k8s-version-upgrade: grant pods/log so preflight can verify the etcd snapshot
All checks were successful
ci/woodpecker/push/default Pipeline was successful
Preflight step 6 confirms the pre-upgrade etcd snapshot is non-empty by parsing the backup Job's log (`kubectl -n default logs job/pre-upgrade-etcd-...`). The k8s-upgrade-job ClusterRole granted `pods` get/list/delete but NOT the `pods/log` subresource, so the read failed with Forbidden in the default ns and aborted preflight — after step 5 had already set k8s_upgrade_in_flight=1. A stale out-of-band grant had masked this until a `terragrunt apply` in this session reconciled the role back to its TF definition. Codify pods/log:get.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
This commit is contained in:
parent bfb86e653f
commit 0c5a9b5f44
1 changed files with 11 additions and 0 deletions
@ -162,6 +162,17 @@ resource "kubernetes_cluster_role" "k8s_upgrade_job" {
resources = ["pods"]
verbs = ["get", "list", "delete"]
}
# Read the etcd-snapshot Job's pod logs — preflight verifies the snapshot
# size by parsing the backup Job's log (`kubectl logs job/...`). `pods/log`
# is a SEPARATE subresource not covered by the `pods` rule above. Missing
# this grant aborts preflight step 6 with a Forbidden on pods/log in the
# `default` ns (2026-06-17 — surfaced after a stale out-of-band grant was
# reconciled away by `terragrunt apply`).
rule {
api_groups = [""]
resources = ["pods/log"]
verbs = ["get"]
}
# Read PDBs to find drain-blocking pods
rule {
api_groups = ["policy"]
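Review bot: the new `pods/log` rule is minimal in its verbs (`get` is all `kubectl logs` needs), but because it sits in `resource "kubernetes_cluster_role" "k8s_upgrade_job"` it permits reading the logs of every pod in every namespace wherever this role is bound, while the comment itself says preflight only needs the etcd-snapshot Job's pod in the `default` ns; pod logs routinely carry tokens and connection strings, so confirm the role is attached through a namespaced RoleBinding rather than a ClusterRoleBinding, or carry this rule in a namespaced Role if it is not. Minor: the incident narrative in the comment (the 2026-06-17 date, the stale grant reconciled away by `terragrunt apply`) duplicates the commit message; the durable part worth keeping next to the rule is that `pods/log` is a separate subresource not covered by the `pods` rule above.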