Skip to content
This repository has been archived by the owner on Oct 24, 2023. It is now read-only.

cluster-autoscaler clusterrole missing permissions for replicasets.apps #261

Closed
mhyllander opened this issue Jan 9, 2019 · 1 comment · Fixed by #263
Closed

cluster-autoscaler clusterrole missing permissions for replicasets.apps #261

mhyllander opened this issue Jan 9, 2019 · 1 comment · Fixed by #263

Comments

@mhyllander
Copy link
Contributor

mhyllander commented Jan 9, 2019

Is this a request for help?: No


Is this an ISSUE or FEATURE REQUEST? (choose one): ISSUE


What version of aks-engine?:
Version: v0.28.1
GitCommit: efc9dcf
GitTreeState: clean


Kubernetes version: 1.13.1

What happened: The cluster-autoscaler logs the following error repeatedly:

E0108 13:26:42.946201       1 reflector.go:134] k8s.io/client-go/informers/factory.go:132: Failed to list *v1.ReplicaSet: replicasets.apps is forbidden: User "system:serviceaccount:kube-system:cluster-autoscaler" cannot list resource "replicasets" in API group "apps" at the cluster scope

What you expected to happen: cluster-autscaler should be able to monitor all resources.

How to reproduce it (as minimally and precisely as possible):

Anything else we need to know:
This apparently happens because in the cluster-autoscaler clusterrole, in /etc/kubernetes/addons/cluster-autoscaler-deployment.yaml, there is the following rule:

- apiGroups: ["apps"]
  resources: ["statefulsets"]
  verbs: ["watch","list","get"]

The problem can be fixed by adding "replicasets" to the rule:

- apiGroups: ["apps"]
  resources: ["statefulsets","replicasets"]
  verbs: ["watch","list","get"]
@tariq1890
Copy link
Contributor

@mhyllander Thanks for raising this issue. Feel free to raise a PR for this :)

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
None yet
Projects
None yet
Development

Successfully merging a pull request may close this issue.

3 participants