Good Day, Friends!
After upgrading my Traefik installation to v3, all ingresses were broken and cluster services were not available. Traefik started to serve default certificates and every page was a 404.
```yaml
apiVersion: helm.cattle.io/v1
kind: HelmChartConfig
metadata:
  name: traefik
  namespace: kube-system
spec:
  valuesContent: |-
    image:
      repository: rancher/mirrored-library-traefik
      tag: 3.3.3
```
These errors appeared in the Traefik logs:

```
W0211 11:14:18.951161 1 reflector.go:561] k8s.io/client-go@v0.31.1/tools/cache/reflector.go:243: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User "system:serviceaccount:kube-system:traefik" cannot list resource "endpointslices" in API group "discovery.k8s.io" at the cluster scope
E0211 11:14:18.951285 1 reflector.go:158] "Unhandled Error" err="k8s.io/client-go@v0.31.1/tools/cache/reflector.go:243: Failed to watch *v1.EndpointSlice: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User \"system:serviceaccount:kube-system:traefik\" cannot list resource \"endpointslices\" in API group \"discovery.k8s.io\" at the cluster scope" logger="UnhandledError"
W0211 11:14:20.490855 1 reflector.go:561] k8s.io/client-go@v0.31.1/tools/cache/reflector.go:243: failed to list *v1.Node: nodes is forbidden: User "system:serviceaccount:kube-system:traefik" cannot list resource "nodes" in API group "" at the cluster scope
E0211 11:14:20.491037 1 reflector.go:158] "Unhandled Error" err="k8s.io/client-go@v0.31.1/tools/cache/reflector.go:243: Failed to watch *v1.Node: failed to list *v1.Node: nodes is forbidden: User \"system:serviceaccount:kube-system:traefik\" cannot list resource \"nodes\" in API group \"\" at the cluster scope" logger="UnhandledError"
```
I could fix it by adding the desired definitions into the ClusterRole of Traefik:

```bash
# Export the ClusterRole that the Traefik chart created
kubectl get clusterrole traefik-kube-system -o yaml > traefik-clusterrole.yaml
# Insert the missing API group and resources (line numbers refer to the exported file)
sed -i '21i\ - discovery.k8s.io' traefik-clusterrole.yaml
sed -i '25i\ - endpointslices' traefik-clusterrole.yaml
sed -i '35i\ - nodes' traefik-clusterrole.yaml
# Delete the Traefik pod so that it is recreated
traefik_pod=$(kubectl get pod -n kube-system | grep "^traefik" | awk '{print $1}')
kubectl delete pod -n kube-system $traefik_pod
```
The problem is, I have to do the fix every time I do `kubectl apply -f traefik-values.yaml`.
I found nothing in the default values regarding this:
K3S version

```
k3s version v1.31.4-rc1+k3s1 (a562d090)
go version go1.22.9
```
Best Regards
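
The denials quoted in the post name exactly which access the `traefik` service account lacks, so the missing grant can be derived from the log instead of being edited in by line number. The following is an added example, not part of the original post or of the Traefik or K3s projects: it parses such lines and renders a separate least-privilege ClusterRole and ClusterRoleBinding. The object name `traefik-v3-extra` is a hypothetical choice, and `watch` is added for reflector denials because client-go informers list and then watch.

```python
import re
from collections import defaultdict

# Two denial lines copied from the Traefik log in the post (plain and escaped-quote form).
SAMPLE_LOG = r'''
W0211 11:14:18.951161 1 reflector.go:561] k8s.io/client-go@v0.31.1/tools/cache/reflector.go:243: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User "system:serviceaccount:kube-system:traefik" cannot list resource "endpointslices" in API group "discovery.k8s.io" at the cluster scope
E0211 11:14:20.491037 1 reflector.go:158] "Unhandled Error" err="k8s.io/client-go@v0.31.1/tools/cache/reflector.go:243: Failed to watch *v1.Node: failed to list *v1.Node: nodes is forbidden: User \"system:serviceaccount:kube-system:traefik\" cannot list resource \"nodes\" in API group \"\" at the cluster scope" logger="UnhandledError"
'''

DENIED = re.compile(
    r'User "system:serviceaccount:(?P<ns>[^:"]+):(?P<sa>[^"]+)" cannot (?P<verb>\w+) '
    r'resource "(?P<res>[^"]+)" in API group "(?P<grp>[^"]*)"')

def missing_rules(log_text):
    """Map (namespace, serviceaccount) -> {api_group: {resource: verbs}} from denial lines."""
    found = defaultdict(lambda: defaultdict(lambda: defaultdict(set)))
    for line in log_text.splitlines():
        m = DENIED.search(line.replace('\\"', '"'))  # structured lines escape the quotes
        if not m:
            continue
        verbs = found[(m["ns"], m["sa"])][m["grp"]][m["res"]]
        verbs.add(m["verb"])
        if "reflector.go" in line:  # informers need watch as well as list
            verbs.add("watch")
    return found

def render_manifest(ns, sa, groups, name="traefik-v3-extra"):  # name is hypothetical
    """Render a supplemental ClusterRole and binding granting only the denied access."""
    out = ["apiVersion: rbac.authorization.k8s.io/v1", "kind: ClusterRole",
           "metadata:", f"  name: {name}", "rules:"]
    for grp, resources in sorted(groups.items()):
        for res, verbs in sorted(resources.items()):  # one rule per resource, no verb mixing
            out += [f'  - apiGroups: ["{grp}"]', f'    resources: ["{res}"]',
                    "    verbs: [" + ", ".join(f'"{v}"' for v in sorted(verbs)) + "]"]
    out += ["---", "apiVersion: rbac.authorization.k8s.io/v1", "kind: ClusterRoleBinding",
            "metadata:", f"  name: {name}", "roleRef:",
            "  apiGroup: rbac.authorization.k8s.io", "  kind: ClusterRole", f"  name: {name}",
            "subjects:", "  - kind: ServiceAccount", f"    name: {sa}", f"    namespace: {ns}"]
    return "\n".join(out) + "\n"

if __name__ == "__main__":
    for (ns, sa), groups in missing_rules(SAMPLE_LOG).items():
        print(render_manifest(ns, sa, groups), end="")
```

RBAC grants are additive, so a role bound this way sits beside `traefik-kube-system` rather than inside it; review the rendered rules before applying them, since they give cluster-wide read access to nodes and endpoint slices.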