From 94ca8493795f0965a72972803758aff450f55459 Mon Sep 17 00:00:00 2001
From: Viktor Barzin
Date: Thu, 21 May 2026 08:07:29 +0000
Subject: [PATCH] k8s-version-upgrade: grant get/list on apps resources for drain

kubectl drain --ignore-daemonsets needs to GET each pod's owner reference (DaemonSet/StatefulSet/ReplicaSet/Deployment) to classify which pods can be drained vs ignored. Without these RBAC verbs, drain bails with 'cannot delete daemonsets ... is forbidden' for every daemonset-managed pod on the node.
---
 stacks/k8s-version-upgrade/main.tf | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/stacks/k8s-version-upgrade/main.tf b/stacks/k8s-version-upgrade/main.tf
index 7fe00d96..bf777820 100644
--- a/stacks/k8s-version-upgrade/main.tf
+++ b/stacks/k8s-version-upgrade/main.tf
@@ -168,6 +168,15 @@ resource "kubernetes_cluster_role" "k8s_upgrade_job" {
     resources = ["poddisruptionbudgets"]
     verbs = ["get", "list"]
   }
+  # Read DaemonSets/StatefulSets/ReplicaSets/Deployments so `kubectl drain
+  # --ignore-daemonsets` can classify each pod's owner. Without daemonsets
+  # GET permission, drain bails with "cannot delete daemonsets ... is
+  # forbidden" for every daemonset-managed pod on the node. (2026-05-20)
+  rule {
+    api_groups = ["apps"]
+    resources = ["daemonsets", "statefulsets", "replicasets", "deployments"]
+    verbs = ["get", "list"]
+  }
   # Chain dispatch — create the next Job; reconcile via apply on retry.
   # In `default` ns to also create the etcd-snapshot Job from cronjob/backup-etcd.
   rule {
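Review bot: The new `rule` grants cluster-wide `get`/`list` on four apps resources, but the only API call drain makes while classifying owners is, as far as I can tell, a GET of the specific DaemonSet named in the pod's controller reference; StatefulSet/ReplicaSet/Deployment ownership is decided from the pod's ownerReferences without fetching the owner, and nothing lists these resources. Unless another step of the upgrade Job reads them, the least-privilege form is `resources = ["daemonsets"]` and `verbs = ["get"]`, which also keeps a compromised Job token from enumerating every Deployment spec (env vars, image tags, args) across all namespaces. If the wider grant is intentional, the comment should name the consumer that needs it rather than attributing it to drain, and the `(2026-05-20)` stamp duplicates what `git blame` already records. The enclosing `resource "kubernetes_cluster_role" "k8s_upgrade_job"` block starts and ends outside the hunk.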