k8s-version-upgrade: grant get/list on apps resources for drain

kubectl drain --ignore-daemonsets needs to GET each pod's owner
reference (DaemonSet/StatefulSet/ReplicaSet/Deployment) to classify
which pods can be drained vs ignored. Without these RBAC verbs, drain
bails with 'cannot delete daemonsets ... is forbidden' for every
daemonset-managed pod on the node.
This commit is contained in:
Viktor Barzin 2026-05-21 08:07:29 +00:00
parent a90ce27923
commit 94ca849379


@ -168,6 +168,15 @@ resource "kubernetes_cluster_role" "k8s_upgrade_job" {
resources = ["poddisruptionbudgets"]
verbs = ["get", "list"]
}
# Read DaemonSets/StatefulSets/ReplicaSets/Deployments so `kubectl drain
# --ignore-daemonsets` can classify each pod's owner. Without daemonsets
# GET permission, drain bails with "cannot delete daemonsets ... is
# forbidden" for every daemonset-managed pod on the node. (2026-05-20)
rule {
api_groups = ["apps"]
resources = ["daemonsets", "statefulsets", "replicasets", "deployments"]
verbs = ["get", "list"]
}
# Chain dispatch create the next Job; reconcile via apply on retry.
# In `default` ns to also create the etcd-snapshot Job from cronjob/backup-etcd.
rule {
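Review bot: The new rule grants `list` on all four apps resources cluster-wide, while the commit message and the comment above it only describe drain needing to GET a pod's owner reference by name, so `list` (and possibly the non-DaemonSet resources) is broader than the stated need. If drain only fetches the owning DaemonSet by name, narrowing to `verbs = ["get"]` — and to `resources = ["daemonsets"]` if the other three lookups are never actually made — keeps the ClusterRole at least privilege for this upgrade Job; if a `list` call really is issued, a one-line comment naming which drain step requires it would justify keeping the wider grant. The enclosing `kubernetes_cluster_role.k8s_upgrade_job` resource starts and ends outside the hunk, so whether another rule already covers these resources cannot be checked here.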