fix clusterrole permissions: watch cninodes

[marcincuber]

What type of PR is this?
Fix permissions issue

Which issue does this PR fix:
VPC CNI errors:

E0914 13:07:56.908969      12 reflector.go:148] pkg/mod/k8s.io/client-go@v0.27.3/tools/cache/reflector.go:231: Failed to watch *v1alpha1.CNINode: unknown (get cninodes.vpcresources.k8s.aws)

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

[jdn5126]

@marcincuber in what context are you seeing this error? The VPC CNI only does a GET and PATCH on CNINode (https://github.com/aws/amazon-vpc-cni-k8s/blob/v1.15.0/pkg/ipamd/ipamd.go#L2283), so WATCH should not be required

[marcincuber]

@marcincuber in what context are you seeing this error? The VPC CNI only does a GET and PATCH on CNINode (https://github.com/aws/amazon-vpc-cni-k8s/blob/v1.15.0/pkg/ipamd/ipamd.go#L2283), so WATCH should not be required

Not sure which context. But we upgraded to 1.15.0 today and saw the error immediately being thrown every 50 seconds or so. Adding watch perms fixed it. I believe it was happening on the main container aws-node.

Worth noting that it wasn't happening on 1.14.X release which we tested yesterday as well.

[jdn5126]

This is just an error log in the IPAMD logs, right? In other words, the container itself is not crashing and restarting, right? What I assume is happening is that the k8s client is trying to cache CNINode, so it issues a WATCH and logs an error since it lacks permission. We do not need or want to cache this resource locally, though, so this log is harmless. We should still fix it in a future version, though.

[marcincuber]

This is just an error log in the IPAMD logs, right? In other words, the container itself is not crashing and restarting, right? What I assume is happening is that the k8s client is trying to cache CNINode, so it issues a WATCH and logs an error since it lacks permission. We do not need or want to cache this resource locally, though, so this log is harmless. We should still fix it in a future version, though.

Correct, container runs fine and no crashing. Just logging the same error without watch permission.

[jdn5126]

Thanks for finding this @marcincuber! I want to do some more digging on a solution that does not involve caching CNINode resources, as they scale with the number of nodes in the cluster. Adding watch permission is a great workaround in the meantime.

[jdn5126]

@marcincuber I created #2570 for the long-term fix, as this way no WATCH is created for CNINode resources.

[jdn5126]

Closing in favor of #2570