AWS Calico Chart - seems missing permission for typha-cpha #108
Assignees
Labels
Comments
|
You are right about this. See aws/amazon-vpc-cni-k8s#892 for some more details. |
|
Yet another reason we need to have a single source of config truth :) |
|
Since this has been updated and fixed, I am closing this issue. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
typha autoscaler logs:
E0416 03:30:41.156961 1 reflector.go:283] github.com/kubernetes-incubator/cluster-proportional-autoscaler/pkg/autoscaler/k8sclient/k8sclient.go:96: Failed to watch *v1.Node: unknown (get nodes) │
│ E0416 03:30:42.163238 1 reflector.go:283] github.com/kubernetes-incubator/cluster-proportional-autoscaler/pkg/autoscaler/k8sclient/k8sclient.go:96: Failed to watch *v1.Node: unknown (get nodes) │
│ E0416 03:30:43.170184 1 reflector.go:283] github.com/kubernetes-incubator/cluster-proportional-autoscaler/pkg/autoscaler/k8sclient/k8sclient.go:96: Failed to watch *v1.Node: unknown (get nodes) │
│ I0416 03:30:44.157683 1 k8sclient.go:221] Falling back to extensions/v1beta1, error using apps/v1: deployments.apps "calico-typha" is forbidden: User "system:serviceaccount:kube-system:calico-ty │
│ pha-cpha" cannot get resource "deployments/scale" in API group "apps" in the namespace "kube-system" │
│ E0416 03:30:44.463196 1 reflector.go:283] github.com/kubernetes-incubator/cluster-proportional-autoscaler/pkg/autoscaler/k8sclient/k8sclient.go:96: Failed to watch *v1.Node: unknown (get nodes) │
│ E0416 03:30:45.563406 1 reflector.go:283] github.com/kube
it looks like there is missing permission in typha-cpha Rola and ClusterRole:
--- a/stable/aws-calico/templates/rbac.yaml
+++ b/stable/aws-calico/templates/rbac.yaml
ClusterRole:
resources: ["nodes"]
old verbs: ["list"]
new verbs: ["watch", "list"]
Role:
old - apiGroups: ["extensions"]
new - apiGroups: ["extensions", "apps"]
resources: ["deployments/scale"]
verbs: ["get", "update"]
The text was updated successfully, but these errors were encountered: