
Missing role permissions needed in example manifest

Open cmagorian opened this issue 5 years ago • 4 comments

From deploying the example manifest (not helm), I needed to add the following block in the ClusterRole:

- apiGroups: ['']
  resources: [endpoints]
  verbs: [get, patch, update]

To remove this error message:

leaderelection.go:324] error retrieving resource lock kube-system/draino: endpoints "draino" is forbidden: User "system:serviceaccount:kube-system:draino" cannot get resource "endpoints" in API group "" in the namespace "kube-system"

Would you guys be open to a PR for this?

cmagorian avatar Sep 09 '20 02:09 cmagorian

I'm having nearly the same issue:

E1015 08:57:38.037739       1 leaderelection.go:328] error initially creating leader election record: endpoints is forbidden: User "system:serviceaccount:kube-system:draino" cannot create resource "endpoints" in API group "" in the namespace "kube-system"

I guess create is also missing. Take a look at the helm chart. I would suggest creating the manifest from the helm chart and syncing it via GitHub Actions or similar.

tomaaron avatar Oct 15 '20 09:10 tomaaron

Yep! Open to an MR!

jacobstr avatar Oct 15 '20 18:10 jacobstr

I was getting a similar error too, but with creation:

error initially creating leader election record: endpoints is forbidden: User "system:serviceaccount:kube-system:draino" cannot create resource "endpoints" in API group "" in the namespace "kube-system"

So I also added create under endpoints:

- apiGroups: ['']
  resources: [endpoints]
  verbs: [get, create, patch, update]

matharoo avatar Feb 03 '21 20:02 matharoo

Yes, I experienced the same. Solved it by adding those extra RBAC permissions. Btw, it's correctly mentioned in the given helm chart, but yes, it should be updated in the manifest.yml as well. @cmagorian

tarunptala avatar Feb 11 '21 04:02 tarunptala
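
Added example, not part of the thread or the draino project: a small Python script that reads the RBAC denial lines quoted in the comments above and groups the denied verbs per subject and resource, so a rule can be written from what was actually refused rather than by guesswork. The function names `missing_rules` and `render_rules` are hypothetical, and the sample input is the two log lines from this thread.

```python
import re
from collections import defaultdict

# Matches the Kubernetes RBAC denial text seen in the log lines quoted in this thread.
DENIAL = re.compile(
    r'User "(?P<user>[^"]+)" cannot (?P<verb>\w+) resource "(?P<resource>[^"]+)" '
    r'in API group "(?P<group>[^"]*)"'
    r'(?: in the namespace "(?P<namespace>[^"]+)")?'
)

# Sample input: the two error lines reported in the comments above.
SAMPLE_LOG = '''\
leaderelection.go:324] error retrieving resource lock kube-system/draino: endpoints "draino" is forbidden: User "system:serviceaccount:kube-system:draino" cannot get resource "endpoints" in API group "" in the namespace "kube-system"
E1015 08:57:38.037739       1 leaderelection.go:328] error initially creating leader election record: endpoints is forbidden: User "system:serviceaccount:kube-system:draino" cannot create resource "endpoints" in API group "" in the namespace "kube-system"
'''


def missing_rules(log_text, user):
    """Group denied verbs by (apiGroup, resource, namespace) for one subject."""
    denied = defaultdict(set)
    for m in DENIAL.finditer(log_text):
        if m["user"] == user:
            denied[(m["group"], m["resource"], m["namespace"])].add(m["verb"])
    return {key: sorted(verbs) for key, verbs in denied.items()}


def render_rules(rules):
    """Render the grouped denials as rule entries in the manifest's own style."""
    out = []
    # key=str keeps sorting safe when a denial has no namespace (None).
    for (group, resource, namespace), verbs in sorted(rules.items(), key=str):
        out.append(f"# denied in: {namespace or 'cluster-wide'}")
        out.append(f"- apiGroups: ['{group}']")
        out.append(f"  resources: [{resource}]")
        out.append(f"  verbs: [{', '.join(verbs)}]")
    return "\n".join(out)


if __name__ == "__main__":
    sa = "system:serviceaccount:kube-system:draino"
    print(render_rules(missing_rules(SAMPLE_LOG, sa)))
```

The output only covers verbs that were attempted and refused, so verbs used later (the rule posted in the thread also lists patch and update) do not appear until the earlier ones have been granted and fresh logs are parsed.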