Autoscaler RBAC lack of permissions #538

Open
ricristian opened this issue Feb 10, 2025 · 4 comments

@ricristian

Hi,

I've just installed a completely new cluster and I saw the following errors in the cluster autoscaler:

E0210 22:47:03.765197       1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.0/tools/cache/reflector.go:251: Failed to watch *v1.VolumeAttachment: failed to list *v1.VolumeAttachment: volumeattachments.storage.k8s.io is forbidden: User \"system:serviceaccount:kube-system:cluster-autoscaler\" cannot list resource \"volumeattachments\" in API group \"storage.k8s.io\" at the cluster scope" logger="UnhandledError"
I0210 22:47:11.445477       1 hetzner_node_group.go:576] Set node group production-fsn1-autoscaled size from 0 to 0, expected delta 0

I've tried to look into the autoscaler part of the code in order to create a PR with a fix, but I couldn't find any YAML template. I've reached this point:
manifest = fetch_manifest(settings.manifests.cluster_autoscaler_manifest_url.
I guess that the manifests are fetched from a remote, maybe.

Meanwhile, I also checked the autoscaler issues, and indeed there seems to be a problem with that, and there is also a PR, https://github.com/kubernetes/autoscaler/pull/7674, but as usual there is something blocking that PR.
@vitobotta
Owner

Hi, I noticed that as well. I’ve been doing a lot of testing with the autoscaler over the past few weeks, but I haven’t tried it with volumes after seeing that message in the logs. Fingers crossed they merge that PR soon!

@vitobotta
Owner

I just tested using volumes with autoscaled nodes, and it worked without any issues. I’m not entirely sure about the implications of the missing permission, though. I’ll ask in the relevant issue on the repository to get more clarity.

@vitobotta
Owner

While waiting for a clarification, I made a gist with a temp fix to get rid of the permission error at https://gist.githubusercontent.com/vitobotta/3a727c15fd862a92b44530ca6dcb641b/raw/e7a4006a73af30f58b98f1dc94fb42c89762585d/cluster-autoscaler-volumeattachments.yaml.

If you apply this with kubectl apply -f <url>, the error disappears. Then, once the PR gets merged and the problem is fixed, you can remove this temp ClusterRole with kubectl delete -f <url>.
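
The denial in the log quoted in this issue names the subject, verb, resource and API group, which is enough to derive a narrowly scoped rule rather than granting a broad role. The following is an added example, not part of the thread and not the contents of the gist; the sample log is constructed from the lines quoted in the issue, and the role name is hypothetical.

```python
import re

# Constructed sample input: the two autoscaler log lines quoted in the issue.
SAMPLE_LOG = r'''E0210 22:47:03.765197       1 reflector.go:166] "Unhandled Error" err="pkg/mod/k8s.io/client-go@v0.32.0/tools/cache/reflector.go:251: Failed to watch *v1.VolumeAttachment: failed to list *v1.VolumeAttachment: volumeattachments.storage.k8s.io is forbidden: User \"system:serviceaccount:kube-system:cluster-autoscaler\" cannot list resource \"volumeattachments\" in API group \"storage.k8s.io\" at the cluster scope" logger="UnhandledError"
I0210 22:47:11.445477       1 hetzner_node_group.go:576] Set node group production-fsn1-autoscaled size from 0 to 0, expected delta 0
'''

# Matches the API server's RBAC denial text; the quotes may be backslash-escaped in the log.
FORBIDDEN = re.compile(
    r'User \\?"(?P<user>[^"\\]+)\\?" cannot (?P<verb>\w+) resource '
    r'\\?"(?P<resource>[^"\\]+)\\?" in API group \\?"(?P<group>[^"\\]*)\\?"'
)

def missing_rules(log_text):
    """Map (user, api_group, resource) -> sorted verbs, one entry per denied resource."""
    found = {}
    for line in log_text.splitlines():
        m = FORBIDDEN.search(line)
        if not m:
            continue
        verbs = found.setdefault((m["user"], m["group"], m["resource"]), set())
        verbs.add(m["verb"])
        # A client-go reflector lists and then watches, so a denied list reported
        # by the reflector means watch is required too.
        if "Failed to watch" in line:
            verbs.add("watch")
    return {key: sorted(verbs) for key, verbs in found.items()}

def render_cluster_role(name, api_group, resource, verbs):
    """Render a ClusterRole limited to the denied resource and verbs."""
    verb_list = ", ".join(f'"{v}"' for v in verbs)
    return f"""apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: {name}
rules:
  - apiGroups: ["{api_group}"]
    resources: ["{resource}"]
    verbs: [{verb_list}]
"""

if __name__ == "__main__":
    for (user, group, resource), verbs in missing_rules(SAMPLE_LOG).items():
        # Hypothetical role name chosen for this example.
        print(f"# denied subject: {user}")
        print(render_cluster_role("autoscaler-volumeattachments-temp", group, resource, verbs))
```

The rendered role takes effect only once a ClusterRoleBinding ties it to the service account named in the denial.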
