tcproute does not work across namespaces
Closed this issue · 3 comments
shensl commented
### Welcome!
- Yes, I've searched similar issues on GitHub and didn't find any.
- Yes, I've searched similar issues on the Traefik community forum and didn't find any.
### What version of the Traefik's Helm Chart are you using?
30.0.2
### What version of Traefik are you using?
v3.1.0
### What did you do?
I installed the experimental channel Gateway API in my cluster and then deployed the application using the following YAML file, but the TCPRoute does not work across namespaces; it only works within the same namespace.
```yaml
---
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: nginx-tcp-6600
  name: nginx-tcp-6600
  namespace: traefik
spec:
  replicas: 1
  selector:
    matchLabels:
      app: nginx-tcp-6600
  template:
    metadata:
      labels:
        app: nginx-tcp-6600
    spec:
      containers:
      - image: nginx:1.20.0
        name: nginx
        lifecycle:
          postStart:
            exec:
              command: ["/bin/bash", "-c", "echo 'nginx-tcp-6600' > /usr/share/nginx/html/index.html"]
---
apiVersion: v1
kind: Service
metadata:
  name: nginx-tcp-6600
  namespace: traefik
spec:
  ports:
  - port: 6600
    targetPort: 80
  selector:
    app: nginx-tcp-6600
  type: ClusterIP
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: traefik-gateway-role
rules:
- apiGroups:
  - ""
  resources:
  - namespaces
  verbs:
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - services
  - secrets
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - discovery.k8s.io
  resources:
  - endpointslices
  verbs:
  - list
  - watch
- apiGroups:
  - gateway.networking.k8s.io
  resources:
  - gatewayclasses
  - gateways
  - httproutes
  - referencegrants
  - tcproutes
  - tlsroutes
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - gateway.networking.k8s.io
  resources:
  - gatewayclasses/status
  - gateways/status
  - httproutes/status
  - tcproutes/status
  - tlsroutes/status
  verbs:
  - update
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: traefik-gateway-controller
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: traefik-gateway-role
subjects:
- kind: ServiceAccount
  name: traefik-controller
  namespace: traefik
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: traefik-controller
  namespace: traefik
automountServiceAccountToken: false
---
apiVersion: v1
kind: Service
metadata:
  name: tk-tcp-1
  namespace: traefik
  labels:
    app.kubernetes.io/name: tk-tcp-1
spec:
  type: ClusterIP
  selector:
    app.kubernetes.io/name: tk-tcp-1
  ports:
  - name: tcp-16000
    port: 16000
    protocol: TCP
    targetPort: tcp-16000
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: tk-tcp-1
  namespace: traefik
  labels:
    app.kubernetes.io/name: tk-tcp-1
spec:
  replicas: 1
  selector:
    matchLabels:
      app.kubernetes.io/name: tk-tcp-1
  strategy:
    rollingUpdate:
      maxSurge: 1
      maxUnavailable: 0
    type: RollingUpdate
  minReadySeconds: 0
  template:
    metadata:
      annotations:
        prometheus.io/scrape: "true"
        prometheus.io/path: "/metrics"
        prometheus.io/port: "9100"
      labels:
        app.kubernetes.io/name: tk-tcp-1
    spec:
      serviceAccountName: traefik-controller
      automountServiceAccountToken: true
      terminationGracePeriodSeconds: 60
      hostNetwork: false
      containers:
      - image: docker.io/traefik:v3.1.0
        imagePullPolicy: IfNotPresent
        name: traefik
        resources:
        readinessProbe:
          httpGet:
            path: /ping
            port: 9000
            scheme: HTTP
          failureThreshold: 1
          initialDelaySeconds: 2
          periodSeconds: 10
          successThreshold: 1
          timeoutSeconds: 2
        livenessProbe:
          httpGet:
            path: /ping
            port: 9000
            scheme: HTTP
          failureThreshold: 3
          initialDelaySeconds: 2
          periodSeconds: 10
          successThreshold: 1
          timeoutSeconds: 2
        lifecycle:
        ports:
        - name: "metrics"
          containerPort: 9100
          protocol: "TCP"
        - name: "traefik"
          containerPort: 9000
          protocol: "TCP"
        - name: tcp-16000
          containerPort: 16000
          protocol: TCP
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            drop:
            - ALL
          readOnlyRootFilesystem: true
        volumeMounts:
        - name: data
          mountPath: /data
        - name: tmp
          mountPath: /tmp
        args:
        - "--global.checknewversion"
        - "--global.sendanonymoususage"
        - "--entryPoints.metrics.address=:9100/tcp"
        - "--entryPoints.traefik.address=:9000/tcp"
        - "--entryPoints.tcp-16000.address=:16000/tcp"
        - "--ping=true"
        - "--metrics.prometheus=true"
        - "--metrics.prometheus.entrypoint=metrics"
        - "--providers.kubernetesgateway=true"
        - "--providers.kubernetesgateway.experimentalchannel=true"
        - "--log.level=DEBUG"
        env:
        - name: POD_NAME
          valueFrom:
            fieldRef:
              fieldPath: metadata.name
        - name: POD_NAMESPACE
          valueFrom:
            fieldRef:
              fieldPath: metadata.namespace
      volumes:
      - name: data
        emptyDir: {}
      - name: tmp
        emptyDir: {}
      securityContext:
        runAsGroup: 65532
        runAsNonRoot: true
        runAsUser: 65532
---
apiVersion: gateway.networking.k8s.io/v1
kind: GatewayClass
metadata:
  name: traefik
spec:
  controllerName: traefik.io/gateway-controller
---
apiVersion: gateway.networking.k8s.io/v1beta1
kind: Gateway
metadata:
  name: tk-tcp-1
  namespace: traefik
spec:
  gatewayClassName: traefik
  listeners:
  - name: tcp-16000
    port: 16000
    protocol: TCP
    allowedRoutes:
      kinds:
      - kind: TCPRoute
      namespaces:
        from: All
---
apiVersion: gateway.networking.k8s.io/v1alpha2
kind: TCPRoute
metadata:
  name: tk-tcp-1
  namespace: traefik
spec:
  parentRefs:
  - group: gateway.networking.k8s.io
    kind: Gateway
    name: tk-tcp-1
    sectionName: tcp-16000
  rules:
  - backendRefs:
    - kind: Service
      namespace: traefik
      name: nginx-tcp-6600
      port: 6600
---
apiVersion: gateway.networking.k8s.io/v1beta1
kind: ReferenceGrant
metadata:
  name: allow-default-tcproute
  namespace: default
spec:
  from:
  - group: gateway.networking.k8s.io
    kind: TCPRoute
    namespace: traefik
  to:
  - group: ""
    kind: Service
```
### What did you see instead?
```yaml
apiVersion: gateway.networking.k8s.io/v1alpha2
kind: TCPRoute
metadata:
  annotations:
    kubectl.kubernetes.io/last-applied-configuration: |
      {"apiVersion":"gateway.networking.k8s.io/v1alpha2","kind":"TCPRoute","metadata":{"annotations":{},"name":"tk-tcp-1","namespace":"traefik"},"spec":{"parentRefs":[{"group":"gateway.networking.k8s.io","kind":"Gateway","name":"tk-tcp-1","sectionName":"tcp-16000"}],"rules":[{"backendRefs":[{"kind":"Service","name":"nginx-tcp-6600","namespace":"default","port":6600}]}]}}
  creationTimestamp: "2024-08-12T06:11:09Z"
  generation: 1
  name: tk-tcp-1
  namespace: traefik
  resourceVersion: "103900384"
  uid: f7481263-1ead-46de-aae8-510a3729d011
spec:
  parentRefs:
  - group: gateway.networking.k8s.io
    kind: Gateway
    name: tk-tcp-1
    sectionName: tcp-16000
  rules:
  - backendRefs:
    - group: ""
      kind: Service
      name: nginx-tcp-6600
      namespace: default
      port: 6600
      weight: 1
status:
  parents:
  - conditions:
    - lastTransitionTime: "2024-08-12T16:21:10Z"
      message: ""
      observedGeneration: 1
      reason: Accepted
      status: "True"
      type: Accepted
    - lastTransitionTime: "2024-08-12T16:21:10Z"
      message: 'Cannot load TCPRoute service traefik/tk-tcp-1: service not found'
      observedGeneration: 1
      reason: BackendNotFound
      status: "False"
      type: ResolvedRefs
    controllerName: traefik.io/gateway-controller
    parentRef:
      group: gateway.networking.k8s.io
      kind: Gateway
      name: tk-tcp-1
      sectionName: tcp-16000
```
### What is your environment & configuration?
My Kubernetes version is v1.26.9.
### Additional Information
The HTTPRoute works correctly across namespaces.
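
The ReferenceGrant and the cross-namespace backendRef from this report, evaluated against the Gateway API matching rule: a grant lives in the backend's namespace, its `from` entry must match the route's group, kind and namespace, and its `to` entry must match the backend's group and kind. This is an added example, not code from the issue or from Traefik; the function names are hypothetical and the `other` namespace entry is constructed.

```python
# Added example (hypothetical names); the "other" namespace entry is constructed.
def backend_refs(route):
    """Yield (namespace, group, kind, name) for every backendRef of a route."""
    route_ns = route["metadata"]["namespace"]
    for rule in route["spec"].get("rules", []):
        for ref in rule.get("backendRefs", []):
            yield (ref.get("namespace", route_ns), ref.get("group", ""),
                   ref.get("kind", "Service"), ref["name"])

def grant_allows(grant, src, dst):
    """src = (group, kind, namespace) of the route; dst = (namespace, group, kind, name)."""
    to_ns, group, kind, name = dst
    if grant["metadata"]["namespace"] != to_ns:  # a grant only covers its own namespace
        return False
    from_ok = any((f["group"], f["kind"], f["namespace"]) == src
                  for f in grant["spec"]["from"])
    # "name" is optional in a "to" entry; when absent, every object of that kind matches
    to_ok = any(t["group"] == group and t["kind"] == kind and t.get("name", name) == name
                for t in grant["spec"]["to"])
    return from_ok and to_ok

def audit(route, grants):
    """Map each backendRef (namespace, name) to a verdict string."""
    route_ns = route["metadata"]["namespace"]
    src = (route["apiVersion"].split("/")[0], route["kind"], route_ns)
    verdicts = {}
    for dst in backend_refs(route):
        if dst[0] == route_ns:
            verdict = "same-namespace"      # no grant needed
        elif any(grant_allows(g, src, dst) for g in grants):
            verdict = "granted"
        else:
            verdict = "RefNotPermitted"     # Gateway API reason for an ungranted reference
        verdicts[(dst[0], dst[3])] = verdict
    return verdicts

ROUTE = {"apiVersion": "gateway.networking.k8s.io/v1alpha2", "kind": "TCPRoute",
         "metadata": {"name": "tk-tcp-1", "namespace": "traefik"},
         "spec": {"rules": [{"backendRefs": [
             {"kind": "Service", "namespace": "default", "name": "nginx-tcp-6600", "port": 6600},
             {"kind": "Service", "namespace": "other", "name": "nginx-tcp-6600", "port": 6600}]}]}}
GRANT = {"kind": "ReferenceGrant",
         "metadata": {"name": "allow-default-tcproute", "namespace": "default"},
         "spec": {"from": [{"group": "gateway.networking.k8s.io", "kind": "TCPRoute",
                            "namespace": "traefik"}],
                  "to": [{"group": "", "kind": "Service"}]}}

if __name__ == "__main__":
    print(audit(ROUTE, [GRANT]))
```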
mloiseleur commented
I have multiple questions:
- Would you please share your values file?
- Did you test with the latest version, Traefik Proxy v3.1.2?
Note: If this issue is confirmed, you'll need to submit it upstream. They will need a simple and reproducible use case.
shensl commented
Yes, maybe it's an upstream problem. I have submitted this feedback:
traefik/traefik#11000
mloiseleur commented
Since there is no known issue with the Chart on this, I close this issue.
Feel free to re-open if needed.