Fix Permissions Error in Cluster Autoscaler 1.27
jonathanmeier5 opened this issue · 1 comments
jonathanmeier5 commented
kubernetes/autoscaler#4676 introduced a bug to the cluster autoscaler clusterapi reconciler.
The cluster autoscaler executable attempts to reconcile MachinePool resources, but does not have sufficient permissions to do so in its ClusterRole.
We see the following error:
I0522 21:48:48.957303 1 reflector.go:323] Listing and watching cluster.x-k8s.io/v1beta1, Resource=machinepools from k8s.io/client-go@v0.27.0/tools/cache/reflector.go:231
W0522 21:48:48.959653 1 reflector.go:533] k8s.io/client-go@v0.27.0/tools/cache/reflector.go:231: failed to list cluster.x-k8s.io/v1beta1, Resource=machinepools: machinepools.cluster.x-k8s.io is forbidden: User "system:serviceaccount:eksa-packages:cluster-autoscaler-clusterapi-cluster-autoscaler" cannot list resource "machinepools" in API group "cluster.x-k8s.io" at the cluster scope
E0522 21:48:48.959688 1 reflector.go:148] k8s.io/client-go@v0.27.0/tools/cache/reflector.go:231: Failed to watch cluster.x-k8s.io/v1beta1, Resource=machinepools: failed to list cluster.x-k8s.io/v1beta1, Resource=machinepools: machinepools.cluster.x-k8s.io is forbidden: User "system:serviceaccount:eksa-packages:cluster-autoscaler-clusterapi-cluster-autoscaler" cannot list resource "machinepools" in API group "cluster.x-k8s.io" at the cluster scope
To fix this, we should authorize the cluster role to list machine pool resources.
jonathanmeier5 commented
Resolved in #2189
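As an added example (not part of the issue or of the cluster autoscaler's own code), the following Python turns reflector denials like the ones quoted in the issue into the RBAC rule the service account is missing. The function name `missing_rules`, the output shape and the abridged sample lines are assumptions; `watch` is added alongside `list` because a client-go reflector watches after it lists.

```python
import re

# Text of an API-server RBAC denial, as quoted in the reflector log lines above.
DENIED = re.compile(
    r'User "(?P<user>[^"]+)" cannot (?P<verb>\w+) resource "(?P<resource>[^"]+)" '
    r'in API group "(?P<group>[^"]*)" '
    r'(?:at the cluster scope|in the namespace "(?P<namespace>[^"]+)")'
)

def missing_rules(log_lines):
    """Collapse RBAC denials into one rule per (subject, namespace, group, resource)."""
    verbs = {}
    for line in log_lines:
        m = DENIED.search(line)
        if m is None:
            continue  # informational lines carry no denial
        key = (m["user"], m["namespace"], m["group"], m["resource"])
        needed = verbs.setdefault(key, set())
        needed.add(m["verb"])
        # Assumption stated in the lead-in: a client-go reflector watches after
        # it lists, so a denied list from reflector.go implies watch as well.
        if m["verb"] == "list" and "reflector.go" in line:
            needed.add("watch")
    return [
        {
            "subject": user,
            "kind": "Role" if ns else "ClusterRole",
            "namespace": ns,
            "rule": {"apiGroups": [group], "resources": [res], "verbs": sorted(v)},
        }
        for (user, ns, group, res), v in verbs.items()
    ]

# Sample input: the issue's log lines, abridged (source-file prefix dropped).
SA = "system:serviceaccount:eksa-packages:cluster-autoscaler-clusterapi-cluster-autoscaler"
DENIAL = (
    "failed to list cluster.x-k8s.io/v1beta1, Resource=machinepools: "
    f'machinepools.cluster.x-k8s.io is forbidden: User "{SA}" cannot list '
    'resource "machinepools" in API group "cluster.x-k8s.io" at the cluster scope'
)
SAMPLE_LOG = [
    "I0522 21:48:48.957303 1 reflector.go:323] Listing and watching cluster.x-k8s.io/v1beta1, Resource=machinepools",
    f"W0522 21:48:48.959653 1 reflector.go:533] {DENIAL}",
    f"E0522 21:48:48.959688 1 reflector.go:148] Failed to watch cluster.x-k8s.io/v1beta1, Resource=machinepools: {DENIAL}",
]

if __name__ == "__main__":
    for entry in missing_rules(SAMPLE_LOG):
        print(entry["kind"], entry["subject"], entry["rule"])
```

Deriving the rule from the denials actually observed keeps the ClusterRole change scoped to the one resource and the verbs the informer needs.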