I'm trying to use my operator to check if a pod is sitting on a tainted node.
To get the node's taint information, I used
err := r.Get(ctx, client.ObjectKey{Name: pod.Spec.NodeName}, node)
which works fine with the fakeclient in k8s.
However, when I run it against an EKS cluster, I got the following error:
"msg":"pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:167: failed to list *v1.Node: nodes is forbidden: User \"system:serviceaccount:mike-6mdj7thh:mike-kubernetes-operator-controller-manager\" cannot list resource \"nodes\" in API group \"\" at the cluster scope
How should I fix it? Or how should I debug this type of issue?
It requires a ClusterRole and a ClusterRoleBinding to access Nodes.
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: mike-clusterrole
rules:
  - apiGroups:
      - ""
    resources:
      - nodes
    verbs:
      - get
      - watch
      - list
      - create
      - update
      - patch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: mike-clusterrolebinding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: mike-clusterrole
subjects:
  - kind: ServiceAccount
    name: mike-kubernetes-operator-controller-manager
    namespace: {{ .Namespace }}
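As an added example (not from the question or the answer above), here is the least-privilege form of the same grant. The controller-runtime cache behind r.Get starts an informer that does a cluster-scope list and watch on Nodes, which is why the error mentions "list" even though the code only calls Get, and why a namespaced Role cannot satisfy it. Nothing in a taint check writes Node objects, so create/update/patch are left out. The ClusterRole and ClusterRoleBinding names are assumed; the service-account name and namespace are taken from the error message in the question.

```yaml
---
# Nodes are cluster-scoped, so only a ClusterRole can grant access to them.
# Read-only verbs: the informer needs list + watch, and the cached Get needs get.
# No write verbs (assumption: the operator never mutates Node objects).
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: taint-checker-node-reader   # assumed name
rules:
  - apiGroups: [""]
    resources: ["nodes"]
    verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: taint-checker-node-reader   # assumed name
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: taint-checker-node-reader
subjects:
  - kind: ServiceAccount
    # name and namespace copied from the "cannot list resource" error above
    name: mike-kubernetes-operator-controller-manager
    namespace: mike-6mdj7thh
```

If the operator is built with kubebuilder, the equivalent rule is generated into config/rbac/role.yaml by adding the marker `//+kubebuilder:rbac:groups=core,resources=nodes,verbs=get;list;watch` above the Reconcile function and running `make manifests`. To debug this class of error without redeploying, ask the API server the same question the reflector is asking: `kubectl auth can-i list nodes --as=system:serviceaccount:mike-6mdj7thh:mike-kubernetes-operator-controller-manager`. It should answer "yes" after the binding is applied; a "no" means either the ClusterRoleBinding is missing or its subject does not match the service account the manager pod actually runs as (`kubectl -n mike-6mdj7thh get pod <manager-pod> -o jsonpath='{.spec.serviceAccountName}'`).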