gke-autoneg-controller

Controller manager service account forbidden listing api resources

Open derektamsen opened this issue 2 years ago • 0 comments

I ran into an issue where the autoneg controller service account is forbidden from listing several Kubernetes API resources. The autoneg-controller-manager pod is returning the following errors:

E0727 18:09:24.847396       1 reflector.go:126] pkg/mod/k8s.io/[email protected]+incompatible/tools/cache/reflector.go:94: Failed to list *v1.Service: services is forbidden: User "system:serviceaccount:autoneg-system:autoneg" cannot list resource "services" in API group "" at the cluster scope
E0727 18:09:24.891173       1 leaderelection.go:306] error retrieving resource lock autoneg-system/controller-leader-election-helper: configmaps "controller-leader-election-helper" is forbidden: User "system:serviceaccount:autoneg-system:autoneg" cannot get resource "configmaps" in API group "" in the namespace "autoneg-system"

This occurs because the autoneg-controller-manager service account is autoneg. However, the RBAC role bindings for the service account reference default instead of the autoneg account used by the deployment.

derektamsen, Jul 27 '22 19:07
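
A check for the mismatch described in this issue, added here as an example and not part of the original report or the project's code: it compares each Deployment's service account with the ServiceAccount subjects of the role bindings. The manifests are constructed, and the binding and role names in them are hypothetical.

```python
import json

# Constructed manifests modelled on the report. Binding and role names are
# hypothetical; only the namespace and the two account names come from the issue.
MANIFESTS = json.loads("""[
 {"kind": "Deployment",
  "metadata": {"name": "autoneg-controller-manager", "namespace": "autoneg-system"},
  "spec": {"template": {"spec": {"serviceAccountName": "autoneg"}}}},
 {"kind": "ClusterRoleBinding",
  "metadata": {"name": "example-manager-rolebinding"},
  "roleRef": {"kind": "ClusterRole", "name": "example-manager-role"},
  "subjects": [{"kind": "ServiceAccount", "name": "default", "namespace": "autoneg-system"}]},
 {"kind": "RoleBinding",
  "metadata": {"name": "example-leader-election-rolebinding", "namespace": "autoneg-system"},
  "roleRef": {"kind": "Role", "name": "example-leader-election-role"},
  "subjects": [{"kind": "ServiceAccount", "name": "default", "namespace": "autoneg-system"}]}
]""")

def bound_accounts(manifests):
    """Map (namespace, service account) to the bindings that list it as a subject."""
    bound = {}
    for obj in manifests:
        if obj.get("kind") in ("RoleBinding", "ClusterRoleBinding"):
            for subj in obj.get("subjects") or []:
                if subj.get("kind") == "ServiceAccount":
                    key = (subj.get("namespace"), subj["name"])
                    bound.setdefault(key, []).append(obj["metadata"]["name"])
    return bound

def find_mismatches(manifests):
    """List Deployments whose service account appears in no binding's subjects."""
    bound, findings = bound_accounts(manifests), []
    for obj in manifests:
        if obj.get("kind") != "Deployment":
            continue
        ns = obj["metadata"].get("namespace", "default")
        # A pod spec without serviceAccountName runs as the namespace's "default".
        sa = obj["spec"]["template"]["spec"].get("serviceAccountName", "default")
        if (ns, sa) not in bound:
            others = sorted(b for (bns, bsa), names in bound.items()
                            if bns == ns and bsa != sa for b in names)
            findings.append((obj["metadata"]["name"],
                             f"system:serviceaccount:{ns}:{sa}", others))
    return findings

if __name__ == "__main__":
    for name, user, others in find_mismatches(MANIFESTS):
        print(f"{name}: {user} has no binding; other subjects bound by {others}")
```

Each finding names the Deployment, the user string the API server reports in its "forbidden" errors, and the bindings in the same namespace that grant to a different account.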