannot list resource "ingresses" in API group "networking.k8s.io" at the cluster scope
E0709 09:14:19.304050       6 reflector.go:125] pkg/mod/k8s.io/client-go@v0.0.0-20190612125919-78d2af7/tools/cache/reflector.go:98: Failed to list *v1beta1.Ingress: ingresses.networking.k8s.io is forbidden: User "system:serviceaccount:ingress-nginx:nginx-ingress-serviceaccount" cannot list resource "ingresses" in API group "networking.k8s.io" at the cluster scope
E0709 09:14:20.307105       6 reflector.go:125] pkg/mod/k8s.io/client-go@v0.0.0-20190612125919-78d2af7/tools/cache/reflector.go:98: Failed to list *v1beta1.Ingress: ingresses.networking.k8s.io is forbidden: User "system:serviceaccount:ingress-nginx:nginx-ingress-serviceaccount" cannot list resource "ingresses" in API group "networking.k8s.io" at the cluster scope
E0709 09:14:20.556518       6 checker.go:41] healthcheck error: Get http+unix://nginx-status/healthz: dial unix /tmp/nginx-status-server.sock: connect: no such file or directory
I0709 09:14:20.636166       6 main.go:154] Received SIGTERM, shutting down
I0709 09:14:20.636226       6 nginx.go:402] Shutting down controller queues
I0709 09:14:20.636265       6 status.go:117] updating status of Ingress rules (remove)
E0709 09:14:20.636343       6 store.go:183] Timed out waiting for caches to sync
I0709 09:14:20.636470       6 nginx.go:319] Starting NGINX process
I0709 09:14:20.636608       6 leaderelection.go:235] attempting to acquire leader lease  ingress-nginx/ingress-controller-leader-nginx...
E0709 09:14:20.636843       6 queue.go:78] queue has been shutdown, failed to enqueue: &ObjectMeta{Name:initial-sync,GenerateName:,Namespace:,SelfLink:,UID:,ResourceVersion:,Generation:0,CreationTimestamp:0001-01-01 00:00:00 +0000 UTC,DeletionTimestamp:<nil>,DeletionGracePeriodSeconds:nil,Labels:map[string]string{},Annotations:map[string]string{},OwnerReferences:[],Finalizers:[],ClusterName:,Initializers:nil,ManagedFields:[],}
E0709 09:14:20.639448       6 status.go:121] error obtaining running IPs: []
I0709 09:14:20.639474       6 nginx.go:418] Stopping NGINX process
I0709 09:14:20.645468       6 leaderelection.go:245] successfully acquired lease ingress-nginx/ingress-controller-leader-nginx
I0709 09:14:20.645546       6 status.go:86] new leader elected: nginx-ingress-controller-45qh8
E0709 09:14:20.645660       6 queue.go:78] queue has been shutdown, failed to enqueue: &ObjectMeta{Name:sync status,GenerateName:,Namespace:,SelfLink:,UID:,ResourceVersion:,Generation:0,CreationTimestamp:0001-01-01 00:00:00 +0000 UTC,DeletionTimestamp:<nil>,DeletionGracePeriodSeconds:nil,Labels:map[string]string{},Annotations:map[string]string{},OwnerReferences:[],Finalizers:[],ClusterName:,Initializers:nil,ManagedFields:[],}
2019/07/09 09:14:20 [notice] 42#42: signal process started
2019/07/09 09:14:20 [error] 42#42: open() "/tmp/nginx.pid" failed (2: No such file or directory)
nginx: [error] open() "/tmp/nginx.pid" failed (2: No such file or directory)
I0709 09:14:20.647889       6 main.go:158] Error during shutdown: exit status 1
I0709 09:14:20.647924       6 main.go:162] Handled quit, awaiting Pod deletion
E0709 09:14:27.820918       6 checker.go:41] healthcheck error: Get http+unix://nginx-status/healthz: dial unix /tmp/nginx-status-server.sock: connect: no such file or directory
I0709 09:14:30.648046       6 main.go:165] Exiting with 1

@cite

This comment has been minimized.

Copy link

commented Jul 9, 2019

Can you try with this patch applied to your ClusterRole definition nginx-ingress-clusterrole:

@@ -157,7 +160,7 @@ rules:
       - list
       - watch
   - apiGroups:
-      - "extensions"
+      - "networking.k8s.io"
     resources:
       - ingresses
     verbs:
@kevupton

This comment has been minimized.

Copy link

commented Jul 9, 2019

@cite can confirm that this works

@xavierzhao

This comment has been minimized.

Copy link
Author

commented Jul 9, 2019

@cite Thanks, it works. but the service ingress-nginx always is pending when I apply cloud-generic.yaml

kubectl -n ingress-nginx get all

NAME                                 READY   STATUS    RESTARTS   AGE                                                                                        
pod/nginx-ingress-controller-ggqb6   1/1     Running   0          18m                                                                                        
pod/nginx-ingress-controller-trfwp   1/1     Running   0          10m                                                                                        
                                                                                                                                                             
NAME                    TYPE           CLUSTER-IP     EXTERNAL-IP   PORT(S)                      AGE                                                         
service/ingress-nginx   LoadBalancer   10.102.28.44   <pending>     80:31079/TCP,443:32596/TCP   17m                                                         
                                                                                                                                                             
NAME                                      DESIRED   CURRENT   READY   UP-TO-DATE   AVAILABLE   NODE SELECTOR                          AGE                    
daemonset.apps/nginx-ingress-controller   2         2         2       2            2           custom/ingress-controller-ready=true   18m

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
3 participants
You can’t perform that action at this time.